--- artifacts/sms-alert-3.9.5/sms-alert/handler/forms/class-wpresetpassword.php 2026-05-04 02:44:12.000000000 +0000 +++ artifacts/sms-alert-3.9.6/sms-alert/handler/forms/class-wpresetpassword.php 2026-06-27 09:59:06.000000000 +0000 @@ -65,7 +65,8 @@ */ public function routeData() { - if (! empty($_REQUEST['option']) && sanitize_text_field(wp_unslash($_REQUEST['option'])) === 'smsalert-change-password-form' ) { + SmsAlertUtility::checkSession(); + if (! empty($_REQUEST['option']) && (sanitize_text_field(wp_unslash($_REQUEST['option'])) === 'smsalert-change-password-form') && isset($_SESSION[ $this->form_session_var ]) && strcasecmp($_SESSION[ $this->form_session_var ], 'validated') === 0 ) { $this->handleSmsalertChangedPwd($_POST); } } @@ -210,6 +211,7 @@ if (! isset($_SESSION[ $this->form_session_var ]) ) { return; } + $_SESSION[ $this->form_session_var ] = 'validated'; smsalertAskForResetPassword( sanitize_text_field($_SESSION['user_login']), sanitize_text_field($_SESSION['phone_number_mo']),