Custom Post Types and Custom Fields creator – WCK - Version 2.2.9

Version Description

  • Security fixes and improvements
Download this release

Release Info

Developer madalin.ungureanu
Plugin Icon 128x128 Custom Post Types and Custom Fields creator – WCK
Version 2.2.9
Comparing to
See all releases

Code changes from version 2.2.8 to 2.2.9

Files changed (9) hide show
  1. inc/class_notices.php +1 -1
  2. readme.txt +4 -1
  3. wck-cfc.php +1 -1
  4. wck-cptc.php +1 -1
  5. wck-ctc.php +1 -1
  6. wck-sas.php +1 -1
  7. wck.php +2 -2
  8. wordpress-creation-kit-api/wck-fep/wck-fep.php +6 -6
  9. wordpress-creation-kit-api/wordpress-creation-kit.php +10 -0
inc/class_notices.php CHANGED
@@ -55,7 +55,7 @@ class WCK_Add_Notices{
55
  do_action( $this->notificationId.'_before_notification_dismissed', $current_user );
56
 
57
  // If user clicks to ignore the notice, add that to their user meta
58
- if ( isset( $_GET[$this->notificationId.'_dismiss_notification']) && '0' == $_GET[$this->notificationId.'_dismiss_notification'] )
59
  add_user_meta( $user_id, $this->notificationId.'_dismiss_notification', 'true', true );
60
 
61
  do_action( $this->notificationId.'_after_notification_dismissed', $current_user );
55
  do_action( $this->notificationId.'_before_notification_dismissed', $current_user );
56
 
57
  // If user clicks to ignore the notice, add that to their user meta
58
+ if ( isset( $_GET[$this->notificationId.'_dismiss_notification']) && '0' === $_GET[$this->notificationId.'_dismiss_notification'] )
59
  add_user_meta( $user_id, $this->notificationId.'_dismiss_notification', 'true', true );
60
 
61
  do_action( $this->notificationId.'_after_notification_dismissed', $current_user );
readme.txt CHANGED
@@ -4,7 +4,7 @@ Donate link: http://www.cozmoslabs.com/wordpress-creation-kit/
4
  Tags: custom fields, custom field, wordpress custom fields, custom post type, custom post types, post types, repeater fields, meta box, metabox, custom taxonomy, custom fields creator, post meta
5
  Requires at least: 3.1
6
  Tested up to: 5.7.2
7
- Stable tag: 2.2.8
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
@@ -135,6 +135,9 @@ Creating a taxonomy generally automatically creates a special query variable usi
135
  10. Taxonomy listing
136
 
137
  == Changelog ==
 
 
 
138
  = 2.2.8 =
139
  * Security fixes and improvements
140
 
4
  Tags: custom fields, custom field, wordpress custom fields, custom post type, custom post types, post types, repeater fields, meta box, metabox, custom taxonomy, custom fields creator, post meta
5
  Requires at least: 3.1
6
  Tested up to: 5.7.2
7
+ Stable tag: 2.2.9
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
135
  10. Taxonomy listing
136
 
137
  == Changelog ==
138
+ = 2.2.9 =
139
+ * Security fixes and improvements
140
+
141
  = 2.2.8 =
142
  * Security fixes and improvements
143
 
wck-cfc.php CHANGED
@@ -1079,7 +1079,7 @@ add_action( 'admin_init', 'wck_cfc_process_unserialized_batch' );
1079
  */
1080
  function wck_cfc_process_unserialized_batch() {
1081
 
1082
- if( empty( $_REQUEST['action'] ) || 'wck_unbatch_process' != $_REQUEST['action'] ) {
1083
  return;
1084
  }
1085
 
1079
  */
1080
  function wck_cfc_process_unserialized_batch() {
1081
 
1082
+ if( empty( $_REQUEST['action'] ) || 'wck_unbatch_process' !== $_REQUEST['action'] ) {
1083
  return;
1084
  }
1085
 
wck-cptc.php CHANGED
@@ -240,7 +240,7 @@ function wck_cptc_create_cpts(){
240
  /* Flush rewrite rules */
241
  add_action('init', 'cptc_flush_rules', 20);
242
  function cptc_flush_rules(){
243
- if( isset( $_GET['page'] ) && $_GET['page'] == 'cptc-page' && isset( $_GET['updated'] ) && $_GET['updated'] == 'true' )
244
  flush_rewrite_rules( false );
245
  }
246
 
240
  /* Flush rewrite rules */
241
  add_action('init', 'cptc_flush_rules', 20);
242
  function cptc_flush_rules(){
243
+ if( isset( $_GET['page'] ) && $_GET['page'] === 'cptc-page' && isset( $_GET['updated'] ) && $_GET['updated'] === 'true' )
244
  flush_rewrite_rules( false );
245
  }
246
 
wck-ctc.php CHANGED
@@ -280,7 +280,7 @@ function wck_ctc_get_reserved_names(){
280
  /* Flush rewrite rules */
281
  add_action('init', 'ctc_flush_rules', 20);
282
  function ctc_flush_rules(){
283
- if( isset( $_GET['page'] ) && $_GET['page'] == 'ctc-page' && isset( $_GET['updated'] ) && $_GET['updated'] == 'true' )
284
  flush_rewrite_rules( false );
285
  }
286
 
