diff --git a/admin/core/um-admin-actions.php b/admin/core/um-admin-actions.php index c2b3a378..b2815ba0 100644 --- a/admin/core/um-admin-actions.php +++ b/admin/core/um-admin-actions.php @@ -240,8 +240,8 @@ $uri = add_query_arg('user[]', $user_id, $uri); $redirect = add_query_arg('user[]', $user_id, $redirect); } - $uri = add_query_arg('confirm', 1, $uri); - $redirect = add_query_arg('_refer', urlencode($uri), $redirect); + $uri = add_query_arg('_refer', $_POST['_wp_http_referer'], $redirect); + $redirect = add_query_arg('confirm', 1, $uri); exit( wp_redirect($redirect) ); diff --git a/admin/core/um-admin-notices.php b/admin/core/um-admin-notices.php index 9586ed72..fd2b3ebd 100644 --- a/admin/core/um-admin-notices.php +++ b/admin/core/um-admin-notices.php @@ -161,18 +161,20 @@ class UM_Admin_Notices { case 'confirm_delete': - $confirm_uri = urldecode($_REQUEST['_refer']); + $confirm_uri = sanitize_text_field( urldecode($_REQUEST['_wp_http_referer']) ); $users = ''; - foreach( $_REQUEST['user'] as $user_id ) { - $user = get_userdata( $user_id ); - $users .= '#' . $user_id . ': ' . $user->user_login . '
'; + if( isset( $_REQUEST['user'] ) ){ + foreach( $_REQUEST['user'] as $user_id ) { + $user = get_userdata( $user_id ); + $users .= '#' . $user_id . ': ' . $user->user_login . '
'; + } } $ignore = admin_url('users.php'); $messages[0]['err_content'] = sprintf(__('Are you sure you want to delete the selected user(s)? The following users will be deleted:

%s

This cannot be undone!','ultimatemember'), $users); - $messages[0]['err_content'] .= '

' . __('Remove','ultimatemember') . '  ' . __('Undo','ultimatemember') . '

'; + $messages[0]['err_content'] .= '

' . __('Remove','ultimatemember') . '  ' . __('Undo','ultimatemember') . '

'; break;