From 8a7d81b62743d16cbd264a8bc4fed527b5bc97d7 Mon Sep 17 00:00:00 2001
From: Jeremy Felt
Date: Thu, 7 Jul 2016 17:12:54 +0000
Subject: [PATCH] Multisite: Add a nonce to the "Cancel" URL when changing a site's admin email.

Props scottbasgaard.
Fixes #36954.

git-svn-id: https://develop.svn.wordpress.org/trunk@38006 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/options-general.php | 2 +-
 src/wp-admin/options.php | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/wp-admin/options-general.php b/src/wp-admin/options-general.php
index 83aa0d1580..426ebaae10 100644
--- a/src/wp-admin/options-general.php
+++ b/src/wp-admin/options-general.php
@@ -112,7 +112,7 @@ if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
 );
 printf( ' %2$s',
- esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ),
+ esc_url( wp_nonce_url( admin_url( 'options.php?dismiss=new_admin_email' ), 'dismiss-' . get_current_blog_id() . '-new_admin_email' ) ),
 __( 'Cancel' )
 );
 ?>
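Review bot: The nonce action `'dismiss-' . get_current_blog_id() . '-new_admin_email'` on the added line is a silent contract with the `check_admin_referer()` call in options.php, and nothing in this file records it, so a maintainer who edits one side will break the Cancel link with an "expired link" error rather than a visible failure. I would add above the `printf`: `// Nonce action must match check_admin_referer() in options.php (dismiss=new_admin_email branch).` Binding the action to `get_current_blog_id()` is the right choice on multisite, since a nonce minted for one site's Cancel link cannot be replayed to clear another site's pending admin email. Wrapping `wp_nonce_url()` in `esc_url()` is the usual pairing for an href, though the `printf` format string appears to have lost its anchor markup in extraction, so I cannot confirm the output context from this hunk. The enclosing `if ( $new_admin_email ... ) :` block begins before this hunk.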

diff --git a/src/wp-admin/options.php b/src/wp-admin/options.php
index 45558dfbd9..f39a0aac1a 100644
--- a/src/wp-admin/options.php
+++ b/src/wp-admin/options.php
@@ -66,6 +66,7 @@ if ( is_multisite() ) {
 wp_redirect( admin_url( $redirect ) );
 exit;
 } elseif ( ! empty( $_GET['dismiss'] ) && 'new_admin_email' == $_GET['dismiss'] ) {
+ check_admin_referer( 'dismiss-' . get_current_blog_id() . '-new_admin_email' );
 delete_option( 'adminhash' );
 delete_option( 'new_admin_email' );
 wp_redirect( admin_url( 'options-general.php?updated=true' ) );
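Review bot: `check_admin_referer()` on the added line sits correctly ahead of the two `delete_option()` calls, but a nonce only defends against CSRF; the branch still depends on a capability gate that is outside this hunk, and I would confirm that options.php's `manage_options` check (presumably near the top of the file) runs before the `is_multisite()` block rather than after the redirect. The action string must stay byte-identical to the one built by `wp_nonce_url()` in options-general.php, so I would add above the call: `// Must match the nonce action generated for the "Cancel" link in options-general.php.` Since `check_admin_referer()` terminates the request on a bad or missing nonce, no explicit failure branch is needed before the deletes. The surrounding `if ( is_multisite() )` block starts before this hunk and its `elseif` chain continues past it.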