Multisite-Ultimate · superdav42 · Apr 22, 2025 · Apr 18, 2025
diff --git a/inc/admin-pages/class-checkout-form-edit-admin-page.php b/inc/admin-pages/class-checkout-form-edit-admin-page.php
@@ -1518,11 +1518,16 @@ public function get_object() {
 	 */
 	public function handle_save() {
 
-		if ( ! wu_request('restrict_by_country') || empty($_POST['allowed_countries'])) {
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in parent::handle_save()
+		if ( ! wu_request('restrict_by_country') || (isset($_POST['allowed_countries']) && empty($_POST['allowed_countries']))) {
 			$_POST['allowed_countries'] = [];
 		}
 
-		$_POST['settings'] = json_decode(stripslashes((string) $_POST['_settings']), true);
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in parent::handle_save()
+		if (isset($_POST['_settings'])) {
+			// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- We're using json_decode which handles sanitization
+			$_POST['settings'] = json_decode(wp_unslash((string) $_POST['_settings']), true);
+		}
 
 		/**
 		 * Prevent parents redirect to perform additional checks to destroy session.

diff --git a/inc/admin-pages/class-domain-edit-admin-page.php b/inc/admin-pages/class-domain-edit-admin-page.php
@@ -191,6 +191,7 @@ public function domain_extra_delete_fields($fields, $domain) {
 	 */
 	public function domain_after_delete_actions($domain): void {
 
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in the form handler
 		$new_primary_domain_name = wu_request('set_domain_as_primary');
 
 		$new_primary_domain = wu_get_domain($new_primary_domain_name);
@@ -550,14 +551,17 @@ public function has_title(): bool {
 	 */
 	public function handle_save(): void {
 
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in parent::handle_save()
 		if ( ! wu_request('primary_domain')) {
 			$_POST['primary_domain'] = false;
 		}
 
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in parent::handle_save()
 		if ( ! wu_request('active')) {
 			$_POST['active'] = false;
 		}
 
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in parent::handle_save()
 		if ( ! wu_request('secure')) {
 			$_POST['secure'] = false;
 		}

diff --git a/inc/admin-pages/class-site-edit-admin-page.php b/inc/admin-pages/class-site-edit-admin-page.php
@@ -125,7 +125,7 @@ public function register_forms(): void {
 
 		add_filter(
 			'wu_data_json_success_delete_site_modal',
-			fn($data_json) => [
+			fn($unused_data_json) => [
 				'redirect_url' => wu_network_admin_url('wp-ultimo-sites', ['deleted' => 1]),
 			]
 		);
@@ -141,6 +141,7 @@ public function register_forms(): void {
 	 */
 	public function add_new_site_template_warning_message(): void {
 
+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Just checking if we need to show a message
 		if (wu_request('wu-new-model')) {
 			if ( ! $this->get_object() || $this->get_object()->get_type() !== Site_Type::SITE_TEMPLATE) {
 				return;
@@ -180,7 +181,7 @@ public function add_new_site_template_warning_message(): void {
 	 * @since 2.0.0
 	 * @return void
 	 */
-	function render_transfer_site_modal(): void {
+	public function render_transfer_site_modal(): void {
 
 		$site = wu_get_site(wu_request('id'));
 
@@ -249,8 +250,10 @@ public function handle_transfer_site_modal(): void {
 
 		global $wpdb;
 
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in the form handler
 		$site = wu_get_site(wu_request('id'));
 
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in the form handler
 		$target_membership = wu_get_membership(wu_request('target_membership_id'));
 
 		if ( ! $site) {
@@ -580,7 +583,6 @@ public function register_widgets(): void {
 					'scraper'           => [
 						'type'    => 'submit',
 						'title'   => __('Take Screenshot', 'wp-multisite-waas'),
-						'title'   => __('Take Screenshot', 'wp-multisite-waas'),
 						'classes' => 'button wu-w-full',
 					],
 				],
@@ -724,6 +726,7 @@ public function get_object() {
 			return $this->object;
 		}
 
+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Just getting the object ID from the URL
 		$item_id = wu_request('id', 0);
 
 		$item = wu_get_site($item_id);
@@ -757,9 +760,11 @@ public function has_title(): bool {
 	 */
 	public function handle_save() {
 
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in parent::handle_save()
 		$_POST['categories'] = wu_get_isset($_POST, 'categories', []);
 
-		if ($_POST['type'] !== Site_Type::CUSTOMER_OWNED) {
+		// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verification happens in parent::handle_save()
+		if (isset($_POST['type']) && Site_Type::CUSTOMER_OWNED !== $_POST['type']) {
 			$_POST['membership_id'] = false;
 			$_POST['customer_id']   = false;
 		}

diff --git a/inc/compat/class-multiple-accounts-compat.php b/inc/compat/class-multiple-accounts-compat.php
@@ -130,9 +130,9 @@ public function fix_user_query(string $query): string {
 			 * escape the %s placeholder, which will break the query.
 			 */
 			return sprintf(
-				"SELECT u.* 
-				FROM $wpdb->users u 
-				JOIN $wpdb->usermeta m on u.id = m.user_id 
+				"SELECT u.*
+				FROM $wpdb->users u
+				JOIN $wpdb->usermeta m on u.id = m.user_id
 				WHERE m.meta_key = \"wp_%d_capabilities\"
 				AND u.user_email%s",
 				$site_id,
@@ -338,14 +338,17 @@ public function handle_reset_password(): void {
 
 		// Only run in the right case
 		if (wu_request('action') === 'retrievepassword' || wu_request('wc_reset_password')) {
+			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Password reset functionality, nonce is verified elsewhere
 
 			// Only do thing if is login by email
-			if (is_email($_REQUEST['user_login'])) {
-				$user = $this->get_right_user($_REQUEST['user_login']);
-
-				$_REQUEST['user_login'] = $user->user_login;
-
-				$_POST['user_login'] = $user->user_login;
+			if (isset($_REQUEST['user_login']) && is_email($_REQUEST['user_login'])) {
+				// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.NonceVerification.Recommended -- Password reset functionality, nonce is verified elsewhere
+				$user = $this->get_right_user(sanitize_email(wp_unslash($_REQUEST['user_login'])));
+
+				if ($user) {
+					$_REQUEST['user_login'] = $user->user_login;
+					$_POST['user_login']    = $user->user_login;
+				}
 			}
 		}
 	}
@@ -479,7 +482,7 @@ protected function get_right_user($email, $password = false) {
 
 		// Loop the results and check which one is in this group
 		foreach ($users->results as $user_with_email) {
-			$conditions = false == $password ? true : wp_check_password($password, $user_with_email->user_pass, $user_with_email->ID);
+			$conditions = false === $password ? true : wp_check_password($password, $user_with_email->user_pass, $user_with_email->ID);
 
 			// Check for the pertinence of that user in this site
 			if ($conditions && $this->user_can_for_blog($user_with_email, get_current_blog_id(), 'read')) {