diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-admin/admin-post.php
--- a/wp/wp-admin/admin-post.php Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-admin/admin-post.php Fri Sep 05 18:40:08 2025 +0200
@@ -29,7 +29,7 @@
 /** This action is documented in wp-admin/admin.php */
 do_action( 'admin_init' );
 
-$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
+$action = ! empty( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : '';
 
 // Reject invalid parameters.
 if ( ! is_scalar( $action ) ) {
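Review bot: The `is_scalar( $action )` guard that follows the changed assignment can no longer see a non-scalar value, because `sanitize_text_field()` always hands back a string (an empty one for array or object input, as far as I know its implementation). A request carrying `action[]=...` would therefore be treated as an empty action instead of reaching the "Reject invalid parameters" branch. If the rejection is still intended, keep the raw read `$action = ! empty( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';`, run the `is_scalar` check on it, and only then apply `$action = sanitize_text_field( wp_unslash( $action ) );`. The `if` block continues outside the hunk, so what it does on rejection is not visible here.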