From 5f3a9ec1e99a399ccd51bd27698cbf3d1fbff760 Mon Sep 17 00:00:00 2001
From: Champ Camba
Date: Fri, 13 Apr 2018 19:13:56 +0800
Subject: [PATCH] Add nonce in save settings

---
 includes/admin/core/class-admin-settings.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/includes/admin/core/class-admin-settings.php b/includes/admin/core/class-admin-settings.php
index 38798dce..d9b02190 100644
--- a/includes/admin/core/class-admin-settings.php
+++ b/includes/admin/core/class-admin-settings.php
@@ -1286,8 +1286,11 @@ if ( ! class_exists( 'um\admin\core\Admin_Settings' ) ) {
 );
 ?>
+

+ +

@@ -1397,7 +1400,18 @@ if ( ! class_exists( 'um\admin\core\Admin_Settings' ) ) {
 *
 */
 function save_settings_handler() {
+
+
+
 if ( isset( $_POST['um-settings-action'] ) && 'save' == $_POST['um-settings-action'] && ! empty( $_POST['um_options'] ) ) {
+
+ $nonce = $_POST['__umnonce'];
+
+ if ( ( ! wp_verify_nonce( $nonce, 'um-settings-nonce' ) || empty( $nonce ) ) || ! current_user_can('manage_options') ) {
+ // This nonce is not valid.
+ wp_die( 'Security Check' );
+ }
+
 /**
 * UM hook
 *
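Review bot: `$nonce = $_POST['__umnonce'];` reads the field unguarded, so a POST that lacks the hidden input (a form rendered before this deploy, or a hand-built request) emits an undefined-index notice before the check runs, and the trailing `empty( $nonce )` test is redundant because wp_verify_nonce() already returns false for an empty token. Fold the existence check into the read and let the verifier do the work: `$nonce = isset( $_POST['__umnonce'] ) ? $_POST['__umnonce'] : '';` followed by `if ( ! wp_verify_nonce( $nonce, 'um-settings-nonce' ) || ! current_user_can( 'manage_options' ) ) {` — or replace both lines with WordPress's own `check_admin_referer( 'um-settings-nonce', '__umnonce' );`, which performs the lookup, the verification and the wp_die() in one call and keeps the capability check as the only hand-written condition. The guard sits inside the `um-settings-action == 'save'` branch, which appears to be where the options are written, though that block continues outside the hunk. The three blank lines added at the top of save_settings_handler() are noise and should be dropped.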