Is disabling test_form in wp_handle_upload a security concern?

I wouldn’t say security concern – since you’re using this plugin within the admin (I presume after the user has been authenticated i.e. after admin_init), then already you’ve got protection against any Jon Doe posting a form to your script.

What it does provide, is an additional layer of authentication. All it really boils down to is sending a ‘secret’ along with the form, and then checking for it’s existence (and that it matches) before continuing.

For an attacker, they’d need to know this secret in order to breach, for example, using CSRF or XSS.

This is the very nature of how WordPress nonces work. In fact you’d be a lot better off using these instead of test_form. They go one step better in that they’re secrets that expire, so the window for an attacker is made even smaller.

Check out Jaquith’s article on Nonces.

Related Posts:

  1. How to store username and password to API in wordpress option DB?
  2. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  3. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  4. Nonces can be reused multiple times? Bug / Security issue?
  5. Can someone explain what wp_session_tokens are, and what are they used for?
  6. WordPress and PHP Sessions – Security and Performance
  7. What is the difference between esc_html and wp_filter_nohtml_kses?
  8. Nonce in settings API with tabbed navigation
  9. Log in from one wordpress website to another wordpress website
  10. Escaping built-in WP function return strings
  11. What is the difference between strip_tags and wp_filter_nohtml_kses?
  12. WP Cron doesn’t save or in post body
  13. WordPress restrict plugin file direct access
  14. Plugin development: is adding empty index.php files necessary?
  15. Confusion on WP Nonce usage in my Plugin
  16. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  17. Correct way check nonce (security) using old Options API
  18. Why do I need to check if wp_nonce_field() exists before using it
  19. Is there any way to check for user login and send him to login?
  20. WordPress security issue to output data from user input from theme option form
  21. Verify if user is wordpress logged in from another app since wordpress 4.0
  22. Secure Pages Best Practice
  23. Securing/Escaping Output of file content – reading via fread() in PHP
  24. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  25. Video Security just like facebook [closed]
  26. How to connect my wordpress plugin to a remote database securely?
  27. wp_nonce_field displaying twice
  28. Is it necessary to do validation again when retrieving data from database?
  29. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  30. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  31. add_submenu_page hooked function must explicitly check user capabilities – why?
  32. Are there any security risks when submitting data-attribute data through AJAX?
  33. Why would you use esc_attr() on internal functions?
  34. Is it possible to use WP-CLI in a plugin (or theme)?
  35. Secruity Questions on a timer
  36. Using HTML links within translatable string
  37. How can I save a password securely as a settings field
  38. Using password protection to load different page elements?
  39. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  40. How to store sensitive user data (passwords)
  41. How do I make secure API calls from my WordPress plugin?
  42. esc_attr() on hard coded string
  43. how to add security questions on wp-registration page and validate it
  44. Experts opinions needed: How (in)secure is this approach?
  45. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  46. Data Validation, dynamically generated fields (select for example)
  47. esc_url, esc_url_raw or sanitize_url?
  48. Change the_title() of a page dynamically
  49. Adding more options to the instance of an image. (Attachment Display Settings)
  50. What is wrong with using add_option with Multisite instead of add_blog_option in a plugin
  51. Trouble with Transient API when W3TC is activated [closed]
  52. WordPress REST API call generates nonce twice on every call
  53. Filters ‘request’ and ‘parse_query’ not firing in sites.php nor link-manager.php
  54. How to trap “Publish” button to check for meta box validation?
  55. How to use filter hook ‘post_updated_messages’ in coherence with action hook ‘save_post’
  56. $wp_filesystem returns NULL. What are the dependencies?
  57. wp_mail not recognizing cc and bcc headers
  58. set_sale_price in WooCommerce [closed]
  59. Adding extra pages to plugin that shouldn’t appear in the sidebar
  60. jquery document ready function not being called [closed]
  61. How do I include background images in my stylesheets in a plugin?
  62. Custom plugin icon not showing up
  63. I’m designing a plugin to create database indexes. Suggestions?
  64. $reverse_top_level works the opposite way according to Codex?
  65. How to serve different thumbnails/images depending on users browser/platform
  66. How to export post meta with images in wordpress
  67. Parse form values before sending to options.php
  68. My WordPress plugin cannot load my JavaScript file
  69. Password field is empty when using wp_signon();
  70. Show error message after exception handled
  71. Plugin – Make sure jquery is loaded in my settings page plus my JS file
  72. wp_editor add media button not working
  73. Plugin Development – Class Constructor Not Firing wp_enqueue_style action hook
  74. Alternative functions for mysql_free_result and mysql_ping in wordpress functions
  75. Getting a WordPress Debug Strategy
  76. Add function after the_content
  77. How remove trashed WooCommerce orders from wc_get_orders() result?
  78. How do I get variables from my plugin’s settings page?
  79. Unexpected T_FUNCTION
  80. How to avoid conflicts with db.php / $wpdb and other plugins that decide to use them?
  81. How To Protect Plugin Display From Being Affected By Theme’s CSS
  82. Is there an action_filter hook to add content before the post title?
  83. How to correctly escape an echo
  84. Securing a plugin pop-up window
  85. Add quick edit functionnality to plugin table
  86. Hide / show settings field based on other field’s value
  87. using wordpress acf shortcods in tables goes outside the table
  88. $_SESSION inside php function executed by AJAX
  89. Two same AJAX calls – one is working, other doesn’t
  90. remove different admin menu for specific users
  91. add pagination to wp_remote_get
  92. Shortcode from a plugin not working
  93. How to get option values without requiring wp-load?
  94. Problem with baseurl and interaction with plugin
  95. Downloading Generated XML File
  96. Can’t get query string in ajax call
  97. How to use permalink query to go to specific tabs in posts
  98. Conditional query tags do not work before the query is run. Before then, they always return false
  99. Send Webhook when post-status is publish or trash
  100. Call API on post save/update and show the result in admin area