Version Description
- Fixed potential security issues to prevent CSRF (Cross Site Request Forgery).
Download this release
Release Info
| Developer | cbutlerjr |
| Plugin |  WP-Members Membership Plugin |
| Version | 3.2.8 |
| Comparing to | |
| See all releases | |
Code changes from version 3.2.7 to 3.2.8
- admin/tab-fields.php +11 -11
- readme.txt +6 -2
- wp-members.php +2 -2
admin/tab-fields.php
CHANGED
|
@@ -105,9 +105,8 @@ function wpmem_a_render_fields_tab() {
|
|
| 105 |
$add_meta = sanitize_text_field( wpmem_get( 'add_field', false ) );
|
| 106 |
|
| 107 |
if ( 'delete' == $delete_action ) {
|
| 108 |
-
$delete_fields = wpmem_get( 'delete' ); ?>
|
| 109 |
-
|
| 110 |
|
|
|
|
| 111 |
|
| 112 |
<?php if ( empty( $delete_fields ) ) { ?>
|
| 113 |
<p><?php _e( 'No fields selected for deletion', 'wp-members' ); ?></p>
|
|
@@ -118,7 +117,7 @@ function wpmem_a_render_fields_tab() {
|
|
| 118 |
echo esc_html( $wpmem->fields[ $meta ]['label'] ) . ' (meta key: ' . $meta . ')<br />';
|
| 119 |
} ?>
|
| 120 |
<form name="<?php echo esc_attr( $delete_action ); ?>" id="<?php echo esc_attr( $delete_action ); ?>" method="post" action="<?php echo esc_url( wpmem_admin_form_post_url() ); ?>">
|
| 121 |
-
<?php
|
| 122 |
<input type="hidden" name="delete_fields" value="<?php echo esc_attr( implode( ",", $delete_fields ) ); ?>" />
|
| 123 |
<input type="hidden" name="dodelete" value="delete_confirmed" />
|
| 124 |
<?php submit_button( 'Delete Fields' ); ?>
|
|
@@ -127,7 +126,8 @@ function wpmem_a_render_fields_tab() {
|
|
| 127 |
} else {
|
| 128 |
|
| 129 |
if ( 'delete_confirmed' == wpmem_get( 'dodelete' ) ) {
|
| 130 |
-
|
|
|
|
| 131 |
|
| 132 |
$delete_fields = sanitize_text_field( wpmem_get( 'delete_fields', array() ) );
|
| 133 |
$delete_fields = explode( ",", $delete_fields );
|
|
@@ -184,7 +184,7 @@ function wpmem_a_render_fields_tab_field_edit( $mode, $wpmem_fields, $meta_key )
|
|
| 184 |
} ?>
|
| 185 |
<h3 class="title"><?php ( $mode == 'edit' ) ? _e( 'Edit Field', 'wp-members' ) : _e( 'Add a Field', 'wp-members' ); ?></h3>
|
| 186 |
<form name="<?php echo $form_action; ?>" id="<?php echo $form_action; ?>" method="post" action="<?php echo wpmem_admin_form_post_url( $form_submit ); ?>">
|
| 187 |
-
<?php wp_nonce_field( '
|
| 188 |
<ul>
|
| 189 |
<li>
|
| 190 |
<label><?php _e( 'Field Label', 'wp-members' ); ?> <?php echo $span_required; ?></label>
|
|
@@ -704,7 +704,7 @@ function wpmem_admin_fields_update() {
|
|
| 704 |
if ( 'save' == $action ) {
|
| 705 |
|
| 706 |
// Check nonce.
|
| 707 |
-
|
| 708 |
|
| 709 |
// Update user table fields.
|
| 710 |
$arr = ( isset( $_POST['ut_fields'] ) ) ? $_POST['ut_fields'] : array();
|
|
@@ -740,20 +740,20 @@ function wpmem_admin_fields_update() {
|
|
| 740 |
|
| 741 |
} elseif ( 'delete' == $action ) {
|
| 742 |
|
|
|
|
|
|
|
|
|
|
| 743 |
$delete_action = 'delete';
|
| 744 |
|
| 745 |
-
} elseif ( 'add_field' == wpmem_get( 'wpmem_admin_a' ) || 'edit_field' == wpmem_get( 'wpmem_admin_a' ) ) {
|
| 746 |
|
| 747 |
// Set action.
|
| 748 |
$action = sanitize_text_field( wpmem_get( 'wpmem_admin_a' ) );
|
| 749 |
|
| 750 |
-
// Check nonce.
|
| 751 |
-
//check_admin_referer( 'wpmem-add-fields' );
|
| 752 |
-
|
| 753 |
global $add_field_err_msg;
|
| 754 |
|
| 755 |
$add_field_err_msg = false;
|
| 756 |
-
$add_name
|
| 757 |
$add_option = sanitize_text_field( wpmem_get( 'add_option' ) );
|
| 758 |
|
| 759 |
// Error check that field label and option name are included and unique.
