I know that this is not the only tutorial that has code that checks the nonce for meta boxes, but this is truly idiotic. The nonce should be checked per the whole action, not per parts of it, and if your save_post hook was called it means that the save nonce was already checked and found valid, so there is no need for more security checks.
My advice is to simply remove anything related to the nonce from your metabox code, but if you will feel better having it around, just change the code to:
```php
// verify nonce
if ( ! isset( $_POST['my_meta_box_nonce'] ) || ! wp_verify_nonce( $_POST['my_meta_box_nonce'], basename( __FILE__ ) ) )
    return $post_id;
```
which will bail out when no nonce was supplied or the nonce failed validation.
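For context, the guard above placed in a complete meta box, as an added example that is not part of the original answer. The field name `my_meta_box_nonce` and the action `basename( __FILE__ )` come from the answer; the function names, the `my_meta_value` input and the `_my_meta_value` meta key are hypothetical, and the code assumes it is loaded as a WordPress plugin file.

```php
<?php
// Added example: hypothetical meta box using the nonce field name from the answer.

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'my_meta_box', 'My Meta Box', 'my_meta_box_render', 'post' );
} );

function my_meta_box_render( $post ) {
    // Emits the hidden my_meta_box_nonce field that the save handler looks for.
    // The action is basename( __FILE__ ), so render and save must live in the same file.
    wp_nonce_field( basename( __FILE__ ), 'my_meta_box_nonce' );

    $value = get_post_meta( $post->ID, '_my_meta_value', true );
    echo '<input type="text" name="my_meta_value" value="' . esc_attr( $value ) . '" />';
}

add_action( 'save_post', 'my_meta_box_save' );

function my_meta_box_save( $post_id ) {
    // isset() comes first: the field is missing whenever save_post fires without
    // this form having been submitted (for example wp_insert_post() called from code),
    // and reading an unset index would raise a PHP notice.
    if ( ! isset( $_POST['my_meta_box_nonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['my_meta_box_nonce'] ) ), basename( __FILE__ ) ) ) {
        return $post_id;
    }

    // Autosave requests do not carry the meta box fields; leave stored meta untouched.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return $post_id;
    }

    // A nonce is not an authorization check; confirm the user may edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return $post_id;
    }

    if ( isset( $_POST['my_meta_value'] ) ) {
        $value = sanitize_text_field( wp_unslash( $_POST['my_meta_value'] ) );
        update_post_meta( $post_id, '_my_meta_value', $value );
    }

    return $post_id;
}
```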