Security: require capability checks on privileged network-admin AJAX endpoints

[vuckro]

Summary

Several wp_ajax_* endpoints that back network-admin tools were registered
with no capability check, so any authenticated user (including a subscriber on a
sub-site) could reach them. None of these are wired to customer-facing UI.

This enforces manage_network on each, and adds two endpoint-specific hardenings.

Changes

• Ajax::search_models / search_all_models — returned network-wide objects
  and, for the user model, WordPress logins and email addresses
  (user/email enumeration). Restricted to network admins.
• View_Logs_Admin_Page::handle_view_logs — capability check and the
  "is this under the logs folder?" substring test replaced with realpath()
  containment so a crafted path can no longer traverse out of the logs
  directory (arbitrary file read).
• Dashboard_Widgets::process_ajax_fetch_rss — capability check and the
  outbound feed URL is now pinned to the plugin's own community feed
  (filterable), removing an SSRF vector; plus handle_table_csv.
• System_Info_Admin_Page::generate_text_file_system_info — system report.
• Domain_Manager::get_dns_records / test_integration — DNS lookups and
  hosting-provider connection tests.
• Site_Manager::get_site_screenshot — screenshot scraper.
• Template_Placeholders::save_placeholders / serve_placeholders_via_ajax.
• Base_Customer_Facing_Admin_Page customize form: capability exist
  raised to manage_network.

Compatibility

These endpoints are only ever invoked from network-admin screens, so legitimate
use is unaffected. The customer-facing DNS flow uses a different action
(wu_get_dns_records_for_domain) and is not touched.

---

Part of a small series of focused security hardening PRs. Full technical detail
is available privately to the maintainers on request (coordinated disclosure).

[coderabbitai]

Warning

Review limit reached

@superdav42, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 3 minutes and 8 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 66446f8c-cfe6-4f80-9e5f-7326d9666a1c

📥 Commits

Reviewing files that changed from the base of the PR and between bc4d4bb and ffad1b3.

📒 Files selected for processing (8)

• inc/admin-pages/class-base-customer-facing-admin-page.php
• inc/admin-pages/class-system-info-admin-page.php
• inc/admin-pages/class-view-logs-admin-page.php
• inc/class-ajax.php
• inc/class-dashboard-widgets.php
• inc/managers/class-domain-manager.php
• inc/managers/class-site-manager.php
• inc/site-templates/class-template-placeholders.php

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}