Changeset 3480946

Timestamp:

03/12/2026 08:44:20 AM (2 weeks ago)

Author:

bestwpdeveloper

Message:

Security fix: Added capability check and nonce verification - v1.3.2

Location:

cv-builder/trunk

Files:

• assets/public/js/qr-page-link.js (modified) (3 diffs)
• assets/public/signature/signature.js (modified) (3 diffs)
• bwdcv-boots.php (modified) (1 diff)
• includes/registration-form.php (modified) (2 diffs)
• readme.txt (modified) (2 diffs)
• wp-cv-builder.php (modified) (2 diffs)

cv-builder/trunk/assets/public/js/qr-page-link.js

@@ -1 @@
-
 document.addEventListener('DOMContentLoaded', function () {
     if (typeof QRCode === 'undefined') {
@@ -6 +5 @@
     }
 
-    const qrCodeCanvas = document.getElementById('qr-code-canvas');
+    const qrCanvases = document.querySelectorAll('canvas[data-url]');
+    if (!qrCanvases.length) return;
 
-    if (!qrCodeCanvas) return;
+    qrCanvases.forEach(function (qrCodeCanvas) {
+        const {
+            url,
+            qrColor = '#000000',
+            qrBgColor = '#ffffff',
+            qrWidth = '150',
+            qrMargin = '2',
+            qrCorrectionLevel = 'L'
+        } = qrCodeCanvas.dataset;
 
-    const {
-        url,
-        qrColor = '#000000',
-        qrBgColor = '#ffffff',
-        qrWidth = '150',
-        qrMargin = '2',
-        qrCorrectionLevel = 'L'
-    } = qrCodeCanvas.dataset;
+        if (!url) return;
 
-    if (url) {
         const qrCodeOptions = {
             color: {
@@ -33 +33 @@
             if (error) console.error('QR Code generation failed:', error);
         });
-    }
+    });
 });

cv-builder/trunk/assets/public/signature/signature.js

@@ -2 +2 @@
 
 function showContent(tabIndex) {
-        const contents = document.querySelectorAll('.tab-content');
+    const contents = document.querySelectorAll('.tab-content');
     contents.forEach((content) => content.classList.remove('active-content'));
     const tabs = document.querySelectorAll('.tab');
@@ -178 +178 @@
         $.post(
             wpSignatureCombo.ajax_url,
-            { action: 'bwdcv_save_signature', image_data: imageData },
+            { 
+                action: 'bwdcv_save_signature', 
+                security: wpSignatureCombo.nonce,
+                image_data: imageData 
+            },
             function (response) {
                 const result = JSON.parse(response);
@@ -235 +239 @@
     }
     textFontSignttre();
-    })(jQuery);
+})(jQuery);
 
 (function ($) {

cv-builder/trunk/bwdcv-boots.php

@@ -147 +147 @@
             'bwdcv-qr-page-link',
             $asset_url . 'js/qr-page-link.js',
-            array( 'jquery', 'bwdcv-qr-code' ),
+            array( 'bwdcv-qr-code' ),
             BWDCV_VERSION,
             true

cv-builder/trunk/includes/registration-form.php

@@ -36 +36 @@
         // Signature
         add_action( 'wp_ajax_bwdcv_save_signature', [ $this, 'wp_save_signature_image' ] );
-        add_action( 'wp_ajax_nopriv_bwdcv_save_signature', [ $this, 'wp_save_signature_image' ] );
+        // add_action( 'wp_ajax_nopriv_bwdcv_save_signature', [ $this, 'wp_save_signature_image' ] );
         add_action( 'wp_enqueue_scripts', [ $this, 'wp_signature_enqueue_assets' ] );
         // Loss pass form
@@ -526 +526 @@
             wp_enqueue_script( 'wp-signature-combo-js', plugin_dir_url( __FILE__ ) . '../assets/public/signature/signature.js', [ 'jquery' ], null, true );
             wp_enqueue_style( 'wp-signature-combo-css', plugin_dir_url( __FILE__ ) . '../assets/public/signature/signature.css' );
-            wp_localize_script( 'wp-signature-combo-js', 'wpSignatureCombo', [ 'ajax_url' => admin_url( 'admin-ajax.php' ) ] );
+            wp_localize_script( 'wp-signature-combo-js', 'wpSignatureCombo', [
+                'ajax_url' => admin_url( 'admin-ajax.php' ),
+                'nonce'    => wp_create_nonce( 'bwdcv_save_signature_nonce' ),
+            ] );
         }
     }
 
