Merge pull request #2 from Automattic/fix/rating-settings-nonce

Add/check nonce when saving Rating advanced settings
Automattic · Nov 8, 2023 · 7c2cf5d · 7c2cf5d
2 parents 48370e6 + d2acc08
commit 7c2cf5d
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/polldaddy.php b/polldaddy.php
@@ -3622,6 +3622,7 @@ function rating_settings() {
 			                <input type="hidden" name="type" value="<?php echo $report_type; ?>" />
 							<input type="hidden" name="rating_id" value="<?php echo $rating_id; ?>" />
 							<input type="hidden" name="action" value="update-rating" />
+							<?php wp_nonce_field( 'action-update-rating_' . $report_type ); ?>
 			            </div>
 			        </div>
 			    </div>
@@ -4051,6 +4052,8 @@ function update_rating() {
 		$type = 'post';
 		$set = new stdClass;
 
+		check_admin_referer( 'action-update-rating_' . $_POST[ 'type' ] );
+
 		if ( isset( $_REQUEST['rating_id'] ) )
 			$rating_id = (int) $_REQUEST['rating_id'];