Changeset 3315967
- Timestamp: 06/22/2025 06:49:53 PM (9 months ago)
- Location: stop-user-enumeration
- Files: 14 deleted, 16 edited, 1 copied
  - tags/1.7.3 (copied) (copied from stop-user-enumeration/trunk)
  - tags/1.7.3/admin/class-admin-pages.php (modified) (1 diff)
  - tags/1.7.3/changelog.txt (modified) (1 diff)
  - tags/1.7.3/frontend/class-frontend.php (modified) (4 diffs)
  - tags/1.7.3/includes/class-core.php (modified) (2 diffs)
  - tags/1.7.3/includes/vendor/alanef/free_plugin_lib/composer.json (deleted)
  - tags/1.7.3/includes/vendor/alanef/free_plugin_lib/package.json (deleted)
  - tags/1.7.3/includes/vendor/composer/installed.php (modified) (2 diffs)
  - tags/1.7.3/includes/vendor/composer/installers/.editorconfig (deleted)
  - tags/1.7.3/includes/vendor/composer/installers/.travis.yml (deleted)
  - tags/1.7.3/includes/vendor/composer/installers/composer.json (deleted)
  - tags/1.7.3/includes/vendor/composer/installers/phpunit.xml.dist (deleted)
  - tags/1.7.3/includes/vendor/composer/installers/tests (deleted)
  - tags/1.7.3/languages/stop-user-enumeration.pot (modified) (3 diffs)
  - tags/1.7.3/readme.txt (modified) (2 diffs)
  - tags/1.7.3/stop-user-enumeration.php (modified) (2 diffs)
  - trunk/admin/class-admin-pages.php (modified) (1 diff)
  - trunk/changelog.txt (modified) (1 diff)
  - trunk/frontend/class-frontend.php (modified) (4 diffs)
  - trunk/includes/class-core.php (modified) (2 diffs)
  - trunk/includes/vendor/alanef/free_plugin_lib/composer.json (deleted)
  - trunk/includes/vendor/alanef/free_plugin_lib/package.json (deleted)
  - trunk/includes/vendor/composer/installed.php (modified) (2 diffs)
  - trunk/includes/vendor/composer/installers/.editorconfig (deleted)
  - trunk/includes/vendor/composer/installers/.travis.yml (deleted)
  - trunk/includes/vendor/composer/installers/composer.json (deleted)
  - trunk/includes/vendor/composer/installers/phpunit.xml.dist (deleted)
  - trunk/includes/vendor/composer/installers/tests (deleted)
  - trunk/languages/stop-user-enumeration.pot (modified) (3 diffs)
  - trunk/readme.txt (modified) (2 diffs)
  - trunk/stop-user-enumeration.php (modified) (2 diffs)
stop-user-enumeration/tags/1.7.3/admin/class-admin-pages.php
r3282442 r3315967 71 71 // toggle 72 72 $('.if-js-closed').removeClass('if-js-closed').addClass('closed'); 73 postboxes.add_postbox_toggles( '<?php echo esc_attr( $page_hook_id ); ?>');73 postboxes.add_postbox_toggles(<?php echo wp_json_encode( $page_hook_id ); ?>); 74 74 // display spinner 75 75 $('#fx-smb-form').submit(function () { -
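Review bot: the switch at line 73 from `'<?php echo esc_attr( $page_hook_id ); ?>'` to `<?php echo wp_json_encode( $page_hook_id ); ?>` is the correct escaping for a value emitted into JavaScript: esc_attr() is an HTML-attribute escaper, and inside a script block HTML entities are not decoded, so it neither preserves the value faithfully nor handles backslashes or line breaks, whereas wp_json_encode() emits a fully quoted and escaped JS literal, which is why dropping the surrounding single quotes is right. One caveat: wp_json_encode() returns false when encoding fails and `echo false` prints nothing, which would leave `postboxes.add_postbox_toggles();` with no argument; $page_hook_id is a WordPress-generated hook suffix so this is unlikely, but casting to string first costs nothing. The same change is in the trunk copy of this file.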
stop-user-enumeration/tags/1.7.3/changelog.txt
r3287271 r3315967 1 1 == Changelog == 2 = 1.7.2 = 2 = 1.7.3 = 3 * Fixed URL-encoding bypass vulnerability in REST API protection 4 * Fixed simple-jwt-login bypass vulnerability by checking exceptions only in route paths, not query parameters 5 * Improved REST API security by using WordPress REST API methods instead of checking REQUEST_URI 6 * Enhanced IP address validation using FILTER_VALIDATE_IP 7 * Fixed X-Forwarded-For header handling to properly parse multiple IPs 8 9 = it ran further ithink but ℹ Starting 'wp cli info' on the cli container. 10 11 OS: Linux 6.11.0-1015-azure #15~24.04.1-Ubuntu SMP Thu May 1 02:52:08 UTC 2025 x86_64 12 Shell: 13 PHP binary: /usr/local/bin/php 14 PHP version: 7.4.33 15 php.ini used: /usr/local/etc/php/php.ini 16 MySQL binary: /usr/bin/mysql 17 MySQL version: mysql Ver 15.1 Distrib 10.6.10-MariaDB, for Linux (x86_64) using readline 5.1 18 SQL modes: 19 WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli 20 WP-CLI vendor dir: phar://wp-cli.phar/vendor 21 WP_CLI phar path: /var/www/html 22 WP-CLI packages dir: 23 WP-CLI cache dir: /home/runner/.wp-cli/cache 24 WP-CLI global config: 25 WP-CLI project config: 26 WP-CLI version: 2.7.1 27 ✔ Ran `wp cli info` in 'cli'. (in 0s 311ms) 28 ℹ Starting 'wp plugin list' on the cli container. 29 30 name status update version 31 hello inactive none 1.7.2 32 stop-user-enumeration active version higher than expected 1.7.3 33 ✔ Ran `wp plugin list` in 'cli'. (in 0s 481ms) 34 ℹ Starting 'wp plugin list-checks' on the cli container. 35 36 Error: 'list-checks' is not a registered subcommand of 'plugin'. See 'wp help plugin' for available subcommands. 37 38 ✖ Command failed with exit code 1bu1.7.2 = 3 39 * Fix ability to by-pass the WP REST API protection functionality, props Bob @ WpScan 4 40 -
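Review bot: new lines 9 to 38 of changelog.txt are pasted terminal output that has been committed into the shipped changelog, and the paste has split the previous release heading. The block starts with `= it ran further ithink but ℹ Starting 'wp cli info' on the cli container.`, continues with the `wp cli info` environment dump, a `wp plugin list` table and a failed `wp plugin list-checks` command, and ends with `✖ Command failed with exit code 1bu1.7.2 =`, which is the old `= 1.7.2 =` heading with the paste inserted into its middle. Suggest removing lines 9 to 38 and restoring `= 1.7.2 =` immediately above `* Fix ability to by-pass the WP REST API protection functionality, props Bob @ WpScan`. Besides being noise for users, the dump publishes build-environment details (kernel build string, PHP and MariaDB versions, the runner's home directory path) that do not belong in a release artefact. The trunk copy of changelog.txt carries the same paste.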
stop-user-enumeration/tags/1.7.3/frontend/class-frontend.php
r3287271 r3315967 14 14 15 15 use WP_Error; 16 use WP_REST_Server; 17 use WP_REST_Request; 16 18 17 19 class FrontEnd { … … 150 152 if ( isset( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) { 151 153 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 152 $ipaddress = filter_var( $_SERVER['HTTP_CF_CONNECTING_IP'] );154 $ipaddress = filter_var( $_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP ); 153 155 } elseif ( isset( $_SERVER['HTTP_CLIENT_IP'] ) ) { 154 156 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 155 $ipaddress = filter_var( $_SERVER['HTTP_CLIENT_IP'] );157 $ipaddress = filter_var( $_SERVER['HTTP_CLIENT_IP'], FILTER_VALIDATE_IP ); 156 158 } elseif ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { 157 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 158 $ipaddress = filter_var( $_SERVER['HTTP_X_FORWARDED_FOR'] ); 159 // X-Forwarded-For can contain multiple IPs, take the first one 160 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- not form input, will be validated 161 $ips = explode( ',', sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) ); 162 $ipaddress = filter_var( trim( $ips[0] ), FILTER_VALIDATE_IP ); 159 163 } elseif ( isset( $_SERVER['HTTP_X_FORWARDED'] ) ) { 160 164 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 161 $ipaddress = filter_var( $_SERVER['HTTP_X_FORWARDED'] );165 $ipaddress = filter_var( $_SERVER['HTTP_X_FORWARDED'], FILTER_VALIDATE_IP ); 162 166 } elseif ( isset( $_SERVER['HTTP_FORWARDED_FOR'] ) ) { 163 167 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 164 $ipaddress = filter_var( $_SERVER['HTTP_FORWARDED_FOR'] );168 $ipaddress = filter_var( $_SERVER['HTTP_FORWARDED_FOR'], FILTER_VALIDATE_IP ); 165 169 } elseif ( 
isset( $_SERVER['HTTP_FORWARDED'] ) ) { 166 170 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 167 $ipaddress = filter_var( $_SERVER['HTTP_FORWARDED'] );171 $ipaddress = filter_var( $_SERVER['HTTP_FORWARDED'], FILTER_VALIDATE_IP ); 168 172 } elseif ( isset( $_SERVER['REMOTE_ADDR'] ) ) { 169 173 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 170 $ipaddress = filter_var( $_SERVER['REMOTE_ADDR'] );174 $ipaddress = filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP ); 171 175 } 172 176 … … 177 181 * Restricts access to the User endpoint in the REST API to logged-in users only. 178 182 * 179 * This method checks if the 'stop_rest_user' option is enabled. If it is, it validates the request URI180 * and REST route to see if they matchthe pattern for user endpoints. If the request is not from a logged-in user183 * This method checks if the 'stop_rest_user' option is enabled. If it is, it validates the REST request route 184 * to see if it matches the pattern for user endpoints. If the request is not from a logged-in user 181 185 * and does not match the exception pattern, it logs the attempt and returns an error. 182 186 * 183 * @param mixed $access The current access status. 184 * 185 * @return mixed The modified access status or a WP_Error if access is denied. 186 */ 187 public function only_allow_logged_in_rest_access_to_users( $access ) { 187 * @param mixed $result The response to send to the client. Usually a WP_REST_Response or WP_Error. 188 * @param WP_REST_Server $server Server instance. 189 * @param WP_REST_Request $request Request used to generate the response. 190 * 191 * @return mixed The modified result or a WP_Error if access is denied. 
192 */ 193 public function only_allow_logged_in_rest_access_to_users( $result, $server, $request ) { 188 194 if ( 'on' === Core::sue_get_option( 'stop_rest_user', 'off' ) ) { 189 // phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request 190 $request_uri = ( isset( $_SERVER['REQUEST_URI'] ) ) ? sanitize_text_field( wp_unslash( rawurldecode( $_SERVER['REQUEST_URI'] ) ) ) : ''; 191 // phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request 192 $rest_route = ( isset( $_REQUEST['rest_route'] ) ) ? sanitize_text_field( wp_unslash( rawurldecode( $_REQUEST['rest_route'] ) ) ) : ''; 193 $pattern = apply_filters( 'stop_user_enumeration_rest_stop_match', '/users/i' ); 194 if ( ( preg_match( $pattern, $request_uri ) !== 0 ) || ( preg_match( $pattern, $rest_route ) !== 0 ) ) { 195 // Get the actual REST route from the request object 196 $route = $request->get_route(); 197 // Check if this is a users endpoint 198 $pattern = apply_filters( 'stop_user_enumeration_rest_stop_match', '#^/wp/v[0-9]+/users#i' ); 199 if ( ! empty( $route ) && preg_match( $pattern, $route ) !== 0 ) { 195 200 if ( ! is_user_logged_in() ) { 196 $exception = apply_filters( 'stop_user_enumeration_rest_allowed_match', '/simple-jwt-login/i' ); //default exception rule simple-jwt-login 197 if ( ( preg_match( $exception, $request_uri ) !== 0 ) || ( preg_match( $exception, $rest_route ) !== 0 ) ) { 198 return $access; // check not exception 201 // Check for simple-jwt-login exception - only in the actual route, not in parameters 202 $exception = apply_filters( 'stop_user_enumeration_rest_allowed_match', '#^/simple-jwt-login/#i' ); 203 if ( preg_match( $exception, $route ) !== 0 ) { 204 return $result; // Allow access for exception routes 199 205 } 200 206 … … 214 220 } 215 221 216 return $ access;222 return $result; 217 223 } 218 224 -
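Review bot: in the client-IP block (new lines 152 to 175) the fix still trusts whichever proxy header the client sends: CF-Connecting-IP, Client-IP, X-Forwarded-For, X-Forwarded, Forwarded-For and Forwarded all take precedence over REMOTE_ADDR with no check that the connection actually arrived via a proxy, and readme.txt in this same changeset says these logged addresses feed fail2ban, so a forged header can put an arbitrary address in the log or keep the real one out. Suggest honouring these headers only when REMOTE_ADDR is in a configured trusted-proxy list (a filter in the style of the existing `stop_user_enumeration_rest_stop_match` would fit) and using REMOTE_ADDR otherwise. Two smaller points in the same block: `filter_var( ..., FILTER_VALIDATE_IP )` now returns false for a malformed value where the old code returned the raw string, so every branch can leave `$ipaddress === false` and the callers (not in this diff) must cope, ideally by falling through to REMOTE_ADDR; and only X-Forwarded-For is split on commas, while the other list-valued headers are passed whole, and `Forwarded` (RFC 7239) uses `for=...` syntax that FILTER_VALIDATE_IP will always reject. On the REST hunk (new lines 193 to 223), replacing the REQUEST_URI / rest_route string matching with its single rawurldecode() by `$request->get_route()` plus the route-anchored patterns `#^/wp/v[0-9]+/users#i` and `#^/simple-jwt-login/#i` is the right fix for the encoding and query-parameter bypasses the changelog lists; do note in the docblock that the new default is deliberately narrower than the old `/users/i` (core `/wp/vN/users` routes only), so operators whose other plugins expose user data under a different namespace know to extend it through the `stop_user_enumeration_rest_stop_match` filter. `$server` is unused but required by the three-argument filter signature. The trunk copy of this file has the same hunks.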
stop-user-enumeration/tags/1.7.3/includes/class-core.php
r2852582 r3315967 127 127 /** 128 128 * Register all of the hooks related to the admin area functionality 129 * of the plugin. /home/alan/Google/Projects/WordPressPlugins/get-directions-orig129 * of the plugin. 130 130 * 131 131 */ … … 178 178 179 179 $this->loader->add_action( 'init', $plugin_public, 'check_request' ); 180 $this->loader->add_ action( 'rest_authentication_errors', $plugin_public, 'only_allow_logged_in_rest_access_to_users');180 $this->loader->add_filter( 'rest_pre_dispatch', $plugin_public, 'only_allow_logged_in_rest_access_to_users', 10, 3 ); 181 181 if ( 'on' === $this->sue_get_option( 'stop_sitemap', 'off' ) ) { 182 182 $this->loader->add_filter( 'wp_sitemaps_add_provider', $plugin_public, 'remove_author_sitemap', 10, 2 ); -
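Review bot: the re-registration at line 180 corrects two things at once. `rest_authentication_errors` is a filter (add_action() is an alias of add_filter() in WordPress, so the old line worked, but the callback only received the current error value and had no request object), whereas `add_filter( 'rest_pre_dispatch', $plugin_public, 'only_allow_logged_in_rest_access_to_users', 10, 3 )` matches the new `( $result, $server, $request )` signature in class-frontend.php. On `rest_pre_dispatch` a non-null return short-circuits dispatch, so returning the WP_Error denies the request and returning `$result` unchanged (normally null) lets it proceed; make sure the allow path never turns that null into a truthy value. Removing the stray local path `/home/alan/Google/Projects/WordPressPlugins/get-directions-orig` from the docblock at line 129 is also welcome, since it leaked a developer machine path into the distributed plugin.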
stop-user-enumeration/tags/1.7.3/includes/vendor/composer/installed.php
r3287271 r3315967 4 4 'pretty_version' => 'dev-main', 5 5 'version' => 'dev-main', 6 'reference' => ' 1956095bc022fb1bd97264975c077e311373472c',6 'reference' => '6ffddee56d5d535eb64d10c4bcf0942755b48504', 7 7 'type' => 'wordpress-plugin', 8 8 'install_path' => __DIR__ . '/../../../', … … 32 32 'pretty_version' => 'dev-main', 33 33 'version' => 'dev-main', 34 'reference' => ' 1956095bc022fb1bd97264975c077e311373472c',34 'reference' => '6ffddee56d5d535eb64d10c4bcf0942755b48504', 35 35 'type' => 'wordpress-plugin', 36 36 'install_path' => __DIR__ . '/../../../', -
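Review bot: both entries (the root package record and its copy in the versions list) move `reference` to `6ffddee56d5d535eb64d10c4bcf0942755b48504` while `pretty_version` stays `dev-main`, which is expected for a root package installed from a working copy. Worth noting alongside this file is what the changeset deletes from the shipped vendor tree: composer/installers' `.editorconfig`, `.travis.yml`, `composer.json`, `phpunit.xml.dist` and `tests`, plus free_plugin_lib's `composer.json` and `package.json`. Trimming CI configuration and test suites from a release is good hygiene, but it is done by hand here; a `.distignore` or an `archive.exclude` entry in the plugin's composer.json would make it repeatable so the next release does not reintroduce them.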
stop-user-enumeration/tags/1.7.3/languages/stop-user-enumeration.pot
r3287271 r3315967 3 3 msgid "" 4 4 msgstr "" 5 "Project-Id-Version: Stop User Enumeration 1.7. 2\n"5 "Project-Id-Version: Stop User Enumeration 1.7.3\n" 6 6 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/stop-user-enumeration\n" 7 7 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" … … 10 10 "Content-Type: text/plain; charset=UTF-8\n" 11 11 "Content-Transfer-Encoding: 8bit\n" 12 "POT-Creation-Date: 2025-0 5-04T18:03:23+00:00\n"12 "POT-Creation-Date: 2025-06-21T18:37:16+00:00\n" 13 13 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" 14 14 "X-Generator: WP-CLI 2.10.0\n" … … 132 132 msgstr "" 133 133 134 #: frontend/class-frontend.php:8 0134 #: frontend/class-frontend.php:82 135 135 msgid "forbidden - number in author name not allowed = " 136 136 msgstr "" 137 137 138 #: frontend/class-frontend.php:21 0138 #: frontend/class-frontend.php:216 139 139 msgid "Only authenticated users can access the User endpoint REST API." 140 140 msgstr "" -
stop-user-enumeration/tags/1.7.3/readme.txt
r3287271 r3315967 6 6 Tested up to: 6.8 7 7 Requires PHP: 7.4 8 Stable tag: 1.7. 28 Stable tag: 1.7.3 9 9 License: GPLv2 or later 10 10 License URI: http://www.gnu.org/licenses/gpl-2.0.html … … 95 95 You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team help validate, triage and handle any security vulnerabilities. [Report a security vulnerability.](https://patchstack.com/database/vdp/stop-user-enumeration) 96 96 97 == Privacy == 98 99 This plugin includes an optional email feature for plugin news and updates. When enabled: 100 101 * Your email address may be sent to https://fullworksplugins.com for important plugin updates and security notices 102 * This is completely optional and requires your explicit consent via the opt-in form in the plugin settings 103 * No data is collected or transmitted without your permission 104 * You can opt-out at any time from the plugin settings 105 * No other personal data is collected or transmitted to external services 106 107 The plugin logs attempted user enumeration attacks locally using WordPress's standard logging system: 108 * IP addresses of potential attackers are logged locally for security monitoring 109 * These logs remain on your server and are not transmitted to any external service 110 * Logs can be used with fail2ban or similar tools for enhanced security 111 112 For more information about data handling, please visit https://fullworksplugins.com/privacy-policy/ 113 97 114 == Upgrade Notice == 98 115 -
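Review bot: the new Privacy section (lines 97 to 112) states that `IP addresses of potential attackers are logged locally for security monitoring` and that `Logs can be used with fail2ban or similar tools for enhanced security`; since the client-IP detection in class-frontend.php reads proxy headers before REMOTE_ADDR, it would help operators to say here that the logged address is only as reliable as the proxy configuration in front of the site. Two small style points: the second bullet list (lines 107 to 110) has no blank line between the introducing sentence and the first bullet, unlike the first list, so the two render differently; and in the unchanged context at line 95 `The Patchstack team help validate` should read `helps validate`.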
stop-user-enumeration/tags/1.7.3/stop-user-enumeration.php
r3287271 r3315967 4 4 Plugin URI: https://fullworksplugins.com/products/stop-user-enumeration/ 5 5 Description: Helps secure your site against hacking attacks through detecting User Enumeration 6 Version: 1.7. 26 Version: 1.7.3 7 7 Author: Fullworks 8 8 Requires at least: 6.3 … … 43 43 44 44 // Define the plugin version constant. 45 define( 'STOP_USER_ENUMERATION_PLUGIN_VERSION', '1.7 ' );45 define( 'STOP_USER_ENUMERATION_PLUGIN_VERSION', '1.7.3' ); 46 46 47 47 // Include the autoloader to dynamically include the classes. -
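Review bot: the constant at line 45 was `'1.7 '` (note the trailing space) while the header `Version:` said 1.7.2, so any code that compared STOP_USER_ENUMERATION_PLUGIN_VERSION with the header or used it for asset cache-busting was out of step; both now read 1.7.3. Since this changeset hand-edits the version in three places (this header, this constant and `Stable tag:` in readme.txt), consider deriving the constant from the header with get_file_data() or adding a release check that fails when the three disagree.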
stop-user-enumeration/trunk/admin/class-admin-pages.php
r3282442 r3315967 71 71 // toggle 72 72 $('.if-js-closed').removeClass('if-js-closed').addClass('closed'); 73 postboxes.add_postbox_toggles( '<?php echo esc_attr( $page_hook_id ); ?>');73 postboxes.add_postbox_toggles(<?php echo wp_json_encode( $page_hook_id ); ?>); 74 74 // display spinner 75 75 $('#fx-smb-form').submit(function () { -
stop-user-enumeration/trunk/changelog.txt
r3287271 r3315967 1 1 == Changelog == 2 = 1.7.2 = 2 = 1.7.3 = 3 * Fixed URL-encoding bypass vulnerability in REST API protection 4 * Fixed simple-jwt-login bypass vulnerability by checking exceptions only in route paths, not query parameters 5 * Improved REST API security by using WordPress REST API methods instead of checking REQUEST_URI 6 * Enhanced IP address validation using FILTER_VALIDATE_IP 7 * Fixed X-Forwarded-For header handling to properly parse multiple IPs 8 9 = it ran further ithink but ℹ Starting 'wp cli info' on the cli container. 10 11 OS: Linux 6.11.0-1015-azure #15~24.04.1-Ubuntu SMP Thu May 1 02:52:08 UTC 2025 x86_64 12 Shell: 13 PHP binary: /usr/local/bin/php 14 PHP version: 7.4.33 15 php.ini used: /usr/local/etc/php/php.ini 16 MySQL binary: /usr/bin/mysql 17 MySQL version: mysql Ver 15.1 Distrib 10.6.10-MariaDB, for Linux (x86_64) using readline 5.1 18 SQL modes: 19 WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli 20 WP-CLI vendor dir: phar://wp-cli.phar/vendor 21 WP_CLI phar path: /var/www/html 22 WP-CLI packages dir: 23 WP-CLI cache dir: /home/runner/.wp-cli/cache 24 WP-CLI global config: 25 WP-CLI project config: 26 WP-CLI version: 2.7.1 27 ✔ Ran `wp cli info` in 'cli'. (in 0s 311ms) 28 ℹ Starting 'wp plugin list' on the cli container. 29 30 name status update version 31 hello inactive none 1.7.2 32 stop-user-enumeration active version higher than expected 1.7.3 33 ✔ Ran `wp plugin list` in 'cli'. (in 0s 481ms) 34 ℹ Starting 'wp plugin list-checks' on the cli container. 35 36 Error: 'list-checks' is not a registered subcommand of 'plugin'. See 'wp help plugin' for available subcommands. 37 38 ✖ Command failed with exit code 1bu1.7.2 = 3 39 * Fix ability to by-pass the WP REST API protection functionality, props Bob @ WpScan 4 40 -
stop-user-enumeration/trunk/frontend/class-frontend.php
r3287271 r3315967 14 14 15 15 use WP_Error; 16 use WP_REST_Server; 17 use WP_REST_Request; 16 18 17 19 class FrontEnd { … … 150 152 if ( isset( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) { 151 153 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 152 $ipaddress = filter_var( $_SERVER['HTTP_CF_CONNECTING_IP'] );154 $ipaddress = filter_var( $_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP ); 153 155 } elseif ( isset( $_SERVER['HTTP_CLIENT_IP'] ) ) { 154 156 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 155 $ipaddress = filter_var( $_SERVER['HTTP_CLIENT_IP'] );157 $ipaddress = filter_var( $_SERVER['HTTP_CLIENT_IP'], FILTER_VALIDATE_IP ); 156 158 } elseif ( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) { 157 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 158 $ipaddress = filter_var( $_SERVER['HTTP_X_FORWARDED_FOR'] ); 159 // X-Forwarded-For can contain multiple IPs, take the first one 160 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash,WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- not form input, will be validated 161 $ips = explode( ',', sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) ); 162 $ipaddress = filter_var( trim( $ips[0] ), FILTER_VALIDATE_IP ); 159 163 } elseif ( isset( $_SERVER['HTTP_X_FORWARDED'] ) ) { 160 164 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 161 $ipaddress = filter_var( $_SERVER['HTTP_X_FORWARDED'] );165 $ipaddress = filter_var( $_SERVER['HTTP_X_FORWARDED'], FILTER_VALIDATE_IP ); 162 166 } elseif ( isset( $_SERVER['HTTP_FORWARDED_FOR'] ) ) { 163 167 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 164 $ipaddress = filter_var( $_SERVER['HTTP_FORWARDED_FOR'] );168 $ipaddress = filter_var( $_SERVER['HTTP_FORWARDED_FOR'], FILTER_VALIDATE_IP ); 165 169 } elseif ( 
isset( $_SERVER['HTTP_FORWARDED'] ) ) { 166 170 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 167 $ipaddress = filter_var( $_SERVER['HTTP_FORWARDED'] );171 $ipaddress = filter_var( $_SERVER['HTTP_FORWARDED'], FILTER_VALIDATE_IP ); 168 172 } elseif ( isset( $_SERVER['REMOTE_ADDR'] ) ) { 169 173 // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- not form input 170 $ipaddress = filter_var( $_SERVER['REMOTE_ADDR'] );174 $ipaddress = filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP ); 171 175 } 172 176 … … 177 181 * Restricts access to the User endpoint in the REST API to logged-in users only. 178 182 * 179 * This method checks if the 'stop_rest_user' option is enabled. If it is, it validates the request URI180 * and REST route to see if they matchthe pattern for user endpoints. If the request is not from a logged-in user183 * This method checks if the 'stop_rest_user' option is enabled. If it is, it validates the REST request route 184 * to see if it matches the pattern for user endpoints. If the request is not from a logged-in user 181 185 * and does not match the exception pattern, it logs the attempt and returns an error. 182 186 * 183 * @param mixed $access The current access status. 184 * 185 * @return mixed The modified access status or a WP_Error if access is denied. 186 */ 187 public function only_allow_logged_in_rest_access_to_users( $access ) { 187 * @param mixed $result The response to send to the client. Usually a WP_REST_Response or WP_Error. 188 * @param WP_REST_Server $server Server instance. 189 * @param WP_REST_Request $request Request used to generate the response. 190 * 191 * @return mixed The modified result or a WP_Error if access is denied. 
192 */ 193 public function only_allow_logged_in_rest_access_to_users( $result, $server, $request ) { 188 194 if ( 'on' === Core::sue_get_option( 'stop_rest_user', 'off' ) ) { 189 // phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request 190 $request_uri = ( isset( $_SERVER['REQUEST_URI'] ) ) ? sanitize_text_field( wp_unslash( rawurldecode( $_SERVER['REQUEST_URI'] ) ) ) : ''; 191 // phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request 192 $rest_route = ( isset( $_REQUEST['rest_route'] ) ) ? sanitize_text_field( wp_unslash( rawurldecode( $_REQUEST['rest_route'] ) ) ) : ''; 193 $pattern = apply_filters( 'stop_user_enumeration_rest_stop_match', '/users/i' ); 194 if ( ( preg_match( $pattern, $request_uri ) !== 0 ) || ( preg_match( $pattern, $rest_route ) !== 0 ) ) { 195 // Get the actual REST route from the request object 196 $route = $request->get_route(); 197 // Check if this is a users endpoint 198 $pattern = apply_filters( 'stop_user_enumeration_rest_stop_match', '#^/wp/v[0-9]+/users#i' ); 199 if ( ! empty( $route ) && preg_match( $pattern, $route ) !== 0 ) { 195 200 if ( ! is_user_logged_in() ) { 196 $exception = apply_filters( 'stop_user_enumeration_rest_allowed_match', '/simple-jwt-login/i' ); //default exception rule simple-jwt-login 197 if ( ( preg_match( $exception, $request_uri ) !== 0 ) || ( preg_match( $exception, $rest_route ) !== 0 ) ) { 198 return $access; // check not exception 201 // Check for simple-jwt-login exception - only in the actual route, not in parameters 202 $exception = apply_filters( 'stop_user_enumeration_rest_allowed_match', '#^/simple-jwt-login/#i' ); 203 if ( preg_match( $exception, $route ) !== 0 ) { 204 return $result; // Allow access for exception routes 199 205 } 200 206 … … 214 220 } 215 221 216 return $ access;222 return $result; 217 223 } 218 224 -
stop-user-enumeration/trunk/includes/class-core.php
r2852582 r3315967 127 127 /** 128 128 * Register all of the hooks related to the admin area functionality 129 * of the plugin. /home/alan/Google/Projects/WordPressPlugins/get-directions-orig129 * of the plugin. 130 130 * 131 131 */ … … 178 178 179 179 $this->loader->add_action( 'init', $plugin_public, 'check_request' ); 180 $this->loader->add_ action( 'rest_authentication_errors', $plugin_public, 'only_allow_logged_in_rest_access_to_users');180 $this->loader->add_filter( 'rest_pre_dispatch', $plugin_public, 'only_allow_logged_in_rest_access_to_users', 10, 3 ); 181 181 if ( 'on' === $this->sue_get_option( 'stop_sitemap', 'off' ) ) { 182 182 $this->loader->add_filter( 'wp_sitemaps_add_provider', $plugin_public, 'remove_author_sitemap', 10, 2 ); -
stop-user-enumeration/trunk/includes/vendor/composer/installed.php
r3287271 r3315967 4 4 'pretty_version' => 'dev-main', 5 5 'version' => 'dev-main', 6 'reference' => ' 1956095bc022fb1bd97264975c077e311373472c',6 'reference' => '6ffddee56d5d535eb64d10c4bcf0942755b48504', 7 7 'type' => 'wordpress-plugin', 8 8 'install_path' => __DIR__ . '/../../../', … … 32 32 'pretty_version' => 'dev-main', 33 33 'version' => 'dev-main', 34 'reference' => ' 1956095bc022fb1bd97264975c077e311373472c',34 'reference' => '6ffddee56d5d535eb64d10c4bcf0942755b48504', 35 35 'type' => 'wordpress-plugin', 36 36 'install_path' => __DIR__ . '/../../../', -
stop-user-enumeration/trunk/languages/stop-user-enumeration.pot
r3287271 r3315967 3 3 msgid "" 4 4 msgstr "" 5 "Project-Id-Version: Stop User Enumeration 1.7. 2\n"5 "Project-Id-Version: Stop User Enumeration 1.7.3\n" 6 6 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/stop-user-enumeration\n" 7 7 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" … … 10 10 "Content-Type: text/plain; charset=UTF-8\n" 11 11 "Content-Transfer-Encoding: 8bit\n" 12 "POT-Creation-Date: 2025-0 5-04T18:03:23+00:00\n"12 "POT-Creation-Date: 2025-06-21T18:37:16+00:00\n" 13 13 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" 14 14 "X-Generator: WP-CLI 2.10.0\n" … … 132 132 msgstr "" 133 133 134 #: frontend/class-frontend.php:8 0134 #: frontend/class-frontend.php:82 135 135 msgid "forbidden - number in author name not allowed = " 136 136 msgstr "" 137 137 138 #: frontend/class-frontend.php:21 0138 #: frontend/class-frontend.php:216 139 139 msgid "Only authenticated users can access the User endpoint REST API." 140 140 msgstr "" -
stop-user-enumeration/trunk/readme.txt
r3287271 r3315967 6 6 Tested up to: 6.8 7 7 Requires PHP: 7.4 8 Stable tag: 1.7. 28 Stable tag: 1.7.3 9 9 License: GPLv2 or later 10 10 License URI: http://www.gnu.org/licenses/gpl-2.0.html … … 95 95 You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team help validate, triage and handle any security vulnerabilities. [Report a security vulnerability.](https://patchstack.com/database/vdp/stop-user-enumeration) 96 96 97 == Privacy == 98 99 This plugin includes an optional email feature for plugin news and updates. When enabled: 100 101 * Your email address may be sent to https://fullworksplugins.com for important plugin updates and security notices 102 * This is completely optional and requires your explicit consent via the opt-in form in the plugin settings 103 * No data is collected or transmitted without your permission 104 * You can opt-out at any time from the plugin settings 105 * No other personal data is collected or transmitted to external services 106 107 The plugin logs attempted user enumeration attacks locally using WordPress's standard logging system: 108 * IP addresses of potential attackers are logged locally for security monitoring 109 * These logs remain on your server and are not transmitted to any external service 110 * Logs can be used with fail2ban or similar tools for enhanced security 111 112 For more information about data handling, please visit https://fullworksplugins.com/privacy-policy/ 113 97 114 == Upgrade Notice == 98 115 -
stop-user-enumeration/trunk/stop-user-enumeration.php
r3287271 r3315967 4 4 Plugin URI: https://fullworksplugins.com/products/stop-user-enumeration/ 5 5 Description: Helps secure your site against hacking attacks through detecting User Enumeration 6 Version: 1.7. 26 Version: 1.7.3 7 7 Author: Fullworks 8 8 Requires at least: 6.3 … … 43 43 44 44 // Define the plugin version constant. 45 define( 'STOP_USER_ENUMERATION_PLUGIN_VERSION', '1.7 ' );45 define( 'STOP_USER_ENUMERATION_PLUGIN_VERSION', '1.7.3' ); 46 46 47 47 // Include the autoloader to dynamically include the classes.