diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php index 7c22f57caf..e201b82b8c 100644 --- a/wp-admin/includes/dashboard.php +++ b/wp-admin/includes/dashboard.php @@ -131,6 +131,7 @@ function wp_dashboard_setup() { } if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset($_POST['widget_id']) ) { + check_admin_referer( 'edit-dashboard-widget_' . $_POST['widget_id'] ); ob_start(); // hack - but the same hack wp-admin/widgets.php uses wp_dashboard_trigger_widget_control( $_POST['widget_id'] ); ob_end_clean(); @@ -182,6 +183,7 @@ function wp_add_dashboard_widget( $widget_id, $widget_name, $callback, $control_ function _wp_dashboard_control_callback( $dashboard, $meta_box ) { echo '
'; wp_dashboard_trigger_widget_control( $meta_box['id'] ); + wp_nonce_field( 'edit-dashboard-widget_' . $meta_box['id'] ); echo ''; submit_button( __('Submit') ); echo '
';