Smartling · vsolovei-smartling · Jun 5, 2026 · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
diff --git a/inc/Smartling/Bootstrap.php b/inc/Smartling/Bootstrap.php
@@ -181,6 +181,12 @@ private function initRoles(): void
     #[NoReturn]
     public function updateGlobalExpertSettings(): void
     {
+        check_ajax_referer('smartling_expert_global_settings', '_wpnonce');
+        if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP)) {
+            wp_send_json(['error' => 'Insufficient permissions'], 403);
+            return;
+        }
+
         $data = $_POST['params'];
 
         $rawPageSize = (int)$data['pageSize'];

diff --git a/inc/Smartling/ContentTypes/CustomPostType.php b/inc/Smartling/ContentTypes/CustomPostType.php
@@ -95,6 +95,7 @@ protected function registerJobWidget(): void
             ->addArgument($di->getDefinition('site.helper'))
             ->addArgument($di->getDefinition('manager.submission'))
             ->addArgument($di->getDefinition('site.cache'))
+            ->addArgument($di->getDefinition('wp.proxy'))
             ->addMethodCall('setServedContentType', [$this->getSystemName()]);
         $di->get($tag)->register();
     }

diff --git a/inc/Smartling/ContentTypes/CustomTaxonomyType.php b/inc/Smartling/ContentTypes/CustomTaxonomyType.php
@@ -95,6 +95,7 @@ protected function registerJobWidget()
             ->addArgument($di->getDefinition('site.helper'))
             ->addArgument($di->getDefinition('manager.submission'))
             ->addArgument($di->getDefinition('site.cache'))
+            ->addArgument($di->getDefinition('wp.proxy'))
             ->addMethodCall('setServedContentType', [static::getSystemName()])
             ->addMethodCall('setBaseType', ['taxonomy']);
         $di->get($tag)->register();

diff --git a/inc/Smartling/Helpers/UiMessageHelper.php b/inc/Smartling/Helpers/UiMessageHelper.php
@@ -9,10 +9,17 @@ class UiMessageHelper
 
     public static function dismissMessage(): void
     {
+        check_ajax_referer(self::DISMISS_MESSAGE_ACTION, '_wpnonce');
+        if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_MENU_CAP)) {
+            wp_send_json_error(['message' => 'Insufficient permissions'], 403);
+            return;
+        }
         $cache = self::getCache();
-        if (array_key_exists('hash', $_GET)) {
-            $cache->set(self::CACHE_KEY_PREFIX . $_GET['hash'], true, 60 * 60 * 180);
+        $hash = isset($_POST['hash']) ? sanitize_text_field(wp_unslash($_POST['hash'])) : '';
+        if ($hash !== '') {
+            $cache->set(self::CACHE_KEY_PREFIX . $hash, true, 60 * 60 * 180);
         }
+        wp_send_json_success();
     }
 
     public static function displayMessages(): void
@@ -55,8 +62,9 @@ private static function getClickHandler(string $string): string
     {
         $action = self::DISMISS_MESSAGE_ACTION;
         $hash = self::getCacheHash($string);
+        $nonce = wp_create_nonce(self::DISMISS_MESSAGE_ACTION);
         return <<<JS
-jQuery.post(ajaxurl + '?action=$action&hash=$hash');
+jQuery.post(ajaxurl + '?action=$action', {hash: '$hash', _wpnonce: '$nonce'});
 this.parentNode.parentNode.style.display='none';
 return false;
 JS;

diff --git a/inc/Smartling/Services/ContentRelationsHandler.php b/inc/Smartling/Services/ContentRelationsHandler.php
@@ -5,6 +5,8 @@
 use Exception;
 use Smartling\Exception\SmartlingHumanReadableException;
 use Smartling\Helpers\LoggerSafeTrait;
+use Smartling\Helpers\SmartlingUserCapabilities;
+use Smartling\Helpers\WordpressFunctionProxyHelper;
 use Smartling\Models\UserCloneRequest;
 use Smartling\Models\UserTranslationRequest;
 
