
Changeset 3475639


Timestamp:
03/05/2026 12:37:02 PM (3 weeks ago)
Author:
wpDataTables
Message:

New update

Location:
wpdatatables
Files:
2288 added
9 edited

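--- a/wpdatatables/trunk/config/config.inc.php
+++ b/wpdatatables/trunk/config/config.inc.php
@@ -10,5 +10,5 @@
 // Current version
 
-define('WDT_CURRENT_VERSION', '6.5.0.1');
+define('WDT_CURRENT_VERSION', '6.5.0.2');
 
 // Version when hooks are updated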
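--- a/wpdatatables/trunk/readme.txt
+++ b/wpdatatables/trunk/readme.txt
@@ -7,5 +7,5 @@
 Tested up to: 6.9.1
 Requires PHP: 7.4
-Stable tag: 6.5.0.1
+Stable tag: 6.5.0.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -425,6 +425,5 @@
 
 = Where do I report security bugs found in this plugin? =
-
-Please report security bugs found in the source code of the wpDataTables plugin through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/9e5fb453-4d67-4ae9-8d4b-2aeOblec5589). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
+Please report security bugs found in the source code of the wpDataTables plugin through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/9e5fb453-4d67-4ae9-8d4b-2ae0b1ec5589). The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.
 
 == Screenshots ==
@@ -444,4 +443,8 @@
 
 == Changelog ==
+= 6.5.0.2 =
+* Fixed vulnerability issue with Local File Inclusion (LFI).
+Other small bug fixes and stability improvements.
+
 = 6.5.0.1 =
 * Added wpDataTables capabilities for viewing tables and charts.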
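--- a/wpdatatables/trunk/source/class.wdtsettingscontroller.php
+++ b/wpdatatables/trunk/source/class.wdtsettingscontroller.php
@@ -22,4 +22,21 @@
                 } else {
                     $setting = sanitize_textarea_field($setting);
+                }
+            } elseif ($key === 'wdtInterfaceLanguage') {
+                // Security Fix: Prevent Path Traversal / LFI for language file (CVE-2026-28039)
+                if (!empty($setting)) {
+                    // Only allow basename (no directory traversal)
+                    $setting = basename(sanitize_text_field($setting));
+
+                    // Verify it's a valid language file
+                    if (substr($setting, -8) !== '.inc.php') {
+                        $setting = ''; // Invalid format, reject it
+                    } else {
+                        // Double-check the file exists in the lang directory
+                        $langPath = WDT_ROOT_PATH . 'source/lang/' . $setting;
+                        if (!file_exists($langPath) || !is_file($langPath)) {
+                            $setting = ''; // File doesn't exist, reject it
+                        }
+                    }
                 }
             } else{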
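Review bot: A rejected language file is silently replaced by `''` at new lines 33 and 38, so an administrator who submits a bad value gets no error and the interface language is quietly reset to nothing, while setInterfaceLanguage() in class.wpdatatable.php in this same changeset throws WDTException for the identical conditions; two hand-written validators for one value will drift. Prefer one shared helper that returns the validated filename or throws, used from both places, so that here the rejection becomes e.g. `throw new WDTException('Invalid language file format!');` rather than a blank write (whether throwing is acceptable at this point depends on the caller, which is outside the hunk). `basename()` plus the fixed `source/lang/` prefix does block traversal, so this is about reporting and duplication, not a bypass. The enclosing loop and method start before the hunk.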
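--- a/wpdatatables/trunk/source/class.wpdatachart.php
+++ b/wpdatatables/trunk/source/class.wpdatachart.php
@@ -466,6 +466,16 @@
     public static function build($constructedChartData, $loadFromDB = false)
     {
-        $wdtChart = 'Wdt' . ucfirst($constructedChartData['engine']) . 'Chart' . '\Wdt' . ucfirst($constructedChartData['engine']) . 'Chart';
-        $chartClassFileName = 'class.' . $constructedChartData['engine'] . '.wpdatachart.php';
+        // Security Fix: Whitelist valid chart engines to prevent LFI
+        $validEngines = array('google', 'chartjs', 'highcharts', 'apexcharts');
+
+        $engine = isset($constructedChartData['engine']) ? strtolower(sanitize_text_field($constructedChartData['engine'])) : 'google';
+
+        if (!in_array($engine, $validEngines, true)) {
+            // Invalid engine, default to google
+            $engine = 'google';
+        }
+
+        $wdtChart = 'Wdt' . ucfirst($engine) . 'Chart' . '\Wdt' . ucfirst($engine) . 'Chart';
+        $chartClassFileName = 'class.' . $engine . '.wpdatachart.php';
         require_once(WDT_ROOT_PATH . 'source/' . $chartClassFileName);
         return new $wdtChart($constructedChartData, $loadFromDB);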
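Review bot: Unknown engine names are silently mapped to `'google'` at new line 475, so a stored chart whose engine value was tampered with or misspelled, or an engine class that the plugin ships but that is missing from the four-entry list at line 469, now renders as a Google chart with no error; that hides both tampering and allowlist omissions. Since the engine only feeds a class name and a file name, failing loudly costs nothing: `throw new WDTException('Unsupported chart engine: ' . $engine);` in place of the fallback (WDTException is what class.wpdatatable.php throws in this changeset; confirm it is loaded in this file). If the set of engines is already defined elsewhere in the plugin, deriving the allowlist from that one place keeps the two from drifting. The enclosing class starts before the hunk.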
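--- a/wpdatatables/trunk/source/class.wpdatacolumn.php
+++ b/wpdatatables/trunk/source/class.wpdatacolumn.php
@@ -671,6 +671,21 @@
             $wdtColumnType = 'string';
         }
+
+        // Security Fix: Whitelist valid column types to prevent LFI
+        $validColumnTypes = array(
+            'string', 'int', 'float', 'date', 'datetime', 'time', 'link', 'email',
+            'image', 'file', 'formula', 'masterdetail', 'attachment'
+        );
+
+        // Normalize and validate column type
+        $wdtColumnType = strtolower(sanitize_text_field($wdtColumnType));
+
+        if (!in_array($wdtColumnType, $validColumnTypes, true)) {
+            // Invalid column type, default to string
+            $wdtColumnType = 'string';
+        }
+
         $columnObj = ucfirst($wdtColumnType) . 'WDTColumn';
-        $columnFormatterFileName = 'class.' . strtolower($wdtColumnType) . '.wpdatacolumn.php';
+        $columnFormatterFileName = 'class.' . $wdtColumnType . '.wpdatacolumn.php';
         require_once($columnFormatterFileName);
         return new $columnObj($properties);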
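Review bot: A column type absent from the hand-maintained list at new lines 675-678 is silently downgraded to `'string'` at line 685, so any column-type class the plugin ships but that was left out of the array would render every such column as plain text with no signal, and the omission would be hard to notice in testing. Prefer failing loudly, e.g. `throw new WDTException('Unsupported column type: ' . $wdtColumnType);` (if WDTException is available in this file), or derive the list from the `class.*.wpdatacolumn.php` files actually present rather than maintaining it by hand. Separately, `require_once($columnFormatterFileName);` at line 690 still resolves a bare relative filename through include_path, unlike build() in class.wpdatachart.php in this same changeset, which prefixes `WDT_ROOT_PATH . 'source/'`; anchoring it the same way removes the dependency on the working directory, assuming the column classes live in source/ alongside this file. The enclosing function starts before the hunk.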
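--- a/wpdatatables/trunk/source/class.wpdatatable.php
+++ b/wpdatatables/trunk/source/class.wpdatatable.php
@@ -526,4 +526,7 @@
     }
 
+    /**
+     * @throws WDTException
+     */
     public function setInterfaceLanguage($lang)
     {
@@ -531,7 +534,29 @@
             throw new WDTException('Incorrect language parameter!');
         }
-        if (!file_exists(WDT_ROOT_PATH . 'source/lang/' . $lang)) {
+
+        // Security Fix: Prevent Path Traversal / LFI attacks (CVE-2026-28039)
+        // Remove any path traversal attempts and allow only valid filenames
+        $lang = basename($lang);
+
+        // Additional security: Only allow .inc.php extension
+        if (substr($lang, -8) !== '.inc.php') {
+            throw new WDTException('Invalid language file format!');
+        }
+
+        // Build the safe path
+        $safePath = WDT_ROOT_PATH . 'source/lang/' . $lang;
+
+        // Verify the resolved path is still within the lang directory
+        $realPath = realpath($safePath);
+        $realLangDir = realpath(WDT_ROOT_PATH . 'source/lang/');
+
+        if ($realPath === false || strpos($realPath, $realLangDir) !== 0) {
+            throw new WDTException('Language file not found or path traversal detected!');
+        }
+
+        if (!file_exists($safePath)) {
             throw new WDTException('Language file not found');
         }
-        $this->_interfaceLanguage = WDT_ROOT_PATH . 'source/lang/' . $lang;
+
+        $this->_interfaceLanguage = $safePath;
     }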
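Review bot: The containment check at new line 553 compares path prefixes without a directory separator, so a resolved path under a sibling directory whose name merely starts with `lang` (say `source/lang-custom/`) satisfies `strpos($realPath, $realLangDir) === 0`; with `basename()` applied at line 539 that is only reachable through a symlink placed inside source/lang, but this check is meant to be the backstop, so compare against the directory plus separator: `if ($realPath === false || $realLangDir === false || strpos($realPath, $realLangDir . DIRECTORY_SEPARATOR) !== 0) {`. The `file_exists($safePath)` test at line 557 is now unreachable, because `realpath()` already returned `false` for a missing file and that case was rejected at line 553; either drop it or fold its 'Language file not found' message into the first check. Old line 530 (the start of the parameter validation) is elided from this view.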
    538563
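--- a/wpdatatables/trunk/source/class.wpdatatablecache.php
+++ b/wpdatatables/trunk/source/class.wpdatatablecache.php
@@ -328,4 +328,15 @@
                     $objReader = WPDataTable::createObjectReader($source);
                 if (isset($tableData) && $tableData->file_location == 'wp_any_url'){
+                    // Security Fix: Validate URL before file_get_contents to prevent SSRF/LFI
+                    if (!filter_var($source, FILTER_VALIDATE_URL)) {
+                        throw new Exception('Invalid URL format!');
+                    }
+
+                    // Prevent access to local files via file:// protocol
+                    $parsedUrl = parse_url($source);
+                    if (!isset($parsedUrl['scheme']) || !in_array(strtolower($parsedUrl['scheme']), array('http', 'https'), true)) {
+                        throw new Exception('Only HTTP and HTTPS protocols are allowed!');
+                    }
+
                     $file = @file_get_contents($source);
                     if ($file === false){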
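Review bot: The scheme check at new lines 336-339 does not prevent SSRF, despite the comment at line 330: an `http://` URL may still target 127.0.0.1, RFC 1918 hosts or a cloud metadata endpoint such as 169.254.169.254, and `file_get_contents()` follows redirects, so even a host check on the submitted URL would be bypassable. WordPress already provides the hardened path: replace `$file = @file_get_contents($source);` with `$response = wp_safe_remote_get($source);` followed by `$file = (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) ? false : wp_remote_retrieve_body($response);`, which keeps the existing `$file === false` handling while `wp_http_validate_url()` rejects non-http(s) schemes and loopback/private hosts (subject to the `http_request_host_is_external` filter; as I read core the validation is re-applied to redirect targets, which is worth confirming). This also removes the `@` suppression that hides the underlying failure reason. The enclosing method and the surrounding if/else start before the hunk.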
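--- a/wpdatatables/trunk/templates/admin/dashboard/dashboard.inc.php
+++ b/wpdatatables/trunk/templates/admin/dashboard/dashboard.inc.php
@@ -344,5 +344,5 @@
                             <i class="wpdt-icon-info-circle-full"></i>
                             <ul>
-                                <li>Added a new page for managing user permissions with wpDataTables capabilities for viewing tables and charts.</li>
+                                <li>Fixed vulnerability issue with Local File Inclusion (LFI).</li>
                                 <li>Other small bug fixes and stability improvements.</li>
                             </ul>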
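--- a/wpdatatables/trunk/wpdatatables.php
+++ b/wpdatatables/trunk/wpdatatables.php
@@ -4,5 +4,5 @@
 Plugin URI: https://wpdatatables.com
 Description: Create responsive, sortable tables & charts from Excel, CSV or PHP. Add tables & charts to any post in minutes with DataTables.
-Version: 6.5.0.1
+Version: 6.5.0.2
 Author: TMS-Plugins
 Author URI: https://tmsproducts.io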