
pr: [Nightly Fix] - Security - Validate Tools Ajax Nonce #37

Open

jewel-claw wants to merge 1 commit into master from nightly-fix/tools-nonce-validation

Conversation

@jewel-claw


What

The tools AJAX router accepted the upload_form action without validating the admin nonce.

Why

That left the form import endpoint open to CSRF from another site for authenticated admins with tools access.

Fix

Validate wpf_admin_nonce in GlobalTools::handleEndPoint() before dispatching any route. Existing per-route nonce checks remain compatible.

Confidence

Confirmed in code review and validated with php -l on the modified file.

@greptile-apps

greptile-apps Bot commented Mar 12, 2026


PR author is not in the allowed authors list.

@kilo-code-bot

kilo-code-bot Bot commented Mar 12, 2026


Code Review Summary

Status: No Issues Found | Recommendation: Merge

Overview

Severity    Count
CRITICAL    0
WARNING     0
SUGGESTION  0

Analysis

This PR adds CSRF protection to the handleEndPoint() method in GlobalTools.php by adding nonce validation (wpfValidateNonce('wpf_admin_nonce')) at line 26. This is a security improvement that protects the endpoint from CSRF attacks.

The change:

  • Adds nonce validation at the entry point of the AJAX handler
  • Uses the existing wpfValidateNonce() function already used elsewhere in the codebase
  • Validates before any processing occurs, preventing unauthorized actions
  • Covers all three routes handled by this endpoint: get_forms, export_form, and upload_form

This follows the same pattern used in other methods in this class (getForms(), exportFormJson()) which also have nonce validation.

Files Reviewed (1 file)
  • includes/Classes/Tools/GlobalTools.php - Security improvement
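The entry-point nonce check described in the Fix section of the PR description and in the review analysis above, as an added example that is not the plugin's own code. `NonceStub`, `ToolsRouter` and the `_wpnonce` request field are assumptions made for this example (the page only shows the action name `wpf_admin_nonce`, the helper name `wpfValidateNonce()`, and the three route names); `NonceStub` imitates `wp_create_nonce()`/`wp_verify_nonce()` with a constructed salt so the script runs outside WordPress. The "before" router dispatches first and relies on per-route checks, which leaves `upload_form` reachable by a cross-site POST; the "after" router verifies the nonce once before looking up any route.

```php
<?php
declare(strict_types=1);

// Stand-in for WordPress nonce helpers so this runs outside WordPress.
// It imitates wp_create_nonce()/wp_verify_nonce(): an HMAC over
// tick|action|user, truncated to 10 characters, valid for the current
// and the previous tick. Salt and lifetime are constructed values.
final class NonceStub
{
    private const SALT     = 'constructed-salt-for-the-example';
    private const LIFETIME = 43200; // seconds; half the nonce life, as in WP

    private static function tick(): int
    {
        return (int) ceil(time() / self::LIFETIME);
    }

    private static function token(int $tick, string $action, int $userId): string
    {
        return substr(hash_hmac('md5', $tick . '|' . $action . '|' . $userId, self::SALT), -12, 10);
    }

    public static function create(string $action, int $userId): string
    {
        return self::token(self::tick(), $action, $userId);
    }

    /** 1 = current tick, 2 = previous tick, false = invalid (wp_verify_nonce contract). */
    public static function verify(string $nonce, string $action, int $userId)
    {
        $t = self::tick();
        if (hash_equals(self::token($t, $action, $userId), $nonce)) {
            return 1;
        }
        if (hash_equals(self::token($t - 1, $action, $userId), $nonce)) {
            return 2;
        }
        return false;
    }
}

// Hypothetical tools router with the three routes the review lists.
// The '_wpnonce' request field is an assumption; the PR page does not
// show which field the project reads. Capability checks (the "tools
// access" the PR mentions) are assumed to happen before this router.
final class ToolsRouter
{
    private const NONCE_ACTION = 'wpf_admin_nonce';

    public function __construct(private int $userId) {}

    // "Before" shape: dispatch first; only some handlers verify the nonce,
    // so upload_form is reachable by a forged cross-site request.
    public function handleEndPointBefore(array $request): string
    {
        return $this->dispatch($request, onlySomeRoutesCheck: true);
    }

    // "After" shape: verify the admin nonce once, before any route is
    // looked up, so every current and future route is covered.
    public function handleEndPoint(array $request): string
    {
        $nonce = (string) ($request['_wpnonce'] ?? '');
        if (NonceStub::verify($nonce, self::NONCE_ACTION, $this->userId) === false) {
            return '403: invalid or missing nonce';
        }
        return $this->dispatch($request, onlySomeRoutesCheck: false);
    }

    private function dispatch(array $request, bool $onlySomeRoutesCheck): string
    {
        $route   = (string) ($request['route'] ?? '');
        $nonce   = (string) ($request['_wpnonce'] ?? '');
        $nonceOk = NonceStub::verify($nonce, self::NONCE_ACTION, $this->userId) !== false;

        switch ($route) {
            case 'get_forms':
                return ($onlySomeRoutesCheck && !$nonceOk) ? '403: invalid nonce' : 'ok: listed forms';
            case 'export_form':
                return ($onlySomeRoutesCheck && !$nonceOk) ? '403: invalid nonce' : 'ok: exported form';
            case 'upload_form':
                // No per-route check here: this is the gap the PR closes.
                return 'ok: imported form';
            default:
                return '404: unknown route';
        }
    }
}

// Demo. A forged cross-site request carries no nonce, because the
// attacking origin cannot read the admin page that embeds it; the
// legitimate admin request does.
$router = new ToolsRouter(userId: 1);
$forged = ['route' => 'upload_form'];
$legit  = ['route' => 'upload_form', '_wpnonce' => NonceStub::create('wpf_admin_nonce', 1)];

echo 'forged, before fix: ', $router->handleEndPointBefore($forged), PHP_EOL;
echo 'forged, after fix:  ', $router->handleEndPoint($forged), PHP_EOL;
echo 'legit, after fix:   ', $router->handleEndPoint($legit), PHP_EOL;
```

Two points worth keeping in mind when applying this shape to real WordPress code: `wp_verify_nonce()` returns `1`, `2` or `false`, so compare against `false` rather than relying on truthiness, or use `check_ajax_referer()` which terminates the request on failure; and a nonce is a CSRF token, not an authorisation check, so the `current_user_can()` gate for tools access must remain in place alongside it.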
