Sidekick - Version 2.2.2

Version Description

  • Fixes a few security vulnerabilities (Thank You Kacper Szurek - http://security.szurek.pl/)

Release Info

Developer raptor235
Version 2.2.2

Code changes from version 2.2.1 to 2.2.2

Files changed (3)
  1. readme.txt +4 -1
  2. sidekick.php +45 -17
  3. sidekick_embed.php +45 -17
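--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://www.sidekick.pro
 Tags: help, tutorial, training, learn, learning, sidekick, guide, teach, video, manual, videos, wphelp, support, instructions, question, questions, answers, answer, clippy, q&a, wpuniversity, helper, walkthrough
 Requires at least: 3.7
 Tested up to: 4.1
-Stable tag: 2.2.1
+Stable tag: 2.2.2
 License: GNU Version 2 or Any Later Version
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -130,6 +130,9 @@ Absolutely. In fact, we rely on users like you to tell us about things that nee
 
 == Changelog ==
 
+= 2.2.2 =
+* Fixes a few security vulnerabilities (Thank You Kacper Szurek - http://security.szurek.pl/)
+
 = 2.2.1 =
 * Fixes an issue with SIDEKICK appearing twice in the plugin listing page
 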
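--- a/sidekick.php
+++ b/sidekick.php
@@ -6,7 +6,7 @@ Plugin URL: http://wordpress.org/plugins/sidekick/
 Description: Adds a real-time WordPress training walkthroughs right in your Dashboard
 Requires at least: 4.0
 Tested up to: 4.1.1
-Version: 2.2.1
+Version: 2.2.2
 Author: Sidekick.pro
 Author URI: http://www.sidekick.pro
 */
@@ -58,10 +58,12 @@ if (!class_exists('Sidekick')){
 }
 
 function ajax_save(){
-if (isset($_POST['sk_composer_button']) && $_POST['sk_composer_button'] == "true") {
-update_option( 'sk_composer_button', true );
-} elseif (isset($_POST['sk_composer_button']) && $_POST['sk_composer_button'] == "false") {
-delete_option('sk_composer_button');
+if (user_can('install_plugins')) {
+if (isset($_POST['sk_composer_button']) && $_POST['sk_composer_button'] == "true") {
+update_option( 'sk_composer_button', true );
+} elseif (isset($_POST['sk_composer_button']) && $_POST['sk_composer_button'] == "false") {
+delete_option('sk_composer_button');
+}
 }
 }
 
@@ -138,6 +140,14 @@ if (!class_exists('Sidekick')){
 }
 
 function set_disabled_wts(){
+
+if (!check_admin_referer('update_sk_settings')) {
+print 'Sorry, your nonce did not verify or you\'re not logged in.';
+exit;
+}
+
+$_POST['disable_wts'] = array_map("mysql_real_escape_string",$_POST['disable_wts']);
+
 if (isset($_POST['disable_wts']) && $_POST['disable_wts']) {
 update_option('sk_disabled_wts',json_encode($_POST['disable_wts']));
 if (is_network_admin()) {
@@ -152,11 +162,17 @@ if (!class_exists('Sidekick')){
 }
 
 function set_autostart_wt(){
+
+if (!check_admin_referer('update_sk_settings')) {
+print 'Sorry, your nonce did not verify or you\'re not logged in.';
+exit;
+}
+
 if (isset($_POST['sk_autostart_walkthrough_id']) && intval($_POST['sk_autostart_walkthrough_id']) > 0){
 if (is_network_admin()) {
-update_site_option('sk_autostart_walkthrough_id',$_POST['sk_autostart_walkthrough_id']);
+update_site_option('sk_autostart_walkthrough_id',wp_filter_kses($_POST['sk_autostart_walkthrough_id']));
 }
-update_option('sk_autostart_walkthrough_id',$_POST['sk_autostart_walkthrough_id']);
+update_option('sk_autostart_walkthrough_id',wp_filter_kses($_POST['sk_autostart_walkthrough_id']));
 } else {
 delete_option('sk_autostart_walkthrough_id');
 if (is_network_admin()) {
@@ -166,9 +182,16 @@ if (!class_exists('Sidekick')){
 }
 
 function set_api(){
+
+if (!check_admin_referer('update_sk_settings')) {
+print 'Sorry, your nonce did not verify or you\'re not logged in.';
+exit;
+}
+
+
 if (isset($_POST['sk_api'])){
-update_option('sk_api',$_POST['sk_api']);
-update_site_option('sk_api',$_POST['sk_api']);
+update_option('sk_api',wp_filter_kses($_POST['sk_api']));
+update_site_option('sk_api',wp_filter_kses($_POST['sk_api']));
 }
 }
 
@@ -236,7 +259,7 @@ if (!class_exists('Sidekick')){
 plugin_count: <?php echo ($plugin_count) ? $plugin_count : 0 ?>,
 is_multisite: <?php echo (is_multisite()) ? "true" : "false" ?>,
 number_of_themes: <?php echo $number_of_themes ?>,
-installed_theme: {'<?php echo sanitize_title($theme->Name) ?>' : '<?php echo $theme->Version ?>'},
+installed_theme: '<?php echo sanitize_title($theme->Name) ?>',
 theme_version: '<?php echo $theme->Version ?>',
 main_soft_version: '<?php echo get_bloginfo("version") ?>',
 user_level: '<?php echo $user_role ?>',
@@ -276,7 +299,7 @@ if (!class_exists('Sidekick')){
 // Generic Info
 just_activated: <?php echo ($sk_just_activated) ? "true" : "false" ?>,
 platform_version: null,
-plugin_version: '2.2.1',
+plugin_version: '2.2.2',
 show_login: <?php echo ($sk_just_activated) ? "true" : "false" ?>,
 
 // SIDEKICK URLS
@@ -355,7 +378,7 @@ if (!class_exists('Sidekick')){
 }
 
 function activate($return = false){
-if (isset($_POST['activation_id'])) {
+if (isset($_POST['activation_id']) && user_can('install_plugins')) {
 update_option('sk_activation_id',$_POST['activation_id']);
 }
 }
@@ -393,7 +416,7 @@ if (!class_exists('Sidekick')){
 
 function check_ver(){
 
-$data = json_encode('2.2.1');
+$data = json_encode('2.2.2');
 
 if(array_key_exists('callback', $_GET)){
 
@@ -457,10 +480,15 @@ if (!class_exists('Sidekick')){
 register_activation_hook( __FILE__, array($sidekick,'activate_plugin') );
 register_deactivation_hook( __FILE__, array($sidekick,'deactivate_plugin') );
 
-if (isset($_POST['sk_setting_disabled'])) $sidekick->set_disabled_wts();
-if (isset($_POST['sk_setting_autostart'])) $sidekick->set_autostart_wt();
-if (isset($_POST['sk_api'])) $sidekick->set_api();
-if (isset($_GET['sk_ver_check'])) $sidekick->check_ver();
+// if (isset($_POST['sk_setting_disabled'])) $sidekick->set_disabled_wts();
+// if (isset($_POST['sk_setting_autostart'])) $sidekick->set_autostart_wt();
+// if (isset($_POST['sk_api'])) $sidekick->set_api();
+// if (isset($_GET['sk_ver_check'])) $sidekick->check_ver();
+
+if (isset($_POST['sk_setting_disabled'])) add_action('admin_init', array($sidekick,'set_disabled_wts'));
+if (isset($_POST['sk_setting_autostart'])) add_action('admin_init', array($sidekick,'set_autostart_wt'));
+if (isset($_POST['sk_api'])) add_action('admin_init', array($sidekick,'set_api'));
+if (isset($_GET['sk_ver_check'])) add_action('admin_init', array($sidekick,'check_ver'));
 
 
 add_action('admin_menu', array($sidekick,'setup_menu'));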
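Review bot: The new `user_can('install_plugins')` guards in `ajax_save` and `activate` do not test the current user's capability: WordPress's `user_can()` takes the user as its first argument and the capability as its second, so called with a single string it resolves no user and returns false, which disables both handlers for everyone instead of restricting them; the intended call is `current_user_can('install_plugins')`. The three settings handlers `set_disabled_wts`, `set_autostart_wt` and `set_api` gained only `check_admin_referer('update_sk_settings')`, which shows the request originated from the plugin's own form but not that the submitter may write site-wide options, so a `current_user_can('manage_options')` check still belongs in front of the `update_option`/`update_site_option` calls. In `set_disabled_wts` the new `array_map("mysql_real_escape_string", $_POST['disable_wts'])` runs before the `isset` check on the following line, so a request without that key hands null to `array_map`; `mysql_real_escape_string` is also the deprecated ext/mysql function (removed in PHP 7), needs an open mysql link, and escapes for a raw SQL string while this value is `json_encode`d into an option, so it is the wrong tool for this sink. A rewritten head of `set_disabled_wts` is below (the function continues past the hunk); sidekick_embed.php carries the identical changes and needs the same fixes.
```php
function set_disabled_wts(){

    if (!check_admin_referer('update_sk_settings') || !current_user_can('manage_options')) {
        print 'Sorry, your nonce did not verify or you\'re not logged in.';
        exit;
    }

    // Only sanitize what is present; kses/SQL escaping is not the right filter for a JSON-encoded option value.
    if (isset($_POST['disable_wts']) && is_array($_POST['disable_wts'])) {
        $_POST['disable_wts'] = array_map('sanitize_text_field', $_POST['disable_wts']);
    }

    if (isset($_POST['disable_wts']) && $_POST['disable_wts']) {
        // … unchanged: update_option / update_site_option of the JSON-encoded list …
```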
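--- a/sidekick_embed.php
+++ b/sidekick_embed.php
@@ -8,7 +8,7 @@ Description: Adds a real-time WordPress training walkthroughs right in your Dash
 We recommend not activating SIDEKICK automatically for people but via an Opt-In process when they configure your own theme or plugin.
 Requires at least: 4.0
 Tested up to: 4.1.1
-Version: 2.2.1
+Version: 2.2.2
 Author: Sidekick.pro
 Author URI: http://www.sidekick.pro
 */
@@ -60,10 +60,12 @@ if (!class_exists('Sidekick')){
 }
 
 function ajax_save(){
-if (isset($_POST['sk_composer_button']) && $_POST['sk_composer_button'] == "true") {
-update_option( 'sk_composer_button', true );
-} elseif (isset($_POST['sk_composer_button']) && $_POST['sk_composer_button'] == "false") {
-delete_option('sk_composer_button');
+if (user_can('install_plugins')) {
+if (isset($_POST['sk_composer_button']) && $_POST['sk_composer_button'] == "true") {
+update_option( 'sk_composer_button', true );
+} elseif (isset($_POST['sk_composer_button']) && $_POST['sk_composer_button'] == "false") {
+delete_option('sk_composer_button');
+}
 }
 }
 
@@ -354,6 +356,14 @@ if (!class_exists('Sidekick')){
 }
 
 function set_disabled_wts(){
+
+if (!check_admin_referer('update_sk_settings')) {
+print 'Sorry, your nonce did not verify or you\'re not logged in.';
+exit;
+}
+
+$_POST['disable_wts'] = array_map("mysql_real_escape_string",$_POST['disable_wts']);
+
 if (isset($_POST['disable_wts']) && $_POST['disable_wts']) {
 update_option('sk_disabled_wts',json_encode($_POST['disable_wts']));
 if (is_network_admin()) {
@@ -368,11 +378,17 @@ if (!class_exists('Sidekick')){
 }
 
 function set_autostart_wt(){
+
+if (!check_admin_referer('update_sk_settings')) {
+print 'Sorry, your nonce did not verify or you\'re not logged in.';
+exit;
+}
+
 if (isset($_POST['sk_autostart_walkthrough_id']) && intval($_POST['sk_autostart_walkthrough_id']) > 0){
 if (is_network_admin()) {
-update_site_option('sk_autostart_walkthrough_id',$_POST['sk_autostart_walkthrough_id']);
+update_site_option('sk_autostart_walkthrough_id',wp_filter_kses($_POST['sk_autostart_walkthrough_id']));
 }
-update_option('sk_autostart_walkthrough_id',$_POST['sk_autostart_walkthrough_id']);
+update_option('sk_autostart_walkthrough_id',wp_filter_kses($_POST['sk_autostart_walkthrough_id']));
 } else {
 delete_option('sk_autostart_walkthrough_id');
 if (is_network_admin()) {
@@ -382,9 +398,16 @@ if (!class_exists('Sidekick')){
 }
 
 function set_api(){
+
+if (!check_admin_referer('update_sk_settings')) {
+print 'Sorry, your nonce did not verify or you\'re not logged in.';
+exit;
+}
+
+
 if (isset($_POST['sk_api'])){
-update_option('sk_api',$_POST['sk_api']);
-update_site_option('sk_api',$_POST['sk_api']);
+update_option('sk_api',wp_filter_kses($_POST['sk_api']));
+update_site_option('sk_api',wp_filter_kses($_POST['sk_api']));
 }
 }
 
@@ -452,7 +475,7 @@ if (!class_exists('Sidekick')){
 plugin_count: <?php echo ($plugin_count) ? $plugin_count : 0 ?>,
 is_multisite: <?php echo (is_multisite()) ? "true" : "false" ?>,
 number_of_themes: <?php echo $number_of_themes ?>,
-installed_theme: {'<?php echo sanitize_title($theme->Name) ?>' : '<?php echo $theme->Version ?>'},
+installed_theme: '<?php echo sanitize_title($theme->Name) ?>',
 theme_version: '<?php echo $theme->Version ?>',
 main_soft_version: '<?php echo get_bloginfo("version") ?>',
 user_level: '<?php echo $user_role ?>',
@@ -492,7 +515,7 @@ if (!class_exists('Sidekick')){
 // Generic Info
 just_activated: <?php echo ($sk_just_activated) ? "true" : "false" ?>,
 platform_version: null,
-plugin_version: '2.2.1',
+plugin_version: '2.2.2',
 show_login: <?php echo ($sk_just_activated) ? "true" : "false" ?>,
 
 // SIDEKICK URLS
@@ -571,7 +594,7 @@ if (!class_exists('Sidekick')){
 }
 
 function activate($return = false){
-if (isset($_POST['activation_id'])) {
+if (isset($_POST['activation_id']) && user_can('install_plugins')) {
 update_option('sk_activation_id',$_POST['activation_id']);
 }
 }
@@ -609,7 +632,7 @@ if (!class_exists('Sidekick')){
 
 function check_ver(){
 
-$data = json_encode('2.2.1');
+$data = json_encode('2.2.2');
 
 if(array_key_exists('callback', $_GET)){
 
@@ -673,10 +696,15 @@ if (!class_exists('Sidekick')){
 register_activation_hook( __FILE__, array($sidekick,'activate_plugin') );
 register_deactivation_hook( __FILE__, array($sidekick,'deactivate_plugin') );
 
-if (isset($_POST['sk_setting_disabled'])) $sidekick->set_disabled_wts();
-if (isset($_POST['sk_setting_autostart'])) $sidekick->set_autostart_wt();
-if (isset($_POST['sk_api'])) $sidekick->set_api();
-if (isset($_GET['sk_ver_check'])) $sidekick->check_ver();
+// if (isset($_POST['sk_setting_disabled'])) $sidekick->set_disabled_wts();
+// if (isset($_POST['sk_setting_autostart'])) $sidekick->set_autostart_wt();
+// if (isset($_POST['sk_api'])) $sidekick->set_api();
+// if (isset($_GET['sk_ver_check'])) $sidekick->check_ver();
+
+if (isset($_POST['sk_setting_disabled'])) add_action('admin_init', array($sidekick,'set_disabled_wts'));
+if (isset($_POST['sk_setting_autostart'])) add_action('admin_init', array($sidekick,'set_autostart_wt'));
+if (isset($_POST['sk_api'])) add_action('admin_init', array($sidekick,'set_api'));
+if (isset($_GET['sk_ver_check'])) add_action('admin_init', array($sidekick,'check_ver'));
 
 
 add_action('admin_menu', array($sidekick,'setup_menu'));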
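Review bot: In `set_autostart_wt` the new `wp_filter_kses(...)` wrappers store the raw POST string even though the surrounding `intval(...) > 0` check has already established that only a positive integer is acceptable; `wp_filter_kses` filters HTML tags and otherwise passes the text through, so storing the validated integer is both stricter and simpler: `update_site_option('sk_autostart_walkthrough_id', intval($_POST['sk_autostart_walkthrough_id']));` and the same for the `update_option` call two lines below. `set_api` has the same shape, with an HTML filter used as the only check on a value written to a site-wide option, where `sanitize_text_field` or a format check on the key would be the appropriate guard. `activate` still stores `$_POST['activation_id']` with no nonce and no sanitization; the commit only adds a capability guard there. These handlers are duplicated verbatim in sidekick.php, so each fix has to be applied in both files.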