The use of `$_POST['action']` in the `WP_Query` and as a dynamic action name is dangerous, and in the code triggers the handler on all AJAX requests, even those you don't want. This is unavoidable and a dead end that cannot be fixed. Alternatives are mandatory.

Instead, use a static, non-dynamic action name, e.g. `mathieu_loadmode_post_archive` or `mathieu_loadmode_taxonomy_archive`, then pass the post type or taxonomy name in your JavaScript's AJAX the same way you're passing `tax_term` or `tax_post_type`.
Other notes:
- Do not use relative paths for `admin-ajax.php`; the examples use localised data or absolute paths for a reason. Your code will fail if your URL structure needs more than on.. with relative paths.
- Whitelist those options; only allow a limited subset of values. Right now I could request any data I want from your site, or ask it for something extremely slow and expensive. User data is not trustworthy; don't pass it into APIs/classes without checks. E.g. what's to stop me adding a `meta_value` parameter, or one of the `__not_in` parameters, or requesting all posts by an author for an internal post type that's not meant to be accessible?
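An added example, not code from the question or from this answer, of the static action name plus allow list the answer describes: the handler is registered under one fixed action, and the post type and taxonomy from the request are checked against a server-side list before anything reaches `WP_Query`. The allowed post types, the `taxonomy` and `paged` parameters, and the script handle are assumptions.

```php
<?php
// Added example: a static AJAX action whose client-supplied post type and taxonomy
// are checked against a fixed allow list. Only mathieu_loadmode_post_archive,
// tax_post_type and tax_term come from the original thread; the rest is assumed.

const MATHIEU_ALLOWED_POST_TYPES = array( 'post', 'portfolio' );   // assumed public types
const MATHIEU_ALLOWED_TAXONOMIES = array( 'category', 'post_tag' ); // assumed taxonomies
const MATHIEU_MAX_PER_PAGE       = 12; // server-chosen cap, never taken from the request

function mathieu_loadmode_post_archive_handler() {
    // Read and normalise the client-supplied values; they are still untrusted here.
    $post_type = isset( $_POST['tax_post_type'] ) ? sanitize_key( wp_unslash( $_POST['tax_post_type'] ) ) : '';
    $taxonomy  = isset( $_POST['taxonomy'] ) ? sanitize_key( wp_unslash( $_POST['taxonomy'] ) ) : '';
    $term      = isset( $_POST['tax_term'] ) ? sanitize_title( wp_unslash( $_POST['tax_term'] ) ) : '';
    $paged     = isset( $_POST['paged'] ) ? max( 1, absint( $_POST['paged'] ) ) : 1;

    // Whitelist: anything not on the fixed lists is rejected, not passed on to WP_Query.
    if ( ! in_array( $post_type, MATHIEU_ALLOWED_POST_TYPES, true ) ) {
        wp_send_json_error( 'unknown post type', 400 );
    }
    if ( '' !== $taxonomy && ! in_array( $taxonomy, MATHIEU_ALLOWED_TAXONOMIES, true ) ) {
        wp_send_json_error( 'unknown taxonomy', 400 );
    }

    // The query arguments are built from server-chosen keys only, so a client cannot
    // smuggle in meta_value, *__not_in or author parameters.
    $args = array(
        'post_type'      => $post_type,
        'post_status'    => 'publish',
        'posts_per_page' => MATHIEU_MAX_PER_PAGE,
        'paged'          => $paged,
    );
    if ( '' !== $taxonomy && '' !== $term ) {
        $args['tax_query'] = array(
            array( 'taxonomy' => $taxonomy, 'field' => 'slug', 'terms' => $term ),
        );
    }

    $query = new WP_Query( $args );
    $items = array();
    while ( $query->have_posts() ) {
        $query->the_post();
        $items[] = array( 'title' => get_the_title(), 'url' => get_permalink() );
    }
    wp_reset_postdata();
    wp_send_json_success( array( 'items' => $items, 'max_pages' => $query->max_num_pages ) );
}

// Static action names: this handler runs only for its own action, not for every AJAX request.
add_action( 'wp_ajax_mathieu_loadmode_post_archive', 'mathieu_loadmode_post_archive_handler' );
add_action( 'wp_ajax_nopriv_mathieu_loadmode_post_archive', 'mathieu_loadmode_post_archive_handler' );
```

The JavaScript side then posts `action=mathieu_loadmode_post_archive` together with `tax_post_type`, `taxonomy` and `tax_term` to the `admin-ajax.php` URL handed to it via `wp_localize_script()` with `admin_url( 'admin-ajax.php' )`, rather than a relative path.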