From 24804144de07d00dccab81430e59dec67aa2d886 Mon Sep 17 00:00:00 2001
From: Jeremy Felt
Date: Thu, 7 Jul 2016 17:13:27 +0000
Subject: [PATCH] Multisite: Add a nonce to the "Cancel" URL when changing a site's admin email.
Props scottbasgaard. Fixes #36954.
Built from https://develop.svn.wordpress.org/trunk@38006
git-svn-id: http://core.svn.wordpress.org/trunk@37947 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/options-general.php | 2 +-
 wp-admin/options.php | 1 +
 wp-includes/version.php | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/wp-admin/options-general.php b/wp-admin/options-general.php
index 83aa0d1580..426ebaae10 100644
--- a/wp-admin/options-general.php
+++ b/wp-admin/options-general.php
@@ -112,7 +112,7 @@ if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
 );
 printf( ' %2$s',
- esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ),
+ esc_url( wp_nonce_url( admin_url( 'options.php?dismiss=new_admin_email' ), 'dismiss-' . get_current_blog_id() . '-new_admin_email' ) ),
 __( 'Cancel' )
 );
 ?>
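Review bot: The nonce action `'dismiss-' . get_current_blog_id() . '-new_admin_email'` on the added `esc_url( wp_nonce_url( … ) )` line must stay byte-identical to the string passed to `check_admin_referer()` in wp-admin/options.php, and nothing in either file ties the two together, so a later edit to one side would make the Cancel link fail with a generic nonce error. I would add a comment directly above that line: `// Action string must match check_admin_referer() in wp-admin/options.php.` Folding `get_current_blog_id()` into the action scopes the nonce to the current site, which is the right choice on multisite where one user may administer several sites. The `printf()` format string appears here as `' %2$s'`, which looks like the page lost its HTML markup in extraction, so the anchor itself cannot be reviewed from this view; the enclosing template block also starts before the hunk.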

diff --git a/wp-admin/options.php b/wp-admin/options.php
index 45558dfbd9..f39a0aac1a 100644
--- a/wp-admin/options.php
+++ b/wp-admin/options.php
@@ -66,6 +66,7 @@ if ( is_multisite() ) {
 wp_redirect( admin_url( $redirect ) );
 exit;
 } elseif ( ! empty( $_GET['dismiss'] ) && 'new_admin_email' == $_GET['dismiss'] ) {
+ check_admin_referer( 'dismiss-' . get_current_blog_id() . '-new_admin_email' );
 delete_option( 'adminhash' );
 delete_option( 'new_admin_email' );
 wp_redirect( admin_url( 'options-general.php?updated=true' ) );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5f15afc2e9..5055e6086d 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.6-beta2-38005';
+$wp_version = '4.6-beta2-38006';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
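Review bot: `check_admin_referer()` on the added line only proves the request carried a nonce minted for the current user and site; it is not an authorization check, so this branch still relies on the capability check that gates options.php, which lies outside the hunk — worth confirming it still runs before the `is_multisite()` block. Placing the call as the first statement of the `elseif` branch is correct, since `check_admin_referer()` terminates the request on failure and neither `delete_option()` call can run without a valid nonce. Because the dismiss is still a state-changing GET request, a short comment would help the next reader understand why the ordering matters: `// CSRF check must precede the deletes; the Cancel link is a nonced GET built in options-general.php.` The `if ( is_multisite() )` block that encloses this branch starts and ends outside the hunk.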