Index: /controller/wpsg_AdminController.class.php
===================================================================
--- /controller/wpsg_AdminController.class.php	(revision 7558)
+++ /controller/wpsg_AdminController.class.php	(revision 7560)
@@ -382,9 +382,9 @@
 		 * Verwaltung der Registrierung
 		 */
-		public function registrierungAction()
-		{
-
-			if (wpsg_isSizedString($_REQUEST['do'], 'activatemodul'))
-			{
+		public function registrierungAction() {
+
+			if (wpsg_isSizedString($_REQUEST['do'], 'activatemodul')) {
+				
+				check_admin_referer('wpsg-admin-licence-activatemodul');
 				
 				try
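Review bot: `check_admin_referer()` only proves that the request carries a valid nonce for this action and dies otherwise; it is not an authorization check, so whether a low-privilege user can reach `registrierungAction` still depends on the capability configured for the `wpsg-Admin` page, which is not visible in this diff. If that capability is weaker than `manage_options`, a `current_user_can()` test at the top of the handler would be the place to add it, and the same applies to every `check_admin_referer()` added in this file. `registrierungAction` continues past the end of this hunk.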
@@ -468,8 +468,8 @@
 				}
 				
-			}
-			else if (wpsg_isSizedString($_REQUEST['do'], 'saveRegister'))
-			{
-
+			} else if (wpsg_isSizedString($_REQUEST['do'], 'saveRegister')) {
+
+				check_admin_referer('wpsg-admin-licence-register');
+				
 				foreach($_REQUEST['register'] as $k => $v)
 					$_REQUEST['register'][$k] = wpsg_xss($v);
@@ -509,7 +509,7 @@
 				}
 				
-			}
-			else if (wpsg_isSizedString($_REQUEST['do'], 'domainRegister'))
-			{
+			} else if (wpsg_isSizedString($_REQUEST['do'], 'domainRegister')) {
+				
+				check_admin_referer('wpsg-admin-licence-domainRegister');
 				
 				$api_return = wpsg_api_call('domainRegister', array($_SERVER['HTTP_HOST']));
@@ -553,12 +553,11 @@
 				}
 				
-			}
-			else if (wpsg_isSizedString($_REQUEST['do'], 'domainDeRegister'))
-			{
+			} else if (wpsg_isSizedString($_REQUEST['do'], 'domainDeRegister')) {
+			
+				check_admin_referer('wpsg-admin-licence-domainDeRegister');
 				
 				$api_return = wpsg_api_call('domainDeRegister', array($_SERVER['HTTP_HOST']));
 					
-				try
-				{
+				try {
 					
 					if ($api_return['returnCode'] === 1)
@@ -588,7 +587,5 @@
 					}
 					
-				}
-				catch (Exception $e)
-				{
+				} catch (Exception $e) {
 				
 					$this->addBackendError($e->getMessage());
@@ -919,20 +916,12 @@
 		 * Wird aufgerufen wenn die Versandzonen verwaltet werden sollen
 		 */
-		public function vzAction()
-		{
-
-			if (isset($_REQUEST['submit']))
-			{
-
-				$this->shop->addBackendMessage(__('Einstellungen der Versandzonen wurden erfolgreich gespeichert.', 'wpsg'));
-				$this->shop->redirect(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=vz');
-
-			}
-
+		public function vzAction() {
+			
 			$this->shop->view['arVZ'] = $this->db->fetchAssocField("SELECT VZ.`id`, VZ.`name` FROM `".WPSG_TBL_VZ."` AS VZ WHERE 1 ORDER BY VZ.`name` ASC ", "id", "name");
 
-			if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'add')
-			{
-
+			if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'add') {
+				
+				check_admin_referer('wpsg-admin-versandzonen-add');
+				
 				// Neue Zone anlegen
 				$new_name = __('Anklicken um Bezeichnung zu Ã€ndern ...', 'wpsg');
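Review bot: The `isset($_REQUEST['submit'])` branch with its success message and redirect is dropped from `vzAction` without replacement, so a POST that still carries `submit` now falls through to the normal render; that reads as intentional cleanup (nothing was saved there), but confirm the versandzonen form no longer submits under that name. `vzAction` continues past the end of this hunk.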
@@ -946,15 +935,15 @@
 				die($this->vz_listAction());
 
-			}
-			else if (@$_REQUEST['do'] == 'loadStandard')
-			{
-
+			} else if (@$_REQUEST['do'] == 'loadStandard') {
+				
+				check_admin_referer('wpsg-admin-versandzonen-loadStandard');
+				
 				$this->loadStandardLaenderVz();
 
 				die($this->vz_listAction());
 
-			}
-			else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'remove')
-			{
+			} else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'remove') {
+				
+				check_admin_referer('wpsg-admin-versandzonen-delete');
 
 				// Versandzone lÃ¶schen
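Review bot: The `loadStandard` branch keeps `@$_REQUEST['do'] == 'loadStandard'`, with error suppression and a loose comparison, while its sibling branches in the same chain test `isset($_REQUEST['do']) && $_REQUEST['do'] == 'remove'`; write it the same way, `} else if (isset($_REQUEST['do']) && $_REQUEST['do'] === 'loadStandard') {`, and the `@` goes away. `vzAction` starts before and continues past this hunk.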
@@ -963,29 +952,31 @@
 				die($this->vz_listAction());
 
-			}
-			else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'inlinedit')
-			{
-
-				// Inline Edit
-				$data = array();
-
-				$_REQUEST['vz_id'] = wpsg_sinput("key", $_REQUEST['vz_id']);
-
-				if ($_REQUEST['field'] == 'name')
-				{
-
-					$_REQUEST['value'] = wpsg_sinput("text_field", $_REQUEST['value']);
-					$this->shop->addTranslationString('vz_'.$_REQUEST['vz_id'], wpsg_sinput("text_field", $_REQUEST['value']));
-
-				}
-				else $data[$_REQUEST['field']] = wpsg_q(wpsg_sinput("key", $_REQUEST['value']));
-
-				$this->db->UpdateQuery(WPSG_TBL_VZ, $data, "`id` = '".wpsg_q($_REQUEST['vz_id'])."'");
-
-				die(stripslashes($_REQUEST['value']));
-
-			}
-			else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'save_plz')
-			{
+			} else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'inlinedit') {
+				
+				check_admin_referer('wpsg-admin-versandzonen-inline_edit-'.$_REQUEST['vz_id']);
+
+				// Eingaben prÃŒfen
+				if (!wpsg_checkInput($_REQUEST['vz_id'], WPSG_SANITIZE_INT) || !wpsg_checkInput($_REQUEST['value'], WPSG_SANITIZE_TEXTFIELD) || !wpsg_checkInput($_REQUEST['field'], WPSG_SANITIZE_TEXTFIELD)) 
+					throw new \Exception(__('Parameterfehler!', 'wpsg'));
+				
+				$field = wpsg_xss($_REQUEST['field']);
+				$value = wpsg_xss($_REQUEST['value']);
+				$vz_id = intval($_REQUEST['vz_id']);
+				
+				if ($field === 'name') {
+					
+					$this->shop->addTranslationString('vz_'.$vz_id, $value);
+					
+				}
+				
+				$data[$field] = $value;
+				
+				$this->db->UpdateQuery(WPSG_TBL_VZ, $data, "`id` = '".wpsg_q($vz_id)."'");
+
+				die(stripslashes($value));
+
+			} else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'save_plz') {
+				
+				check_admin_referer('wpsg-admin-versandzonen-save_plz');
 
 				$this->db->UpdateQuery(WPSG_TBL_VZ, array(
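Review bot: In the rewritten `inlinedit` branch `$field` becomes a column name in the UPDATE built by `UpdateQuery`, but the only check on it is `wpsg_checkInput(..., WPSG_SANITIZE_TEXTFIELD)` plus `wpsg_xss()`, neither of which constrains an SQL identifier; since the views only ever submit `name` or `value`, restrict it before use, `if (!in_array($field, ['name', 'value'], true)) throw new wpsg\wpsg_exception();`. Whether `UpdateQuery` escapes the values it receives is not visible here, so the old `wpsg_q()` wrapping of the value may also need to come back — confirm. The branch throws `\Exception` while the `laenderAction` hunk below throws `wpsg\wpsg_exception`, whose constructor already defaults to the same 'Parameterfehler!' message, so the two should agree; and `$data = array();` was dropped, so `$data` is now created implicitly at `$data[$field] = $value;`. `vzAction` starts before and continues past this hunk.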
@@ -1002,12 +993,12 @@
 		 * Ist fÃŒr das Deinstallieren zustÃ€ndig
 		 */
-		public function deinstallierenAction()
-		{
+		public function deinstallierenAction() {
 
 			global $wpdb;
 
-			if (isset($_REQUEST['submit']))
-			{
-
+			if (isset($_REQUEST['submit'])) {
+
+				check_admin_referer('wpsg-admin-deinstall');
+				
 				// Sanitization
 				foreach($_REQUEST as $k => $v)
@@ -1141,22 +1132,20 @@
 		 * Wird aufgerufen wenn die LÃ€nder verwaltet werden sollen
 		 */
-		public function laenderAction()
-		{
-
-			if (isset($_REQUEST['submit']))
-			{
-
-				if (!wpsg_isSizedArray($_REQUEST['arDelete']))
-				{
+		public function laenderAction() {
+
+			if (isset($_REQUEST['submit'])) {
+				
+				check_admin_referer('wpsg-admin-laender');
+
+				if (!wpsg_isSizedArray($_REQUEST['arDelete'])) {
 
 					$this->addBackendError(__('Bitte mindestens ein Land zum lÃ¶schen auswÃ€hlen.', 'wpsg'));
 
-				}
-				else
-				{
-
-					foreach ($_REQUEST['arDelete'] as $country_id => $c)
-					{
-
+				} else  {
+
+					foreach ($_REQUEST['arDelete'] as $country_id => $c) {
+
+						if (!wpsg_checkInput($country_id, WPSG_SANITIZE_INT)) throw new wpsg\wpsg_exception();
+						
 						$oCountry = wpsg_country::getInstance(wpsg_sinput("key", $country_id));
 						$oCountry->delete();
@@ -1171,6 +1160,7 @@
 			}
 
-			if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'save')
-			{
+			if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'save') {
+				
+				check_admin_referer('wpsg-laender-save');
 
 				$form_data = []; parse_str($_REQUEST['form_data'], $form_data);
@@ -1211,7 +1201,7 @@
 				die($this->laenderList());
 
-			}
-			else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'eu_import')
-			{
+			} else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'eu_import') {
+				
+				check_admin_referer('wpsg-laender-eu_import');
 
 				// EU Import
@@ -1221,7 +1211,7 @@
 				die($this->laenderList());
 
-			}
-			else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'import')
-			{
+			} else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'import') {
+				
+				check_admin_referer('wpsg-laender-import');
 
 				$this->loadStandardLaenderVz();
@@ -1230,8 +1220,8 @@
 				die($this->laenderList());
 
-			}
-			else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'remove')
-			{
-
+			} else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'remove') {
+
+				check_admin_referer('wpsg-laender-delete');
+				
 				$this->clearMessages();
 				$oCountry = wpsg_country::getInstance($_REQUEST['land_id']);
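Review bot: The `remove` branch passes `$_REQUEST['land_id']` straight into `wpsg_country::getInstance()` after the nonce check, while the `submit` branch of the same `laenderAction` now validates each id with `wpsg_checkInput($country_id, WPSG_SANITIZE_INT)` before doing the same; add the matching guard here, `if (!wpsg_checkInput($_REQUEST['land_id'], WPSG_SANITIZE_INT)) throw new wpsg\wpsg_exception();`. The `edit` branch below builds its SQL from `wpsg_q($_REQUEST['land_id'])`, which is escaped, but the same int check would make the three branches consistent. `laenderAction` starts before and continues past this hunk.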
@@ -1240,8 +1230,8 @@
 				die("1");
 
-			}
-			else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'add')
-			{
-
+			} else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'add') {
+				
+				check_admin_referer('wpsg-laender-add');
+				
 				$this->shop->view['vz'] = $this->db->fetchAssocField("SELECT `id`, `name` FROM `".WPSG_TBL_VZ."` ORDER BY `name` ASC", "id", "name");
 
@@ -1255,8 +1245,8 @@
 				die($this->shop->render(WPSG_PATH_VIEW.'/admin/laender_edit.phtml'));
 
-			}
-			else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'edit')
-			{
-
+			} else if (isset($_REQUEST['do']) && $_REQUEST['do'] == 'edit') {
+
+				check_admin_referer('wpsg-laender-edit');
+				
 				$this->shop->view['vz'] = $this->db->fetchAssocField("SELECT `id`, `name` FROM `".WPSG_TBL_VZ."` ORDER BY `name` ASC", "id", "name");
 				$this->shop->view['land'] = $this->db->fetchRow("SELECT * FROM `".WPSG_TBL_LAND."` WHERE `id` = '".wpsg_q($_REQUEST['land_id'])."' ");
@@ -1715,4 +1705,6 @@
 			if (isset($_REQUEST['submit']))
 			{
+				
+				check_admin_referer('wpsg-admin-emailconf');
 
 			    $this->update_option('wpsg_htmlmail', $_REQUEST['wpsg_htmlmail'], false, false, WPSG_SANITIZE_CHECKBOX);
Index: /lib/wpsg_exception.php
===================================================================
--- /lib/wpsg_exception.php	(revision 7560)
+++ /lib/wpsg_exception.php	(revision 7560)
@@ -0,0 +1,25 @@
+<?php
+	
+	declare(strict_types=1);
+	
+	/**
+	 * User: Daschmi (daschmi@daschmi.de)
+	 * Date: 09.09.2019
+	 * Time: 10:18
+	 */ 
+    
+    namespace wpsg;
+    
+    use Throwable;
+
+	class wpsg_exception extends \Exception {
+    	
+    	public function __construct(string $message = "", int $code = 0, Throwable $previous = null) {
+		
+    		if ($message === "") $message = __('Parameterfehler!', 'wpsg');
+    		
+			parent::__construct($message, $code, $previous);
+			
+		}
+	
+	}
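Review bot: `Throwable $previous = null` relies on an implicitly nullable parameter, which PHP 8.4 deprecates; declare it as `?Throwable $previous = null` to match `\Exception::__construct`. The class name `wpsg_exception` and the mixed tab/space indentation differ from PSR-12 (`StudlyCaps`, 4 spaces) but follow the project's existing naming, so that is only worth changing if the rest of the codebase moves. `__()` resolves to the global WordPress function from inside the `wpsg` namespace, which is fine, but a short class docblock stating that an empty message defaults to the translated 'Parameterfehler!' would help callers who throw it bare.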
Index: /views/admin/deinstall.phtml
===================================================================
--- /views/admin/deinstall.phtml	(revision 7558)
+++ /views/admin/deinstall.phtml	(revision 7560)
@@ -23,4 +23,6 @@
 	<form name="form1" class="form-horizontal" method="post" enctype="multipart/form-data" action="<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&amp;noheader=1&amp;subaction=<?php echo $_REQUEST['subaction']; ?>">
 
+		<?php echo wp_nonce_field('wpsg-admin-deinstall'); ?>
+		
 		<p><?php echo __('Bitte wÃ€hlen Sie aus, was Sie entfernen mÃ¶chten?', 'wpsg'); ?></p>
 
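Review bot: `wp_nonce_field()` echoes its output by default and also returns it, so `<?php echo wp_nonce_field('wpsg-admin-deinstall'); ?>` renders the `_wpnonce` and `_wp_http_referer` inputs twice; drop the `echo`, as emailconf.phtml already does (`<?php wp_nonce_field('wpsg-admin-deinstall'); ?>`). The same `echo wp_nonce_field(...)` appears in laender.phtml and in the activatemodul form in licence.phtml. Separately, the surrounding form's `action` still echoes `$_REQUEST['subaction']` unescaped into an attribute; wrapping it with `wpsg_hspc()` as the other views do for their action URLs would close that reflection.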
Index: /views/admin/emailconf.phtml
===================================================================
--- /views/admin/emailconf.phtml	(revision 7558)
+++ /views/admin/emailconf.phtml	(revision 7560)
@@ -26,4 +26,6 @@
 	<form name="form1" method="post" enctype="multipart/form-data" action="<?php echo wpsg_hspc(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=emailconf&noheader=1'); ?>">
 
+		<?php wp_nonce_field('wpsg-admin-emailconf'); ?>
+		
 		<?php echo wpsg_drawForm_AdminboxStart('Allgemeine Einstellungen', 'wpsg'); ?>
 		<?php $logoPath = wpsg_getUploadDir('wpsg_mailconf').'wpsg_email_logo.jpg'; ?>
Index: /views/admin/laender.phtml
===================================================================
--- /views/admin/laender.phtml	(revision 7558)
+++ /views/admin/laender.phtml	(revision 7560)
@@ -38,4 +38,6 @@
 	<form name="form1" method="post" enctype="multipart/form-data" action="<?php echo wpsg_hspc(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=laender&noheader=1'); ?>">
 
+		<?php echo wp_nonce_field('wpsg-admin-laender'); ?>
+		
 		<?php echo wpsg_drawForm_AdminboxStart(__('LÃ€nderverwaltung', 'wpsg')); ?>
 
@@ -64,11 +66,14 @@
 	    function wpsg_country_check_all() { jQuery('td.col_check input').each(function() { jQuery(this).prop('checked', !jQuery(this).prop('checked')); } ); }
 
-		function wpsg_country_remove(land_id)
-		{
+		function wpsg_country_remove(land_id) {
 
 			if (!confirm('<?php echo __('Sind Sie sich sicher?', 'wpsg'); ?>')) return false;
 
 			jQuery.ajax( {
-				url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=remove&noheader=1',
+				url: '<?php 
+					
+					echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=remove&noheader=1', 'wpsg-laender-delete'));
+					
+				?>',
 				data: {
 					land_id: land_id
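Review bot: Embedding `html_entity_decode(wp_nonce_url(...))` inside a single-quoted JavaScript string works only because every part of the URL is a constant; it undoes the escaping `wp_nonce_url()` applied for HTML context and leaves nothing escaping for JS context. Since these calls already pass a `data:` object, a cleaner shape is to keep the plain URL and send the nonce as a field, e.g. `data: { land_id: land_id, _wpnonce: '<?php echo wp_create_nonce('wpsg-laender-delete'); ?>' }`, which `check_admin_referer()` accepts unchanged. The same pattern is repeated in the other ajax calls of this file and in versandzonen.phtml and versandzonen_list.phtml.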
@@ -93,5 +98,9 @@
 
 			jQuery.ajax( {
-				url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=add&noheader=1',				
+				url: '<?php 
+					
+					echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=add&noheader=1', 'wpsg-laender-add'));
+					
+				?>',				
 				success: function(data) { jQuery('#Modal_wpsg_country_edit .modal-body').html(data); }
 			} );
@@ -101,6 +110,5 @@
 		} // function wpsg_country_add()
 
-        function wpsg_country_import()
-        {
+        function wpsg_country_import() {
 
             if (!confirm('<?php echo __('Sind Sie sich sicher?', 'wpsg'); ?>')) return false;
@@ -109,5 +117,9 @@
 
             jQuery.ajax( {
-                url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=import&noheader=1',
+                url: '<?php 
+					
+					echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=import&noheader=1', 'wpsg-laender-import'));
+					
+				?>',
                 success: function(data) {
 
@@ -129,5 +141,9 @@
 
             jQuery.ajax( {
-                url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=eu_import&noheader=1',
+                url: '<?php 
+					
+					echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=eu_import&noheader=1', 'wpsg-laender-eu_import'));
+					
+				?>',
                 success: function(data) {
 
@@ -147,5 +163,9 @@
 
 			jQuery.ajax( {
-				url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=save&noheader=1',
+				url: '<?php
+					 
+					echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=save&noheader=1', 'wpsg-laender-save'));
+					
+				?>',
 				data: {
 					form_data: jQuery('#wpsg_land_edit_form_edit').serialize()
@@ -167,5 +187,12 @@
 
 			jQuery.ajax( {
-				url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=edit&noheader=1&land_id=' + land_id,
+				url: '<?php 
+					
+					echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=laender&do=edit&noheader=1', 'wpsg-laender-edit'));
+					
+				?>',
+				data: {
+					land_id: land_id
+				},
 				success: function(data) { jQuery('#Modal_wpsg_country_edit .modal-body').html(data); }
 			} );
Index: /views/admin/laender_edit.phtml
===================================================================
--- /views/admin/laender_edit.phtml	(revision 7558)
+++ /views/admin/laender_edit.phtml	(revision 7560)
@@ -1,4 +1,4 @@
 <form id="wpsg_land_edit_form_edit" class="form-horizontal">
-
+ 
 	<?php if (wpsg_isSizedInt($this->view['land']['id'])) { ?>
 	<input type="hidden" name="id" value="<?php echo $this->view['land']['id']; ?>" />
Index: /views/admin/licence.phtml
===================================================================
--- /views/admin/licence.phtml	(revision 7558)
+++ /views/admin/licence.phtml	(revision 7560)
@@ -75,4 +75,6 @@
                         <form method="POST" action="<?php echo WPSG_URL_WP ?>wp-admin/admin.php?page=wpsg-Admin&action=registrierung&noheader=1&do=saveRegister">
                             
+							<?php wp_nonce_field('wpsg-admin-licence-register'); ?>
+							
                             <?php $strLicenceLabel = ''; ?>
                             <?php if ($wpsg_update_data['licence_model'] === 'enterprise') { $strLicenceLabel = __('Enterprise', 'wpsg'); ?>
@@ -121,5 +123,9 @@
                                         <td class="col_action">
                                             
-                                            <a href="<?php echo WPSG_URL_WP ?>wp-admin/admin.php?page=wpsg-Admin&action=registrierung&noheader=1&do=domainDeRegister" class="btn btn-warning btn-sm"><?php echo __('Registrierung aufheben'); ?></a>
+                                            <a href="<?php 
+												
+												echo wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&action=registrierung&noheader=1&do=domainDeRegister', 'wpsg-admin-licence-domainDeRegister');
+												
+											?>" class="btn btn-warning btn-sm"><?php echo __('Registrierung aufheben'); ?></a>
                                             
                                         </td>
@@ -143,5 +149,9 @@
                             <br />
                             
-                            <a href="<?php echo WPSG_URL_WP ?>wp-admin/admin.php?page=wpsg-Admin&action=registrierung&noheader=1&do=domainRegister" class="btn btn-primary"><?php echo __('Diese Domain registrieren', 'wpsg'); ?></a>
+                            <a href="<?php
+								
+								echo wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&action=registrierung&noheader=1&do=domainRegister', 'wpsg-admin-licence-domainRegister');
+								
+							?>" class="btn btn-primary"><?php echo __('Diese Domain registrieren', 'wpsg'); ?></a>
                                                     
                         <?php } else if (in_array($_SERVER['HTTP_HOST'], $wpsg_update_data['domainData'])) { ?>
@@ -162,4 +172,6 @@
                         <form method="POST" action="<?php echo WPSG_URL_WP ?>wp-admin/admin.php?page=wpsg-Admin&action=registrierung&noheader=1&do=activatemodul&source=licence">
 						
+							<?php echo wp_nonce_field('wpsg-admin-licence-activatemodul'); ?>
+							
                             <fieldset>
                                 <legend style="padding-top:0px;"><?php echo __('Modulcode aktivieren', 'wpsg'); ?></legend>
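Review bot: The nonce now covers `activatemodul`, `saveRegister`, `domainRegister` and `domainDeRegister`, but the `do=installModul` link built further down in this file (visible as context in the last hunk) is still a bare URL; if the controller's `installModul` branch does not verify a nonce either, that state-changing action remains unprotected — hedged, since the handler is not in this diff. Wrapping that URL with `wp_nonce_url()` under an action name of the same family (e.g. a constructed `wpsg-admin-licence-installModul`) and adding the matching `check_admin_referer()` would bring it in line.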
@@ -250,5 +262,5 @@
                                                     echo '<br />';
                                                     echo wpsg_translate(__('<a href="#1#">Version installieren</a>.', 'wpsg'), WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&action=registrierung&noheader=1&do=installModul&modul='.$modul_key.'&source=licence');
-                                                    
+                                                                                                        
                                                 }
                                                 
Index: /views/admin/versandzonen.phtml
===================================================================
--- /views/admin/versandzonen.phtml	(revision 7558)
+++ /views/admin/versandzonen.phtml	(revision 7560)
@@ -32,5 +32,5 @@
 </div>
 
-<script type="text/javascript">/* <![CDATA[ */
+<script>
 
 	/**
@@ -43,5 +43,9 @@
 		
 		jQuery.ajax( {
-			url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=add&noheader=1',
+			url: '<?php 
+				
+				echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=add&noheader=1', 'wpsg-admin-versandzonen-add'));
+				
+			?>',
 			success: function(data) {
 				jQuery('#wpsg_vz_list').html(data);
@@ -64,5 +68,9 @@
 		
 		jQuery.ajax( {
-			url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=remove&noheader=1',
+			url: '<?php 
+				
+				echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=remove&noheader=1', 'wpsg-admin-versandzonen-delete'));
+				
+			?>',
 			data: {
 				vz_id: vz_id
@@ -77,6 +85,6 @@
 	} // function wpsg_removeVZ(vz_id)
 
-	function wpsg_editPLZ(vz_id)
-	{
+	function wpsg_editPLZ(vz_id) {
+		
 		jQuery('#vz_' + vz_id + '_plz').attr('style', 'display:display');
 
@@ -84,9 +92,12 @@
 	}
 
-	function wpsg_savePLZ(vz_id)
-	{
+	function wpsg_savePLZ(vz_id) {
 	
 		jQuery.ajax( {
-			url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=save_plz&noheader=1',
+			url: '<?php 
+				
+				echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=save_plz&noheader=1', 'wpsg-admin-versandzonen-save_plz'));
+				
+			?>',
 			data: {
 				vz_id: vz_id,
@@ -102,6 +113,5 @@
 	}
 
-	function wpsg_loadStandard()
-	{
+	function wpsg_loadStandard() {
 
 		if (!confirm('<?php echo __('Sind Sie sich sicher, dass sie die Standard Versandzonen und LÃ€nder laden mÃ¶chten? Die alten Versandzonen und LÃ€nder gehen verloren.', 'wpsg'); ?>')) return false;
@@ -110,5 +120,9 @@
 
 		jQuery.ajax( {
-			url: '<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=loadStandard&noheader=1',
+			url: '<?php 
+				
+				echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=loadStandard&noheader=1', 'wpsg-admin-versandzonen-loadStandard'));
+			
+			?>',
 			success: function(data) {
 				jQuery('#wpsg_vz_list').html(data);
@@ -120,3 +134,3 @@
 	} // function wpsg_loadStandard()
 	
-/* ]]> */</script>
+</script>
Index: /views/admin/versandzonen_list.phtml
===================================================================
--- /views/admin/versandzonen_list.phtml	(revision 7558)
+++ /views/admin/versandzonen_list.phtml	(revision 7560)
@@ -36,12 +36,16 @@
 			<a class="glyphicon glyphicon-trash" href="#" title="<?php echo __('Versandzone lÃ¶schen', 'wpsg'); ?>" onclick="return wpsg_removeVZ(<?php echo $vz['id']; ?>);"></a>
 			
-			<script type="text/javascript">/* <![CDATA[ */
+			<script>
 
-				jQuery('#vz_<?php echo $vz['id']; ?>_name').wpsg_editable('<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=inlinedit&noheader=1', {
+				jQuery('#vz_<?php echo $vz['id']; ?>_name').wpsg_editable('<?php
+					
+						echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=inlinedit&noheader=1', 'wpsg-admin-versandzonen-inline_edit-'.$vz['id']));
+					
+					?>', {
 					submitdata: { 
 			    		field: 'name',
 			    		vz_id: '<?php echo $vz['id']; ?>'
 					}, 					
-					submit  : '<?php echo __('Speichern', 'wpsg'); ?>',
+					submit: '<?php echo __('Speichern', 'wpsg'); ?>',
 					placeholder: '<?php echo __('Zum Bearbeiten anklicken ...', 'wpsg'); ?>',
 					indicator: '<?php echo __('Speicher ...', 'wpsg'); ?>',
@@ -49,10 +53,14 @@
 				});
 			
-				jQuery('#vz_<?php echo $vz['id']; ?>_value').wpsg_editable('<?php echo WPSG_URL_WP; ?>wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=inlinedit&noheader=1', {
+				jQuery('#vz_<?php echo $vz['id']; ?>_value').wpsg_editable('<?php 
+					
+						echo html_entity_decode(wp_nonce_url(WPSG_URL_WP.'wp-admin/admin.php?page=wpsg-Admin&subaction=vz&do=inlinedit&noheader=1', 'wpsg-admin-versandzonen-inline_edit-'.$vz['id'])); 
+										
+					?>', {
 					submitdata: { 
 			    		field: 'value',
 			    		vz_id: '<?php echo $vz['id']; ?>'
 					}, 					
-					submit  : '<?php echo __('Speichern', 'wpsg'); ?>',
+					submit: '<?php echo __('Speichern', 'wpsg'); ?>',
 					placeholder: '<?php echo __('Zum Bearbeiten anklicken ...', 'wpsg'); ?>',
 					indicator: '<?php echo __('Speicher ...', 'wpsg'); ?>',
@@ -60,5 +68,5 @@
 				});
 
-				/* ]]> */</script>		
+				</script>		
 		</td>
 	</tr>
