fix(security): sanitize $_GET input before nonce construction in wp_ajax_fetch_list()

rajeshcpr · web-flow · commit 02f04fe3337e · 2026-04-09T14:59:12.000+05:30
Raw $_GET['list_args']['class'] and $_GET['list_args']['screen']['id'] were used
directly to build the nonce action string and passed to _get_list_table() without
any sanitization or existence checks. An attacker controlling list_args[class]
could influence the nonce key being verified, undermining the referer check.
Apply sanitize_key() and isset() guards to both values before use, ensuring the
nonce action string and _get_list_table() arguments are constructed from clean input.
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
@@ -81,10 +81,11 @@ function wp_ajax_nopriv_heartbeat() {
  * @since 3.1.0
  */
 function wp_ajax_fetch_list() {
-	$list_class = $_GET['list_args']['class'];
+	$list_class = isset( $_GET['list_args']['class'] ) ? sanitize_key( $_GET['list_args']['class'] ) : '';
+	$screen_id  = isset( $_GET['list_args']['screen']['id'] ) ? sanitize_key( $_GET['list_args']['screen']['id'] ) : '';
 	check_ajax_referer( "fetch-list-$list_class", '_ajax_fetch_list_nonce' );
 
-	$wp_list_table = _get_list_table( $list_class, array( 'screen' => $_GET['list_args']['screen']['id'] ) );
+	$wp_list_table = _get_list_table( $list_class, array( 'screen' => $screen_id ) );
 	if ( ! $wp_list_table ) {
 		wp_die( 0 );
 	}
