Verify nonces sent by plugin's admin forms

bgermann · Mar 5, 2023 · e3a984e · e3a984e
1 parent 9a04319
commit e3a984e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/cforms-corrupted.php b/cforms-corrupted.php
@@ -18,6 +18,11 @@
  */
 
 cforms2_check_access_priv();
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if (!check_admin_referer("corruptedsettings"))
+        return;
+}
 ?>
 <div class="wrap">
     <h2><?php _e('cforms error', 'cforms2') ?></h2>
@@ -62,6 +67,7 @@
 
     <form name="corruptedsettings" class="corruptedsettings" method="POST">
 
+        <?php wp_nonce_field("corruptedsettings"); ?>
         <h3><?php _e('Corrupted cforms settings detected', 'cforms2'); ?></h3>
         <table class="form-table">
             <tr><td><?php _e('You can either try and fix the settings array or reset it and start from scratch.', 'cforms2'); ?> &nbsp;<input class="allbuttons deleteall" type="submit" name="resetsettings" id="resetsettings" value="<?php _e('RESET', 'cforms2'); ?>"/></td></tr>

diff --git a/cforms-global-settings.php b/cforms-global-settings.php
@@ -26,6 +26,11 @@
 if (cforms2_check_erased())
     return;
 
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if (!check_admin_referer("cformsglobal"))
+        return;
+}
+
 $style = $cformsSettings['global']['cforms_css'];
 
 // Update Settings.
@@ -81,6 +86,7 @@
     <h2><?php _e('Global Settings', 'cforms2') ?></h2>
     <form enctype="multipart/form-data" id="cformsdata" name="mainform" method="post">
         <?php
+        wp_nonce_field("cformsglobal");
         if (isset($_POST['showinfo'])) {
             echo '<p>' . __('All the global and per form settings are listed here as JSON. You can use this as a backup tool if you like.', 'cforms2') . '</p>';
             echo '<h2>' . __('Warning!', 'cforms2') . '</h2><p>' . __('Please do not change anything here unless you know what you are doing!', 'cforms2') . '</p>';
@@ -303,6 +309,7 @@
 <div title="<?php _e('Uninstalling / Removing cforms', 'cforms2'); ?>" id="cf_delall_dialog">
     <fieldset class="cf_ed_main">
         <form name="deleteform" method="post">
+            <?php wp_nonce_field("cformsglobal"); ?>
             <div id="cf_target_del"><?php _e('Warning!', 'cforms2'); ?></div>
             <div class="controls">
                 <p><?php _e('Generally, simple deactivation of cforms does <strong>not</strong> erase any of its data. If you like to quit using cforms for good, please erase all data before deactivating the plugin.', 'cforms2') ?></p>

diff --git a/cforms-options.php b/cforms-options.php
@@ -26,6 +26,10 @@
 if (cforms2_check_erased())
     return;
 
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if (!check_admin_referer("cformsdata"))
+        return;
+}
 
 $formcount = count(Cforms2\FormSettings::forms());
 
@@ -264,6 +268,7 @@
         </table>
         <input type="hidden" name="no" value="<?php echo $no_disp; ?>"/>
         <input type="hidden" name="noSub" value="<?php echo $no_disp; ?>" />
+        <?php wp_nonce_field("cformsdata"); ?>
 
         <p>
                     <?php _e('cformsII allows you to insert one or more customly designed contact forms, which can send the submission via email.', 'cforms2'); ?>