Is wp_nonce_field vulnerable if you know the action name?

Short answer: No. You can use normal strings for actions, md5’ing them doesn’t change anything.

The nonce is built from three main pieces of information:

  • Time: The current time() divided by 43200 is worked into the nonce. This is what lets the nonce be changed every 12 hours (43200 seconds in 12 hours).

  • The action string you provide. More on this below.

  • The user ID. Every user gets different nonces.

Now, these elements are concatenated, and then the nonce itself is (a smaller piece of) the wp_hash() of this combined string. The wp_hash() function automatically salts the hash, in this case using the NONCE_KEY and NONCE_SALT constants, which should be defined in your wp-config.php file, and which should be unique to your particular site.

(Note that if you happen to have the default of “put your unique phrase here” in that file for whatever reason, WordPress generates random 64 character values for the keys/salts internally and stores them in the database. It won’t use the default values as actual salts. It also won’t let you use duplicate keys or salts for any of the values. Still, you should have the keys and salts defined in the wp-config.php file, and not rely on this. You can get randomized lines for that file from here: https://api.wordpress.org/secret-key/1.1/salt/)

So in order to duplicate a nonce, you need all this information. Time and user ID can probably be deduced. The action string may be known. But the salt is a secret value that should not be known by an attacker, and this makes it infeasible to duplicate the nonce.

That said, the “action” string should be as unique as possible to the specific case. It should be different for each action, like delete_thing vs. update_thing vs. create_thing. And it should contain some “ID” if it is acting on a specific thing, so like “delete_thing_123” for that specific thing.

It doesn’t necessarily add any real security to include complex data in the action string, like the MD5 hash of something. The nonce is already built using the HMAC message digest method with salted secret values. But, the nonce will be the same for the same action, so the action should be specific to the case, in order to make the nonce unpredictable across multiple cases. A nonce used to delete one item won’t delete any item, type of thing.

Also be aware that action values to generate nonces should be entirely internally generated. In no case should user input be used to determine the action which generates the nonce. If a user can inject data to determine the action string, then they can get nonces in advance. Nonces need to be unique static strings with possibly ID’s concatenated to them.

TL;DR: Use a plain string with an ID (if having an ID makes sense). It’s just fine.

Related Posts:

  1. Nonce actions and names available via open source
  2. Should I use wp_nonce_field on my contact form?
  3. Nonces and Cache
  4. Can I verify nonce which was generated on a different WP site?
  5. When is it useful to use wp_verify_nonce
  6. Help with forms and nonces
  7. not logged in users can’t submit form
  8. wp_create_nonce function doesn’t work inside a plugin?
  9. Using Contact Forms to Send Private Information [closed]
  10. Can you have more than one nonce on a page?
  11. How to stop direct HTTP POST to a PHP script?
  12. Should wordpress nonce be placed in html form or in javascript file
  13. whether a nonce is required for get type and get_query_var?
  14. CSRF attack to create USER
  15. Passing form data on submit
  16. wp_nonce for Front-End submission form not working
  17. How to define form action in JSF?
  18. How to display user registration form on front-end of the website?
  19. Best way to create multi-step form with data saved to user account for later updating?
  20. Handling nonces for actions from guests to logged-in users
  21. Where should my plugin POST to?
  22. recommended practice for form submission
  23. Built-in data validation function for URLs
  24. Checkbox won’t check when label is clicked
  25. Trying to save and display a wp_editor()
  26. Contact forms going into spam folder
  27. Performing a POST action on homepage goes to posts page
  28. creating form for wp_remote_post
  29. How to know what submit button the user clicked?
  30. CRUD front end for mySQL in WordPress
  31. How to edit custom user meta information front end
  32. Google Map Latitude and Longitude values in form
  33. How to properly add a custom submenu to the user’s admin menu
  34. How can I find actual logic php file in form’s action path?
  35. How do I use the info submitted in a form to create a form reception page? (like “thank you {firstName}”) [closed]
  36. WordPress form to shortcode
  37. Create Contact7 Form programmatically [closed]
  38. recaptcha working on local but not on live wordpress sites [closed]
  39. User input form field value validation ninja forms 3
  40. Using form parameters within a WordPress “Page”
  41. Can I make Contact Form 7 change over to a new page? [closed]
  42. A mandatory agreement form to access another page?
  43. Creating short code for search form
  44. nonce in custom form is not verifying
  45. textarea field is getting escaped for some unknown reason
  46. Use $_POST data in functions.php
  47. Where to add css file that I want my forms to use?
  48. Why do Metabox use Nonces?
  49. Downloadable content only for subscribers?
  50. The Correct Way to Use Nonce Field without Settings API
  51. How to Collect Keyword and Search Engine Data on Webforms?
  52. free form wordpress
  53. Form submission in WordPress front end
  54. form action wordpress and php
  55. Show button once Contact form 7 is submitted
  56. WordPress Emails & Contact Forms [closed]
  57. How to move HTML form to WP Theme
  58. Does this code indicate an exploit?
  59. Is there a reset_button()?
  60. How can I modify labels in default wordpress registration form? [duplicate]
  61. Display number of sign-ups [closed]
  62. Contact form submit, having to click twice
  63. Form within thickbox
  64. Restore Cforms II Form Presets
  65. Making an input field required from WP’s perspective
  66. How to take large file uploads from users the right way
  67. Cannot modify header form resubmits data on refresh
  68. wordpress forms submit
  69. wordpress blog, is there a way to make anyone post in a blog without having login info
  70. gravityform – retrieve multiple check answers “keys” instead of “values”
  71. Code for front end validation for forms not working
  72. using esc_html_e string in custom form using code snippets
  73. How do I implement form handling when form is custom HTML?
  74. Forms cut off when on mobile
  75. Sorting wordpress data in excel
  76. Quickly Maintain/edit 100+ WordPress Forms on multiple websites
  77. Pricing depending on selected items in a multi step form
  78. Prevent malicious scripts to be submitted in post
  79. Sending Form data as Attachment
  80. Trigger action when submitting form with WPForms [closed]
  81. Form submissions that require users ID# [closed]
  82. Unable to submit form using admin post wordpress
  83. check_admin_referer not working in custom meta box for custom post type
  84. Form data from wordpress theme to be submitted in other site url
  85. Send contact form to a specific referrer-email adres
  86. wp_verify_nonce fails always
  87. Pay before posting (frontend insert post)
  88. admin_post in object oriented plugin
  89. Contact form spam, without form?
  90. How to use the in WP
  91. Using Nonce for my Form
  92. How to send form values from the script in functions.php and not from the form on my website?
  93. How do I capture the selected option and pass in sending the registration form?
  94. Issue with contact form 7
  95. Advanced searching form
  96. Will my WordPress site become vulnerable after adding this functions which allows more HTML tags for subscribers?
  97. Cannot access a file in the theme (twentynineteen-child) folder
  98. Dropdown List Won’t Display Selected Option After Submit / Refresh
  99. Is it possible to change the error message “This is a required field” for all checkout fields? [closed]
  100. How to reproduce the post format field in a front end form?

Leave a Comment