Changeset 3495943

vulntitan/tags/2.1.17/CHANGELOG.md

-                      r3490735
+                      r3495943
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.1.17] - 2026-03-31
+### Added
+- Logged comments that land in the WordPress moderation queue into the firewall activity stream and weekly digest reporting.
+- Expanded the weekly digest protection profile and activity summaries to cover comment moderation and form-spam signals.
+### Changed
+- Refined the weekly digest email layout so two-column sections collapse cleanly on mobile screens.
+### Security
+- Hardened malware and integrity scan actions with stricter capability checks, safer in-root path validation, and server-side verification of auto-fix targets.
+- Enforced signed anti-spam tokens and CAPTCHA handling on REST comment submissions when anonymous REST comments are exposed elsewhere.
+- Tightened trusted proxy handling, bounded anti-spam token lifetimes, rate-limited 2FA challenge attempts, and moved maintenance self-heal work off the hot request path.
 ## [2.1.16] - 2026-03-25

vulntitan/tags/2.1.17/assets/js/malware-scanner.js

-                      r3483103
+                      r3495943
                 $feedback.text('').css('color', '#94a3b8');
-                const patterns = Array.isArray(finding.patterns) ? finding.patterns.join(', ') : (finding.type || '');
                 $.post(ajaxurl, {
                     action: 'vulntitan_malware_fix_finding',
                     nonce: VulnTitan.nonce,
                     file_path: item.file || '',
+                    line: lineNumber,
+                    expected_code: finding.code || '',
+                    patterns: patterns
+                    line: lineNumber
                 }, function (response) {
                     if (response && response.success) {

vulntitan/tags/2.1.17/assets/js/malware-scanner.min.js

-                      r3483103
+                      r3495943
                 $feedback.text('').css('color', '#94a3b8');
-                const patterns = Array.isArray(finding.patterns) ? finding.patterns.join(', ') : (finding.type || '');
                 $.post(ajaxurl, {
                     action: 'vulntitan_malware_fix_finding',
                     nonce: VulnTitan.nonce,
                     file_path: item.file || '',
+                    line: lineNumber,
+                    expected_code: finding.code || '',
+                    patterns: patterns
+                    line: lineNumber
                 }, function (response) {
                     if (response && response.success) {

vulntitan/tags/2.1.17/includes/Admin/Ajax.php

-                      r3485911
+                      r3495943
 class Ajax
+{
+    protected const FILE_OPERATIONS_CAPABILITY_FILTER = 'vulntitan_file_operations_capability';
     public function register(): void
+    {
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         $scanner = new MalwareScanner(get_option('vulntitan_malware_scan_scope', 'all'));
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $file = realpath( sanitize_text_field( wp_unslash( $_POST['file_path'] ?? '' ) ) );
+        if (!$file || strpos($file, ABSPATH) !== 0 || !file_exists($file)) {
+        $this->requireFileOperationsCapability();
+        $resolved = $this->resolveFilePathWithinWordPress((string) wp_unslash($_POST['file_path'] ?? ''));
+        if ($resolved === null) {
             wp_send_json_error(['message' => esc_html__('Invalid or missing file.', 'vulntitan')]);
+        }
 …
         try {
             $scanner = new MalwareScanner(get_option('vulntitan_malware_scan_scope', 'all'));
             $result = $scanner->scanSingleFile($file);
+            $result = $scanner->scanSingleFile($resolved['absolute']);
             wp_send_json_success([
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         $filePaths = $_POST['file_paths'] ?? [];
 …
         foreach ($filePaths as $inputPath) {
+            // Normalize: if path is absolute, convert it to relative
+            if (strpos($inputPath, ABSPATH) === 0) {
+                $relativePath = ltrim(str_replace(ABSPATH, '', $inputPath), '/\\');
+            } else {
+                $relativePath = ltrim($inputPath, '/\\');
+            }
+            $absolutePath = ABSPATH . $relativePath;
+            // Ensure the resolved path stays within WP directory (security check)
+            $realAbsolute = realpath($absolutePath);
+            $realBase = realpath(ABSPATH);
+            if (!$realAbsolute || strpos($realAbsolute, $realBase) !== 0) {
+            $resolved = $this->resolveFilePathWithinWordPress((string) $inputPath);
+            if ($resolved === null) {
                 $results[] = [
                     'file' => $relativePath,
+                    'file' => ltrim(str_replace('\\', '/', (string) $inputPath), '/'),
                     'status' => 'skipped',
                     'skipped' => true,
 …
                 continue;
+            }
+            if (!file_exists($realAbsolute)) {
+            try {
+                $findings = $scanner->scanSingleFile($resolved['absolute']);
                 $results[] = [
+                    'file' => $relativePath,
+                    'status' => 'skipped',
+                    'skipped' => true,
+                    'reason' => esc_html__('File not found.', 'vulntitan'),
+                ];
+                continue;
+            }
+            try {
+                $findings = $scanner->scanSingleFile($realAbsolute);
+                $results[] = [
+                    'file'      => $relativePath,
+                    'file'      => $resolved['relative'],
                     'status'    => !empty($findings) ? 'infected' : 'clean',
                     'findings'  => $findings,
 …
             } catch (Throwable $e) {
                 $results[] = [
                     'file'  => $relativePath,
+                    'file'  => $resolved['relative'],
                     'status' => 'error',
                     'error' => $e->getMessage(),
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         $filePath = sanitize_text_field(wp_unslash($_POST['file_path'] ?? ''));
         $lineNumber = isset($_POST['line']) ? (int) $_POST['line'] : 0;
-        $expectedCodeRaw = wp_unslash($_POST['expected_code'] ?? '');
-        $patternsRaw = wp_unslash($_POST['patterns'] ?? '');
-        $expectedCode = is_string($expectedCodeRaw) ? trim(substr($expectedCodeRaw, 0, 2000)) : '';
-        $patterns = is_string($patternsRaw) ? trim(substr($patternsRaw, 0, 300)) : '';
         if ($filePath === '' || $lineNumber < 1) {
 …
+        }
+        if (!$this->isFixablePatternList($patterns)) {
+            wp_send_json_error(['message' => esc_html__('Auto-fix is disabled for low-risk findings.', 'vulntitan')]);
+        }
+        $relativePath = ltrim(str_replace('\\', '/', $filePath), '/');
+        $absolutePath = ABSPATH . $relativePath;
+        $realAbsolute = realpath($absolutePath);
+        $realBase = realpath(ABSPATH);
+        if (!$realAbsolute || !$realBase || strpos($realAbsolute, $realBase) !== 0 || !is_file($realAbsolute)) {
+        $resolved = $this->resolveFilePathWithinWordPress($filePath);
+        if ($resolved === null) {
             wp_send_json_error(['message' => esc_html__('Invalid or unsafe file path.', 'vulntitan')]);
+        }
+        $relativePath = $resolved['relative'];
+        $realAbsolute = $resolved['absolute'];
+        $finding = $this->getFixableMalwareFinding($realAbsolute, $lineNumber);
+        if ($finding === null) {
+            wp_send_json_error(['message' => esc_html__('Auto-fix requires a current high-risk finding on the selected line.', 'vulntitan')]);
+        }
 …
         $updatedLine = $originalLine;
         $appliedMode = 'quarantine_line';
+        $expectedCode = trim(substr((string) ($finding['code'] ?? ''), 0, 2000));
+        $patterns = $this->normalizeFixablePatternList($finding['patterns'] ?? []);
         $normalizedExpectedCode = str_replace(["\r", "\n"], '', $expectedCode);
 …
+    }
+    protected function getFixableMalwareFinding(string $absolutePath, int $lineNumber): ?array
+    {
+        try {
+            $scanner = new MalwareScanner(get_option('vulntitan_malware_scan_scope', 'all'));
+            $findings = $scanner->scanSingleFile($absolutePath);
+        } catch (Throwable $e) {
+            return null;
+        }
+        foreach ($findings as $finding) {
+            if (!is_array($finding) || (int) ($finding['line'] ?? 0) !== $lineNumber) {
+                continue;
+            }
+            $patterns = $this->normalizeFixablePatternList($finding['patterns'] ?? []);
+            if (!$this->isFixablePatternList($patterns)) {
+                continue;
+            }
+            return $finding;
+        }
+        return null;
+    }
+    /**
+     * @param mixed $patterns
+     */
+    protected function normalizeFixablePatternList($patterns): string
+    {
+        if (!is_array($patterns)) {
+            return '';
+        }
+        $items = [];
+        foreach ($patterns as $pattern) {
+            $value = sanitize_key((string) $pattern);
+            if ($value !== '') {
+                $items[] = $value;
+            }
+        }
+        return implode(', ', array_values(array_unique($items)));
+    }
     protected function isFixablePatternList(string $patterns): bool
+    {
 …
+    }
+    protected function requireFileOperationsCapability(): void
+    {
+        if ($this->currentUserCanManageFileOperations()) {
+            return;
+        }
+        wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+    }
+    protected function currentUserCanManageFileOperations(): bool
+    {
+        $defaultCapability = is_multisite() ? 'manage_network_plugins' : 'update_plugins';
+        $capability = apply_filters(self::FILE_OPERATIONS_CAPABILITY_FILTER, $defaultCapability);
+        $capability = is_string($capability) && $capability !== '' ? $capability : $defaultCapability;
+        return current_user_can($capability);
+    }
+    protected function resolveFilePathWithinWordPress(string $inputPath): ?array
+    {
+        $inputPath = trim($inputPath);
+        if ($inputPath === '') {
+            return null;
+        }
+        $basePath = realpath(ABSPATH);
+        if (!$basePath) {
+            return null;
+        }
+        $normalizedBase = untrailingslashit(wp_normalize_path($basePath));
+        $normalizedInput = wp_normalize_path($inputPath);
+        if ($normalizedInput === $normalizedBase || strpos($normalizedInput, $normalizedBase . '/') === 0) {
+            $relativePath = ltrim(substr($normalizedInput, strlen($normalizedBase)), '/');
+        } else {
+            $relativePath = ltrim(str_replace('\\', '/', $inputPath), '/');
+        }
+        if ($relativePath === '') {
+            return null;
+        }
+        $absolutePath = realpath(trailingslashit($basePath) . $relativePath);
+        if (!$absolutePath || !is_file($absolutePath) || !$this->isPathInsideBase($absolutePath, $basePath)) {
+            return null;
+        }
+        $normalizedAbsolute = untrailingslashit(wp_normalize_path($absolutePath));
+        return [
+            'absolute' => $absolutePath,
+            'relative' => ltrim(substr($normalizedAbsolute, strlen($normalizedBase)), '/'),
+        ];
+    }
+    protected function isPathInsideBase(string $path, string $basePath): bool
+    {
+        $normalizedPath = untrailingslashit(wp_normalize_path($path));
+        $normalizedBase = untrailingslashit(wp_normalize_path($basePath));
+        return $normalizedPath === $normalizedBase || strpos($normalizedPath, $normalizedBase . '/') === 0;
+    }
     public function integrityScanInit(): void
+    {
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         if (!BaselineBuilder::exists()) {
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $file = sanitize_text_field(wp_unslash($_POST['file_path'] ?? ''));
+        if ($file === '') {
+            wp_send_json_error(['message' => esc_html__('File not found.', 'vulntitan')]);
+        }
+        if (strpos($file, ABSPATH) === 0) {
+            $relative = ltrim(str_replace(ABSPATH, '', $file), '/\\');
+        } else {
+            $relative = ltrim($file, '/\\');
+        }
+        $absolutePath = ABSPATH . $relative;
+        $realAbsolute = realpath($absolutePath);
+        $realBase = realpath(ABSPATH);
+        if (!$realAbsolute || !$realBase || strpos($realAbsolute, $realBase) !== 0 || !file_exists($realAbsolute)) {
+        $this->requireFileOperationsCapability();
+        $resolved = $this->resolveFilePathWithinWordPress((string) wp_unslash($_POST['file_path'] ?? ''));
+        if ($resolved === null) {
             wp_send_json_error(['message' => esc_html__('File not found.', 'vulntitan')]);
+        }
 …
             $scanner->loadBaseline();
+            $relativePath = ltrim(str_replace($realBase, '', $realAbsolute), '/\\');
+            $result = $scanner->scanSingleFile($relativePath);
+            $result = $scanner->scanSingleFile($resolved['relative']);
             wp_send_json_success([
 …
         $startedAt = microtime(true);
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         $queueId = sanitize_text_field( wp_unslash( $_POST['queue_id'] ?? '' ) );

