Add security nonces.

brettshumaker · Oct 31, 2023 · 90bd46b · 90bd46b
1 parent db6fd24
commit 90bd46b
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 6 deletions.
diff --git a/trunk/README.txt b/trunk/README.txt
@@ -2,9 +2,9 @@
 Contributors: brettshumaker
 Tags: staff list, staff directory, employee list, staff, employee, employees
 Requires at least: 3.0
-Tested up to: 6.3
+Tested up to: 6.3.2
 Requires PHP: 5.4
-Stable tag: 2.2.4
+Stable tag: 2.2.5
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -47,6 +47,9 @@ Alright, here's a few things to try:
 
 == Changelog ==
 
+= 2.2.5 =
+- FIXED: Added security nonces
+
 = 2.2.4 =
 - FIXED: Added additional escaping
 

diff --git a/trunk/admin/class-simple-staff-list-admin.php b/trunk/admin/class-simple-staff-list-admin.php
@@ -122,11 +122,13 @@ public function enqueue_scripts() {
 	 * @since   2.0
 	 */
 	public function ajax_flush_rewrite_rules() {
+		// Check the security nonce before doing anything.
+		if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( $_POST['security'], 'sslp_flush_rewrite_rules' ) ) {
+			wp_send_json_error();
+		}
 
 		flush_rewrite_rules();
-
 		wp_send_json_success();
-
 	}
 
 	/**

diff --git a/trunk/admin/partials/simple-staff-list-options-display.php b/trunk/admin/partials/simple-staff-list-options-display.php
@@ -33,6 +33,7 @@
 	jQuery(document).ready(function($) {
 		var data = {
 			'action': 'sslp_flush_rewrite_rules',
+			'security': '<?php echo esc_attr( wp_create_nonce( 'sslp_flush_rewrite_rules' ) ); ?>'
 		}
 
 		$.post( "<?php echo esc_attr( admin_url( 'admin-ajax.php' ) ); ?>", data, function(response){});

diff --git a/trunk/includes/class-simple-staff-list.php b/trunk/includes/class-simple-staff-list.php
@@ -68,7 +68,7 @@ class Simple_Staff_List {
 	public function __construct() {
 
 		$this->plugin_name = 'simple-staff-list';
-		$this->version     = '2.2.4';
+		$this->version     = '2.2.5';
 
 		$this->load_dependencies();
 		$this->set_locale();

diff --git a/trunk/simple-staff-list.php b/trunk/simple-staff-list.php
@@ -15,7 +15,7 @@
  * Plugin Name:       Simple Staff List
  * Plugin URI:        https://wordpress.org/plugins/simple-staff-list/
  * Description:       A simple plugin to build and display a staff listing for your website.
- * Version:           2.2.4
+ * Version:           2.2.5
  * Author:            Brett Shumaker
  * Author URI:        http://www.brettshumaker.com
  * License:           GPL-2.0+