WP Live Chat Support - Version 8.0.18

Version Description

It is highly recommended that you upgrade to WP Live Chat Support version 8.0.18 for security reasons.


Release Info

Developer WP-LiveChat
Version 8.0.18

Code changes from version 8.0.17 to 8.0.18

Files changed (3)
  1. modules/gdpr.php +8 -6
  2. readme.txt +7 -0
  3. wp-live-chat-support.php +6 -2
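--- a/modules/gdpr.php
+++ b/modules/gdpr.php
@@ -156,7 +156,7 @@ function wplc_gdpr_page_layout(){
  <th>
  <form method="GET" action="">
  <input type="hidden" name="page" value='wplivechat-menu-gdpr-page'>
- <input name='term' type="text" value='<?php echo(isset($_GET['term']) ? $_GET['term'] : ''); ?>' placeholder="<?php _e('Name, Email, Message', 'wplivechat'); ?>" style='height:30px; width: 70%'>
+ <input name='term' type="text" value='<?php echo(isset($_GET['term']) ? htmlspecialchars($_GET['term']) : ''); ?>' placeholder="<?php _e('Name, Email, Message', 'wplivechat'); ?>" style='height:30px; width: 70%'>
 
  <?php do_action('wplc_gdpr_page_search_form_before_submit_hook'); ?>
 
@@ -168,7 +168,7 @@ function wplc_gdpr_page_layout(){
  <tbody>
  <?php
  if(isset($_GET['term'])){
- $results = wplc_gdpr_return_chat_session_search_results($_GET['term']);
+ $results = wplc_gdpr_return_chat_session_search_results(htmlspecialchars($_GET['term']));
 
  foreach ($results as $heading => $sub_results) {
  $original_heading = $heading;
@@ -197,6 +197,8 @@ function wplc_gdpr_page_layout(){
  break;
  }
 
+ $action_action_filter = htmlspecialchars($action_action_filter);
+
  foreach ($sub_results as $key => $value) {
  $cid = isset($value[$cid_identidier]) ? $value[$cid_identidier] : 'false';
  $delete_button_text = str_replace("%%CID%%", $cid, __("Delete Chat (%%CID%%)", "wplivechat"));
@@ -215,8 +217,8 @@ function wplc_gdpr_page_layout(){
  ?>
  </td>
  <td>
- <a class='button' href='?page=wplivechat-menu-gdpr-page&term=<?php echo($_GET["term"]); ?>&action=delete&filter=<?php echo $action_action_filter; ?>&id=<?php echo $cid; ?>'><?php echo $delete_button_text; ?></a>
- <a class='button button-primary' href='?page=wplivechat-menu-gdpr-page&term=<?php echo($_GET["term"]); ?>&action=download&filter=<?php echo $action_action_filter; ?>&id=<?php echo $cid; ?>'><?php echo $download_button_text; ?></a>
+ <a class='button' href='?page=wplivechat-menu-gdpr-page&term=<?php echo(htmlspecialchars($_GET["term"])); ?>&action=delete&filter=<?php echo $action_action_filter; ?>&id=<?php echo htmlspecialchars($cid); ?>'><?php echo $delete_button_text; ?></a>
+ <a class='button button-primary' href='?page=wplivechat-menu-gdpr-page&term=<?php echo(htmlspecialchars($_GET["term"])); ?>&action=download&filter=<?php echo $action_action_filter; ?>&id=<?php echo htmlspecialchars($cid); ?>'><?php echo $download_button_text; ?></a>
  </td>
  </tr>
  <?php
@@ -574,7 +576,7 @@ add_action('init', 'wplc_gdpr_front_end_download_chat');
  function wplc_gdpr_front_end_download_chat(){
  if(isset($_GET['wplc_action']) && isset($_GET['wplc_init_nonce']) && isset($_GET['wplc_cid'])){
  if($_GET['wplc_action'] === 'wplc_gdpr_download_chat_json'){
- if(wp_verify_nonce( $_GET['wplc_init_nonce'], 'wplc-init-nonce-' . date('Y-m-d'))){
+ if(wp_verify_nonce( htmlspecialchars($_GET['wplc_init_nonce']), 'wplc-init-nonce-' . date('Y-m-d'))){
  $chat_id = sanitize_text_field($_GET['wplc_cid']);
  if( ! filter_var($chat_id, FILTER_VALIDATE_INT) ) {
  /* We need to identify if this CID is a node CID, and if so, return the WP CID */
@@ -672,7 +674,7 @@ function wplc_gdpr_disabled_warning(){
  $output .= "<p>" . $privacy_warning . " <a href='https://wp-livechat.com/privacy-policy/' target='_blank'>" . __('Privacy Policy', 'wplivechat') . "</a></p>";
  $output .= "<p>" . $final_warning . "</p>";
  $output .= "<a class='button' href='?page=wplivechat-menu-settings#tabs-privacy' >" . __("Privacy Settings", "wplivechat") . "</a> ";
- $output .= "<a class='button' href='?page=" . $_GET['page'] ."&wplc_gdpr_dismiss_notice=true' style='color: #fff;background-color: #bb0000;border-color: #c70000;'>" . __("Dismiss & Accept Responsibility", "wplivechat") . "</a>";
+ $output .= "<a class='button' href='?page=" . htmlspecialchars($_GET['page']) ."&wplc_gdpr_dismiss_notice=true' style='color: #fff;background-color: #bb0000;border-color: #c70000;'>" . __("Dismiss & Accept Responsibility", "wplivechat") . "</a>";
  $output .= "</div>";
  echo $output;
  }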
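Review bot: The `htmlspecialchars()` calls added on new-side lines 159, 220–221 and 677 all land inside single-quoted attributes (`value='…'`, `href='…'`), and with its default flags the function leaves `'` unescaped on PHP versions before 8.1 (where ENT_QUOTES only became the default), so a term such as `' autofocus onfocus=alert(1) x='` can still break out of the attribute on the PHP builds this 2018 release runs on. Since the file already relies on WordPress helpers (`__()`, `wp_verify_nonce()`, `sanitize_text_field()`), prefer `esc_attr()` for attribute text and `esc_url()`/`urlencode()` for the term embedded in the two href query strings, e.g. `value='<?php echo isset($_GET['term']) ? esc_attr($_GET['term']) : ''; ?>'`. Line 171 additionally escapes the term before handing it to `wplc_gdpr_return_chat_session_search_results()`, which encodes at input rather than at output and presumably changes what gets searched (a term containing `&` or `"` no longer matches the stored text); that helper is outside this hunk, so escape at the echo sites and pass the raw or `sanitize_text_field()`-ed term instead. The `htmlspecialchars()` wrapped around the nonce on line 579 has no security effect, since `wp_verify_nonce()` only compares the value. `wplc_gdpr_page_layout()` starts and ends outside these hunks.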
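--- a/readme.txt
+++ b/readme.txt
@@ -208,6 +208,9 @@ If the live chat box still does not appear on your website, please go through th
 
  == Upgrade Notice ==
 
+ = 8.0.18 =
+ It is highly recommended that you upgrade to WP Live Chat Support version 8.0.18 for security reasons.
+
  = 8.0.15 =
  It is highly recommended that you upgrade to WP Live Chat Support version 8.0.15 for security reasons.
 
@@ -241,6 +244,10 @@ We have patched the PHPMailer vulnerability. Please update to version 7.0.02.
 
  == Changelog ==
 
+ = 8.0.18 - 2018-11-01 - High Priority =
+ * Fixed XSS vulnerability within the GDPR search system (Thanks to Tim Coen)
+ * Fixed Self-XSS vulnerability within the message input field on both dashboard and chat box (Thanks to Tim Coen)
+
  = 8.0.17 - 2018-10-19 - Low priority =
  * Removes WP User Avatar option from settings page. This was incorrectly included in the last release
 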
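--- a/wp-live-chat-support.php
+++ b/wp-live-chat-support.php
@@ -3,7 +3,7 @@
  Plugin Name: WP Live Chat Support
  Plugin URI: http://www.wp-livechat.com
  Description: The easiest to use website live chat plugin. Let your visitors chat with you and increase sales conversion rates with WP Live Chat Support.
- Version: 8.0.17
+ Version: 8.0.18
  Author: WP-LiveChat
  Author URI: http://www.wp-livechat.com
  Text Domain: wplivechat
@@ -11,6 +11,10 @@
  */
 
  /**
+ * 8.0.18 - 2018-11-01 - High Priority
+ * Fixed XSS vulnerability within the GDPR search system (Thanks to Tim Coen)
+ * Fixed Self-XSS vulnerability within the message input field on both dashboard and chat box (Thanks to Tim Coen)
+ *
  * 8.0.17 - 2018-10-19 - Low priority
  * Removes WP User Avatar option from settings page. This was incorrectly included in the last release.
  *
@@ -694,7 +698,7 @@ global $debug_start;
  $wplc_tblname_offline_msgs = $wpdb->prefix . "wplc_offline_messages";
  $wplc_tblname_chats = $wpdb->prefix . "wplc_chat_sessions";
  $wplc_tblname_msgs = $wpdb->prefix . "wplc_chat_msgs";
- $wplc_version = "8.0.17";
+ $wplc_version = "8.0.18";
 
  define('WPLC_BASIC_PLUGIN_DIR', dirname(__FILE__));
  define('WPLC_BASIC_PLUGIN_URL', plugins_url( '/', __FILE__ ) );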