### Key Information

1. **Enhanced Security Measures**
   - Removed `wp_ajax_nopriv_*` actions that could be triggered by unauthenticated users, to prevent security risks caused by unauthorized access.
2. **Improved Deserialization Handling**
   - Enhanced the security of the deserialization function `nxt_unserialize_replace` to ensure that only controlled data (such as database data, not user input) is deserialized.
   - Added PHP version checking, using different deserialization methods for different PHP versions to avoid PHP object injection.
3. **Strengthened Permission Verification**
   - Ensured that only administrators (users with the "manage_options" capability) can perform specific actions.
   - Added user login and admin permission checks for each operation.
4. **Updated Comments**
   - Added detailed security comments explaining the purpose of security measures, such as preventing PHP object injection and unauthorized access.

### Code Change Highlights

- **Removed Unauthorized Access Interfaces**:

```php
-add_action('wp_ajax_nopriv_nxt_replace_url','nxt_replace_url');
-add_action('wp_ajax_nopriv_nxt_replace_confirm_url','nxt_replace_confirm_url');
```

- **Enhanced Deserialization Security**:

```php
if ( version_compare( PHP_VERSION, '7.0.0', '>=' ) ) {
    $unserialized = @unserialize( $serialized_string, array( 'allowed_classes' => false ) );
} else {
    if ( preg_match( '/O:\d+:"[^\/', $serialized_string ) ) {
        return $data;
    }
    $unserialized = @unserialize( $serialized_string );
}
```
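
Review bot: In the hunk that removes the two `wp_ajax_nopriv_*` registrations, nothing visible shows that `nxt_replace_url` and `nxt_replace_confirm_url` reject low-privileged callers themselves. Dropping the `nopriv` hooks only shuts out unauthenticated requests; if the matching `wp_ajax_*` hooks stay registered, any logged-in account can still reach the handlers. Each handler should start with a `current_user_can( 'manage_options' )` check and a nonce check such as `check_ajax_referer()`. The summary mentions the capability check but no nonce, so please confirm both are in the committed handlers.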
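
Review bot: In the deserialization hunk, the `else` branch for PHP below 7.0 tests only for `O:` followed by digits, which is narrower than the set of object forms that `unserialize()` on PHP 5 will instantiate (the `C:` form used by `Serializable` classes and a signed length such as `O:+8:` are not covered). Suggest matching any object token, for example `[OC]:\+?\d+:"`, or refusing to unserialize at all on that branch. The pattern as shown here also has no closing delimiter, so the committed line should be checked against this excerpt. Separately, both calls use `@unserialize(...)`, so a failure returns `false` silently and is indistinguishable from a stored `b:0;`; compare the input against `'b:0;'` before treating `false` as an error.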
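
What the `allowed_classes => false` branch described above changes at runtime, as an added example (not the plugin's code): `DemoGadget`, `demo_safe_unserialize` and `demo_contains_object` are hypothetical names, the payload is constructed, and PHP 7.0 or later is assumed.

```php
<?php
// Added illustration; every class and function name here is hypothetical.

// Constructed stand-in for a class whose magic method has side effects.
class DemoGadget {
    public static $woke = 0;
    public $path = '/tmp/constructed';
    public function __wakeup() { self::$woke++; }
}

// Decode without instantiating any class. Returns array( $ok, $value ).
function demo_safe_unserialize( $serialized ) {
    if ( ! is_string( $serialized ) ) {
        return array( false, null );
    }
    // 'b:0;' decodes to false, the same value unserialize() returns on failure.
    if ( 'b:0;' === $serialized ) {
        return array( true, false );
    }
    $value = @unserialize( $serialized, array( 'allowed_classes' => false ) );
    return ( false === $value ) ? array( false, null ) : array( true, $value );
}

// True if any object survived decoding as a __PHP_Incomplete_Class placeholder.
function demo_contains_object( $value ) {
    if ( $value instanceof __PHP_Incomplete_Class ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( demo_contains_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample: an option array with an object nested inside it.
$payload = serialize( array( 'url' => 'https://old.example', 'obj' => new DemoGadget() ) );

list( $ok, $value ) = demo_safe_unserialize( $payload );
printf( "decoded=%s wakeups=%d placeholder=%s\n",
    var_export( $ok, true ), DemoGadget::$woke, var_export( demo_contains_object( $value ), true ) );

unserialize( $payload ); // unrestricted call, shown for contrast only
printf( "wakeups after unrestricted unserialize=%d\n", DemoGadget::$woke );
```

The restricted call leaves the wakeup counter at 0 and yields a `__PHP_Incomplete_Class` placeholder, while the unrestricted call raises it to 1. A caller that expects only scalars and arrays can use `demo_contains_object()` to reject the value outright.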