Changeset 2353220

Timestamp:

08/05/2020 02:55:28 PM (5 years ago)

Author:

wfmatt

Message:

7.4.10 - August 5, 2020

• Improvement: Prevent author sitemap from leaking usernames in WordPress >= 5.5.0.
• Fix: Prevent Wordfence auto-update from running if the user has enabled auto-update through WordPress.
• Fix: Added default permission_callback params to Wordfence Central REST routes.
• Fix: Fixed missing styling on WAF optimization admin notice.

Location:

wordfence

Files:

• tags/7.4.10 (copied) (copied from wordfence/trunk)
• tags/7.4.10/css/activity-report-widget.1594219913.css (deleted)
• tags/7.4.10/css/activity-report-widget.1596638737.css (added)
• tags/7.4.10/css/diff.1594219913.css (deleted)
• tags/7.4.10/css/diff.1596638737.css (added)
• tags/7.4.10/css/dt_table.1594219913.css (deleted)
• tags/7.4.10/css/dt_table.1596638737.css (added)
• tags/7.4.10/css/fullLog.1594219913.css (deleted)
• tags/7.4.10/css/fullLog.1596638737.css (added)
• tags/7.4.10/css/iptraf.1594219913.css (deleted)
• tags/7.4.10/css/iptraf.1596638737.css (added)
• tags/7.4.10/css/jquery-ui-timepicker-addon.1594219913.css (deleted)
• tags/7.4.10/css/jquery-ui-timepicker-addon.1596638737.css (added)
• tags/7.4.10/css/jquery-ui.min.1594219913.css (deleted)
• tags/7.4.10/css/jquery-ui.min.1596638737.css (added)
• tags/7.4.10/css/jquery-ui.structure.min.1594219913.css (deleted)
• tags/7.4.10/css/jquery-ui.structure.min.1596638737.css (added)
• tags/7.4.10/css/jquery-ui.theme.min.1594219913.css (deleted)
• tags/7.4.10/css/jquery-ui.theme.min.1596638737.css (added)
• tags/7.4.10/css/main.1594219913.css (deleted)
• tags/7.4.10/css/main.1596638737.css (added)
• tags/7.4.10/css/phpinfo.1594219913.css (deleted)
• tags/7.4.10/css/phpinfo.1596638737.css (added)
• tags/7.4.10/css/wf-adminbar.1594219913.css (deleted)
• tags/7.4.10/css/wf-adminbar.1596638737.css (added)
• tags/7.4.10/css/wf-colorbox.1594219913.css (deleted)
• tags/7.4.10/css/wf-colorbox.1596638737.css (added)
• tags/7.4.10/css/wf-font-awesome.1594219913.css (deleted)
• tags/7.4.10/css/wf-font-awesome.1596638737.css (added)
• tags/7.4.10/css/wf-global.1594219913.css (deleted)
• tags/7.4.10/css/wf-global.1596638737.css (added)
• tags/7.4.10/css/wf-ionicons.1594219913.css (deleted)
• tags/7.4.10/css/wf-ionicons.1596638737.css (added)
• tags/7.4.10/css/wf-onboarding.1594219913.css (deleted)
• tags/7.4.10/css/wf-onboarding.1596638737.css (added)
• tags/7.4.10/css/wf-roboto-font.1594219913.css (deleted)
• tags/7.4.10/css/wf-roboto-font.1596638737.css (added)
• tags/7.4.10/css/wfselect2.min.1594219913.css (deleted)
• tags/7.4.10/css/wfselect2.min.1596638737.css (added)
• tags/7.4.10/css/wordfenceBox.1594219913.css (deleted)
• tags/7.4.10/css/wordfenceBox.1596638737.css (added)
• tags/7.4.10/js/Chart.bundle.min.1594219913.js (deleted)
• tags/7.4.10/js/Chart.bundle.min.1596638737.js (added)
• tags/7.4.10/js/admin.1594219913.js (deleted)
• tags/7.4.10/js/admin.1596638737.js (added)
• tags/7.4.10/js/admin.ajaxWatcher.1594219913.js (deleted)
• tags/7.4.10/js/admin.ajaxWatcher.1596638737.js (added)
• tags/7.4.10/js/admin.liveTraffic.1594219913.js (deleted)
• tags/7.4.10/js/admin.liveTraffic.1596638737.js (added)
• tags/7.4.10/js/date.1594219913.js (deleted)
• tags/7.4.10/js/date.1596638737.js (added)
• tags/7.4.10/js/jquery-ui-timepicker-addon.1594219913.js (deleted)
• tags/7.4.10/js/jquery-ui-timepicker-addon.1596638737.js (added)
• tags/7.4.10/js/jquery.colorbox-min.1594219913.js (deleted)
• tags/7.4.10/js/jquery.colorbox-min.1596638737.js (added)
• tags/7.4.10/js/jquery.colorbox.1594219913.js (deleted)
• tags/7.4.10/js/jquery.colorbox.1596638737.js (added)
• tags/7.4.10/js/jquery.dataTables.min.1594219913.js (deleted)
• tags/7.4.10/js/jquery.dataTables.min.1596638737.js (added)
• tags/7.4.10/js/jquery.qrcode.min.1594219913.js (deleted)
• tags/7.4.10/js/jquery.qrcode.min.1596638737.js (added)
• tags/7.4.10/js/jquery.tmpl.min.1594219913.js (deleted)
• tags/7.4.10/js/jquery.tmpl.min.1596638737.js (added)
• tags/7.4.10/js/jquery.tools.min.1594219913.js (deleted)
• tags/7.4.10/js/jquery.tools.min.1596638737.js (added)
• tags/7.4.10/js/knockout-3.3.0.1594219913.js (deleted)
• tags/7.4.10/js/knockout-3.3.0.1596638737.js (added)
• tags/7.4.10/js/wfdashboard.1594219913.js (deleted)
• tags/7.4.10/js/wfdashboard.1596638737.js (added)
• tags/7.4.10/js/wfdropdown.1594219913.js (deleted)
• tags/7.4.10/js/wfdropdown.1596638737.js (added)
• tags/7.4.10/js/wfglobal.1594219913.js (deleted)
• tags/7.4.10/js/wfglobal.1596638737.js (added)
• tags/7.4.10/js/wfpopover.1594219913.js (deleted)
• tags/7.4.10/js/wfpopover.1596638737.js (added)
• tags/7.4.10/js/wfselect2.min.1594219913.js (deleted)
• tags/7.4.10/js/wfselect2.min.1596638737.js (added)
• tags/7.4.10/lib/menu_options.php (modified) (1 diff)
• tags/7.4.10/lib/rest-api/wfRESTAuthenticationController.php (modified) (1 diff)
• tags/7.4.10/lib/wfConfig.php (modified) (1 diff)
• tags/7.4.10/lib/wordfenceClass.php (modified) (2 diffs)
• tags/7.4.10/modules/login-security/css/admin-global.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/admin-global.1596638737.css (added)
• tags/7.4.10/modules/login-security/css/admin.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/admin.1596638737.css (added)
• tags/7.4.10/modules/login-security/css/colorbox.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/colorbox.1596638737.css (added)
• tags/7.4.10/modules/login-security/css/font-awesome.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/font-awesome.1596638737.css (added)
• tags/7.4.10/modules/login-security/css/ionicons.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/ionicons.1596638737.css (added)
• tags/7.4.10/modules/login-security/css/jquery-ui-timepicker-addon.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/jquery-ui-timepicker-addon.1596638737.css (added)
• tags/7.4.10/modules/login-security/css/jquery-ui.min.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/jquery-ui.min.1596638737.css (added)
• tags/7.4.10/modules/login-security/css/jquery-ui.structure.min.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/jquery-ui.structure.min.1596638737.css (added)
• tags/7.4.10/modules/login-security/css/jquery-ui.theme.min.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/jquery-ui.theme.min.1596638737.css (added)
• tags/7.4.10/modules/login-security/css/login.1594219913.css (deleted)
• tags/7.4.10/modules/login-security/css/login.1596638737.css (added)
• tags/7.4.10/modules/login-security/js/admin-global.1594219913.js (deleted)
• tags/7.4.10/modules/login-security/js/admin-global.1596638737.js (added)
• tags/7.4.10/modules/login-security/js/admin.1594219913.js (deleted)
• tags/7.4.10/modules/login-security/js/admin.1596638737.js (added)
• tags/7.4.10/modules/login-security/js/jquery-ui-timepicker-addon.1594219913.js (deleted)
• tags/7.4.10/modules/login-security/js/jquery-ui-timepicker-addon.1596638737.js (added)
• tags/7.4.10/modules/login-security/js/jquery.colorbox.1594219913.js (deleted)
• tags/7.4.10/modules/login-security/js/jquery.colorbox.1596638737.js (added)
• tags/7.4.10/modules/login-security/js/jquery.colorbox.min.1594219913.js (deleted)
• tags/7.4.10/modules/login-security/js/jquery.colorbox.min.1596638737.js (added)
• tags/7.4.10/modules/login-security/js/jquery.qrcode.min.1594219913.js (deleted)
• tags/7.4.10/modules/login-security/js/jquery.qrcode.min.1596638737.js (added)
• tags/7.4.10/modules/login-security/js/jquery.tmpl.min.1594219913.js (deleted)
• tags/7.4.10/modules/login-security/js/jquery.tmpl.min.1596638737.js (added)
• tags/7.4.10/modules/login-security/js/login.1594219913.js (deleted)
• tags/7.4.10/modules/login-security/js/login.1596638737.js (added)
• tags/7.4.10/modules/login-security/wordfence-login-security.php (modified) (1 diff)
• tags/7.4.10/readme.txt (modified) (2 diffs)
• tags/7.4.10/views/waf/options-group-brute-force.php (modified) (1 diff)
• tags/7.4.10/wordfence.php (modified) (2 diffs)
• trunk/css/activity-report-widget.1594219913.css (deleted)
• trunk/css/activity-report-widget.1596638737.css (added)
• trunk/css/diff.1594219913.css (deleted)
• trunk/css/diff.1596638737.css (added)
• trunk/css/dt_table.1594219913.css (deleted)
• trunk/css/dt_table.1596638737.css (added)
• trunk/css/fullLog.1594219913.css (deleted)
• trunk/css/fullLog.1596638737.css (added)
• trunk/css/iptraf.1594219913.css (deleted)
• trunk/css/iptraf.1596638737.css (added)
• trunk/css/jquery-ui-timepicker-addon.1594219913.css (deleted)
• trunk/css/jquery-ui-timepicker-addon.1596638737.css (added)
• trunk/css/jquery-ui.min.1594219913.css (deleted)
• trunk/css/jquery-ui.min.1596638737.css (added)
• trunk/css/jquery-ui.structure.min.1594219913.css (deleted)
• trunk/css/jquery-ui.structure.min.1596638737.css (added)
• trunk/css/jquery-ui.theme.min.1594219913.css (deleted)
• trunk/css/jquery-ui.theme.min.1596638737.css (added)
• trunk/css/main.1594219913.css (deleted)
• trunk/css/main.1596638737.css (added)
• trunk/css/phpinfo.1594219913.css (deleted)
• trunk/css/phpinfo.1596638737.css (added)
• trunk/css/wf-adminbar.1594219913.css (deleted)
• trunk/css/wf-adminbar.1596638737.css (added)
• trunk/css/wf-colorbox.1594219913.css (deleted)
• trunk/css/wf-colorbox.1596638737.css (added)
• trunk/css/wf-font-awesome.1594219913.css (deleted)
• trunk/css/wf-font-awesome.1596638737.css (added)
• trunk/css/wf-global.1594219913.css (deleted)
• trunk/css/wf-global.1596638737.css (added)
• trunk/css/wf-ionicons.1594219913.css (deleted)
• trunk/css/wf-ionicons.1596638737.css (added)
• trunk/css/wf-onboarding.1594219913.css (deleted)
• trunk/css/wf-onboarding.1596638737.css (added)
• trunk/css/wf-roboto-font.1594219913.css (deleted)
• trunk/css/wf-roboto-font.1596638737.css (added)
• trunk/css/wfselect2.min.1594219913.css (deleted)
• trunk/css/wfselect2.min.1596638737.css (added)
• trunk/css/wordfenceBox.1594219913.css (deleted)
• trunk/css/wordfenceBox.1596638737.css (added)
• trunk/js/Chart.bundle.min.1594219913.js (deleted)
• trunk/js/Chart.bundle.min.1596638737.js (added)
• trunk/js/admin.1594219913.js (deleted)
• trunk/js/admin.1596638737.js (added)
• trunk/js/admin.ajaxWatcher.1594219913.js (deleted)
• trunk/js/admin.ajaxWatcher.1596638737.js (added)
• trunk/js/admin.liveTraffic.1594219913.js (deleted)
• trunk/js/admin.liveTraffic.1596638737.js (added)
• trunk/js/date.1594219913.js (deleted)
• trunk/js/date.1596638737.js (added)
• trunk/js/jquery-ui-timepicker-addon.1594219913.js (deleted)
• trunk/js/jquery-ui-timepicker-addon.1596638737.js (added)
• trunk/js/jquery.colorbox-min.1594219913.js (deleted)
• trunk/js/jquery.colorbox-min.1596638737.js (added)
• trunk/js/jquery.colorbox.1594219913.js (deleted)
• trunk/js/jquery.colorbox.1596638737.js (added)
• trunk/js/jquery.dataTables.min.1594219913.js (deleted)
• trunk/js/jquery.dataTables.min.1596638737.js (added)
• trunk/js/jquery.qrcode.min.1594219913.js (deleted)
• trunk/js/jquery.qrcode.min.1596638737.js (added)
• trunk/js/jquery.tmpl.min.1594219913.js (deleted)
• trunk/js/jquery.tmpl.min.1596638737.js (added)
• trunk/js/jquery.tools.min.1594219913.js (deleted)
• trunk/js/jquery.tools.min.1596638737.js (added)
• trunk/js/knockout-3.3.0.1594219913.js (deleted)
• trunk/js/knockout-3.3.0.1596638737.js (added)
• trunk/js/wfdashboard.1594219913.js (deleted)
• trunk/js/wfdashboard.1596638737.js (added)
• trunk/js/wfdropdown.1594219913.js (deleted)
• trunk/js/wfdropdown.1596638737.js (added)
• trunk/js/wfglobal.1594219913.js (deleted)
• trunk/js/wfglobal.1596638737.js (added)
• trunk/js/wfpopover.1594219913.js (deleted)
• trunk/js/wfpopover.1596638737.js (added)
• trunk/js/wfselect2.min.1594219913.js (deleted)
• trunk/js/wfselect2.min.1596638737.js (added)
• trunk/lib/menu_options.php (modified) (1 diff)
• trunk/lib/rest-api/wfRESTAuthenticationController.php (modified) (1 diff)
• trunk/lib/wfConfig.php (modified) (1 diff)
• trunk/lib/wordfenceClass.php (modified) (2 diffs)
• trunk/modules/login-security/css/admin-global.1594219913.css (deleted)
• trunk/modules/login-security/css/admin-global.1596638737.css (added)
• trunk/modules/login-security/css/admin.1594219913.css (deleted)
• trunk/modules/login-security/css/admin.1596638737.css (added)
• trunk/modules/login-security/css/colorbox.1594219913.css (deleted)
• trunk/modules/login-security/css/colorbox.1596638737.css (added)
• trunk/modules/login-security/css/font-awesome.1594219913.css (deleted)
• trunk/modules/login-security/css/font-awesome.1596638737.css (added)
• trunk/modules/login-security/css/ionicons.1594219913.css (deleted)
• trunk/modules/login-security/css/ionicons.1596638737.css (added)
• trunk/modules/login-security/css/jquery-ui-timepicker-addon.1594219913.css (deleted)
• trunk/modules/login-security/css/jquery-ui-timepicker-addon.1596638737.css (added)
• trunk/modules/login-security/css/jquery-ui.min.1594219913.css (deleted)
• trunk/modules/login-security/css/jquery-ui.min.1596638737.css (added)
• trunk/modules/login-security/css/jquery-ui.structure.min.1594219913.css (deleted)
• trunk/modules/login-security/css/jquery-ui.structure.min.1596638737.css (added)
• trunk/modules/login-security/css/jquery-ui.theme.min.1594219913.css (deleted)
• trunk/modules/login-security/css/jquery-ui.theme.min.1596638737.css (added)
• trunk/modules/login-security/css/login.1594219913.css (deleted)
• trunk/modules/login-security/css/login.1596638737.css (added)
• trunk/modules/login-security/js/admin-global.1594219913.js (deleted)
• trunk/modules/login-security/js/admin-global.1596638737.js (added)
• trunk/modules/login-security/js/admin.1594219913.js (deleted)
• trunk/modules/login-security/js/admin.1596638737.js (added)
• trunk/modules/login-security/js/jquery-ui-timepicker-addon.1594219913.js (deleted)
• trunk/modules/login-security/js/jquery-ui-timepicker-addon.1596638737.js (added)
• trunk/modules/login-security/js/jquery.colorbox.1594219913.js (deleted)
• trunk/modules/login-security/js/jquery.colorbox.1596638737.js (added)
• trunk/modules/login-security/js/jquery.colorbox.min.1594219913.js (deleted)
• trunk/modules/login-security/js/jquery.colorbox.min.1596638737.js (added)
• trunk/modules/login-security/js/jquery.qrcode.min.1594219913.js (deleted)
• trunk/modules/login-security/js/jquery.qrcode.min.1596638737.js (added)
• trunk/modules/login-security/js/jquery.tmpl.min.1594219913.js (deleted)
• trunk/modules/login-security/js/jquery.tmpl.min.1596638737.js (added)
• trunk/modules/login-security/js/login.1594219913.js (deleted)
• trunk/modules/login-security/js/login.1596638737.js (added)
• trunk/modules/login-security/wordfence-login-security.php (modified) (1 diff)
• trunk/readme.txt (modified) (2 diffs)
• trunk/views/waf/options-group-brute-force.php (modified) (1 diff)
• trunk/wordfence.php (modified) (2 diffs)

