From 54fb6f0591f208fa52ab3a67b1ffb6d50a968f75 Mon Sep 17 00:00:00 2001 From: Ryan Dewhurst Date: Wed, 28 Apr 2021 16:23:15 +0200 Subject: [PATCH] Updated WordPress Plugin Security Testing Cheat Sheet (markdown) --- WordPress-Plugin-Security-Testing-Cheat-Sheet.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/WordPress-Plugin-Security-Testing-Cheat-Sheet.md b/WordPress-Plugin-Security-Testing-Cheat-Sheet.md index 696b740..018aaee 100644 --- a/WordPress-Plugin-Security-Testing-Cheat-Sheet.md +++ b/WordPress-Plugin-Security-Testing-Cheat-Sheet.md @@ -178,6 +178,13 @@ Use this [simple Burp Suite extention](https://gist.github.com/ethicalhack3r/7c2 - ```wp_nonce_url()``` adds CSRF token to URL - ```wp_verify_nonce()``` checks the CSRF token validity server side - ```check_admin_referer()``` checks the CSRF token validity server side and came from admin screen +- ```check_ajax_referer()``` checks the CSRF token validity server side for AJAX scripts + +### Gotcha + +Passing `false` or `0` as the third argument to `check_ajax_referer()` will not cause the script to die, making the check useless. + +Example:`check_ajax_referer( 'ajax-login-nonce', 'security', false );` ## SSL/TLS
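Review bot: the new Gotcha paragraph is too absolute: passing `false` as the third (`$die`) argument makes `check_ajax_referer()` return instead of exiting, so the check is only useless when the caller discards the return value; the cheat sheet should tell the reviewer to look for exactly that pattern, e.g. reword to "will not cause the script to die; unless the return value is tested the check is useless" and extend the example to the vulnerable shape, such as `check_ajax_referer( 'ajax-login-nonce', 'security', false ); // return value ignored`. Two smaller points in the same hunk: the new `### Gotcha` line is missing a blank line before the example and a space after `Example:`, and the new bullet uses triple-backtick inline code like the surrounding list while the Gotcha paragraph uses single backticks; pick one style for the section.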