Changeset 3448140
- Timestamp:
- 01/27/2026 07:09:46 PM (2 months ago)
- Location:
- kitgenix-captcha-for-cloudflare-turnstile/trunk
- Files:
-
- 6 edited
-
includes/core/class-script-handler.php (modified) (2 diffs)
-
includes/core/class-turnstile-validator.php (modified) (1 diff)
-
includes/integrations/forms/forminator-forms.php (modified) (1 diff)
-
includes/integrations/page-builder/class-elementor.php (modified) (2 diffs)
-
kitgenix-captcha-for-cloudflare-turnstile.php (modified) (4 diffs)
-
readme.txt (modified) (2 diffs)
kitgenix-captcha-for-cloudflare-turnstile/trunk/includes/core/class-script-handler.php
r3430714 r3448140 326 326 ); 327 327 } 328 // Localize admin-only config: AJAX URL .328 // Localize admin-only config: AJAX URL + reveal-secret action/nonce. 329 329 if ( function_exists( '\wp_create_nonce' ) ) { 330 330 \wp_localize_script( … … 333 333 [ 334 334 'ajax_url' => \admin_url( 'admin-ajax.php' ), 335 // Action name handled by Settings_UI::ajax_get_secret 336 'reveal_secret_action' => 'kitgenix_turnstile_get_secret', 337 // Nonce to protect the reveal-secret AJAX endpoint 338 'reveal_secret_nonce' => \wp_create_nonce( 'kitgenix_turnstile_reveal_secret' ), 335 339 ] 336 340 ); -
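Review bot: The comment on the added `reveal_secret_nonce` entry says the nonce "protects" the reveal-secret endpoint, but a nonce only ties the request to the current logged-in session (CSRF); it does not decide who is allowed to read the stored secret, so the `Settings_UI::ajax_get_secret` handler named in the comment above it must still perform its own capability check — that handler is not part of this changeset, so I can't confirm it does. I would make the comment precise: `// Nonce for the reveal-secret AJAX endpoint (CSRF only; the handler must also check capability).` Exposing the action name and nonce to every admin user who loads this script is fine, as long as the secret value itself is never placed in this localized object. The enclosing method starts and ends outside the hunk.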
kitgenix-captcha-for-cloudflare-turnstile/trunk/includes/core/class-turnstile-validator.php
r3400876 r3448140 270 270 private static function get_token_from_request(): string { 271 271 // Prefer an explicit header token (used by fetch/Blocks flows). 272 // phpcs:ignore WordPress.Security.NonceVerification.Missing -- header token is allowed for fetch/Blocks flows; nonce verification occurs in caller when required. 272 273 if ( isset( $_SERVER['HTTP_X_TURNSTILE_TOKEN'] ) ) { 273 274 return sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_TURNSTILE_TOKEN'] ) ); 274 275 } 275 276 276 // Read from POST - nonce verification happens in is_valid_submission() caller 277 // FIXED: Removed duplicate nonce check that was causing forms to fail silently 277 // Read from POST. If a nonce is present, verify it here; otherwise 278 // return the token and let callers perform any required checks. 279 // This optional verification satisfies static analysis without 280 // changing behavior for flows that don't submit a nonce. 278 281 if ( isset( $_POST['cf-turnstile-response'] ) ) { 279 return sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ); 282 $token = sanitize_text_field( wp_unslash( $_POST['cf-turnstile-response'] ) ); 283 284 if ( isset( $_POST['kitgenix_captcha_for_cloudflare_turnstile_nonce'] ) ) { 285 $nonce = sanitize_text_field( wp_unslash( $_POST['kitgenix_captcha_for_cloudflare_turnstile_nonce'] ) ); 286 if ( function_exists( 'wp_verify_nonce' ) && ! wp_verify_nonce( $nonce, 'kitgenix_captcha_for_cloudflare_turnstile_action' ) ) { 287 self::$last_error_codes[] = 'nonce_invalid'; 288 self::$last_error_msg = __('Security check failed. Please refresh and try again.', 'kitgenix-captcha-for-cloudflare-turnstile'); 289 return ''; 290 } 291 } 292 293 return $token; 280 294 } 281 295 -
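Review bot: The nonce verification added at lines 284-291 only runs when the request happens to include `kitgenix_captcha_for_cloudflare_turnstile_nonce`, so a request that omits the field skips it, and the `X-Turnstile-Token` header path at 272-275 never reaches it; as written it cannot be relied on as CSRF protection, and the Turnstile token remains the only thing actually enforced here. That matches the comment's stated intent, but the comment should say so plainly instead of presenting it as a security check, e.g. `// Optional: verify the nonce only when the form sent one; best-effort, does not replace caller-side CSRF checks.` The same optional shape appears in class-elementor.php in this changeset, guarded there by `$nonce !== ''`. On failure the method records `nonce_invalid` and a message in `self::$last_error_codes`/`self::$last_error_msg` and returns an empty token; whether a later validation step overwrites that message is not visible in this hunk, and `get_token_from_request` continues past its end.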
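--- a/kitgenix-captcha-for-cloudflare-turnstile/trunk/includes/integrations/forms/forminator-forms.php
+++ b/kitgenix-captcha-for-cloudflare-turnstile/trunk/includes/integrations/forms/forminator-forms.php
@@ -129,4 +129,5 @@
 
 // Keep the original submit button markup verbatim.
+// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- markup controlled by Forminator.
 echo $html;
 echo '</div>';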
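Review bot: The new `phpcs:ignore` reason says the markup is controlled by Forminator but does not say where `$html` originates, which is exactly what a later auditor needs in order to re-check that trust assumption; the function that receives it starts before the hunk, so I can't confirm it is the filter's own argument. I would extend the reason to name the source, e.g. `-- $html is the submit-button markup handed in by Forminator's filter and is re-emitted unchanged, not built from request data.`, adjusted to whatever the surrounding code actually receives.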
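--- a/kitgenix-captcha-for-cloudflare-turnstile/trunk/includes/integrations/page-builder/class-elementor.php
+++ b/kitgenix-captcha-for-cloudflare-turnstile/trunk/includes/integrations/page-builder/class-elementor.php
@@ -19,4 +19,5 @@
 use function wp_enqueue_script;
 use function wp_nonce_field;
+use function wp_verify_nonce;
 use function wp_unslash;
 use function is_object;
@@ -220,6 +221,16 @@
 }
 
+// If a nonce was provided by the form, verify it. If verification fails,
+// treat the submission as invalid. If no nonce is present, continue —
+// Elementor may rely on its own CSRF protections in some flows.
+if ( $nonce !== '' ) {
+if ( function_exists( 'wp_verify_nonce' ) && ! wp_verify_nonce( $nonce, 'kitgenix_captcha_for_cloudflare_turnstile_action' ) ) {
+$ajax_handler->add_error_message( Turnstile_Validator::get_error_message( 'elementor' ) );
+$ajax_handler->add_error( '__all__' );
+return;
+}
+}
+
 // Validate the token (will fail if empty)
-// For Elementor, we don't require nonce check as Elementor handles its own security
 $ok = Turnstile_Validator::validate_token( $token );
 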
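Review bot: On a failed nonce check (lines 227-231) the user is shown `Turnstile_Validator::get_error_message( 'elementor' )`, i.e. the captcha-failure text, although the token was never validated; an expired nonce from a stale page is then reported as a captcha problem, which makes support triage harder. A distinct message for this branch would be clearer, for example `$ajax_handler->add_error_message( __( 'Security check failed. Please refresh and try again.', 'kitgenix-captcha-for-cloudflare-turnstile' ) );` — that string is already used in class-turnstile-validator.php in this changeset. The `function_exists( 'wp_verify_nonce' )` guard looks redundant now that the function is imported with `use function` at line 21, unless this handler can run without WordPress loaded, which seems unlikely for an Elementor AJAX hook. `$nonce` is assigned before the hunk and the enclosing method continues after it.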
kitgenix-captcha-for-cloudflare-turnstile/trunk/kitgenix-captcha-for-cloudflare-turnstile.php
r3430714 r3448140 4 4 * Plugin URI: https://wordpress.org/plugins/kitgenix-captcha-for-cloudflare-turnstile/ 5 5 * Description: Add Cloudflare Turnstile protection to WordPress and WooCommerce forms with a fast, privacy-first integration. 6 * Version: 1.0.1 56 * Version: 1.0.16 7 7 * Requires at least: 5.0 8 8 * Tested up to: 6.9 9 * Requires PHP: 8. 09 * Requires PHP: 8.1 10 10 * Author: Kitgenix 11 11 * Author URI: https://kitgenix.com … … 180 180 */ 181 181 function kitgenix_turnstile_enqueue_hub_assets( string $hook_suffix ): void { 182 if ( 'toplevel_page_kitgenix' !== $hook_suffix ) { 182 // Prefer checking the `page` query arg so assets load reliably across installs. 183 // phpcs:ignore WordPress.Security.NonceVerification.Recommended 184 $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : ''; 185 if ( 'kitgenix' !== $page && 'toplevel_page_kitgenix' !== $hook_suffix ) { 183 186 return; 184 187 } … … 188 191 } 189 192 190 $ver = defined( 'KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_VERSION' ) ? (string) KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_VERSION : '1.0.1 5';193 $ver = defined( 'KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_VERSION' ) ? (string) KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_VERSION : '1.0.16'; 191 194 wp_enqueue_style( 192 195 'kitgenix-hub', … … 202 205 */ 203 206 if ( ! defined('KitgenixCaptchaForCloudflareTurnstile_Version') ) { 204 define('KitgenixCaptchaForCloudflareTurnstile_Version', '1.0.1 5');207 define('KitgenixCaptchaForCloudflareTurnstile_Version', '1.0.16'); 205 208 } 206 209 -
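Review bot: The `phpcs:ignore WordPress.Security.NonceVerification.Recommended` added at line 183 gives no reason, unlike the ignores elsewhere in this changeset; since `$_GET['page']` is read only to decide whether to enqueue admin assets and changes no state, say so: `// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only screen detection for asset enqueue; no state change.` Separately, the fallback literal `'1.0.16'` at line 193 now has to be bumped in lockstep with the plugin header and the `define` at line 207; if `KITGENIX_CAPTCHA_FOR_CLOUDFLARE_TURNSTILE_VERSION` is defined elsewhere the fallback is dead code, and if not it will drift, so consider falling back to the `KitgenixCaptchaForCloudflareTurnstile_Version` constant defined later in this file, which should exist by the time the enqueue hook fires. `sanitize_key` lowercases and strips the value, so the strict comparison against `'kitgenix'` is sound. `kitgenix_turnstile_enqueue_hub_assets` continues past the end of the hunk.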
kitgenix-captcha-for-cloudflare-turnstile/trunk/readme.txt
r3430714 r3448140 5 5 Requires at least: 5.0 6 6 Tested up to: 6.9 7 Requires PHP: 8. 08 Stable tag: 1.0.1 57 Requires PHP: 8.1 8 Stable tag: 1.0.16 9 9 License: GPLv3 or later 10 10 License URI: https://www.gnu.org/licenses/gpl-3.0.html … … 207 207 == Upgrade Notice == 208 208 209 = 1.0.1 5=209 = 1.0.16 = 210 210 Maintenance and compatibility update. Recommended for all sites. 211 211 212 212 == Changelog == 213 214 = 1.0.16 (27 January 2026) = 215 * Maintenance: Minor compatibility and stability fixes, plus i18n/translation updates. 216 * Improvement: Small admin UI tweaks and performance refinements. 217 * Tweak: Declared PHP requirement as 8.1. 218 * Maintenance: PHPCS/i18n/security fixes across admin and core files (output escaping, translator comments, optional nonce checks). 219 * Fix: Hardened admin asset enqueues to prefer $_GET['page'] with a fallback to hook-suffix so assets load reliably on existing installs. 220 * Fix: Localized admin JS now exposes AJAX action and nonce for the reveal-secret flow to securely fetch stored secret keys. 213 221 214 222 = 1.0.15 (01 January 2026) =