@@ -44,7 +46,8 @@ class ContentRelationsHandler extends BaseAjaxServiceAbstract
     public const FORM_ACTION_UPLOAD = 'upload';
 
     private ContentRelationsDiscoveryService $service;
-    public function __construct(ContentRelationsDiscoveryService $service)
+
+    public function __construct(ContentRelationsDiscoveryService $service, private WordpressFunctionProxyHelper $wpProxy)
     {
         parent::__construct($_GET);
         $this->service = $service;
@@ -78,6 +81,12 @@ public function register(): void
      */
     public function createSubmissionsHandler(array $data = null): void
     {
+        $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+        if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->returnError('permission.denied', 'Insufficient permissions', 403);
+            return;
+        }
+
         if ($data === null) {
             $data = $_POST;
         }
@@ -95,6 +104,12 @@ public function createSubmissionsHandler(array $data = null): void
 
     public function actionHandler(): void
     {
+        $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+        if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->returnError('permission.denied', 'Insufficient permissions', 403);
+            return;
+        }
+
         $data = $_GET;
         $data['targetBlogIds'] = $this->convertTargetBlogIds($data['targetBlogIds']);
         try {

diff --git a/inc/Smartling/WP/Controller/CheckStatusController.php b/inc/Smartling/WP/Controller/CheckStatusController.php
@@ -21,6 +21,9 @@ public function wp_enqueue()
         wp_enqueue_script($this->pluginInfo->getName() . "submission", $this->pluginInfo
                 ->getUrl() . 'js/smartling-submissions-check.js', ['jquery'], $this->pluginInfo
             ->getVersion(), false);
+        wp_localize_script($this->pluginInfo->getName() . "submission", 'smartlingCheckStatus', [
+            'nonce' => wp_create_nonce('smartling_check_status'),
+        ]);
     }
 
     public function register(): void
@@ -36,6 +39,12 @@ public function register(): void
      */
     public function ajaxHandler()
     {
+        check_ajax_referer('smartling_check_status', '_wpnonce');
+        if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            wp_send_json(['error' => 'Insufficient permissions'], 403);
+            return false;
+        }
+
         if ($_REQUEST["action"] === "ajax_submissions_update_status") {
 
             $items = $this->checkItems($_REQUEST["ids"]);

diff --git a/inc/Smartling/WP/Controller/ConfigurationProfileFormController.php b/inc/Smartling/WP/Controller/ConfigurationProfileFormController.php
@@ -31,6 +31,9 @@ public function wp_enqueue(): void
         foreach ($jsFiles as $jFile) {
             wp_enqueue_script($jFile, $jFile, ['jquery'], $ver, false);
         }
+        wp_localize_script($jsPath . 'configuration-profile-form.js', 'smartlingProfileForm', [
+            'expertSettingsNonce' => wp_create_nonce('smartling_expert_global_settings'),
+        ]);
     }
 
     public function register(): void
@@ -47,6 +50,12 @@ public function register(): void
 
     public function initTestConnectionEndpoint(): void
     {
+        check_ajax_referer('smartling_test_connection', '_wpnonce');
+        if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP)) {
+            wp_send_json(['status' => 403, 'message' => 'Insufficient permissions'], 403);
+            return;
+        }
+
         $data =& $_POST;
 
         $result = [

diff --git a/inc/Smartling/WP/Controller/ConfigurationProfilesController.php b/inc/Smartling/WP/Controller/ConfigurationProfilesController.php
@@ -52,6 +52,9 @@ public function wp_enqueue(): void
             $this->pluginInfo->getVersion(),
             false
         );
+        wp_localize_script($this->pluginInfo->getName() . 'settings', 'smartlingConnector', [
+            'nonce' => wp_create_nonce('smartling_connector_ajax'),
+        ]);
         wp_enqueue_script(
             $this->pluginInfo->getName() . 'settings-admin-footer',
             $this->pluginInfo->getUrl() . 'js/smartling-connector-gutenberg-lock-attributes.js',

diff --git a/inc/Smartling/WP/Controller/ContentEditJobController.php b/inc/Smartling/WP/Controller/ContentEditJobController.php
@@ -4,22 +4,44 @@
 
 use DateTimeZone;
 use Exception;
+use Smartling\ApiWrapperInterface;
 use Smartling\Bootstrap;
+use Smartling\DbAl\LocalizationPluginProxyInterface;
 use Smartling\Exceptions\SmartlingApiException;
 use Smartling\Helpers\ArrayHelper;
+use Smartling\Helpers\Cache;
 use Smartling\Helpers\DateTimeHelper;
 use Smartling\Helpers\DiagnosticsHelper;
 use Smartling\Helpers\HtmlTagGeneratorHelper;
+use Smartling\Helpers\PluginInfo;
 use Smartling\Helpers\SiteHelper;
 use Smartling\Helpers\SmartlingUserCapabilities;
+use Smartling\Helpers\WordpressFunctionProxyHelper;
 use Smartling\Settings\SettingsManager;
+use Smartling\Submissions\SubmissionManager;
 use Smartling\Vendor\Smartling\Jobs\JobStatus;
 use Smartling\WP\WPAbstract;
 use Smartling\WP\WPHookInterface;
 
