Changeset 3459181

Timestamp:

02/11/2026 05:51:25 PM (11 days ago)

Author:

sided

Message:

Ship a security hotfix to the current WordPress plugin this week. It's a focused fix — add wp_verify_nonce() to all AJAX handlers, add current_user_can() checks, sanitize the $_POSTjsonObj? storage, and escape output.

Location:

sided/trunk

Files:

• includes/block-editor/index.js (modified) (3 diffs)
• includes/block-editor/sided-block-editor.php (modified) (1 diff)
• partials/functions.php (modified) (8 diffs)
• partials/sided-create-debate-from-block.php (modified) (1 diff)
• partials/sided-create-debate.php (modified) (1 diff)
• partials/sided-settings.php (modified) (6 diffs)
• readme.txt (modified) (1 diff)
• sided.php (modified) (1 diff)

sided/trunk/includes/block-editor/index.js

@@ -53 +53 @@
                     data: {
                         action: 'wpa_fetch_debates',
+                        sided_ajax_nonce: (typeof sidedBlockEditor !== 'undefined' && sidedBlockEditor.ajaxNonce) ? sidedBlockEditor.ajaxNonce : '',
                         searchText: event.target.value,
                         results_per_page: event.target.value.length === 0 ? 10 : 999
@@ -107 +108 @@
                     data: {
                         action: 'wpa_fetch_current_debate',
+                        sided_ajax_nonce: (typeof sidedBlockEditor !== 'undefined' && sidedBlockEditor.ajaxNonce) ? sidedBlockEditor.ajaxNonce : '',
                         debateId: debateId
                     },
@@ -471 +473 @@
                     data: {
                         action: 'wpa_fetch_current_debate',
+                        sided_ajax_nonce: (typeof sidedBlockEditor !== 'undefined' && sidedBlockEditor.ajaxNonce) ? sidedBlockEditor.ajaxNonce : '',
                         debateId: debateId
                     },

sided/trunk/includes/block-editor/sided-block-editor.php

@@ -23 +23 @@
     );
 
+    wp_localize_script(
+        'embed-sided-debates-block-editor',
+        'sidedBlockEditor',
+        array(
+            'ajaxNonce' => wp_create_nonce( 'sided_ajax' ),
+        )
+    );
+
     register_block_type(
         'sided/sided-debate-selector',

sided/trunk/partials/functions.php

@@ -111 +111 @@
                 if ($embed_placement_option['active'] == 'true' && $embed_placement_option['embed_location_on_page'] !== 'sidebar') {
                     return sprintf(
-                        '%s<div class="sided-widget" clientId="%d" placementId="%d"></div>', 
+                        '%s<div class="sided-widget" clientId="%s" placementId="%s"></div>',
                         $content,
-                        $sided_selected_network,
-                        $embed_placement_option['placement_id']
+                        esc_attr( (string) $sided_selected_network ),
+                        esc_attr( (string) $embed_placement_option['placement_id'] )
                     );
                 }
@@ -166 +166 @@
 
 add_action('wp_ajax_wpa_sided_initiate_script', 'sided_wpa_sided_initiate_script_callback');
-add_action('wp_ajax_nopriv_wpa_sided_initiate_script', 'sided_wpa_sided_initiate_script_callback');
 function sided_wpa_sided_initiate_script_callback()
 {
+    if ( ! isset( $_REQUEST['sided_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['sided_ajax_nonce'] ) ), 'sided_ajax' ) ) {
+        wp_send_json_error( array( 'message' => __( 'Security check failed.', 'sided' ) ), 403 );
+    }
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'sided' ) ), 403 );
+    }
     echo esc_js(update_option('sided_sided_initiate_script', sanitize_text_field($_POST['checked'])));
     wp_die();
@@ -174 +179 @@
 
