Changeset 3468574

Timestamp:

02/24/2026 11:05:01 AM (5 weeks ago)

Author:

babbardel

Message:

Security: add capability checks to AJAX handlers. Update changelog and metadata for 2.10.6.

Location:

customify/trunk

Files:

• includes/class-customify-style-manager.php (modified) (1 diff)
• includes/extras.php (modified) (1 diff)
• readme.txt (modified) (1 diff)

customify/trunk/includes/class-customify-style-manager.php

@@ -870 +870 @@
             check_ajax_referer( 'customify_style_manager_user_feedback', 'nonce' );
 
+            if ( ! current_user_can( 'manage_options' ) ) {
+                wp_send_json_error( esc_html__( 'You do not have permission to perform this action.', 'customify' ) );
+            }
+
             if ( empty( $_POST['type'] ) ) {
                 wp_send_json_error( esc_html__( 'No type provided', 'customify' ) );

customify/trunk/includes/extras.php

@@ -442 +442 @@
     check_ajax_referer( 'customify_migrate_customizations_from_parent_to_child_theme', 'nonce_migrate' );
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( esc_html__( 'You do not have permission to perform this action.', 'customify' ) );
+    }
+
     $parent_theme = wp_get_theme( get_template() );
     if ( ! $parent_theme->exists() ) {

customify/trunk/readme.txt

@@ -32 +32 @@
 
 = 2.10.6 =
+* Security: added capability checks to AJAX handlers for defense-in-depth.
 * Fix inline font script breaking AJAX-based theme navigation.
+* PHP 8.x compatibility: added null safety guards for array operations.
+* Updated minimum PHP requirement to 7.4.
+* Updated minimum WordPress requirement to 5.9.
+* Tested with WordPress 6.9.
 
 = 2.10.5 =