• The Acunetix Web Security tool, in a security scan, has detected the lack of use of a Security Token in the WordPress search box as a vulnerability.
    I’ve been looking for information on how to add a Security Token to the WordPress search box for days and I can’t find it. Could someone help me?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    Since search requests would not alter DB data in any way, it’s debatable that this constitutes a vulnerability. It’s no worse than an anchor tag link IMO.

    But to answer your question, use the ‘get_search_form’ filter (assuming your theme uses the same named function for the search form) to insert a hidden field which contains a security nonce. There’s little point in doing so unless the nonce is then verified server side. First the hidden field name needs to be added as an allowed query var. Use the “query_var” filter to do so. Then hook the “request” filter and verify the nonce is valid. If not, compose a 403 response.
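    One way to wire up the three hooks described above, as an added example (not code from this thread or from WordPress core): the field name `search_nonce` and the nonce action `wp_search_form` are assumptions, and the query-var allow-listing hook is registered under the filter name WordPress actually uses, `query_vars`.

```php
<?php
/**
 * Plugin Name: Search Nonce (added example, not from the thread)
 * Adds a nonce to the search form and rejects search requests
 * whose nonce is missing or invalid with a 403 response.
 */

defined( 'ABSPATH' ) || exit;

const SN_FIELD  = 'search_nonce';   // hidden field / query var name (assumed)
const SN_ACTION = 'wp_search_form'; // nonce action string (assumed)

// 1. Inject a hidden nonce field into the markup returned by get_search_form().
add_filter( 'get_search_form', function ( $form ) {
    // $referer = false, $display = false: return the <input> markup as a string.
    $field = wp_nonce_field( SN_ACTION, SN_FIELD, false, false );
    // Place it just before </form> so it is submitted together with the query.
    return str_replace( '</form>', $field . '</form>', $form );
} );

// 2. Allow-list the field as a public query var so WP keeps it in the request.
add_filter( 'query_vars', function ( $vars ) {
    $vars[] = SN_FIELD;
    return $vars;
} );

// 3. Verify the nonce on every front-end search request before the main query runs.
add_filter( 'request', function ( $query_vars ) {
    if ( ! isset( $query_vars['s'] ) ) {
        return $query_vars; // not a search request, nothing to check
    }
    $nonce = isset( $query_vars[ SN_FIELD ] ) ? $query_vars[ SN_FIELD ] : '';
    // wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise.
    if ( ! wp_verify_nonce( $nonce, SN_ACTION ) ) {
        wp_die( 'Invalid search token.', 'Forbidden', array( 'response' => 403 ) );
    }
    return $query_vars;
} );
```

    Because a WordPress nonce is only valid for 12 to 24 hours, a search form served from a full-page cache can carry an expired token, and hand-typed `?s=term` URLs will be rejected; both are worth checking before enabling this on a live site.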

    Thread Starter dluiso

    (@dluiso)

    Thank you very much @bcworkz, I will review and let you know.

  • The topic ‘Security Token in the WordPress search box’ is closed to new replies.