Quick Featured Images - Version 12.3.6

Version Description

Fixed missing sanitazions of ID in "Columns" class to close possible cross-site-scripting security hole

Release Info

Developer	Hinjiriyo
Plugin	Quick Featured Images
Version	12.3.6
Comparing to
See all releases

Code changes from version 12.3.5 to 12.3.6

Files changed (4) hide show

README.txt +13 -10
admin/class-quick-featured-images-admin.php +1 -1
admin/class-quick-featured-images-columns.php +18 -11
quick-featured-images.php +1 -1

README.txt CHANGED Viewed

	@@ -4,7 +4,7 @@ Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_i
4	Tags: audios, author, categories, custom post types, custom taxonomies, date, featured images, filter, image size, nextgen, remove, taxonomies, thumbnails, videos, posts, pages
5	Requires at least: 3.8
6	Tested up to: 4.8
7	- Stable tag: 12.3.5
8	License: GPLv2 or later
9	License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
	@@ -25,17 +25,14 @@ The plugin 'Quick Featured Images' helps you bulk managing featured images, sett
25	You get the free version here. If you want to include audios, videos and custom post types and get more options then take a look the premium version [Quick Featured Images Pro](https://www.quickfeaturedimages.com/).
26
27	= What users said =
28	- * "~~OMG~~ ~~Just~~ ~~Awesome~~!" by ~~vincentfijian~~ on ~~April~~ 6, ~~2016~~
29	- * "…an ~~excellent~~ plugin…" in [~~How~~ To ~~Fix~~ ~~Featured~~ ~~Image~~ ~~Issues~~ in ~~WordPress~~](~~http~~://~~worldcricketevents~~.com/~~how~~-to-~~fix~~-~~featured~~-~~image~~-~~issues~~-in-~~wordpress/~~) on ~~March~~ 18, ~~2016~~




30	* Mentioned under "Essential Plugins" on slide #24 in [The Plugins That Will Make Your Business Sink or Swim](http://www.slideshare.net/HeatherWilde/wordpress-plugins-52971643) by Heather Wilde on September 15, 2015
31	- * Number 2 in [14 Best Featured Image Plugins and Tutorials for WordPress](http://www.wpbeginner.com/plugins/14-best-featured-images-plugin-and-tools-for-wordpress/) on August 7, 2015
32	* Number 1 in [Best WordPress Plugins For Featured Image](http://www.phuntu.com/wordpress/best-wordpress-plugins-for-featured-image/) on June 20, 2015
33	- * Number 3 in [8 Must have Image Plugins for WordPress](http://www.bestwordpresshosting.org/8-must-image-plugins-wordpress/) by Sadia Komal on unknown date
34	- * "The Best Plugin I ever saw - I would like to rate it 10/5" by MovieMagia on November 25, 2014
35	- * Number 2 in [Top 5 WordPress plugins van de maand september](http://webtalis.nl/top-5-wordpress-plugins-van-de-maand-september/) by Webtalis on September 5, 2014
36	- * "Literally 5 minutes changed over 300 posts! Brilliant!!!!" by Bob on September 4, 2014
37	- * "It's a life saver ... and is ridiculously fast!" by Orlof on August 26, 2014
38	- * "Finally! It's about time somebody got it right!" by yallways on August 3, 2014
39
40	See more comments under [Reviews](http://wordpress.org/support/view/plugin-reviews/quick-featured-images).
41
	@@ -278,6 +275,9 @@ If you want to contribute a translation of the plugin in your language it would
278
279	== Changelog ==
280



281	= 12.3.5 =
282	* Fixed outdated (pre WP 4.8) texts for WP 4.8
283	* Tested successfully with WordPress 4.8
	@@ -426,6 +426,9 @@ Added spanish translation for the main texts of the plugin
426
427	== Upgrade Notice ==
428



429	= 12.3.5 =
430	Fixed outdated (pre WP 4.8) texts for WP 4.8, tested with WP 4.8
431


4	Tags: audios, author, categories, custom post types, custom taxonomies, date, featured images, filter, image size, nextgen, remove, taxonomies, thumbnails, videos, posts, pages
5	Requires at least: 3.8
6	Tested up to: 4.8
7	+ Stable tag: 12.3.6
8	License: GPLv2 or later
9	License URI: http://www.gnu.org/licenses/gpl-2.0.html
10

