From 2f847c16b608a93a12f013d840306a49566deaa4 Mon Sep 17 00:00:00 2001
From: razvanaldea89 <44024114+razvanaldea89@users.noreply.github.com>
Date: Wed, 23 Mar 2022 09:17:30 +0200
Subject: [PATCH 1/4] security exploit fix
---
 includes/class-rsvp-admin.php | 2 +-
 includes/class-rsvp-helper.php | 11 ++++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/includes/class-rsvp-admin.php b/includes/class-rsvp-admin.php
index dd949d4..a2cdd3c 100644
--- a/includes/class-rsvp-admin.php
+++ b/includes/class-rsvp-admin.php
@@ -101,7 +101,7 @@ public function submenu_pages() {
 'RSVP Export',
 'RSVP Export',
 'publish_posts',
- 'rsvp-admin-export',
+ 'rsvp-admin-export/' . wp_create_nonce( 'rsvp-export-attendees' ),
 array( $rsvp_helper, 'rsvp_admin_export' )
 );
 add_submenu_page(
diff --git a/includes/class-rsvp-helper.php b/includes/class-rsvp-helper.php
index d328d1b..0b8fa6c 100644
--- a/includes/class-rsvp-helper.php
+++ b/includes/class-rsvp-helper.php
@@ -28,7 +28,7 @@ function __construct() {
 add_action( 'admin_init', array( $this, 'bulk_delete_attendees' ) );
 add_action( 'admin_init', array( $this, 'bulk_delete_questions' ) );
- add_action( 'init', array( $this, 'rsvp_admin_export' ) );
+ add_action( 'admin_init', array( $this, 'rsvp_admin_export' ) );
 }
@@ -209,8 +209,13 @@ public function get_custom_questions() {
 */
 public function rsvp_admin_export() {
- if ( ( isset( $_GET['page'] ) && ( strToLower( sanitize_text_field( wp_unslash( $_GET['page'] ) ) ) == 'rsvp-admin-export' ) ) ||
- ( isset( $_POST['rsvp-bulk-action'] ) && ( 'export' === strToLower( sanitize_text_field( wp_unslash( $_POST['rsvp-bulk-action'] ) ) ) ) ) ) {
+ if ( isset( $_GET['page'] ) ) {
+
+ $page = explode( '/', strToLower( sanitize_text_field( wp_unslash( $_GET['page'] ) ) ) );
+
+ if ( 'rsvp-admin-export' !== $page[0] || ! wp_verify_nonce( $page[1], 'rsvp-export-attendees' ) ) {
+ return;
+ }
 global $wpdb;
From 0399df6b2251f2fea4622d308d8fac225b6de630 Mon Sep 17 00:00:00 2001
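Review bot: The nonce check added in the `@@ -209,8 +209,13 @@` hunk of class-rsvp-helper.php is a CSRF token, not an authorization check: with the handler now on `admin_init` (the `@@ -28,7 +28,7 @@` hunk) it runs for every authenticated admin-area request, and the `publish_posts` capability passed to `add_submenu_page` in the class-rsvp-admin.php hunk only controls menu visibility, so the export should also gate on `if ( ! current_user_can( 'publish_posts' ) ) { return; }` before reaching `global $wpdb;`. `$page[1]` is read without checking it exists, so a `page=rsvp-admin-export` request with no slash (an old bookmark) raises an undefined-offset notice before the nonce check fails; since readme.txt still declares PHP 5.6, `wp_verify_nonce( isset( $page[1] ) ? $page[1] : '', 'rsvp-export-attendees' )` is the compatible guard. The removed `$_POST['rsvp-bulk-action'] === 'export'` branch means a bulk-action export is no longer handled by this function, which looks intentional but deserves a line in the commit message or a short comment. The body of `rsvp_admin_export()` continues past the end of the hunk, so what happens after the nonce check is not visible here.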
From: razvanaldea89 <44024114+razvanaldea89@users.noreply.github.com>
Date: Wed, 23 Mar 2022 09:18:35 +0200
Subject: [PATCH 2/4] version bump; changelog update;
---
 languages/rsvp.pot | 2 +-
 package-lock.json | 2 +-
 package.json | 2 +-
 readme.txt | 5 ++++-
 wp-rsvp.php | 4 ++--
 5 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/languages/rsvp.pot b/languages/rsvp.pot
index dcef5d6..d9ab64b 100644
--- a/languages/rsvp.pot
+++ b/languages/rsvp.pot
@@ -2,7 +2,7 @@
 # This file is distributed under the GPLv3.
 msgid ""
 msgstr ""
-"Project-Id-Version: RSVP 2.7.6\n"
+"Project-Id-Version: RSVP 2.7.7\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/rsvp\n"
 "POT-Creation-Date: 2022-01-12 12:04:13+00:00\n"
 "MIME-Version: 1.0\n"
diff --git a/package-lock.json b/package-lock.json
index 69017b0..6ed2400 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "rsvp",
- "version": "2.7.6",
+ "version": "2.7.7",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index 4d91750..cbf255c 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "rsvp",
 "main": "Gruntfile.js",
- "version": "2.7.6,
+ "version": "2.7.7,
 "author": "WPChill",
 "license": "GPL v3",
 "repository": "https://github.com/WPChill/rsvp",
diff --git a/readme.txt b/readme.txt
index 4c352dc..9d7c64d 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: rsvp, event, event management, attendee management, event planning, weddin
 Requires at least: 5.6
 Tested up to: 5.9
 Requires PHP: 5.6
-Stable tag: 2.7.6
+Stable tag: 2.7.7
 License: GPLv3 or later
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
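Review bot: The new `"version": "2.7.7,` line in the package.json hunk is missing the closing double quote on the value, so the file is not valid JSON; the old line had the same defect and this bump carries it forward. It should read `"version": "2.7.7",`.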
@@ -93,6 +93,9 @@ For example if you have a page that is /rsvp for domain example.com your URL mig
 == Changelog ==
+= 2.7.7 - 23.03.2022 =
+* Fixed: Security exploit
+
 = 2.7.6 - 21.03.2022 =
 * Fixed: Sorting attendees no longer logs out the user (https://github.com/WPChill/rsvp/issues/76)
 * Changed: Moved upsell in "Events" page under the table. (https://github.com/WPChill/rsvp/issues/55)
diff --git a/wp-rsvp.php b/wp-rsvp.php
index d5f8d18..02a4cfc 100644
--- a/wp-rsvp.php
+++ b/wp-rsvp.php
@@ -2,13 +2,13 @@
 /**
 * @package rsvp
 * @author WPChill
- * @version 2.7.6
+ * @version 2.7.7
 * Plugin Name: RSVP
 * Text Domain: rsvp-plugin
 * Plugin URI: http://wordpress.org/extend/plugins/rsvp/
 * Description: This plugin allows guests to RSVP to an event. It was made initially for weddings but could be used for other things.
 * Author: WPChill
- * Version: 2.7.6
+ * Version: 2.7.7
 * Author URI: https://wpchill.com
 * License: GPLv3
 * Copyright 2010-2020 Mike de Libero mikede@mde-dev.com
From beaf558af3ca02a0c021ef8a411405977901de0f Mon Sep 17 00:00:00 2001
From: razvanaldea89 <44024114+razvanaldea89@users.noreply.github.com>
Date: Wed, 23 Mar 2022 09:31:37 +0200
Subject: [PATCH 3/4] more sanitization
---
 includes/class-rsvp-admin.php | 2 +-
 includes/class-rsvp-helper.php | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/includes/class-rsvp-admin.php b/includes/class-rsvp-admin.php
index a2cdd3c..94e002e 100644
--- a/includes/class-rsvp-admin.php
+++ b/includes/class-rsvp-admin.php
@@ -249,7 +249,7 @@ public function rsvp_admin_guest() {
 $attendeeId = $wpdb->insert_id;
 }
 if ( isset( $_POST['associatedAttendees'] ) && is_array( $_POST['associatedAttendees'] ) ) {
- foreach ( array_map( 'sanitize_text_field', array_map( 'wp_unslash', $_POST['associatedAttendees'] ) ) as $aid ) {
+ foreach ( array_map( 'sanitize_text_field', array_map( 'wp_unslash', $_POST['associatedAttendees'] ) ) as $aid ) { //phpcs:ignore
 if ( is_numeric( $aid ) && ( $aid > 0 ) ) {
 $wpdb->insert(
 ASSOCIATED_ATTENDEES_TABLE,
diff --git a/includes/class-rsvp-helper.php b/includes/class-rsvp-helper.php
index 0b8fa6c..1b64254 100644
--- a/includes/class-rsvp-helper.php
+++ b/includes/class-rsvp-helper.php
@@ -682,9 +682,9 @@ public function update_questions_order() {
 public function bulk_delete_attendees() {
 if( isset( $_GET['rsvp-bulk-action'] ) && -1 != $_GET['rsvp-bulk-action'] ){
- $rsvp_bulk_action = $_GET['rsvp-bulk-action'];
+ $rsvp_bulk_action = sanitize_text_field( wp_unslash( $_GET['rsvp-bulk-action'] ) );
 }elseif( isset( $_GET['rsvp-bulk-action2'] ) && -1 != $_GET['rsvp-bulk-action2'] ){
- $rsvp_bulk_action = $_GET['rsvp-bulk-action2'];
+ $rsvp_bulk_action = sanitize_text_field( wp_unslash($_GET['rsvp-bulk-action2'] ) );
 }else{
 $rsvp_bulk_action = false;
 }
@@ -716,9 +716,9 @@ public function bulk_delete_attendees() {
 public function bulk_delete_questions() {
 if( isset( $_GET['rsvp-bulk-action'] ) && -1 != $_GET['rsvp-bulk-action'] ){
- $rsvp_bulk_action = $_GET['rsvp-bulk-action'];
+ sanitize_text_field( wp_unslash( $rsvp_bulk_action = $_GET['rsvp-bulk-action'] ) );
 }elseif( isset( $_GET['rsvp-bulk-action2'] ) && -1 != $_GET['rsvp-bulk-action2'] ){
- $rsvp_bulk_action = $_GET['rsvp-bulk-action2'];
+ sanitize_text_field( wp_unslash( $rsvp_bulk_action = $_GET['rsvp-bulk-action2'] ) );
 }else{
 $rsvp_bulk_action = false;
 }
From 5d052d3ab437ae4c87b2ea81b0bfd3739404d978 Mon Sep 17 00:00:00 2001
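Review bot: The bare `//phpcs:ignore` appended to the `foreach` line in the `@@ -249,7 +249,7 @@` hunk of class-rsvp-admin.php silences every sniff on that line instead of naming the one being overridden, and the underlying complaint can be resolved rather than suppressed: the loop only acts on values that pass `is_numeric( $aid ) && $aid > 0`, so an integer cast is the honest sanitizer here. `foreach ( array_map( 'intval', wp_unslash( $_POST['associatedAttendees'] ) ) as $aid ) {` followed by `if ( $aid > 0 ) {` accepts only positive integer ids and needs no ignore comment. If the ignore is kept, qualify it with the specific sniff name so unrelated warnings on the line are not hidden. The enclosing `rsvp_admin_guest()` starts and ends outside the hunk, so whether the request is nonce- and capability-checked before this point cannot be seen here.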
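Review bot: In the `@@ -682,9 +682,9 @@` hunk of class-rsvp-helper.php the assigned value is now sanitized, but both branch conditions still compare the raw `$_GET` value loosely, `-1 != $_GET['rsvp-bulk-action']`, relying on int-to-string juggling whose rules changed in PHP 8; a strict comparison against the string form the field presumably sends, `'-1' !== $_GET['rsvp-bulk-action']`, expresses the intent without the juggling. `bulk_delete_attendees()` continues beyond the hunk, so where `$rsvp_bulk_action` is consumed and whether a nonce or capability check precedes the deletion is not visible here.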
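Review bot: In the `@@ -716,9 +716,9 @@` hunk of class-rsvp-helper.php the sanitization has no effect: `sanitize_text_field( wp_unslash( $rsvp_bulk_action = $_GET['rsvp-bulk-action'] ) );` performs the assignment inside the argument list, so `$rsvp_bulk_action` receives the raw request value and the sanitized return value is discarded, and the same applies to the `rsvp-bulk-action2` line below it. Both lines should take the form already used in `bulk_delete_attendees()` in the preceding hunk: `$rsvp_bulk_action = sanitize_text_field( wp_unslash( $_GET['rsvp-bulk-action'] ) );` and `$rsvp_bulk_action = sanitize_text_field( wp_unslash( $_GET['rsvp-bulk-action2'] ) );`. The body of `bulk_delete_questions()` continues past the hunk, so the later consumer of the value is not visible here.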
From: razvanaldea89 <44024114+razvanaldea89@users.noreply.github.com>
Date: Wed, 23 Mar 2022 09:31:59 +0200
Subject: [PATCH 4/4] changelog update;
---
 readme.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/readme.txt b/readme.txt
index 9d7c64d..80d437b 100644
--- a/readme.txt
+++ b/readme.txt
@@ -95,6 +95,7 @@ For example if you have a page that is /rsvp for domain example.com your URL mig
 = 2.7.7 - 23.03.2022 =
 * Fixed: Security exploit
+* Fixed: Sanitizations
 = 2.7.6 - 21.03.2022 =
 * Fixed: Sorting attendees no longer logs out the user (https://github.com/WPChill/rsvp/issues/76)