 class ContentEditJobController extends WPAbstract implements WPHookInterface
 {
     public const SMARTLING_JOB_API_PROXY = 'smartling_job_api_proxy';
+
+    private WordpressFunctionProxyHelper $wpProxy;
+
+    public function __construct(
+        ApiWrapperInterface $api,
+        LocalizationPluginProxyInterface $localizationPluginProxy,
+        PluginInfo $pluginInfo,
+        SettingsManager $settingsManager,
+        SiteHelper $siteHelper,
+        SubmissionManager $submissionManager,
+        Cache $cache,
+        WordpressFunctionProxyHelper $wpProxy,
+    ) {
+        parent::__construct($api, $localizationPluginProxy, $pluginInfo, $settingsManager, $siteHelper, $submissionManager, $cache);
+        $this->wpProxy = $wpProxy;
+    }
     /**
      * @var string
      */
@@ -65,6 +87,12 @@ public function setServedContentType($servedContentType)
     public function initJobApiProxy(): void
     {
         add_action('wp_ajax_' . self::SMARTLING_JOB_API_PROXY, function () {
+            $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+            if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+                $this->wpProxy->wp_send_json(['status' => 403, 'message' => 'Insufficient permissions'], 403);
+                return;
+            }
+
             $data =& $_POST;
 
             $result = [

diff --git a/inc/Smartling/WP/Controller/InstantTranslationController.php b/inc/Smartling/WP/Controller/InstantTranslationController.php
@@ -6,6 +6,7 @@
 use Smartling\Helpers\DateTimeHelper;
 use Smartling\Helpers\FileUriHelper;
 use Smartling\Helpers\LoggerSafeTrait;
+use Smartling\Helpers\SmartlingUserCapabilities;
 use Smartling\Helpers\WordpressFunctionProxyHelper;
 use Smartling\Submissions\SubmissionEntity;
 use Smartling\Submissions\SubmissionFactory;
@@ -36,7 +37,12 @@ public function register(): void
 
     public function handleRequestTranslation(): void
     {
-        $this->wpProxy->check_ajax_referer('smartling_instant_translation', '_wpnonce');
+        $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+
+        if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->wpProxy->wp_send_json_error(['message' => 'Insufficient permissions'], 403);
+            return;
+        }
 
         try {
             $contentType = $this->wpProxy->sanitize_text_field($this->wpProxy->wp_unslash($_POST['contentType'] ?? ''));
@@ -133,7 +139,12 @@ public function handleRequestTranslation(): void
 
     public function handlePollStatus(): void
     {
-        $this->wpProxy->check_ajax_referer('smartling_instant_translation', '_wpnonce');
+        $this->wpProxy->check_ajax_referer('smartling_translation', '_wpnonce');
+
+        if (!$this->wpProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            $this->wpProxy->wp_send_json_error(['message' => 'Insufficient permissions'], 403);
+            return;
+        }
 
         try {
             $submissionId = (int)($_POST['submissionId'] ?? 0);

diff --git a/inc/Smartling/WP/Controller/LiveNotificationController.php b/inc/Smartling/WP/Controller/LiveNotificationController.php
@@ -8,6 +8,7 @@
 use Smartling\Helpers\DiagnosticsHelper;
 use Smartling\Helpers\LoggerSafeTrait;
 use Smartling\Helpers\PluginInfo;
+use Smartling\Helpers\SmartlingUserCapabilities;
 use Smartling\Models\NotificationParameters;
 use Smartling\Settings\SettingsManager;
 use Smartling\Submissions\SubmissionEntity;
@@ -98,11 +99,13 @@ public function placeJsConfig(): void
 
         $wrapperClassName = static::UI_NOTIFICATION_IDENTIFIER_CLASS;
         $wrapperClassNameGeneral = static::UI_NOTIFICATION_IDENTIFIER_CLASS_GENERAL;
+        $deleteNonce = wp_create_nonce(self::DELETE_NOTIFICATION_ACTION_NAME);
 
         echo <<<EOF
 <script>
     var firebaseConfig = $configs;
     var deleteNotificationEndpoint = "$deleteEndpoint";
+    var deleteNotificationNonce = "$deleteNonce";
     var firebaseIds = $firebaseIds;
     var notificationClassName = "$wrapperClassName";
     var notificationClassNameGeneral = "$wrapperClassNameGeneral";
@@ -113,6 +116,12 @@ public function placeJsConfig(): void
 
     public function deleteNotificationAjaxHandler(): void
     {
+        check_ajax_referer(self::DELETE_NOTIFICATION_ACTION_NAME, '_wpnonce');
+        if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            wp_send_json(['code' => 'error', 'message' => 'Insufficient permissions'], 403);
+            return;
+        }
+
         $data = $_POST;
 
