From 14bce3f87282e17b7214bf09e795c2550bcd858c Mon Sep 17 00:00:00 2001 From: mehedifoysal Date: Thu, 21 Mar 2024 12:41:44 +0600 Subject: [PATCH 1/7] nonce fields sanitize --- admin/tf-options/classes/TF_Metabox.php | 3 +-- admin/tf-options/classes/TF_Settings.php | 4 ++-- admin/tf-options/classes/TF_Taxonomy_Metabox.php | 2 +- inc/booking-details/apartment/booking-details.php | 5 ++--- .../apartment/single-booking-details.php | 2 +- inc/booking-details/hotel/booking-details.php | 2 +- inc/booking-details/hotel/single-booking-details.php | 2 +- inc/booking-details/tour/booking-details.php | 2 +- inc/booking-details/tour/single-booking-details.php | 2 +- inc/classes/class-setup-wizard.php | 2 +- inc/functions.php | 4 ++-- inc/functions/functions-apartment.php | 4 ++-- inc/functions/functions-helper.php | 2 +- inc/functions/functions-hotel.php | 12 ++++++------ inc/functions/functions-review.php | 2 +- inc/functions/functions-tour.php | 4 ++-- inc/functions/functions-wishlist.php | 12 ++++++------ inc/functions/functions_order.php | 12 ++++++------ inc/functions/woocommerce/wc-apartment.php | 2 +- inc/functions/woocommerce/wc-hotel.php | 2 +- inc/functions/woocommerce/wc-tour.php | 2 +- templates/common/search-results.php | 2 +- templates/template-parts/search/design-2.php | 2 +- 23 files changed, 43 insertions(+), 45 deletions(-) diff --git a/admin/tf-options/classes/TF_Metabox.php b/admin/tf-options/classes/TF_Metabox.php index 8ea23c02e..c5afe6779 100644 --- a/admin/tf-options/classes/TF_Metabox.php +++ b/admin/tf-options/classes/TF_Metabox.php 
@@ -149,8 +149,7 @@ public function tf_meta_box_content( $post ) { */ public function save_metabox( $post_id ) { // Check if a nonce is valid. - - if ( !empty($_POST['tf_meta_box_nonce']) && ! wp_verify_nonce( esc_attr($_POST['tf_meta_box_nonce']), 'tf_meta_box_nonce_action' ) ) { + if ( !empty($_POST['tf_meta_box_nonce']) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_meta_box_nonce'])), 'tf_meta_box_nonce_action' ) ) { return; } diff --git a/admin/tf-options/classes/TF_Settings.php b/admin/tf-options/classes/TF_Settings.php index fc5e9b6ba..314a55e1c 100644 --- a/admin/tf-options/classes/TF_Settings.php +++ b/admin/tf-options/classes/TF_Settings.php @@ -749,7 +749,7 @@ public function save_options() { // Check if a nonce is valid. - if ( !isset( $_POST['tf_option_nonce'] ) || !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['tf_option_nonce'] ) ), 'tf_option_nonce_action' ) ) { + if ( !empty( $_POST['tf_option_nonce'] ) && !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['tf_option_nonce'] ) ), 'tf_option_nonce_action' ) ) { return; } @@ -871,7 +871,7 @@ public function tf_ajax_save_options() { 'message' => __( 'Something went wrong!', 'tourfic' ), ]; - if( ! empty( $_POST['tf_option_nonce'] ) && wp_verify_nonce( $_POST['tf_option_nonce'], 'tf_option_nonce_action' ) ) { + if( ! empty( $_POST['tf_option_nonce'] ) && wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_option_nonce'])), 'tf_option_nonce_action' ) ) { if(isset($_POST['tf_import_option']) && !empty(wp_unslash( trim( $_POST['tf_import_option']) )) ){ diff --git a/admin/tf-options/classes/TF_Taxonomy_Metabox.php b/admin/tf-options/classes/TF_Taxonomy_Metabox.php index 000b546e6..b7d173f07 100644 --- a/admin/tf-options/classes/TF_Taxonomy_Metabox.php +++ b/admin/tf-options/classes/TF_Taxonomy_Metabox.php 
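Review bot: The save_options hunk rewrites `! isset( $_POST['tf_option_nonce'] ) || ! wp_verify_nonce( ... )` as `! empty( $_POST['tf_option_nonce'] ) && ! wp_verify_nonce( ... )`, which inverts the guard: a request that simply omits the nonce field no longer hits the early return and the option save proceeds unverified, so the nonce only protects clients that choose to send one. The wp_unslash/sanitize_text_field wrapping is the right change, but the shape must stay `if ( ! isset( $_POST['tf_option_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['tf_option_nonce'] ) ), 'tf_option_nonce_action' ) ) {`. The same `! isset … ||` to `! empty … &&` rewrite is applied in this patch to the functions-apartment, functions-helper, functions-hotel, functions-review, functions-tour, functions-wishlist, wc-apartment, wc-hotel, wc-tour and search-results hunks, and the save_metabox hunk just above already carried the weak `! empty … &&` form; all of them need the `! isset … ||` shape. The body of save_options continues outside the hunk.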
@@ -112,7 +112,7 @@ public function tf_taxonomy_content( $term ) { public function save_taxonomy( $term_id ) { // Check if a nonce is valid. - if ( !empty($_POST['tf_taxonomy_nonce']) && ! wp_verify_nonce( esc_attr($_POST['tf_taxonomy_nonce']), 'tf_taxonomy_nonce_action' ) ) { + if ( !empty($_POST['tf_taxonomy_nonce']) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_taxonomy_nonce'])), 'tf_taxonomy_nonce_action' ) ) { return; } diff --git a/inc/booking-details/apartment/booking-details.php b/inc/booking-details/apartment/booking-details.php index 7895da12b..7a02785b6 100644 --- a/inc/booking-details/apartment/booking-details.php +++ b/inc/booking-details/apartment/booking-details.php @@ -1,7 +1,6 @@
diff --git a/inc/booking-details/apartment/single-booking-details.php b/inc/booking-details/apartment/single-booking-details.php index 664b43dcf..10ec65a69 100644 --- a/inc/booking-details/apartment/single-booking-details.php +++ b/inc/booking-details/apartment/single-booking-details.php @@ -9,7 +9,7 @@
'error', 'message' => esc_html__( 'Something went wrong. Please try again.', 'tourfic' ) ]; - $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : ''; + $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash($_POST['nonce']) ) : ''; if ( ! wp_verify_nonce( $nonce, 'tf_affiliate_install' ) ) { wp_send_json_error( $response ); } diff --git a/inc/functions/functions-apartment.php b/inc/functions/functions-apartment.php index a2153060a..66f5b1f40 100644 --- a/inc/functions/functions-apartment.php +++ b/inc/functions/functions-apartment.php @@ -2594,7 +2594,7 @@ function tf_apartment_host_rating( $author_id ) { if ( ! function_exists( 'tf_apartment_room_quick_view' ) ) { function tf_apartment_room_quick_view() { // Check nonce security - if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], 'tf_ajax_nonce' ) ) { + if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $meta = get_post_meta( sanitize_text_field( $_POST['post_id'] ), 'tf_apartment_opt', true ); @@ -2891,7 +2891,7 @@ function tf_apartment_feature_assign_taxonomies( $post_id, $post, $old_status ) if ( ! function_exists( 'tf_apartments_search_ajax_callback' ) ) { function tf_apartments_search_ajax_callback() { // Check nonce security - if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], 'tf_ajax_nonce' ) ) { + if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $response = [ diff --git a/inc/functions/functions-helper.php b/inc/functions/functions-helper.php index e313cc3a2..9a397528e 100644 --- a/inc/functions/functions-helper.php +++ b/inc/functions/functions-helper.php @@ -641,7 +641,7 @@ class="regular-text"/>
*/ if ( ! function_exists( 'tf_save_extra_user_profile_fields' ) ) { function tf_save_extra_user_profile_fields( $user_id ) { - if ( empty( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'update-user_' . $user_id ) ) { + if ( !empty( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'update-user_' . $user_id ) ) { return; } diff --git a/inc/functions/functions-hotel.php b/inc/functions/functions-hotel.php index 7eb9404a3..3e0d646f4 100644 --- a/inc/functions/functions-hotel.php +++ b/inc/functions/functions-hotel.php @@ -333,7 +333,7 @@ function get_hotel_locations() { function tf_hotel_airport_service_callback() { // Check nonce security - if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], 'tf_ajax_nonce' ) ) { + if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $meta = get_post_meta( sanitize_key( $_POST['id'] ), 'tf_hotels_opt', true ); @@ -702,7 +702,7 @@ function tf_hotel_airport_service_callback() { function tf_room_availability_callback() { // Check nonce security - if ( ! isset( $_POST['tf_room_avail_nonce'] ) || ! wp_verify_nonce( $_POST['tf_room_avail_nonce'], 'check_room_avail_nonce' ) ) { + if ( ! empty( $_POST['tf_room_avail_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_room_avail_nonce'])), 'check_room_avail_nonce' ) ) { return; } @@ -3674,7 +3674,7 @@ function tf_remove_room_order_ids() { function tf_hotel_quickview_callback() { // Check nonce security - if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], 'tf_ajax_nonce' ) ) { + if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $meta = get_post_meta( $_POST['post_id'], 'tf_hotels_opt', true ); 
@@ -4081,7 +4081,7 @@ function tf_hotel_quickview_callback() { function tf_hotel_archive_popup_qv_callback(){ // Check nonce security - if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], 'tf_ajax_nonce' ) ) { + if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } if( !empty($_POST['post_type']) && "tf_hotel"==$_POST['post_type']){ @@ -4187,7 +4187,7 @@ function tf_hotel_total_room_adult_child( $hotel_id, $type = 'room' ) { if ( ! function_exists( 'tf_hotel_search_ajax_callback' ) ) { function tf_hotel_search_ajax_callback() { // Check nonce security - if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], 'tf_ajax_nonce' ) ) { + if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $response = [ @@ -4260,7 +4260,7 @@ function tf_hotel_filter_by_features( $features ) { function tf_hotel_booking_popup_callback() { // Check nonce security - if ( ! isset( $_POST['tf_room_booking_nonce'] ) || ! wp_verify_nonce( $_POST['tf_room_booking_nonce'], 'check_room_booking_nonce' ) ) { + if ( ! empty( $_POST['tf_room_booking_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_room_booking_nonce'])), 'check_room_booking_nonce' ) ) { return; } diff --git a/inc/functions/functions-review.php b/inc/functions/functions-review.php index d2f79a4e7..ecd4b5eaa 100644 --- a/inc/functions/functions-review.php +++ b/inc/functions/functions-review.php 
@@ -291,7 +291,7 @@ function tf_save_rating( $comment_id, $comment_approved, $commentdata ) { // Get the post ID from the comment data $post_id = $commentdata['comment_post_ID']; // Check nonce security - if ( ! isset( $_POST['_wp_unfiltered_html_comment'] ) || ! wp_verify_nonce( $_POST['_wp_unfiltered_html_comment'], 'unfiltered-html-comment_' . $post_id ) ) { + if ( ! empty( $_POST['_wp_unfiltered_html_comment'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_wp_unfiltered_html_comment'])), 'unfiltered-html-comment_' . $post_id ) ) { return; } if ( ( isset( $_POST[ TF_COMMENT_META ] ) ) && ( '' !== $_POST[ TF_COMMENT_META ] ) ) { diff --git a/inc/functions/functions-tour.php b/inc/functions/functions-tour.php index f54748042..347ea6e04 100644 --- a/inc/functions/functions-tour.php +++ b/inc/functions/functions-tour.php @@ -3530,7 +3530,7 @@ function tf_filter_tour_by_without_date( $period, &$total_posts, array &$not_fou if ( ! function_exists( 'tf_tour_search_ajax_callback' ) ) { function tf_tour_search_ajax_callback() { // Check nonce security - if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], 'tf_ajax_nonce' ) ) { + if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $response = [ @@ -3707,7 +3707,7 @@ function tf_tour_type_assign_taxonomies( $post_id, $post, $old_status ) { add_action( 'wp_ajax_tf_tour_booking_popup', 'tf_tour_booking_popup_callback' ); function tf_tour_booking_popup_callback() { // Check nonce security - if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( $_POST['_nonce'], 'tf_ajax_nonce' ) ) { + if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $response = array(); diff --git a/inc/functions/functions-wishlist.php b/inc/functions/functions-wishlist.php index da0407f61..a641f562b 100644 --- a/inc/functions/functions-wishlist.php 
+++ b/inc/functions/functions-wishlist.php @@ -15,8 +15,8 @@ function tf_add_to_wishlists() { // Check nonce security - if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'wishlist-nonce' ) ) { - die('Whoops!'); + if ( ! empty( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['nonce'])), 'wishlist-nonce' ) ) { + die(esc_html_e( 'Nonce verification failed', 'tourfic' )); } if (isset($_POST)) { @@ -119,8 +119,8 @@ function tf_generate_table_for_user($type) function tf_generate_table_guest() { // Check nonce security - if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'populate-wishlist-guest-nonce' ) ) { - die('Whoops!'); + if ( ! empty( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['nonce'])), 'populate-wishlist-guest-nonce' ) ) { + die(esc_html_e( 'Nonce verification failed', 'tourfic' )); } if (isset($_POST)) { @@ -157,8 +157,8 @@ function tf_generate_table($ids, $type = null) function tf_remove_wishlist() { // Check nonce security - if ( ! isset( $_GET['nonce'] ) || ! wp_verify_nonce( $_GET['nonce'], 'wishlist-nonce' ) ) { - die('Whoops!'); + if ( ! empty( $_GET['nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_GET['nonce'])), 'wishlist-nonce' ) ) { + die(esc_html_e( 'Nonce verification failed', 'tourfic' )); } if (isset($_GET)) { diff --git a/inc/functions/functions_order.php b/inc/functions/functions_order.php index cc1ff02cb..ef725d95a 100644 --- a/inc/functions/functions_order.php +++ b/inc/functions/functions_order.php 
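Review bot: `die(esc_html_e( 'Nonce verification failed', 'tourfic' ));` in tf_add_to_wishlists only works because esc_html_e echoes as a side effect; its return value is void, so die() is handed nothing meaningful, and a reader has to know that to see why the message appears. Use the returning variant and the WordPress terminator, `wp_die( esc_html__( 'Nonce verification failed', 'tourfic' ) );`, or, since these are AJAX endpoints, `wp_send_json_error( esc_html__( 'Nonce verification failed', 'tourfic' ) );` so the caller gets a structured failure. The tf_generate_table_guest and tf_remove_wishlist hunks in this file introduce the same construct, and the three functions_order hunks below keep it while changing only the string.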
@@ -46,9 +46,9 @@ function tf_add_order_submenu() { if ( ! function_exists( 'tf_tour_booking_page_callback' ) ) { function tf_tour_booking_page_callback() { - if ( !empty($_REQUEST['nonce']) && (! wp_verify_nonce( esc_attr($_REQUEST['nonce']), 'updates' ) && ! wp_verify_nonce( esc_attr($_REQUEST['nonce']), 'tf_booking_details' ) ) ) { + if ( !empty($_REQUEST['nonce']) && (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) { // This nonce is not valid. - die( esc_html_e( 'Security Reasons', 'tourfic' ) ); + die( esc_html_e( 'Nonce verification failed', 'tourfic' ) ); } if(!empty($_GET['order_id']) && !empty($_GET['action']) && !empty($_GET['book_id'])){ @@ -181,9 +181,9 @@ function tf_tour_booking_page_callback() { if ( ! function_exists( 'tf_hotel_booking_page_callback' ) ) { function tf_hotel_booking_page_callback() { - if ( !empty($_REQUEST['nonce']) && (! wp_verify_nonce( esc_attr($_REQUEST['nonce']), 'updates' ) && ! wp_verify_nonce( esc_attr($_REQUEST['nonce']), 'tf_booking_details' ) ) ) { + if ( !empty($_REQUEST['nonce']) && (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) { // This nonce is not valid. - die( esc_html_e( 'Security Reasons', 'tourfic' ) ); + die( esc_html_e( 'Nonce verification failed', 'tourfic' ) ); } if(!empty($_GET['order_id']) && !empty($_GET['action']) && !empty($_GET['book_id'])){ 
@@ -312,9 +312,9 @@ function tf_hotel_booking_page_callback() { if ( ! function_exists( 'tf_apartment_booking_page_callback' ) ) { function tf_apartment_booking_page_callback() { - if ( !empty($_REQUEST['nonce']) && (! wp_verify_nonce( esc_attr($_REQUEST['nonce']), 'updates' ) && ! wp_verify_nonce( esc_attr($_REQUEST['nonce']), 'tf_booking_details' ) ) ) { + if ( !empty($_REQUEST['nonce']) && (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) { // This nonce is not valid. - die( esc_html_e( 'Security Reasons', 'tourfic' ) ); + die( esc_html_e( 'Nonce verification failed', 'tourfic' ) ); } if(!empty($_GET['order_id']) && !empty($_GET['action']) && !empty($_GET['book_id'])){ diff --git a/inc/functions/woocommerce/wc-apartment.php b/inc/functions/woocommerce/wc-apartment.php index 0e916893f..05b0442de 100644 --- a/inc/functions/woocommerce/wc-apartment.php +++ b/inc/functions/woocommerce/wc-apartment.php @@ -12,7 +12,7 @@ function tf_apartment_booking_callback() { $tf_apartment_data = []; // Check nonce security - if ( ! isset( $_POST['tf_apartment_nonce'] ) || ! wp_verify_nonce( $_POST['tf_apartment_nonce'], 'tf_apartment_booking' ) ) { + if ( ! empty( $_POST['tf_apartment_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_apartment_nonce'])), 'tf_apartment_booking' ) ) { return; } diff --git a/inc/functions/woocommerce/wc-hotel.php b/inc/functions/woocommerce/wc-hotel.php index 8695ec358..7e6a8cfe3 100644 --- a/inc/functions/woocommerce/wc-hotel.php +++ b/inc/functions/woocommerce/wc-hotel.php 
@@ -21,7 +21,7 @@ function tf_hotel_booking_callback() { // Check nonce security - if ( ! isset( $_POST['tf_room_booking_nonce'] ) || ! wp_verify_nonce( $_POST['tf_room_booking_nonce'], 'check_room_booking_nonce' ) ) { + if ( ! empty( $_POST['tf_room_booking_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_room_booking_nonce'])), 'check_room_booking_nonce' ) ) { return; } diff --git a/inc/functions/woocommerce/wc-tour.php b/inc/functions/woocommerce/wc-tour.php index 669cd3ad8..cc80a2624 100644 --- a/inc/functions/woocommerce/wc-tour.php +++ b/inc/functions/woocommerce/wc-tour.php @@ -10,7 +10,7 @@ add_action( 'wp_ajax_nopriv_tf_tours_booking', 'tf_tours_booking_function' ); function tf_tours_booking_function() { - if ( ! isset( $_POST['_ajax_nonce'] ) || ! wp_verify_nonce( $_POST['_ajax_nonce'], 'tf_ajax_nonce' ) ) { + if ( ! empty( $_POST['_ajax_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_ajax_nonce'])), 'tf_ajax_nonce' ) ) { return; } diff --git a/templates/common/search-results.php b/templates/common/search-results.php index 2d4eb8eb3..32ef03a47 100644 --- a/templates/common/search-results.php +++ b/templates/common/search-results.php @@ -5,7 +5,7 @@ $tf_apartment_arc_selected_template = ! empty( tf_data_types(tfopt( 'tf-template' ))['apartment-archive'] ) ? tf_data_types(tfopt( 'tf-template' ))['apartment-archive'] : 'default'; // Check nonce security -if ( ! isset( $_GET['_nonce'] ) || ! wp_verify_nonce( $_GET['_nonce'], 'tf_ajax_nonce' ) ) { +if ( ! empty( $_GET['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_GET['_nonce'])), 'tf_ajax_nonce' ) ) { return; } diff --git a/templates/template-parts/search/design-2.php b/templates/template-parts/search/design-2.php index 9100e1ada..1b1d40c2b 100644 --- a/templates/template-parts/search/design-2.php +++ b/templates/template-parts/search/design-2.php @@ -1,7 +1,7 @@
Date: Thu, 21 Mar 2024 13:28:35 +0600 Subject: [PATCH 2/7] replace isset insted of empty innonce verify --- admin/tf-options/classes/TF_Metabox.php | 2 +- admin/tf-options/classes/TF_Settings.php | 4 ++-- admin/tf-options/classes/TF_Taxonomy_Metabox.php | 2 +- inc/booking-details/apartment/booking-details.php | 2 +- .../apartment/single-booking-details.php | 2 +- inc/booking-details/hotel/booking-details.php | 2 +- .../hotel/single-booking-details.php | 2 +- inc/booking-details/tour/booking-details.php | 2 +- .../tour/single-booking-details.php | 2 +- inc/classes/class-setup-wizard.php | 2 +- inc/functions.php | 5 ++--- inc/functions/functions-apartment.php | 4 ++-- inc/functions/functions-helper.php | 2 +- inc/functions/functions-hotel.php | 14 +++++++------- inc/functions/functions-review.php | 2 +- inc/functions/functions-tour.php | 4 ++-- inc/functions/functions-wishlist.php | 6 +++--- inc/functions/functions_order.php | 6 +++--- inc/functions/woocommerce/wc-apartment.php | 2 +- inc/functions/woocommerce/wc-hotel.php | 2 +- inc/functions/woocommerce/wc-tour.php | 2 +- templates/common/search-results.php | 2 +- templates/template-parts/search/design-2.php | 2 +- 23 files changed, 37 insertions(+), 38 deletions(-) diff --git a/admin/tf-options/classes/TF_Metabox.php b/admin/tf-options/classes/TF_Metabox.php index c5afe6779..6206934ac 100644 --- a/admin/tf-options/classes/TF_Metabox.php +++ b/admin/tf-options/classes/TF_Metabox.php @@ -149,7 +149,7 @@ public function tf_meta_box_content( $post ) { */ public function save_metabox( $post_id ) { // Check if a nonce is valid. - if ( !empty($_POST['tf_meta_box_nonce']) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_meta_box_nonce'])), 'tf_meta_box_nonce_action' ) ) { + if ( !isset($_POST['tf_meta_box_nonce']) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_meta_box_nonce'])), 'tf_meta_box_nonce_action' ) ) { return; } 
diff --git a/admin/tf-options/classes/TF_Settings.php b/admin/tf-options/classes/TF_Settings.php index 314a55e1c..bff48de50 100644 --- a/admin/tf-options/classes/TF_Settings.php +++ b/admin/tf-options/classes/TF_Settings.php @@ -749,7 +749,7 @@ public function save_options() { // Check if a nonce is valid. - if ( !empty( $_POST['tf_option_nonce'] ) && !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['tf_option_nonce'] ) ), 'tf_option_nonce_action' ) ) { + if ( !isset( $_POST['tf_option_nonce'] ) || !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['tf_option_nonce'] ) ), 'tf_option_nonce_action' ) ) { return; } @@ -871,7 +871,7 @@ public function tf_ajax_save_options() { 'message' => __( 'Something went wrong!', 'tourfic' ), ]; - if( ! empty( $_POST['tf_option_nonce'] ) && wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_option_nonce'])), 'tf_option_nonce_action' ) ) { + if( isset( $_POST['tf_option_nonce'] ) || wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_option_nonce'])), 'tf_option_nonce_action' ) ) { if(isset($_POST['tf_import_option']) && !empty(wp_unslash( trim( $_POST['tf_import_option']) )) ){ diff --git a/admin/tf-options/classes/TF_Taxonomy_Metabox.php b/admin/tf-options/classes/TF_Taxonomy_Metabox.php index b7d173f07..24ba105a0 100644 --- a/admin/tf-options/classes/TF_Taxonomy_Metabox.php +++ b/admin/tf-options/classes/TF_Taxonomy_Metabox.php @@ -112,7 +112,7 @@ public function tf_taxonomy_content( $term ) { public function save_taxonomy( $term_id ) { // Check if a nonce is valid. - if ( !empty($_POST['tf_taxonomy_nonce']) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_taxonomy_nonce'])), 'tf_taxonomy_nonce_action' ) ) { + if ( !isset($_POST['tf_taxonomy_nonce']) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_taxonomy_nonce'])), 'tf_taxonomy_nonce_action' ) ) { return; } 
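Review bot: In the tf_ajax_save_options hunk the positive check became `isset( $_POST['tf_option_nonce'] ) || wp_verify_nonce( ... )`; `||` short-circuits as soon as the key exists, so any POST carrying a `tf_option_nonce` field of any value reaches the import/save branch without wp_verify_nonce ever running, and a POST without the key reads an undefined index. This branch is a positive condition, so the commit's isset-for-empty swap needed `&&` here: `if ( isset( $_POST['tf_option_nonce'] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['tf_option_nonce'] ) ), 'tf_option_nonce_action' ) ) {`. The save_options hunk above and the save_metabox and save_taxonomy hunks correctly restore `! isset( ... ) || ! wp_verify_nonce( ... )`; this one is the outlier. The function body continues outside the hunk.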
diff --git a/inc/booking-details/apartment/booking-details.php b/inc/booking-details/apartment/booking-details.php index 7a02785b6..99a30920b 100644 --- a/inc/booking-details/apartment/booking-details.php +++ b/inc/booking-details/apartment/booking-details.php @@ -1,5 +1,5 @@ diff --git a/inc/booking-details/apartment/single-booking-details.php b/inc/booking-details/apartment/single-booking-details.php index 10ec65a69..8d0337bab 100644 --- a/inc/booking-details/apartment/single-booking-details.php +++ b/inc/booking-details/apartment/single-booking-details.php @@ -9,7 +9,7 @@
'error', 'message' => esc_html__( 'Something went wrong. Please try again.', 'tourfic' ) ]; - $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash($_POST['nonce']) ) : ''; - if ( ! wp_verify_nonce( $nonce, 'tf_affiliate_install' ) ) { + if ( !isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash($_POST['nonce']) ), 'tf_affiliate_install' ) ) { wp_send_json_error( $response ); } if ( current_user_can( 'activate_plugins' ) ) { diff --git a/inc/functions/functions-apartment.php b/inc/functions/functions-apartment.php index 66f5b1f40..642343688 100644 --- a/inc/functions/functions-apartment.php +++ b/inc/functions/functions-apartment.php @@ -2594,7 +2594,7 @@ function tf_apartment_host_rating( $author_id ) { if ( ! function_exists( 'tf_apartment_room_quick_view' ) ) { function tf_apartment_room_quick_view() { // Check nonce security - if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { + if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $meta = get_post_meta( sanitize_text_field( $_POST['post_id'] ), 'tf_apartment_opt', true ); @@ -2891,7 +2891,7 @@ function tf_apartment_feature_assign_taxonomies( $post_id, $post, $old_status ) if ( ! function_exists( 'tf_apartments_search_ajax_callback' ) ) { function tf_apartments_search_ajax_callback() { // Check nonce security - if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { + if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $response = [ diff --git a/inc/functions/functions-helper.php b/inc/functions/functions-helper.php index 9a397528e..77b4785a4 100644 --- a/inc/functions/functions-helper.php +++ b/inc/functions/functions-helper.php 
@@ -641,7 +641,7 @@ class="regular-text"/>
*/ if ( ! function_exists( 'tf_save_extra_user_profile_fields' ) ) { function tf_save_extra_user_profile_fields( $user_id ) { - if ( !empty( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'update-user_' . $user_id ) ) { + if ( !isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'update-user_' . $user_id ) ) { return; } diff --git a/inc/functions/functions-hotel.php b/inc/functions/functions-hotel.php index 3e0d646f4..d1889f843 100644 --- a/inc/functions/functions-hotel.php +++ b/inc/functions/functions-hotel.php @@ -333,7 +333,7 @@ function get_hotel_locations() { function tf_hotel_airport_service_callback() { // Check nonce security - if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { + if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $meta = get_post_meta( sanitize_key( $_POST['id'] ), 'tf_hotels_opt', true ); @@ -702,7 +702,7 @@ function tf_hotel_airport_service_callback() { function tf_room_availability_callback() { // Check nonce security - if ( ! empty( $_POST['tf_room_avail_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_room_avail_nonce'])), 'check_room_avail_nonce' ) ) { + if ( ! isset( $_POST['tf_room_avail_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_room_avail_nonce'])), 'check_room_avail_nonce' ) ) { return; } 
@@ -3638,7 +3638,7 @@ function tf_remove_order_ids_from_room() { */ add_action( 'wp_ajax_tf_remove_room_order_ids', 'tf_remove_room_order_ids' ); function tf_remove_room_order_ids() { - if( !empty($_POST['_ajax_nonce']) && !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_ajax_nonce'] ) ), 'updates' ) ){ + if( !isset($_POST['_ajax_nonce']) || !wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_ajax_nonce'] ) ), 'updates' ) ){ return; } @@ -3674,7 +3674,7 @@ function tf_remove_room_order_ids() { function tf_hotel_quickview_callback() { // Check nonce security - if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { + if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $meta = get_post_meta( $_POST['post_id'], 'tf_hotels_opt', true ); @@ -4081,7 +4081,7 @@ function tf_hotel_quickview_callback() { function tf_hotel_archive_popup_qv_callback(){ // Check nonce security - if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { + if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } if( !empty($_POST['post_type']) && "tf_hotel"==$_POST['post_type']){ @@ -4187,7 +4187,7 @@ function tf_hotel_total_room_adult_child( $hotel_id, $type = 'room' ) { if ( ! function_exists( 'tf_hotel_search_ajax_callback' ) ) { function tf_hotel_search_ajax_callback() { // Check nonce security - if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { + if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $response = [ 
@@ -4260,7 +4260,7 @@ function tf_hotel_filter_by_features( $features ) { function tf_hotel_booking_popup_callback() { // Check nonce security - if ( ! empty( $_POST['tf_room_booking_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_room_booking_nonce'])), 'check_room_booking_nonce' ) ) { + if ( ! isset( $_POST['tf_room_booking_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_room_booking_nonce'])), 'check_room_booking_nonce' ) ) { return; } diff --git a/inc/functions/functions-review.php b/inc/functions/functions-review.php index ecd4b5eaa..946b6adcd 100644 --- a/inc/functions/functions-review.php +++ b/inc/functions/functions-review.php @@ -291,7 +291,7 @@ function tf_save_rating( $comment_id, $comment_approved, $commentdata ) { // Get the post ID from the comment data $post_id = $commentdata['comment_post_ID']; // Check nonce security - if ( ! empty( $_POST['_wp_unfiltered_html_comment'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_wp_unfiltered_html_comment'])), 'unfiltered-html-comment_' . $post_id ) ) { + if ( ! isset( $_POST['_wp_unfiltered_html_comment'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_wp_unfiltered_html_comment'])), 'unfiltered-html-comment_' . $post_id ) ) { return; } if ( ( isset( $_POST[ TF_COMMENT_META ] ) ) && ( '' !== $_POST[ TF_COMMENT_META ] ) ) { diff --git a/inc/functions/functions-tour.php b/inc/functions/functions-tour.php index 347ea6e04..c28d123c2 100644 --- a/inc/functions/functions-tour.php +++ b/inc/functions/functions-tour.php 
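Review bot: tf_save_rating now returns unless `$_POST['_wp_unfiltered_html_comment']` is present and valid for `'unfiltered-html-comment_' . $post_id`. That field is the core comment-form nonce that WordPress, as far as I recall, only prints for users holding the unfiltered_html capability, so for ordinary or guest commenters the `TF_COMMENT_META` value read on the next context line would never be saved. If ratings are meant to be accepted from any commenter, the form should emit a plugin-owned field, e.g. `wp_nonce_field( 'tf_save_rating', 'tf_rating_nonce' );`, and this guard should verify that field instead; please confirm against the comment-form markup, which I cannot see from this hunk. The function body continues outside the hunk.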
@@ -3530,7 +3530,7 @@ function tf_filter_tour_by_without_date( $period, &$total_posts, array &$not_fou if ( ! function_exists( 'tf_tour_search_ajax_callback' ) ) { function tf_tour_search_ajax_callback() { // Check nonce security - if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { + if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $response = [ @@ -3707,7 +3707,7 @@ function tf_tour_type_assign_taxonomies( $post_id, $post, $old_status ) { add_action( 'wp_ajax_tf_tour_booking_popup', 'tf_tour_booking_popup_callback' ); function tf_tour_booking_popup_callback() { // Check nonce security - if ( ! empty( $_POST['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { + if ( ! isset( $_POST['_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_nonce'])), 'tf_ajax_nonce' ) ) { return; } $response = array(); diff --git a/inc/functions/functions-wishlist.php b/inc/functions/functions-wishlist.php index a641f562b..dbc01e84a 100644 --- a/inc/functions/functions-wishlist.php +++ b/inc/functions/functions-wishlist.php @@ -15,7 +15,7 @@ function tf_add_to_wishlists() { // Check nonce security - if ( ! empty( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['nonce'])), 'wishlist-nonce' ) ) { + if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['nonce'])), 'wishlist-nonce' ) ) { die(esc_html_e( 'Nonce verification failed', 'tourfic' )); } 
@@ -119,7 +119,7 @@ function tf_generate_table_for_user($type) function tf_generate_table_guest() { // Check nonce security - if ( ! empty( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['nonce'])), 'populate-wishlist-guest-nonce' ) ) { + if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['nonce'])), 'populate-wishlist-guest-nonce' ) ) { die(esc_html_e( 'Nonce verification failed', 'tourfic' )); } @@ -157,7 +157,7 @@ function tf_generate_table($ids, $type = null) function tf_remove_wishlist() { // Check nonce security - if ( ! empty( $_GET['nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_GET['nonce'])), 'wishlist-nonce' ) ) { + if ( ! isset( $_GET['nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_GET['nonce'])), 'wishlist-nonce' ) ) { die(esc_html_e( 'Nonce verification failed', 'tourfic' )); } diff --git a/inc/functions/functions_order.php b/inc/functions/functions_order.php index ef725d95a..da7f47290 100644 --- a/inc/functions/functions_order.php +++ b/inc/functions/functions_order.php @@ -46,7 +46,7 @@ function tf_add_order_submenu() { if ( ! function_exists( 'tf_tour_booking_page_callback' ) ) { function tf_tour_booking_page_callback() { - if ( !empty($_REQUEST['nonce']) && (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) { + if ( !isset($_REQUEST['nonce']) || (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) { // This nonce is not valid. die( esc_html_e( 'Nonce verification failed', 'tourfic' ) ); } 
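Review bot: tf_tour_booking_page_callback now dies with "Nonce verification failed" whenever `$_REQUEST['nonce']` is absent, yet the context line below (`if(!empty($_GET['order_id']) && !empty($_GET['action']) && !empty($_GET['book_id']))`) suggests only the per-order action links carry a nonce while the plain submenu page load does not; if that is so, opening the bookings page from the admin menu will now abort instead of listing bookings. Either the menu URL needs a nonce appended, or the verification should move inside the action branch where the nonce is actually expected, e.g. `if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ?? '' ) ), 'updates' ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ?? '' ) ), 'tf_booking_details' ) ) { wp_die( esc_html__( 'Nonce verification failed', 'tourfic' ) ); }` placed immediately after the order_id/action/book_id check. The tf_hotel_booking_page_callback and tf_apartment_booking_page_callback hunks below make the same change. I cannot see the submenu registration from this hunk, so please confirm how the page is linked before landing it.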
@@ -181,7 +181,7 @@ function tf_tour_booking_page_callback() {
 if ( ! function_exists( 'tf_hotel_booking_page_callback' ) ) {
 function tf_hotel_booking_page_callback() {
- if ( !empty($_REQUEST['nonce']) && (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) {
+ if ( !isset($_REQUEST['nonce']) || (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) {
 // This nonce is not valid.
 die( esc_html_e( 'Nonce verification failed', 'tourfic' ) );
 }
@@ -312,7 +312,7 @@ function tf_hotel_booking_page_callback() {
 if ( ! function_exists( 'tf_apartment_booking_page_callback' ) ) {
 function tf_apartment_booking_page_callback() {
- if ( !empty($_REQUEST['nonce']) && (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) {
+ if ( !isset($_REQUEST['nonce']) || (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) {
 // This nonce is not valid.
 die( esc_html_e( 'Nonce verification failed', 'tourfic' ) );
 }
diff --git a/inc/functions/woocommerce/wc-apartment.php b/inc/functions/woocommerce/wc-apartment.php
index 05b0442de..13bcc603f 100644
--- a/inc/functions/woocommerce/wc-apartment.php
+++ b/inc/functions/woocommerce/wc-apartment.php
@@ -12,7 +12,7 @@ function tf_apartment_booking_callback() {
 $tf_apartment_data = [];
 // Check nonce security
- if ( ! empty( $_POST['tf_apartment_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_apartment_nonce'])), 'tf_apartment_booking' ) ) {
+ if ( ! isset( $_POST['tf_apartment_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_apartment_nonce'])), 'tf_apartment_booking' ) ) {
 return;
 }
diff --git a/inc/functions/woocommerce/wc-hotel.php b/inc/functions/woocommerce/wc-hotel.php
index 7e6a8cfe3..8e79a7a8c 100644
--- a/inc/functions/woocommerce/wc-hotel.php
+++ b/inc/functions/woocommerce/wc-hotel.php
@@ -21,7 +21,7 @@ function tf_hotel_booking_callback() {
 // Check nonce security
- if ( ! empty( $_POST['tf_room_booking_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_room_booking_nonce'])), 'check_room_booking_nonce' ) ) {
+ if ( ! isset( $_POST['tf_room_booking_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['tf_room_booking_nonce'])), 'check_room_booking_nonce' ) ) {
 return;
 }
diff --git a/inc/functions/woocommerce/wc-tour.php b/inc/functions/woocommerce/wc-tour.php
index cc80a2624..9961caa6e 100644
--- a/inc/functions/woocommerce/wc-tour.php
+++ b/inc/functions/woocommerce/wc-tour.php
@@ -10,7 +10,7 @@ add_action( 'wp_ajax_nopriv_tf_tours_booking', 'tf_tours_booking_function' );
 function tf_tours_booking_function() {
- if ( ! empty( $_POST['_ajax_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_ajax_nonce'])), 'tf_ajax_nonce' ) ) {
+ if ( ! isset( $_POST['_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['_ajax_nonce'])), 'tf_ajax_nonce' ) ) {
 return;
 }
diff --git a/templates/common/search-results.php b/templates/common/search-results.php
index 32ef03a47..3f7f011ca 100644
--- a/templates/common/search-results.php
+++ b/templates/common/search-results.php
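Review bot: tf_tours_booking_function is registered for `wp_ajax_nopriv_tf_tours_booking` as well, and on nonce failure it merely `return;`s, so an unauthenticated caller with a stale or forged `_ajax_nonce` gets admin-ajax's default `0` with HTTP 200 instead of a rejection the front-end can act on. Replace the guard with `check_ajax_referer( 'tf_ajax_nonce', '_ajax_nonce' );`, which verifies the same field and dies with a 403 on failure; the apartment (`check_ajax_referer( 'tf_apartment_booking', 'tf_apartment_nonce' )`) and hotel (`check_ajax_referer( 'check_room_booking_nonce', 'tf_room_booking_nonce' )`) hunks above have the identical shape. A nonce on a nopriv endpoint only proves the form was rendered by this site, so the booking fields still need their own validation further down. The function body continues past the hunk.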
@@ -5,7 +5,7 @@ $tf_apartment_arc_selected_template = ! empty( tf_data_types(tfopt( 'tf-template' ))['apartment-archive'] ) ? tf_data_types(tfopt( 'tf-template' ))['apartment-archive'] : 'default';
 // Check nonce security
-if ( ! empty( $_GET['_nonce'] ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_GET['_nonce'])), 'tf_ajax_nonce' ) ) {
+if ( !isset( $_GET['_nonce'] ) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_GET['_nonce'])), 'tf_ajax_nonce' ) ) {
 return;
 }
diff --git a/templates/template-parts/search/design-2.php b/templates/template-parts/search/design-2.php
index 1b1d40c2b..42e83c996 100644
--- a/templates/template-parts/search/design-2.php
+++ b/templates/template-parts/search/design-2.php
@@ -1,7 +1,7 @@
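Review bot: A bare `return` in this template on a missing or stale `_nonce` renders an empty results page with no explanation, and since WordPress nonces are valid for at most 24 hours every bookmarked or shared search URL will eventually land in that branch (assuming, as the path `templates/common/search-results.php` suggests, this is the public search results page). Nonces are a CSRF control for state-changing requests; a read-only GET search does not need one, and if the intent is to block direct access the branch should at least say so, e.g. `echo esc_html__( 'Invalid or expired search request', 'tourfic' ); return;`. The `!isset || !wp_verify_nonce` form does correctly close the bypass where an absent `_nonce` skipped verification altogether. The template continues past the hunk.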
Date: Thu, 21 Mar 2024 13:51:51 +0600 Subject: [PATCH 3/7] esc issue fixed --- inc/classes/class-setup-wizard.php | 14 +++++++------- inc/functions/functions-apartment.php | 6 +++++- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/inc/classes/class-setup-wizard.php b/inc/classes/class-setup-wizard.php index 05ec46058..e500b32d0 100644 --- a/inc/classes/class-setup-wizard.php +++ b/inc/classes/class-setup-wizard.php @@ -257,7 +257,7 @@ private function tf_setup_step_travelfic() {
-

manages your backend and booking, Travelfic ensures your travel site looks great and
operates smoothly. ", "tourfic" ) ?>

+

<?php esc_attr_e( 'Travelfic Theme', 'tourfic' ) ?> @@ -425,7 +425,7 @@ private function tf_setup_step_three() {

-

Tourfic Settings > Hotel Settings', 'tourfic' ) ?>

+

Tourfic Settings > Hotel Settings' ) ?>

@@ -464,7 +464,7 @@ class="tf-switch"

-

Tourfic Settings > Tour Settings', 'tourfic' ) ?>

+

Tourfic Settings > Tour Settings' ) ?>

@@ -503,7 +503,7 @@ class="tf-switch"

-

Tourfic Settings > Apartment Settings', 'tourfic' ) ?>

+

Tourfic Settings > Apartment Settings' ) ?>

@@ -590,7 +590,7 @@ private function tf_setup_step_four() {

-

Tourfic Settings > Hotel Settings', 'tourfic' ) ?>

+

Tourfic Settings > Hotel Settings' ) ?>

@@ -670,7 +670,7 @@ private function tf_setup_step_four() {

-

Tourfic Settings > Tour Settings', 'tourfic' ) ?>

+

Tourfic Settings > Tour Settings' ) ?>

@@ -752,7 +752,7 @@ private function tf_setup_step_four() {

-

Tourfic Settings > Apartment Settings', 'tourfic' ) ?>

+

Tourfic Settings > Apartment Settings' ) ?>

diff --git a/inc/functions/functions-apartment.php b/inc/functions/functions-apartment.php index 642343688..d080c35e6 100644 --- a/inc/functions/functions-apartment.php +++ b/inc/functions/functions-apartment.php @@ -2895,12 +2895,13 @@ function tf_apartments_search_ajax_callback() { return; } $response = [ - 'status' => 'error', + 'status' => 'success', 'message' => '', ]; if ( tfopt( 'date_apartment_search' ) && ( ! isset( $_POST['check-in-out-date'] ) || empty( $_POST['check-in-out-date'] ) ) ) { $response['message'] = esc_html__( 'Please select a date', 'tourfic' ); + $response['status'] = 'error'; } if ( tfopt( 'date_apartment_search' ) ) { @@ -2908,6 +2909,9 @@ function tf_apartments_search_ajax_callback() { $response['query_string'] = str_replace( '&action=tf_apartments_search', '', http_build_query( $_POST ) ); $response['status'] = 'success'; } + }else{ + $response['query_string'] = str_replace( '&action=tf_apartments_search', '', http_build_query( $_POST ) ); + $response['status'] = 'success'; } echo wp_json_encode( $response ); From 1955944780097b53f59694ff5e6117b9715a24ef Mon Sep 17 00:00:00 2001 From: mehedifoysal Date: Thu, 21 Mar 2024 14:14:51 +0600 Subject: [PATCH 4/7] nonce remove from booking details --- .../apartment/single-booking-details.php | 7 +------ .../hotel/single-booking-details.php | 7 +------ .../tour/single-booking-details.php | 7 +------ inc/functions/functions_order.php | 15 --------------- 4 files changed, 3 insertions(+), 33 deletions(-) diff --git a/inc/booking-details/apartment/single-booking-details.php b/inc/booking-details/apartment/single-booking-details.php index 8d0337bab..c7fe2932b 100644 --- a/inc/booking-details/apartment/single-booking-details.php +++ b/inc/booking-details/apartment/single-booking-details.php @@ -8,12 +8,7 @@
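Review bot: The new `else` branch in tf_apartments_search_ajax_callback duplicates the `query_string` line from the date-search branch, and `str_replace( '&action=tf_apartments_search', '', http_build_query( $_POST ) )` only strips the action when it is not the first POST field (if it is first, the string begins `action=tf_apartments_search&` and nothing matches). Build it once from a copy with the key removed, `$args = $_POST; unset( $args['action'] ); $query_string = http_build_query( $args );`, before the `if`, and assign it in both branches; `_nonce` has to stay in the string because `templates/common/search-results.php`, patched earlier in this series, verifies it from `$_GET`. With the previous hunk's default status flipped to `'success'`, a date-search request that passes the date check but fails the one-line condition hidden between the two hunks now reports success without any `query_string`; keeping the default `'error'` and setting `'success'` explicitly in both branches, as the added lines already do, avoids that. The function starts before the first hunk and ends after this one.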
- get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}tf_order_data WHERE id = %s AND order_id = %s",sanitize_key( $_GET['book_id'] ), sanitize_key( $_GET['order_id'] ) ) ); ?> diff --git a/inc/booking-details/hotel/single-booking-details.php b/inc/booking-details/hotel/single-booking-details.php index 744a798f5..529a97193 100644 --- a/inc/booking-details/hotel/single-booking-details.php +++ b/inc/booking-details/hotel/single-booking-details.php @@ -8,12 +8,7 @@
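Review bot: With the nonce block removed from apartment/single-booking-details.php, the only gate left in front of this template is the capability of the admin page that includes it, which is not visible in the hunk; confirm that the `add_submenu_page()` call in `tf_add_order_submenu()` requires a capability narrower than `read`. On the unchanged query line, `id = %s AND order_id = %s` with `sanitize_key()` compares what look like integer ids as strings, and `sanitize_key()` lowercases and strips characters rather than rejecting a bad value; `%d` with `absint( $_GET['book_id'] )` and `absint( $_GET['order_id'] )` is the tighter form if those columns are integers (not visible here). The hunk header shows the template starts before line 8.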
- get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}tf_order_data WHERE id = %s AND order_id = %s",sanitize_key( $_GET['book_id'] ), sanitize_key( $_GET['order_id'] ) ) ); ?> diff --git a/inc/booking-details/tour/single-booking-details.php b/inc/booking-details/tour/single-booking-details.php index b6a3cc8c6..d017bbb96 100644 --- a/inc/booking-details/tour/single-booking-details.php +++ b/inc/booking-details/tour/single-booking-details.php @@ -8,12 +8,7 @@
- get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}tf_order_data WHERE id = %s AND order_id = %s",sanitize_key( $_GET['book_id'] ), sanitize_key( $_GET['order_id'] ) ) ); ?> diff --git a/inc/functions/functions_order.php b/inc/functions/functions_order.php index da7f47290..90bd08647 100644 --- a/inc/functions/functions_order.php +++ b/inc/functions/functions_order.php @@ -46,11 +46,6 @@ function tf_add_order_submenu() { if ( ! function_exists( 'tf_tour_booking_page_callback' ) ) { function tf_tour_booking_page_callback() { - if ( !isset($_REQUEST['nonce']) || (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) { - // This nonce is not valid. - die( esc_html_e( 'Nonce verification failed', 'tourfic' ) ); - } - if(!empty($_GET['order_id']) && !empty($_GET['action']) && !empty($_GET['book_id'])){ /** * Booking Details showing new template @@ -181,11 +176,6 @@ function tf_tour_booking_page_callback() { if ( ! function_exists( 'tf_hotel_booking_page_callback' ) ) { function tf_hotel_booking_page_callback() { - if ( !isset($_REQUEST['nonce']) || (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) { - // This nonce is not valid. - die( esc_html_e( 'Nonce verification failed', 'tourfic' ) ); - } - if(!empty($_GET['order_id']) && !empty($_GET['action']) && !empty($_GET['book_id'])){ /** * Booking Details showing new template 
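Review bot: Deleting the nonce check at the top of tf_tour_booking_page_callback removes CSRF protection from every action the page handles, not only the read-only details view that the remaining `if(!empty($_GET['order_id']) && !empty($_GET['action']) && !empty($_GET['book_id']))` branch shows: the removed guard accepted an `updates` nonce in addition to `tf_booking_details`, which suggests this callback, or a list table it renders, also processes state-changing `$_GET['action']` values. A view-only link can do without a nonce, but any branch that modifies bookings should keep a per-action check such as `check_admin_referer( 'updates' );` before acting, alongside an explicit `current_user_can()` test for the booking capability. The hotel hunk on this line and the apartment hunk that follows repeat the same removal. The callback body continues well past the hunk.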
@@ -312,11 +302,6 @@ function tf_hotel_booking_page_callback() { if ( ! function_exists( 'tf_apartment_booking_page_callback' ) ) { function tf_apartment_booking_page_callback() { - if ( !isset($_REQUEST['nonce']) || (! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'updates' ) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_REQUEST['nonce'])), 'tf_booking_details' ) ) ) { - // This nonce is not valid. - die( esc_html_e( 'Nonce verification failed', 'tourfic' ) ); - } - if(!empty($_GET['order_id']) && !empty($_GET['action']) && !empty($_GET['book_id'])){ /** * Booking Details showing new template From f907af144923108262a4fb8a6b15d5a762d07ab1 Mon Sep 17 00:00:00 2001 From: mehedifoysal Date: Thu, 21 Mar 2024 14:15:56 +0600 Subject: [PATCH 5/7] nonce remove from booking details --- inc/booking-details/apartment/booking-details.php | 5 ----- inc/booking-details/hotel/booking-details.php | 6 ------ inc/booking-details/tour/booking-details.php | 6 ------ 3 files changed, 17 deletions(-) diff --git a/inc/booking-details/apartment/booking-details.php b/inc/booking-details/apartment/booking-details.php index 99a30920b..cbab6f0fb 100644 --- a/inc/booking-details/apartment/booking-details.php +++ b/inc/booking-details/apartment/booking-details.php @@ -1,8 +1,3 @@ -
diff --git a/inc/booking-details/hotel/booking-details.php b/inc/booking-details/hotel/booking-details.php index 8266c5ff4..c389aca4b 100644 --- a/inc/booking-details/hotel/booking-details.php +++ b/inc/booking-details/hotel/booking-details.php @@ -1,9 +1,3 @@ -
diff --git a/inc/booking-details/tour/booking-details.php b/inc/booking-details/tour/booking-details.php index 3c2e6d0dd..5f9ef6099 100644 --- a/inc/booking-details/tour/booking-details.php +++ b/inc/booking-details/tour/booking-details.php @@ -1,9 +1,3 @@ -
From aebddfe8829332bd7a4d66da884d9305ade2244c Mon Sep 17 00:00:00 2001 From: Ashik384 <39790492+Ashik384@users.noreply.github.com> Date: Thu, 21 Mar 2024 14:49:54 +0600 Subject: [PATCH 6/7] = 2.11.22 - 21 March 2024 = = 2.11.22 - 21 March 2024 = - Updated: Nonce Validation and escaping patches - Updated: Security and Minor Bugs --- readme.txt | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/readme.txt b/readme.txt index a0db11378..df516b6e3 100644 --- a/readme.txt +++ b/readme.txt @@ -3,7 +3,7 @@ Contributors: themefic, kamrul0424, jahidcse, mehedi890, mdashikul, mainulsunvi, Tags: travel-booking, hotel-booking, tour-booking, room-booking, woocommerce-accommodation-booking Requires at least: 5.4 Tested up to: 6.4.3 -Stable tag: 2.11.21 +Stable tag: 2.11.22 Requires PHP: 7.4 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html @@ -322,6 +322,11 @@ We provide full support on the WordPress.org forums. In addition, please feel fr == Changelog == += 2.11.22 - 21 March 2024 = + +- Updated: Nonce Validation and escaping patches +- Updated: Security and Minor Bugs + = 2.11.21 - 19 March 2024 = - Fixed: Nonce Validation and escaping issues From 96c4940d524cc08f1e19996fc4dfab08996ee5d2 Mon Sep 17 00:00:00 2001 From: Ashik384 <39790492+Ashik384@users.noreply.github.com> Date: Thu, 21 Mar 2024 14:53:17 +0600 Subject: [PATCH 7/7] = 2.11.22 - 21 March 2024 = = 2.11.22 - 21 March 2024 = --- tourfic.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tourfic.php b/tourfic.php index cce30900d..ee99d836d 100644 --- a/tourfic.php +++ b/tourfic.php @@ -7,7 +7,7 @@ * Author URI: https://themefic.com * Text Domain: tourfic * Domain Path: /lang/ - * Version: 2.11.21 + * Version: 2.11.22 * Tested up to: 6.4.3 * WC tested up to: 8.6 * Requires PHP: 7.4 @@ -55,7 +55,7 @@ * @since 1.0 */ if ( ! defined( 'TOURFIC' ) ) { - define( 'TOURFIC', '2.11.21' ); + define( 'TOURFIC', '2.11.22' ); } /**