Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3444373

Timestamp:

01/21/2026 07:32:42 PM (2 months ago)

Author:

wiredimpact

Message:

Fixed vulnerability where unauthenticated volunteer form submissions could overwrite first name, last name and phone number data for non-volunteer roles.

Location:

wired-impact-volunteer-management/trunk

Files:

: 6 edited

README.txt (modified) (2 diffs)
cypress/support/commands.js (modified) (6 diffs)
includes/class-volunteer.php (modified) (14 diffs)
includes/class-wi-volunteer-management.php (modified) (1 diff)
languages/wired-impact-volunteer-management.pot (modified) (2 diffs)
wivm.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

wired-impact-volunteer-management/trunk/README.txt

-                      r3429767
+                      r3444373
 Tested up to: 6.9
 Requires PHP: 5.2.4
 Stable tag: 2.8
+Stable tag: 2.8.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 2.8.1 =
+* Fixed vulnerability where unauthenticated volunteer form submissions could overwrite first name, last name and phone number data for non-volunteer roles.
 = 2.8 =
 * Updated Cypress tests to work with WordPress 6.9.

wired-impact-volunteer-management/trunk/cypress/support/commands.js

-                      r3242201
+                      r3444373
     cy.exec(Cypress.env('wpCLIPrefix') + ' post delete $(' + Cypress.env('wpCLIPrefix') + ' post list --post_type=volunteer_opp --format=ids) --force');
     cy.exec(Cypress.env('wpCLIPrefix') + ' post create --post_type=volunteer_opp --post_title="Clean up Trash" --post_status="publish"').then((result) => {
         let stdOutParts = result.stdout.slice(0, -1);
         stdOutParts     = stdOutParts.split(' ');
 …
  */
 Cypress.Commands.add('trashAllGravityFormsForms', () => {
     cy.exec(Cypress.env('wpCLIPrefix') + ' gf form delete $(' + Cypress.env('wpCLIPrefix') + ' gf form list --format=ids)');
 });
 …
     const formJSON = {"fields":[{"type":"name","id":1,"formId":6,"label":"Name","adminLabel":"","isRequired":false,"size":"large","errorMessage":"","visibility":"visible","nameFormat":"advanced","inputs":[{"id":"1.2","label":"Prefix","name":"","autocompleteAttribute":"honorific-prefix","choices":[{"text":"Dr.","value":"Dr."},{"text":"Miss","value":"Miss"},{"text":"Mr.","value":"Mr."},{"text":"Mrs.","value":"Mrs."},{"text":"Ms.","value":"Ms."},{"text":"Mx.","value":"Mx."},{"text":"Prof.","value":"Prof."},{"text":"Rev.","value":"Rev."}],"isHidden":true,"inputType":"radio"},{"id":"1.3","label":"First","name":"","autocompleteAttribute":"given-name"},{"id":"1.4","label":"Middle","name":"","autocompleteAttribute":"additional-name","isHidden":true},{"id":"1.6","label":"Last","name":"","autocompleteAttribute":"family-name"},{"id":"1.8","label":"Suffix","name":"","autocompleteAttribute":"honorific-suffix","isHidden":true}],"description":"","allowsPrepopulate":false,"inputMask":false,"inputMaskValue":"","inputMaskIsCustom":"","maxLength":"","inputType":"","labelPlacement":"","descriptionPlacement":"","subLabelPlacement":"","placeholder":"","cssClass":"","inputName":"","noDuplicates":false,"defaultValue":"","enableAutocomplete":false,"autocompleteAttribute":"","choices":"","conditionalLogic":"","productField":"","layoutGridColumnSpan":"","enableEnhancedUI":0,"layoutGroupId":"b7373b44","fields":"","displayOnly":""},{"type":"phone","id":3,"formId":6,"label":"Phone","adminLabel":"","isRequired":false,"size":"large","errorMessage":"","visibility":"visible","inputs":null,"phoneFormat":"international","autocompleteAttribute":"tel","description":"","allowsPrepopulate":false,"inputMask":false,"inputMaskValue":"","inputMaskIsCustom":"","maxLength":"","inputType":"","labelPlacement":"","descriptionPlacement":"","subLabelPlacement":"","placeholder":"","cssClass":"","inputName":"","noDuplicates":false,"defaultValue":"","enableAutocomplete":false,"choices":"","conditionalLogic":"","productField":"","layoutGridColumnSpan":12,"enableEnhancedUI":0,"layoutGroupId":"33f7781e","fields":"","displayOnly":""},{"type":"email","id":4,"formId":6,"label":"Email","adminLabel":"","isRequired":false,"size":"large","errorMessage":"","visibility":"visible","inputs":null,"autocompleteAttribute":"email","description":"","allowsPrepopulate":false,"inputMask":false,"inputMaskValue":"","inputMaskIsCustom":"","maxLength":"","inputType":"","labelPlacement":"","descriptionPlacement":"","subLabelPlacement":"","placeholder":"","cssClass":"","inputName":"","noDuplicates":false,"defaultValue":"","enableAutocomplete":false,"choices":"","conditionalLogic":"","productField":"","layoutGridColumnSpan":12,"emailConfirmEnabled":"","enableEnhancedUI":0,"layoutGroupId":"9467c1ea","fields":"","displayOnly":""},{"type":"select","id":6,"formId":6,"label":"T-Shirt Size","adminLabel":"","isRequired":false,"size":"large","errorMessage":"","visibility":"visible","validateState":true,"inputs":null,"choices":[{"text":"Extra