 add_action('wp_ajax_wpa_send_cats_to_sided', 'sided_wpa_send_cats_to_sided_callback');
-add_action('wp_ajax_nopriv_wpa_send_cats_to_sided', 'sided_wpa_send_cats_to_sided_callback');
 function sided_wpa_send_cats_to_sided_callback()
 {
+    if ( ! isset( $_REQUEST['sided_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['sided_ajax_nonce'] ) ), 'sided_ajax' ) ) {
+        wp_send_json_error( array( 'message' => __( 'Security check failed.', 'sided' ) ), 403 );
+    }
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'sided' ) ), 403 );
+    }
     echo esc_js(update_option('send_cats_to_sided', sanitize_text_field($_POST['checked'])));
     wp_die();
@@ -182 +192 @@
 
 add_action('wp_ajax_wpa_send_tags_to_sided', 'sided_wpa_send_tags_to_sided_callback');
-add_action('wp_ajax_nopriv_wpa_send_tags_to_sided', 'sided_wpa_send_tags_to_sided_callback');
 function sided_wpa_send_tags_to_sided_callback()
 {
+    if ( ! isset( $_REQUEST['sided_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['sided_ajax_nonce'] ) ), 'sided_ajax' ) ) {
+        wp_send_json_error( array( 'message' => __( 'Security check failed.', 'sided' ) ), 403 );
+    }
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'sided' ) ), 403 );
+    }
     echo esc_js(update_option('send_tags_to_sided', sanitize_text_field($_POST['checked'])));
     wp_die();
 }
 
-add_action('wp_ajax_nopriv_wpa_fetch_embed_placements', 'sided_wpa_fetch_embed_placements_callback');
 add_action('wp_ajax_wpa_fetch_embed_placements', 'sided_wpa_fetch_embed_placements_callback');
 function sided_wpa_fetch_embed_placements_callback()
 {
+    if ( ! isset( $_REQUEST['sided_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['sided_ajax_nonce'] ) ), 'sided_ajax' ) ) {
+        wp_send_json_error( array( 'message' => __( 'Security check failed.', 'sided' ) ), 403 );
+    }
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'sided' ) ), 403 );
+    }
     update_option('sided_sided_selected_network', sanitize_text_field($_POST['selectedValue']));
     delete_option('sided_sided_embed_placement_options');
@@ -213 +233 @@
 }
 
-add_action('wp_ajax_nopriv_wpa_sided_generate_smart_poll', 'sided_wpa_sided_generate_smart_poll_callback');
 add_action('wp_ajax_wpa_sided_generate_smart_poll', 'sided_wpa_sided_generate_smart_poll_callback');
 function sided_wpa_sided_generate_smart_poll_callback()
 {
+    if ( ! isset( $_REQUEST['sided_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['sided_ajax_nonce'] ) ), 'sided_ajax' ) ) {
+        wp_send_json_error( array( 'message' => __( 'Security check failed.', 'sided' ) ), 403 );
+    }
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'sided' ) ), 403 );
+    }
     //print_r($_POST['SPC_keyword_val']);
     $url = SIDED_API_URL . '/admin/debate/generateDebates?count=4&url=' . sanitize_text_field($_POST['SPC_keyword_val']);
@@ -239 +264 @@
 
