Groups - Version 1.8.1

Version Description

  • Fixed potential XSS vulnerabilities related to unescaped use of $_SERVER['REQUEST_URI'] in some forms.

Release Info

Developer itthinx
Version 1.8.1

Code changes from version 1.8.0 to 1.8.1

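--- a/groups.php
+++ b/groups.php
@@ -21,7 +21,7 @@
  * Plugin Name: Groups
  * Plugin URI: http://www.itthinx.com/plugins/groups
  * Description: Groups provides group-based user membership management, group-based capabilities and content access control.
- * Version: 1.8.0
+ * Version: 1.8.1
  * Author: itthinx
  * Author URI: http://www.itthinx.com
  * Donate-Link: http://www.itthinx.com
@@ -30,7 +30,7 @@
  if ( !defined( 'ABSPATH' ) ) {
  exit;
  }
- define( 'GROUPS_CORE_VERSION', '1.8.0' );
+ define( 'GROUPS_CORE_VERSION', '1.8.1' );
  define( 'GROUPS_FILE', __FILE__ );
  if ( !defined( 'GROUPS_CORE_DIR' ) ) {
  define( 'GROUPS_CORE_DIR', untrailingslashit( plugin_dir_path( __FILE__ ) ) );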
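--- a/lib/admin/groups-admin-capabilities-add.php
+++ b/lib/admin/groups-admin-capabilities-add.php
@@ -52,7 +52,7 @@ function groups_admin_capabilities_add() {
  '</h2>' .
  '</div>' .
  Groups_Admin::render_messages() .
- '<form id="add-capability" action="' . $current_url . '" method="post">' .
+ '<form id="add-capability" action="' . esc_url( $current_url ) . '" method="post">' .
  '<div class="capability new">' .
 
  '<div class="field">' .
@@ -69,7 +69,7 @@ function groups_admin_capabilities_add() {
  wp_nonce_field( 'capabilities-add', GROUPS_ADMIN_GROUPS_NONCE, true, false ) .
  '<input class="button button-primary" type="submit" value="' . __( 'Add', GROUPS_PLUGIN_DOMAIN ) . '"/>' .
  '<input type="hidden" value="add" name="action"/>' .
- '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
+ '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
  '</div>' .
  '</div>' . // .capability.new
  '</form>' .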
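Review bot: `esc_url()` is the right escaper for the `action` and `href` attributes on the changed lines, but `$current_url` is assigned outside this hunk, so any other place groups_admin_capabilities_add() emits it that is not part of this diff remains unescaped and should be checked the same way; since the release notes say the value derives from `$_SERVER['REQUEST_URI']`, building it with `admin_url()` from the admin page's own slug instead of reflecting the request URI would remove the untrusted input altogether. The same observation applies to the hunks in groups-admin-capabilities-edit.php, groups-admin-capabilities-remove.php, groups-admin-groups-add.php, groups-admin-groups-edit.php and groups-admin-groups-remove.php. Separately, the context line that builds the submit button concatenates `__( 'Add', GROUPS_PLUGIN_DOMAIN )` straight into a double-quoted attribute; WordPress's attribute-context variant, `value="' . esc_attr__( 'Add', GROUPS_PLUGIN_DOMAIN ) . '"/>'`, keeps a translation containing a quote from breaking out of the attribute. The body of groups_admin_capabilities_add() starts before and ends after this hunk.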
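--- a/lib/admin/groups-admin-capabilities-edit.php
+++ b/lib/admin/groups-admin-capabilities-edit.php
@@ -60,7 +60,7 @@ function groups_admin_capabilities_edit( $capability_id ) {
 
  Groups_Admin::render_messages() .
 
- '<form id="edit-capability" action="' . $current_url . '" method="post">' .
+ '<form id="edit-capability" action="' . esc_url( $current_url ) . '" method="post">' .
  '<div class="capability edit">' .
  '<input id="capability-id-field" name="capability-id-field" type="hidden" value="' . esc_attr( intval( $capability_id ) ) . '"/>' .
 
@@ -78,7 +78,7 @@ function groups_admin_capabilities_edit( $capability_id ) {
  wp_nonce_field( 'capabilities-edit', GROUPS_ADMIN_GROUPS_NONCE, true, false ) .
  '<input class="button button-primary" type="submit" value="' . __( 'Save', GROUPS_PLUGIN_DOMAIN ) . '"/>' .
  '<input type="hidden" value="edit" name="action"/>' .
- '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
+ '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
  '</div>' .
  '</div>' . // .capability.edit
  '</form>' .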
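--- a/lib/admin/groups-admin-capabilities-remove.php
+++ b/lib/admin/groups-admin-capabilities-remove.php
@@ -54,7 +54,7 @@ function groups_admin_capabilities_remove( $capability_id ) {
  __( 'Remove a capability', GROUPS_PLUGIN_DOMAIN ) .
  '</h2>' .
  '</div>' .
- '<form id="remove-capability" action="' . $current_url . '" method="post">' .
+ '<form id="remove-capability" action="' . esc_url( $current_url ) . '" method="post">' .
  '<div class="capability remove">' .
  '<input id="capability-id-field" name="capability-id-field" type="hidden" value="' . esc_attr( intval( $capability->capability_id ) ) . '"/>' .
  '<ul>' .
@@ -63,7 +63,7 @@ function groups_admin_capabilities_remove( $capability_id ) {
  wp_nonce_field( 'capabilities-remove', GROUPS_ADMIN_GROUPS_NONCE, true, false ) .
  '<input class="button button-primary" type="submit" value="' . __( 'Remove', GROUPS_PLUGIN_DOMAIN ) . '"/>' .
  '<input type="hidden" value="remove" name="action"/>' .
- '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
+ '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
  '</div>' .
  '</div>' . // .capability.remove
  '</form>' .
@@ -153,7 +153,7 @@ function groups_admin_capabilities_bulk_remove() {
  $output .= '</ul>';
  }
  $output .= '<input class="button button-primary" type="submit" name="bulk" value="' . __( "Remove", GROUPS_PLUGIN_DOMAIN ) . '"/>';
- $output .= '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
+ $output .= '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
 
  $output .= '<input type="hidden" name="action" value="groups-action"/>';
  $output .= '<input type="hidden" name="bulk-action" value="remove"/>';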
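--- a/lib/admin/groups-admin-groups-add.php
+++ b/lib/admin/groups-admin-groups-add.php
@@ -63,7 +63,7 @@ function groups_admin_groups_add() {
 
  $output .= Groups_Admin::render_messages();
 
- $output .= '<form id="add-group" action="' . $current_url . '" method="post">';
+ $output .= '<form id="add-group" action="' . esc_url( $current_url ) . '" method="post">';
  $output .= '<div class="group new">';
 
  $output .= '<div class="field">';
@@ -118,7 +118,7 @@ function groups_admin_groups_add() {
  $output .= wp_nonce_field( 'groups-add', GROUPS_ADMIN_GROUPS_NONCE, true, false );
  $output .= '<input class="button button-primary" type="submit" value="' . __( 'Add', GROUPS_PLUGIN_DOMAIN ) . '"/>';
  $output .= '<input type="hidden" value="add" name="action"/>';
- $output .= '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
+ $output .= '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
  $output .= '</div>';
  $output .= '</div>'; // .group.new
  $output .= '</form>';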
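--- a/lib/admin/groups-admin-groups-edit.php
+++ b/lib/admin/groups-admin-groups-edit.php
@@ -72,7 +72,7 @@ function groups_admin_groups_edit( $group_id ) {
 
  $output .= Groups_Admin::render_messages();
 
- $output .= '<form id="edit-group" action="' . $current_url . '" method="post">';
+ $output .= '<form id="edit-group" action="' . esc_url( $current_url ) . '" method="post">';
  $output .= '<div class="group edit">';
  $output .= '<input id="group-id-field" name="group-id-field" type="hidden" value="' . esc_attr( intval( $group_id ) ) . '"/>';
 
@@ -157,7 +157,7 @@ function groups_admin_groups_edit( $group_id ) {
  $output .= wp_nonce_field( 'groups-edit', GROUPS_ADMIN_GROUPS_NONCE, true, false );
  $output .= '<input class="button button-primary" type="submit" value="' . __( 'Save', GROUPS_PLUGIN_DOMAIN ) . '"/>';
  $output .= '<input type="hidden" value="edit" name="action"/>';
- $output .= '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
+ $output .= '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
  $output .= '</div>';
  $output .= '</div>'; // .group.edit
  $output .= '</form>';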
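--- a/lib/admin/groups-admin-groups-remove.php
+++ b/lib/admin/groups-admin-groups-remove.php
@@ -54,7 +54,7 @@ function groups_admin_groups_remove( $group_id ) {
  __( 'Remove a group', GROUPS_PLUGIN_DOMAIN ) .
  '</h2>' .
  '</div>' .
- '<form id="remove-group" action="' . $current_url . '" method="post">' .
+ '<form id="remove-group" action="' . esc_url( $current_url ) . '" method="post">' .
  '<div class="group remove">' .
  '<input id="group-id-field" name="group-id-field" type="hidden" value="' . esc_attr( intval( $group->group_id ) ) . '"/>' .
  '<ul>' .
@@ -63,7 +63,7 @@ function groups_admin_groups_remove( $group_id ) {
  wp_nonce_field( 'groups-remove', GROUPS_ADMIN_GROUPS_NONCE, true, false ) .
  '<input class="button button-primary" type="submit" value="' . __( 'Remove', GROUPS_PLUGIN_DOMAIN ) . '"/>' .
  '<input type="hidden" value="remove" name="action"/>' .
- '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
+ '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>' .
  '</div>' .
  '</div>' . // .group.remove
  '</form>' .
@@ -157,7 +157,7 @@ function groups_admin_groups_bulk_remove() {
  $output .= '</ul>';
  }
  $output .= '<input class="button button-primary" type="submit" name="bulk" value="' . __( "Remove", GROUPS_PLUGIN_DOMAIN ) . '"/>';
- $output .= '<a class="cancel button" href="' . $current_url . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
+ $output .= '<a class="cancel button" href="' . esc_url( $current_url ) . '">' . __( 'Cancel', GROUPS_PLUGIN_DOMAIN ) . '</a>';
 
  $output .= '<input type="hidden" name="action" value="groups-action"/>';
  $output .= '<input type="hidden" name="bulk-action" value="remove-group"/>';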
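--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://www.itthinx.com/plugins/groups
  Tags: access, access control, capability, capabilities, content, download, downloads, file, file access, files, group, groups, member, members, membership, memberships, paypal, permission, permissions, subscription, subscriptions, woocommerce
  Requires at least: 4.0
  Tested up to: 4.3.1
- Stable tag: 1.8.0
+ Stable tag: 1.8.1
  License: GPLv3
 
  Groups is an efficient and powerful solution, providing group-based user membership management, group-based capabilities and content access control.
@@ -181,6 +181,9 @@ See also [Groups](http://www.itthinx.com/plugins/groups/)
 
  == Changelog ==
 
+ = 1.8.1 =
+ * Fixed potential XSS vulnerabilities related to the unescaped use of the $_SERVER['REQUEST_URI'] in some forms.
+
  = 1.8.0 =
  * WordPress 4.3.1 compatibility tested.
  * Add-ons section added.
@@ -487,5 +490,5 @@ Some installations wouldn't work correctly, showing no capabilities and making i
 
  == Upgrade Notice ==
 
- = 1.8.0 =
- This release has been tested with WordPress 4.3.1 and includes a section for recommended add-ons.
+ = 1.8.1 =
+ Security Release : This release fixes potential XSS vulnerabilities.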