- $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
- update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+ $action = 'save_wporg_username_' . get_current_user_id();
+ if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $action ) ) {
+ $user = isset( $_GET['user'] ) ? wp_unslash( $_GET['user'] ) : get_user_option( 'wporg_favorites' );
+ update_user_meta( get_current_user_id(), 'wporg_favorites', $user );
+ } else {
+ $user = get_user_option( 'wporg_favorites' );
+ }