Shared security patch analysis results
AI Used: claude_cli haikuComprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.
--- cache/cubewp-framework_1.1.27/cube.php 2026-01-18 00:20:47.545240264 +0000+++ cache/cubewp-framework_1.1.28/cube.php 2026-01-18 00:20:56.217779093 +0000@@ -3,14 +3,15 @@ * Plugin Name: CubeWP Framework * Plugin URI: https://cubewp.com/ * Description: CubeWP is an end-to-end dynamic content framework for WordPress to help you save up to 90% of your coding time.-* Version: 1.1.27+* Version: 1.1.28 * Author: CubeWP * Author URI: https://cubewp.com * Text Domain: cubewp-framework * Domain Path: /languages/+* License: GPLv2 or later * @package Cubewp * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */-+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals // Exit if accessed directly. if ( !defined( 'ABSPATH' ) ) exit;
I'll analyze this code diff for security vulnerabilities. **Vulnerability Existed: no** **No Security Vulnerabilities Detected** **Explanation:** This diff contains only non-functional changes to the `cube.php` file header: 1. **Version bump** (1.1.27 → 1.1.28): Standard version update with no security implications. 2. **License header addition** (`License: GPLv2 or later`): Metadata addition with no security impact. 3. **phpcs directive addition** (`// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals`): This is a code style linter directive that temporarily disables a WordPress coding standard check. While this could theoretically mask naming convention violations, the directive itself doesn't introduce or fix a vulnerability—it's purely a linting control. The actual security posture depends on what violations exist in the code below this comment, which are not shown in the diff. 4. **Whitespace changes**: Removal of blank line is cosmetic only. None of these changes introduce security vulnerabilities, nor do they fix existing ones. This appears to be a routine maintenance release with version updates and documentation improvements.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-add-ons.php 2026-01-18 00:20:47.465235293 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-add-ons.php 2026-01-18 00:20:56.197777850 +0000@@ -55,23 +55,28 @@ $wp_version = $GLOBALS['wp_version']; if (version_compare($wp_version, '5.8', '<'))- $message[] = __('This CubeWP Add-on requires WordPress 4.0 or higher. Version detected:', 'cubewp-frontend') . ' ' . $wp_version;+ $message[] = __('This CubeWP Add-on requires WordPress 4.0 or higher. Version detected:', 'cubewp-framework') . ' ' . $wp_version; // PHP check $php_version = phpversion(); if (version_compare($php_version, '5.3', '<'))- $message[] = __('This CubeWP Add-on requires PHP 5.3 or higher. Version detected: ', 'cubewp-frontend') . ' ' . $php_version;+ $message[] = __('This CubeWP Add-on requires PHP 5.3 or higher. Version detected: ', 'cubewp-framework') . ' ' . $php_version; // SQL check $sql_version = $wpdb->db_version(); if (version_compare($sql_version, '5.0', '<'))- $message[] = __('This CubeWP Add-on requires SQL 5.0 or higher. Version detected: ', 'cubewp-frontend') . ' ' . $sql_version;+ $message[] = __('This CubeWP Add-on requires SQL 5.0 or higher. Version detected: ', 'cubewp-framework') . ' ' . $sql_version; // Not empty $message means there are issues if (! empty($message)) { $error_message = implode("\n", $message);- die(__('Sorry but your WordPress installation does not reach the minimum requirements for running this add-on. The following errors were given:', 'cubewp-frontend') . "\n" . $error_message);+ wp_die(+ esc_html__(+ 'Sorry but your WordPress installation does not reach the minimum requirements for running this add-on. The following errors were given:',+ 'cubewp-framework'+ ) . "\n" . esc_html( $error_message )+ ); } return $this->add_on_management($plugin);@@ -113,7 +118,7 @@ // If plugin is free if ($license_type == 'free') { CWP()->update_cubewp_options($slug . '_key', $key);- unlink($file);+ wp_delete_file($file); return; } @@ -129,31 +134,31 @@ $response = wp_remote_post($this->route, array('timeout' => 15, 'sslverify' => false, 'body' => $api_params)); // make sure the response came back okay if (is_wp_error($response)) {- die($file_is_not_valid);+ wp_die( esc_html( $file_is_not_valid ) ); } // decode the license data $response_data = json_decode(wp_remote_retrieve_body($response)); if (isset($response_data->license)) { if ('valid' != $response_data->license) {- die($lic_is_not_valid);+ wp_die( esc_html( $lic_is_not_valid ) ); } else { CWP()->update_cubewp_options($slug, $response_data); CWP()->update_cubewp_options($slug . '_key', $key); CWP()->update_cubewp_options($slug . '-status', $response_data->license); } } else {- die($lic_is_not_valid);+ wp_die( esc_html( $lic_is_not_valid ) ); }- unlink($file);+ wp_delete_file($file); } else { //file not good- die($need_fresh_file);+ wp_die( esc_html( $need_fresh_file ) ); } } } else { //Plugin not good- die($not_our_plugin);+ wp_die( esc_html( $not_our_plugin ) ); } } }@@ -310,7 +315,7 @@ if (file_exists($file)) { $key = file_get_contents($file); CWP()->update_cubewp_options($slug . '_key', $key);- unlink($file);+ wp_delete_file($file); return; } else { $key = isset($add_ons[$plugin]['key']) ? $add_ons[$plugin]['key'] : '';
I'll analyze this code diff for security fixes.
Vulnerability 1:
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-add-ons.php - Lines 58, 64, 70, 74-79
Old Code:
```php
$message[] = __('This CubeWP Add-on requires WordPress 4.0 or higher. Version detected:', 'cubewp-frontend') . ' ' . $wp_version;
$message[] = __('This CubeWP Add-on requires PHP 5.3 or higher. Version detected: ', 'cubewp-frontend') . ' ' . $php_version;
$message[] = __('This CubeWP Add-on requires SQL 5.0 or higher. Version detected: ', 'cubewp-frontend') . ' ' . $sql_version;
die(__('Sorry but your WordPress installation does not reach the minimum requirements for running this add-on. The following errors were given:', 'cubewp-frontend') . "\n" . $error_message);
```
Fixed Code:
```php
$message[] = __('This CubeWP Add-on requires WordPress 4.0 or higher. Version detected:', 'cubewp-framework') . ' ' . $wp_version;
$message[] = __('This CubeWP Add-on requires PHP 5.3 or higher. Version detected: ', 'cubewp-framework') . ' ' . $php_version;
$message[] = __('This CubeWP Add-on requires SQL 5.0 or higher. Version detected: ', 'cubewp-framework') . ' ' . $sql_version;
wp_die(
esc_html__(
'Sorry but your WordPress installation does not reach the minimum requirements for running this add-on. The following errors were given:',
'cubewp-framework'
) . "\n" . esc_html( $error_message )
);
```
Explanation: The old code concatenated unsanitized version strings directly into error messages that were then output via `die()`. The fixed code wraps the error message output in `esc_html()` to prevent XSS attacks. While version strings are unlikely to contain malicious content, proper output escaping is a security best practice to prevent injection attacks.
---
Vulnerability 2:
Vulnerability Existed: yes
TRUE POSITIVE
Improper Resource Handling - CWE-404 - cube/classes/class-cubewp-add-ons.php - Lines 121, 152, 318
Old Code:
```php
unlink($file);
```
Fixed Code:
```php
wp_delete_file($file);
```
Explanation: The old code used PHP's native `unlink()` function for file deletion. The fixed code uses WordPress's `wp_delete_file()` function, which provides better resource handling, proper error handling, and integrates with WordPress hooks and capabilities checks. This is more secure and maintainable within a WordPress context.
---
Vulnerability 3:
Vulnerability Existed: yes
FALSE POSITIVE
Information Disclosure - CWE-209 - cube/classes/class-cubewp-add-ons.php - Lines 137, 144, 147, 156, 160
Old Code:
```php
die($file_is_not_valid);
die($lic_is_not_valid);
die($not_our_plugin);
```
Fixed Code:
```php
wp_die( esc_html( $file_is_not_valid ) );
wp_die( esc_html( $lic_is_not_valid ) );
wp_die( esc_html( $not_our_plugin ) );
```
Explanation: The old code output error messages via `die()` without escaping. If these error variables contain user-controlled data or external input, they could be vulnerable to XSS attacks. Additionally, using `wp_die()` instead of `die()` is WordPress best practice as it allows for proper error handling, logging, and integration with WordPress's error display system. The `esc_html()` wrapper ensures any special characters are safely escaped.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-admin-enqueue.php 2026-01-18 00:20:47.465235293 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-admin-enqueue.php 2026-01-18 00:20:56.197777850 +0000@@ -1,4 +1,5 @@ <?php+ /** * CubeWp Admin Enqueue. *@@ -6,12 +7,13 @@ * @version 1.0 */ + // phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined( 'ABSPATH' ) ) { exit; } - /** * CubeWp_Admin_Enqueue */@@ -42,7 +44,7 @@ /** * Method get_registered_types_types *- * @return void+ * @return array * * @since 1.0.0 */ private static function get_registered_types_types() {@@ -79,7 +81,6 @@ } wp_reset_postdata();- wp_reset_query(); } return $group_fields_values;@@ -88,7 +89,7 @@ /** * Method get_cf_types_types *- * @return void+ * @return array * * @since 1.0.0 */ private static function get_cf_types_types() {@@ -101,7 +102,7 @@ /** * Method get_registered_taxonomies *- * @return void+ * @return array * * @since 1.0.0 */ private static function get_registered_taxonomies() {@@ -461,7 +462,10 @@ - echo apply_filters( 'admin/script/enqueue', '');+ $cubewp_admin_inline_output = apply_filters( 'admin/script/enqueue', '' );+ if ( ! empty( $cubewp_admin_inline_output ) ) {+ echo wp_kses_post( $cubewp_admin_inline_output );+ } }
Based on my analysis of the code diff between versions 1.1.27 and 1.1.28, here are the security-relevant changes:
---
**Vulnerability Existed: yes**
TRUE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-admin-enqueue.php - Lines 464-467**
**Old Code:**
```php
echo apply_filters( 'admin/script/enqueue', '');
```
**Fixed Code:**
```php
$cubewp_admin_inline_output = apply_filters( 'admin/script/enqueue', '' );
if ( ! empty( $cubewp_admin_inline_output ) ) {
echo wp_kses_post( $cubewp_admin_inline_output );
}
```
**Explanation:**
This is a valid security fix for an XSS vulnerability. The original code directly echoed the result of an `apply_filters()` call without sanitization. Filter callbacks could return malicious JavaScript or HTML that would be rendered in the page without escaping. The fix applies `wp_kses_post()`, a WordPress sanitization function that strips dangerous HTML/JavaScript while preserving safe markup (like `<a>`, `<strong>`, etc.). The added empty check is a best practice to prevent unnecessary function calls when the filtered value is empty.
---
**Additional Changes (Not Security Issues):**
- Added phpcs:disable comment (code quality, not a security fix)
- Removed redundant `wp_reset_query()` call (line 82 → removed at 83) - this is a best practice fix but not a security issue
- Updated docblock return types from `@return void` to `@return array` (documentation corrections, not security-related)
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-admin-notice.php 2026-01-18 00:20:47.465235293 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-admin-notice.php 2026-01-18 00:20:56.197777850 +0000@@ -79,7 +79,7 @@ $notice_ui .= '<p>' . cubewp_core_data( $this->message ) . '</p>'; $notice_ui .= '</div>'; - print( $notice_ui );+ echo wp_kses_post( $notice_ui ); } /**@@ -175,14 +175,16 @@ * @since 1.0.0 */ private static function cubewp_remove_notices_permanently() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if ( isset( $_GET['cubewp-remove-notice-permanently'] ) && ! empty( $_GET['cubewp-remove-notice-permanently'] ) ) { $permanently_removed_notices = get_option( 'permanently_removed_notices' ); $permanently_removed_notices = ! empty( $permanently_removed_notices ) && is_array( $permanently_removed_notices ) ? $permanently_removed_notices : array();- $permanently_removed_notices[] = sanitize_text_field( $_GET['cubewp-remove-notice-permanently'] );+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended */+ $permanently_removed_notices[] = sanitize_text_field( wp_unslash($_GET['cubewp-remove-notice-permanently'] )); update_option( 'permanently_removed_notices', $permanently_removed_notices ); $current_url = cubewp_get_current_url(); $current_url = remove_query_arg( 'cubewp-remove-notice-permanently', $current_url );- wp_redirect( esc_url( $current_url ) );+ wp_safe_redirect( $current_url ); exit; } }@@ -201,13 +203,24 @@ 'wordpress' => [ 'version' => CubeWp_Load::$wp_req_version, 'i18n' => [- 'requirements' => sprintf( __( 'CubeWP requires WordPress version %1$s or higher. You are using version %2$s. Please upgrade WordPress to use CubeWP.', 'cubewp-framework' ), CubeWp_Load::$wp_req_version, $GLOBALS['wp_version'] ),+ 'requirements' => sprintf(+ /* translators: 1: Required WordPress version, 2: Current WordPress version */+ __( 'CubeWP requires WordPress version %1$s or higher. You are using version %2$s. Please upgrade WordPress to use CubeWP.', 'cubewp-framework' ),+ CubeWp_Load::$wp_req_version,+ $GLOBALS['wp_version']+ ), ], ],- 'php' => [+ 'php' => [ 'version' => CubeWp_Load::$php_req_version, 'i18n' => [- 'requirements' => sprintf( __( 'CubeWP requires PHP version %1$s or higher. You are using version %2$s. Please <a href="%3$s">upgrade PHP</a> to use CubeWP.', 'cubewp-framework' ), CubeWp_Load::$php_req_version, PHP_VERSION, 'https://wordpress.org/support/upgrade-php/' ),+ 'requirements' => sprintf(+ /* translators: 1: Required PHP version, 2: Current PHP version, 3: URL to upgrade PHP */+ __( 'CubeWP requires PHP version %1$s or higher. You are using version %2$s. Please <a href="%3$s">upgrade PHP</a> to use CubeWP.', 'cubewp-framework' ),+ CubeWp_Load::$php_req_version,+ PHP_VERSION,+ 'https://wordpress.org/support/upgrade-php/'+ ), ], ], ];
Vulnerability Existed: yes
TRUE POSITIVE
[Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] - CWE-79 - cube/classes/class-cubewp-admin-notice.php [82]
Old Code:
```
print( $notice_ui );
```
Fixed Code:
```
echo wp_kses_post( $notice_ui );
```
Explanation:
The original code directly printed HTML content without sanitization, creating a stored XSS vulnerability. The `$notice_ui` variable contains user-controlled data (`$this->message`) that could contain malicious JavaScript. The fix applies `wp_kses_post()` which strips unsafe HTML tags and attributes while allowing safe markup, preventing XSS attacks.
---
Vulnerability Existed: yes
FALSE POSITIVE
[Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] - CWE-89 - cube/classes/class-cubewp-admin-notice.php [181]
Old Code:
```
$permanently_removed_notices[] = sanitize_text_field( $_GET['cubewp-remove-notice-permanently'] );
```
Fixed Code:
```
$permanently_removed_notices[] = sanitize_text_field( wp_unslash($_GET['cubewp-remove-notice-permanently'] ));
```
Explanation:
While `sanitize_text_field()` removes tags, it doesn't remove the WordPress magic quotes added by `wp_magic_quotes()`. The `wp_unslash()` function properly removes these quotes before sanitization. Without it, escaped slashes and quotes could be stored incorrectly in the database, potentially causing data corruption or bypassing intended security controls. This is a best-practice fix for handling `$_GET` data in WordPress.
---
Vulnerability Existed: yes
TRUE POSITIVE
[Improper Restriction of Rendered UI Layers or Frames] - CWE-1021 - cube/classes/class-cubewp-admin-notice.php [185]
Old Code:
```
wp_redirect( esc_url( $current_url ) );
```
Fixed Code:
```
wp_safe_redirect( $current_url );
```
Explanation:
The original code used `esc_url()` with `wp_redirect()`, which only escapes the URL for HTML context. `wp_safe_redirect()` is the proper WordPress function that validates the redirect target is local (not to an external domain) before redirecting, preventing open redirect vulnerabilities. `wp_safe_redirect()` handles URL escaping internally, so the URL should not be pre-escaped.
---
Vulnerability Existed: no
[N/A - Code Quality/Documentation] - N/A - cube/classes/class-cubewp-admin-notice.php [178-179, 203-224]
Old Code:
```
if ( isset( $_GET['cubewp-remove-notice-permanently'] ) && ! empty( $_GET['cubewp-remove-notice-permanently'] ) ) {
```
Fixed Code:
```
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
if ( isset( $_GET['cubewp-remove-notice-permanently'] ) && ! empty( $_GET['cubewp-remove-notice-permanently'] ) ) {
```
Explanation:
The phpcs comments added don't fix vulnerabilities but suppress PHPCS warnings about missing nonce verification. While missing nonce verification is technically a security concern (CWE-352: Cross-Site Request Forgery), the comment only suppresses the warning rather than implementing actual nonce verification. This is a code quality change rather than a security fix. True mitigation would require adding nonce verification with `wp_verify_nonce()`.
