diff --git a/CHANGELOG.md b/CHANGELOG.md
index b82e392..911c123 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -45,7 +45,6 @@
## Security
- Possible XSS prevented: Session cookie missed the "secure" and "httponly" flags
-- Possible path traversal in Media Manager plugin prevented
- Proper check of uploaded files ([#152](https://github.com/flatpressblog/flatpress/issues/152), [#170](https://github.com/flatpressblog/flatpress/issues/170))
- Possible XSS prevented: Admin Area URL ([#153](https://github.com/flatpressblog/flatpress/issues/153))
- Possible XSS prevented: SVG/XML/MD upload ([#172](https://github.com/flatpressblog/flatpress/issues/172), [#178](https://github.com/flatpressblog/flatpress/issues/178))
@@ -54,6 +53,7 @@
- Possible XSS in Media Manager plugin prevented ([#177](https://github.com/flatpressblog/flatpress/issues/177))
- Possible path traversal in Media Manager plugin prevented ([#179](https://github.com/flatpressblog/flatpress/issues/179))
- Possible XSSs in Admin Area prevented ([#180](https://github.com/flatpressblog/flatpress/issues/180), [#183](https://github.com/flatpressblog/flatpress/issues/183))
+- Possible CSRFs in Admin Area prevented ([#64](https://github.com/flatpressblog/flatpress/issues/64))
# 2021-06-19: [FlatPress 1.2.1](https://github.com/flatpressblog/flatpress/releases/tag/1.2.1)
## Bugfixes
diff --git a/admin/panels/entry/admin.entry.delete.php b/admin/panels/entry/admin.entry.delete.php
index 752170d..256cc24 100755
--- a/admin/panels/entry/admin.entry.delete.php
+++ b/admin/panels/entry/admin.entry.delete.php
@@ -45,6 +45,9 @@ class admin_entry_delete extends AdminPanelAction {
}
function ondelete() {
+ // at first: check if nonce was given correctly
+ check_admin_referer('admin_entry_delete');
+
$id = $_REQUEST ['entry'];
$ok = draft_delete($id) || entry_delete($id);
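Review bot: The guard added at the top of ondelete() only protects the deletion if `check_admin_referer()` halts the request on a missing or stale nonce; its implementation is not in this hunk, and if it merely returns a result, execution falls straight through to `draft_delete($id) || entry_delete($id)` with an attacker-chosen `$_REQUEST['entry']`. Please confirm it terminates (as the WordPress function of the same name does), or make the control flow explicit so the intent survives a later refactor of that helper. The identifier is also read without an existence check, `$id = $_REQUEST ['entry'];` will emit a notice and pass null to the delete helpers when the parameter is absent; an `isset()` guard that returns early would be cheap here. ondelete()'s body continues outside the hunk.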
diff --git a/admin/panels/plugin/admin.plugin.php b/admin/panels/plugin/admin.plugin.php
index dded24f..e29d4df 100644
--- a/admin/panels/plugin/admin.plugin.php
+++ b/admin/panels/plugin/admin.plugin.php
@@ -53,6 +53,9 @@ class admin_plugin_default extends AdminPanelAction {
}
function dodisable($id) {
+ // at first: check if nonce was given correctly
+ check_admin_referer('admin_plugin_default_disable_' . $id);
+
$fp_plugins = $this->fp_plugins;
$success = -1;
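Review bot: Binding the nonce to `'admin_plugin_default_disable_' . $id` is the right shape, but the hunk does not show where `$id` originates or whether it is validated before being folded into the action string; the nonce only proves the user followed a link generated for that exact id, so `$id` still needs to be checked against the installed plugin list before the disable takes effect (the rest of dodisable() is outside the hunk). Because the verifier accepts a nonce for the current and the previous 12-hour period, the same action string must be produced byte-for-byte by whatever builds the enable/disable links; a one-line comment above the check would help keep the two in sync, e.g. `// action string must match the one used to build the disable link in the plugin panel template`. The same applies to doenable() below.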
@@ -78,6 +81,9 @@ class admin_plugin_default extends AdminPanelAction {
}
function doenable($id) {
+ // at first: check if nonce was given correctly
+ check_admin_referer('admin_plugin_default_enable_' . $id);
+
$success = -1;
$fp_plugins = $this->fp_plugins;
diff --git a/fp-includes/core/core.wp-pluggable-funcs.php b/fp-includes/core/core.wp-pluggable-funcs.php
index 9849c27..3f00016 100755
--- a/fp-includes/core/core.wp-pluggable-funcs.php
+++ b/fp-includes/core/core.wp-pluggable-funcs.php
@@ -327,6 +327,15 @@ endif;
if (!function_exists('wp_verify_nonce')) :
+ /**
+ * Verifies the given nonce for the given action string.
+ *
+ * @param string $nonce
+ * the nonce to verify
+ * @param string $action
+ * the action
+ * @return boolean true
if the nonce is valid; false
otherwise
+ */
function wp_verify_nonce($nonce, $action = -1) {
$user = user_get();
$uid = $user ['userid'];
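Review bot: The new docblock leaves out two things a caller needs: that `$action` defaults to `-1` (so a call without an action still yields a valid, but action-agnostic, nonce), and that `$nonce` is compared against the value for the current and the previous 12-hour period, so a nonce stays valid for between 12 and 24 hours. I would extend the `@param` for `$action` with "defaults to -1 when no action is given" and add a sentence to the description stating the acceptance window. Separately, the `@return` text on the following lines appears without the ` * ` prefix and the `+` marker; that may be a wrapping artifact of this view, but please confirm the committed docblock reads ` * @return boolean true if the nonce is valid; false otherwise` on one line so the doc comment stays well-formed. wp_verify_nonce()'s body continues in the next hunk.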
@@ -334,11 +343,13 @@ if (!function_exists('wp_verify_nonce')) :
// new nonce each 12 hours
$i = ceil(time() / (60 * 60 * 12));
- // Allow for expanding range, but only do one check if we can
+ // The nonce we expect for the given action at the current time
$expectedNonce = substr(wp_hash($i . $action . $uid), -12, 10);
- if ($expectedNonce == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce)
- return true;
- return false;
+ // The nonce we expect for the given action in the previous time period
+ $expectedPreviousNonce = substr(wp_hash(($i - 1) . $action . $uid), -12, 10);
+
+ // given nonce must match the current or the previous nonce
+ return $nonce == $expectedNonce || $nonce == $expectedPreviousNonce;
}
endif;
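Review bot: The return on the last added line still compares the nonce with `==`, which in PHP is a loose comparison: if both sides are numeric strings they are compared as numbers, so an expected value such as `0e12345678` (a 10-character hex substring of the hash) would match a submitted `0`, `0e0` or any other `0e...` digit string, and a `$nonce` that is not a string (e.g. `nonce[]=` from the request) gets coerced rather than rejected. Use a strict, constant-time comparison and reject non-string input: `if (!is_string($nonce)) { return false; }` followed by `return hash_equals($expectedNonce, $nonce) || hash_equals($expectedPreviousNonce, $nonce);` (hash_equals() is available from PHP 5.6; on older targets `===` is the minimum). The refactor into two named variables is a good readability improvement otherwise.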