|
| 105 |
$add_meta = sanitize_text_field( wpmem_get( 'add_field', false ) );
|
| 106 |
|
| 107 |
if ( 'delete' == $delete_action ) {
|
|
|
|
|
|
|
| 108 |
|
| 109 |
+
$delete_fields = wpmem_get( 'delete' ); ?>
|
| 110 |
|
| 111 |
<?php if ( empty( $delete_fields ) ) { ?>
|
| 112 |
<p><?php _e( 'No fields selected for deletion', 'wp-members' ); ?></p>
|
| 117 |
echo esc_html( $wpmem->fields[ $meta ]['label'] ) . ' (meta key: ' . $meta . ')<br />';
|
| 118 |
} ?>
|
| 119 |
<form name="<?php echo esc_attr( $delete_action ); ?>" id="<?php echo esc_attr( $delete_action ); ?>" method="post" action="<?php echo esc_url( wpmem_admin_form_post_url() ); ?>">
|
| 120 |
+
<?php wp_nonce_field( 'wpmem-confirm-delete' ); ?>
|
| 121 |
<input type="hidden" name="delete_fields" value="<?php echo esc_attr( implode( ",", $delete_fields ) ); ?>" />
|
| 122 |
<input type="hidden" name="dodelete" value="delete_confirmed" />
|
| 123 |
<?php submit_button( 'Delete Fields' ); ?>
|
| 126 |
} else {
|
| 127 |
|
| 128 |
if ( 'delete_confirmed' == wpmem_get( 'dodelete' ) ) {
|
| 129 |
+
|
| 130 |
+
check_admin_referer( 'wpmem-confirm-delete' );
|
| 131 |
|
| 132 |
$delete_fields = sanitize_text_field( wpmem_get( 'delete_fields', array() ) );
|
| 133 |
$delete_fields = explode( ",", $delete_fields );
|
| 184 |
} ?>
|
| 185 |
<h3 class="title"><?php ( $mode == 'edit' ) ? _e( 'Edit Field', 'wp-members' ) : _e( 'Add a Field', 'wp-members' ); ?></h3>
|
| 186 |
<form name="<?php echo $form_action; ?>" id="<?php echo $form_action; ?>" method="post" action="<?php echo wpmem_admin_form_post_url( $form_submit ); ?>">
|
| 187 |
+
<?php wp_nonce_field( 'wpmem_add_field' ); ?>
|
| 188 |
<ul>
|
| 189 |
<li>
|
| 190 |
<label><?php _e( 'Field Label', 'wp-members' ); ?> <?php echo $span_required; ?></label>
|
| 704 |
if ( 'save' == $action ) {
|
| 705 |
|
| 706 |
// Check nonce.
|
| 707 |
+
check_admin_referer( 'bulk-settings_page_wpmem-settings' );
|
| 708 |
|
| 709 |
// Update user table fields.
|
| 710 |
$arr = ( isset( $_POST['ut_fields'] ) ) ? $_POST['ut_fields'] : array();
|
| 740 |
|
| 741 |
} elseif ( 'delete' == $action ) {
|
| 742 |
|
| 743 |
+
// Check nonce.
|
| 744 |
+
check_admin_referer( 'bulk-settings_page_wpmem-settings' );
|
| 745 |
+
|
| 746 |
$delete_action = 'delete';
|
| 747 |
|
| 748 |
+
} elseif ( ( 'add_field' == wpmem_get( 'wpmem_admin_a' ) || 'edit_field' == wpmem_get( 'wpmem_admin_a' ) ) && check_admin_referer( 'wpmem_add_field' ) ) {
|
| 749 |
|
| 750 |
// Set action.
|
| 751 |
$action = sanitize_text_field( wpmem_get( 'wpmem_admin_a' ) );
|
| 752 |
|
|
|
|
|
|
|
|
|
|
| 753 |
global $add_field_err_msg;
|
| 754 |
|
| 755 |
$add_field_err_msg = false;
|
| 756 |
+
$add_name = sanitize_text_field( wpmem_get( 'add_name' ) );
|
| 757 |
$add_option = sanitize_text_field( wpmem_get( 'add_option' ) );
|
| 758 |
|
| 759 |
// Error check that field label and option name are included and unique.
|
readme.txt
CHANGED
|
@@ -3,7 +3,7 @@ Contributors: cbutlerjr
|
|
| 3 |
Tags: access, authentication, content, login, member, membership, password, protect, register, registration, restriction, subscriber
|
| 4 |
Requires at least: 4.0
|
| 5 |
Tested up to: 5.2
|
| 6 |
-
Stable tag: 3.2.
|
| 7 |
License: GPLv2
|
| 8 |
|
| 9 |
== Description ==
|
|
@@ -101,7 +101,7 @@ The FAQs are maintained at https://rocketgeek.com/plugins/wp-members/docs/faqs/
|
|
| 101 |
== Upgrade Notice ==
|
| 102 |
|
| 103 |
WP-Members 3.2.0 is a major update. See changelog for important details. Minimum WP version is 4.0.
|
| 104 |
-
WP-Members 3.2.
|
| 105 |
|
| 106 |
== Screenshots ==
|
| 107 |
|
|
@@ -124,6 +124,10 @@ WP-Members 3.2.7 is a fix release. See changelog for details.
|
|
| 124 |
|
| 125 |
== Changelog ==
|
| 126 |
|
|
|
|
|
|
|
|
|
|
|
|
|
| 127 |
= 3.2.7 =
|
| 128 |
|
| 129 |
* Fix console error from nonce by implementing different nonce names.
|
| 3 |
Tags: access, authentication, content, login, member, membership, password, protect, register, registration, restriction, subscriber
|
| 4 |
Requires at least: 4.0
|
| 5 |
Tested up to: 5.2
|
| 6 |
+
Stable tag: 3.2.8
|
| 7 |
License: GPLv2
|
| 8 |
|
| 9 |
== Description ==
|
| 101 |
== Upgrade Notice ==
|
| 102 |
|
| 103 |
WP-Members 3.2.0 is a major update. See changelog for important details. Minimum WP version is 4.0.
|
| 104 |
+
WP-Members 3.2.8 is a security release. See changelog for details.
|
| 105 |
|
| 106 |
== Screenshots ==
|
| 107 |
|
| 124 |
|
| 125 |
== Changelog ==
|
| 126 |
|
| 127 |
+
= 3.2.8 =
|
| 128 |
+
|
| 129 |
+
* Fixed potential security issues to prevent CSRF (Cross Site Request Forgery).
|
| 130 |
+
|
| 131 |
= 3.2.7 =
|
| 132 |
|
| 133 |
* Fix console error from nonce by implementing different nonce names.
|
wp-members.php
CHANGED
|
@@ -3,7 +3,7 @@
|
|
| 3 |
Plugin Name: WP-Members
|
| 4 |
Plugin URI: https://rocketgeek.com
|
| 5 |
Description: WP access restriction and user registration. For more information on plugin features, refer to <a href="https://rocketgeek.com/plugins/wp-members/users-guide/">the online Users Guide</a>. A <a href="https://rocketgeek.com/plugins/wp-members/quick-start-guide/">Quick Start Guide</a> is also available. WP-Members(tm) is a trademark of butlerblog.com.
|
| 6 |
-
Version: 3.2.
|
| 7 |
Author: Chad Butler
|
| 8 |
Author URI: http://butlerblog.com/
|
| 9 |
Text Domain: wp-members
|
|
@@ -66,7 +66,7 @@ if ( ! defined( 'ABSPATH' ) ) {
|
|
| 66 |
}
|
| 67 |
|
| 68 |
// Initialize constants.
|
| 69 |
-
define( 'WPMEM_VERSION', '3.2.
|
| 70 |
define( 'WPMEM_DB_VERSION', '2.1.4' );
|
| 71 |
define( 'WPMEM_DIR', plugin_dir_url ( __FILE__ ) );
|
| 72 |
define( 'WPMEM_PATH', plugin_dir_path( __FILE__ ) );
|
| 3 |
Plugin Name: WP-Members
|
| 4 |
Plugin URI: https://rocketgeek.com
|
| 5 |
Description: WP access restriction and user registration. For more information on plugin features, refer to <a href="https://rocketgeek.com/plugins/wp-members/users-guide/">the online Users Guide</a>. A <a href="https://rocketgeek.com/plugins/wp-members/quick-start-guide/">Quick Start Guide</a> is also available. WP-Members(tm) is a trademark of butlerblog.com.
|
| 6 |
+
Version: 3.2.8
|
| 7 |
Author: Chad Butler
|
| 8 |
Author URI: http://butlerblog.com/
|
| 9 |
Text Domain: wp-members
|
| 66 |
}
|
| 67 |
|
| 68 |
// Initialize constants.
|
| 69 |
+
define( 'WPMEM_VERSION', '3.2.8' );
|
| 70 |
define( 'WPMEM_DB_VERSION', '2.1.4' );
|
| 71 |
define( 'WPMEM_DIR', plugin_dir_url ( __FILE__ ) );
|
| 72 |
define( 'WPMEM_PATH', plugin_dir_path( __FILE__ ) );
|
