From d1d82adca1dbb02382d7ccf49b8830816e8fa00f Mon Sep 17 00:00:00 2001
From: yehudah <yehudah@b8457f37-d9ea-0310-8a92-e5e31aec5664>
Date: Mon, 19 Aug 2019 20:57:47 +0000
Subject: Security issues

---
 Postman/Phpmailer/PostsmtpMailer.php               |  3 ++
 .../PostmanAbstractAuthenticationManager.php       |  3 ++
 .../Postman-Auth/PostmanAuthenticationManager.php  |  3 ++
 .../PostmanAuthenticationManagerFactory.php        |  3 ++
 .../PostmanGoogleAuthenticationManager.php         |  3 ++
 .../PostmanMicrosoftAuthenticationManager.php      |  3 ++
 .../PostmanNonOAuthAuthenticationManager.php       |  3 ++
 .../PostmanStateIdMissingException.php             |  3 ++
 .../PostmanYahooAuthenticationManager.php          |  3 ++
 .../PostmanConfigurationController.php             | 21 ++++++++++++++
 .../PostmanImportableConfiguration.php             |  4 +++
 .../PostmanRegisterConfigurationSettings.php       |  6 +++-
 .../Postman-Configuration/PostmanSmtpDiscovery.php |  4 +++
 .../Postman-Configuration/postman_manual_config.js |  2 ++
 Postman/Postman-Configuration/postman_wizard.js    | 22 ++++++++++-----
 .../Postman-Connectivity-Test/Postman-PortTest.php |  4 +++
 .../PostmanConnectivityTestController.php          | 18 ++++++++++++
 .../Postman-Connectivity-Test/postman_port_test.js | 12 +++++---
 Postman/Postman-Controller/PostmanAdminPointer.php |  4 +++
 .../PostmanDashboardWidgetController.php           |  4 +++
 .../PostmanManageConfigurationAjaxHandler.php      |  4 +++
 .../PostmanWelcomeController.php                   |  3 ++
 .../PostmanDiagnosticTestController.php            | 12 ++++++++
 .../Postman-Diagnostic-Test/postman_diagnostics.js |  3 +-
 .../PostmanEmailLogController.php                  | 22 +++++++++++----
 .../Postman-Email-Log/PostmanEmailLogPostType.php  |  3 ++
 .../Postman-Email-Log/PostmanEmailLogService.php   |  4 +++
 Postman/Postman-Email-Log/PostmanEmailLogView.php  | 10 +++++--
 Postman/Postman-Mail/PostmanContactForm7.php       |  3 ++
 .../Postman-Mail/PostmanDefaultModuleTransport.php |  4 +++
 Postman/Postman-Mail/PostmanEmailAddress.php       |  4 +++
 .../PostmanGmailApiModuleTransport.php             |  4 +++
 .../PostmanGmailApiModuleZendMailTransport.php     |  4 +++
 Postman/Postman-Mail/PostmanMailEngine.php         |  4 +++
 Postman/Postman-Mail/PostmanMailgunMailEngine.php  |  4 +++
 Postman/Postman-Mail/PostmanMailgunTransport.php   |  4 +++
 Postman/Postman-Mail/PostmanMandrillMailEngine.php |  4 +++
 Postman/Postman-Mail/PostmanMandrillTransport.php  |  4 +++
 Postman/Postman-Mail/PostmanMessage.php            |  4 +++
 Postman/Postman-Mail/PostmanModuleTransport.php    |  4 +++
 Postman/Postman-Mail/PostmanMyMailConnector.php    |  4 +++
 Postman/Postman-Mail/PostmanSendGridMailEngine.php |  3 ++
 Postman/Postman-Mail/PostmanSendGridTransport.php  |  4 +++
 .../Postman-Mail/PostmanSmtpModuleTransport.php    |  4 +++
 Postman/Postman-Mail/PostmanTransportRegistry.php  |  4 +++
 Postman/Postman-Mail/PostmanWooCommerce.php        |  3 ++
 Postman/Postman-Mail/PostmanZendMailEngine.php     |  4 +++
 ...ostmanZendMailTransportConfigurationFactory.php |  4 +++
 .../PostmanSendTestEmailController.php             |  9 ++++++
 .../postman_send_test_email.js                     |  3 +-
 Postman/Postman.php                                | 33 +++-------------------
 Postman/PostmanAdminController.php                 |  4 +++
 Postman/PostmanAjaxController.php                  |  4 +++
 Postman/PostmanConfigTextHelper.php                |  4 +++
 Postman/PostmanEmailLogs.php                       |  4 ++-
 Postman/PostmanInputSanitizer.php                  |  3 ++
 Postman/PostmanInstaller.php                       |  4 +++
 Postman/PostmanLogger.php                          |  4 +++
 Postman/PostmanMessageHandler.php                  |  3 ++
 Postman/PostmanOAuthToken.php                      |  3 ++
 Postman/PostmanOptions.php                         |  3 ++
 Postman/PostmanPluginFeedback.php                  |  6 ++--
 Postman/PostmanPreRequisitesCheck.php              |  3 ++
 Postman/PostmanSession.php                         |  3 ++
 Postman/PostmanState.php                           |  3 ++
 Postman/PostmanUtils.php                           |  8 ++++--
 Postman/PostmanViewController.php                  | 14 ++++-----
 Postman/PostmanWpMail.php                          |  6 ++--
 Postman/PostmanWpMailBinder.php                    |  3 ++
 Postman/notifications/INotify.php                  |  3 ++
 Postman/notifications/PostmanMailNotify.php        |  4 ++-
 Postman/notifications/PostmanNotify.php            |  3 ++
 Postman/notifications/PostmanPushoverNotify.php    |  4 ++-
 Postman/notifications/PostmanSlackNotify.php       |  4 ++-
 postman-smtp.php                                   |  3 ++
 script/postman.js                                  |  9 ++++++
 76 files changed, 356 insertions(+), 67 deletions(-)

diff --git a/Postman/Phpmailer/PostsmtpMailer.php b/Postman/Phpmailer/PostsmtpMailer.php
index 9eee0a7..b3a421b 100644
--- a/Postman/Phpmailer/PostsmtpMailer.php
+++ b/Postman/Phpmailer/PostsmtpMailer.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 require_once ABSPATH . WPINC . '/class-phpmailer.php';
 require_once ABSPATH . WPINC . '/class-smtp.php';
 
diff --git a/Postman/Postman-Auth/PostmanAbstractAuthenticationManager.php b/Postman/Postman-Auth/PostmanAbstractAuthenticationManager.php
index 75d734b..7402ba7 100644
--- a/Postman/Postman-Auth/PostmanAbstractAuthenticationManager.php
+++ b/Postman/Postman-Auth/PostmanAbstractAuthenticationManager.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( "PostmanAbstractAuthenticationManager" )) {
 	
 	require_once 'PostmanAuthenticationManager.php';
diff --git a/Postman/Postman-Auth/PostmanAuthenticationManager.php b/Postman/Postman-Auth/PostmanAuthenticationManager.php
index 56cc697..c405459 100644
--- a/Postman/Postman-Auth/PostmanAuthenticationManager.php
+++ b/Postman/Postman-Auth/PostmanAuthenticationManager.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! interface_exists ( "PostmanAuthenticationManager" )) {
 	interface PostmanAuthenticationManager {
 		const POSTMAN_AUTHORIZATION_IN_PROGRESS = 'request_oauth_permission';
diff --git a/Postman/Postman-Auth/PostmanAuthenticationManagerFactory.php b/Postman/Postman-Auth/PostmanAuthenticationManagerFactory.php
index fec81a1..799b999 100644
--- a/Postman/Postman-Auth/PostmanAuthenticationManagerFactory.php
+++ b/Postman/Postman-Auth/PostmanAuthenticationManagerFactory.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( "PostmanAuthenticationManagerFactory" )) {
 	
