Nonces can be reused multiple times? Bug / Security issue?

In WordPress, nonces are specific to the user, the action being performed, and the time. With regards to time, a nonce is valid for 24 hours, and changes every 12 hours. This is considered an acceptable trade-off, since using a real number-used-once would involve adding a tracking system and having storage of the used nonces.

Nonces are also hashed, and so the NONCE_SALT constant will be part of the resulting nonce as well. Changing the NONCE_SALT will invalidate all nonces immediately.

You should issue a new nonce every time. This is so that if the timing or methodology needs to be adjusted in the future, then your code will continue to handle it appropriately.

Related Posts:

  1. What is nonce and how to use it with Ajax in WordPress? [duplicate]
  2. Nonce in settings API with tabbed navigation
  3. Confusion on WP Nonce usage in my Plugin
  4. wp_nonce_field displaying twice
  5. Are there any security risks when submitting data-attribute data through AJAX?
  6. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  7. How-to implement admin Ajax inside an admin WP_List_Table?
  8. Do I require the use of nonce?
  9. Using AJAX in FrontEnd with WordPress Plugin Boilerplate (wppb.io)
  10. WordPress REST API call generates nonce twice on every call
  11. Security – Ajax and Nonce use [closed]
  12. Adding callback function for wp_ajax_ has no effect
  13. get all products of one category
  14. Get returned variable from a function to add_shortcode function
  15. Plugin Settings not Saving on Ajax re-ordered table
  16. Plugin development: is adding empty index.php files necessary?
  17. Admin-ajax.php appending a status code to ajax response
  18. WordPress password reset – why post rp_key?
  19. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  20. WordPress Ajax callback function from plugin – OOP
  21. Why do I need to check if wp_nonce_field() exists before using it
  22. Ensure function has completed before allowing another Ajax call
  23. How do I check if AJAX nonces are implemented correctly?
  24. WordPress security issue to output data from user input from theme option form
  25. Frontend Ajax call not working using wp_ajax, wp_enqueue_script and wp_localize_script
  26. Fetching the value of forms in WordPress AJAX
  27. Any problem in using native jquery ajax style instead of using admin-ajax.php?
  28. Show special field when correct shipping is chosen
  29. Maximum lifetime for nonce
  30. Verify if user is wordpress logged in from another app since wordpress 4.0
  31. Secure Pages Best Practice
  32. How to localize admin.php only once
  33. Passing nonce at admin menu link
  34. Create a new post using rest api and save featured image using an external image url
  35. wp.template() returns tags in Ajax response
  36. How to get Metabox custom field to show checked if value is updated using post meta query?
  37. Fatal error: Uncaught Error: Call to undefined function get_option()
  38. Video Security just like facebook [closed]
  39. Use just a shortcode from another page
  40. template_redirect or admin-ajax.php?
  41. how to get context information inside my funcion
  42. Is disabling test_form in wp_handle_upload a security concern?
  43. How to connect my wordpress plugin to a remote database securely?
  44. Is it necessary to do validation again when retrieving data from database?
  45. Update Data parameter of a wp_localize_script() call
  46. jquery & ajax sending data to php
  47. Can’t get AJAX call working in custom plugin
  48. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  49. Bad Request in AJAX
  50. 400 Bad Request, in wordpress theme development, wp_ajax
  51. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  52. ajax recursive calls on wordpress returning answers outsite the function scope
  53. Ajax submit result opens in admin-ajax.php
  54. insert query on a custom table using ajax with jQuery plugin Jeditable
  55. The Correct Way to Use Nonce Field without Settings API
  56. Why would you use esc_attr() on internal functions?
  57. Data not insert and update through ajax and jQuery in admin page?
  58. WP ajax requests not stacking?
  59. Is it possible to use WP-CLI in a plugin (or theme)?
  60. Secruity Questions on a timer
  61. AJAX button with success callback. (Titan Framework)
  62. Using HTML links within translatable string
  63. AJAX call returns ‘testtest0’ instead of ‘test’ – why?
  64. Using nonce when loading posts with AJAX
  65. Best practice for plugin: always detect admin-ajax call?
  66. add_action wp_ajax_ not loading in plugin file WP Network
  67. Why is the form not updating when I select a new sector from the list?
  68. Ajax +wordpress onClick link redirect to new page and create html content
  69. Using password protection to load different page elements?
  70. Get cat parameter from admin-ajax
  71. WordPress (pagenow link) in ajaxurl change after i change plugin language
  72. Should wordpress nonce be placed in html form or in javascript file
  73. Jquery php request is returning a weird result
  74. Posts form with AJAX request – Plugin development
  75. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  76. How to control ajax calls without effecting memory of server?
  77. Forbidden Error in ajax call with wordpress
  78. “add to cart” links css class “ajax_add_to_cart” doesn’t show in woocommerce in widget sidebar
  79. Does $this context change in an AJAX callback?
  80. How to store sensitive user data (passwords)
  81. WordPress Ajax not returning Response
  82. how to add security questions on wp-registration page and validate it
  83. Performing ajax request in wordpress
  84. wp_ajax function return the html page
  85. ajax multiple Values
  86. Using JavaScript in WordPress page to call for server data using AJAX
  87. wp_ajax add_action fuction won’t fire on custom jQuery action
  88. Ajax Response Error | just getting error as the response
  89. admin-ajax.php returns “No Script Kiddies!” sometimes
  90. Ajax functionality not being called under wordpress plugin
  91. Array/List Edit in Backend
  92. WP Cron as Fast as WordPress AJAX?
  93. wp_verify_nonce fails always
  94. WordPress plugin: admin-ajax.php not passing data to custom function
  95. Ajax url value to pass ‘variable’ to use in query
  96. Ajax functions – no access to wp-admin.php only online
  97. PHPUnit Ajax Serialization of ‘Closure’ is not allowed
  98. Why my admin-ajax url returns 0 even after adding echo and die() at the end of function?
  99. esc_url, esc_url_raw or sanitize_url?
  100. WordPress plugin boilerplate AJAX functionality

Leave a Comment