Analysis Report Folder Analysis cache/sureforms_2.2.0 → cache/sureforms_2.2.1 - CVE-2025-14855

Shared security patch analysis results

AI Used: claude_cli haiku
assets/build/entries.asset.php AI: No vulnerabilities
--- cache/sureforms_2.2.0/assets/build/entries.asset.php	2025-12-21 09:35:59.881094163 +0000+++ cache/sureforms_2.2.1/assets/build/entries.asset.php	2025-12-21 09:36:02.445253548 +0000@@ -1 +1 @@-<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-data', 'wp-dom-ready', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-url'), 'version' => '933d85de2a2b39ef4841');+<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-data', 'wp-dom-ready', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-url'), 'version' => '8e3f68a27359d4c004aa');
AI Analysis
Vulnerability Existed: no

No Vulnerabilities Detected - [N/A] - assets/build/entries.asset.php [1]

Old Code:
```php
<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-data', 'wp-dom-ready', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-url'), 'version' => '933d85de2a2b39ef4841');
```

Fixed Code:
```php
<?php return array('dependencies' => array('react', 'react-dom', 'wp-api-fetch', 'wp-data', 'wp-dom-ready', 'wp-editor', 'wp-element', 'wp-hooks', 'wp-i18n', 'wp-url'), 'version' => '8e3f68a27359d4c004aa');
```

Explanation:
This diff shows a routine update to a WordPress asset manifest file. The only change is the version hash, which has been updated from `933d85de2a2b39ef4841` to `8e3f68a27359d4c004aa`. This is a normal part of the build process and represents a cache-busting version update for the entries asset file. There are no security vulnerabilities introduced or fixed in this change. The dependencies list remains identical, and the code structure is unchanged.
CVE Analysis Results:
CVE-2025-14855: No
The SureForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form field parameters in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
inc/gutenberg-hooks.php AI: No vulnerabilities
--- cache/sureforms_2.2.0/inc/gutenberg-hooks.php	2025-12-21 09:35:59.969099633 +0000+++ cache/sureforms_2.2.1/inc/gutenberg-hooks.php	2025-12-21 09:36:02.533259018 +0000@@ -48,7 +48,7 @@ 		// Initializing hooks. 		add_action( 'enqueue_block_editor_assets', [ $this, 'form_editor_screen_assets' ] ); 		add_action( 'enqueue_block_editor_assets', [ $this, 'block_editor_assets' ] );-		add_filter( 'block_categories_all', [ $this, 'register_block_categories' ], 10, 1 );+		add_filter( 'block_categories_all', [ $this, 'register_block_categories' ], 10, 2 ); 		add_filter( 'allowed_block_types_all', [ $this, 'disable_forms_wrapper_block' ], 10, 2 ); 		add_action( 'save_post_sureforms_form', [ $this, 'update_field_slug' ], 10, 2 ); 		add_action( 'load-post.php', [ $this, 'maybe_migrate_form_stylings' ] );@@ -94,14 +94,16 @@ 	/** 	 * Register our custom block category. 	 *-	 * @param array<mixed> $categories Array of categories.+	 * @param array<mixed>             $categories Array of categories.+	 * @param \WP_Block_Editor_Context $block_editor_context The current block editor context. 	 * @return array<mixed> 	 * @since 0.0.1 	 */-	public function register_block_categories( $categories ) {-		$screen = get_current_screen();+	public function register_block_categories( $categories, $block_editor_context ) { -		if ( $screen && SRFM_FORMS_POST_TYPE === $screen->post_type ) {+		$post_type = $block_editor_context->post->post_type ?? '';++		if ( $post_type && SRFM_FORMS_POST_TYPE === $post_type ) { 			$title = esc_html__( 'General Fields', 'sureforms' ); 		} else { 			$title = esc_html__( 'SureForms', 'sureforms' );
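Review bot: the accepted-args change from 1 to 2 on the `add_filter( 'block_categories_all', ... )` line in the first hunk must ship together with the new two-parameter signature in the second hunk; with the count still at 1, WordPress would invoke `register_block_categories` with a single argument and PHP would raise an ArgumentCountError for the required `$block_editor_context` parameter. The count now matches the two arguments core passes to `block_categories_all`, so nothing further is needed on this line.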
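Review bot: `$block_editor_context->post->post_type ?? ''` handles a null `post` correctly (the null coalescing operator suppresses the property access on null), but the docblock in the second hunk still carries only `@since 0.0.1` with no note that the signature gained a parameter, and the `$post_type &&` guard is redundant because the strict comparison against the non-empty `SRFM_FORMS_POST_TYPE` constant (`'sureforms_form'`) already fails for an empty string. Consider adding a `@since` entry for the new parameter and dropping the extra guard; the blank line left behind where `$screen = get_current_screen();` was removed should also go.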
AI Analysis
Vulnerability Existed: no
[Incorrect Hook Parameter Count] - [N/A] - [inc/gutenberg-hooks.php] [Lines 51, 102]

Old Code:
```php
add_filter( 'block_categories_all', [ $this, 'register_block_categories' ], 10, 1 );
```

```php
public function register_block_categories( $categories ) {
    $screen = get_current_screen();

    if ( $screen && SRFM_FORMS_POST_TYPE === $screen->post_type ) {
```

Fixed Code:
```php
add_filter( 'block_categories_all', [ $this, 'register_block_categories' ], 10, 2 );
```

```php
public function register_block_categories( $categories, $block_editor_context ) {

    $post_type = $block_editor_context->post->post_type ?? '';

    if ( $post_type && SRFM_FORMS_POST_TYPE === $post_type ) {
```

Explanation:
This is not a security vulnerability fix, but rather a correctness and reliability improvement. The `block_categories_all` filter in WordPress passes 2 parameters to the callback function: `$categories` (array) and `$block_editor_context` (a `WP_Block_Editor_Context` object).

The original code declared only 1 accepted argument in the `add_filter()` call and accepted only `$categories` in the function signature, so WordPress never passed the second parameter. The code therefore had to rely on `get_current_screen()`, which is less reliable because it returns null when no admin screen has been set up for the request.

The fix properly declares 2 parameters in the filter hook and updates the function to accept both `$categories` and `$block_editor_context`. It then safely extracts the post type from the context object using the null coalescing operator (`??`), which is more robust than relying on the global screen state. This improves code reliability and maintainability, but does not address a security vulnerability per se.
CVE Analysis Results:
CVE-2025-14855: No
sureforms.php AI: No vulnerabilities
--- cache/sureforms_2.2.0/sureforms.php	2025-12-21 09:36:00.061105353 +0000+++ cache/sureforms_2.2.1/sureforms.php	2025-12-21 09:36:02.629264985 +0000@@ -7,7 +7,7 @@  * Requires PHP: 7.4  * Author: SureForms  * Author URI: https://sureforms.com/- * Version: 2.2.0+ * Version: 2.2.1  * License: GPLv2 or later  * Text Domain: sureforms  *@@ -25,7 +25,7 @@ define( 'SRFM_BASENAME', plugin_basename( SRFM_FILE ) ); define( 'SRFM_DIR', plugin_dir_path( SRFM_FILE ) ); define( 'SRFM_URL', plugins_url( '/', SRFM_FILE ) );-define( 'SRFM_VER', '2.2.0' );+define( 'SRFM_VER', '2.2.1' ); define( 'SRFM_SLUG', 'srfm' ); // ------ ADDITIONAL CONSTANTS ------- // define( 'SRFM_FORMS_POST_TYPE', 'sureforms_form' );
AI Analysis
Vulnerability Existed: no

No security vulnerabilities detected in this diff.

Explanation:
This diff contains only version number updates in the SureForms WordPress plugin:
- Line 10: Version number in plugin header updated from 2.2.0 to 2.2.1
- Line 28: SRFM_VER constant updated from '2.2.0' to '2.2.1'

These are purely metadata changes with no modifications to functional code, logic, or security-sensitive operations. Version bumps alone do not introduce or fix security vulnerabilities. Without access to the actual security fixes implemented in version 2.2.1 (which would be in other files not shown in this diff), no vulnerability analysis can be performed on this particular change.
CVE Analysis Results:
CVE-2025-14855: No