Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3365319

Timestamp:

09/21/2025 03:07:54 PM (7 months ago)

Author:

webfiable

Message:

Update to version 1.4.1 from GitHub

Location:

webfiable-info

Files:

: 31 added
: 7 edited
: 1 copied

assets/banner-1544x500.png (added)
assets/banner-772x250.png (modified) (1 prop) (previous)
assets/icon-128x128.png (modified) (1 prop) (previous)
assets/icon-256x256.png (modified) (1 prop) (previous)
tags/1.4.1 (copied) (copied from webfiable-info/trunk)
tags/1.4.1/.gitattributes (added)
tags/1.4.1/.github (added)
tags/1.4.1/.github/workflows (added)
tags/1.4.1/.github/workflows/release.yml (added)
tags/1.4.1/.gitignore (added)
tags/1.4.1/.wordpress-org (added)
tags/1.4.1/.wordpress-org/banner-1544x500.png (added)
tags/1.4.1/.wordpress-org/banner-772x250.png (added)
tags/1.4.1/.wordpress-org/icon-128x128.png (added)
tags/1.4.1/.wordpress-org/icon-256x256.png (added)
tags/1.4.1/LICENSE (added)
tags/1.4.1/README.md (added)
tags/1.4.1/composer.json (added)
tags/1.4.1/composer.lock (added)
tags/1.4.1/phpcs.xml (added)
tags/1.4.1/readme.txt (modified) (3 diffs)
tags/1.4.1/webfiable-info.php (modified) (2 diffs)
trunk/.gitattributes (added)
trunk/.github (added)
trunk/.github/workflows (added)
trunk/.github/workflows/release.yml (added)
trunk/.gitignore (added)
trunk/.wordpress-org (added)
trunk/.wordpress-org/banner-1544x500.png (added)
trunk/.wordpress-org/banner-772x250.png (added)
trunk/.wordpress-org/icon-128x128.png (added)
trunk/.wordpress-org/icon-256x256.png (added)
trunk/LICENSE (added)
trunk/README.md (added)
trunk/composer.json (added)
trunk/composer.lock (added)
trunk/phpcs.xml (added)
trunk/readme.txt (modified) (3 diffs)
trunk/webfiable-info.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

webfiable-info/assets/banner-772x250.png
- Property svn:mime-type changed from application/octet-stream to image/png
webfiable-info/assets/icon-128x128.png
- Property svn:mime-type changed from application/octet-stream to image/png
webfiable-info/assets/icon-256x256.png
- Property svn:mime-type changed from application/octet-stream to image/png

webfiable-info/tags/1.4.1/readme.txt

-                      r3244047
+                      r3365319
 Requires at least: 5.0
 Tested up to: 6.7
 Stable tag: 1.4
+Stable tag: 1.4.1
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 …
 The Webfiable Info plugin is a component of the Webfiable security service, designed to help you maintain a robust security posture for your WordPress website. By securely gathering information about your site's plugins, themes, and WordPress version, the plugin enables the Webfiable service to perform in-depth analysis and provide weekly recommendations tailored to your specific configuration.
-To verify the plugin's functionality, users and reviewers can visit the **`/webfiable` endpoint** on their website after activation. This endpoint provides encrypted website configuration data for security monitoring. An example of this can be seen at:
-* **Live Example:** [https://webfiable.com/webfiable/](https://webfiable.com/webfiable/)
-== External Services ==
-This plugin connects to the **Webfiable API** to:
-. **Retrieve an RSA public key**, which is required for encrypting website configuration data before making it available to the Webfiable service.
-. **Expose encrypted website configuration data** through the `/webfiable` endpoint, which is queried by `app.webfiable.com` to generate a **security posture report**.
-**Data Sent:**
-- **Public Key Retrieval:** No user-specific data is sent; only a request to retrieve the RSA public key.
-- **Configuration Data Transmission:** The plugin encrypts and exposes the following website information at the `/webfiable` endpoint:
-  - Installed plugins (names, slugs, and versions).
-  - Installed themes (names, slugs, and versions).
-  - WordPress version.
-**When Data is Sent:**
-- **Public Key Retrieval:** Occurs when encryption is required for the `/webfiable` endpoint.
-- **Configuration Data Transmission:** Happens when `app.webfiable.com` queries the `/webfiable` endpoint to fetch encrypted data for security posture reporting.
-**Service URL:**
-- [https://app.webfiable.com/public-key.json](https://app.webfiable.com/public-key.json) *(for RSA key retrieval)*
-**Terms of Service:**
-- [https://webfiable.com/terminos-de-servicio/](https://webfiable.com/terminos-de-servicio/)
-**Privacy Policy:**
-- [https://webfiable.com/politica-privacidad/](https://webfiable.com/politica-privacidad/)
 == Features ==
 …
 * **RSA Key Management**: The RSA encryption ensures that only the Webfiable service can decrypt the transmitted data, using a private key that remains secure on the Webfiable infrastructure.
 == How to Verify Plugin Functionality ==
+== Why It Is Secure ==
+Once installed and activated, users can verify the functionality of the Webfiable Info plugin by:
+. **Advanced Encryption Techniques**: Webfiable Info employs AES-256 for data encryption, a standard widely recognized for its strength and security. The AES key is then encrypted with RSA-2048, ensuring that even if the data is intercepted, it cannot be decrypted without the corresponding private RSA key, which is securely stored by Webfiable.
+. **Checking the `/webfiable` Endpoint**: Visit `https://yourwebsite.com/webfiable/` to confirm that the plugin is providing encrypted configuration data.
+. **Comparing with an Example Site**: You can see an example of the plugin's functionality at:
+   - [https://webfiable.com/webfiable/](https://webfiable.com/webfiable/)
+. **Ensuring Data Security**: The data exposed at this endpoint is encrypted and can only be decrypted by the Webfiable service.
+. **Data Integrity**: The use of a unique IV for each transmission guarantees that your data remains confidential and secure, preventing any potential attackers from predicting or replicating encrypted data streams.
+. **Confidentiality by Design**: The plugin is designed to collect only the necessary information for security analysis, ensuring that your website's sensitive data is handled with the utmost care and never exposed.
 == Installation ==