 	require_once 'PostmanGoogleAuthenticationManager.php';
diff --git a/Postman/Postman-Auth/PostmanGoogleAuthenticationManager.php b/Postman/Postman-Auth/PostmanGoogleAuthenticationManager.php
index 4bbe27b..c00afba 100644
--- a/Postman/Postman-Auth/PostmanGoogleAuthenticationManager.php
+++ b/Postman/Postman-Auth/PostmanGoogleAuthenticationManager.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( "PostmanGoogleAuthenticationManager" )) {
 	
 	require_once 'PostmanAbstractAuthenticationManager.php';
diff --git a/Postman/Postman-Auth/PostmanMicrosoftAuthenticationManager.php b/Postman/Postman-Auth/PostmanMicrosoftAuthenticationManager.php
index a724f04..96fb529 100644
--- a/Postman/Postman-Auth/PostmanMicrosoftAuthenticationManager.php
+++ b/Postman/Postman-Auth/PostmanMicrosoftAuthenticationManager.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( "PostmanMicrosoftAuthenticationManager" )) {
 	
 	require_once 'PostmanAbstractAuthenticationManager.php';
diff --git a/Postman/Postman-Auth/PostmanNonOAuthAuthenticationManager.php b/Postman/Postman-Auth/PostmanNonOAuthAuthenticationManager.php
index 7ab1b5a..ed4f0c3 100644
--- a/Postman/Postman-Auth/PostmanNonOAuthAuthenticationManager.php
+++ b/Postman/Postman-Auth/PostmanNonOAuthAuthenticationManager.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( "PostmanNonOAuthAuthenticationManager" )) {
 	
 	require_once 'PostmanAuthenticationManager.php';
diff --git a/Postman/Postman-Auth/PostmanStateIdMissingException.php b/Postman/Postman-Auth/PostmanStateIdMissingException.php
index 94a973d..afa16c2 100644
--- a/Postman/Postman-Auth/PostmanStateIdMissingException.php
+++ b/Postman/Postman-Auth/PostmanStateIdMissingException.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( 'PostmanStateIdMissingException' )) {
 	class PostmanStateIdMissingException extends Exception {
 	}
diff --git a/Postman/Postman-Auth/PostmanYahooAuthenticationManager.php b/Postman/Postman-Auth/PostmanYahooAuthenticationManager.php
index 56d7b9e..86c35d9 100644
--- a/Postman/Postman-Auth/PostmanYahooAuthenticationManager.php
+++ b/Postman/Postman-Auth/PostmanYahooAuthenticationManager.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( "PostmanYahooAuthenticationManager" )) {
 	
 	require_once 'PostmanAbstractAuthenticationManager.php';
diff --git a/Postman/Postman-Configuration/PostmanConfigurationController.php b/Postman/Postman-Configuration/PostmanConfigurationController.php
index a81605a..4cade58 100644
--- a/Postman/Postman-Configuration/PostmanConfigurationController.php
+++ b/Postman/Postman-Configuration/PostmanConfigurationController.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once( 'PostmanRegisterConfigurationSettings.php' );
 class PostmanConfigurationController {
 	const CONFIGURATION_SLUG = 'postman/configuration';
@@ -207,6 +211,9 @@ class PostmanConfigurationController {
 		print '</ul>';
 
 		print '<form method="post" action="options.php">';
+
+		wp_nonce_field('post-smtp', 'security');
+
 		// This prints out all hidden setting fields
 		settings_fields( PostmanAdminController::SETTINGS_GROUP_NAME );
 
@@ -441,6 +448,8 @@ class PostmanConfigurationController {
 		printf( '<input type="hidden" id="input_%2$s" name="%1$s[%2$s]" value="%3$s" />', PostmanOptions::POSTMAN_OPTIONS, PostmanOptions::STEALTH_MODE, $this->options->isStealthModeEnabled() );
 		printf( '<input type="hidden" id="input_%2$s" name="%1$s[%2$s]" value="%3$s" />', PostmanOptions::POSTMAN_OPTIONS, PostmanOptions::TEMPORARY_DIRECTORY, $this->options->getTempDirectory() );
 
+		wp_nonce_field('post-smtp', 'security' );
+
 		// display the setting text
 		settings_fields( PostmanAdminController::SETTINGS_GROUP_NAME );
 
@@ -622,6 +631,9 @@ class PostmanGetHostnameByEmailAjaxController extends PostmanAbstractAjaxHandler
 	 * This Ajax function retrieves the smtp hostname for a give e-mail address
 	 */
 	function getAjaxHostnameByEmail() {
+
+	    check_admin_referer('post-smtp', 'security');
+
 		$goDaddyHostDetected = $this->getBooleanRequestParameter( 'go_daddy' );
 		$email = $this->getRequestParameter( 'email' );
 		$d = new PostmanSmtpDiscovery( $email );
@@ -656,6 +668,9 @@ class PostmanManageConfigurationAjaxHandler extends PostmanAbstractAjaxHandler {
 	 * @throws Exception
 	 */
 	function getManualConfigurationViaAjax() {
+
+	    check_admin_referer('post-smtp', 'security');
+
 		$queryTransportType = $this->getTransportTypeFromRequest();
 		$queryAuthType = $this->getAuthenticationTypeFromRequest();
 		$queryHostname = $this->getHostnameFromRequest();
@@ -686,6 +701,9 @@ class PostmanManageConfigurationAjaxHandler extends PostmanAbstractAjaxHandler {
 	 * The UI response is built so the user may choose a different socket with different options.
 	 */
 	function getWizardConfigurationViaAjax() {
+
+	    check_admin_referer('post-smtp', 'security');
+
 		$this->logger->debug( 'in getWizardConfiguration' );
 		$originalSmtpServer = $this->getRequestParameter( 'original_smtp_server' );
 		$queryHostData = $this->getHostDataFromRequest();
@@ -895,6 +913,9 @@ class PostmanImportConfigurationAjaxController extends PostmanAbstractAjaxHandle
 	 * and pushes them into the Postman configuration screen.
 	 */
 	function getConfigurationFromExternalPluginViaAjax() {
+
+        check_admin_referer('post-smtp', 'security');
+
 		$importableConfiguration = new PostmanImportableConfiguration();
 		$plugin = $this->getRequestParameter( 'plugin' );
 		$this->logger->debug( 'Looking for config=' . $plugin );
diff --git a/Postman/Postman-Configuration/PostmanImportableConfiguration.php b/Postman/Postman-Configuration/PostmanImportableConfiguration.php
index ba807d3..0008221 100644
--- a/Postman/Postman-Configuration/PostmanImportableConfiguration.php
+++ b/Postman/Postman-Configuration/PostmanImportableConfiguration.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if (! interface_exists ( 'PostmanPluginOptions' )) {
 	interface PostmanPluginOptions {
 		public function getPluginSlug();
diff --git a/Postman/Postman-Configuration/PostmanRegisterConfigurationSettings.php b/Postman/Postman-Configuration/PostmanRegisterConfigurationSettings.php
index 84305a3..6ddebd7 100644
--- a/Postman/Postman-Configuration/PostmanRegisterConfigurationSettings.php
+++ b/Postman/Postman-Configuration/PostmanRegisterConfigurationSettings.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 class PostmanSettingsRegistry {
 
 	private $options;
@@ -11,7 +15,7 @@ class PostmanSettingsRegistry {
 	 * Fires on the admin_init method
 	 */
 	public function on_admin_init() {
-				$this->registerSettings();
+        $this->registerSettings();
 	}
 
 	/**
diff --git a/Postman/Postman-Configuration/PostmanSmtpDiscovery.php b/Postman/Postman-Configuration/PostmanSmtpDiscovery.php
index 44da3bb..67a58b3 100644
--- a/Postman/Postman-Configuration/PostmanSmtpDiscovery.php
+++ b/Postman/Postman-Configuration/PostmanSmtpDiscovery.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if (! class_exists ( 'PostmanSmtpMappings' )) {
 	class PostmanSmtpMappings {
 		// if an email is in this domain array, it is a known smtp server (easy lookup)
diff --git a/Postman/Postman-Configuration/postman_manual_config.js b/Postman/Postman-Configuration/postman_manual_config.js
index 293df28..a47df1a 100644
--- a/Postman/Postman-Configuration/postman_manual_config.js
+++ b/Postman/Postman-Configuration/postman_manual_config.js
@@ -77,11 +77,13 @@ function reloadOauthSection() {
 	var hostname = jQuery(postman_hostname_element_name).val();
 	var transport = jQuery('#input_transport_type').val();
 	var authtype = jQuery('select#input_auth_type').val();
+	var security = jQuery('#security').val();
 	var data = {
 		'action' : 'manual_config',
 		'auth_type' : authtype,
 		'hostname' : hostname,
 		'transport' : transport,
+		'security' : security
 	};
 	jQuery.post(ajaxurl, data, function(response) {
 		if (response.success) {
diff --git a/Postman/Postman-Configuration/postman_wizard.js b/Postman/Postman-Configuration/postman_wizard.js
index c29edb4..d844322 100644
--- a/Postman/Postman-Configuration/postman_wizard.js
+++ b/Postman/Postman-Configuration/postman_wizard.js
@@ -33,7 +33,8 @@ function checkGoDaddyAndCheckEmail(email) {
 		'action' : 'postman_wizard_port_test',
 		'hostname' : 'relay-hosting.secureserver.net',
 		'port' : 25,
-		'timeout' : 3
+		'timeout' : 3,
+		'security' : jQuery('#security').val(),
 	};
 	goDaddy = 'unknown';
 	checkedEmail = false;
@@ -50,7 +51,8 @@ function checkEmail(goDaddyHostDetected, email) {
 	var data = {
 		'action' : 'postman_check_email',
 		'go_daddy' : goDaddyHostDetected,
-		'email' : email
+		'email' : email,
+		'security' : jQuery('#security').val()
 	};
 	jQuery.post(
 			ajaxurl,
@@ -282,7 +284,8 @@ function getHostsToCheck(hostname) {
 	var data = {
 		'action' : 'postman_get_hosts_to_test',
 		'hostname' : hostname,
-		'original_smtp_server' : smtpDiscovery.hostname
+		'original_smtp_server' : smtpDiscovery.hostname,
+		'security' : jQuery('#security').val(),
 	};
 	jQuery.post(ajaxurl, data, function(response) {
 		if (postmanValidateAjaxResponseWithPopup(response)) {
@@ -311,7 +314,8 @@ function handleHostsToCheckResponse(response) {
 			'action' : 'postman_wizard_port_test',
 			'hostname' : hostname,
 			'port' : port,
-			'transport' : transport
+			'transport' : transport,
+			'security' : jQuery('#security').val(),
 		};
 		postThePortTest(hostname, port, data);
 	}
@@ -358,6 +362,7 @@ function handlePortTestResponse(hostname, port, data, response) {
 	} else {
 		// SMTP failed, try again on the SMTPS port
 		data['action'] = 'postman_wizard_port_test_smtps';
+		data['security'] = jQuery('#security').val();
 		postThePortTest(hostname, port, data);
 	}
 }
@@ -386,7 +391,8 @@ function afterPortsChecked() {
 		var data = {
 			'action' : 'get_wizard_configuration_options',
 			'original_smtp_server' : smtpDiscovery.hostname,
-			'host_data' : connectivtyTestResults
+			'host_data' : connectivtyTestResults,
+			'security': jQuery('#security').val()
 		};
 		postTheConfigurationRequest(data);
 		hide('#connectivity_test_status');
@@ -403,7 +409,8 @@ function userOverrideMenu() {
 				"input:radio[name='user_socket_override']:checked").val(),
 		'user_auth_override' : jQuery(
 				"input:radio[name='user_auth_override']:checked").val(),
-		'host_data' : connectivtyTestResults
+		'host_data' : connectivtyTestResults,
+		'security' : jQuery('#security').val()
 	};
 	postTheConfigurationRequest(data);
 }
@@ -544,7 +551,8 @@ function getConfiguration() {
 	if (plugin != '') {
 		var data = {
 			'action' : 'import_configuration',
-			'plugin' : plugin
+			'plugin' : plugin,
+			'_wpnonce' : jQuery('#_wpnonce').val(),
 		};
 		jQuery
 				.post(
diff --git a/Postman/Postman-Connectivity-Test/Postman-PortTest.php b/Postman/Postman-Connectivity-Test/Postman-PortTest.php
index 91d18f1..adbe530 100644
--- a/Postman/Postman-Connectivity-Test/Postman-PortTest.php
+++ b/Postman/Postman-Connectivity-Test/Postman-PortTest.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once ("registered-domain-libs-master/PHP/effectiveTLDs.inc.php");
 require_once ("registered-domain-libs-master/PHP/regDomain.inc.php");
 
diff --git a/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php b/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php
index b423c05..3e17dbd 100644
--- a/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php
+++ b/Postman/Postman-Connectivity-Test/PostmanConnectivityTestController.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 
 class PostmanConnectivityTestController {
 
@@ -137,6 +140,9 @@ class PostmanConnectivityTestController {
 		print '<p>';
 		print __( 'This test determines which well-known ports are available for Postman to use.', 'post-smtp' );
 		print '<form id="port_test_form_id" method="post">';
+
+		wp_nonce_field('post-smtp', 'security' );
+
 		printf( '<label for="hostname">%s</label>', __( 'Outgoing Mail Server Hostname', 'post-smtp' ) );
 		$this->port_test_hostname_callback();
 		submit_button( _x( 'Begin Test', 'Button Label', 'post-smtp' ), 'primary', 'begin-port-test', true );
@@ -205,6 +211,9 @@ class PostmanPortTestAjaxController {
 	 * combinations to run the connectivity test on
 	 */
 	function getPortsToTestViaAjax() {
+
+	    check_admin_referer('post-smtp', 'security');
+
 		$queryHostname = PostmanUtils::getRequestParameter( 'hostname' );
 		// originalSmtpServer is what SmtpDiscovery thinks the SMTP server should be, given an email address
 		$originalSmtpServer = PostmanUtils::getRequestParameter( 'original_smtp_server' );
@@ -222,6 +231,9 @@ class PostmanPortTestAjaxController {
 	 * This Ajax function retrieves whether a TCP port is open or not
 	 */
 	function runPortQuizTest() {
+
+	    check_admin_referer('post-smtp', 'security');
+
 		$hostname = 'portquiz.net';
 		$port = intval( PostmanUtils::getRequestParameter( 'port' ) );
 		$this->logger->debug( 'testing TCP port: hostname ' . $hostname . ' port ' . $port );
@@ -235,6 +247,9 @@ class PostmanPortTestAjaxController {
 	 * This is called by both the Wizard and Port Test
 	 */
 	function runSmtpTest() {
+
+	    check_admin_referer('post-smtp', 'security');
+
 		$hostname = trim( PostmanUtils::getRequestParameter( 'hostname' ) );
 		$port = intval( PostmanUtils::getRequestParameter( 'port' ) );
 		$transport = trim( PostmanUtils::getRequestParameter( 'transport' ) );
@@ -258,6 +273,9 @@ class PostmanPortTestAjaxController {
 	 * This Ajax function retrieves whether a TCP port is open or not
 	 */
 	function runSmtpsTest() {
+
+	    check_admin_referer('post-smtp', 'security');
+
 		$hostname = trim( PostmanUtils::getRequestParameter( 'hostname' ) );
 		$port = intval( PostmanUtils::getRequestParameter( 'port' ) );
 		$transport = trim( PostmanUtils::getRequestParameter( 'transport' ) );
diff --git a/Postman/Postman-Connectivity-Test/postman_port_test.js b/Postman/Postman-Connectivity-Test/postman_port_test.js
index 138b4ef..1d5c3fb 100644
--- a/Postman/Postman-Connectivity-Test/postman_port_test.js
+++ b/Postman/Postman-Connectivity-Test/postman_port_test.js
@@ -23,7 +23,8 @@ jQuery(document).ready(function() {
 		var hostname = jQuery(postman_hostname_element_name).val();
 		var data = {
 			'action' : 'postman_get_hosts_to_test',
-			'hostname' : hostname
+			'hostname' : hostname,
+			'security' : jQuery('#security').val(),
 		};
 
 		totalPortsTested = 0;
@@ -71,7 +72,8 @@ function portQuizTest(socket, hostname, port) {
 	var data = {
 		'action' : 'postman_port_quiz_test',
 		'hostname' : hostname,
-		'port' : port
+		'port' : port,
+		'_wpnonce' : jQuery('#_wpnonce').val(),
 	};
 	jQuery.post(
 			ajaxurl,
@@ -104,7 +106,8 @@ function firstServiceTest(socket, hostname, port, open) {
 	var data = {
 		'action' : 'postman_test_port',
 		'hostname' : hostname,
-		'port' : port
+		'port' : port,
+		'security' : jQuery('#security').val(),
 	};
 	jQuery
 			.post(
@@ -197,7 +200,8 @@ function portTest3(socket, hostname, port, open) {
 	var data = {
 		'action' : 'postman_test_smtps',
 		'hostname' : hostname,
-		'port' : port
+		'port' : port,
+		'_wpnonce' : jQuery('#_wpnonce').val(),
 	};
 	jQuery
 			.post(
diff --git a/Postman/Postman-Controller/PostmanAdminPointer.php b/Postman/Postman-Controller/PostmanAdminPointer.php
index 15fb52d..a05376b 100644
--- a/Postman/Postman-Controller/PostmanAdminPointer.php
+++ b/Postman/Postman-Controller/PostmanAdminPointer.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if (! class_exists ( 'PostmanAdminPointer' )) {
 	
 	/**
diff --git a/Postman/Postman-Controller/PostmanDashboardWidgetController.php b/Postman/Postman-Controller/PostmanDashboardWidgetController.php
index 6233315..8f6bae6 100644
--- a/Postman/Postman-Controller/PostmanDashboardWidgetController.php
+++ b/Postman/Postman-Controller/PostmanDashboardWidgetController.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if (! class_exists ( "PostmanDashboardWidgetController" )) {
 	
 	//
diff --git a/Postman/Postman-Controller/PostmanManageConfigurationAjaxHandler.php b/Postman/Postman-Controller/PostmanManageConfigurationAjaxHandler.php
index 1260dad..82472c3 100644
--- a/Postman/Postman-Controller/PostmanManageConfigurationAjaxHandler.php
+++ b/Postman/Postman-Controller/PostmanManageConfigurationAjaxHandler.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 class PostmanWizardSocket {
 	
 	// these variables are populated by the Port Test
diff --git a/Postman/Postman-Controller/PostmanWelcomeController.php b/Postman/Postman-Controller/PostmanWelcomeController.php
index 869848a..e37d3e8 100644
--- a/Postman/Postman-Controller/PostmanWelcomeController.php
+++ b/Postman/Postman-Controller/PostmanWelcomeController.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 
 class PostmanWelcomeController {
 
diff --git a/Postman/Postman-Diagnostic-Test/PostmanDiagnosticTestController.php b/Postman/Postman-Diagnostic-Test/PostmanDiagnosticTestController.php
index 82eb558..18a3ec5 100644
--- a/Postman/Postman-Diagnostic-Test/PostmanDiagnosticTestController.php
+++ b/Postman/Postman-Diagnostic-Test/PostmanDiagnosticTestController.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 class PostmanDiagnosticTestController {
 	const DIAGNOSTICS_SLUG = 'postman/diagnostics';
 
@@ -100,6 +103,12 @@ class PostmanDiagnosticTestController {
 
 		PostmanViewController::outputChildPageHeader( __( 'Diagnostic Test', 'post-smtp' ) );
 
+		?>
+        <form>
+            <?php wp_nonce_field('post-smtp', 'security' ); ?>
+        </form>
+        <?php
+
 		printf( '<h4>%s</h4>', __( 'Are you having issues with Postman?', 'post-smtp' ) );
 		/* translators: where %1$s and %2$s are the URLs to the Troubleshooting and Support Forums on WordPress.org */
 		printf( '<p style="margin:0 10px">%s</p>', sprintf( __( 'Please check the <a href="%1$s">troubleshooting and error messages</a> page and the <a href="%2$s">support forum</a>.', 'post-smtp' ), 'https://wordpress.org/plugins/post-smtp/other_notes/', 'https://wordpress.org/support/plugin/post-smtp' ) );
@@ -208,6 +217,9 @@ class PostmanGetDiagnosticsViaAjax {
 	/**
 	 */
 	public function getDiagnostics() {
+
+	    check_admin_referer('post-smtp', 'security');
+
 	    $curl = curl_version();
 		$transportRegistry = PostmanTransportRegistry::getInstance();
         $this->addToDiagnostics( 'Mailer', PostmanOptions::getInstance()->getSmtpMailer() );
diff --git a/Postman/Postman-Diagnostic-Test/postman_diagnostics.js b/Postman/Postman-Diagnostic-Test/postman_diagnostics.js
index 4aeaa5c..140668e 100644
--- a/Postman/Postman-Diagnostic-Test/postman_diagnostics.js
+++ b/Postman/Postman-Diagnostic-Test/postman_diagnostics.js
@@ -6,7 +6,8 @@ jQuery(document).ready(function() {
  */
 function getDiagnosticData() {
 	var data = {
-		'action' : 'postman_diagnostics'
+		'action' : 'postman_diagnostics',
+		'security' : jQuery('#security').val()
 	};
 	jQuery.post(ajaxurl, data, function(response) {
 		if (response.success) {
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogController.php b/Postman/Postman-Email-Log/PostmanEmailLogController.php
index 79751f3..d22b265 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogController.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogController.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once dirname(__DIR__) . '/PostmanEmailLogs.php';
 require_once 'PostmanEmailLogService.php';
 require_once 'PostmanEmailLogView.php';
@@ -73,7 +77,7 @@ class PostmanEmailLogController {
 	/**
 	 */
 	public function resendMail() {
-		check_ajax_referer( 'resend', 'security' );
+        check_admin_referer( 'resend', 'security' );
 
 		// get the email address of the recipient from the HTTP Request
 		$postid = $this->getRequestParameter( 'email' );
@@ -200,8 +204,13 @@ class PostmanEmailLogController {
 		// only do this for administrators
 		if ( PostmanUtils::isAdmin() ) {
 			$this->logger->trace( 'handling view item' );
-			$postid = $_REQUEST ['email'];
+			$postid = absint( $_REQUEST ['email'] );
 			$post = get_post( $postid );
+
+			if ( $post->post_type !== 'postman_sent_mail' ) {
+			    return;
+            }
+
 			$meta_values = PostmanEmailLogs::get_data( $postid );
 			// https://css-tricks.com/examples/hrs/
 			print '<html><head><style>body {font-family: monospace;} hr {
@@ -369,18 +378,21 @@ class PostmanEmailLogController {
 	?>
 
 	<form id="postman-email-log-filter" method="post">
+        <input type="hidden" action="post-smtp-filter" value="1">
+        <?php wp_nonce_field('post-smtp', 'post-smtp-log'); ?>
+
 		<div id="email-log-filter" class="postman-log-row">
 			<div class="form-control">
 				<label for="from_date"><?php _e( 'From Date', 'post-smtp' ); ?></label>
-				<input id="from_date" class="email-log-date" value="<?php echo $from_date; ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>">
+				<input id="from_date" class="email-log-date" value="<?php echo esc_attr($from_date); ?>" type="text" name="from_date" placeholder="<?php _e( 'From Date', 'post-smtp' ); ?>">
 			</div>
 			<div class="form-control">
 				<label for="to_date"><?php _e( 'To Date', 'post-smtp' ); ?></label>		
-				<input id="to_date" class="email-log-date" value="<?php echo $to_date; ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>">
+				<input id="to_date" class="email-log-date" value="<?php echo esc_attr($to_date); ?>" type="text" name="to_date" placeholder="<?php _e( 'To Date', 'post-smtp' ); ?>">
 			</div>
 			<div class="form-control">
 				<label for="search"><?php _e( 'Search', 'post-smtp' ); ?></label>		
-				<input id="search" type="text" name="search" value="<?php echo $search; ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>">
+				<input id="search" type="text" name="search" value="<?php echo esc_attr($search); ?>" placeholder="<?php _e( 'Search', 'post-smtp' ); ?>">
 			</div>
 			<div class="form-control">
 				<label id="postman_page_records"><?php _e( 'Records per page', 'post-smtp' ); ?></label>
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogPostType.php b/Postman/Postman-Email-Log/PostmanEmailLogPostType.php
index 38ab1d0..cf297db 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogPostType.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogPostType.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( 'PostmanEmailLogPostType' )) {
 	
 	/**
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogService.php b/Postman/Postman-Email-Log/PostmanEmailLogService.php
index b1b1dff..75c3879 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogService.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogService.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if ( ! class_exists( 'PostmanEmailLog' ) ) {
 	class PostmanEmailLog {
 		public $sender;
diff --git a/Postman/Postman-Email-Log/PostmanEmailLogView.php b/Postman/Postman-Email-Log/PostmanEmailLogView.php
index a9722bd..02da123 100644
--- a/Postman/Postman-Email-Log/PostmanEmailLogView.php
+++ b/Postman/Postman-Email-Log/PostmanEmailLogView.php
@@ -1,5 +1,7 @@
 <?php
-
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 require_once dirname(__DIR__) . '/PostmanEmailLogs.php';
 
 /**
@@ -260,8 +262,12 @@ class PostmanEmailLogView extends WP_List_Table {
 	 *       ************************************************************************
 	 */
 	function prepare_items() {
+	    if ( isset( $_POST['action'] ) && $_POST['action'] == 'post-smtp-filter' ) {
+            if ( ! wp_verify_nonce( $_REQUEST['post-smtp-log'], 'post-smtp' ) )
+                die( 'Security check' );
+        }
 
-		/**
+            /**
 		 * First, lets decide how many records per page to show
 		 */
 		$per_page = isset( $_POST['postman_page_records'] ) ? absint( $_POST['postman_page_records'] ) : 10;
diff --git a/Postman/Postman-Mail/PostmanContactForm7.php b/Postman/Postman-Mail/PostmanContactForm7.php
index 40fd698..8792b08 100644
--- a/Postman/Postman-Mail/PostmanContactForm7.php
+++ b/Postman/Postman-Mail/PostmanContactForm7.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 class Postsmtp_ContactForm7 {
 
     private $result_error;
diff --git a/Postman/Postman-Mail/PostmanDefaultModuleTransport.php b/Postman/Postman-Mail/PostmanDefaultModuleTransport.php
index 3234a26..e52c754 100644
--- a/Postman/Postman-Mail/PostmanDefaultModuleTransport.php
+++ b/Postman/Postman-Mail/PostmanDefaultModuleTransport.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once 'PostmanModuleTransport.php';
 if (! class_exists ( 'PostmanSmtpModuleTransport' )) {
 	class PostmanDefaultModuleTransport extends PostmanAbstractZendModuleTransport implements PostmanZendModuleTransport {
diff --git a/Postman/Postman-Mail/PostmanEmailAddress.php b/Postman/Postman-Mail/PostmanEmailAddress.php
index 123064d..d29b0f4 100644
--- a/Postman/Postman-Mail/PostmanEmailAddress.php
+++ b/Postman/Postman-Mail/PostmanEmailAddress.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if (! class_exists ( 'PostmanEmailAddress' )) {
 	class PostmanEmailAddress {
 		private $name;
diff --git a/Postman/Postman-Mail/PostmanGmailApiModuleTransport.php b/Postman/Postman-Mail/PostmanGmailApiModuleTransport.php
index 98fc1f1..fc9e351 100644
--- a/Postman/Postman-Mail/PostmanGmailApiModuleTransport.php
+++ b/Postman/Postman-Mail/PostmanGmailApiModuleTransport.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once 'PostmanModuleTransport.php';
 
 /**
diff --git a/Postman/Postman-Mail/PostmanGmailApiModuleZendMailTransport.php b/Postman/Postman-Mail/PostmanGmailApiModuleZendMailTransport.php
index 544d5fb..b190772 100644
--- a/Postman/Postman-Mail/PostmanGmailApiModuleZendMailTransport.php
+++ b/Postman/Postman-Mail/PostmanGmailApiModuleZendMailTransport.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 /**
  * Zend Framework
  *
diff --git a/Postman/Postman-Mail/PostmanMailEngine.php b/Postman/Postman-Mail/PostmanMailEngine.php
index 16c799a..046178b 100644
--- a/Postman/Postman-Mail/PostmanMailEngine.php
+++ b/Postman/Postman-Mail/PostmanMailEngine.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if (! interface_exists ( "PostmanMailEngine" )) {
 
 	interface PostmanMailEngine {
diff --git a/Postman/Postman-Mail/PostmanMailgunMailEngine.php b/Postman/Postman-Mail/PostmanMailgunMailEngine.php
index abb0466..ce1ebb7 100644
--- a/Postman/Postman-Mail/PostmanMailgunMailEngine.php
+++ b/Postman/Postman-Mail/PostmanMailgunMailEngine.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once 'mailgun/mailgun.php';
 
 use Mailgun\Mailgun;
diff --git a/Postman/Postman-Mail/PostmanMailgunTransport.php b/Postman/Postman-Mail/PostmanMailgunTransport.php
index 63173db..b56cadf 100644
--- a/Postman/Postman-Mail/PostmanMailgunTransport.php
+++ b/Postman/Postman-Mail/PostmanMailgunTransport.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once 'PostmanModuleTransport.php';
 /**
  * Postman Mailgun module
diff --git a/Postman/Postman-Mail/PostmanMandrillMailEngine.php b/Postman/Postman-Mail/PostmanMandrillMailEngine.php
index 6ecc156..74980d3 100644
--- a/Postman/Postman-Mail/PostmanMandrillMailEngine.php
+++ b/Postman/Postman-Mail/PostmanMandrillMailEngine.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if ( ! class_exists( 'PostmanMandrillMailEngine' ) ) {
 
 	require_once 'mailchimp-mandrill-api-php-da3adc10042e/src/Mandrill.php';
diff --git a/Postman/Postman-Mail/PostmanMandrillTransport.php b/Postman/Postman-Mail/PostmanMandrillTransport.php
index 8284660..3279f2b 100644
--- a/Postman/Postman-Mail/PostmanMandrillTransport.php
+++ b/Postman/Postman-Mail/PostmanMandrillTransport.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once 'PostmanModuleTransport.php';
 /**
  * Postman Mandrill module
diff --git a/Postman/Postman-Mail/PostmanMessage.php b/Postman/Postman-Mail/PostmanMessage.php
index 7f8949e..12099ba 100644
--- a/Postman/Postman-Mail/PostmanMessage.php
+++ b/Postman/Postman-Mail/PostmanMessage.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if ( ! class_exists( 'PostmanMessage' ) ) {
 
 	require_once 'PostmanEmailAddress.php';
diff --git a/Postman/Postman-Mail/PostmanModuleTransport.php b/Postman/Postman-Mail/PostmanModuleTransport.php
index 12d3d17..a0874e3 100644
--- a/Postman/Postman-Mail/PostmanModuleTransport.php
+++ b/Postman/Postman-Mail/PostmanModuleTransport.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 /**
  * Keep the interface_exists check here for Postman Gmail API Extension users!
  * 
diff --git a/Postman/Postman-Mail/PostmanMyMailConnector.php b/Postman/Postman-Mail/PostmanMyMailConnector.php
index f6b7e54..507b4e0 100644
--- a/Postman/Postman-Mail/PostmanMyMailConnector.php
+++ b/Postman/Postman-Mail/PostmanMyMailConnector.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 define( 'MAILSTER_POSTMAN_REQUIRED_VERSION', '2.0' );
 define( 'MAILSTER_POSTMAN_ID', 'postman' );
 
diff --git a/Postman/Postman-Mail/PostmanSendGridMailEngine.php b/Postman/Postman-Mail/PostmanSendGridMailEngine.php
index 311d7cc..2ffb8e2 100644
--- a/Postman/Postman-Mail/PostmanSendGridMailEngine.php
+++ b/Postman/Postman-Mail/PostmanSendGridMailEngine.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 
 if ( ! class_exists( 'PostmanSendGridMailEngine' ) ) {
 
diff --git a/Postman/Postman-Mail/PostmanSendGridTransport.php b/Postman/Postman-Mail/PostmanSendGridTransport.php
index efac416..47a0638 100644
--- a/Postman/Postman-Mail/PostmanSendGridTransport.php
+++ b/Postman/Postman-Mail/PostmanSendGridTransport.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once 'PostmanModuleTransport.php';
 /**
  * Postman SendGrid module
diff --git a/Postman/Postman-Mail/PostmanSmtpModuleTransport.php b/Postman/Postman-Mail/PostmanSmtpModuleTransport.php
index 08e833f..f7d8009 100644
--- a/Postman/Postman-Mail/PostmanSmtpModuleTransport.php
+++ b/Postman/Postman-Mail/PostmanSmtpModuleTransport.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once 'PostmanModuleTransport.php';
 
 /**
diff --git a/Postman/Postman-Mail/PostmanTransportRegistry.php b/Postman/Postman-Mail/PostmanTransportRegistry.php
index 5af2493..4de782a 100644
--- a/Postman/Postman-Mail/PostmanTransportRegistry.php
+++ b/Postman/Postman-Mail/PostmanTransportRegistry.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once 'PostmanModuleTransport.php';
 require_once 'PostmanZendMailTransportConfigurationFactory.php';
 
diff --git a/Postman/Postman-Mail/PostmanWooCommerce.php b/Postman/Postman-Mail/PostmanWooCommerce.php
index feee32e..1768881 100644
--- a/Postman/Postman-Mail/PostmanWooCommerce.php
+++ b/Postman/Postman-Mail/PostmanWooCommerce.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 
 if ( ! class_exists( 'PostmanWoocommerce' ) ) {
 	class PostmanWoocommerce {
diff --git a/Postman/Postman-Mail/PostmanZendMailEngine.php b/Postman/Postman-Mail/PostmanZendMailEngine.php
index 86905f8..82da37c 100644
--- a/Postman/Postman-Mail/PostmanZendMailEngine.php
+++ b/Postman/Postman-Mail/PostmanZendMailEngine.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if ( ! class_exists( 'PostmanZendMailEngine' ) ) {
 
 	require_once 'Zend-1.12.10/Loader.php';
diff --git a/Postman/Postman-Mail/PostmanZendMailTransportConfigurationFactory.php b/Postman/Postman-Mail/PostmanZendMailTransportConfigurationFactory.php
index 08e1810..23fdc41 100644
--- a/Postman/Postman-Mail/PostmanZendMailTransportConfigurationFactory.php
+++ b/Postman/Postman-Mail/PostmanZendMailTransportConfigurationFactory.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if (! interface_exists ( 'PostmanZendMailTransportConfigurationFactory' )) {
 	interface PostmanZendMailTransportConfigurationFactory {
 		static function createConfig(PostmanTransport $transport);
diff --git a/Postman/Postman-Send-Test-Email/PostmanSendTestEmailController.php b/Postman/Postman-Send-Test-Email/PostmanSendTestEmailController.php
index b569c98..1a207c8 100644
--- a/Postman/Postman-Send-Test-Email/PostmanSendTestEmailController.php
+++ b/Postman/Postman-Send-Test-Email/PostmanSendTestEmailController.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 class PostmanSendTestEmailController {
 	const EMAIL_TEST_SLUG = 'postman/email_test';
 	const RECIPIENT_EMAIL_FIELD_NAME = 'postman_recipient_email';
@@ -127,6 +131,8 @@ class PostmanSendTestEmailController {
 
 		printf( '<form id="postman_test_email_wizard" method="post" action="%s">', PostmanUtils::getSettingsPageUrl() );
 
+		wp_nonce_field('post-smtp', 'security' );
+
 		// Step 1
 		printf( '<h5>%s</h5>', __( 'Specify the Recipient', 'post-smtp' ) );
 		print '<fieldset>';
@@ -199,6 +205,9 @@ class PostmanSendTestEmailAjaxController extends PostmanAbstractAjaxHandler {
 	 * This Ajax sends a test email
 	 */
 	function sendTestEmailViaAjax() {
+
+	    check_admin_referer('post-smtp', 'security');
+
 		// get the email address of the recipient from the HTTP Request
 		$email = $this->getRequestParameter( 'email' );
 
diff --git a/Postman/Postman-Send-Test-Email/postman_send_test_email.js b/Postman/Postman-Send-Test-Email/postman_send_test_email.js
index c3e9f07..ab69d1f 100644
--- a/Postman/Postman-Send-Test-Email/postman_send_test_email.js
+++ b/Postman/Postman-Send-Test-Email/postman_send_test_email.js
@@ -107,7 +107,8 @@ function postHandleStepChange(event, currentIndex, priorIndex, myself) {
 		jQuery('li').addClass('disabled');
 		var data = {
 			'action' : 'postman_send_test_email',
-			'email' : jQuery(postman_email_test.recipient).val()
+			'email' : jQuery(postman_email_test.recipient).val(),
+			'security' : jQuery('#security').val()
 		};
 		jQuery('#postman_test_message_status').html(postman_email_test.sending);
 		jQuery('#postman_test_message_status').css('color', 'blue');
diff --git a/Postman/Postman.php b/Postman/Postman.php
index 71c7cfd..0f36edf 100644
--- a/Postman/Postman.php
+++ b/Postman/Postman.php
@@ -1,5 +1,7 @@
 <?php
-
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 /**
  * Postman execution begins here:
  * - the default Postman transports are loaded
@@ -155,9 +157,6 @@ class Postman {
 			$active_plugins = (array)get_option('active_plugins', array());
 			if (in_array('sitepress-multilingual-cms/sitepress.php', $active_plugins) && !get_option('postman_wpml_fixed')) {
 				add_action('admin_notices', array($this, 'post_smtp_wpml_admin_notice'));
-
-				// Temp: Just a quick solution, need to find a better option.
-				add_action('admin_init', array($this, 'postman_fix_wpml'));
 			}
 		}
 
@@ -181,30 +180,6 @@ class Postman {
 
 	}
 
-	public function post_smtp_wpml_admin_notice() {
-		$class = 'notice notice-error';
-		$title =  __( 'Post SMTP notice!', 'post-smtp' );
-		$intro = __( 'WPML is installed and has a known bug with Post SMTP and few other plugins - you better upgrade, but we can try to fix it.', 'post-smtp' );
-		$text = __( 'Click here to fix', 'post-smtp' );
-		$message = '<br><a href="' . esc_url( add_query_arg( 'action', 'postman_fix_wpml', get_permalink() ) ) . '">' . $text . '</a>';
-
-		printf( '<div class="%1$s"><h2>%2$s</h2><p>%3$s</p><p>%4$s</p></div>', esc_attr( $class ), $title, $intro, $message );
-	}
-
-	public function postman_fix_wpml() {
-		if ( isset( $_GET['action'] ) && $_GET['action'] == 'postman_fix_wpml' ) {
-			$wpml_file_path = WP_PLUGIN_DIR . '/sitepress-multilingual-cms/inc/utilities/wpml-data-encryptor.class.php';
-
-			if ( file_exists( $wpml_file_path ) ) {
-				$content = file_get_contents( $wpml_file_path );
-				$content = str_replace( "require_once ABSPATH . '/wp-includes/pluggable.php';", "//require_once ABSPATH . '/wp-includes/pluggable.php';", $content );
-				file_put_contents( $wpml_file_path, $content );
-			}
-
-			update_option( 'postman_wpml_fixed', true );
-			wp_redirect( esc_url( remove_query_arg( 'action' ) ) );
-		}
-	}
 
 	/**
 	 * Functions to execute on the plugins_loaded event
@@ -436,7 +411,7 @@ class Postman {
 			$message .= (sprintf( ' %s | %s', $goToEmailLog, $goToSettings ));
 			$message .= '<input type="hidden" name="security" class="security" value="' . wp_create_nonce('postsmtp') . '">';
 			
-			$hide = get_option('postman_release_version_not_configured' );
+			$hide = get_option('postman_release_version' );
 
 			if ( $msg['error'] == true && ! $hide ) {
 				$this->messageHandler->printMessage( $message, 'postman-not-configured-notice notice notice-error is-dismissible' );
diff --git a/Postman/PostmanAdminController.php b/Postman/PostmanAdminController.php
index f92bc2c..e871821 100644
--- a/Postman/PostmanAdminController.php
+++ b/Postman/PostmanAdminController.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if ( ! class_exists( 'PostmanAdminController' ) ) {
 
 	require_once 'PostmanOptions.php';
diff --git a/Postman/PostmanAjaxController.php b/Postman/PostmanAjaxController.php
index 88ec369..e8e54b6 100644
--- a/Postman/PostmanAjaxController.php
+++ b/Postman/PostmanAjaxController.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if (! class_exists ( 'PostmanAbstractAjaxHandler' )) {
 	
 	require_once ('PostmanPreRequisitesCheck.php');
diff --git a/Postman/PostmanConfigTextHelper.php b/Postman/PostmanConfigTextHelper.php
index 6bc23fe..8ba5ef0 100644
--- a/Postman/PostmanConfigTextHelper.php
+++ b/Postman/PostmanConfigTextHelper.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if ( ! interface_exists( 'PostmanConfigTextHelper' ) ) {
 	interface PostmanConfigTextHelper {
 		public function isOauthHost();
diff --git a/Postman/PostmanEmailLogs.php b/Postman/PostmanEmailLogs.php
index c7b6175..b25bfbb 100644
--- a/Postman/PostmanEmailLogs.php
+++ b/Postman/PostmanEmailLogs.php
@@ -1,5 +1,7 @@
 <?php
-
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 class PostmanEmailLogs {
 
     private $db;
diff --git a/Postman/PostmanInputSanitizer.php b/Postman/PostmanInputSanitizer.php
index 561ce28..e33f6c4 100644
--- a/Postman/PostmanInputSanitizer.php
+++ b/Postman/PostmanInputSanitizer.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if ( ! class_exists( 'PostmanInputSanitizer' ) ) {
 	class PostmanInputSanitizer {
 		private $logger;
diff --git a/Postman/PostmanInstaller.php b/Postman/PostmanInstaller.php
index 0563679..01c6a07 100644
--- a/Postman/PostmanInstaller.php
+++ b/Postman/PostmanInstaller.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 require_once( 'PostmanOAuthToken.php' );
 require_once( 'PostmanOptions.php' );
 
diff --git a/Postman/PostmanLogger.php b/Postman/PostmanLogger.php
index c606e25..5454c60 100644
--- a/Postman/PostmanLogger.php
+++ b/Postman/PostmanLogger.php
@@ -1,4 +1,8 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
 if (! class_exists ( "PostmanLogger" )) {
 	
 	//
diff --git a/Postman/PostmanMessageHandler.php b/Postman/PostmanMessageHandler.php
index 7a218e8..cd9220d 100644
--- a/Postman/PostmanMessageHandler.php
+++ b/Postman/PostmanMessageHandler.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( 'PostmanMessageHandler' )) {
 	
 	require_once ('PostmanSession.php');
diff --git a/Postman/PostmanOAuthToken.php b/Postman/PostmanOAuthToken.php
index 1f4de78..1cd9634 100644
--- a/Postman/PostmanOAuthToken.php
+++ b/Postman/PostmanOAuthToken.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( 'PostmanOAuthToken.php' )) {
 	
 	class PostmanOAuthToken {
diff --git a/Postman/PostmanOptions.php b/Postman/PostmanOptions.php
index 57fe658..d890124 100644
--- a/Postman/PostmanOptions.php
+++ b/Postman/PostmanOptions.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if ( ! interface_exists( 'PostmanOptionsInterface' ) ) {
 	interface PostmanOptionsInterface {
 		/**
diff --git a/Postman/PostmanPluginFeedback.php b/Postman/PostmanPluginFeedback.php
index b31011d..7465377 100644
--- a/Postman/PostmanPluginFeedback.php
+++ b/Postman/PostmanPluginFeedback.php
@@ -1,5 +1,7 @@
 <?php
-
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 class PostmanPluginFeedback {
 	function __construct() {
 		add_filter( 'plugin_action_links_' . plugin_basename( POST_BASE ), array( $this, 'insert_deactivate_link_id' ) );
@@ -152,4 +154,4 @@ class PostmanPluginFeedback {
 	<?php
 	}
 }
-new PostmanPluginFeedback;
+//new PostmanPluginFeedback;
diff --git a/Postman/PostmanPreRequisitesCheck.php b/Postman/PostmanPreRequisitesCheck.php
index 884ecdf..c187a9b 100644
--- a/Postman/PostmanPreRequisitesCheck.php
+++ b/Postman/PostmanPreRequisitesCheck.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( 'PostmanPreRequisitesCheck' )) {
 	class PostmanPreRequisitesCheck {
 		public static function checkIconv() {
diff --git a/Postman/PostmanSession.php b/Postman/PostmanSession.php
index 4243f2b..f1128b4 100644
--- a/Postman/PostmanSession.php
+++ b/Postman/PostmanSession.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( 'PostmanSession' )) {
 	
 	/**
diff --git a/Postman/PostmanState.php b/Postman/PostmanState.php
index ac251fa..4b077e0 100644
--- a/Postman/PostmanState.php
+++ b/Postman/PostmanState.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( "PostmanState" )) {
 	
 	/**
diff --git a/Postman/PostmanUtils.php b/Postman/PostmanUtils.php
index 6858fe3..335d0f3 100644
--- a/Postman/PostmanUtils.php
+++ b/Postman/PostmanUtils.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 require_once 'PostmanLogger.php';
 require_once 'PostmanState.php';
 
@@ -368,9 +371,9 @@ class PostmanUtils {
 	 */
 	static function postmanGetServerName() {
 		if ( ! empty( $_SERVER ['SERVER_NAME'] ) ) {
-			$serverName = $_SERVER ['SERVER_NAME'];
+			$serverName = sanitize_text_field($_SERVER ['SERVER_NAME']);
 		} else if ( ! empty( $_SERVER ['HTTP_HOST'] ) ) {
-			$serverName = $_SERVER ['HTTP_HOST'];
+			$serverName = sanitize_text_field($_SERVER ['HTTP_HOST']);
 		} else {
 			$serverName = 'localhost.localdomain';
 		}
@@ -410,6 +413,7 @@ class PostmanUtils {
 	 * @param mixed $callbackName
 	 */
 	public static function registerAjaxHandler( $actionName, $class, $callbackName ) {
+
 		if ( is_admin() ) {
 			$fullname = 'wp_ajax_' . $actionName;
 			// $this->logger->debug ( 'Registering ' . 'wp_ajax_' . $fullname . ' Ajax handler' );
diff --git a/Postman/PostmanViewController.php b/Postman/PostmanViewController.php
index 55a56e9..7d5c35d 100644
--- a/Postman/PostmanViewController.php
+++ b/Postman/PostmanViewController.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if ( ! class_exists( 'PostmanViewController' ) ) {
 	class PostmanViewController {
 		private $logger;
@@ -46,19 +49,19 @@ if ( ! class_exists( 'PostmanViewController' ) ) {
 
 
 		function dismiss_version_notify() {
-			check_ajax_referer( 'postsmtp', 'security' );
+            check_admin_referer( 'postsmtp', 'security' );
 
 			$result = update_option('postman_release_version', true );
 		}
 
         function dismiss_donation_notify() {
-            check_ajax_referer( 'postsmtp', 'security' );
+            check_admin_referer( 'postsmtp', 'security' );
 
             $result = update_option('postman_dismiss_donation', true );
         }
 
 		function delete_lock_file() {
-			check_ajax_referer( 'postman', 'security' );
+            check_admin_referer( 'postman', 'security' );
 
 			if ( ! PostmanUtils::lockFileExists() ) {
 				echo __('No lock file found.', 'post-smtp' );
@@ -295,7 +298,7 @@ if ( ! class_exists( 'PostmanViewController' ) ) {
 			print '</section>';
 			print '<section id="delete_settings">';
 			printf( '<h3><span>%s<span></h3>', $resetTitle );
-			print '<form method="POST" action="' . get_admin_url() . 'admin-post.php">';
+			print '<form class="post-smtp-reset-options" method="POST" action="' . get_admin_url() . 'admin-post.php">';
 			wp_nonce_field( PostmanAdminController::PURGE_DATA_SLUG );
 			printf( '<input type="hidden" name="action" value="%s" />', PostmanAdminController::PURGE_DATA_SLUG );
 			printf( '<p><span>%s</span></p><p><span>%s</span></p>', __( 'This will purge all of Postman\'s settings, including account credentials and the email log.', 'post-smtp' ), __( 'Are you sure?', 'post-smtp' ) );
@@ -375,9 +378,6 @@ if ( ! class_exists( 'PostmanViewController' ) ) {
                 printf( '<li><img class="align-middle" src="' . plugins_url( 'style/images/new.gif', dirname( __DIR__ ) . '/postman-smtp.php' ) . '"><a target="blank" class="align-middle" href="https://postmansmtp.com/category/guides/" class="welcome-icon postman_guides">%s</a></li>', __( 'Guides', 'post-smtp' ) );
                 print '</ul></div></div></div></div>';
                 ?>
-                <div class="twitter-iframe-wrap" style="min-width: 300px;">
-                    <a class="twitter-timeline" data-height="304" href="https://twitter.com/PostSMTP?ref_src=twsrc%5Etfw">Tweets by PostSMTP</a> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
-                </div>
             </div>
             <?php
 		}
diff --git a/Postman/PostmanWpMail.php b/Postman/PostmanWpMail.php
index 66b3279..85f3ebd 100644
--- a/Postman/PostmanWpMail.php
+++ b/Postman/PostmanWpMail.php
@@ -1,5 +1,7 @@
 <?php
-
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if ( ! class_exists( 'PostmanWpMail' ) ) {
 
 	/**
@@ -75,7 +77,7 @@ if ( ! class_exists( 'PostmanWpMail' ) ) {
             $id = md5(uniqid(time()));
 
             if (isset($_SERVER["SERVER_NAME"])) {
-                $hostName = $_SERVER["SERVER_NAME"];
+                $hostName = sanitize_text_field($_SERVER["SERVER_NAME"]);
             } else {
                 $hostName = php_uname('n');
             }
diff --git a/Postman/PostmanWpMailBinder.php b/Postman/PostmanWpMailBinder.php
index 95eb898..575e1bb 100644
--- a/Postman/PostmanWpMailBinder.php
+++ b/Postman/PostmanWpMailBinder.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 if (! class_exists ( 'PostmanWpMailBinder' )) {
 	class PostmanWpMailBinder {
 		private $logger;
diff --git a/Postman/notifications/INotify.php b/Postman/notifications/INotify.php
index d330cbe..f40548d 100644
--- a/Postman/notifications/INotify.php
+++ b/Postman/notifications/INotify.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 interface Postman_Notify {
     public function send_message( $message );
 }
\ No newline at end of file
diff --git a/Postman/notifications/PostmanMailNotify.php b/Postman/notifications/PostmanMailNotify.php
index a76fb2a..922c304 100644
--- a/Postman/notifications/PostmanMailNotify.php
+++ b/Postman/notifications/PostmanMailNotify.php
@@ -1,5 +1,7 @@
 <?php
-
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 class PostmanMailNotify implements Postman_Notify {
 
     public function send_message($message)
diff --git a/Postman/notifications/PostmanNotify.php b/Postman/notifications/PostmanNotify.php
index 365d708..7654ecb 100644
--- a/Postman/notifications/PostmanNotify.php
+++ b/Postman/notifications/PostmanNotify.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 require_once 'INotify.php';
 require_once 'PostmanMailNotify.php';
 require_once 'PostmanPushoverNotify.php';
diff --git a/Postman/notifications/PostmanPushoverNotify.php b/Postman/notifications/PostmanPushoverNotify.php
index 1c483b3..14ef7d2 100644
--- a/Postman/notifications/PostmanPushoverNotify.php
+++ b/Postman/notifications/PostmanPushoverNotify.php
@@ -1,5 +1,7 @@
 <?php
-
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 class PostmanPushoverNotify implements Postman_Notify {
 
     public function send_message($message)
diff --git a/Postman/notifications/PostmanSlackNotify.php b/Postman/notifications/PostmanSlackNotify.php
index 41094ed..5b6fae3 100644
--- a/Postman/notifications/PostmanSlackNotify.php
+++ b/Postman/notifications/PostmanSlackNotify.php
@@ -1,5 +1,7 @@
 <?php
-
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 class PostmanSlackNotify implements Postman_Notify {
 
     public function send_message($message)
diff --git a/postman-smtp.php b/postman-smtp.php
index 4f4f706..effa6a8 100644
--- a/postman-smtp.php
+++ b/postman-smtp.php
@@ -1,4 +1,7 @@
 <?php
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
 /*
  * Plugin Name: Post SMTP
  * Plugin URI: https://wordpress.org/plugins/post-smtp/
diff --git a/script/postman.js b/script/postman.js
index edd33ac..696414a 100644
--- a/script/postman.js
+++ b/script/postman.js
@@ -1,6 +1,15 @@
 jQuery(document).ready(function($) {
 	$( ".email-log-date" ).datepicker();
 
+	$('.post-smtp-reset-options').on('submit', function(e) {
+		var result = confirm('Are you sure?');
+
+		if ( ! result ) {
+			e.preventDefault();
+			return false;
+		}
+	});
+
 	$('.notice-dismiss.postman-release-message').on('click', function() {
 		var $this = $(this);
 		var args = {
-- 
cgit v1.2.3