• Resolved John Darrel

    (@johndarrel)


    Hi, I see the plugin is accessing the admin edit page with a nonce in the frontend for non-logged-in users, which could be a security issue.

    var tablesome_ajax_object = {"nonce":"xxxxxxxxx","ajax_url":"https:\/\/domain.com\/wp-admin\/admin-ajax.php","rest_nonce":"xxxxxxxxx","edit_table_url":"https:\/\/domain.com\/wp-admin\/edit.php?post_type=tablesome_cpt&action=edit&post=xx&page=tablesome_admin_page"};

    Normally, you should use the WordPress REST API.

Viewing 1 replies (of 1 total)
  • Plugin Author Essekia

    (@essekia)

    Hello @johndarrel ,

    Thanks for bringing this up. The nonce used is just a general nonce to identify the user. This nonce is used for both logged-in and non-logged-in users.

    The edit_table_url is just a property inside tablesome_ajax_object used in frontend for redirection. This does not make use of the nonce.

    Will review this further. Also, please send any further security-related issues to support [@] pauple [dot] com.

    Regards.

    • This reply was modified 1 year, 9 months ago by Essekia.
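The exchange above turns on what a WordPress nonce handed to every visitor does and does not prove. The following is an added example, not Tablesome's code and not code from either participant: it shows a localized script object exposed to logged-out visitors, an admin-ajax handler pair in which the nonce is only a CSRF check and the capability check carries authorization, and the REST route alternative suggested in the first post. All names (the `demo_table` nonce action, the `demo_get_table` and `demo_save_table` ajax actions, the `demo/v1` namespace, the `demo-frontend` script handle) are hypothetical; the WordPress functions are the real core API.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: 'demo_table' nonce
// action, 'demo_get_table' / 'demo_save_table' ajax actions, 'demo/v1' namespace,
// 'demo-frontend' script handle (assumed to be registered elsewhere).

add_action( 'wp_enqueue_scripts', function () {
    // Localized object available to every visitor, logged-out ones included.
    // For a logged-out visitor wp_create_nonce() hashes user ID 0 and an empty
    // session token, so the value identifies no one; it only binds a request to
    // this action string for the current nonce lifetime (12-hour tick, 24-hour life).
    wp_localize_script( 'demo-frontend', 'demo_ajax_object', array(
        'ajax_url'   => admin_url( 'admin-ajax.php' ),
        'nonce'      => wp_create_nonce( 'demo_table' ),
        'rest_nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
} );

// Read-only handler, deliberately reachable by logged-out visitors (wp_ajax_nopriv_*).
add_action( 'wp_ajax_nopriv_demo_get_table', 'demo_get_table' );
add_action( 'wp_ajax_demo_get_table', 'demo_get_table' );
function demo_get_table() {
    check_ajax_referer( 'demo_table', 'nonce' ); // wp_die()s on nonce mismatch
    $id   = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $post = get_post( $id );
    if ( ! $post || 'publish' !== $post->post_status ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'title' => $post->post_title ) );
}

// Mutating handler: no nopriv variant, and still a capability check, because a
// valid nonce proves the request came from a page we served, not who sent it.
add_action( 'wp_ajax_demo_save_table', 'demo_save_table' );
function demo_save_table() {
    check_ajax_referer( 'demo_table', 'nonce' );
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $id, 'post_title' => $title ) );
    wp_send_json_success( array( 'updated' => $id ) );
}

// REST alternative. The frontend sends rest_nonce in the X-WP-Nonce header; core
// verifies it against the 'wp_rest' action and then asks permission_callback,
// which is where the real authorization decision lives.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/table/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $id = (int) $req['id'];
            wp_update_post( array(
                'ID'         => $id,
                'post_title' => sanitize_text_field( $req->get_param( 'title' ) ),
            ) );
            return rest_ensure_response( array( 'updated' => $id ) );
        },
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'edit_post', (int) $req['id'] );
        },
        'args'                => array(
            'id'    => array( 'validate_callback' => 'is_numeric' ),
            'title' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

The check a reviewer would run against any plugin that ships a nonce to anonymous visitors is therefore not "is the nonce visible?" (it always is, by design) but "does every `wp_ajax_nopriv_*` handler and every REST `permission_callback` guarded by that nonce also decide authorization on `current_user_can()` or an equivalent, rather than on the nonce alone?". An `edit_table_url` that only redirects to `wp-admin` is harmless by itself, since `wp-admin` enforces its own login and capability checks on arrival.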
  • The topic ‘Check plugin security issue’ is closed to new replies.