
Changeset 2988176


Timestamp:
11/02/2023 05:42:57 PM (2 years ago)
Author:
mailmunch
Message:

add nonce validation

Location:
mailmunch
Files:
1 deleted
10 edited
2 copied

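--- a/mailmunch/tags/3.1.5/admin/class-mailmunch-admin.php
+++ b/mailmunch/tags/3.1.5/admin/class-mailmunch-admin.php
@@ -111,4 +111,15 @@
         wp_enqueue_script( $this->plugin_name, plugin_dir_url( __FILE__ ) . 'js/mailmunch-admin.js', array( 'jquery' ), $this->version, false );
 
+        // Register the new script
+        wp_register_script( 'mailchimp_mailmunch_script', plugin_dir_url( __FILE__ ) . 'js/mailmunch-admin.js', array( 'jquery' ), $this->version, false );
+        // enqueue it
+    wp_enqueue_script( 'mailchimp_mailmunch_script' );
+        // localize it for ajax calls
+        wp_localize_script( 'mailchimp_mailmunch_script', 'mailmunch_nonces', array(
+            'delete_widget' => wp_create_nonce('mailmunch_delete_widget'),
+            'change_email_status' => wp_create_nonce('mailmunch_change_email_status'),
+            'delete_email' => wp_create_nonce('mailmunch_delete_email'),
+        ));
+
     }
 
@@ -130,18 +141,33 @@
 
     public function delete_widget() {
-        $this->initiate_api();
-        echo json_encode($this->mailmunch_api->deleteWidget($_POST['widget_id']));
+        // Check if nonce is set and valid and if the current user has 'manage_options' capability (typically administrators).
+    if ( isset($_POST['nonce']) && wp_verify_nonce($_POST['nonce'], 'mailmunch_delete_widget') && current_user_can('manage_options') ) {
+            $this->initiate_api();
+            echo json_encode($this->mailmunch_api->deleteWidget($_POST['widget_id']));
+    } else {
+            echo json_encode(array('error' => 'Permission denied.')); // Optionally, you can return an error message.
+    }
+    exit;
+    }
+
+    public function change_email_status() {
+        // Check if nonce is set and valid and if the current user has 'manage_options' capability (typically administrators).
+        if ( isset($_POST['nonce']) && wp_verify_nonce($_POST['nonce'], 'mailmunch_change_email_status') && current_user_can('manage_options') ) {
+            $this->initiate_api();
+            echo json_encode($this->mailmunch_api->changeEmailStatus($_POST['email_id'], $_POST['email_status']));
+        } else {
+            echo json_encode(array('error' => 'Permission denied.')); // Optionally, you can return an error message.
+        }
         exit;
     }
-    
-    public function change_email_status() {
-        $this->initiate_api();
-        echo json_encode($this->mailmunch_api->changeEmailStatus($_POST['email_id'], $_POST['email_status']));
-        exit;
-    }
-    
+
     public function delete_email() {
-        $this->initiate_api();
-        echo json_encode($this->mailmunch_api->deleteEmail($_POST['email_id']));
+        // Check if nonce is set and valid and if the current user has 'manage_options' capability (typically administrators).
+        if ( isset($_POST['nonce']) && wp_verify_nonce($_POST['nonce'], 'mailmunch_delete_email') && current_user_can('manage_options') ) {
+            $this->initiate_api();
+            echo json_encode($this->mailmunch_api->deleteEmail($_POST['email_id']));
+        } else {
+            echo json_encode(array('error' => 'Permission denied.')); // Optionally, you can return an error message.
+        }
         exit;
     }
@@ -263,10 +289,18 @@
      */
     public function settings_page() {
-        $this->initiate_api();
-        if ($_POST) {
-            $this->mailmunch_api->setSetting('auto_embed', $_POST['auto_embed']);
-            $this->mailmunch_api->setSetting('landing_pages_enabled', $_POST['landing_pages_enabled']);
-        }
-        require_once(plugin_dir_path(__FILE__) . 'partials/mailmunch-settings.php');
+    $this->initiate_api();
+
+    // Add nonce check
+    if (isset($_POST['mailmunch_settings_nonce']) && wp_verify_nonce($_POST['mailmunch_settings_nonce'], 'mailmunch_settings_action')) {
+            // Nonce is valid; process the form data
+            if (isset($_POST['auto_embed'])) {
+                $this->mailmunch_api->setSetting('auto_embed', $_POST['auto_embed']);
+            }
+            if (isset($_POST['landing_pages_enabled'])) {
+                $this->mailmunch_api->setSetting('landing_pages_enabled', $_POST['landing_pages_enabled']);
+            }
+    }
+
+    require_once(plugin_dir_path(__FILE__) . 'partials/mailmunch-settings.php');
     }
 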
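Review bot: The block added at new lines 113–122 registers `js/mailmunch-admin.js` a second time under the handle `mailchimp_mailmunch_script` while line 111 still enqueues the same file under `$this->plugin_name`, so the admin page loads the script twice and any click handlers it binds will fire twice per click; localize the existing handle and drop the new register/enqueue instead: `wp_localize_script( $this->plugin_name, 'mailmunch_nonces', array( /* the same three nonces */ ) );`. In `delete_widget`, `change_email_status` and `delete_email` the WordPress idiom for this guard is `check_ajax_referer( 'mailmunch_delete_widget', 'nonce' );` (respective action names for the other two) followed by the capability test, and the refusal should leave with a non-200 status via `wp_send_json_error( array( 'error' => 'Permission denied.' ), 403 );` so the jQuery `success` callback is not run for rejected requests. `settings_page` now verifies the nonce but has no `current_user_can()` check of its own; that is presumably enforced by the menu registration outside this changeset, which is worth confirming. The nonce values are read straight from `$_POST` without `wp_unslash()`, which the plugin checker flags. The same three hunks appear in mailmunch/trunk/admin/class-mailmunch-admin.php and this note applies there as well.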
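--- a/mailmunch/tags/3.1.5/admin/js/mailmunch-admin.js
+++ b/mailmunch/tags/3.1.5/admin/js/mailmunch-admin.js
@@ -36,5 +36,5 @@
         url: ajaxurl,
         type: 'POST',
-        data: {action: 'delete_widget', widget_id: $(this).data('widget-id')},
+        data: {action: 'delete_widget', widget_id: $(this).data('widget-id'), nonce: mailmunch_nonces.delete_widget},
         dataType: 'json',
         success: function(data) {
@@ -58,5 +58,5 @@
         url: ajaxurl,
         type: 'POST',
-        data: {action: 'change_email_status', email_status: $(this).data('email-status'), email_id: $(this).data('email-id')},
+        data: {action: 'change_email_status', email_status: $(this).data('email-status'), email_id: $(this).data('email-id'), nonce: mailmunch_nonces.change_email_status},
         dataType: 'json',
         success: function(data) {
@@ -80,5 +80,5 @@
         url: ajaxurl,
         type: 'POST',
-        data: {action: 'delete_email', email_id: $(this).data('email-id')},
+        data: {action: 'delete_email', email_id: $(this).data('email-id'), nonce: mailmunch_nonces.delete_email},
         dataType: 'json',
         success: function(data) {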
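Review bot: The `success` callbacks on lines 40, 62 and 84 still run when the server refuses the request, because the new PHP handlers answer a failed nonce or capability check with `{"error":"Permission denied."}` and HTTP 200; the callback bodies are outside the hunk, so confirm each one branches on `data.error` before treating the response as a completed deletion or status change. The `mailmunch_nonces` global only exists when `wp_localize_script` ran for the handle that loaded this file, so a guard such as `nonce: (window.mailmunch_nonces || {}).delete_widget` avoids a ReferenceError on a page where the script is enqueued without the localized data. The same three hunks appear in mailmunch/trunk/admin/js/mailmunch-admin.js.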
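--- a/mailmunch/tags/3.1.5/admin/partials/mailmunch-settings.php
+++ b/mailmunch/tags/3.1.5/admin/partials/mailmunch-settings.php
@@ -1,3 +1,4 @@
 <form method="POST" id="mailmunch-settings">
+<?php wp_nonce_field('mailmunch_settings_action', 'mailmunch_settings_nonce'); ?>
 <?php
   $autoEmbed = $this->mailmunch_api->getSetting('auto_embed');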
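--- a/mailmunch/tags/3.1.5/includes/class-mailmunch.php
+++ b/mailmunch/tags/3.1.5/includes/class-mailmunch.php
@@ -24,5 +24,5 @@
 define( 'MAILMUNCH_POST_TYPE', 'mailmunch_page' );
 define( 'MAILMUNCH_PLUGIN_DIRECTORY', 'mailmunch' );
-define( 'MAILMUNCH_VERSION', '3.1.2' );
+define( 'MAILMUNCH_VERSION', '3.1.5' );
 
 /**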
    2828/**
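--- a/mailmunch/tags/3.1.5/mailmunch.php
+++ b/mailmunch/tags/3.1.5/mailmunch.php
@@ -17,5 +17,5 @@
  * Plugin URI:        http://www.mailmunch.com
  * Description:       The best free plugin to get more email subscribers. Beautiful signup forms and landing pages that integrate with MailChimp, Constant Contact, AWeber, Campaign Monitor and more.
- * Version:           3.1.2
+ * Version:           3.1.5
  * Author:            MailMunch
  * Author URI:        http://www.mailmunch.com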
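--- a/mailmunch/tags/3.1.5/readme.txt
+++ b/mailmunch/tags/3.1.5/readme.txt
@@ -3,6 +3,6 @@
 Tags: signup form, newsletter, newsletters, subscribe, popup, exit popup, exit intent, subscribers, subscription, popover, lightbox, analytics, collect email, optin, optin form, optin forms, double optin, list builder, email form, lead, leads, mailchimp, mailchimp form, mailchimp newsletter, mailchimp plugin, mailchimp signup, mailchimp signup forms, mailchimp signup form, mailchimp widget, mailchimp subscribe, constant contact, contact contact form, constant contact newsletter, constant contact plugin, constant contact signup, constant contact signup forms, constant contact signup form, constant contact widget, constant contact subscribe, aweber, aweber form, aweber forms, aweber signup form, aweber plugin
 Requires at least: 3.0.1
-Tested up to: 6.0.2
-Stable tag: 3.1.2
+Tested up to: 6.2.2
+Stable tag: 3.1.5
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html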
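--- a/mailmunch/trunk/admin/class-mailmunch-admin.php
+++ b/mailmunch/trunk/admin/class-mailmunch-admin.php
@@ -111,4 +111,15 @@
         wp_enqueue_script( $this->plugin_name, plugin_dir_url( __FILE__ ) . 'js/mailmunch-admin.js', array( 'jquery' ), $this->version, false );
 
+        // Register the new script
+        wp_register_script( 'mailchimp_mailmunch_script', plugin_dir_url( __FILE__ ) . 'js/mailmunch-admin.js', array( 'jquery' ), $this->version, false );
+        // enqueue it
+    wp_enqueue_script( 'mailchimp_mailmunch_script' );
+        // localize it for ajax calls
+        wp_localize_script( 'mailchimp_mailmunch_script', 'mailmunch_nonces', array(
+            'delete_widget' => wp_create_nonce('mailmunch_delete_widget'),
+            'change_email_status' => wp_create_nonce('mailmunch_change_email_status'),
+            'delete_email' => wp_create_nonce('mailmunch_delete_email'),
+        ));
+
     }
 
@@ -130,5 +141,6 @@
 
     public function delete_widget() {
-    if (current_user_can('manage_options')) { // Check if the current user has 'manage_options' capability (typically administrators).
+        // Check if nonce is set and valid and if the current user has 'manage_options' capability (typically administrators).
+    if ( isset($_POST['nonce']) && wp_verify_nonce($_POST['nonce'], 'mailmunch_delete_widget') && current_user_can('manage_options') ) {
             $this->initiate_api();
             echo json_encode($this->mailmunch_api->deleteWidget($_POST['widget_id']));
@@ -140,5 +152,6 @@
 
     public function change_email_status() {
-        if (current_user_can('manage_options')) { // Check if the current user has 'manage_options' capability (typically administrators).
+        // Check if nonce is set and valid and if the current user has 'manage_options' capability (typically administrators).
+        if ( isset($_POST['nonce']) && wp_verify_nonce($_POST['nonce'], 'mailmunch_change_email_status') && current_user_can('manage_options') ) {
             $this->initiate_api();
             echo json_encode($this->mailmunch_api->changeEmailStatus($_POST['email_id'], $_POST['email_status']));
@@ -150,5 +163,6 @@
 
     public function delete_email() {
-        if (current_user_can('manage_options')) { // Check if the current user has 'manage_options' capability (typically administrators).
+        // Check if nonce is set and valid and if the current user has 'manage_options' capability (typically administrators).
+        if ( isset($_POST['nonce']) && wp_verify_nonce($_POST['nonce'], 'mailmunch_delete_email') && current_user_can('manage_options') ) {
             $this->initiate_api();
             echo json_encode($this->mailmunch_api->deleteEmail($_POST['email_id']));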
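--- a/mailmunch/trunk/admin/js/mailmunch-admin.js
+++ b/mailmunch/trunk/admin/js/mailmunch-admin.js
@@ -36,5 +36,5 @@
         url: ajaxurl,
         type: 'POST',
-        data: {action: 'delete_widget', widget_id: $(this).data('widget-id')},
+        data: {action: 'delete_widget', widget_id: $(this).data('widget-id'), nonce: mailmunch_nonces.delete_widget},
         dataType: 'json',
         success: function(data) {
@@ -58,5 +58,5 @@
         url: ajaxurl,
         type: 'POST',
-        data: {action: 'change_email_status', email_status: $(this).data('email-status'), email_id: $(this).data('email-id')},
+        data: {action: 'change_email_status', email_status: $(this).data('email-status'), email_id: $(this).data('email-id'), nonce: mailmunch_nonces.change_email_status},
         dataType: 'json',
         success: function(data) {
@@ -80,5 +80,5 @@
         url: ajaxurl,
         type: 'POST',
-        data: {action: 'delete_email', email_id: $(this).data('email-id')},
+        data: {action: 'delete_email', email_id: $(this).data('email-id'), nonce: mailmunch_nonces.delete_email},
         dataType: 'json',
         success: function(data) {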
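--- a/mailmunch/trunk/includes/class-mailmunch.php
+++ b/mailmunch/trunk/includes/class-mailmunch.php
@@ -24,5 +24,5 @@
 define( 'MAILMUNCH_POST_TYPE', 'mailmunch_page' );
 define( 'MAILMUNCH_PLUGIN_DIRECTORY', 'mailmunch' );
-define( 'MAILMUNCH_VERSION', '3.1.4' );
+define( 'MAILMUNCH_VERSION', '3.1.5' );
 
 /**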
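--- a/mailmunch/trunk/mailmunch.php
+++ b/mailmunch/trunk/mailmunch.php
@@ -17,5 +17,5 @@
  * Plugin URI:        http://www.mailmunch.com
  * Description:       The best free plugin to get more email subscribers. Beautiful signup forms and landing pages that integrate with MailChimp, Constant Contact, AWeber, Campaign Monitor and more.
- * Version:           3.1.4
+ * Version:           3.1.5
  * Author:            MailMunch
  * Author URI:        http://www.mailmunch.com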
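--- a/mailmunch/trunk/readme.txt
+++ b/mailmunch/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 3.0.1
 Tested up to: 6.2.2
-Stable tag: 3.1.4
+Stable tag: 3.1.5
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html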