Small","value":"Extra Small","isSelected":false,"price":""},{"text":"Small","value":"Small","isSelected":false,"price":""},{"text":"Medium","value":"Medium","isSelected":false,"price":""},{"text":"Large","value":"Large","isSelected":false,"price":""},{"text":"Extra Large","value":"Extra Large","isSelected":false,"price":""}],"description":"","allowsPrepopulate":false,"inputMask":false,"inputMaskValue":"","inputMaskIsCustom":false,"maxLength":"","inputType":"","labelPlacement":"","descriptionPlacement":"","subLabelPlacement":"","placeholder":"","cssClass":"","inputName":"","noDuplicates":false,"defaultValue":"","enableAutocomplete":false,"autocompleteAttribute":"","conditionalLogic":"","productField":"","layoutGridColumnSpan":12,"enablePrice":"","enableEnhancedUI":0,"layoutGroupId":"73e95759","multipleFiles":false,"maxFiles":"","calculationFormula":"","calculationRounding":"","enableCalculation":"","disableQuantity":false,"displayAllCategories":false,"useRichTextEditor":false,"errors":[],"fields":""},{"type":"textarea","id":5,"formId":6,"label":"Why do you want to volunteer with us?","adminLabel":"","isRequired":false,"size":"medium","errorMessage":"","visibility":"visible","inputs":null,"description":"","allowsPrepopulate":false,"inputMask":false,"inputMaskValue":"","inputMaskIsCustom":false,"maxLength":"","inputType":"","labelPlacement":"","descriptionPlacement":"","subLabelPlacement":"","placeholder":"","cssClass":"","inputName":"","noDuplicates":false,"defaultValue":"","enableAutocomplete":false,"autocompleteAttribute":"","choices":"","conditionalLogic":"","productField":"","layoutGridColumnSpan":12,"form_id":"","useRichTextEditor":false,"enableEnhancedUI":0,"layoutGroupId":"a96865a7","multipleFiles":false,"maxFiles":"","calculationFormula":"","calculationRounding":"","enableCalculation":"","disableQuantity":false,"displayAllCategories":false,"errors":[],"fields":""}],"button":{"type":"text","text":"","imageUrl":"","width":"auto","location":"bottom","layoutGridColumnSpan":12},"title":"Volunteer Signup","description":"","version":"2.7.17.1","id":6,"markupVersion":2,"nextFieldId":7,"useCurrentUserAsAuthor":true,"postContentTemplateEnabled":false,"postTitleTemplateEnabled":false,"postTitleTemplate":"","postContentTemplate":"","lastPageButton":null,"pagination":null,"firstPageCssClass":null,"confirmations":[{"id":"65734ead4e58d","name":"Default Confirmation","isDefault":true,"type":"message","message":"Thanks for signing up to volunteer!","url":"","pageId":"","queryString":"","event":"","disableAutoformat":false,"page":"","conditionalLogic":[]}],"notifications":[{"id":"65734ead4e18f","isActive":true,"to":"{admin_email}","name":"Admin Notification","event":"form_submission","toType":"email","subject":"New submission from {form_title}","message":"{all_fields}"}]};
     cy.exec(Cypress.env('wpCLIPrefix') + ' gf form create "Volunteer Signup" "" --form-json=\'' + JSON.stringify(formJSON) + '\'').then((result) => {
         const stdOutParts = result.stdout.split(' ');
         const formID      = stdOutParts[stdOutParts.length - 1];
 …
  */
 Cypress.Commands.add('deleteAllMailCatcherEmails', () => {
     cy.request('DELETE', 'http://127.0.0.1:1080/messages').then((response) => {
         expect(response.status).to.eq(204);
 …
 /**
+ * Get the WordPress iframe content editor so we can test inside of it.
+ * Get the WordPress block editor content area.
+ *
+ * In WordPress 6.3+, the post editor may or may not use an iframe depending
+ * on theme type and other conditions. This command handles both cases.
+ *
  * You must also set chromeWebSecurity to false in cypress.config.js
  * to work with iframes.
+ *
+ *
+ * @see https://make.wordpress.org/core/2023/07/18/miscellaneous-editor-changes-in-wordpress-6-3/
  * @see https://github.com/cypress-io/cypress-example-recipes/tree/master/examples/blogs__iframes
- * @see https://on.cypress.io/wrap
  */
 Cypress.Commands.add('getBlockEditorIFrameBody', () => {
 …
     cy.log('getBlockEditorIFrameBody');
+    return cy
+        .get('iframe[name="editor-canvas"]', { log: false })
+        .its('0.contentDocument.body', { log: false }).should('not.be.empty')
+        .then((body) => cy.wrap(body, { log: false }))
+    return cy.get('body').then(($body) => {
+        const $iframe = $body.find('iframe[name="editor-canvas"]');
+        if ($iframe.length) {
+            // Editor is iframed
+            return cy
+                .get('iframe[name="editor-canvas"]', { log: false })
+                .its('0.contentDocument.body', { log: false }).should('not.be.empty')
+                .then((body) => cy.wrap(body, { log: false }));
+        } else {
+            // Editor is not iframed
+            return cy.get('.editor-styles-wrapper', { log: false });
+        }
+    });
 });

