Support » Plugin: YOURLS Link Creator » Security Error

  • moongear

    (@moongear)


    With certain other third party plugins, the Better YOURLS plugin causes a “Security Error” on save_post and/or transition_post_status. This errors results due to an issue in class-better-yourls-actions.php.

    Starting at line #127, the evaluation of $_POST['better_yourls_nonce'] begins. The first part tests if $_POST['better_yourls_nonce'] is set but at the same time validates the nonce while being dependent on $_POST['better_yourls_nonce'].

    Because some third party plugins do not paint the YOURLS Meta Box, the better_yourls_nonce INPUT does not exist on those edit pages. When submitted, $_POST['better_yourls_nonce'] does not exist. Therefore, evaluating the nonce is futile.

    // Make sure we are originating from the right place.
    if (
    ! isset( $_POST['better_yourls_nonce'] ) || // WPCS: input var ok.
    ! wp_verify_nonce( $_POST['better_yourls_nonce'], 'better_yourls_save_post' ) // WPCS: input var ok. Sanitization ok.
    ) {
    wp_die( esc_html__( 'Security Error', 'better-yourls' ) );
    }

    What should happen is a test that $_POST['better_yourls_nonce'] is good then if it is evaluate the nonce (not both at the same time).

    Line #131 (wp_die( esc_html__( 'Security Error', 'better-yourls' ) );) should never be realized if the variable is simply not defined. Instead, it should gracefully return and do nothing else.

    • This topic was modified 1 month ago by moongear.
Viewing 2 replies - 1 through 2 (of 2 total)
Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.