         $projectId = $data['project_id'];

diff --git a/inc/Smartling/WP/Controller/PostBasedWidgetControllerStd.php b/inc/Smartling/WP/Controller/PostBasedWidgetControllerStd.php
@@ -25,6 +25,7 @@ class PostBasedWidgetControllerStd extends WPAbstract implements WPHookInterface
     private const WIDGET_NAME = 'smartling_connector_widget';
     public const WIDGET_DATA_NAME = 'smartling';
     private const CONNECTOR_NONCE = 'smartling_connector_nonce';
+    private const AJAX_NONCE_ACTION = 'smartling_connector_ajax';
 
     protected string $servedContentType = 'undefined';
     protected string $needSave = 'Need to have title';
@@ -115,6 +116,12 @@ public function setNoOriginalFound($noOriginalFound)
 
     public function ajaxDownloadHandler(): void
     {
+        check_ajax_referer(self::AJAX_NONCE_ACTION, '_wpnonce');
+        if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            wp_send_json(['status' => self::RESPONSE_AJAX_STATUS_FAIL, 'message' => 'Insufficient permissions'], 403);
+            return;
+        }
+
         $logSubmissions = [];
         $result = ['status' => self::RESPONSE_AJAX_STATUS_SUCCESS];
         $submissions = [];
@@ -175,6 +182,12 @@ private function validateTargetBlog($blogId)
 
     public function ajaxUploadHandler()
     {
+        check_ajax_referer(self::AJAX_NONCE_ACTION, '_wpnonce');
+        if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_WIDGET_CAP)) {
+            wp_send_json(['status' => self::RESPONSE_AJAX_STATUS_FAIL, 'message' => 'Insufficient permissions'], 403);
+            return;
+        }
+
         $result = [];
 
         $data = &$_POST;

diff --git a/inc/Smartling/WP/Controller/TaxonomyLinksController.php b/inc/Smartling/WP/Controller/TaxonomyLinksController.php
@@ -19,6 +19,8 @@
 
 class TaxonomyLinksController extends WPAbstract implements WPHookInterface
 {
+    private const NONCE_ACTION = 'smartling_link_taxonomies';
+
     public function __construct(
         protected ApiWrapperInterface $api,
         PluginInfo $pluginInfo,
@@ -150,11 +152,17 @@ private function getMappedTerms()
 
     public function linkTaxonomies($data)
     {
+        $this->wordpressProxy->check_ajax_referer(self::NONCE_ACTION, '_wpnonce');
+        if (!$this->wordpressProxy->current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_MENU_CAP)) {
+            $this->wordpressProxy->wp_send_json_error(['message' => 'Insufficient permissions'], 403);
+            return;
+        }
+
         if ($data === "") {
             $data = $_POST;
         }
         if (!isset($data['sourceBlogId'], $data['sourceId'], $data['taxonomy'])) {
-            wp_send_json_error('Required parameter missing');
+            $this->wordpressProxy->wp_send_json_error('Required parameter missing');
         }
         $sourceBlogId = (int)$data['sourceBlogId'];
         $sourceId = (int)$data['sourceId'];
@@ -202,13 +210,13 @@ public function linkTaxonomies($data)
         }
         $submissions = array_merge($submissionsToAdd, $submissionsToUpdate);
         if (count(array_merge($submissions, $submissionsToDelete)) === 0) {
-            wp_send_json_error('No changes');
+            $this->wordpressProxy->wp_send_json_error('No changes');
         }
         $this->submissionManager->storeSubmissions($submissions);
         foreach ($submissionsToDelete as $submission) {
             $this->submissionManager->delete($submission);
         }
-        wp_send_json(['success' => true, 'submissions' => $this->getSubmissions()]);
+        $this->wordpressProxy->wp_send_json(['success' => true, 'submissions' => $this->getSubmissions()]);
     }
 
     /**

diff --git a/inc/Smartling/WP/Controller/TestRunController.php b/inc/Smartling/WP/Controller/TestRunController.php
@@ -152,6 +152,12 @@ public function getBlogs(): array
 
     public function testRun($data): void
     {
+        check_ajax_referer('smartling_test_run', '_wpnonce');
+        if (!current_user_can(SmartlingUserCapabilities::SMARTLING_CAPABILITY_PROFILE_CAP)) {
+            wp_send_json_error(['message' => 'Insufficient permissions'], 403);
+            return;
+        }
+
         if ($data === "") {
             $data = $_POST;
         }