Harden admin nonce handling and Cloudflare API failures

mustafauysal · mustafauysal · commit 014bbc37ba95 · 2026-03-02T06:23:19.000+03:00
diff --git a/includes/admin/dashboard.php b/includes/admin/dashboard.php
@@ -617,7 +617,8 @@ function purge_all_admin_bar_menu( $wp_admin_bar ) {
  */
 function purge_all_cache_action() {
 
-	if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_purge_all_cache' ) ) { // phpcs:ignore
+	$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
+	if ( ! wp_verify_nonce( $nonce, 'powered_cache_purge_all_cache' ) ) {
 		wp_nonce_ays( '' );
 	}
 
@@ -687,7 +688,8 @@ function purge_all_cache( $settings = array() ) {
  * @since 1.1
  */
 function download_rewrite_config() {
-	if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_download_rewrite' ) ) { // phpcs:ignore
+	$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
+	if ( ! wp_verify_nonce( $nonce, 'powered_cache_download_rewrite' ) ) {
 		wp_nonce_ays( '' );
 	}
 
@@ -940,7 +942,8 @@ function check_alloptions() {
  * @since 1.0
  */
 function deactivate_plugin() {
-	if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'deactivate_plugin' ) ) { // phpcs:ignore
+	$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
+	if ( ! wp_verify_nonce( $nonce, 'deactivate_plugin' ) ) {
 		wp_nonce_ays( '' );
 	}
 
diff --git a/includes/admin/notices.php b/includes/admin/notices.php
@@ -440,7 +440,8 @@ function maybe_display_purge_cache_plugin_notice() {
  * @since 3.2
  */
 function dismiss_notice() {
-	if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'powered_cache_dismiss_notice' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated
+	$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
+	if ( ! wp_verify_nonce( $nonce, 'powered_cache_dismiss_notice' ) ) {
 		wp_nonce_ays( '' );
 	}
 
diff --git a/includes/classes/AdvancedCache.php b/includes/classes/AdvancedCache.php
@@ -139,7 +139,8 @@ public function admin_bar_menu( $wp_admin_bar ) {
 	 * @since 2.0
 	 */
 	public function purge_page_cache_network_wide() {
-		if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_purge_page_cache_network' ) ) { // phpcs:ignore
+		$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
+		if ( ! wp_verify_nonce( $nonce, 'powered_cache_purge_page_cache_network' ) ) {
 			wp_nonce_ays( '' );
 		}
 
@@ -758,4 +759,3 @@ public function purge_on_term_change( $term_id, $tt_id, $taxonomy ) {
 	}
 
 }
-
diff --git a/includes/classes/Extensions/Cloudflare/API.php b/includes/classes/Extensions/Cloudflare/API.php
@@ -138,10 +138,21 @@ private function remote_request( $url, $type = 'GET', $data = array() ) {
 		}
 
 		$response = wp_remote_request( $url, $args );
+		if ( is_wp_error( $response ) ) {
+			\PoweredCache\Utils\log( sprintf( 'Cloudflare API Error: %s', $response->get_error_message() ) );
 
-		\PoweredCache\Utils\log( sprintf( 'Cloudflare API Response: %s', print_r( wp_remote_retrieve_body( $response ), true ) ) ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
+			return [];
+		}
+
+		$response_body = wp_remote_retrieve_body( $response );
+		\PoweredCache\Utils\log( sprintf( 'Cloudflare API Response: %s', print_r( $response_body, true ) ) ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
+
+		$decoded_response = json_decode( $response_body, true );
+		if ( ! is_array( $decoded_response ) ) {
+			return [];
+		}
 
-		return json_decode( wp_remote_retrieve_body( $response ), true );
+		return $decoded_response;
 	}
 
 	/**
diff --git a/includes/classes/Extensions/Cloudflare/Cloudflare.php b/includes/classes/Extensions/Cloudflare/Cloudflare.php
@@ -121,7 +121,8 @@ public function delete_cloudflare_cache_on_flush() {
 	 * Delete CF cache when it triggered from admin menu
 	 */
 	public function delete_cloudflare_cache() {
-		if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_purge_cf_cache' ) ) { // phpcs:ignore
+		$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
+		if ( ! wp_verify_nonce( $nonce, 'powered_cache_purge_cf_cache' ) ) {
 			wp_nonce_ays( '' );
 		}
 
diff --git a/includes/classes/ObjectCache.php b/includes/classes/ObjectCache.php
@@ -90,7 +90,8 @@ public function admin_bar_menu( $wp_admin_bar ) {
 	 * @since 1.0
 	 */
 	public function purge_object_cache() {
-		if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_purge_object_cache' ) ) { // phpcs:ignore
+		$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
+		if ( ! wp_verify_nonce( $nonce, 'powered_cache_purge_object_cache' ) ) {
 			wp_nonce_ays( '' );
 		}
 
