Verify nonce for theme and plugin edits

xwp · Dec 23, 2024 · 697b10e · 697b10e
1 parent c76e5b2
commit 697b10e
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/connectors/class-connector-editor.php b/connectors/class-connector-editor.php
@@ -197,21 +197,29 @@ public function get_edition_data() {
 
 		$action         = wp_stream_filter_input( INPUT_POST, 'action' );
 		$request_method = wp_stream_filter_input( INPUT_SERVER, 'REQUEST_METHOD' );
+		$theme_slug     = wp_stream_filter_input( INPUT_POST, 'theme' );
+		$plugin_slug    = wp_stream_filter_input( INPUT_POST, 'plugin' );
+		$relative_file  = wp_stream_filter_input( INPUT_POST, 'file' );
+
+		if ( ! empty( $theme_slug ) && ! check_admin_referer( 'edit-theme_' . $theme_slug . '_' . $relative_file, 'nonce' ) ) {
+			return;
+		}
+
+		if ( ! empty( $plugin_slug ) && ! check_admin_referer( 'edit-plugin_' . $relative_file, 'nonce' ) ) {
+			return;
+		}
 
 		if ( ( isset( $request_method ) && 'POST' !== $request_method ) || ( 'edit-theme-plugin-file' !== $action ) ) {
 			return;
 		}
 
 		$location   = null;
-		$theme_slug = wp_stream_filter_input( INPUT_POST, 'theme' );
 
 		if ( $theme_slug ) {
 			$location          = 'theme-editor.php';
 			$this->edited_file = $this->get_theme_data( $theme_slug );
 		}
 
-		$plugin_slug = wp_stream_filter_input( INPUT_POST, 'plugin' );
-
 		if ( $plugin_slug ) {
 			$location          = 'plugin-editor.php';
 			$this->edited_file = $this->get_plugin_data( $plugin_slug );