AJAX nonce verification enabled

includes/class-wpliveticker2.php

@@ -248,6 +248,7 @@ class WPLiveticker2 {
 			'ajax_object',
 			array(
 				'ajax_url'      => admin_url( 'admin-ajax.php' ),
+				'nonce'         => wp_create_nonce( 'wplt2_update-ticks' ),
 				'poll_interval' => self::$_options['poll_interval'] * 1000,
 			)
 		);
@@ -259,8 +260,8 @@ class WPLiveticker2 {
 	 * @return void
 	 */
 	public static function ajax_update() {
-		// TODO: re-enable security checks.
-		// check_ajax_referer( 'wplt2_update-ticks' );
+		// Verify AJAX nonce.
+		check_ajax_referer( 'wplt2_update-ticks' );
 
 		// Extract update requests.
 		if ( isset( $_POST['update'] ) && is_array( $_POST['update'] ) ) {
@@ -284,7 +285,7 @@ class WPLiveticker2 {
 						),
 						'date_query'     => array(
 							'after' => date( 'c', $last_poll ),
-						)
+						),
 					);
 
 					$query = new WP_Query( $query_args );

scripts/wp-liveticker2.js

@@ -12,6 +12,7 @@ WPLT2.init = function () {
 	});
 	// Extract AJAX settings.
 	WPLT2.ajaxURL = ajax_object.ajax_url;
+	WPLT2.nonce = ajax_object.nonce;
 	WPLT2.pollInterval = ajax_object.poll_interval;
 	// Trigger update, if necessary.
 	if (WPLT2.ticker.length > 0 && WPLT2.pollInterval > 0) {
@@ -32,8 +33,9 @@ WPLT2.update = function () {
 	jQuery.post(
 		WPLT2.ajaxURL,
 		{
-			'action': 'wplt2_update-ticks',
-			'update': updateReq
+			'action'  : 'wplt2_update-ticks',
+			'_ajax_nonce': WPLT2.nonce,
+			'update'     : updateReq
 		},
 		function (res) {
 			try {