---
Vulnerability Existed: no
[N/A - Code Formatting] - N/A - cube/classes/class-cubewp-admin-notice.php [203-224]
Old Code:
```
'requirements' => sprintf( __( 'CubeWP requires WordPress version...', 'cubewp-framework' ), CubeWp_Load::$wp_req_version, $GLOBALS['wp_version'] ),
```
Fixed Code:
```
'requirements' => sprintf(
/* translators: 1: Required WordPress version, 2: Current WordPress version */
__( 'CubeWP requires WordPress version...', 'cubewp-framework' ),
CubeWp_Load::$wp_req_version,
$GLOBALS['wp_version']
),
```
Explanation:
These changes are code formatting and documentation improvements (adding translator comments for i18n). They do not address security vulnerabilities. The translator comments help translators understand parameter meaning but do not affect security posture.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-admin.php 2026-01-18 00:20:47.465235293 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-admin.php 2026-01-18 00:20:56.197777850 +0000@@ -98,13 +98,17 @@ */ public static function cubewp_get_builder_widgets() { - if ( ! wp_verify_nonce($_POST['security_nonce'], "cubewp-admin-nonce")) {+ if ( empty( $_POST['security_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security_nonce'] ) ), 'cubewp-admin-nonce' ) ) { wp_send_json_error(array( 'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'), ), 404); }- - $widgets_ui = self::cubewp_builder_widgets_display($_POST['nested_switcher'],$_POST['form_type'],$_POST['slug']);++ $nested_switcher = isset( $_POST['nested_switcher'] ) ? sanitize_text_field( wp_unslash( $_POST['nested_switcher'] ) ) : '';+ $form_type = isset( $_POST['form_type'] ) ? sanitize_text_field( wp_unslash( $_POST['form_type'] ) ) : '';+ $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';++ $widgets_ui = self::cubewp_builder_widgets_display( $nested_switcher, $form_type, $slug ); wp_send_json_success(array( 'sidebar' => $widgets_ui)); } @@ -117,14 +121,15 @@ * @since 1.0.0 */ public static function cubewp_process_post_card_css() {- if ( ! wp_verify_nonce($_POST['security_nonce'], "cubewp-admin-nonce")) {+ if ( empty( $_POST['security_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security_nonce'] ) ), 'cubewp-admin-nonce' ) ) { wp_send_json_error(array( 'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'), ), 404); }- if (isset($_POST['styles']) && is_string($_POST['styles'])) {-- $data = json_decode(stripslashes($_POST['styles']), true);+ if ( isset( $_POST['styles'] ) ) {+ /*phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized */+ $raw_styles = wp_unslash( $_POST['styles'] );+ $data = is_string( $raw_styles ) ? json_decode( $raw_styles, true ) : null; if (is_array($data)) { $cleaned_data = array_map(function($item) { // Remove surrounding quotes@@ -133,6 +138,8 @@ $item = str_replace('\n', "\n", $item); // Replace plus signs with spaces $item = str_replace('+', ' ', $item);+ // Sanitize each line as textarea content to avoid unsafe content+ $item = sanitize_textarea_field( $item ); return $item; }, $data); @@ -144,8 +151,8 @@ } $file_path = CUBEWP_POST_CARDS_DIR . '/cubewp-post-cards.css'; - if (!file_exists(dirname($file_path))) {- mkdir(dirname($file_path), 0755, true);+ if ( ! file_exists( dirname( $file_path ) ) ) {+ wp_mkdir_p( dirname( $file_path ) ); } if (file_put_contents($file_path, $css_code) !== false) {@@ -216,20 +223,20 @@ return null; } $modules = array(- 'custom-fields' => 'modules/',- 'theme-builder' => 'modules/',- 'post-types' => 'modules/',- 'users' => 'modules/',- 'search' => 'modules/',- 'settings' => 'modules/',- 'taxonomies' => 'modules/',- 'list-tables'=> 'modules/',- 'elementor' => 'modules/',- 'recaptcha' => 'modules/',- 'builder' => 'modules/',- - 'widgets' => 'includes/',- 'shortcodes' => 'includes/',+ 'custom-fields' => 'modules/',+ 'theme-builder' => 'modules/',+ 'post-types' => 'modules/',+ 'users' => 'modules/',+ 'search' => 'modules/',+ 'settings' => 'modules/',+ 'taxonomies' => 'modules/',+ 'list-tables' => 'modules/',+ 'elementor' => 'modules/',+ 'elementor/taxonomy'=> 'modules/',+ 'recaptcha' => 'modules/',+ 'builder' => 'modules/',+ 'widgets' => 'includes/',+ 'shortcodes' => 'includes/', ); foreach($modules as $module=>$path){ $file_name = $path.$module.'/class-' .str_replace('_', '-', strtolower($className)).'.php';@@ -240,7 +247,6 @@ } } - return; } @@ -315,12 +321,15 @@ $single_tags = array( "title" => esc_html__("Post Title", "cubewp-framework"), "post_content" => esc_html__("Post Content", "cubewp-framework"),+ "post_excerpt" => esc_html__("Post Excerpt", "cubewp-framework"), "featured_image" => esc_html__("Featured Image", "cubewp-framework"), "post_author" => esc_html__("Post Author", "cubewp-framework"), "post_info" => esc_html__("Post Info", "cubewp-framework"), "post_term" => esc_html__("Post Term", "cubewp-framework"), "post_share" => esc_html__("Post Share Button", "cubewp-framework"), "post_save" => esc_html__("Post Save Button", "cubewp-framework"),+ "post_url" => esc_html__("Post URL", "cubewp-framework"),+ "post_date" => esc_html__("Post Date", "cubewp-framework"), "custom_fields" => esc_html__("CubeWP Custom Fields", "cubewp-framework") ); foreach ( $single_tags as $tag => $label ) {@@ -329,31 +338,69 @@ $module->register( new $tag() ); } }++ $module->register_group( 'cubewp-taxonomy-fields', [+ 'title' => esc_html__( 'CubeWP Taxonomy Custom Fields', 'cubewp-framework' ),+ ] );+ $taxonomy_tags = array(+ "term_name" => esc_html__("Term Name", "cubewp-framework"),+ "term_url" => esc_html__("Term URL", "cubewp-framework"),+ "term_count" => esc_html__("Term Count", "cubewp-framework"),+ "term_description" => esc_html__("Term Description", "cubewp-framework"),+ "taxonomy_text" => esc_html__("Field Type (Text)", "cubewp-framework"),+ "taxonomy_textarea" => esc_html__("Field Type (Textarea)", "cubewp-framework"),+ "taxonomy_image" => esc_html__("Field Type (Image)", "cubewp-framework"),+ "taxonomy_color" => esc_html__("Field Type (Color)", "cubewp-framework"),+ "taxonomy_url" => esc_html__("Field Type (URL)", "cubewp-framework"),+ "taxonomy_gallery" => esc_html__("Field Type (Gallery)", "cubewp-framework"),+ "taxonomy_oembed" => esc_html__("Field Type (oEembed)", "cubewp-framework"),+ "taxonomy_google_address" => esc_html__("Field Type (Google Address)", "cubewp-framework"),+ );+ foreach ( $taxonomy_tags as $tag => $label ) {+ $tag = 'CubeWp_Tag_'.ucfirst($tag);+ if(class_exists($tag)){+ $module->register( new $tag() );+ }+ } } public function cubewp_updated_post_type_messages( $messages ) {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ global $post, $post_ID; $post_types = get_post_types( array( 'show_ui' => true, '_builtin' => false ), 'objects' ); foreach ( $post_types as $post_type => $post_object ) { $messages[ $post_type ] = array( 0 => '', // Unused. Messages start at index 1.- 1 => sprintf( __( '%s updated. <a href="%s">View %s</a>' ), $post_object->labels->singular_name, esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),- 2 => __( 'Custom field updated.' ),- 3 => __( 'Custom field deleted.' ),- 4 => sprintf( __( '%s updated.' ), $post_object->labels->singular_name ),- 5 => isset( $_GET['revision'] ) ? sprintf( __( '%s restored to revision from %s' ), $post_object->labels->singular_name, wp_post_revision_title( (int) $_GET['revision'], false ) ) : false,- 6 => sprintf( __( '%s published. <a href="%s">View %s</a>' ), $post_object->labels->singular_name, esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),- 7 => sprintf( __( '%s saved.' ), $post_object->labels->singular_name ),- 8 => sprintf( __( '%s submitted. <a target="_blank" href="%s">Preview %s</a>' ), $post_object->labels->singular_name, esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ), $post_object->labels->singular_name ),- 9 => sprintf( __( '%s scheduled for: <strong>%1$s</strong>. <a target="_blank" href="%2$s">Preview %s</a>' ), $post_object->labels->singular_name, date_i18n( __( 'M j, Y @ G:i' ), strtotime( $post->post_date ) ), esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),- 10 => sprintf( __( '%s draft updated. <a target="_blank" href="%s">Preview %s</a>' ), $post_object->labels->singular_name, esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ), $post_object->labels->singular_name ),+ /* translators: 1: Post type singular name, 2: URL to view, 3: Post type singular name */+ 1 => sprintf( __( '%1$s updated. <a href="%2$s">View %3$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),+ 2 => __( 'Custom field updated.', 'cubewp-framework' ),+ 3 => __( 'Custom field deleted.', 'cubewp-framework' ),+ /* translators: 1: Post type singular name */+ 4 => sprintf( __( '%1$s updated.', 'cubewp-framework' ), $post_object->labels->singular_name ),+ /* translators: 1: Post type singular name, 2: Revision title*/+ 5 => isset( $_GET['revision'] ) ? sprintf( __( '%1$s restored to revision from %2$s', 'cubewp-framework' ), $post_object->labels->singular_name, wp_post_revision_title( (int) sanitize_text_field(wp_unslash($_GET['revision'])), false ) ) : false,/* phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. WordPress.Security.NonceVerification.Missing -- Back-compat: legacy admin form may not include a nonce. */+ /* translators: 1: Post type singular name, 2: URL to view, 3: Post type singular name */+ 6 => sprintf( __( '%1$s published. <a href="%2$s">View %3$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),+ /* translators: 1: Post type singular name */+ 7 => sprintf( __( '%1$s saved.', 'cubewp-framework' ), $post_object->labels->singular_name ),+ /* translators: 1: Post type singular name, 2: URL to preview, 3: Post type singular name */+ 8 => sprintf( __( '%1$s submitted. <a target="_blank" href="%2$s">Preview %3$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ), $post_object->labels->singular_name ),+ /* translators: 1: Post type singular name, 2: Scheduled date, 3: URL to preview, 4: Post type singular name */+ 9 => sprintf( __( '%1$s scheduled for: <strong>%2$s</strong>. <a target="_blank" href="%3$s">Preview %4$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, date_i18n( __( 'M j, Y @ G:i', 'cubewp-framework' ), strtotime( $post->post_date ) ), esc_url( get_permalink( $post_ID ) ), $post_object->labels->singular_name ),+ /* translators: 1: Post type singular name, 2: URL to preview, 3: Post type singular name */+ 10 => sprintf( __( '%1$s draft updated. <a target="_blank" href="%2$s">Preview %3$s</a>', 'cubewp-framework' ), $post_object->labels->singular_name, esc_url( add_query_arg( 'preview', 'true', get_permalink( $post_ID ) ) ), $post_object->labels->singular_name ), ); if ($post_type == 'price_plan') {- $messages[ $post_type ][1] = sprintf( __( '%s updated.' ), $post_object->labels->singular_name );- $messages[ $post_type ][6] = sprintf( __( '%s published.' ), $post_object->labels->singular_name );- $messages[ $post_type ][8] = sprintf( __( '%s submitted.' ), $post_object->labels->singular_name );- $messages[ $post_type ][9] = sprintf( __( '%s scheduled for: <strong>%1$s</strong>.' ), $post_object->labels->singular_name, date_i18n( __( 'M j, Y @ G:i' ), strtotime( $post->post_date ) ) );- $messages[ $post_type ][10] = sprintf( __( '%s draft updated.' ), $post_object->labels->singular_name );+ /* translators: 1: Post type singular name */+ $messages[ $post_type ][1] = sprintf( __( '%1$s updated.', 'cubewp-framework' ), $post_object->labels->singular_name );+ /* translators: 1: Post type singular name */+ $messages[ $post_type ][6] = sprintf( __( '%1$s published.', 'cubewp-framework' ), $post_object->labels->singular_name );+ /* translators: 1: Post type singular name */+ $messages[ $post_type ][8] = sprintf( __( '%1$s submitted.', 'cubewp-framework' ), $post_object->labels->singular_name );+ /* translators: 1: Post type singular name, 2: Scheduled date */+ $messages[ $post_type ][9] = sprintf( __( '%1$s scheduled for: <strong>%2$s</strong>.', 'cubewp-framework' ), $post_object->labels->singular_name, date_i18n( __( 'M j, Y @ G:i', 'cubewp-framework' ), strtotime( $post->post_date ) ) );+ /* translators: 1: Post type singular name */+ $messages[ $post_type ][10] = sprintf( __( '%1$s draft updated.', 'cubewp-framework' ), $post_object->labels->singular_name ); } } @@ -684,6 +731,7 @@ register_post_status( 'inactive', array( 'label' => _x( 'Inactive ', 'Inactive', 'cubewp-framework' ), 'public' => true,+ /* translators: %s: number of posts. */ 'label_count' => _n_noop( 'Inactive s <span class="count">(%s)</span>', 'Inactive s <span class="count">(%s)</span>', 'cubewp-framework' ), 'post_type' => array( 'cubewp-tb'), 'show_in_admin_all_list' => true,
Now I'll provide the security analysis of the diff as requested:
---
## Security Analysis Results
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
**Improper Input Validation - CWE-20 - cube/classes/class-cubewp-admin.php - Lines 101-107**
Old Code:
```php
if ( ! wp_verify_nonce($_POST['security_nonce'], "cubewp-admin-nonce")) {
wp_send_json_error(array(
'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'),
), 404);
}
$widgets_ui = self::cubewp_builder_widgets_display($_POST['nested_switcher'],$_POST['form_type'],$_POST['slug']);
```
Fixed Code:
```php
if ( empty( $_POST['security_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security_nonce'] ) ), 'cubewp-admin-nonce' ) ) {
wp_send_json_error(array(
'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'),
), 404);
}
$nested_switcher = isset( $_POST['nested_switcher'] ) ? sanitize_text_field( wp_unslash( $_POST['nested_switcher'] ) ) : '';
$form_type = isset( $_POST['form_type'] ) ? sanitize_text_field( wp_unslash( $_POST['form_type'] ) ) : '';
$slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
$widgets_ui = self::cubewp_builder_widgets_display( $nested_switcher, $form_type, $slug );
```
Explanation: The original code directly accessed $_POST superglobal variables without sanitization or validation. The fix adds proper input validation by: (1) checking if the nonce exists before verification, (2) sanitizing the nonce input with sanitize_text_field() and wp_unslash(), (3) properly checking if POST variables exist with isset(), and (4) sanitizing each POST variable with appropriate functions (sanitize_text_field for strings, sanitize_key for slugs) before passing to functions.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
**Improper Input Validation - CWE-20 - cube/classes/class-cubewp-admin.php - Lines 124-138**
Old Code:
```php
if ( ! wp_verify_nonce($_POST['security_nonce'], "cubewp-admin-nonce")) {
wp_send_json_error(array(
'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'),
), 404);
}
if (isset($_POST['styles']) && is_string($_POST['styles'])) {
$data = json_decode(stripslashes($_POST['styles']), true);
```
Fixed Code:
```php
if ( empty( $_POST['security_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['security_nonce'] ) ), 'cubewp-admin-nonce' ) ) {
wp_send_json_error(array(
'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'),
), 404);
}
if ( isset( $_POST['styles'] ) ) {
/*phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized */
$raw_styles = wp_unslash( $_POST['styles'] );
$data = is_string( $raw_styles ) ? json_decode( $raw_styles, true ) : null;
```
Explanation: The original code used stripslashes() which is deprecated and inconsistent with WordPress security standards. The fix uses wp_unslash() instead, which is the WordPress-standard way to handle magic quotes. The check is also improved by testing if the data is a string after unslashing rather than before. Additionally, a phpcs comment indicates the team is intentionally handling this with special care for JSON payload validation.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
**Missing Input Sanitization - CWE-400 - cube/classes/class-cubewp-admin.php - Lines 137-140**
Old Code:
```php
$data = json_decode(stripslashes($_POST['styles']), true);
if (is_array($data)) {
$cleaned_data = array_map(function($item) {
// Remove surrounding quotes
$item = str_replace('"', '', $item);
$item = str_replace('\n', "\n", $item);
// Replace plus signs with spaces
$item = str_replace('+', ' ', $item);
return $item;
```
Fixed Code:
```php
$data = is_string( $raw_styles ) ? json_decode( $raw_styles, true ) : null;
if (is_array($data)) {
$cleaned_data = array_map(function($item) {
// Remove surrounding quotes
$item = str_replace('"', '', $item);
$item = str_replace('\n', "\n", $item);
// Replace plus signs with spaces
$item = str_replace('+', ' ', $item);
// Sanitize each line as textarea content to avoid unsafe content
$item = sanitize_textarea_field( $item );
return $item;
```
Explanation: The original code performed string replacements on JSON-decoded CSS data without proper sanitization. This could allow unsafe content to reach the CSS file. The fix adds sanitize_textarea_field() to each item, ensuring that any potentially unsafe content is properly escaped before being written to the CSS file.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
**Improper Resource Validation - CWE-434 - cube/classes/class-cubewp-admin.php - Lines 154-157**
Old Code:
```php
if (!file_exists(dirname($file_path))) {
mkdir(dirname($file_path), 0755, true);
}
```
Fixed Code:
```php
if ( ! file_exists( dirname( $file_path ) ) ) {
wp_mkdir_p( dirname( $file_path ) );
}
```
Explanation: The original code uses PHP's native mkdir() function with world-readable permissions (0755). The fix uses WordPress's wp_mkdir_p() function, which properly handles directory creation with appropriate WordPress context, including proper permission handling and logging. This prevents potential privilege escalation or insecure directory permissions.
---
**Vulnerability 5:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Input Validation - CWE-20 - cube/classes/class-cubewp-admin.php - Lines 361-362**
Old Code:
```php
5 => isset( $_GET['revision'] ) ? sprintf( __( '%s restored to revision from %s' ), $post_object->labels->singular_name, wp_post_revision_title( (int) $_GET['revision'], false ) ) : false,
```
Fixed Code:
```php
5 => isset( $_GET['revision'] ) ? sprintf( __( '%1$s restored to revision from %2$s', 'cubewp-framework' ), $post_object->labels->singular_name, wp_post_revision_title( (int) sanitize_text_field(wp_unslash($_GET['revision'])), false ) ) : false,/* phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. WordPress.Security.NonceVerification.Missing -- Back-compat: legacy admin form may not include a nonce. */
```
Explanation: The original code cast $_GET['revision'] to integer without sanitization, which could be unsafe. While the cast to (int) provides some protection, the fix adds explicit sanitization with sanitize_text_field(wp_unslash($_GET['revision'])) before casting, making the intention explicit and following WordPress security standards. The phpcs comment indicates the team acknowledges this is read-only usage without state changes.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-builder-pro.php 2026-01-18 00:20:47.469235541 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-builder-pro.php 2026-01-18 00:20:56.197777850 +0000@@ -57,18 +57,18 @@ $background_image_src = CWP_PLUGIN_URI.'cube/assets/admin/images/user-dashboard-screen.png'; } echo'<div id="cubewp-title-bar">- <h1>'.$page_header.'</h1>+ <h1>'.esc_html($page_header).'</h1> </div> <div class="cubewp-subscription-frame">- <img class="cubewp-subscription-frame-bg" src="'.$background_image_src.'" alt="">+ <img class="cubewp-subscription-frame-bg" src="'.esc_url($background_image_src).'" alt=""> <div class="cubewp-subscription-main"> <div class="cubewp-subscription-form">- <div class="cube-subscription-header" style="background-image: url('.CWP_PLUGIN_URI.'cube/assets/admin/images/[email protected])">- <img class="subscription-header-super" src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/wp-super.png" alt="image">+ <div class="cube-subscription-header" style="background-image: url('.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/addon-pop-header-2x.png').')">+ <img class="subscription-header-super" src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/wp-super.png').'" alt="image"> </div> <div class="cubewp-subscription-contant"> <div class="cubewp-subscription-logo">- <img src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/cube-logo.svg" alt="">+ <img src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/cube-logo.svg').'" alt=""> </div> <div class="cube-popup-title"> <h2>Unlock (8) Super Powerful Frontend Builders</h2>@@ -93,7 +93,7 @@ <span class="cube-award-option">Create Your Own Test Sandbox Powered by</span> </div> <div class="cubewp-logo">- <img src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/demowp.png" alt="">+ <img src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/demowp.png').'" alt=""> </div> </div> </div>
I'll analyze this code diff for security fixes.
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-builder-pro.php [60]
Old Code:
```
<h1>'.$page_header.'</h1>
```
Fixed Code:
```
<h1>'.esc_html($page_header).'</h1>
```
Explanation:
The `$page_header` variable is directly echoed into HTML without sanitization. An attacker could inject malicious JavaScript through this variable. The fix applies `esc_html()` to escape HTML entities and prevent XSS attacks.
---
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-builder-pro.php [63]
Old Code:
```
<img class="cubewp-subscription-frame-bg" src="'.$background_image_src.'" alt="">
```
Fixed Code:
```
<img class="cubewp-subscription-frame-bg" src="'.esc_url($background_image_src).'" alt="">
```
Explanation:
The `$background_image_src` variable is used directly in the `src` attribute without sanitization. Malicious URLs could be injected. The fix applies `esc_url()` to sanitize URLs and prevent XSS attacks via the `src` attribute.
---
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-builder-pro.php [66-67]
Old Code:
```
<div class="cube-subscription-header" style="background-image: url('.CWP_PLUGIN_URI.'cube/assets/admin/images/[email protected])">
<img class="subscription-header-super" src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/wp-super.png" alt="image">
```
Fixed Code:
```
<div class="cube-subscription-header" style="background-image: url('.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/addon-pop-header-2x.png').')">
<img class="subscription-header-super" src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/wp-super.png').'" alt="image">
```
Explanation:
While `CWP_PLUGIN_URI` is a constant and less risky, applying `esc_url()` to URLs in attributes and CSS properties ensures defense-in-depth. This prevents potential vulnerabilities if the constant could be tampered with or if the code structure changes. Note: The filename also changed from `[email protected]` to `addon-pop-header-2x.png`.
---
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-builder-pro.php [71]
Old Code:
```
<img src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/cube-logo.svg" alt="">
```
Fixed Code:
```
<img src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/cube-logo.svg').'" alt="">
```
Explanation:
Same as above—URLs in `src` attributes should be sanitized with `esc_url()` to prevent XSS attacks, even when using plugin constants.
---
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-builder-pro.php [96]
Old Code:
```
<img src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/demowp.png" alt="">
```
Fixed Code:
```
<img src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/demowp.png').'" alt="">
```
Explanation:
Same XSS vulnerability pattern—unsanitized URL in `src` attribute. The fix applies `esc_url()` for proper sanitization.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-builder-ui.php 2026-01-18 00:20:47.469235541 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-builder-ui.php 2026-01-18 00:20:56.197777850 +0000@@ -152,7 +152,7 @@ $groups = cwp_get_groups_by_post_type($post_type); if (isset($groups) && !empty($groups) && count($groups) > 0) { foreach ($groups as $group) {- $widgets_ui .= '<div id="group-' . rand(000000, 999999) . '" class="cubewp-builder-section cubewp-expand-container">';+ $widgets_ui .= '<div id="group-' . wp_rand(000000, 999999) . '" class="cubewp-builder-section cubewp-expand-container">'; $widgets_ui .= '<div class="cubewp-builder-section-header">'; $widgets_ui .= '<h3>' . esc_html(get_the_title($group)) . '</h3>'; $widgets_ui .= '<a href="https://cubewp.com/cubewp-frontend-pro/" target="_blank"><span class="cubewp-pro-tag">' . esc_html__("PRO", "cubewp-framework") . '</span></a>';@@ -403,7 +403,7 @@ $options = self::$tab_options; if (isset($options) && count($options) > 0) { foreach ($options as $slug => $option) {- $output .= '<div id="type-' . esc_attr__($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr__($slug) . ' cubewp-tab-switcher-target">';+ $output .= '<div id="type-' . esc_attr($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr($slug) . ' cubewp-tab-switcher-target">'; if (! $option["switcher"]) { $output .= self::cubewp_builder_area_content($slug, $data); } else {@@ -412,7 +412,7 @@ foreach ($switcher["options"] as $id => $val) { $data['content_switcher'] = $id; $data_type = self::cubewp_check_switcher_type($id);- $output .= '<div id="plan-' . esc_attr__($id) . '" class="cubewp-plan-tab cubewp-switcher-tab-' . esc_attr__($id) . ' cubewp-tab-switcher-target" data-id="' . esc_attr__($id) . '" ' . $data_type . '>';+ $output .= '<div id="plan-' . esc_attr($id) . '" class="cubewp-plan-tab cubewp-switcher-tab-' . esc_attr($id) . ' cubewp-tab-switcher-target" data-id="' . esc_attr($id) . '" ' . $data_type . '>'; $output .= self::cubewp_builder_area_content($slug, $data); $output .= '</div>'; }@@ -532,7 +532,7 @@ $options = self::$tab_options; if (isset($options) && count($options) > 0) { foreach ($options as $slug => $option) {- $output .= '<div id="type-' . esc_attr__($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr__($slug) . ' cubewp-tab-switcher-target">';+ $output .= '<div id="type-' . esc_attr($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr($slug) . ' cubewp-tab-switcher-target">'; $output .= self::cubewp_builder_area_content($slug, $data); $output .= '</div>'; }
Vulnerability Existed: yes FALSE POSITIVE [CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)] - [CWE-338] - [cube/classes/class-cubewp-builder-ui.php] [Line 155] [Old Code] $widgets_ui .= '<div id="group-' . rand(000000, 999999) . '" class="cubewp-builder-section cubewp-expand-container">'; [Fixed Code] $widgets_ui .= '<div id="group-' . wp_rand(000000, 999999) . '" class="cubewp-builder-section cubewp-expand-container">'; Explanation: The `rand()` function is a weak PRNG and should not be used for generating IDs that could be predictable. The fix replaces it with `wp_rand()`, which is WordPress's recommended random number generator that uses better entropy sources. While this is primarily an ID generation context (lower severity than cryptographic use), using weak RNG can still lead to predictable element IDs, which could facilitate certain attack vectors. --- Vulnerability Existed: yes TRUE POSITIVE [CWE-116: Improper Encoding or Escaping of Output] - [CWE-116] - [cube/classes/class-cubewp-builder-ui.php] [Lines 406, 415, 535] [Old Code] $output .= '<div id="type-' . esc_attr__($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr__($slug) . ' cubewp-tab-switcher-target">'; $output .= '<div id="plan-' . esc_attr__($id) . '" class="cubewp-plan-tab cubewp-switcher-tab-' . esc_attr__($id) . ' cubewp-tab-switcher-target" data-id="' . esc_attr__($id) . '" ' . $data_type . '>'; [Fixed Code] $output .= '<div id="type-' . esc_attr($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr($slug) . ' cubewp-tab-switcher-target">'; $output .= '<div id="plan-' . esc_attr($id) . '" class="cubewp-plan-tab cubewp-switcher-tab-' . esc_attr($id) . ' cubewp-tab-switcher-target" data-id="' . esc_attr($id) . '" ' . $data_type . '>'; Explanation: The `esc_attr__()` function is used for both escaping AND translation, but when the variable is not a translatable string literal, using `esc_attr__()` is incorrect and may not properly escape the output. The fix uses `esc_attr()` instead, which is the proper function for escaping HTML attributes without translation. This prevents potential XSS vulnerabilities if malicious data enters these variables.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-elementor.php 2026-01-18 00:20:47.469235541 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-elementor.php 2026-01-18 00:20:56.197777850 +0000@@ -162,7 +162,8 @@ if (class_exists($class)) { $widgets_manager->register(new $class()); }else {- wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), $class));+ /* translators: %s: class name. */+ wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), esc_html($class))); } } }
Vulnerability Existed: yes
FALSE POSITIVE
[Cross-Site Scripting (XSS)] - [CWE-79] - [cube/classes/class-cubewp-elementor.php] [Lines 165-166]
Old Code:
```php
wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), $class));
```
Fixed Code:
```php
/* translators: %s: class name. */
wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), esc_html($class)));
```
Explanation:
The vulnerability existed because `$class` was being passed directly into `sprintf()` without sanitization, even though the format string itself was escaped with `esc_html__()`. The `esc_html__()` function only escapes the translatable string template, not the variable substituted into it via `sprintf()`. If `$class` contained user-controlled or untrusted data with HTML/JavaScript, it could execute arbitrary scripts in the admin context. The fix properly escapes the `$class` variable using `esc_html()` before it's inserted into the message, preventing XSS attacks. The added translator comment also improves localization clarity.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-enqueue.php 2026-01-18 00:20:47.469235541 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-enqueue.php 2026-01-18 00:20:56.197777850 +0000@@ -6,6 +6,8 @@ * @package cubewp/cube/classes */ +// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined( 'ABSPATH' ) ) { exit; }@@ -80,7 +82,10 @@ } } - echo apply_filters( 'frontend/script/enqueue', '' );+ $cubewp_front_inline = apply_filters( 'frontend/script/enqueue', '' );+ if ( ! empty( $cubewp_front_inline ) ) {+ echo wp_kses_post( $cubewp_front_inline );+ } self::cubewp_enqueue_settings_css_js(); }@@ -359,9 +364,10 @@ global $cwpOptions; $cwpOptions = ! empty( $cwpOptions ) && is_array( $cwpOptions ) ? $cwpOptions : get_option( 'cwpOptions' ); $cubewp_css = isset( $cwpOptions['cubewp-css'] ) && ! empty( $cwpOptions['cubewp-css'] ) ? $cwpOptions['cubewp-css'] : '';- echo '<style type="text/css">- ' . $cubewp_css . '- </style>';+ if ( ! empty( $cubewp_css ) ) {+ // Attach custom CSS inline to a known handle to avoid raw echo.+ wp_add_inline_style( 'cwp-styles', $cubewp_css );+ } } ); add_action( 'wp_footer', function(){@@ -369,9 +375,10 @@ $cwpOptions = ! empty( $cwpOptions ) && is_array( $cwpOptions ) ? $cwpOptions : get_option( 'cwpOptions' ); $cubewp_js = isset( $cwpOptions['cubewp-js'] ) && ! empty( $cwpOptions['cubewp-js'] ) ? $cwpOptions['cubewp-js'] : ''; wp_enqueue_script( 'jquery' );- echo '<script type="text/javascript">- ' . $cubewp_js . '- </script>';+ if ( ! empty( $cubewp_js ) ) {+ // Attach custom JS inline to jQuery handle to avoid raw echo.+ wp_add_inline_script( 'jquery', $cubewp_js );+ } } ); } }
Vulnerability Existed: yes
TRUE POSITIVE
[Cross-Site Scripting (XSS)] - [CWE-79] - [cube/classes/class-cubewp-enqueue.php] [Lines 83-86]
[Old Code]
echo apply_filters( 'frontend/script/enqueue', '' );
[Fixed Code]
$cubewp_front_inline = apply_filters( 'frontend/script/enqueue', '' );
if ( ! empty( $cubewp_front_inline ) ) {
echo wp_kses_post( $cubewp_front_inline );
}
Explanation:
The original code directly echoed the output of an apply_filters() call without any sanitization. While filters can be used to modify content, untrusted data passed through filters could contain malicious JavaScript. The fix stores the filtered output in a variable, checks if it's non-empty, and then outputs it using wp_kses_post(), which sanitizes the content to prevent XSS attacks by stripping dangerous HTML and JavaScript tags.
---
Vulnerability Existed: yes
TRUE POSITIVE
[Cross-Site Scripting (XSS)] - [CWE-79] - [cube/classes/class-cubewp-enqueue.php] [Lines 362-365]
[Old Code]
echo '<style type="text/css">
' . $cubewp_css . '
</style>';
[Fixed Code]
if ( ! empty( $cubewp_css ) ) {
// Attach custom CSS inline to a known handle to avoid raw echo.
wp_add_inline_style( 'cwp-styles', $cubewp_css );
}
Explanation:
The original code directly echoed CSS content retrieved from the database ($cubewp_css) without sanitization. While this is stored user/admin data, concatenating it directly into a style tag without proper escaping or validation could allow CSS injection attacks. The fix uses WordPress's wp_add_inline_style() function, which properly handles inline CSS attachment to registered stylesheets, providing better encapsulation and reducing injection vectors.
---
Vulnerability Existed: yes
TRUE POSITIVE
[Cross-Site Scripting (XSS)] - [CWE-79] - [cube/classes/class-cubewp-enqueue.php] [Lines 372-375]
[Old Code]
echo '<script type="text/javascript">
' . $cubewp_js . '
</script>';
[Fixed Code]
if ( ! empty( $cubewp_js ) ) {
// Attach custom JS inline to jQuery handle to avoid raw echo.
wp_add_inline_script( 'jquery', $cubewp_js );
}
Explanation:
The original code directly echoed JavaScript content from the database without sanitization. This is a high-risk vulnerability as arbitrary JavaScript can be executed in user browsers, leading to complete compromise. The fix uses WordPress's wp_add_inline_script() function, which properly enqueues inline scripts with proper context management and reduces the attack surface compared to raw echo statements.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-export.php 2026-01-18 00:20:47.469235541 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-export.php 2026-01-18 00:20:56.197777850 +0000@@ -67,7 +67,7 @@ <form class="export-form" method="post" action=""> <input type="hidden" name="action" value="cwp_export_data"> <input type="hidden" name="cwp_export_type" value="all">- <input type="hidden" name="cwp_export_nonce" value="<?php echo wp_create_nonce( 'cwp_export_data_nonce' ); ?>">+ <input type="hidden" name="cwp_export_nonce" value="<?php echo esc_attr( wp_create_nonce( 'cwp_export_data_nonce' ) ); ?>"> <div class="cubewp-import-box-container"> <div class="cubewp-import-box"> <div class="cubewp-import-card">@@ -207,15 +207,15 @@ wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework') ) ); wp_die(); }- if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce') ) {+ if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce') ) { wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework') ) ); wp_die(); }- if(isset($_POST['export']) && $_POST['export'] == 'success'){+ if(isset($_POST['export']) && sanitize_text_field(wp_unslash($_POST['export'])) == 'success'){ $buffer = self::cwp_custom_fields_posts('cwp_user_fields'); $files = self::cwp_file_names(); if (self::cwp_file_force_contents($files['cwp_user_groups'], $buffer)) {- $download_now = isset( $_POST['download_now'] ) ? sanitize_text_field( $_POST['download_now'] ) : 'true';+ $download_now = isset( $_POST['download_now'] ) ? sanitize_text_field( wp_unslash( $_POST['download_now'] ) ) : 'true'; if ( $download_now != 'false' ) { self::cwp_create_zip_file(); }@@ -238,11 +238,11 @@ wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework') ) ); wp_die(); }- if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce') ) {+ if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce') ) { wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework') ) ); wp_die(); }- if(isset($_POST['export']) && $_POST['export'] == 'success'){+ if(isset($_POST['export']) && sanitize_text_field(wp_unslash($_POST['export'])) == 'success'){ $buffer = self::cwp_custom_fields_posts('cwp_forms'); $files = self::cwp_file_names(); if (self::cwp_file_force_contents($files['cwp_custom_forms'], $buffer)) {@@ -272,7 +272,7 @@ wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework') ) ); wp_die(); }- if ( !isset($_POST['cwp_export_nonce']) || !wp_verify_nonce($_POST['cwp_export_nonce'], 'cwp_export_data_nonce') ) {+ if ( !isset($_POST['cwp_export_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_export_nonce'])), 'cwp_export_data_nonce') ) { wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework') ) ); wp_die(); }@@ -285,6 +285,7 @@ )); } else { $export_content = array();+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized */ foreach ($_POST['cwp_export_content_type'] as $content_type) { switch ($content_type) { case 'post_types':@@ -398,11 +399,11 @@ $post_cards_dir = $upload_dir['basedir'] . '/cubewp-post-cards'; if (!is_dir($export_path)) {- mkdir($export_path, 0755, true); // Ensure export directory exists+ wp_mkdir_p( $export_path ); } if (file_exists($export_path . $DelFilePath)) {- unlink($export_path . $DelFilePath);+ wp_delete_file($export_path . $DelFilePath); } if ($zip->open($export_path . $DelFilePath, ZIPARCHIVE::CREATE) !== TRUE) {@@ -414,8 +415,8 @@ $zip->addFile($files['cwp_post_groups'], 'cwp_post_groups.json'); $zip->addFile($files['cwp_user_groups'], 'cwp_user_groups.json'); $zip->addFile($files['cwp_custom_forms'], 'cwp_custom_forms.json');-- $export_post_cards = isset($_POST['export_post_cards']) ? sanitize_text_field($_POST['export_post_cards']) : 'false';+ /*phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $export_post_cards = isset($_POST['export_post_cards']) ? sanitize_text_field(wp_unslash($_POST['export_post_cards'])) : 'false'; // Add "cubewp-post-cards" to the zip archive if ($export_post_cards == 'true' && is_dir($post_cards_dir)) { $this->add_post_cards_folder_to_zip($post_cards_dir, $zip, 'cubewp-post-cards');@@ -425,10 +426,10 @@ $zip->close(); // Cleanup temporary files- unlink($files['setup_file']);- unlink($files['cwp_post_groups']);- unlink($files['cwp_user_groups']);- unlink($files['cwp_custom_forms']);+ wp_delete_file($files['setup_file']);+ wp_delete_file($files['cwp_post_groups']);+ wp_delete_file($files['cwp_user_groups']);+ wp_delete_file($files['cwp_custom_forms']); } /**@@ -464,11 +465,11 @@ * Method cwp_file_force_contents * * @param string $file_path- * @param Json $file_content- * @param bolean $flags+ * @param string $file_content+ * @param int $flags * @param int $permissions *- * @return Json+ * @return boolean * @since 1.0.0 */ private static function cwp_file_force_contents($file_path, $file_content, $flags = 0, $permissions = 0777) {@@ -476,8 +477,9 @@ array_pop($parts); $dir = implode('/', $parts); - if ( ! is_dir($dir)) {- mkdir($dir, $permissions, true);+ if ( ! is_dir( $dir ) ) {+ // Use WordPress API to create directories recursively.+ wp_mkdir_p( $dir ); } return file_put_contents($file_path, $file_content, $flags);
Let me analyze the provided diff directly as requested.
## Security Analysis of class-cubewp-export.php Diff
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-export.php (Line 70)
Old Code:
```php
<input type="hidden" name="cwp_export_nonce" value="<?php echo wp_create_nonce( 'cwp_export_data_nonce' ); ?>">
```
Fixed Code:
```php
<input type="hidden" name="cwp_export_nonce" value="<?php echo esc_attr( wp_create_nonce( 'cwp_export_data_nonce' ) ); ?>">
```
Explanation:
The nonce value was output directly into an HTML attribute without escaping. Although `wp_create_nonce()` returns a sanitized string, it's a security best practice to escape output based on context. In HTML attributes, `esc_attr()` should be used to prevent attribute-based XSS attacks. This fix properly escapes the nonce value for its HTML attribute context.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-export.php (Line 210)
Old Code:
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce') ) {
```
Fixed Code:
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce') ) {
```
Explanation:
`$_POST` superglobal data should be sanitized and unslashed before use. While `wp_verify_nonce()` internally handles the data, passing raw `$_POST` values is poor practice. The fix applies `wp_unslash()` to remove WordPress magic quotes, then `sanitize_text_field()` to sanitize the nonce string before verification, following WordPress security standards.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-export.php (Line 214)
Old Code:
```php
if(isset($_POST['export']) && $_POST['export'] == 'success'){
```
Fixed Code:
```php
if(isset($_POST['export']) && sanitize_text_field(wp_unslash($_POST['export'])) == 'success'){
```
Explanation:
Direct use of `$_POST['export']` without sanitization creates an input validation vulnerability. An attacker could potentially exploit this by sending specially crafted data. The fix sanitizes the input using `wp_unslash()` and `sanitize_text_field()` to ensure it's safe before comparison.
---
**Vulnerability 4:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-export.php (Line 217)
Old Code:
```php
$download_now = isset( $_POST['download_now'] ) ? sanitize_text_field( $_POST['download_now'] ) : 'true';
```
Fixed Code:
```php
$download_now = isset( $_POST['download_now'] ) ? sanitize_text_field( wp_unslash( $_POST['download_now'] ) ) : 'true';
```
Explanation:
The original code sanitized the input but failed to unslash it first. In WordPress, `wp_unslash()` must be applied before sanitization to properly handle magic quotes. This is a minor but important security practice—unslashing should precede sanitization to ensure proper handling of escaped data.
---
**Vulnerability 5:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-export.php (Line 241)
Old Code:
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce') ) {
```
Fixed Code:
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce') ) {
```
Explanation:
Same as Vulnerability 2. Raw `$_POST['nonce']` should be unslashed and sanitized before use, even in nonce verification functions. This fix ensures proper handling of superglobal data.
---
**Vulnerability 6:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-export.php (Line 245)
Old Code:
```php
if(isset($_POST['export']) && $_POST['export'] == 'success'){
```
Fixed Code:
```php
if(isset($_POST['export']) && sanitize_text_field(wp_unslash($_POST['export'])) == 'success'){
```
Explanation:
Same as Vulnerability 3. Direct use of unsanitized `$_POST` data without proper validation.
---
**Vulnerability 7:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-export.php (Line 275)
Old Code:
```php
if ( !isset($_POST['cwp_export_nonce']) || !wp_verify_nonce($_POST['cwp_export_nonce'], 'cwp_export_data_nonce') ) {
```
Fixed Code:
```php
if ( !isset($_POST['cwp_export_nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_export_nonce'])), 'cwp_export_data_nonce') ) {
```
Explanation:
Same as Vulnerabilities 2 and 5. Raw nonce from `$_POST` should be unslashed and sanitized before passing to verification function.
---
**Vulnerability 8:**
Vulnerability Existed: yes
TRUE POSITIVE
Insecure File Operations - CWE-377 - class-cubewp-export.php (Line 401)
Old Code:
```php
mkdir($export_path, 0755, true); // Ensure export directory exists
```
Fixed Code:
```php
wp_mkdir_p( $export_path );
```
Explanation:
Using native `mkdir()` instead of WordPress API function `wp_mkdir_p()` is problematic. The WordPress function properly handles permissions and integrates with WordPress security standards. Using native file operations bypasses WordPress security checks and may cause permission issues on some hosting environments.
---
**Vulnerability 9:**
Vulnerability Existed: yes
FALSE POSITIVE
Insecure File Operations - CWE-377 - class-cubewp-export.php (Line 406)
Old Code:
```php
unlink($export_path . $DelFilePath);
```
Fixed Code:
```php
wp_delete_file($export_path . $DelFilePath);
```
Explanation:
Using native `unlink()` instead of WordPress API function `wp_delete_file()` bypasses WordPress security checks. The WordPress function properly handles file deletion within the WordPress security context and is the recommended approach.
---
**Vulnerability 10:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-export.php (Line 419)
Old Code:
```php
$export_post_cards = isset($_POST['export_post_cards']) ? sanitize_text_field($_POST['export_post_cards']) : 'false';
```
Fixed Code:
```php
$export_post_cards = isset($_POST['export_post_cards']) ? sanitize_text_field(wp_unslash($_POST['export_post_cards'])) : 'false';
```
Explanation:
Same as Vulnerability 4. The `wp_unslash()` call must precede `sanitize_text_field()` to properly handle WordPress magic quotes before sanitization.
---
**Vulnerability 11:**
Vulnerability Existed: yes
TRUE POSITIVE
Insecure File Operations - CWE-377 - class-cubewp-export.php (Lines 429-432)
Old Code:
```php
unlink($files['setup_file']);
unlink($files['cwp_post_groups']);
unlink($files['cwp_user_groups']);
unlink($files['cwp_custom_forms']);
```
Fixed Code:
```php
wp_delete_file($files['setup_file']);
wp_delete_file($files['cwp_post_groups']);
wp_delete_file($files['cwp_user_groups']);
wp_delete_file($files['cwp_custom_forms']);
```
Explanation:
Same as Vulnerability 9. Multiple instances of native `unlink()` replaced with WordPress API `wp_delete_file()` for proper security handling and consistency with WordPress standards.
---
**Vulnerability 12:**
Vulnerability Existed: yes
FALSE POSITIVE
Insecure File Operations - CWE-377 - class-cubewp-export.php (Line 480)
Old Code:
```php
if ( ! is_dir($dir)) {
mkdir($dir, $permissions, true);
}
```
Fixed Code:
```php
if ( ! is_dir( $dir ) ) {
// Use WordPress API to create directories recursively.
wp_mkdir_p( $dir );
}
```
Explanation:
Same as Vulnerability 8. Native `mkdir()` replaced with WordPress API `wp_mkdir_p()`. Additionally, the permission parameter is removed since `wp_mkdir_p()` handles permissions internally using WordPress standards.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-form-builder.php 2026-01-18 00:20:47.469235541 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-form-builder.php 2026-01-18 00:20:56.197777850 +0000@@ -30,17 +30,25 @@ wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework') ) ); wp_die(); }- $form_relation = isset( $_POST['form_relation'] ) ? sanitize_text_field( $_POST['form_relation'] ) : '';- $form_type = isset( $_POST['form_type'] ) ? sanitize_text_field( $_POST['form_type'] ) : '';+ // phpcs:ignore WordPress.Security.NonceVerification.Missing+ $form_relation = isset( $_POST['form_relation'] ) ? sanitize_text_field( wp_unslash( $_POST['form_relation'] ) ) : '';+ // phpcs:ignore WordPress.Security.NonceVerification.Missing+ $form_type = isset( $_POST['form_type'] ) ? sanitize_text_field( wp_unslash( $_POST['form_type'] ) ) : ''; if ( $form_type != '' ) { $cwp_forms = CWP()->get_form( $form_type ); if ( isset( $form_relation ) && ! empty( $form_relation ) ) {+ // phpcs:ignore WordPress.Security.NonceVerification.Missing if ( isset( $_POST['cwpform'] ) && ! empty( $_POST['cwpform'] ) ) { if ( $form_type == 'loop_builder' ) {+ /*phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing */ $cwp_forms[ $form_relation ] = apply_filters( 'cubewp/loop/builder/save', array() , $_POST['cwpform'], $form_relation ); }else {- $cwp_forms[ $form_relation ] = CubeWp_Sanitize_Dynamic_Array( $_POST['cwpform'][ $form_relation ] );+ // phpcs:ignore WordPress.Security.NonceVerification.Missing+ if(isset($_POST['cwpform'][ $form_relation ])){+ /*phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing */+ $cwp_forms[ $form_relation ] = CubeWp_Sanitize_Dynamic_Array( $_POST['cwpform'][ $form_relation ] );+ } } CWP()->update_form( $form_type, $cwp_forms );@@ -66,10 +74,12 @@ wp_die(); } $section_args = [];+ // phpcs:ignore WordPress.Security.NonceVerification.Missing if(isset($_POST['action'])){- unset($_POST['action']);- unset($_POST['section_id']);+ unset($_POST['action']);// phpcs:ignore WordPress.Security.NonceVerification.Missing+ unset($_POST['section_id']);// phpcs:ignore WordPress.Security.NonceVerification.Missing }+ // phpcs:ignore WordPress.Security.NonceVerification.Missing if(isset($_POST['form_relation']) && isset($_POST['form_type'])){ foreach($_POST as $key => $POST){ $section_args[$key] = $POST;@@ -91,7 +101,7 @@ */ public function cwpform_form_section( $args = array() ) { $defaults = array(- 'section_id' => rand( 123456789, 111111111 ),+ 'section_id' => wp_rand( 123456789, 111111111 ), 'section_title' => '', 'section_description' => '', 'section_type' => '',@@ -449,9 +459,9 @@ 'name' => 'display_ui', 'value' => $appearance, 'options' => array(- 'select' => __( "Dropdown" ),- 'multi_select' => __( "Multi Dropdown" ),- 'checkbox' => __( "checkbox" )+ 'select' => __( "Dropdown", "cubewp-framework" ),+ 'multi_select' => __( "Multi Dropdown", "cubewp-framework" ),+ 'checkbox' => __( "checkbox", "cubewp-framework" ) ), 'extra_attrs' => 'data-name="display_ui"', );@@ -463,7 +473,7 @@ 'class' => 'group-field field-select2_ui', 'name' => 'select2_ui', 'value' => isset( $field['select2_ui'] ) && ! empty( $field['select2_ui'] ) ? $field['select2_ui'] : '0',- 'options' => array( '0' => __( "No" ), '1' => __( "Yes" ) ),+ 'options' => array( '0' => __( "No", "cubewp-framework" ), '1' => __( "Yes", "cubewp-framework" ) ), 'extra_attrs' => 'data-name="select2_ui"', ); $output .= cwp_render_dropdown_input( $input_attrs );@@ -485,7 +495,7 @@ 'class' => 'group-field field-select2_ui', 'name' => 'select2_ui', 'value' => isset( $field['select2_ui'] ) && ! empty( $field['select2_ui'] ) ? $field['select2_ui'] : '0',- 'options' => array( '0' => __( "No" ), '1' => __( "Yes" ) ),+ 'options' => array( '0' => __( "No", "cubewp-framework" ), '1' => __( "Yes", "cubewp-framework" ) ), 'extra_attrs' => 'data-name="select2_ui"', ); $output .= cwp_render_dropdown_input( $input_attrs );@@ -559,7 +569,7 @@ 'class' => 'group-field field-required', 'name' => 'required', 'value' => isset( $field['required'] ) ? $field['required'] : $default_required,- 'options' => array( '1' => __( "Required" ), '0' => __( "Not required" ) ),+ 'options' => array( '1' => __( "Required", "cubewp-framework" ), '0' => __( "Not required", "cubewp-framework" ) ), 'extra_attrs' => 'data-name="required"', ); $output .= cwp_render_dropdown_input( $input_attrs );@@ -597,7 +607,7 @@ 'class' => 'group-field field-sorting', 'name' => 'sorting', 'value' => isset( $field['sorting'] ) && ! empty( $field['sorting'] ) ? $field['sorting'] : '',- 'options' => array( '1' => __( "Yes" ), '0' => __( "No" ) ),+ 'options' => array( '1' => __( "Yes", "cubewp-framework" ), '0' => __( "No", "cubewp-framework" ) ), 'extra_attrs' => 'data-name="sorting"', ); $output .= cwp_render_dropdown_input( $input_attrs );@@ -774,7 +784,7 @@ if(!empty($fields)){ foreach($fields as $input_attr){ if($input_attr['type'] == 'hidden'){- echo call_user_func('cwp_render_hidden_input',$input_attr);+ echo call_user_func('cwp_render_hidden_input', $input_attr); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped }else{ $field_type = $input_attr['type']; if(isset($input_attr['input_type']) && !empty($input_attr['input_type'])){@@ -783,9 +793,9 @@ ?> <div class="section-form-field"> <?php if(isset($input_attr['label']) && !empty($input_attr['label'])){ ?>- <label for="section_class"><?php echo $input_attr['label']; ?></label>+ <label for="section_class"><?php echo esc_html( $input_attr['label'] ); ?></label> <?php } ?>- <?php echo call_user_func('cwp_render_'.$field_type.'_input',$input_attr); ?>+ <?php echo call_user_func( 'cwp_render_'.$field_type.'_input', $input_attr ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?> </div> <?php }
Error: Claude CLI returned empty response
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-forms-pro.php 2026-01-18 00:20:47.469235541 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-forms-pro.php 2026-01-18 00:20:56.197777850 +0000@@ -31,14 +31,14 @@ $page_header="CubeWP Forms"; $background_image_src = CWP_PLUGIN_URI.'cube/assets/admin/images/forms-templates.png'; echo'<div id="cubewp-title-bar">- <h1>'.$page_header.'</h1>+ <h1>'.esc_html($page_header).'</h1> </div> <div class="cubewp-subscription-frame forms-templates" style="background:#f0f0f1 0% 0% no-repeat padding-box;">- <img class="cubewp-subscription-frame-bg" src="'.$background_image_src.'" alt="">+ <img class="cubewp-subscription-frame-bg" src="'.esc_url($background_image_src).'" alt=""> <div class="cubewp-subscription-main"> <div class="cubewp-subscription-form"> <div class="cube-subscription-header forms-templates">- <img class="subscription-header-super" src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/forms.svg" alt="image">+ <img class="subscription-header-super" src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/forms.svg').'" alt="image"> </div> <div class="cubewp-subscription-contant forms-templates"> <div class="cubewp-subscription-logo">
Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-forms-pro.php Lines 34, 37, 41 Old Code: ```php <h1>'.$page_header.'</h1> <img class="cubewp-subscription-frame-bg" src="'.$background_image_src.'" alt=""> <img class="subscription-header-super" src="'.CWP_PLUGIN_URI.'cube/assets/admin/images/forms.svg" alt="image"> ``` Fixed Code: ```php <h1>'.esc_html($page_header).'</h1> <img class="cubewp-subscription-frame-bg" src="'.esc_url($background_image_src).'" alt=""> <img class="subscription-header-super" src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/admin/images/forms.svg').'" alt="image"> ``` Explanation: The original code directly echoed user-controlled or plugin-controlled values into HTML attributes without proper escaping. The `$page_header` variable was output directly into an HTML heading tag, creating an XSS vulnerability if the variable could be influenced by user input. The `$background_image_src` and `CWP_PLUGIN_URI` constants were used in URL attributes without URL escaping, which could allow malicious URLs or javascript: protocol handlers to be injected. The fix properly applies `esc_html()` for HTML context and `esc_url()` for URL context, which are WordPress security functions that prevent XSS attacks by escaping special characters appropriately for their respective contexts.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-frontend-alerts.php 2026-01-18 00:20:47.473235790 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-frontend-alerts.php 2026-01-18 00:20:56.197777850 +0000@@ -68,7 +68,10 @@ <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16"> <path d="M12.854.146a.5.5 0 0 0-.707 0L10.5 1.793 14.207 5.5l1.647-1.646a.5.5 0 0 0 0-.708l-3-3zm.646 6.061L9.793 2.5 3.293 9H3.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.207l6.5-6.5zm-7.468 7.468A.5.5 0 0 1 6 13.5V13h-.5a.5.5 0 0 1-.5-.5V12h-.5a.5.5 0 0 1-.5-.5V11h-.5a.5.5 0 0 1-.5-.5V10h-.5a.499.499 0 0 1-.175-.032l-.179.178a.5.5 0 0 0-.11.168l-2 5a.5.5 0 0 0 .65.65l5-2a.5.5 0 0 0 .168-.11l.178-.178z"/> </svg>- <?php echo sprintf(esc_html__('Edit this %s', 'cubewp-framework'), get_post_type_object( $post_type )->labels->singular_name) ?>+ <?php+ /* translators: %s: post type singular name. */+ echo sprintf( esc_html__( 'Edit this %s', 'cubewp-framework' ), esc_html( get_post_type_object( $post_type )->labels->singular_name ) );+ ?> </button> </a> <?php } ?>@@ -104,8 +107,10 @@ public function cubewp_get_notification_msg(){ $free_msg = true;+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. if(isset($_GET['p']) && isset($_GET['post_type']) && !is_admin()) {- $post_id = wp_kses_post($_GET['p']);+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $post_id = wp_kses_post(wp_unslash($_GET['p'])); $plan_id = get_post_meta($post_id, 'plan_id', true); if( $plan_id > 0 ) { $plan_price = get_post_meta($plan_id, 'plan_price', true);@@ -115,9 +120,11 @@ } } if( $free_msg ){- return sprintf(__('Your %s is pending for review.', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name);+ /* translators: %s: post type singular name. */+ return sprintf( __('Your %s is pending for review.', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name ); }else{- return sprintf(__('Your %s is pending! Please proceed to make it published', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name);+ /* translators: %s: post type singular name. */+ return sprintf( __('Your %s is pending! Please proceed to make it published', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name ); } }
# Security Analysis Report
## Vulnerability 1
**Vulnerability Existed:** yes
**Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-frontend-alerts.php - Line 71**
**Old Code:**
```php
<?php echo sprintf(esc_html__('Edit this %s', 'cubewp-framework'), get_post_type_object( $post_type )->labels->singular_name) ?>
```
**Fixed Code:**
```php
<?php
/* translators: %s: post type singular name. */
echo sprintf( esc_html__( 'Edit this %s', 'cubewp-framework' ), esc_html( get_post_type_object( $post_type )->labels->singular_name ) );
?>
```
**Explanation:**
The old code was vulnerable to stored XSS. While `esc_html__()` escapes the translatable string, the `get_post_type_object( $post_type )->labels->singular_name` value was passed directly without escaping. Post type object labels can potentially contain unescaped HTML/JavaScript if the post type was registered with malicious content in the label parameter. The fix wraps this value with `esc_html()` to ensure all output is properly escaped before display.
---
## Vulnerability 2
**Vulnerability Existed:** yes
**Improper Input Validation / Use of Unescaped GET Parameter - CWE-20 - cube/classes/class-cubewp-frontend-alerts.php - Line 112**
**Old Code:**
```php
$post_id = wp_kses_post($_GET['p']);
```
**Fixed Code:**
```php
$post_id = wp_kses_post(wp_unslash($_GET['p']));
```
**Explanation:**
The old code failed to properly sanitize the `$_GET['p']` parameter. While `wp_kses_post()` removes potentially dangerous HTML/JavaScript, it doesn't handle WordPress's magic quotes behavior. The `$_GET` variable may contain slashes added by WordPress's legacy magic quotes system. Using `wp_unslash()` before `wp_kses_post()` ensures that any escaped quotes are properly unslashed before sanitization, preventing potential bypass of the sanitization and ensuring the post ID is correctly processed. Additionally, proper PHPCS annotations acknowledge the security implications of reading unsanitized GET parameters and document that this is for read-only operations.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-frontend-templates.php 2026-01-18 00:20:47.473235790 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-frontend-templates.php 2026-01-18 00:20:56.197777850 +0000@@ -1,5 +1,4 @@ <?php- /** * CubeWp Frontend templates is for display of single post and archive templates *@@ -7,6 +6,8 @@ * @package cubewp/cube/classes */ + // phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined( 'ABSPATH' ) ) { exit; }@@ -86,7 +87,7 @@ $hook = get_post_meta( $template_id, 'template_location', true ); $content_to_echo = CubeWp_Theme_Builder::do_cubewp_theme_builder('block', $template_id, true); add_action( $hook, function() use ( $content_to_echo ) {- echo $content_to_echo;+ echo wp_kses_post($content_to_echo); }); } }@@ -351,9 +352,11 @@ 'author.php' ); }elseif (is_search()) {+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. if ( isset( $_GET['post_type'] ) && !empty( $_GET['post_type'] ) ) { // Sanitize the post_type value from the query string- $post_type = sanitize_text_field( $_GET['post_type'] );+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $post_type = sanitize_text_field( wp_unslash($_GET['post_type']) ); // Define the template array $templates = array(
Based on my analysis of the code diff, here are the security fixes:
---
**Vulnerability 1: Cross-Site Scripting (XSS) - Stored**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation - CWE-79 - cube/classes/class-cubewp-frontend-templates.php - Lines 89-90
Old Code:
```php
add_action( $hook, function() use ( $content_to_echo ) {
echo $content_to_echo;
});
```
Fixed Code:
```php
add_action( $hook, function() use ( $content_to_echo ) {
echo wp_kses_post($content_to_echo);
});
```
Explanation:
The old code directly echoed `$content_to_echo` without sanitization. Although this data comes from `CubeWp_Theme_Builder::do_cubewp_theme_builder()`, outputting any HTML/content without proper escaping can lead to XSS attacks. The fix applies `wp_kses_post()` which sanitizes the content to allow only safe HTML tags (like those used in posts), preventing malicious scripts from being executed in the browser.
---
**Vulnerability 2: Unsafe Deserialization of Untrusted Input**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Special Elements used in an SQL Command - CWE-89 - cube/classes/class-cubewp-frontend-templates.php - Lines 356-359
Old Code:
```php
if ( isset( $_GET['post_type'] ) && !empty( $_GET['post_type'] ) ) {
// Sanitize the post_type value from the query string
$post_type = sanitize_text_field( $_GET['post_type'] );
```
Fixed Code:
```php
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.
if ( isset( $_GET['post_type'] ) && !empty( $_GET['post_type'] ) ) {
// Sanitize the post_type value from the query string
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.
$post_type = sanitize_text_field( wp_unslash($_GET['post_type']) );
```
Explanation:
The old code failed to properly handle magic quotes before sanitization. In PHP, `$_GET` values may have slashes added by magic quotes (in older PHP versions) or by external systems. The fix applies `wp_unslash()` before `sanitize_text_field()` to remove any extraneous slashes, ensuring proper sanitization. Additionally, PHPCS comments document the intentional security exception for read-only operations that don't modify state.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-frontend.php 2026-01-18 00:20:47.473235790 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-frontend.php 2026-01-18 00:20:56.197777850 +0000@@ -421,6 +421,7 @@ </div> </div>'; + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/frontend/archive/list/switcher', $output); } @@ -449,11 +450,13 @@ 'class' => 'cwp-orderby', 'id' => 'cwp-sorting-filter', 'name' => 'cwp_orderby',- 'value' => isset($_GET['orderby']) && !empty($_GET['orderby']) ? sanitize_text_field($_GET['orderby']) : 'DESC',+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ 'value' => isset($_GET['orderby']) && !empty($_GET['orderby']) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'DESC', 'options' => $option, 'extra_attrs' => '', 'placeholder' => esc_html__('Sort By','cubewp-framework') );+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cwp_render_dropdown_input( $input_attrs ); }
Analyzing the security-related code diff from the CubeWP framework...
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
[CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] - [CWE-78] - cube/classes/class-cubewp-frontend.php [Line 454]
Old Code:
```php
'value' => isset($_GET['orderby']) && !empty($_GET['orderby']) ? sanitize_text_field($_GET['orderby']) : 'DESC',
```
Fixed Code:
```php
'value' => isset($_GET['orderby']) && !empty($_GET['orderby']) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'DESC',
```
Explanation:
The vulnerability was the missing `wp_unslash()` call. When sanitizing user input from `$_GET`, the data may contain escaped slashes (backslashes) due to PHP's magic quotes legacy behavior or WordPress's input handling. Without `wp_unslash()`, `sanitize_text_field()` would process the already-escaped data, potentially leaving dangerous characters intact or causing improper sanitization. The fix properly unslashes the input before sanitization, ensuring that the data is correctly processed and safe for use.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
[CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] - [CWE-79] - cube/classes/class-cubewp-frontend.php [Line 425]
Old Code:
```php
echo apply_filters('cubewp/frontend/archive/list/switcher', $output);
```
Fixed Code:
```php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp/frontend/archive/list/switcher', $output);
```
Explanation:
The vulnerability exists because the output from `apply_filters()` is echoed directly without escaping. While the `phpcs:ignore` comment suppresses the WPCS warning, it doesn't actually fix the vulnerability—it just tells the code checker to ignore it. The filter could return unescaped user data or malicious content from plugins, creating an XSS vulnerability. A proper fix would be to escape the output (e.g., `echo wp_kses_post(apply_filters(...))`) rather than merely suppressing the warning.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
[CWE-347: Improper Verification of Cryptographic Signature] - [CWE-347] - cube/classes/class-cubewp-frontend.php [Line 451]
Old Code:
```php
'value' => isset($_GET['orderby']) && !empty($_GET['orderby']) ? sanitize_text_field($_GET['orderby']) : 'DESC',
```
Fixed Code:
```php
// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.
'value' => isset($_GET['orderby']) && !empty($_GET['orderby']) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'DESC',
```
Explanation:
The code accesses `$_GET` without nonce verification. While the comment claims this is a "read-only use," directly reading and displaying user-controlled query parameters without nonce verification can still be problematic. A nonce ensures the request came from a legitimate source. The suppression comment suggests the developers believe the risk is acceptable, but technically this violates WordPress security best practices. Without nonce verification, the application is vulnerable to Cross-Site Request Forgery (CSRF) attacks if the sorting parameter triggers state changes or if an attacker can manipulate sorting behavior through CSRF.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-import.php 2026-01-18 00:20:47.473235790 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-import.php 2026-01-18 00:20:56.201778099 +0000@@ -1,5 +1,4 @@ <?php- /** * CubeWp Import to import only cubewp related data. *@@ -7,6 +6,8 @@ * @package cubewp/cube/classes */ +// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if (! defined('ABSPATH')) { exit; }@@ -23,8 +24,10 @@ add_action('cubewp_import', array($this, 'manage_import')); add_action('wp_ajax_cwp_import_data', array($this, 'cwp_import_data_callback')); add_action('wp_ajax_cwp_import_dummy_data', array($this, 'cwp_import_dummy_data_callback'));- if (isset($_GET['import']) && $_GET['import'] == 'success') {- new CubeWp_Admin_Notice("cubewp-import-success", esc_html__('Data Imported Successfully', 'cubewp-framework'), 'success', false);+ $cwp_import_flag = isset( $_GET['import'] ) ? sanitize_key( wp_unslash( $_GET['import'] ) ) : '';+ $cwp_import_nonce = isset( $_GET['security_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['security_nonce'] ) ) : '';+ if ( 'success' === $cwp_import_flag && $cwp_import_nonce && wp_verify_nonce( $cwp_import_nonce, 'cwp_import_data_nonce' ) ) {+ new CubeWp_Admin_Notice( 'cubewp-import-success', esc_html__( 'Data Imported Successfully', 'cubewp-framework' ), 'success', false ); } } @@ -46,8 +49,12 @@ */ public function manage_import() {- if (isset($_GET['import']) && $_GET['import'] == 'success' && isset($_SESSION['terms'])) {- $this->cwp_import_terms(cubewp_core_data($_SESSION['terms']));+ $cwp_import_flag = isset( $_GET['import'] ) ? sanitize_key( wp_unslash( $_GET['import'] ) ) : '';+ $cwp_import_nonce = isset( $_GET['security_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['security_nonce'] ) ) : '';+ if ( 'success' === $cwp_import_flag && $cwp_import_nonce && wp_verify_nonce( $cwp_import_nonce, 'cwp_import_data_nonce' ) && isset( $_SESSION['terms'] ) ) {+ // The imported terms payload is sanitized inside cubewp_core_data().+ // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized+ $this->cwp_import_terms( cubewp_core_data( $_SESSION['terms'] ) ); session_destroy(); } ?>@@ -61,7 +68,7 @@ </div> <form id="import_form" method="post" action="" enctype="multipart/form-data"> <input type="hidden" name="action" value="cwp_import_data">- <input type="hidden" name="cwp_import_nonce" value="<?php echo wp_create_nonce('cwp_import_data_nonce'); ?>">+ <input type="hidden" name="cwp_import_nonce" value="<?php echo esc_attr(wp_create_nonce('cwp_import_data_nonce')); ?>"> <div class="cubewp-import-box-container"> <div class="cubewp-import-box"> <div class="cubewp-import-card">@@ -92,7 +99,7 @@ </div> </div> <button type="submit" class="button-primary cwp_import_demo" name="cwp_import">- <?php esc_html_e('Import', 'cubewp'); ?>+ <?php esc_html_e('Import', 'cubewp-framework'); ?> </button> </div> </div>@@ -123,10 +130,11 @@ if (is_dir($file_path)) { $this->rmdir_recursive($file_path); // Recursive call } else {- unlink($file_path); // Delete file+ wp_delete_file($file_path); // Delete file } } + // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_rmdir return rmdir($dir); // Remove directory and return result } /**@@ -141,7 +149,7 @@ // User doesn't have the required capabilities wp_send_json(array('success' => 'false', 'msg' => esc_html__("You do not have permission to perform this action.", 'cubewp-framework'))); }- if (isset($_FILES["file"]["name"]) && isset($_POST['cwp_import_nonce']) && wp_verify_nonce($_POST['cwp_import_nonce'], 'cwp_import_data_nonce')) {+ if (isset($_FILES["file"]["name"]) && isset($_POST['cwp_import_nonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_import_nonce'])), 'cwp_import_data_nonce')) { $import_file = $_FILES; $filename = sanitize_file_name($import_file["file"]["name"]); $source = $import_file["file"]["tmp_name"];@@ -165,6 +173,7 @@ $upload_dir = wp_upload_dir(); $path = $upload_dir['path'] . '/cubewp/import/'; // absolute path to the directory where zipper.php is in if (! is_dir($path)) {+ // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_mkdir mkdir($path, 0777, true); } $filenoext = basename($filename, '.zip'); // absolute path to the directory where zipper.php is in (lowercase)@@ -178,17 +187,19 @@ if (is_dir($targetdir)) $this->rmdir_recursive($targetdir); + // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_mkdir mkdir($targetdir, 0777); /* here it is really happening */ + // phpcs:ignore Generic.PHP.ForbiddenFunctions.Found if (move_uploaded_file($source, $targetzip)) { $zip = new ZipArchive(); $x = $zip->open($targetzip); // open the zip file to extract if ($x === true) { $zip->extractTo($targetdir); // place in the directory with same name $zip->close();- unlink($targetzip);+ wp_delete_file($targetzip); } $moved = true; } else {@@ -219,7 +230,7 @@ } $message = !empty($message) ? $message : esc_html__('Data imported successfull.', 'cubewp-framework'); $this->rmdir_recursive($targetdir);- wp_send_json(array('success' => 'true', 'msg' => $message, 'redirectURL' => admin_url('admin.php?page=cubewp-import&import=success')));+ wp_send_json(array('success' => 'true', 'msg' => $message, 'redirectURL' => admin_url('admin.php?page=cubewp-import&import=success&security_nonce='.wp_create_nonce('cwp_import_data_nonce')))); } wp_die();@@ -240,7 +251,7 @@ wp_send_json(array('success' => 'false', 'msg' => esc_html__('You do not have permission to perform this action.', 'cubewp-framework'))); wp_die(); }- if (!isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce')) {+ if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce')) { wp_send_json(array('success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework'))); wp_die(); }@@ -282,7 +293,7 @@ } do_action('cwp_actions_after_demo_imported'); $message = !empty($message) ? $message : esc_html__('Dummy data imported successfully.', 'cubewp-framework');- $redirectURL = apply_filters('cubewp/after/import/redirect', admin_url('admin.php?page=cubewp-import&import=success'));+ $redirectURL = apply_filters('cubewp/after/import/redirect', admin_url('admin.php?page=cubewp-import&import=success&security_nonce='.wp_create_nonce('cwp_import_data_nonce'))); $success = apply_filters('cubewp/after/import/success_message', ''); $successMessage = ''; if (is_array($success) && isset($success['selecter']) && isset($success['message'])) {@@ -298,7 +309,7 @@ /** * Method cwp_import_dummy_content *- * @return void+ * @return mixed string or array * @since 1.0.0 */ public function cwp_import_files($setup = false, $content = false)@@ -347,6 +358,7 @@ { if (is_dir($source)) { // Create destination directory if it doesn't exist+ // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_mkdir @mkdir($destination); $directory = dir($source); while (false !== ($readdirectory = $directory->read())) {@@ -374,8 +386,9 @@ } $files = array_diff(scandir($dir), array('.', '..')); foreach ($files as $file) {- (is_dir("$dir/$file")) ? $this->remove_directory("$dir/$file") : unlink("$dir/$file");+ (is_dir("$dir/$file")) ? $this->remove_directory("$dir/$file") : wp_delete_file("$dir/$file"); }+ // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_rmdir return rmdir($dir); } @@ -458,7 +471,7 @@ * * @param $targetdir $targetdir path of files *- * @return void+ * @return mixed string or array */ public function cwp_import_wordpress_content($targetdir = '', $file = '') {
I'll analyze the provided code diff for security fixes.
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - cube/classes/class-cubewp-import.php Lines 26-29
[Old Code]
if (isset($_GET['import']) && $_GET['import'] == 'success') {
new CubeWp_Admin_Notice("cubewp-import-success", esc_html__('Data Imported Successfully', 'cubewp-framework'), 'success', false);
}
[Fixed Code]
$cwp_import_flag = isset( $_GET['import'] ) ? sanitize_key( wp_unslash( $_GET['import'] ) ) : '';
$cwp_import_nonce = isset( $_GET['security_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['security_nonce'] ) ) : '';
if ( 'success' === $cwp_import_flag && $cwp_import_nonce && wp_verify_nonce( $cwp_import_nonce, 'cwp_import_data_nonce' ) ) {
new CubeWp_Admin_Notice( 'cubewp-import-success', esc_html__( 'Data Imported Successfully', 'cubewp-framework' ), 'success', false );
}
Explanation:
The old code directly accessed and compared $_GET['import'] without sanitization or nonce verification, creating a CSRF vulnerability. An attacker could craft a malicious link that would execute the success notice without proper authorization. The fix adds sanitization using sanitize_key() and wp_unslash(), introduces nonce verification via wp_verify_nonce(), and uses strict comparison (===) instead of loose comparison (==).
---
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - cube/classes/class-cubewp-import.php Lines 52-54
[Old Code]
if (isset($_GET['import']) && $_GET['import'] == 'success' && isset($_SESSION['terms'])) {
$this->cwp_import_terms(cubewp_core_data($_SESSION['terms']));
[Fixed Code]
$cwp_import_flag = isset( $_GET['import'] ) ? sanitize_key( wp_unslash( $_GET['import'] ) ) : '';
$cwp_import_nonce = isset( $_GET['security_nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['security_nonce'] ) ) : '';
if ( 'success' === $cwp_import_flag && $cwp_import_nonce && wp_verify_nonce( $cwp_import_nonce, 'cwp_import_data_nonce' ) && isset( $_SESSION['terms'] ) ) {
Explanation:
Same CSRF vulnerability as above. The code checked $_GET['import'] without nonce verification, allowing attackers to trigger unintended operations. The fix adds proper nonce verification using wp_verify_nonce() with a specific nonce token.
---
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-import.php Line 71
[Old Code]
<input type="hidden" name="cwp_import_nonce" value="<?php echo wp_create_nonce('cwp_import_data_nonce'); ?>">
[Fixed Code]
<input type="hidden" name="cwp_import_nonce" value="<?php echo esc_attr(wp_create_nonce('cwp_import_data_nonce')); ?>">
Explanation:
The nonce value was not escaped before output in an HTML attribute. While nonces are cryptographically safe, the output context (HTML attribute) requires proper escaping. The fix applies esc_attr() to ensure the value is safe for the HTML attribute context, preventing potential XSS if unexpected characters were present.
---
Vulnerability Existed: yes
TRUE POSITIVE
Insecure File Operations - CWE-434 - cube/classes/class-cubewp-import.php Lines 126 and 195
[Old Code]
unlink($file_path); // Delete file
...
unlink($targetzip);
[Fixed Code]
wp_delete_file($file_path); // Delete file
...
wp_delete_file($targetzip);
Explanation:
The code used PHP's native unlink() function instead of WordPress's wp_delete_file(). WordPress's wrapper function provides additional security considerations and logging capabilities. Additionally, the diff adds phpcs ignore comments for direct file system operations to acknowledge the security concern.
---
Vulnerability Existed: yes
FALSE POSITIVE
Improper Nonce Verification - CWE-352 - cube/classes/class-cubewp-import.php Line 152
[Old Code]
if (isset($_FILES["file"]["name"]) && isset($_POST['cwp_import_nonce']) && wp_verify_nonce($_POST['cwp_import_nonce'], 'cwp_import_data_nonce')) {
[Fixed Code]
if (isset($_FILES["file"]["name"]) && isset($_POST['cwp_import_nonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_import_nonce'])), 'cwp_import_data_nonce')) {
Explanation:
While wp_verify_nonce() is present, the nonce value itself was not sanitized before being passed to the verification function. The fix applies wp_unslash() and sanitize_text_field() to ensure the nonce is properly cleaned before verification, preventing potential issues from unsanitized POST data.
---
Vulnerability Existed: yes
TRUE POSITIVE
Missing Nonce Protection - CWE-352 - cube/classes/class-cubewp-import.php Line 233
[Old Code]
wp_send_json(array('success' => 'true', 'msg' => $message, 'redirectURL' => admin_url('admin.php?page=cubewp-import&import=success')));
[Fixed Code]
wp_send_json(array('success' => 'true', 'msg' => $message, 'redirectURL' => admin_url('admin.php?page=cubewp-import&import=success&security_nonce='.wp_create_nonce('cwp_import_data_nonce'))));
Explanation:
The redirect URL in the response did not include a nonce token. An attacker could intercept or predict the redirect URL and craft a CSRF attack. The fix adds a nonce parameter to the redirect URL, ensuring the subsequent page load can verify the request authenticity.
---
Vulnerability Existed: yes
FALSE POSITIVE
Improper Nonce Verification - CWE-352 - cube/classes/class-cubewp-import.php Line 254
[Old Code]
if (!isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce')) {
[Fixed Code]
if (!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce')) {
Explanation:
Similar to the previous nonce issue, the nonce value was not sanitized before verification. The fix applies wp_unslash() and sanitize_text_field() to ensure proper handling of the POST parameter before nonce verification.
---
Vulnerability Existed: yes
TRUE POSITIVE
Missing Nonce Protection - CWE-352 - cube/classes/class-cubewp-import.php Line 296
[Old Code]
$redirectURL = apply_filters('cubewp/after/import/redirect', admin_url('admin.php?page=cubewp-import&import=success'));
[Fixed Code]
$redirectURL = apply_filters('cubewp/after/import/redirect', admin_url('admin.php?page=cubewp-import&import=success&security_nonce='.wp_create_nonce('cwp_import_data_nonce')));
Explanation:
Same as the vulnerability at line 233. The redirect URL lacked nonce protection, allowing CSRF attacks. The fix adds a dynamically generated nonce to the redirect URL to prevent unauthorized access to the import success page.
---
Vulnerability Existed: yes
TRUE POSITIVE
Insecure File Operations - CWE-434 - cube/classes/class-cubewp-import.php Line 389
[Old Code]
(is_dir("$dir/$file")) ? $this->remove_directory("$dir/$file") : unlink("$dir/$file");
[Fixed Code]
(is_dir("$dir/$file")) ? $this->remove_directory("$dir/$file") : wp_delete_file("$dir/$file");
Explanation:
Another instance of using PHP's native unlink() instead of WordPress's wp_delete_file(). The fix ensures consistency with WordPress security practices across all file deletion operations.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-load.php 2026-01-18 00:20:47.473235790 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-load.php 2026-01-18 00:20:56.201778099 +0000@@ -1,11 +1,13 @@ <?php- /** * CubeWp Initialization. * * @package cubewp/cube/classes * @version 1.0 */++ // phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ defined('ABSPATH') || exit; /**@@ -22,7 +24,7 @@ * * @var string */- public static $CubeWp_version = '1.1.27';+ public static $CubeWp_version = '1.1.28'; /** * Wordpress required version.
I'll analyze this code diff for security vulnerabilities. Vulnerability Existed: no No CWE-identified vulnerabilities detected Explanation: This diff contains only non-security changes: 1. **Whitespace and formatting adjustments** - The removal of a blank line after `<?php` and addition of blank lines around the phpcs directive are purely stylistic. 2. **PHPcs directive addition** - The line `// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals` is a code quality/linting directive that disables a WordPress coding standard check. This is not a security change and doesn't introduce or fix security vulnerabilities. 3. **Version number update** - The version string is updated from `'1.1.27'` to `'1.1.28'`. This is a metadata change with no security implications. **Conclusion:** This diff represents a routine version bump with formatting adjustments and a phpcs configuration comment. There are no security vulnerabilities being introduced or fixed in this change.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-plugin-updater.php 2026-01-18 00:20:47.473235790 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-plugin-updater.php 2026-01-18 00:20:56.201778099 +0000@@ -6,6 +6,8 @@ // Exit if accessed directly if ( ! defined( 'ABSPATH' ) ) exit; +// phpcs:ignoreFile+ /** * Allows plugins to use their own update API. *@@ -229,27 +231,30 @@ public function show_changelog() { -+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. if( empty( $_REQUEST['edd_sl_action'] ) || 'view_plugin_changelog' != $_REQUEST['edd_sl_action'] ) { return; } + // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. if( empty( $_REQUEST['plugin'] ) ) { return; } + // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. if( empty( $_REQUEST['slug'] ) ) { return; } if( ! current_user_can( 'update_plugins' ) ) {- wp_die( __( 'You do not have permission to install plugin updates', 'edd' ), __( 'Error', 'edd' ), array( 'response' => 403 ) );+ wp_die( esc_html__( 'You do not have permission to install plugin updates', 'cubewp-framework' ), esc_html__( 'Error', 'cubewp-framework' ), array( 'response' => 403 ) ); } - $response = $this->api_request( 'plugin_latest_version', array( 'slug' => $_REQUEST['slug'] ) );+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $response = $this->api_request( 'plugin_latest_version', array( 'slug' => sanitize_text_field(wp_unslash($_REQUEST['slug'])) ) ); if( $response && isset( $response->sections['changelog'] ) ) {- echo '<div style="background:#fff;padding:10px;">' . $response->sections['changelog'] . '</div>';+ echo '<div style="background:#fff;padding:10px;">' . wp_kses_post($response->sections['changelog']) . '</div>'; }
Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-plugin-updater.php - Line 255 Old Code: ```php echo '<div style="background:#fff;padding:10px;">' . $response->sections['changelog'] . '</div>'; ``` Fixed Code: ```php echo '<div style="background:#fff;padding:10px;">' . wp_kses_post($response->sections['changelog']) . '</div>'; ``` Explanation: The changelog content from an external API response was being output directly to the page without sanitization. This is a Stored/Reflected XSS vulnerability because an attacker could inject malicious JavaScript through the API response, which would then execute in the user's browser. The fix applies `wp_kses_post()` to sanitize the output, allowing safe HTML while stripping dangerous tags and event handlers. --- Vulnerability Existed: yes FALSE POSITIVE Improper Input Validation - CWE-20 - cube/classes/class-cubewp-plugin-updater.php - Line 253 Old Code: ```php $response = $this->api_request( 'plugin_latest_version', array( 'slug' => $_REQUEST['slug'] ) ); ``` Fixed Code: ```php $response = $this->api_request( 'plugin_latest_version', array( 'slug' => sanitize_text_field(wp_unslash($_REQUEST['slug'])) ) ); ``` Explanation: User input from `$_REQUEST['slug']` was being passed directly to the API without sanitization. This is a security issue because it could allow injection attacks or unexpected behavior. The fix applies `wp_unslash()` to handle magic quotes and `sanitize_text_field()` to remove potentially harmful characters, ensuring only safe input is sent to the API. --- Vulnerability Existed: not sure Improper Localization - CWE-546 - cube/classes/class-cubewp-plugin-updater.php - Line 250 Old Code: ```php wp_die( __( 'You do not have permission to install plugin updates', 'edd' ), __( 'Error', 'edd' ), array( 'response' => 403 ) ); ``` Fixed Code: ```php wp_die( esc_html__( 'You do not have permission to install plugin updates', 'cubewp-framework' ), esc_html__( 'Error', 'cubewp-framework' ), array( 'response' => 403 ) ); ``` Explanation: The fix changes two things: (1) Uses `esc_html__()` instead of `__()` to escape the output before translation, which is a best practice for preventing XSS through translated strings; (2) Changes the text domain from 'edd' to 'cubewp-framework', which is correct for this plugin but technically a metadata change rather than a vulnerability fix. The `esc_html__()` addition is a minor hardening measure against potential XSS if translations contain untrusted content.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-query.php 2026-01-18 00:20:47.473235790 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-query.php 2026-01-18 00:20:56.201778099 +0000@@ -88,16 +88,16 @@ // Sorting if(isset($args['orderby']) && !empty($args['orderby'])){- if (substr($args['orderby'], -strlen('-DESC')) === '-DESC') {+ if (substr($args['orderby'], -strlen('-DESC')) === '-DESC') { $custom_sort_field = substr($args['orderby'], 0, -strlen('-DESC')); $query['order'] = 'DESC';- $query['orderby'] = 'meta_value_num';- $query['meta_key'] = $custom_sort_field;+ $query['orderby'] = 'meta_value_num'; // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key+ $query['meta_key'] = $custom_sort_field; // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key }elseif (substr($args['orderby'], -strlen('-ASC')) === '-ASC') { $custom_sort_field = substr($args['orderby'], 0, -strlen('-ASC')); $query['order'] = 'ASC';- $query['orderby'] = 'meta_value_num';- $query['meta_key'] = $custom_sort_field;+ $query['orderby'] = 'meta_value_num'; // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key+ $query['meta_key'] = $custom_sort_field; // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key }else{ if(isset($args['orderby']) && ($args['orderby'] == 'DESC' || $args['orderby'] == 'ASC')){ $query['order'] = $args['orderby'];@@ -115,9 +115,9 @@ $extra_meta_query = isset($args['meta_query']) && !empty($args['meta_query']) ? $args['meta_query'] : array(); if(!empty(self::$meta_query) && count(self::$meta_query) > 0){- $query['meta_query'] = array_merge(self::$meta_query,$extra_meta_query);+ $query['meta_query'] = array_merge(self::$meta_query,$extra_meta_query); // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query }elseif(!empty($extra_meta_query) && count($extra_meta_query) > 0){- $query['meta_query'] = $extra_meta_query;+ $query['meta_query'] = $extra_meta_query; // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query } // Default Query arguments@@ -125,7 +125,7 @@ $query['s'] = $args['s']; } if(isset($args['post__not_in']) && !empty($args['post__not_in'])){- $query['post__not_in'] = $args['post__not_in'];+ $query['post__not_in'] = $args['post__not_in']; // phpcs:ignore WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in } if(isset($args['fields']) && !empty($args['fields'])){ $query['fields'] = $args['fields'];
Vulnerability Existed: no [No Security Vulnerability] - [N/A] - [cube/classes/class-cubewp-query.php] [Lines 88-128] [Old Code] Lines with phpcs warnings but no phpcs:ignore comments addressing performance issues in WordPress queries. [Fixed Code] Lines 91, 94, 95, 118, 119, 128 now include phpcs:ignore comments for: - WordPress.DB.SlowDBQuery.slow_db_query_meta_key - WordPress.DB.SlowDBQuery.slow_db_query_meta_query - WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in Explanation: This diff does not fix a security vulnerability. The changes are purely code quality improvements that suppress WordPress coding standard warnings about performance-impacting database query parameters. The code itself remains functionally identical—no logic changes, input validation, or security-related modifications are present. The phpcs:ignore comments are legitimate suppressions for known performance considerations in WordPress (meta_key, meta_query, and post__not_in parameters can impact database performance), but these are performance warnings, not security vulnerabilities. The code does not introduce or fix SQL injection, authorization bypass, data exposure, or other security flaws. The indentation changes (spaces to tabs) are formatting only. This is a maintenance commit to satisfy code standards compliance, not a security patch.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-relationships.php 2026-01-18 00:20:47.473235790 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-relationships.php 2026-01-18 00:20:56.201778099 +0000@@ -154,7 +154,7 @@ } } $output .= '</div>';-+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo $output; } }@@ -236,20 +236,21 @@ } $output .= '</div>'; + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo $output; } } public function cubewp_remove_relation() {- if ( ! wp_verify_nonce( sanitize_text_field( $_POST['nonce'] ), 'cubewp_remove_nonce' ) ) {+ if (!isset($_POST['nonce']) || ! wp_verify_nonce( sanitize_text_field( wp_unslash($_POST['nonce']) ), 'cubewp_remove_nonce' ) ) { wp_send_json( array( 'status' => 'error', 'msg' => esc_html__( "Security verification failed. Try again later.", "cubewp-framework" ) ) ); }- $relation_id = sanitize_text_field( $_POST['relation_id'] );- $relation_of = sanitize_text_field( $_POST['relation_of'] );- $relation_with = sanitize_text_field( $_POST['relation_with'] );+ $relation_id = isset($_POST['relation_id']) ? sanitize_text_field( wp_unslash($_POST['relation_id']) ) : '';+ $relation_of = isset($_POST['relation_of']) ? sanitize_text_field( wp_unslash($_POST['relation_of']) ) : '';+ $relation_with = isset($_POST['relation_with']) ? sanitize_text_field( wp_unslash($_POST['relation_with']) ) : ''; if ( empty( $relation_id ) || empty( $relation_of ) || empty( $relation_with ) ) { wp_send_json( array( 'status' => 'error',
# Security Analysis: PatchLeaks Code Diff
I'll analyze each change in the provided diff for security vulnerabilities.
---
## Vulnerability 1: Improper Input Validation
**Vulnerability Existed:** yes
**Unvalidated Nonce Verification - CWE-347** - CWE-347 - cube/classes/class-cubewp-relationships.php - Line 244
**Old Code:**
```php
if ( ! wp_verify_nonce( sanitize_text_field( $_POST['nonce'] ), 'cubewp_remove_nonce' ) ) {
```
**Fixed Code:**
```php
if (!isset($_POST['nonce']) || ! wp_verify_nonce( sanitize_text_field( wp_unslash($_POST['nonce']) ), 'cubewp_remove_nonce' ) ) {
```
**Explanation:**
The original code directly accessed `$_POST['nonce']` without checking if it exists first. This could cause a PHP notice/warning if the 'nonce' key doesn't exist in the $_POST array. The fixed code adds an `isset()` check and uses `wp_unslash()` to properly handle slashed input before sanitization, which is the correct WordPress pattern for handling $_POST data.
---
## Vulnerability 2: Missing Input Validation - relation_id Parameter
**Vulnerability Existed:** yes
**Improper Input Validation - CWE-20** - CWE-20 - cube/classes/class-cubewp-relationships.php - Line 250
**Old Code:**
```php
$relation_id = sanitize_text_field( $_POST['relation_id'] );
```
**Fixed Code:**
```php
$relation_id = isset($_POST['relation_id']) ? sanitize_text_field( wp_unslash($_POST['relation_id']) ) : '';
```
**Explanation:**
The original code directly accessed `$_POST['relation_id']` without checking existence. The fixed code adds proper isset() check and wp_unslash() handling. This prevents undefined index notices and ensures proper handling of PHP magic quotes (if enabled in legacy environments).
---
## Vulnerability 3: Missing Input Validation - relation_of Parameter
**Vulnerability Existed:** yes
**Improper Input Validation - CWE-20** - CWE-20 - cube/classes/class-cubewp-relationships.php - Line 251
**Old Code:**
```php
$relation_of = sanitize_text_field( $_POST['relation_of'] );
```
**Fixed Code:**
```php
$relation_of = isset($_POST['relation_of']) ? sanitize_text_field( wp_unslash($_POST['relation_of']) ) : '';
```
**Explanation:**
Same as above - added isset() check and wp_unslash() to properly validate the parameter before sanitization.
---
## Vulnerability 4: Missing Input Validation - relation_with Parameter
**Vulnerability Existed:** yes
**Improper Input Validation - CWE-20** - CWE-20 - cube/classes/class-cubewp-relationships.php - Line 252
**Old Code:**
```php
$relation_with = sanitize_text_field( $_POST['relation_with'] );
```
**Fixed Code:**
```php
$relation_with = isset($_POST['relation_with']) ? sanitize_text_field( wp_unslash($_POST['relation_with']) ) : '';
```
**Explanation:**
Same pattern - proper isset() and wp_unslash() handling added for this parameter.
---
## Note on Output Suppression Comments
The addition of `// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` comments (lines 157 and 239) is not a security fix but rather a code quality suppression. These suppress PHPCS warnings about unescaped output. This is acceptable only if the output is confirmed to be safe HTML already validated elsewhere.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-rest-api.php 2026-01-18 00:20:47.473235790 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-rest-api.php 2026-01-18 00:20:56.201778099 +0000@@ -143,9 +143,7 @@ array( 'methods' => WP_REST_Server::READABLE, 'callback' => array($this, 'get_cubewp_posts'),- 'permission_callback' => function () {- return true;- },+ 'permission_callback' => array($this, 'get_posts_permission_check'), 'args' => $this->get_render_params(), ), )@@ -158,9 +156,7 @@ array( 'methods' => WP_REST_Server::READABLE, 'callback' => array($this, 'get_cubewp_posts_object'),- 'permission_callback' => function () {- return true;- },+ 'permission_callback' => array($this, 'get_posts_permission_check'), 'args' => $this->get_render_params(), ), )@@ -208,6 +204,19 @@ } /**+ * Checks if a given request has permission to access posts via query endpoints.+ * Allows public read access but respects WordPress post visibility rules.+ *+ * @param WP_REST_Request $request Full details about the request.+ * @return true|WP_Error True if the request has read access, WP_Error object otherwise.+ */+ public function get_posts_permission_check($request)+ {+ // Allow public read access (posts will be filtered for visibility)+ return true;+ }++ /** * Retrieves the query params for the search results. * * @return array Collection parameters.@@ -259,12 +268,26 @@ $query = new CubeWp_Query($cwp_query); $posts = $query->cubewp_post_query(); if ($posts->have_posts()) {+ // Filter posts for visibility and security+ $filtered_posts = array();+ foreach ($posts->posts as $post) {+ // Check if user can read this post+ if (! $this->can_user_read_post($post)) {+ continue;+ }+ + // Remove sensitive fields+ $safe_post = $this->sanitize_post_for_response($post);+ if ($safe_post) {+ $filtered_posts[] = $safe_post;+ }+ }+ $data = array(- 'total_posts' => $posts->found_posts,- 'paged' => $posts->query['paged'],+ 'total_posts' => count($filtered_posts),+ 'paged' => isset($posts->query['paged']) ? $posts->query['paged'] : 1, 'max_num_pages' => $posts->max_num_pages,- 'posts' => $posts->posts,-+ 'posts' => $filtered_posts, ); return $data; } else {@@ -285,6 +308,13 @@ while ($posts->have_posts()) { $posts->the_post(); $post_id = get_the_ID();+ $post = get_post($post_id);+ + // Check if user can read this post+ if (! $this->can_user_read_post($post)) {+ continue;+ }+ $return[$post_id]['ID'] = $post_id; $return[$post_id]['title'] = get_the_title(); if (has_post_thumbnail()) {@@ -305,23 +335,15 @@ } } $return[$post_id]['taxonomies'] = isset($post_terms) && ! empty($post_terms) ? array_filter($post_terms) : array();- $post_meta = get_post_meta($post_id);+ + // Get and filter post meta - only expose safe/public meta+ $post_meta = $this->get_safe_post_meta($post_id); - // Iterate over each meta value- foreach ($post_meta as $key => $values) {- foreach ($values as $index => $value) {- // Check if the value is serialized- if (is_serialized($value)) {- $return[$post_id]['post_meta'][$key] = maybe_unserialize($value);- } else {- $return[$post_id]['post_meta'][$key] = $value;- }- }- }+ $return[$post_id]['post_meta'] = $post_meta; } $data = array(- 'total_posts' => $posts->found_posts,- 'paged' => $posts->query['paged'],+ 'total_posts' => count($return),+ 'paged' => isset($posts->query['paged']) ? $posts->query['paged'] : 1, 'max_num_pages' => $posts->max_num_pages, 'posts' => $return, @@ -819,6 +841,137 @@ return array_unique($field_names); // Remove duplicates } + /**+ * Check if the current user can read a specific post.+ * Respects WordPress post visibility rules including password protection.+ *+ * @param WP_Post|object|int $post Post object or post ID.+ * @return bool True if user can read the post, false otherwise.+ */+ private function can_user_read_post($post)+ {+ if (is_numeric($post)) {+ $post = get_post($post);+ }+ + if (! $post || ! is_object($post)) {+ return false;+ }+ + // Check post status+ if ($post->post_status !== 'publish') {+ // Only allow non-published posts if user has edit permission+ if (! current_user_can('edit_post', $post->ID)) {+ return false;+ }+ }+ + // Check password protection - password-protected posts should not be exposed via public API+ if (! empty($post->post_password)) {+ // Only allow if user has edit permission (admin/author)+ if (! current_user_can('edit_post', $post->ID)) {+ // For REST API, we don't have cookie-based password verification+ // So we exclude password-protected posts from public API responses+ return false;+ }+ }+ + // Check if post type is publicly queryable+ $post_type = get_post_type_object($post->post_type);+ if (! $post_type) {+ return false;+ }+ + if (! $post_type->publicly_queryable) {+ // Only allow if user can read this post type+ if (! current_user_can($post_type->cap->read_post, $post->ID)) {+ return false;+ }+ }+ + return true;+ }++ /**+ * Sanitize post object for API response by removing sensitive fields.+ *+ * @param WP_Post|object $post Post object.+ * @return array|false Sanitized post array or false if post should be excluded.+ */+ private function sanitize_post_for_response($post)+ {+ if (is_object($post)) {+ $post_array = (array) $post;+ } else {+ $post_array = $post;+ }+ + // Remove sensitive fields+ unset($post_array['post_password']);+ + // If post is password protected and user doesn't have edit permission, hide content+ if (! empty($post_array['post_password']) && ! current_user_can('edit_post', $post_array['ID'])) {+ // Don't expose password-protected content+ $post_array['post_content'] = '';+ $post_array['post_excerpt'] = '';+ }+ + return $post_array;+ }++ /**+ * Get safe post meta that can be exposed via API.+ * Filters out private meta keys (starting with _) and sensitive data.+ *+ * @param int $post_id Post ID.+ * @return array Filtered post meta array.+ */+ private function get_safe_post_meta($post_id)+ {+ $all_meta = get_post_meta($post_id);+ $safe_meta = array();+ + // Get list of CubeWP custom fields that should be exposed+ $cubewp_fields = array();+ if (class_exists('CubeWp_Single_Cpt')) {+ $cubewp_fields = CubeWp_Single_Cpt::cubewp_post_metas($post_id, true);+ if (is_array($cubewp_fields)) {+ $cubewp_fields = array_keys($cubewp_fields);+ }+ }+ + foreach ($all_meta as $key => $values) {+ // Skip private meta keys (starting with _) unless they're registered CubeWP fields+ if (strpos($key, '_') === 0 && ! in_array($key, $cubewp_fields, true)) {+ continue;+ }+ + // Skip sensitive WordPress internal meta+ $sensitive_keys = array(+ '_edit_lock',+ '_edit_last',+ '_wp_old_slug',+ '_wp_old_date',+ );+ if (in_array($key, $sensitive_keys, true)) {+ continue;+ }+ + // Process meta values - get_post_meta returns array of values+ if (is_array($values) && ! empty($values)) {+ $value = $values[0]; // Get first value+ // Check if the value is serialized+ if (is_serialized($value)) {+ $safe_meta[$key] = maybe_unserialize($value);+ } else {+ $safe_meta[$key] = $value;+ }+ }+ }+ + return $safe_meta;+ }+ public static function init() { $CubeClass = __CLASS__;
# Security Analysis: CubeWP REST API Patch
---
## Vulnerability 1
**Vulnerability Existed:** yes
**Broken Access Control (Authorization Bypass) - CWE-639** - `cube/classes/class-cubewp-rest-api.php` Lines 146-148, 159-161
**Old Code:**
```php
'permission_callback' => function () {
return true;
},
```
**Fixed Code:**
```php
'permission_callback' => array($this, 'get_posts_permission_check'),
```
**Explanation:**
The original code had a hardcoded permission callback that always returned `true`, granting unrestricted access to REST API endpoints regardless of user authentication or capabilities. This is a critical authorization bypass vulnerability. The fix delegates to a proper permission check method, though the implementation still allows public read access (which may be intentional depending on use case requirements).
---
## Vulnerability 2
**Vulnerability Existed:** yes
**Sensitive Data Exposure - CWE-200** - `cube/classes/class-cubewp-rest-api.php` Lines 268-285 (old code)
**Old Code:**
```php
$data = array(
'total_posts' => $posts->found_posts,
'paged' => $posts->query['paged'],
'max_num_pages' => $posts->max_num_pages,
'posts' => $posts->posts,
);
```
**Fixed Code:**
```php
// Filter posts for visibility and security
$filtered_posts = array();
foreach ($posts->posts as $post) {
// Check if user can read this post
if (! $this->can_user_read_post($post)) {
continue;
}
// Remove sensitive fields
$safe_post = $this->sanitize_post_for_response($post);
if ($safe_post) {
$filtered_posts[] = $safe_post;
}
}
$data = array(
'total_posts' => count($filtered_posts),
'paged' => isset($posts->query['paged']) ? $posts->query['paged'] : 1,
'max_num_pages' => $posts->max_num_pages,
'posts' => $filtered_posts,
);
```
**Explanation:**
The original code exposed all post objects directly without filtering for visibility rules or removing sensitive fields like post passwords. This could expose draft/private posts and password-protected content to unauthorized users. The fix implements post visibility checks and sanitization to remove sensitive fields before API responses.
---
## Vulnerability 3
**Vulnerability Existed:** yes
**Sensitive Data Exposure - CWE-200** - `cube/classes/class-cubewp-rest-api.php` Lines 338-348 (old code)
**Old Code:**
```php
$post_meta = get_post_meta($post_id);
// Iterate over each meta value
foreach ($post_meta as $key => $values) {
foreach ($values as $index => $value) {
// Check if the value is serialized
if (is_serialized($value)) {
$return[$post_id]['post_meta'][$key] = maybe_unserialize($value);
} else {
$return[$post_id]['post_meta'][$key] = $value;
}
}
}
```
**Fixed Code:**
```php
// Get and filter post meta - only expose safe/public meta
$post_meta = $this->get_safe_post_meta($post_id);
$return[$post_id]['post_meta'] = $post_meta;
```
**Explanation:**
The original code exposed all post metadata including private fields (prefixed with `_`) without any filtering. WordPress reserves private meta keys for internal use, and exposing them via REST API can leak sensitive configuration data, edit locks, and other WordPress internals. The fix implements a whitelist-based approach via `get_safe_post_meta()` that filters out private meta keys and known sensitive fields.
---
## Summary
This patch addresses **3 critical security vulnerabilities**:
1. **Broken Access Control** - Unrestricted API access due to hardcoded permission bypass
2. **Post Visibility Bypass** - Exposure of draft/private/password-protected posts
3. **Private Metadata Exposure** - Leakage of WordPress internal and sensitive meta fields
The fixes implement proper authorization checks, post visibility filtering, and metadata sanitization.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-saved.php 2026-01-18 00:20:47.477236039 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-saved.php 2026-01-18 00:20:56.201778099 +0000@@ -30,7 +30,8 @@ */ public static function cubewp_saved_post_cookies(){ // Load current favourite posts from cookie- $savePosts = (isset($_COOKIE['CWP_Saved'])) ? explode(',', (string) sanitize_text_field( $_COOKIE['CWP_Saved'] )) : array();+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $savePosts = (isset($_COOKIE['CWP_Saved'])) ? explode(',', (string) sanitize_text_field( wp_unslash($_COOKIE['CWP_Saved']) )) : array(); $savePosts = array_map('absint', $savePosts); // Clean cookie input, it's user input! return $savePosts; }@@ -42,11 +43,11 @@ * @since 1.0.0 */ public static function cubewp_save_post(){- if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-alert-nonce') ) {+ if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-alert-nonce') ) { wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework') ) ); wp_die(); }- $post_id = isset($_POST['post-id']) ? sanitize_text_field($_POST['post-id']) : 0;+ $post_id = isset($_POST['post-id']) ? sanitize_text_field(wp_unslash($_POST['post-id'])) : 0; if( isset($post_id) && $post_id > 0 ){ $savePosts = self::cubewp_saved_post_cookies(); @@ -69,6 +70,7 @@ wp_send_json( array( 'type' => 'success',+ /* translators: %s: post type singular name. */ 'msg' => sprintf(__('Success! Your %s has been saved.', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name), 'text' => sprintf(__('Saved', 'cubewp-framework'),get_post_type($post_id)), )@@ -83,11 +85,11 @@ * @since 1.0.0 */ public static function cubewp_remove_saved_posts(){- if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-alert-nonce') ) {+ if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-alert-nonce') ) { wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework') ) ); wp_die(); }- $post_id = isset($_POST['post-id']) ? sanitize_text_field($_POST['post-id']) : 0;+ $post_id = isset($_POST['post-id']) ? sanitize_text_field(wp_unslash($_POST['post-id'])) : 0; if( isset($post_id) && $post_id > 0 ){ $savePosts = self::cubewp_saved_post_cookies(); @@ -119,6 +121,7 @@ wp_send_json( array( 'type' => 'success',+ /* translators: %s: post type singular name. */ 'msg' => sprintf(__('Success! Your %s has been removed from saved posts.', 'cubewp-framework'), get_post_type_object( get_post_type($post_id) )->labels->singular_name), 'text' => sprintf(__('Save', 'cubewp-framework'), get_post_type($post_id)), )@@ -237,6 +240,7 @@ <?php while($the_query->have_posts()): $the_query->the_post(); $post_id=get_the_ID();+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo CubeWp_frontend_grid_HTML($post_id, $col_class = 'cwp-col-12 cwp-col-md-6'); endwhile; ?>@@ -246,7 +250,7 @@ $grid_view_html = ob_get_contents(); ob_end_clean(); }- wp_reset_query();+ wp_reset_postdata(); } return $grid_view_html; }
I'll analyze this code diff for security vulnerabilities following the specified format.
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-602 - Client-Side Enforcement of Server-Side Security - class-cubewp-saved.php - Line 33
[Old Code]
```php
$savePosts = (isset($_COOKIE['CWP_Saved'])) ? explode(',', (string) sanitize_text_field( $_COOKIE['CWP_Saved'] )) : array();
```
[Fixed Code]
```php
$savePosts = (isset($_COOKIE['CWP_Saved'])) ? explode(',', (string) sanitize_text_field( wp_unslash($_COOKIE['CWP_Saved']) )) : array();
```
Explanation:
The old code failed to apply `wp_unslash()` before sanitizing the cookie value. In WordPress, `$_COOKIE` values may contain escaped slashes (magic quotes behavior in some configurations), and `wp_unslash()` should be applied before sanitization to properly handle slashed input. This is a WordPress security best practice to ensure consistent data handling.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
CWE-347 - Improper Verification of Cryptographic Signature - class-cubewp-saved.php - Line 46
[Old Code]
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-alert-nonce') ) {
```
[Fixed Code]
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-alert-nonce') ) {
```
Explanation:
The nonce value from `$_POST` was passed directly to `wp_verify_nonce()` without sanitization or unslashing. The `wp_verify_nonce()` function expects a properly cleaned string. By applying `wp_unslash()` and `sanitize_text_field()`, the fix ensures the nonce is properly cleaned before verification, preventing potential bypass vulnerabilities due to unexpected character encoding or slashing.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
CWE-20 - Improper Input Validation - class-cubewp-saved.php - Line 50
[Old Code]
```php
$post_id = isset($_POST['post-id']) ? sanitize_text_field($_POST['post-id']) : 0;
```
[Fixed Code]
```php
$post_id = isset($_POST['post-id']) ? sanitize_text_field(wp_unslash($_POST['post-id'])) : 0;
```
Explanation:
Missing `wp_unslash()` before sanitization. User input from `$_POST` may contain escaped slashes that need to be unslashed before sanitization to properly clean the data. This ensures consistent handling of potentially escaped input.
---
**Vulnerability 4:**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-347 - Improper Verification of Cryptographic Signature - class-cubewp-saved.php - Line 88
[Old Code]
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-alert-nonce') ) {
```
[Fixed Code]
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-alert-nonce') ) {
```
Explanation:
Same vulnerability as #2 - nonce value passed without sanitization/unslashing. The fix ensures proper data cleaning before cryptographic nonce verification.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
CWE-20 - Improper Input Validation - class-cubewp-saved.php - Line 92
[Old Code]
```php
$post_id = isset($_POST['post-id']) ? sanitize_text_field($_POST['post-id']) : 0;
```
[Fixed Code]
```php
$post_id = isset($_POST['post-id']) ? sanitize_text_field(wp_unslash($_POST['post-id'])) : 0;
```
Explanation:
Same vulnerability as #3 - missing `wp_unslash()` before sanitizing POST data containing potentially escaped characters.
---
**Vulnerability 6:**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code - class-cubewp-saved.php - Line 243
[Old Code]
```php
echo CubeWp_frontend_grid_HTML($post_id, $col_class = 'cwp-col-12 cwp-col-md-6');
```
[Fixed Code]
```php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo CubeWp_frontend_grid_HTML($post_id, $col_class = 'cwp-col-12 cwp-col-md-6');
```
Explanation:
The fix adds a phpcs ignore comment, but does not actually escape the output from `CubeWp_frontend_grid_HTML()`. This is not a true security fix - it only suppresses the PHPCS warning. The underlying vulnerability (unescaped output) remains. The function output should be properly escaped with `wp_kses_post()`, `esc_html()`, or similar, depending on the expected content type.
---
**Non-Vulnerability (Code Quality):**
Vulnerability Existed: no
CWE-N/A - class-cubewp-saved.php - Line 253
[Old Code]
```php
wp_reset_query();
```
[Fixed Code]
```php
wp_reset_postdata();
```
Explanation:
This change replaces `wp_reset_query()` with `wp_reset_postdata()`. This is a WordPress best practice correction, not a security fix. `wp_reset_postdata()` is the preferred function to reset the global post data after using `WP_Query`, while `wp_reset_query()` is deprecated in favor of `wp_reset_postdata()`.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-single-cpt.php 2026-01-18 00:20:47.477236039 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-single-cpt.php 2026-01-18 00:20:56.201778099 +0000@@ -94,8 +94,8 @@ $value = self::get_single_meta_value($meta_key, $field_type); $args[$meta_key] = array( 'type' => $field_type,- 'meta_key' => $meta_key,- 'meta_value' => $value,+ 'meta_key' => $meta_key,// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key+ 'meta_value' => $value,// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value 'label' => $label, ); }@@ -213,7 +213,7 @@ public static function field_author() { $user_id = self::$author_id;- return get_user_details($user_id);+ return cubewp_get_user_details($user_id); } /**@@ -284,7 +284,8 @@ } else if (method_exists(__CLASS__, 'field_' . $field_type)) { $output .= call_user_func(array(__CLASS__, 'field_' . $field_type), $options); } else {- $output .= '<p style="color: #ff0000">' . sprintf(esc_html__("Invalid Field Type: %s", "cubewp-framework"), $field_type) . '</p>';+ /* translators: %s: field type. */+ $output .= '<p style="color: #ff0000">' . sprintf( esc_html__( "Invalid Field Type: %s", "cubewp-framework" ), $field_type ) . '</p>'; } } return $output;@@ -411,6 +412,7 @@ */ public static function get_single_sidebar_area() {+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::get_post_sidebar(); } /**@@ -420,6 +422,7 @@ */ public static function get_single_content_area() {+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::get_post_content(); }
I'll analyze this code diff for security vulnerabilities.
Vulnerability 1: Security Bypass via phpcs Ignore Comments
Vulnerability Existed: yes
FALSE POSITIVE
Unescaped Output - CWE-79 - cube/classes/class-cubewp-single-cpt.php - Lines 415, 425
[Old Code]
echo self::get_post_sidebar();
echo self::get_post_content();
[Fixed Code]
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo self::get_post_sidebar();
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo self::get_post_content();
Explanation:
The addition of "phpcs:ignore" comments at lines 415 and 425 suppresses WordPress security warnings about unescaped output without actually fixing the underlying vulnerability. The output from `self::get_post_sidebar()` and `self::get_post_content()` is echoed directly to the page without any escaping (esc_html, wp_kses, etc.). This is a CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) vulnerability. Adding phpcs comments that tell the linter to ignore the warning does NOT remediate the vulnerability—it only hides it from static analysis. Any user-controlled data in the post sidebar or content could be injected as malicious scripts.
Vulnerability 2: WordPress Function Name Change
Vulnerability Existed: yes
FALSE POSITIVE
Use of Undefined Function - CWE-440 - cube/classes/class-cubewp-single-cpt.php - Line 216
[Old Code]
return get_user_details($user_id);
[Fixed Code]
return cubewp_get_user_details($user_id);
Explanation:
The function `get_user_details()` does not exist in WordPress core or standard plugins. It was either a custom function that was removed or undefined, creating a fatal error condition. The fix changes it to `cubewp_get_user_details()`, which appears to be a properly namespaced custom function. While this fixes the undefined function issue, it's not a security vulnerability per se, but rather a functional bug that could cause the application to crash. However, this is a best practice correction (using namespaced functions to avoid conflicts).
Vulnerability 3: Code Quality - Formatting and Comment Changes
Vulnerability Existed: no
Code Style Enhancement - No CWE - cube/classes/class-cubewp-single-cpt.php - Lines 97-98, 287-288
[Old Code]
'meta_key' => $meta_key,
'meta_value' => $value,
sprintf(esc_html__("Invalid Field Type: %s", "cubewp-framework"), $field_type)
[Fixed Code]
'meta_key' => $meta_key,// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key
'meta_value' => $value,// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value
sprintf( esc_html__( "Invalid Field Type: %s", "cubewp-framework" ), $field_type )
Explanation:
These changes add phpcs ignore comments and improve formatting/spacing. The phpcs comments suppress warnings about slow database queries when using meta_key and meta_value in queries. These are intentional linter suppressions where the developer has acknowledged the performance implications. The formatting changes improve WordPress coding standards compliance (proper spacing around function parameters). These are not security vulnerabilities but code quality improvements.
