Fix: add nonce to paypal disconnect (#7503)

Co-authored-by: Jon Waldstein <[email protected]>

assets/src/js/admin/paypal-commerce/index.js

@@ -314,6 +314,7 @@ window.addEventListener('DOMContentLoaded', function () {
                     formData.append('action', 'give_paypal_commerce_disconnect_account');
                     formData.append('mode', button.getAttribute('data-mode'));
                     formData.append('keep-webhooks', Boolean(keepWebhooks));
+                    formData.append('_ajax_nonce', button.getAttribute('data-nonce'));
 
                     requestData.method = 'POST';
                     requestData.body = formData;

src/PaymentGateways/PayPalCommerce/AdminSettingFields.php

@@ -13,6 +13,7 @@
  * Class AdminSettingFields
  * @package Give\PaymentGateways\PayPalCommerce
  *
+ * @unreleased added nonce to disconnect button
  * @since 2.9.0
  */
 class AdminSettingFields
@@ -472,7 +473,9 @@ class="button-wrap disconnection-setting<?php echo ! $canShowAccountInformation
                                 <span class="actions">
                                     <button
                                         class="js-give-paypal-disconnect-paypal-account"
-                                        data-mode="<?php echo $paypalSetting->mode; ?>">
+                                        data-mode="<?php echo $paypalSetting->mode; ?>"
+                                        data-nonce="<?php echo esc_attr(wp_create_nonce('give_paypal_commerce_disconnect_account')); ?>"
+                                    >
                                         <?php esc_html_e('Disconnect', 'give'); ?>
                                     </button>
                                 </span>

src/PaymentGateways/PayPalCommerce/AjaxRequestHandler.php

@@ -184,13 +184,16 @@ public function onGetPartnerUrlAjaxRequestHandler()
     /**
      * give_paypal_commerce_disconnect_account ajax request handler.
      *
+     * @unreleased added security nonce check
      * @since 3.13.0 Add new $keepWebhooks option
      * @since 2.30.0 Add support for mode param.
      * @since 2.25.0 Remove merchant seller token.
      * @since 2.9.0
      */
     public function removePayPalAccount()
     {
+        check_ajax_referer( 'give_paypal_commerce_disconnect_account');
+
         if (! current_user_can('manage_give_settings')) {
             wp_send_json_error(['error' => esc_html__('You are not allowed to perform this action.', 'give')]);
         }