Modern Events Calendar Lite - Version 5.1.7

Version Description

29 February 2020 = - Fixed: Improve ajax access for causing XSS security issues


Release Info

Developer webnus
Version 5.1.7

Code changes from version 5.1.6 to 5.1.7

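--- a/app/addons/divi/includes/MECShortcodesForDivi.php
+++ b/app/addons/divi/includes/MECShortcodesForDivi.php
@@ -11,10 +11,10 @@ add_filter( 'et_builder_load_actions', 'MECDIVI_et_builder_load_actions' );
 
  if( ! function_exists( 'MECDIVI_load_mec_shortcode' )) {
  function MECDIVI_load_mec_shortcode() {
+ if(!current_user_can('manage_options')) return;
  $post_id = $_POST['shortcode_id'];
  echo do_shortcode( '[MEC id="'.$post_id.'"]' );
  wp_die();
  }
  }
- add_action( 'wp_ajax_nopriv_MECDIVI_load_mec_shortcode', 'MECDIVI_load_mec_shortcode' );
  add_action( 'wp_ajax_MECDIVI_load_mec_shortcode', 'MECDIVI_load_mec_shortcode' );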
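Review bot: `$post_id` still goes from `$_POST['shortcode_id']` straight into the shortcode string in MECDIVI_load_mec_shortcode(), so the value is never constrained to an ID before do_shortcode() parses it; the new capability check narrows who can reach the handler but not what they can send. Casting it, `$post_id = isset($_POST['shortcode_id']) ? absint($_POST['shortcode_id']) : 0;`, closes that and also avoids the undefined-index notice when the field is missing. The handler also has no nonce check, so a `check_ajax_referer()` call against a nonce emitted by the Divi module would be worth adding; the nonce action name is not on this page.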
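--- a/app/features/mec.php
+++ b/app/features/mec.php
@@ -126,27 +126,21 @@ class MEC_feature_mec extends MEC_base
 
  // Export Settings
  $this->factory->action('wp_ajax_download_settings', array($this, 'download_settings'));
- $this->factory->action('wp_ajax_nopriv_download_settings', array($this, 'download_settings'));
 
  // Import Settings
  $this->factory->action('wp_ajax_import_settings', array($this, 'import_settings'));
- $this->factory->action('wp_ajax_nopriv_import_settings', array($this, 'import_settings'));
 
  // License Activation
  $this->factory->action('wp_ajax_activate_license', array($this, 'activate_license'));
- $this->factory->action('wp_ajax_nopriv_activate_license', array($this, 'activate_license'));
 
  // Close Notification
  $this->factory->action('wp_ajax_close_notification', array($this, 'close_notification'));
- $this->factory->action('wp_ajax_nopriv_close_notification', array($this, 'close_notification'));
 
  // Close Custom Text Notification
  $this->factory->action('wp_ajax_close_cmsg_notification', array($this, 'close_cmsg_notification'));
- $this->factory->action('wp_ajax_nopriv_close_cmsg_notification', array($this, 'close_cmsg_notification'));
 
  // Close Custom Text Notification
  $this->factory->action('wp_ajax_report_event_dates', array($this, 'report_event_dates'));
- $this->factory->action('wp_ajax_nopriv_report_event_dates', array($this, 'report_event_dates'));
 
  // Scheduler Cronjob
  $schedule = $this->getSchedule();
@@ -159,6 +153,9 @@ class MEC_feature_mec extends MEC_base
  /* Activate License */
  public function activate_license()
  {
+ // Current User is not Permitted
+ if(!current_user_can('manage_options')) $this->main->response(array('success'=>0, 'code'=>'ADMIN_ONLY'));
+
  if(!wp_verify_nonce($_REQUEST['nonce'], 'mec_settings_nonce'))
  {
  exit();
@@ -194,6 +191,9 @@ class MEC_feature_mec extends MEC_base
  /* Download MEC settings */
  public function download_settings()
  {
+ // Current User is not Permitted
+ if(!current_user_can('manage_options')) $this->main->response(array('success'=>0, 'code'=>'ADMIN_ONLY'));
+
  if(!wp_verify_nonce( $_REQUEST['nonce'], 'mec_settings_download'))
  {
  exit();
@@ -215,6 +215,9 @@ class MEC_feature_mec extends MEC_base
  /* Close addons notification */
  public function close_notification()
  {
+ // Current User is not Permitted
+ if(!current_user_can('manage_options')) $this->main->response(array('success'=>0, 'code'=>'ADMIN_ONLY'));
+
  if(!wp_verify_nonce( $_REQUEST['nonce'], 'mec_settings_nonce'))
  {
  exit();
@@ -226,6 +229,9 @@ class MEC_feature_mec extends MEC_base
  /* Close addons notification */
  public function close_cmsg_notification()
  {
+ // Current User is not Permitted
+ if(!current_user_can('manage_options')) $this->main->response(array('success'=>0, 'code'=>'ADMIN_ONLY'));
+
  if(!wp_verify_nonce( $_REQUEST['nonce'], 'mec_settings_nonce'))
  {
  exit();
@@ -238,6 +244,9 @@ class MEC_feature_mec extends MEC_base
  /* Report Event Dates */
  public function report_event_dates()
  {
+ // Current User is not Permitted
+ if(!current_user_can('manage_options')) $this->main->response(array('success'=>0, 'code'=>'ADMIN_ONLY'));
+
  if(!wp_verify_nonce( $_REQUEST['nonce'], 'mec_settings_nonce'))
  {
  exit();
@@ -265,9 +274,12 @@ class MEC_feature_mec extends MEC_base
  wp_die();
  }
 
- /* Download MEC settings */
+ /* Import MEC settings */
  public function import_settings()
  {
+ // Current User is not Permitted
+ if(!current_user_can('manage_options')) $this->main->response(array('success'=>0, 'code'=>'ADMIN_ONLY'));
+
  if(!wp_verify_nonce( $_REQUEST['nonce'], 'mec_settings_nonce'))
  {
  exit();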
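Review bot: The guard added at the top of activate_license(), and repeated in download_settings(), close_notification(), close_cmsg_notification(), report_event_dates() and import_settings(), has no `return` or `exit` of its own, so it only blocks the request if `$this->main->response()` terminates execution; that method is not shown in this section, and if it ever returns, control falls through to the nonce check and the handler body. Making the stop explicit, `if(!current_user_can('manage_options')) { $this->main->response(array('success'=>0, 'code'=>'ADMIN_ONLY')); exit; }`, removes that dependency. Six identical copies also invite drift, so a single private helper called by each handler would be easier to audit. All six method bodies continue past the end of their hunks.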
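--- a/app/libraries/main.php
+++ b/app/libraries/main.php
@@ -901,7 +901,6 @@ class MEC_main extends MEC_base
  {
  $get_cmsg_display_option = get_option('mec_custom_msg_display_option');
 
-
  $data_url = 'https://webnus.net/modern-events-calendar/addons-api/mec-extra-content.json';
  if( function_exists('file_get_contents') && ini_get('allow_url_fopen') )
  {
@@ -1117,6 +1116,9 @@ class MEC_main extends MEC_base
 
  // Verify that the nonce is valid.
  if(!wp_verify_nonce($wpnonce, 'mec_options_form')) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID'));
+
+ // Current User is not Permitted
+ if(!current_user_can('manage_options')) $this->response(array('success'=>0, 'code'=>'ADMIN_ONLY'));
 
  // Get mec options
  $mec = $request->getVar('mec', array());
@@ -1180,6 +1182,9 @@ class MEC_main extends MEC_base
  */
  public function save_notifications()
  {
+ // Current User is not Permitted
+ if(!current_user_can('manage_options')) $this->response(array('success'=>0, 'code'=>'ADMIN_ONLY'));
+
  // MEC Request library
  $request = $this->getRequest();
 
@@ -1212,9 +1217,14 @@ class MEC_main extends MEC_base
  /**
  * Saves MEC Import/Export options
  * @author Webnus <info@webnus.biz>
+ * @param array $ix_options
+ * @return boolean
  */
  public function save_ix_options($ix_options = array())
  {
+ // Current User is not Permitted
+ if(!current_user_can('manage_options')) $this->response(array('success'=>0, 'code'=>'ADMIN_ONLY'));
+
  // Get current MEC ix options
  $current = $this->get_ix_options();
  if(is_string($current) and trim($current) == '') $current = array();
@@ -1379,7 +1389,6 @@ class MEC_main extends MEC_base
  /**
  * Returns MEC Container Width
  * @author Webnus <info@webnus.biz>
- * @return array
  */
  public function get_container_width()
  {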
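Review bot: save_ix_options() now answers an unauthorised caller with `$this->response(...)`, while the docblock added in the same hunk declares `@return boolean` and the method takes its data as a parameter, which suggests it is called from other code rather than hooked directly as an AJAX action. If any caller runs without a logged-in administrator (a scheduled import, for example; none is visible here), `current_user_can()` is false and the call would emit a JSON error and presumably end the request instead of returning. Returning the documented type, `if(!current_user_can('manage_options')) return false;`, and leaving the JSON reply to the AJAX entry points would keep the two concerns apart. The guards added in save_notifications() and after the nonce check at new line 1121 likewise depend on response() stopping execution, and all of these method bodies continue outside their hunks.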
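--- a/changelog.txt
+++ b/changelog.txt
@@ -1,4 +1,7 @@
- v 5.1.618 February 2020
+ v 5.1.729 February 2020
+ - Fixed: Improve ajax access for causing XSS security issues
+
+ v 5.1.6 – 18 February 2020
  - Added: Occurrence to related events module
  - Added: Order time column to the CSV Export (pro)
  - Added: Some strings to WPML compatibility (pro)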
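--- a/modern-events-calendar-lite.php
+++ b/modern-events-calendar-lite.php
@@ -4,7 +4,7 @@
  * Plugin URI: http://webnus.net/modern-events-calendar/
  * Description: An awesome plugin for events calendar
  * Author: Webnus Team
- * Version: 5.1.6
+ * Version: 5.1.7
  * Text Domain: modern-events-calendar-lite
  * Domain Path: /languages
  * Author URI: http://webnus.net
@@ -31,7 +31,7 @@ if(!defined('MECEXEC'))
  define('MEC_BASENAME', plugin_basename(__FILE__)); // modern-events-calendar/mec.php
 
  /** Plugin Version **/
- define('MEC_VERSION', '5.1.6');
+ define('MEC_VERSION', '5.1.7');
 
  /** Include Webnus MEC class if not included before **/
  if(!class_exists('MEC')) require_once MEC_ABSPATH.'mec-init.php';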
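--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://webnus.net
  Tags: Event, Events, Calendar, Booking, Schedule, Organizer, Venue
  Requires at least: 4.0.0
  Tested up to: 5.3.2
- Stable tag: 5.1.6
+ Stable tag: 5.1.7
  Requires PHP: 5.6
  License: GPLv2 or later
  License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -24,7 +24,7 @@ WordPress event calendar plugin is a trending FREE tool used for managing events
  We gathered all features of [event calendar](https://webnus.net/modern-events-calendar/) as you desire with advanced booking system ([Pro Version](https://webnus.net/mec-purchase/?ref=17/)) and many other useful options which are practical in real world!
  Using [Modern Events Calendar Lite](https://webnus.net/modern-events-calendar/), you can create different single or [recurring events](https://webnus.net/modern-events-calendar/) and show them in frontend of your website using many modern skins and styles.
 
- https://www.youtube.com/watch?v=erKILCKDxis
+ https://youtu.be/GjRVKIwD5jY
 
  Fortunately, though WordPress doesn’t enable these functions out of the box, there’s a plugin you can use. Modern Events Calendar is an easy way to manage events of all kinds on your WordPress site. As the name suggests, the core benefit of Modern Events Calendar is that it lets you create an events calendar that looks pretty great out of the box. That latter part is important because some popular event calendar plugins require a lot of custom styling to make them look good, which is tough if you don’t know your way around CSS.
 
@@ -358,6 +358,9 @@ You can see [plugin documentation here](https://webnus.net/dox/modern-events-cal
  35. WordPress Event Calendar - Shortcode edit page
 
  == Changelog ==
+ = 5.1.7 – 29 February 2020 =
+ - Fixed: Improve ajax access for causing XSS security issues
+
  = 5.1.6 – 18 February 2020 =
  - Added: Occurrence to related events module
  - Added: Order time column to the CSV Export (pro)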