wordfence/tags/7.4.10/lib/menu_options.php

@@ -122 +122 @@
                 'wf-option-loginSec-maskLoginErrors' => __('Don\'t let WordPress reveal valid users in login errors', 'wordfence'),
                 'wf-option-loginSec-blockAdminReg' => __('Prevent users registering "admin" username if it doesn\'t exist', 'wordfence'),
-                'wf-option-loginSec-disableAuthorScan' => __('Prevent discovery of usernames through "/?author=N" scans, the oEmbed API, and the WordPress REST API', 'wordfence'),
+                'wf-option-loginSec-disableAuthorScan' => __('Prevent discovery of usernames through "/?author=N" scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps', 'wordfence'),
                 'wf-option-other-blockBadPOST' => __('Block IPs who send POST requests with blank User-Agent and Referer', 'wordfence'),
                 'wf-option-blockCustomText' => __('Custom text shown on block pages', 'wordfence'),

wordfence/tags/7.4.10/lib/rest-api/wfRESTAuthenticationController.php

@@ -29 +29 @@
             'methods'  => WP_REST_Server::READABLE,
             'callback' => array($this, 'nonce'),
+            'permission_callback' => '__return_true',
         ));
         register_rest_route('wordfence/v1', '/authenticate', array(
             'methods'  => WP_REST_Server::CREATABLE,
             'callback' => array($this, 'authenticate'),
+            'permission_callback' => '__return_true',
         ));
         register_rest_route('wordfence/v1', '/authenticate-premium', array(
             'methods'  => WP_REST_Server::CREATABLE,
             'callback' => array($this, 'authenticatePremium'),
+            'permission_callback' => '__return_true',
         ));
     }

wordfence/tags/7.4.10/lib/wfConfig.php

@@ -935 +935 @@
         if (version_compare(PHP_VERSION, '5.3', '<')) {
             return;
+        }
+
+        // Prevent WF auto-update if the user has enabled auto-update through the plugins page.
+        if (version_compare(wfUtils::getWPVersion(), '5.5-x', '>=')) {
+            $autoUpdatePlugins = get_site_option('auto_update_plugins');
+            if (is_array($autoUpdatePlugins) && in_array(WORDFENCE_BASENAME, $autoUpdatePlugins)) {
+                return;
+            }
         }
 

wordfence/tags/7.4.10/lib/wordfenceClass.php

@@ -1271 +1271 @@
             add_filter('rest_request_before_callbacks', 'wordfence::jsonAPIAuthorFilter', 99, 3);
             add_filter('rest_post_dispatch', 'wordfence::jsonAPIAdjustHeaders', 99, 3);
+            add_filter('wp_sitemaps_users_pre_url_list', '__return_false', 99, 0);
+            add_filter('wp_sitemaps_add_provider', 'wordfence::wpSitemapUserProviderFilter', 99, 2);
         }
         
