Add nonce to the form on Seravo update setting page

This is a standard security procedure to reduce risk of url abuse. The form now has a nonce field which is checked by the backend.
Seravo · May 5, 2017 · 1e1edc6 · 1e1edc6
1 parent 6aefd69
commit 1e1edc6
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/lib/updates-page.php b/lib/updates-page.php
@@ -46,6 +46,7 @@
   <p>Seravo's upkeep service includes that your WordPress site is kept up-to-date with quick security updates and regular tested updates of both WordPress core and plugins. If you want full control of updates yourself, you can opt-out from Seravo updates.</p>
 
   <form name="toggle_seravo_updates" action="<?php echo esc_url( admin_url('admin-post.php') ); ?>" method="post">
+    <?php wp_nonce_field( 'toggle-seravo-updates-on-or-off' ); ?>
     <input type="hidden" name="action" value="toggle_seravo_updates">
     <input id="seravo_updates" name="seravo_updates" type="checkbox" <?php echo $checked; ?>> Seravo updates enabled<br><br>
     <input type="submit" value="Save settings">

diff --git a/modules/updates.php b/modules/updates.php
@@ -33,6 +33,8 @@ public static function load_updates_page() {
     }
 
     public static function seravo_admin_toggle_seravo_updates() {
+      check_admin_referer( 'toggle-seravo-updates-on-or-off' );
+
       $site = getenv('USER');
       $ch = curl_init('http://localhost:8888/v1/site/' . $site);