diff --git a/lib/Router/Endpoints/Queue.php b/lib/Router/Endpoints/Queue.php
index 5589aac954..9170ea044a 100644
--- a/lib/Router/Endpoints/Queue.php
+++ b/lib/Router/Endpoints/Queue.php
@@ -8,6 +8,7 @@ if(!defined('ABSPATH')) exit;
 class Queue {
 const ENDPOINT = 'queue';
 const ACTION_RUN = 'run';
+ public $allowed_actions = array(self::ACTION_RUN);
 function run($data) {
 $queue = new Daemon($data);
diff --git a/lib/Router/Endpoints/Subscription.php b/lib/Router/Endpoints/Subscription.php
index ea22ae9258..0de66e3295 100644
--- a/lib/Router/Endpoints/Subscription.php
+++ b/lib/Router/Endpoints/Subscription.php
@@ -7,6 +7,14 @@ if(!defined('ABSPATH')) exit;
 class Subscription {
 const ENDPOINT = 'subscription';
+ const ACTION_CONFIRM = 'confirm';
+ const ACTION_MANAGE = 'manage';
+ const ACTION_UNSUBSCRIBE = 'unsubscribe';
+ public $allowed_actions = array(
+ self::ACTION_CONFIRM,
+ self::ACTION_MANAGE,
+ self::ACTION_UNSUBSCRIBE
+ );
 function confirm($data) {
 $subscription = new UserSubscription\Pages('confirm', $data);
diff --git a/lib/Router/Endpoints/Track.php b/lib/Router/Endpoints/Track.php
index 7abeaf8f85..5cb3060543 100644
--- a/lib/Router/Endpoints/Track.php
+++ b/lib/Router/Endpoints/Track.php
@@ -14,6 +14,10 @@ class Track {
 const ENDPOINT = 'track';
 const ACTION_CLICK = 'click';
 const ACTION_OPEN = 'open';
+ public $allowed_actions = array(
+ self::ACTION_CLICK,
+ self::ACTION_OPEN
+ );
 function click($data) {
 $click_event = new Clicks();
diff --git a/lib/Router/Endpoints/ViewInBrowser.php b/lib/Router/Endpoints/ViewInBrowser.php
index 5c8e65bb75..9bb265f046 100644
--- a/lib/Router/Endpoints/ViewInBrowser.php
+++ b/lib/Router/Endpoints/ViewInBrowser.php
@@ -11,6 +11,7 @@ if(!defined('ABSPATH')) exit;
 class ViewInBrowser {
 const ENDPOINT = 'view_in_browser';
 const ACTION_VIEW = 'view';
+ public $allowed_actions = array(self::ACTION_VIEW);
 function view($data) {
 $data = $this->_processBrowserPreviewData($data);
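Review bot: `$allowed_actions` is declared as a public, non-static instance property in Queue here and in the same way in the Subscription, Track and ViewInBrowser hunks, so the allowlist can only be read after the endpoint is constructed and any code holding the instance can overwrite it. A static property, `public static $allowed_actions = array(self::ACTION_RUN);`, read as `$endpoint::$allowed_actions`, lets the router validate the action before instantiating anything and keeps the list off the mutable instance; a class constant would do the same if the supported PHP version allows array constants. The Subscription hunk also adds `manage` and `unsubscribe` to its list while the corresponding methods are outside the hunk, so it is worth confirming each listed action has a matching method, since `method_exists` is the only other guard. A one-line comment above each property, `// actions the router may dispatch to; must match a public method of this class`, would record the contract for future endpoints.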
diff --git a/lib/Router/Front.php b/lib/Router/Front.php
index 8d7b3969bf..d9345fc425 100644
--- a/lib/Router/Front.php
+++ b/lib/Router/Front.php
@@ -31,7 +31,7 @@ class Front {
 if(!$this->api_request) return;
 if(!$this->endpoint || !class_exists($class)) {
- self::terminateRequest(self::RESPONSE_ERROR, __('Invalid Router endpoint.'));
+ self::terminateRequest(self::RESPONSE_ERROR, __('Invalid router endpoint.'));
 }
 $this->callEndpoint(
 $class,
@@ -41,10 +41,10 @@ class Front {
 }
 function callEndpoint($endpoint, $action, $data) {
- if(!method_exists($endpoint, $action)) {
- self::terminateRequest(self::RESPONSE_ERROR, __('Invalid Router action.'));
- }
 $endpoint = new $endpoint();
+ if(!method_exists($endpoint, $action) || !in_array($action, $endpoint->allowed_actions)) {
+ self::terminateRequest(self::RESPONSE_ERROR, __('Invalid router action.'));
+ }
 call_user_func(
 array(
 $endpoint,
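Review bot: The new guard in callEndpoint reads `$endpoint->allowed_actions` without checking that the endpoint class defines it, and calls `in_array` without the strict flag; an endpoint that omits the property turns the check into `in_array($action, null)`, which warns and fails closed on PHP 5/7 but throws a TypeError on PHP 8, and `$action` presumably originates from the request, so loose comparison is the wrong default for an allowlist. Suggest `if(!isset($endpoint->allowed_actions) || !method_exists($endpoint, $action) || !in_array($action, $endpoint->allowed_actions, true)) {`. The commit also moves `$endpoint = new $endpoint();` above the validation, so an endpoint constructor now runs for requests that are about to be rejected; if any endpoint does work in its constructor, a static allowlist would let the check stay before instantiation. The rest of callEndpoint continues outside the hunk.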