[wp-trac] [WordPress Trac] #41617: wp_verify_nonce() check fails on several websites because of filter possibility in wp_nonce_tick()
WordPress Trac
noreply at wordpress.org
Mon Oct 9 13:43:18 UTC 2017
#41617: wp_verify_nonce() check fails on several websites because of filter
possibility in wp_nonce_tick()
--------------------------------------------+----------------------
 Reporter:  ReneHermi                       |       Owner:
     Type:  defect (bug)                    |      Status:  closed
 Priority:  normal                          |   Milestone:
Component:  Security                        |     Version:  4.8.1
 Severity:  critical                        |  Resolution:  wontfix
 Keywords:  dev-feedback 2nd-opinion close  |     Focuses:
--------------------------------------------+----------------------
Changes (by johnbillion):

 * status: new => closed
 * resolution: => wontfix
 * milestone: Awaiting Review =>

Comment:

It's unfortunate that this filter allows a plugin to easily break a site,
but there are dozens of filters in WordPress which are equally as
powerful. A wrong return value from `map_meta_cap`, `user_has_cap`,
`authenticate`, or `salt` for example will easily break your site, but it
doesn't serve anyone well to remove filters which are being misused.

I'd support some improved documentation for this filter, but beyond that
the best approach is to notify developers who are misusing this filter and
ask them to correct or improve their code.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41617#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform