Hey! Ryan here from WPScan. Great video. Just something to note that wasn't mentioned is that Chrome and other browsers will soon be enabling "SameSite=Lax" cookies by default, which will prevent most CSRF attacks in modern web browsers, when they implement it by default. Nonces should absolutely still be used of course, but the risk of a CSRF attack should also be reduced when web browsers implement SameSite by default.
How to get NOnce for Headless WordPress? Custom endpoint i.e with REST API? And if yes then should we secure the Nonce endpoint by checking like current_user_can() or should just let it be without any checks?
Always love how you dig deeper into WP more than the average channel! Check out the function check_ajax_referer() (developer.wordpress.org/reference/functions/check_ajax_referer/). It pretty much does what you built, but with a simple function call. It's super handy.
What happens if user open this form as not logged in state and then login in another tab, return to first tab and submit the form? Nonce error happens. Why? how to deal with that situation?
I don't understand it. Because the nonce filed is a hidden field. Evey when bot submit the request still isset return true and query get executed. ????
Note that the nonces are unique to the current user's session, so if a user logs in or out asynchronously any nonces on the page will no longer be valid. codex.wordpress.org/WordPress_Nonces
Nonces are to stop replay attacks, they are to help ensuring that a request was made from a valid source and that the request is only run only once and that the primed request can expire if the user fails to submit. Nonces are basically useless on forms that don't require user authentication.