280
  /* Flush rewrite rules */
281
  add_action('init', 'ctc_flush_rules', 20);
282
  function ctc_flush_rules(){
283
+ if( isset( $_GET['page'] ) && $_GET['page'] === 'ctc-page' && isset( $_GET['updated'] ) && $_GET['updated'] === 'true' )
284
  flush_rewrite_rules( false );
285
  }
286
 
wck-sas.php CHANGED
@@ -332,7 +332,7 @@ class wck_add_serial_notices{
332
  do_action( $this->pluginPrefix.'_before_notification_dismissed', $current_user );
333
 
334
  // If user clicks to ignore the notice, add that to their user meta
335
- if ( isset( $_GET[$this->pluginPrefix.'_dismiss_notification']) && '0' == $_GET[$this->pluginPrefix.'_dismiss_notification'] )
336
  add_user_meta( $user_id, $this->pluginPrefix.'_dismiss_notification', 'true', true );
337
 
338
  do_action( $this->pluginPrefix.'_after_notification_dismissed', $current_user );
332
  do_action( $this->pluginPrefix.'_before_notification_dismissed', $current_user );
333
 
334
  // If user clicks to ignore the notice, add that to their user meta
335
+ if ( isset( $_GET[$this->pluginPrefix.'_dismiss_notification']) && '0' === $_GET[$this->pluginPrefix.'_dismiss_notification'] )
336
  add_user_meta( $user_id, $this->pluginPrefix.'_dismiss_notification', 'true', true );
337
 
338
  do_action( $this->pluginPrefix.'_after_notification_dismissed', $current_user );
wck.php CHANGED
@@ -3,7 +3,7 @@
3
  Plugin Name: WCK - Custom Fields and Custom Post Types Creator
4
  Description: WordPress Creation Kit consists of three tools that can help you create and maintain custom post types, custom taxonomies and most importantly, custom fields and metaboxes for your posts, pages or CPT's.
5
  Author: Cozmoslabs, Madalin Ungureanu, Cristian Antohe
6
- Version: 2.2.8
7
  Author URI: http://www.cozmoslabs.com
8
  Text Domain: wck
9
  Domain Path: /languages
@@ -28,7 +28,7 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
28
 
29
  define( 'WCK_PLUGIN_DIR', WP_PLUGIN_DIR . '/' . dirname( plugin_basename( __FILE__ ) ) );
30
  define( 'WCK_PLUGIN_DIR_URL', plugin_dir_url( __FILE__ ) );
31
- define( 'WCK_PLUGIN_VERSION', '2.6.1' );
32
 
33
  /* ready for localization */
34
  $current_theme = wp_get_theme();
3
  Plugin Name: WCK - Custom Fields and Custom Post Types Creator
4
  Description: WordPress Creation Kit consists of three tools that can help you create and maintain custom post types, custom taxonomies and most importantly, custom fields and metaboxes for your posts, pages or CPT's.
5
  Author: Cozmoslabs, Madalin Ungureanu, Cristian Antohe
6
+ Version: 2.2.9
7
  Author URI: http://www.cozmoslabs.com
8
  Text Domain: wck
9
  Domain Path: /languages
28
 
29
  define( 'WCK_PLUGIN_DIR', WP_PLUGIN_DIR . '/' . dirname( plugin_basename( __FILE__ ) ) );
30
  define( 'WCK_PLUGIN_DIR_URL', plugin_dir_url( __FILE__ ) );
31
+ define( 'WCK_PLUGIN_VERSION', '2.6.3' );
32
 
33
  /* ready for localization */
34
  $current_theme = wp_get_theme();
wordpress-creation-kit-api/wck-fep/wck-fep.php CHANGED
@@ -185,7 +185,7 @@ class WCK_FrontEnd_Posting extends Wordpress_Creation_Kit{
185
  wp_enqueue_media();
186
 
187
  $output = "<div class='". $form_name ." fep-container";
188
- if( isset( $_GET['action'] ) && $_GET['action'] == 'edit' )
189
  $output .= " fep-edit";
190
  $output .= "'><div id='fep-ajax-loading'></div></div>";
191
 
@@ -202,7 +202,7 @@ class WCK_FrontEnd_Posting extends Wordpress_Creation_Kit{
202
 