webfiable-info/tags/1.4.1/webfiable-info.php

-                      r3244047
+                      r3365319
  * Plugin URI: https://webfiable.com/webfiable-info
  * Description: Ensure your website's security posture and configuration health with monitoring and recommendations.
  * Version: 1.4
+ * Version: 1.4.1
  * Author: Webfiable Team
  * Author URI: https://webfiable.com
 …
  * License URI: https://www.gnu.org/licenses/gpl-3.0.html
  * Text Domain: webfiable-info
+ *
+ * @package Webfiable_Info
  */
 // Prevent direct access
 if (!defined('ABSPATH')) {
     exit;
+// Prevent direct access.
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+// Fetch RSA public key dynamically from Webfiable API
+function webfiable_get_public_key() {
+    $response = wp_remote_get('https://app.webfiable.com/public-key.json');
+// RSA public key (provided by the user).
+define(
+    'WEBFIABLE_RSA_PUBLIC_KEY',
+    '-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8y6jWyyz5yJzdj1kdDJ
+KDU54+MryJYTBHogyq8m+557Q8gciul2cAZexdhC6EkIzI/hxwNi/t6fcLiK0hdC
+nVaP6B/xkZPuURW/cjtKbCBXo0CLTMNnJSxhECI4Xq5l5koiThdhSvDlqsuMWy
+xCUUlbvU9Vg+MmiaEiRtZT7Nd5/NSqftqqdiVH0Q6sUd2OEFYPwnDI5615ALLH+h
+XeaQhTu053Tpqcw6cMNbqOCc9Gk6esoM69oNHtXR2tKxxzWldwb0+mRRypUiPLUn
+/n/9w5jnPrNsYGu1PVLXb+wlspPyZCSItq4zkzkFPYKvQ7u+U2UY28dHqSeHJhGd
+FQIDAQAB
+-----END PUBLIC KEY-----'
+);
+    if (is_wp_error($response)) {
+        return null;
+    }
+/**
+ * Registers the custom rewrite rule for the `webfiable` endpoint.
+ *
+ * Hooked to `init`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_register_route() {
+    add_rewrite_rule( '^webfiable$', 'index.php?webfiable_route=1', 'top' );
+}
+add_action( 'init', 'webfiable_register_route' );
+    $status_code = wp_remote_retrieve_response_code($response);
+    if ($status_code !== 200) {
+        return null;
+    }
+/**
+ * Adds the `webfiable_route` query var so WordPress recognizes the endpoint.
+ *
+ * Hooked to `query_vars`.
+ *
+ * @since 1.4
+ * @param string[] $vars List of public query vars.
+ * @return string[] Modified list of query vars.
+ */
+function webfiable_add_query_vars( $vars ) {
+    $vars[] = 'webfiable_route';
+    return $vars;
+}
+add_filter( 'query_vars', 'webfiable_add_query_vars' );
+    $body = wp_remote_retrieve_body($response);
+    if (empty($body)) {
+        return null;
+    }
+/**
+ * Handles the request to the `webfiable` endpoint and outputs an encrypted JSON payload.
+ *
+ * Hooked to `template_redirect`.
+ *
+ * Collects WP version, installed plugins and themes, builds a payload, encrypts it
+ * with a random AES-256-CBC key/IV, encrypts that key with the RSA public key,
+ * and returns base64-encoded values.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_template_redirect() {
+    if ( get_query_var( 'webfiable_route' ) ) {
+    // Decode JSON
+    $decoded = json_decode($body, true);
+    if (json_last_error() !== JSON_ERROR_NONE) {
+        return null;
+    }
+        // Get all installed plugins.
+        $installed_plugins = get_plugins();
+        $plugins_info      = array();
+    if (!isset($decoded['PublicKey']) || empty($decoded['PublicKey'])) {
+        return null;
+    }
+        foreach ( $installed_plugins as $plugin_slug => $plugin_data ) {
+            $plugins_info[] = array(
+                'name'        => $plugin_data['Name'],
+                'slug'        => dirname( $plugin_slug ),
+                'version'     => $plugin_data['Version'],
+                'description' => wp_strip_all_tags( $plugin_data['Description'] ),  // Remove HTML tags from description.
+            );
+        }
+    // Restore proper RSA key formatting
+    $public_key = "-----BEGIN PUBLIC KEY-----\n" .
+                  wordwrap(trim($decoded['PublicKey']), 64, "\n", true) .
+                  "\n-----END PUBLIC KEY-----";
+        // Get all installed themes.
+        $installed_themes = wp_get_themes();
+        $themes_info      = array();
+    // Verify if OpenSSL recognizes the key
+    $openssl_key = openssl_pkey_get_public($public_key);
+    if (!$openssl_key) {
+        return null;
+    }
+        foreach ( $installed_themes as $theme_slug => $theme_data ) {
+            $themes_info[] = array(
+                'name'        => $theme_data->get( 'Name' ),
+                'slug'        => $theme_data->get_stylesheet(),
+                'version'     => $theme_data->get( 'Version' ),
+                'description' => wp_strip_all_tags( $theme_data->get( 'Description' ) ),  // Remove HTML tags from description.
+            );
+        }
+    return $public_key;
+        // Get the WordPress version.
+        $wordpress_version = get_bloginfo( 'version' );
+        // Merge all info into one array.
+        $all_info = array(
+            'wordpress_version' => $wordpress_version,
+            'plugins'           => $plugins_info,
+            'themes'            => $themes_info,
+        );
+        // Convert to JSON.
+        $json_data = wp_json_encode( $all_info );
+        // Generate a 256-bit AES key.
+        $aes_key = openssl_random_pseudo_bytes( 32 );
+        // Encrypt the JSON data with the AES key.
+        $encrypted_data = openssl_encrypt( $json_data, 'AES-256-CBC', $aes_key, OPENSSL_RAW_DATA, $iv = openssl_random_pseudo_bytes( 16 ) );
+        // Encrypt the AES key with the RSA public key.
+        openssl_public_encrypt( $aes_key, $encrypted_key, WEBFIABLE_RSA_PUBLIC_KEY );
+        // Return both the encrypted AES key and the encrypted JSON data.
