Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3405892

Timestamp:

11/29/2025 05:12:29 PM (4 months ago)

Author:

foomagoo

Message:

Fixed possible SQL injection on the plugin search page

Location:

plugin-organizer

Files:

: 33 added
: 5 edited

tags/10.2.4 (added)
tags/10.2.4/css (added)
tags/10.2.4/css/PO-admin-global.css (added)
tags/10.2.4/css/PO-admin.css (added)
tags/10.2.4/js (added)
tags/10.2.4/js/validation.js (added)
tags/10.2.4/lib (added)
tags/10.2.4/lib/PO_Ajax.class.php (added)
tags/10.2.4/lib/PO_Template.class.php (added)
tags/10.2.4/lib/PluginOrganizer.class.php (added)
tags/10.2.4/lib/PluginOrganizerMU.class.php (added)
tags/10.2.4/plugin-organizer.php (added)
tags/10.2.4/readme.txt (added)
tags/10.2.4/screenshot-1.jpg (added)
tags/10.2.4/screenshot-2.jpg (added)
tags/10.2.4/screenshot-3.jpg (added)
tags/10.2.4/screenshot-4.jpg (added)
tags/10.2.4/screenshot-5.jpg (added)
tags/10.2.4/screenshot-6.jpg (added)
tags/10.2.4/tpl (added)
tags/10.2.4/tpl/common_js.php (added)
tags/10.2.4/tpl/globalPlugins.php (added)
tags/10.2.4/tpl/global_plugins_js.php (added)
tags/10.2.4/tpl/groupAndOrder.php (added)
tags/10.2.4/tpl/group_and_order_js.php (added)
tags/10.2.4/tpl/postMetaBox.php (added)
tags/10.2.4/tpl/ptPlugins.php (added)
tags/10.2.4/tpl/pt_plugins_js.php (added)
tags/10.2.4/tpl/searchPlugins.php (added)
tags/10.2.4/tpl/search_plugins_js.php (added)
tags/10.2.4/tpl/settings.php (added)
tags/10.2.4/tpl/settings_page_js.php (added)
tags/10.2.4/uninstall.php (added)
trunk/lib/PO_Ajax.class.php (modified) (4 diffs)
trunk/lib/PluginOrganizer.class.php (modified) (2 diffs)
trunk/lib/PluginOrganizerMU.class.php (modified) (2 diffs)
trunk/plugin-organizer.php (modified) (1 diff)
trunk/readme.txt (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

plugin-organizer/trunk/lib/PO_Ajax.class.php

-                      r3265047
+                      r3405892
         $postIDsQuery = "SELECT post_id FROM ".$wpdb->prefix."po_plugins WHERE post_type != 'plugin_filter' AND post_id != 0 AND permalink NOT LIKE [ESC_LIKE] GROUP BY post_id";
         $postIDsQuery = preg_replace('/\[ESC_LIKE\]/', "'".$wpdb->esc_like($newSiteAddress)."%'", $postIDsQuery);
+        $postIDsQuery = preg_replace('/\[ESC_LIKE\]/', "'".esc_sql($newSiteAddress)."%'", $postIDsQuery);
         $postIDs = $wpdb->get_results($postIDsQuery, ARRAY_A);
 …
         $sql = $this->PO->prepare_in("SELECT COUNT(*) FROM ".$wpdb->prefix."po_plugins WHERE post_type='global_plugin_lists' AND post_id=0 AND user_role IN ([R_IN]) AND (disabled_plugins LIKE [ESC_LIKE] OR disabled_mobile_plugins LIKE [ESC_LIKE]".$groupSearch.")", $availableRoles, '[R_IN]');
         $sql = preg_replace('/\[ESC_LIKE\]/', "'%".$wpdb->esc_like($postedPluginPath)."%'", $sql);
+        $sql = preg_replace('/\[ESC_LIKE\]/', "'%".esc_sql($postedPluginPath)."%'", $sql);
         $pluginSearchResult = $wpdb->get_var($sql);
 …
         $sql = $this->PO->prepare_in("SELECT COUNT(*) FROM ".$wpdb->prefix."po_plugins WHERE post_type='search_plugin_lists' AND post_id=0 AND user_role IN ([R_IN]) AND (disabled_plugins LIKE [ESC_LIKE] OR disabled_mobile_plugins LIKE [ESC_LIKE]".$groupSearch.")", $availableRoles, '[R_IN]');
         $sql = preg_replace('/\[ESC_LIKE\]/', "'%".$wpdb->esc_like($postedPluginPath)."%'", $sql);
+        $sql = preg_replace('/\[ESC_LIKE\]/', "'%".esc_sql($postedPluginPath)."%'", $sql);
         $pluginSearchResult = $wpdb->get_var($sql);
 …
         $sql = $this->PO->prepare_in("SELECT post_id FROM ".$wpdb->prefix."po_plugins WHERE post_id!=0 AND user_role IN ([R_IN]) AND (disabled_plugins LIKE [ESC_LIKE] OR disabled_mobile_plugins LIKE [ESC_LIKE]".$groupSearch.") GROUP BY post_id", $availableRoles, '[R_IN]');
         $sql = preg_replace('/\[ESC_LIKE\]/', "'%".$wpdb->esc_like($postedPluginPath)."%'", $sql);
+        $sql = preg_replace('/\[ESC_LIKE\]/', "'%".esc_sql($postedPluginPath)."%'", $sql);
         $pluginSearchResult = $wpdb->get_var($sql);
         $pluginSearchResult = $wpdb->get_results($sql, ARRAY_A);

