Unactioned Review Feedback
Source PR: #1371
File: inc/managers/class-site-manager.php
Reviewers: coderabbit
Findings: 1
Max severity: critical
CRITICAL: coderabbit (coderabbitai[bot])
File: inc/managers/class-site-manager.php:548
⚠️ Potential issue | 🔴 Critical
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Locate screenshot AJAX callers and nonce wiring.
# Expectation: callers for wu_get_screenshot include a nonce matching the handler check.
rg -nP -C4 "wu_get_screenshot|Screenshot::take_screenshot|wp_create_nonce\\(|check_ajax_referer\\(" --type=php --type=js
Repository: Ultimate-Multisite/ultimate-multisite
Length of output: 50394
🏁 Script executed:
sed -n '535,575p' inc/managers/class-site-manager.php
Repository: Ultimate-Multisite/ultimate-multisite
Length of output: 1095
🏁 Script executed:
cat -n assets/js/screenshot-scraper.js | head -30
Repository: Ultimate-Multisite/ultimate-multisite
Length of output: 833
🏁 Script executed:
grep -n "check_ajax_referer\|wp_ajax_wu_get_screenshot" inc/managers/class-site-manager.php
Repository: Ultimate-Multisite/ultimate-multisite
Length of output: 159
🏁 Script executed:
grep -A 5 "get_site_screenshot\|async_get_site_screenshot" inc/managers/class-site-manager.php | head -50
Repository: Ultimate-Multisite/ultimate-multisite
Length of output: 702
Add nonce verification to prevent CSRF on screenshot generation.
The get_site_screenshot() AJAX handler currently relies only on capability checking (manage_network). Without check_ajax_referer(), a cross-site request can trick a logged-in network admin into calling Screenshot::take_screenshot() and creating/updating media attachments for an attacker-chosen site_id.
The JavaScript client (assets/js/screenshot-scraper.js:19-20) sends no nonce, and the server-side handler performs no nonce validation. Add nonce generation on the client and verification on the server:
🛡️ Suggested server-side guard
if ( ! current_user_can('manage_network')) {
- wp_send_json_error(new \WP_Error('unauthorized', __('You do not have permission to perform this action.', 'ultimate-multisite')));
+ wp_send_json_error(new \WP_Error('unauthorized', __('You do not have permission to perform this action.', 'ultimate-multisite')), 403);
+}
+
+if ( ! check_ajax_referer('wu_get_screenshot', false, false)) {
+ wp_send_json_error(new \WP_Error('invalid_nonce', __('Security check failed. Please try again.', 'ultimate-multisite')), 403);
}
Update the client-side AJAX call to include the nonce via wp_create_nonce('wu_get_screenshot') passed in the data object.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
if ( ! current_user_can('manage_network')) {
wp_send_json_error(new \WP_Error('unauthorized', __('You do not have permission to perform this action.', 'ultimate-multisite')), 403);
}
if ( ! check_ajax_referer('wu_get_screenshot', false, false)) {
wp_send_json_error(new \WP_Error('invalid_nonce', __('Security check failed. Please try again.', 'ultimate-multisite')), 403);
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@inc/managers/class-site-manager.php` around lines 542 - 544, The
get_site_screenshot() AJAX handler lacks nonce verification, making it
vulnerable to CSRF attacks. Add a check_ajax_referer() call after the
current_user_can() capability check in the handler to verify the nonce with the
action 'wu_get_screenshot'. On the client-side in
assets/js/screenshot-scraper.js, update the AJAX request data object to include
the nonce by adding a field with the value generated from
wp_create_nonce('wu_get_screenshot') on the server. This ensures that only
legitimate requests from your application can trigger the screenshot
functionality.
✅ Addressed in commit 02a06ed
View comment
Auto-generated by quality-feedback-helper.sh scan-merged. Review each finding and either fix the code or dismiss with a reason.
To approve or decline, use one of:
sudo aidevops approve issue <number> Ultimate-Multisite/ultimate-multisite -- cryptographically signs approval for automated dispatch
- Comment
declined: <reason> -- closes this issue (include your reason after the colon)
aidevops.sh v3.20.88 automated scan.
Unactioned Review Feedback
Source PR: #1371
File:
inc/managers/class-site-manager.phpReviewers: coderabbit
Findings: 1
Max severity: critical
CRITICAL: coderabbit (coderabbitai[bot])
File:
⚠️ Potential issue | 🔴 Critical
inc/managers/class-site-manager.php:548🧩 Analysis chain
🏁 Script executed:
Repository: Ultimate-Multisite/ultimate-multisite
Length of output: 50394
🏁 Script executed:
sed -n '535,575p' inc/managers/class-site-manager.phpRepository: Ultimate-Multisite/ultimate-multisite
Length of output: 1095
🏁 Script executed:
cat -n assets/js/screenshot-scraper.js | head -30Repository: Ultimate-Multisite/ultimate-multisite
Length of output: 833
🏁 Script executed:
grep -n "check_ajax_referer\|wp_ajax_wu_get_screenshot" inc/managers/class-site-manager.phpRepository: Ultimate-Multisite/ultimate-multisite
Length of output: 159
🏁 Script executed:
Repository: Ultimate-Multisite/ultimate-multisite
Length of output: 702
Add nonce verification to prevent CSRF on screenshot generation.
The
get_site_screenshot()AJAX handler currently relies only on capability checking (manage_network). Withoutcheck_ajax_referer(), a cross-site request can trick a logged-in network admin into callingScreenshot::take_screenshot()and creating/updating media attachments for an attacker-chosensite_id.The JavaScript client (
assets/js/screenshot-scraper.js:19-20) sends no nonce, and the server-side handler performs no nonce validation. Add nonce generation on the client and verification on the server:🛡️ Suggested server-side guard
if ( ! current_user_can('manage_network')) { - wp_send_json_error(new \WP_Error('unauthorized', __('You do not have permission to perform this action.', 'ultimate-multisite'))); + wp_send_json_error(new \WP_Error('unauthorized', __('You do not have permission to perform this action.', 'ultimate-multisite')), 403); +} + +if ( ! check_ajax_referer('wu_get_screenshot', false, false)) { + wp_send_json_error(new \WP_Error('invalid_nonce', __('Security check failed. Please try again.', 'ultimate-multisite')), 403); }Update the client-side AJAX call to include the nonce via
wp_create_nonce('wu_get_screenshot')passed in the data object.📝 Committable suggestion
🤖 Prompt for AI Agents
✅ Addressed in commit 02a06ed
View comment
Auto-generated by
quality-feedback-helper.sh scan-merged. Review each finding and either fix the code or dismiss with a reason.To approve or decline, use one of:
sudo aidevops approve issue <number> Ultimate-Multisite/ultimate-multisite-- cryptographically signs approval for automated dispatchdeclined: <reason>-- closes this issue (include your reason after the colon)aidevops.sh v3.20.88 automated scan.