Fixes

PDowney · web-flow · commit 0ab86cea7a7e · 2026-02-28T17:41:48.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+- **CSRF in admin_init**: Restored nonce verification in `admin_init()` before processing form data to prevent CSRF. The v1.5.1 removal was incorrect — without it, `$_POST` is accessed before any security check.
+- **XSS in Success Notice**: Wrapped `sprintf()` output in `esc_html()` (using `__()` instead of `esc_html__()` for the format string) to properly escape the final rendered output.
+
 ## [1.5.1] - 2026-02-23
 ### Fixed
 - **Double-Escaping in Product Dropdown**: Removed premature `esc_html()` calls in `get_products_for_dropdown()` that caused double-escaping when rendered. Escaping now occurs only at render time in `render_product_selection_field()`.
diff --git a/free-gift-bulk-coupon-generator.php b/free-gift-bulk-coupon-generator.php
@@ -117,8 +117,11 @@ public function add_admin_menu() {
 	 * Initialize admin functionality
 	 */
 	public function admin_init() {
-		// Handle form submission — nonce verified inside handle_coupon_generation().
+		// Handle form submission with nonce verification.
 		if ( isset( $_POST['scg_generate_coupons'] ) ) {
+			if ( ! isset( $_POST['scg_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['scg_nonce'] ) ), 'scg_generate_coupons_action' ) ) {
+				return;
+			}
 			$this->handle_coupon_generation();
 		}
 	}
@@ -243,10 +246,12 @@ function () {
 				'admin_notices',
 				function () use ( $generated_coupons ) {
 					echo '<div class="notice notice-success is-dismissible"><p>' .
-						sprintf(
-							/* translators: %d: Number of coupons generated */
-							esc_html__( 'Successfully generated %d coupons.', 'wc-free-gift-coupons-bulk-coupons-generator' ),
-							(int) $generated_coupons
+						esc_html(
+							sprintf(
+								/* translators: %d: Number of coupons generated */
+								__( 'Successfully generated %d coupons.', 'wc-free-gift-coupons-bulk-coupons-generator' ),
+								(int) $generated_coupons
+							)
 						) .
 						 '</p></div>';
 				}
diff --git a/readme.txt b/readme.txt
@@ -108,6 +108,10 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 == Changelog ==
 
+= Unreleased =
+* **CSRF Fix**: Restored nonce verification in `admin_init()` before processing form data.
+* **XSS Fix**: Properly escaped `sprintf()` output in success notice.
+
 = 1.5.1 =
 * **Double-Escaping Fix**: Fixed product names being double-escaped in the dropdown and success notices.
 * **Rate Limiting Fix**: Validation errors no longer lock users out for 5 minutes.
