07 Nov

Is Poor Documentation To Blame For Some of The Security Vulnerabilities Related to WordPress’ AJAX Functionality?

One of the frequent causes of vulnerabilities being disclosed in WordPress plugins these days involves in part functions that are made available through WordPress’ AJAX functionality that don’t have the proper restrictions on who can access them. In many instances this involves functions that are made available to anyone logged in, despite only being intended for [Read more]

16 May

Security Tip for Developers: Make Sure To Check a User’s Capabilities When Processing an Admin AJAX Request

One common cause of security issues with WordPress plugins that we continue to see happening is a failure to properly check on whether a user should be able to use admin AJAX functions they are sending requests to. Since the wp_ajax_ hook makes the AJAX function accessible to any logged in user, without checking their capabilities even a Subscriber level [Read more]