 add_action('wp_ajax_wpa_save_embed_options', 'wpa_save_embed_options_callback');
-add_action('wp_ajax_nopriv_wpa_save_embed_options', 'wpa_save_embed_options_callback');
 function wpa_save_embed_options_callback()
 {
-    $_POST['jsonObj']['updated_at'] = current_datetime();
-    // commented on 2024-10-16, it was not saving embed placement options
-    // echo esc_js(update_option('sided_sided_embed_placement_options', esc_js($_POST['jsonObj'])));
-    
-    // changes made on 2024-10-16 to save embed placement options
-    if (get_option('sided_sided_embed_placement_options') == false) {
-        add_option('sided_sided_embed_placement_options', $_POST['jsonObj']);
+    if ( ! isset( $_REQUEST['sided_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['sided_ajax_nonce'] ) ), 'sided_ajax' ) ) {
+        wp_send_json_error( array( 'message' => __( 'Security check failed.', 'sided' ) ), 403 );
+    }
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'sided' ) ), 403 );
+    }
+    $raw = isset( $_POST['jsonObj'] ) && is_array( $_POST['jsonObj'] ) ? wp_unslash( $_POST['jsonObj'] ) : array();
+    $allowed_locations = array( 'bottom_of_every_post', 'sidebar' );
+    $sanitized = array();
+    foreach ( $raw as $index => $item ) {
+        if ( ! is_array( $item ) ) {
+            continue;
+        }
+        $placement_id = isset( $item['placement_id'] ) ? absint( $item['placement_id'] ) : 0;
+        $embed_location = isset( $item['embed_location_on_page'] ) && in_array( $item['embed_location_on_page'], $allowed_locations, true )
+            ? $item['embed_location_on_page']
+            : 'bottom_of_every_post';
+        $sanitized[ $index ] = array(
+            'active'       => ! empty( $item['active'] ) && $item['active'] !== 'false' ? 'true' : 'false',
+            'placement_id' => $placement_id,
+            'placement_text' => isset( $item['placement_text'] ) ? sanitize_text_field( $item['placement_text'] ) : '',
+            'embed_location_on_page' => $embed_location,
+        );
+    }
+    $sanitized['updated_at'] = current_datetime();
+    if ( get_option( 'sided_sided_embed_placement_options' ) == false ) {
+        add_option( 'sided_sided_embed_placement_options', $sanitized );
     } else {
-        update_option('sided_sided_embed_placement_options', $_POST['jsonObj']);
-    }
-    // changes made on 2024-10-16 to save embed placement options end
+        update_option( 'sided_sided_embed_placement_options', $sanitized );
+    }
     wp_die();
 }
@@ -300 +343 @@
 }
 
-add_action('wp_ajax_nopriv_wpa_fetch_debates', 'wpa_fetch_debates_callback');
 add_action('wp_ajax_wpa_fetch_debates', 'wpa_fetch_debates_callback');
 function wpa_fetch_debates_callback()
 {
+    if ( ! isset( $_REQUEST['sided_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['sided_ajax_nonce'] ) ), 'sided_ajax' ) ) {
+        wp_send_json_error( array( 'message' => __( 'Security check failed.', 'sided' ) ), 403 );
+    }
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'sided' ) ), 403 );
+    }
     $selected_network = get_option('sided_sided_selected_network') ? get_option('sided_sided_selected_network') : 1;
     //$selected_network = array_key_exists('selected_network', $_SESSION) ? $_SESSION['selected_network'] : 1;
@@ -328 +376 @@
 }
 
-add_action('wp_ajax_nopriv_wpa_fetch_current_debate', 'wpa_fetch_current_debate_callback');
 add_action('wp_ajax_wpa_fetch_current_debate', 'wpa_fetch_current_debate_callback');
 function wpa_fetch_current_debate_callback()
 {
-    
+    if ( ! isset( $_REQUEST['sided_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['sided_ajax_nonce'] ) ), 'sided_ajax' ) ) {
+        wp_send_json_error( array( 'message' => __( 'Security check failed.', 'sided' ) ), 403 );
+    }
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_send_json_error( array( 'message' => __( 'You do not have permission to perform this action.', 'sided' ) ), 403 );
+    }
     $debateId = isset($_GET['debateId']) ? sanitize_text_field($_GET['debateId']) : '';
     $url = SIDED_API_URL . '/debate/'.$debateId.'?deviceId='.$debateId;

sided/trunk/partials/sided-create-debate-from-block.php

@@ -330 +330 @@
         data: {
           action: 'wpa_sided_generate_smart_poll',
+          sided_ajax_nonce: '<?php echo esc_js( wp_create_nonce( 'sided_ajax' ) ); ?>',
           SPC_keyword_val: SPC_keyword.val(),
         },

sided/trunk/partials/sided-create-debate.php

@@ -316 +316 @@
         data: {
           action: 'wpa_sided_generate_smart_poll',
+          sided_ajax_nonce: '<?php echo esc_js( wp_create_nonce( 'sided_ajax' ) ); ?>',
           SPC_keyword_val: SPC_keyword.val(),
         },

