nsquared-team · hsein-bitar · Oct 27, 2023 · Oct 25, 2023 · Oct 25, 2023 · Oct 25, 2023
@@ -302,6 +302,12 @@ function hotspot_area_override_title_and_content( $value, $object_id, $args, $fi
 	function update_hotspot_area_details() {
 		if ( !isset( $_POST['_pid'] ) ) return;
 		check_ajax_referer( 'update-hotspot_'.$_POST['_pid'], 'ajaxnonce' );
+
+		if( ! current_user_can( 'delete_others_posts' ) ){
+			status_header(403);
+			nocache_headers();
+			wp_die('Bad Request: You do not have permission to access this page');
+		}
 
 		if ( isset( $_POST['_title'] ) ) {
 			$_POST['_title'] = wp_filter_nohtml_kses( $_POST['_title'] ); // also expects & returns slashes

@@ -28,6 +28,14 @@ public function process_import() {
 		if ( empty( $_POST['import_code'] ) ) {
 			return;
 		}
+
+		// verify nonce
+		if ( !wp_verify_nonce( $_POST['_wpnonce'], 'da_import_nonce' ) || ! current_user_can( 'delete_others_posts' ) ) {
+			status_header(403);
+			nocache_headers();
+			wp_die('Bad Request: You do not have permission to access this page');
+		}
+
 		$import_code = stripslashes($_POST['import_code']);
 		$import_array = json_decode( $import_code, true );
 		if ( empty( $import_array['0']['post']['ID'] ) ) {
@@ -81,6 +89,13 @@ public function get_export_array( $ids=array() ) {
 	}
 
 	public function get_export_json( $ids=array() ) {
+		// verify nonce
+		if ( !wp_verify_nonce( $_POST['_wpnonce'], 'da_export_nonce' ) || ! current_user_can( 'delete_others_posts' ) ) {
+			status_header(403);
+			nocache_headers();
+			wp_die('Bad Request: You do not have permission to access this page');
+		}
+
 		$export_array = $this->get_export_array( $ids );
 		return json_encode( $export_array );
 	}
@@ -92,15 +107,17 @@ public function admin_menu() {
 	}
 
 	public function output_import_export_page() {
-		// only allow users with capability: "delete_others_posts"
-		if ( ! current_user_can( 'delete_others_posts' ) ) {
-			return;
+		if( ! current_user_can( 'delete_others_posts' ) ){
+			status_header(403);
+			nocache_headers();
+			wp_die('Bad Request: You do not have permission to access this page');
 		}
 		?>
 		<div class="import">
 			<h3>Import</h3>
 			<p>If you've already exported from another site, paste the export code below:</p>
 			<form method="POST" name="import" action="edit.php?post_type=da_image&page=import_export">
+				<?php wp_nonce_field( 'da_import_nonce' ); ?>
 				<input type="hidden" name="action" value="import" />
 				<textarea name="import_code" cols="100" rows="5" placeholder=""></textarea><br />
 				<input type="submit" value="Import" />
@@ -124,6 +141,7 @@ public function output_import_export_page() {
 			<p>Choose images to export</p>
 			<form method="POST" name="export" action="edit.php?post_type=da_image&page=import_export">
 				<input type="hidden" name="action" value="export" />
+				<?php wp_nonce_field( 'da_export_nonce' ); ?>
 				<?php
 				$da_images = new WP_Query( array(
 					'post_type' => 'da_image',

@@ -910,6 +910,8 @@ public function can_save( $type = '' ) {
 			// check nonce.
 			&& isset( $_POST[ $this->cmb->nonce() ] )
 			&& wp_verify_nonce( $_POST[ $this->cmb->nonce() ], $this->cmb->nonce() )
+			// check permissions.
+			&& current_user_can( 'delete_others_posts' )
 			// check if autosave.
 			&& ! ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE )
 			// get the metabox types & compare it to this type.