Changeset 3151072

Timestamp:

09/12/2024 08:27:56 PM (17 months ago)

Author:

imw3

Message:

• Fixed broken access control vulnerability.
• Compatible with WordPress 6.6.2

Location:

my-wp-brand

Files:

• tags/1.1.3 (added)
• tags/1.1.3/assets (added)
• tags/1.1.3/assets/css (added)
• tags/1.1.3/assets/css/style-my-wp-brand.css (added)
• tags/1.1.3/assets/js (added)
• tags/1.1.3/assets/js/style-my-wp-brand.js (added)
• tags/1.1.3/mwb-side-menu.php (added)
• tags/1.1.3/mwb.php (added)
• tags/1.1.3/readme.txt (added)
• trunk/assets/js/style-my-wp-brand.js (modified) (7 diffs)
• trunk/mwb-side-menu.php (modified) (9 diffs)
• trunk/mwb.php (modified) (7 diffs)
• trunk/readme.txt (modified) (3 diffs)

my-wp-brand/trunk/assets/js/style-my-wp-brand.js

@@ -23 +23 @@
      * Set login logo
      * 
-     * 
      * @version 1.0.0
      */
@@ -44 +43 @@
     /**
      * @ajax mwb-plugin-form
+     * 
+     * @version 1.0.0
+     * @version 1.1.3 Implemented a nonce value in the data object to enhance security.
      */
     $("#mwb-plugins-form").submit((e) => {
@@ -62 +64 @@
                 action: 'mwb_plugins_form',
                 plugins: plugins_data,
+                nonce: mwb_ajax.nonce,
             },
             success: (response) => {
@@ -72 +75 @@
     /**
      * @ajax mwb-style-form
+     * 
+     * @version 1.0.0
+     * @version 1.1.3 Implemented a nonce value in the data object to enhance security.
      */
     $("#mwb-style-form").submit((e) => {
@@ -82 +88 @@
             data: {
                 action: 'mwb_style_ajax',
+                nonce: mwb_ajax.nonce,
                 hidden_admin_bar_logo: $("#show-admin-bar-logo").attr("src") ? $("#show-admin-bar-logo").attr("src") : '',
                 hidden_login_logo: $("#show-login-logo").attr("src") ? $("#show-login-logo").attr("src") : '',
@@ -94 +101 @@
     /**
      * @ajax mwb-author-form
+     * 
+     * @version 1.0.0
+     * @version 1.1.3 Implemented a nonce value in the data object to enhance security.
      */
     $("#mwb-author-form").submit((e) => {
@@ -104 +114 @@
             data: {
                 action: 'mwb_author_form',
+                nonce: mwb_ajax.nonce,
                 wp_version_hide: document.getElementById("wp-version-hide").checked === true ? 'on' : 'off',
                 wp_admin_footer_text: $("#wp-admin-footer-text").val() ? $("#wp-admin-footer-text").val() : '',

my-wp-brand/trunk/mwb-side-menu.php

@@ -30 +30 @@
          * @var { $sub_menu_list } Admin all sub menu list.
          */
-        $menu_list = isset( $_POST['menu_list'] ) ? sanitize_text_field( json_encode( $_POST['menu_list'] ) ) : array();
-        $sub_menu_list = isset( $_POST['sub_menu_list'] ) ? sanitize_text_field( json_encode( $_POST['sub_menu_list'] ) ) : array();
+        $menu_list = isset( $_POST['menu_list'] ) ? sanitize_text_field( wp_json_encode( $_POST['menu_list'] ) ) : array();
+        $sub_menu_list = isset( $_POST['sub_menu_list'] ) ? sanitize_text_field( wp_json_encode( $_POST['sub_menu_list'] ) ) : array();
 
         /**
@@ -108 +108 @@
         $remove_side_array          = $new_menu_list;
         $remove_sub_side_array      = $new_sub_menu_list;
-        $json_remove_side_array     = json_encode( $remove_side_array ); 
-        $json_remove_sub_side_array = json_encode( $remove_sub_side_array );
+        $json_remove_side_array     = wp_json_encode( $remove_side_array ); 
+        $json_remove_sub_side_array = wp_json_encode( $remove_sub_side_array );
         
         /**
          * @var { $top_menu_list } Admin all top menu list.
          */
-        $top_menu_list = isset( $_POST['top_menu_list'] ) ? sanitize_text_field( json_encode( $_POST['top_menu_list'] ) ) : array();
+        $top_menu_list = isset( $_POST['top_menu_list'] ) ? sanitize_text_field( wp_json_encode( $_POST['top_menu_list'] ) ) : array();
         
