I am developing a custom theme from scratch and created a custom post type, and I am getting this warning while editing the custom post type. I also designed a custom meta box with two input fields and use a nonce in it. Any help removing these warnings? Here is the code of the custom metabox in functions.php //Custom Metabox function register_book_meta_box(){ add_meta_box('book_meta_box_id', 'Book Detail','design_book_meta_box','books','advanced','high'); } add_action('add_meta_boxes','register_book_meta_box'); function design_book_meta_box($post){ wp_nonce_field(basename(__FILE__),'book_cpt_nonce') ?> <div> <label for="book-author">Author Name&nbsp;&nbsp;</label> <input type="text" name="book-author" placeholder="Author Name" value="<?php echo get_post_meta( $post->ID, 'book-author-key', true );?>"> </div> …
During my pentest of a client's websites I stumbled upon a WP site with the vulnerable WP Statistics plugin installed. To exploit this vulnerability, I should send a JSON-API request to the endpoint /json-api/wp-statistics/v2/.... The problem is I must send a correct _wpnonce along with my request. I found a cool explanation here: https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042 They recommend extracting the _wpnonce value from the legitimate URLs in the website page source. But I don't see similar URLs anywhere. My guess is that the plugin installed …
I am refactoring my plugin that resets the WordPress database tables back to their defaults and came across an issue. The form submission itself works fine. However, after the first submit, if you do not refresh the page and submit the form again, the nonce seems to fail. Perhaps there is someone who fully understands how nonces work, as I am not sure what is causing this. I have the necessary check for wp_nonce_field and check_admin_referer on the administration …
For a personal plugin (nothing going to the public or commercial), I built an AJAX form whose endpoint is a custom endpoint (REST API). When a certain page containing my form is accessed, I generate a nonce. Then, the user sends the form, I add the conventional header (X-WP-Nonce), and in the endpoint function I validate the nonce I first created when the page was loaded. I would like my nonce to be short-lived, that is, 12 hours is …
I have a site with a page where there's one form in the sidebar, and one in the main body of the page. The sidebar comes first in the HTML. Both forms have their own nonces (generated with wp_nonce_field) with different $action and $name parameters. The $referrer fields are on. When I submit the second form, I get the usual "Are you sure you want to do this?" message. If I remove the first form, things work correctly. I added …
I am having problems authenticating a user after logging in using a custom endpoint using the WordPress REST API. I'm aware that this is not the perfect approach but I am just trying to make a few custom routes so that I can prototype a mobile app. I have searched countless forums and I have looked at a number of other answers but I can't seem to find out what the problem is in my code. Code to create a …
I'm making an Ajax call in an Elementor site, and I'd like to use a nonce while doing it. Since my code is really simple, I didn't create a new JS file for it; it is placed in Elementor's HTML widget, and I handle the request in the functions.php file. I realized that the best way is to use wp_localize_script to make both the nonce and the Ajax URL available on the client side, but the function is asking for a file …
Recently, I believe after switching to WP 5, non-admin users are randomly getting the following error when previewing a post: "The link you followed has expired. Please try again." I am suspecting this is due to some conflicts with the theme or some plugins. Unfortunately the theme is not supported. I am aware that it would be wise to switch to a supported theme, but in the meanwhile, where should I start investigating? This similar post points out …
I have run into an issue with nonces becoming invalid, and being unable to refresh to a new nonce. In my example I have a Facebook Connect button and a Facebook Disconnect button, each with their own nonce. Once either one of these buttons is pressed, an AJAX call is made, and the other button is sent through AJAX and displayed on the page instead. For the sake of the example, we're starting with the Facebook Connect button. <button type="button" id="facebook-connect-button" …
I'm maintaining a WordPress site on GoDaddy for a client and they started to get the "this link has expired" error when they saved a post. It does not happen when I upload a file. However, I am getting an "http error" error when I try to upload a file. I've done some research; everyone who experiences this error seems to find a solution with updating the php config files to allow larger uploads, longer input times and so forth. …
