
Cheatin' uh? #882

@dd32

Description


Whenever a post is saved, such as through a contact form submission, transition_post_status is fired off, and if that occurs outside of the wp-admin/edit.php screens (OR happens on those screens but... something or something... Unknown...) then edit-flow will fail a nonce check and kill the request.

if ( ! empty( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'update-post_' . $post->ID ) ) {
    $this->print_ajax_response( 'error', $this->module->messages['nonce-failed'] );
}

On WordCamp, this caused speaker contact form submissions to fail to save, because the nonce included was not for edit post, but rather for speaker_submission or somesuch.

This doesn't seem to affect every use case... oh, because if _wpnonce isn't set, this nonce check doesn't even properly run.

Ref: https://wordpress.slack.com/archives/C08M59V3P/p1767945920176379

Earlier issues seem to have been related to, and resolved by, 7ee2706 (Ref: https://wordpress.slack.com/archives/C08M59V3P/p1767902122649419 https://wordpress.slack.com/archives/C08M59V3P/p1767896599567679 )

Suggested solution:

  • Don't die like this in this handler; (edit: In any non-ajax handler)
  • Include your own nonce.
  • If nonce not set, OR nonce verification failed, return.
  • Verify this isn't systematic. if ( ! empty( $_GET['_wpnonce'] ) && ! wp_verify_nonce is rarely wanted. if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( is usually what's wanted. Claude should know better.
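Added example (not edit-flow's own code, and not from the issue author): the two check patterns named above run side by side against constructed requests, so the two failure modes of the `! empty() && ! wp_verify_nonce()` form are visible in one run: it treats a missing nonce as a pass, and it dies on any nonce that is simply not the edit-post one. The `wp_create_nonce`/`wp_verify_nonce` stand-ins below are assumptions that only mimic the real WordPress return convention (they omit tick windows and per-user salting) so the file runs offline; the handler action name `ef_custom_status_` is hypothetical.

```php
<?php
// Added example, not edit-flow's code. Compares the nonce check quoted in the
// issue with the suggested "own nonce, isset || verify, return" form.

// Assumption: stand-in for wp_salt( 'nonce' ); constructed value for the demo.
const NONCE_SECRET = 'example-secret';

// Stand-in for WordPress's wp_create_nonce(): nonce bound to an action name.
function wp_create_nonce( $action ) {
    return substr( hash_hmac( 'sha256', (string) $action, NONCE_SECRET ), -10 );
}

// Stand-in for wp_verify_nonce(): 1 on a valid nonce, false otherwise
// (the real function also returns 2 for the previous tick window).
function wp_verify_nonce( $nonce, $action ) {
    return hash_equals( wp_create_nonce( $action ), (string) $nonce ) ? 1 : false;
}

// The pattern quoted in the issue. Returns what the handler would have done.
function issue_pattern_check( array $post_data, $post_id ) {
    if ( ! empty( $post_data['_wpnonce'] )
        && ! wp_verify_nonce( $post_data['_wpnonce'], 'update-post_' . $post_id ) ) {
        // In the original this is print_ajax_response(), which ends the request.
        return 'died: nonce-failed';
    }
    // Note: reached with NO nonce at all, i.e. the check never protected this path.
    return 'ran';
}

// The suggested pattern: the handler verifies its OWN action, and bails
// (returns, no wp_die) when the nonce is absent OR invalid.
function hardened_check( array $post_data, $post_id ) {
    $action = 'ef_custom_status_' . $post_id; // hypothetical action name
    if ( ! isset( $post_data['_wpnonce'] )
        || ! wp_verify_nonce( $post_data['_wpnonce'], $action ) ) {
        return 'skipped';
    }
    return 'ran';
}

// Constructed requests: the contact-form case from the issue (no nonce), a
// foreign nonce such as a speaker-submission form would carry, the edit-post
// nonce, and the nonce the hardened handler would emit for itself.
$post_id = 42;
$cases   = array(
    'no nonce (contact form submit)'     => array(),
    'foreign nonce (speaker_submission)' => array( '_wpnonce' => wp_create_nonce( 'speaker_submission' ) ),
    'edit-post nonce'                    => array( '_wpnonce' => wp_create_nonce( 'update-post_' . $post_id ) ),
    "handler's own nonce"                => array( '_wpnonce' => wp_create_nonce( 'ef_custom_status_' . $post_id ) ),
);

foreach ( $cases as $label => $data ) {
    printf(
        "%-36s issue pattern: %-18s hardened: %s\n",
        $label,
        issue_pattern_check( $data, $post_id ),
        hardened_check( $data, $post_id )
    );
}
```

Running this shows the "no nonce" request going straight through the issue-pattern check while the foreign nonce kills it; the hardened form skips both and only runs for the nonce its own form emitted. If the handler must also keep working for the core edit screen, check the edit-post action as a second accepted action rather than falling back to "no nonce means OK".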