vulntitan/tags/2.1.17/includes/Admin/Pages/Firewall.php

-                      r3486040
+                      r3495943
                                                         <span class="vulntitan-firewall-field-label"><?php esc_html_e('Trusted Proxy IPs', 'vulntitan'); ?></span>
                                                         <textarea id="vulntitan-firewall-trusted-proxies" class="vulntitan-firewall-textarea" rows="4" placeholder="203.0.113.10"></textarea>
+                                                        <small class="vulntitan-firewall-field-help"><?php esc_html_e('Add one IP per line or comma-separated. Only these proxies will be trusted for X-Forwarded-For / X-Real-IP headers.', 'vulntitan'); ?></small>
+                                                        <small class="vulntitan-firewall-field-help"><?php esc_html_e('Add one IP or CIDR per line or comma-separated. Only these proxies will be trusted for X-Forwarded-For / X-Real-IP headers.', 'vulntitan'); ?></small>
+                                                        <small class="vulntitan-firewall-field-help"><?php esc_html_e('Private proxy addresses are not trusted automatically. List them here if your reverse proxy or load balancer terminates traffic on a private network.', 'vulntitan'); ?></small>
                                                         <small class="vulntitan-firewall-field-help"><?php esc_html_e('If you use Cloudflare, enable the toggle above (no manual IP list needed).', 'vulntitan'); ?></small>
                                                     </label>

vulntitan/tags/2.1.17/includes/Plugin.php

-                      r3485911
+                      r3495943
     protected const FIREWALL_LOG_CLEANUP_HOOK = 'vulntitan_cleanup_firewall_logs';
     protected const WEEKLY_SUMMARY_EMAIL_HOOK = 'vulntitan_send_weekly_summary_email';
+    protected const COMPONENT_HEALTH_CHECK_TRANSIENT = 'vulntitan_component_health_check';
+    protected const COMPONENT_HEALTH_CHECK_TTL = 12 * HOUR_IN_SECONDS;
+    protected const COMPONENT_HEALTH_CHECK_RETRY_TTL = 15 * MINUTE_IN_SECONDS;
     public $admin;
 …
+    {
         $this->maybe_generate_baseline();
         $this->ensure_firewall_components();
+        $this->maybeEnsureFirewallComponents();
         $this->register_scheduled_events();
         $this->register_cli_commands();
 …
         wp_clear_scheduled_hook(self::FIREWALL_LOG_CLEANUP_HOOK);
         wp_clear_scheduled_hook(self::WEEKLY_SUMMARY_EMAIL_HOOK);
+        delete_transient(self::COMPONENT_HEALTH_CHECK_TRANSIENT);
         FirewallService::removeMuLoader();
+    }
 …
+    }
+    protected function ensure_firewall_components(): void
+    {
+        FirewallService::ensureTable();
+        FirewallService::installMuLoader();
+        VulnerabilityRiskService::ensureTables();
+    protected function maybeEnsureFirewallComponents(): void
+    {
+        if (!$this->shouldRunComponentHealthCheck()) {
+            return;
+        }
+        $success = $this->ensure_firewall_components();
+        set_transient(
+            self::COMPONENT_HEALTH_CHECK_TRANSIENT,
+            $success ? 'ok' : 'retry',
+            $success ? self::COMPONENT_HEALTH_CHECK_TTL : self::COMPONENT_HEALTH_CHECK_RETRY_TTL
+        );
+    }
+    protected function shouldRunComponentHealthCheck(): bool
+    {
+        if (defined('WP_INSTALLING') && WP_INSTALLING) {
+            return false;
+        }
+        if (get_transient(self::COMPONENT_HEALTH_CHECK_TRANSIENT)) {
+            return false;
+        }
+        if (defined('WP_CLI') && WP_CLI) {
+            return true;
+        }
+        if (defined('DOING_CRON') && DOING_CRON) {
+            return true;
+        }
+        if (function_exists('wp_doing_ajax') && wp_doing_ajax()) {
+            return false;
+        }
+        return is_admin();
+    }
+    protected function ensure_firewall_components(): bool
+    {
+        $firewallReady = FirewallService::ensureTable();
+        $muLoader = FirewallService::installMuLoader();
+        $vulnerabilityReady = VulnerabilityRiskService::ensureTables();
+        return $firewallReady && !empty($muLoader['success']) && $vulnerabilityReady;
+    }

vulntitan/tags/2.1.17/includes/Services/CaptchaService.php

-                      r3483537
+                      r3495943
     protected static bool $booted = false;
     protected static bool $renderedWidget = false;
+    protected static array $commentRequestFieldOverrides = [];
     public static function boot(): void
 …
         add_filter('registration_errors', [__CLASS__, 'verifyRegistrationCaptcha'], 20, 3);
         add_action('lostpassword_post', [__CLASS__, 'verifyLostPasswordCaptcha'], 10, 2);
+        add_filter('preprocess_comment', [__CLASS__, 'clearCommentRequestContext'], 1);
+        add_filter('rest_preprocess_comment', [__CLASS__, 'captureRestCommentContext'], 5, 2);
         add_filter('pre_comment_approved', [__CLASS__, 'verifyCommentCaptcha'], 8, 2);
+    }
 …
         if (!self::isContextEnabled(self::CONTEXT_COMMENT) || !self::isProviderConfigured()) {
-            return $approved;
+        }
-        if (defined('REST_REQUEST') && REST_REQUEST) {
             return $approved;
+        }
 …
         $field = $provider === 'turnstile' ? 'cf-turnstile-response' : 'h-captcha-response';
+        if (array_key_exists($field, self::$commentRequestFieldOverrides)) {
+            return trim((string) self::$commentRequestFieldOverrides[$field]);
+        }
         return trim((string) wp_unslash($_POST[$field] ?? $_REQUEST[$field] ?? ''));
+    }
+    /**
+     * @param array<string,mixed> $commentData
+     * @return array<string,mixed>
+     */
+    public static function clearCommentRequestContext(array $commentData): array
+    {
+        self::$commentRequestFieldOverrides = [];
+        return $commentData;
+    }
+    /**
+     * @param array<string,mixed> $preparedComment
+     * @return array<string,mixed>
+     */
+    public static function captureRestCommentContext(array $preparedComment, $request): array
+    {
+        self::$commentRequestFieldOverrides = self::extractRestCommentRequestFields($request);
+        return $preparedComment;
+    }
+    protected static function extractRestCommentRequestFields($request): array
+    {
+        if (!is_object($request) || !method_exists($request, 'get_param')) {
+            return [];
+        }
+        $fields = [];
+        foreach (['cf-turnstile-response', 'h-captcha-response'] as $field) {
+            $value = $request->get_param($field);
+            if (is_scalar($value) || $value === null) {
+                $fields[$field] = trim((string) $value);
+            }
+        }
+        return $fields;
+    }