wired-impact-volunteer-management/trunk/includes/class-volunteer.php

-                      r3008933
+                      r3444373
      */
     public function set_meta(){
         $user_data = get_userdata( $this->ID );
+        $user_data  = get_userdata( $this->ID );
         $this->meta = array(
             'first_name'                => $user_data->first_name,
             'last_name'                 => $user_data->last_name,
             'email'                     => $user_data->user_email,
             'phone'                     => $this->format_phone_number( get_user_option( 'phone', $this->ID ) ),
             'notes'                     => esc_textarea( get_user_option( 'notes', $this->ID ) ),
             'num_volunteer_opps'        => $this->get_num_volunteer_opps(),
             'first_volunteer_opp_time'  => $this->get_first_volunteer_opp_time()
+            'first_name'               => $user_data->first_name,
+            'last_name'                => $user_data->last_name,
+            'email'                    => $user_data->user_email,
+            'phone'                    => $this->format_phone_number( get_user_option( 'phone', $this->ID ) ),
+            'notes'                    => esc_textarea( get_user_option( 'notes', $this->ID ) ),
+            'num_volunteer_opps'       => $this->get_num_volunteer_opps(),
+            'first_volunteer_opp_time' => $this->get_first_volunteer_opp_time()
         );
+    }
 …
+     *
      * @todo   Remove duplicates of this method that exist in other classes
+     *
      * @param  int $unformmated_number Phone number in only integers
+     *
+     * @param  int $unformatted_number Phone number in only integers.
      * @return string Phone number formatted to look nice.
      */
     public function format_phone_number( $unformatted_number ){
+    public function format_phone_number( $unformatted_number ) {
         $formatted_number = '';
 …
     /**
      * Get the number of volunteer opportunities this volunteer has signed up for.
+     *
+     *
      * @return int Number of volunteer opportunities signed up for
      */
 …
      * This is used to display the year the person started volunteering within the admin. It's worth
      * noting that this isn't the time of the opportunity, but rather when they RSVPed.
+     *
+     *
      * @return string The date and time of the first volunteer RSVP.
      */
 …
      * Get an array with all of the volunteer opportunities this person has signed up for.
+     *
      * First we pull only the IDs of the posts that have been signed up for with the most recent one they signed
+     * First we pull only the IDs of the posts that have been signed up for with the most recent one they signed
      * up for first. Then we create a new WI_Volunteer_Management_Opportunity object for each and return it.
+     *
 …
         switch( $type ){
             //All Volunteer Opportunities
+            // All Volunteer Opportunities.
             case 'all':
                 $query = "
                          SELECT post_id
 …
                 $query_values = array( $this->ID, 1 );
                 break;
             //One-Time Volunteer Opportunities
             //For this query we joined the postmeta table on itself in order to use two meta values.
+            // One-Time Volunteer Opportunities.
+            // For this query we joined the postmeta table on itself in order to use two meta values.
             case 'one-time':
                 $query = "
                          SELECT rsvps.post_id
 …
                 break;
             //Flexible Volunteer Opportunities
+            // Flexible Volunteer Opportunities.
             case 'flexible':
                 $query = "
                          SELECT rsvps.post_id
 …
         $volunteer_opps = $wpdb->get_results( $wpdb->prepare( $query, $query_values ) );
         //Use post id to grab a bunch info on each opportunity and store in the same variable using &.
         foreach( $volunteer_opps as &$opp ){
+        // Use post id to grab a bunch info on each opportunity and store in the same variable using &.
+        foreach ( $volunteer_opps as &$opp ) {
             $opp = new WI_Volunteer_Management_Opportunity( $opp->post_id );
+        }
 …
     /**
      * Remove an RSVP for a user for a specific volunteer opportunity. This is usually done through AJAX.
+     *
      * @param  int $post_id ID of the volunteer opportunity to have its RSVP removed
+     *
+     * @param  int $post_id ID of the volunteer opportunity to have its RSVP removed.
      * @return int|bool The number of rows updated or false if error
      */
 …
         global $wpdb;
         $status = $wpdb->update(
             $wpdb->prefix  . 'volunteer_rsvps',
+        $status = $wpdb->update(
+            $wpdb->prefix  . 'volunteer_rsvps',
             array( //Data to update
                 'rsvp' => 0
             ),
+            ),
             array( //Where
                 'user_id' => $this->ID,
                 'post_id' => $post_id
             ),
+            ),
             array( '%d' ), //Data formats
             array( '%d', '%d' ) //Where formats
 …
      * volunteer including the contact info, notes on them and which volunteer opportunities they signed up for.
+     *
-     * @param int $user_id The volunteer's ID.
      * @return string The URL needed to view this volunteer's information.
      */
 …
             $user_id = wp_insert_user( $userdata );
+        } else { // If the user already exists, update the user based on their email address.
+            $userdata['ID'] = $existing_user;
+            $user_id = wp_update_user( $userdata );
+            // Update phone for new users.
+            update_user_option( $user_id, 'phone', preg_replace( '/[^0-9]/', '', $form_fields['wivm_phone'] ) );
+        } else {
+            // User already exists: only update their data if they have the volunteer role.
+            // This prevents unauthenticated users from overwriting data for admins or other roles.
+            $user_id       = $existing_user;
+            $should_update = $this->should_update_existing_user( $existing_user );
+            if ( $should_update ) {
+                $userdata['ID'] = $existing_user;
+                wp_update_user( $userdata );
+                update_user_option( $user_id, 'phone', preg_replace( '/[^0-9]/', '', $form_fields['wivm_phone'] ) );
+            }
             // On multisite we need to add the user to this site if they don't have access.
             if ( is_multisite() && ! is_user_member_of_blog( $userdata['ID'] ) ) {
                 add_user_to_blog( get_current_blog_id(), $userdata['ID'], 'volunteer' );
                 update_user_option( $userdata['ID'], 'notes', '' );
+            if ( is_multisite() && ! is_user_member_of_blog( $existing_user ) ) {
+                add_user_to_blog( get_current_blog_id(), $existing_user, 'volunteer' );
+                update_user_option( $existing_user, 'notes', '' );
+            }
+        }
-        // Update custom user meta for new and existing volunteers.
-        update_user_option( $user_id, 'phone', preg_replace( '/[^0-9]/', '', $form_fields['wivm_phone'] ) );
         $this->ID = $user_id;
 …
     /**
+     * Check if an existing user's data should be updated after volunteer form submission.
+     *
+     * Only users with the "volunteer" role should have their data updated.
+     * This protects admin accounts and other user types from having their
+     * data overwritten by unauthenticated form submissions.
+     *
+     * @param int $user_id The ID of the existing user.
+     * @return bool True if the user's data should be updated, false otherwise.
+     */
+    private function should_update_existing_user( $user_id ) {
+        $user = get_userdata( $user_id );
+        if ( ! $user ) {
+            return false;
+        }
+        // Only allow updates for users with the volunteer role.
+        $should_update = in_array( 'volunteer', (array) $user->roles, true );
+        /**
+         * Filter whether an existing user's data should be updated after volunteer form submission.
+         *
+         * @param bool    $should_update Whether the user's data should be updated.
+         * @param int     $user_id       The ID of the existing user.
+         * @param WP_User $user          The user object.
+         */
+        return apply_filters( 'wivm_should_update_existing_volunteer', $should_update, $user_id, $user );
+    }
+    /**
      * Delete RSVPs for this user.
+     *
      * This is typically done right before the user is deleted from WordPress entirely.
+     *
+     *
      * @return int|bool Int for number of rows updated of false on error
      */
     public function delete_rsvps(){
+    public function delete_rsvps() {
         global $wpdb;
         $delete_info = $wpdb->delete(
                 $wpdb->prefix  . "volunteer_rsvps",
                 array( 'user_id' => $this->ID ),
                 array( '%d' )
+            $wpdb->prefix . 'volunteer_rsvps',
+            array( 'user_id' => $this->ID ),
+            array( '%d' )
         );
         return $delete_info;
+    }
 } //class WI_Volunteer_Management_Volunteer

