Changeset 3463945

Timestamp:

02/18/2026 05:33:34 AM (5 weeks ago)

Author:

latepoint

Message:

Update to version 5.2.8 from GitHub

Location:

latepoint

Files:

• tags/5.2.8 (copied) (copied from latepoint/trunk)
• tags/5.2.8/.distignore (modified) (1 diff)
• tags/5.2.8/CHANGELOG.md (deleted)
• tags/5.2.8/latepoint.php (modified) (2 diffs)
• tags/5.2.8/lib/controllers/booking_form_settings_controller.php (modified) (1 diff)
• tags/5.2.8/lib/controllers/customers_controller.php (modified) (2 diffs)
• tags/5.2.8/lib/controllers/orders_controller.php (modified) (1 diff)
• tags/5.2.8/lib/helpers/customer_import_helper.php (modified) (1 diff)
• tags/5.2.8/lib/helpers/settings_helper.php (modified) (2 diffs)
• tags/5.2.8/lib/views/booking_form_settings/_booking_form_preview.php (modified) (2 diffs)
• tags/5.2.8/lib/views/booking_form_settings/show.php (modified) (1 diff)
• tags/5.2.8/readme.txt (modified) (3 diffs)
• trunk/.distignore (modified) (1 diff)
• trunk/CHANGELOG.md (deleted)
• trunk/latepoint.php (modified) (2 diffs)
• trunk/lib/controllers/booking_form_settings_controller.php (modified) (1 diff)
• trunk/lib/controllers/customers_controller.php (modified) (2 diffs)
• trunk/lib/controllers/orders_controller.php (modified) (1 diff)
• trunk/lib/helpers/customer_import_helper.php (modified) (1 diff)
• trunk/lib/helpers/settings_helper.php (modified) (2 diffs)
• trunk/lib/views/booking_form_settings/_booking_form_preview.php (modified) (2 diffs)
• trunk/lib/views/booking_form_settings/show.php (modified) (1 diff)
• trunk/readme.txt (modified) (3 diffs)

latepoint/tags/5.2.8/.distignore

@@ -51 +51 @@
 *.log
 *.zip
+CHANGELOG.md
+CLAUDE.md

latepoint/tags/5.2.8/latepoint.php

@@ -3 +3 @@
  * Plugin Name: LatePoint
  * Description: Appointment Scheduling Software for WordPress
- * Version: 5.2.7
+ * Version: 5.2.8
  * Author: LatePoint
  * Author URI: https://latepoint.com
@@ -30 +30 @@
          *
          */
-        public $version = '5.2.7';
+        public $version = '5.2.8';
         public $db_version = '2.3.0';
 

latepoint/tags/5.2.8/lib/controllers/booking_form_settings_controller.php

@@ -24 +24 @@
 
         public function reload_preview() {
+            // Verify nonce.
+            $this->check_nonce( 'reload_preview' );
+
             OsStepsHelper::set_cart_object();
             OsStepsHelper::set_booking_object();

latepoint/tags/5.2.8/lib/controllers/customers_controller.php

@@ -151 +151 @@
             $customer = new OsCustomerModel();
             // Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-            $customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+            // Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+            $customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
             if ( $customer->save() ) {
                 // translators: %s is the html of a customer edit link
@@ -181 +182 @@
                     $old_customer_data = $customer->get_data_vars();
                     // Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-                    $customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+                    // Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+                    $customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
                     if ( $customer->save() ) {
                         // translators: %s is the html of a customer edit link

latepoint/tags/5.2.8/lib/controllers/orders_controller.php

@@ -132 +132 @@
             }
             // Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-            // Use 'public' role to restrict which fields can be set via user input.
-            $customer->set_data( $customer_params, LATEPOINT_PARAMS_SCOPE_PUBLIC );
+            // Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+            $customer->set_data( $customer_params, OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
             if ( $customer->save() ) {
                 if ( $is_new_customer ) {

latepoint/tags/5.2.8/lib/helpers/customer_import_helper.php

@@ -182 +182 @@
                 }
             }
-            $customer->set_data($save_data);
+            $customer->set_data($save_data, 'public');
 
             if ($customer->save()) {

latepoint/tags/5.2.8/lib/helpers/settings_helper.php

@@ -209 +209 @@
 
             // Security check: Ensure no dangerous SQL keywords in CREATE statement.
-            $dangerous_keywords = array( 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
+            $dangerous_keywords = array( 'SELECT', 'UNION', 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
             foreach ( $dangerous_keywords as $keyword ) {
                 if ( stripos( $create_statement, $keyword ) !== false ) {
@@ -232 +232 @@
                 foreach ( $table_data['data'] as $row ) {
                     if ( is_array( $row ) ) {
+                        // Security fix: Prevent mass assignment of wordpress_user_id during import.
+                        if ( $table === $wpdb->prefix . 'latepoint_customers' ) {
+                            unset( $row['wordpress_user_id'] );
+                        }
+
                         $insert_result = $wpdb->insert( $table, $row );
                         if ( $insert_result === false ) {

latepoint/tags/5.2.8/lib/views/booking_form_settings/_booking_form_preview.php

@@ -21 +21 @@
                 </div>
                 <div class="bf-side-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][side_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_heading')); ?></div>
-                <div class="bf-side-desc os-editable-basic editable-setting" data-setting-key="[<?php echo $selected_step_code;?>][side_panel_description]"><?php echo strip_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_description'), ['a', 'i', 'u', 'b', 'br']); ?></div>
+                <div
+                    class="bf-side-desc os-editable-basic editable-setting"
+                    data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][side_panel_description]"
+                >
+                    <?php echo strip_tags( OsStepsHelper::get_step_setting_value( $selected_step_code, 'side_panel_description' ), [ 'a', 'i', 'u', 'b', 'br' ] ); ?>
+                </div>
             </div>
             <div class="side-panel-extra os-editable editable-setting" data-setting-key="[shared][steps_support_text]">
-                <?php echo OsSettingsHelper::get_steps_support_text(); ?>
+                <?php echo wp_kses_post( OsSettingsHelper::get_steps_support_text() ); ?>
             </div>
         </div>
@@ -30 +35 @@
             <div class="bf-main-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_heading')); ?></div>
             <div class="bf-main-panel-content-wrapper">
-                <div class="bf-main-panel-content-before os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_before]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_before'); ?></div>
+                <div
+                    class="bf-main-panel-content-before os-editable editable-setting"
+                    data-placeholder="+"
+                    data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_before]"
+                >
+                    <?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_before' ) ); ?>
+                </div>
                 <div class="bf-main-panel-content">
                     <?php echo OsStepsHelper::get_step_content_preview($selected_step_code); ?>
                 </div>
-                <div class="bf-main-panel-content-after os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_after]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_after'); ?></div>
+                <div
+                    class="bf-main-panel-content-after os-editable editable-setting"
+                    data-placeholder="+"
+                    data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_after]"
+                >
+                    <?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_after' ) ); ?>
+                </div>
             </div>
             <div class="bf-main-panel-buttons">

latepoint/tags/5.2.8/lib/views/booking_form_settings/show.php

@@ -15 +15 @@
     <form class="booking-form-preview-settings"
           data-route-name="<?php echo esc_attr(OsRouterHelper::build_route_name( 'booking_form_settings', 'reload_preview' )); ?>">
+        <?php wp_nonce_field( 'reload_preview', '_wpnonce', false ); ?>
         <div class="bf-heading">
             <div class="latepoint-icon latepoint-icon-browser"></div>

latepoint/tags/5.2.8/readme.txt

@@ -1 +1 @@
 === LatePoint - Calendar Booking Plugin for Appointments and Events ===
 Contributors: latepoint
-Donate link: https://latepoint.com
 Tags: appointments, booking, scheduling, events, calendar
 Requires at least: 6.5
 Tested up to: 6.9
-Stable tag: 5.2.7
+Stable tag: 5.2.8
 Requires PHP: 7.4
 License: GPLv3
@@ -205 +204 @@
 == Changelog ==
 
+= 5.2.8 - February 18, 2026 =
+- Security: Addressed security bugs. Props to WordFence for reporting it.
+- Fix: Fixed admin notes field not saving properly for admin users when creating or updating customers/orders.
+
 = 5.2.7 - February 3, 2026 =
 - Security: Addressed security bugs. Props to WordFence for reporting it.
@@ -217 +220 @@
 - Fix: Fixes for customer login shortcode issues + OTP via SMS
 
-= 5.2.3 - September 28, 2025 =
-- New: Compact side menu
-- Fix: Fixes for customer authentication
-
 Full changelog can be found on our website: [Full Changelog](https://latepoint.com/changelog/)

latepoint/trunk/.distignore

@@ -51 +51 @@
 *.log
 *.zip
+CHANGELOG.md
+CLAUDE.md

latepoint/trunk/latepoint.php

@@ -3 +3 @@
  * Plugin Name: LatePoint
  * Description: Appointment Scheduling Software for WordPress
- * Version: 5.2.7
+ * Version: 5.2.8
  * Author: LatePoint
  * Author URI: https://latepoint.com
@@ -30 +30 @@
          *
          */
-        public $version = '5.2.7';
+        public $version = '5.2.8';
         public $db_version = '2.3.0';
 

latepoint/trunk/lib/controllers/booking_form_settings_controller.php

@@ -24 +24 @@
 
         public function reload_preview() {
+            // Verify nonce.
+            $this->check_nonce( 'reload_preview' );
+
             OsStepsHelper::set_cart_object();
             OsStepsHelper::set_booking_object();

latepoint/trunk/lib/controllers/customers_controller.php

@@ -151 +151 @@
             $customer = new OsCustomerModel();
             // Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-            $customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+            // Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+            $customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
             if ( $customer->save() ) {
                 // translators: %s is the html of a customer edit link
@@ -181 +182 @@
                     $old_customer_data = $customer->get_data_vars();
                     // Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-                    $customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+                    // Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+                    $customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
                     if ( $customer->save() ) {
                         // translators: %s is the html of a customer edit link