vulntitan/tags/2.1.17/includes/Services/CommentSpamService.php

-                      r3490735
+                      r3495943
     protected const RATE_LIMIT_PREFIX = 'vulntitan_cs_rate_';
     protected const MIN_TOKEN_AGE = 1;
+    protected const MAX_TOKEN_AGE = 2 * HOUR_IN_SECONDS;
+    protected const MAX_TOKEN_FUTURE_SKEW = 5 * MINUTE_IN_SECONDS;
     protected const SHORT_COMMENT_MAX_WORDS = 3;
     protected const SHORT_COMMENT_MAX_LENGTH = 40;
 …
      */
     protected static ?array $pendingDecision = null;
+    protected static array $requestFieldOverrides = [];
     public static function boot(): void
 …
             $postId = (int) get_the_ID();
+        }
+        if ($postId <= 0 && function_exists('get_queried_object_id')) {
+            $postId = (int) get_queried_object_id();
+        }
         echo '<p class="comment-form-vulntitan-honeypot" style="position:absolute;left:-9999px;top:auto;width:1px;height:1px;overflow:hidden;" aria-hidden="true">';
 …
     public static function captureCommentDecision(array $commentData): array
+    {
+        self::$requestFieldOverrides = [];
         self::$pendingDecision = self::evaluateDecision($commentData, false);
 …
     public static function captureRestCommentDecision(array $preparedComment, $request): array
+    {
+        self::$requestFieldOverrides = self::extractRestRequestFields($request);
         self::$pendingDecision = self::evaluateDecision($preparedComment, true);
 …
+        }
+        if (!$isRest) {
+            $tokenValidation = self::validateFormToken((string) self::readRequestField(self::TOKEN_FIELD), $postId);
+            if (!empty($tokenValidation['present']) && empty($tokenValidation['valid'])) {
+                return self::buildDecisionFromSuspiciousAction(
+                    (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                    'invalid_form_token',
+                    __('Comment form token validation failed.', 'vulntitan'),
+                    [
+                        'post_id' => $postId,
+                        'rate_count' => $rateCount,
+                        'window_minutes' => $rateWindowMinutes,
+                    ],
+                    [
+                        'comment_hash' => self::buildCommentHash($normalizedContent),
+                    ]
+                );
+            }
+            $minSeconds = max(self::MIN_TOKEN_AGE, (int) ($settings['submission_min_submit_seconds'] ?? $settings['comment_min_submit_seconds'] ?? 3));
+            $tokenAge = (int) ($tokenValidation['age'] ?? 0);
+            if (!empty($tokenValidation['valid']) && $tokenAge > 0 && $tokenAge < $minSeconds) {
+                return self::buildDecisionFromSuspiciousAction(
+                    (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                    'submitted_too_fast',
+                    __('Comment was submitted faster than the configured minimum time threshold.', 'vulntitan'),
+                    [
+                        'post_id' => $postId,
+                        'rate_count' => $rateCount,
+                        'window_minutes' => $rateWindowMinutes,
+                        'submitted_after_seconds' => $tokenAge,
+                        'minimum_seconds' => $minSeconds,
+                    ],
+                    [
+                        'comment_hash' => self::buildCommentHash($normalizedContent),
+                    ]
+                );
+            }
+        $tokenValidation = self::validateFormToken((string) self::readRequestField(self::TOKEN_FIELD), $postId);
+        if ($isRest && !self::isAuthenticatedCommenter($commentData) && empty($tokenValidation['present'])) {
+            return self::buildDecisionFromSuspiciousAction(
+                (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                'missing_form_token',
+                __('REST comment request is missing the signed anti-spam token.', 'vulntitan'),
+                [
+                    'post_id' => $postId,
+                    'rate_count' => $rateCount,
+                    'window_minutes' => $rateWindowMinutes,
+                ],
+                [
+                    'comment_hash' => self::buildCommentHash($normalizedContent),
+                ]
+            );
+        }
+        if (!empty($tokenValidation['present']) && empty($tokenValidation['valid'])) {
+            return self::buildDecisionFromSuspiciousAction(
+                (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                'invalid_form_token',
+                __('Comment form token validation failed.', 'vulntitan'),
+                [
+                    'post_id' => $postId,
+                    'rate_count' => $rateCount,
+                    'window_minutes' => $rateWindowMinutes,
+                ],
+                [
+                    'comment_hash' => self::buildCommentHash($normalizedContent),
+                ]
+            );
+        }
+        $minSeconds = max(self::MIN_TOKEN_AGE, (int) ($settings['submission_min_submit_seconds'] ?? $settings['comment_min_submit_seconds'] ?? 3));
+        $tokenAge = (int) ($tokenValidation['age'] ?? 0);
+        if (!empty($tokenValidation['valid']) && $tokenAge > 0 && $tokenAge < $minSeconds) {
+            return self::buildDecisionFromSuspiciousAction(
+                (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                'submitted_too_fast',
+                __('Comment was submitted faster than the configured minimum time threshold.', 'vulntitan'),
+                [
+                    'post_id' => $postId,
+                    'rate_count' => $rateCount,
+                    'window_minutes' => $rateWindowMinutes,
+                    'submitted_after_seconds' => $tokenAge,
+                    'minimum_seconds' => $minSeconds,
+                ],
+                [
+                    'comment_hash' => self::buildCommentHash($normalizedContent),
+                ]
+            );
+        }
 …
         $tokenPostId = (int) $postIdRaw;
         $expected = wp_hash($timestampRaw . '|' . $postIdRaw . '|' . self::TOKEN_FIELD);
+        $now = time();
+        $age = max(0, $now - $timestamp);
         if ($timestamp <= 0 || $tokenPostId < 0 || !hash_equals($expected, $signature)) {
 …
+        }
+        if ($timestamp > ($now + self::MAX_TOKEN_FUTURE_SKEW) || $age > self::getTokenMaxAge()) {
+            return [
+                'present' => true,
+                'valid' => false,
+                'age' => $age,
+            ];
+        }
         return [
             'present' => true,
             'valid' => true,
             'age' => max(0, time() - $timestamp),
+            'age' => $age,
         ];
+    }
+    protected static function getTokenMaxAge(): int
+    {
+        $maxAge = (int) apply_filters('vulntitan_comment_token_max_age', self::MAX_TOKEN_AGE);
+        return max(self::MIN_TOKEN_AGE, $maxAge);
+    }
     protected static function readRequestField(string $field): string
+    {
+        if (array_key_exists($field, self::$requestFieldOverrides)) {
+            return trim((string) self::$requestFieldOverrides[$field]);
+        }
         if (!isset($_REQUEST[$field])) {
             return '';
 …
         return trim((string) $value);
+    }
+    protected static function extractRestRequestFields($request): array
+    {
+        if (!is_object($request) || !method_exists($request, 'get_param')) {
+            return [];
+        }
+        $fields = [];
+        foreach ([self::TOKEN_FIELD, self::HONEYPOT_FIELD] as $field) {
+            $value = $request->get_param($field);
+            if (is_scalar($value) || $value === null) {
+                $fields[$field] = trim((string) $value);
+            }
+        }
+        return $fields;
+    }
+}

vulntitan/tags/2.1.17/includes/Services/ContactFormSpamService.php

-                      r3485911
+                      r3495943
     protected const RATE_LIMIT_PREFIX = 'vulntitan_cf7_rate_';
     protected const MIN_TOKEN_AGE = 1;
+    protected const MAX_TOKEN_AGE = 2 * HOUR_IN_SECONDS;
+    protected const MAX_TOKEN_FUTURE_SKEW = 5 * MINUTE_IN_SECONDS;
     protected static bool $booted = false;
 …
         $tokenFormId = (int) $formIdRaw;
         $expected = wp_hash($timestampRaw . '|' . $formIdRaw . '|' . self::TOKEN_FIELD);
+        $now = time();
+        $age = max(0, $now - $timestamp);
         if ($timestamp <= 0 || $tokenFormId < 0 || !hash_equals($expected, $signature)) {
 …
+        }
+        if ($timestamp > ($now + self::MAX_TOKEN_FUTURE_SKEW) || $age > self::getTokenMaxAge($formId)) {
+            return [
+                'present' => true,
+                'valid' => false,
+                'age' => $age,
+            ];
+        }
         return [
             'present' => true,
             'valid' => true,
             'age' => max(0, time() - $timestamp),
+            'age' => $age,
         ];
+    }
+    protected static function getTokenMaxAge(int $formId): int
+    {
+        $maxAge = (int) apply_filters('vulntitan_form_token_max_age', self::MAX_TOKEN_AGE, 'contact_form_7', $formId);
+        return max(self::MIN_TOKEN_AGE, $maxAge);
+    }

vulntitan/tags/2.1.17/includes/Services/FirewallService.php

-                      r3490735
+                      r3495943
         $remoteAddr = isset($server['REMOTE_ADDR']) ? trim((string) $server['REMOTE_ADDR']) : '';
         $settings = self::getSettings();
+        $trustedProxies = self::getTrustedProxyIps($settings);
+        $trustCloudflare = !empty($settings['trust_cloudflare']);
+        $trustForwarded = self::isTrustedProxy($remoteAddr, $trustedProxies)
+            || ($trustCloudflare && self::isCloudflareIp($remoteAddr));
+        $trustForwarded = self::shouldTrustForwardedHeaders($remoteAddr, $settings);
         if ($trustForwarded) {
 …
         $trustCloudflare = !empty($settings['trust_cloudflare']);
         $isCloudflare = self::isCloudflareIp($remoteAddr);
+        $trustForwarded = self::isTrustedProxy($remoteAddr, $trustedProxies)
+            || ($trustCloudflare && $isCloudflare);
+        $trustForwarded = self::shouldTrustForwardedHeaders($remoteAddr, $settings);
         return [
 …
+        }
+        $trusted = array_filter(array_map('trim', $trusted), static function ($ip) {
+            return $ip !== '';
+        });
+        return array_values(array_unique($trusted));
+        return self::sanitizeTrustedProxyList($trusted);
+    }
+    protected static function shouldTrustForwardedHeaders(string $remoteAddr, ?array $settings = null): bool
+    {
+        if ($settings === null) {
+            $settings = self::getSettings();
+        }
+        $trustedProxies = self::getTrustedProxyIps($settings);
+        if (self::isTrustedProxy($remoteAddr, $trustedProxies)) {
+            return true;
+        }
+        return !empty($settings['trust_cloudflare']) && self::isCloudflareIp($remoteAddr);
+    }
 …
+        }
+        if (in_array($remoteAddr, $trustedProxies, true)) {
+            return true;
+        }
+        return self::isPrivateIp($remoteAddr);
+        foreach ($trustedProxies as $trustedProxy) {
+            $rule = self::sanitizeTrustedProxyRule((string) $trustedProxy);
+            if ($rule === '') {
+                continue;
+            }
+            if (strpos($rule, '/') !== false) {
+                if (self::ipInCidr($remoteAddr, $rule)) {
+                    return true;
+                }
+                continue;
+            }
+            if ($remoteAddr === $rule) {
+                return true;
+            }
+        }
+        return false;
+    }
 …
         );
         $lockoutAllowlist = self::sanitizeIpList($settings['lockout_allowlist_ips'] ?? $defaults['lockout_allowlist_ips']);
         $trustedProxies = self::sanitizeIpList($settings['trusted_proxies'] ?? $defaults['trusted_proxies']);
+        $trustedProxies = self::sanitizeTrustedProxyList($settings['trusted_proxies'] ?? $defaults['trusted_proxies']);
         $weeklySummaryRecipient = sanitize_email((string) ($settings['weekly_summary_email_recipient'] ?? $defaults['weekly_summary_email_recipient']));
 …
+    }
+    protected static function sanitizeTrustedProxyList($value): array
+    {
+        if (is_array($value)) {
+            $rawItems = $value;
+        } else {
+            $rawItems = preg_split('/[\r\n,]+/', (string) $value) ?: [];
+        }
+        $rules = [];
+        foreach ($rawItems as $item) {
+            $rule = self::sanitizeTrustedProxyRule((string) $item);
+            if ($rule === '') {
+                continue;
+            }
+            $rules[$rule] = $rule;
+        }
+        return array_values($rules);
+    }
+    protected static function sanitizeTrustedProxyRule(string $rule): string
+    {
+        $rule = trim($rule);
+        if ($rule === '') {
+            return '';
+        }
+        if (strpos($rule, '/') === false) {
+            return self::sanitizeIp($rule);
+        }
+        [$ip, $maskRaw] = explode('/', $rule, 2);
+        $ip = self::sanitizeIp($ip);
+        if ($ip === '' || !preg_match('/^\d{1,3}$/', $maskRaw)) {
+            return '';
+        }
+        $mask = (int) $maskRaw;
+        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            if ($mask < 0 || $mask > 32) {
+                return '';
+            }
+        } elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            if ($mask < 0 || $mask > 128) {
+                return '';
+            }
+        } else {
+            return '';
+        }
+        return $ip . '/' . $mask;
+    }
     protected static function sanitizeRoleList($value, array $fallback): array
+    {

vulntitan/tags/2.1.17/includes/Services/FluentFormSpamService.php

-                      r3485911
+                      r3495943
     protected const RATE_LIMIT_PREFIX = 'vulntitan_fluentforms_rate_';
     protected const MIN_TOKEN_AGE = 1;
+    protected const MAX_TOKEN_AGE = 2 * HOUR_IN_SECONDS;
+    protected const MAX_TOKEN_FUTURE_SKEW = 5 * MINUTE_IN_SECONDS;
     protected const BLOCK_MESSAGE = 'Your submission was blocked because the system detected spam or abuse. Remove excessive links and try again.';
 …
         $tokenFormId = (int) $formIdRaw;
         $expected = wp_hash($timestampRaw . '|' . $formIdRaw . '|' . self::TOKEN_FIELD);
+        $now = time();
+        $age = max(0, $now - $timestamp);
         if ($timestamp <= 0 || $tokenFormId < 0 || !hash_equals($expected, $signature)) {
 …
+        }
+        if ($timestamp > ($now + self::MAX_TOKEN_FUTURE_SKEW) || $age > self::getTokenMaxAge($formId)) {
+            return [
+                'present' => true,
+                'valid' => false,
+                'age' => $age,
+            ];
+        }
         return [
             'present' => true,
             'valid' => true,
             'age' => max(0, time() - $timestamp),
+            'age' => $age,
         ];
+    }
+    protected static function getTokenMaxAge(int $formId): int
+    {
+        $maxAge = (int) apply_filters('vulntitan_form_token_max_age', self::MAX_TOKEN_AGE, 'fluent_forms', $formId);
+        return max(self::MIN_TOKEN_AGE, $maxAge);
+    }

vulntitan/tags/2.1.17/includes/Services/LoginSecurityService.php

-                      r3483537
+                      r3495943
     protected const CHALLENGE_TTL = 10 * MINUTE_IN_SECONDS;
     protected const RECOVERY_PREVIEW_TTL = 15 * MINUTE_IN_SECONDS;
+    protected const ATTEMPT_PREFIX = 'vulntitan_2fa_attempt_';
+    protected const BLOCK_PREFIX = 'vulntitan_2fa_block_';
+    protected const MAX_CHALLENGE_ATTEMPTS = 5;
+    protected const ATTEMPT_WINDOW = 10 * MINUTE_IN_SECONDS;
+    protected const BLOCK_TTL = 10 * MINUTE_IN_SECONDS;
     protected static bool $booted = false;
 …
+        }
+        $rateLimit = self::getTwoFactorRateLimitState($user->ID, FirewallService::detectClientIp());
+        if (!empty($rateLimit['blocked'])) {
+            return new WP_Error(
+                'vulntitan_2fa_rate_limited',
+                self::getTwoFactorRateLimitMessage((int) ($rateLimit['remaining_seconds'] ?? self::BLOCK_TTL))
+            );
+        }
         $challengeId = self::createChallenge($user);
         $redirectUrl = add_query_arg([
 …
+        }
+        $ipAddress = FirewallService::detectClientIp();
+        $rateLimit = self::getTwoFactorRateLimitState($user->ID, $ipAddress);
+        if (!empty($rateLimit['blocked'])) {
+            self::deleteChallenge($challengeId);
+            self::renderChallengePage(
+                __('Two-Factor Authentication', 'vulntitan'),
+                self::getTwoFactorRateLimitMessage((int) ($rateLimit['remaining_seconds'] ?? self::BLOCK_TTL)),
+                [],
+                true
+            );
+        }
         if (strtoupper((string) ($_SERVER['REQUEST_METHOD'] ?? 'GET')) === 'POST') {
             $nonce = isset($_POST[self::CHALLENGE_NONCE]) ? (string) wp_unslash($_POST[self::CHALLENGE_NONCE]) : '';
 …
                 if ($isValid) {
                     self::deleteChallenge($challengeId);
+                    self::clearTwoFactorRateLimitState($user->ID, $ipAddress);
                     self::finalizeAuthenticatedLogin(
                         $user,
 …
                     'reason' => 'Invalid two-factor verification code.',
                 ]);
+                $rateLimit = self::recordFailedTwoFactorAttempt($user, $ipAddress);
+                if (!empty($rateLimit['blocked'])) {
+                    self::deleteChallenge($challengeId);
+                    self::renderChallengePage(
+                        __('Two-Factor Authentication', 'vulntitan'),
+                        self::getTwoFactorRateLimitMessage((int) ($rateLimit['remaining_seconds'] ?? self::BLOCK_TTL)),
+                        [],
+                        true
+                    );
+                }
                 $errorMessage = __('The verification code was invalid. Please try again.', 'vulntitan');
 …
+    }
+    protected static function getTwoFactorRateLimitState(int $userId, string $ipAddress): array
+    {
+        $blockedUntil = (int) get_transient(self::getTwoFactorBlockKey($userId, $ipAddress));
+        if ($blockedUntil > time()) {
+            return [
+                'blocked' => true,
+                'remaining_seconds' => max(1, $blockedUntil - time()),
+            ];
+        }
+        if ($blockedUntil > 0) {
+            delete_transient(self::getTwoFactorBlockKey($userId, $ipAddress));
+        }
+        return [
+            'blocked' => false,
+            'remaining_seconds' => 0,
+        ];
+    }
+    protected static function recordFailedTwoFactorAttempt(WP_User $user, string $ipAddress): array
+    {
+        $attemptKey = self::getTwoFactorAttemptKey($user->ID, $ipAddress);
+        $data = get_transient($attemptKey);
+        if (!is_array($data)) {
+            $data = [
+                'count' => 0,
+                'started_at' => time(),
+            ];
+        }
+        $data['count'] = max(0, (int) ($data['count'] ?? 0)) + 1;
+        $data['started_at'] = (int) ($data['started_at'] ?? time());
+        set_transient($attemptKey, $data, self::ATTEMPT_WINDOW);
+        if ((int) $data['count'] < self::MAX_CHALLENGE_ATTEMPTS) {
+            return [
+                'blocked' => false,
+                'remaining_seconds' => 0,
+            ];
+        }
+        $blockedUntil = time() + self::BLOCK_TTL;
+        set_transient(self::getTwoFactorBlockKey($user->ID, $ipAddress), $blockedUntil, self::BLOCK_TTL);
+        delete_transient($attemptKey);
+        FirewallService::logEvent('login_blocked', [
+            'ip_address' => $ipAddress,
+            'username' => $user->user_login,
+            'user_id' => $user->ID,
+            'event_source' => 'login_security',
+            'rule_group' => 'two_factor',
+            'rule_id' => 'totp_rate_limited',
+            'reason' => 'Too many invalid two-factor verification attempts.',
+            'details' => [
+                'attempts' => (int) $data['count'],
+                'retry_after_seconds' => self::BLOCK_TTL,
+            ],
+        ]);
+        return [
+            'blocked' => true,
+            'remaining_seconds' => self::BLOCK_TTL,
+        ];
+    }
+    protected static function clearTwoFactorRateLimitState(int $userId, string $ipAddress): void
+    {
+        delete_transient(self::getTwoFactorAttemptKey($userId, $ipAddress));
+        delete_transient(self::getTwoFactorBlockKey($userId, $ipAddress));
+    }
+    protected static function getTwoFactorAttemptKey(int $userId, string $ipAddress): string
+    {
+        return self::ATTEMPT_PREFIX . md5($userId . '|' . ($ipAddress !== '' ? $ipAddress : 'unknown'));
+    }
+    protected static function getTwoFactorBlockKey(int $userId, string $ipAddress): string
+    {
+        return self::BLOCK_PREFIX . md5($userId . '|' . ($ipAddress !== '' ? $ipAddress : 'unknown'));
+    }
+    protected static function getTwoFactorRateLimitMessage(int $remainingSeconds): string
+    {
+        return sprintf(
+            __('Too many two-factor verification attempts. Try again in %d minute(s).', 'vulntitan'),
+            max(1, (int) ceil($remainingSeconds / MINUTE_IN_SECONDS))
+        );
+    }
     protected static function renderChallengePage(string $title, string $message = '', array $context = [], bool $isFatal = false): void
+    {

vulntitan/tags/2.1.17/readme.txt

-                      r3490735
+                      r3495943
 Tested up to: 6.9
 Requires PHP: 7.4
 Stable tag: 2.1.16
+Stable tag: 2.1.17
 License: GPLv2
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 …
 - XML-RPC allow, disable, or rate-limit policy controls with IP allowlisting
 - Weak-password blocking during profile updates, password resets, and compatible registrations
 - Comment Shield with honeypot, submit-time validation, duplicate detection, guest link limits, and IP rate limiting
+- Comment Shield with honeypot, signed tokens, submit-time validation, duplicate detection, guest link limits, IP rate limiting, and moderation-aware logging
 - Form Shield for Contact Form 7 and Fluent Forms with honeypot, signed submit tokens, link heuristics, repeated-domain detection, and IP rate limiting
 - Form spam blocks are logged into the WAF/live feed with provider-aware source labels for easier review
 - Suspicious comments can be held for moderation or blocked immediately
+- REST comments can enforce signed anti-spam tokens and CAPTCHA when anonymous REST commenting is enabled elsewhere
 - Configurable custom login slug so administrators can use a private login URL instead of the default `wp-login.php`
 - Default `wp-login.php` and guest `wp-admin` access can be hidden behind a `404` response when custom login is enabled
 - Weekly executive security report email with 7-day firewall, login abuse, WAF, and comment spam statistics
+- Weekly executive security report email with 7-day firewall, login abuse, WAF, form spam, and comment moderation statistics
 = Security-First Architecture =
 …
 - Secure storage and cleanup of scan queues and logs
 - Hardened backup handling outside `ABSPATH` by default
+- Hardened malware and integrity scan actions with stricter capability checks and in-root path validation
 - Adaptive performance tuning for safe large-site scanning
 …
 == Changelog ==
+= v2.1.17 - 31 Mar, 2026 =
+* Hardened malware and integrity scan actions with stricter capability checks, boundary-safe path validation, and server-side verification of auto-fix targets.
+* Closed the conditional REST comment bypass by enforcing signed anti-spam tokens and comment CAPTCHA on REST comment submissions as well.
+* Added stronger 2FA challenge throttling, tighter proxy trust handling, bounded anti-spam token lifetimes, and reduced hot-path maintenance overhead.
+* Expanded release metadata and readme coverage for comment moderation, digest reporting, and hardening updates.
 = v2.1.16 - 25 Mar, 2026 =

vulntitan/tags/2.1.17/vulntitan.php

-                      r3490735
+                      r3495943
  * Plugin URI: https://vulntitan.com/vulntitan/
  * Description: VulnTitan is a WordPress security plugin with vulnerability scanning, malware detection, file integrity monitoring, comment and form anti-spam protection, and a built-in firewall with WAF payload rules and login protection.
  * Version: 2.1.16
+ * Version: 2.1.17
  * Author: Jaroslav Svetlik
  * Author URI: https://vulntitan.com
 …
 // Define plugin constants
 define('VULNTITAN_PLUGIN_VERSION', VULNTITAN_DEVELOPMENT ? uniqid() : '2.1.16');
+define('VULNTITAN_PLUGIN_VERSION', VULNTITAN_DEVELOPMENT ? uniqid() : '2.1.17');
 define('VULNTITAN_PLUGIN_BASENAME', plugin_basename(__FILE__));
 define('VULNTITAN_PLUGIN_DIR', untrailingslashit(plugin_dir_path(__FILE__)));

vulntitan/trunk/CHANGELOG.md

-                      r3490735
+                      r3495943
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.1.17] - 2026-03-31
+### Added
+- Logged comments that land in the WordPress moderation queue into the firewall activity stream and weekly digest reporting.
+- Expanded the weekly digest protection profile and activity summaries to cover comment moderation and form-spam signals.
+### Changed
+- Refined the weekly digest email layout so two-column sections collapse cleanly on mobile screens.
+### Security
+- Hardened malware and integrity scan actions with stricter capability checks, safer in-root path validation, and server-side verification of auto-fix targets.
+- Enforced signed anti-spam tokens and CAPTCHA handling on REST comment submissions when anonymous REST comments are exposed elsewhere.
+- Tightened trusted proxy handling, bounded anti-spam token lifetimes, rate-limited 2FA challenge attempts, and moved maintenance self-heal work off the hot request path.
 ## [2.1.16] - 2026-03-25

