WP Subscribe - Version 1.2.14

Version Description

  • Security hardening

Release Info

Developer MyThemeShop
Version 1.2.14

Code changes from version 1.2.13 to 1.2.14

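--- a/assets/js/wp-subscribe-admin.js
+++ b/assets/js/wp-subscribe-admin.js
@@ -203,7 +203,8 @@ Author URI: http://mythemeshop.com/
 url: ajaxurl,
 data: {
 action: 'mts_dismiss_wpsubscribe_notice',
-dismiss: jQuery(this).data('ignore')
+dismiss: jQuery(this).data('ignore'),
+nonce: jQuery(this).data('nonce'),
 }
 });
 return false;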
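--- a/includes/class-wps-base.php
+++ b/includes/class-wps-base.php
@@ -4,9 +4,9 @@
 * The base class for all the classes
 */
 
-if( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
+if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
 
-if( ! class_exists( 'WPS_Base' ) ):
+if ( ! class_exists( 'WPS_Base' ) ):
 
 /**
 * Base Class
@@ -44,7 +44,7 @@ class WPS_Base {
 */
 protected function remove_action( $hook, $func, $priority = 10, $args = 1 ) {
 remove_action( $hook, array( &$this, $func ), $priority, $args );
-}
+}
 
 /**
 * Remove filter
@@ -53,7 +53,7 @@ class WPS_Base {
 */
 protected function remove_filter( $hook, $func, $priority = 10, $args = 1 ) {
 remove_filter( $hook, array( &$this, $func ), $priority, $args );
-}
+}
 
 /**
 * Inject config into class
@@ -61,17 +61,17 @@ class WPS_Base {
 * @param array $config
 * @return void
 */
-protected function config( $config = array() ) {
+protected function config( $config = array() ) {
 
-// check
-if( empty( $config ) ) {
-return;
-}
+// check
+if( empty( $config ) ) {
+return;
+}
 
-foreach( $config as $key => $value ) {
-$this->$key = $value;
-}
-}
+foreach( $config as $key => $value ) {
+$this->$key = $value;
+}
+}
 
 /**
 * Is current page equals this
@@ -79,9 +79,9 @@ class WPS_Base {
 * @return boolean
 */
 protected function is_current_page() {
-$page = isset( $_GET['page'] ) && !empty( $_GET['page'] ) ? $_GET['page'] : false;
-return $page === $this->id;
-}
+$page = isset( $_GET['page'] ) && ! empty( $_GET['page'] ) ? $_GET['page'] : false;
+return $page === $this->id;
+}
 }
 
 endif;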
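--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Creator's website link: http://mythemeshop.com/plugins/wp-subscribe/
 Tags: subscribe, subscription, subscription box, newsletter, subscribe widget, mailchimp, aweber, feedburner,
 Requires at least: 4.0
 Tested up to: 5.9.3
-Stable tag: 1.2.13
+Stable tag: 1.2.14
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -82,6 +82,9 @@ Please disable all plugins and check if plugin is working properly. Then you can
 
 == Changelog ==
 
+= 1.2.14 =
+* Security hardening
+
 = 1.2.13 =
 * Fixed a security issue
 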
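--- a/wp-subscribe.php
+++ b/wp-subscribe.php
@@ -117,12 +117,13 @@ if( ! class_exists('MTS_WP_Subscribe') ) :
 public function wp_subscribe_admin_notice() {
 global $current_user ;
 $user_id = $current_user->ID;
+$nonce = wp_create_nonce( 'mts_dismiss_wpsubscribe_notice' );
 /* Check that the user hasn't already clicked to ignore the message */
 /* Only show the notice 2 days after plugin activation */
 if ( ! get_user_meta($user_id, 'wp_subscribe_ignore_notice') && time() >= (get_option( 'wp_subscribe_activated', 0 ) + (2 * 24 * 60 * 60)) ) {
 echo '<div class="updated notice-info wp-subscribe-notice" id="wpsubscribe-notice" style="position:relative;">';
 // Translators: %s is "WP Subscribe Pro" as a link.
-echo '<p>' . sprintf( __('Like WP Subscribe plugin? You will LOVE %s!', 'wp-subscribe'), '<a target="_blank" href="https://mythemeshop.com/plugins/wp-subscribe-pro/?utm_source=WP+Subscribe&utm_medium=Notification+Link&utm_content=WP+Subscribe+Pro+LP&utm_campaign=WordPressOrg"><strong>WP Subscribe Pro</strong></a>' ) . '</p><a class="notice-dismiss wpsubscribe-dismiss-notice" data-ignore="0" href="#"></a>';
+echo '<p>' . sprintf( __('Like WP Subscribe plugin? You will LOVE %s!', 'wp-subscribe'), '<a target="_blank" href="https://mythemeshop.com/plugins/wp-subscribe-pro/?utm_source=WP+Subscribe&utm_medium=Notification+Link&utm_content=WP+Subscribe+Pro+LP&utm_campaign=WordPressOrg"><strong>WP Subscribe Pro</strong></a>' ) . '</p><a class="notice-dismiss wpsubscribe-dismiss-notice" data-ignore="0" data-nonce="' . $nonce . '" href="#"></a>';
 echo "</div>";
 }
 /* Other notice appears right after activating */
@@ -134,7 +135,7 @@ if( ! class_exists('MTS_WP_Subscribe') ) :
 echo '<p>';
 esc_html_e('Thank you for trying WP Subscribe. We hope you will like it.', 'wp-subscribe');
 echo '</p>';
-echo '<a class="notice-dismiss wpsubscribe-dismiss-notice" data-ignore="1" href="#"></a>';
+echo '<a class="notice-dismiss wpsubscribe-dismiss-notice" data-ignore="1" data-nonce="' . $nonce . '" href="#"></a>';
 echo "</div>";
 }
 }
@@ -142,14 +143,23 @@ if( ! class_exists('MTS_WP_Subscribe') ) :
 public function wp_subscribe_admin_notice_ignore() {
 global $current_user;
 $user_id = $current_user->ID;
-/* If user clicks to ignore the notice, add that to their user meta */
-if ( isset($_POST['dismiss']) ) {
-if ( '0' == $_POST['dismiss'] ) {
-add_user_meta($user_id, 'wp_subscribe_ignore_notice', '1', true);
-} elseif ( '1' == $_POST['dismiss'] ) {
-add_user_meta($user_id, 'wp_subscribe_ignore_notice_2', '1', true);
-}
+if ( ! isset( $_POST['dismiss'] ) || ! isset( $_POST['nonce'] ) ) {
+die( '0' );
 }
+
+if ( ! wp_verify_nonce( $_POST['nonce'], 'mts_dismiss_wpsubscribe_notice' ) ) {
+die( '0' );
+}
+
+if ( '0' == $_POST['dismiss'] ) {
+add_user_meta($user_id, 'wp_subscribe_ignore_notice', '1', true);
+die( '1' );
+} elseif ( '1' == $_POST['dismiss'] ) {
+add_user_meta($user_id, 'wp_subscribe_ignore_notice_2', '1', true);
+die( '1' );
+}
+
+die( '0' );
 }
 
 public function activate_plugin() {
@@ -199,8 +209,8 @@ if( ! class_exists('MTS_WP_Subscribe') ) :
 public function connect_aweber() {
 
 // check for data
-$aweber_code = isset( $_REQUEST['aweber_code'] ) ? $_REQUEST['aweber_code'] : array();
-if( empty( $aweber_code ) ) {
+$aweber_code = isset( $_REQUEST['aweber_code'] ) ? sanitize_textarea_field( $_REQUEST['aweber_code'] ) : '';
+if ( empty( $aweber_code ) ) {
 wp_send_json( array(
 'success' => false,
 'error' => esc_html__( 'No aweber authorization code found.', 'wp-subscribe' )
@@ -231,7 +241,7 @@ if( ! class_exists('MTS_WP_Subscribe') ) :
 public function validate_subscribe() {
 
 // check for data
-$data = isset( $_POST['wps_data'] ) ? $_POST['wps_data'] : array();
+$data = isset( $_POST['wps_data'] ) && is_array( $_POST['wps_data'] ) ? array_map( 'sanitize_text_field', $_POST['wps_data'] ) : array();
 if( empty( $data ) ) {
 wp_send_json( array(
 'success' => false,
@@ -240,14 +250,14 @@ if( ! class_exists('MTS_WP_Subscribe') ) :
 }
 
 // check for valid data
-if( empty( $data['email'] ) ) {
+if ( empty( $data['email'] ) ) {
 wp_send_json( array(
 'success' => false,
 'error' => esc_html__( 'No email address found.', 'wp-subscribe' )
 ) );
 }
 
-if( !filter_var( $data['email'], FILTER_VALIDATE_EMAIL ) ) {
+if ( ! filter_var( $data['email'], FILTER_VALIDATE_EMAIL ) ) {
 wp_send_json( array(
 'success' => false,
 'error' => esc_html__( 'Not a valid email address.', 'wp-subscribe' )
@@ -256,7 +266,7 @@ if( ! class_exists('MTS_WP_Subscribe') ) :
 
 // check for valid service
 $services = wps_get_mailing_services('options');
-if( !array_key_exists( $data['service'], $services ) ) {
+if ( empty( $data['service'] ) || ! array_key_exists( $data['service'], $services ) ) {
 wp_send_json( array(
 'success' => false,
 'error' => esc_html__( 'Unknown mailing service called.', 'wp-subscribe' )
@@ -268,16 +278,16 @@ if( ! class_exists('MTS_WP_Subscribe') ) :
 $service = wps_get_subscription_service( $data['service'] );
 $status = $service->subscribe( $data, $service->get_options( $data ) );
 
-wp_send_json(array(
+wp_send_json( array(
 'success' => true,
 'status' => $status['status']
-));
+) );
 }
 catch( Exception $e ) {
-wp_send_json(array(
+wp_send_json( array(
 'success' => false,
 'error' => $e->getMessage()
-));
+) );
 }
 }
 
@@ -288,8 +298,8 @@ if( ! class_exists('MTS_WP_Subscribe') ) :
 */
 public function get_service_list() {
 
-$name = $_REQUEST['service'];
-$args = $_REQUEST['args'];
+$name = isset( $_REQUEST['service'] ) ? sanitize_text_field( $_REQUEST['service'] ) : '';
+$args = isset( $_REQUEST['args'] ) ? array_map( 'sanitize_text_field', $_REQUEST['args'] ) : array();
 
 if( empty( $name ) || empty( $args ) ) {
 wp_send_json(array(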
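Review bot: In the last hunk, `get_service_list` passes `$_REQUEST['args']` straight to `array_map( 'sanitize_text_field', ... )` without the `is_array()` guard that `validate_subscribe` applies to `wps_data` in the same commit, so a scalar `args` parameter makes `array_map` throw a TypeError on PHP 8 (a warning and `null` on PHP 7) instead of reaching the `empty( $args )` JSON error path. The one-line fix mirrors the other handler: `$args = isset( $_REQUEST['args'] ) && is_array( $_REQUEST['args'] ) ? array_map( 'sanitize_text_field', $_REQUEST['args'] ) : array();`. In `wp_subscribe_admin_notice_ignore`, `$_POST['nonce']` and `$_POST['dismiss']` are still consumed raw; passing `sanitize_text_field( wp_unslash( $_POST['nonce'] ) )` to `wp_verify_nonce` and comparing `dismiss` with `===` against `'0'`/`'1'` would match the rest of the hardening. Each of these handlers continues past its hunk, so whether the AJAX endpoints also carry a capability check is not visible here.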