
fix: strengthen nonce verification across plugin#225

Merged
sushmak02 merged 5 commits into release-candidate from fix/nonce-verification on Feb 24, 2026

Conversation

@akshayurankar48
Contributor

Summary

  • Replace generic 'ajax_nonce' action with 'bsf_meta_box_ajax_nonce' to prevent cross-plugin collision
  • Replace basename(__FILE__) nonce action with explicit 'bsf_meta_box_nonce_action'
  • Gate bsf_reset_options() behind $nonce_verified flag so it only executes after a per-option nonce check passes
  • Sanitize nonce and option values in reset handler

Test plan

  • Verify meta box save works (nonce action changed)
  • Verify oEmbed preview works (nonce action changed)
  • Verify file upload in meta boxes works (nonce action changed)
  • Verify settings reset buttons work for each schema type

Fixes #220

- Replace generic 'ajax_nonce' action with 'bsf_meta_box_ajax_nonce'
  to prevent cross-plugin nonce collision
- Replace basename(__FILE__) nonce action with explicit
  'bsf_meta_box_nonce_action' string
- Gate bsf_reset_options() behind $nonce_verified flag so it only
  executes after a per-option nonce check passes
- Sanitize nonce and option values in reset handler

Fixes #220
@akshayurankar48 akshayurankar48 changed the base branch from master to release-candidate February 24, 2026 01:54
@sushmak02
Contributor

@akshayurankar48 Resolve conflicts in this PR

Resolved conflicts in init.php and admin/index.php:
- bsf_force_send(): sanitize nonce with sanitize_text_field(wp_unslash()) + correct action 'bsf_meta_box_ajax_nonce'
- bsf_oembed_ajax_results(): sanitized nonce + capability check + wp_send_json_error() instead of die()
- Added isset() guard on $_REQUEST['field_id']
- Replaced die() with wp_die() at end of AJAX handler
- admin/index.php: kept $nonce_verified flag initialization, removed extra blank lines
- Align 'post_id' double arrow with 'bsf_meta_box_ajax_nonce' in array
- Align $return equals sign with $field_id assignment
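The pattern described in the PR summary and in the conflict-resolution notes above, as an added illustrative example that is not the plugin's own code: a hypothetical AJAX handler that verifies a plugin-specific nonce action, sanitizes the request values and checks capability before doing work, and a reset handler that only runs the reset once a per-option nonce check has passed. The handler names, `$_POST`/`$_REQUEST` field names, capabilities and the reset helper body are assumptions; `sanitize_text_field`, `wp_unslash`, `wp_verify_nonce`, `wp_send_json_error` and `wp_die` are real WordPress functions.

```php
<?php
// Added example, not the plugin's own code: handler names, field names,
// capabilities and the reset helper body are assumptions.

// Hypothetical AJAX handler modelled on the hardened bsf_oembed_ajax_results().
function example_bsf_ajax_handler() {
    // Unslash and sanitize the raw request value before verifying it.
    $nonce = isset( $_REQUEST['nonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ) : '';
    // Plugin-specific action string: with a generic 'ajax_nonce' action, a nonce
    // minted by any other plugin using that same name would verify here as well.
    if ( ! wp_verify_nonce( $nonce, 'bsf_meta_box_ajax_nonce' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }
    // A nonce proves intent, not authorization: check capability separately.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    // Guard the parameter instead of reading an undefined index.
    if ( ! isset( $_REQUEST['field_id'] ) ) {
        wp_send_json_error( array( 'message' => 'Missing field_id' ), 400 );
    }
    $field_id = sanitize_key( wp_unslash( $_REQUEST['field_id'] ) );
    echo wp_json_encode( array( 'field_id' => $field_id ) );
    wp_die(); // wp_die() rather than die(): goes through WordPress's AJAX die handler.
}
add_action( 'wp_ajax_example_bsf_handler', 'example_bsf_ajax_handler' );

// Hypothetical reset handler: the reset runs only after a per-option nonce
// check has passed, never on the presence of a $_POST button alone.
function example_bsf_handle_reset( array $option_names ) {
    $nonce_verified = false;
    $to_reset       = array();
    foreach ( $option_names as $name ) {
        $button = 'reset_' . $name;
        if ( ! isset( $_POST[ $button ], $_POST[ $button . '_nonce' ] ) ) {
            continue;
        }
        $nonce = sanitize_text_field( wp_unslash( $_POST[ $button . '_nonce' ] ) );
        // One action per option, so a nonce issued for one option cannot reset another.
        if ( wp_verify_nonce( $nonce, 'bsf_reset_' . $name ) ) {
            $nonce_verified = true;
            $to_reset[]     = sanitize_key( $name );
        }
    }
    if ( $nonce_verified && current_user_can( 'manage_options' ) ) {
        array_map( 'delete_option', $to_reset ); // stands in for bsf_reset_options()
    }
}
```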
@akshayurankar48
Contributor Author

@akshayurankar48 Resolve conflicts in this PR

Updated @sushmak02

@sushmak02 sushmak02 merged commit 47eef5f into release-candidate Feb 24, 2026
2 checks passed
@sushmak02 sushmak02 deleted the fix/nonce-verification branch February 24, 2026 08:03

Successfully merging this pull request may close these issues.

Security: Fix nonce verification issues