Payment Form for PayPal Pro - Version 1.1.54

Version Description

  • Added new nonces verifications



Release Info

Developer codepeople
Version 1.1.54

Code changes from version 1.1.53 to 1.1.54

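--- a/README.txt
+++ b/README.txt
@@ -290,7 +290,10 @@ A: In all plugin versions you can turn off IP tracking to avoid saving that user
 = 1.1.53 =
 * Update for compatibility with WordPress 5.2
 
+= 1.1.54 =
+* Added new nonces verifications
+
 == Upgrade Notice ==
 
-= 1.1.53 =
-* Update for compatibility with WordPress 5.2
+= 1.1.54 =
+* Added new nonces verifications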
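--- a/cp_admin_int_edition.inc.php
+++ b/cp_admin_int_edition.inc.php
@@ -6,6 +6,8 @@ if ( !is_admin() )
 exit;
 }
 
+$nonce = wp_create_nonce( 'uname_pppro' );
+
 global $wpdb;
 
 $cpid = 'CP_PPPRO';
@@ -29,6 +31,7 @@ else if ($_GET["item"] == 'css')
 <br /><br />
 
 <form method="post" action="" name="cpformconf">
+<input name="rsave" type="hidden" value="<?php echo $nonce; ?>" />
 <input name="<?php echo $cpid; ?>_post_edition" type="hidden" value="1" />
 <input name="cfwpp_edit" type="hidden" value="<?php echo $_GET["item"]; ?>" />
 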
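Review bot: The new hidden `rsave` input writes `$nonce` into an attribute value with a bare `echo`, and the hand-built field sits two lines above a `cfwpp_edit` input that still echoes `$_GET["item"]` unescaped into the same form, which this commit leaves untouched. A WordPress nonce is hex and safe in practice, but the neighbouring value comes straight from the query string and should be escaped: `<input name="cfwpp_edit" type="hidden" value="<?php echo esc_attr( $_GET["item"] ); ?>" />`. Replacing the manual input with `wp_nonce_field( 'uname_pppro', 'rsave' );` would emit the nonce and referer fields with escaping handled by core. The form markup continues past the end of the hunk.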
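--- a/cp_ppp.php
+++ b/cp_ppp.php
@@ -3,7 +3,7 @@
 Plugin Name: Payment Form for PayPal Pro
 Plugin URI: https://wordpress.dwbooster.com/forms/paypal-payment-pro-form
 Description: Payment Form for PayPal Pro to accept credit cards directly into your website. Official PayPal Partner.
-Version: 1.1.53
+Version: 1.1.54
 Author: CodePeople
 Author URI: https://wordpress.dwbooster.com/forms/payment-form-for-paypal-pro
 License: GPL
@@ -812,25 +812,19 @@ function cp_ppp_check_posted_data() {
 exit;
 }
 
-if (isset( $_GET['cp_ppp_csv'] ) && is_admin() )
+if (isset( $_GET['cp_ppp_csv'] ) && current_user_can('edit_pages') && is_admin() )
 {
 cp_ppp_export_csv();
 return;
-}
-
-if (isset( $_GET['script_load_method'] ) )
-{
-cp_ppp_update_script_method();
-return;
-}
+}
 
-if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset( $_POST['cp_ppp_post_options'] ) && is_admin() )
+if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset( $_POST['cp_ppp_post_options'] ) && current_user_can('edit_pages') && is_admin() )
 {
 cp_ppp_save_options();
 return;
 }
 
-if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset( $_POST['CP_PPPRO_post_edition'] ) && is_admin() )
+if ( 'POST' == $_SERVER['REQUEST_METHOD'] && isset( $_POST['CP_PPPRO_post_edition'] ) && current_user_can('edit_pages') && is_admin() )
 {
 cp_ppp_save_edition();
 return;
@@ -1375,17 +1369,10 @@ function cp_ppp_export_csv ()
 exit;
 }
 
-function cp_ppp_update_script_method()
-{
-global $wpdb;
-update_option( 'CP_CFPP_LOAD_SCRIPTS', ($_GET['script_load_method']=="1"?false:true) );
-echo '<br />Script Loading Method Updated.';
-exit;
-}
-
-
 function cp_ppp_save_edition()
 {
+if (!wp_verify_nonce( $_REQUEST['rsave'], 'uname_pppro' ))
+return;
 foreach ($_POST as $item => $value)
 if (!is_array($value))
 $_POST[$item] = stripcslashes($value);
@@ -1401,6 +1388,10 @@ function cp_ppp_save_options()
 function cp_ppp_save_options()
 {
 global $wpdb;
+
+if (!wp_verify_nonce( $_REQUEST['rsave'], 'uname_pppro' ))
+return;
+
 if (!defined('CP_PPP_ID'))
 define ('CP_PPP_ID',intval($_POST["cp_ppp_id"]));
 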
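Review bot: The nonce checks added at the top of `cp_ppp_save_edition` and `cp_ppp_save_options` read `$_REQUEST['rsave']` without an `isset`, so a POST that omits the field raises an undefined-index notice before `wp_verify_nonce` returns false; guard it with `if ( ! isset( $_REQUEST['rsave'] ) || ! wp_verify_nonce( $_REQUEST['rsave'], 'uname_pppro' ) ) return;`, or replace both lines with `check_admin_referer( 'uname_pppro', 'rsave' );`, which also fails loudly instead of silently discarding the save. The dispatcher in `cp_ppp_check_posted_data` now gates these handlers on `current_user_can('edit_pages')`, while `cp_ppp_admin_int_list.inc.php` in the same release keeps `manage_options`; since these handlers write the plugin's payment settings, the stricter capability looks like the intended one and the two files should agree. The `cp_ppp_csv` branch gained a capability check but no nonce, which is probably acceptable for a GET download but worth a deliberate decision. Both functions and the dispatcher continue outside the hunks.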
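--- a/cp_ppp_admin_int.php
+++ b/cp_ppp_admin_int.php
@@ -6,6 +6,8 @@ if ( !is_admin() )
 exit;
 }
 
+$nonce = wp_create_nonce( 'uname_pppro' );
+
 global $wpdb;
 
 if (!defined('CP_PPP_ID'))
@@ -38,6 +40,7 @@ $scriptmethod = cp_ppp_get_option('script_load_method','0');
 <br /><br />
 
 <form method="post" action="" name="cpformconf">
+<input name="rsave" type="hidden" value="<?php echo $nonce; ?>" />
 <input name="cp_ppp_post_options" type="hidden" value="1" />
 <input name="cp_ppp_id" type="hidden" value="<?php echo CP_PPP_ID; ?>" />
 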
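Review bot: The options form creates its nonce under the same action `'uname_pppro'` that the edition form in `cp_admin_int_edition.inc.php` uses, so a token issued for one form is accepted by the other handler; a per-form action such as `wp_create_nonce( 'uname_pppro_options' )` (with the matching verify call) would keep the two save paths from honouring each other's tokens, although both are gated by the same capability so the practical exposure is limited. The hand-built hidden input could also be replaced with `wp_nonce_field( 'uname_pppro', 'rsave' );`, which escapes the value and adds the referer field. The form markup continues past the end of the hunk.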
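--- a/cp_ppp_admin_int_list.inc.php
+++ b/cp_ppp_admin_int_list.inc.php
@@ -9,9 +9,11 @@ if ( !is_admin() )
 global $wpdb;
 $message = "";
 
+$nonce = wp_create_nonce( 'uname_ppprolist' );
+
 $current_user_access = current_user_can('manage_options');
 
-if (isset($_GET['a']) && $_GET['a'] == '1' && $current_user_access)
+if (isset($_GET['a']) && $_GET['a'] == '1' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 define('CP_PPP_DEFAULT_fp_from_email', get_the_author_meta('user_email', get_current_user_id()) );
 define('CP_PPP_DEFAULT_fp_destination_emails', CP_PPP_DEFAULT_fp_from_email);
@@ -71,7 +73,7 @@ if (isset($_GET['a']) && $_GET['a'] == '1' && $current_user_access)
 
 $message = "Item added";
 }
-else if (isset($_GET['u']) && $_GET['u'] != '' && $current_user_access)
+else if (isset($_GET['u']) && $_GET['u'] != '' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 $wpdb->query( $wpdb->prepare (
 'UPDATE `'.$wpdb->prefix.CP_PPP_FORMS_TABLE.'` SET form_name=%s WHERE id=%d',
@@ -80,12 +82,12 @@ else if (isset($_GET['u']) && $_GET['u'] != '' && $current_user_access)
 );
 $message = "Item updated";
 }
-else if (isset($_GET['d']) && $_GET['d'] != '' && $current_user_access)
+else if (isset($_GET['d']) && $_GET['d'] != '' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 $wpdb->query( $wpdb->prepare ( 'DELETE FROM `'.$wpdb->prefix.CP_PPP_FORMS_TABLE.'` WHERE id=%d', $_GET['d']) );
 $message = "Item deleted";
 }
-else if (isset($_GET['c']) && $_GET['c'] != '' && $current_user_access)
+else if (isset($_GET['c']) && $_GET['c'] != '' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 $myrows = $wpdb->get_row( $wpdb->prepare ("SELECT * FROM ".$wpdb->prefix.CP_PPP_FORMS_TABLE." WHERE id=%d", $_GET['c']), ARRAY_A);
 unset($myrows["id"]);
@@ -93,7 +95,7 @@ else if (isset($_GET['c']) && $_GET['c'] != '' && $current_user_access)
 $wpdb->insert( $wpdb->prefix.CP_PPP_FORMS_TABLE, $myrows);
 $message = "Item duplicated/cloned";
 }
-else if (isset($_GET['ac']) && $_GET['ac'] == 'st' && $current_user_access)
+else if (isset($_GET['ac']) && $_GET['ac'] == 'st' && $current_user_access && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' ))
 {
 update_option( 'CP_CFPP_LOAD_SCRIPTS', ($_GET["scr"]=="1"?"0":"1") );
 update_option( 'CP_CFPP_LOAD_SCRIPTS_ADMIN', ($_GET["scradmin"]=="1"?"0":"1") );
@@ -129,35 +131,35 @@ if ($message) echo "<div id='setting-error-settings_updated' class='updated sett
 function cp_addItem()
 {
 var calname = document.getElementById("cp_itemname").value;
-document.location = 'options-general.php?page=cp_ppp&a=1&r='+Math.random()+'&name='+encodeURIComponent(calname);
+document.location = 'options-general.php?page=cp_ppp&a=1&_wpnonce=<?php echo $nonce; ?>&name='+encodeURIComponent(calname);
 }
 
 function cp_updateItem(id)
 {
 var calname = document.getElementById("calname_"+id).value;
-document.location = 'options-general.php?page=cp_ppp&u='+id+'&r='+Math.random()+'&name='+encodeURIComponent(calname);
+document.location = 'options-general.php?page=cp_ppp&u='+id+'&_wpnonce=<?php echo $nonce; ?>&name='+encodeURIComponent(calname);
 }
 
 function cp_cloneItem(id)
 {
-document.location = 'options-general.php?page=cp_ppp&c='+id+'&r='+Math.random();
+document.location = 'options-general.php?page=cp_ppp&c='+id+'&_wpnonce=<?php echo $nonce; ?>';
 }
 
 function cp_manageSettings(id)
 {
-document.location = 'options-general.php?page=cp_ppp&cal='+id+'&r='+Math.random();
+document.location = 'options-general.php?page=cp_ppp&cal='+id+'&_wpnonce=<?php echo $nonce; ?>';
 }
 
 function cp_viewMessages(id)
 {
-document.location = 'admin.php?page=cp_ppp&cal='+id+'&list=1&r='+Math.random();
+document.location = 'admin.php?page=cp_ppp&cal='+id+'&list=1&_wpnonce=<?php echo $nonce; ?>';
 }
 
 function cp_deleteItem(id)
 {
 if (confirm('Are you sure that you want to delete this item?'))
 {
-document.location = 'options-general.php?page=cp_ppp&d='+id+'&r='+Math.random();
+document.location = 'options-general.php?page=cp_ppp&d='+id+'&_wpnonce=<?php echo $nonce; ?>';
 }
 }
 
@@ -168,7 +170,7 @@ if ($message) echo "<div id='setting-error-settings_updated' class='updated sett
 var scr = document.getElementById("ccscriptload").value;
 var scradmin = document.getElementById("ccscriptloadadmin").value;
 var chs = document.getElementById("cccharsets").value;
-document.location = 'options-general.php?page=cp_ppp&ac=st&scr='+scr+'&scradmin='+scradmin+'&chs='+chs+'&r='+Math.random();
+document.location = 'options-general.php?page=cp_ppp&ac=st&scr='+scr+'&scradmin='+scradmin+'&chs='+chs+'&_wpnonce=<?php echo $nonce; ?>';
 }
 }
 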
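Review bot: Every branch of the action chain calls `wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' )` directly, so a request such as `?page=cp_ppp&d=3` that lacks the parameter raises an undefined-index notice before the check fails; write it as `isset( $_REQUEST['_wpnonce'] ) && wp_verify_nonce( $_REQUEST['_wpnonce'], 'uname_ppprolist' )`, or run `check_admin_referer( 'uname_ppprolist' );` once at the top of the block, which dies with a message on a bad or missing token. The nonce is interpolated into inline JavaScript string literals with a bare echo; `esc_js( $nonce )` or building the links with `wp_nonce_url()` is the idiomatic form. Delete, update and clone remain GET requests that change state, which the nonce makes CSRF-resistant but a POST form would make robust against prefetching and link-sharing. `cp_manageSettings` and `cp_viewMessages` now carry `_wpnonce` too, although no handler in these hunks consumes it for `cal=`, so that code presumably lives outside this view. The if/else chain and the script block both continue outside the hunks.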