Email Subscribers & Newsletters - Version 5.5.3

Version Description

Fix: CSV injection while exporting Subscribers


Code changes from version 5.5.2 to 5.5.3

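--- a/email-subscribers.php
+++ b/email-subscribers.php
@@ -3,7 +3,7 @@
  * Plugin Name: Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin
  * Plugin URI: https://www.icegram.com/
  * Description: Add subscription forms on website, send HTML newsletters & automatically notify subscribers about new blog posts once it is published.
- * Version: 5.5.2
+ * Version: 5.5.3
  * Author: Icegram
  * Author URI: https://www.icegram.com/
  * Requires at least: 3.9
@@ -187,7 +187,7 @@ if ( 'premium' === $ig_es_plan ) {
  /* ***************************** Initial Compatibility Work (End) ******************* */
 
  if ( ! defined( 'ES_PLUGIN_VERSION' ) ) {
- define( 'ES_PLUGIN_VERSION', '5.5.2' );
+ define( 'ES_PLUGIN_VERSION', '5.5.3' );
  }
 
  // Plugin Folder Path.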
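--- a/lite/includes/classes/class-es-export-subscribers.php
+++ b/lite/includes/classes/class-es-export-subscribers.php
@@ -97,22 +97,14 @@ class Export_Subscribers {
  'all' => __( 'All contacts', 'email-subscribers' ),
  'subscribed' => __( 'Subscribed contacts', 'email-subscribers' ),
  'unsubscribed' => __( 'Unsubscribed contacts', 'email-subscribers' ),
- // 'confirmed' => __( 'Confirmed Contacts', 'email-subscribers' ),
  'unconfirmed' => __( 'Unconfirmed contacts', 'email-subscribers' ),
  'select_list' => $list_dropdown_html,
  );
 
  $i = 1;
+ $export_nonce = wp_create_nonce( 'ig-es-subscriber-export-nonce' );
  foreach ( $export_lists as $key => $export_list ) {
- /*
- $class = '';
- if ( $i % 2 === 0 ) {
- $class = 'alternate';
- }*/
-
- $export_nonce = wp_create_nonce( 'ig-es-subscriber-export-nonce' );
- $url = "admin.php?page=download_report&report=users&status={$key}&export-nonce={$export_nonce}";
-
+ $url = "admin.php?page=download_report&report=users&status={$key}&export-nonce={$export_nonce}";
  ?>
 
  <tr class="border-b text-sm font-normal text-gray-700 border-gray-200" id="ig_es_export_<?php echo esc_attr( $key ); ?>">
@@ -348,9 +340,10 @@ class Export_Subscribers {
 
  foreach ( $subscribers as $key => $subscriber ) {
 
- $data['first_name'] = trim( str_replace( '"', '""', $subscriber['first_name'] ) );
- $data['last_name'] = trim( str_replace( '"', '""', $subscriber['last_name'] ) );
- $data['email'] = trim( str_replace( '"', '""', $subscriber['email'] ) );
+ $data = array();
+ $data['first_name'] = trim( str_replace( '"', '""', $this->escape_data( $subscriber['first_name'] ) ) );
+ $data['last_name'] = trim( str_replace( '"', '""', $this->escape_data( $subscriber['last_name'] ) ) );
+ $data['email'] = trim( str_replace( '"', '""', $this->escape_data( $subscriber['email'] ) ) );
 
  $contact_id = $subscriber['id'];
  if ( ! empty( $contact_list_map[ $contact_id ] ) ) {
@@ -369,5 +362,31 @@ class Export_Subscribers {
  return $csv_output;
  }
 
+ /**
+ * Escape a string to be used in a CSV context
+ *
+ * Malicious input can inject formulas into CSV files, opening up the possibility
+ * for phishing attacks and disclosure of sensitive information.
+ *
+ * Additionally, Excel exposes the ability to launch arbitrary commands through
+ * the DDE protocol.
+ *
+ * @see http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
+ * @see https://hackerone.com/reports/72785
+ *
+ * @since 5.5.3
+ * @param string $data CSV field to escape.
+ * @return string
+ */
+ public function escape_data( $data ) {
+ $active_content_triggers = array( '=', '+', '-', '@' );
+
+ if ( in_array( mb_substr( $data, 0, 1 ), $active_content_triggers, true ) ) {
+ $data = "'" . $data;
+ }
+
+ return $data;
+ }
+
  }
 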
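Review bot: In the second hunk, `escape_data()` is applied before `trim()` on the three assignments at new lines 344–346, so a stored value whose first character is whitespace followed by `=`, `+`, `-` or `@` passes the helper untouched and then has that whitespace stripped, leaving the trigger character at the start of the written cell. Apply the helper last, e.g. `$data['first_name'] = $this->escape_data( trim( str_replace( '"', '""', $subscriber['first_name'] ) ) );`, and the same for `last_name` and `email`. The docblock on `escape_data()` promises a `string` argument but nothing casts it, so a null column would reach `mb_substr()` (deprecated on PHP 8.1+); a `$data = (string) $data;` at the top of the helper would close that. The list name and the other columns assembled into the same row are outside this hunk and are presumably not passed through the helper — worth confirming, since the quote-prefix approach only helps for fields that go through it. The enclosing export method begins before the hunk and the `$csv_output` assembly it feeds lies outside it.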
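--- a/lite/languages/email-subscribers.pot
+++ b/lite/languages/email-subscribers.pot
@@ -2,14 +2,14 @@
  # This file is distributed under the same license as the Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin plugin.
  msgid ""
  msgstr ""
- "Project-Id-Version: Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin 5.5.2\n"
+ "Project-Id-Version: Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin 5.5.3\n"
  "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/email-subscribers\n"
  "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
  "Language-Team: LANGUAGE <LL@li.org>\n"
  "MIME-Version: 1.0\n"
  "Content-Type: text/plain; charset=UTF-8\n"
  "Content-Transfer-Encoding: 8bit\n"
- "POT-Creation-Date: 2022-12-07T19:27:59+01:00\n"
+ "POT-Creation-Date: 2022-12-14T05:55:03+01:00\n"
  "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
  "X-Generator: WP-CLI 2.4.0\n"
  "X-Domain: email-subscribers\n"
@@ -659,7 +659,7 @@ msgstr ""
  #: lite/includes/classes/class-es-admin-settings.php:241
  #: lite/includes/classes/class-es-campaign-report.php:436
  #: lite/includes/classes/class-es-contacts-table.php:838
- #: lite/includes/classes/class-es-export-subscribers.php:339
+ #: lite/includes/classes/class-es-export-subscribers.php:331
  #: lite/includes/classes/class-es-import-subscribers.php:587
  #: lite/includes/classes/class-es-import-subscribers.php:681
  #: lite/includes/classes/class-es-import-subscribers.php:1102
@@ -1533,7 +1533,7 @@ msgstr ""
  #: lite/admin/partials/help.php:237
  #: lite/includes/classes/class-es-campaign-report.php:437
  #: lite/includes/classes/class-es-campaigns-table.php:631
- #: lite/includes/classes/class-es-export-subscribers.php:341
+ #: lite/includes/classes/class-es-export-subscribers.php:333
  #: lite/includes/classes/class-es-import-subscribers.php:690
  #: lite/includes/classes/class-es-import-subscribers.php:1353
  #: lite/includes/classes/class-es-reports-table.php:325
@@ -3046,7 +3046,7 @@ msgstr ""
 
  #: lite/includes/classes/class-es-contacts-table.php:142
  #: lite/includes/classes/class-es-export-subscribers.php:72
- #: lite/includes/classes/class-es-export-subscribers.php:162
+ #: lite/includes/classes/class-es-export-subscribers.php:154
  msgid "Export Contacts"
  msgstr ""
 
@@ -3122,7 +3122,7 @@ msgid "Please enter valid email address"
  msgstr ""
 
  #: lite/includes/classes/class-es-contacts-table.php:592
- #: lite/includes/classes/class-es-export-subscribers.php:157
+ #: lite/includes/classes/class-es-export-subscribers.php:149
  #: lite/includes/classes/class-es-handle-sync-wp-user.php:216
  #: lite/includes/classes/class-es-import-subscribers.php:409
  #: lite/includes/classes/class-es-lists-table.php:83
@@ -3315,15 +3315,15 @@ msgstr ""
  msgid "Unsubscribed contacts"
  msgstr ""
 
- #: lite/includes/classes/class-es-export-subscribers.php:101
+ #: lite/includes/classes/class-es-export-subscribers.php:100
  msgid "Unconfirmed contacts"
  msgstr ""
 
- #: lite/includes/classes/class-es-export-subscribers.php:263
+ #: lite/includes/classes/class-es-export-subscribers.php:255
  msgid "Export the Subscribers"
  msgstr ""
 
- #: lite/includes/classes/class-es-export-subscribers.php:337
+ #: lite/includes/classes/class-es-export-subscribers.php:329
  #: lite/includes/classes/class-es-import-subscribers.php:588
  #: lite/includes/classes/class-es-import-subscribers.php:682
  #: lite/includes/classes/class-es-import-subscribers.php:1094
@@ -3332,7 +3332,7 @@ msgstr ""
  msgid "First Name"
  msgstr ""
 
- #: lite/includes/classes/class-es-export-subscribers.php:338
+ #: lite/includes/classes/class-es-export-subscribers.php:330
  #: lite/includes/classes/class-es-import-subscribers.php:589
  #: lite/includes/classes/class-es-import-subscribers.php:683
  #: lite/includes/classes/class-es-import-subscribers.php:1099
@@ -3341,7 +3341,7 @@ msgstr ""
  msgid "Last Name"
  msgstr ""
 
- #: lite/includes/classes/class-es-export-subscribers.php:340
+ #: lite/includes/classes/class-es-export-subscribers.php:332
  #: lite/includes/classes/class-es-lists-table.php:33
  #: lite/includes/compatibilities/elementor/actions/class-es-ig-form-action.php:51
  #: lite/includes/workflows/actions/class-es-action-add-to-list.php:31
@@ -3351,11 +3351,11 @@ msgstr ""
  msgid "List"
  msgstr ""
 
- #: lite/includes/classes/class-es-export-subscribers.php:342
+ #: lite/includes/classes/class-es-export-subscribers.php:334
  msgid "Opt-In Type"
  msgstr ""
 
- #: lite/includes/classes/class-es-export-subscribers.php:343
+ #: lite/includes/classes/class-es-export-subscribers.php:335
  msgid "Created On"
  msgstr ""
 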
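--- a/readme.txt
+++ b/readme.txt
@@ -6,7 +6,7 @@ Tags: email marketing, subscription, autoresponder, post notification, welcome e
  Requires at least: 3.9
  Tested up to: 6.1.1
  Requires PHP: 5.6
- Stable tag: 5.5.2
+ Stable tag: 5.5.3
  License: GPLv3
  License URI: http://www.gnu.org/licenses
 
@@ -310,13 +310,16 @@ Refer [here](https://www.icegram.com/documentation/es-faq/).
 
  == Upgrade Notice ==
 
- = 5.5.2 =
+ = 5.5.3 =
 
- * New: Added option to automatically delete unconfirmed subscribers [PRO]
- * Fix: Incorrect remaining emails count show when sending campaigns manually
+ Fix: CSV injection while exporting Subscribers
 
  == Changelog ==
 
+ **5.5.3 (14.12.2022)**
+
+ Fix: CSV injection while exporting Subscribers
+
  **5.5.2 (08.12.2022)**
 
  * New: Added option to automatically delete unconfirmed subscribers [PRO]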