Version Description
- Upgrade immediately. Fixes possible XSS vulnerability in Wordfence "firewall unlock" form.
- Also added rate limiting to max of 10 requests per second to the unlock form.
Download this release
Release Info
| Developer | mmaunder |
| Plugin |  Wordfence Security – Firewall & Malware Scan |
| Version | 3.3.6 |
| Comparing to | |
| See all releases | |
Code changes from version 3.3.5 to 3.3.6
- lib/wordfenceClass.php +9 -1
- readme.txt +5 -0
- wordfence.php +2 -2
lib/wordfenceClass.php
CHANGED
|
@@ -348,6 +348,14 @@ class wordfence {
|
|
| 348 |
public static function veryFirstAction(){
|
| 349 |
$wfFunc = @$_GET['_wfsf'];
|
| 350 |
if($wfFunc == 'unlockEmail'){
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 351 |
$email = trim($_POST['email']);
|
| 352 |
global $wpdb;
|
| 353 |
$ws = $wpdb->get_results("SELECT ID, user_login FROM $wpdb->users");
|
|
@@ -382,7 +390,7 @@ class wordfence {
|
|
| 382 |
));
|
| 383 |
wp_mail($email, "Unlock email requested", $content, "Content-Type: text/html");
|
| 384 |
}
|
| 385 |
-
echo "<html><body><h1>Your request was received</h1><p>We received a request to email \"$email\" instructions to unlock their access. If that is the email address of a site administrator or someone on the Wordfence alert list, then they have been emailed instructions on how to regain access to this sytem. The instructions we sent will expire 30 minutes from now.</body></html>";
|
| 386 |
exit();
|
| 387 |
} else if($wfFunc == 'unlockAccess'){
|
| 388 |
if(! preg_match('/^\d+\.\d+\.\d+\.\d+$/', get_transient('wfunlock_' . $_GET['key']))){
|
| 348 |
public static function veryFirstAction(){
|
| 349 |
$wfFunc = @$_GET['_wfsf'];
|
| 350 |
if($wfFunc == 'unlockEmail'){
|
| 351 |
+
$numTries = get_transient('wordfenceUnlockTries');
|
| 352 |
+
if($numTries > 10){
|
| 353 |
+
echo "<html><body><h1>Please wait 3 minutes and try again</h1><p>You have used this form too much. Please wait 3 minutes and try again.</p></body></html>";
|
| 354 |
+
exit();
|
| 355 |
+
}
|
| 356 |
+
if(! $numTries){ $numTries = 1; } else { $numTries = $numTries + 1; }
|
| 357 |
+
set_transient('wordfenceUnlockTries', $numTries, 180);
|
| 358 |
+
|
| 359 |
$email = trim($_POST['email']);
|
| 360 |
global $wpdb;
|
| 361 |
$ws = $wpdb->get_results("SELECT ID, user_login FROM $wpdb->users");
|
| 390 |
));
|
| 391 |
wp_mail($email, "Unlock email requested", $content, "Content-Type: text/html");
|
| 392 |
}
|
| 393 |
+
echo "<html><body><h1>Your request was received</h1><p>We received a request to email \"" . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . "\" instructions to unlock their access. If that is the email address of a site administrator or someone on the Wordfence alert list, then they have been emailed instructions on how to regain access to this sytem. The instructions we sent will expire 30 minutes from now.</body></html>";
|
| 394 |
exit();
|
| 395 |
} else if($wfFunc == 'unlockAccess'){
|
| 396 |
if(! preg_match('/^\d+\.\d+\.\d+\.\d+$/', get_transient('wfunlock_' . $_GET['key']))){
|
readme.txt
CHANGED
|
@@ -153,6 +153,11 @@ or a theme, because often these have been updated to fix a security hole.
|
|
| 153 |
5. If you're technically minded, this is the under-the-hood view of Wordfence options where you can fine-tune your security settings.
|
| 154 |
|
| 155 |
== Changelog ==
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 156 |
= 3.3.5 =
|
| 157 |
* Re-releasing to try and fix an issue with the WordPress plugin distro system.
|
| 158 |
|
| 153 |
5. If you're technically minded, this is the under-the-hood view of Wordfence options where you can fine-tune your security settings.
|
| 154 |
|
| 155 |
== Changelog ==
|
| 156 |
+
|
| 157 |
+
= 3.3.6 =
|
| 158 |
+
* Upgrade immediately. Fixes possible XSS vulnerability in Wordfence "firewall unlock" form.
|
| 159 |
+
* Also added rate limiting to max of 10 requests per second to the unlock form.
|
| 160 |
+
|
| 161 |
= 3.3.5 =
|
| 162 |
* Re-releasing to try and fix an issue with the WordPress plugin distro system.
|
| 163 |
|
wordfence.php
CHANGED
|
@@ -4,10 +4,10 @@ Plugin Name: Wordfence Security
|
|
| 4 |
Plugin URI: http://wordfence.com/
|
| 5 |
Description: Wordfence Security - Anti-virus and Firewall security plugin for WordPress
|
| 6 |
Author: Mark Maunder
|
| 7 |
-
Version: 3.3.
|
| 8 |
Author URI: http://wordfence.com/
|
| 9 |
*/
|
| 10 |
-
define('WORDFENCE_VERSION', '3.3.
|
| 11 |
add_action('activated_plugin','wordfence_save_activation_error'); function wordfence_save_activation_error(){ update_option('wf_plugin_act_error', ob_get_contents()); }
|
| 12 |
if(! defined('WORDFENCE_VERSIONONLY_MODE')){
|
| 13 |
if((int) @ini_get('memory_limit') < 64){
|
| 4 |
Plugin URI: http://wordfence.com/
|
| 5 |
Description: Wordfence Security - Anti-virus and Firewall security plugin for WordPress
|
| 6 |
Author: Mark Maunder
|
| 7 |
+
Version: 3.3.6
|
| 8 |
Author URI: http://wordfence.com/
|
| 9 |
*/
|
| 10 |
+
define('WORDFENCE_VERSION', '3.3.6');
|
| 11 |
add_action('activated_plugin','wordfence_save_activation_error'); function wordfence_save_activation_error(){ update_option('wf_plugin_act_error', ob_get_contents()); }
|
| 12 |
if(! defined('WORDFENCE_VERSIONONLY_MODE')){
|
| 13 |
if((int) @ini_get('memory_limit') < 64){
|
