From ac8bc46b098f7826fafed3b3c12536d7f528ca7a Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Wed, 18 Oct 2017 21:00:39 +0000
Subject: [PATCH] Administration: After [41120], check for a registered action before sending a Bad Request HTTP response status code.

Props Clorith. Fixes #42240.

git-svn-id: https://develop.svn.wordpress.org/trunk@41926 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/admin-ajax.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/wp-admin/admin-ajax.php b/src/wp-admin/admin-ajax.php
index c3fc51499f..579f985c4a 100644
--- a/src/wp-admin/admin-ajax.php
+++ b/src/wp-admin/admin-ajax.php
@@ -81,6 +81,11 @@ if ( ! empty( $_POST['action'] ) && in_array( $_POST['action'], $core_actions_po
 	add_action( 'wp_ajax_nopriv_heartbeat', 'wp_ajax_nopriv_heartbeat', 1 );
 
 if ( is_user_logged_in() ) {
+	// If no action is registered, return a Bad Request response.
+	if ( ! has_action( 'wp_ajax_' . $_REQUEST['action'] ) ) {
+		wp_die( '0', 400 );
+	}
+
 	/**
 	 * Fires authenticated Ajax actions for logged-in users.
 	 *
@@ -91,6 +96,11 @@ if ( is_user_logged_in() ) {
 	 */
 	do_action( 'wp_ajax_' . $_REQUEST['action'] );
 } else {
+	// If no action is registered, return a Bad Request response.
+	if ( ! has_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] ) ) {
+		wp_die( '0', 400 );
+	}
+
 	/**
 	 * Fires non-authenticated Ajax actions for logged-out users.
 	 *
@@ -102,4 +112,4 @@ if ( is_user_logged_in() ) {
 	do_action( 'wp_ajax_nopriv_' . $_REQUEST['action'] );
 }
 // Default status
-wp_die( '0', 400 );
+wp_die( '0' );
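Review bot: `$_REQUEST['action']` is concatenated into the hook name in the new `has_action()` guard without being checked to be a string; if PHP has built an array from the request parameter, the concatenation raises an "Array to string conversion" notice and the lookup is made for the literal hook `wp_ajax_Array`, so the 400 would be produced only by accident rather than by an explicit rejection. A guard such as `if ( ! is_string( $_REQUEST['action'] ) ) { wp_die( '0', 400 ); }` before the `has_action()` call, or beside the earlier `empty( $_REQUEST['action'] )` check near the top of the file (outside this hunk, assuming it is still present), makes the rejection deliberate. The same applies to the `wp_ajax_nopriv_` guard in the second hunk; both branches also repeat an identical comment/check/die sequence, which could be collapsed by computing `$hook = ( is_user_logged_in() ? 'wp_ajax_' : 'wp_ajax_nopriv_' ) . $_REQUEST['action'];` once above the `if` and performing a single `has_action( $hook )` check. The enclosing `if ( is_user_logged_in() )` block starts before this hunk and ends after it.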
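Review bot: The `// Default status` comment kept above the changed `wp_die( '0' )` no longer explains why the 400 status was removed from this line, which now reads as a regression of [41120] to anyone who has not seen the guards added earlier in the file. From the new code, this line is reached only when a registered handler returned without ending the request itself, while the unregistered-action case is answered with 400 by the `has_action()` checks in the two branches above. Suggest replacing the comment with `// Default status: a registered handler ran but did not end the request itself; unregistered actions were already rejected with 400 above.` so the next reader does not re-add the status code here.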