sided/trunk/partials/sided-settings.php

@@ -121 +121 @@
 <?php 
 $placement_options_array = get_option('sided_sided_embed_placement_options');
-if (isset($placement_options_array['updated_at'])) {
-    unset($placement_options_array['updated_at']);
+if ( ! is_array( $placement_options_array ) ) {
+    $placement_options_array = array();
+}
+if ( isset( $placement_options_array['updated_at'] ) ) {
+    unset( $placement_options_array['updated_at'] );
+}
+$placement_options_safe = array();
+foreach ( $placement_options_array as $key => $item ) {
+    if ( ! is_array( $item ) ) {
+        continue;
+    }
+    $placement_options_safe[ $key ] = array(
+        'active'                  => isset( $item['active'] ) ? $item['active'] : 'false',
+        'placement_id'            => isset( $item['placement_id'] ) ? (int) $item['placement_id'] : 0,
+        'placement_text'          => isset( $item['placement_text'] ) ? esc_html( $item['placement_text'] ) : '',
+        'embed_location_on_page'  => isset( $item['embed_location_on_page'] ) ? esc_attr( $item['embed_location_on_page'] ) : 'bottom_of_every_post',
+    );
 }
 
 ?>
 <script type="text/javascript">
+var sided_ajax_nonce = '<?php echo esc_js( wp_create_nonce( 'sided_ajax' ) ); ?>';
 (function ($) {
     $('input[name="sided_initiate_script"]').change(function() {
         var data = {
             action: 'wpa_sided_initiate_script',
+            sided_ajax_nonce: sided_ajax_nonce,
             checked: $(this).is(":checked") ? true : false,
         };
@@ -141 +158 @@
         var data = {
             action: 'wpa_send_cats_to_sided',
+            sided_ajax_nonce: sided_ajax_nonce,
             checked: $(this).is(":checked") ? true : false,
         };
@@ -151 +169 @@
         var data = {
             action: 'wpa_send_tags_to_sided',
+            sided_ajax_nonce: sided_ajax_nonce,
             checked: $(this).is(":checked") ? true : false,
         };
@@ -167 +186 @@
           data: {
             action: 'wpa_fetch_embed_placements',
+            sided_ajax_nonce: sided_ajax_nonce,
             selectedValue: selectedValue
           },
@@ -186 +206 @@
     function fetch_selected_placements(){
         $('#placement-option-wrapper').html('');
-        var dataArray = $.parseJSON('<?php echo wp_json_encode($placement_options_array); ?>');
-        if(dataArray == ''){ $(".select_network").trigger("change"); }
+        var dataArray = <?php echo wp_json_encode( $placement_options_safe ); ?>;
+        if ( ! dataArray || dataArray.length === 0 ) { $(".select_network").trigger("change"); }
         $.each(dataArray , function(key, value){
             var checked = value['active'] == 'true' ? 'checked' : '';
@@ -204 +224 @@
         var data = {
             action: 'wpa_save_embed_options',
+            sided_ajax_nonce: sided_ajax_nonce,
             jsonObj: jsonObj,
         };

sided/trunk/readme.txt

@@ -5 +5 @@
 Requires at least: 4.7
 Tested up to: 6.5.3
-Stable tag: 1.4.11
+Stable tag: 1.4.12
 Requires PHP: 7.0
 License: GPLv2 or later

sided/trunk/sided.php

@@ -1 +1 @@
 <?php
 /**
-* Plugin Name: Sided
-* Plugin URI: https://sided.co/
-* Description: It is a wordpress plugin to embed sided polls in your Wordpress website.
-* Version: 1.4.11
-* Author: Sided
-**/
+ * Plugin Name: Sided
+ * Plugin URI: https://sided.co/
+ * Description: It is a wordpress plugin to embed sided polls in your Wordpress website.
+ * Version: 1.4.12
+ * Author: Sided
+ * Author URI: https://sided.co/
+ * License: GPLv2 or later
+ * License URI: https://www.gnu.org/licenses/gpl-2.0.html
+ * Text Domain: sided
+ */
 
-define( 'SIDED_VERSION', '1.4.11' );
+define( 'SIDED_VERSION', '1.4.12' );
 define( 'SIDED_PLUGIN', __FILE__ );
 define( 'SIDED_PLUGIN_DIR', untrailingslashit( dirname( SIDED_PLUGIN ) ) );