plugin updates

wp/wp-content/plugins/advanced-custom-fields-pro/includes/ajax/class-acf-ajax-query-users.php

@@ -11,6 +11,39 @@ if ( ! class_exists( 'ACF_Ajax_Query_Users' ) ) :
 		/** @var string The AJAX action name. */
 		var $action = 'acf/ajax/query_users';
 
+		/**
+		 * Verifies the request.
+		 *
+		 * @since 6.3.2
+		 *
+		 * @param array $request The request args.
+		 * @return  (bool|WP_Error) True on success, WP_Error on fail.
+		 */
+		public function verify_request( $request ) {
+			if ( empty( $request['nonce'] ) || empty( $request['field_key'] ) ) {
+				return new WP_Error( 'acf_invalid_args', __( 'Invalid request args.', 'acf' ), array( 'status' => 404 ) );
+			}
+
+			$nonce  = $request['nonce'];
+			$action = $request['field_key'];
+
+			if ( isset( $request['conditional_logic'] ) && true === (bool) $request['conditional_logic'] ) {
+				if ( ! acf_current_user_can_admin() ) {
+					return new WP_Error( 'acf_invalid_permissions', __( 'Sorry, you do not have permission to do that.', 'acf' ) );
+				}
+
+				// Use the standard ACF admin nonce.
+				$nonce  = '';
+				$action = '';
+			}
+
+			if ( ! acf_verify_ajax( $nonce, $action ) ) {
+				return new WP_Error( 'acf_invalid_nonce', __( 'Invalid nonce.', 'acf' ), array( 'status' => 404 ) );
+			}
+
+			return true;
+		}
+
 		/**
 		 * init_request
 		 *