Closed hasnain37 closed 7 months ago
Fix WP nonce verification issue
Your plugin does not appear to be properly checking nonce values, you are calling wp_verify_nonce() outside of a conditional check, which will not stop execution of the code if the nonce is invalid
Examples from your plugin:
https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-registration.php?marks=111#L111 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-registration.php?marks=431#L431 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=265#L265 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=410#L410 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=369#L369 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=429#L429 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=508#L508 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/functions/wpfep-functions.php?marks=587#L587 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/functions/wpfep-functions.php?marks=571#L571
resolved in #131
hasnain37
commented
7 months ago
Fix WP nonce verification issue
Incorrect nonce checks
Your plugin does not appear to be properly checking nonce values, you are calling wp_verify_nonce() outside of a conditional check, which will not stop execution of the code if the nonce is invalid
Examples from your plugin:
https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-registration.php?marks=111#L111 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-registration.php?marks=431#L431 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=265#L265 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=410#L410 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=369#L369 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=429#L429 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/inc/class-wpfep-login.php?marks=508#L508 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/functions/wpfep-functions.php?marks=587#L587 https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.2/functions/wpfep-functions.php?marks=571#L571