Breeze – WordPress Cache Plugin - Version 2.0.3

Version Description

  • Fix: All AJAX actions are now restricted to users that have the manage_options capability. Vulnerability reported by the Patchstack team.
    • Fix: Only the Administrator role has the manage_options capability by default.
    • Fix: Added a restriction to option-tabs-loader.php: if the user does not have the manage_options capability, the tabs will not load.

Release Info

Developer adeelkhan
Version 2.0.3

Code changes from version 2.0.2 to 2.0.3

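--- a/breeze.php
+++ b/breeze.php
@@ -2,7 +2,7 @@
  /**
  * Plugin Name: Breeze
  * Description: Breeze is a WordPress cache plugin with extensive options to speed up your website. All the options including Varnish Cache are compatible with Cloudways hosting.
- * Version: 2.0.2
+ * Version: 2.0.3
  * Text Domain: breeze
  * Domain Path: /languages
  * Author: Cloudways
@@ -37,7 +37,7 @@ if ( ! defined( 'BREEZE_PLUGIN_DIR' ) ) {
  define( 'BREEZE_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
  }
  if ( ! defined( 'BREEZE_VERSION' ) ) {
- define( 'BREEZE_VERSION', '2.0.2' );
+ define( 'BREEZE_VERSION', '2.0.3' );
  }
  if ( ! defined( 'BREEZE_SITEURL' ) ) {
  define( 'BREEZE_SITEURL', get_site_url() );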
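--- a/inc/breeze-admin.php
+++ b/inc/breeze-admin.php
@@ -181,16 +181,25 @@ class Breeze_Admin {
  wp_enqueue_script( 'jquery-ui-widget' );
 
 
-
  }
 
  $token_name = array(
- 'breeze_purge_varnish' => wp_create_nonce( '_breeze_purge_varnish' ),
- 'breeze_purge_database' => wp_create_nonce( '_breeze_purge_database' ),
- 'breeze_purge_cache' => wp_create_nonce( '_breeze_purge_cache' ),
- 'breeze_save_options' => wp_create_nonce( '_breeze_save_options' ),
+ 'breeze_purge_varnish' => '',
+ 'breeze_purge_database' => '',
+ 'breeze_purge_cache' => '',
+ 'breeze_save_options' => '',
  );
 
+ // Only create the security nonce if the user has manage_options ( administrator capabilities ).
+ if ( false === breeze_is_restricted_access( true ) ) {
+ $token_name = array(
+ 'breeze_purge_varnish' => wp_create_nonce( '_breeze_purge_varnish' ),
+ 'breeze_purge_database' => wp_create_nonce( '_breeze_purge_database' ),
+ 'breeze_purge_cache' => wp_create_nonce( '_breeze_purge_cache' ),
+ 'breeze_save_options' => wp_create_nonce( '_breeze_save_options' ),
+ );
+ }
+
  wp_localize_script( 'breeze-backend', 'breeze_token_name', $token_name );
  }
 
@@ -418,7 +427,7 @@ class Breeze_Admin {
  'breeze-heartbeat-postedit' => '',
  'breeze-heartbeat-backend' => '',
  );
- $heartbeat = array_merge( $default_heartbeat, $heartbeat );
+ $heartbeat = array_merge( $default_heartbeat, $heartbeat );
 
  $is_advanced = get_option( 'breeze_advanced_settings_120' );
 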
inc/breeze-configuration.php CHANGED
@@ -40,6 +40,7 @@ class Breeze_Configuration {
40
  }
41
 
42
  public function update_options_for_varnish() {
 
43
  check_ajax_referer( '_breeze_save_options', 'security' );
44
  set_as_network_screen();
45
 
@@ -76,6 +77,7 @@ class Breeze_Configuration {
76
  * @since 2.0.0
77
  */
78
  public function update_options_for_basic() {
 
79
  check_ajax_referer( '_breeze_save_options', 'security' );
80
  set_as_network_screen();
81
 
@@ -155,6 +157,7 @@ class Breeze_Configuration {
155
  * @since 2.0.0
156
  */
157
  public function update_options_for_file() {
 
158
  check_ajax_referer( '_breeze_save_options', 'security' );
159
 
160
  set_as_network_screen();
@@ -246,6 +249,7 @@ class Breeze_Configuration {
246
  * @since 2.0.0
247
  */
248
  public function update_options_for_preload() {
 
249
  check_ajax_referer( '_breeze_save_options', 'security' );
250
  set_as_network_screen();
251
 
@@ -312,6 +316,7 @@ class Breeze_Configuration {
312
  * @since 2.0.0
313
  */
314
  public function update_options_for_advanced() {
 
315
  check_ajax_referer( '_breeze_save_options', 'security' );
316
  set_as_network_screen();
317
 
@@ -359,6 +364,7 @@ class Breeze_Configuration {
359
  * @since 2.0.0
360
  */
361
  public function update_options_for_heartbeat() {
 
362
  check_ajax_referer( '_breeze_save_options', 'security' );
363
  set_as_network_screen();
364
 
@@ -408,6 +414,7 @@ class Breeze_Configuration {
408
  * @since 2.0.0
409
  */
410
  public function update_options_for_cdn() {
 
411
  check_ajax_referer( '_breeze_save_options', 'security' );
412
  set_as_network_screen();
413
 
@@ -491,6 +498,7 @@ class Breeze_Configuration {
491
  * @since 2.0.0
492
  */
493
  public function update_options_for_inherit() {
 
494
  // Does not have anything to save.
495
  check_ajax_referer( 'breeze_inherit_settings', 'security' );
496
 
@@ -1139,6 +1147,7 @@ class Breeze_Configuration {
1139
  *
1140
  */
1141
  public static function breeze_ajax_clean_cache() {
 
1142
  //check security nonce
1143
  check_ajax_referer( '_breeze_purge_cache', 'security' );
1144
  $result = self::breeze_clean_cache();
@@ -1151,6 +1160,7 @@ class Breeze_Configuration {
1151
  * Ajax purge varnish
1152
  */
1153
  public static function purge_varnish_action() {
 
1154
  //check security
1155
  check_ajax_referer( '_breeze_purge_varnish', 'security' );
1156
 
@@ -1164,6 +1174,7 @@ class Breeze_Configuration {
1164
  * Ajax purge database
1165
  */
1166
  public static function breeze_ajax_purge_database() {
 
1167
  //check security
1168
  check_ajax_referer( '_breeze_purge_database', 'security' );
1169
 
40
  }
41
 
42
  public function update_options_for_varnish() {
43
+ breeze_is_restricted_access();
44
  check_ajax_referer( '_breeze_save_options', 'security' );
45
  set_as_network_screen();
46
 
77
  * @since 2.0.0
78
  */
79
  public function update_options_for_basic() {
80
+ breeze_is_restricted_access();
81
  check_ajax_referer( '_breeze_save_options', 'security' );
82
  set_as_network_screen();
83
 
157
  * @since 2.0.0
158
  */
159
  public function update_options_for_file() {
160
+ breeze_is_restricted_access();
161
  check_ajax_referer( '_breeze_save_options', 'security' );
162
 
163
  set_as_network_screen();
249
  * @since 2.0.0
250
  */
251
  public function update_options_for_preload() {
252
+ breeze_is_restricted_access();
253
  check_ajax_referer( '_breeze_save_options', 'security' );
254
  set_as_network_screen();
255
 
316
  * @since 2.0.0
317
  */
318
  public function update_options_for_advanced() {
319
+ breeze_is_restricted_access();
320
  check_ajax_referer( '_breeze_save_options', 'security' );
321
  set_as_network_screen();
322
 
364
  * @since 2.0.0
365
  */
366
  public function update_options_for_heartbeat() {
367
+ breeze_is_restricted_access();
368
  check_ajax_referer( '_breeze_save_options', 'security' );
369
  set_as_network_screen();
370
 
414
  * @since 2.0.0
415
  */
416
  public function update_options_for_cdn() {
417
+ breeze_is_restricted_access();
418
  check_ajax_referer( '_breeze_save_options', 'security' );
419
  set_as_network_screen();
420
 
498
  * @since 2.0.0
499
  */
500
  public function update_options_for_inherit() {
501
+ breeze_is_restricted_access();
502
  // Does not have anything to save.
503
  check_ajax_referer( 'breeze_inherit_settings', 'security' );
504
 
1147
  *
1148
  */
1149
  public static function breeze_ajax_clean_cache() {
1150
+ breeze_is_restricted_access();
1151
  //check security nonce
1152
  check_ajax_referer( '_breeze_purge_cache', 'security' );
1153
  $result = self::breeze_clean_cache();
1160
  * Ajax purge varnish
1161
  */
1162
  public static function purge_varnish_action() {
1163
+ breeze_is_restricted_access();
1164
  //check security
1165
  check_ajax_referer( '_breeze_purge_varnish', 'security' );
1166
 
1174
  * Ajax purge database
1175
  */
1176
  public static function breeze_ajax_purge_database() {
1177
+ breeze_is_restricted_access();
1178
  //check security
1179
  check_ajax_referer( '_breeze_purge_database', 'security' );
1180
 
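Review bot: The gate added at the top of every `update_options_for_*` handler is `manage_options`, which on multisite is held by each per-site administrator, yet the same handlers go on to call `set_as_network_screen()` and therefore appear to be able to write network-level settings; if that helper selects the network level from a request parameter (its body is not in these hunks), an administrator of one subsite could change Breeze options for the whole network. Where the request is resolved to the network level, add a second check such as `if ( is_multisite() && ! current_user_can( 'manage_network_options' ) ) { wp_die( '', '', array( 'response' => 403 ) ); }`. Calling `breeze_is_restricted_access()` before `check_ajax_referer()` is fine, but note that a refused request now ends with a bare 403 and an empty body, which the admin JavaScript has nothing to show for; `wp_die()` with a message would give it something. Each handler's body continues past the hunk, so later per-field validation could not be reviewed here.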
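--- a/inc/compatibility/class-breeze-shortpixel-compatibility.php
+++ b/inc/compatibility/class-breeze-shortpixel-compatibility.php
@@ -29,15 +29,16 @@ if ( ! class_exists( 'Breeze_Shortpixel_Compatibility' ) ) {
 
 
  public function clear_breeze_cache() {
- $data = $_POST['data'];
-
- $action = isset( $data['action'] ) ? $data['action'] : null;
- // Clear LQIP cache and Clear CSS cache.
- if ( 'clear lqip cache' === $action || 'clear css cache' === $action ) {
- $this->clear_all_breeze_cache();
+ if ( false === breeze_is_restricted_access( true ) ) {
+ $data = $_POST['data'];
+
+ $action = isset( $data['action'] ) ? $data['action'] : null;
+ // Clear LQIP cache and Clear CSS cache.
+ if ( 'clear lqip cache' === $action || 'clear css cache' === $action ) {
+ $this->clear_all_breeze_cache();
+ }
  }
 
-
  }
 
  public function clear_all_breeze_cache() {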
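Review bot: `$_POST['data']` is still read without an `isset()`/`is_array()` guard on the new line 33, so a request without that field raises an undefined-index notice and a scalar value turns `$data['action']` into a string-offset access (a warning or, on PHP 8, a TypeError depending on the value). Replace it with `$data = ( isset( $_POST['data'] ) && is_array( $_POST['data'] ) ) ? wp_unslash( $_POST['data'] ) : array();` and the existing `isset( $data['action'] )` then behaves. There is no nonce check in this method; if it is hooked onto ShortPixel's own AJAX action, that plugin's `check_ajax_referer()` presumably runs first, but nothing in this hunk confirms it, so a comment naming the hook and the nonce it relies on would help the next reader. Silently doing nothing for non-administrators is acceptable here since the caller owns the HTTP response.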
inc/functions.php CHANGED
@@ -45,7 +45,7 @@ function breeze_get_cache_base_path( $is_network = false, $blog_id_requested = 0
45
  $path .= abs( intval( $blog_id ) ) . DIRECTORY_SEPARATOR;
46
  }
47
  } else {
48
- $path = rtrim( WP_CONTENT_DIR, '/\\' ) . '/cache/breeze/';
49
  $path .= abs( intval( $blog_id_requested ) ) . DIRECTORY_SEPARATOR;
50
  }
51
  } else {
@@ -276,6 +276,54 @@ function breeze_auth_cookie_set_init() {
276
  }
277
  }
278
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
279
 
280
  function breeze_which_role_folder( $hash = '' ) {
281
  if ( empty( $hash ) ) {
45
  $path .= abs( intval( $blog_id ) ) . DIRECTORY_SEPARATOR;
46
  }
47
  } else {
48
+ $path = rtrim( WP_CONTENT_DIR, '/\\' ) . '/cache/breeze/';
49
  $path .= abs( intval( $blog_id_requested ) ) . DIRECTORY_SEPARATOR;
50
  }
51
  } else {
276
  }
277
  }
278
 
279
+ /**
280
+ * Checks the current used data and decide to restrict certain actions
281
+ * or allow them. ( Such as saving breeze options )
282
+ *
283
+ * If $bool_response is true, then you should restrict an action.
284
+ *
285
+ * @see https://wordpress.org/support/article/roles-and-capabilities/#administrator
286
+ * Only administrators have manage_options capability by default.
287
+ *
288
+ * @param bool $bool_response If false it throws the forbidden header, if true it will respond with true/false.
289
+ *
290
+ * @return bool|void
291
+ * @since 2.0.3
292
+ */
293
+ function breeze_is_restricted_access( $bool_response = false ) {
294
+ // User not authenticated can't change anything.
295
+ if ( ! is_user_logged_in() ) {
296
+ if ( false === $bool_response ) {
297
+ header( 'Status: 403 Forbidden' );
298
+ header( 'HTTP/1.1 403 Forbidden' );
299
+ exit;
300
+ } else {
301
+ return true;//restrict the access.
302
+ }
303
+ }
304
+
305
+ // $user = wp_get_current_user();
306
+ // $allowed_roles = array( 'administrator' );
307
+ // ! array_intersect( $allowed_roles, $user->roles ) ||
308
+
309
+ // Only allow administrators to handle Breeze data.
310
+ // Manage Options is a capability only allowed to administrators by default.
311
+ // Can be given to other users, but they do not have it by default.
312
+ if ( ! current_user_can( 'manage_options' ) ) {
313
+ if ( false === $bool_response ) {
314
+ header( 'Status: 403 Forbidden' );
315
+ header( 'HTTP/1.1 403 Forbidden' );
316
+ exit;
317
+ } else {
318
+ return true;//restrict the access.
319
+ }
320
+
321
+ }
322
+
323
+ if ( true === $bool_response ) {
324
+ return false; // Do not restrict.
325
+ }
326
+ }
327
 
328
  function breeze_which_role_folder( $hash = '' ) {
329
  if ( empty( $hash ) ) {
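Review bot: `breeze_is_restricted_access()` repeats the 403-and-exit code in two branches and returns either a `bool` or nothing depending on `$bool_response`, which is why every caller has to read `false === breeze_is_restricted_access( true )` as "allowed"; the `is_user_logged_in()` branch is redundant because `current_user_can()` is already false for anonymous users, and the commented-out role code at lines 305-307 should be deleted rather than kept as a hint. The raw `header( 'HTTP/1.1 403 Forbidden' )` hard-codes the protocol version and bypasses WordPress's AJAX die handler; `wp_die()` with `array( 'response' => 403 )` sets the status through `status_header()` and chooses the right handler for admin-ajax requests. The docblock should also say that on multisite `manage_options` is held by every per-site administrator, so this gate alone does not separate site-level from network-level changes. A rewrite with the same signature and call semantics:

```php
function breeze_is_restricted_access( $bool_response = false ) {
	// current_user_can() is false for anonymous users, so one check covers both cases.
	$is_restricted = ! current_user_can( 'manage_options' );

	if ( true === $bool_response ) {
		return $is_restricted; // true means: restrict the action.
	}

	if ( $is_restricted ) {
		// wp_die() selects the AJAX/HTML handler for the current request and sets the status.
		wp_die( esc_html__( 'Sorry, you are not allowed to do that.', 'breeze' ), '', array( 'response' => 403 ) );
	}
}
```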
inc/plugin-incompatibility/class-breeze-incompatibility-plugins.php CHANGED
@@ -45,9 +45,12 @@ if ( ! class_exists( 'Breeze_Incompatibility_Plugins' ) ) {
45
 
46
  public function compatibility_warning_close() {
47
  $response = array();
48
- $response['success'] = true;
49
- update_option( 'breeze_hide_notice', 'yes', 'no' );
50
-
 
 
 
51
  wp_send_json( $response );
52
  }
53
 
@@ -182,11 +185,11 @@ if ( ! class_exists( 'Breeze_Incompatibility_Plugins' ) ) {
182
  }
183
  // Build data for the notice HTML
184
  $final_list[] = array(
185
- 'warning_message' => $message,
186
- 'safe_version_message' => ( ! empty( trim( $details['safe_version_message'] ) ) ? $details['safe_version_message'] : '' ),
187
  'display_deactivate_button' => $show_deactivate,
188
- 'deactivate_url' => wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . urlencode( $plugin ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin ),
189
- 'is_network_only' => $network_only_text,
190
  );
191
 
192
  }
@@ -267,79 +270,79 @@ if ( ! class_exists( 'Breeze_Incompatibility_Plugins' ) ) {
267
  * If warning_version has the value -1, the compare_sign will be ignored.
268
  * Current version of installed plugin compared to warning_version
269
  */
270
- 'w3-total-cache/w3-total-cache.php' => array(
271
  'warning_message' => '',
272
  'warning_version' => - 1,
273
  'compare_sign' => '>',
274
  'safe_version_message' => '',
275
  ),
276
- 'wp-super-cache/wp-cache.php' => array(
277
  'warning_message' => '',
278
  'warning_version' => - 1,
279
  'compare_sign' => '>',
280
  'safe_version_message' => '',
281
  ),
282
- 'litespeed-cache/litespeed-cache.php' => array(
283
  'warning_message' => '',
284
  'warning_version' => '2.0',
285
  'compare_sign' => '>=', // Current version of installed plugin compared to warning_version
286
  'safe_version_message' => 'Version (1.0 - 1.9) are compatible.',
287
  ),
288
- 'quick-cache/quick-cache.php' => array(
289
  'warning_message' => '',
290
  'warning_version' => - 1,
291
  'compare_sign' => '>',
292
  'safe_version_message' => '',
293
  ),
294
- 'hyper-cache/plugin.php' => array(
295
  'warning_message' => '',
296
  'warning_version' => - 1,
297
  'compare_sign' => '>',
298
  'safe_version_message' => '',
299
  ),
300
- 'hyper-cache-extended/plugin.php' => array(
301
  'warning_message' => '',
302
  'warning_version' => - 1,
303
  'compare_sign' => '>',
304
  'safe_version_message' => '',
305
  ),
306
- 'wp-fast-cache/wp-fast-cache.php' => array(
307
  'warning_message' => '',
308
  'warning_version' => - 1,
309
  'compare_sign' => '>',
310
  'safe_version_message' => '',
311
  ),
312
- 'flexicache/wp-plugin.php' => array(
313
  'warning_message' => '',
314
  'warning_version' => - 1,
315
  'compare_sign' => '>',
316
  'safe_version_message' => '',
317
  ),
318
- 'wp-fastest-cache/wpFastestCache.php' => array(
319
  'warning_message' => '',
320
  'warning_version' => - 1,
321
  'compare_sign' => '>',
322
  'safe_version_message' => '',
323
  ),
324
- 'lite-cache/plugin.php' => array(
325
  'warning_message' => '',
326
  'warning_version' => - 1,
327
  'compare_sign' => '>',
328
  'safe_version_message' => '',
329
  ),
330
- 'gator-cache/gator-cache.php' => array(
331
  'warning_message' => '',
332
  'warning_version' => - 1,
333
  'compare_sign' => '>',
334
  'safe_version_message' => '',
335
  ),
336
- 'wp-http-compression/wp-http-compression.php' => array(
337
  'warning_message' => '',
338
  'warning_version' => - 1,
339
  'compare_sign' => '>',
340
  'safe_version_message' => '',
341
  ),
342
- 'wordpress-gzip-compression/ezgz.php' => array(
343
  'warning_message' => '',
344
  'warning_version' => - 1,
345
  'compare_sign' => '>',
@@ -351,7 +354,7 @@ if ( ! class_exists( 'Breeze_Incompatibility_Plugins' ) ) {
351
  'compare_sign' => '>',
352
  'safe_version_message' => '',
353
  ),
354
- 'speed-booster-pack/speed-booster-pack.php' => array(
355
  'warning_message' => '',
356
  'warning_version' => - 1,
357
  'compare_sign' => '>',
45
 
46
  public function compatibility_warning_close() {
47
  $response = array();
48
+ $response['success'] = false;
49
+ // Only administrator can close this notice.
50
+ if ( false === breeze_is_restricted_access( true ) ) {
51
+ $response['success'] = true;
52
+ update_option( 'breeze_hide_notice', 'yes', 'no' );
53
+ }
54
  wp_send_json( $response );
55
  }
56
 
185
  }
186
  // Build data for the notice HTML
187
  $final_list[] = array(
188
+ 'warning_message' => $message,
189
+ 'safe_version_message' => ( ! empty( trim( $details['safe_version_message'] ) ) ? $details['safe_version_message'] : '' ),
190
  'display_deactivate_button' => $show_deactivate,
191
+ 'deactivate_url' => wp_nonce_url( 'plugins.php?action=deactivate&plugin=' . urlencode( $plugin ) . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'deactivate-plugin_' . $plugin ),
192
+ 'is_network_only' => $network_only_text,
193
  );
194
 
195
  }
270
  * If warning_version has the value -1, the compare_sign will be ignored.
271
  * Current version of installed plugin compared to warning_version
272
  */
273
+ 'w3-total-cache/w3-total-cache.php' => array(
274
  'warning_message' => '',
275
  'warning_version' => - 1,
276
  'compare_sign' => '>',
277
  'safe_version_message' => '',
278
  ),
279
+ 'wp-super-cache/wp-cache.php' => array(
280
  'warning_message' => '',
281
  'warning_version' => - 1,
282
  'compare_sign' => '>',
283
  'safe_version_message' => '',
284
  ),
285
+ 'litespeed-cache/litespeed-cache.php' => array(
286
  'warning_message' => '',
287
  'warning_version' => '2.0',
288
  'compare_sign' => '>=', // Current version of installed plugin compared to warning_version
289
  'safe_version_message' => 'Version (1.0 - 1.9) are compatible.',
290
  ),
291
+ 'quick-cache/quick-cache.php' => array(
292
  'warning_message' => '',
293
  'warning_version' => - 1,
294
  'compare_sign' => '>',
295
  'safe_version_message' => '',
296
  ),
297
+ 'hyper-cache/plugin.php' => array(
298
  'warning_message' => '',
299
  'warning_version' => - 1,
300
  'compare_sign' => '>',
301
  'safe_version_message' => '',
302
  ),
303
+ 'hyper-cache-extended/plugin.php' => array(
304
  'warning_message' => '',
305
  'warning_version' => - 1,
306
  'compare_sign' => '>',
307
  'safe_version_message' => '',
308
  ),
309
+ 'wp-fast-cache/wp-fast-cache.php' => array(
310
  'warning_message' => '',
311
  'warning_version' => - 1,
312
  'compare_sign' => '>',
313
  'safe_version_message' => '',
314
  ),
315
+ 'flexicache/wp-plugin.php' => array(
316
  'warning_message' => '',
317
  'warning_version' => - 1,
318
  'compare_sign' => '>',
319
  'safe_version_message' => '',
320
  ),
321
+ 'wp-fastest-cache/wpFastestCache.php' => array(
322
  'warning_message' => '',
323
  'warning_version' => - 1,
324
  'compare_sign' => '>',
325
  'safe_version_message' => '',
326
  ),
327
+ 'lite-cache/plugin.php' => array(
328
  'warning_message' => '',
329
  'warning_version' => - 1,
330
  'compare_sign' => '>',
331
  'safe_version_message' => '',
332
  ),
333
+ 'gator-cache/gator-cache.php' => array(
334
  'warning_message' => '',
335
  'warning_version' => - 1,
336
  'compare_sign' => '>',
337
  'safe_version_message' => '',
338
  ),
339
+ 'wp-http-compression/wp-http-compression.php' => array(
340
  'warning_message' => '',
341
  'warning_version' => - 1,
342
  'compare_sign' => '>',
343
  'safe_version_message' => '',
344
  ),
345
+ 'wordpress-gzip-compression/ezgz.php' => array(
346
  'warning_message' => '',
347
  'warning_version' => - 1,
348
  'compare_sign' => '>',
354
  'compare_sign' => '>',
355
  'safe_version_message' => '',
356
  ),
357
+ 'speed-booster-pack/speed-booster-pack.php' => array(
358
  'warning_message' => '',
359
  'warning_version' => - 1,
360
  'compare_sign' => '>',
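Review bot: `compatibility_warning_close()` now checks the capability but still verifies no nonce, so an administrator can be made to dismiss the incompatibility notice through a cross-site request, and a refused request is answered with HTTP 200 and `{"success":false}`. Add `check_ajax_referer( 'breeze_hide_notice', 'security' );` at the top (the matching `wp_create_nonce()` has to be localized where the notice script is enqueued, which is outside this diff) and call `status_header( 403 );` before `wp_send_json( $response )` on the refused path so the client sees the rejection without parsing the body. The remaining hunks in this file (the plugin list at lines 273-357) are alignment-only changes and need no review.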
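--- a/inc/wp-cli/class-breeze-settings-import-export.php
+++ b/inc/wp-cli/class-breeze-settings-import-export.php
@@ -93,6 +93,7 @@ class Breeze_Settings_Import_Export {
  * @access public
  */
  public function export_json_settings() {
+ breeze_is_restricted_access();
  $level = '';
  if ( is_multisite() ) {
  $level = ( isset( $_GET['network_level'] ) ) ? $_GET['network_level'] : '';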
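Review bot: `breeze_is_restricted_access()` sends a 403 and calls `exit` when no user is logged in, so if `export_json_settings()` is also invoked from the WP-CLI command that the `inc/wp-cli/` path suggests, the export will die silently under CLI, where there is no current user unless `--user` is passed. Guard the HTTP check, e.g. `if ( ! ( defined( 'WP_CLI' ) && WP_CLI ) ) { breeze_is_restricted_access(); }`, or keep the HTTP entry point in a separate method. The HTTP path also has no nonce and uses `$_GET['network_level']` as-is; what is done with `$level` continues past this hunk, but a `check_admin_referer()` and restricting `$level` to the values the exporter actually expects would close both gaps. The method's body continues outside the hunk.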
readme.txt CHANGED
@@ -3,7 +3,7 @@ Contributors: Cloudways
3
  Tags: cache,caching, performance, wp-cache, cdn, combine, compress, speed plugin, database cache,gzip, http compression, js cache, minify, optimize, page cache, performance, speed, expire headers
4
  Requires at least: 4.5
5
  Tested up to: 5.8
6
- Stable tag: 2.0.2
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
@@ -145,6 +145,13 @@ Using Gzip, Breeze compresses the request files, further reducing the size of th
145
 
146
  == Changelog ==
147
 
 
 
 
 
 
 
 
148
  = 2.0.2 =
149
 
150
  * Fix: Atarim - Client Interface Plugin conflict with UI of Breeze in the admin area.
3
  Tags: cache,caching, performance, wp-cache, cdn, combine, compress, speed plugin, database cache,gzip, http compression, js cache, minify, optimize, page cache, performance, speed, expire headers
4
  Requires at least: 4.5
5
  Tested up to: 5.8
6
+ Stable tag: 2.0.3
7
  License: GPLv2 or later
8
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
 
145
 
146
  == Changelog ==
147
 
148
+ = 2.0.3 =
149
+
150
+ * Fix:All ajax actions are now restricted to the users that have manage_options capabilities. Vulnerability discovered from patchstack team.
151
+ * Fix: Administrator has only capable to handle manage_options by default.
152
+ * Fix: Added restriction to option-tabs-loader.php, if the user does not have manage_options capability, then the tabs will not load.
153
+
154
+
155
  = 2.0.2 =
156
 
157
  * Fix: Atarim - Client Interface Plugin conflict with UI of Breeze in the admin area.
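--- a/views/option-tabs-loader.php
+++ b/views/option-tabs-loader.php
@@ -25,8 +25,8 @@ class Breeze_Tab_Loader {
 
  $requested_tab = $_GET['request_tab'];
 
- if ( ! in_array( $requested_tab, $accepted_tabs, true ) ) {
- echo '<h3>The requested tab does not exist</h3>';
+ if ( ! in_array( $requested_tab, $accepted_tabs, true ) || true === breeze_is_restricted_access( true ) ) {
+ die( '<h3>The requested tab does not exist</h3>' );
  }
  ob_start();
  Breeze_Admin::render( $requested_tab );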
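Review bot: `$_GET['request_tab']` is still read without `isset()` on line 26, so a request without the parameter emits an undefined-index notice before the whitelist check runs, and the `die()` on line 29 sends the rejection with HTTP 200. Suggest `$requested_tab = isset( $_GET['request_tab'] ) ? wp_unslash( $_GET['request_tab'] ) : '';` (the strict `in_array()` against `$accepted_tabs` already rejects anything outside the whitelist, arrays included) and `wp_die( '<h3>The requested tab does not exist</h3>', '', array( 'response' => 403 ) );`. Switching from `echo` to `die()` is a real fix, since previously `Breeze_Admin::render()` was still reached for an unknown tab. Returning the same message for an unknown tab and for an unauthorized user is reasonable because it does not reveal which tab names exist; the enclosing method of `Breeze_Tab_Loader` starts outside the hunk.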