From 309a45fb2a22778eeb704ebb1cb1f4223296de72 Mon Sep 17 00:00:00 2001
From: Harald Eilertsen
Date: Fri, 17 Sep 2021 17:04:58 +0200
Subject: Add CSRF checks to new venue form
---
includes/admin/views/giglog_admin_page.php | 7 +++++++
1 file changed, 7 insertions(+)
(limited to 'includes/admin/views/giglog_admin_page.php')
diff --git a/includes/admin/views/giglog_admin_page.php b/includes/admin/views/giglog_admin_page.php
index b7f6247..13c08b9 100644
--- a/includes/admin/views/giglog_admin_page.php
+++ b/includes/admin/views/giglog_admin_page.php
@@ -167,6 +167,13 @@ if ( !class_exists( 'GiglogAdmin_AdminPage' ) ) { if(isset($_POST['newvenue'])) {
+ if (!isset($_POST['giglog_new_venue_nonce'])
+ || wp_verify_nonce($_POST['giglog_new_venue_nonce'], plugin_basename( __FILE__ )))
+ {
+ header("{$_SERVER['SERVER_PROTOCOL']} 403 Forbidden");
+ wp_die('CSRF validation failed.', 403);
+ }
+
 if (empty($_POST['venuename']) || empty($_POST['venuecity'])) { echo ''; }
-- 
cgit v1.2.3
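Review bot: The nonce test in the added guard is inverted: `wp_verify_nonce()` returns false for an invalid nonce and 1 or 2 for a valid one, so `!isset(...) || wp_verify_nonce(...)` answers 403 to legitimate submissions and lets through any request whose `giglog_new_venue_nonce` field is present but wrong. The second operand should be negated, `|| !wp_verify_nonce($_POST['giglog_new_venue_nonce'], plugin_basename( __FILE__ )))`. The form side is not in this hunk, so confirm it emits the field with the same action string, since `plugin_basename( __FILE__ )` differs if the form is rendered from another file. The explicit `header()` line looks redundant, as `wp_die()` treats an integer second argument as the response code. The enclosing `if(isset($_POST['newvenue']))` block continues outside the hunk.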