latepoint/trunk/lib/controllers/orders_controller.php

@@ -132 +132 @@
             }
             // Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-            // Use 'public' role to restrict which fields can be set via user input.
-            $customer->set_data( $customer_params, LATEPOINT_PARAMS_SCOPE_PUBLIC );
+            // Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+            $customer->set_data( $customer_params, OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
             if ( $customer->save() ) {
                 if ( $is_new_customer ) {

latepoint/trunk/lib/helpers/customer_import_helper.php

@@ -182 +182 @@
                 }
             }
-            $customer->set_data($save_data);
+            $customer->set_data($save_data, 'public');
 
             if ($customer->save()) {

latepoint/trunk/lib/helpers/settings_helper.php

@@ -209 +209 @@
 
             // Security check: Ensure no dangerous SQL keywords in CREATE statement.
-            $dangerous_keywords = array( 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
+            $dangerous_keywords = array( 'SELECT', 'UNION', 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
             foreach ( $dangerous_keywords as $keyword ) {
                 if ( stripos( $create_statement, $keyword ) !== false ) {
@@ -232 +232 @@
                 foreach ( $table_data['data'] as $row ) {
                     if ( is_array( $row ) ) {
+                        // Security fix: Prevent mass assignment of wordpress_user_id during import.
+                        if ( $table === $wpdb->prefix . 'latepoint_customers' ) {
+                            unset( $row['wordpress_user_id'] );
+                        }
+
                         $insert_result = $wpdb->insert( $table, $row );
                         if ( $insert_result === false ) {

latepoint/trunk/lib/views/booking_form_settings/_booking_form_preview.php

@@ -21 +21 @@
                 </div>
                 <div class="bf-side-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][side_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_heading')); ?></div>
-                <div class="bf-side-desc os-editable-basic editable-setting" data-setting-key="[<?php echo $selected_step_code;?>][side_panel_description]"><?php echo strip_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_description'), ['a', 'i', 'u', 'b', 'br']); ?></div>
+                <div
+                    class="bf-side-desc os-editable-basic editable-setting"
+                    data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][side_panel_description]"
+                >
+                    <?php echo strip_tags( OsStepsHelper::get_step_setting_value( $selected_step_code, 'side_panel_description' ), [ 'a', 'i', 'u', 'b', 'br' ] ); ?>
+                </div>
             </div>
             <div class="side-panel-extra os-editable editable-setting" data-setting-key="[shared][steps_support_text]">
-                <?php echo OsSettingsHelper::get_steps_support_text(); ?>
+                <?php echo wp_kses_post( OsSettingsHelper::get_steps_support_text() ); ?>
             </div>
         </div>
@@ -30 +35 @@
             <div class="bf-main-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_heading')); ?></div>
             <div class="bf-main-panel-content-wrapper">
-                <div class="bf-main-panel-content-before os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_before]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_before'); ?></div>
+                <div
+                    class="bf-main-panel-content-before os-editable editable-setting"
+                    data-placeholder="+"
+                    data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_before]"
+                >
+                    <?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_before' ) ); ?>
+                </div>
                 <div class="bf-main-panel-content">
                     <?php echo OsStepsHelper::get_step_content_preview($selected_step_code); ?>
                 </div>
-                <div class="bf-main-panel-content-after os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_after]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_after'); ?></div>
+                <div
+                    class="bf-main-panel-content-after os-editable editable-setting"
+                    data-placeholder="+"
+                    data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_after]"
+                >
+                    <?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_after' ) ); ?>
+                </div>
             </div>
             <div class="bf-main-panel-buttons">

latepoint/trunk/lib/views/booking_form_settings/show.php

@@ -15 +15 @@
     <form class="booking-form-preview-settings"
           data-route-name="<?php echo esc_attr(OsRouterHelper::build_route_name( 'booking_form_settings', 'reload_preview' )); ?>">
+        <?php wp_nonce_field( 'reload_preview', '_wpnonce', false ); ?>
         <div class="bf-heading">
             <div class="latepoint-icon latepoint-icon-browser"></div>

latepoint/trunk/readme.txt

@@ -1 +1 @@
 === LatePoint - Calendar Booking Plugin for Appointments and Events ===
 Contributors: latepoint
-Donate link: https://latepoint.com
 Tags: appointments, booking, scheduling, events, calendar
 Requires at least: 6.5
 Tested up to: 6.9
-Stable tag: 5.2.7
+Stable tag: 5.2.8
 Requires PHP: 7.4
 License: GPLv3
@@ -205 +204 @@
 == Changelog ==
 
+= 5.2.8 - February 18, 2026 =
+- Security: Addressed security bugs. Props to WordFence for reporting it.
+- Fix: Fixed admin notes field not saving properly for admin users when creating or updating customers/orders.
+
 = 5.2.7 - February 3, 2026 =
 - Security: Addressed security bugs. Props to WordFence for reporting it.
@@ -217 +220 @@
 - Fix: Fixes for customer login shortcode issues + OTP via SMS
 
-= 5.2.3 - September 28, 2025 =
-- New: Compact side menu
-- Fix: Fixes for customer authentication
-
 Full changelog can be found on our website: [Full Changelog](https://latepoint.com/changelog/)