From 02f04fe3337ed29cbd23696682c2afdd7119a08a Mon Sep 17 00:00:00 2001
From: rajeshcpr <45383780+rajeshcpr@users.noreply.github.com>
Date: Thu, 9 Apr 2026 14:59:12 +0530
Subject: [PATCH] fix(security): sanitize $_GET input before nonce construction in wp_ajax_fetch_list()

Raw $_GET['list_args']['class'] and $_GET['list_args']['screen']['id'] were used directly to build the nonce action string and passed to _get_list_table() without any sanitization or existence checks. An attacker controlling list_args[class] could influence the nonce key being verified, undermining the referer check. Apply sanitize_key() and isset() guards to both values before use, ensuring the nonce action string and _get_list_table() arguments are constructed from clean input.
---
 src/wp-admin/includes/ajax-actions.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 2af08fba70af9..3264498a86304 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -81,10 +81,11 @@ function wp_ajax_nopriv_heartbeat() {
  * @since 3.1.0
  */
 function wp_ajax_fetch_list() {
- $list_class = $_GET['list_args']['class'];
+ $list_class = isset( $_GET['list_args']['class'] ) ? sanitize_key( $_GET['list_args']['class'] ) : '';
+ $screen_id = isset( $_GET['list_args']['screen']['id'] ) ? sanitize_key( $_GET['list_args']['screen']['id'] ) : '';
  check_ajax_referer( "fetch-list-$list_class", '_ajax_fetch_list_nonce' );
- $wp_list_table = _get_list_table( $list_class, array( 'screen' => $_GET['list_args']['screen']['id'] ) );
+ $wp_list_table = _get_list_table( $list_class, array( 'screen' => $screen_id ) );
  if ( ! $wp_list_table ) {
  wp_die( 0 );
  }
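Review bot: The `sanitize_key()` applied on the new `$list_class` line lowercases its input, so the action string handed to `check_ajax_referer( "fetch-list-$list_class", '_ajax_fetch_list_nonce' )` no longer matches a nonce that was minted with the original-case class name (WordPress list tables build it from `get_class( $this )`, e.g. `fetch-list-WP_Posts_List_Table`), and every legitimate fetch will fail the referer check; the lowercased name is also unlikely to match the case-sensitive class lookup inside `_get_list_table()`, so even a relaxed nonce would end in `wp_die( 0 )`. A case-preserving allow-list filter keeps the hardening without the regression, e.g. `$list_class = isset( $_GET['list_args']['class'] ) ? preg_replace( '/[^A-Za-z0-9_]/', '', (string) $_GET['list_args']['class'] ) : '';`. `sanitize_key()` is appropriate for `$screen_id`, since screen ids are already lowercase. Note that a tampered class name was already rejected by the nonce check (the nonce is bound to the class it was created for), so the practical gain here is input normalization and `isset()` guarding rather than closing a referer bypass; the nonce verification relies on the class name as-is, which is worth stating in a short comment above the `check_ajax_referer()` call.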