I haven't seen their patch yet. I'd be surprised to see a nonce, my guess is they just call the standard Wordpress function to require auth.
There's surely a better way to do it without accepting code via the query string. Keep the code on the server and have that function only refer to an index or something perhaps?
There's surely a better way to do it without accepting code via the query string. Keep the code on the server and have that function only refer to an index or something perhaps?