plugin-organizer/trunk/lib/PluginOrganizer.class.php

r3265047	r3405892
246	246	global $pagenow;
247	247	##Check version and activate if needed.
248		if (get_option("PO_version_num") != "10.2.3" && !in_array($pagenow, array("plugins.php", "update-core.php", "update.php"))) {
	248	if (get_option("PO_version_num") != "10.2.4" && !in_array($pagenow, array("plugins.php", "update-core.php", "update.php"))) {
249	249	$this->activate();
250	250	}
…	…
562	562	}
563	563
564		if (get_option("PO_version_num") != "10.2.3") {
565		update_option("PO_version_num", "10.2.3");
	564	if (get_option("PO_version_num") != "10.2.4") {
	565	update_option("PO_version_num", "10.2.4");
566	566	}
567	567

plugin-organizer/trunk/lib/PluginOrganizerMU.class.php

-                      r3265047
+                      r3405892
 Plugin URI: https://www.sterup.com/wordpress-plugins/plugin-organizer/
 Description: A plugin for specifying the load order of your plugins.
 Version: 10.2.3
+Version: 10.2.4
 Author: Jeff Sterup
 Author URI: https://www.sterup.com
 …
             $this->set_requested_permalink();
             if (get_option('PO_updating_plugin') != '1' && get_option("PO_version_num") != "10.2.3") {
+            if (get_option('PO_updating_plugin') != '1' && get_option("PO_version_num") != "10.2.4") {
                 $newPluginList = $pluginList;
                 $this->adminMsg[] = '<strong>WARNING:</strong> Selective plugin loading for Plugin Organizer has been disabled because the version numbers of the MU plugin and the standard plugin don\'t match.<br />The current version number returned from the database is '.get_option("PO_version_num").' and the current MU plugin version number is 10.2.3.<br />If you are using a caching plugin try clearing the cache.';
+                $this->adminMsg[] = '<strong>WARNING:</strong> Selective plugin loading for Plugin Organizer has been disabled because the version numbers of the MU plugin and the standard plugin don\'t match.<br />The current version number returned from the database is '.get_option("PO_version_num").' and the current MU plugin version number is 10.2.4.<br />If you are using a caching plugin try clearing the cache.';
             } else {
                 $sql = "SELECT disabled_plugins, disabled_mobile_plugins, disabled_groups, disabled_mobile_groups FROM ".$wpdb->prefix."po_plugins WHERE post_type='global_plugin_lists' AND post_id=0";

plugin-organizer/trunk/plugin-organizer.php

r3265047	r3405892
4	4	Plugin URI: https://www.sterup.com/wordpress-plugins/plugin-organizer/
5	5	Description: A plugin to disable plugins on indivudual pages and change the order that they are loaded in.
6		Version: 10.2.3
	6	Version: 10.2.4
7	7	Author: Jeff Sterup
8	8	Author URI: https://www.sterup.com

plugin-organizer/trunk/readme.txt

-                      r3265047
+                      r3405892
 Tags: plugin organizer, plugin load order, disable plugins by post or page, turn off plugins for post or page
 Requires at least: 4.6.0
 Tested up to: 6.8
 Stable tag: 10.2.3
+Tested up to: 6.9
+Stable tag: 10.2.4
 License: GPLv2
 …
 == Changelog ==
+= 10.2.4 =
+Fixed possible SQL injection on the plugin search page.
 = 10.2.3 =
 Removed all references to WP Spamshield since the plugin no longer exists and is no longer a threat to Plugin Organizer users
 …
 == Upgrade Notice ==
+= 10.2.3 =
+Removed all references to WP Spamshield since the plugin no longer exists and is no longer a threat to Plugin Organizer users
+Fixed a few typos in the settings help text
+Moved debug messages to the browser console to prevent display problems
+Removed custom CSS settings because they are no longer needed with console debug messages
+= 10.2.4 =
+Fixed possible SQL injection on the plugin search page.

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory