How does nonce verification work?

TL;DR: In short, wp_verify_nonce() uses that value because it expects that value as its first argument. wp_verify_nonce() arguments: wp_verify_nonce() receives 2 arguments: $nonce, $action. The value in the hidden field ('cabfd9e42d' in your example) represents the $nonce. 1st argument is the nonce, and comes from the request. In fact, wp_verify_nonce() has to be used like …

wp_verify_nonce vs check_admin_referer

I thought that check_admin_referer checked the nonce (it does call wp_verify_nonce) and the referring URL. After digging into the core code I realised that it did not do this. Thinking it was a bug, I reported it, and Ryan Boren replied with the following: Actually, if the nonce is valid the referrer should not be …