vulntitan/trunk/assets/js/malware-scanner.js

-                      r3483103
+                      r3495943
                 $feedback.text('').css('color', '#94a3b8');
-                const patterns = Array.isArray(finding.patterns) ? finding.patterns.join(', ') : (finding.type || '');
                 $.post(ajaxurl, {
                     action: 'vulntitan_malware_fix_finding',
                     nonce: VulnTitan.nonce,
                     file_path: item.file || '',
+                    line: lineNumber,
+                    expected_code: finding.code || '',
+                    patterns: patterns
+                    line: lineNumber
                 }, function (response) {
                     if (response && response.success) {

vulntitan/trunk/assets/js/malware-scanner.min.js

-                      r3483103
+                      r3495943
                 $feedback.text('').css('color', '#94a3b8');
-                const patterns = Array.isArray(finding.patterns) ? finding.patterns.join(', ') : (finding.type || '');
                 $.post(ajaxurl, {
                     action: 'vulntitan_malware_fix_finding',
                     nonce: VulnTitan.nonce,
                     file_path: item.file || '',
+                    line: lineNumber,
+                    expected_code: finding.code || '',
+                    patterns: patterns
+                    line: lineNumber
                 }, function (response) {
                     if (response && response.success) {

vulntitan/trunk/includes/Admin/Ajax.php

-                      r3485911
+                      r3495943
 class Ajax
+{
+    protected const FILE_OPERATIONS_CAPABILITY_FILTER = 'vulntitan_file_operations_capability';
     public function register(): void
+    {
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         $scanner = new MalwareScanner(get_option('vulntitan_malware_scan_scope', 'all'));
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $file = realpath( sanitize_text_field( wp_unslash( $_POST['file_path'] ?? '' ) ) );
+        if (!$file || strpos($file, ABSPATH) !== 0 || !file_exists($file)) {
+        $this->requireFileOperationsCapability();
+        $resolved = $this->resolveFilePathWithinWordPress((string) wp_unslash($_POST['file_path'] ?? ''));
+        if ($resolved === null) {
             wp_send_json_error(['message' => esc_html__('Invalid or missing file.', 'vulntitan')]);
+        }
 …
         try {
             $scanner = new MalwareScanner(get_option('vulntitan_malware_scan_scope', 'all'));
             $result = $scanner->scanSingleFile($file);
+            $result = $scanner->scanSingleFile($resolved['absolute']);
             wp_send_json_success([
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         $filePaths = $_POST['file_paths'] ?? [];
 …
         foreach ($filePaths as $inputPath) {
+            // Normalize: if path is absolute, convert it to relative
+            if (strpos($inputPath, ABSPATH) === 0) {
+                $relativePath = ltrim(str_replace(ABSPATH, '', $inputPath), '/\\');
+            } else {
+                $relativePath = ltrim($inputPath, '/\\');
+            }
+            $absolutePath = ABSPATH . $relativePath;
+            // Ensure the resolved path stays within WP directory (security check)
+            $realAbsolute = realpath($absolutePath);
+            $realBase = realpath(ABSPATH);
+            if (!$realAbsolute || strpos($realAbsolute, $realBase) !== 0) {
+            $resolved = $this->resolveFilePathWithinWordPress((string) $inputPath);
+            if ($resolved === null) {
                 $results[] = [
                     'file' => $relativePath,
+                    'file' => ltrim(str_replace('\\', '/', (string) $inputPath), '/'),
                     'status' => 'skipped',
                     'skipped' => true,
 …
                 continue;
+            }
+            if (!file_exists($realAbsolute)) {
+            try {
+                $findings = $scanner->scanSingleFile($resolved['absolute']);
                 $results[] = [
+                    'file' => $relativePath,
+                    'status' => 'skipped',
+                    'skipped' => true,
+                    'reason' => esc_html__('File not found.', 'vulntitan'),
+                ];
+                continue;
+            }
+            try {
+                $findings = $scanner->scanSingleFile($realAbsolute);
+                $results[] = [
+                    'file'      => $relativePath,
+                    'file'      => $resolved['relative'],
                     'status'    => !empty($findings) ? 'infected' : 'clean',
                     'findings'  => $findings,
 …
             } catch (Throwable $e) {
                 $results[] = [
                     'file'  => $relativePath,
+                    'file'  => $resolved['relative'],
                     'status' => 'error',
                     'error' => $e->getMessage(),
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         $filePath = sanitize_text_field(wp_unslash($_POST['file_path'] ?? ''));
         $lineNumber = isset($_POST['line']) ? (int) $_POST['line'] : 0;
-        $expectedCodeRaw = wp_unslash($_POST['expected_code'] ?? '');
-        $patternsRaw = wp_unslash($_POST['patterns'] ?? '');
-        $expectedCode = is_string($expectedCodeRaw) ? trim(substr($expectedCodeRaw, 0, 2000)) : '';
-        $patterns = is_string($patternsRaw) ? trim(substr($patternsRaw, 0, 300)) : '';
         if ($filePath === '' || $lineNumber < 1) {
 …
+        }
+        if (!$this->isFixablePatternList($patterns)) {
+            wp_send_json_error(['message' => esc_html__('Auto-fix is disabled for low-risk findings.', 'vulntitan')]);
+        }
+        $relativePath = ltrim(str_replace('\\', '/', $filePath), '/');
+        $absolutePath = ABSPATH . $relativePath;
+        $realAbsolute = realpath($absolutePath);
+        $realBase = realpath(ABSPATH);
+        if (!$realAbsolute || !$realBase || strpos($realAbsolute, $realBase) !== 0 || !is_file($realAbsolute)) {
+        $resolved = $this->resolveFilePathWithinWordPress($filePath);
+        if ($resolved === null) {
             wp_send_json_error(['message' => esc_html__('Invalid or unsafe file path.', 'vulntitan')]);
+        }
+        $relativePath = $resolved['relative'];
+        $realAbsolute = $resolved['absolute'];
+        $finding = $this->getFixableMalwareFinding($realAbsolute, $lineNumber);
+        if ($finding === null) {
+            wp_send_json_error(['message' => esc_html__('Auto-fix requires a current high-risk finding on the selected line.', 'vulntitan')]);
+        }
 …
         $updatedLine = $originalLine;
         $appliedMode = 'quarantine_line';
+        $expectedCode = trim(substr((string) ($finding['code'] ?? ''), 0, 2000));
+        $patterns = $this->normalizeFixablePatternList($finding['patterns'] ?? []);
         $normalizedExpectedCode = str_replace(["\r", "\n"], '', $expectedCode);
 …
+    }
+    protected function getFixableMalwareFinding(string $absolutePath, int $lineNumber): ?array
+    {
+        try {
+            $scanner = new MalwareScanner(get_option('vulntitan_malware_scan_scope', 'all'));
+            $findings = $scanner->scanSingleFile($absolutePath);
+        } catch (Throwable $e) {
+            return null;
+        }
+        foreach ($findings as $finding) {
+            if (!is_array($finding) || (int) ($finding['line'] ?? 0) !== $lineNumber) {
+                continue;
+            }
+            $patterns = $this->normalizeFixablePatternList($finding['patterns'] ?? []);
+            if (!$this->isFixablePatternList($patterns)) {
+                continue;
+            }
+            return $finding;
+        }
+        return null;
+    }
+    /**
+     * @param mixed $patterns
+     */
+    protected function normalizeFixablePatternList($patterns): string
+    {
+        if (!is_array($patterns)) {
+            return '';
+        }
+        $items = [];
+        foreach ($patterns as $pattern) {
+            $value = sanitize_key((string) $pattern);
+            if ($value !== '') {
+                $items[] = $value;
+            }
+        }
+        return implode(', ', array_values(array_unique($items)));
+    }
     protected function isFixablePatternList(string $patterns): bool
+    {
 …
+    }
+    protected function requireFileOperationsCapability(): void
+    {
+        if ($this->currentUserCanManageFileOperations()) {
+            return;
+        }
+        wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+    }
+    protected function currentUserCanManageFileOperations(): bool
+    {
+        $defaultCapability = is_multisite() ? 'manage_network_plugins' : 'update_plugins';
+        $capability = apply_filters(self::FILE_OPERATIONS_CAPABILITY_FILTER, $defaultCapability);
+        $capability = is_string($capability) && $capability !== '' ? $capability : $defaultCapability;
+        return current_user_can($capability);
+    }
+    protected function resolveFilePathWithinWordPress(string $inputPath): ?array
+    {
+        $inputPath = trim($inputPath);
+        if ($inputPath === '') {
+            return null;
+        }
+        $basePath = realpath(ABSPATH);
+        if (!$basePath) {
+            return null;
+        }
+        $normalizedBase = untrailingslashit(wp_normalize_path($basePath));
+        $normalizedInput = wp_normalize_path($inputPath);
+        if ($normalizedInput === $normalizedBase || strpos($normalizedInput, $normalizedBase . '/') === 0) {
+            $relativePath = ltrim(substr($normalizedInput, strlen($normalizedBase)), '/');
+        } else {
+            $relativePath = ltrim(str_replace('\\', '/', $inputPath), '/');
+        }
+        if ($relativePath === '') {
+            return null;
+        }
+        $absolutePath = realpath(trailingslashit($basePath) . $relativePath);
+        if (!$absolutePath || !is_file($absolutePath) || !$this->isPathInsideBase($absolutePath, $basePath)) {
+            return null;
+        }
+        $normalizedAbsolute = untrailingslashit(wp_normalize_path($absolutePath));
+        return [
+            'absolute' => $absolutePath,
+            'relative' => ltrim(substr($normalizedAbsolute, strlen($normalizedBase)), '/'),
+        ];
+    }
+    protected function isPathInsideBase(string $path, string $basePath): bool
+    {
+        $normalizedPath = untrailingslashit(wp_normalize_path($path));
+        $normalizedBase = untrailingslashit(wp_normalize_path($basePath));
+        return $normalizedPath === $normalizedBase || strpos($normalizedPath, $normalizedBase . '/') === 0;
+    }
     public function integrityScanInit(): void
+    {
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         if (!BaselineBuilder::exists()) {
 …
         check_ajax_referer('vulntitan_ajax_scan', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $file = sanitize_text_field(wp_unslash($_POST['file_path'] ?? ''));
+        if ($file === '') {
+            wp_send_json_error(['message' => esc_html__('File not found.', 'vulntitan')]);
+        }
+        if (strpos($file, ABSPATH) === 0) {
+            $relative = ltrim(str_replace(ABSPATH, '', $file), '/\\');
+        } else {
+            $relative = ltrim($file, '/\\');
+        }
+        $absolutePath = ABSPATH . $relative;
+        $realAbsolute = realpath($absolutePath);
+        $realBase = realpath(ABSPATH);
+        if (!$realAbsolute || !$realBase || strpos($realAbsolute, $realBase) !== 0 || !file_exists($realAbsolute)) {
+        $this->requireFileOperationsCapability();
+        $resolved = $this->resolveFilePathWithinWordPress((string) wp_unslash($_POST['file_path'] ?? ''));
+        if ($resolved === null) {
             wp_send_json_error(['message' => esc_html__('File not found.', 'vulntitan')]);
+        }
 …
             $scanner->loadBaseline();
+            $relativePath = ltrim(str_replace($realBase, '', $realAbsolute), '/\\');
+            $result = $scanner->scanSingleFile($relativePath);
+            $result = $scanner->scanSingleFile($resolved['relative']);
             wp_send_json_success([
 …
         $startedAt = microtime(true);
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => esc_html__('Insufficient permissions.', 'vulntitan')], 403);
+        }
+        $this->requireFileOperationsCapability();
         $queueId = sanitize_text_field( wp_unslash( $_POST['queue_id'] ?? '' ) );

vulntitan/trunk/includes/Admin/Pages/Firewall.php

-                      r3486040
+                      r3495943
                                                         <span class="vulntitan-firewall-field-label"><?php esc_html_e('Trusted Proxy IPs', 'vulntitan'); ?></span>
                                                         <textarea id="vulntitan-firewall-trusted-proxies" class="vulntitan-firewall-textarea" rows="4" placeholder="203.0.113.10"></textarea>
+                                                        <small class="vulntitan-firewall-field-help"><?php esc_html_e('Add one IP per line or comma-separated. Only these proxies will be trusted for X-Forwarded-For / X-Real-IP headers.', 'vulntitan'); ?></small>
+                                                        <small class="vulntitan-firewall-field-help"><?php esc_html_e('Add one IP or CIDR per line or comma-separated. Only these proxies will be trusted for X-Forwarded-For / X-Real-IP headers.', 'vulntitan'); ?></small>
+                                                        <small class="vulntitan-firewall-field-help"><?php esc_html_e('Private proxy addresses are not trusted automatically. List them here if your reverse proxy or load balancer terminates traffic on a private network.', 'vulntitan'); ?></small>
                                                         <small class="vulntitan-firewall-field-help"><?php esc_html_e('If you use Cloudflare, enable the toggle above (no manual IP list needed).', 'vulntitan'); ?></small>
                                                     </label>

vulntitan/trunk/includes/Plugin.php

-                      r3485911
+                      r3495943
     protected const FIREWALL_LOG_CLEANUP_HOOK = 'vulntitan_cleanup_firewall_logs';
     protected const WEEKLY_SUMMARY_EMAIL_HOOK = 'vulntitan_send_weekly_summary_email';
+    protected const COMPONENT_HEALTH_CHECK_TRANSIENT = 'vulntitan_component_health_check';
+    protected const COMPONENT_HEALTH_CHECK_TTL = 12 * HOUR_IN_SECONDS;
+    protected const COMPONENT_HEALTH_CHECK_RETRY_TTL = 15 * MINUTE_IN_SECONDS;
     public $admin;
 …
+    {
         $this->maybe_generate_baseline();
         $this->ensure_firewall_components();
+        $this->maybeEnsureFirewallComponents();
         $this->register_scheduled_events();
         $this->register_cli_commands();
 …
         wp_clear_scheduled_hook(self::FIREWALL_LOG_CLEANUP_HOOK);
         wp_clear_scheduled_hook(self::WEEKLY_SUMMARY_EMAIL_HOOK);
+        delete_transient(self::COMPONENT_HEALTH_CHECK_TRANSIENT);
         FirewallService::removeMuLoader();
+    }
 …
+    }
+    protected function ensure_firewall_components(): void
+    {
+        FirewallService::ensureTable();
+        FirewallService::installMuLoader();
+        VulnerabilityRiskService::ensureTables();
+    protected function maybeEnsureFirewallComponents(): void
+    {
+        if (!$this->shouldRunComponentHealthCheck()) {
+            return;
+        }
+        $success = $this->ensure_firewall_components();
+        set_transient(
+            self::COMPONENT_HEALTH_CHECK_TRANSIENT,
+            $success ? 'ok' : 'retry',
+            $success ? self::COMPONENT_HEALTH_CHECK_TTL : self::COMPONENT_HEALTH_CHECK_RETRY_TTL
+        );
+    }
+    protected function shouldRunComponentHealthCheck(): bool
+    {
+        if (defined('WP_INSTALLING') && WP_INSTALLING) {
+            return false;
+        }
+        if (get_transient(self::COMPONENT_HEALTH_CHECK_TRANSIENT)) {
+            return false;
+        }
+        if (defined('WP_CLI') && WP_CLI) {
+            return true;
+        }
+        if (defined('DOING_CRON') && DOING_CRON) {
+            return true;
+        }
+        if (function_exists('wp_doing_ajax') && wp_doing_ajax()) {
+            return false;
+        }
+        return is_admin();
+    }
+    protected function ensure_firewall_components(): bool
+    {
+        $firewallReady = FirewallService::ensureTable();
+        $muLoader = FirewallService::installMuLoader();
+        $vulnerabilityReady = VulnerabilityRiskService::ensureTables();
+        return $firewallReady && !empty($muLoader['success']) && $vulnerabilityReady;
+    }

vulntitan/trunk/includes/Services/CaptchaService.php

-                      r3483537
+                      r3495943
     protected static bool $booted = false;
     protected static bool $renderedWidget = false;
+    protected static array $commentRequestFieldOverrides = [];
     public static function boot(): void
 …
         add_filter('registration_errors', [__CLASS__, 'verifyRegistrationCaptcha'], 20, 3);
         add_action('lostpassword_post', [__CLASS__, 'verifyLostPasswordCaptcha'], 10, 2);
+        add_filter('preprocess_comment', [__CLASS__, 'clearCommentRequestContext'], 1);
+        add_filter('rest_preprocess_comment', [__CLASS__, 'captureRestCommentContext'], 5, 2);
         add_filter('pre_comment_approved', [__CLASS__, 'verifyCommentCaptcha'], 8, 2);
+    }
 …
         if (!self::isContextEnabled(self::CONTEXT_COMMENT) || !self::isProviderConfigured()) {
-            return $approved;
+        }
-        if (defined('REST_REQUEST') && REST_REQUEST) {
             return $approved;
+        }
 …
         $field = $provider === 'turnstile' ? 'cf-turnstile-response' : 'h-captcha-response';
+        if (array_key_exists($field, self::$commentRequestFieldOverrides)) {
+            return trim((string) self::$commentRequestFieldOverrides[$field]);
+        }
         return trim((string) wp_unslash($_POST[$field] ?? $_REQUEST[$field] ?? ''));
+    }
+    /**
+     * @param array<string,mixed> $commentData
+     * @return array<string,mixed>
+     */
+    public static function clearCommentRequestContext(array $commentData): array
+    {
+        self::$commentRequestFieldOverrides = [];
+        return $commentData;
+    }
+    /**
+     * @param array<string,mixed> $preparedComment
+     * @return array<string,mixed>
+     */
+    public static function captureRestCommentContext(array $preparedComment, $request): array
+    {
+        self::$commentRequestFieldOverrides = self::extractRestCommentRequestFields($request);
+        return $preparedComment;
+    }
+    protected static function extractRestCommentRequestFields($request): array
+    {
+        if (!is_object($request) || !method_exists($request, 'get_param')) {
+            return [];
+        }
+        $fields = [];
+        foreach (['cf-turnstile-response', 'h-captcha-response'] as $field) {
+            $value = $request->get_param($field);
+            if (is_scalar($value) || $value === null) {
+                $fields[$field] = trim((string) $value);
+            }
+        }
+        return $fields;
+    }

vulntitan/trunk/includes/Services/CommentSpamService.php

-                      r3490735
+                      r3495943
     protected const RATE_LIMIT_PREFIX = 'vulntitan_cs_rate_';
     protected const MIN_TOKEN_AGE = 1;
+    protected const MAX_TOKEN_AGE = 2 * HOUR_IN_SECONDS;
+    protected const MAX_TOKEN_FUTURE_SKEW = 5 * MINUTE_IN_SECONDS;
     protected const SHORT_COMMENT_MAX_WORDS = 3;
     protected const SHORT_COMMENT_MAX_LENGTH = 40;
 …
      */
     protected static ?array $pendingDecision = null;
+    protected static array $requestFieldOverrides = [];
     public static function boot(): void
 …
             $postId = (int) get_the_ID();
+        }
+        if ($postId <= 0 && function_exists('get_queried_object_id')) {
+            $postId = (int) get_queried_object_id();
+        }
         echo '<p class="comment-form-vulntitan-honeypot" style="position:absolute;left:-9999px;top:auto;width:1px;height:1px;overflow:hidden;" aria-hidden="true">';
 …
     public static function captureCommentDecision(array $commentData): array
+    {
+        self::$requestFieldOverrides = [];
         self::$pendingDecision = self::evaluateDecision($commentData, false);
 …
     public static function captureRestCommentDecision(array $preparedComment, $request): array
+    {
+        self::$requestFieldOverrides = self::extractRestRequestFields($request);
         self::$pendingDecision = self::evaluateDecision($preparedComment, true);
 …
+        }
+        if (!$isRest) {
+            $tokenValidation = self::validateFormToken((string) self::readRequestField(self::TOKEN_FIELD), $postId);
+            if (!empty($tokenValidation['present']) && empty($tokenValidation['valid'])) {
+                return self::buildDecisionFromSuspiciousAction(
+                    (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                    'invalid_form_token',
+                    __('Comment form token validation failed.', 'vulntitan'),
+                    [
+                        'post_id' => $postId,
+                        'rate_count' => $rateCount,
+                        'window_minutes' => $rateWindowMinutes,
+                    ],
+                    [
+                        'comment_hash' => self::buildCommentHash($normalizedContent),
+                    ]
+                );
+            }
+            $minSeconds = max(self::MIN_TOKEN_AGE, (int) ($settings['submission_min_submit_seconds'] ?? $settings['comment_min_submit_seconds'] ?? 3));
+            $tokenAge = (int) ($tokenValidation['age'] ?? 0);
+            if (!empty($tokenValidation['valid']) && $tokenAge > 0 && $tokenAge < $minSeconds) {
+                return self::buildDecisionFromSuspiciousAction(
+                    (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                    'submitted_too_fast',
+                    __('Comment was submitted faster than the configured minimum time threshold.', 'vulntitan'),
+                    [
+                        'post_id' => $postId,
+                        'rate_count' => $rateCount,
+                        'window_minutes' => $rateWindowMinutes,
+                        'submitted_after_seconds' => $tokenAge,
+                        'minimum_seconds' => $minSeconds,
+                    ],
+                    [
+                        'comment_hash' => self::buildCommentHash($normalizedContent),
+                    ]
+                );
+            }
+        $tokenValidation = self::validateFormToken((string) self::readRequestField(self::TOKEN_FIELD), $postId);
+        if ($isRest && !self::isAuthenticatedCommenter($commentData) && empty($tokenValidation['present'])) {
+            return self::buildDecisionFromSuspiciousAction(
+                (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                'missing_form_token',
+                __('REST comment request is missing the signed anti-spam token.', 'vulntitan'),
+                [
+                    'post_id' => $postId,
+                    'rate_count' => $rateCount,
+                    'window_minutes' => $rateWindowMinutes,
+                ],
+                [
+                    'comment_hash' => self::buildCommentHash($normalizedContent),
+                ]
+            );
+        }
+        if (!empty($tokenValidation['present']) && empty($tokenValidation['valid'])) {
+            return self::buildDecisionFromSuspiciousAction(
+                (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                'invalid_form_token',
+                __('Comment form token validation failed.', 'vulntitan'),
+                [
+                    'post_id' => $postId,
+                    'rate_count' => $rateCount,
+                    'window_minutes' => $rateWindowMinutes,
+                ],
+                [
+                    'comment_hash' => self::buildCommentHash($normalizedContent),
+                ]
+            );
+        }
+        $minSeconds = max(self::MIN_TOKEN_AGE, (int) ($settings['submission_min_submit_seconds'] ?? $settings['comment_min_submit_seconds'] ?? 3));
+        $tokenAge = (int) ($tokenValidation['age'] ?? 0);
+        if (!empty($tokenValidation['valid']) && $tokenAge > 0 && $tokenAge < $minSeconds) {
+            return self::buildDecisionFromSuspiciousAction(
+                (string) ($settings['comment_suspicious_action'] ?? 'hold'),
+                'submitted_too_fast',
+                __('Comment was submitted faster than the configured minimum time threshold.', 'vulntitan'),
+                [
+                    'post_id' => $postId,
+                    'rate_count' => $rateCount,
+                    'window_minutes' => $rateWindowMinutes,
+                    'submitted_after_seconds' => $tokenAge,
+                    'minimum_seconds' => $minSeconds,
+                ],
+                [
+                    'comment_hash' => self::buildCommentHash($normalizedContent),
+                ]
+            );
+        }
 …
         $tokenPostId = (int) $postIdRaw;
         $expected = wp_hash($timestampRaw . '|' . $postIdRaw . '|' . self::TOKEN_FIELD);
+        $now = time();
+        $age = max(0, $now - $timestamp);
         if ($timestamp <= 0 || $tokenPostId < 0 || !hash_equals($expected, $signature)) {
 …
+        }
+        if ($timestamp > ($now + self::MAX_TOKEN_FUTURE_SKEW) || $age > self::getTokenMaxAge()) {
+            return [
+                'present' => true,
+                'valid' => false,
+                'age' => $age,
+            ];
+        }
         return [
             'present' => true,
             'valid' => true,
             'age' => max(0, time() - $timestamp),
+            'age' => $age,
         ];
+    }
+    protected static function getTokenMaxAge(): int
+    {
+        $maxAge = (int) apply_filters('vulntitan_comment_token_max_age', self::MAX_TOKEN_AGE);
+        return max(self::MIN_TOKEN_AGE, $maxAge);
+    }
     protected static function readRequestField(string $field): string
+    {
+        if (array_key_exists($field, self::$requestFieldOverrides)) {
+            return trim((string) self::$requestFieldOverrides[$field]);
+        }
         if (!isset($_REQUEST[$field])) {
             return '';
 …
         return trim((string) $value);
+    }
+    protected static function extractRestRequestFields($request): array
+    {
+        if (!is_object($request) || !method_exists($request, 'get_param')) {
+            return [];
+        }
+        $fields = [];
+        foreach ([self::TOKEN_FIELD, self::HONEYPOT_FIELD] as $field) {
+            $value = $request->get_param($field);
+            if (is_scalar($value) || $value === null) {
+                $fields[$field] = trim((string) $value);
+            }
+        }
+        return $fields;
+    }
+}

vulntitan/trunk/includes/Services/ContactFormSpamService.php

-                      r3485911
+                      r3495943
     protected const RATE_LIMIT_PREFIX = 'vulntitan_cf7_rate_';
     protected const MIN_TOKEN_AGE = 1;
+    protected const MAX_TOKEN_AGE = 2 * HOUR_IN_SECONDS;
+    protected const MAX_TOKEN_FUTURE_SKEW = 5 * MINUTE_IN_SECONDS;
     protected static bool $booted = false;
 …
         $tokenFormId = (int) $formIdRaw;
         $expected = wp_hash($timestampRaw . '|' . $formIdRaw . '|' . self::TOKEN_FIELD);
+        $now = time();
+        $age = max(0, $now - $timestamp);
         if ($timestamp <= 0 || $tokenFormId < 0 || !hash_equals($expected, $signature)) {
 …
+        }
+        if ($timestamp > ($now + self::MAX_TOKEN_FUTURE_SKEW) || $age > self::getTokenMaxAge($formId)) {
+            return [
+                'present' => true,
+                'valid' => false,
+                'age' => $age,
+            ];
+        }
         return [
             'present' => true,
             'valid' => true,
             'age' => max(0, time() - $timestamp),
+            'age' => $age,
         ];
+    }
+    protected static function getTokenMaxAge(int $formId): int
+    {
+        $maxAge = (int) apply_filters('vulntitan_form_token_max_age', self::MAX_TOKEN_AGE, 'contact_form_7', $formId);
+        return max(self::MIN_TOKEN_AGE, $maxAge);
+    }

vulntitan/trunk/includes/Services/FirewallService.php

-                      r3490735
+                      r3495943
         $remoteAddr = isset($server['REMOTE_ADDR']) ? trim((string) $server['REMOTE_ADDR']) : '';
         $settings = self::getSettings();
+        $trustedProxies = self::getTrustedProxyIps($settings);
+        $trustCloudflare = !empty($settings['trust_cloudflare']);
+        $trustForwarded = self::isTrustedProxy($remoteAddr, $trustedProxies)
+            || ($trustCloudflare && self::isCloudflareIp($remoteAddr));
+        $trustForwarded = self::shouldTrustForwardedHeaders($remoteAddr, $settings);
         if ($trustForwarded) {
 …
         $trustCloudflare = !empty($settings['trust_cloudflare']);
         $isCloudflare = self::isCloudflareIp($remoteAddr);
+        $trustForwarded = self::isTrustedProxy($remoteAddr, $trustedProxies)
+            || ($trustCloudflare && $isCloudflare);
+        $trustForwarded = self::shouldTrustForwardedHeaders($remoteAddr, $settings);
         return [
 …
+        }
+        $trusted = array_filter(array_map('trim', $trusted), static function ($ip) {
+            return $ip !== '';
+        });
+        return array_values(array_unique($trusted));
+        return self::sanitizeTrustedProxyList($trusted);
+    }
+    protected static function shouldTrustForwardedHeaders(string $remoteAddr, ?array $settings = null): bool
+    {
+        if ($settings === null) {
+            $settings = self::getSettings();
+        }
+        $trustedProxies = self::getTrustedProxyIps($settings);
+        if (self::isTrustedProxy($remoteAddr, $trustedProxies)) {
+            return true;
+        }
+        return !empty($settings['trust_cloudflare']) && self::isCloudflareIp($remoteAddr);
+    }
 …
+        }
+        if (in_array($remoteAddr, $trustedProxies, true)) {
+            return true;
+        }
+        return self::isPrivateIp($remoteAddr);
+        foreach ($trustedProxies as $trustedProxy) {
+            $rule = self::sanitizeTrustedProxyRule((string) $trustedProxy);
+            if ($rule === '') {
+                continue;
+            }
+            if (strpos($rule, '/') !== false) {
+                if (self::ipInCidr($remoteAddr, $rule)) {
+                    return true;
+                }
+                continue;
+            }
+            if ($remoteAddr === $rule) {
+                return true;
+            }
+        }
+        return false;
+    }
 …
         );
         $lockoutAllowlist = self::sanitizeIpList($settings['lockout_allowlist_ips'] ?? $defaults['lockout_allowlist_ips']);
         $trustedProxies = self::sanitizeIpList($settings['trusted_proxies'] ?? $defaults['trusted_proxies']);
+        $trustedProxies = self::sanitizeTrustedProxyList($settings['trusted_proxies'] ?? $defaults['trusted_proxies']);
         $weeklySummaryRecipient = sanitize_email((string) ($settings['weekly_summary_email_recipient'] ?? $defaults['weekly_summary_email_recipient']));
 …
+    }
+    protected static function sanitizeTrustedProxyList($value): array
+    {
+        if (is_array($value)) {
+            $rawItems = $value;
+        } else {
+            $rawItems = preg_split('/[\r\n,]+/', (string) $value) ?: [];
+        }
+        $rules = [];
+        foreach ($rawItems as $item) {
+            $rule = self::sanitizeTrustedProxyRule((string) $item);
+            if ($rule === '') {
+                continue;
+            }
+            $rules[$rule] = $rule;
+        }
+        return array_values($rules);
+    }
+    protected static function sanitizeTrustedProxyRule(string $rule): string
+    {
+        $rule = trim($rule);
+        if ($rule === '') {
+            return '';
+        }
+        if (strpos($rule, '/') === false) {
+            return self::sanitizeIp($rule);
+        }
+        [$ip, $maskRaw] = explode('/', $rule, 2);
+        $ip = self::sanitizeIp($ip);
+        if ($ip === '' || !preg_match('/^\d{1,3}$/', $maskRaw)) {
+            return '';
+        }
+        $mask = (int) $maskRaw;
+        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            if ($mask < 0 || $mask > 32) {
+                return '';
+            }
+        } elseif (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            if ($mask < 0 || $mask > 128) {
+                return '';
+            }
+        } else {
+            return '';
+        }
+        return $ip . '/' . $mask;
+    }
     protected static function sanitizeRoleList($value, array $fallback): array
+    {

vulntitan/trunk/includes/Services/FluentFormSpamService.php

-                      r3485911
+                      r3495943
     protected const RATE_LIMIT_PREFIX = 'vulntitan_fluentforms_rate_';
     protected const MIN_TOKEN_AGE = 1;
+    protected const MAX_TOKEN_AGE = 2 * HOUR_IN_SECONDS;
+    protected const MAX_TOKEN_FUTURE_SKEW = 5 * MINUTE_IN_SECONDS;
     protected const BLOCK_MESSAGE = 'Your submission was blocked because the system detected spam or abuse. Remove excessive links and try again.';
 …
         $tokenFormId = (int) $formIdRaw;
         $expected = wp_hash($timestampRaw . '|' . $formIdRaw . '|' . self::TOKEN_FIELD);
+        $now = time();
+        $age = max(0, $now - $timestamp);
         if ($timestamp <= 0 || $tokenFormId < 0 || !hash_equals($expected, $signature)) {
 …
+        }
+        if ($timestamp > ($now + self::MAX_TOKEN_FUTURE_SKEW) || $age > self::getTokenMaxAge($formId)) {
+            return [
+                'present' => true,
+                'valid' => false,
+                'age' => $age,
+            ];
+        }
         return [
             'present' => true,
             'valid' => true,
             'age' => max(0, time() - $timestamp),
+            'age' => $age,
         ];
+    }
+    protected static function getTokenMaxAge(int $formId): int
+    {
+        $maxAge = (int) apply_filters('vulntitan_form_token_max_age', self::MAX_TOKEN_AGE, 'fluent_forms', $formId);
+        return max(self::MIN_TOKEN_AGE, $maxAge);
+    }

