WP Admin AJAX Security – using POST to include a relative URL

If you use nonces properly, it won’t be possible to make the site to process fake request… So this part should be secure, but… There is still one security flaw in your approach…

What if I can make you to run my JS script in your browser, while you’re logged in as admin? It is possible.

This way nonce won’t cause validation error and your code will execute whatever I want – because you don’t verify input from user…

So all your security is based on possibility of injecting some JS to your site – and that’s pretty common – just take a look at malware history in WP…

It would be much more secure, if the template was loaded based on verified data. So don’t load it directly, but make a list of correct, secure templates and load them based on variable sent in POST.

So back to your 3 questions:

1. If I have secured the wp_ajax function (according to WordPress best practices) is it OK to use POST data to include a file within the WP Admin AJAX action?

No. It’s never OK to load any file based on path sent by user. It’s much more secure if you pass a variable and then translate this variable to path of a file in PHP.

2. Am I making it easier for attackers to abuse the system?

You’re not making it much easier, but yes – it will be possible to attack such code.

3. Is this creating an unnecessary back door in the system just to avoid writing several additional functions, ie: is it lazy?

Yes, it is. But you don’t have to write several functions. You just have to secure this one properly and remember – you should never trust anything that comes from user.

Related Posts:

  1. Nonces and Cache
  2. Is it safe to assume that a nonce may be validated more than once?
  3. Multiple ajax nonce requests
  4. AJAX requests broken due to HTTPS for wp-admin
  5. Nonces, AJAX, script variables & security in WordPress
  6. wp-admin AJAX with Fetch API is done without user
  7. How do I check if AJAX nonces are implemented correctly?
  8. ajax nonce verification failing
  9. Why does check_ajax_referer give a 403 error on https websites?
  10. How to check nonce lifetime value of plugins?
  11. Using nonce when loading posts with AJAX
  12. Should wordpress nonce be placed in html form or in javascript file
  13. Ajax Security regarding user priviliges and nonces
  14. How to get a unique nonce for each Ajax request?
  15. WordPress Ajax Data Security
  16. Nonces can be reused multiple times? Bug / Security issue?
  17. Using Nonces for AJAX that only retrieves data
  18. How to verify nonce from Bulk/Quick Edit in save_post?
  19. How to add WordPress nonces to ajax request
  20. Ajax form submission from admin panel
  21. Security – Ajax and Nonce use [closed]
  22. Nonces and Ajax request to REST API and verification
  23. Ajax function returns -1
  24. How to securely add an Ajax button to a WP Admin page?
  25. Serving nonces through AJAX is not refreshing nonce, returning 403 error
  26. wp_remote_get() to get AJAX url /wp-admin/admin-ajax.php
  27. wp_verify_nonce always returns false when logged in as admin
  28. ajax and nonce when JavaScript is in a seperate file
  29. wp_verify_nonce doesn’t return true on server when it matches the nonce
  30. Cookie nonce is invalid – Multisite
  31. Why does WordPress Heartbeat login not refresh the nonces?
  32. How to check an ajax nonce in PHP
  33. Can a wp_nonce created from domain 1 to be verified on domain 2?
  34. Is it safe to manually sign a user in using AJAX?
  35. how to send Ajax request in wordpress backend
  36. Identical wp_rest nonce returned from rest_api
  37. wp_create_nonce() in REST API makes user->ID zero
  38. WordPress Ajax Not Working ( Custom Admin page)
  39. Why a strange discrepency between get_current_user_id() when using AJAX versus output of document.cookie?
  40. SSO autologin WordPress + Ajax
  41. Pass additional parameter with async upload
  42. Should I check for privileges before hooking into `wp_ajax_$handle` or after?
  43. Nonce fails on ajax save
  44. Is it secure to use admin-ajax.php in front?
  45. Use WP admin AJAX url to hide API key
  46. Unable to successfully verify nonce
  47. Cache plugins and ajax nonce verification
  48. Nonce doesn’t validate in nopriv call
  49. Why do Metabox use Nonces?
  50. WordPress is creating nonce as a logged in user but verifying it incorrectly
  51. Preprocess submitted data
  52. javascript ajax and nonce
  53. 200 return code on ‘POST /wp-admin/admin-ajax.php’ while NOT logged in
  54. Use AJAX in a WordPress Plugin to Get Data From Custom Database?
  55. Custom RPC end-point security best pratice?
  56. admin-ajax.php returns 0 even when the post status code is 200 OK
  57. Can I use application/json content type in WordPress
  58. How to prevent my external API call from being called by anyone but me (my site)
  59. wp_verify_nonce not working on the mobile device
  60. How do I mitigate replay attacks when talking about actions that shouldn’t happen twice?
  61. check_ajax_reffer not working when logged
  62. wordpress admin ajax trash_comment
  63. Ajax call not working anymore
  64. How to safely pass post_id and user_id via AJAX to the backend (prevent user from changing it via JS)?
  65. AJAX form not working, still reloads on submit
  66. WorddPress website admin part not working correctly – I think ajax/json issue
  67. CSRF attack to create USER
  68. How modify comments metabox on post edit screen in WordPress?
  69. Weird admin-ajax.php problem
  70. WordPress Get Header and Footer using in Admin Area
  71. How to use nonces for frontend AJAX voting if the page gets cached?
  72. get_comments() returns empty array if called through AJAX
  73. Can I make an ajax response cross-domain?
  74. WordPress blocking polling request when signed into Admin
  75. WordPress wp_localize_script nonce and ajax URL
  76. randomly get 400 error while user is logged in wp_ajax
  77. Including WordPress in RESTful API
  78. How to tie built in AJAX to an add_action?
  79. Elegantly using JavaScript on widget admin forms
  80. Any problem in using native jquery ajax style instead of using admin-ajax.php?
  81. wp_ajax function did not call
  82. Single page site + pushState?
  83. Is it safe to use a global wp nonce per user instead of a nonce per action?
  84. wp_update_post onclick button using ajax
  85. wp_ajax declaration confusing for Front end
  86. ajax in admin menu
  87. Ajax Favorite from foreach (how to specify which result result is processed)
  88. change wordpress pagination url after doing the request
  89. admin-ajax.php 403 errors – no caching, permissions are fine
  90. Issue developing an AJAX form with WordPress
  91. How to check for dependencies for a specific page and enqueue them
  92. wordpress ajax always return 0
  93. How to get data with Select AJAX PHP
  94. Add “load more” functionality to an AJAX response
  95. Bad Request 400… jQuery ajax post of json data to wordpress admin-ajax.php
  96. weird Internal Server Error – no error log produced
  97. Why are the most recent posts not appearing in a fetch request, unless I’m logged in?
  98. Successful ajax call returns lots of whitespace and text of code with 0
  99. How to submit a button automatically after every scheduled hours?
  100. At what stage does wp_ajax hooks gets applied during WordPress request?