Merge pull request #242 from TycheSoftwares/issue-241

Fixed Vulnerable to Broken Access Control

checkout-fees-for-woocommerce.php

@@ -210,10 +210,14 @@ public static function ts_admin_notices_scripts() {
 		 * Remove query string to the admin url.
 		 */
 		public static function ts_reset_tracking_setting() {
-			if ( isset( $_GET ['ts_action'] ) && 'reset_tracking' === $_GET ['ts_action'] ) { // phpcs:ignore
-				Tyche_Plugin_Tracking::reset_tracker_setting( 'pgbf_lite' );
-				$ts_url = remove_query_arg( 'ts_action' );
-				wp_safe_redirect( $ts_url );
+			$nonce = isset( $_GET ['nonce'] ) ? $_GET['nonce'] : '';//phpcs:ignore
+			if ( is_user_logged_in() && current_user_can( 'manage_options' ) && wp_verify_nonce( $nonce, 'ts_nonce_action' ) ) {
+				if ( isset( $_GET ['ts_action'] ) && 'reset_tracking' === $_GET ['ts_action'] ) {
+					Tyche_Plugin_Tracking::reset_tracker_setting( 'pgbf_lite' );
+					$ts_url = remove_query_arg( 'ts_action' );
+					$ts_url = remove_query_arg( 'nonce' );
+					wp_safe_redirect( $ts_url );
+				}
 			}
 		}
 

includes/settings/class-alg-wc-settings-checkout-fees.php

@@ -156,7 +156,8 @@ public function output_custom_link( $value ) {
 		public static function add_admin_field_reset_button( $value ) {
 			if ( 'ts_reset_tracking' === $value['id'] ) {
 				$description = WC_Admin_Settings::get_field_description( $value );
-				$ts_action   = 'admin.php?page=wc-settings&tab=alg_checkout_fees&ts_action=reset_tracking';
+				$nonce       = wp_create_nonce( 'ts_nonce_action' );
+				$ts_action   = 'admin.php?page=wc-settings&tab=alg_checkout_fees&ts_action=reset_tracking&nonce=' . $nonce;
 				?>
 				<tr valign="top">
 					<th scope="row" class="titledesc">
@@ -175,7 +176,6 @@ class="<?php echo esc_attr( $value['class'] ); ?>"
 				<?php
 			}
 		}
-
 	}
 
 endif;