---
**Summary**: The most significant security concern is the unescaped output issue at lines 415 and 425, where phpcs ignore comments mask but do not fix a potential XSS vulnerability.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-single-page-trait.php 2026-01-18 00:20:47.477236039 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-single-page-trait.php 2026-01-18 00:20:56.201778099 +0000@@ -1,4 +1,5 @@ <?php+ /** * CubeWp single page trait contains all type of field's HTML for single page. *@@ -6,12 +7,13 @@ * @package cubewp/cube/classes */ -if ( ! defined( 'ABSPATH' ) ) {+if (! defined('ABSPATH')) { exit; } -trait CubeWp_Single_Page_Trait {- +trait CubeWp_Single_Page_Trait+{+ /** * Method field_taxonomy *@@ -20,29 +22,30 @@ * @return string html * @since 1.0.0 */- public static function field_taxonomy($args = array()) {+ public static function field_taxonomy($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['not_formatted_value'] = $args['value'];- $args['value'] = cwp_handle_data_format( $args );+ $args['value'] = cwp_handle_data_format($args); $output = null; if (isset($args['value']) && ! empty($args['value']) && is_array($args['value'])) {- $output = '<div class="cwp-cpt-single-category-container cwp-cpt-single-field-container '.esc_attr($args['container_class']).' '.esc_attr($args['field_size']).'">';+ $output = '<div class="cwp-cpt-single-category-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '">'; $output .= '<h4>' . $args['label'] . '</h4>'; $output .= '<ul class="cwp-single-category-widget-inner ' . $args['class'] . '">';- foreach ($args['value'] as $terms) {- $output .= '<li>+ foreach ($args['value'] as $terms) {+ $output .= '<li> <a href="' . get_term_link($terms) . '"> <p>' . $terms->name . '</p> </a> </li>';- }- $output .= '</div>';+ }+ $output .= '</div>'; $output .= '</ul>'; } return apply_filters('cubewp/singlecpt/field/taxonomy', $output, $args); }- + /** * Method field_text *@@ -51,12 +54,13 @@ * @return string html * @since 1.0.0 */- public static function field_text($args = array()) {+ public static function field_text($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-text-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-text-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-text ' . $args['class'] . '"><p>' . esc_html($args['value']) . '</p></div> </div>';@@ -64,21 +68,22 @@ return apply_filters('cubewp/singlecpt/field/text', $output, $args); }- + /** * Method field_number *- * @param array $args field data+ * @param array $args field data * * @return string html * @since 1.0.0 */- public static function field_number($args = array()) {+ public static function field_number($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-number-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-number-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-number ' . $args['class'] . '"> ' . esc_html($args['value']) . '@@ -88,7 +93,7 @@ return apply_filters('cubewp/singlecpt/field/number', $output, $args); }- + /** * Method field_email *@@ -97,12 +102,13 @@ * @return string html * @since 1.0.0 */- public static function field_email($args = array()) {+ public static function field_email($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-email-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-email-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-email ' . $args['class'] . '"> <a href="mailto:' . esc_html($args['value']) . '">' . esc_html($args['value']) . '</a>@@ -112,30 +118,31 @@ return apply_filters('cubewp/singlecpt/field/email', $output, $args); }- + /** * Method field_url *- * @param array $args field data+ * @param array $args field data * * @return string html * @since 1.0.0 */- public static function field_url($args = array()) {- $args['container_class'] = isset( $args['container_class'] ) ? $args['container_class'] : '';+ public static function field_url($args = array())+ {+ $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $rel_attr = '';- $field_name = isset( $args['name'] ) && ! empty( $args['name'] ) ? $args['name'] : '';- if ( ! empty( $field_name ) ) {- $field = get_field_options( $field_name );- $rel = isset( $field['rel_attr'] ) && ! empty( $field['rel_attr'] ) ? $field['rel_attr'] : '';- if ( ! empty( $rel ) && $rel != 'do-follow' ) {- $rel_attr = 'rel="' . esc_attr( $rel ) . '"';+ $field_name = isset($args['name']) && ! empty($args['name']) ? $args['name'] : '';+ if (! empty($field_name)) {+ $field = get_field_options($field_name);+ $rel = isset($field['rel_attr']) && ! empty($field['rel_attr']) ? $field['rel_attr'] : '';+ if (! empty($rel) && $rel != 'do-follow') {+ $rel_attr = 'rel="' . esc_attr($rel) . '"'; } } $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-url-container cwp-cpt-single-field-container ' . esc_attr( $args['container_class'] ) . ' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-url-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-url ' . $args['class'] . '"> <a ' . $rel_attr . ' href="' . esc_url($args['value']) . '">' . esc_url($args['value']) . '</a>@@ -145,7 +152,7 @@ return apply_filters('cubewp/singlecpt/field/url', $output, $args); }- + /** * Method field_password *@@ -154,12 +161,13 @@ * @return string html * @since 1.0.0 */- public static function field_password($args = array()) {+ public static function field_password($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-password-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-password-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-password ' . $args['class'] . '"> <input type="password" value="' . esc_html($args['value']) . '" readonly disabled>@@ -169,7 +177,7 @@ return apply_filters('cubewp/singlecpt/field/password', $output, $args); }- + /** * Method field_textarea *@@ -178,12 +186,13 @@ * @return string html * @since 1.0.0 */- public static function field_textarea($args = array()) {+ public static function field_textarea($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-textarea-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-textarea-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-textarea ' . $args['class'] . '"> <p>' . wp_kses_post($args['value']) . '</p>@@ -193,7 +202,7 @@ return apply_filters('cubewp/singlecpt/field/textarea', $output, $args); }- + /** * Method field_wysiwyg_editor *@@ -202,12 +211,13 @@ * @return string html * @since 1.0.0 */- public static function field_wysiwyg_editor($args = array()) {+ public static function field_wysiwyg_editor($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-wysiwyg_editor-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-wysiwyg_editor-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-wysiwyg_editor ' . $args['class'] . '"> ' . wp_kses_post($args['value']) . '@@ -217,7 +227,7 @@ return apply_filters('cubewp/singlecpt/field/wysiwyg_editor', $output, $args); }- + /** * Method field_oembed *@@ -226,22 +236,23 @@ * @return string html * @since 1.0.0 */- public static function field_oembed($args = array()) {+ public static function field_oembed($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty(wp_oembed_get($args['value']))){- $output = '<div class="cwp-cpt-single-oembed-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty(wp_oembed_get($args['value']))) {+ $output = '<div class="cwp-cpt-single-oembed-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-oembed ' . $args['class'] . '"> ' . wp_oembed_get($args['value']) . ' </div> </div>';- }+ } return apply_filters('cubewp/singlecpt/field/oembed', $output, $args); }- + /** * Method field_gallery *@@ -250,38 +261,39 @@ * @return string html * @since 1.0.0 */- public static function field_gallery($args = array()) {- wp_enqueue_script( 'cubewp-pretty-photo' );- wp_enqueue_style( 'cubewp-pretty-photo' );+ public static function field_gallery($args = array())+ {+ wp_enqueue_script('cubewp-pretty-photo');+ wp_enqueue_style('cubewp-pretty-photo'); $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null; $args['not_formatted_value'] = $args['value'];- $args['value'] = cwp_handle_data_format( $args );- if (is_array($args['value']) && ! empty( $args['value'] )) {+ $args['value'] = cwp_handle_data_format($args);+ if (is_array($args['value']) && ! empty($args['value'])) { $gallery_id = $args['id'] ?? wp_rand();- $output .= '<div class="cwp-cpt-single-gallery-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ $output .= '<div class="cwp-cpt-single-gallery-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-gallery ' . $args['class'] . '">';- foreach ($args['value'] as $galleryItemID) {- $galleryItemID = cwp_get_attachment_id( $galleryItemID );- $galleryItemURL = wp_get_attachment_url($galleryItemID);- $galleryItemCaption = wp_get_attachment_caption($galleryItemID);- if (empty($galleryItemCaption)) {- $galleryItemCaption = esc_html__('Gallery Image', 'cubewp-framework');- }- $output .= '<a href="' . esc_url($galleryItemURL) . '" rel="prettyPhoto[' . $gallery_id . ']" title="" class="cwp-cpt-single-gallery-item">';- $output .= '<img src="' . esc_url($galleryItemURL) . '" alt="' . esc_attr($galleryItemCaption) . '">';- $output .= '</a>';+ foreach ($args['value'] as $galleryItemID) {+ $galleryItemID = cwp_get_attachment_id($galleryItemID);+ $galleryItemURL = wp_get_attachment_url($galleryItemID);+ $galleryItemCaption = wp_get_attachment_caption($galleryItemID);+ if (empty($galleryItemCaption)) {+ $galleryItemCaption = esc_html__('Gallery Image', 'cubewp-framework'); }- $output .= '</div>+ $output .= '<a href="' . esc_url($galleryItemURL) . '" rel="prettyPhoto[' . $gallery_id . ']" title="" class="cwp-cpt-single-gallery-item">';+ $output .= '<img src="' . esc_url($galleryItemURL) . '" alt="' . esc_attr($galleryItemCaption) . '">';+ $output .= '</a>';+ }+ $output .= '</div> </div>'; } return apply_filters('cubewp/singlecpt/field/gallery', $output, $args); }- + /** * Method field_file *@@ -290,26 +302,27 @@ * @return string html * @since 1.0.0 */- public static function field_file($args = array()) {- $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : '';+ public static function field_file($args = array())+ {+ $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- $args['value'] = cwp_get_attachment_id( $args['value'] );+ $args['value'] = cwp_get_attachment_id($args['value']); $fileItemURL = wp_get_attachment_url($args['value']);- if(!empty($fileItemURL)){- $output = '<div class="cwp-cpt-single-file-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty($fileItemURL)) {+ $output = '<div class="cwp-cpt-single-file-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-file ' . $args['class'] . '"> <a href="' . esc_url($fileItemURL) . '" download>' . esc_html__('Download File', 'cubewp-framework') . '</a> </div> </div>';- }else{- $output='';- }+ } else {+ $output = '';+ } return apply_filters('cubewp/singlecpt/field/file', $output, $args); }- + /** * Method field_switch *@@ -318,13 +331,14 @@ * @return string html * @since 1.0.0 */- public static function field_switch($args = array()) {+ public static function field_switch($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $args['value'] = esc_html__( $args['value'], 'cubewp-framework' );- $output = '<div class="cwp-cpt-single-switch-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $args['value'] = esc_html($args['value']);+ $output = '<div class="cwp-cpt-single-switch-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-switch ' . $args['class'] . '"><p>' . esc_html($args['value']) . '</p></div> </div>';@@ -332,7 +346,7 @@ return apply_filters('cubewp/singlecpt/field/switch', $output, $args); }- + /** * Method field_dropdown *@@ -341,30 +355,31 @@ * @return string html * @since 1.0.0 */- public static function field_dropdown($args = array()) {+ public static function field_dropdown($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null; $args['not_formatted_value'] = $args['value'];- $args['value'] = cwp_handle_data_format( $args );- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-switch-dropdown cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ $args['value'] = cwp_handle_data_format($args);+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-switch-dropdown cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <ul class="' . $args['class'] . '">';- if (is_array($args['value'])) {- foreach ($args['value'] as $dropdownValue):- $output .= '<li>' . esc_html($dropdownValue) . '</li>';- endforeach;- } else {- $output .= '<li>' . esc_html($args['value']) . '</li>';- }- $output .= '</ul>+ if (is_array($args['value'])) {+ foreach ($args['value'] as $dropdownValue):+ $output .= '<li>' . esc_html($dropdownValue) . '</li>';+ endforeach;+ } else {+ $output .= '<li>' . esc_html($args['value']) . '</li>';+ }+ $output .= '</ul> </div>'; } return apply_filters('cubewp/singlecpt/field/dropdown', $output, $args); }- + /** * Method field_checkbox *@@ -373,15 +388,16 @@ * @return string html * @since 1.0.0 */- public static function field_checkbox($args = array()) {- + public static function field_checkbox($args = array())+ {+ $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null; $args['not_formatted_value'] = $args['value'];- $args['value'] = cwp_handle_data_format( $args );- if (!empty($args['value'])){- $output = '<div class="cwp-cpt-single-switch-checkbox cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ $args['value'] = cwp_handle_data_format($args);+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-switch-checkbox cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4>'; $output .= '<ul class="' . $args['class'] . '">'; if (is_array($args['value'])) {@@ -392,14 +408,14 @@ $output .= '<li>' . esc_html($args['value']) . '</li>'; } $output .= '</ul>';- $output .= '</div>';- }else{- return '';- }+ $output .= '</div>';+ } else {+ return '';+ } return apply_filters('cubewp/singlecpt/field/checkbox', $output, $args); }- + /** * Method field_radio *@@ -408,12 +424,13 @@ * @return string html * @since 1.0.0 */- public static function field_radio($args = array()) {+ public static function field_radio($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-switch-radio cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-switch-radio cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <ul class="' . $args['class'] . '"> <li>' . esc_html($args['value']) . '</li>@@ -424,7 +441,7 @@ return apply_filters('cubewp/singlecpt/field/radio', $output, $args); } - /**+ /** * Method field_business_hours * * @param array $args field data@@ -432,23 +449,24 @@ * @return string html * @since 1.0.0 */- public static function field_business_hours($args = array()) {+ public static function field_business_hours($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : '';- $output = null;- if (!empty($args['value']) && is_array($args['value'])) {+ $output = null;+ if (!empty($args['value']) && is_array($args['value'])) { $status = cwp_business_hours_status($args['value']);- $output = '<div class="cwp-cpt-single-business_hours cwp-cpt-single-field-container' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '">+ $output = '<div class="cwp-cpt-single-business_hours cwp-cpt-single-field-container' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4>- <p class="cwp-business-status '.$status.'">'.$status.'</p>+ <p class="cwp-business-status ' . $status . '">' . $status . '</p> <div class="cwp-business-hours ' . $args['class'] . '">'; $time_format = get_option('time_format'); foreach ($args['value'] as $day => $times) { $output .= '<div class="cwp-cpt-single-field-container">'; $output .= '<h6>' . ucfirst($day) . '</h6>';- if(!is_array($times) && is_string($times) && $times == '24-hours-open'){- $output .= '<p> '. __('24 Hours Open','cubewp-framework') .'</p>';- }else{+ if (!is_array($times) && is_string($times) && $times == '24-hours-open') {+ $output .= '<p> ' . __('24 Hours Open', 'cubewp-framework') . '</p>';+ } else { $openTimes = $times['open']; $closeTimes = $times['close']; $output .= '<div class="cwp-single-day-timings">';@@ -459,16 +477,16 @@ } $output .= '</div>'; }- - ++ $output .= '</div>'; }- $output .= '</div>+ $output .= '</div> </div>';- }+ } return apply_filters('cubewp/singlecpt/field/business_hour', $output, $args); }- + /** * Method field_google_address *@@ -477,11 +495,12 @@ * @return string html * @since 1.0.0 */- public static function field_google_address($args = array()) {+ public static function field_google_address($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if (is_array($args['value']) && (isset($args['value']['address']) && isset($args['value']['lat']) && isset($args['value']['lng'])) && !empty($args['value']['lat']) && !empty($args['value']['lng']) ) {+ if (is_array($args['value']) && (isset($args['value']['address']) && isset($args['value']['lat']) && isset($args['value']['lng'])) && !empty($args['value']['lat']) && !empty($args['value']['lng'])) { CubeWp_Enqueue::enqueue_style('cwp-map-cluster'); CubeWp_Enqueue::enqueue_style('cwp-leaflet-css'); @@ -492,8 +511,8 @@ $address = $args['value']['address']; $lat = $args['value']['lat']; $lng = $args['value']['lng'];- $pin = is_single() ? apply_filters( 'cubewp/search_result/map/pin', '', get_the_ID() ) : '';- $output .= '<div class="cwp-cpt-single-google_address cwp-cpt-single-field-container '.esc_attr($args['container_class']).' '.esc_attr($args['field_size']).'">+ $pin = is_single() ? apply_filters('cubewp/search_result/map/pin', '', get_the_ID()) : '';+ $output .= '<div class="cwp-cpt-single-google_address cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-single-loc ' . $args['class'] . '"> <div class="cpt-single-map" data-latitude="' . $lat . '" data-longitude="' . $lng . '" data-pinicon="' . $pin . '" style="height: 300px;width: 100%;"></div>@@ -511,21 +530,22 @@ return apply_filters('cubewp/singlecpt/field/google_address', $output, $args); }- + /** * Method field_date_picker *- * @param array $args field data+ * @param array $args field data * * @return string html * @since 1.0.0 */- public static function field_date_picker($args = array()) {+ public static function field_date_picker($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-date_picker cwp-cpt-single-field-container '.esc_attr($args['container_class']).' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-date_picker cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-date_picker ' . $args['class'] . '"> <p>' . date_i18n(get_option('date_format'), $args['value']) . '</p>@@ -535,21 +555,22 @@ return apply_filters('cubewp/singlecpt/field/date_picker', $output, $args); }- + /** * Method field_date_time_picker *- * @param array $args field data+ * @param array $args field data * * @return string html * @since 1.0.0 */- public static function field_date_time_picker($args = array()) {+ public static function field_date_time_picker($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-date_time_picker cwp-cpt-single-field-container '.esc_attr($args['container_class']).' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-date_time_picker cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-date_time_picker ' . $args['class'] . '"> <p>' . date_i18n(get_option('date_format') . ' ' . get_option('time_format'), $args['value']) . '</p>@@ -559,7 +580,7 @@ return apply_filters('cubewp/singlecpt/field/date_time_picker', $output, $args); }- + /** * Method field_time_picker *@@ -568,12 +589,13 @@ * @return string html * @since 1.0.0 */- public static function field_time_picker($args = array()) {+ public static function field_time_picker($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- if(!empty($args['value'])){- $output = '<div class="cwp-cpt-single-time_picker cwp-cpt-single-field-container '.esc_attr($args['container_class']).' '.esc_attr($args['field_size']).'">+ if (!empty($args['value'])) {+ $output = '<div class="cwp-cpt-single-time_picker cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-time_picker ' . $args['class'] . '"> <p>' . date_i18n(get_option('time_format'), strtotime($args['value'])) . '</p>@@ -583,7 +605,7 @@ return apply_filters('cubewp/singlecpt/field/time_picker', $output, $args); }- + /** * Method field_repeating_field *@@ -592,40 +614,44 @@ * @return string html * @since 1.0.0 */- public static function field_repeating_field($args = array()) {+ public static function field_repeating_field($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : '';- $values = $args['value'];+ $values = $args['value']; $output = '';- if (is_array($values) && isset($values) && !empty($values)) {- $output .= '<div class="cwp-cpt-single-repeating-field cwp-cpt-single-field-container '.esc_attr($args['container_class']).' '.esc_attr($args['field_size']).'">+ if (is_array($values) && isset($values) && !empty($values)) {+ $output .= '<div class="cwp-cpt-single-repeating-field cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4>';- for ($i = 0; $i < count($values); $i ++) {- $output .= '<div class="cwp-cpt-single-repeating-field-inner">';+ for ($i = 0; $i < count($values); $i++) {+ $output .= '<div class="cwp-cpt-single-repeating-field-inner">';+ if (is_array($values[$i]) && isset($values[$i]) && !empty($values[$i])) { foreach ($values[$i] as $k => $value) { $field_type = $value['type'];- $options = get_field_options( $k );+ $options = get_field_options($k); $options['value'] = $value['value'];- $options['label'] = isset( $value['label'] ) ? $value['label'] : $options['label'];+ $options['label'] = isset($value['label']) ? $value['label'] : $options['label']; $value = $options; $value['class'] = isset($value['class']) ? $value['class'] : ''; $value['container_class'] = isset($value['container_class']) ? $value['container_class'] : '';- $value = apply_filters( 'cubewp/custom/cube/field/options', $value );+ $value = apply_filters('cubewp/custom/cube/field/options', $value); if (method_exists(__CLASS__, 'field_' . $field_type)) {- $output .= call_user_func( array( __CLASS__, 'field_' . $field_type ), $value);+ $output .= call_user_func(array(__CLASS__, 'field_' . $field_type), $value); } else {+ /* translators: %s: field type. */ $output .= '<p style="color: #ff0000">' . sprintf(esc_html__("Invalid Field Type: %s", "cubewp-framework"), $field_type) . '</p>'; } }- $output .= '</div>'; }- - $output .= '</div>';- }+ $output .= '</div>';+ }++ $output .= '</div>';+ } return apply_filters('cubewp/singlecpt/field/repeating_field', $output, $args); }- + /** * Method field_terms *@@ -634,38 +660,39 @@ * @return string html * @since 1.0.0 */- public static function field_terms($args = array()) {+ public static function field_terms($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null; $args['not_formatted_value'] = $args['value'];- $args['value'] = cwp_handle_data_format( $args );+ $args['value'] = cwp_handle_data_format($args); if ((!is_array($args['value']) && isset($args['value']) && !empty($args['value'])) || (is_array($args['value']) && isset($args['value'][0]) && $args['value'][0] != '')) {- $output = '<div class="cwp-cpt-single-category-container cwp-cpt-single-field-container '.esc_attr($args['container_class']).' '.esc_attr($args['field_size']).'">';+ $output = '<div class="cwp-cpt-single-category-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '">'; $output .= '<h4>' . $args['label'] . '</h4>'; $output .= '<ul class="cwp-single-category-widget-inner ' . $args['class'] . '">';- if (is_array($args['value'])) {- foreach ($args['value'] as $terms) {- $terms = get_term($terms);- if ( ! empty($terms) && !is_wp_error( $terms )) {- $output .= '<li>- <a href="' . get_term_link( $terms ) . '">+ if (is_array($args['value'])) {+ foreach ($args['value'] as $terms) {+ $terms = get_term($terms);+ if (! empty($terms) && !is_wp_error($terms)) {+ $output .= '<li>+ <a href="' . get_term_link($terms) . '"> <p>' . $terms->name . '</p> </a> </li>';- } }- }else {- $terms = get_term($args['value']);- if ( ! empty($terms)) {- $output .= '<li>+ }+ } else {+ $terms = get_term($args['value']);+ if (! empty($terms)) {+ $output .= '<li> <a href="' . get_term_link($terms) . '"> <p>' . $terms->name . '</p> </a> </li>';- } }- $output .= '</div>';+ }+ $output .= '</div>'; $output .= '</ul>'; } @@ -680,84 +707,86 @@ * @return string html * @since 1.0.0 */- public static function field_user($args = array()) {+ public static function field_user($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null; $args['not_formatted_value'] = $args['value'];- $args['value'] = cwp_handle_data_format( $args );+ $args['value'] = cwp_handle_data_format($args); $value = ''; if (isset($args['value']) && ! empty($args['value'])) { $value = $args['value']; } if (is_array($value)) {- $value = array_filter( $value, 'ucfirst' );+ $value = array_filter($value, 'ucfirst'); } - if ( ! empty($value)) {- $output .= '<div class="cwp-cpt-single-user-container cwp-cpt-single-field-container '.esc_attr($args['container_class']).' '.esc_attr($args['field_size']).'">+ if (! empty($value)) {+ $output .= '<div class="cwp-cpt-single-user-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4>';- $output .= '<div class="cwp-row cwp-user-row ' . $args['class'] . '">';- if (is_array($value)) {- foreach ($value as $user_id) {- $output .= '<div class="cwp-col-md-6 cwp-user-col">';- $output .= get_user_details($user_id);- $output .= '</div>';- }- } else {- $user_data = get_userdata($value);- if (!empty($user_data) && is_object($user_data)) {- $output .= '<div class="cwp-col-md-6">';- $output .= get_user_details($value);- $output .= '</div>';- }+ $output .= '<div class="cwp-row cwp-user-row ' . $args['class'] . '">';+ if (is_array($value)) {+ foreach ($value as $user_id) {+ $output .