Nonce check

Check nonce before editing post counts in the Admin area

includes/admin/class-admin.php

@@ -232,6 +232,13 @@ public function admin_enqueue_scripts() {
 			TOP_TEN_VERSION,
 			true
 		);
+		wp_localize_script(
+			'top-ten-admin-js',
+			'top_ten_admin',
+			array(
+				'nonce' => wp_create_nonce( 'top_ten_admin_nonce' ),
+			)
+		);
 		wp_register_style(
 			'tptn-admin-ui-css',
 			TOP_TEN_PLUGIN_URL . 'includes/admin/css/top-10-admin.min.css',

includes/admin/js/admin-scripts.js

@@ -111,7 +111,8 @@ jQuery(document).ready(function ($) {
 				action: 'tptn_edit_count_ajax',
 				post_id: post_id,
 				total_count: value,
-				total_count_original: count
+				total_count_original: count,
+				top_ten_admin_nonce: top_ten_admin.nonce
 			},
 			success: function (response) {
 				if (response === false) {

includes/class-counter.php

@@ -383,6 +383,8 @@ public static function delete_count( $post_id, $blog_id, $daily = false ) {
 	 * @since 2.9.0
 	 */
 	public static function edit_count_ajax() {
+		// Security check.
+		check_ajax_referer( 'top_ten_admin_nonce', 'top_ten_admin_nonce' );
 
 		if ( ! isset( $_REQUEST['total_count'] ) || ! isset( $_REQUEST['post_id'] ) || ! isset( $_REQUEST['total_count_original'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			wp_die();

readme.txt

@@ -156,6 +156,9 @@ Release post: [https://webberzone.com/announcements/top-10-v3-3-0/](https://webb
 	* Check if `$wp_filters['the_content']` is set. Fixes a PHP warning for users running WordPress before 6.1
 	* `Import_Export` Class: Fix unnecessary check for `network_admin_menu` filter; Minor code fixes to set headers before outputting data
 
+* Security fix:
+	* Check nonce before editing post counts in the Admin area
+
 = 3.3.2 =
 
 * Enhancements: