Changeset 12520

Timestamp:

03/31/2023 01:18:15 AM (6 months ago)

Author:

dd32

Message:

Plugin Directory: Check for the bulk action nonce after we've verified this is the intended action.

The form uses GET requests and sends over action=-1 for innoculous things like search :( so this is hit for more code paths than just performing actions on the page.

Followup to [12517].
See #6903.

File:

• sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-customizations.php (modified) (2 diffs)

sites/trunk/wordpress.org/public_html/wp-content/plugins/plugin-directory/admin/class-customizations.php

@@ -241 +241 @@
         }
 
-        check_admin_referer( 'bulk-posts' );
-
         $action = array_intersect(
             [ 'plugin_open', 'plugin_close', 'plugin_disable', 'plugin_reject' ],
@@ -251 +249 @@
             return;
         }
+
+        check_admin_referer( 'bulk-posts' );
 
         switch( $action ) {