From e6821effe2d104ffdd280b7950cb9e99d20dba14 Mon Sep 17 00:00:00 2001
From: rajeshcpr <45383780+rajeshcpr@users.noreply.github.com>
Date: Thu, 9 Apr 2026 18:42:36 +0530
Subject: [PATCH 1/3] Nonce check order flaw in post-quickdraft-save
$_REQUEST['post_ID'] is used to load a post object before the referer is actually checked on line 93. A crafted request can cause a database lookup on an arbitrary post_ID before authorization. $_REQUEST['_wpnonce'] is also accessed without checking key existence.
---
 src/wp-admin/post.php | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php
index dd7bad1bb3830..99c22bd7a5ce6 100644
--- a/src/wp-admin/post.php
+++ b/src/wp-admin/post.php
@@ -72,13 +72,14 @@
 switch ( $action ) {
 case 'post-quickdraft-save':
 // Check nonce and capabilities.
- $nonce = $_REQUEST['_wpnonce'];
+ $nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';
+ $post_id = absint( $_REQUEST['post_ID'] ?? 0 );
 $error_msg = false;
 // For output of the Quick Draft dashboard widget.
 require_once ABSPATH . 'wp-admin/includes/dashboard.php';
- if ( ! wp_verify_nonce( $nonce, 'add-post' ) ) {
+ if ( ! $post_id || ! wp_verify_nonce( $nonce, 'add-post' ) ) {
 $error_msg = __( 'Unable to submit this form, please refresh and try again.' );
 }
@@ -90,7 +91,14 @@
 return wp_dashboard_quick_press( $error_msg );
 }
- $post = get_post( $_REQUEST['post_ID'] );
+ $post = get_post( $post_id );
+ if ( ! $post ) {
+ $error_msg = __( 'Unable to submit this form, please refresh and try again.' );
+ }
+
+ if ( $error_msg ) {
+ return wp_dashboard_quick_press( $error_msg );
+ }
 check_admin_referer( 'add-' . $post->post_type );
 $_POST['comment_status'] = get_default_comment_status( $post->post_type );
From cf9e3dbd53277db421e3147a140af79815c9d179 Mon Sep 17 00:00:00 2001
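Review bot: The ternary on the first added line, `isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : ''`, is inconsistent with the `??` used on the line directly below it; `$nonce = $_REQUEST['_wpnonce'] ?? '';` is the same check in the same idiom. Folding `! $post_id` into the nonce-failure branch also means a missing or zero post_ID is reported with the "refresh and try again" message, which is reasonable for the Quick Draft widget but not obvious from the condition; a comment such as `// A submission without a numeric post_ID cannot be a Quick Draft, so treat it like a failed nonce.` would record that intent. The `case 'post-quickdraft-save':` body continues past the hunk.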
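Review bot: The added `if ( $error_msg )` block after the new `if ( ! $post )` guard is a second copy of the early return that, judging by the hunk's first context lines, already precedes it, and at this point the only thing that can have set `$error_msg` is the `! $post` branch; `return wp_dashboard_quick_press( __( 'Unable to submit this form, please refresh and try again.' ) );` inside that branch drops the duplicate check and the duplicate message string. Separately, `get_post( $post_id )` still runs before `check_admin_referer( 'add-' . $post->post_type )`, and necessarily so, because that nonce action is built from the loaded post's type; what gates the lookup is the `'add-post'` nonce check in the first hunk (plus whatever checks sit in the lines between the two hunks, which are not visible here), so the commit message's "before authorization" wording overstates the issue and the guard is better described as preventing a property read on a null `$post`. A one-line comment above the lookup, `// The type-specific nonce check below needs the post, so it is loaded only after the generic 'add-post' check has passed.`, would keep a later reader from trying to reorder them. The `case 'post-quickdraft-save':` body continues past the hunk.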
From: rajeshcpr <45383780+rajeshcpr@users.noreply.github.com>
Date: Fri, 10 Apr 2026 14:03:07 +0530
Subject: [PATCH 2/3] Update post.php
---
 src/wp-admin/post.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php
index 99c22bd7a5ce6..b221af4dc4a99 100644
--- a/src/wp-admin/post.php
+++ b/src/wp-admin/post.php
@@ -93,7 +93,7 @@
 $post = get_post( $post_id );
 if ( ! $post ) {
- $error_msg = __( 'Unable to submit this form, please refresh and try again.' );
+ $error_msg = __( 'Unable to submit this form, please refresh and try again' );
 }
 if ( $error_msg ) {
From b5702d5954814108d26c0bc14ed1ac369eb1a78d Mon Sep 17 00:00:00 2001
From: rajeshcpr <45383780+rajeshcpr@users.noreply.github.com>
Date: Fri, 10 Apr 2026 14:04:54 +0530
Subject: [PATCH 3/3] Update post.php sentence correction
---
 src/wp-admin/post.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php
index b221af4dc4a99..99c22bd7a5ce6 100644
--- a/src/wp-admin/post.php
+++ b/src/wp-admin/post.php
@@ -93,7 +93,7 @@
 $post = get_post( $post_id );
 if ( ! $post ) {
- $error_msg = __( 'Unable to submit this form, please refresh and try again' );
+ $error_msg = __( 'Unable to submit this form, please refresh and try again.' );
 }
 if ( $error_msg ) {