kkmuffme
To summarize: using `$_SERVER['HTTP_*']` should trigger/require a `wp_verify_nonce` (or similar) check, just like using any `$_GET['whatever']` does
> are too unclear to make this actionable at this time.

As mentioned above, any `$_SERVER['HTTP_` and `filter_input( INPUT_SERVER, 'HTTP_` should be checked
There are actually multiple security issues that are connected and extremely often done wrong in tons of plugins: 1) wpcs should have a rule to check for `current_user_can` when checking...
It is not the contact form/search itself that is unsafe - it is any logic that is built around the user-submitted data, which is then **used in a context that would normally require authentication.**...
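The pattern described in the comments above, as an added illustration that is not code from this thread, from WPCS or from any plugin: a request header read from `$_SERVER['HTTP_*']` is fully attacker-controlled, so acting on it is no different from acting on `$_GET`. The example assumes a WordPress runtime (`wp_verify_nonce`, `current_user_can`, `wp_unslash`, `sanitize_text_field`, `delete_option` and `wp_die` are WordPress core functions); the header names, the nonce action string, the option name and the `myplugin_` function names are hypothetical.

```php
<?php
// Added example, not code from the thread or from any real plugin.
// Assumes WordPress is loaded; hook, header, option and function names are hypothetical.

// BEFORE: the header is treated as if it were trusted. Any client can send
// "X-Plugin-Action: reset", so this reaches a privileged side effect with
// neither a nonce check (CSRF) nor a capability check (authorization).
function myplugin_handle_header_unsafe() {
    if ( ! isset( $_SERVER['HTTP_X_PLUGIN_ACTION'] ) ) {
        return;
    }
    if ( 'reset' === $_SERVER['HTTP_X_PLUGIN_ACTION'] ) {
        delete_option( 'myplugin_settings' ); // privileged operation on unauthenticated input
    }
}

// AFTER: the header is handled exactly like a $_GET parameter would be:
// unslashed, sanitized, and only acted on after wp_verify_nonce() and
// current_user_can() both pass. The nonce is read from a second header here;
// it could equally be a request parameter, the point is that it is checked.
function myplugin_handle_header_safe() {
    if ( ! isset( $_SERVER['HTTP_X_PLUGIN_ACTION'] ) ) {
        return;
    }
    $action = sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_PLUGIN_ACTION'] ) );
    $nonce  = isset( $_SERVER['HTTP_X_PLUGIN_NONCE'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_PLUGIN_NONCE'] ) )
        : '';

    // CSRF protection: the nonce must have been issued for this action.
    if ( ! wp_verify_nonce( $nonce, 'myplugin_reset' ) ) {
        wp_die( 'Invalid nonce', '', array( 'response' => 403 ) );
    }
    // Authorization: the current user must actually be allowed to do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    if ( 'reset' === $action ) {
        delete_option( 'myplugin_settings' );
    }
}

// Only the hardened handler is hooked; the unsafe one is kept for contrast.
add_action( 'init', 'myplugin_handle_header_safe' );
```

A static rule of the kind proposed in the thread would flag the read of `$_SERVER['HTTP_X_PLUGIN_ACTION']` in the first function because no `wp_verify_nonce` call guards it, and would be satisfied by the second function for the same reason it is satisfied by a guarded `$_GET` read.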
@weirdan thanks, in that case I actually got it the wrong way round - bc atm there is a bug where your example, when wrapped in a class, doesn't...
@weirdan could you please review if it's alright for you like that now - then I will remove all the unused @psalm-suppress in unrelated code too, before it gets merged...
@weirdan added errors for invalid annotations and updated tests. It's done.
@weirdan can you please merge this
May I ask for a code review :)
Not possible currently, see https://github.com/vimeo/psalm/issues/9413