     public function wp_save_signature_image() {
-        if ( isset( $_POST['image_data'] ) ) {
-            $image_data    = $_POST['image_data'];
-            $upload_dir    = wp_upload_dir();
-            $file_name     = 'signature_' . time() . '.png';
-            $file_path     = $upload_dir['path'] . '/' . $file_name;
-            $decoded_image = base64_decode( str_replace( 'data:image/png;base64,', '', $image_data ) );
-            file_put_contents( $file_path, $decoded_image );
-            $attachment    = [
-                'guid'           => $upload_dir['url'] . '/' . $file_name,
-                'post_mime_type' => 'image/png',
-                'post_title'     => sanitize_file_name( $file_name ),
-                'post_content'   => '',
-                'post_status'    => 'inherit',
-            ];
-            $attachment_id = wp_insert_attachment( $attachment, $file_path );
-            require_once( ABSPATH . 'wp-admin/includes/image.php' );
-            $metadata = wp_generate_attachment_metadata( $attachment_id, $file_path );
-            wp_update_attachment_metadata( $attachment_id, $metadata );
-
-            echo wp_json_encode( [ 'success' => true, 'image_url' => $upload_dir['url'] . '/' . $file_name ] );
-        }
+
+        check_ajax_referer( 'bwdcv_save_signature_nonce', 'security' );
+
+        if ( ! current_user_can( 'cv_editor' ) ) {
+            wp_send_json_error( [ 'message' => 'Unauthorized' ], 403 );
+            return;
+        }
+
+        if ( ! isset( $_POST['image_data'] ) ) {
+            wp_send_json_error( [ 'message' => 'No image data' ], 400 );
+            return;
+        }
+
+        $image_data = $_POST['image_data'];
+        if ( ! str_starts_with( $image_data, 'data:image/png;base64,' ) ) {
+            wp_send_json_error( [ 'message' => 'Invalid image format' ], 400 );
+            return;
+        }
+        $base64_data   = str_replace( 'data:image/png;base64,', '', $image_data );
+        $decoded_image = base64_decode( $base64_data, true );
+
+        if ( $decoded_image === false ) {
+            wp_send_json_error( [ 'message' => 'Invalid base64 data' ], 400 );
+            return;
+        }
+
+        $upload_dir    = wp_upload_dir();
+        $file_name     = 'signature_' . time() . '.png';
+        $file_path     = $upload_dir['path'] . '/' . $file_name;
+        file_put_contents( $file_path, $decoded_image );
+        $attachment    = [
+            'guid'           => $upload_dir['url'] . '/' . $file_name,
+            'post_mime_type' => 'image/png',
+            'post_title'     => sanitize_file_name( $file_name ),
+            'post_content'   => '',
+            'post_status'    => 'inherit',
+        ];
+        $attachment_id = wp_insert_attachment( $attachment, $file_path );
+        require_once( ABSPATH . 'wp-admin/includes/image.php' );
+        $metadata = wp_generate_attachment_metadata( $attachment_id, $file_path );
+        wp_update_attachment_metadata( $attachment_id, $metadata );
+
+        echo wp_json_encode( [ 'success' => true, 'image_url' => $upload_dir['url'] . '/' . $file_name ] );
         wp_die();
     }

cv-builder/trunk/readme.txt

@@ -6 +6 @@
 Tested up to: 6.9
 Requires PHP: 7.0
-Stable tag: 1.3.1
+Stable tag: 1.3.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -145 +145 @@
 == Changelog ==
 
+= 1.3.2 =
+* Security fix: Added capability check and nonce verification
+
 = 1.3.1 =
 * Fixed wp.org review issues

cv-builder/trunk/wp-cv-builder.php

@@ -4 +4 @@
  * Description: WP CV Builder with eye-catching style with 24+ preset design.
  * Plugin URI:  https://wpcvbuilder.com/
- * Version:     1.3.1
+ * Version:     1.3.2
  * Author:      Best WP Developer
  * Author URI:  https://bestwpdeveloper.com/
@@ -41 +41 @@
 
 define( 'BWDCV_PLUGIN_NAME', plugin_basename( __DIR__ ) );
-define( "BWDCV_VERSION", '1.3.1' );
+define( "BWDCV_VERSION", '1.3.2' );
 define( 'BWDCV_FILE', __FILE__ );
 define( 'BWDCV_DIR', __DIR__ );