A WordPress security update (backported even to the 4.1.x branch) has just been released. It adds a check_ajax_referer() call in wp-admin/includes/ajax-actions.php, in the function wp_ajax_set_attachment_thumbnail(), starting at line 2252:
```php
/**
 * Ajax handler for setting the featured image for an attachment.
 *
 * @since 4.0.0
 *
 * @see set_post_thumbnail()
 */
function wp_ajax_set_attachment_thumbnail() {
	if ( empty( $_POST['urls'] ) || ! is_array( $_POST['urls'] ) ) {
		wp_send_json_error();
	}

	$thumbnail_id = (int) $_POST['thumbnail_id'];
	if ( empty( $thumbnail_id ) ) {
		wp_send_json_error();
	}

	// Newly added check: reject requests without a valid nonce.
	if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
		wp_send_json_error();
	}

	$post_ids = array();
	// ... (remainder of the function unchanged)
```
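To show why that one line matters, here is an added example (not WordPress or ClassicPress code) of a plugin-style AJAX handler wired up the same way: the nonce is minted server-side, handed to the browser, and verified with check_ajax_referer() before anything else. The `myplugin_` names are hypothetical; the nonce action `set-attachment-thumbnail` and the `_ajax_nonce` field name are the ones from the patched core handler.

```php
<?php
// Added example, not core code. Names prefixed "myplugin_" are hypothetical.

// 1. Server side: mint the nonce and hand it to the script that will make
//    the request. wp_create_nonce() ties the token to the current user and
//    session, so a page on another site cannot produce a valid one.
add_action( 'admin_enqueue_scripts', function () {
	wp_enqueue_script( 'myplugin-thumb', plugins_url( 'thumb.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'myplugin-thumb', 'mypluginThumb', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'set-attachment-thumbnail' ),
	) );
} );

// 2. Browser side (contents of the hypothetical thumb.js, shown as a comment):
//    the POST field name must match the second argument of check_ajax_referer().
//
//    jQuery.post( mypluginThumb.ajaxUrl, {
//        action:       'myplugin_set_thumbnail',
//        _ajax_nonce:  mypluginThumb.nonce,
//        thumbnail_id: 123
//    } );

// 3. Server side: the handler. The nonce check is the CSRF defence; the
//    capability check is the authorisation decision. Both are needed: a valid
//    nonce only proves the request came from a page this site served to this
//    logged-in user, not that the user is allowed to modify the attachment.
add_action( 'wp_ajax_myplugin_set_thumbnail', function () {
	// Third argument false: return false instead of dying with "-1", so the
	// handler can answer with a JSON error the way core does.
	if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {
		wp_send_json_error( 'invalid or missing nonce' );
	}

	$thumbnail_id = isset( $_POST['thumbnail_id'] ) ? (int) $_POST['thumbnail_id'] : 0;
	if ( ! $thumbnail_id || ! current_user_can( 'edit_post', $thumbnail_id ) ) {
		wp_send_json_error( 'not allowed' );
	}

	// ... apply the change (e.g. set_post_thumbnail()) here ...
	wp_send_json_success( array( 'thumbnail_id' => $thumbnail_id ) );
} );
```

Without the check_ajax_referer() call, any site the logged-in user visits can submit this POST through the browser's session cookie; with it, such a request fails the nonce check and is rejected before the capability check is even reached.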
There is also a related change in wp-includes/media.php, and further changes in wp-includes/embed.php and wp-includes/js/wp-embed.*.

You might want to add these to ClassicPress too.