weDevsOfficial · sapayth · Oct 7, 2025 · Sep 30, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/includes/Admin/Admin_Tools.php b/includes/Admin/Admin_Tools.php
@@ -456,6 +456,18 @@ public function enable_json_upload( $file ) {
      */
     public function import_forms() {
         check_ajax_referer( 'wpuf_admin_tools' );
+
+        // Security: Check user has proper admin capabilities
+        if ( ! current_user_can( wpuf_admin_role() ) ) {
+            wp_send_json_error(
+                new WP_Error(
+                    'wpuf_ajax_import_forms_error',
+                    __( 'Unauthorized operation', 'wp-user-frontend' )
+                ),
+                WP_Http::FORBIDDEN
+            );
+        }
+
         if ( ! isset( $_POST['file_id'] ) ) {
             wp_send_json_error(
                 new WP_Error(

diff --git a/includes/Ajax/Admin_Form_Builder_Ajax.php b/includes/Ajax/Admin_Form_Builder_Ajax.php
@@ -186,7 +186,7 @@
                $cat .= '<div class="wpuf-mt-6 wpuf-input-container taxonomy-container" data-taxonomy="' . esc_attr( $tax->name ) . '">';
                $cat .= '<div class="wpuf-flex wpuf-items-center">';
                $cat .= '<label for="' . esc_attr( $select_id ) . '" class="wpuf-text-sm wpuf-text-gray-700 wpuf-my-2">';
                $cat .= sprintf( __( 'Default %s %s', 'wp-user-frontend' ), $post_type, $tax->label );
                $cat .= '</label></div>';

                $cat .= '<select
@@ -201,7 +201,7 @@

                if ( ! is_wp_error( $categories ) && ! empty( $categories ) ) {
                    foreach ( $categories as $category ) {
                        $selected = in_array( $category->term_id, (array) $current_value ) ? 'selected="selected"' : '';
                        $cat .= '<option value="' . esc_attr( $category->term_id ) . '" ' . $selected . '>' . esc_html( $category->name ) . '</option>';
                    }
                }
@@ -219,6 +219,13 @@
     }
 
     public function get_roles() {
+        // Security: Check nonce and user capabilities
+        check_ajax_referer( 'wpuf-form-builder' );
+
+        if ( ! current_user_can( wpuf_admin_role() ) ) {
+            wp_send_json_error( __( 'Unauthorized operation', 'wp-user-frontend' ) );
+        }
+
         $roles = wpuf_get_user_roles();
 
         $html = '<div class="wpuf-mt-6 wpuf-input-container"><div class="wpuf-flex wpuf-items-center"><label for="default_category" class="wpuf-text-sm wpuf-text-gray-700 wpuf-my-2">' . __( 'Choose who can submit post ', 'wp-user-frontend' ) . '</label></div>';

diff --git a/includes/Ajax/Frontend_Form_Ajax.php b/includes/Ajax/Frontend_Form_Ajax.php
@@ -228,6 +228,22 @@ public function submit_post() {
         // if post_id is passed, we update the post
         if ( isset( $_POST['post_id'] ) ) {
             $post_id                   = intval( wp_unslash( $_POST['post_id'] ) );
+
+            // Verify the post exists
+            $post = get_post( $post_id );
+            if ( ! $post || is_wp_error( $post ) ) {
+                wpuf()->ajax->send_error( __( 'Post not found.', 'wp-user-frontend' ) );
+            }
+
+            // Security: Check if user has permission to edit this post (Broken Access Control fix)
+            $post_author = get_post_field( 'post_author', $post_id );
+            $current_user_id = get_current_user_id();
+
+            // Allow edit if: user is post author OR user has edit_others_posts capability
+            if ( $current_user_id !== $post_author && ! current_user_can( 'edit_others_posts' ) ) {
+                wpuf()->ajax->send_error( __( 'You do not have permission to edit this post.', 'wp-user-frontend' ) );
+            }
+
             $is_update                 = true;
             $postarr['ID']             = $post_id;
             $postarr['post_date']      = isset( $_POST['post_date'] ) ? sanitize_text_field( wp_unslash( $_POST['post_date'] ) ) : '';

diff --git a/includes/Frontend/Form_Preview.php b/includes/Frontend/Form_Preview.php
@@ -29,19 +29,26 @@
    private $form_id;

    /**
     * is_preview
     *
     * @var string
     */
    private $is_preview = true;

    public function __construct() {
         if ( ! isset( $_GET['wpuf_preview'] ) && empty( $_GET['wpuf'] ) ) {
             return;
         }
-        $this->form_id = isset( $_GET['form_id'] ) ? intval( $_GET['form_id'] ) : 0;
+
+        // Security: Check user has proper capabilities before allowing preview
+        if ( ! is_user_logged_in() || ! current_user_can( wpuf_admin_role() ) ) {
+            wp_die( __( 'You do not have permission to preview this form.', 'wp-user-frontend' ), 403 );
+        }
+
+        // Security: Validate and sanitize form_id parameter
+        $this->form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;
         add_action( 'pre_get_posts', [ $this, 'pre_get_posts' ] );
         // add_filter( 'template_include', [ $this, 'template_include' ] );
         add_filter( 'the_title', [ $this, 'the_title' ] );
        add_filter( 'the_content', [ $this, 'the_content' ] );
        add_filter( 'get_the_excerpt', [ $this, 'the_content' ] );
@@ -76,19 +83,19 @@
     *
      * @return string
      */
     public function the_content( $content ) {
-        if ( $this->is_preview ) {
-            if ( ! is_user_logged_in() ) {
-                return __( 'You must be logged in to preview this form.', 'wp-user-frontend' );
-            }
-            $viewing_capability = apply_filters( 'wpuf_preview_form_cap',
-                'edit_posts' ); // at least has to be contributor
-            if ( ! current_user_can( $viewing_capability ) ) {
-                return __( 'Sorry, you are not eligible to preview this form.', 'wp-user-frontend' );
-            }
+        // Security: Double-check admin capabilities
+        if ( ! current_user_can( wpuf_admin_role() ) ) {
+            return __( 'You do not have permission to preview this form.', 'wp-user-frontend' );
+        }
+
+        // Security: Validate form_id is a valid integer to prevent injection
+        $form_id = absint( $this->form_id );
+        if ( $form_id === 0 ) {
+            return __( 'Invalid form ID.', 'wp-user-frontend' );
         }
 
-        return do_shortcode( sprintf( '[wpuf_form id="%d"]', $this->form_id ) );
+        return do_shortcode( sprintf( '[wpuf_form id="%d"]', $form_id ) );
     }
 
     /**

diff --git a/includes/Frontend_Render_Form.php b/includes/Frontend_Render_Form.php
@@ -5,7 +5,7 @@
 use WeDevs\Wpuf\Admin\Subscription;

 class Frontend_Render_Form {
    private static $_instance;

    public static $meta_key = 'wpuf_form';

@@ -39,13 +39,13 @@


    /**
     * render submit button
     *
     * @param [type] $form_id       [description]
     * @param [type] $form_settings [description]
     * @param [type] $post_id       [description]
     */
    public function submit_button( $form_id, $form_settings, $post_id = null ) { ?>

        <li class="wpuf-submit">
            <div class="wpuf-label">
@@ -84,7 +84,7 @@
    }

    /**
     * guest post field
     *
     * @param [type] $form_settings [description]
     */
@@ -118,7 +118,12 @@
      * @return void
      */
     public function preview_form() {
+        // Security: Check user has proper admin capabilities
+        if ( ! current_user_can( wpuf_admin_role() ) ) {
+            wp_send_json_error( __( 'Unauthorized operation', 'wp-user-frontend' ) );
+        }
+
         $form_id = isset( $_GET['form_id'] ) ? intval( wp_unslash( $_GET['form_id'] ) ) : 0;
 
         if ( $form_id ) {
            wp_enqueue_script( 'jquery' );
@@ -130,7 +135,7 @@
            <head>
                <meta charset="UTF-8">
                <title>__( 'Form Preview', 'wp-user-frontend' )</title>
                <link rel="stylesheet" href="<?php echo esc_url( plugins_url( 'assets/css/frontend-forms.css', __DIR__ ) ); ?>">

                <style type="text/css">
                    body {
@@ -150,7 +155,7 @@
                    }
                </style>

                <script type="text/javascript" src="<?php echo esc_url( includes_url( 'js/jquery/jquery.js' ) ); ?>"></script>
            </head>
            <body>
            <div class="container">
@@ -168,7 +173,7 @@
    }

    /**
     * render form
     *
     * @param [type] $form_id [description]
     * @param [type] $post_id [description]
@@ -323,7 +328,7 @@
                </div>
                <div >
                    <label >
                         <input type="checkbox" class="wpuf_is_featured" name="is_featured_item" value="1" <?php echo $is_featured ? 'checked' : ''; ?> >
                         <span class="wpuf-items-table-containermessage-box" id="remaining-feature-item"> <?php echo sprintf(
                            // translators: %1$s is Post type and %2$d is item
                            wp_kses_post( __( 'Mark the %1$s as featured (remaining %2$d)', 'wp-user-frontend' ) ), esc_html( $post_type ), esc_html( $featured_item ) ); ?></span>