Index: /controller/wpsg_AdminController.class.php
===================================================================
--- /controller/wpsg_AdminController.class.php	(revision 7557)
+++ /controller/wpsg_AdminController.class.php	(revision 7558)
@@ -1499,5 +1499,5 @@
 		public function kundendatenAction()
 		{
-
+			
 			$this->shop->view['pflicht'] = $this->get_option('wpsg_admin_pflicht');
 
@@ -1518,4 +1518,6 @@
 			{
 
+				check_admin_referer('wpsg-admin-kundendaten-code');
+				
 				$this->shop->view['id'] = $_REQUEST['kv_id'];
 				$this->shop->view['field'] = $this->shop->view['pflicht']['custom'][$_REQUEST['kv_id']];
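Review bot: `$_REQUEST['kv_id']` is used as an array index on the last line of the hunk without any check that the key exists, so an unknown or forged id silently stores a null `field` (plus a PHP notice) for the view to deal with. Add `if (!isset($this->shop->view['pflicht']['custom'][$_REQUEST['kv_id']])) die();` straight after the new nonce check, in keeping with the `die(...)` exits this action already uses. Keep in mind that `check_admin_referer()` proves the request was launched from a page this user had open, not that the user is allowed to perform it; a `current_user_can()` gate is not visible in the hunk and should exist somewhere in the dispatch. The enclosing `if` and `kundendatenAction()` both continue outside the hunk.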
@@ -1525,7 +1527,8 @@
 			}
 
-			if (isset($_REQUEST['submit']))
-			{
+			if (isset($_REQUEST['submit'])) {
  
+				check_admin_referer('wpsg-admin-kundendaten');
+				
 			    $this->shop->update_option('wpsg_customerpreset_shipping', $_REQUEST['wpsg_customerpreset_shipping'], false, false, WPSG_SANITIZE_VALUES, array_keys($this->shop->arShipping));
 			    $this->shop->update_option('wpsg_customerpreset_payment', $_REQUEST['wpsg_customerpreset_payment'], false, false, array_keys($this->shop->arPayment));
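Review bot: The two `update_option()` calls following the new nonce check disagree on argument positions: the shipping call passes `WPSG_SANITIZE_VALUES` fifth and `array_keys($this->shop->arShipping)` sixth, while the payment call passes `array_keys($this->shop->arPayment)` fifth. If the fifth parameter selects the sanitize mode, the payment preset is saved without the allowed-value check its sibling gets — worth confirming against `update_option()`'s signature (not visible here); if confirmed, the line becomes `$this->shop->update_option('wpsg_customerpreset_payment', $_REQUEST['wpsg_customerpreset_payment'], false, false, WPSG_SANITIZE_VALUES, array_keys($this->shop->arPayment));`. These are context lines rather than part of this commit, but since the commit is hardening exactly this handler it is the natural place to fix it. The `if (isset($_REQUEST['submit']))` block continues outside the hunk.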
@@ -1593,7 +1596,8 @@
 			}
 
-			if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'add')
-			{
-
+			if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'add') {
+
+				check_admin_referer('wpsg-admin-kundendaten-add');
+				
 				if (!is_array($this->shop->view['pflicht'])) $this->shop->view['pflicht'] = array();
 				$this->shop->view['pflicht']['custom'][] = array(
@@ -1608,7 +1612,7 @@
 				die($this->shop->render(WPSG_PATH_VIEW.'/admin/kundendaten_tab2.phtml'));
 
-			}
-			else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'remove')
-			{
+			} else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'remove') {
+				
+				check_admin_referer('wpsg-admin-kundendaten-delete');
 
 				unset($this->shop->view['pflicht']['custom'][$_REQUEST['kv_index']]);
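Review bot: `unset(...[$_REQUEST['kv_index']])` on the last line runs without validating `kv_index`; an unknown or non-numeric index is a silent no-op, and the rest of the branch (outside the hunk) presumably still saves and re-renders as if something had been removed. Guard it after the nonce check with `if (!isset($_REQUEST['kv_index']) || !isset($this->shop->view['pflicht']['custom'][$_REQUEST['kv_index']])) die();`, or at minimum cast with `(int)`. Because this URL is fetched by `jQuery.ajax` with its default GET method (see kundendaten.phtml), the nonce is now the only thing between a link and a deletion — a `type: 'POST'` on the caller side would be the more conventional shape for a destructive action. The `else if` branch continues past the hunk.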
@@ -1830,4 +1834,6 @@
 			
 			if (isset($_REQUEST['download'])) {
+				
+				check_admin_referer('wpsg-admin-widerrufsbelehrung-download');
 				
 				wpsg_header::PDFPlugin(WPSG_PATH_UPLOADS.'wpsg_revocation/'.$this->get_option('wpsg_revocationform'));
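Review bot: The file served on the last line is `WPSG_PATH_UPLOADS.'wpsg_revocation/'` joined to the raw `wpsg_revocationform` option, and nothing here checks that the option is a non-empty plain filename: an empty value hands the directory itself to `PDFPlugin()`, and a value containing `../` would leave the directory. How the option is written is not visible in this diff, so it may be constrained upstream, but the defence is cheap — `$f = basename((string) $this->get_option('wpsg_revocationform')); if ($f === '') die();` before the call, then use `$f` in the path. The nonce itself does no harm here, although a read-only download does not strictly need one. The `if (isset($_REQUEST['download']))` block continues outside the hunk.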
@@ -1891,7 +1897,8 @@
 			}
 
-			if (wpsg_isSizedString($_REQUEST['do']) && $_REQUEST['do'] == 'generateWiderrufsformular')
-			{
-
+			if (wpsg_isSizedString($_REQUEST['do']) && $_REQUEST['do'] == 'generateWiderrufsformular') {
+				
+				check_admin_referer('wpsg-admin-widerrufsbelehrung-generate');
+				
 				if (!file_exists(WPSG_PATH_UPLOADS.'wpsg_revocation/')) mkdir(WPSG_PATH_UPLOADS.'wpsg_revocation/', 0775, true);
 
@@ -1907,6 +1914,7 @@
 
 			}
-			else if (wpsg_isSizedString($_REQUEST['do']) && $_REQUEST['do'] == 'removeWiderrufsformular')
-			{
+			else if (wpsg_isSizedString($_REQUEST['do']) && $_REQUEST['do'] == 'removeWiderrufsformular') {
+				
+				check_admin_referer('wpsg-admin-widerrufsbelehrung-delete');
 
 				$bOK = unlink(WPSG_PATH_UPLOADS.'wpsg_revocation/'.$this->shop->get_option('wpsg_revocationform'));
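Review bot: `unlink()` on the last line is handed the raw `wpsg_revocationform` option, so an empty option makes it attempt to unlink the directory (a warning and `false`), and a value containing path separators could remove a file elsewhere under uploads. Normalise and guard first: `$f = basename((string) $this->shop->get_option('wpsg_revocationform')); $bOK = $f !== '' && unlink(WPSG_PATH_UPLOADS.'wpsg_revocation/'.$f);`. As with the other branches, `check_admin_referer()` establishes intent rather than permission; whatever capability check guards this action is not visible in the hunk. The `else if` branch continues outside the hunk.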
@@ -2091,4 +2099,6 @@
 			}
 			else if (@$_REQUEST['subaction'] == "dataprotection") {
+				
+				check_admin_referer('wpsg-admin-dataprotection');
 				
 				$this->update_option('dataprotectioncommissioner', $_REQUEST['dataprotectioncommissioner'], false, false, WPSG_SANITIZE_CHECKBOX);
@@ -2311,7 +2321,8 @@
 
 			}
-			else if (@$_REQUEST['subaction'] == 'includes')
-			{
-
+			else if (@$_REQUEST['subaction'] == 'includes') {
+
+				check_admin_referer('wpsg-admin-includes');
+				
 			    $this->update_option('wpsg_load_css', $_REQUEST['wpsg_load_css'], false, false, WPSG_SANITIZE_CHECKBOX);
 			    $this->update_option('wpsg_load_jquery', $_REQUEST['wpsg_load_jquery'], false, false, WPSG_SANITIZE_CHECKBOX);
@@ -2340,6 +2351,7 @@
 
 			}
-			else if (@$_REQUEST['subaction'] == 'kalkulation')
-			{
+			else if (@$_REQUEST['subaction'] == 'kalkulation') {
+				
+				check_admin_referer('wpsg-admin-kalkulation');
 
 			    $this->update_option('wpsg_kleinunternehmer', $_REQUEST['wpsg_kleinunternehmer'], false, false, WPSG_SANITIZE_CHECKBOX);
@@ -2354,7 +2366,7 @@
 				$this->redirect(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction='.$_REQUEST['subaction']);
 
-			}
-			else if (@$_REQUEST['subaction'] == 'access')
-			{
+			} else if (@$_REQUEST['subaction'] == 'access') {
+				
+				check_admin_referer('wpsg-admin-access');
 
 				$this->addBackendMessage(__('Berechtigungen gespeichert.', 'wpsg'));
@@ -2362,7 +2374,5 @@
 				if (wpsg_isSizedArray($_REQUEST['wpsg_cap']))
 				{
-					
-					\check_admin_referer('wpsg-save-admin-access');
-
+					 
 					// Sanitization
 					foreach ($_REQUEST['wpsg_cap'] as $k => $v) {
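Review bot: A nonce is the only check visible around the role-capability rewrite that starts at the end of this hunk: `check_admin_referer()` confirms the request came from a page this user loaded, not that the user may change permissions, and no `current_user_can('manage_options')` (or equivalent) gate appears here. If that gate lives in the controller's dispatch this is fine; otherwise add `if (!current_user_can('manage_options')) wp_die();` beside the nonce check — it matters most on this branch, since a lower-privileged user who can reach the page could otherwise grant capabilities. Hoisting the check out of the `wpsg_isSizedArray($_REQUEST['wpsg_cap'])` guard is correct, as the old placement skipped it whenever `wpsg_cap` was absent. Separately, `addBackendMessage(__('Berechtigungen gespeichert.'))` is queued before the posted array is even inspected, so an empty submission still reports success. The `else if` branch continues outside the hunk.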
@@ -2416,7 +2426,8 @@
 
 			}
-			else if (@$_REQUEST['subaction'] == 'seiten')
-			{
-
+			else if (@$_REQUEST['subaction'] == 'seiten') {
+
+				check_admin_referer('wpsg-admin-seiten');
+				
 				// Seiten speichern
 				$this->createPage(__('Anfrageliste', 'wpsg'), 'wpsg_page_request', $_REQUEST['wpsg_page_request']);
@@ -2485,6 +2496,7 @@
 			{
 
-				if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'update')
-				{
+				if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'update') {
+					
+					check_admin_referer('wpsg-admin-db-update');
 
 					wpsg_install();
Index: /views/admin/access.phtml
===================================================================
--- /views/admin/access.phtml	(revision 7557)
+++ /views/admin/access.phtml	(revision 7558)
@@ -20,5 +20,5 @@
 	<form name="form1" method="post" enctype="multipart/form-data" action="<?php echo wpsg_hspc(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction='.$_REQUEST['subaction'].'&noheader=1'); ?>">
 		
-		<?php \wp_nonce_field('wpsg-save-admin-access'); ?>
+		<?php \wp_nonce_field('wpsg-admin-access'); ?>
 		
 		<?php global $wpdb; $arRoles = get_option($wpdb->prefix."user_roles"); ?>
Index: /views/admin/dataprotection.phtml
===================================================================
--- /views/admin/dataprotection.phtml	(revision 7557)
+++ /views/admin/dataprotection.phtml	(revision 7558)
@@ -18,6 +18,8 @@
 
 <div class="wpsg_admin_content form-horizontal">
-	<form name="form1" method="post" enctype="multipart/form-data" action="<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&amp;subaction=<?php echo $_REQUEST['subaction']; ?>&amp;noheader=1">
+	<form name="form1" method="post" enctype="multipart/form-data" action="<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=<?php echo $_REQUEST['subaction']; ?>&noheader=1">
 	
+		<?php echo wp_nonce_field('wpsg-admin-dataprotection'); ?>
+		
 		<div class="panel panel-default">
   			<div class="panel-heading clearfix">
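Review bot: `echo wp_nonce_field('wpsg-admin-dataprotection')` on the new line prints the nonce markup twice — `wp_nonce_field()` echoes by default and also returns the same string — so the form carries duplicate `_wpnonce` and `_wp_http_referer` inputs. Drop the `echo`, as access.phtml does: `<?php wp_nonce_field('wpsg-admin-dataprotection'); ?>`. The switch from `&amp;` to `&` in the `action` attribute also goes the wrong way (`&amp;` is the correct encoding inside an attribute, even though browsers tolerate the bare form), and `$_REQUEST['subaction']` is still echoed into that attribute unescaped; the controller's dispatch presumably pins its value to `dataprotection`, but `wpsg_hspc()` or a literal would remove the dependency.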
Index: /views/admin/includes.phtml
===================================================================
--- /views/admin/includes.phtml	(revision 7557)
+++ /views/admin/includes.phtml	(revision 7558)
@@ -20,4 +20,6 @@
 	<form name="form1" method="post" enctype="multipart/form-data" action="<?php echo WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=includes&noheader=1'; ?>">
 
+		<?php echo wp_nonce_field('wpsg-admin-includes'); ?>
+		
 		<?php echo wpsg_drawForm_AdminboxStart(__('Bibliotheken/Includes', 'wpsg')); ?>
 
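Review bot: `echo wp_nonce_field('wpsg-admin-includes')` on the new line emits the nonce markup twice, because `wp_nonce_field()` echoes by default and also returns the same string; the form then carries two `_wpnonce` and two `_wp_http_referer` inputs. Functionally harmless, since both copies hold the same value, but drop the `echo`: `<?php wp_nonce_field('wpsg-admin-includes'); ?>`. The form's `action` is built from a literal here, so it has no escaping concern.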
Index: /views/admin/kalkulation.phtml
===================================================================
--- /views/admin/kalkulation.phtml	(revision 7557)
+++ /views/admin/kalkulation.phtml	(revision 7558)
@@ -19,5 +19,7 @@
 <div class="wpsg_admin_content form-horizontal">
 	<form name="form1" method="post" enctype="multipart/form-data" action="<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&amp;subaction=<?php echo $_REQUEST['subaction']; ?>&amp;noheader=1">
-	
+		
+		<?php echo wp_nonce_field('wpsg-admin-kalkulation'); ?>
+		
 		<div class="panel panel-default">
   			<div class="panel-heading clearfix">
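Review bot: `echo wp_nonce_field('wpsg-admin-kalkulation')` on the new line outputs the hidden inputs twice — `wp_nonce_field()` echoes by default and returns the markup as well — leaving duplicate `_wpnonce` and `_wp_http_referer` fields in the form. Use `<?php wp_nonce_field('wpsg-admin-kalkulation'); ?>` without the `echo`. The surrounding `action` attribute still interpolates `$_REQUEST['subaction']` raw; the dispatch presumably fixes it to `kalkulation`, but wrapping it in `wpsg_hspc()` (or writing the literal) costs nothing.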
Index: /views/admin/konfiguration.phtml
===================================================================
--- /views/admin/konfiguration.phtml	(revision 7557)
+++ /views/admin/konfiguration.phtml	(revision 7558)
@@ -33,6 +33,14 @@
 					</div>
 					<div class="wpsg_form_right">
-						<p><?php echo __("Die Version der Datenbank stimmt nicht mit der installierten Version ÃŒberein!<br />Bitte klicken Sie auf ", "wpsg").'<a href="'.WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&amp;subaction=allgemein&amp;do=update&amp;submit=1&amp;noheader=1">'.__("Aktualisieren", "wpsg").'</a>&nbsp;('.__("Produkte etc. werden dabei nicht gelÃ¶scht.", "wpsg"); ?>)</p>				
+						
+						<p>
+							<?php echo wpsg_translate(
+								__('Die Version der Datenbank stimmt nicht mit der installierten Version ÃŒberein!<br />Bitte klicken Sie auf <a href="#1#">Aktualisieren</a> Produkte etc. werden dabei nicht gelÃ¶scht.', 'wpsg'),
+								wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=allgemein&do=update&submit=1&noheader=1', 'wpsg-admin-db-update')							
+							); ?>
+						</p>
+						
 						<a rel="?page=wpsg-Admin&subaction=loadHelp&noheader=1&field=DBUpdate" href="?page=wpsg-Admin&subaction=loadHelp&noheader=1&field=DBUpdate" class="wpsg_glyphicon_right glyphicon glyphicon-question-sign"></a>
+						
 					</div>
 					<div class="wpsg_clear"></div>
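Review bot: The msgid on the new `__()` line carries mojibake — `ÃŒberein` and `gelÃ¶scht` where `überein` and `gelöscht` are meant — and because a gettext key must match the `.po` entry byte for byte, a double-encoded key will never be translated. The same bytes appear in the removed line, so this may be how the file is actually stored rather than an artifact of this diff; worth opening it as UTF-8 and checking before the string lands as a new key. The `#1#` placeholder receives the return of `wp_nonce_url()`, which is already `esc_html()`-escaped, so it is safe inside the `href`.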
@@ -40,5 +48,9 @@
 				<?php } else { ?>
 				<?php wpsg_drawForm_TextStart(); ?>		
-				<?php echo WPSG_VERSION; ?>&nbsp;<a href="<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&amp;subaction=allgemein&amp;do=update&amp;submit=1&amp;noheader=1"><?php echo __("Aktualisieren", "wpsg"); ?></a>
+				<?php echo WPSG_VERSION; ?>&nbsp;<a href="<?php 
+				
+					echo wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=allgemein&do=update&submit=1&noheader=1', 'wpsg-admin-db-update');
+					
+				?>"><?php echo __("Aktualisieren", "wpsg"); ?></a>
 				<?php echo wpsg_drawForm_TextEnd(__('Installierte DB Version', 'wpsg'), array('help' => 'DBUpdate')); ?>	
 				<?php } ?>
Index: /views/admin/kundendaten.phtml
===================================================================
--- /views/admin/kundendaten.phtml	(revision 7557)
+++ /views/admin/kundendaten.phtml	(revision 7558)
@@ -40,4 +40,6 @@
 	<form name="form1" method="post" enctype="multipart/form-data" action="<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=<?php echo $_REQUEST['subaction']; ?>&noheader=1">
 	
+		<?php echo wp_nonce_field('wpsg-admin-kundendaten'); ?>
+		
 		<div class="panel panel-default">
 			<div class="panel-heading clearfix">
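Review bot: `echo wp_nonce_field('wpsg-admin-kundendaten')` on the new line renders the nonce inputs twice, since `wp_nonce_field()` both echoes by default and returns the markup; the form ends up with duplicate `_wpnonce` and `_wp_http_referer` fields. Remove the `echo`: `<?php wp_nonce_field('wpsg-admin-kundendaten'); ?>`. The `action` attribute on the line above still echoes `$_REQUEST['subaction']` unescaped — presumably constrained by the dispatch, but `wpsg_hspc()` would make that independent of it.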
@@ -78,5 +80,5 @@
 	</form>
 	
-	<script type="text/javascript">/* <![CDATA[ */
+	<script>
 
 		/**
@@ -89,5 +91,5 @@
 			
 			jQuery.ajax( {
-				url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=kundendaten&do=add&noheader=1',
+				url: '<?php echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=kundendaten&do=add&noheader=1', 'wpsg-admin-kundendaten-add')); ?>',
 				success: function(data) {
 					jQuery('#wpsg_kv_list').html(data);
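Review bot: `html_entity_decode(wp_nonce_url(...))` on the changed line unescapes for HTML when the value is actually landing inside a single-quoted JavaScript string; it works here only because `wp_nonce_url()` entity-encodes just the `&` and the remaining URL is a constant plus a hex nonce. The correct escape for the JS context is `json_encode()` (or `esc_js()`): `url: <?php echo json_encode(html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=kundendaten&do=add&noheader=1', 'wpsg-admin-kundendaten-add'))); ?>,` with the hand-written quotes dropped. `jQuery.ajax` also defaults to GET, so the state-changing `do=add` request remains reachable by plain URL; adding `type: 'POST'` would align it with the form submissions on this page.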
@@ -110,5 +112,5 @@
 
 			jQuery.ajax( {
-				url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=kundendaten&do=remove&noheader=1',
+				url: '<?php echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=kundendaten&do=remove&noheader=1', 'wpsg-admin-kundendaten-delete')); ?>',
 				data: {
 					'kv_index': kv_index
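Review bot: The `do=remove` request on the changed line is still sent with `jQuery.ajax`'s default method, GET, so after this change a deletion is triggered by fetching a URL; the nonce blocks cross-site forgery, but any log, proxy or browser history that records the URL records a working delete link until the nonce expires. Send it as a POST instead — `type: 'POST',` beside `data:` — and consider moving the nonce from the query string into `data` as `_wpnonce`, which `check_admin_referer()` reads from `$_REQUEST` either way. As on the add request, `html_entity_decode()` is the wrong escaping direction for a JavaScript string literal; `json_encode()` of the decoded URL, without the surrounding quotes, is the safe form.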
@@ -133,8 +135,8 @@
 			jQuery('#wpsg_code_dialog .modal-body').html('<img src="<?php echo WPSG_URL; ?>views/gfx/ajax-loader.gif" alt="<?php echo __('Bitte warten ...', 'wpsg'); ?>" />');
 			
-			jQuery('#wpsg_code_dialog').modal( { } )
+			jQuery('#wpsg_code_dialog').modal( { } );
 			
 			jQuery.ajax( {
-    			url: 'admin.php?page=wpsg-Admin&subaction=kundendaten&noheader=1&show=code',
+    			url: '<?php echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=kundendaten&noheader=1&show=code', 'wpsg-admin-kundendaten-code')); ?>',
     			data: { 'kv_id': kv_index },
     			success: function(data) { jQuery('#wpsg_code_dialog .modal-body').html(data); }
@@ -154,5 +156,5 @@
 		} );
 	    
-	/* ]]> */</script>
+	</script>
 
 </div>
Index: /views/admin/seiten.phtml
===================================================================
--- /views/admin/seiten.phtml	(revision 7557)
+++ /views/admin/seiten.phtml	(revision 7558)
@@ -20,4 +20,6 @@
 	<form name="form1" method="post" enctype="multipart/form-data" action="<?php echo wpsg_hspc(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=seiten&noheader=1'); ?>">	
 
+		<?php wp_nonce_field('wpsg-admin-seiten'); ?>
+		
 		<?php echo wpsg_drawForm_AdminboxStart(__('Seitenkonfiguration', 'wpsg')); ?>
 			
Index: /views/admin/widerrufsbelehrung.phtml
===================================================================
--- /views/admin/widerrufsbelehrung.phtml	(revision 7557)
+++ /views/admin/widerrufsbelehrung.phtml	(revision 7558)
@@ -32,6 +32,14 @@
 			<?php if (wpsg_isSizedString($this->view['revocationform'])) { ?>
 			
-				<a target="_blank" href="<?php echo WPSG_URL_WP; ?>wp-admin/admin.php/?page=wpsg-Admin&subaction=widerrufsbelehrung&download&noheader=1"><?php echo $this->view['revocationform']; ?></a>
-				<a onclick="if (!confirm('<?php echo __('Sind Sie sich sicher, dass Sie das Widerrufsformular lÃ¶schen mÃ¶chten?', 'wpsg'); ?>')) return false;" style="float:right;" href="<?php echo WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=widerrufsbelehrung&noheader=1&do=removeWiderrufsformular'; ?>"><?php echo __('Widerrufsformular lÃ¶schen', 'wpsg'); ?></a>
+				<a target="_blank" href="<?php 
+					
+					echo wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php/?page=wpsg-Admin&subaction=widerrufsbelehrung&download&noheader=1', 'wpsg-admin-widerrufsbelehrung-download');
+
+				?>"><?php echo $this->view['revocationform']; ?></a>
+				<a onclick="if (!confirm('<?php echo __('Sind Sie sich sicher, dass Sie das Widerrufsformular lÃ¶schen mÃ¶chten?', 'wpsg'); ?>')) return false;" style="float:right;" href="<?php 
+					
+					echo wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=widerrufsbelehrung&noheader=1&do=removeWiderrufsformular', 'wpsg-admin-widerrufsbelehrung-delete'); 
+					
+				?>"><?php echo __('Widerrufsformular lÃ¶schen', 'wpsg'); ?></a>
 			
 			<?php } else { ?>
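Review bot: `$this->view['revocationform']` is echoed as the link text of the `target="_blank"` anchor without escaping; it is a filename taken from an option, and how that option gets populated is not visible here, so `<?php echo wpsg_hspc($this->view['revocationform']); ?>` is the cheap defence. Both `wp_nonce_url()` results are already `esc_html()`-escaped, so they are safe inside `href`. The download URL keeps the pre-existing `admin.php/?page=` (a stray slash before the query string), which WordPress tolerates but which can misbehave under some rewrite setups. The delete link remains a GET with only a `confirm()` in front of it; the nonce now covers the forgery case, which is the point of the commit.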
@@ -42,5 +50,9 @@
 			
 			<br /><br />
-			<a href="<?php echo WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=widerrufsbelehrung&noheader=1&do=generateWiderrufsformular'; ?>" class="button"><?php echo __('Standardformular aus Shopinfo erstellen', 'wpsg'); ?></a>
+			<a href="<?php 
+				
+				echo wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=widerrufsbelehrung&noheader=1&do=generateWiderrufsformular', 'wpsg-admin-widerrufsbelehrung-generate'); 
+				
+			?>" class="button"><?php echo __('Standardformular aus Shopinfo erstellen', 'wpsg'); ?></a>
 			<br /><br />
 			
