Themes: Ensure that only privileged users can set a background image when a theme is using the deprecated custom background page.

Props xknown, zieladam, peterwilsoncc, whyisjake. Merges [49379] to trunk. git-svn-id: https://develop.svn.wordpress.org/trunk@49388 602fd350-edb4-49c9-b593-d223f7449a82
2026-04-11 16:14:32 +00:00 · 2020-10-29 18:06:18 +00:00
parent d5ddd6d4be
commit cbcc595974
3 changed files with 7 additions and 1 deletions
--- a/src/wp-admin/includes/class-custom-background.php
+++ b/src/wp-admin/includes/class-custom-background.php
@@ -581,6 +581,8 @@ class Custom_Background {
 	 * @deprecated 3.5.0
 	 */
 	public function wp_set_background_image() {
+		check_ajax_referer( 'custom-background' );
+
 		if ( ! current_user_can( 'edit_theme_options' ) || ! isset( $_POST['attachment_id'] ) ) {
 			exit;
 		}