Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3494684

Timestamp:

03/30/2026 02:26:20 PM (2 days ago)

Author:

lwsdevelopers

Message:

Fix "Arbitrary Content Deletion in MyRewards" ticket ID: ad9d6479-7107-4663-994c-4a07b91e0d99.

Location:

woorewards/trunk

Files:

: 8 edited

assets/lws-adminpanel/include/internal/pages.php (modified) (2 diffs)
assets/lws-adminpanel/include/pages/field/button.php (modified) (2 diffs)
assets/lws-adminpanel/js/fields.js (modified) (1 diff)
assets/lws-adminpanel/lws-adminpanel.php (modified) (2 diffs)
include/pointsflow/action.php (modified) (2 diffs)
include/ui/adminscreens/pointsmanagement.php (modified) (2 diffs)
readme.txt (modified) (2 diffs)
woorewards.php (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

woorewards/trunk/assets/lws-adminpanel/include/internal/pages.php

-                      r3463447
+                      r3494684
                 exit(0);
+            $nonce = sanitize_text_field(wp_unslash($data['lws_adminpanel_triggerable_button_nonce'] ?? ''));
+            if (!\wp_verify_nonce($nonce, 'lws_adminpanel_triggerable_button_nonce')) {
+                \wp_send_json_error(__("Token expired. Please reload the page and retry.", 'lws-adminpanel'));
+            }
             $response = $this->trigAjaxButton($this->pages, $button, $data);
             if( !is_null($response) )
 …
         foreach( $tree as $node )
+        {
+            $rights = $node['rights'] ?? '';
+            if ($rights && !\current_user_can($rights)) {
+                continue;
+            }
             if( is_array($node) )
+            {

woorewards/trunk/assets/lws-adminpanel/include/pages/field/button.php

-                      r3458815
+                      r3494684
                 $attrs['data-action'] = $submit;
+            }
+            $nonce = $this->getExtraValue('nonce', false);
+            if ($nonce) {
+                $attrs['data-adm-btn-nonce'] = \wp_create_nonce( $nonce );
+            }
+        }
         if ($this->getExtraValue('disabled', false))
 …
+        }
+        if( $triggable ) {
+            // security
+            $out .= sprintf(
+                '<input type="hidden" value="%s" name="lws_adminpanel_triggerable_button_nonce"/>',
+                \esc_attr(\wp_create_nonce('lws_adminpanel_triggerable_button_nonce'))
+            );
+        }
         $attrs = $this->getDomAttributes($attrs);
         $out .= "<div class='lws-adm-btn$class' id='{$this->m_Id}' type='button'{$attrs}>$text</div>";
+        if( $triggable || $submit ) // answer zone
+        if( $triggable || $submit ) {
+            // answer zone
             $out .= "<div class='lws-adm-btn-trigger-response'></div>";
+        }
         if( isset($this->extra['container']) )

woorewards/trunk/assets/lws-adminpanel/js/fields.js

-                      r3350120
+                      r3494684
 main.next(".lws-adm-btn-trigger-response").html(response.data);}else{alert(lws_adminpanel.triggerError)}}}).fail(function(d,textStatus,error){main.removeClass('disabled');main.find('.lws-loader').remove();main.replaceWith("<p class='lws-error'>Trigger error, status: "+textStatus+", error: "+error+"</p>").show()});return!1});$('body').on('click','.lws_adm_btn_group_submit',function(e){e.preventDefault();var main=$(this);if(main.hasClass('disabled'))return!1;main.addClass('disabled');if(!main.find('.lws-loader').length)
 main.append($("<div>",{'class':'lws-loader'}).append($("<div>",{'class':'animation'})));setTimeout(function(){main.removeClass('disabled');main.find('.lws-loader').remove()},5000);var form=$('<form>',{'method':main.data('method'),'action':'get'==main.data('method')?lws_ajax.url:main.data('action'),'style':'display: none;'});if('get'==main.data('method'))
+form.append($('<input>',{'name':'action','value':main.data('action')}));form.append($(this).closest('.lws-form-div').clone());form.appendTo('body').trigger('submit');setTimeout(function(){form.remove()},1000);return!1});$(document).on('click',function(e){if($(e.target).closest(".lwss-disable-on-clic-out").length==0){if($(e.target).closest(".lwss-hide-on-clic-out").length==0)
+form.append($('<input>',{'name':'action','value':main.data('action')}));let n=main.data('adm-btn-nonce');if(n){form.append($('<input>',{'name':'lws_btn_nonce','value':n}))}
+form.append($(this).closest('.lws-form-div').clone());form.appendTo('body').trigger('submit');setTimeout(function(){form.remove()},1000);return!1});$(document).on('click',function(e){if($(e.target).closest(".lwss-disable-on-clic-out").length==0){if($(e.target).closest(".lwss-hide-on-clic-out").length==0)
 $(".lwss-hide-on-clic-out").fadeOut();if($(e.target).closest(".lwss-fold-on-clic-out").length==0)
 $(".lwss-fold-on-clic-out").slideUp();}});$(document).on('keyup',function(e){if((e.keyCode||e.which||e.charCode||0)===27){$(".lwss-hide-on-clic-out").fadeOut();$(".lwss-fold-on-clic-out").slideUp()}});$('form').on('change',"input, textarea, select, .gizmo",function(event,internal){if(undefined!=internal&&'ignore'==internal)

woorewards/trunk/assets/lws-adminpanel/lws-adminpanel.php

-                      r3487131
+                      r3494684
  * Author: Long Watch Studio
  * Author URI: https://longwatchstudio.com
  * Version: 5.7.4
+ * Version: 5.7.5
  * Text Domain: lws-adminpanel
+ *
 …
 add_filter('lws_adminpanel_versions', function($versions){
     $versions['5.7.4'] = __FILE__;
+    $versions['5.7.5'] = __FILE__;
     return $versions;
 });

woorewards/trunk/include/pointsflow/action.php

-                      r3463447
+                      r3494684
     function exportWR()
+    {
+        if (!\wp_verify_nonce(sanitize_text_field(wp_unslash($_REQUEST['lws_btn_nonce'] ?? '')), 'woorewards-lite' . '-export-wr')) {
+            \wp_die('forbidden', 403);
+        }
         if( !\current_user_can('manage_options') )
             \wp_die('forbidden', 403);
 …
     function exportPoints()
+    {
+        if (!\wp_verify_nonce(sanitize_text_field(wp_unslash($_REQUEST['lws_btn_nonce'] ?? '')), 'woorewards-lite' . '-export-points')) {
+            \wp_die('forbidden', 403);
+        }
         if( !\current_user_can('manage_options') )
             \wp_die('forbidden', 403);

woorewards/trunk/include/ui/adminscreens/pointsmanagement.php

-                      r3463447
+                      r3494684
                         'extra' => array(
                             'link' => array('ajax' => 'woorewards-lite' . '-export-wr'),
+                            'nonce' => 'woorewards-lite' . '-export-wr',
+                        )
                     ),
 …
                         'extra' => array(
                             'link' => array('ajax' => 'woorewards-lite' . '-export-points'),
+                            'nonce' => 'woorewards-lite' . '-export-points',
+                        )
                     ),

woorewards/trunk/readme.txt

-                      r3487131
+                      r3494684
 Tested up to: 6.9
 Requires PHP: 7.3.0
 Stable tag: 5.7.3.1
+Stable tag: 5.7.4
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 5.7.4 =
+* Fix - Vulnerability ad9d6479-7107-4663-994c-4a07b91e0d99 — Arbitrary Content Deletion in MyRewards
 = 5.7.3.1 =
 * Tag - WooCommerce 10.6

woorewards/trunk/woorewards.php

-                      r3487131
+                      r3494684
  * Author: Long Watch Studio
  * Author URI: https://longwatchstudio.com
  * Version: 5.7.3.1
+ * Version: 5.7.4
  * License: GPLv2 or later
  * Text Domain: woorewards-lite
 …
     private function defineConstants()
+    {
         define('LWS_WOOREWARDS_VERSION', '5.7.3.1');
+        define('LWS_WOOREWARDS_VERSION', '5.7.4');
         define('LWS_WOOREWARDS_FILE', __FILE__);
         define('LWS_WOOREWARDS_DOMAIN', 'woorewards-lite');
 …
     public function addPluginVersion($url)
+    {
         return '5.7.3.1';
+        return '5.7.4';
+    }

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory