Nonces can be reused multiple times? Bug / Security issue?

In WordPress, nonces are specific to the user, the action being performed, and the time. With regards to time, a nonce is valid for 24 hours, and changes every 12 hours. This is considered an acceptable trade-off, since using a real number-used-once would involve adding a tracking system and having storage of the used nonces.

Nonces are also hashed, and so the NONCE_SALT constant will be part of the resulting nonce as well. Changing the NONCE_SALT will invalidate all nonces immediately.

You should issue a new nonce every time. This is so that if the timing or methodology needs to be adjusted in the future, then your code will continue to handle it appropriately.

Related Posts:

  1. What is nonce and how to use it with Ajax in WordPress? [duplicate]
  2. Nonce in settings API with tabbed navigation
  3. Confusion on WP Nonce usage in my Plugin
  4. wp_nonce_field displaying twice
  5. Are there any security risks when submitting data-attribute data through AJAX?
  6. ajaxurl not defined on front end
  7. How to store username and password to API in wordpress option DB?
  8. Why does WordPress add 0 (zero) to an Ajax response?
  9. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  10. Saving data-URI to media library
  11. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  12. How can I run AJAX on a button click event?
  13. Can someone explain what wp_session_tokens are, and what are they used for?
  14. WordPress and PHP Sessions – Security and Performance
  15. How-to implement admin Ajax inside an admin WP_List_Table?
  16. What is the difference between esc_html and wp_filter_nohtml_kses?
  17. Nonces and Cache
  18. Is it safe to assume that a nonce may be validated more than once?
  19. Multiple ajax nonce requests
  20. Empty POST data on server on AJAX request using Angular $http
  21. Do I require the use of nonce?
  22. Using AJAX in FrontEnd with WordPress Plugin Boilerplate (wppb.io)
  23. Log in from one wordpress website to another wordpress website
  24. Build path for a custom portfolio plugin
  25. WordPress REST API call generates nonce twice on every call
  26. Using AJAX in a plugin to submit form – REALLY confused
  27. wp_localize_script $handle
  28. Escaping built-in WP function return strings
  29. What is the difference between strip_tags and wp_filter_nohtml_kses?
  30. WP Cron doesn’t save or in post body
  31. How to enable users to down-vote in this simple voting counter (that uses the post meta)?
  32. Security – Ajax and Nonce use [closed]
  33. Adding callback function for wp_ajax_ has no effect
  34. get all products of one category
  35. Get returned variable from a function to add_shortcode function
  36. Plugin Settings not Saving on Ajax re-ordered table
  37. How to post form in ajax mode and handle it in wordpress
  38. Using Ajax call in jQuery doesn’t work in widget
  39. WordPress restrict plugin file direct access
  40. WP_LOCALIZE_SCRIPT doesn’t work
  41. Plugin development: is adding empty index.php files necessary?
  42. Timeout on Admin-Ajax?
  43. Admin-ajax.php appending a status code to ajax response
  44. WordPress password reset – why post rp_key?
  45. Comment `Reply` link doesn’t work if comments are loaded from ajax
  46. Ajax in WordPress – path issue
  47. Nonces, AJAX, script variables & security in WordPress
  48. Cannot search post by taxonomy
  49. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  50. Correct way check nonce (security) using old Options API
  51. WordPress Ajax callback function from plugin – OOP
  52. Verify Nonce returns false – Request Nonce returns correct value
  53. Why do I need to check if wp_nonce_field() exists before using it
  54. WP AJAX is not working, always returns 0
  55. Ensure function has completed before allowing another Ajax call
  56. How do I check if AJAX nonces are implemented correctly?
  57. Is there any way to check for user login and send him to login?
  58. WordPress security issue to output data from user input from theme option form
  59. Frontend Ajax call not working using wp_ajax, wp_enqueue_script and wp_localize_script
  60. Fetching the value of forms in WordPress AJAX
  61. include wp-blog-header not working on MAMP
  62. Any problem in using native jquery ajax style instead of using admin-ajax.php?
  63. Slow WP_query due to nested wp_query. Need Suggestions
  64. Show special field when correct shipping is chosen
  65. WP Admin AJAX Security – using POST to include a relative URL
  66. .mo translation strings not loading in PHP scripts that handle AJAX calls
  67. How can I pass get_the_author_meta(‘user_email’) through the REST API?
  68. Maximum lifetime for nonce
  69. ajax nonce verification failing
  70. Verify if user is wordpress logged in from another app since wordpress 4.0
  71. Woocommerce checkout update totals with datepicker
  72. wp_create_nonce function doesn’t work inside a plugin?
  73. Including the necessary functions for a custom ajax registration form
  74. Secure Pages Best Practice
  75. How can I rewrite a URL to pass requests to a custom method via AJAX? (I can’t use admin-ajax.php)
  76. How to localize admin.php only once
  77. get post attachment using ajax
  78. Dashboard – get status and position of metaboxes and pass them to ajax method
  79. Passing nonce at admin menu link
  80. Securing/Escaping Output of file content – reading via fread() in PHP
  81. Create a new post using rest api and save featured image using an external image url
  82. how to search users by ajax live search
  83. Is nonce in PHP form and Ajax both necessary?
  84. wp.template() returns tags in Ajax response
  85. How to get Metabox custom field to show checked if value is updated using post meta query?
  86. Storing data in wordpress database from ajax call from different website
  87. Custom login doesn’t work properly
  88. Fatal error: Uncaught Error: Call to undefined function get_option()
  89. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  90. Video Security just like facebook [closed]
  91. Create custom HTML/JS app inside page
  92. Use just a shortcode from another page
  93. template_redirect or admin-ajax.php?
  94. how to get context information inside my funcion
  95. Is disabling test_form in wp_handle_upload a security concern?
  96. How to connect my wordpress plugin to a remote database securely?
  97. AJAX form post returns 0
  98. Is it necessary to do validation again when retrieving data from database?
  99. Update Data parameter of a wp_localize_script() call
  100. jquery & ajax sending data to php

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)