Are you sure that a _doing_it_wrong notice isn’t being issued? You won’t see the notice visibly output on the page because that would break the JSON response. But if you look in the headers of the response you should see a X-WP-DoingItWrong header. It should also appear if you use a plugin like this to … Read more
When you enqueue or localize a script you’re doing it specifically for the front end or the admin. If you want to enqueue or localize a script in both, you have to specifically do it for both. This is used to enqueue/localize for the front end add_action( ‘wp_enqueue_scripts’, ‘your_function_front’ ); your_function_front() { wp_localize_script(‘scripts’, ‘myAjax’, array( … Read more
You need to pass the value of the nonce field as first argument to wp_verify_nonce. So, you need to modify the nonce verification part in your code. Also you were using form fields names that conflicts with internal wordpress query vars, you should prefix them with something unique so they do not conflict with wordpress. … Read more
No, it is not possible. Nonce is generated on server as a function of domain name, user information, action, time, etc. This is made especially to distinguish requests from one server to another.
For remote apps (cURL, Postman, etc.), or when not using the browser, you should use an authentication plugin like Application Passwords instead of sending the cookies. But if you’d rather send the cookies, then copy and send the WordPress logged-in cookie named wordpress_logged_in_<hash>. Example in cURL: curl -H “X-WP-Nonce: <nonce>” -X POST https://example.com/wp-json/wp/v2/posts -d “Data … Read more
I don’t know I just submitted the ticket on track. I was using get_current_user_id() and it modifies the wp_create_nonce behavior. Sinces wp_create_nonce uses wp_get_current_user() I think there is the problem.
As of 4.1.1, the nonce is defined in wp-includes/media.php, line 2883: $settings[‘post’] = array( ‘id’ => $post->ID, ‘nonce’ => wp_create_nonce( ‘update-post_’ . $post->ID ), ); So to verify the nonce: wp_verify_nonce( $nonce, “update-post_$post_ID” );
WordPress nonces are not your usually (‘use only once’) nonce. For a given $action, a new nonce is generated at every 12 hours and a nonces are valid for 24 hours, so at any given point there are two nonces valid for a given $action. The nonce is (a substring of) a hash of $action … Read more
No, not really. You’re assuming the function that called wp_insert_post() has already performed those checks. But wp_insert_post() may be used in other pages too, not just the edit page, by plugins, or even themes (many of them with security holes). That’s why you should ensure that your code runs only where you want to by … Read more
Well, looks like I have found the answer. The action should be changed like so: $action = ‘install-plugin’; $slug = ‘akismet’; wp_nonce_url( add_query_arg( array( ‘action’ => $action, ‘plugin’ => $slug ), admin_url( ‘update.php’ ) ), $action.’_’.$slug ); The answer was found in line 275 in the source code: https://core.trac.wordpress.org/browser/tags/3.9.1/src/wp-admin/includes/plugin-install.php