         /**
@@ -148 +148 @@
 
         $remove_top_array      = $new_menu_list;
-        $json_remove_top_array = json_encode( $remove_top_array ); 
+        $json_remove_top_array = wp_json_encode( $remove_top_array ); 
         
         /**
@@ -192 +192 @@
 
       if( $_GET['message'] == 'save' ) {
-        echo $msg =  '<div id="message" class="updated notice notice-success is-dismissible"><p>'. esc_html( 'Your changes has been updated.' ) .'</p></div>';
+        echo $msg =  '<div id="message" class="updated notice notice-success is-dismissible"><p>'. esc_html__( 'Your changes has been updated.', MWB_TEXTDOMAIN ) .'</p></div>';
       }
 
       if( $_GET['message'] == 'default' ) {
-        echo $msg =  '<div id="message" class="updated notice notice-success is-dismissible"><p>'. esc_html( 'Your default setting has been setup.' ) .'</p></div>';
+        echo $msg =  '<div id="message" class="updated notice notice-success is-dismissible"><p>'. esc_html__( 'Your default setting has been setup.', MWB_TEXTDOMAIN ) .'</p></div>';
       }
 
@@ -302 +302 @@
                 <td class="primary_menu_seprator">
                   <span class="dashicons-before  <?php echo esc_attr( $row['6'] ); ?>"></span> 
-                  <span><?php echo esc_attr( strip_tags( $row['0'] ) ); ?></span>
+                  <span><?php echo esc_attr( wp_strip_all_tags( $row['0'] ) ); ?></span>
                 </td>
 
@@ -333 +333 @@
                     <td>
                       <span class="dashicons dashicons-arrow-right-alt sub-icon"></span> 
-                      <span><?php echo esc_attr( strip_tags( $rows['0'] ) ); ?></span>
+                      <span><?php echo esc_attr( wp_strip_all_tags( $rows['0'] ) ); ?></span>
                     </td>
                     <?php foreach ( $roles as $role_key=>$role ) { ?> 
@@ -421 +421 @@
                   <td>
                     <span id="wp-admin-bar-<?php echo esc_attr( $row->id ); ?>"></span> 
-                    <span># <?php echo esc_attr( strip_tags( $row->title ) ); ?></span>
+                    <span># <?php echo esc_attr( wp_strip_all_tags( $row->title ) ); ?></span>
                   </td>
                   <?php foreach ( $roles as $role_key => $role ) { ?>  
@@ -444 +444 @@
                             <span id="wp-admin-bar-<?php echo esc_attr( $child_menu->id ); ?>"></span> 
                             <span class="dashicons dashicons-arrow-right-alt sub-icon"></span>
-                            <span> <?php echo esc_attr( strip_tags( $child_menu->title ) ); ?></span>
+                            <span> <?php echo esc_attr( wp_strip_all_tags( $child_menu->title ) ); ?></span>
                           </td>
                           <?php foreach ( $roles as $role_key=>$role ) { ?> 
@@ -589 +589 @@
         //this is the patch for the wordpress 4 or may be latetest version for the customize menu only
         if( $pare_child[0] == 'themes.php' ) {
-          $parse_data = parse_url( $pare_child[1] );
+          $parse_data = wp_parse_url( $pare_child[1] );
           if( $parse_data['path'] == 'customize.php' ) {
             unset( $submenu['themes.php'][6] );

my-wp-brand/trunk/mwb.php

@@ -12 +12 @@
  * Plugin URI:  https://imw3.com/product/my-wp-brand
  * Description: My Brand plugin is used to customize admin panel.
- * Version:     1.1.2
+ * Version:     1.1.3
  * Author:      imw3
  * Author URI:  https://imw3.com/
@@ -36 +36 @@
             /**
              * Action hooks
+             * 
              * @version 1.0.0
+             * @version 1.1.3 Removed unnecessary wp_ajax_nopriv hooks
              */
             add_action( 'admin_menu' , array( $this , 'mwb_manage_admin_menu' ) );
@@ -44 +46 @@
             add_action( 'wp_ajax_mwb_plugins_form' , array( $this , 'mwb_plugins_form' ) );
             add_action( 'login_enqueue_scripts' , array( $this , 'mwb_manage_login_form' ) );
-            add_action( 'wp_ajax_nopriv_mwb_style_ajax' , array( $this , 'mwb_style_ajax' ) );
-            add_action( 'wp_ajax_nopriv_mwb_author_form' , array( $this , 'mwb_author_form' ) );
-            add_action( 'wp_ajax_nopriv_mwb_plugins_form' , array( $this , 'mwb_plugins_form' ) );
             add_action( 'admin_bar_menu' , array( $this , 'mwb_manage_admin_top_bar_menu' ) , 1 );
             add_action( 'admin_enqueue_scripts' , array( $this , 'mwb_enqueue_scripts_and_styles' ) );
@@ -107 +106 @@
             wp_enqueue_script('jquery'); 
 
