
GDPR plugin form is not security compliant - needs a nonce as its failing security checks audit. #299

@pmbranco

Description


Upon reviewing the GDPR plugin by Trew Knowledge, I found that the JavaScript file is enqueued with the handle 'gdpr-public'. To enhance security by adding a nonce to the plugin's AJAX requests, please follow these steps:

  1. Enqueue the Nonce in Your Theme or Plugin
    Add the following code to your theme's functions.php file or a custom plugin:

```php
// Priority 20 runs after the plugin's own wp_enqueue_scripts callback, so the
// 'gdpr-public' handle is already registered when wp_localize_script() is called
// (localizing an unregistered handle triggers _doing_it_wrong() and adds nothing).
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'gdpr-public', 'gdprVars', [
        'nonce' => wp_create_nonce( 'gdpr_save_consent' ),
    ] );
}, 20 );
```
Explanation:

'gdpr-public': This is the handle used by the GDPR plugin to enqueue its public-facing JavaScript.

wp_localize_script is used here to pass the nonce to the JavaScript file.

  2. Modify the Plugin’s JavaScript to Include the Nonce
    Locate the JavaScript file used by the GDPR plugin (typically found in the plugin's assets/js/ directory). Find the section where the AJAX request is made, which might look like this:

```javascript
$.post(ajaxurl, {
    action: 'gdpr_save_consent',
    gdpr_preferences: preferences
});
```

Modify this to include the nonce:

```javascript
$.post(ajaxurl, {
    action: 'gdpr_save_consent',
    gdpr_preferences: preferences,
    _ajax_nonce: gdprVars.nonce   // object and property names from wp_localize_script()
});
```

Note: Ensure that gdprVars.nonce matches the object and property names used in the wp_localize_script function.

  3. Validate the Nonce in the PHP Handler
    In the PHP function that handles the AJAX request (likely hooked to 'wp_ajax_gdpr_save_consent'), add nonce verification at the beginning of the function:

```php
function gdpr_save_consent() {
    // Ensure the nonce is present and was issued for this action.
    // Unslash before verifying: WordPress adds magic-quote slashes to $_POST.
    $nonce = isset( $_POST['_ajax_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_ajax_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'gdpr_save_consent' ) ) {
        wp_die( 'Permission denied', '', 403 );  // Security failure: respond with HTTP 403
    }

    // Proceed with saving consent preferences (e.g., storing in the database)
    // Your consent-saving logic goes here...
}

// Logged-in requests arrive on wp_ajax_; logged-out visitors use wp_ajax_nopriv_.
add_action( 'wp_ajax_gdpr_save_consent', 'gdpr_save_consent' );
```

check_ajax_referer('gdpr_save_consent') verifies the nonce. If the nonce is invalid, WordPress will terminate the request.
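As an added worked example (not code from the Trew Knowledge plugin or from the issue author), the following mu-plugin applies steps 1 and 3 without editing the plugin's own files, so the change survives plugin updates. It assumes, from the issue text, the script handle 'gdpr-public' and the AJAX action 'gdpr_save_consent', and that the plugin's own handler is hooked at the default priority 10; the function and object names are hypothetical. The JavaScript change from step 2 (sending _ajax_nonce: gdprVars.nonce) is still required for the request to pass.

```php
<?php
/**
 * Plugin Name: GDPR consent nonce guard (example)
 *
 * Added example for this issue, not code from the Trew Knowledge GDPR plugin.
 * Assumes the script handle 'gdpr-public' and the AJAX action
 * 'gdpr_save_consent' from the issue text; function names are hypothetical.
 * Place in wp-content/mu-plugins/ so it is loaded independently of the plugin.
 */

// Step 1: expose the nonce (and the AJAX endpoint, which is not defined on the
// front end by default) to the plugin's script. Priority 20 runs after the
// plugin's own wp_enqueue_scripts callback, so the handle already exists.
add_action( 'wp_enqueue_scripts', function () {
    if ( ! wp_script_is( 'gdpr-public', 'registered' ) ) {
        return; // plugin inactive or handle renamed: nothing to localize
    }
    wp_localize_script( 'gdpr-public', 'gdprVars', [
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'gdpr_save_consent' ),
    ] );
}, 20 );

// Step 3: verify the nonce before the plugin's own handler runs. Hooking at
// priority 1 on the same action puts this check in front of the existing
// callback (assumed to be at the default priority 10) without editing it.
// check_ajax_referer() ends the request with HTTP 403 and body "-1" when the
// nonce is missing, expired, or was issued for a different action, so the
// plugin's handler never executes for a forged request.
function gdpr_example_require_consent_nonce() {
    check_ajax_referer( 'gdpr_save_consent', '_ajax_nonce' );
}
add_action( 'wp_ajax_gdpr_save_consent', 'gdpr_example_require_consent_nonce', 1 );

// Consent banners are shown to anonymous visitors, whose requests arrive on the
// nopriv hook; without this line a logged-out request would bypass the check.
add_action( 'wp_ajax_nopriv_gdpr_save_consent', 'gdpr_example_require_consent_nonce', 1 );
```

To confirm the guard is in place, POST `action=gdpr_save_consent` to admin-ajax.php with no `_ajax_nonce` field (for example with curl) and check that the response is HTTP 403 with body `-1`; the same request with the nonce value taken from the page's `gdprVars` object should reach the plugin's handler. Nonces are valid for up to 24 hours and are tied to the user session, so a page left open overnight will start receiving 403s until it is reloaded; the client code should treat that response as a prompt to refresh rather than as a permanent failure.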
