diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php
index 37f6ed426a..ef46ccdc66 100644
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -52,6 +52,9 @@ if ( isset( $_GET['action'] ) ) :
 switch ( $action = $_GET['action'] ) :
 case 'fetch-list' :
+	$list_class = $_GET['list_args']['class'];
+	check_ajax_referer( "fetch-list-$list_class", '_ajax_fetch_list_nonce' );
+
 	$current_screen = (object) $_GET['list_args']['screen'];
 	//TODO fix this in a better way see #15336
 	$current_screen->is_network = 'false' === $current_screen->is_network ? false : true;
@@ -60,7 +63,7 @@ case 'fetch-list' :
 	define( 'WP_NETWORK_ADMIN', $current_screen->is_network );
 	define( 'WP_USER_ADMIN', $current_screen->is_user );
-	$wp_list_table = get_list_table( $_GET['list_args']['class'] );
+	$wp_list_table = get_list_table( $list_class );
 	if ( ! $wp_list_table )
 		die( '0' );
@@ -1089,6 +1092,8 @@ case 'menu-quick-search':
 case 'wp-link-ajax':
 	require_once ABSPATH . 'wp-admin/includes/internal-linking.php';
+	check_ajax_referer( 'internal-linking', '_ajax_linking_nonce' );
+
 	$args = array();
 	if ( isset( $_POST['search'] ) )
diff --git a/wp-admin/includes/class-wp-list-table.php b/wp-admin/includes/class-wp-list-table.php
index fa2001d350..1cc9b79b63 100644
--- a/wp-admin/includes/class-wp-list-table.php
+++ b/wp-admin/includes/class-wp-list-table.php
@@ -685,6 +685,8 @@ class WP_List_Table {
 	function display() {
 		extract( $this->_args );
+		wp_nonce_field( "fetch-list-" . get_class( $this ), '_ajax_fetch_list_nonce' );
+
 		$this->display_tablenav( 'top' );
 ?>
diff --git a/wp-admin/includes/internal-linking.php b/wp-admin/includes/internal-linking.php
index 4ac7a37fac..b2e60a20d8 100644
--- a/wp-admin/includes/internal-linking.php
+++ b/wp-admin/includes/internal-linking.php
@@ -71,6 +71,7 @@ function wp_link_query( $args = array() ) {
 function wp_link_dialog() {
 ?>
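Review bot: `$list_class = $_GET['list_args']['class'];` on the first added line of the `fetch-list` hunk is read with no `isset` or type check, so a request that omits `list_args` (or sends `class` as an array) raises PHP notices, runs the nonce check against the literal action `fetch-list-` or `fetch-list-Array`, and then passes that same value to `get_list_table()` in the second hunk. Reject malformed input before the nonce is checked: `if ( empty( $_GET['list_args']['class'] ) || ! is_string( $_GET['list_args']['class'] ) ) die( '0' );` followed by the existing assignment. Note also that `check_ajax_referer()` only proves the request was issued from a page that rendered this class's nonce for this user (a CSRF token), not that the user is allowed to view the table, so any capability check still has to come from the list table class itself, which is not visible here. The `case 'fetch-list'` block continues past the end of the hunk.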
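Review bot: In the `wp-link-ajax` hunk, `check_ajax_referer( 'internal-linking', '_ajax_linking_nonce' );` is placed after the `require_once`, so the internal-linking file is loaded and parsed even for requests that fail the nonce; making the nonce check the first statement of the `case` keeps the rejected path minimal: `check_ajax_referer( 'internal-linking', '_ajax_linking_nonce' );` then `require_once ABSPATH . 'wp-admin/includes/internal-linking.php';`. The nonce is a CSRF measure rather than an authorization check — nothing in this hunk verifies what the caller may read — so if `wp_link_query()` can return non-public posts, a `current_user_can()` check is still needed; its body is outside this hunk and I cannot confirm either way. The `case 'wp-link-ajax'` block continues below the hunk.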
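Review bot: `wp_nonce_field( "fetch-list-" . get_class( $this ), '_ajax_fetch_list_nonce' );` in `WP_List_Table::display()` leaves the third argument at its default, which in the core signature (`$referer = true`, as far as I recall) also emits a `_wp_http_referer` hidden input; the AJAX handler only consumes the named `_ajax_fetch_list_nonce`, so `wp_nonce_field( "fetch-list-" . get_class( $this ), '_ajax_fetch_list_nonce', false );` avoids an unused field in every list-table page. The action string must stay byte-identical to the `"fetch-list-$list_class"` checked in admin-ajax.php, which implicitly requires the client-side JavaScript to send `list_args[class]` equal to `get_class( $this )`; that coupling deserves a comment on this line, e.g. `// Action must match the 'fetch-list' check in admin-ajax.php; JS echoes get_class( $this ) back in list_args[class].` The body of `display()` continues past the hunk.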