diff --git a/src/wp-admin/js/customize-controls.js b/src/wp-admin/js/customize-controls.js
index f3210e8491..672c75d0ba 100644
--- a/src/wp-admin/js/customize-controls.js
+++ b/src/wp-admin/js/customize-controls.js
@@ -4580,6 +4580,16 @@
}
});
+ // Ensure preview nonce is included with every customized request, to allow post data to be read.
+ $.ajaxPrefilter( function injectPreviewNonce( options ) {
+ if ( ! /wp_customize=on/.test( options.data ) ) {
+ return;
+ }
+ options.data += '&' + $.param({
+ customize_preview_nonce: api.settings.nonce.preview
+ });
+ });
+
// Refresh the nonces if the preview sends updated nonces over.
api.previewer.bind( 'nonce', function( nonce ) {
$.extend( this.nonce, nonce );
diff --git a/src/wp-includes/class-wp-customize-manager.php b/src/wp-includes/class-wp-customize-manager.php
index 097be0cf5e..669ce05c80 100644
--- a/src/wp-includes/class-wp-customize-manager.php
+++ b/src/wp-includes/class-wp-customize-manager.php
@@ -486,6 +486,24 @@ final class WP_Customize_Manager {
$this->wp_die( -1, __( 'Invalid changeset UUID' ) );
}
+ /*
+ * Clear incoming post data if the user lacks a CSRF token (nonce). Note that the customizer
+ * application will inject the customize_preview_nonce query parameter into all Ajax requests.
+ * For similar behavior elsewhere in WordPress, see rest_cookie_check_errors() which logs out
+ * a user when a valid nonce isn't present.
+ */
+ $has_post_data_nonce = (
+ check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce', false )
+ ||
+ check_ajax_referer( 'save-customize_' . $this->get_stylesheet(), 'nonce', false )
+ ||
+ check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'customize_preview_nonce', false )
+ );
+ if ( ! current_user_can( 'customize' ) || ! $has_post_data_nonce ) {
+ unset( $_POST['customized'] );
+ unset( $_REQUEST['customized'] );
+ }
+
/*
* If unauthenticated then require a valid changeset UUID to load the preview.
* In this way, the UUID serves as a secret key. If the messenger channel is present,