Contact Form Email - Version 1.2.66

Version Description

  • Improved security in custom edition area (XSS and CSRF)

Release Info

Developer codepeople
Version 1.2.66

Code changes from version 1.2.65 to 1.2.66

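--- a/README.txt
+++ b/README.txt
@@ -454,6 +454,9 @@ When you click a field already added into the contact form builder area, you can
 
  == Changelog ==
 
+ = 1.2.66 =
+ * Improved security in custom edition area (XSS and CSRF)
+
  = 1.2.65 =
  * Fixed conflict with third party plugins
 
@@ -956,5 +959,5 @@ When you click a field already added into the contact form builder area, you can
 
  == Upgrade Notice ==
 
- = 1.2.65 =
- * Fixed conflict with third party plugins
+ = 1.2.66 =
+ * Improved security in custom edition area (XSS and CSRF)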
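--- a/cp-main-class.inc.php
+++ b/cp-main-class.inc.php
@@ -828,6 +828,13 @@ class CP_ContactFormToEmail extends CP_CFTEMAIL_BaseClass {
 
  function save_edition()
  {
+ $verify_nonce = wp_verify_nonce( $_POST['rsave'], 'cfte_update_actions_custom');
+ if (!$verify_nonce)
+ {
+ echo 'Error: Form cannot be authenticated. Please contact our <a href="https://form2email.dwbooster.com/contact-us">support service</a> for verification and solution. Thank you.';
+ return;
+ }
+
  foreach ($_POST as $item => $value)
  if (!is_array($value))
  $_POST[$item] = stripcslashes($value);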
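Review bot: `$_POST['rsave']` is read without an existence check on the first added line, so a request that omits the field raises an undefined-index notice before wp_verify_nonce rejects it; read it as `$nonce = isset($_POST['rsave']) ? $_POST['rsave'] : '';` and pass that in. The failure branch echoes an error and returns, whereas the WordPress convention is to stop the request with `wp_die()` (or to replace the whole block with `check_admin_referer( 'cfte_update_actions_custom', 'rsave' );`, which verifies and dies in one call), so nothing later in the request can treat the save as having happened. A valid nonce shows the request came from the edition form but says nothing about whether the user may save; if a `current_user_can()` check is not already made by the caller it belongs next to this one, which cannot be confirmed from the hunk. save_edition continues past the end of the hunk.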
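--- a/cp_admin_int_edition.inc.php
+++ b/cp_admin_int_edition.inc.php
@@ -19,6 +19,8 @@ if ($_GET["item"] == 'js')
  else if ($_GET["item"] == 'css')
  $saved_contents = base64_decode(get_option($cpid.'_CSS', ''));
 
+ $nonce = wp_create_nonce( 'cfte_update_actions_custom' );
+
  ?>
  <script>
  // Move to an external file
@@ -83,8 +85,8 @@ jQuery(function(){
 
  <form method="post" action="" name="cpformconf">
  <input name="<?php echo $cpid; ?>_post_edition" type="hidden" value="1" />
- <input name="cfwpp_edit" type="hidden" value="<?php echo $_GET["item"]; ?>" />
-
+ <input name="cfwpp_edit" type="hidden" value="<?php echo esc_attr($_GET["item"]); ?>" />
+ <input name="rsave" type="hidden" value="<?php echo $nonce; ?>" />
  <div id="normal-sortables" class="meta-box-sortables">
 
  <?php if ($_GET["item"] == 'css') { ?>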
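Review bot: The nonce on the new `rsave` hidden input is echoed unescaped, unlike the `cfwpp_edit` value right above it; `wp_nonce_field( 'cfte_update_actions_custom', 'rsave' );` emits the field already attribute-escaped and keeps the action name together with the verifier, or at minimum write `<?php echo esc_attr( $nonce ); ?>`. The `cfwpp_edit` value is now escaped for the attribute context, but `$_GET["item"]` is still reflected as an arbitrary string even though the visible comparisons accept only `'js'` and `'css'`; checking it against that list before it is echoed would narrow the surface more than escaping alone. `$nonce` is assigned in the first hunk of this file, outside the form markup shown in the second.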
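--- a/form-to-email.php
+++ b/form-to-email.php
@@ -3,7 +3,7 @@
  Plugin Name: Contact Form Email
  Plugin URI: https://form2email.dwbooster.com/download
  Description: Contact form that sends the data to email and also to a database list and CSV file.
- Version: 1.2.65
+ Version: 1.2.66
  Author: CodePeople
  Author URI: https://form2email.dwbooster.com
  Text Domain: contact-form-to-email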