wired-impact-volunteer-management/trunk/includes/class-wi-volunteer-management.php

r3429767	r3444373
69	69
70	70	$this->plugin_name = 'wired-impact-volunteer-management';
71		$this->version = '2.8';
	71	$this->version = '2.8.1';
72	72
73	73	$this->load_dependencies();

wired-impact-volunteer-management/trunk/languages/wired-impact-volunteer-management.pot

-                      r3429767
+                      r3444373
 # Copyright (C) 2025 Wired Impact
+# Copyright (C) 2026 Wired Impact
 # This file is distributed under the GPL-2.0+.
 msgid ""
 msgstr ""
 "Project-Id-Version: Wired Impact Volunteer Management 2.8\n"
+"Project-Id-Version: Wired Impact Volunteer Management 2.8.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/wired-impact-volunteer-management\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 …
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "POT-Creation-Date: 2025-12-30T18:09:42+00:00\n"
+"POT-Creation-Date: 2026-01-21T17:56:37+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.11.0\n"

wired-impact-volunteer-management/trunk/wivm.php

r3429767	r3444373
17	17	* Plugin URI: https://wiredimpact.com/wordpress-plugins-for-nonprofits/volunteer-management/
18	18	* Description: A simple, free way to keep track of your nonprofit’s volunteers and opportunities.
19		* Version: 2.8
	19	* Version: 2.8.1
20	20	* Requires at least: 6.3
21	21	* Requires PHP: 5.2.4

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: