I checked your code and some of the things are not OK. I suggest you consider the following:
1.) Your AJAX endpoint is not protected
Currently anyone can send requests to your AJAX endpoint and enter data from anywhere. To solve this, make use of WordPress nonces.
The principle is to create a nonce server-side and send the same nonce from the AJAX call in the data object (you either print it into the header and get it with jQuery, then merge it with the data object you are obtaining from the serialize() method). The final step is to verify the nonce using the method wp_verify_nonce() before saving the data, and if the nonce is invalid simply don't proceed to save the data.
2.) You need more validation
As I can see in the code, you don't validate any of the $_POST array variables. This is a huge problem and you will get a lot of data that is damaged or makes no sense.