diff --git a/includes/class-paybutton-admin.php b/includes/class-paybutton-admin.php index 980dfca..7f3d8b9 100644 --- a/includes/class-paybutton-admin.php +++ b/includes/class-paybutton-admin.php @@ -71,14 +71,18 @@ public function add_admin_menus() { } public function handle_save_settings() { - if ( isset( $_POST['paybutton_paywall_save_settings'] ) && current_user_can( 'manage_options' ) ) { + if ( + isset( $_POST['paybutton_paywall_save_settings'] ) && + isset( $_POST['paybutton_settings_nonce'] ) && + wp_verify_nonce( $_POST['paybutton_settings_nonce'], 'paybutton_paywall_settings' ) && + current_user_can( 'manage_options' ) + ) { $this->save_settings(); - // Flush the cache for the wallet address option - wp_cache_delete('pb_paywall_admin_wallet_address', 'options'); + wp_cache_delete( 'pb_paywall_admin_wallet_address', 'options' ); wp_redirect( admin_url( 'admin.php?page=paybutton-paywall&settings-updated=true' ) ); exit; } - } + } /** * This function is hooked into the admin_enqueue_scripts action. It receives a @@ -294,6 +298,13 @@ private function save_settings() { * Output the Customers page. */ public function customers_page() { + if ( ! current_user_can( 'manage_options' ) ) { + return; + } + if ( isset( $_GET['paybutton_customers_nonce'] ) && + ! wp_verify_nonce( $_GET['paybutton_customers_nonce'], 'paybutton_customers_sort' ) ) { + wp_die( 'Security check failed' ); + } global $wpdb; $table_name = $wpdb->prefix . 'paybutton_paywall_unlocked'; @@ -375,6 +386,13 @@ public function customers_page() { * Output the Content page. */ public function content_page() { + if ( ! current_user_can( 'manage_options' ) ) { + return; + } + if ( isset( $_GET['paybutton_content_nonce'] ) && + ! wp_verify_nonce( $_GET['paybutton_content_nonce'], 'paybutton_content_sort' ) ) { + wp_die( 'Security check failed' ); + } global $wpdb; $table_name = $wpdb->prefix . 'paybutton_paywall_unlocked'; 
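Review bot: In `handle_save_settings()` the nonce is handed to `wp_verify_nonce()` straight from `$_POST`; WordPress slashes request superglobals, so the standard form is `wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['paybutton_settings_nonce'] ) ), 'paybutton_paywall_settings' )`, which also keeps WPCS input-handling checks quiet. The redirect a few lines below targets `admin_url()`, an internal location, so it should be `wp_safe_redirect( admin_url( 'admin.php?page=paybutton-paywall&settings-updated=true' ) );` to benefit from the allowed-hosts check. Ordering `current_user_can( 'manage_options' )` before the nonce checks rejects unauthorized requests before any nonce work and makes the intent (capability first, then request authenticity) clearer. The field this verifies must be emitted with action `paybutton_paywall_settings` and name `paybutton_settings_nonce`; the added line in the paywall-settings.php hunk at the end of this diff is not legible here, so confirm the two match.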
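Review bot: The nonce check added at the top of `customers_page()` only runs when `paybutton_customers_nonce` is present, so a request that simply omits the parameter skips verification, and any `orderby`/`order` values read from `$_GET` further down (outside this hunk) would be consumed unverified; `content_page()` in the following hunk has the same shape, and the links carrying these nonces come from templates/admin/customers.php and templates/admin/content.php. If the goal is to gate the sort parameters, make the check unconditional whenever they are supplied, e.g. `if ( isset( $_GET['orderby'] ) || isset( $_GET['order'] ) ) {` / `    check_admin_referer( 'paybutton_customers_sort', 'paybutton_customers_nonce' );` / `}`, which also dies with the standard WordPress message. A nonce is not input validation: the code that uses `orderby` still needs to whitelist column names and restrict `order` to ASC/DESC before anything reaches SQL. The capability failure returns silently and leaves the admin page blank; the conventional response is `wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', <text-domain> ) )`, and the literal `'Security check failed'` should likewise go through `esc_html__()` with the plugin's text domain.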
diff --git a/includes/class-paybutton-ajax.php b/includes/class-paybutton-ajax.php index f33998b..1682dee 100644 --- a/includes/class-paybutton-ajax.php +++ b/includes/class-paybutton-ajax.php @@ -46,6 +46,11 @@ public function __construct() { * It validates the request using a cryptographic signature to ensure authenticity. */ public function payment_trigger() { + /* Note to reviewers: + * This endpoint is called by PayButton.org’s server. + * A wp_nonce cannot be used here (no WP session). + * We instead verify a cryptographic Ed25519 signature, which guarantees authenticity. + */ // Read the raw request body $raw_post_data = file_get_contents('php://input'); diff --git a/templates/admin/content.php b/templates/admin/content.php index 6ca1c63..f07b12b 100644 --- a/templates/admin/content.php +++ b/templates/admin/content.php @@ -23,6 +23,7 @@ function paybutton_sort_content_table( $col, $label, $orderby, $order, $base_url } } $url = add_query_arg( array( 'orderby' => $col, 'order' => $next_order ), $base_url ); + $url = wp_nonce_url( $url, 'paybutton_content_sort', 'paybutton_content_nonce' ); return '' . esc_html( $label . $arrow ) . ''; } ?> diff --git a/templates/admin/customers.php b/templates/admin/customers.php index 42380bc..dd07a05 100644 --- a/templates/admin/customers.php +++ b/templates/admin/customers.php @@ -62,7 +62,7 @@
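Review bot: The added comment in `payment_trigger()` says the Ed25519 signature "guarantees authenticity", but a valid signature alone does not rule out replay of a previously captured, correctly signed body; the verification code that follows is outside this hunk, so whether the signed payload carries a freshness element that is checked cannot be confirmed from here. The comment should state the replay assumption explicitly rather than leave it implied, e.g. `* Replay protection: the signed payload must include a freshness element (timestamp or unique id) that is checked after the signature; a signature alone is not sufficient.` A method-level explanation like this belongs in the docblock above the method rather than as a "Note to reviewers" inside the body, and the existing docblock already mentions the signature, so the two should be merged. The body of `payment_trigger()` continues beyond the hunk.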

No unlocked content found.

-

← Back to Customers

+

← Back to Customers

@@ -83,6 +83,7 @@ function paybutton_sort_customers_table( $col, $label, $orderby, $order, $base_u } } $url = add_query_arg( array( 'orderby' => $col, 'order' => $next_order ), $base_url ); + $url = wp_nonce_url( $url, 'paybutton_customers_sort', 'paybutton_customers_nonce' ); return '' . esc_html( $label . $arrow ) . ''; } ?> diff --git a/templates/admin/paywall-settings.php b/templates/admin/paywall-settings.php index f7b872d..567ec9b 100644 --- a/templates/admin/paywall-settings.php +++ b/templates/admin/paywall-settings.php @@ -12,6 +12,7 @@

Settings saved.

+