* Installer to allow plugin installation via URL query.
namespace Automattic\WooCommerce\Admin;
defined( 'ABSPATH' ) || exit;
use Automattic\WooCommerce\Admin\API\Plugins;
use Automattic\WooCommerce\Admin\Features\TransientNotices;
public static function init() {
add_action( 'admin_init', array( __CLASS__, 'possibly_install_activate_plugins' ) );
* Check if an install or activation is being requested via URL query.
public static function possibly_install_activate_plugins() {
/* phpcs:disable WordPress.Security.NonceVerification.Recommended */
! isset( $_GET['plugin_action'] ) ||
! isset( $_GET['plugins'] ) ||
! current_user_can( 'install_plugins' ) ||
! isset( $_GET['nonce'] )
$nonce = sanitize_text_field( wp_unslash( $_GET['nonce'] ) );
if ( ! wp_verify_nonce( $nonce, 'install-plugin' ) ) {
wp_nonce_ays( 'install-plugin' );
$plugins = sanitize_text_field( wp_unslash( $_GET['plugins'] ) );
$plugin_action = sanitize_text_field( wp_unslash( $_GET['plugin_action'] ) );
/* phpcs:enable WordPress.Security.NonceVerification.Recommended */
$plugins_api = new Plugins();
switch ( $plugin_action ) {
$install_result = $plugins_api->install_plugins( array( 'plugins' => $plugins ) );
$activate_result = $plugins_api->activate_plugins( array( 'plugins' => $plugins ) );
$install_result = $plugins_api->install_plugins( array( 'plugins' => $plugins ) );
$activate_result = $plugins_api->activate_plugins( array( 'plugins' => implode( ',', $install_result['data']['installed'] ) ) );
self::cache_results( $plugins, $install_result, $activate_result );
self::redirect_to_referer();
* Display the results of installation and activation on the page.
* @param string $plugins Comma separated list of plugins.
* @param array $install_result Result of installation.
* @param array $activate_result Result of activation.
public static function cache_results( $plugins, $install_result, $activate_result ) {
if ( ! $install_result && ! $activate_result ) {
if ( is_wp_error( $install_result ) || is_wp_error( $activate_result ) ) {
$message = $activate_result ? $activate_result->get_error_message() : $install_result->get_error_message();
$message = $activate_result ? $activate_result['message'] : $install_result['message'];
'user_id' => get_current_user_id(),
'id' => 'plugin-installer-' . str_replace( ',', '-', $plugins ),
* Redirect back to the referring page if one exists.
public static function redirect_to_referer() {
$referer = wp_get_referer();
if ( $referer && 0 !== strpos( $referer, wp_login_url() ) ) {
wp_safe_redirect( $referer );
if ( ! isset( $_SERVER['REQUEST_URI'] ) ) {
$url = remove_query_arg( 'plugin_action', wp_unslash( $_SERVER['REQUEST_URI'] ) ); // phpcs:ignore sanitization ok.
$url = remove_query_arg( 'plugins', $url );
wp_safe_redirect( $url );
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
