Require nonce and capability checks in sensitive WordPress mutation callbacks | Critiq Docs

#Metadata

Rule ID: php.security.wordpress-missing-nonce-or-capability
Severity: high
Confidence: 0.9
Languages: php
Presets: security, strict
Stability: stable
Applies to: block
Tags: authorization, php, rules-catalog, security, wordpress

#Why it matters

Missing nonce or authorization checks let attackers trigger privileged actions through forged or unauthorized requests.

#Remediation

Add nonce verification (`check_ajax_referer`/`check_admin_referer`) and explicit capability checks (`current_user_can`) before performing mutations.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/php/php.security.wordpress-missing-nonce-or-capability.rule.yaml.

Back to directory Open rule in repository