Changeset 3146567

Timestamp:

09/04/2024 05:28:37 PM (18 months ago)

Author:

ignitionwp

Message:

Security improvement on nonce verifications and small bug fix for receipt settings.

Location:

ignitiondeck/trunk

Files:

• classes/class-idf-wizard.php (modified) (2 diffs)
• classes/class-tgm-plugin-activation.php (modified) (1 diff)
• idf-admin.php (modified) (1 diff)
• idf.php (modified) (2 diffs)
• readme.txt (modified) (2 diffs)

ignitiondeck/trunk/classes/class-idf-wizard.php

@@ -687 +687 @@
             );
 
-            $receipts = get_option( 'md_receipt_settings' );
+            $receipts = maybe_unserialize( get_option( 'md_receipt_settings' ) );
             $coname   = isset( $receipts['coname'] ) ? $receipts['coname'] : '';
             $coemail  = isset( $receipts['coemail'] ) ? $receipts['coemail'] : '';
@@ -744 +744 @@
             $coname              = sanitize_text_field( $_POST['co_name'] );
             $coemail             = sanitize_text_field( $_POST['co_email'] );
-            $receipts            = get_option( 'md_receipt_settings' );
+            $receipts            = maybe_unserialize(get_option( 'md_receipt_settings' ));
             $receipts['coname']  = $coname;
             $receipts['coemail'] = $coemail;

ignitiondeck/trunk/classes/class-tgm-plugin-activation.php

@@ -1774 +1774 @@
                 }
                 // Core update screen.
-                if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'upgrade-core' ) ) {
+                if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'upgrade-core' ) ) {
                     return false;
                 }

ignitiondeck/trunk/idf-admin.php

@@ -87 +87 @@
  */
 function idf_main_menu() {
-    //add condition to pass check_admin_referer() warning 
-    if ( isset( $_POST['_idf_main_menu_helper'] ) && isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], '_wpnonce' ) ) {
-        return false;
+    // Verify nonce if _idf_main_menu_helper is set, regardless of request method
+    if ( isset($_POST['_idf_main_menu_helper']) && 
+        ( ! isset($_POST['_wpnonce']) || ! wp_verify_nonce($_POST['_wpnonce'], '_wpnonce'))) {
+        return false;
     }
     // Check user capabilities.

ignitiondeck/trunk/idf.php

@@ -8 +8 @@
 URI: https://IgnitionDeck.com
 Description: A crowdfunding and ecommerce plugin for WordPress that helps you crowdfund, pre-order, and sell goods online.
-Version: 1.10.1
+Version: 1.10.2
 Author: IgnitionDeck
 Author URI: https://IgnitionDeck.com
@@ -18 +18 @@
 require_once 'idf-globals.php';
 global $active_plugins, $idf_current_version;
-$idf_current_version = '1.10.1';
+$idf_current_version = '1.10.2';
 require_once 'idf-update.php';
 require_once 'classes/class-idf_requirements.php';

ignitiondeck/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 4.9
 Tested up to: 6.6
-Stable tag: 1.10.1
+Stable tag: 1.10.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -139 +139 @@
 == Changelog ==
 
+= 1.10.2 =
+
+* Improved security of nonce verification in a couple places
+* Fixed an issue when receipt settings where not always being saved correctly
+
 = 1.10.1 =