We have received an unconfirmed report of a possible security issue in TSML. While we wait for details on what that is, there are a number of improvement actions that we can take.
We can be sure to verify nonces on every POST request. Currently I see dozens of places where we verify nonces, but at least one where we do not: on the import & settings page when removing a data source.
We can explicitly check for required permissions on any non-public ajax method (I see four).
tsml_import_page and tsml_settings page are currently functions which are only called from add_submenu_page. But since they are functions, they technically could be reused. Seems like a stretch, but we could make them closures or explicitly re-check permissions.
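The three hardening steps listed above, shown together in one added example. This is not TSML's code; the action names, nonce names, the `tsml_example_` prefix and the `manage_options` capability are assumptions chosen for illustration, and TSML's real handlers, capability and data-source storage may differ.

```php
<?php
/**
 * Added example (not TSML code): nonce verification on a POST handler,
 * an explicit capability check on a non-public AJAX method, and an
 * add_submenu_page() callback that re-checks permissions itself.
 *
 * Assumptions (all hypothetical): a "remove data source" form posted from
 * an admin page, an AJAX endpoint for the same action, and
 * 'manage_options' as the required capability.
 */

// Capability every handler below requires. Hypothetical choice.
const TSML_EXAMPLE_CAP = 'manage_options';

// 1. Form-based POST handler: verify the nonce, then check the capability.
//    check_admin_referer() calls wp_die() on a missing or invalid nonce, so
//    code after it only runs for a request that originated from our own form.
//    The nonce proves intent, not authorization, so the capability check stays.
function tsml_example_handle_remove_data_source() {
    if ( empty( $_POST['tsml_remove_data_source'] ) ) {
        return; // plain page load, nothing to do
    }
    check_admin_referer( 'tsml_remove_data_source', 'tsml_nonce' );
    if ( ! current_user_can( TSML_EXAMPLE_CAP ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'tsml-example' ), 403 );
    }
    $id = absint( wp_unslash( $_POST['tsml_remove_data_source'] ) );
    // ... remove data source $id here (hypothetical storage) ...
}

// 2. Non-public AJAX endpoint: only wp_ajax_ is registered (no wp_ajax_nopriv_),
//    so anonymous requests never reach it. Any logged-in user can still hit a
//    wp_ajax_ hook, so the capability check has to be explicit.
//    check_ajax_referer() dies on a bad nonce before the callback continues.
add_action( 'wp_ajax_tsml_example_remove_data_source', function () {
    check_ajax_referer( 'tsml_remove_data_source', 'nonce' );
    if ( ! current_user_can( TSML_EXAMPLE_CAP ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    // ... remove data source $id here (hypothetical storage) ...
    wp_send_json_success( array( 'removed' => $id ) );
} );

// 3. Admin page callback. The capability passed to add_submenu_page() only
//    gates the menu entry and the page load through that menu; a plain named
//    callback could still be called from elsewhere. A closure cannot be
//    called by name, and re-checking inside it costs nothing, so do both.
add_action( 'admin_menu', function () {
    add_submenu_page(
        'options-general.php',
        'TSML Example Settings',
        'TSML Example',
        TSML_EXAMPLE_CAP,
        'tsml-example-settings',
        function () {
            if ( ! current_user_can( TSML_EXAMPLE_CAP ) ) {
                wp_die( esc_html__( 'You are not allowed to do that.', 'tsml-example' ), 403 );
            }
            tsml_example_handle_remove_data_source();
            echo '<div class="wrap"><form method="post">';
            // Emits the hidden nonce field plus the referer field the check expects.
            wp_nonce_field( 'tsml_remove_data_source', 'tsml_nonce' );
            echo '<input type="hidden" name="tsml_remove_data_source" value="1">';
            submit_button( 'Remove data source 1' );
            echo '</form></div>';
        }
    );
} );
```

The AJAX caller must send the nonce under the `nonce` key (for example from a value emitted with `wp_create_nonce( 'tsml_remove_data_source' )` via `wp_localize_script`); `check_ajax_referer()` rejects the request if it is absent. A quick audit for the issue's first point is to grep every handler that reads `$_POST` and confirm a `check_admin_referer()`, `check_ajax_referer()` or `wp_verify_nonce()` call precedes the first write.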