vulntitan/trunk/includes/Services/LoginSecurityService.php

-                      r3483537
+                      r3495943
     protected const CHALLENGE_TTL = 10 * MINUTE_IN_SECONDS;
     protected const RECOVERY_PREVIEW_TTL = 15 * MINUTE_IN_SECONDS;
+    protected const ATTEMPT_PREFIX = 'vulntitan_2fa_attempt_';
+    protected const BLOCK_PREFIX = 'vulntitan_2fa_block_';
+    protected const MAX_CHALLENGE_ATTEMPTS = 5;
+    protected const ATTEMPT_WINDOW = 10 * MINUTE_IN_SECONDS;
+    protected const BLOCK_TTL = 10 * MINUTE_IN_SECONDS;
     protected static bool $booted = false;
 …
+        }
+        $rateLimit = self::getTwoFactorRateLimitState($user->ID, FirewallService::detectClientIp());
+        if (!empty($rateLimit['blocked'])) {
+            return new WP_Error(
+                'vulntitan_2fa_rate_limited',
+                self::getTwoFactorRateLimitMessage((int) ($rateLimit['remaining_seconds'] ?? self::BLOCK_TTL))
+            );
+        }
         $challengeId = self::createChallenge($user);
         $redirectUrl = add_query_arg([
 …
+        }
+        $ipAddress = FirewallService::detectClientIp();
+        $rateLimit = self::getTwoFactorRateLimitState($user->ID, $ipAddress);
+        if (!empty($rateLimit['blocked'])) {
+            self::deleteChallenge($challengeId);
+            self::renderChallengePage(
+                __('Two-Factor Authentication', 'vulntitan'),
+                self::getTwoFactorRateLimitMessage((int) ($rateLimit['remaining_seconds'] ?? self::BLOCK_TTL)),
+                [],
+                true
+            );
+        }
         if (strtoupper((string) ($_SERVER['REQUEST_METHOD'] ?? 'GET')) === 'POST') {
             $nonce = isset($_POST[self::CHALLENGE_NONCE]) ? (string) wp_unslash($_POST[self::CHALLENGE_NONCE]) : '';
 …
                 if ($isValid) {
                     self::deleteChallenge($challengeId);
+                    self::clearTwoFactorRateLimitState($user->ID, $ipAddress);
                     self::finalizeAuthenticatedLogin(
                         $user,
 …
                     'reason' => 'Invalid two-factor verification code.',
                 ]);
+                $rateLimit = self::recordFailedTwoFactorAttempt($user, $ipAddress);
+                if (!empty($rateLimit['blocked'])) {
+                    self::deleteChallenge($challengeId);
+                    self::renderChallengePage(
+                        __('Two-Factor Authentication', 'vulntitan'),
+                        self::getTwoFactorRateLimitMessage((int) ($rateLimit['remaining_seconds'] ?? self::BLOCK_TTL)),
+                        [],
+                        true
+                    );
+                }
                 $errorMessage = __('The verification code was invalid. Please try again.', 'vulntitan');
 …
+    }
+    protected static function getTwoFactorRateLimitState(int $userId, string $ipAddress): array
+    {
+        $blockedUntil = (int) get_transient(self::getTwoFactorBlockKey($userId, $ipAddress));
+        if ($blockedUntil > time()) {
+            return [
+                'blocked' => true,
+                'remaining_seconds' => max(1, $blockedUntil - time()),
+            ];
+        }
+        if ($blockedUntil > 0) {
+            delete_transient(self::getTwoFactorBlockKey($userId, $ipAddress));
+        }
+        return [
+            'blocked' => false,
+            'remaining_seconds' => 0,
+        ];
+    }
+    protected static function recordFailedTwoFactorAttempt(WP_User $user, string $ipAddress): array
+    {
+        $attemptKey = self::getTwoFactorAttemptKey($user->ID, $ipAddress);
+        $data = get_transient($attemptKey);
+        if (!is_array($data)) {
+            $data = [
+                'count' => 0,
+                'started_at' => time(),
+            ];
+        }
+        $data['count'] = max(0, (int) ($data['count'] ?? 0)) + 1;
+        $data['started_at'] = (int) ($data['started_at'] ?? time());
+        set_transient($attemptKey, $data, self::ATTEMPT_WINDOW);
+        if ((int) $data['count'] < self::MAX_CHALLENGE_ATTEMPTS) {
+            return [
+                'blocked' => false,
+                'remaining_seconds' => 0,
+            ];
+        }
+        $blockedUntil = time() + self::BLOCK_TTL;
+        set_transient(self::getTwoFactorBlockKey($user->ID, $ipAddress), $blockedUntil, self::BLOCK_TTL);
+        delete_transient($attemptKey);
+        FirewallService::logEvent('login_blocked', [
+            'ip_address' => $ipAddress,
+            'username' => $user->user_login,
+            'user_id' => $user->ID,
+            'event_source' => 'login_security',
+            'rule_group' => 'two_factor',
+            'rule_id' => 'totp_rate_limited',
+            'reason' => 'Too many invalid two-factor verification attempts.',
+            'details' => [
+                'attempts' => (int) $data['count'],
+                'retry_after_seconds' => self::BLOCK_TTL,
+            ],
+        ]);
+        return [
+            'blocked' => true,
+            'remaining_seconds' => self::BLOCK_TTL,
+        ];
+    }
+    protected static function clearTwoFactorRateLimitState(int $userId, string $ipAddress): void
+    {
+        delete_transient(self::getTwoFactorAttemptKey($userId, $ipAddress));
+        delete_transient(self::getTwoFactorBlockKey($userId, $ipAddress));
+    }
+    protected static function getTwoFactorAttemptKey(int $userId, string $ipAddress): string
+    {
+        return self::ATTEMPT_PREFIX . md5($userId . '|' . ($ipAddress !== '' ? $ipAddress : 'unknown'));
+    }
+    protected static function getTwoFactorBlockKey(int $userId, string $ipAddress): string
+    {
+        return self::BLOCK_PREFIX . md5($userId . '|' . ($ipAddress !== '' ? $ipAddress : 'unknown'));
+    }
+    protected static function getTwoFactorRateLimitMessage(int $remainingSeconds): string
+    {
+        return sprintf(
+            __('Too many two-factor verification attempts. Try again in %d minute(s).', 'vulntitan'),
+            max(1, (int) ceil($remainingSeconds / MINUTE_IN_SECONDS))
+        );
+    }
     protected static function renderChallengePage(string $title, string $message = '', array $context = [], bool $isFatal = false): void
+    {

vulntitan/trunk/readme.txt

-                      r3490735
+                      r3495943
 Tested up to: 6.9
 Requires PHP: 7.4
 Stable tag: 2.1.16
+Stable tag: 2.1.17
 License: GPLv2
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 …
 - XML-RPC allow, disable, or rate-limit policy controls with IP allowlisting
 - Weak-password blocking during profile updates, password resets, and compatible registrations
 - Comment Shield with honeypot, submit-time validation, duplicate detection, guest link limits, and IP rate limiting
+- Comment Shield with honeypot, signed tokens, submit-time validation, duplicate detection, guest link limits, IP rate limiting, and moderation-aware logging
 - Form Shield for Contact Form 7 and Fluent Forms with honeypot, signed submit tokens, link heuristics, repeated-domain detection, and IP rate limiting
 - Form spam blocks are logged into the WAF/live feed with provider-aware source labels for easier review
 - Suspicious comments can be held for moderation or blocked immediately
+- REST comments can enforce signed anti-spam tokens and CAPTCHA when anonymous REST commenting is enabled elsewhere
 - Configurable custom login slug so administrators can use a private login URL instead of the default `wp-login.php`
 - Default `wp-login.php` and guest `wp-admin` access can be hidden behind a `404` response when custom login is enabled
 - Weekly executive security report email with 7-day firewall, login abuse, WAF, and comment spam statistics
+- Weekly executive security report email with 7-day firewall, login abuse, WAF, form spam, and comment moderation statistics
 = Security-First Architecture =
 …
 - Secure storage and cleanup of scan queues and logs
 - Hardened backup handling outside `ABSPATH` by default
+- Hardened malware and integrity scan actions with stricter capability checks and in-root path validation
 - Adaptive performance tuning for safe large-site scanning
 …
 == Changelog ==
+= v2.1.17 - 31 Mar, 2026 =
+* Hardened malware and integrity scan actions with stricter capability checks, boundary-safe path validation, and server-side verification of auto-fix targets.
+* Closed the conditional REST comment bypass by enforcing signed anti-spam tokens and comment CAPTCHA on REST comment submissions as well.
+* Added stronger 2FA challenge throttling, tighter proxy trust handling, bounded anti-spam token lifetimes, and reduced hot-path maintenance overhead.
+* Expanded release metadata and readme coverage for comment moderation, digest reporting, and hardening updates.
 = v2.1.16 - 25 Mar, 2026 =

vulntitan/trunk/vulntitan.php

-                      r3490735
+                      r3495943
  * Plugin URI: https://vulntitan.com/vulntitan/
  * Description: VulnTitan is a WordPress security plugin with vulnerability scanning, malware detection, file integrity monitoring, comment and form anti-spam protection, and a built-in firewall with WAF payload rules and login protection.
  * Version: 2.1.16
+ * Version: 2.1.17
  * Author: Jaroslav Svetlik
  * Author URI: https://vulntitan.com
 …
 // Define plugin constants
 define('VULNTITAN_PLUGIN_VERSION', VULNTITAN_DEVELOPMENT ? uniqid() : '2.1.16');
+define('VULNTITAN_PLUGIN_VERSION', VULNTITAN_DEVELOPMENT ? uniqid() : '2.1.17');
 define('VULNTITAN_PLUGIN_BASENAME', plugin_basename(__FILE__));
 define('VULNTITAN_PLUGIN_DIR', untrailingslashit(plugin_dir_path(__FILE__)));

Plugin Directory

Context Navigation

Legend:

vulntitan/tags/2.1.17/CHANGELOG.md

vulntitan/tags/2.1.17/assets/js/malware-scanner.js

vulntitan/tags/2.1.17/assets/js/malware-scanner.min.js

vulntitan/tags/2.1.17/includes/Admin/Ajax.php

vulntitan/tags/2.1.17/includes/Admin/Pages/Firewall.php

vulntitan/tags/2.1.17/includes/Plugin.php

vulntitan/tags/2.1.17/includes/Services/CaptchaService.php

vulntitan/tags/2.1.17/includes/Services/CommentSpamService.php

vulntitan/tags/2.1.17/includes/Services/ContactFormSpamService.php

vulntitan/tags/2.1.17/includes/Services/FirewallService.php

vulntitan/tags/2.1.17/includes/Services/FluentFormSpamService.php

vulntitan/tags/2.1.17/includes/Services/LoginSecurityService.php

vulntitan/tags/2.1.17/readme.txt

vulntitan/tags/2.1.17/vulntitan.php

vulntitan/trunk/CHANGELOG.md

vulntitan/trunk/assets/js/malware-scanner.js

vulntitan/trunk/assets/js/malware-scanner.min.js

vulntitan/trunk/includes/Admin/Ajax.php

vulntitan/trunk/includes/Admin/Pages/Firewall.php

vulntitan/trunk/includes/Plugin.php

vulntitan/trunk/includes/Services/CaptchaService.php

vulntitan/trunk/includes/Services/CommentSpamService.php

vulntitan/trunk/includes/Services/ContactFormSpamService.php

vulntitan/trunk/includes/Services/FirewallService.php

vulntitan/trunk/includes/Services/FluentFormSpamService.php

vulntitan/trunk/includes/Services/LoginSecurityService.php

vulntitan/trunk/readme.txt

vulntitan/trunk/vulntitan.php

Download in other formats: