diff --git a/includes/deprecated.php b/includes/deprecated.php index 0898690..404d80c 100644 --- a/includes/deprecated.php +++ b/includes/deprecated.php @@ -1,13 +1,16 @@ ID ) ) { @@ -235,8 +237,9 @@ function pmpromc_additional_lists_on_checkout() { * Sets Session variables. */ function pmpromc_pmpro_paypalexpress_session_vars() { - if ( isset( $_REQUEST['additional_lists'] ) ) { - $_SESSION['additional_lists'] = $_REQUEST['additional_lists']; + // Nonce not needed as this only runs within the PMPro checkout process. + if ( isset( $_REQUEST['additional_lists'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended + $_SESSION['additional_lists'] = $_REQUEST['additional_lists']; // phpcs:ignore WordPress.Security.NonceVerification.Recommended } } add_action( 'pmpro_paypalexpress_session_vars', 'pmpromc_pmpro_paypalexpress_session_vars' ); @@ -257,10 +260,11 @@ function pmpromc_pmpro_checkout_before_change_membership_level() { */ function pmpromc_pmpro_after_checkout( $user_id, $order ) { pmpromc_pmpro_after_change_membership_level( $order->membership_id, $user_id ); - if ( empty( $_REQUEST['additional_lists'] ) ) { - $_REQUEST['additional_lists'] = array(); + // Nonce not needed as this only runs within the PMPro checkout process. + if ( empty( $_REQUEST['additional_lists'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended + $_REQUEST['additional_lists'] = array(); // phpcs:ignore WordPress.Security.NonceVerification.Recommended } - pmpromc_set_user_additional_list_meta( $user_id, $_REQUEST['additional_lists'] ); + pmpromc_set_user_additional_list_meta( $user_id, $_REQUEST['additional_lists'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended } add_action( 'pmpro_after_checkout', 'pmpromc_pmpro_after_checkout', 15, 2 ); diff --git a/includes/profile.php b/includes/profile.php index de24060..3309636 100644 --- a/includes/profile.php +++ b/includes/profile.php @@ -112,13 +112,14 @@ function pmpromc_add_custom_user_profile_fields( $user ) { // Saving additional lists on profile save. function pmpromc_save_custom_user_profile_fields( $user_id ) { + // Nonce checks not needed as nonces would already be checked whenever this function is called. // Only if additional lists is set. - if ( ! isset( $_REQUEST['additional_lists_profile'] ) ) { + if ( ! isset( $_REQUEST['additional_lists_profile'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended return; } // Get user's new additional lists. - if ( empty( $_REQUEST['additional_lists'] ) ) { + if ( empty( $_REQUEST['additional_lists'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended $_REQUEST['additional_lists'] = array(); } @@ -135,11 +136,11 @@ function pmpromc_save_custom_user_profile_fields( $user_id ) { if ( 1 == $options['profile_update'] || - ! empty( array_diff( $current_lists, $_REQUEST['additional_lists'] ) ) || - ! empty( array_diff( $_REQUEST['additional_lists'], $current_lists ) ) + ! empty( array_diff( $current_lists, $_REQUEST['additional_lists'] ) ) || // phpcs:ignore WordPress.Security.NonceVerification.Recommended + ! empty( array_diff( $_REQUEST['additional_lists'], $current_lists ) ) // phpcs:ignore WordPress.Security.NonceVerification.Recommended ) { // Option set to update MC on every profile save or opt-in lists have changed. - pmpromc_set_user_additional_list_meta( $user_id, $_REQUEST['additional_lists'] ); + pmpromc_set_user_additional_list_meta( $user_id, $_REQUEST['additional_lists'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended } } add_action( 'personal_options_update', 'pmpromc_save_custom_user_profile_fields' ); diff --git a/includes/settings.php b/includes/settings.php index a17dfae..ea90ef5 100644 --- a/includes/settings.php +++ b/includes/settings.php @@ -471,7 +471,8 @@ function pmpromc_option_memberships_lists($level) */ function pmpromc_admin_init_sync() { - if (is_admin() && !empty($_REQUEST['page']) && $_REQUEST['page'] == 'pmpromc_options' && !empty($_REQUEST['sync'])) { + // Nonce check not needed as we are not changing any data. + if (is_admin() && !empty($_REQUEST['page']) && $_REQUEST['page'] == 'pmpromc_options' && !empty($_REQUEST['sync'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended if (!current_user_can('manage_options')) wp_die('You do not have sufficient permission to access this page.'); else {