Fix bulk action nonce verification.

anderly · anderly · commit 1eaf3cfd90ca · 2024-01-15T17:42:18.000-06:00
diff --git a/assets/js/admin.js b/assets/js/admin.js
@@ -6,6 +6,20 @@
 		init: function() {
 			$( document )
 				.on( 'click', 'a.dul-quick-links', SS_DUL.toggleDisabled )
+				.on( 'ready', SS_DUL.copyNonce )
+		},
+
+		/**
+		 * Clone the nonce field
+		 * @param {*} e
+		 */
+		copyNonce: function( e ) {
+			if ($('input#_dulnonce').length == 0 && $('input#_wpnonce').length == 1) {
+				let $nonce = $('input#_wpnonce');
+				let $form = $nonce.parent();
+				let $newnonce = $nonce.clone().attr('id','_dulnonce').attr('name','_dulnonce');
+				$form.append($newnonce);
+			}
 		},
 
 		/**
diff --git a/disable-user-login.php b/disable-user-login.php
@@ -3,7 +3,7 @@
  * Plugin Name: Disable User Login
  * Plugin URI:  http://wordpress.org/plugins/disable-user-login
  * Description: Provides the ability to disable user accounts and prevent them from logging in.
- * Version:     1.3.8
+ * Version:     1.3.9
  *
  * Author:      Saint Systems
  * Author URI:  https://www.saintsystems.com
diff --git a/includes/class-ss-disable-user-login-plugin.php b/includes/class-ss-disable-user-login-plugin.php
@@ -15,7 +15,7 @@ final class SS_Disable_User_Login_Plugin {
 	 *
 	 * @var string
 	 */
-	private static $version = '1.3.8';
+	private static $version = '1.3.9';
 
 	/**
 	 * Plugin singleton instance
@@ -449,6 +449,9 @@ public function bulk_action_disable_users($bulk_actions) {
 	 * @since 1.0.6
 	 */
 	public function handle_bulk_disable_users( $redirect_to, $doaction, $user_ids ) {
+
+		check_admin_referer( 'bulk-users', '_dulnonce' );
+
 		if ( $doaction !== 'disable_user_login' && $doaction !== 'enable_user_login' ) {
 			return $redirect_to;
 		}
diff --git a/readme.txt b/readme.txt
@@ -5,8 +5,8 @@ Tags: users, user, login, account, disable
 Requires at least: 4.7.0
 Tested up to: 6.4.2
 Requires PHP: 5.6
-Stable tag: 1.3.8
-Version: 1.3.8
+Stable tag: 1.3.9
+Version: 1.3.9
 License: GPLv3
 
 Provides the ability to disable user accounts and prevent them from logging in.
@@ -49,6 +49,9 @@ Yes, there is a filter in place for that, `disable_user_login.disabled_message`.
 
 == Changelog ==
 
+= 1.3.9 =
+* Fix bulk action nonce verification.
+
 = 1.3.8 =
 * Improved user-specific nonce validation.
 

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`* Plugin Name: Disable User Login`
`4`	`4`	`* Plugin URI: http://wordpress.org/plugins/disable-user-login`
`5`	`5`	`* Description: Provides the ability to disable user accounts and prevent them from logging in.`
`6`		`- * Version: 1.3.8`
	`6`	`+ * Version: 1.3.9`
`7`	`7`	`*`
`8`	`8`	`* Author: Saint Systems`
`9`	`9`	`* Author URI: https://www.saintsystems.com`