+        // We base64-encode binary values to transport them safely in JSON.
+        // phpcs:disable WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode -- Transport encoding, not obfuscation.
+        $encoded_key  = base64_encode( $encrypted_key );
+        $encoded_iv   = base64_encode( $iv );
+        $encoded_data = base64_encode( $encrypted_data );
+        // phpcs:enable WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+        $response = array(
+            'encrypted_key' => $encoded_key,
+            'iv'            => $encoded_iv,
+            'data'          => $encoded_data,
+        );
+        // Send JSON response.
+        wp_send_json( $response );
+        exit;
+    }
+}
+add_action( 'template_redirect', 'webfiable_template_redirect' );
+// Register the custom endpoint
+function webfiable_register_route() {
+    add_rewrite_rule('^webfiable$', 'index.php?webfiable_route=1', 'top');
+/**
+ * Flushes rewrite rules on plugin activation so the custom endpoint works immediately.
+ *
+ * Calls our route registrar and then flushes the rules. This should only run on activation,
+ * never on every request (for performance reasons).
+ *
+ * Hooked via `register_activation_hook()`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_flush_rewrite_rules() {
+    webfiable_register_route();
+    flush_rewrite_rules();
+}
 add_action('init', 'webfiable_register_route');
+register_activation_hook( __FILE__, 'webfiable_flush_rewrite_rules' );
+// Add the query var so WP recognizes the custom route
+function webfiable_add_query_vars($vars) {
+    $vars[] = 'webfiable_route';
+    return $vars;
+/**
+ * Flushes rewrite rules on plugin deactivation to remove the custom endpoint.
+ *
+ * Hooked via `register_deactivation_hook()`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_deactivate() {
+    flush_rewrite_rules();
+}
+add_filter('query_vars', 'webfiable_add_query_vars');
+// Handle the request and return encrypted JSON response
+function webfiable_template_redirect() {
+    if (get_query_var('webfiable_route')) {
+        // Fetch the public key dynamically when handling requests
+        $public_key = webfiable_get_public_key();
+        if (!$public_key) {
+            wp_send_json_error(['error' => 'Failed to retrieve public key. Cannot proceed with encryption.'], 500);
+            exit;
+        }
+        // Get all installed plugins
+        $installed_plugins = get_plugins();
+        $plugins_info = [];
+        foreach ($installed_plugins as $plugin_slug => $plugin_data) {
+            $plugins_info[] = [
+                'name'        => $plugin_data['Name'],
+                'slug'        => dirname($plugin_slug),
+                'version'     => $plugin_data['Version'],
+                'description' => wp_strip_all_tags($plugin_data['Description']),
+            ];
+        }
+        // Get all installed themes
+        $installed_themes = wp_get_themes();
+        $themes_info = [];
+        foreach ($installed_themes as $theme_slug => $theme_data) {
+            $themes_info[] = [
+                'name'        => $theme_data->get('Name'),
+                'slug'        => $theme_data->get_stylesheet(),
+                'version'     => $theme_data->get('Version'),
+                'description' => wp_strip_all_tags($theme_data->get('Description')),
+            ];
+        }
+        // Get the WordPress version
+        $wordpress_version = get_bloginfo('version');
+        // Merge all info into one array
+        $all_info = [
+            'wordpress_version' => $wordpress_version,
+            'plugins'           => $plugins_info,
+            'themes'            => $themes_info,
+        ];
+        // Convert to JSON
+        $json_data = json_encode($all_info);
+        // Generate a 256-bit AES key
+        $aes_key = openssl_random_pseudo_bytes(32);
+        $iv = openssl_random_pseudo_bytes(16);
+        // Encrypt the JSON data with the AES key
+        $encrypted_data = openssl_encrypt($json_data, 'AES-256-CBC', $aes_key, OPENSSL_RAW_DATA, $iv);
+        // Ensure that AES encryption worked before proceeding
+        if ($encrypted_data === false) {
+            wp_send_json_error(['error' => 'AES encryption failed.'], 500);
+            exit;
+        }
+        // Encrypt the AES key with the fetched RSA public key
+        if (!openssl_public_encrypt($aes_key, $encrypted_key, $public_key)) {
+            wp_send_json_error(['error' => 'RSA encryption failed. Invalid public key.'], 500);
+            exit;
+        }
+        // Return both the encrypted AES key and the encrypted JSON data
+        $response = [
+            'encrypted_key' => base64_encode($encrypted_key),
+            'iv'            => base64_encode($iv),
+            'data'          => base64_encode($encrypted_data),
+        ];
+        // Send JSON response
+        wp_send_json($response);
+        exit;
+    }
+}
+add_action('template_redirect', 'webfiable_template_redirect');
+// Ensure that the rewrite rules are flushed after the plugin is activated
+function webfiable_flush_rewrite_rules() {
+    webfiable_register_route();
+    flush_rewrite_rules();
+}
+register_activation_hook(__FILE__, 'webfiable_flush_rewrite_rules');
+// Flush rewrite rules on deactivation to avoid conflicts
+function webfiable_deactivate() {
+    flush_rewrite_rules();
+}
+register_deactivation_hook(__FILE__, 'webfiable_deactivate');
+register_deactivation_hook( __FILE__, 'webfiable_deactivate' );

