Changeset 3394838

Timestamp:

11/13/2025 08:32:07 AM (4 weeks ago)

Author:

Icegram

Message:

Preparing for 5.9.11 release

Location:

email-subscribers/trunk

Files:

• email-subscribers.php (modified) (2 diffs)
• lite/includes/classes/class-es-queue.php (modified) (1 diff)
• lite/includes/classes/class-ig-es-background-process-helper.php (modified) (2 diffs)
• lite/includes/controllers/class-es-campaign-controller.php (modified) (2 diffs)
• lite/includes/controllers/class-es-form-controller.php (modified) (1 diff)
• lite/includes/db/class-es-db.php (modified) (3 diffs)
• readme.txt (modified) (2 diffs)

email-subscribers/trunk/email-subscribers.php

@@ -4 +4 @@
  * Plugin URI: https://www.icegram.com/
  * Description: Add subscription forms on website, send HTML newsletters & automatically notify subscribers about new blog posts once it is published.
- * Version: 5.9.10
+ * Version: 5.9.11
  * Author: Icegram
  * Author URI: https://www.icegram.com/
@@ -188 +188 @@
 
 if ( ! defined( 'ES_PLUGIN_VERSION' ) ) {
-    define( 'ES_PLUGIN_VERSION', '5.9.10' );
+    define( 'ES_PLUGIN_VERSION', '5.9.11' );
 }
 

email-subscribers/trunk/lite/includes/classes/class-es-queue.php

@@ -1132 +1132 @@
         public function trigger_mailing_queue_sending() {
 
+            $can_access_campaign = ES_Common::ig_es_can_access( 'campaigns' );
+            $nonce = ig_es_get_request_data( 'nonce' );
+            
+            if ( ! $can_access_campaign ) { 
+                return;
+            } 
+
+            if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'ig-es-trigger-mailing-queue-sending-nonce' ) ) {
+                return;
+            }
+                
             // Call cron action only when it is not locked.
-            if ( ! ES()->cron->is_locked() ) {
-
+            if ( ! ES()->cron->is_locked() ) {      
                 // Start processing of campaigns which are scheduled for current date time.
                 do_action( 'ig_es_cron_worker' );

email-subscribers/trunk/lite/includes/classes/class-ig-es-background-process-helper.php

@@ -172 +172 @@
                 $action_id = as_schedule_single_action( $time, $action, array( $action_args ), 'email-subscribers' );
 
-                if ( ! empty( $action_id ) ) {
+                if ( ! empty( $action_id ) ) {  
                     if ( $process_asynchronously ) {
                         $request_args = array(
                             'action'    => 'ig_es_run_action_scheduler_task',
                             'action_id' => $action_id,
+                            'guid' => ES()->cron->get_cron_guid(),
                         );
                         self::send_async_ajax_request( $request_args, $should_wait );
                     }
-                    return $action_id;
+                    return $action_id;  
                 }
             }
@@ -195 +196 @@
 
             $action_id = ig_es_get_request_data( 'action_id' );
-
-            if ( ! empty( $action_id ) ) {
-                if ( class_exists( 'ActionScheduler_QueueRunner' ) ) {
-                    $queue_runner = ActionScheduler_QueueRunner::instance();
-                    $queue_runner->process_action( $action_id, 'email-subscribers' );
-                }
-            }
+            $guid      = ig_es_get_request_data( 'guid' );
+
+            if ( empty( $action_id ) ) {
+                return;
+            }
+
+            if ( empty( $guid ) || ! ES()->cron->is_valid_request( $guid ) ) {
+                return;
+            }
+
+            if ( class_exists( 'ActionScheduler_QueueRunner' ) ) {
+                $queue_runner = ActionScheduler_QueueRunner::instance();
+                $queue_runner->process_action( $action_id, 'email-subscribers' );
+            }
+                    
+                 
+                
+            
         }
 

email-subscribers/trunk/lite/includes/controllers/class-es-campaign-controller.php

@@ -104 +104 @@
                                 'action'        => 'ig_es_trigger_mailing_queue_sending',
                                 'campaign_hash' => $mailing_queue_hash,
+                                'nonce'         => wp_create_nonce( 'ig-es-trigger-mailing-queue-sending-nonce' ),
                                 );
                                 // Send an asynchronous request to trigger sending of campaign emails.
@@ -562 +563 @@
                         'action'        => 'ig_es_trigger_mailing_queue_sending',
                         'campaign_hash' => $mailing_queue_hash,
+                        'nonce'         => wp_create_nonce( 'ig-es-trigger-mailing-queue-sending-nonce' ),
                     );
                     // Send an asynchronous request to trigger sending of campaign emails.

