diff --git a/admin/views/html-admin-settings-import-export-users.php b/admin/views/html-admin-settings-import-export-users.php
index d14a90ea..85760faa 100644
--- a/admin/views/html-admin-settings-import-export-users.php
+++ b/admin/views/html-admin-settings-import-export-users.php
@@ -109,7 +109,7 @@
$uwp_chunk_sizes = apply_filters('uwp_ie_csv_chunks_options', $uwp_chunk_sizes);
$uwp_chunk_sizes_opts = '';
foreach ($uwp_chunk_sizes as $value => $title) {
- $uwp_chunk_sizes_opts .= '';
+ $uwp_chunk_sizes_opts .= '';
}
$users_count = count_users();
@@ -124,7 +124,7 @@
|
- |
+ |
diff --git a/includes/class-profile.php b/includes/class-profile.php
index 1c1341b0..ca34e002 100644
--- a/includes/class-profile.php
+++ b/includes/class-profile.php
@@ -1509,8 +1509,17 @@ public function add_uwp_plupload_param( $params ) {
* @return void
*/
public function ajax_avatar_banner_upload() {
- // Image upload handler
- // todo: security checks
+
+ if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( $_POST['security'], 'uwp_avatar_banner_upload_nonce' ) ) {
+ $result['error'] = aui()->alert( array(
+ 'type' => 'danger',
+ 'content' => __( "Security check failed.", "userswp" )
+ ) );
+ $return = json_encode( $result );
+ echo $return; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+ die();
+ }
+
$type = strip_tags( esc_sql( $_POST['uwp_popup_type'] ) );
$result = array();
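Review bot: The nonce check reads `$_POST['security']` raw; under WordPress coding standards superglobal input is unslashed and sanitized before use, so the condition on the first added line should read `if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security'] ) ), 'uwp_avatar_banner_upload_nonce' ) ) {`. A nonce only proves the request came from a page this plugin rendered, not that the caller may change an avatar or banner; if the rest of the handler does not already check `is_user_logged_in()` (or the relevant capability) and that the current user owns the target profile, that check belongs next to the nonce check. The error path hand-rolls `json_encode` plus `echo`/`die()`, which is what `wp_send_json( $result )` does in one call without the phpcs ignore. The body of `ajax_avatar_banner_upload` continues outside the hunk, so the presence of a capability check further down cannot be confirmed from here.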
@@ -1764,6 +1773,8 @@ public function crop_submit_form( $type = 'avatar' ) {
$content_wrap = $design_style == 'bootstrap' ? '.uwp-profile-image-change-modal .modal-content' : '#uwp-popup-modal-wrap';
$bg_color = apply_filters('uwp_crop_image_bg_color', '', $type);
+
+ $ajax_nonce = wp_create_nonce( 'uwp_avatar_banner_upload_nonce' );
?>
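Review bot: `$ajax_nonce` is created here but consumed after the `?>` outside the hunk, so the escaping at the point of output cannot be confirmed; where it is written into the template it should go through `esc_attr( $ajax_nonce )` in an attribute or `esc_js( $ajax_nonce )` inside a script block. A short comment on the new line would also help the next reader tie it to the handler, e.g. `// Consumed by ajax_avatar_banner_upload(); nonce action must match there.`. The enclosing `crop_submit_form` starts and ends outside the hunk.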