Changeset 3248584

Timestamp:

02/28/2025 03:52:43 PM (12 months ago)

Author:

xpro

Message:

V 1.4.6.8 – 28 Feb 2025

Fix: Resolved vulnerability issue in the Button Widget.
Fix: Resolved vulnerability issue in the Animated Link Widget.

Location:

xpro-elementor-addons/trunk

Files:

• assets/js/xpro-widgets.js (modified) (1 diff)
• changelog.txt (modified) (1 diff)
• readme.txt (modified) (2 diffs)
• widgets/animated-link/animated-link.php (modified) (2 diffs)
• widgets/animated-link/layout/frontend.php (modified) (1 diff)
• widgets/button/button.php (modified) (2 diffs)
• widgets/button/layout/frontend.php (modified) (1 diff)
• xpro-elementor-addons.php (modified) (3 diffs)

xpro-elementor-addons/trunk/assets/js/xpro-widgets.js

@@ -517 +517 @@
                 r = "",
                 a = e.find("#xpro-icon-box-lottie");
-                console.log(i);
             "" !== t.hover_animation &&
                 i.hover(

xpro-elementor-addons/trunk/changelog.txt

@@ +1 @@
+= V 1.4.6.8 – 28 Feb 2025
+
+Fix: Resolved vulnerability issue in the Button Widget.
+Fix: Resolved vulnerability issue in the Animated Link Widget.
+
+
 = V 1.4.6.7 – 25 Feb 2025
 

xpro-elementor-addons/trunk/readme.txt

@@ -1 +1 @@
 === 140+ Widgets | Xpro Addons For Elementor - FREE ===
 Plugin Name: Xpro Addons For Elementor (140+ Widgets & Free Theme Builder)
-Version: 1.4.6.7
+Version: 1.4.6.8
 Contributors: Xpro
 Tags: elementor, widgets for elementor, elementor widgets, addons for elementor, woocommerce elementor
@@ -266 +266 @@
 == Changelog ==
 
+= V 1.4.6.8 – 28 Feb 2025
+
+Fix: Resolved vulnerability issue in the Button Widget.
+Fix: Resolved vulnerability issue in the Animated Link Widget.
+
+
 = V 1.4.6.7 – 25 Feb 2025
 

xpro-elementor-addons/trunk/widgets/animated-link/animated-link.php

@@ -229 +229 @@
         );
 
-        if ( current_user_can( 'administrator' ) ) {
+        if ( current_user_can( 'manage_options' ) ) { 
             $this->add_control(
                 'onclick_event',
@@ -363 +363 @@
     }
 
+    public static function check_capability( $capability ) {
+        $post = get_post();
+        if ( ! $post ) {
+            return false;
+        }
+        $post_author_id = $post->post_author;
+        return user_can( $post_author_id, $capability );
+    }
+
     /**
      * Render image widget output on the frontend.

xpro-elementor-addons/trunk/widgets/animated-link/layout/frontend.php

@@ -9 +9 @@
 $attr    .= $settings['link']['is_external'] ? ' target="_blank"' : '';
 $attr    .= $settings['link']['nofollow'] ? ' rel="nofollow"' : '';
-
-// Sanitize the link URL
 $attr    .= $settings['link']['url'] ? ' href="' . esc_url( $settings['link']['url'] ) . '"' : '';
 
-// Sanitize the onclick event
 // $attr    .= ( $settings['onclick_event'] ) ? ' onclick="' . esc_js( $settings['onclick_event'] ) . '"' : '';
-$attr .= !empty( $settings['onclick_event'] ?? '' )  ? ' onclick="' . esc_js( $settings['onclick_event'] ) . '"'  : '';
+
+if ( !empty( $settings['onclick_event'] ) && self::check_capability( 'manage_options' ) ) {
+    $attr .= ' onclick="' . esc_attr( $settings['onclick_event'] ) . '"';
+}
 
 if ( $settings['link'] && $settings['link']['custom_attributes'] ) {

xpro-elementor-addons/trunk/widgets/button/button.php

@@ -257 +257 @@
         );
 
-        if ( current_user_can( 'administrator' ) ) {
+        if ( current_user_can( 'manage_options' ) ) { 
             $this->add_control(
                 'onclick_event',
@@ -744 +744 @@
     }
 
+    public static function check_capability( $capability ) {
+        $post = get_post();
+        if ( ! $post ) {
+            return false;
+        }
+        $post_author_id = $post->post_author;
+        return user_can( $post_author_id, $capability );
+    }
+
     /**
      * Render image widget output on the frontend.

xpro-elementor-addons/trunk/widgets/button/layout/frontend.php

@@ -9 +9 @@
 $attr    .= $settings['link']['url'] ? ' href="' . esc_url ( $settings['link']['url'] ) . '"' : '';
 // $attr    .= ( $settings['onclick_event'] ) ? ' onclick="' . esc_js ( $settings['onclick_event'] ) . '"' : '';
-$attr .= !empty( $settings['onclick_event'] ?? '' )  ? ' onclick="' . esc_js( $settings['onclick_event'] ) . '"'  : '';
+
+if ( !empty( $settings['onclick_event'] ) && self::check_capability( 'manage_options' ) ) {
+    $attr .= ' onclick="' . esc_attr( $settings['onclick_event'] ) . '"';
+}
 
 if ( $settings['link'] && $settings['link']['custom_attributes'] ) {

xpro-elementor-addons/trunk/xpro-elementor-addons.php

@@ -4 +4 @@
  * Description: A complete Elementor Addons Pack to enhance your web designing experience. Create amazing websites with 50+ FREE Widgets, Extensions & more.
  * Plugin URI:  https://elementor.wpxpro.com/
- * Version:     1.4.6.7
+ * Version:     1.4.6.8
  * Author:      Xpro
  * Author URI:  https://www.wpxpro.com/
@@ -14 +14 @@
 defined( 'ABSPATH' ) || die();
 
-define( 'XPRO_ELEMENTOR_ADDONS_VERSION', '1.4.6.7' );
+define( 'XPRO_ELEMENTOR_ADDONS_VERSION', '1.4.6.8' );
 define( 'INNER_ELEMENTOR_WIDGET_CONTAINER', false );
 define( 'XPRO_ELEMENTOR_ADDONS__FILE__', __FILE__ );
@@ -67 +67 @@
      * @var string The plugin version.
      */
-    const VERSION = '1.4.6.7';
+    const VERSION = '1.4.6.8';
 
     /**