diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php
index 3ecfe0a455..04c19fb440 100644
--- a/src/wp-admin/user-edit.php
+++ b/src/wp-admin/user-edit.php
@@ -83,7 +83,7 @@ if ( is_multisite()
// Execute confirmed email change. See send_confirmation_on_profile_email().
if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) {
$new_email = get_user_meta( $current_user->ID, '_new_email', true );
- if ( $new_email && $new_email[ 'hash' ] == $_GET[ 'newuseremail' ] ) {
+ if ( $new_email && hash_equals( $new_email[ 'hash' ], $_GET[ 'newuseremail' ] ) ) {
$user = new stdClass;
$user->ID = $current_user->ID;
$user->user_email = esc_html( trim( $new_email[ 'newemail' ] ) );
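Review bot: `hash_equals()` on the new line requires both arguments to be strings, but `$_GET['newuseremail']` is only guarded by `isset()` in the condition above, so a request that supplies it as an array reaches the comparison and produces a warning with a false result on PHP 5.x/7.x (a TypeError on PHP 8) rather than a clean rejection; `$new_email['hash']` is likewise assumed to be a string coming back from user meta. Tightening the guard to `if ( $new_email && is_string( $_GET['newuseremail'] ) && hash_equals( (string) $new_email['hash'], $_GET['newuseremail'] ) ) {` keeps the constant-time comparison the commit introduces while turning malformed input into an ordinary "not matched" path. The `if` block this line belongs to continues past the end of the hunk.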
@@ -97,7 +97,8 @@ if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $c
} else {
wp_redirect( add_query_arg( array( 'error' => 'new-email' ), self_admin_url( 'profile.php' ) ) );
}
-} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' == $_GET['dismiss'] ) {
+} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' === $_GET['dismiss'] ) {
+ check_admin_referer( 'dismiss-' . $current_user->ID . '_new_email' );
delete_user_meta( $current_user->ID, '_new_email' );
wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) );
die();
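Review bot: The nonce action `'dismiss-' . $current_user->ID . '_new_email'` on the added `check_admin_referer()` line is assembled a second time by hand in the `wp_nonce_url()` call of the third hunk (the `Cancel` link), and nothing ties the two together, so editing either one makes the cancel link silently fail the referer check. A comment on the new line such as `// Nonce action must match the one passed to wp_nonce_url() for the Cancel link in the pending-change notice below.` makes the coupling visible to the next editor. It is also worth stating in that comment that `check_admin_referer()` ends the request on a missing or invalid nonce, so `delete_user_meta()` is only reached from a legitimately generated link, which is the CSRF property this change is meant to establish. The `elseif` belongs to a conditional whose start lies outside the hunk.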
@@ -400,11 +401,11 @@ if ( is_multisite() && is_network_admin() && ! IS_PROFILE_PAGE && current_user_c
printf(
/* translators: %s: new email */
__( 'There is a pending change of your email to %s.' ),
- '' . $new_email['newemail'] . ''
+ '' . esc_html( $new_email['newemail'] ) . ''
);
printf(
' %2$s',
- esc_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ) ),
+ esc_url( wp_nonce_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ), 'dismiss-' . $current_user->ID . '_new_email' ) ),
__( 'Cancel' )
);
?>