diff --git a/wp-admin/admin-post.php b/wp-admin/admin-post.php index cb92699efd..8202f7ee98 100644 --- a/wp-admin/admin-post.php +++ b/wp-admin/admin-post.php @@ -28,7 +28,7 @@ nocache_headers(); /** This action is documented in wp-admin/admin.php */ do_action( 'admin_init' ); -$action = empty( $_REQUEST['action'] ) ? '' : $_REQUEST['action']; +$action = wp_validate_action(); if ( ! wp_validate_auth_cookie() ) { if ( empty( $action ) ) { diff --git a/wp-admin/admin.php b/wp-admin/admin.php index d3e58d2549..1729232e10 100644 --- a/wp-admin/admin.php +++ b/wp-admin/admin.php @@ -358,14 +358,16 @@ if ( isset($plugin_page) ) { } } -if ( ! empty( $_REQUEST['action'] ) ) { +$_action = wp_validate_action(); +if ( ! empty( $_action ) ) { /** * Fires when an 'action' request variable is sent. * - * The dynamic portion of the hook name, `$_REQUEST['action']`, + * The dynamic portion of the hook name, `$_action`, * refers to the action derived from the `GET` or `POST` request. * * @since 2.6.0 */ - do_action( 'admin_action_' . $_REQUEST['action'] ); + do_action( 'admin_action_' . $_action ); } +unset( $_action ); diff --git a/wp-admin/async-upload.php b/wp-admin/async-upload.php index 9b668238f5..9dda8ae190 100644 --- a/wp-admin/async-upload.php +++ b/wp-admin/async-upload.php @@ -6,6 +6,7 @@ * @subpackage Administration */ +// `wp_validate_action()` isn't loaded yet if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) { define( 'DOING_AJAX', true ); } 
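Review bot: The `empty( $action )` test two lines below the new assignment now depends entirely on the return contract of `wp_validate_action()`, whose definition is not part of this diff; the old expression guaranteed an empty string when the request carried no `action`, and if the helper can also return an empty value for a present-but-rejected `action`, the nopriv path below will see "no action" where it previously saw the raw string, which is a behaviour change worth stating at the call site. A one-line comment would pin the dependency, e.g. `// Validated 'action' request parameter; empty when absent or rejected by wp_validate_action() - confirm against the helper.` The `if ( ! wp_validate_auth_cookie() )` block opened at the end of this hunk continues past it.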
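Review bot: The rewritten hook docblock names the dynamic portion `$_action`, but that is a throwaway local that is `unset()` two lines later, so readers of the generated hook reference get a variable that exists nowhere else; describing the value is more useful, e.g. `* The dynamic portion of the hook name, \`$_action\`, refers to the validated 'action' request variable` followed by `* (the return value of wp_validate_action()), derived from the GET or POST request.` The leading underscore and the trailing `unset( $_action )` are presumably there so the temporary cannot collide with a `$action` set by whichever admin screen included this file; that intent deserves a comment such as `// Scoped temporary: underscored and unset so it cannot clobber a screen's own $action.` Note also that plugins listening on `admin_action_<name>` will stop firing for any name the validator rejects, which is the intended hardening but should be called out in the commit message.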
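Review bot: The added comment explains why the raw `$_REQUEST['action']` comparison stays here but not what that implies: this pre-load check decides whether `DOING_AJAX` is defined, while the same request is later gated by `wp_validate_action( 'upload-attachment' )` once wp-load.php has run (those hunks are further down this file). If the helper accepts or normalises a value that this strict `===` does not (or vice versa), a request can end up with `DOING_AJAX` defined and still fall through to the non-AJAX branch, so the two tests must be kept equivalent. Suggest `// wp-load.php has not run yet, so wp_validate_action() is unavailable; keep this test equivalent to the wp_validate_action( 'upload-attachment' ) checks below.` which also gives the comment the trailing full stop the file's other comments use.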
@@ -19,7 +20,7 @@ if ( defined('ABSPATH') ) else require_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' ); -if ( ! ( isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['action'] ) ) { +if ( ! wp_validate_action( 'upload-attachment' ) ) { // Flash often fails to send cookies with the POST or upload, so we need to pass it in GET or POST instead if ( is_ssl() && empty($_COOKIE[SECURE_AUTH_COOKIE]) && !empty($_REQUEST['auth_cookie']) ) $_COOKIE[SECURE_AUTH_COOKIE] = $_REQUEST['auth_cookie']; @@ -34,7 +35,7 @@ require_once( ABSPATH . 'wp-admin/admin.php' ); header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) ); -if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) { +if ( wp_validate_action( 'upload-attachment' ) ) { include( ABSPATH . 'wp-admin/includes/ajax-actions.php' ); send_nosniff_header(); diff --git a/wp-admin/includes/class-wp-terms-list-table.php b/wp-admin/includes/class-wp-terms-list-table.php index a4c81afbe7..c83f8d4eeb 100644 --- a/wp-admin/includes/class-wp-terms-list-table.php +++ b/wp-admin/includes/class-wp-terms-list-table.php @@ -153,7 +153,8 @@ class WP_Terms_List_Table extends WP_List_Table { * @return string */ public function current_action() { - if ( isset( $_REQUEST['action'] ) && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $_REQUEST['action'] || 'delete' == $_REQUEST['action2'] ) ) + $action = wp_validate_action(); + if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' == $action || 'delete' == $_REQUEST['action2'] ) ) return 'bulk-delete'; return parent::current_action(); diff --git a/wp-admin/network/site-info.php b/wp-admin/network/site-info.php index a4ee7bb6b2..9048129370 100644 --- a/wp-admin/network/site-info.php +++ b/wp-admin/network/site-info.php 
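Review bot: In `current_action()` the rewritten condition validates `action` through the helper but still compares `$_REQUEST['action2']` raw and without `isset()`, so a request that only sets the top bulk selector (`action=delete&delete_tags[]=...`) raises an undefined-index notice on the `'delete' == $_REQUEST['action2']` operand, and the two selectors are treated asymmetrically. Read the second selector defensively first, `$action2 = isset( $_REQUEST['action2'] ) ? $_REQUEST['action2'] : '';`, and then compare both strictly, `if ( $action && isset( $_REQUEST['delete_tags'] ) && ( 'delete' === $action || 'delete' === $action2 ) )`; both operands are strings, so the strict form is safe and avoids loose-comparison surprises. The method's closing brace lies outside the hunk.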
@@ -53,7 +53,7 @@ if ( ! can_edit_network( $details->site_id ) ) { $parsed_scheme = parse_url( $details->siteurl, PHP_URL_SCHEME ); $is_main_site = is_main_site( $id ); -if ( isset( $_REQUEST['action'] ) && 'update-site' == $_REQUEST['action'] ) { +if ( wp_validate_action( 'update-site' ) ) { check_admin_referer( 'edit-site' ); switch_to_blog( $id ); diff --git a/wp-admin/network/site-new.php b/wp-admin/network/site-new.php index 5876037e89..c5fa157a98 100644 --- a/wp-admin/network/site-new.php +++ b/wp-admin/network/site-new.php @@ -33,7 +33,7 @@ get_current_screen()->set_help_sidebar( '
' . __('Support Forums') . '
' ); -if ( isset($_REQUEST['action']) && 'add-site' == $_REQUEST['action'] ) { +if ( wp_validate_action( 'add-site' ) ) { check_admin_referer( 'add-blog', '_wpnonce_add-blog' ); if ( ! is_array( $_POST['blog'] ) ) diff --git a/wp-admin/network/site-settings.php b/wp-admin/network/site-settings.php index d2699986b9..f32fc65816 100644 --- a/wp-admin/network/site-settings.php +++ b/wp-admin/network/site-settings.php @@ -48,7 +48,7 @@ if ( !can_edit_network( $details->site_id ) ) $is_main_site = is_main_site( $id ); -if ( isset($_REQUEST['action']) && 'update-site' == $_REQUEST['action'] && is_array( $_POST['option'] ) ) { +if ( wp_validate_action( 'update-site' ) && is_array( $_POST['option'] ) ) { check_admin_referer( 'edit-site' ); switch_to_blog( $id ); diff --git a/wp-admin/network/user-new.php b/wp-admin/network/user-new.php index 002e098dc1..f2ccbb8abe 100644 --- a/wp-admin/network/user-new.php +++ b/wp-admin/network/user-new.php @@ -30,7 +30,7 @@ get_current_screen()->set_help_sidebar( '' . __('Support Forums') . '
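Review bot: The rewritten `if` in site-settings.php still calls `is_array( $_POST['option'] )` without an `isset()` guard, so a request carrying `action=update-site` and no `option` fields triggers an undefined-index notice before `check_admin_referer()` runs; the new line should read `if ( wp_validate_action( 'update-site' ) && isset( $_POST['option'] ) && is_array( $_POST['option'] ) ) {`. This is not a security hole, since the nonce check and `switch_to_blog()` only run when the array is present, but it is noise that the surrounding cleanup could remove. The `if` block continues past the hunk.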
' ); -if ( isset($_REQUEST['action']) && 'add-user' == $_REQUEST['action'] ) { +if ( wp_validate_action( 'add-user' ) ) { check_admin_referer( 'add-user', '_wpnonce_add-user' ); if ( ! current_user_can( 'manage_network_users' ) ) diff --git a/wp-admin/network/users.php b/wp-admin/network/users.php index 767e03c55f..0c85aaaad9 100644 --- a/wp-admin/network/users.php +++ b/wp-admin/network/users.php @@ -174,11 +174,12 @@ get_current_screen()->set_help_sidebar( require_once( ABSPATH . 'wp-admin/admin-header.php' ); -if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $_REQUEST['action'] ) ) { +$action = wp_validate_action(); +if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty( $action ) ) { ?>