Hello and thank you for reporting this bug.
I’ve released version 2.3, which repairs most of the bugs that appeared while using admin-ajax.php. The bug came from the function that blocks the Arbitrary File Upload vulnerability used by SoakSoak.
Please let me know if it works, as I don’t have the Zeitgeist theme.
Thanks and Happy New Year! 🙂
We still have problems with the media gallery but I found a workaround.
In wp-admin/admin-ajax.php there is a check for $_REQUEST['action']; if that is empty, it will die. In your plugin, on lines 51+52, $_POST['action'] and 'client_action' are replaced with a cleaned-up version. It seems that sometimes these are empty, resulting in an empty $_REQUEST['action'], letting admin-ajax.php die. I don’t know why $_POST is empty in the media gallery, as it is definitely sent via POST, but I added a check to your plugin to see if $_POST['action'] is empty, and if it is, it will use $_REQUEST['action'] as the source for the cleanup.
variables_order is GPCS, request_order GP
The code:
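    // Clean 'action'; fall back to $_REQUEST when $_POST['action'] is empty.
    if (!empty($_POST['action']))
        $_POST['action'] = preg_replace('/[^a-zA-Z_\-0-9]/i', '', $_POST['action']);
    else
        $_POST['action'] = preg_replace('/[^a-zA-Z_\-0-9]/i', '', isset($_REQUEST['action']) ? $_REQUEST['action'] : '');
    // Same handling for 'client_action'.
    if (!empty($_POST['client_action']))
        $_POST['client_action'] = preg_replace('/[^a-zA-Z_\-0-9]/i', '', $_POST['client_action']);
    else
        $_POST['client_action'] = preg_replace('/[^a-zA-Z_\-0-9]/i', '', isset($_REQUEST['client_action']) ? $_REQUEST['client_action'] : '');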
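Added example, not part of the thread and not the plugin's own code: one way to apply the same allowlist cleanup with the $_POST-then-$_REQUEST fallback described above, while also rejecting non-scalar input such as action[]=x. The function names are hypothetical, and writing the cleaned value back to both arrays is a choice made for this example.

```php
<?php
// Hypothetical helpers for illustration; not taken from the plugin.

/**
 * Return $key from the first source holding a non-empty scalar value,
 * reduced to the allowlist [a-zA-Z0-9_-]. Arrays (action[]=x) are skipped,
 * so the result is always a plain string.
 */
function example_clean_key(string $key, array ...$sources): string
{
    foreach ($sources as $source) {
        if (!isset($source[$key]) || !is_scalar($source[$key])) {
            continue;
        }
        $clean = preg_replace('/[^a-zA-Z0-9_-]/', '', (string) $source[$key]);
        if ($clean !== null && $clean !== '') {
            return $clean;
        }
    }
    return '';
}

/**
 * Write the cleaned value back to both arrays. A key that was present but
 * cleans to '' is overwritten too, so the raw value never survives.
 */
function example_apply_clean_key(string $key, array &$post, array &$request): string
{
    $clean = example_clean_key($key, $post, $request);
    if (array_key_exists($key, $post) || $clean !== '') {
        $post[$key] = $clean;
    }
    if (array_key_exists($key, $request) || $clean !== '') {
        $request[$key] = $clean;
    }
    return $clean;
}

// Constructed input: 'action' is missing from the POST array but present in
// the request array; 'client_action' arrives as an array in both.
$post    = ['client_action' => ['x']];
$request = ['action' => 'query-attachments<script>', 'client_action' => ['x']];

var_dump(example_apply_clean_key('action', $post, $request));
var_dump(example_apply_clean_key('client_action', $post, $request));
var_dump($post, $request);
```

In a plugin the call would be example_apply_clean_key('action', $_POST, $_REQUEST), run before admin-ajax.php reads $_REQUEST['action'].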
Hello,
I am sorry for delaying this update, but I have been studying lately for Uni. I’ve updated the plugin to version 2.3.2 which will resolve this bug and others in WP admin panel (such as hiding a slide) based on your code.
Thanks 🙂