I've created an admin page where I'm displaying a list of a MySQL Table using WP_List_Table. In this table I need to be able to delete a record when I want to. And that's where I have a problem. To delete a record I've set up the following code. class Genres_List extends WP_List_Table { [...] public static function delete_genre( $id ) { global $wpdb; $wpdb->delete( "{$wpdb->prefix}genres", [ 'id' => $id ], [ '%d' ] ); } function column_cb( $item ) …
I have a use-case where I have a WordPress site and an ASP .NET Core Restful API backend. I use the WordPress site entirely for the frontend, CMS, and user authentication. On certain pages of my WordPress site, I've embedded React apps. The React app does some API calling to my ASP .NET Core server. Now, I would like to know what is the best way to verify which signed-in WordPress user requested the API in ASP …
Here's an interesting experiment: Go to the WordPress plugins listing page and notice that the activate and deactivate links all have a nonce part in the request. In a second tab, log out of the site, and go back to the plugin listing page. After a while, the page realizes it's not logged in, and pops up a log in screen. Log in, and click an "activate" or "deactivate" button. Notice it gives the nonce-failure message, "are you sure you want to do this"? Because the …
I'm trying to display a WP_List_Table inside a metabox. The metabox is for questions which are from the assessment_question custom post type. The metabox is being displayed on another custom post type, 'cs_questionnaire'. The table columns display some data taken from questions. Also I am using bulk actions to link questions to a questionnaire. What's happening is that it all looks fine until I click the Publish/Update button on the custom post type edit screen. If the WP_List_Table has bulk actions …
This example is specifically related to WooCommerce but apparently the same question also applies to WordPress. Hence I believe this question is relevant to this forum. Here goes the example: I create a customized WooCommerce theme with special cart and checkout ajax handlers. WooCommerce has implemented cart and checkout ajax endpoints with a special security token called a nonce. I see two methods of implementing a nonce in the theme: 1) Insert a nonce field into the html form element: <?php wp_nonce_field( 'woocommerce-process_checkout' ); …
WP version is 5.5.3. I have 3 API routes set in a plugin that is used in an admin dashboard page. One route is meant to be used "publicly". I have two very curious issues happening: My 3 admin-centric routes do not specify permission_callback. I should be getting notices but I do not, when the docs and WP core functions say it will throw a doing_it_wrong error. My 4th public route does have 'permission_callback' => '__return_true' set. I receive a …
I would like to understand the best practices regarding nonce validation in REST APIs. I see a lot of people talking about the wp_rest nonce for REST requests. But upon looking at the WordPress core code, I saw that wp_rest is just a nonce to validate logged-in user status; if it's not present, it just runs the request as a guest. That said, should I submit two nonces when sending a POST request to a REST API? One for authentication wp_rest …
Random question, but I can't work it out or find a solution. I need to find a way to change the WordPress "nonce" message. I'd like to replace "nonce" with "error" when it's output as a message. Here in the UK "nonce" is a common term for a child sex offender and I'm getting complaints. Basically I just need a way so users never see the word "nonce" on the site. It's used in schools so the browser …
I have a log out link in the main header menu; when you click on the link to log out, you are redirected to the page asking if you really want to log out. I know it's doing this because there is no nonce in the menu URL. My question is: is it even possible to add a nonce in CMS Appearance > Menus on the edit menus screen? The URL is something like: example.com/wp-login.php?action=logout&redirect_to=http://example.com/myaccount/&_wpnonce= Just for giggles I tried adding wp_create_nonce('logout') …
I am trying to implement CSP on my WordPress site. Inspired by this question, https://stackoverflow.com/questions/50002041/adding-nonce-to-script-tag I tried to build a way to add nonces to my WordPress site. add_action( 'run_custom_nonce_value', 'custom_nonce_value' ); function custom_nonce_value () { $created_nonce = wp_create_nonce(); define( 'NONCE_RANDVALUE', $created_nonce ); } This function was directly taken from the Stackoverflow link mentioned above. It creates nonce values using wp_create_nonce(). The major problem is that it creates a nonce but doesn't update it. Refreshing my WordPress site still shows …