@@ -2559 +2561 @@
         
         return $response;
+    }
+    public static function wpSitemapUserProviderFilter($provider, $name) {
+        if ($name === 'users') {
+            return false;
+        }
+        return $provider;
     }
     public static function _filterCentralFromLiveTraffic($dispatch_result, $request, $route, $handler) {

wordfence/tags/7.4.10/modules/login-security/wordfence-login-security.php

@@ -28 +28 @@
     
     define('WORDFENCE_LS_VERSION', '1.0.5');
-    define('WORDFENCE_LS_BUILD_NUMBER', '1594219913');
+    define('WORDFENCE_LS_BUILD_NUMBER', '1596638737');
     
     if (!defined('WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES')) { define('WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES', 15); }

wordfence/tags/7.4.10/readme.txt

@@ -4 +4 @@
 Requires at least: 3.9
 Requires PHP: 5.3
-Tested up to: 5.4
-Stable tag: 7.4.9
+Tested up to: 5.5
+Stable tag: 7.4.10
 
 Secure your website with the most comprehensive WordPress security plugin. Firewall, malware scan, blocking, live traffic, login security & more.
@@ -183 +183 @@
 
 == Changelog ==
+
+= 7.4.10 - August 5, 2020 =
+
+* Improvement: Prevent author sitemap from leaking usernames in WordPress >= 5.5.0.
+* Fix: Prevent Wordfence auto-update from running if the user has enabled auto-update through WordPress.
+* Fix: Added default `permission_callback` params to Wordfence Central REST routes.
+* Fix: Fixed missing styling on WAF optimization admin notice.
 
 = 7.4.9 - July 8, 2020 =

wordfence/tags/7.4.10/views/waf/options-group-brute-force.php

@@ -212 +212 @@
                             'disabledValue' => 0,
                             'value' => wfConfig::get('loginSec_disableAuthorScan') ? 1 : 0,
-                            'title' => __('Prevent discovery of usernames through \'/?author=N\' scans, the oEmbed API, and the WordPress REST API', 'wordfence'),
+                            'title' => __('Prevent discovery of usernames through \'/?author=N\' scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps', 'wordfence'),
                             'helpLink' => wfSupportController::supportURL(wfSupportController::ITEM_FIREWALL_WAF_OPTION_PREVENT_AUTHOR_SCAN),
                         ))->render();

wordfence/tags/7.4.10/wordfence.php

@@ -5 +5 @@
 Description: Wordfence Security - Anti-virus, Firewall and Malware Scan
 Author: Wordfence
-Version: 7.4.9
+Version: 7.4.10
 Author URI: http://www.wordfence.com/
 Network: true
@@ -16 +16 @@
     exit;
 }
-define('WORDFENCE_VERSION', '7.4.9');
-define('WORDFENCE_BUILD_NUMBER', '1594219913');
+define('WORDFENCE_VERSION', '7.4.10');
+define('WORDFENCE_BUILD_NUMBER', '1596638737');
 define('WORDFENCE_BASENAME', function_exists('plugin_basename') ? plugin_basename(__FILE__) :
     basename(dirname(__FILE__)) . '/' . basename(__FILE__));

wordfence/trunk/lib/menu_options.php

@@ -122 +122 @@
                 'wf-option-loginSec-maskLoginErrors' => __('Don\'t let WordPress reveal valid users in login errors', 'wordfence'),
                 'wf-option-loginSec-blockAdminReg' => __('Prevent users registering "admin" username if it doesn\'t exist', 'wordfence'),
-                'wf-option-loginSec-disableAuthorScan' => __('Prevent discovery of usernames through "/?author=N" scans, the oEmbed API, and the WordPress REST API', 'wordfence'),
+                'wf-option-loginSec-disableAuthorScan' => __('Prevent discovery of usernames through "/?author=N" scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps', 'wordfence'),
                 'wf-option-other-blockBadPOST' => __('Block IPs who send POST requests with blank User-Agent and Referer', 'wordfence'),
                 'wf-option-blockCustomText' => __('Custom text shown on block pages', 'wordfence'),

wordfence/trunk/lib/rest-api/wfRESTAuthenticationController.php

@@ -29 +29 @@
             'methods'  => WP_REST_Server::READABLE,
             'callback' => array($this, 'nonce'),
+            'permission_callback' => '__return_true',
         ));
         register_rest_route('wordfence/v1', '/authenticate', array(
             'methods'  => WP_REST_Server::CREATABLE,
             'callback' => array($this, 'authenticate'),
+            'permission_callback' => '__return_true',
         ));
         register_rest_route('wordfence/v1', '/authenticate-premium', array(
             'methods'  => WP_REST_Server::CREATABLE,
             'callback' => array($this, 'authenticatePremium'),
+            'permission_callback' => '__return_true',
         ));
     }

wordfence/trunk/lib/wfConfig.php

@@ -935 +935 @@
         if (version_compare(PHP_VERSION, '5.3', '<')) {
             return;
+        }
+
+        // Prevent WF auto-update if the user has enabled auto-update through the plugins page.
+        if (version_compare(wfUtils::getWPVersion(), '5.5-x', '>=')) {
+            $autoUpdatePlugins = get_site_option('auto_update_plugins');
+            if (is_array($autoUpdatePlugins) && in_array(WORDFENCE_BASENAME, $autoUpdatePlugins)) {
+                return;
+            }
         }
 

wordfence/trunk/lib/wordfenceClass.php

@@ -1271 +1271 @@
             add_filter('rest_request_before_callbacks', 'wordfence::jsonAPIAuthorFilter', 99, 3);
             add_filter('rest_post_dispatch', 'wordfence::jsonAPIAdjustHeaders', 99, 3);
+            add_filter('wp_sitemaps_users_pre_url_list', '__return_false', 99, 0);
+            add_filter('wp_sitemaps_add_provider', 'wordfence::wpSitemapUserProviderFilter', 99, 2);
         }
         
@@ -2559 +2561 @@
         
         return $response;
+    }
+    public static function wpSitemapUserProviderFilter($provider, $name) {
+        if ($name === 'users') {
+            return false;
+        }
+        return $provider;
     }
     public static function _filterCentralFromLiveTraffic($dispatch_result, $request, $route, $handler) {

wordfence/trunk/modules/login-security/wordfence-login-security.php

@@ -28 +28 @@
     
     define('WORDFENCE_LS_VERSION', '1.0.5');
-    define('WORDFENCE_LS_BUILD_NUMBER', '1594219913');
+    define('WORDFENCE_LS_BUILD_NUMBER', '1596638737');
     
     if (!defined('WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES')) { define('WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES', 15); }

wordfence/trunk/readme.txt

@@ -4 +4 @@
 Requires at least: 3.9
 Requires PHP: 5.3
-Tested up to: 5.4
+Tested up to: 5.5
 Stable tag: 7.4.9
 
@@ -183 +183 @@
 
 == Changelog ==
+
+= 7.4.10 - August 5, 2020 =
+
+* Improvement: Prevent author sitemap from leaking usernames in WordPress >= 5.5.0.
+* Fix: Prevent Wordfence auto-update from running if the user has enabled auto-update through WordPress.
+* Fix: Added default `permission_callback` params to Wordfence Central REST routes.
+* Fix: Fixed missing styling on WAF optimization admin notice.
 
 = 7.4.9 - July 8, 2020 =

wordfence/trunk/views/waf/options-group-brute-force.php

@@ -212 +212 @@
                             'disabledValue' => 0,
                             'value' => wfConfig::get('loginSec_disableAuthorScan') ? 1 : 0,
-                            'title' => __('Prevent discovery of usernames through \'/?author=N\' scans, the oEmbed API, and the WordPress REST API', 'wordfence'),
+                            'title' => __('Prevent discovery of usernames through \'/?author=N\' scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps', 'wordfence'),
                             'helpLink' => wfSupportController::supportURL(wfSupportController::ITEM_FIREWALL_WAF_OPTION_PREVENT_AUTHOR_SCAN),
                         ))->render();

wordfence/trunk/wordfence.php

@@ -5 +5 @@
 Description: Wordfence Security - Anti-virus, Firewall and Malware Scan
 Author: Wordfence
-Version: 7.4.9
+Version: 7.4.10
 Author URI: http://www.wordfence.com/
 Network: true
@@ -16 +16 @@
     exit;
 }
-define('WORDFENCE_VERSION', '7.4.9');
-define('WORDFENCE_BUILD_NUMBER', '1594219913');
+define('WORDFENCE_VERSION', '7.4.10');
+define('WORDFENCE_BUILD_NUMBER', '1596638737');
 define('WORDFENCE_BASENAME', function_exists('plugin_basename') ? plugin_basename(__FILE__) :
     basename(dirname(__FILE__)) . '/' . basename(__FILE__));