Payment Form for PayPal Pro - Version 1.1.54

Version Description

  • Added new nonce verifications


Code changes from version 1.1.53 to 1.1.54

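--- a/README.txt
+++ b/README.txt
@@ -290,7 +290,10 @@ A: In all plugin versions you can turn off IP tracking to avoid saving that user
 = 1.1.53 =
 * Update for compatibility with WordPress 5.2
 
+= 1.1.54 =
+* Added new nonces verifications
+
 == Upgrade Notice ==
 
-= 1.1.53 =
-* Update for compatibility with WordPress 5.2
+= 1.1.54 =
+* Added new nonces verifications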
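--- a/cp_admin_int_edition.inc.php
+++ b/cp_admin_int_edition.inc.php
@@ -6,6 +6,8 @@ if ( !is_admin() )
 exit;
 }
 
+$nonce = wp_create_nonce( 'uname_pppro' );
+
 global $wpdb;
 
 $cpid = 'CP_PPPRO';
@@ -29,6 +31,7 @@ else if ($_GET["item"] == 'css')
 <br /><br />
 
 <form method="post" action="" name="cpformconf">
+<input name="rsave" type="hidden" value="<?php echo $nonce; ?>" />
 <input name="<?php echo $cpid; ?>_post_edition" type="hidden" value="1" />
 <input name="cfwpp_edit" type="hidden" value="<?php echo $_GET["item"]; ?>" />
 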
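Review bot: The nonce on new line 34 is echoed into an attribute without escaping; `wp_nonce_field( 'uname_pppro', 'rsave' )` emits the same hidden input with `esc_attr()` applied and is the idiomatic WordPress form, and the same applies to new line 43 of cp_ppp_admin_int.php in this commit. The neighbouring `cfwpp_edit` field on line 36 still writes `$_GET["item"]` into an attribute unescaped, which the commit leaves as is; `value="<?php echo esc_attr( $_GET["item"] ); ?>"` closes that. Both admin forms mint a token for the single action string `'uname_pppro'`, so a nonce issued on either page validates on both handlers; distinct strings such as `'uname_pppro_edition'` and `'uname_pppro_options'` would bind each token to its own handler. A one-line comment above line 9 naming the handler that verifies the token (`cp_ppp_save_edition()` in cp_ppp.php) would help the next reader keep the two sides in step.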
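--- a/cp_ppp.php
+++ b/cp_ppp.php
@@ -3,7 +3,7 @@
 Plugin Name: Payment Form for PayPal Pro
 Plugin URI: https://wordpress.dwbooster.com/forms/paypal-payment-pro-form
 Description: Payment Form for PayPal Pro to accept credit cards directly into your website. Official PayPal Partner.
-Version: 1.1.53
+Version: 1.1.54
 Author: CodePeople
 Author URI: https://wordpress.dwbooster.com/forms/payment-form-for-paypal-pro
 License: GPL
@@ -812,25 +812,19 @@ function cp_ppp_check_posted_data() {
 exit;
 }
 
-if (isset( $_GET['cp_ppp_csv'] ) && is_admin() )
+if (isset( $_GET['cp_ppp_csv'] ) && current_user_can('edit_pages') && is_admin() )
 {
 cp_ppp_export_csv();
 return;
-}
-
-if (isset( $_GET['script_load_method'] ) )
-{
-cp_ppp_update_script_method();
-return;
-}
+}
 
-if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset( $_POST['cp_ppp_post_options'] ) && is_admin() )
+if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset( $_POST['cp_ppp_post_options'] ) && current_user_can('edit_pages') && is_admin() )
 {
 cp_ppp_save_options();
 return;
 }
 
-if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset( $_POST['CP_PPPRO_post_edition'] ) && is_admin() )
+if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset( $_POST['CP_PPPRO_post_edition'] ) && current_user_can('edit_pages') && is_admin() )
 {
 cp_ppp_save_edition();
 return;
@@ -1375,17 +1369,10 @@ function cp_ppp_export_csv ()
 exit;
 }
 
-function cp_ppp_update_script_method()
-{
-global $wpdb;
-update_option( 'CP_CFPP_LOAD_SCRIPTS', ($_GET['script_load_method']=="1"?false:true) );
-echo '<br />Script Loading Method Updated.';
-exit;
-}
-
-
 function cp_ppp_save_edition()
 {
+if (!wp_verify_nonce( $_REQUEST['rsave'], 'uname_pppro' ))
+return;
 foreach ($_POST as $item => $value)
 if (!is_array($value))
 $_POST[$item] = stripcslashes($value);
@@ -1401,6 +1388,10 @@ function cp_ppp_save_edition()
 function cp_ppp_save_options()
 {
 global $wpdb;
+
+if (!wp_verify_nonce( $_REQUEST['rsave'], 'uname_pppro' ))
+return;
+
 if (!defined('CP_PPP_ID'))
 define ('CP_PPP_ID',intval($_POST["cp_ppp_id"]));
 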
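Review bot: The new guards at new lines 1374 and 1392 read `$_REQUEST['rsave']` before anything checks that the field exists, so a POST without it raises an undefined-index notice and passes `null` to `wp_verify_nonce()`; guard it first, `if ( empty( $_REQUEST['rsave'] ) || ! wp_verify_nonce( $_REQUEST['rsave'], 'uname_pppro' ) )`, or replace both checks with `check_admin_referer( 'uname_pppro', 'rsave' )`, which also stops the request instead of returning silently so the caller carries on as if nothing was submitted. The capability added at new lines 815–827 is `edit_pages`, which Editors hold, while cp_ppp_admin_int_list.inc.php in this same commit gates its admin actions on `manage_options`; unless Editors are meant to change the plugin's PayPal settings, `manage_options` is the consistent choice. The CSV export branch at line 815 gains the capability check but no nonce, so it stays reachable from a plain GET link; a short comment stating that the export is read-only would record whether that is intended. cp_ppp_check_posted_data() begins before the hunk.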
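--- a/cp_ppp_admin_int.php
+++ b/cp_ppp_admin_int.php
@@ -6,6 +6,8 @@ if ( !is_admin() )
 exit;
 }
 
+$nonce = wp_create_nonce( 'uname_pppro' );
+
 global $wpdb;
 
 if (!defined('CP_PPP_ID'))
@@ -38,6 +40,7 @@ $scriptmethod = cp_ppp_get_option('script_load_method','0');
 <br /><br />
 
 <form method="post" action="" name="cpformconf">
+<input name="rsave" type="hidden" value="<?php echo $nonce; ?>" />
 <input name="cp_ppp_post_options" type="hidden" value="1" />
 <input name="cp_ppp_id" type="hidden" value="<?php echo CP_PPP_ID; ?>" />
 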
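--- a/cp_ppp_admin_int_list.inc.php
+++ b/cp_ppp_admin_int_list.inc.php
@@ -9,9 +9,11 @@ if ( !is_admin() )
 global $wpdb;
 $message = "";
 
+$nonce = wp_create_nonce( 'uname_ppprolist' );
+
 $current_user_access = current_user_can('manage_options');
 
-if (isset($_GET['a']) && $_GET['a'] == '1' && $current_user_access)
+if (isset($_GET['a']) && $_GET['a'] == '1' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 define('CP_PPP_DEFAULT_fp_from_email', get_the_author_meta('user_email', get_current_user_id()) );
 define('CP_PPP_DEFAULT_fp_destination_emails', CP_PPP_DEFAULT_fp_from_email);
@@ -71,7 +73,7 @@ if (isset($_GET['a']) && $_GET['a'] == '1' && $current_user_access)
 
 $message = "Item added";
 }
-else if (isset($_GET['u']) && $_GET['u'] != '' && $current_user_access)
+else if (isset($_GET['u']) && $_GET['u'] != '' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 $wpdb->query( $wpdb->prepare (
 'UPDATE `'.$wpdb->prefix.CP_PPP_FORMS_TABLE.'` SET form_name=%s WHERE id=%d',
@@ -80,12 +82,12 @@ else if (isset($_GET['u']) && $_GET['u'] != '' && $current_user_access)
 );
 $message = "Item updated";
 }
-else if (isset($_GET['d']) && $_GET['d'] != '' && $current_user_access)
+else if (isset($_GET['d']) && $_GET['d'] != '' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 $wpdb->query( $wpdb->prepare ( 'DELETE FROM `'.$wpdb->prefix.CP_PPP_FORMS_TABLE.'` WHERE id=%d', $_GET['d']) );
 $message = "Item deleted";
 }
-else if (isset($_GET['c']) && $_GET['c'] != '' && $current_user_access)
+else if (isset($_GET['c']) && $_GET['c'] != '' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 $myrows = $wpdb->get_row( $wpdb->prepare ("SELECT * FROM ".$wpdb->prefix.CP_PPP_FORMS_TABLE." WHERE id=%d", $_GET['c']), ARRAY_A);
 unset($myrows["id"]);
@@ -93,7 +95,7 @@ else if (isset($_GET['c']) && $_GET['c'] != '' && $current_user_access)
 $wpdb->insert( $wpdb->prefix.CP_PPP_FORMS_TABLE, $myrows);
 $message = "Item duplicated/cloned";
 }
-else if (isset($_GET['ac']) && $_GET['ac'] == 'st' && $current_user_access)
+else if (isset($_GET['ac']) && $_GET['ac'] == 'st' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 update_option( 'CP_CFPP_LOAD_SCRIPTS', ($_GET["scr"]=="1"?"0":"1") );
 update_option( 'CP_CFPP_LOAD_SCRIPTS_ADMIN', ($_GET["scradmin"]=="1"?"0":"1") );
@@ -129,35 +131,35 @@ if ($message) echo "<div id='setting-error-settings_updated' class='updated sett
 function cp_addItem()
 {
 var calname = document.getElementById("cp_itemname").value;
-document.location = 'options-general.php?page=cp_ppp&a=1&r='+Math.random()+'&name='+encodeURIComponent(calname);
+document.location = 'options-general.php?page=cp_ppp&a=1&_wpnonce=<?php echo $nonce; ?>&name='+encodeURIComponent(calname);
 }
 
 function cp_updateItem(id)
 {
 var calname = document.getElementById("calname_"+id).value;
-document.location = 'options-general.php?page=cp_ppp&u='+id+'&r='+Math.random()+'&name='+encodeURIComponent(calname);
+document.location = 'options-general.php?page=cp_ppp&u='+id+'&_wpnonce=<?php echo $nonce; ?>&name='+encodeURIComponent(calname);
 }
 
 function cp_cloneItem(id)
 {
-document.location = 'options-general.php?page=cp_ppp&c='+id+'&r='+Math.random();
+document.location = 'options-general.php?page=cp_ppp&c='+id+'&_wpnonce=<?php echo $nonce; ?>';
 }
 
 function cp_manageSettings(id)
 {
-document.location = 'options-general.php?page=cp_ppp&cal='+id+'&r='+Math.random();
+document.location = 'options-general.php?page=cp_ppp&cal='+id+'&_wpnonce=<?php echo $nonce; ?>';
 }
 
 function cp_viewMessages(id)
 {
-document.location = 'admin.php?page=cp_ppp&cal='+id+'&list=1&r='+Math.random();
+document.location = 'admin.php?page=cp_ppp&cal='+id+'&list=1&_wpnonce=<?php echo $nonce; ?>';
 }
 
 function cp_deleteItem(id)
 {
 if (confirm('Are you sure that you want to delete this item?'))
 {
-document.location = 'options-general.php?page=cp_ppp&d='+id+'&r='+Math.random();
+document.location = 'options-general.php?page=cp_ppp&d='+id+'&_wpnonce=<?php echo $nonce; ?>';
 }
 }
 
@@ -168,7 +170,7 @@ if ($message) echo "<div id='setting-error-settings_updated' class='updated sett
 var scr = document.getElementById("ccscriptload").value;
 var scradmin = document.getElementById("ccscriptloadadmin").value;
 var chs = document.getElementById("cccharsets").value;
-document.location = 'options-general.php?page=cp_ppp&ac=st&scr='+scr+'&scradmin='+scradmin+'&chs='+chs+'&r='+Math.random();
+document.location = 'options-general.php?page=cp_ppp&ac=st&scr='+scr+'&scradmin='+scradmin+'&chs='+chs+'&_wpnonce=<?php echo $nonce; ?>';
 }
 }
 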
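Review bot: Each new condition at new lines 16, 76, 85, 90 and 98 reads `$_REQUEST['_wpnonce']` without checking it is set, so a request carrying `a=1` (or `u`, `d`, `c`, `ac`) but no nonce emits an undefined-index notice before verification fails; write `isset( $_REQUEST['_wpnonce'] ) && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' )` in each, or call `check_admin_referer( 'uname_ppprolist' )` once at the top of the branch chain, which reads `_wpnonce` itself and stops the request on failure. One action string covers add, update, delete, clone and the settings change, so a token from any of these links authorises all of them; per-action strings (for example `'uname_ppprolist_delete'`) would narrow what each link can do. The delete, clone and settings changes at new lines 145–173 still run as GET navigations, which the nonce does not alter, and the `&r=Math.random()` that those URLs carried — presumably a cache-buster — was dropped, so the now-stable URLs depend on the admin page sending no-cache headers; worth confirming. The nonce is interpolated raw into JavaScript string literals on those same lines; `<?php echo esc_js( $nonce ); ?>` is the conventional form even though the value is expected to be alphanumeric.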