203
  /* edit nonce */
204
  if( !empty( $_GET['_wpnonce'] ) ){
205
- $edit_nonce = $_GET['_wpnonce'];
206
  }
207
  else
208
  $edit_nonce = '';
@@ -522,10 +522,10 @@ class WCK_FrontEnd_Posting extends Wordpress_Creation_Kit{
522
  $meta = sanitize_text_field( $_POST['meta'] );
523
  $post_ID = absint( $_POST['postid'] );
524
  if( !empty( $_POST['values'] ) )
525
- $values = $_POST['values'];
526
  else
527
  $values = array();
528
- $single_cfcs = (!empty( $_POST['single_cfcs'] )) ? $_POST['single_cfcs'] : array() ;
529
  $action_type = sanitize_text_field( $_POST['action_type'] );
530
 
531
  /* check required fields */
@@ -1178,7 +1178,7 @@ function wck_fep_redirect_to_front_end() {
1178
 
1179
  /* Set up upload field for frontend */
1180
  /* overwrite the two functions for when an upload is made from the frontend so they don't check for a logged in user */
1181
- if( strpos( wp_get_referer(), 'wp-admin' ) === false && isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['action'] ){
1182
  if( !function_exists( 'check_ajax_referer' ) ){
1183
  function check_ajax_referer( ) {
1184
  return true;
@@ -1195,7 +1195,7 @@ if( strpos( wp_get_referer(), 'wp-admin' ) === false && isset( $_REQUEST['action
1195
  /* create a fake user with the "upload_posts" capability and assign him to the global $current_user. this is used to bypass the checks for current_user_can('upload_files') in async-upload.php */
1196
  add_action( 'after_setup_theme', 'wck_create_fake_user_when_uploading_and_not_logged_in' );
1197
  function wck_create_fake_user_when_uploading_and_not_logged_in(){
1198
- if( strpos( wp_get_referer(), 'wp-admin' ) === false && isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['action'] ){
1199
  if( !is_user_logged_in() || !current_user_can('upload_files') || !current_user_can( 'edit_posts' ) ){
1200
  global $current_user;
1201
  $current_user = new WP_User( 0, 'frontend_uploader' );
185
  wp_enqueue_media();
186
 
187
  $output = "<div class='". $form_name ." fep-container";
188
+ if( isset( $_GET['action'] ) && $_GET['action'] === 'edit' )
189
  $output .= " fep-edit";
190
  $output .= "'><div id='fep-ajax-loading'></div></div>";
191
 
202
 
203
  /* edit nonce */
204
  if( !empty( $_GET['_wpnonce'] ) ){
205
+ $edit_nonce = esc_js($_GET['_wpnonce']);
206
  }
207
  else
208
  $edit_nonce = '';
522
  $meta = sanitize_text_field( $_POST['meta'] );
523
  $post_ID = absint( $_POST['postid'] );
524
  if( !empty( $_POST['values'] ) )
525
+ $values = self::wck_sanitize_request( $_POST['values'] );
526
  else
527
  $values = array();
528
+ $single_cfcs = (!empty( $_POST['single_cfcs'] )) ? self::wck_sanitize_request( $_POST['single_cfcs'] ) : array() ;
529
  $action_type = sanitize_text_field( $_POST['action_type'] );
530
 
531
  /* check required fields */
1178
 
1179
  /* Set up upload field for frontend */
1180
  /* overwrite the two functions for when an upload is made from the frontend so they don't check for a logged in user */
1181
+ if( strpos( wp_get_referer(), 'wp-admin' ) === false && isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ){
1182
  if( !function_exists( 'check_ajax_referer' ) ){
1183
  function check_ajax_referer( ) {
1184
  return true;
1195
  /* create a fake user with the "upload_posts" capability and assign him to the global $current_user. this is used to bypass the checks for current_user_can('upload_files') in async-upload.php */
1196
  add_action( 'after_setup_theme', 'wck_create_fake_user_when_uploading_and_not_logged_in' );
1197
  function wck_create_fake_user_when_uploading_and_not_logged_in(){
1198
+ if( strpos( wp_get_referer(), 'wp-admin' ) === false && isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ){
1199
  if( !is_user_logged_in() || !current_user_can('upload_files') || !current_user_can( 'edit_posts' ) ){
1200
  global $current_user;
1201
  $current_user = new WP_User( 0, 'frontend_uploader' );
wordpress-creation-kit-api/wordpress-creation-kit.php CHANGED
@@ -1724,6 +1724,16 @@ class Wordpress_Creation_Kit{
1724
  function wck_sanitize_value( $string ){
1725
  return preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is', '', $string );
1726
  }
 
 
 
 
 
 
 
 
 
 
1727
  }
1728
 
1729
 
1724
  function wck_sanitize_value( $string ){
1725
  return preg_replace( '/<script\b[^>]*>(.*?)<\/script>/is', '', $string );
1726
  }
1727
+
1728
+ function wck_sanitize_request( $request ){
1729
+ if( is_array( $request ) ){
1730
+ $request = array_map( array( $this, 'wck_sanitize_value' ), $request );
1731
+ }
1732
+ else
1733
+ $request = $this->wck_sanitize_value($request);
1734
+
1735
+ return $request;
1736
+ }
1737
  }
1738
 
1739