From 0f54ea465ec34a7d28dae0502cf16a806d35276b Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle
Date: Mon, 17 Jul 2023 14:37:17 +0200
Subject: [PATCH] fix CSRF flaw
---
 includes/class-admin.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/includes/class-admin.php b/includes/class-admin.php
index 647805a..aae1b36 100644
--- a/includes/class-admin.php
+++ b/includes/class-admin.php
@@ -202,10 +202,13 @@ class Admin {
 }
 public static function save_user_description( $user_id ) {
- if ( isset( $_REQUEST['_apnonce'] ) && ! wp_verify_nonce( $_REQUEST['_apnonce'], 'activitypub-user-description' ) ) {
+ if ( ! isset( $_REQUEST['_apnonce'] ) ) {
 return false;
 }
- if ( ! current_user_can( 'edit_user', $user_id ) ) {
+ if (
+ ! wp_verify_nonce( $_REQUEST['_apnonce'], 'activitypub-user-description' ) ||
+ ! current_user_can( 'edit_user', $user_id )
+ ) {
 return false;
 }
 update_user_meta( $user_id, 'activitypub_user_description', sanitize_text_field( $_POST['activitypub-user-description'] ) );
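Review bot: The `update_user_meta()` call at the end of the hunk still reads `$_POST['activitypub-user-description']` without checking that the key is present, so a request carrying a valid `_apnonce` but no description field would raise an undefined-index notice and most likely overwrite the stored description with an empty string. The nonce is also taken from `$_REQUEST` while the payload comes from `$_POST`; assuming the nonce field is rendered in the same profile form, I would read both from `$_POST` and guard them together: `if ( ! isset( $_POST['_apnonce'], $_POST['activitypub-user-description'] ) ) { return false; }`. Passing the token through `sanitize_text_field( wp_unslash( ... ) )` before `wp_verify_nonce()` would also match the WordPress coding standards. The closing brace of `save_user_description()` lies outside the hunk.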