Merge pull request #874 from wpdev10/master

Fix Max entries per csv file option in Import/Export setting not show…

Author: kprajapatii

admin/views/html-admin-settings-import-export-users.php

@@ -109,7 +109,7 @@
 $uwp_chunk_sizes = apply_filters('uwp_ie_csv_chunks_options', $uwp_chunk_sizes);
 $uwp_chunk_sizes_opts = '';
 foreach ($uwp_chunk_sizes as $value => $title) {
-    $uwp_chunk_sizes_opts .= '<option value="' . $value . '" ' . selected($value, 5000, false) . '>' . $title . '</option>';
+    $uwp_chunk_sizes_opts .= '<option value="' . esc_attr($value) . '" ' . selected($value, 5000, false) . '>' . esc_attr($title) . '</option>';
 }
 
 $users_count = count_users();
@@ -124,7 +124,7 @@
                 <tbody>
                 <tr>
                     <th class=""><label for="uwp_ie_chunk_size"><?php esc_html_e( 'Max entries per csv file:', 'userswp' );?></label></th>
-                    <td><select name="uwp_ie_chunk_size" class="aui-select2" id="uwp_ie_chunk_size" data-ucount = "<?php echo esc_attr( $total_users );?>" style="min-width:140px"><?php echo esc_attr( $uwp_chunk_sizes_opts );?></select><p class="description"><?php esc_html_e( 'The maximum number of entries per csv file (default to 5000, you might want to lower this to prevent memory issues.)', 'userswp' );?></p></td>
+                    <td><select name="uwp_ie_chunk_size" class="aui-select2" id="uwp_ie_chunk_size" data-ucount = "<?php echo esc_attr( $total_users );?>" style="min-width:140px"><?php echo $uwp_chunk_sizes_opts; ?></select><p class="description"><?php esc_html_e( 'The maximum number of entries per csv file (default to 5000, you might want to lower this to prevent memory issues.)', 'userswp' );?></p></td>
                 </tr>
                 </tbody>
             </table>

includes/class-profile.php

@@ -1509,8 +1509,17 @@ public function add_uwp_plupload_param( $params ) {
 	 * @return      void
 	 */
 	public function ajax_avatar_banner_upload() {
-		// Image upload handler
-		// todo: security checks
+
+        if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( $_POST['security'], 'uwp_avatar_banner_upload_nonce' ) ) {
+            $result['error'] = aui()->alert( array(
+                'type'    => 'danger',
+                'content' => __( "Security check failed.", "userswp" )
+            ) );
+            $return          = json_encode( $result );
+            echo $return; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+            die();
+        }
+
 		$type   = strip_tags( esc_sql( $_POST['uwp_popup_type'] ) );
 		$result = array();
 
@@ -1764,6 +1773,8 @@ public function crop_submit_form( $type = 'avatar' ) {
 
 		$content_wrap = $design_style == 'bootstrap' ? '.uwp-profile-image-change-modal .modal-content' : '#uwp-popup-modal-wrap';
 		$bg_color = apply_filters('uwp_crop_image_bg_color', '', $type);
+
+        $ajax_nonce = wp_create_nonce( 'uwp_avatar_banner_upload_nonce' );
 		?>
 
         <script type="text/javascript">
@@ -1805,6 +1816,8 @@ public function crop_submit_form( $type = 'avatar' ) {
                         // our AJAX identifier
                         fd.append('action', 'uwp_avatar_banner_upload');
                         fd.append('uwp_popup_type', '<?php echo esc_attr( $type ); ?>');
+                        // Add nonce for security
+                        fd.append('security', '<?php echo esc_js( $ajax_nonce ); ?>');
 
                         $("#progressBar").show().removeClass('d-none');
 
@@ -1853,7 +1866,8 @@ public function crop_submit_form( $type = 'avatar' ) {
                                         minSize: [uwp_full_width, uwp_full_height]
                                     });
                                 }
-                            }
+                            },
+
                         });
                     });
 

readme.txt

@@ -152,6 +152,10 @@ Yes, you can customize it with Elementor, but also with Gutenberg, Divi, Beaver
 
 == Changelog ==
 
+= 1.2.54 - 2026-01-TBD =
+* Max entries per csv file option in Import/Export setting not showing options - FIXED
+* Check nonce while profile image and cover image crop - FIXED/SECURITY
+
 = 1.2.53 - 2026-01-08 =
 * Prevent duplicate event handlers in registration form switcher causing multiple AJAX requests - FIXED
 * Password strength doesn't enable/disable register button based on Minimum password strength setting - FIXED