25	You get the free version here. If you want to include audios, videos and custom post types and get more options then take a look the premium version [Quick Featured Images Pro](https://www.quickfeaturedimages.com/).
26
27	= What users said =
28	+ * "Excellent plugin! Extremely useful!" in [Reviews at wordpress.org](https://wordpress.org/support/topic/excellent-plugin-extremely-useful-2/) by marcfuller on June 8, 2017
29	+ * Number 7 in [8 Plugins to Help Supercharge Your WordPress Media Library](https://www.elegantthemes.com/blog/tips-tricks/8-plugins-to-help-supercharge-your-wordpress-media-library) by John Hughes on April 6, 2017
30	+ * …can be a great asset for a variety of situations… in [How to Use WordPress to Bulk Edit Featured Images](https://www.greengeeks.com/tutorials/article/how-to-use-wordpress-to-bulk-edit-featured-images/) by Josh Dargie on March 6, 2017
31	+ * Mentioned in a comment of [What are must-have WordPress plugins for developer?](https://www.quora.com/What-are-must-have-WordPress-plugins-for-developer/answer/Joel-Rivera-2) by Joel Rivera on February 7, 2017
32	+ * "The plugin is fast, and it works great on big WordPress websites." in [How to make WP display featured image on excerpts?](http://hostileblog.com/wp-display-featured-image/) by Pramod on July 16, 2016
33	+ * "The plugin offers great features for handling the post thumbnails including bulk editing, overview, replace and much more." in [6+ Best Plugins To Fix Featured Image Issues in WordPress](https://85ideas.com/plugins/best-plugins-fix-featured-image-issues-wordpress/) by Editorial Staff on December 3, 2015
34	* Mentioned under "Essential Plugins" on slide #24 in [The Plugins That Will Make Your Business Sink or Swim](http://www.slideshare.net/HeatherWilde/wordpress-plugins-52971643) by Heather Wilde on September 15, 2015

35	* Number 1 in [Best WordPress Plugins For Featured Image](http://www.phuntu.com/wordpress/best-wordpress-plugins-for-featured-image/) on June 20, 2015






36
37	See more comments under [Reviews](http://wordpress.org/support/view/plugin-reviews/quick-featured-images).
38

275
276	== Changelog ==
277
278	+ = 12.3.6 =
279	+ * Fixed missing sanitazions of ID in "Columns" class to close possible cross-site-scripting security hole
280	+
281	= 12.3.5 =
282	* Fixed outdated (pre WP 4.8) texts for WP 4.8
283	* Tested successfully with WordPress 4.8

426
427	== Upgrade Notice ==
428
429	+ = 12.3.6 =
430	+ Fixed missing sanitazions of ID in Columns class to close possible cross-site-scripting security hole
431	+
432	= 12.3.5 =
433	Fixed outdated (pre WP 4.8) texts for WP 4.8, tested with WP 4.8
434

admin/class-quick-featured-images-admin.php CHANGED Viewed

	@@ -19,7 +19,7 @@
19	*
20	* @var string
21	*/
22	- protected $plugin_version = '12.3.5';
23
24	/**
25	* Instance of this class.


19	*
20	* @var string
21	*/
22	+ protected $plugin_version = '12.3.6';
23
24	/**
25	* Instance of this class.

admin/class-quick-featured-images-columns.php CHANGED Viewed

	@@ -402,7 +402,11 @@ class Quick_Featured_Images_Columns {
402	die( __( $text ) );
403	}
404	if ( isset( $_POST[ 'post_id' ] ) and isset( $_POST[ 'thumbnail_id' ] ) ) {
405	- ~~$success~~ = ~~set_post_thumbnail( $_POST[ 'post_id' ][ 0 ], $_POST[ 'thumbnail_id' ] );~~




406	if ( $success ) {
407
408	// Localize the texts
	@@ -423,22 +427,22 @@ class Quick_Featured_Images_Columns {
423	* build the HTML response
424	*/
425
426	- $thumb_title = _draft_or_post_title( $~~_POST[ '~~thumbnail_id' ] );
427
428	// 'change thumbnail' link
429	$html = sprintf(
430	'<a href="%s" id="qfi_set_%d" class="qfi_set_fi" title="%s">%s<br />%s</a>',
431	- esc_url( get_upload_iframe_src( 'image', $~~_POST[ '~~post_id' ~~][ 0 ]~~ ) ),
432	- $~~_POST[ '~~post_id~~' ][ 0 ]~~,
433	esc_attr( sprintf( $translations[ 'title_change' ], $thumb_title ) ),
434	- get_the_post_thumbnail( $~~_POST[ '~~post_id~~' ][ 0 ]~~, array( 80, 80 ) ),
435	$translations[ 'text_change' ]
436	);
437
438	// 'edit image' link
439	$html .= sprintf(
440	'<br /><a href="%s" title="%s">%s</a>',
441	- get_edit_post_link( $~~_POST[ '~~thumbnail_id' ] ),
442	esc_attr( sprintf( $translations[ 'title_edit' ], $thumb_title ) ),
443	$translations[ 'text_edit' ]
444	);
	@@ -446,7 +450,7 @@ class Quick_Featured_Images_Columns {
446	// 'remove thumbnail' link
447	$html .= sprintf(
448	'<br /><a href="#" id="qfi_delete_%d" class="qfi_delete_fi hide-if-no-js" title="%s">%s</a>',
449	- $~~_POST[ '~~post_id~~' ][ 0 ]~~,
450	esc_attr( sprintf( $translations[ 'title_remove' ], $thumb_title ) ),
451	$translations[ 'text_remove' ]
452	);
	@@ -475,7 +479,10 @@ class Quick_Featured_Images_Columns {
475	die( __( $text ) );
476	}
477	if ( isset( $_POST[ 'post_id' ] ) ) {
478	- ~~$success~~ = ~~delete_post_thumbnail(~~ ~~$_POST[ 'post_id' ][ 0 ] );~~



479	if ( $success ) {
480	// Localize the texts
481	$text_set = 'Set featured image';
	@@ -490,14 +497,14 @@ class Quick_Featured_Images_Columns {
490	* build the HTML response
491	*/
492
493	- $post_title = _draft_or_post_title( $~~_POST[ '~~post_id' ~~][ 0 ]~~ );
494
495	// 'set thumbnail' link
496	$html = sprintf(
497	'%s<br /><a href="%s" id="qfi_set_%d" class="qfi_set_fi" title="%s">%s</a>',
498	$translations[ 'text_deleted' ],
499	- esc_url( get_upload_iframe_src( 'image', $~~_POST[ '~~post_id' ~~][ 0 ]~~ ) ),
500	- $~~_POST[ '~~post_id~~' ][ 0 ]~~,
501	esc_attr( sprintf( $translations[ 'title_set' ], $post_title ) ),
502	$translations[ 'text_set' ]
503	);


402	die( __( $text ) );
403	}
404	if ( isset( $_POST[ 'post_id' ] ) and isset( $_POST[ 'thumbnail_id' ] ) ) {
405	+ // sanitze ids
406	+ $post_id = absint( $_POST[ 'post_id' ][ 0 ] );
407	+ $thumbnail_id = absint( $_POST[ 'thumbnail_id' ] );
408	+ // try to set thumbnail; returns true if successful
409	+ $success = set_post_thumbnail( $post_id, $thumbnail_id );
410	if ( $success ) {
411
412	// Localize the texts

427	* build the HTML response
428	*/
429
430	+ $thumb_title = _draft_or_post_title( $thumbnail_id );
431
432	// 'change thumbnail' link
433	$html = sprintf(
434	'<a href="%s" id="qfi_set_%d" class="qfi_set_fi" title="%s">%s<br />%s</a>',
435	+ esc_url( get_upload_iframe_src( 'image', $post_id ) ),
436	+ $post_id,
437	esc_attr( sprintf( $translations[ 'title_change' ], $thumb_title ) ),
438	+ get_the_post_thumbnail( $post_id, array( 80, 80 ) ),
439	$translations[ 'text_change' ]
440	);
441
442	// 'edit image' link
443	$html .= sprintf(
444	'<br /><a href="%s" title="%s">%s</a>',
445	+ get_edit_post_link( $thumbnail_id ),
446	esc_attr( sprintf( $translations[ 'title_edit' ], $thumb_title ) ),
447	$translations[ 'text_edit' ]
448	);

450	// 'remove thumbnail' link
451	$html .= sprintf(
452	'<br /><a href="#" id="qfi_delete_%d" class="qfi_delete_fi hide-if-no-js" title="%s">%s</a>',
453	+ $post_id,
454	esc_attr( sprintf( $translations[ 'title_remove' ], $thumb_title ) ),
455	$translations[ 'text_remove' ]
456	);

479	die( __( $text ) );
480	}
481	if ( isset( $_POST[ 'post_id' ] ) ) {
482	+ // sanitze post id
483	+ $post_id = absint( $_POST[ 'post_id' ][ 0 ] );
484	+ // try to delete thumbnail; returns true if successful
485	+ $success = delete_post_thumbnail( $post_id );
486	if ( $success ) {
487	// Localize the texts
488	$text_set = 'Set featured image';

497	* build the HTML response
498	*/
499
500	+ $post_title = _draft_or_post_title( $post_id );
501
502	// 'set thumbnail' link
503	$html = sprintf(
504	'%s<br /><a href="%s" id="qfi_set_%d" class="qfi_set_fi" title="%s">%s</a>',
505	$translations[ 'text_deleted' ],
506	+ esc_url( get_upload_iframe_src( 'image', $post_id ) ),
507	+ $post_id,
508	esc_attr( sprintf( $translations[ 'title_set' ], $post_title ) ),
509	$translations[ 'text_set' ]
510	);

quick-featured-images.php CHANGED Viewed

	@@ -10,7 +10,7 @@
10	* Plugin Name: Quick Featured Images
11	* Plugin URI: http://wordpress.org/plugins/quick-featured-images
12	* Description: Your time-saving Swiss Army Knife for featured images: Set, replace and delete them in bulk, in posts lists and set default images for future posts.
13	- * Version: 12.3.5
14	* Author: Martin Stehle
15	* Author URI: http://stehle-internet.de
16	* Text Domain: quick-featured-images


10	* Plugin Name: Quick Featured Images
11	* Plugin URI: http://wordpress.org/plugins/quick-featured-images
12	* Description: Your time-saving Swiss Army Knife for featured images: Set, replace and delete them in bulk, in posts lists and set default images for future posts.
13	+ * Version: 12.3.6
14	* Author: Martin Stehle
15	* Author URI: http://stehle-internet.de
16	* Text Domain: quick-featured-images