• Resolved ttodua

    (@ttodua)


    Setting save function (named “ajax_load_more”) doesn’t have nonce checks and has only an optional filter for check_ajax_referer. There must be checks against nonces to validate the call. current_user_can might also help.

    • This topic was modified 4 years ago by ttodua.
Viewing 1 replies (of 1 total)
  • Plugin Author anwppro

    (@anwppro)

    Hi,

    Thanks for your proposal, but I think there is no need to use a nonce. Ajax post loading is available for guests, and this action only gets a list of posts and their data.

    If I add a nonce, it can create a problem with caching plugins. And why do you want to check rights? It isn’t an admin part. And it doesn’t create or modify any info.

    Check out this article – https://konstantin.blog/2012/nonces-on-the-front-end-is-a-bad-idea/

    P.S.: The plugin has the possibility to add a nonce check. Simply add this code somewhere in your theme’s hooks.

    add_action( 'anwp-pg-el/config/check_public_nonce', '__return_true' );

    Hope it helps!
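As an added illustration of the opt-in pattern described in the reply (not the plugin’s own code, and not code from either poster): a read-only public AJAX handler that performs the nonce check only when a filter enables it, and hands a nonce to the browser only in that case, so cached guest pages are unaffected by default. The hook name is the one quoted above; the handler, action and script names (example_ajax_load_more, example_load_more, example-load-more) are hypothetical.

```php
// Added illustration, not the plugin's own code: a read-only public AJAX
// handler that lets the site owner opt in to a nonce check through a filter.
// The hook name is the one quoted in the reply; every other name is hypothetical.
add_action( 'wp_ajax_example_load_more', 'example_ajax_load_more' );
add_action( 'wp_ajax_nopriv_example_load_more', 'example_ajax_load_more' ); // guests too

function example_ajax_load_more() {
    // Default false so full-page caches can keep serving guests unchanged; a site
    // owner turns it on with add_filter( 'anwp-pg-el/config/check_public_nonce', '__return_true' ).
    if ( apply_filters( 'anwp-pg-el/config/check_public_nonce', false ) ) {
        // Third argument false: return instead of die(), so we can answer with JSON.
        if ( ! check_ajax_referer( 'example_load_more', 'nonce', false ) ) {
            wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
        }
    }

    // Read-only endpoint: validate and bound every input whether or not a nonce is required.
    $paged    = isset( $_POST['paged'] ) ? max( 1, absint( $_POST['paged'] ) ) : 1;
    $per_page = isset( $_POST['per_page'] ) ? min( 20, max( 1, absint( $_POST['per_page'] ) ) ) : 10;

    $query = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'publish', // never hand drafts or private posts to guests
        'paged'          => $paged,
        'posts_per_page' => $per_page,
        'no_found_rows'  => true,
    ) );

    $items = array();
    foreach ( $query->posts as $post ) {
        $items[] = array(
            'id'    => $post->ID,
            'title' => get_the_title( $post ),
            'url'   => get_permalink( $post ),
        );
    }

    wp_send_json_success( array( 'items' => $items ) );
}

// Front end: only embed a nonce when the check is enabled, so cached guest pages
// do not carry a token that stops validating after the 12-24 hour nonce lifetime.
add_action( 'wp_enqueue_scripts', function () {
    if ( apply_filters( 'anwp-pg-el/config/check_public_nonce', false ) ) {
        wp_add_inline_script( 'example-load-more', 'var exampleLoadMore = ' . wp_json_encode(
            array( 'nonce' => wp_create_nonce( 'example_load_more' ) )
        ) . ';', 'before' );
    }
} );
```

The browser-side script is assumed to post `paged`, `per_page` and, when present, `exampleLoadMore.nonce` as the `nonce` field to admin-ajax.php with `action=example_load_more`.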

  • The topic ‘Increase the security with nonces’ is closed to new replies.