Changeset 3287271
- Timestamp:
- 05/04/2025 06:06:02 PM (10 months ago)
- Location:
- stop-user-enumeration
- Files:
-
- 12 edited
- 1 copied
-
tags/1.7.2 (copied) (copied from stop-user-enumeration/trunk)
-
tags/1.7.2/changelog.txt (modified) (1 diff)
-
tags/1.7.2/frontend/class-frontend.php (modified) (4 diffs)
-
tags/1.7.2/includes/vendor/composer/installed.php (modified) (2 diffs)
-
tags/1.7.2/languages/stop-user-enumeration.pot (modified) (3 diffs)
-
tags/1.7.2/readme.txt (modified) (1 diff)
-
tags/1.7.2/stop-user-enumeration.php (modified) (1 diff)
-
trunk/changelog.txt (modified) (1 diff)
-
trunk/frontend/class-frontend.php (modified) (4 diffs)
-
trunk/includes/vendor/composer/installed.php (modified) (2 diffs)
-
trunk/languages/stop-user-enumeration.pot (modified) (3 diffs)
-
trunk/readme.txt (modified) (1 diff)
-
trunk/stop-user-enumeration.php (modified) (1 diff)
stop-user-enumeration/tags/1.7.2/changelog.txt
r3282442 r3287271 1 1 == Changelog == 2 = 1.7.2 = 3 * Fix ability to by-pass the WP REST API protection functionality, props Bob @ WpScan 4 2 5 = 1.7.1 = 3 6 * add developer hooks and filters for extending plugin functionality -
stop-user-enumeration/tags/1.7.2/frontend/class-frontend.php
r3282442 r3287271 109 109 // Get the IP address of the request 110 110 $ip = $this->get_ip(); 111 111 112 112 // Allow filtering of the IP address for integration with external services 113 113 $ip = apply_filters( 'stop_user_enumeration_ip', $ip ); … … 131 131 error_log( "Attempted user enumeration from " . esc_html( $ip ) ); 132 132 } 133 133 134 134 // Action hook for add-ons to process enumeration attempts (limit login, blocklists, etc.) 135 135 do_action( 'stop_user_enumeration_attempt', $ip ); … … 188 188 if ( 'on' === Core::sue_get_option( 'stop_rest_user', 'off' ) ) { 189 189 // phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request 190 $request_uri = ( isset( $_SERVER['REQUEST_URI'] ) ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI']) ) : '';190 $request_uri = ( isset( $_SERVER['REQUEST_URI'] ) ) ? sanitize_text_field( wp_unslash( rawurldecode( $_SERVER['REQUEST_URI'] ) ) ) : ''; 191 191 // phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request 192 $rest_route = ( isset( $_REQUEST['rest_route'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['rest_route']) ) : '';192 $rest_route = ( isset( $_REQUEST['rest_route'] ) ) ? 
sanitize_text_field( wp_unslash( rawurldecode( $_REQUEST['rest_route'] ) ) ) : ''; 193 193 $pattern = apply_filters( 'stop_user_enumeration_rest_stop_match', '/users/i' ); 194 194 if ( ( preg_match( $pattern, $request_uri ) !== 0 ) || ( preg_match( $pattern, $rest_route ) !== 0 ) ) { … … 198 198 return $access; // check not exception 199 199 } 200 200 201 201 // Get IP address for logging and filtering 202 202 $ip = $this->get_ip(); 203 203 204 204 // Filter to allow extensions to determine if blocking should occur 205 205 $should_block = apply_filters( 'stop_user_enumeration_should_block', true, $ip ); 206 206 207 207 if ( $should_block ) { 208 208 $this->sue_log(); 209 209 210 return new WP_Error( 'rest_cannot_access', esc_html__( 'Only authenticated users can access the User endpoint REST API.', 'stop-user-enumeration' ), array( 'status' => rest_authorization_required_code() ) ); 210 211 } -
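Review bot: `rawurldecode()` now receives `$_REQUEST['rest_route']` with no type check (line 192; trunk/frontend/class-frontend.php carries the identical hunk), so a non-string value, which the earlier `wp_unslash`/`sanitize_text_field` chain appears to have reduced to '', now raises a TypeError on PHP 8 and a warning on PHP 7.4, the minimum this plugin declares. A string guard keeps the fail-safe result explicit: `$raw_route = ( isset( $_REQUEST['rest_route'] ) && is_string( $_REQUEST['rest_route'] ) ) ? $_REQUEST['rest_route'] : '';` followed by `$rest_route = sanitize_text_field( wp_unslash( rawurldecode( $raw_route ) ) );`, with the same shape for `$_SERVER['REQUEST_URI']` on line 190. The decode is a single pass, so this check still re-implements URL canonicalization instead of relying on the route WordPress has already resolved; matching `$request->get_route()` in a `rest_request_before_callbacks` filter would remove that dependency and keep the pattern check in one place. The enclosing method begins before line 188 and continues past line 211, outside the hunk.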
stop-user-enumeration/tags/1.7.2/includes/vendor/composer/installed.php
r3282442 r3287271 4 4 'pretty_version' => 'dev-main', 5 5 'version' => 'dev-main', 6 'reference' => ' df3c3d40306aa96fb00e8506f9aeba9ba9a477a1',6 'reference' => '1956095bc022fb1bd97264975c077e311373472c', 7 7 'type' => 'wordpress-plugin', 8 8 'install_path' => __DIR__ . '/../../../', … … 32 32 'pretty_version' => 'dev-main', 33 33 'version' => 'dev-main', 34 'reference' => ' df3c3d40306aa96fb00e8506f9aeba9ba9a477a1',34 'reference' => '1956095bc022fb1bd97264975c077e311373472c', 35 35 'type' => 'wordpress-plugin', 36 36 'install_path' => __DIR__ . '/../../../', -
stop-user-enumeration/tags/1.7.2/languages/stop-user-enumeration.pot
r3282442 r3287271 3 3 msgid "" 4 4 msgstr "" 5 "Project-Id-Version: Stop User Enumeration 1.7. 1\n"5 "Project-Id-Version: Stop User Enumeration 1.7.2\n" 6 6 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/stop-user-enumeration\n" 7 7 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" … … 10 10 "Content-Type: text/plain; charset=UTF-8\n" 11 11 "Content-Transfer-Encoding: 8bit\n" 12 "POT-Creation-Date: 2025-0 4-26T15:20:35+00:00\n"12 "POT-Creation-Date: 2025-05-04T18:03:23+00:00\n" 13 13 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" 14 14 "X-Generator: WP-CLI 2.10.0\n" … … 136 136 msgstr "" 137 137 138 #: frontend/class-frontend.php:2 09138 #: frontend/class-frontend.php:210 139 139 msgid "Only authenticated users can access the User endpoint REST API." 140 140 msgstr "" -
stop-user-enumeration/tags/1.7.2/readme.txt
r3282442 r3287271 6 6 Tested up to: 6.8 7 7 Requires PHP: 7.4 8 Stable tag: 1.7. 18 Stable tag: 1.7.2 9 9 License: GPLv2 or later 10 10 License URI: http://www.gnu.org/licenses/gpl-2.0.html -
stop-user-enumeration/tags/1.7.2/stop-user-enumeration.php
r3282442 r3287271 4 4 Plugin URI: https://fullworksplugins.com/products/stop-user-enumeration/ 5 5 Description: Helps secure your site against hacking attacks through detecting User Enumeration 6 Version: 1.7. 16 Version: 1.7.2 7 7 Author: Fullworks 8 8 Requires at least: 6.3 -
stop-user-enumeration/trunk/changelog.txt
r3282442 r3287271 1 1 == Changelog == 2 = 1.7.2 = 3 * Fix ability to by-pass the WP REST API protection functionality, props Bob @ WpScan 4 2 5 = 1.7.1 = 3 6 * add developer hooks and filters for extending plugin functionality -
stop-user-enumeration/trunk/frontend/class-frontend.php
r3282442 r3287271 109 109 // Get the IP address of the request 110 110 $ip = $this->get_ip(); 111 111 112 112 // Allow filtering of the IP address for integration with external services 113 113 $ip = apply_filters( 'stop_user_enumeration_ip', $ip ); … … 131 131 error_log( "Attempted user enumeration from " . esc_html( $ip ) ); 132 132 } 133 133 134 134 // Action hook for add-ons to process enumeration attempts (limit login, blocklists, etc.) 135 135 do_action( 'stop_user_enumeration_attempt', $ip ); … … 188 188 if ( 'on' === Core::sue_get_option( 'stop_rest_user', 'off' ) ) { 189 189 // phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request 190 $request_uri = ( isset( $_SERVER['REQUEST_URI'] ) ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI']) ) : '';190 $request_uri = ( isset( $_SERVER['REQUEST_URI'] ) ) ? sanitize_text_field( wp_unslash( rawurldecode( $_SERVER['REQUEST_URI'] ) ) ) : ''; 191 191 // phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request 192 $rest_route = ( isset( $_REQUEST['rest_route'] ) ) ? sanitize_text_field( wp_unslash( $_REQUEST['rest_route']) ) : '';192 $rest_route = ( isset( $_REQUEST['rest_route'] ) ) ? 
sanitize_text_field( wp_unslash( rawurldecode( $_REQUEST['rest_route'] ) ) ) : ''; 193 193 $pattern = apply_filters( 'stop_user_enumeration_rest_stop_match', '/users/i' ); 194 194 if ( ( preg_match( $pattern, $request_uri ) !== 0 ) || ( preg_match( $pattern, $rest_route ) !== 0 ) ) { … … 198 198 return $access; // check not exception 199 199 } 200 200 201 201 // Get IP address for logging and filtering 202 202 $ip = $this->get_ip(); 203 203 204 204 // Filter to allow extensions to determine if blocking should occur 205 205 $should_block = apply_filters( 'stop_user_enumeration_should_block', true, $ip ); 206 206 207 207 if ( $should_block ) { 208 208 $this->sue_log(); 209 209 210 return new WP_Error( 'rest_cannot_access', esc_html__( 'Only authenticated users can access the User endpoint REST API.', 'stop-user-enumeration' ), array( 'status' => rest_authorization_required_code() ) ); 210 211 } -
stop-user-enumeration/trunk/includes/vendor/composer/installed.php
r3282442 r3287271 4 4 'pretty_version' => 'dev-main', 5 5 'version' => 'dev-main', 6 'reference' => ' df3c3d40306aa96fb00e8506f9aeba9ba9a477a1',6 'reference' => '1956095bc022fb1bd97264975c077e311373472c', 7 7 'type' => 'wordpress-plugin', 8 8 'install_path' => __DIR__ . '/../../../', … … 32 32 'pretty_version' => 'dev-main', 33 33 'version' => 'dev-main', 34 'reference' => ' df3c3d40306aa96fb00e8506f9aeba9ba9a477a1',34 'reference' => '1956095bc022fb1bd97264975c077e311373472c', 35 35 'type' => 'wordpress-plugin', 36 36 'install_path' => __DIR__ . '/../../../', -
stop-user-enumeration/trunk/languages/stop-user-enumeration.pot
r3282442 r3287271 3 3 msgid "" 4 4 msgstr "" 5 "Project-Id-Version: Stop User Enumeration 1.7. 1\n"5 "Project-Id-Version: Stop User Enumeration 1.7.2\n" 6 6 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/stop-user-enumeration\n" 7 7 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" … … 10 10 "Content-Type: text/plain; charset=UTF-8\n" 11 11 "Content-Transfer-Encoding: 8bit\n" 12 "POT-Creation-Date: 2025-0 4-26T15:20:35+00:00\n"12 "POT-Creation-Date: 2025-05-04T18:03:23+00:00\n" 13 13 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" 14 14 "X-Generator: WP-CLI 2.10.0\n" … … 136 136 msgstr "" 137 137 138 #: frontend/class-frontend.php:2 09138 #: frontend/class-frontend.php:210 139 139 msgid "Only authenticated users can access the User endpoint REST API." 140 140 msgstr "" -
stop-user-enumeration/trunk/readme.txt
r3282442 r3287271 6 6 Tested up to: 6.8 7 7 Requires PHP: 7.4 8 Stable tag: 1.7. 18 Stable tag: 1.7.2 9 9 License: GPLv2 or later 10 10 License URI: http://www.gnu.org/licenses/gpl-2.0.html -
stop-user-enumeration/trunk/stop-user-enumeration.php
r3282442 r3287271 4 4 Plugin URI: https://fullworksplugins.com/products/stop-user-enumeration/ 5 5 Description: Helps secure your site against hacking attacks through detecting User Enumeration 6 Version: 1.7. 16 Version: 1.7.2 7 7 Author: Fullworks 8 8 Requires at least: 6.3