Security: add capability checks to AJAX handlers

Added current_user_can('manage_options') checks to the theme migration
and user feedback AJAX handlers for defense-in-depth. Updated changelog.

Fixes #250

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: georgeolaru

includes/class-customify-style-manager.php

@@ -869,6 +869,10 @@ public function should_ask_for_feedback( $timestamp_limit = false ) {
 		public function user_feedback_callback() {
 			check_ajax_referer( 'customify_style_manager_user_feedback', 'nonce' );
 
+			if ( ! current_user_can( 'manage_options' ) ) {
+				wp_send_json_error( esc_html__( 'You do not have permission to perform this action.', 'customify' ) );
+			}
+
 			if ( empty( $_POST['type'] ) ) {
 				wp_send_json_error( esc_html__( 'No type provided', 'customify' ) );
 			}

includes/extras.php

@@ -441,6 +441,10 @@ function customify_migrate_customizations_from_parent_to_child_theme() {
 	// Check nonce.
 	check_ajax_referer( 'customify_migrate_customizations_from_parent_to_child_theme', 'nonce_migrate' );
 
+	if ( ! current_user_can( 'manage_options' ) ) {
+		wp_send_json_error( esc_html__( 'You do not have permission to perform this action.', 'customify' ) );
+	}
+
 	$parent_theme = wp_get_theme( get_template() );
 	if ( ! $parent_theme->exists() ) {
 		wp_send_json_error();

readme.txt

@@ -31,7 +31,12 @@ This plugin is **primarily intended** to be used together with [Pixelgrade theme
 == Changelog ==
 
 = 2.10.6 =
+* Security: added capability checks to AJAX handlers for defense-in-depth.
 * Fix inline font script breaking AJAX-based theme navigation.
+* PHP 8.x compatibility: added null safety guards for array operations.
+* Updated minimum PHP requirement to 7.4.
+* Updated minimum WordPress requirement to 5.9.
+* Tested with WordPress 6.9.
 
 = 2.10.5 =
 * Security fixes.