Description
Please add a nonce check to your input calls ($_POST, $_GET, $REQUEST) to prevent unauthorized access.
If you use wp_ajax_ to trigger submission checks, remember they also need a nonce check.
👮 Checking permissions: Keep in mind, a nonce check alone is not bulletproof security. Do not rely on nonces for authorization purposes. When needed, use it together with current_user_can() in order to prevent users without the right permissions from accessing things they shouldn't.
Also make sure that the nonce logic is correct and cannot be bypassed. Checking the nonce together with current_user_can() is good, but mixing it with other checks can make the condition more complex and, without your realising it, bypassable. Remember that anything can be sent through an input; don't trust any input.
Keep performance in mind. Don't check for post submission outside of functions. Doing so means that the check will run on every single load of the plugin, which means that every single person who views any page on a site using your plugin will be checking for a submission. This will make your code slow and unwieldy for users on any high traffic site, leading to instability and eventually crashes.
The following links may assist you in development:
https://developer.wordpress.org/plugins/security/nonces/
https://developer.wordpress.org/plugins/javascript/ajax/#nonce
https://developer.wordpress.org/plugins/settings/settings-api/
From your plugin:
includes/class-paybutton-admin.php:296 No nonce check was found validating the origin of inputs in the lines 296-301 - in the context of the classMethod PayButton_Admin::customers_page()
# ↳ Line 301: $user_address = sanitize_text_field( $_GET['address'] );
# ↳ Line 317: $orderby = isset( $_GET['orderby'] ) ? sanitize_text_field( $_GET['orderby'] ) : 'unlocked_count';
# ↳ Line 321: $order = isset( $_GET['order'] ) ? strtoupper( sanitize_text_field( $_GET['order'] ) ) : 'DESC';
includes/class-paybutton-ajax.php:48 No nonce check was found validating the origin of inputs in the lines 48-50 - in the context of the classMethod PayButton_AJAX::payment_trigger()
# ↳ Line 50: $raw_post_data = file_get_contents('php://input');
includes/class-paybutton-admin.php:377 No nonce check was found validating the origin of inputs in the lines 377-442 - in the context of the classMethod PayButton_Admin::content_page()
# ↳ Line 442: $orderby = isset( $_GET['orderby'] ) ? sanitize_text_field( $_GET['orderby'] ) : 'unlock_count';
# ↳ Line 446: $order = isset( $_GET['order'] ) ? strtoupper( sanitize_text_field( $_GET['order'] ) ) : 'DESC';
includes/class-paybutton-admin.php:240 No nonce check was found validating the origin of inputs in the lines 240-241 - in the context of the classMethod PayButton_Admin::save_settings()
# ↳ Line 241: $address = sanitize_text_field( $_POST['pb_paywall_admin_wallet_address'] );
# ↳ Line 242: $unit = sanitize_text_field( $_POST['unit'] );
# ↳ Line 243: $raw_price = floatval( $_POST['default_price'] );
# ↳ Line 244: $button_text = sanitize_text_field( $_POST['paybutton_text'] );
# ↳ Line 245: $hover_text = sanitize_text_field( $_POST['paybutton_hover_text'] );
# ↳ Line 246: $color_primary = sanitize_hex_color( $_POST['paybutton_color_primary'] );
# ↳ Line 247: $color_secondary = sanitize_hex_color( $_POST['paybutton_color_secondary'] );
# ↳ Line 248: $color_tertiary = sanitize_hex_color( $_POST['paybutton_color_tertiary'] );
# ↳ Line 250: $unlocked_indicator_bg_color = sanitize_hex_color( $_POST['unlocked_indicator_bg_color'] );
# ↳ Line 251: $unlocked_indicator_text_color = sanitize_hex_color( $_POST['unlocked_indicator_text_color'] );
# ↳ Line 267: update_option( 'paybutton_sticky_header_bg_color', sanitize_hex_color( $_POST['sticky_header_bg_color'] ) ?: '#007bff' );
# ↳ Line 268: update_option( 'paybutton_sticky_header_text_color', sanitize_hex_color( $_POST['sticky_header_text_color'] ) ?: '#FFFFFF' );
# ↳ Line 269: update_option( 'paybutton_profile_button_bg_color', sanitize_hex_color( $_POST['profile_button_bg_color'] ) ?: '#ffc107' );
# ↳ Line 270: update_option( 'paybutton_profile_button_text_color', sanitize_hex_color( $_POST['profile_button_text_color'] ) ?: '#000' );
# ↳ Line 271: update_option( 'paybutton_logout_button_bg_color', sanitize_hex_color( $_POST['logout_button_bg_color'] ) ?: '#d9534f' );
# ↳ Line 272: update_option( 'paybutton_logout_button_text_color', sanitize_hex_color( $_POST['logout_button_text_color'] ) ?: '#FFFFFF' );
# ↳ Line 282: $raw_blacklist = sanitize_text_field( $_POST['paybutton_blacklist'] );
# ↳ Line 288: $public_key = sanitize_text_field( $_POST['paybutton_public_key'] );
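The pattern the review asks for, applied to the three handler shapes that appear in the findings above (a POST settings form, an admin page sorted via $_GET, and a wp_ajax_ handler) and to the performance point about hooking the submission check to an action rather than running it on every load. This is an added example, not PayButton's code: every function, hook, option and nonce action name prefixed `example_` is hypothetical, and the `manage_options` capability is an assumption for the admin pages.

```php
<?php
// Added example, not the plugin's code. All example_* names are hypothetical.

// 1. POST settings form. Hooking the handler to admin_post_{action} means the
//    submission check runs only when this form is posted, not on every page load.
add_action( 'admin_post_example_save_settings', 'example_save_settings' );

function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="wallet_address">
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_save_settings() {
    // Authorization first: a valid nonce only proves the request came from a
    // page we rendered for this user, not that the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }
    // Dies with a 403 if the nonce is missing or invalid, so no $_POST value
    // is read before both checks have passed. Keep the condition this simple.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $address = isset( $_POST['wallet_address'] )
        ? sanitize_text_field( wp_unslash( $_POST['wallet_address'] ) )
        : '';
    update_option( 'example_wallet_address', $address );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// 2. Admin list page sorted through $_GET. The sort links carry a nonce via
//    wp_nonce_url(), so the handler can verify the origin of orderby/order.
function example_customers_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }
    $orderby = 'unlocked_count';
    $order   = 'DESC';
    if ( isset( $_GET['orderby'] ) || isset( $_GET['order'] ) ) {
        check_admin_referer( 'example_sort', 'example_sort_nonce' );
        // Allow-list both values: sanitize_text_field() does not make a string
        // safe to place in an ORDER BY clause, a fixed set of column names does.
        $allowed = array( 'unlocked_count', 'address', 'created' );
        $req_by  = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : '';
        $orderby = in_array( $req_by, $allowed, true ) ? $req_by : 'unlocked_count';
        $req_ord = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : '';
        $order   = ( 'ASC' === $req_ord ) ? 'ASC' : 'DESC';
    }
    $sort_url = wp_nonce_url(
        add_query_arg( array( 'orderby' => 'address', 'order' => 'ASC' ) ),
        'example_sort',
        'example_sort_nonce'
    );
    echo '<a href="' . esc_url( $sort_url ) . '">' . esc_html__( 'Sort by address', 'example' ) . '</a>';
    // ... build the query with $orderby / $order, both now known-good literals ...
}

// 3. wp_ajax_ handler. The nonce is handed to the script with the request URL.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-js', plugins_url( 'example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-js', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_payment_trigger' ),
    ) );
} );

add_action( 'wp_ajax_example_payment_trigger', 'example_payment_trigger' );

function example_payment_trigger() {
    // Reads the nonce from $_REQUEST['security'] and dies with -1 on failure.
    check_ajax_referer( 'example_payment_trigger', 'security' );
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Only now is the raw body read; a JSON body still needs shape validation.
    $data = json_decode( file_get_contents( 'php://input' ), true );
    if ( ! is_array( $data ) || empty( $data['txid'] ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $txid = sanitize_text_field( $data['txid'] );
    wp_send_json_success( array( 'txid' => $txid ) );
}
```

The ordering inside each handler is deliberate: capability check, then nonce check, then the first read of any input. Keeping the two checks as separate, unconditional statements avoids the compound conditions the review warns about, where an `||` or a negated branch can leave one path that reaches the input without either check.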