Security: Return a 403 instead of a 200 HTTP status when check_ajax_referer() fails.

This is, unfortunately, untestable in the current test suite, even in the AJAX tests.

Fixes #36362

Built from https://develop.svn.wordpress.org/trunk@38421


git-svn-id: http://core.svn.wordpress.org/trunk@38362 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
John Blackbourn
2016-08-28 17:31:30 +00:00
parent b85e322e35
commit a1d61a95e1
3 changed files with 15 additions and 5 deletions

@@ -1108,7 +1108,7 @@ function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
if ( $die && false === $result ) {
if ( wp_doing_ajax() ) {
wp_die( -1 );
wp_die( -1, 403 );
} else {
die( '-1' );
}
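
Review bot: The else branch still ends with `die( '-1' )` and sets no status, so a failed referer check outside `wp_doing_ajax()` keeps answering 200 while the AJAX branch now answers 403 via `wp_die( -1, 403 )`. If the intent of the commit is that a failed check never returns 200, send the 403 in that branch as well before dying (for example with `status_header( 403 )`), or add a comment explaining why the non-AJAX path is deliberately left unchanged. Because the message says this cannot be covered by the test suite, a short inline comment on the `wp_die( -1, 403 )` line stating the expected status would also help keep the behaviour from regressing unnoticed.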