-            wp_localize_script( 'jquery', 'mwb_ajax', array( 'url' => admin_url( 'admin-ajax.php' ) ) );
+            wp_localize_script( 'jquery', 'mwb_ajax', array( 
+                'url' => admin_url( 'admin-ajax.php' ),
+                'nonce' => wp_create_nonce( 'ajax-nonce' )
+            ));
 
         }
@@ -544 +546 @@
          * @ajax 
          *  -> mwb plugins form
+         * 
+         * @since 1.0.0
+         * @since 1.1.3 Added user capability verification and nonce verification.
          */
         public function mwb_plugins_form(){
-            
+
+            if ( ! current_user_can( 'manage_options' ) ) {
+                exit;
+            }
+
+            if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( $_POST['nonce'] , 'ajax-nonce' ) ) {
+                die('The token has expired!');
+            }
+
             if ( empty( get_option( 'hide-plugins' ) ) ) { 
                 add_option( 'hide-plugins' , array_map( 'sanitize_text_field', $_POST['plugins'] ) );
@@ -562 +575 @@
          * @ajax 
          *  -> mwb style form
+         * 
+         * @since 1.0.0
+         * @since 1.1.3 Added user capability verification and nonce verification.
          */
         public function mwb_style_ajax() {
+
+            if ( ! current_user_can( 'manage_options' ) ) {
+                exit;
+            }
+
+            if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( $_POST['nonce'] , 'ajax-nonce' ) ) {
+                die('The token has expired!');
+            }
 
             /**
@@ -592 +616 @@
          * @ajax 
          *  -> mwb author form
+         * 
+         * @since 1.0.0
+         * @since 1.1.3 Added user capability verification and nonce verification.
          */
         public function mwb_author_form() {
+
+            if ( ! current_user_can( 'manage_options' ) ) {
+                exit;
+            }
+
+            if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( $_POST['nonce'] , 'ajax-nonce' ) ) {
+                die('The token has expired!');
+            }
 
             /**

my-wp-brand/trunk/readme.txt

@@ -1 +1 @@
 === My Wp Brand – Hide menu & Hide Plugin ===
-Contributors: imw3, riyazuddin, mohammadazad
-Tags: hide menu, hide plugin, hide version, admin menu, change logo, menu,
+Contributors: imw3, mohammadazad, riyazuddin
+Tags: hide menu, hide plugin, hide version, admin menu, change logo,
 Requires at least: 6.5
-Tested up to: 6.6
+Tested up to: 6.6.2
 Requires PHP: 7.4
-Stable tag: 1.1.2
+Stable tag: 1.1.3
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
@@ -54 +54 @@
 == Installation ==
 
-1. Install via the built-in WordPress plugin installer. Or download and unzip my-wp-brand.zip inside the plugin’s directory for your site (typically wp-content/plugins/)
-2. Activate the plugin through the ‘Plugins’ admin menu in WordPress.
-3. Go to “Setting” -> “Wp Brand” and check or tick mark those plugin / menus that you want to hide from admin. (You can also use the “Settings” link in the plugin’s entry on the admin “Plugins” page).
+1. Install via the built-in WordPress plugin installer. Or download and unzip my-wp-brand.zip inside the plugin’s directory for your site (typically wp-content/plugins/)
+2. Activate the plugin through the ‘Plugins’ admin menu in WordPress.
+3. Go to “Setting” -> “Wp Brand” and check or tick mark those plugin / menus that you want to hide from admin. (You can also use the “Settings” link in the plugin’s entry on the admin “Plugins” page).
 
 == Changelog ==
@@ -74 +74 @@
 * Fix Minor Bug.
 * Compatible with WordPress 6.6
+
+= 1.1.3 =
+* Fixed broken access control vulnerability.
+* Compatible with WordPress 6.6.2