24 Jan 2024

WordPress Plugin Developers Need to Make Sure Their Nonce Checks Both Work if a Nonce Isn’t Sent or if the Nonce is Wrong

Yesterday, we released the results of a security review we did of a WordPress plugin. What we found while reviewing the changes made to address the problems we had found is a good reminder that security fixes need to be checked over carefully. Not all of the fixes had been properly implemented, which left a vulnerability still in the plugin. One of those incomplete fixes was a logic failure in a nonce check meant to prevent cross-site request forgery (CSRF). Developers need to make sure their nonce checks work both when a nonce isn’t sent at all and when the nonce that is sent is wrong. Otherwise, a CSRF vulnerability can remain, since preventing that type of vulnerability requires that a valid nonce be sent and that it validate.

Here is the nonce check that was added:

if ( ! isset( $_POST['activate_nonce'] ) && ! wp_verify_nonce( $_POST['activate_nonce'], 'activate_plugin_nonce' ) ) {
	// Only reached when the nonce is missing AND verification fails (the logic error).
	return;
}

If the nonce doesn’t exist and the nonce verification fails, that stops the code running. That works properly when no nonce is sent, since both conditions are then true. But if a nonce is sent and it isn’t valid, the first condition is false, so the && never gets as far as the verification and the code keeps running when it should have stopped.

What code like that should do is stop the code running if either of the conditions fails:

if ( ! isset( $_POST['activate_nonce'] ) || ! wp_verify_nonce( $_POST['activate_nonce'], 'activate_plugin_nonce' ) ) {
	// Reached when the nonce is missing OR verification fails.
	return;
}

One way to avoid this situation is to test the check by sending requests with the nonce missing and with a wrong nonce value. That way, even if you miss that the code’s logic is wrong, you will be able to tell that it isn’t working right.
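To show the difference between the two checks without a WordPress install, here is an added example (not the plugin’s or WordPress’s code) that models both versions of the check and runs them against the three request shapes a tester should try: nonce missing, nonce wrong, and nonce valid. wp_verify_nonce() is stubbed with a constant-time string comparison against a constructed placeholder token so the script runs under plain php on the command line; the real WordPress function ties the nonce to the action, the user session and a time window, and returns 1 or 2 for a valid nonce or false otherwise. The function names broken_check_blocks() and correct_check_blocks() are hypothetical names chosen for this example.

```php
<?php
// Added example, not code from the reviewed plugin or from WordPress.
// Models the buggy (&&) and corrected (||) nonce checks and runs both
// against a missing, a wrong and a valid nonce.

const EXPECTED_NONCE = 'deadbeef01'; // constructed placeholder, not a real WordPress nonce

if ( ! function_exists( 'wp_verify_nonce' ) ) {
	// Stub standing in for WordPress's wp_verify_nonce(): returns 1 on a
	// match and false otherwise. The real function also checks the user
	// session and a time window; that is out of scope for this model.
	function wp_verify_nonce( $nonce, $action = -1 ) {
		if ( ! is_string( $nonce ) || $nonce === '' ) {
			return false;
		}
		return hash_equals( EXPECTED_NONCE, $nonce ) ? 1 : false;
	}
}

// The check as it was originally added: blocks only when the nonce is
// missing AND fails verification. `?? null` avoids an undefined-index
// warning in the model; it does not change the logic being demonstrated.
function broken_check_blocks( array $post ) {
	if ( ! isset( $post['activate_nonce'] ) && ! wp_verify_nonce( $post['activate_nonce'] ?? null, 'activate_plugin_nonce' ) ) {
		return true;  // request blocked
	}
	return false;     // request allowed through
}

// The corrected check: blocks when the nonce is missing OR fails verification.
function correct_check_blocks( array $post ) {
	if ( ! isset( $post['activate_nonce'] ) || ! wp_verify_nonce( $post['activate_nonce'] ?? null, 'activate_plugin_nonce' ) ) {
		return true;
	}
	return false;
}

// Constructed request bodies: the two a tester should send by hand, plus a valid one.
$cases = array(
	'nonce missing' => array(),
	'nonce wrong'   => array( 'activate_nonce' => 'not-the-nonce' ),
	'nonce valid'   => array( 'activate_nonce' => EXPECTED_NONCE ),
);

printf( "%-14s %-8s %-8s\n", 'request', 'broken', 'fixed' );
foreach ( $cases as $label => $post ) {
	printf(
		"%-14s %-8s %-8s\n",
		$label,
		broken_check_blocks( $post ) ? 'blocked' : 'ALLOWED',
		correct_check_blocks( $post ) ? 'blocked' : 'ALLOWED'
	);
}
```

Running it prints one row per request. Both versions block the missing-nonce request and allow the valid one, but only the corrected check blocks the wrong-nonce request; the original version shows ALLOWED on that row, which is exactly the case a hand test with a bogus nonce value would have caught.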


Need Help Fixing a Vulnerability in Your Plugin?

We are happy to help you get it fixed for free, since warning the customers of our service about vulnerabilities in their plugins isn't very useful if there isn't a fixed version available.