Opened 5 years ago

Closed 4 years ago

#1859 closed defect (fixed)

Contact form: remove front-end nonces

Reported by: iandunn
Owned by: tmoorewp
Priority: normal
Severity: normal
Plugin: jetpack
Keywords: grunion contact-form plugin-compat has-patch
Cc: jeremy+wp@…, richard@…


Nonces on the front-end don't serve any security purpose, and can cause errors when they're cached and then expire.

I'm getting reports of sporadic "Are you sure..." wp_die()-style error messages when users fill out contact forms on WordCamp.org and suspect they're being caused by expired front-end nonces in the contact form.

The process looks similar to this:

  1. Page with form is created
  2. Page is viewed for the first time
  3. Nonce is generated
  4. Page is cached
  5. Time passes and the nonce expires
  6. Cached version of page is viewed again
  7. Form is submitted with expired nonce
  8. User gets "Are you sure..." error and form is not submitted

Removing the nonce fixes the problem without causing any security issues, since the nonce wasn't giving any real protection in the first place.

Attachments (2)

1859.diff (1010 bytes) - added by iandunn 5 years ago.
1859.2.diff (1.2 KB) - added by iandunn 4 years ago.


Change History (8)

@iandunn 5 years ago

comment:1 @iandunn 5 years ago

  • Keywords has-patch added

1859.diff removes the nonce in the form itself, but not the nonce used after the form is submitted and the user is redirected to view the results. Removing that one would require setting up some new kind of auth mechanism, and I don't think the redirect page is as susceptible to the caching problem as the form itself.

comment:2 @jeherve 5 years ago

  • Cc jeremy+wp@… added
  • Keywords grunion contact-form plugin-compat added
  • Summary changed from Remove front-end nonces from contact form module to Contact form: remove front-end nonces

comment:3 @richardmtl 4 years ago

  • Cc richard@… added

comment:4 @mdawaffe 4 years ago

There should still be a nonce for logged in users.

Without a nonce, a malicious party can trick someone into submitting the form. That's not great for logged out users, but it's bad for logged in users, since the plugin claims the message was sent by a "verified account" if a logged in user submitted the form.

@iandunn 4 years ago

comment:5 @iandunn 4 years ago

1859.2.diff wraps the nonces in is_user_logged_in() instead of removing them.
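The approach comment:5 describes, shown as an added illustration rather than the contents of 1859.2.diff or Jetpack's own code: the nonce field is emitted and verified only when is_user_logged_in() is true. Logged-out visitors, who are the ones typically served a cached copy of the page, never carry a nonce that can expire in the cache, while logged-in submissions (the ones the plugin marks as coming from a verified account) keep their CSRF check. The action name, field names and function names are placeholders, not Jetpack identifiers.

```php
<?php
// Illustrative example, not Jetpack's code. All names prefixed "example_" are placeholders.

function example_contact_form_render() {
    ?>
    <form method="post" action="">
        <?php
        // Only logged-in users get a nonce. Anonymous visitors usually receive a
        // cached page, so a nonce rendered for them would expire in the cache and
        // later fail verification without having protected anything meaningful.
        if ( is_user_logged_in() ) {
            wp_nonce_field( 'example_contact_form', 'example_contact_form_nonce' );
        }
        ?>
        <input type="email" name="example_email">
        <textarea name="example_message"></textarea>
        <input type="submit" name="example_submit" value="Send">
    </form>
    <?php
}

function example_contact_form_handle() {
    if ( ! isset( $_POST['example_submit'] ) ) {
        return;
    }

    // Verification mirrors the render step: a logged-in user must present a valid
    // nonce, because that submission is the one attributed to a verified account.
    if ( is_user_logged_in() ) {
        $nonce = isset( $_POST['example_contact_form_nonce'] )
            ? sanitize_text_field( wp_unslash( $_POST['example_contact_form_nonce'] ) )
            : '';

        // wp_verify_nonce() returns false on failure, 1 or 2 on success.
        if ( ! wp_verify_nonce( $nonce, 'example_contact_form' ) ) {
            wp_die( 'Are you sure you want to do this?' );
        }
    }

    // Logged-out submissions arrive here without a nonce check; the message will
    // not be labelled as coming from a verified account, so the usual input
    // validation and spam filtering are the controls that apply.
    // ... validate $_POST['example_email'] / $_POST['example_message'] and send ...
}

add_action( 'init', 'example_contact_form_handle' );
```

The two branches must agree: if the render step skips the nonce for a class of users, the handler must not demand one from that same class, otherwise every submission from them fails. Keeping the condition identical (is_user_logged_in() in both places) is what prevents that mismatch.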

comment:6 @migueluy 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

In 803811:
