Diffstat (limited to 'Postman/Postman-Configuration/PostmanConfigurationController.php')
-rw-r--r--Postman/Postman-Configuration/PostmanConfigurationController.php21
1 files changed, 21 insertions, 0 deletions
diff --git a/Postman/Postman-Configuration/PostmanConfigurationController.php b/Postman/Postman-Configuration/PostmanConfigurationController.php
index a81605a..4cade58 100644
--- a/Postman/Postman-Configuration/PostmanConfigurationController.php
+++ b/Postman/Postman-Configuration/PostmanConfigurationController.php
@@ -1,4 +1,8 @@
<?php
+if ( ! defined( 'ABSPATH' ) ) {
+ exit; // Exit if accessed directly
+}
+
require_once( 'PostmanRegisterConfigurationSettings.php' );
class PostmanConfigurationController {
const CONFIGURATION_SLUG = 'postman/configuration';
@@ -207,6 +211,9 @@ class PostmanConfigurationController {
print '</ul>';
print '<form method="post" action="options.php">';
+
+ wp_nonce_field('post-smtp', 'security');
+
// This prints out all hidden setting fields
settings_fields( PostmanAdminController::SETTINGS_GROUP_NAME );
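Review bot: `wp_nonce_field('post-smtp', 'security');` uses the default `$referer = true`, so it prints a second `_wp_http_referer` hidden input alongside the one `settings_fields()` emits just below; passing `false` as the third argument avoids the duplicate: `wp_nonce_field( 'post-smtp', 'security', false );`. The same call is added in the hunk at -441, and if both forms can render on one page the two inputs would also share `id="security"`, which these hunks do not let me confirm. options.php verifies the nonce from `settings_fields()`, not this field, so the field presumably exists for the Ajax handlers patched further down. A comment would make that clear, for example `// Nonce for the configuration Ajax handlers; options.php verifies its own.`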
@@ -441,6 +448,8 @@ class PostmanConfigurationController {
printf( '<input type="hidden" id="input_%2$s" name="%1$s[%2$s]" value="%3$s" />', PostmanOptions::POSTMAN_OPTIONS, PostmanOptions::STEALTH_MODE, $this->options->isStealthModeEnabled() );
printf( '<input type="hidden" id="input_%2$s" name="%1$s[%2$s]" value="%3$s" />', PostmanOptions::POSTMAN_OPTIONS, PostmanOptions::TEMPORARY_DIRECTORY, $this->options->getTempDirectory() );
+ wp_nonce_field('post-smtp', 'security' );
+
// display the setting text
settings_fields( PostmanAdminController::SETTINGS_GROUP_NAME );
@@ -622,6 +631,9 @@ class PostmanGetHostnameByEmailAjaxController extends PostmanAbstractAjaxHandler
* This Ajax function retrieves the smtp hostname for a give e-mail address
*/
function getAjaxHostnameByEmail() {
+
+ check_admin_referer('post-smtp', 'security');
+
$goDaddyHostDetected = $this->getBooleanRequestParameter( 'go_daddy' );
$email = $this->getRequestParameter( 'email' );
$d = new PostmanSmtpDiscovery( $email );
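Review bot: The added `check_admin_referer('post-smtp', 'security');` only proves the request carries a valid nonce; it is not an authorization check, and no `current_user_can()` call is visible here or in the three other handlers that receive the same line (getManualConfigurationViaAjax, getWizardConfigurationViaAjax, getConfigurationFromExternalPluginViaAjax). If these are registered as `wp_ajax_` actions they are reachable by any logged-in account, so each should also check the capability that guards the settings screen, e.g. `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( null, 403 ); }`, with `manage_options` standing in for the plugin's own capability. For Ajax endpoints the matching helper is `check_ajax_referer( 'post-smtp', 'security' );`, which is the function WordPress provides for verifying Ajax requests. The function bodies continue outside the hunks, so a capability check may already exist in code not shown.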
@@ -656,6 +668,9 @@ class PostmanManageConfigurationAjaxHandler extends PostmanAbstractAjaxHandler {
* @throws Exception
*/
function getManualConfigurationViaAjax() {
+
+ check_admin_referer('post-smtp', 'security');
+
$queryTransportType = $this->getTransportTypeFromRequest();
$queryAuthType = $this->getAuthenticationTypeFromRequest();
$queryHostname = $this->getHostnameFromRequest();
@@ -686,6 +701,9 @@ class PostmanManageConfigurationAjaxHandler extends PostmanAbstractAjaxHandler {
* The UI response is built so the user may choose a different socket with different options.
*/
function getWizardConfigurationViaAjax() {
+
+ check_admin_referer('post-smtp', 'security');
+
$this->logger->debug( 'in getWizardConfiguration' );
$originalSmtpServer = $this->getRequestParameter( 'original_smtp_server' );
$queryHostData = $this->getHostDataFromRequest();
@@ -895,6 +913,9 @@ class PostmanImportConfigurationAjaxController extends PostmanAbstractAjaxHandle
* and pushes them into the Postman configuration screen.
*/
function getConfigurationFromExternalPluginViaAjax() {
+
+ check_admin_referer('post-smtp', 'security');
+
$importableConfiguration = new PostmanImportableConfiguration();
$plugin = $this->getRequestParameter( 'plugin' );
$this->logger->debug( 'Looking for config=' . $plugin );