Changeset 3209705

Timestamp:

12/18/2024 08:49:31 AM (13 months ago)

Author:

mightyforms

Message:

security fix

Location:

mightyforms

Files:

• tags/1.3.10 (copied) (copied from mightyforms/trunk)
• tags/1.3.10/gutenberg_block/mightyforms_block/blocks.build.js (copied) (copied from mightyforms/trunk/gutenberg_block/mightyforms_block/blocks.build.js)
• tags/1.3.10/gutenberg_source_code/dist/blocks.build.js (deleted)
• tags/1.3.10/gutenberg_source_code/src/block/mainComponent.js (deleted)
• tags/1.3.10/js/script.js (modified) (2 diffs)
• tags/1.3.10/mightyforms.php (modified) (1 diff)
• tags/1.3.10/readme.txt (copied) (copied from mightyforms/trunk/readme.txt) (2 diffs)
• tags/1.3.10/shortcode.php (modified) (1 diff)
• tags/1.3.10/views/application.php (modified) (2 diffs)
• tags/1.3.10/views/forms.php (modified) (1 diff)
• tags/1.3.10/views/how-to.php (copied) (copied from mightyforms/trunk/views/how-to.php)
• trunk/assets (deleted)
• trunk/js/mightyforms-loader.js (deleted)
• trunk/js/script.js (modified) (2 diffs)
• trunk/mightyforms.php (modified) (1 diff)
• trunk/readme.txt (modified) (2 diffs)
• trunk/shortcode.php (modified) (1 diff)
• trunk/views/application.php (modified) (2 diffs)
• trunk/views/forms.php (modified) (1 diff)
• trunk/views/settings.php (deleted)

mightyforms/tags/1.3.10/js/script.js

@@ -12 +12 @@
                 ajaxurl, {
                 action: 'upsert_user_api_key',
-                userApiKey: null
+                userApiKey: null,
+                nonce: jQuery('[name=mf_reconnect]').val(),
             }, function (response) {
                 if (JSON.parse(response).success) {
@@ -59 +60 @@
                 ajaxurl, {
                 action: 'upsert_user_api_key',
-                userApiKey: post.data
+                userApiKey: post.data,
+                nonce: jQuery('[name=mf_login]').val(),
             }, function (response) {
                 console.log(response)

mightyforms/tags/1.3.10/mightyforms.php

@@ -4 +4 @@
     Plugin Name: MightyForms
     Description: Powerful web forms - made easy. Quickly create beautiful forms for any website with this intuitive Drag & Drop online form builder.
-    Version: 1.3.8
+    Version: 1.3.10
     Author: Porthas Inc.
     Author URI: https://porthas.com

mightyforms/tags/1.3.10/readme.txt

@@ -5 +5 @@
 Requires at least: 3.0.0
 Tested up to: 6.5.2
-Stable tag: 1.3.9
+Stable tag: 1.3.10
 Requires PHP: 5.6
 License: GPLv2 or later
@@ -274 +274 @@
 == Changelog ==
 
+= 1.3.10 =
+* Security fixes
+
 = 1.3.9 =
 * Small fixes

mightyforms/tags/1.3.10/shortcode.php

@@ -11 +11 @@
 {
     return '<!-- MightyForms Section -->
-    <div class="mighty-form" id="' . $atts['id'] . '"></div>
+    <div class="mighty-form" id="' . esc_attr($atts['id']) . '"></div>
     <script async src="https://form.mightyforms.com/loader/v1/mightyforms.min.js"></script>
     <!-- End MightyForms Section -->';

mightyforms/tags/1.3.10/views/application.php

@@ -31 +31 @@
         </div>
         <div class="application-box">
+            <?php wp_nonce_field('user_api_key','mf_login'); ?>
             <iframe id="mf" src="<?php echo $iframe_src; ?>" frameborder="0" style="width: 100%;"></iframe>
         </div>
@@ -50 +51 @@
 {
     try {
+        if (!current_user_can('manage_options') || empty($_POST['nonce'])
+            || !wp_verify_nonce($_POST['nonce'], 'user_api_key')
+        ) {
+            throw new Exception('Access denied');
+        }
+
         $api_key = esc_sql($_POST['userApiKey']);
 

mightyforms/tags/1.3.10/views/forms.php

@@ -70 +70 @@
                             <h3>Your forms and shortcodes.</h3>
                             <button>Reconnect</button>
+                            <?php wp_nonce_field('user_api_key','mf_reconnect'); ?>
                         </div>
                         <p>If you want to show your form in a page or post - just copy the form's shortcode and paste it into your

mightyforms/trunk/js/script.js

@@ -12 +12 @@
                 ajaxurl, {
                 action: 'upsert_user_api_key',
-                userApiKey: null
+                userApiKey: null,
+                nonce: jQuery('[name=mf_reconnect]').val(),
             }, function (response) {
                 if (JSON.parse(response).success) {
@@ -59 +60 @@
                 ajaxurl, {
                 action: 'upsert_user_api_key',
-                userApiKey: post.data
+                userApiKey: post.data,
+                nonce: jQuery('[name=mf_login]').val(),
             }, function (response) {
                 console.log(response)

mightyforms/trunk/mightyforms.php

@@ -4 +4 @@
     Plugin Name: MightyForms
     Description: Powerful web forms - made easy. Quickly create beautiful forms for any website with this intuitive Drag & Drop online form builder.
-    Version: 1.3.8
+    Version: 1.3.10
     Author: Porthas Inc.
     Author URI: https://porthas.com

mightyforms/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 3.0.0
 Tested up to: 6.5.2
-Stable tag: 1.3.9
+Stable tag: 1.3.10
 Requires PHP: 5.6
 License: GPLv2 or later
@@ -274 +274 @@
 == Changelog ==
 
+= 1.3.10 =
+* Security fixes
+
 = 1.3.9 =
 * Small fixes

mightyforms/trunk/shortcode.php

@@ -11 +11 @@
 {
     return '<!-- MightyForms Section -->
-    <div class="mighty-form" id="' . $atts['id'] . '"></div>
+    <div class="mighty-form" id="' . esc_attr($atts['id']) . '"></div>
     <script async src="https://form.mightyforms.com/loader/v1/mightyforms.min.js"></script>
     <!-- End MightyForms Section -->';

mightyforms/trunk/views/application.php

@@ -31 +31 @@
         </div>
         <div class="application-box">
+            <?php wp_nonce_field('user_api_key','mf_login'); ?>
             <iframe id="mf" src="<?php echo $iframe_src; ?>" frameborder="0" style="width: 100%;"></iframe>
         </div>
@@ -50 +51 @@
 {
     try {
+        if (!current_user_can('manage_options') || empty($_POST['nonce'])
+            || !wp_verify_nonce($_POST['nonce'], 'user_api_key')
+        ) {
+            throw new Exception('Access denied');
+        }
+
         $api_key = esc_sql($_POST['userApiKey']);
 

mightyforms/trunk/views/forms.php

@@ -70 +70 @@
                             <h3>Your forms and shortcodes.</h3>
                             <button>Reconnect</button>
+                            <?php wp_nonce_field('user_api_key','mf_reconnect'); ?>
                         </div>
                         <p>If you want to show your form in a page or post - just copy the form's shortcode and paste it into your