[wp-trac] [WordPress Trac] #43667: signup_nonce_check does not use wp_verify_nonce.
WordPress Trac
noreply at wordpress.org
Fri Mar 30 14:18:15 UTC 2018
#43667: signup_nonce_check does not use wp_verify_nonce.
------------------------------------+-----------------------------
Reporter: herregroen | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: trunk
Severity: normal | Keywords:
Focuses: multisite |
------------------------------------+-----------------------------
Currently in multisite setups a nonce check is added to the signup form.
This check does not use the `wp_verify_nonce` function but instead creates
a new nonce and expects an exact match. Due to the nature of
`wp_nonce_tick` this means it's possible to generate nonces that are valid
for only a few seconds twice a day.
The error message to try again could also use improvement. Most users will
simply click the back button to try again, which will not generate a new
nonce but simply restore the old form with the old nonce from browser
memory.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43667>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
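To make the tick behaviour concrete, here is a self-contained PHP model of the WordPress nonce scheme (tick, create, verify) with an injectable clock. It is an added example, not code from WordPress core or from the ticket: `nonce_tick`, `create_nonce`, `verify_nonce`, the constants, the HMAC key and the `signup_form_deadbeef` action name are all stand-ins written for this illustration. It shows why regenerating a nonce and requiring an exact match fails the moment the tick rolls over between rendering and submitting the form, while a `wp_verify_nonce`-style check that also accepts the previous tick does not.

```php
<?php
// Added example: a model of the WordPress nonce scheme, not core code.
// The clock ($now) is passed in so a tick boundary can be reproduced offline.

const NONCE_LIFE = 86400;                // stands in for DAY_IN_SECONDS
const SECRET     = 'constructed-secret'; // stands in for the salted wp_hash() key

// Model of wp_nonce_tick(): the value changes every NONCE_LIFE/2 seconds,
// i.e. twice a day, which is what the ticket refers to.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// Nonce material for a given tick: HMAC over tick|action|uid, truncated
// to 10 characters the way core truncates its hash.
function nonce_for_tick(int $tick, string $action, int $uid): string {
    $mac = hash_hmac('md5', $tick . '|' . $action . '|' . $uid, SECRET);
    return substr($mac, -12, 10);
}

// Model of wp_create_nonce(): bound to the current tick only.
function create_nonce(string $action, int $uid, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action, $uid);
}

// Model of wp_verify_nonce(): returns 1 for the current tick (0-12h old),
// 2 for the previous tick (12-24h old), false otherwise. Constant-time compare.
function verify_nonce(string $nonce, string $action, int $uid, int $now) {
    $i = nonce_tick($now);
    if (hash_equals(nonce_for_tick($i, $action, $uid), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_for_tick($i - 1, $action, $uid), $nonce)) {
        return 2;
    }
    return false;
}

// The pattern the ticket objects to: regenerate and require an exact match.
function exact_match_check(string $submitted, string $action, int $uid, int $now): bool {
    return create_nonce($action, $uid, $now) === $submitted;
}

// The hardened form: accept the current or the previous tick.
function verified_check(string $submitted, string $action, int $uid, int $now): bool {
    return verify_nonce($submitted, $action, $uid, $now) !== false;
}

// Constructed scenario: the form is rendered 5 seconds before a tick boundary
// and submitted 5 seconds after it. Epoch values are arbitrary.
$action    = 'signup_form_deadbeef';  // hypothetical signup_form_<id> action
$uid       = 0;                       // anonymous visitor, as on the signup page
$boundary  = 1000 * (NONCE_LIFE / 2); // some tick boundary
$rendered  = $boundary - 5;
$submitted = $boundary + 5;

$nonce = create_nonce($action, $uid, $rendered);

printf("exact match, submitted across the boundary: %s\n",
    exact_match_check($nonce, $action, $uid, $submitted) ? 'pass' : 'FAIL');
printf("verify_nonce, submitted across the boundary: %s\n",
    verified_check($nonce, $action, $uid, $submitted) ? 'pass' : 'FAIL');
printf("verify_nonce, submitted 11 hours later:      %s\n",
    verified_check($nonce, $action, $uid, $rendered + 11 * 3600) ? 'pass' : 'FAIL');
```

Run it with `php` on the command line. The first line prints `FAIL` and the other two print `pass`: the exact-match check rejects a nonce that is ten seconds old because `nonce_tick()` moved from 1000 to 1001 in between, whereas the verify-style check still accepts it as a previous-tick nonce, and keeps doing so until the tick after that. A real fix in `signup_nonce_check` would therefore call `wp_verify_nonce()` on the submitted value instead of comparing it to a freshly created one.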