webfiable-info/trunk/readme.txt

-                      r3244047
+                      r3365319
 Requires at least: 5.0
 Tested up to: 6.7
 Stable tag: 1.4
+Stable tag: 1.4.1
 License: GPLv3 or later
 License URI: https://www.gnu.org/licenses/gpl-3.0.html
 …
 The Webfiable Info plugin is a component of the Webfiable security service, designed to help you maintain a robust security posture for your WordPress website. By securely gathering information about your site's plugins, themes, and WordPress version, the plugin enables the Webfiable service to perform in-depth analysis and provide weekly recommendations tailored to your specific configuration.
-To verify the plugin's functionality, users and reviewers can visit the **`/webfiable` endpoint** on their website after activation. This endpoint provides encrypted website configuration data for security monitoring. An example of this can be seen at:
-* **Live Example:** [https://webfiable.com/webfiable/](https://webfiable.com/webfiable/)
-== External Services ==
-This plugin connects to the **Webfiable API** to:
-. **Retrieve an RSA public key**, which is required for encrypting website configuration data before making it available to the Webfiable service.
-. **Expose encrypted website configuration data** through the `/webfiable` endpoint, which is queried by `app.webfiable.com` to generate a **security posture report**.
-**Data Sent:**
-- **Public Key Retrieval:** No user-specific data is sent; only a request to retrieve the RSA public key.
-- **Configuration Data Transmission:** The plugin encrypts and exposes the following website information at the `/webfiable` endpoint:
-  - Installed plugins (names, slugs, and versions).
-  - Installed themes (names, slugs, and versions).
-  - WordPress version.
-**When Data is Sent:**
-- **Public Key Retrieval:** Occurs when encryption is required for the `/webfiable` endpoint.
-- **Configuration Data Transmission:** Happens when `app.webfiable.com` queries the `/webfiable` endpoint to fetch encrypted data for security posture reporting.
-**Service URL:**
-- [https://app.webfiable.com/public-key.json](https://app.webfiable.com/public-key.json) *(for RSA key retrieval)*
-**Terms of Service:**
-- [https://webfiable.com/terminos-de-servicio/](https://webfiable.com/terminos-de-servicio/)
-**Privacy Policy:**
-- [https://webfiable.com/politica-privacidad/](https://webfiable.com/politica-privacidad/)
 == Features ==
 …
 * **RSA Key Management**: The RSA encryption ensures that only the Webfiable service can decrypt the transmitted data, using a private key that remains secure on the Webfiable infrastructure.
 == How to Verify Plugin Functionality ==
+== Why It Is Secure ==
+Once installed and activated, users can verify the functionality of the Webfiable Info plugin by:
+. **Advanced Encryption Techniques**: Webfiable Info employs AES-256 for data encryption, a standard widely recognized for its strength and security. The AES key is then encrypted with RSA-2048, ensuring that even if the data is intercepted, it cannot be decrypted without the corresponding private RSA key, which is securely stored by Webfiable.
+. **Checking the `/webfiable` Endpoint**: Visit `https://yourwebsite.com/webfiable/` to confirm that the plugin is providing encrypted configuration data.
+. **Comparing with an Example Site**: You can see an example of the plugin's functionality at:
+   - [https://webfiable.com/webfiable/](https://webfiable.com/webfiable/)
+. **Ensuring Data Security**: The data exposed at this endpoint is encrypted and can only be decrypted by the Webfiable service.
+. **Data Integrity**: The use of a unique IV for each transmission guarantees that your data remains confidential and secure, preventing any potential attackers from predicting or replicating encrypted data streams.
+. **Confidentiality by Design**: The plugin is designed to collect only the necessary information for security analysis, ensuring that your website's sensitive data is handled with the utmost care and never exposed.
 == Installation ==

webfiable-info/trunk/webfiable-info.php

-                      r3244047
+                      r3365319
  * Plugin URI: https://webfiable.com/webfiable-info
  * Description: Ensure your website's security posture and configuration health with monitoring and recommendations.
  * Version: 1.4
+ * Version: 1.4.1
  * Author: Webfiable Team
  * Author URI: https://webfiable.com
 …
  * License URI: https://www.gnu.org/licenses/gpl-3.0.html
  * Text Domain: webfiable-info
+ *
+ * @package Webfiable_Info
  */
 // Prevent direct access
 if (!defined('ABSPATH')) {
     exit;
+// Prevent direct access.
+if ( ! defined( 'ABSPATH' ) ) {
+    exit;
+}
+// Fetch RSA public key dynamically from Webfiable API
+function webfiable_get_public_key() {
+    $response = wp_remote_get('https://app.webfiable.com/public-key.json');
+// RSA public key (provided by the user).
+define(
+    'WEBFIABLE_RSA_PUBLIC_KEY',
+    '-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8y6jWyyz5yJzdj1kdDJ
+KDU54+MryJYTBHogyq8m+557Q8gciul2cAZexdhC6EkIzI/hxwNi/t6fcLiK0hdC
+nVaP6B/xkZPuURW/cjtKbCBXo0CLTMNnJSxhECI4Xq5l5koiThdhSvDlqsuMWy
+xCUUlbvU9Vg+MmiaEiRtZT7Nd5/NSqftqqdiVH0Q6sUd2OEFYPwnDI5615ALLH+h
+XeaQhTu053Tpqcw6cMNbqOCc9Gk6esoM69oNHtXR2tKxxzWldwb0+mRRypUiPLUn
+/n/9w5jnPrNsYGu1PVLXb+wlspPyZCSItq4zkzkFPYKvQ7u+U2UY28dHqSeHJhGd
+FQIDAQAB
+-----END PUBLIC KEY-----'
+);
+    if (is_wp_error($response)) {
+        return null;
+    }
+/**
+ * Registers the custom rewrite rule for the `webfiable` endpoint.
+ *
+ * Hooked to `init`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_register_route() {
+    add_rewrite_rule( '^webfiable$', 'index.php?webfiable_route=1', 'top' );
+}
+add_action( 'init', 'webfiable_register_route' );
+    $status_code = wp_remote_retrieve_response_code($response);
+    if ($status_code !== 200) {
+        return null;
+    }
+/**
+ * Adds the `webfiable_route` query var so WordPress recognizes the endpoint.
+ *
+ * Hooked to `query_vars`.
+ *
+ * @since 1.4
+ * @param string[] $vars List of public query vars.
+ * @return string[] Modified list of query vars.
+ */
+function webfiable_add_query_vars( $vars ) {
+    $vars[] = 'webfiable_route';
+    return $vars;
+}
+add_filter( 'query_vars', 'webfiable_add_query_vars' );
+    $body = wp_remote_retrieve_body($response);
+    if (empty($body)) {
+        return null;
+    }
+/**
+ * Handles the request to the `webfiable` endpoint and outputs an encrypted JSON payload.
+ *
+ * Hooked to `template_redirect`.
+ *
+ * Collects WP version, installed plugins and themes, builds a payload, encrypts it
+ * with a random AES-256-CBC key/IV, encrypts that key with the RSA public key,
+ * and returns base64-encoded values.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_template_redirect() {
+    if ( get_query_var( 'webfiable_route' ) ) {
+    // Decode JSON
+    $decoded = json_decode($body, true);
+    if (json_last_error() !== JSON_ERROR_NONE) {
+        return null;
+    }
+        // Get all installed plugins.
+        $installed_plugins = get_plugins();
+        $plugins_info      = array();
+    if (!isset($decoded['PublicKey']) || empty($decoded['PublicKey'])) {
+        return null;
+    }
+        foreach ( $installed_plugins as $plugin_slug => $plugin_data ) {
+            $plugins_info[] = array(
+                'name'        => $plugin_data['Name'],
+                'slug'        => dirname( $plugin_slug ),
+                'version'     => $plugin_data['Version'],
+                'description' => wp_strip_all_tags( $plugin_data['Description'] ),  // Remove HTML tags from description.
+            );
+        }
+    // Restore proper RSA key formatting
+    $public_key = "-----BEGIN PUBLIC KEY-----\n" .
+                  wordwrap(trim($decoded['PublicKey']), 64, "\n", true) .
+                  "\n-----END PUBLIC KEY-----";
+        // Get all installed themes.
+        $installed_themes = wp_get_themes();
+        $themes_info      = array();
+    // Verify if OpenSSL recognizes the key
+    $openssl_key = openssl_pkey_get_public($public_key);
+    if (!$openssl_key) {
+        return null;
+    }
+        foreach ( $installed_themes as $theme_slug => $theme_data ) {
+            $themes_info[] = array(
+                'name'        => $theme_data->get( 'Name' ),
+                'slug'        => $theme_data->get_stylesheet(),
+                'version'     => $theme_data->get( 'Version' ),
+                'description' => wp_strip_all_tags( $theme_data->get( 'Description' ) ),  // Remove HTML tags from description.
+            );
+        }
+    return $public_key;
+        // Get the WordPress version.
+        $wordpress_version = get_bloginfo( 'version' );
+        // Merge all info into one array.
+        $all_info = array(
+            'wordpress_version' => $wordpress_version,
+            'plugins'           => $plugins_info,
+            'themes'            => $themes_info,
+        );
+        // Convert to JSON.
+        $json_data = wp_json_encode( $all_info );
+        // Generate a 256-bit AES key.
+        $aes_key = openssl_random_pseudo_bytes( 32 );
+        // Encrypt the JSON data with the AES key.
+        $encrypted_data = openssl_encrypt( $json_data, 'AES-256-CBC', $aes_key, OPENSSL_RAW_DATA, $iv = openssl_random_pseudo_bytes( 16 ) );
+        // Encrypt the AES key with the RSA public key.
+        openssl_public_encrypt( $aes_key, $encrypted_key, WEBFIABLE_RSA_PUBLIC_KEY );
+        // Return both the encrypted AES key and the encrypted JSON data.
+        // We base64-encode binary values to transport them safely in JSON.
+        // phpcs:disable WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode -- Transport encoding, not obfuscation.
+        $encoded_key  = base64_encode( $encrypted_key );
+        $encoded_iv   = base64_encode( $iv );
+        $encoded_data = base64_encode( $encrypted_data );
+        // phpcs:enable WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_encode
+        $response = array(
+            'encrypted_key' => $encoded_key,
+            'iv'            => $encoded_iv,
+            'data'          => $encoded_data,
+        );
+        // Send JSON response.
+        wp_send_json( $response );
+        exit;
+    }
+}
+add_action( 'template_redirect', 'webfiable_template_redirect' );
+// Register the custom endpoint
+function webfiable_register_route() {
+    add_rewrite_rule('^webfiable$', 'index.php?webfiable_route=1', 'top');
+/**
+ * Flushes rewrite rules on plugin activation so the custom endpoint works immediately.
+ *
+ * Calls our route registrar and then flushes the rules. This should only run on activation,
+ * never on every request (for performance reasons).
+ *
+ * Hooked via `register_activation_hook()`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_flush_rewrite_rules() {
+    webfiable_register_route();
+    flush_rewrite_rules();
+}
 add_action('init', 'webfiable_register_route');
+register_activation_hook( __FILE__, 'webfiable_flush_rewrite_rules' );
+// Add the query var so WP recognizes the custom route
+function webfiable_add_query_vars($vars) {
+    $vars[] = 'webfiable_route';
+    return $vars;
+/**
+ * Flushes rewrite rules on plugin deactivation to remove the custom endpoint.
+ *
+ * Hooked via `register_deactivation_hook()`.
+ *
+ * @since 1.4
+ * @return void
+ */
+function webfiable_deactivate() {
+    flush_rewrite_rules();
+}
+add_filter('query_vars', 'webfiable_add_query_vars');
+// Handle the request and return encrypted JSON response
+function webfiable_template_redirect() {
+    if (get_query_var('webfiable_route')) {
