Security update

A WordPress security update (backported even to 4.1.x branch) just has been released with an added check_ajax_referer in wp-admin/includes/ajax-actions.php in function wp_ajax_set_attachment_thumbnail() starting at line 2252

 * Ajax handler for setting the featured image for an attachment.
 * @since 4.0.0
 * @see set_post_thumbnail()
function wp_ajax_set_attachment_thumbnail() {
	if ( empty( $_POST['urls'] ) || ! is_array( $_POST['urls'] ) ) {

	$thumbnail_id = (int) $_POST['thumbnail_id'];
	if ( empty( $thumbnail_id ) ) {

// new added check here:
	if ( false === check_ajax_referer( 'set-attachment-thumbnail', '_ajax_nonce', false ) ) {

	$post_ids = array();

Also a related change in wp-includes/media.php and a change in wp-includes/embed.php and wp-includes/js/wp-embed.*

You might want to add these to ClassicPress too.

Tagging @viktor and @MattyRob because security updates are evaluated by the core team.
I think we would need to include this in a 1.6 CP version?

WordPress currently hides any information about this, there is no ticket in trac and nothing in release notes[1], change logs etc.

So no idea about impact and requirements for exploitability, sorry.

[1] added: besides “A CSRF issue updating attachment thumbnails” and “A flaw allowing XSS via open embed auto discovery” mentioned here.

1 Like

Thanks for letting us know. We’ll review and release a new version as soon as possible.

1 Like

Patched. New version is available. See 1.5.3 release notes.