email-subscribers/trunk/lite/includes/controllers/class-es-form-controller.php

@@ -720 +720 @@
             if ( isset( $form_data['settings'] ) && is_string( $form_data['settings'] ) ) {
                 // Try to unserialize settings if it's a string
-                $unserialized_settings = @unserialize( $form_data['settings'] );
+                $unserialized_settings = ig_es_maybe_unserialize( $form_data['settings'] );
                 if ( $unserialized_settings !== false ) {
                     $form_data['settings'] = $unserialized_settings;

email-subscribers/trunk/lite/includes/db/class-es-db.php

@@ -664 +664 @@
         }
 
-    // Get the first value from an array to check data structure
-    $first_value = array_slice( $values, 0, 1 );
-
-    $data = array_shift( $first_value );
-
-    // Set default values
-    $data = wp_parse_args( $data, $this->get_column_defaults() );
-
     // Initialise column format array
     $column_formats = $this->get_columns();
@@ -678 +670 @@
     unset( $column_formats[ $this->primary_key ] );
 
-    // Force fields to lower case
-    $data = array_change_key_case( $data );
-
-    // White list columns
-    $data = array_intersect_key( $data, $column_formats );
-
-    // Reorder $column_formats to match the order of columns given in $data
-    $data = wp_parse_args( $data, $this->get_column_defaults() );
-
-    // Collect ALL possible fields from ALL records in the batch to ensure consistent field list
+    // Get proper default values for columns
+    $column_defaults = $this->get_column_defaults();
+
+    // Normalize all records and collect all possible fields
     $all_fields = array();
+    $normalized_values = array();
+    
     foreach ( $values as $single_value ) {
+        // Force fields to lower case
         $single_value = array_change_key_case( $single_value );
+        // White list columns - only keep valid database columns
         $single_value = array_intersect_key( $single_value, $column_formats );
+        $normalized_values[] = $single_value;
         $all_fields = array_merge( $all_fields, array_keys( $single_value ) );
     }
     $all_fields = array_unique( $all_fields );
     
-    // Update column_formats to include only the fields present across all records
+    // If no fields found, nothing to insert
+    if ( empty( $all_fields ) ) {
+        return false;
+    }
+    
+    // Update column_formats to include only the fields present in the data
     $column_formats = array_intersect_key( $column_formats, array_flip( $all_fields ) );
     
-    // Update data defaults to include all fields
-    $data = array_merge( array_fill_keys( $all_fields, null ), $data );
-    $data = array_intersect_key( $data, $column_formats );
-
-    $data_keys = array_keys( $data );
-
-    $fields = array_keys( array_merge( array_flip( $data_keys ), $column_formats ) );       // Convert Batches into smaller chunk
-        $batches = array_chunk( $values, $length );
+    // Create default values for all fields using proper column defaults
+    $default_values = array();
+    foreach ( $all_fields as $field ) {
+        $default_values[ $field ] = isset( $column_defaults[ $field ] ) ? $column_defaults[ $field ] : null;
+    }
+
+    // Get field names for SQL query
+    $fields = array_keys( $column_formats );        // Convert Batches into smaller chunk
+        $batches = array_chunk( $normalized_values, $length );
 
         $error_flag = false;
@@ -722 +719 @@
 
                 $formats = array();
+                // Merge default NULL values with actual record values
+                $value_with_defaults = array_merge( $default_values, $value );
+                
                 foreach ( $column_formats as $column => $format ) {
-                    $final_values[] = isset( $value[ $column ] ) ? $value[ $column ] : $data[ $column ]; // set default if we don't have
+                    $final_values[] = isset( $value_with_defaults[ $column ] ) ? $value_with_defaults[ $column ] : null;
                     $formats[]      = $format;
                 }

email-subscribers/trunk/readme.txt

@@ -7 +7 @@
 Tested up to: 6.8
 Requires PHP: 7.0
-Stable tag: 5.9.10
+Stable tag: 5.9.11
 License: GPLv3
 
@@ -342 +342 @@
 == Upgrade Notice ==
 
-= 5.9.10 =
-
-* New: Revamped campaign edit interface for a smoother user experience  
-* Improvement: Enhanced audience dashboard UI for better usability  
-* Fix: Fixed broken links on the main dashboard page
+= 5.9.11 =
+
+* Improvements: Enhanced security for campaign sending and background task processing
+* Fix: Resolved a fatal error occurring during CSV import
 
 == Changelog ==
+
+**5.9.11 (13.11.2025)**
+
+* Fix: Fixed missing auth and nonce check vulnerability in background task processing library [Thanks to WordFence team]
+* Fix: Fixed PHP Object injection vulnerability in forms [Thanks to Patchstack team]
 
 **5.9.10 (11.11.2025)**