plugins - WordPress.Security.NonceVerification.Recommended


I am trying to program my first WordPress plugin. It works quite well so far, but I get some warnings when checking my plugin with Plugin Check (PCP). These are:

Line  Column  Type     Code                                                 Note                                              Edit link
95    27      WARNING  WordPress.Security.NonceVerification.Recommended     Processing form data without nonce verification.
95    59      WARNING  WordPress.Security.NonceVerification.Recommended     Processing form data without nonce verification.
143   48      WARNING  WordPress.Security.NonceVerification.Recommended     Processing form data without nonce verification.
143   73      WARNING  WordPress.Security.NonceVerification.Recommended     Processing form data without nonce verification.

The relevant code in line 95 reads:

// Nonce verification for pagination
if (isset($_GET['paged']) && !empty($_GET['paged'])) {
    if (!isset($_GET['_wpnonce']) || !wp_verify_nonce($_GET['_wpnonce'], 'pagination_nonce')) {
        echo '<p>Ungültige Anfrage. Bitte versuchen Sie es erneut.</p>';
        return;
    }
}

The relevant code in line 143 reads:

// Nonce verification for delete_selected
if (isset($_POST['delete_selected']) && isset($_POST['media_ids']) && is_array($_POST['media_ids'])) {
    if (check_admin_referer('delete_unused_media', 'delete_unused_media_nonce')) {
        delete_selected_media($_POST['media_ids']);
    } else {
        echo '<p>Ungültige Anfrage. Bitte versuchen Sie es erneut.</p>';
    }
}

Now I've been working for a few days on what I could change so that the warnings no longer appear, but I can't get it to work. Can anyone here help me?

asked May 30, 2024 at 13:19 by DerWebfuchsde

1 Answer

[Comparison] Had same issue with similar code, to get the inbound value from $_REQUEST['plugin']; same as your code wanting to get the inbound value from $_GET['paged'].

This code reads the $_REQUEST['plugin'] once and then uses that internal variable moving forward. If it does not exist, the code will still function with the string value of ''; which plays nice with empty(), etc.

$request = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';

Running 'Plugin Check (PCP) 1.2.0' identified 3 warnings with this single statement.

Starting with WordPress.Security.NonceVerification.Recommended.

Interestingly, all 3 warnings are referring to the exact same line and column (aka the exact same statement).

[Investigation] Tinkering with a whole bunch of code-mashing identified that 'column' was specifically pointing to the statement-of-interest in the warning.

~column 45 for $_REQUEST['plugin'] in my code.

~column 27 for !empty($_GET['paged']) in your code.

[Solution] By resolving the 2nd & 3rd warnings, the 1st warning disappeared. No more WordPress.Security.NonceVerification.Recommended.

Specifically by adding sanitize_text_field(wp_unslash( )) to the first statement that was trying to use the inbound value.

My original code:
$request = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';

My new code:
$request = isset($_REQUEST['plugin']) ? sanitize_text_field(wp_unslash($_REQUEST['plugin'])) : '';

Running 'Plugin Check (PCP) 1.2.0' now has no warnings; even the nonce disappeared.

[Recommendation] Could you please try sanitising the inbound value, before it gets used for the first time. In this case, it is being used as a parameter to empty().

Your original code:
if (isset($_GET['paged']) && !empty($_GET['paged'])) {

Your new code:
if (isset($_GET['paged']) && !empty(sanitize_text_field(wp_unslash($_GET['paged'])))) {

Then each use of an inbound value will also need to be sanitised, before being used in any comparison or assignment statements: $_GET['paged'], $_GET['_wpnonce'] and $_POST['media_ids'].

Take care when choosing which sanitize_ function to use, for each inbound value. Check out the official WordPress list of Sanitize functions and experiment to find the right one for each use-case.

You might not have to change anything for $_POST['delete_selected'] because it is only used in isset(); which seems to be immune to the warnings (guessing because it is not a comparison or assignment statement?).

Then running 'Plugin Check (PCP) 1.2.0' should no longer show the nonce warning.
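The pattern the answer recommends (read each inbound value once, wp_unslash() it, sanitize it, and verify the nonce before acting) applied to both of the asker's code paths, as an added example that is not part of the question, the answer or the asker's plugin. It goes beyond the answer by also showing the side that generates the nonces and by adding a capability check, since a nonce only proves the request came from a page this site rendered for this user, not that the user is allowed to delete media. Assumed names: the text domain 'my-plugin', the 'delete_posts' capability, the my_plugin_ function prefix, and the asker's existing delete_selected_media().

```php
<?php
// Added example, not the asker's plugin code. Assumes delete_selected_media() exists.

// Generating side: nonces are attached to the pagination links and the delete form.
function my_plugin_pagination_link( $page ) {
    $url = add_query_arg( 'paged', absint( $page ), admin_url( 'admin.php?page=my-plugin' ) );
    return wp_nonce_url( $url, 'pagination_nonce' ); // appends _wpnonce=...
}
function my_plugin_delete_form_fields() {
    wp_nonce_field( 'delete_unused_media', 'delete_unused_media_nonce' );
}

// Verifying side: returns the requested page number (1 if none), dies on a bad nonce.
function my_plugin_handle_pagination() {
    // Read $_GET['paged'] once; absint() is the sanitizer, since only an integer is valid.
    $paged = isset( $_GET['paged'] ) ? absint( wp_unslash( $_GET['paged'] ) ) : 0;
    if ( 0 === $paged ) {
        return 1; // no pagination requested, nothing to verify
    }
    // The nonce is inbound data too: unslash and sanitize it before verifying it.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'pagination_nonce' ) ) {
        wp_die( esc_html__( 'Invalid request. Please try again.', 'my-plugin' ) );
    }
    return $paged;
}

function my_plugin_handle_delete() {
    if ( ! isset( $_POST['delete_selected'] ) ) {
        return;
    }
    // check_admin_referer() verifies the nonce and dies on failure (via wp_nonce_ays()),
    // so the asker's else branch would never run. It does not check authorization.
    check_admin_referer( 'delete_unused_media', 'delete_unused_media_nonce' );
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete media.', 'my-plugin' ) );
    }
    // Sanitize every element: wp_unslash() recurses into arrays, absint() per id.
    $media_ids = ( isset( $_POST['media_ids'] ) && is_array( $_POST['media_ids'] ) )
        ? array_map( 'absint', wp_unslash( $_POST['media_ids'] ) )
        : array();
    $media_ids = array_filter( $media_ids ); // drop the zeros left by non-numeric input
    if ( ! empty( $media_ids ) ) {
        delete_selected_media( $media_ids );
    }
}
```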