diff --git a/includes/classes/Preloader.php b/includes/classes/Preloader.php
@@ -131,7 +131,8 @@ private function get_preloader() {
 	 * Add preloading items to queue
 	 */
 	public function start_preload() {
-		if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_preload_cache' ) ) { // phpcs:ignore
+		$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
+		if ( ! wp_verify_nonce( $nonce, 'powered_cache_preload_cache' ) ) {
 			wp_nonce_ays( '' );
 		}
 
diff --git a/includes/compat/plugins/wpml.php b/includes/compat/plugins/wpml.php
@@ -186,7 +186,8 @@ function admin_bar_preload_cache_menu( $wp_admin_bar ) {
 	 * @since 2.4
 	 */
 	function purge_page_cache() {
-		if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_purge_page_cache_for_lang' ) ) { // phpcs:ignore
+		$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
+		if ( ! wp_verify_nonce( $nonce, 'powered_cache_purge_page_cache_for_lang' ) ) {
 			wp_nonce_ays( '' );
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -440,7 +440,8 @@ function maybe_display_purge_cache_plugin_notice() {`
`440`	`440`	`* @since 3.2`
`441`	`441`	`*/`
`442`	`442`	`function dismiss_notice() {`
`443`		`- if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'powered_cache_dismiss_notice' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated`
	`443`	`+ $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';`
	`444`	`+ if ( ! wp_verify_nonce( $nonce, 'powered_cache_dismiss_notice' ) ) {`
`444`	`445`	`wp_nonce_ays( '' );`
`445`	`446`	`}`
`446`	`447`
Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,8 @@ public function admin_bar_menu( $wp_admin_bar ) {`
`139`	`139`	`* @since 2.0`
`140`	`140`	`*/`
`141`	`141`	`public function purge_page_cache_network_wide() {`
`142`		`- if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_purge_page_cache_network' ) ) { // phpcs:ignore`
	`142`	`+ $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';`
	`143`	`+ if ( ! wp_verify_nonce( $nonce, 'powered_cache_purge_page_cache_network' ) ) {`
`143`	`144`	`wp_nonce_ays( '' );`
`144`	`145`	`}`
`145`	`146`
`@@ -758,4 +759,3 @@ public function purge_on_term_change( $term_id, $tt_id, $taxonomy ) {`
`758`	`759`	`}`
`759`	`760`
`760`	`761`	`}`
`761`		`-`
Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,8 @@ public function delete_cloudflare_cache_on_flush() {`
`121`	`121`	`* Delete CF cache when it triggered from admin menu`
`122`	`122`	`*/`
`123`	`123`	`public function delete_cloudflare_cache() {`
`124`		`- if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_purge_cf_cache' ) ) { // phpcs:ignore`
	`124`	`+ $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';`
	`125`	`+ if ( ! wp_verify_nonce( $nonce, 'powered_cache_purge_cf_cache' ) ) {`
`125`	`126`	`wp_nonce_ays( '' );`
`126`	`127`	`}`
`127`	`128`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,8 @@ public function admin_bar_menu( $wp_admin_bar ) {`
`90`	`90`	`* @since 1.0`
`91`	`91`	`*/`
`92`	`92`	`public function purge_object_cache() {`
`93`		`- if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_purge_object_cache' ) ) { // phpcs:ignore`
	`93`	`+ $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';`
	`94`	`+ if ( ! wp_verify_nonce( $nonce, 'powered_cache_purge_object_cache' ) ) {`
`94`	`95`	`wp_nonce_ays( '' );`
`95`	`96`	`}`
`96`	`97`
Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,8 @@ private function get_preloader() {`
`131`	`131`	`* Add preloading items to queue`
`132`	`132`	`*/`
`133`	`133`	`public function start_preload() {`
`134`		`- if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_preload_cache' ) ) { // phpcs:ignore`
	`134`	`+ $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';`
	`135`	`+ if ( ! wp_verify_nonce( $nonce, 'powered_cache_preload_cache' ) ) {`
`135`	`136`	`wp_nonce_ays( '' );`
`136`	`137`	`}`
`137`	`138`
Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,8 @@ function admin_bar_preload_cache_menu( $wp_admin_bar ) {`
`186`	`186`	`* @since 2.4`
`187`	`187`	`*/`
`188`	`188`	`function purge_page_cache() {`
`189`		`- if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'powered_cache_purge_page_cache_for_lang' ) ) { // phpcs:ignore`
	`189`	`+ $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';`
	`190`	`+ if ( ! wp_verify_nonce( $nonce, 'powered_cache_purge_page_cache_for_lang' ) ) {`
`190`	`191`	`wp_nonce_ays( '' );`
`191`	`192`	`}`
`192`	`193`