Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 17, 2026

CVE-2026-40796: WPPizza – A Restaurant Plugin <= 3.19.9 – Authenticated (Subscriber+) Information Exposure (wppizza)

Plugin: wppizza
Severity: Medium (CVSS 4.3)
CWE: 200
Vulnerable Version: 3.19.9
Patched Version: 3.20
Disclosed: April 28, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-40796: This is an Information Exposure vulnerability in the WPPizza – A Restaurant Plugin for WordPress, affecting versions up to and including 3.19.9. Authenticated attackers with Subscriber-level access or higher can extract sensitive user or configuration data via AJAX handlers that lacked proper authorization checks.

Root Cause: The vulnerability stems from missing capability checks in multiple AJAX action handlers within the file `wppizza/ajax/ajax.wppizza.php`. Specifically, the actions `admin-delete-order`, `admin-order-history`, `admin-view-order`, and `admin-change-status` did not verify that the authenticated user possessed the required `wppizza_cap_orderhistory` or `wppizza_cap_delete_order` capabilities. Additionally, the `admin-delete-order` action lacked a check for `wppizza_cap_delete_order` before processing the deletion. The code diff shows that all capability checks were previously absent and were added in the patched version between lines 69-100 of `ajax.wppizza.php`. The file `wppizza/ajax/admin.ajax.wppizza.php` also lacked an `ABSPATH` check, allowing direct script access.

Exploitation: An authenticated attacker with Subscriber-level privileges can send a POST request to the WordPress AJAX endpoint (`/wp-admin/admin-ajax.php`) with the `action` parameter set to a WPPizza-specific handler, and the `vars[type]` parameter set to one of the vulnerable actions such as `admin-order-history` or `admin-view-order`. The attacker does not need to provide a valid nonce or any special capability. The request is processed, and sensitive order data (potentially including customer details, order items, and configuration) is returned in the response. The AJAX handler in the vulnerable version executes without checking the user’s permissions, exposing information that should be restricted to administrators or users with specific order management roles.

Patch Analysis: The patch adds comprehensive capability checks before executing each sensitive AJAX action. In `ajax.wppizza.php`, a new block (lines 69-100) checks if the user is logged in and possesses `wppizza_cap_orderhistory` for order-related actions. A separate check for `wppizza_cap_delete_order` is added for `admin-delete-order`. Additionally, an `ABSPATH` check was added to both AJAX bootstrap files to prevent direct script execution. The patch also adds a check to ensure the saving of options via `admin_options_validate` requires the appropriate capability, and various output escaping functions (e.g., `esc_html`, `wp_kses_post`) were added to prevent other potential issues.
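As an added example that is not part of this analysis or of the WPPizza plugin, the following gate shows the pattern the patch retrofits, written against the WordPress capability API, with an explicit 403 on denial and the authorisation decision separated from the AJAX transport so it can be unit-tested. The `example_*` function names and the `example_orders` AJAX action are hypothetical; the four `vars[type]` values, the two `wppizza_cap_*` capabilities and the `WPPIZZA_PREFIX . '_ajax_nonce'` nonce action are the ones named above and in the diff.

```php
<?php
// Added example, not WPPizza code: hardened gate for an admin-ajax dispatcher that
// routes on $_POST['vars']['type']. The example_* names are hypothetical; the four
// action types and the two wppizza_cap_* capabilities are those from the analysis.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // a direct request to this file runs no code at all
}

/**
 * Sensitive sub-actions and the capability each one requires.
 * Anything not in this list is refused before any handler runs (fail closed).
 */
function example_orders_ajax_capability_map() {
    return array(
        'admin-order-history' => 'wppizza_cap_orderhistory',
        'admin-view-order'    => 'wppizza_cap_orderhistory',
        'admin-change-status' => 'wppizza_cap_orderhistory',
        'admin-delete-order'  => 'wppizza_cap_delete_order',
    );
}

/**
 * Authorisation decision with no transport side effects.
 *
 * @param array  $vars         The posted vars[] array, already unslashed.
 * @param string $nonce_action Nonce action the admin footer field was created with.
 * @param int    $user_id      Current user id (0 when not logged in).
 * @return WP_Error|null       null when allowed, otherwise an error carrying an HTTP status.
 */
function example_orders_ajax_authorize( array $vars, $nonce_action, $user_id ) {
    $map   = example_orders_ajax_capability_map();
    $type  = isset( $vars['type'] ) ? sanitize_key( $vars['type'] ) : '';
    $nonce = isset( $vars['nonce'] ) ? (string) $vars['nonce'] : '';

    if ( ! isset( $map[ $type ] ) ) {
        return new WP_Error( 'unknown_action', 'Unknown action.', array( 'status' => 400 ) );
    }
    // Nonce first: a missing or stale token ends the request before any data is touched.
    if ( '' === $nonce || ! wp_verify_nonce( $nonce, $nonce_action ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid nonce.', array( 'status' => 403 ) );
    }
    // Capability via the WordPress API (honours user_has_cap / map_meta_cap filters),
    // not by reading $current_user->allcaps directly.
    if ( ! $user_id || ! user_can( $user_id, $map[ $type ] ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    // Actions that modify an order must name one; refuse instead of reaching the handler.
    $needs_key = array( 'admin-change-status', 'admin-delete-order' );
    if ( in_array( $type, $needs_key, true ) && empty( $vars['uoKey'] ) ) {
        return new WP_Error( 'missing_key', 'No order specified.', array( 'status' => 400 ) );
    }
    return null;
}

/**
 * admin-ajax.php entry point. Registered only on wp_ajax_ (logged-in users), not on
 * wp_ajax_nopriv_, so anonymous requests never reach the dispatcher at all.
 */
function example_orders_ajax_handler() {
    $vars = ( isset( $_POST['vars'] ) && is_array( $_POST['vars'] ) ) ? wp_unslash( $_POST['vars'] ) : array();
    $type = isset( $vars['type'] ) ? sanitize_key( $vars['type'] ) : '';

    $error = example_orders_ajax_authorize( $vars, WPPIZZA_PREFIX . '_ajax_nonce', get_current_user_id() );
    if ( is_wp_error( $error ) ) {
        $data = $error->get_error_data();
        // Denials are logged with user, type and reason so repeated probing shows up in
        // monitoring; the real HTTP status (not 200) lets access-log and WAF rules see them too.
        error_log( sprintf( 'orders ajax denied: user=%d type=%s reason=%s',
            get_current_user_id(), $type, $error->get_error_code() ) );
        wp_send_json_error( array( 'message' => $error->get_error_message() ), $data['status'] );
    }

    // Authorised: hand off to the per-type handler, which sends its own JSON response.
    do_action( 'example_orders_ajax_dispatch', $type, $vars );
    wp_die();
}
add_action( 'wp_ajax_example_orders', 'example_orders_ajax_handler' );
```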

Impact: Successful exploitation allows an authenticated attacker with Subscriber-level access to view sensitive order information, including customer names, email addresses, order contents, and potentially payment or configuration data. This information exposure could lead to privacy violations, targeted phishing attacks, or further compromise of the WordPress installation. The CVSS score of 4.3 reflects the low attack complexity and the fact that authentication is required, but the potential for data leakage is significant for a restaurant plugin handling customer orders.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/wppizza/ajax/admin.ajax.wppizza.php
+++ b/wppizza/ajax/admin.ajax.wppizza.php
@@ -1,7 +1,7 @@
 <?php
-if(!defined('DOING_AJAX') || !DOING_AJAX){
+if( !defined('DOING_AJAX') || !DOING_AJAX || !defined('ABSPATH') ){
 	header('HTTP/1.0 400 Bad Request', true, 400);
-	print"you cannot call this script directly";
+	print"You cannot call this script directly.";
   exit; //just for good measure
 }
 /**testing variables ***********************/
--- a/wppizza/ajax/ajax.wppizza.php
+++ b/wppizza/ajax/ajax.wppizza.php
@@ -2,9 +2,9 @@
 /**************************************************
 	[ajax only]
 **************************************************/
-if(!defined('DOING_AJAX') || !DOING_AJAX){
+if( !defined('DOING_AJAX') || !DOING_AJAX || !defined('ABSPATH') ){
 	header('HTTP/1.0 400 Bad Request', true, 400);
-	print"you cannot call this script directly";
+	print"You cannot call this script directly.";
   exit; //just for good measure
 }
 /**************************************************
@@ -40,23 +40,69 @@
 /**************************************************
 	[add globals to use]
 **************************************************/
-global $wppizza_options, $blog_id;
+global $wppizza_options, $blog_id, $current_user;


-/**************************************************
+/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
+*
+*
+*
+*	Nonce/Auth/Credentials/Caps checks
+*
+*
+*
+*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/***/*/*/*/*/*/*/*/*/*/*/*/*/***/*/*/*/*/*/
+
+/*-------------------------------------------------
 	[some frontend ajax calls should check the nonce too]
 	to be expanded if needs be.....
-**************************************************/
+-------------------------------------------------*/
 if(isset($_POST['vars']['type']) && in_array( $_POST['vars']['type'], array('admin-delete-order', 'admin-change-status', 'admin-view-order', 'admin-order-history') ) ){
 	$wppizza_ajax_nonce = '' . WPPIZZA_PREFIX . '_ajax_nonce';
 	if (! isset( $_POST['vars']['nonce'] ) || !wp_verify_nonce(  $_POST['vars']['nonce'] , $wppizza_ajax_nonce ) ) {
 		header('HTTP/1.0 403 Forbidden [F]', true, 403);
 		print"Forbidden [F]. Invalid Nonce.";
-		exit; //just for good measure
+		exit(); //just for good measure
 	}
 }

+/*-------------------------------------------------
+	additional auth/capability checks
+	for certain order (history) related ajax calls
+-------------------------------------------------*/
+if(isset($_POST['vars']['type']) && in_array( $_POST['vars']['type'], array('admin-delete-order', 'admin-order-history', 'admin-view-order', 'admin-change-status') ) ){
+	//logged in user only with wppizza_cap_orderhistory privileges
+	if (!is_user_logged_in() || empty($current_user->allcaps['wppizza_cap_orderhistory'])){
+		$obj = array();
+		$obj['access_prohibited'] = __('Sorry, you are not allowed to access this page.', 'default' );
+		print"".json_encode($obj)."";
+		exit();
+	}
+}
+/*-------------------------------------------------
+	Delete order needs additional credentials
+-------------------------------------------------*/
+if( isset($_POST['vars']['type']) && $_POST['vars']['type']=='admin-delete-order' && !empty($_POST['vars']['uoKey']) ){
+
+	/* missing wppizza_cap_delete_order capabilities */
+	if(!current_user_can('wppizza_cap_delete_order')){
+		$obj['update_prohibited'] = __('Error: You need order delete permissions to perform this action.', 'wppizza-admin');
+		print"".json_encode($obj)."";
+	exit();
+	}
+}

+/*-------------------------------------------------
+	saving/update disabled by constant
+	for selected actions
+-------------------------------------------------*/
+if(isset($_POST['vars']['type']) && in_array( $_POST['vars']['type'], array('admin-delete-order', 'admin-change-status') ) && !empty($_POST['vars']['uoKey']) ){
+	if(WPPIZZA_DEV_ADMIN_NO_SAVE){
+		$obj['update_prohibited'] = __('Update Prohibited', 'wppizza-admin');
+		print"".json_encode($obj)."";
+	exit();
+	}
+}

 /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
 *
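Review bot: the new `wppizza_cap_orderhistory` check at `empty($current_user->allcaps['wppizza_cap_orderhistory'])` bypasses the capability API; `$current_user` is only populated once `wp_get_current_user()` has run, and reading `allcaps` directly ignores `user_has_cap`/`map_meta_cap` filters, so use `current_user_can('wppizza_cap_orderhistory')` here, matching the `current_user_can('wppizza_cap_delete_order')` call a few lines further down in the same block. All three new denial branches answer with HTTP 200 and a JSON body while the neighbouring nonce failure sends 403; calling `status_header(403)` (or `wp_send_json_error(..., 403)`) before printing keeps denials visible in access logs and to WAF rules. The nonce check in this region is unchanged context, so a valid `vars[nonce]` was already required before the patch; the substance of the fix is the capability requirement. Lastly, `$obj` is initialised in the first new block but not in the two that follow it, which rely on implicit array creation; initialise it once before the checks.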
@@ -1061,7 +1107,7 @@
 		ini object
 	*********/
 	$obj = array();
-	$obj['button_value'] = __( 'Log In' );
+	$obj['button_value'] = __( 'Log In', 'default' );

 	/*********
 		parse posted vars
@@ -1102,7 +1148,7 @@
 		[output error if any]
 	***************************************************************/
 	if(!$valid_login){
-		$wp_error = new WP_Error('authentication_failed', __('<strong>ERROR</strong>: Invalid username or incorrect password.'));/*native wp localization*/
+		$wp_error = new WP_Error('authentication_failed', __('<strong>Error:</strong> Invalid username, email address or incorrect password.', 'default' ));
 		$obj['error'] = '<span class="' . WPPIZZA_PREFIX . '-login-error">'.$wp_error->get_error_message().'</span>';
 	}

@@ -1577,18 +1623,6 @@
 	*************************************************************************************/
 	if( isset($_POST['vars']['type']) && $_POST['vars']['type']=='admin-change-status' && !empty($_POST['vars']['uoKey']) ){

-
-		/*
-			saving disabled
-		*/
-		if(WPPIZZA_DEV_ADMIN_NO_SAVE){
-			$obj['update_prohibited'] = __('Update Prohibited', 'wppizza-admin');
-			print"".json_encode($obj)."";
-		exit();
-		}
-
-
-
 		/*
 			get unique order key and split into blog/order id
 		*/
@@ -1688,23 +1722,6 @@
 	if( isset($_POST['vars']['type']) && $_POST['vars']['type']=='admin-delete-order' && !empty($_POST['vars']['uoKey']) ){

 		/*
-			saving disabled
-		*/
-		if(WPPIZZA_DEV_ADMIN_NO_SAVE){
-			$obj['update_prohibited'] = __('Update Prohibited', 'wppizza-admin');
-			print"".json_encode($obj)."";
-		exit();
-		}
-		/*
-			missing credentials
-		*/
-		if(!current_user_can('wppizza_cap_delete_order')){
-			$obj['update_prohibited'] = __('Error: You need order delete permissions to perform this action.', 'wppizza-admin');
-			print"".json_encode($obj)."";
-		exit();
-		}
-
-		/*
 			blog_id / order id
 		*/
 		$_id = explode('_', $_POST['vars']['uoKey']);
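Review bot: the removed lines show that the vulnerable version did carry a `current_user_can('wppizza_cap_delete_order')` check inside the `admin-delete-order` handler; this hunk moves it (together with the `WPPIZZA_DEV_ADMIN_NO_SAVE` guard) into the early check block rather than adding it, so the analysis text's description of that check as absent is not borne out by the diff. Keeping a one-line `current_user_can()` check inside the handler as well would cost nothing and protects against the early block and the handler drifting apart; the two `in_array` lists in the early block already enumerate the same four types in different orders.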
@@ -1715,6 +1732,7 @@
 		/* delete from db */
 		$res = WPPIZZA()->db->delete_order($order_delete_id, $blog_id);
 		/* ajax alert */
+		/* Translators: 1: Order ID */
 		$obj['success']="".sprintf(__('Order #%s deleted', 'wppizza-admin'), $order_delete_id )."";


--- a/wppizza/classes/admin/class.wppizza.admin.helpers.php
+++ b/wppizza/classes/admin/class.wppizza.admin.helpers.php
@@ -226,8 +226,8 @@
 			'end_size'     => 3,
 			'mid_size'     => 1,
 			'prev_next'    => True,
-			'prev_text'    => __('« Previous'),
-			'next_text'    => __('Next »'),
+			'prev_text'    => __('« Previous', 'default' ),
+			'next_text'    => __('Next »', 'default' ),
 			'type'         => 'plain',
 			'add_args'     => False,
 			'add_fragment' => $add_fragment,
@@ -327,11 +327,11 @@
 		$str=str_replace(PHP_EOL,'',$str);
 		/**first convert all " to ' */
 		$str=str_replace('"',''',$str);
-		/*strip tags*/
+		/*strip tags. contrary to wp_strip_all_tags , this will leave what's between the tags*/
 		$str=strip_tags($str);
 		/*trim*/
 		$str=trim($str);
-		/*now ltes replace totally invalid things*/
+		/*now let's replace totally invalid things*/
 		$str=str_replace($charRemove,'',$str);
 		/*convert remaining namely single quotes */
 		//$str=htmlspecialchars($str,ENT_QUOTES);
--- a/wppizza/classes/admin/class.wppizza.install_update.php
+++ b/wppizza/classes/admin/class.wppizza.install_update.php
@@ -21,6 +21,7 @@
 class WPPIZZA_INSTALL_UPDATE{

 	function __construct() {
+
 		/* register plugin checking for requirements */
 		register_activation_hook( WPPIZZA_PLUGIN_INDEX, array($this, 'check_requirements'));
 		/* check if we are installing or updating */
@@ -29,7 +30,6 @@
 		add_action('admin_notices', array( $this, 'admin_nagscreens') );
 		/** admin ajax **/
 		add_action('wppizza_ajax_admin', array( $this, 'admin_nagscreens_ajax'));
-
 	}
 	/**************************************
 	*
@@ -67,7 +67,7 @@
 		/*
 			redirect after install for wppizza to show up
 		*/
-		wp_redirect(admin_url('edit.php?post_type='.WPPIZZA_POST_TYPE.'&page=order_settings'));
+		wp_safe_redirect(admin_url('edit.php?post_type='.WPPIZZA_POST_TYPE.'&page=order_settings'));
 	exit();
 	}
 	/*************************************
@@ -1066,11 +1066,12 @@
 			dismissible notices
 		*/
 		$nag_notices = array();
+
 		/*
 			install notice
 		*/
 		if(empty($wppizza_options['plugin_data']['upgrade']) && !empty($wppizza_options['plugin_data']['nag_notice'])){
-
+
 			/*
 				links and nonces
 			*/
@@ -1082,25 +1083,30 @@
 				markup
 			*/
 			$nag_notices['install'] = '';
+			/* Translators: 1: WPPizza Name as defined by constant */
 			$nag_notices['install'].='<b>'.sprintf(__('%s Installed. Thank you. ','wppizza-admin'),WPPIZZA_NAME).'</b><br/><br/>';
 			$nag_notices['install'].='<br/>';
 			$nag_notices['install'].='<b>'.__('Quick start:.','wppizza-admin').'</b><br/>';
+			/* Translators: 1: WPPizza Name as defined by constant */
 			$nag_notices['install'].='<b>'.sprintf(__('A) Go to "Appearance -> Widget" and put the "%s  widget" - setting type to "cart" - into a sidebar.','wppizza-admin'), WPPIZZA_NAME).'</b><br/>';
-			$nag_notices['install'].='<b>'.sprintf(__('B) Add the created %s pages to your menu by going to "Appearance -> Menu" (Suggestion: use "Our Menu" as parent page and add all other %s created pages as children of it)','wppizza-admin'), WPPIZZA_NAME, WPPIZZA_NAME).'</b><br/>';
+			/* Translators: 1,2: WPPizza Name as defined by constant */
+			$nag_notices['install'].='<b>'.sprintf(__('B) Add the created %1$s pages to your menu by going to "Appearance -> Menu" (Suggestion: use "Our Menu" as parent page and add all other %2$s created pages as children of it)','wppizza-admin'), WPPIZZA_NAME, WPPIZZA_NAME).'</b><br/>';
 			$nag_notices['install'].='<b>'.__('C) Go to "Settings -> General" and ensure your timezone setting is correct','wppizza-admin').'</b><br/>';
+			/* Translators: 1: WPPizza Name as defined by constant */
 			$nag_notices['install'].='<b>'.sprintf(__('D) Go to "%s -> Opening Times" and edit as appropriate.','wppizza-admin'), WPPIZZA_NAME).'</b><br/>';
 			$nag_notices['install'].='<br/>';
-			$nag_notices['install'].='<b>'.__('For more details please make sure to read the <a href="'.$pluginInfoInstallationUrl.'" target="_blank">"Installation Instructions"</a> and <a href="'.$pluginInfoFaqUrl.'" target="_blank">"FAQ"</a>','wppizza-admin').'</b>';
+			/* Translators: 1: WPPizza Install Instructions URL, 2: WPPizza FAQ's URL */
+			$nag_notices['install'].='<b>'.sprintf(__('For more details please make sure to read the <a href="%1$s" target="_blank">"Installation Instructions"</a> and <a href="%2$s" target="_blank">"FAQ"</a>','wppizza-admin'), $pluginInfoInstallationUrl, $pluginInfoFaqUrl ).'</b>';
 			$nag_notices['install'].='<br/><br/>';
 		}

 		/*output*/
 		if(!empty($nag_notices)){
 			foreach($nag_notices as $key => $nag_notice){
-				print'<div id="'.WPPIZZA_PREFIX.'_admin_notice_'.$key.'" class="notice notice-success '.WPPIZZA_PREFIX.'_admin_notice" style="padding:20px;">'.$nag_notice.'<br/><a href="javascript:void(0);" onclick="wppizza_dismiss_notice(''.$key.''); return false;" class="button-primary">'.__('Dismiss','wppizza-admin').'</a></div>';
+				print'<div id="'.esc_attr(WPPIZZA_PREFIX.'_admin_notice_'.$key).'" class="notice notice-success '.esc_attr(WPPIZZA_PREFIX.'_admin_notice').'" style="padding:20px;">'.wp_kses_post($nag_notice).'<br/><a href="javascript:void(0);" onclick="wppizza_dismiss_notice(''.esc_js($key).''); return false;" class="button-primary">'.esc_html(__('Dismiss','wppizza-admin')).'</a></div>';
 			}
 			//adding nonce
-			print $nonce;
+			print wp_kses_post($nonce);
 		}

 		/*
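Review bot: `print wp_kses_post($nonce)` will strip the nonce field if `$nonce` holds the hidden `<input>` produced by `wp_nonce_field()`, because the `post` context does not allow `<input>` (the plugin only adds `input` to its own `WPPIZZA_SLUG` context in the `wp_kses_allowed_html` filter further down), which would break the dismiss action that this nonce protects. If that is what `$nonce` contains, use `wp_kses($nonce, WPPIZZA_SLUG)` as class.wppizza.user_caps.inc.php does, or call `wp_nonce_field()` directly at this point. Passing `$key` through `esc_js()` inside the inline `onclick` is correct; a `data-key` attribute with a delegated handler would remove the inline script altogether.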
@@ -1121,11 +1127,12 @@
 			$staticFromEmail=$wppizza_options['order_settings']['order_email_from'];
 			$pos = strpos($staticFromEmail, $domain);
 			if ($pos === false) {
+				/* Translators: 1,4: WPPizza Name as defined by constant, 2,3: Domain name the plugin is installed on. */
 				$static_notices['dmarc'] = sprintf(__('<b>EMAIL DMARC POLICIES:</b><br /><br />
-					Due to policy changes by many email servers (yahoo, google hotmail - others may follow suit) it is <span style="color:red; font-weight:600">strongly advised to set a static email address in %s -> Order Settings -> "From email address"</span>, that corrosponds to your domain name.<br />
-					As your domain appears to be <b>"%s"</b> you should <span style="color:red; font-weight:600">set an email address like "abc@%s"</span><br />
+					Due to policy changes by many email servers (yahoo, google hotmail - others may follow suit) it is <span style="color:red; font-weight:600">strongly advised to set a static email address in %1$s -> Order Settings -> "From email address"</span>, that corrosponds to your domain name.<br />
+					As your domain appears to be <b>"%2$s"</b> you should <span style="color:red; font-weight:600">set an email address like "abc@%3$s"</span><br />
 					<span style="color:red; font-weight:600">If you do NOT do this, some emails might NOT get delivered to you and/or your customers</span> as they might be in violation of DMARC policies.<br /><br />
-					<b>This notice will remain until acted upon or you forcefully switch it off in %s -> Order Settings -> "Turn Off DMARC Notice" .</b><br /><br />
+					<b>This notice will remain until acted upon or you forcefully switch it off in %4$s -> Order Settings -> "Turn Off DMARC Notice" .</b><br /><br />
 					Thank you<br/>(search on your favourite searchengine for "DMARC" if you would like to find out more.)','wppizza-admin'), WPPIZZA_NAME, $domain, $domain, WPPIZZA_NAME );
 			}
 		}
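Review bot: the user-facing string edited here still reads "corrosponds" (for "corresponds") on the added line, and keeps the stray space in `"Turn Off DMARC Notice" .`; since the placeholders are being renumbered and translators will have to redo this string anyway, fixing both in the same change avoids a second round of translation churn.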
@@ -1133,7 +1140,7 @@
 		/*output*/
 		if(!empty($static_notices)){
 			foreach($static_notices as $key => $static_notice){
-				print'<div id="'.WPPIZZA_PREFIX.'_admin_notice_'.$key.'" class="notice notice-error '.WPPIZZA_PREFIX.'_admin_notice" style="padding:20px;">'.$static_notice.'</div>';
+				print'<div id="'.esc_attr(WPPIZZA_PREFIX.'_admin_notice_'.$key).'" class="notice notice-error '.esc_attr(WPPIZZA_PREFIX.'_admin_notice').'" style="padding:20px;">'.wp_kses_post($static_notice).'</div>';

 			}
 		}
@@ -1145,12 +1152,13 @@
 	*
 	********************************************************************************************************************************************************/
 	function admin_nagscreens_ajax($wppizza_options){
+
 		/******************************************************
 			[dismiss install nag]
 		******************************************************/
 		if(!empty($_POST['vars']['field']) && $_POST['vars']['field']=='dismiss-notice'){
 			if($_POST['vars']['key'] == 'install'){
-    			$wppizza_options['plugin_data']['nag_notice']=0;
+    			$wppizza_options['plugin_data']['nag_notice'] = 0;
     			update_option(WPPIZZA_SLUG, $wppizza_options);
         		die();
 			}
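Review bot: the dismiss handler compares `$_POST['vars']['key'] == 'install'` loosely and then calls `update_option(WPPIZZA_SLUG, ...)` with no capability check visible in this hunk. Only whitespace changes here, but as this method hangs off the `wppizza_ajax_admin` action registered in the constructor above, it is worth confirming that the dispatcher enforces the admin nonce and a capability before any option write, and a strict `===` costs nothing.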
@@ -1184,25 +1192,30 @@
 			checks and error messages
 		*/
 		/* mbstring */
+		/* Translators: 1: WPPizza Name as defined by constant. */
 		$check['mbstring'] = array('check' => function_exists( 'mb_internal_encoding' ), 'notice' => sprintf( __( "%s requires the mbstring extension to be installed", 'wppizza-admin'), WPPIZZA_NAME));

 		/* php */
 		$min_version_php = '5.3';
-		$check['php_min_version'] = array('check' => version_compare( $min_version_php , PHP_VERSION, '<' ), 'notice' => sprintf( __( "%s requires PHP version %s or higher", 'wppizza-admin'), WPPIZZA_NAME, $min_version_php ));
+		/* Translators: 1: WPPizza Name as defined by constant, 2: Required Php version number */
+		$check['php_min_version'] = array('check' => version_compare( $min_version_php , PHP_VERSION, '<' ), 'notice' => sprintf( __( "%1$s requires PHP version %2$s or higher", 'wppizza-admin'), WPPIZZA_NAME, $min_version_php ));

 		/* mysql */
 		$min_version_sql = '5.5';
-		$check['mysql_min_version'] = array('check' => version_compare( $min_version_sql, $wpdb->db_version(), '<' ), 'notice' => sprintf( __( "%s requires MySQL version %s or higher", 'wppizza-admin'), WPPIZZA_NAME, $min_version_sql ));
+		/* Translators: 1: WPPizza Name as defined by constant, 2: Required MySql version number */
+		$check['mysql_min_version'] = array('check' => version_compare( $min_version_sql, $wpdb->db_version(), '<' ), 'notice' => sprintf( __( "%1$s requires MySQL version %2$s or higher", 'wppizza-admin'), WPPIZZA_NAME, $min_version_sql ));

 		/* session support*/
 		$session_support = (session_start()) ?  true : false;
+		/* Translators: 1: WPPizza Name as defined by constant */
 		$check['session_support'] = array('check' => $session_support , 'notice' => sprintf( __( "%s requires PHP session support", 'wppizza-admin'), WPPIZZA_NAME));


-		/* session savepath*/
-		$ssp = ini_get( 'session.save_path' );
-		$session_save_path = (!empty($ssp)) ?  true : false;
-		$check['session_save_path'] = array('check' => $session_save_path , 'notice' => sprintf(__( "%s requires PHP session support. Your <a href='http://php.net/manual/en/function.session-save-path.php'>session.save_path</a> in your php.ini does not appear to be set. This must be set and be read/writeable for sessions to work.", 'wppizza-admin'), WPPIZZA_NAME));
+		/* session savepath - disabled since 3.20 as a) path might not be explicitly set [especially on Win], b) if session_start() works above it should all be fine anyway */
+#		$ssp = ini_get( 'session.save_path' );
+#		$session_save_path = (!empty($ssp)) ?  true : false;
+#		/* Translators: 1: WPPizza Name as defined by constant */
+#		$check['session_save_path'] = array('check' => $session_save_path , 'notice' => sprintf(__( "%s requires PHP session support. Your <a href='http://php.net/manual/en/function.session-save-path.php'>session.save_path</a> in your php.ini does not appear to be set. This must be set and be read/writeable for sessions to work.", 'wppizza-admin'), WPPIZZA_NAME));


 		/* check max_input_vars*/
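Review bot: delete the session.save_path block instead of leaving it as `#`-commented code; the adjacent comment already records why it was dropped and version control keeps the history. Separately, `$session_support = (session_start()) ? true : false;` starts a real session as a side effect of a requirements check, which sends a session cookie and emits a warning if output has already begun; `session_status() !== PHP_SESSION_DISABLED` answers the question without side effects, at the cost of raising the `$min_version_php = '5.3'` floor declared above to 5.4.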
@@ -1213,7 +1226,8 @@
 		/* wppizza min version if updating to v3*/
 		if(!empty($wppizza_options)){
 			$min_version_wppizza = '2.16.11.10';
-			$check['wppizza_v3_update'] = array('check' => version_compare( $min_version_wppizza, $wppizza_options['plugin_data']['version'], '<' ), 'notice' => sprintf( __( "To update %s to version 3+, you must first update to version %s+ of the version 2 branch", 'wppizza-admin'), WPPIZZA_NAME, $min_version_wppizza ));
+			/* Translators: 1: WPPizza Name as defined by constant, 2: Required minimum WPPizza version number */
+			$check['wppizza_v3_update'] = array('check' => version_compare( $min_version_wppizza, $wppizza_options['plugin_data']['version'], '<' ), 'notice' => sprintf( __( "To update %1$s to version 3+, you must first update to version %2$s+ of the version 2 branch", 'wppizza-admin'), WPPIZZA_NAME, $min_version_wppizza ));
 		}

 		/*
@@ -1231,11 +1245,14 @@
 		*/
 		if(empty($requirements_met)){
 			$error = '';
+			/* Translators: 1: WPPizza Name as defined by constant */
 			$error .= '<div style="text-align:center"><b>' .sprintf( __( "%s de-activated ", 'wppizza-admin'), WPPIZZA_NAME ).'</b></div>';
 			$error .= '<br /><br />';
-			$error .= '<b>' . sprintf( __( "Sorry, there were some problems activating the %s plugin:", 'wppizza-admin'), WPPIZZA_NAME, WPPIZZA_VERSION ).'</b>';
+			/* Translators: 1: WPPizza Name as defined by constant */
+			$error .= '<b>' . sprintf( __( "Sorry, there were some problems activating the %s plugin:", 'wppizza-admin'), WPPIZZA_NAME ).'</b>';
 			$error .= '<br /><br />';
-			$error .= sprintf( __( "The following requirements must be met for %s version %s to work: ", 'wppizza-admin'), WPPIZZA_NAME, WPPIZZA_VERSION );
+			/* Translators: 1: WPPizza Name as defined by constant, 2: WPPizza version number that is being installed */
+			$error .= sprintf( __( "The following requirements must be met for %1$s version %2$s to work: ", 'wppizza-admin'), WPPIZZA_NAME, WPPIZZA_VERSION );
 			$error .= '<br />';
 			$error .= '<ul>';
 			foreach($notices as $notice){
@@ -1250,7 +1267,7 @@

 			deactivate_plugins(WPPIZZA_PLUGIN_INDEX);

-			wp_die( $error );
+			wp_die( wp_kses_post($error) );
 		exit();/* just for good measure */
 		}
 	return ;
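Review bot: the `exit();/* just for good measure */` after `wp_die( wp_kses_post($error) )` is unreachable in normal operation, because the default `wp_die` handler terminates the request; it is harmless but misleading about control flow and can simply be dropped.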
--- a/wppizza/classes/admin/class.wppizza.register_gateways.php
+++ b/wppizza/classes/admin/class.wppizza.register_gateways.php
@@ -412,6 +412,7 @@
                             'options' => '',
                             'validateCallback' => 'wppizza_validate_string',
                             'label' => __('Frontend Label','wppizza-admin'),
+                            /* Translators: 1: Default Gateway Name derived from gateway class name after the starting WPPIZZA_GATEWAY_...... */
                             'descr' => '['.sprintf(__('displays "%s" if empty','wppizza-admin'),$gateway_object->gatewayName).']<br/>['.__('Used in emails and frontend. However, it is only being displayed on frontend order page if more than one gateway installed, activated and enabled','wppizza-admin').']',
                             'placeholder' => '',
                             'wpml' => true
--- a/wppizza/classes/admin/class.wppizza.user_caps.inc.php
+++ b/wppizza/classes/admin/class.wppizza.user_caps.inc.php
@@ -1,3 +1,4 @@
+<?php if ( ! defined( 'ABSPATH' ) ) exit;/*Exit if accessed directly*/ ?>
 <?php
 /********************************************************************************************

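Review bot: the new guard opens and closes its own PHP block (`<?php ... ?>`) on a line before the existing `<?php`; PHP swallows the single newline after `?>`, so nothing is output, but placing the guard as the first statement inside the existing block avoids depending on that behaviour and removes any chance of stray whitespace being sent before later `header()` calls.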
@@ -361,14 +362,33 @@

 						/* role name */
 						$str .= "<input type='hidden' name='".$plugin_slug."[".$section_key."][".$roleName."]' value='".$roleName."'>";
+
 						/* role name label */
 						$str .= "<span class='wppizza_label_100'>".translate_user_role($v['name']).":</span>";

+						/* put it into table*/
+						$str .= "<table>";
+						$str .= "<tr>";
+						$rCount = 1;
+						$newTr = 7;
+						$rCountTotal = count($user_capabilities);
+						foreach($user_capabilities as $access_key=>$access_array){
+
+							// last one, add colspan
+							$str .= $rCountTotal == $rCount ? '<td colspan="'. ( $newTr - ($rCount % $newTr ) + 1 ) .'">' : '<td>';
+								$str .= "<label><input name='".$plugin_slug."[".$section_key."][".$roleName."][".$access_array['cap']."]' type='checkbox' ". checked(!empty($userRole->capabilities[$access_array['cap']]),true,false)." value='".$access_array['cap']."' />".$access_array['name']."</label>";
+							$str .= "</td>";
+
+							// next row every $newTr
+							if(is_int($rCount / $newTr) ){
+								$str .= "</tr><tr>";
+							}


-						foreach($user_capabilities as $access_key=>$access_array){
-							$str .= "<span><label><input name='".$plugin_slug."[".$section_key."][".$roleName."][".$access_array['cap']."]' type='checkbox' ". checked(!empty($userRole->capabilities[$access_array['cap']]),true,false)." value='".$access_array['cap']."' />".$access_array['name']."</label></span>";
+						$rCount++;
 						}
+						$str .= "</tr>";
+						$str .= "</table>";

 					$str .= "</div>";
 				}
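Review bot: `if(is_int($rCount / $newTr))` relies on PHP's `/` returning an int only for exact division; `$rCount % $newTr === 0` states the intent directly. With the current logic, when the number of capabilities is an exact multiple of `$newTr` the loop emits `</tr><tr>` after the last cell and the closing `$str .= "</tr>"` then produces an empty row, and the last-cell `colspan` evaluates to `$newTr + 1` (wider than the row) because `$rCount % $newTr` is 0 in that case. Guard the row break with `$rCount < $rCountTotal` and compute the colspan from the columns actually remaining in the row.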
@@ -376,7 +396,7 @@

 		/* echo (default) */
 		if($echo){
-			echo $str;
+			echo wp_kses($str, WPPIZZA_SLUG);
 		return;
 		}

--- a/wppizza/classes/admin/class.wppizza.wp_admin.php
+++ b/wppizza/classes/admin/class.wppizza.wp_admin.php
@@ -37,13 +37,13 @@

 	    /******************
 	    	ajax nonce in footer for all admin pages
-
-	    	Note: also needed for non-wppizza admin pages for:
-	    	-	dashboard widgets,
-	    	-	order notifications on non-wppizza pages,
+
+	    	Note: also needed for non-wppizza admin pages for:
+	    	-	dashboard widgets,
+	    	-	order notifications on non-wppizza pages,
 	    	-	dismissal of install notices
 	    	etc
-	 	******************/
+	 	******************/
 		add_action('admin_footer', array($this, 'wppizza_ajax_nonce'));

 	}
@@ -77,8 +77,8 @@
 			$dbw = ob_get_clean();


-			print"".$dbw."";
-			exit();
+			print wp_kses_post($dbw);
+		exit();
 		}

 	}
@@ -97,13 +97,48 @@
 *
 *********************************************************/
     public function admin_options_validate($input){
-    	global $wppizza_options;
+    	global $wppizza_options, $pagenow;

     	/* no saving/editing alowed, just return options as they were, but ALWAYS bypass on install */
     	if(WPPIZZA_DEV_ADMIN_NO_SAVE && !empty($wppizza_options)){
     		return 	$wppizza_options;
     	}

+    	/* unless we are actually saving options, skip everything else */
+    	$current_screen  = get_current_screen();
+    	if( ( !empty($current_screen) && $current_screen -> id != 'options' ) ){
+    		return $wppizza_options ;
+    	}
+
+       	/* let's make sure user has required caps for all that he/she wants to update */
+    	if(!empty($_POST[WPPIZZA_SLUG])){
+   		foreach($_POST[WPPIZZA_SLUG] as $cap_id => $page_options){
+
+   			/*
+   				some exemptions where one single capability is set for multiple parts
+   			*/
+   			if( $cap_id == 'confirmation_form' )						{ $cap_id = 'order_form'; /* granted cap */}
+   			if( $cap_id == 'sizes' )									{ $cap_id = 'meal_sizes'; /* granted cap */}
+   			if( $cap_id == 'allergens' || $cap_id == 'foodtype' )		{ $cap_id = 'additives'; /* granted cap */}
+   			if( $cap_id == 'opening_times_format' )						{ $cap_id = 'openingtimes'; /* granted cap */}
+   			if( $cap_id == 'prices_format' )							{ $cap_id = 'layout'; /* granted cap */}
+   			if( $cap_id == 'templates_apply' )							{ $cap_id = 'templates'; /* granted cap */}
+   			if( $cap_id == 'access' )									{ $cap_id = 'access_rights'; /* granted cap */}
+   			if( $cap_id == 'cron' )										{ $cap_id = 'tools'; /* granted cap */}
+
+
+
+   			if( !current_user_can( 'wppizza_cap_'.$cap_id ) ) {
+				#global $current_user;
+				#print_r($current_user->allcaps);
+				wp_die(
+					'<h1>'.esc_html(WPPIZZA_NAME .' "'.$cap_id.'"').': ' . __( 'You need a higher access level to update these options.', 'wppizza-admin' ) . '</h1>' .
+					'<p>' . esc_html(__( 'Sorry, you are not permitted to update these options.', 'wppizza-admin' )) . '</p>',
+					403
+				);
+   			}
+   		}}
+
 		/**get previously saved options unless it's a new install**/
 		$options=($wppizza_options==0) ? array() : $wppizza_options;

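Review bot: `get_current_screen()` is an admin-only function (wp-admin/includes/screen.php); if `admin_options_validate` is wired up as the `sanitize_callback` for the `WPPIZZA_SLUG` option it also runs for `update_option()` calls made outside wp-admin (cron, WP-CLI, frontend), where that call is a fatal error, so guard it with `function_exists('get_current_screen')`. In those same paths the early `return $wppizza_options` when the screen is not `options` silently discards `$input` instead of saving it. The per-section `current_user_can('wppizza_cap_'.$cap_id)` fails closed for unmapped keys, which is the right default, but the alias chain of eight `if` statements is easier to audit as a single lookup array. Remove the `#global $current_user; #print_r(...)` debugging remnants, and note that `$pagenow` is added to the `global` statement without being used in this hunk.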
@@ -119,6 +154,7 @@

 		/**register applicable/new WPML strings on options save*/
 		//require(WPPIZZA_PATH .'inc/wpml.register.strings.php');
+
 	return $options;
     }

@@ -190,13 +226,13 @@
 		$localize['fnStatusChanged'] = $fnStatusChanged; /* add to localized script */
 		/* filterable */
 		$localize = apply_filters('wppizza_filter_admin_js_localize', $localize);
-
-		/** analogous with wppizza_filter_js_extend in frontend **/
+
+		/** analogous with wppizza_filter_js_extend in frontend **/
 		$localize['extend'] = apply_filters('wppizza_filter_js_extend_admin', array() );//

 		wp_localize_script( WPPIZZA_SLUG.'-global', WPPIZZA_SLUG, $localize );
 	}
-
+
 /*********************************************************
 *
 *		[ adding wppizza_ajax_nonce to footer ]
@@ -205,8 +241,8 @@
 	function wppizza_ajax_nonce(){
 		wp_nonce_field( '' . WPPIZZA_PREFIX . '_ajax_nonce','' . WPPIZZA_PREFIX . '_ajax_nonce', true, true);
 	return;
-	}
-
+	}
+
 }
 $WPPIZZA_WP_ADMIN=new WPPIZZA_WP_ADMIN();
 ?>
 No newline at end of file
--- a/wppizza/classes/class.wppizza.dashboard_widgets.php
+++ b/wppizza/classes/class.wppizza.dashboard_widgets.php
@@ -59,7 +59,7 @@
 		//access control
 		if (!current_user_can('wppizza_cap_reports')){
 			if(empty($return_markup)){
-				echo '<center><h2>'.__('Forbidden','wppizza-admin').'</h2></center>';
+				echo '<center><h2>'.esc_html(__('Forbidden','wppizza-admin')).'</h2></center>';
 			}else{
 				return '<center><h2>'.__('Forbidden','wppizza-admin').'</h2></center>';
 			}
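Review bot: only the `echo` branch gains `esc_html()`; the `return` branch two lines later still returns `__('Forbidden','wppizza-admin')` unescaped, so the same translated string is escaped in one code path and not the other. Build the string once with `esc_html()` and use it in both branches so the behaviour does not depend on `$return_markup`.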
@@ -327,9 +327,9 @@


 		if(empty($return_markup)){
-			echo $markup;
+			echo wp_kses_post($markup);
 		}else{
-			return $markup;
+			return wp_kses_post($markup);
 		}
 	}
 }
--- a/wppizza/classes/class.wppizza.filters.php
+++ b/wppizza/classes/class.wppizza.filters.php
@@ -24,6 +24,7 @@

 		add_action('init', array( $this, 'wppizza_allow_options_filter'), 5);/*allow filtering of options. let's use a reasonably high priority, but after session initialization**/

+
 		/*
 			adds a couple of action hooks  - reasonably early - that only run
 			when a frontend page is requested or a frontend ajax call was made
@@ -47,8 +48,11 @@
 		add_filter( 'wppizza_filter_order_date', array( $this, 'wppizza_filter_order_date'),10);

 		/***dont put "WPPizza Categories" in title tag */
-		add_filter( 'wp_title', array( $this, 'wppizza_filter_title_tag'),20,3);
-
+		add_filter( 'wp_title', array( $this, 'wppizza_filter_title_tag'), 20, 3);
+
+		/* allow some additional html when escaping markup in certain places, since 3.20 */
+		add_filter( 'wp_kses_allowed_html', array( $this, 'wppizza_filter_wp_kses_allowed_html'), 10, 2 );
+
 		/***filter tax display */
 		add_filter( 'wppizza_filter_combine_taxes', array( $this, 'wppizza_filter_combine_taxes'));

@@ -930,7 +934,7 @@
 			/**for safeties sake loop through all conotations (though the last one probanly does the trick) */
 			$catTitleSearch[] = __('WPPizza Categories', 'wppizza-admin');
 			$catTitleSearch[] = __('Categories WPPizza', 'wppizza-admin');
-			$catTitleSearch[] = WPPIZZA_NAME . ' ' .__('Categories');
+			$catTitleSearch[] = WPPIZZA_NAME . ' ' .__('Categories', 'default' );

 			foreach($catTitleSearch as $strSearch){

@@ -962,6 +966,52 @@

 	/*******************************************************************************
 	*
+	*	[allow some additional html when escaping markup in certain places]
+	*	@ since 3.2
+	*
+	*******************************************************************************/
+	function wppizza_filter_wp_kses_allowed_html($tags, $context ){
+
+
+		if( WPPIZZA_SLUG === $context )	{
+			static $custom_tags;
+
+			# all standard post tags
+			$custom_tags = wp_kses_allowed_html( 'post' );
+
+			# allow inputs
+			$custom_tags['input'] = array(
+				'id'	=>	true,
+				'name'	=>	true,
+				'type'	=>	true,
+				'value'	=>	true,
+				'size'	=>	true,
+				'class'	=>	true,
+				'checked'	=>	true,
+			);
+			// allow selects. To be determined when/if needed
+			#$custom_tags['select'] = array(
+			#	'id'	=>	true,
+			#	'name'	=>	true,
+			#	'type'	=>	true,
+			#	'value'	=>	true,
+			#	'size'	=>	true,
+			#	'class'	=>	true,
+			#	'options'	=>	true,
+			#	//might need to be an array, tyo be determined when needed
+			#	'options'	=>	array('selected' => true),
+			#	'selected'	=>	true,
+			#);
+
+		return $custom_tags;
+		}
+
+
+
+	return $tags;
+	}
+	/*******************************************************************************
+	*
 	*
 	*	[filter the way taxes are displayed
 	*
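Review bot: the `static $custom_tags;` declaration in `wppizza_filter_wp_kses_allowed_html()` has no effect because the variable is unconditionally reassigned on every call; either guard the build with `if (null === $custom_tags)` so the allowed-tag array is computed once, or drop `static`. Note also that `wp_kses_allowed_html('post')` re-applies the `wp_kses_allowed_html` filter with context `post`, which re-enters this callback; it is safe only because the `WPPIZZA_SLUG === $context` check fails on that inner call and `$tags` is returned untouched, so keep that guard as the first statement. The docblock says `@ since 3.2` while the registration comment in the earlier hunk says 3.20, and the `return $custom_tags;` is indented one level too shallow for the `if` block it sits in. The commented-out `select` block also lists the `options` key twice; if it is ever enabled, the second entry silently overrides the first.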
--- a/wppizza/classes/class.wppizza.i18n.php
+++ b/wppizza/classes/class.wppizza.i18n.php
@@ -46,14 +46,17 @@
   		*/
   		$plugin_text_domain_path =  apply_filters('wppizza_filter_textdomain_path', dirname(plugin_basename( __DIR__ ) ) . '/lang');
   		if(is_admin()){
+
         	// admin localization strings
-        	load_plugin_textdomain('wppizza-admin', false, $plugin_text_domain_path );
+        	load_plugin_textdomain('wppizza-admin', false, $plugin_text_domain_path  );
+
         	// load after admin to insert default localization strings
         	load_plugin_textdomain('wppizza', false, $plugin_text_domain_path );
+
   		}else{
         	// frontend dev constants - not loaded by default (but can be enabled by constant) as it's kind of overkill loading these for very little benefit,
         	if(WPPIZZA_DEV_LOAD_TEXTDOMAIN){
-        		load_plugin_textdomain('wppizza_dev', false, $plugin_text_domain_path );
+        		load_plugin_textdomain('wppizza-dev', false, $plugin_text_domain_path );
         	}
   		}
     return;
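Review bot: renaming the dev text domain from `wppizza_dev` to `wppizza-dev` in `load_plugin_textdomain()` only works if the `.mo` files under `$plugin_text_domain_path` and every `__()`/`_e()` call that uses the dev domain are renamed in the same change; otherwise the dev strings silently fall back to English with no error. The other changes in this hunk (the extra space before the closing parenthesis and the added blank lines) are whitespace only.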
--- a/wppizza/classes/class.wppizza.order.php
+++ b/wppizza/classes/class.wppizza.order.php
@@ -339,10 +339,10 @@
 				/*
 					add to array
 				*/
-				$order_results['sections']['customer']['login'] = array('label' => __('Login'), 'value' => $getUserData->user_login, 'type' =>'text');
-				$order_results['sections']['customer']['first_name'] = array('label' => __('First Name'), 'value' => $getUserData->first_name, 'type' =>'text');
-				$order_results['sections']['customer']['last_name'] = array('label' => __('Last Name'), 'value' => $getUserData->last_name, 'type' =>'text');
-				$order_results['sections']['customer']['email'] = array('label' => __('Email'), 'value' => $getUserData->user_email, 'type' =>'email');
+				$order_results['sections']['customer']['login'] = array('label' => __('Login', 'default' ), 'value' => $getUserData->user_login, 'type' =>'text');
+				$order_results['sections']['customer']['first_name'] = array('label' => __('First Name', 'default' ), 'value' => $getUserData->first_name, 'type' =>'text');
+				$order_results['sections']['customer']['last_name'] = array('label' => __('Last Name', 'default' ), 'value' => $getUserData->last_name, 'type' =>'text');
+				$order_results['sections']['customer']['email'] = array('label' => __('Email', 'default' ), 'value' => $getUserData->user_email, 'type' =>'email');
 			}

 			/*********
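Review bot: the four `customer` section lines change only the text domain of the labels; the values (`user_login`, `first_name`, `last_name`, `user_email`) and the structure of `$order_results` are unchanged. Since this array is what the order-view output is built from, nothing in this hunk restricts who can read it; that responsibility stays with the callers and their capability checks, so this hunk should not be read as part of the authorization fix.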
@@ -354,10 +354,10 @@
 					$array=explode(" ",trim($order_results['sections']['customer']['cname']['value']));
 					$arLen=count($array);
 					if(isset($array[0])){
-						$order_results['sections']['customer']['first_name'] = array('label' => __('First Name'), 'value' => trim($array[0]), 'type' =>'text', 'class_ident' => 'wp_first_name');
+						$order_results['sections']['customer']['first_name'] = array('label' => __('First Name', 'default' ), 'value' => trim($array[0]), 'type' =>'text', 'class_ident' => 'wp_first_name');
 					}
 					if($arLen>1){
-						$order_results['sections']['customer']['last_name'] = array('label' => __('Last Name'), 'value' => trim($array[($arLen-1)]), 'type' =>'text', 'class_ident' => 'wp_last_name');
+						$order_results['sections']['customer']['last_name'] = array('label' => __('Last Name', 'default' ), 'value' => trim($array[($arLen-1)]), 'type' =>'text', 'class_ident' => 'wp_last_name');
 					}
 				}
 			}
@@ -2958,7 +2958,7 @@
 				if(!empty($show_tips)){
 					$summary['tips'][0]['sort']					=	70;
 					$summary['tips'][0]['class_ident']			=	'tips';
-					$summary['tips'][0]['label']				=	$blog_options['localization']['tips'] . (!empty($_SESSION[WPPIZZA_SLUG.'_userdata']['ctips_type'] && $_SESSION[WPPIZZA_SLUG.'_userdata']['ctips_type'] == 'pc' ) ? '<span class="tips_pc">'.$_SESSION[WPPIZZA_SLUG.'_userdata'][$ctips_pc].'%</span>': '' ) ;//add percentage selection if defined
+					$summary['tips'][0]['label']				=	$blog_options['localization']['tips'] . ( !empty($_SESSION[WPPIZZA_SLUG.'_userdata']['ctips_type']) && $_SESSION[WPPIZZA_SLUG.'_userdata']['ctips_type'] == 'pc'  ? '<span class="tips_pc">'.$_SESSION[WPPIZZA_SLUG.'_userdata'][$ctips_pc].'%</span>': '' ) ;//add percentage selection if defined
 					$summary['tips'][0]['value']				=	$order_values['summary']['tips'] ;
 					$summary['tips'][0]['value_formatted']		=	wppizza_format_price($order_values['summary']['tips'], $currency) ;
 				}
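Review bot: the precedence fix on the `tips` label is correct (`!empty(...)` now wraps only the session lookup, and `&&` binds tighter than `?:`, so the ternary selects the span as intended), but the key `$_SESSION[WPPIZZA_SLUG.'_userdata'][$ctips_pc]` uses a variable `$ctips_pc` that is not defined anywhere in the visible context; if it is undefined, the lookup reads key `''` and emits a notice. Confirm it is set above, or use the literal key if `'ctips_pc'` was intended. The percentage value pulled from the session is also concatenated into the `<span>` unescaped; wrap it in `esc_html()` since the label is rendered as markup.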
--- a/wppizza/classes/class.wppizza.order_execute.php
+++ b/wppizza/classes/class.wppizza.order_execute.php
@@ -92,6 +92,7 @@
 			$result['error'][] = array(
 				'critical'=> true, /* force sending of email to admin */
 				'error_id'=> 10005,
+				/* Translators: 1: php session save path as setup on server */
 				'error_message' => sprintf(__('Missing hash - are your php sessions set up correctly %s ?','wppizza-admin'), '[session.save_path = '.$ssp.']') ,
 				'wp_error' => ''
 			);
@@ -161,6 +162,7 @@
 			$result['error'][] = array(
 				'critical'=> false, /* true to force sending of email to admin */
 				'error_id'=> 20000 ,
+				/* Translators: 1: Currently selected gateway that is not in fact available */
 				'error_message' => sprintf(__('Selected gateway %s unavailable','wppizza-admin'), $trace) ,
 				'wp_error' => ''
 			);
@@ -828,7 +830,8 @@
 			$result['error'][] = array(
 				'critical'=> true, /* force sending of email to admin */
 				'error_id'=> 10002,
-				'error_message' => $ipn_error_prefix . __('TEMPLATES: '.print_r($email_templates['error'], true).'','wppizza-admin'),
+				/* Translators: 1: error details */
+				'error_message' => $ipn_error_prefix . sprintf(__('TEMPLATES: %s','wppizza-admin'), print_r($email_templates['error'], true) ),
 				'wp_error' => '',
 				'wp_last_query' => print_r($wpdb->last_query, true)
 			);
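Review bot: moving the `print_r()` output out of the gettext string and into `sprintf(__('TEMPLATES: %s', ...), ...)` is the right fix, since a dynamic msgid can never be matched by a translation catalog. The same error record also stores `print_r($wpdb->last_query, true)`, which is the full SQL of the last query and may embed customer order data; make sure the log or admin email this `$result['error']` ends up in is treated as sensitive.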
@@ -862,7 +865,8 @@
 				$result['error'][] = array(
 					'critical'=> true, /* force sending of email to admin */
 					'error_id'=> 10003,
-					'error_message' => $ipn_error_prefix .  __('EMAIL TO SHOP FAILED: '.print_r(nl2br(print_r($email_results['shop'], true)), true).'','wppizza-admin'),
+					/* Translators: 1: error details mail results */
+					'error_message' => $ipn_error_prefix .  sprintf(__('EMAIL TO SHOP FAILED: %s','wppizza-admin'), print_r(nl2br(print_r($email_results['shop'], true)), true) ),
 					'wp_error' => '',
 					'wp_last_query' => print_r($wpdb->last_query, true)

@@ -1912,6 +1916,7 @@
 					if($is_notice){
 						$print['tx_error_'.$k.''] .= '----------------------------------------'.PHP_EOL;
 						$print['tx_error_'.$k.''] .= __('Note:','wppizza-admin').PHP_EOL;
+						/* Translators: 1: WPPizza Name as defined by constant */
 						$print['tx_error_'.$k.''] .= sprintf(__('Email notices of this kind (i.e non-critcal errors) can be turned off in "%s -> Settings -> Logging -> Errors to admin email".','wppizza-admin'), WPPIZZA_NAME) . PHP_EOL;
 						$print['tx_error_'.$k.''] .= __('However, notices will still be logged if "Log failed orders" has been enabled.','wppizza-admin');
 						$print['tx_error_'.$k.''] .= PHP_EOL.'----------------------------------------';
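Review bot: the translators comment is correctly placed directly above the `sprintf(__(...))` call it documents, but the msgid on that line still contains the typo "non-critcal"; fixing it changes the msgid and invalidates any existing translation of the string, so either fix it now while the string is being touched anyway and regenerate the catalog, or leave it deliberately and note why.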
--- a/wppizza/classes/class.wppizza.register_posttype_taxonomy.php
+++ b/wppizza/classes/class.wppizza.register_posttype_taxonomy.php
@@ -76,6 +76,7 @@

 		$args = array(
 			'labels'        => $labels,
+			/* Translators: 1: WPPizza Name as defined by constant */
 			'description'   => sprintf( __( 'Holds %1$s  menu items data', 'wppizza-admin'), WPPIZZA_NAME ),
 			'show_ui'		=> true,
 			'public'        => true,
@@ -122,17 +123,17 @@

 		  // Add new taxonomy, make it hierarchical (like categories)
 		  $labels = array(
-		    'name' => WPPIZZA_NAME. ' ' ._x( 'Categories', 'taxonomy general name' ),
-		    'singular_name' => _x( 'Category', 'taxonomy singular name' ),
-		    'search_items' =>  __( 'Search Categories' ),
-		    'all_items' => __( 'All Categories' ),
-		    'parent_item' => __( 'Parent Category' ),
-		    'parent_item_colon' => __( 'Parent Category:' ),
-		    'edit_item' => __( 'Edit Category' ),
-		    'update_item' => __( 'Update Category' ),
-		    'add_new_item' => __( 'Add New Category' ),
-		    'new_item_name' => __( 'New Category Name' ),
-		    'menu_name' => __( 'Categories' )
+		    'name' => WPPIZZA_NAME. ' ' ._x( 'Categories', 'taxonomy general name', 'default' ),
+		    'singular_name' => _x( 'Category', 'taxonomy singular name', 'default' ),
+		    'search_items' =>  __( 'Search Categories', 'default' ),
+		    'all_items' => __( 'All Categories', 'default' ),
+		    'parent_item' => __( 'Parent Category', 'default' ),
+		    'parent_item_colon' => __( 'Parent Category:', 'default' ),
+		    'edit_item' => __( 'Edit Category', 'default' ),
+		    'update_item' => __( 'Update Category', 'default' ),
+		    'add_new_item' => __( 'Add Category', 'default' ),
+		    'new_item_name' => __( 'New Category Name', 'default' ),
+		    'menu_name' => __( 'Categories', 'default' )
 		  );
 		/** filter labels **/
 		$labels = apply_filters('wppizza_filter_ctx_lbls', $labels);
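Review bot: the `add_new_item` label changes text, from `'Add New Category'` to `'Add Category'`, while every other line in this hunk only appends the `'default'` domain. Because these labels are looked up in WordPress core's catalog, this is only a no-op if `'Add Category'` is the msgid core currently ships; if it is not, this one label falls back to English while the rest stay translated. Confirm the core string, and keep label text changes out of a domain-only cleanup.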
@@ -173,21 +174,21 @@

 		// Add new taxonomy, NOT hierarchical (like tags)
 		$labels = array(
-			'name' => _x( 'Tags', 'taxonomy general name' ),
-			'singular_name' => _x( 'Tag', 'taxonomy singular name' ),
-			'search_items' =>  __( 'Search Tags' ),
-			'popular_items' => __( 'Popular Tags' ),
-			'all_items' => __( 'All Tags' ),
+			'name' => _x( 'Tags', 'taxonomy general name', 'default' ),
+			'singular_name' => _x( 'Tag', 'taxonomy singular name', 'default' ),
+			'search_items' =>  __( 'Search Tags', 'default' ),
+			'popular_items' => __( 'Popular Tags', 'default' ),
+			'all_items' => __( 'All Tags', 'default' ),
 			'parent_item' => null,
 			'parent_item_colon' => null,
-			'edit_item' => __( 'Edit Tag' ),
-			'update_item' => __( 'Update Tag' ),
-			'add_new_item' => __( 'Add New Tag' ),
-			'new_item_name' => __( 'New Tag Name' ),
-			'separate_items_with_commas' => __( 'Separate tags with commas' ),
-			'add_or_remove_items' => __( 'Add or remove tags' ),
-			'choose_from_most_used' => __( 'Choose from the most used tags' ),
-			'menu_name' => __( 'Tags' ),
+			'edit_item' => __( 'Edit Tag', 'default' ),
+			'update_item' => __( 'Update Tag', 'default' ),
+			'add_new_item' => __( 'Add New Tag', 'default' ),
+			'new_item_name' => __( 'New Tag Name', 'default' ),
+			'separate_items_with_commas' => __( 'Separate tags with commas', 'default' ),
+			'add_or_remove_items' => __( 'Add or remove tags', 'default' ),
+			'choose_from_most_used' => __( 'Choose from the most used tags', 'default' ),
+			'menu_name' => __( 'Tags', 'default' ),
 		);
 		/** filter labels **/
 		$labels = apply_filters('wppizza_filter_tags_lbls', $labels);
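Review bot: `add_new_item` here keeps `'Add New Tag'`, whereas the category hunk above changed its counterpart to `'Add Category'`; the two taxonomies should follow the same core msgid convention so both labels resolve against the `default` domain. The remaining lines are domain-only changes and look correct.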
--- a/wppizza/classes/class.wppizza.sales_data.php
+++ b/wppizza/classes/class.wppizza.sales_data.php
@@ -455,7 +455,7 @@
 		global $wppizza_options;

 		if( version_compare( PHP_VERSION, '5.3', '<' )) {
-			print"<div id='wppizza-report-error'>".__('Sorry, reporting is only available with php >=5.3','wppizza-admin')."</div>";
+			print"<div id='wppizza-report-error'>".esc_html(__('Sorry, reporting is only available with php >=5.3','wppizza-admin'))."</div>";
 			return;
 		}

@@ -2050,6 +2050,7 @@

 				/*boxes right*/
 				$boxrt[]=array('id'=>'wppizza-report-top10-volume', 'class'=>'', 'lbl'=>__('Best/Worst sellers by Volume - All','wppizza-admin'),'val'=>$htmlBsVol.$htmlWsVol);
+				/* Translators: 1: Percentage sign */
 				$boxrt[]=array('id'=>'wppizza-report-top10-value', 'class'=>'', 'lbl'=>sprintf(__('Best/Worst sellers by Value - All [%s of order total]','wppizza-admin'), '%') ,'val'=>$htmlBsVal.$htmlWsVal);
 				$boxrt[]=array('id'=>'wppizza-report-nonsellers', 'class'=>'', 'lbl'=>__('Non-Sellers - All','wppizza-admin'),'val'=>$htmlNoSellers);
 			}
@@ -2068,6 +2069,7 @@

 				/*boxes right*/
 				$boxrt[]=array('id'=>'wppizza-report-top10-volume', 'class'=>'', 'lbl'=>__('Best/Worst sellers by Volume [in range]','wppizza-admin'),'val'=>$htmlBsVol.$htmlWsVol);
+				/* Translators: 1: Percentage sign */
 				$boxrt[]=array('id'=>'wppizza-report-top10-value', 'class'=>'', 'lbl'=>sprintf(__('Best/Worst sellers by Value [%s of all orders in range]','wppizza-admin'), '%'),'val'=>$htmlBsVal.$htmlWsVal);
 				$boxrt[]=array('id'=>'wppizza-report-nonsellers', 'class'=>'', 'lbl'=>__('Non-Sellers [in range]','wppizza-admin'),'val'=>$htmlNoSellers);

@@ -2269,7 +2271,7 @@
 		}
 		$ordersQuery.='as order_date, "'.$blog_id.'" as blog_id FROM '.$wpdbPrefix . WPPIZZA_TABLE_ORDERS .' WHERE payment_status IN ("COMPLETED") AND order_status != "REJECTED" ';
 		$ordersQuery.= $oQuery;
-		$ordersQuery.='ORDER BY order_date ASC';
+		$ordersQuery.=' ORDER BY order_date ASC';

 		/*
 			allow filtering , passing on additional "where" parameters
@@ -2388,6 +2390,7 @@
 			$condition = key($parameters);
 			foreach($parameters as $fragments){
 				foreach($fragments as $q){
+					//prepare each fragment
 					$query[] = $wpdb->prepare("".$q['column']." ".$q['comparison']." %s", $q['value']);
 				}
 			}
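Review bot: the new comment `//prepare each fragment` overstates what the line does: `$wpdb->prepare("".$q['column']." ".$q['comparison']." %s", $q['value'])` parameterises only `$q['value']`, while `$q['column']` and `$q['comparison']` are concatenated straight into the statement. Since the parameters arrive through the filter mentioned in the previous hunk, validate `column` against an allow-list of known table columns and `comparison` against a fixed operator set before building the fragment, and reword the comment to say only the value is prepared.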
@@ -2395,7 +2398,7 @@
 		$i++;
 		}
 		$querystring = implode(' ',$oQuery);
-	/* resturn as string */
+	/* return as string */
 	return $querystring;
 	}
 }
--- a/wppizza/classes/class.wppizza.scripts_styles.php
+++ b/wppizza/classes/class.wppizza.scripts_styles.php
@@ -195,7 +195,7 @@
 				enqueue dashicons for cartimage under prices and empty image/photo placeholder
 			*/
 			$css_enqueue_ident='dashicons';
-			$enqueue_styles_ident[$css_enqueue_ident] = wp_register_style($css_enqueue_ident, get_stylesheet_uri(), array($dependency_last_style));
+			$enqueue_styles_ident[$css_enqueue_ident] = wp_register_style($css_enqueue_ident, get_stylesheet_uri(), array($dependency_last_style), $wp_scripts->default_version);
 			$dependency_last_style = $css_enqueue_ident;


@@ -700,7 +700,7 @@
 		if(!empty($wppizza_options['layout']['prettify_js_alerts'])){
 			$miscOptions['pjsa'] = array();
 			$miscOptions['pjsa']['h1'] = get_bloginfo( 'name' );
-			$miscOptions['pjsa']['ok'] = __('OK');
+			$miscOptions['pjsa']['ok'] = __('OK', 'default' );
 		}

 		/**pretty photo style - if enabled **/
--- a/wppizza/classes/class.wppizza.user.php
+++ b/wppizza/classes/class.wppizza.user.php
@@ -245,7 +245,7 @@

 		/* h3 header */
 		if($wppizza_options['localization']['user_profile_label_additional_info']!=''){
-			print'<h3>'.$wppizza_options['localization']['user_profile_label_additional_info'].'</h3>';
+			print'<h3>'.esc_html($wppizza_options['localization']['user_profile_label_additional_info']).'</h3>';
 		}

 		print'<table class="form-table">';
@@ -256,22 +256,22 @@

 				$selectedValue = !empty($userMetaData[''.WPPIZZA_SLUG.'_'.$field['key'].'']) ? (maybe_unserialize($userMetaData['wppizza_'.$field['key'].''])) : '';

-				print'<tr><th><label for="'.WPPIZZA_SLUG.'_'.$field['key'].'">' . $field['lbl'] . '</label></th><td>';
+				print'<tr><th><label for="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'">' . esc_html($field['lbl']) . '</label></th><td>';

 					/**normal text input**/
 					if ( $field['type']=='text'){
-			    		print'<input type="text" name="'.WPPIZZA_SLUG.'_'.$field['key'].'" id="'.WPPIZZA_SLUG.'_'.$field['key'].'" value="'.$selectedValue.'" class="regular-text" />';
+			    		print'<input type="text" name="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'" id="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'" value="'.esc_attr($selectedValue).'" class="regular-text" />';
 					}
 					/**textareas**/
 					if ( $field['type']=='textarea'){
-						print'<textarea name="'.WPPIZZA_SLUG.'_'.$field['key'].'" id="'.WPPIZZA_SLUG.'_'.$field['key'].'" rows="5" cols="30">'.$selectedValue.'</textarea>';
+						print'<textarea name="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'" id="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'" rows="5" cols="30">'.esc_textarea($selectedValue).'</textarea>';
 					}
 					/**select**/
 					if ( $field['type']=='select'){

 						$setVal = wppizza_decode_entities_trim($selectedValue);

-						print'<select name="'.WPPIZZA_SLUG.'_'.$field['key'].'" id="'.WPPIZZA_SLUG.'_'.$field['key'].'">';
+						print'<select name="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'" id="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'">';

 							print'<option value="">-----------</option>';

@@ -279,19 +279,19 @@

 								$optVal = wppizza_decode_entities_trim($value);

-								print'<option value="'.$value.'" '.selected($optVal, $setVal, false).'>'.$value.'</option>';
+								print'<option value="'.esc_attr($value).'" '.selected($optVal, $setVal, false).'>'.esc_html($value).'</option>';

 							}
 						print'</select>';
 					}
 					/**checkbox**/
 					if ($field['type']=='checkbox'){
-						print'<input type="checkbox" name="'.WPPIZZA_SLUG.'_'.$field['key'].'" id="'.WPPIZZA_SLUG.'_'.$field['key'].'" value="1" '.checked(!empty($selectedValue),true,false).' />';
+						print'<input type="checkbox" name="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'" id="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'" value="1" '.checked(!empty($selectedValue),true,false).' />';
 					}
 					/**multicheckbox**/
 					if ($field['type']=='multicheckbox'){
 						foreach($field['value'] as $mKey => $multicheckbox_value){
-							echo'<span><input type="checkbox" name="'.WPPIZZA_SLUG.'_'.$field['key'].'['.$mKey.']" id="'.WPPIZZA_SLUG.'_'.$field['key'].'_'.$mKey.'"  '.checked(!empty($selectedValue[$mKey]),true,false).' value="'.$multicheckbox_value.'"/>'.$multicheckbox_value.' </span>';
+							echo'<span><input type="checkbox" name="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'['.esc_attr($mKey).']" id="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key'].'_'.$mKey).'"  '.checked(!empty($selectedValue[$mKey]),true,false).' value="'.esc_attr($multicheckbox_value).'"/>'.esc_html($multicheckbox_value).' </span>';
 						}
 					}
 					/**radio**/
@@ -303,7 +303,7 @@

 							$optVal = wppizza_decode_entities_trim($radio_value);

-							echo'<span><input type="radio" name="'.WPPIZZA_SLUG.'_'.$field['key'].'" id="'.WPPIZZA_SLUG.'_'.$field['key'].'"  '.checked($optVal, $setVal, false).' value="'.$radio_value.'"/>'.$radio_value.' </span>';
+							echo'<span><input type="radio" name="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'" id="'.esc_attr(WPPIZZA_SLUG.'_'.$field['key']).'"  '.checked($optVal, $setVal, false).' value="'.esc_attr($radio_value).'"/>'.esc_html($radio_value).' </span>';
 						}
 					}
 				print"</td></tr>";
@@ -343,47 +343,47 @@
 			*/
 	 		echo'<p>';
 	 			/* label */
-	 			echo'<label for="' . $name_id . '">';
+	 			echo'<label for="' . esc_attr($name_id) . '">';
 	 			/* text input */
 	 			if ( $field['type']=='text'){
-	 				echo''.$field['lbl'].'<br />';
-	 				echo'<input type="text" name="' . $name_id . '" id="' . $name_id . '" class="' . $class . '" value="'. $input_value . '" size="20" />';
+	 				echo''.esc_html($field['lbl']).'<br />';
+	 				echo'<input type="text" name="' . esc_attr($name_id) . '" id="' . esc_attr($name_id) . '" class="' . esc_attr($class) . '" value="'. esc_attr($input_value) . '" size="20" />';
 	 			}
 				/**textareas**/
 				if ( $field['type']=='textarea'){
-					echo''.$field['lbl'].'<br />';
-					print'<textarea name="' . $name_id . '" id="' . $name_id . '" class="' . $class . '" rows="5" cols="30">' . $input_value . '</textarea>';
+					echo''.esc_html($field['lbl']).'<br />';
+					print'<textarea name="' . esc_attr($name_id) . '" id="' . esc_attr($name_id) . '" class="' . esc_attr($class) . '" rows="5" cols="30">' . esc_textarea($input_value) . '</textarea>';
 				}
 				/**select**/
 				if ( $field['type']=='select'){
-					echo''.$field['lbl'].'<br />';
-					print'<select name="' . $name_id . '" id="' . $name_id . '" class="' . $class . '">';
+					echo''.esc_html($field['lbl']).'<br />';
+					print'<select name="' . esc_attr($name_id) . '" id="' . esc_attr($name_id) . '" class="' . esc_attr($class) . '">';
 						print'<option value="">--------</option>';
 						foreach($field['value'] as $key => $select_value){
-							print'<option value="' . $key . '" '.selected($key,$select_value,false).'>' . $select_value . '</option>';
+							print'<option value="' . esc_attr($key) . '" '.selected($key,$select_value,false).'>' . esc_html($select_value) . '</option>';
 						}
 					print'</select>';
 				}
 				/**checkbox**/
 				if ( $field['type']=='checkbox'){
-					echo''.$field['lbl'].' ';
-					echo'<input type="checkbox" name="' . $name_id . '" id="' . $name_id . '" class="" value="1" />';
+					echo''.esc_html($field['lbl']).' ';
+					echo'<input type="checkbox" name="' . esc_attr($name_id) . '" id="' . esc_attr($name_id) . '" class="" value="1" />';
 				}
 				/**multicheckbox**/
 				if ( $field['type'] == 'multicheckbox'){
-					echo''.$field['lbl'].'<br />';
+					echo''.esc_html($field['lbl']).'<br />';
 					foreach($field['value'] as $key => $select_value){
 						/* show multi checkbox options */
-						echo'<span><input type="checkbox" name="' . $name_id . '[]" id="' . $name_id . '_'.$key.'"  value="'. $key . '" />'.$select_value.' </span>';
+						echo'<span><input type="checkbox" name="' . esc_attr($name_id) . '[]" id="' . esc_attr($name_id . '_'.$key).'"  value="'. esc_attr($key) . '" />'.esc_html($select_value).' </span>';
 					}
 				}
 				/**radio**/
 				if ( $field['type']=='radio'){
-					echo''.$field['lbl'].'<br />';
+					echo''.esc_html($field['lbl']).'<br />';
 					$i=0;
 					foreach($field['value'] as $key => $select_value){
 						/* show radio options, preselecting first one */
-						echo'<span><input type="radio" name="' . $name_id . '" id="' . $name_id . '"  value="'. $key . '"  '.checked($i,0,false).'/>'.$select_value.' </span>';
+						echo'<span><input type="radio" name="' . esc_attr($name_id) . '" id="' . esc_attr($name_id) . '"  value="'. esc_attr($key) . '"  '.checked($i,0,false).'/>'.esc_html($select_value).' </span>';
 					$i++;
 					}
 				}
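Review bot: in the select branch, `selected($key,$select_value,false)` compares each option's key against its own display label rather than against a stored or default value, so an option is only preselected when key and label happen to be identical. If no preselection is intended on the registration form, drop the call; otherwise compare against the actual submitted/default value. The `echo''.esc_html($field['lbl'])` form with the leading empty string is harmless but could lose the `''.` prefix throughout the hunk.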
--- a/wppizza/classes/class.wppizza.widgets.php
+++ b/wppizza/classes/class.wppizza.widgets.php
@@ -31,7 +31,8 @@
         		description under widget
         		IMPORTANT : OMIT textdomain in gettext call here as it will not work for whatever reason and stop all translations !!!
         	*/
-        	'description' => sprintf( __( '%s Widgets'), WPPIZZA_NAME),
+        	/* Translators: 1: WPPizza Name as defined by constant */
+        	'description' => sprintf( __( '%s Widgets' ), WPPIZZA_NAME),
     	);
 		parent::__construct(false, WPPIZZA_NAME, $widget_options );
 	}
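Review bot: the `'%s Widgets'` description still has no text domain, and the context comment explains this is deliberate because adding one "will not work for whatever reason"; that reason is worth pinning down in the code comment, since the likely explanation (a reviewer's guess, not established from the visible lines) is that the widget constructor runs before the plugin's `wppizza-admin` catalog is loaded, in which case moving the string into the `widgets_init` path after textdomain loading would let it use the plugin domain like every other string. The translators comment is placed correctly for the `sprintf()` call.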
@@ -308,20 +309,20 @@
 		  	$loggedinonly = !empty($instance['loggedinonly']) ? true : false;

 		?>
-		<div id="<?php echo $this->id; ?>" class="<?php echo WPPIZZA_SLUG; ?>">
+		<div id="<?php echo esc_attr($this->id); ?>" class="<?php echo esc_attr(WPPIZZA_SLUG); ?>">

 			    <p>
-			    	<label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e("Widget Title", 'wppizza-admin'); ?>:</label>
-			    	<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo $title; ?>" />
+			    	<label for="<?php echo esc_attr($this->get_field_id( 'title' )); ?>"><?php esc_attr_e("Widget Title", 'wppizza-admin'); ?>:</label>
+			    	<input class="widefat" id="<?php echo esc_attr($this->get_field_id( 'title' )); ?>" name="<?php echo esc_attr($this->get_field_name( 'title' )); ?>" type="text" value="<?php echo esc_attr($title); ?>" />
 			    	<br/>
-			    	<input class="checkbox" type="checkbox" id="<?php echo $this->get_field_id('suppresstitle'); ?>" name="<?php echo $this->get_field_name('suppresstitle'); ?>" <?php echo $suppresstitle; ?> value="1" />
-			    	<label for="<?php echo $this->get_field_id( 'suppresstitle' ); ?>"><?php _e("Suppress Title ?", 'wppizza-admin'); ?></label>
+			    	<input class="checkbox" type="checkbox" id="<?php echo esc_attr($this->get_field_id('suppresstitle')); ?>" name="<?php echo esc_attr($this->get_field_name('suppresstitle')); ?>" <?php echo $suppresstitle; ?> value="1" />
+			    	<label for="<?php echo esc_attr($this->get_field_id( 'suppresstitle' )); ?>"><?php _e("Suppress Title ?", 'wppizza-admin'); ?></label>

 			    </p>

 			    <p class="<?php echo WPPIZZA_SLUG; ?>-type">
-			    	<label for="<?php echo $this->get_field_id( 'type' ); ?>"><?php _e("Widget Type", 'wppizza-admin'); ?>:</label>
-			        <select id="<?php echo $this->get_field_id( 'type' ); ?>" class="widefat <?php echo WPPIZZA_SLUG; ?>-widget-select" name="<?php echo $this->get_field_name( 'type' ); ?>">
+			    	<label for="<?php echo esc_attr($this->get_field_id( 'type' )); ?>"><?php _e("Widget Type", 'wppizza-admin'); ?>:</label>
+			        <select id="<?php echo esc_attr($this->get_field_id( 'type' )); ?>" class="widefat <?php echo WPPIZZA_SLUG; ?>-widget-select" name="<?php echo esc_attr($this->get_field_name( 'type' )); ?>">
 			        <?php foreach($this->wppizza_shortcode_type_options() as $key => $val){ ?>
 			        	<option value="<?php echo $key; ?>" <?php selected($key,$type,true) ?>><?php echo $val; ?></option>
 			        <?php } ?>
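Review bot: the escaping in this widget form is inconsistent: the `Widget Title` label switches to `esc_attr_e()`, but that label text is element content, not an attribute, so `esc_html_e()` is the matching function; meanwhile `Suppress Title ?` and `Widget Type` keep the unescaped `_e()`, `<?php echo $suppresstitle; ?>` on the checkbox is echoed raw, and the option loop at the end of the hunk still does `echo $key` and `echo $val` without `esc_attr()`/`esc_html()`. Apply one rule to the whole form rather than escaping some attributes and not their neighbours.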
@@ -341,7 +342,7 @@
 				        </select><br/>
 				        <input class="checkbox" type="checkbox" id="<?php echo $this->get_field_id('as_dropdown'); ?>" name="<?php echo $this->get_field_name('as_dropdown'); ?>" <?php echo $as_dropdown; ?> value="1" />
 				    	<label for="<?php echo $this->get_field_id( 'as_dropdown' ); ?>"><?php _e("As dropdown ?", 'wppizza-admin'); ?></label><br/>
-				        <small style="color:blue"><?php _e("Please refer to <a href='http://docs.wp-pizza.com/getting-started/?section=setup' target='_blank'>Set-Up</a> and  <a href='http://docs.wp-pizza.com/shortcodes/?section=navigation' target='_blank'>Navigation Shortcode/Widget</a> documentation when using this widget (or shortcode) to display the navigation", 'wppizza-admin'); ?></small>
+				        <small style="color:blue"><?php echo sprintf( __('Please refer to <a href="%1$s" target="_blank">Set-Up</a> and <a href="%2$s" target="_blank">Navigation Shortcode/Widget</a> documentation when using this widget (or shortcode) to display the navigation', "wppizza-admin"), "https://docs.wp-pizza.com/getting-started/?section=setup" , "https://docs.wp-pizza.com/shortcodes/?section=navigation"); ?></small>
 					</p>

 				    <p class="<?php echo WPPIZZA_SLUG; ?>-selected-orderpage" <?php if($type=='orderpage'){echo "style='display:block'";}else{echo "style='display:none'";} ?>>
@@ -421,7 +422,7 @@

 				    	<input class="checkbox" type="checkbox" id="<?php echo $this->get_field_id('wppizza'); ?>" name="<?php echo $this->get_field_name('wppizza'); ?>" <?php checked($posttypewppizza,true,true) ?> value="1" />
 				    	<label for="<?php echo $this->get_field_id( 'wppizza' ); ?>"><?php _e("wppizza menu items", 'wppizza-admin'); ?>
-				    	<small style="color:blue;"><br> <?php _e('If enabled, create a <a href="http://docs.wp-pizza.com/developers/?section=wppizza-markup-single-single-php">single page</a> and <a href="https://docs.wp-pizza.com/developers/?section=wppizza-markup-search-search-php">search page</a> appropriate for your theme', 'wppizza-admin'); ?></small>
+				    	<small style="color:blue;"><br> <?php echo sprintf(__('If enabled, create a <a href="%1$s">single page</a> and <a href="%2$s">search page</a> appropriate for your theme', 'wppizza-admin'), "https://docs.wp-pizza.com/developers/?section=wppizza-markup-single-single-php", "https://docs.wp-pizza.com/developers/?section=wppizza-markup-search-search-php"); ?></small>
 				    	</label>
 				    	<br/>

--- a/wppizza/classes/class.wppizza.wpml.php
+++ b/wppizza/classes/class.wppizza.wpml.php
@@ -219,8 +219,10 @@
 			$settings['fields'][$this->section_key][$field] = array(__('(De)Register WPML Strings', 'wppizza-admin') , array(
 				'value_key'=>$field,
 				'option_key'=>$this->settings_page,
-				'label'=>sprintf( __( 'If you have enabled/added WPML *after* installing or updating %s, check this box and save to register all translatable %s strings.', 'wppizza-admin'), WPPIZZA_NAME, WPPIZZA_NAME),
+				/* Translators: 1,2: WPPizza Name as defined by constant */
+				'label'=>sprintf( __( 'If you have enabled/added WPML *after* installing or updating %1$s, check this box and save to register all translatable %2$s strings.', 'wppizza-admin'), WPPIZZA_NAME, WPPIZZA_NAME),
 				'description'=>array(
+					/* Translators: 1: WPPizza Name as defined by constant */
 					sprintf(__( 'Note: Once WPML string translations have been registered, you can also run this again at any time to de-register any obsolete %s translations that may have been added over time (such as removed additives, sizes etc)', 'wppizza-admin'), WPPIZZA_NAME)
 				)
 			));
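Review bot: switching the WPML label from two bare `%s` placeholders to `%1$s`/`%2$s` is correct (numbered placeholders let translators reorder them), but it changes the msgid, so any existing translation of this string stops matching until the catalog is regenerated; note that in the changelog. The translators comments are placed directly before the `sprintf()` calls they describe, which is what the extraction tools expect.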
--- a/wppizza/classes/markup/email_print.php
+++ b/wppizza/classes/markup/email_print.php
@@ -247,8 +247,10 @@
 										/*label for order is made up of 3 labels*/
 										if($section_key=='order'){
 											$orderlbl=implode(' | ',$section['labels']['parameters']);
+											/* Translators: 1: Section titles such as 'Site Details', 'Overview', 'Customer Details'... */
 											$mar
