Version Description
- Fixed a security vulnerability whereby XSS scripts could be inserted within the slider post titles.
Download this release
Release Info
| Developer | simonpedge |
| Plugin |  Slide Anything – Responsive Content / HTML Slider and Carousel |
| Version | 2.3.46 |
| Comparing to | |
| See all releases | |
Code changes from version 2.3.45 to 2.3.46
- php/slide-anything-admin.php +7 -0
- readme.txt +8 -2
- slide-anything.php +1 -1
php/slide-anything-admin.php
CHANGED
|
@@ -2516,6 +2516,13 @@ function cpt_slide_any_post_content() {
|
|
| 2516 |
function cpt_slider_save_postdata() {
|
| 2517 |
global $post;
|
| 2518 |
$sa_pro_version = validate_slide_anything_pro_registration();
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2519 |
|
| 2520 |
// ### VERIFY 1) LOGGED-IN USER IS ADMINISTRATOR AND 2) VALID NONCE TO PREVENT CSRF HACKER ATTACKS ###
|
| 2521 |
if (current_user_can('edit_pages') &&
|
| 2516 |
function cpt_slider_save_postdata() {
|
| 2517 |
global $post;
|
| 2518 |
$sa_pro_version = validate_slide_anything_pro_registration();
|
| 2519 |
+
|
| 2520 |
+
// ### REMOVE XSS ATTACK VULNERABILITY FROM SLIDER POST TITLES ###
|
| 2521 |
+
global $wpdb;
|
| 2522 |
+
$post_title = get_the_title($post->ID);
|
| 2523 |
+
$sanitize_title = sanitize_text_field($post_title);
|
| 2524 |
+
$where = array('ID' => $post->ID);
|
| 2525 |
+
$wpdb->update($wpdb->posts, array('post_title' => $sanitize_title), $where);
|
| 2526 |
|
| 2527 |
// ### VERIFY 1) LOGGED-IN USER IS ADMINISTRATOR AND 2) VALID NONCE TO PREVENT CSRF HACKER ATTACKS ###
|
| 2528 |
if (current_user_can('edit_pages') &&
|
readme.txt
CHANGED
|
@@ -3,7 +3,7 @@ Contributors: simonpedge
|
|
| 3 |
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=RP7JLGK6VT252
|
| 4 |
Tags: slider, carousel, content slider, responsive slider, html slider, owl carousel
|
| 5 |
Requires at least: 4.0
|
| 6 |
-
Tested up to:
|
| 7 |
Stable tag: trunk
|
| 8 |
License: GPLv2 or later
|
| 9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
|
@@ -98,6 +98,9 @@ Adding a SLIDE ANYTHING slider using the WordPress 5.0 'Block Editor' is pretty
|
|
| 98 |
|
| 99 |
== Changelog ==
|
| 100 |
|
|
|
|
|
|
|
|
|
|
| 101 |
= 2.3.45 =
|
| 102 |
* Added the WordPress filter 'wp_kses_allowed_html' to allow IFRAME content to be inserted into slide content, which is required to insert YouTube & Vimeo IFRAMEs.
|
| 103 |
|
|
@@ -763,4 +766,7 @@ Adding a SLIDE ANYTHING slider using the WordPress 5.0 'Block Editor' is pretty
|
|
| 763 |
* Another security fix. WPScan notified me of a potential security vunerability where high privilege users (with a role of 'Editor' and above) could perform Cross-Site Scripting attacks by inserting malicious scripts within slide content. Fixed by using 'wp_kses_post()' function to sanitise slide content before updating sliders.
|
| 764 |
|
| 765 |
= 2.3.45 =
|
| 766 |
-
* Added the WordPress filter 'wp_kses_allowed_html' to allow IFRAME content to be inserted into slide content, which is required to insert YouTube & Vimeo IFRAMEs.
|
|
|
|
|
|
|
|
|
| 3 |
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=RP7JLGK6VT252
|
| 4 |
Tags: slider, carousel, content slider, responsive slider, html slider, owl carousel
|
| 5 |
Requires at least: 4.0
|
| 6 |
+
Tested up to: 6.0
|
| 7 |
Stable tag: trunk
|
| 8 |
License: GPLv2 or later
|
| 9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
| 98 |
|
| 99 |
== Changelog ==
|
| 100 |
|
| 101 |
+
= 2.3.46 =
|
| 102 |
+
* Fixed a security vulnerability whereby XSS scripts could be inserted within the slider post titles.
|
| 103 |
+
|
| 104 |
= 2.3.45 =
|
| 105 |
* Added the WordPress filter 'wp_kses_allowed_html' to allow IFRAME content to be inserted into slide content, which is required to insert YouTube & Vimeo IFRAMEs.
|
| 106 |
|
| 766 |
* Another security fix. WPScan notified me of a potential security vunerability where high privilege users (with a role of 'Editor' and above) could perform Cross-Site Scripting attacks by inserting malicious scripts within slide content. Fixed by using 'wp_kses_post()' function to sanitise slide content before updating sliders.
|
| 767 |
|
| 768 |
= 2.3.45 =
|
| 769 |
+
* Added the WordPress filter 'wp_kses_allowed_html' to allow IFRAME content to be inserted into slide content, which is required to insert YouTube & Vimeo IFRAMEs.
|
| 770 |
+
|
| 771 |
+
= 2.3.46 =
|
| 772 |
+
* Fixed a security vulnerability whereby XSS scripts could be inserted within the slider post titles.
|
slide-anything.php
CHANGED
|
@@ -4,7 +4,7 @@
|
|
| 4 |
* Plugin URI: https://wordpress.org/plugins/slide-anything/
|
| 5 |
* Description: Slide Anything allows you to create a carousel/slider where the content for each slide can be anything you want - images, text, HTML, and even shortcodes. This plugin uses the Owl Carousel jQuery plugin, and lets you create beautiful, touch enabled, responsive carousels and sliders.
|
| 6 |
* Author: Simon Edge
|
| 7 |
-
* Version: 2.3.
|
| 8 |
* License: GPLv2 or later
|
| 9 |
*/
|
| 10 |
|
| 4 |
* Plugin URI: https://wordpress.org/plugins/slide-anything/
|
| 5 |
* Description: Slide Anything allows you to create a carousel/slider where the content for each slide can be anything you want - images, text, HTML, and even shortcodes. This plugin uses the Owl Carousel jQuery plugin, and lets you create beautiful, touch enabled, responsive carousels and sliders.
|
| 6 |
* Author: Simon Edge
|
| 7 |
+
* Version: 2.3.46
|
| 8 |
* License: GPLv2 or later
|
| 9 |
*/
|
| 10 |
|
