check for correct admin referer on delete entry (see #64)

admin/panels/entry/admin.entry.delete.php

@@ -45,6 +45,9 @@ class admin_entry_delete extends AdminPanelAction {
 	}
 
 	function ondelete() {
+		// at first: check if nonce was given correctly
+		check_admin_referer('admin_entry_delete');
+
 		$id = $_REQUEST ['entry'];
 		$ok = draft_delete($id) || entry_delete($id);
 

fp-includes/core/core.wp-pluggable-funcs.php

@@ -327,6 +327,15 @@ endif;
 
 if (!function_exists('wp_verify_nonce')) :
 
+	/**
+	 * Verifies the given nonce for the given action string.
+	 *
+	 * @param string $nonce
+	 *        	the nonce to verify
+	 * @param string $action
+	 *        	the action
+	 * @return boolean <code>true</code> if the nonce is valid; <code>false</code> otherwise
+	 */
 	function wp_verify_nonce($nonce, $action = -1) {
 		$user = user_get();
 		$uid = $user ['userid'];
@@ -334,11 +343,13 @@ if (!function_exists('wp_verify_nonce')) :
 		// new nonce each 12 hours
 		$i = ceil(time() / (60 * 60 * 12));
 
-		// Allow for expanding range, but only do one check if we can
+		// The nonce we expect for the given action at the current time
 		$expectedNonce = substr(wp_hash($i . $action . $uid), -12, 10);
-		if ($expectedNonce == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce)
+		// The nonce we expect for the given action in the previous time period
-			return true;
+		$expectedPreviousNonce = substr(wp_hash(($i - 1) . $action . $uid), -12, 10);
-		return false;
+
+		// given nonce must match the current or the previous nonce
+		return $nonce == $expectedNonce || $nonce == $expectedPreviousNonce;
 	}
 endif;