+        // Fetch the public key dynamically when handling requests
+        $public_key = webfiable_get_public_key();
+        if (!$public_key) {
+            wp_send_json_error(['error' => 'Failed to retrieve public key. Cannot proceed with encryption.'], 500);
+            exit;
+        }
+        // Get all installed plugins
+        $installed_plugins = get_plugins();
+        $plugins_info = [];
+        foreach ($installed_plugins as $plugin_slug => $plugin_data) {
+            $plugins_info[] = [
+                'name'        => $plugin_data['Name'],
+                'slug'        => dirname($plugin_slug),
+                'version'     => $plugin_data['Version'],
+                'description' => wp_strip_all_tags($plugin_data['Description']),
+            ];
+        }
+        // Get all installed themes
+        $installed_themes = wp_get_themes();
+        $themes_info = [];
+        foreach ($installed_themes as $theme_slug => $theme_data) {
+            $themes_info[] = [
+                'name'        => $theme_data->get('Name'),
+                'slug'        => $theme_data->get_stylesheet(),
+                'version'     => $theme_data->get('Version'),
+                'description' => wp_strip_all_tags($theme_data->get('Description')),
+            ];
+        }
+        // Get the WordPress version
+        $wordpress_version = get_bloginfo('version');
+        // Merge all info into one array
+        $all_info = [
+            'wordpress_version' => $wordpress_version,
+            'plugins'           => $plugins_info,
+            'themes'            => $themes_info,
+        ];
+        // Convert to JSON
+        $json_data = json_encode($all_info);
+        // Generate a 256-bit AES key
+        $aes_key = openssl_random_pseudo_bytes(32);
+        $iv = openssl_random_pseudo_bytes(16);
+        // Encrypt the JSON data with the AES key
+        $encrypted_data = openssl_encrypt($json_data, 'AES-256-CBC', $aes_key, OPENSSL_RAW_DATA, $iv);
+        // Ensure that AES encryption worked before proceeding
+        if ($encrypted_data === false) {
+            wp_send_json_error(['error' => 'AES encryption failed.'], 500);
+            exit;
+        }
+        // Encrypt the AES key with the fetched RSA public key
+        if (!openssl_public_encrypt($aes_key, $encrypted_key, $public_key)) {
+            wp_send_json_error(['error' => 'RSA encryption failed. Invalid public key.'], 500);
+            exit;
+        }
+        // Return both the encrypted AES key and the encrypted JSON data
+        $response = [
+            'encrypted_key' => base64_encode($encrypted_key),
+            'iv'            => base64_encode($iv),
+            'data'          => base64_encode($encrypted_data),
+        ];
+        // Send JSON response
+        wp_send_json($response);
+        exit;
+    }
+}
+add_action('template_redirect', 'webfiable_template_redirect');
+// Ensure that the rewrite rules are flushed after the plugin is activated
+function webfiable_flush_rewrite_rules() {
+    webfiable_register_route();
+    flush_rewrite_rules();
+}
+register_activation_hook(__FILE__, 'webfiable_flush_rewrite_rules');
+// Flush rewrite rules on deactivation to avoid conflicts
+function webfiable_deactivate() {
+    flush_rewrite_rules();
+}
+register_deactivation_hook(__FILE__, 'webfiable_deactivate');
+register_deactivation_hook( __FILE__, 'webfiable_deactivate' );

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory

Context Navigation

Changeset 3365319

Legend:

webfiable-info/assets/banner-772x250.png

webfiable-info/assets/icon-128x128.png

webfiable-info/assets/icon-256x256.png

webfiable-info/tags/1.4.1/readme.txt

webfiable-info/tags/1.4.1/webfiable-info.php

webfiable-info/trunk/readme.txt

webfiable-info/trunk/webfiable-info.php

Download in other formats: