diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 7c7fdf6b0..02c430fc0 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -520,7 +520,12 @@ jobs:
- name: Fix permissions for Cypress output
if: always()
- run: sudo chown -R $USER:$USER tests/e2e/cypress
+ run: |
+ if [ -d tests/e2e/cypress ]; then
+ sudo chown -R $USER:$USER tests/e2e/cypress
+ else
+ echo "Cypress output directory not found; skipping permission fix."
+ fi
- name: Upload Cypress screenshots
if: always()
@@ -540,4 +545,9 @@ jobs:
- name: Stop WordPress Environment
if: always()
- run: npm run env:stop
+ run: |
+ if [ -f package.json ]; then
+ npm run env:stop
+ else
+ echo "package.json not found; skipping WordPress environment stop."
+ fi
diff --git a/assets/js/setup-wizard.js b/assets/js/setup-wizard.js
index d7718d1e8..ab8d1b7f5 100644
--- a/assets/js/setup-wizard.js
+++ b/assets/js/setup-wizard.js
@@ -104,6 +104,7 @@
action: wu_setup_settings.ajax_action || 'wu_setup_install',
installer: content,
'dry-run': wu_setup_settings.dry_run,
+ _wpnonce: wu_setup_settings.install_nonce,
},
success(data) {
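Review bot: `_wpnonce` is read from `wu_setup_settings.install_nonce` with no fallback, so any page that builds `wu_setup_settings` without that key will send no valid nonce and every installer step will be rejected by the new server-side check. The same object is also read for `ajax_action`, which the `render_installation_steps()` array changed in this commit does not set, so it looks as if the object is populated in more than one place; each of those needs to supply `install_nonce`. A short comment on the new line would help, for example `// Nonce for the 'wu_setup_install' action; verified with check_ajax_referer() in setup_install().` The enclosing function starts and ends outside this hunk.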
diff --git a/assets/js/setup-wizard.min.js b/assets/js/setup-wizard.min.js
index 8bc8e88cf..cdb073bb0 100644
--- a/assets/js/setup-wizard.min.js
+++ b/assets/js/setup-wizard.min.js
@@ -1 +1 @@
-if((l=>{window._wu_block_ui_polyfill=wu_block_ui_polyfill,wu_block_ui_polyfill=function(){},l(document).ready(function(){l("#poststuff").on("submit","form",function(t){t.preventDefault();let a=l(this),i=a.find("table[data-id]").data("id"),o=(a.find("[name=next]").attr("disabled","disabled"),a.find("tr[data-content]")),d=(o=o.filter(function(){var t=l(this).find("input[type=checkbox]");return!t.length||t.is(":checked")}),0),r=0;!function n(t){window.onbeforeunload=function(){return""};if(0===t.length)return o.length!==d&&"migration"!==i||(window.onbeforeunload=null,_wu_block_ui_polyfill(l("#poststuff .inside")),setTimeout(()=>{a.get(0).submit()},100)),a.find("[name=next]").removeAttr("disabled"),!1;let s=l(t);let e=s.data("content");s.get(0).scrollIntoView({behavior:"smooth",block:"center",inline:"nearest"});s.find("td.status").attr("class","").addClass("status").find("> span").html(wu_setup[e].installing).end().find(".spinner").addClass("is-active").end().find("a.help").slideUp();l.ajax({url:ajaxurl,method:"post",data:{action:wu_setup_settings.ajax_action||"wu_setup_install",installer:e,"dry-run":wu_setup_settings.dry_run},success(t){!0===t.success?(s.find("td.status").attr("class","").addClass("status wu-text-green-600").find("> span").html(wu_setup[e].success).end().find(".spinner").removeClass("is-active"),s.removeAttr("data-content"),d++):s.find("td.status").attr("class","").addClass("status wu-text-red-400").find("> span").html(t.data[0].message).end().find(".spinner").removeClass("is-active").end().find("a.help").slideDown(),r++,n(o.eq(r))},error(t){let e=wu_setup_settings.generic_error_message||"An error occurred.";t.responseJSON&&t.responseJSON.data&&t.responseJSON.data[0]&&(e=t.responseJSON.data[0].message||e),s.find("td.status").attr("class","").addClass("status wu-text-red-400").find("> span").html(e).end().find(".spinner").removeClass("is-active").end().find("a.help").slideDown(),r++,n(o.eq(r))}})}(o.eq(r))}),l("#poststuff 
[name=next]").removeAttr("disabled")})})(jQuery),"function"!=typeof wu_initialize_tooltip){let t=function(){jQuery('[role="tooltip"]').tipTip({attribute:"aria-label"})},e=function(t){return jQuery(t).wu_block({message:"Please wait...",overlayCSS:{backgroundColor:"#FFF",opacity:.6},css:{padding:0,margin:0,width:"50%",fontSize:"14px !important",top:"40%",left:"35%",textAlign:"center",color:"#000",border:"none",backgroundColor:"none",cursor:"wait"}}),jQuery(t)};jQuery(document).ready(function(){t()})}
\ No newline at end of file
+if((l=>{window._wu_block_ui_polyfill=wu_block_ui_polyfill,wu_block_ui_polyfill=function(){},l(document).ready(function(){l("#poststuff").on("submit","form",function(t){t.preventDefault();let a=l(this),i=a.find("table[data-id]").data("id"),o=(a.find("[name=next]").attr("disabled","disabled"),a.find("tr[data-content]")),d=(o=o.filter(function(){var t=l(this).find("input[type=checkbox]");return!t.length||t.is(":checked")}),0),r=0;!function n(t){window.onbeforeunload=function(){return""};if(0===t.length)return o.length!==d&&"migration"!==i||(window.onbeforeunload=null,_wu_block_ui_polyfill(l("#poststuff .inside")),setTimeout(()=>{a.get(0).submit()},100)),a.find("[name=next]").removeAttr("disabled"),!1;let s=l(t);let e=s.data("content");s.get(0).scrollIntoView({behavior:"smooth",block:"center",inline:"nearest"});s.find("td.status").attr("class","").addClass("status").find("> span").html(wu_setup[e].installing).end().find(".spinner").addClass("is-active").end().find("a.help").slideUp();l.ajax({url:ajaxurl,method:"post",data:{action:wu_setup_settings.ajax_action||"wu_setup_install",installer:e,"dry-run":wu_setup_settings.dry_run,_wpnonce:wu_setup_settings.install_nonce},success(t){!0===t.success?(s.find("td.status").attr("class","").addClass("status wu-text-green-600").find("> span").html(wu_setup[e].success).end().find(".spinner").removeClass("is-active"),s.removeAttr("data-content"),d++):s.find("td.status").attr("class","").addClass("status wu-text-red-400").find("> span").html(t.data[0].message).end().find(".spinner").removeClass("is-active").end().find("a.help").slideDown(),r++,n(o.eq(r))},error(t){let e=wu_setup_settings.generic_error_message||"An error occurred.";t.responseJSON&&t.responseJSON.data&&t.responseJSON.data[0]&&(e=t.responseJSON.data[0].message||e),s.find("td.status").attr("class","").addClass("status wu-text-red-400").find("> 
span").html(e).end().find(".spinner").removeClass("is-active").end().find("a.help").slideDown(),r++,n(o.eq(r))}})}(o.eq(r))}),l("#poststuff [name=next]").removeAttr("disabled")})})(jQuery),"function"!=typeof wu_initialize_tooltip){let t=function(){jQuery('[role="tooltip"]').tipTip({attribute:"aria-label"})},e=function(t){return jQuery(t).wu_block({message:"Please wait...",overlayCSS:{backgroundColor:"#FFF",opacity:.6},css:{padding:0,margin:0,width:"50%",fontSize:"14px !important",top:"40%",left:"35%",textAlign:"center",color:"#000",border:"none",backgroundColor:"none",cursor:"wait"}}),jQuery(t)};jQuery(document).ready(function(){t()})}
\ No newline at end of file
diff --git a/inc/admin-pages/class-multisite-setup-admin-page.php b/inc/admin-pages/class-multisite-setup-admin-page.php
index 6ddb81ec8..121737fc1 100644
--- a/inc/admin-pages/class-multisite-setup-admin-page.php
+++ b/inc/admin-pages/class-multisite-setup-admin-page.php
@@ -508,6 +508,12 @@ public function setup_install(): void {
exit;
}
+ if ( ! check_ajax_referer('wu_setup_install', '_wpnonce', false)) {
+ wp_send_json_error(new \WP_Error('bad-nonce', __('Security check failed. Please reload the page and try again.', 'ultimate-multisite')));
+
+ exit;
+ }
+
$installer = wu_request('installer', '');
$multisite_network_installer = Multisite_Network_Installer::get_instance();
$steps = $multisite_network_installer->get_steps();
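Review bot: The nonce action `'wu_setup_install'` is now a bare string literal in three places: this check, the identical one in `class-setup-wizard-admin-page.php`, and the `wp_create_nonce()` call in `class-wizard-admin-page.php`. If one of them drifts, every installer step fails with the `bad-nonce` error, so a single shared constant such as `const INSTALL_NONCE_ACTION = 'wu_setup_install';` (or one small helper both handlers call) would keep them in step. The third argument `false` is what lets the handler return a JSON error instead of dying inside `check_ajax_referer()`, and deserves a comment like `// $stop = false: report the failure as JSON so the wizard row can display it.` A nonce only shows the request came from a page rendered for this user, so the guard that ends just above the hunk, whose condition is not visible here, should remain the capability check. `setup_install()` starts and continues outside the hunk.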
diff --git a/inc/admin-pages/class-setup-wizard-admin-page.php b/inc/admin-pages/class-setup-wizard-admin-page.php
index d2526475f..62d5985d8 100644
--- a/inc/admin-pages/class-setup-wizard-admin-page.php
+++ b/inc/admin-pages/class-setup-wizard-admin-page.php
@@ -269,6 +269,12 @@ public function setup_install(): void {
exit;
}
+ if ( ! check_ajax_referer('wu_setup_install', '_wpnonce', false)) {
+ wp_send_json_error(new \WP_Error('bad-nonce', __('Security check failed. Please reload the page and try again.', 'ultimate-multisite')));
+
+ exit;
+ }
+
/*
* Load tables.
*/
diff --git a/inc/admin-pages/class-wizard-admin-page.php b/inc/admin-pages/class-wizard-admin-page.php
index a49354142..f2f2f35a7 100644
--- a/inc/admin-pages/class-wizard-admin-page.php
+++ b/inc/admin-pages/class-wizard-admin-page.php
@@ -516,6 +516,7 @@ public function render_installation_steps($steps, $checks = true) {
'wu_setup_settings',
[
'dry_run' => wu_request('dry-run', true),
+ 'install_nonce' => wp_create_nonce('wu_setup_install'),
'generic_error_message' => __('A server error happened while processing this item.', 'ultimate-multisite'),
]
);