1.7.13

CHANGELOG.md

@@ -1,6 +1,9 @@
 # Changelog
 This file hosts the complete changelog of this plugin.
 
+## 1.7.13
+* added nonce checks to msf form admin delete and duplicate
+
 ## 1.7.12
 * fixed the vulnerable to Cross Site Request Forgery (CSRF) 
 

includes/admin/msf-admin.class.php

@@ -232,9 +232,21 @@ public function menu() {
 		if ($edit) {
 			$this->edit($_GET['edit']);
 		} elseif ($delete) {
-			$this->delete($_GET['delete']);
+			// Verify the nonce for deleting
+			if (isset($_GET['_wpnonce']) && wp_verify_nonce($_GET['_wpnonce'], 'delete_nonce')) {
+				$this->delete($_GET['delete']);
+			} else {
+				// Handle the case where the nonce is invalid
+				wp_die('Security check failed');
+			}
 		} elseif ($duplicate) {
-			$this->duplicate($_GET['duplicate']);
+			// Verify the nonce for duplicating
+			if (isset($_GET['_wpnonce']) && wp_verify_nonce($_GET['_wpnonce'], 'duplicate_nonce')) {
+				$this->duplicate($_GET['duplicate']);
+			} else {
+				// Handle the case where the nonce is invalid
+				wp_die('Security check failed');
+			}
 		} else {
 			$this->table();
 		}

includes/admin/msf-list-table.class.php

@@ -57,13 +57,13 @@ public function column_default($item, $column_name) {
 
 	private function generate_query_url($action, $id) {
 		$query = remove_query_arg(array('edit', 'delete', 'duplicate'));
-		return esc_url(
-			add_query_arg(
-				array(
-					$action => $id,
-				), $query
-			)
-		);
+		$url = add_query_arg(array($action => $id), $query);
+
+		// Create a unique action name for the nonce based on the action and the ID
+		$nonce_action = $action . '_nonce';
+
+		// Add the nonce to the URL
+		return wp_nonce_url($url, $nonce_action);
 	}
 
 	public function column_title($item) {

lang/multi-step-form.pot

@@ -297,15 +297,15 @@ msgstr ""
 msgid "Not installed/active"
 msgstr ""
 
-#: includes/admin/msf-admin.class.php:275
+#: includes/admin/msf-admin.class.php:287
 msgid "Invalid JSON-File. Check your syntax."
 msgstr ""
 
-#: includes/admin/msf-admin.class.php:303
+#: includes/admin/msf-admin.class.php:315
 msgid "Forms must be imported as JSON files"
 msgstr ""
 
-#: includes/admin/msf-admin.class.php:408, includes/admin/partials/msf-editor.php:8
+#: includes/admin/msf-admin.class.php:420, includes/admin/partials/msf-editor.php:8
 msgid "Success. Form saved."
 msgstr ""
 

mondula-form-wizard.php

@@ -1,7 +1,7 @@
 <?php
 /*
  * Plugin Name: Multi Step Form
- * Version: 1.7.12
+ * Version: 1.7.13
  * Plugin URI: http://www.mondula.com/
  * Description: Create and embed Multi Step Form.
  * Author: Mondula GmbH
@@ -82,7 +82,7 @@ function msf_drop_tables($tables = array(), $blog_id = null) {
  * @return object Mondula_Form_Wizard
  */
 function Mondula_Form_Wizard() {
-	$instance = Mondula_Form_Wizard::instance(__FILE__, '1.7.12');
+	$instance = Mondula_Form_Wizard::instance(__FILE__, '1.7.13');
 
 	if (is_null($instance->settings)) {
 		$instance->settings = Mondula_Form_Wizard_Settings::instance($instance);

readme.txt

@@ -3,7 +3,7 @@ Contributors: mondula2016
 Tags: multi, step, forms, multi step form, multi-step, steps, feedback, email, contact form, progress bar, form builder, dynamic, ajax, formular
 Requires at least: 5.0
 Tested up to: 6.3.1
-Stable tag: 1.7.12
+Stable tag: 1.7.13
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -84,6 +84,9 @@ A.  **[Find them here](https://mondula.com/en/multi-step-form-faqs/ "Multi Step
 
 == Changelog ==
 
+= 1.7.13 = 
+* added nonce checks to msf form admin delete and duplicate
+
 = 1.7.12 = 
 * fixed the vulnerable to Cross Site Request Forgery (CSRF)