
Harden update_post_meta_ajax against post-meta authorization bypass#705

Merged
solstice23 merged 3 commits into master from copilot/fix-update-post-meta-permissions
Apr 14, 2026

Conversation

Contributor

Copilot AI commented Apr 14, 2026

update_post_meta_ajax accepted a valid nonce but did not enforce per-post edit authorization, allowing users with limited editor rights to modify metadata on posts they cannot edit (including HTML/JS-capable fields). The endpoint also exposed a nopriv route for a privileged mutation path.

  • Scope of vulnerability

    • Nonce-only validation enabled cross-post metadata writes by authenticated low-privilege users.
    • Sensitive keys such as argon_after_post and argon_custom_css were writable via AJAX on unauthorized targets.
  • Authorization and endpoint hardening

    • Added capability check on target post: current_user_can('edit_post', $post_id).
    • Removed unauthenticated AJAX registration for this action (wp_ajax_nopriv_update_post_meta_ajax).
  • Metadata write constraints

    • Introduced an allowlist for writable keys to limit mutations to expected Argon-managed post-meta fields.
    • Requests targeting non-allowlisted keys are rejected.
  • Request validation and error semantics

    • Added required-field checks for post_id, meta_key, and meta_value.
    • Returns structured JSON failures with explicit HTTP status:
      • 400 for malformed requests (invalid_request)
      • 403 for unauthorized/forbidden mutations (forbidden)
```php
// Combined authorization gate from the hardened handler: the caller must be able
// to edit this specific post AND the key must be on the allowlist of
// Argon-managed post-meta fields ($post_id, $meta_key and $allowed_meta_keys
// are resolved from the validated request earlier in the handler).
if (!current_user_can('edit_post', $post_id) || !in_array($meta_key, $allowed_meta_keys, true)) {
    status_header(403);
    exit(json_encode(array(
        'status' => 'failed',
        'message' => 'forbidden'
    )));
}
```

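A complete handler that puts the checks listed above together (nonce, required fields with 400, per-post capability plus key allowlist with 403, authenticated-only registration). This is an added example, not code from the PR or the Argon theme; the function names, the nonce action `argon_example_nonce` and the `nonce` request field are assumptions, and the allowlist contains only the two keys the description names.

```php
<?php
// Added example (not the Argon theme's own code). Assumed names: the
// argon_example_* functions and the 'argon_example_nonce' nonce action.

// Only the Argon-managed keys named in the PR description are writable.
$argon_example_allowed_meta_keys = array('argon_after_post', 'argon_custom_css');

// Structured JSON failure with an explicit HTTP status, matching the PR's
// {status: 'failed', message: ...} shape.
function argon_example_fail($status, $message) {
    status_header($status);
    exit(json_encode(array('status' => 'failed', 'message' => $message)));
}

function argon_example_update_post_meta_ajax() {
    global $argon_example_allowed_meta_keys;

    // A valid nonce only proves the request came from the site's own UI; it says
    // nothing about which posts this user may edit, so it is necessary, not sufficient.
    check_ajax_referer('argon_example_nonce', 'nonce');

    // Required-field checks: anything missing is a malformed request (400).
    foreach (array('post_id', 'meta_key', 'meta_value') as $field) {
        if (!isset($_POST[$field])) {
            argon_example_fail(400, 'invalid_request');
        }
    }
    $post_id    = absint($_POST['post_id']);
    $meta_key   = (string) wp_unslash($_POST['meta_key']);
    $meta_value = wp_unslash($_POST['meta_value']);
    if ($post_id === 0 || get_post($post_id) === null) {
        argon_example_fail(400, 'invalid_request');
    }

    // Per-post authorization AND key allowlist (strict comparison); fail closed with 403.
    if (!current_user_can('edit_post', $post_id)
        || !in_array($meta_key, $argon_example_allowed_meta_keys, true)) {
        argon_example_fail(403, 'forbidden');
    }

    update_post_meta($post_id, $meta_key, $meta_value);
    exit(json_encode(array('status' => 'success')));
}

// Authenticated route only: no wp_ajax_nopriv_ registration for a mutation path.
add_action('wp_ajax_update_post_meta_ajax', 'argon_example_update_post_meta_ajax');
```

The allowlist keeps the blast radius of a future capability mistake small, and the `edit_post` check is what actually closes the cross-post write the PR describes.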
Copilot AI and others added 3 commits April 14, 2026 02:24
@solstice23 solstice23 marked this pull request as ready for review April 14, 2026 02:27
@solstice23 solstice23 merged commit 282a0ef into master Apr 14, 2026
@solstice23 solstice23 deleted the copilot/fix-update-post-meta-permissions branch April 14, 2026 02:27