Yes, nonces should always be used when an authenticated user is triggering an action via a GET/POST request. One of the main purposes of the nonce is it ensure that the current user actually intended to trigger this request. It prevents the security vulnerability known as Cross-Site Request Forgery (CSRF), where an attacker can trick an authenticated user into taking an action they didn’t intend to. Checking for a valid nonce prevents this, because the attacker cannot guess the nonce, so they can’t forge a form submission request and trick an admin into submitting it.
Note that the the attacker doesn’t have to have access to the form itself, as your plugin presents it, in order to perform this attack. They can create their own imitation form or trigger the request in another way.
Related Posts:
- wp_create_nonce function doesn’t work inside a plugin?
- Where should my plugin POST to?
- Security checking in meta_box save is reluctant?
- Nonce failing on form submission
- wp_verify_nonce fails always
- How can i see/log all requests coming from a registration form (not from the UI)?
- How to verify/test that a custom built wordpress theme is as secure as possible?
- Disabled plugins are they security holes – rumor or reality?
- How Can I Securely Implement a Password-less Login Feature?
- Security and .htaccess
- Are there procedures to prevent malicious plugin updates?
- Nonces and Cache
- Let readers suggest edits from the frontend
- How to check plugins for malicious code?
- How to properly secure my WordPress installation?
- Plugin development: how to create a form and get custom data?
- Security error WP 4.0 + WP phpBB Bridge [closed]
- Multi step form, custom plugin
- Contact Form 7 plugin refreshing page on submit [closed]
- Plugin form unable to process
- WordPress Custom Application form
- Datepicker not supporting timepicker
- add function to saving change on Options Pages
- How to expire all wordpress user passwords instantly?
- Admin page: form with enctype=”multipart/form-data” does not transfer its data
- Weird problems after recovery from security breach
- How can we deal with unmaintained plugins with vulnerabilities?
- Should you escape hardcoded URLs?
- Preventing BFA in WordPress without using a plugin
- How can I make uploaded images in the editor load with HTTPS?
- How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
- WordPress filter that hook after each action/filter hook
- How to delete Passwrd Protected posts cookies when a user logged out from the site
- Form isn’t inserting data into database with ajax plugin
- Can I use custom CSS and js plugin to put JavaScript in to validate my forms
- How to block plugin activations with no known user or coming from unknown IP address range?
- Check for security updates
- auto populate list of questions if user select a category xyz
- Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
- Adapt PHP form action for WordPress?
- Take input from form and pass it to function using a wp-plugin
- Malicious File Upload [closed]
- How do I make a child theme I made POST through a 3rd party plugin?
- Stop Plugin Enumeration [closed]
- Malware installation during plugin update?
- Submit custom form from post content and execute in plugin
- Char limit on custom blog-post form? [closed]
- I should enable automatic updates?
- easy steps to make front end form without plugin
- Form that generates an ID for the customer
- Editing a text file from plugin menu
- Ajax Plugin Not Echoing Response
- Plugin that will output submitted form data for user? [closed]
- How to handle forms from sidebar widgets – Processing $_POST variables using get_field_name()
- How do I add the same contact form to multiple wordpress sites and capture the response in one place or database?
- Website show Google Ads when we have no Google Ads linked to our website
- Vulnerability Concern From the Plugin or From Not Updating the Plugin?
- coding a WordPress AJAX Form using PHP to check if User is Logged Out and Show error
- Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
- Storing The Data Collected by Ninja Forms into Another (custom) Database [closed]
- add_meta_box creating default form field types
- Form Plugin for Api Requests which is used via Shortcode
- Echo out element to another page.
- Regarding plugin security
- How do I determine if the user who registered is not spam?
- Nonce failing with second argument
- Contact Form 7 “non-selectable” options in a drop down [closed]
- Using AJAX to run SQL statement and populate dropdown
- Looking for a simple checkout plugin [closed]
- Redirect plugin after form submit or show errors
- get wpforms ID value from ACF text field
- WordPress – send digital product with custom email
- How can I disable new plugin and theme install, but allow updates?
- How to create a form where you can select multiple recipients, based on a list of website users?
- WordPress search input in database, to edit information via form and update the database
- Validating ajax search
- WPForms Custom Redirect not working
- WordPress disable direct access of files in WordPress installation path
- Asking help regarding potential malware
- How can I implement radio buttons with icons in Contact form 7?
- Page takes on two different formats
- get/show Last ID
- Being hacked. Is there a list of WordPress security holes I can check against?
- Create user assessment and use results in sql query
- Saving custom form fields
- Adding a Filter to Sidbar Login Plugin to Change Login Button Lable
- Unwanted Links and Spam WordPress Pages and Posts
- Undefined variable _POST
- How to prevent page load on form submission
- File permissions for wp-minify plugin
- How to develop an extension for a simple form post and post back? [closed]
- What is the recommended way to be notified of security updates to my plugins? [closed]
- How to resolve these findings from security audit
- Is it possible to set different payment gateway on each Gravity Forms form? [closed]
- how to show selected options drop down menu values in attributes field in after saving post.php
- How can I add a zip code service availability checker in WordPress without Woocommerce? [closed]
- WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
- Block Root REST API Route using custom &/or iThemes
- I am trying to add form using ACF plugin and acf_form() function, but my user fields dont show up properly
- Is there a WordPress plugin or solution that allows to set up forms with a total control over markup