Skip to content

Security: Improve admin-ajax.php action sanitization #10705

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Zaidfarooqui01 wants to merge 1 commit into
base: trunk
Choose a base branch
from
Open

Security: Improve admin-ajax.php action sanitization #10705

Zaidfarooqui01 wants to merge 1 commit into from
+159 −73

Conversation

@Zaidfarooqui01
Copy link

@Zaidfarooqui01 Zaidfarooqui01 commented Jan 9, 2026

Props: mohammadzaid
Fixes: https://core.trac.wordpress.org/ticket/64489

Summary

Improve $_REQUEST['action'] sanitization in admin-ajax.php.

Changes

  • Added isset() + is_scalar() checks
  • Applied sanitize_key( wp_unslash( $_REQUEST['action'] ) )
  • Preserved existing wp_die() guard

Testing

  • npm run lint:php
  • npm run test:php
  • Manual admin AJAX testing ✅

Trac: https://core.trac.wordpress.org/ticket/64489

Security: Improve admin-ajax.php action sanitization
2a85e40 
Props: mohammadzaid

Fixes: https://core.trac.wordpress.org/ticket/64489

Adds isset() + is_scalar() checks before accessing ['action'].

Uses sanitize_key( wp_unslash( ['action'] ) ) per WordPress standards.

Preserves existing wp_die() early guard.
@github-actions
Copy link

github-actions bot commented Jan 9, 2026
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Unlinked Accounts

The following contributors have not linked their GitHub and WordPress.org accounts: @reviewandearn092@gmail.com.

Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases.

Core Committers: Use this line as a base for the props when committing in SVN:

Props mohammadzaid.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@github-actions
Copy link

github-actions bot commented Jan 9, 2026

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

@Zaidfarooqui01
Copy link
Author

Zaidfarooqui01 commented Jan 9, 2026

@github-actions thanks!
✅ Linked farooquizaid92@gmail.com to my WordPress.org profile (mohammadzaid)
✅ Added mohammadzaid@git.wordpress.org to GitHub emails

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Zaidfarooqui01