= '<div class="cwp-col-md-6 cwp-user-col">';+ $output .= cubewp_get_user_details($user_id);+ $output .= '</div>'; }- $output .= '</div>+ } else {+ $user_data = get_userdata($value);+ if (!empty($user_data) && is_object($user_data)) {+ $output .= '<div class="cwp-col-md-6">';+ $output .= cubewp_get_user_details($value);+ $output .= '</div>';+ }+ }+ $output .= '</div> </div>'; } return apply_filters('cubewp/singlecpt/field/user', $output, $args); }- + /** * Method field_post *- * @param array $args field data+ * @param array $args field data * * @return string html * @since 1.0.0 */- public static function field_post($args = array()) {+ public static function field_post($args = array())+ { $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null; $args['not_formatted_value'] = $args['value'];- $args['value'] = cwp_handle_data_format( $args );+ $args['value'] = cwp_handle_data_format($args); $value = ''; if (isset($args['value']) && ! empty($args['value'])) { $value = $args['value']; } if (is_array($value)) {- $value = array_filter( $value, 'ucfirst' );+ $value = array_filter($value, 'ucfirst'); }- if ( ! empty($value) && $value != 'N/A') {- $output .= '<div class="cwp-cpt-single-post-container cwp-cpt-single-field-container '.esc_attr($args['container_class']).' '.esc_attr($args['field_size']).'">+ if (! empty($value) && $value != 'N/A') {+ $output .= '<div class="cwp-cpt-single-post-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4>';- $output .= '<div class="cwp-row cwp-post-row ' . $args['class'] . '">';- if (is_array($value)) {- foreach ($value as $post_id) {- $output .= CubeWp_frontend_grid_HTML($post_id);- }- }else{- $output .= CubeWp_frontend_grid_HTML($value);+ $output .= '<div class="cwp-row cwp-post-row ' . $args['class'] . '">';+ if (is_array($value)) {+ foreach ($value as $post_id) {+ $output .= CubeWp_frontend_grid_HTML($post_id); }- $output .= '</div>+ } else {+ $output .= CubeWp_frontend_grid_HTML($value);+ }+ $output .= '</div> </div>'; } return apply_filters('cubewp/singlecpt/field/post', $output, $args); }- + /** * Method field_image *@@ -766,47 +795,49 @@ * @return string html * @since 1.0.0 */- public static function field_image($args = array()) {- wp_enqueue_script( 'cubewp-pretty-photo' );- wp_enqueue_style( 'cubewp-pretty-photo' );- $args['value'] = cwp_get_attachment_id( $args['value'] );+ public static function field_image($args = array())+ {+ wp_enqueue_script('cubewp-pretty-photo');+ wp_enqueue_style('cubewp-pretty-photo');+ $args['value'] = cwp_get_attachment_id($args['value']); $args['field_size'] = isset($args['field_size']) ? $args['field_size'] : ''; $args['container_class'] = isset($args['container_class']) ? $args['container_class'] : ''; $output = null;- $imageURL = wp_get_attachment_url($args['value']);- if (isset($args['value']) && !empty ($imageURL)) {+ $imageURL = wp_get_attachment_url($args['value']);+ if (isset($args['value']) && !empty($imageURL)) { $gallery_id = $args['id'] ?? wp_rand();- $output .= '<div class="cwp-cpt-single-image-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' '.esc_attr($args['field_size']).'">+ $output .= '<div class="cwp-cpt-single-image-container cwp-cpt-single-field-container ' . esc_attr($args['container_class']) . ' ' . esc_attr($args['field_size']) . '"> <h4>' . $args['label'] . '</h4> <div class="cwp-cpt-single-image ' . $args['class'] . '">';- $imageCaption = wp_get_attachment_caption($args['value']);- if (empty($imageCaption)) {- $imageCaption = esc_html__('Image', 'cubewp-framework');- }- $output .= '<a href="' . esc_url($imageURL) . '" rel="prettyPhoto[' . $gallery_id . ']" title="" class="cwp-cpt-single-image-item">';- $output .= '<img src="' . esc_url($imageURL) . '" alt="' . esc_attr($imageCaption) . '">';- $output .= '</a>';- $output .= '</div>+ $imageCaption = wp_get_attachment_caption($args['value']);+ if (empty($imageCaption)) {+ $imageCaption = esc_html__('Image', 'cubewp-framework');+ }+ $output .= '<a href="' . esc_url($imageURL) . '" rel="prettyPhoto[' . $gallery_id . ']" title="" class="cwp-cpt-single-image-item">';+ $output .= '<img src="' . esc_url($imageURL) . '" alt="' . esc_attr($imageCaption) . '">';+ $output .= '</a>';+ $output .= '</div> </div>'; } return apply_filters('cubewp/singlecpt/field/image', $output, $args); } - /**- * Method field_color- *- * @param array $args field data- *- * @return string html- * @since 1.0.0- */- public static function field_color($args = array()) {+ /**+ * Method field_color
I'll analyze this code diff for security fixes. This diff appears to be primarily code formatting and style improvements rather than security-related changes. Let me examine it systematically. ## Security Analysis **Vulnerability Existed: No** No security vulnerabilities were fixed in this diff. The changes are exclusively code formatting and style improvements: 1. **Spacing and indentation normalization** - Converting inconsistent spacing to standard PSR-2 style 2. **Quote consistency** - Using consistent quote styles in function calls 3. **String concatenation formatting** - Properly spacing concatenation operators 4. **Brace placement** - Moving opening braces to new lines for consistency 5. **Function call parentheses** - Removing spaces before parentheses 6. **Comment formatting** - Fixing alignment of PHPDoc comments ### Notable Code Quality Changes (Non-Security): **Line 340 - Function name change:** - Old: `$args['value'] = esc_html__( $args['value'], 'cubewp-framework' );` - New: `$args['value'] = esc_html($args['value']);` - This removes unnecessary translation function; the value is now only HTML-escaped, not translated. This is a code quality improvement but not a security fix. **Line 722 - Function name change:** - Old: `$output .= get_user_details($user_id);` - New: `$output .= cubewp_get_user_details($user_id);` - This is a function rename for consistency; no security impact. **Line 645 - Comment addition:** - New: `/* translators: %s: field type. */` - This is a translator comment for internationalization; no security change. ### Conclusion: All existing security measures (esc_html, esc_attr, esc_url, wp_kses_post) remain intact. No new vulnerabilities were introduced, and no existing vulnerabilities were fixed. This is purely a code style and formatting update that improves code consistency and readability without affecting security posture.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-submenu.php 2026-01-18 00:20:47.477236039 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-submenu.php 2026-01-18 00:20:56.201778099 +0000@@ -9,6 +9,8 @@ * @version 1.0 */ +// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined( 'ABSPATH' ) ) { exit; }
Vulnerability Existed: no
No Security Vulnerabilities Detected - [File: cube/classes/class-cubewp-submenu.php]
Old Code:
```php
/*
* @version 1.0
*/
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
```
Fixed Code:
```php
/*
* @version 1.0
*/
// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
```
Explanation:
The diff shows the addition of a phpcs (PHP CodeSniffer) directive comment that disables a WordPress naming convention check for the file. This is a code style/linting configuration change, not a security fix. The added comment `// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals` instructs the PHP CodeSniffer to skip WordPress naming convention validation rules for this file. This change does not introduce, fix, or relate to any security vulnerabilities. It is purely a development tool configuration that allows the file to bypass specific linting rules without modifying any actual functional code.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-vc-elements.php 2026-01-18 00:20:47.477236039 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/class-cubewp-vc-elements.php 2026-01-18 00:20:56.201778099 +0000@@ -34,7 +34,8 @@ if (class_exists($class)) { new $class(); }else {- wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), $class));+ /* translators: %s: class name. */+ wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), esc_html($class))); } } }
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/class-cubewp-vc-elements.php - Line 37
Old Code:
```php
wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), $class));
```
Fixed Code:
```php
wp_die(sprintf(esc_html__("%s Class Doesn't Exist.", "cubewp-framework"), esc_html($class)));
```
Explanation:
The original code was vulnerable to Stored/Reflected XSS because the `$class` variable was passed directly into `sprintf()` without proper escaping. While `esc_html__()` escapes the translation string template, it does not escape the variable substituted into the %s placeholder. If `$class` contained user-controlled or unsanitized data with HTML/JavaScript content, it would be output unescaped in the error message. The fix correctly wraps `$class` with `esc_html()` to escape any HTML special characters before insertion, preventing XSS payloads from being executed. The added translator comment also improves code maintainability.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-archive-posts-widget.php 2026-01-18 00:20:47.481236287 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-archive-posts-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -89,7 +89,7 @@ $this->add_control('posttype', array( 'type' => Controls_Manager::SELECT2, //'multiple' => true,- 'label' => esc_html__('Select Post Types', 'cubewp-classifiad'),+ 'label' => esc_html__('Select Post Types', 'cubewp-framework'), 'options' => $post_types, 'default' => array('post'), 'label_block' => true,@@ -105,7 +105,8 @@ if (!empty(cubewp_post_card_styles($post_type))) { $this->add_control($post_type . '_card_style', array( 'type' => Controls_Manager::SELECT,- 'label' => esc_html__('Card Style for ' . self::get_post_type_name_by_slug($post_type), 'cubewp-framework'),+ /* translators: %s: post type singular name. */+ 'label' => sprintf( esc_html__( 'Card Style for %s', 'cubewp-framework' ), self::get_post_type_name_by_slug($post_type) ), 'options' => cubewp_post_card_styles($post_type), 'default' => 'default_style', 'condition' => array(@@ -196,16 +197,16 @@ CubeWp_Enqueue::enqueue_script('cwp-search-filters'); - echo CubeWp_Frontend_Search_Filter::cwp_filter_results();+ echo wp_kses_post( CubeWp_Frontend_Search_Filter::cwp_filter_results() ); echo '<form name="cwp-search-filters" class="cwp-search-filters" method="post">';- echo CubeWp_Frontend_Search_Filter::filter_hidden_fields($type, $page_num, $card_style);- echo CubeWp_Frontend_Search_Filter::get_hidden_field_if_tax();+ echo wp_kses_post( CubeWp_Frontend_Search_Filter::filter_hidden_fields( $type, $page_num, $card_style ) );+ echo wp_kses_post( CubeWp_Frontend_Search_Filter::get_hidden_field_if_tax() ); $count = 1; if ($promotional_card && !empty($promotional_card_list) && is_array($promotional_card_list)) { foreach ($promotional_card_list as $_promotional_card) {- echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_option-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_option']) . '" />';- echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_position-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_position']) . '" />';- echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_width-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_width']['size']) .esc_attr($_promotional_card['cubewp_promotional_card_width']['unit']). '" />';+ echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_option-'.esc_attr($count).'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_option']) . '" />';+ echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_position-'.esc_attr($count).'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_position']) . '" />';+ echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_width-'.esc_attr($count).'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_width']['size']) .esc_attr($_promotional_card['cubewp_promotional_card_width']['unit']). '" />'; $count++; } }
I'll analyze this diff for security vulnerabilities.
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-elementor-archive-posts-widget.php - Lines 199-203
[Old Code]
```
echo CubeWp_Frontend_Search_Filter::cwp_filter_results();
echo '<form name="cwp-search-filters" class="cwp-search-filters" method="post">';
echo CubeWp_Frontend_Search_Filter::filter_hidden_fields($type, $page_num, $card_style);
echo CubeWp_Frontend_Search_Filter::get_hidden_field_if_tax();
```
[Fixed Code]
```
echo wp_kses_post( CubeWp_Frontend_Search_Filter::cwp_filter_results() );
echo '<form name="cwp-search-filters" class="cwp-search-filters" method="post">';
echo wp_kses_post( CubeWp_Frontend_Search_Filter::filter_hidden_fields( $type, $page_num, $card_style ) );
echo wp_kses_post( CubeWp_Frontend_Search_Filter::get_hidden_field_if_tax() );
```
Explanation:
Output from `CubeWp_Frontend_Search_Filter` methods was echoed directly without sanitization. The fix wraps these outputs with `wp_kses_post()`, which is the WordPress standard function for sanitizing HTML content before display. This prevents Stored XSS attacks if these methods return user-controlled or untrusted data.
---
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Special Elements used in an HTML Attribute ('HTML Attribute Injection') - CWE-94 - class-cubewp-elementor-archive-posts-widget.php - Lines 207-209
[Old Code]
```
echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_option-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_option']) . '" />';
echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_position-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_position']) . '" />';
echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_width-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_width']['size']) .esc_attr($_promotional_card['cubewp_promotional_card_width']['unit']). '" />';
```
[Fixed Code]
```
echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_option-'.esc_attr($count).'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_option']) . '" />';
echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_position-'.esc_attr($count).'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_position']) . '" />';
echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_width-'.esc_attr($count).'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_width']['size']) .esc_attr($_promotional_card['cubewp_promotional_card_width']['unit']). '" />';
```
Explanation:
The `$count` variable was not escaped when used in the HTML attribute name. Although `$count` is internally controlled and incremented, it's a best practice to escape all dynamic data in HTML attributes. The fix wraps `$count` with `esc_attr()` to ensure proper escaping, preventing potential attribute injection if `$count` were ever derived from untrusted input.
---
Vulnerability Existed: no
Improper Handling of Internationalization (i18n) - CWE-693 - class-cubewp-elementor-archive-posts-widget.php - Lines 92, 108-109
[Old Code]
```
'label' => esc_html__('Select Post Types', 'cubewp-classifiad'),
'label' => esc_html__('Card Style for ' . self::get_post_type_name_by_slug($post_type), 'cubewp-framework'),
```
[Fixed Code]
```
'label' => esc_html__('Select Post Types', 'cubewp-framework'),
'label' => /* translators: %s: post type singular name. */
'label' => sprintf( esc_html__( 'Card Style for %s', 'cubewp-framework' ), self::get_post_type_name_by_slug($post_type) ),
```
Explanation:
Not a vulnerability per se, but important fixes. The first change corrects the text domain from 'cubewp-classifiad' to 'cubewp-framework'. The second change properly handles dynamic strings in i18n by using `sprintf()` with a placeholder rather than string concatenation before translation. This allows translators to properly translate the entire string and ensures the text domain is consistently applied. While not a security vulnerability, this prevents translation breakage.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-archive-result-data-widget.php 2026-01-18 00:20:47.481236287 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-archive-result-data-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -166,9 +166,9 @@ $output = '<div class="cwp-filtered-result-count">'; $data = esc_html__( '0 ', 'cubewp-framework' ) . $default_text;- $output .= '<div class="cwp-total-results">'. $data .'</div>';+ $output .= '<div class="cwp-total-results">'. wp_kses_post($data) .'</div>'; $output .= '</div>'; - echo $output;+ echo wp_kses_post( $output ); } }\ No newline at end of file
```
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-elementor-archive-result-data-widget.php - Lines 169, 172
Old Code:
$output .= '<div class="cwp-total-results">'. $data .'</div>';
...
echo $output;
Fixed Code:
$output .= '<div class="cwp-total-results">'. wp_kses_post($data) .'</div>';
...
echo wp_kses_post( $output );
Explanation:
The original code directly echoed user-controlled or unsanitized data without proper escaping, creating a reflected/stored XSS vulnerability. Although `$data` is constructed from `esc_html__()` (which provides translation escaping), the `$output` string concatenates HTML markup that could be vulnerable if `$data` contained unexpected content or if other variables were added later. The fix applies `wp_kses_post()` to both the `$data` variable and the final `$output` before echoing, ensuring that any potentially malicious HTML or JavaScript is properly sanitized while preserving safe HTML tags. This follows WordPress security best practices for output escaping.
```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-archive-sorting-widget.php 2026-01-18 00:20:47.481236287 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-archive-sorting-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -254,6 +254,7 @@ protected function render() { // Assuming CubeWp_Frontend_Search_Filter exists and cwp_filter_sorting() outputs the HTML+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo \CubeWp_Frontend_Search_Filter::cwp_filter_sorting(); } }\ No newline at end of file
Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-elementor-archive-sorting-widget.php Line 257 Old Code: ```php echo \CubeWp_Frontend_Search_Filter::cwp_filter_sorting(); ``` Fixed Code: ```php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo \CubeWp_Frontend_Search_Filter::cwp_filter_sorting(); ``` Explanation: This is NOT a security fix. The diff only adds a phpcs ignore comment without actually fixing the underlying vulnerability. The code still echoes unescaped output from `cwp_filter_sorting()`, which creates a Cross-Site Scripting (XSS) vulnerability (CWE-79). The phpcs:ignore directive tells the WordPress code standards checker to suppress the warning, but it does not sanitize or escape the output. A proper fix would require escaping the output (e.g., using `wp_kses_post()`, `esc_html()`, or `esc_attr()` depending on context) or ensuring that `cwp_filter_sorting()` returns pre-escaped/sanitized content. This change masks the vulnerability rather than remedying it.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-cubewp-form-widget.php 2026-01-18 00:20:47.481236287 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-cubewp-form-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -382,9 +382,10 @@ $output .= '</div></form></div>'; } else {- $output .= _e( 'Post type not set gfrf','cubewp-framework');+ $output .= esc_html__( 'Post type not set','cubewp-framework'); } + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters( 'cubewp/elementor/archive/posts', $output ); }
I'll analyze this code diff for security vulnerabilities. Vulnerability Existed: yes FALSE POSITIVE **Improper Output Escaping - CWE-79** - CWE-79 - `class-cubewp-elementor-cubewp-form-widget.php` [Lines 385-389] **Old Code:** ```php $output .= _e( 'Post type not set gfrf','cubewp-framework'); ... echo apply_filters( 'cubewp/elementor/archive/posts', $output ); ``` **Fixed Code:** ```php $output .= esc_html__( 'Post type not set','cubewp-framework'); ... // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters( 'cubewp/elementor/archive/posts', $output ); ``` **Explanation:** The vulnerability exists in two related issues: 1. **Line 385 - Incorrect use of `_e()` function**: The original code used `_e()` which both translates AND echoes the string directly to output. This should have been `__()` (double underscore) which only translates without outputting. The fix correctly changes this to `esc_html__()` which translates and escapes HTML entities, preventing XSS attacks. 2. **Line 388-389 - Unescaped output from filter**: The `$output` variable is passed through `apply_filters()` and then echoed without proper escaping. While the fix escapes the string being added on line 385, the `apply_filters()` call can modify `$output` with unescaped content from third-party plugins. The `phpcs:ignore` comment suppresses the WordPress coding standard warning but does NOT actually fix the underlying vulnerability - it merely acknowledges it. This line should ideally be `echo wp_kses_post( apply_filters(...) )` or similar to properly escape potentially unsafe filter output. **Summary**: The fix partially addresses the XSS vulnerability by properly escaping the localized string, but the `phpcs:ignore` comment on line 389 indicates the developers are aware of the remaining escaping issue with the filter output without actually implementing a complete fix.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-mega-menu-widget.php 2026-01-18 00:20:47.481236287 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-mega-menu-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -68,10 +68,52 @@ } return $menu_options; }+ /**+ * Method cwp_elementor_builder_options_slug+ *+ * Returns options array keyed by slug instead of post ID+ * specifically for Elementor controls that should store slugs.+ *+ * @param string $template_type+ * @return array+ */+ private function cwp_elementor_builder_options_slug($template_type = '')+ {+ $args = array(+ 'post_type' => 'cubewp-tb',+ 'post_status' => 'publish',+ 'order' => 'ASC',+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query+ array(+ 'key' => 'template_type',+ 'value' => $template_type,+ 'compare' => '='+ ),+ array(+ 'key' => 'template_location',+ 'value' => 'all',+ 'compare' => '='+ )+ ),+ 'fields' => 'ids'+ );++ $existing_posts = new WP_Query($args);+ $options = [];+ if ($existing_posts->have_posts()) {+ foreach ($existing_posts->posts as $existing_post_id) {+ $slug = get_post_field('post_name', $existing_post_id);+ if (! empty($slug)) {+ $options[$slug] = get_the_title($existing_post_id);+ }+ }+ }+ return $options;+ } protected function register_controls() {- $cubewp_megaID = CubeWp_Theme_Builder::cwp_elementor_builder_options('mega-menu');+ $cubewp_megaID = $this->cwp_elementor_builder_options_slug('mega-menu'); $menu_options = $this->get_wordpress_menu_options(); $this->start_controls_section('cubewp_menu_setting_section', array(@@ -357,7 +399,7 @@ $this->add_responsive_control( 'menu_item_margin', [- 'label' => esc_html__('Margin', 'value-pack'),+ 'label' => esc_html__('Margin', 'cubewp-framework'), 'type' => Controls_Manager::DIMENSIONS, 'selectors' => [ '{{WRAPPER}} .cubewp-mega-menu .cubewp-mega-menu-item' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',@@ -627,7 +669,7 @@ Group_Control_Box_Shadow::get_type(), [ 'name' => 'dropdown_box_shadow',- 'exclude' => [+ 'exclude' => [// phpcs:ignore WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude 'box_shadow_position', ], 'selector' => '{{WRAPPER}} .elementor-cubewp-mega-nav-menu,{{WRAPPER}} .elementor-cubewp-mega-nav-menu .menu-item-has-children .sub-menu',@@ -775,7 +817,7 @@ if (!empty($settings['menu_items']) && is_array($settings['menu_items'])) { foreach ($settings['menu_items'] as $index => $item) {- $random_id = rand(100000, 999999);+ $random_id = wp_rand(100000, 999999); $menu_visibility = isset($item['menu_visibility']) ? $item['menu_visibility'] : 'mega_menu'; // Mega Menu@@ -801,7 +843,7 @@ $custom_target = !empty($item['custom_link_url']['is_external']) ? ' target="_blank"' : ''; $custom_nofollow = !empty($item['custom_link_url']['nofollow']) ? ' rel="nofollow"' : ''; - echo '<a class="cubewp-mega-menu-item hover" href="' . $custom_link . '"' . $custom_target . $custom_nofollow . '>';+ echo '<a class="cubewp-mega-menu-item hover" href="' . esc_url($custom_link) . '"' . esc_attr($custom_target) . esc_attr($custom_nofollow) . '>'; echo '<span>' . esc_html($item['menu_name']) . '</span>'; if (!empty($item['menu_icon']) && is_array($item['menu_icon']) && !empty($item['menu_icon']['value'])) {@@ -833,6 +875,7 @@ if (!empty($menu_html)) { echo '<div class="cubewp-mega-nav-menu-dropdown" id="' . esc_attr($random_id) . '">'; echo '<h3 class="container-back-slide" style="display:none;">' . esc_html($item['menu_name']) . '</h3>';+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo $menu_html; echo '</div>'; }@@ -855,6 +898,30 @@ public function cubewp_mega_menu_template($tempID) {- return CubeWp_Theme_Builder::do_cubewp_theme_builder('mega-menu', $tempID);+ $resolved_id = 0;+ if (is_numeric($tempID)) {+ $resolved_id = intval($tempID);+ } else {+ $maybe_post = get_page_by_path($tempID, OBJECT, 'cubewp-tb');+ if ($maybe_post && ! is_wp_error($maybe_post)) {+ $resolved_id = (int) $maybe_post->ID;+ } else {+ // Fallback resolution by name query+ $by_name = get_posts(array(+ 'post_type' => 'cubewp-tb',+ 'name' => $tempID,+ 'posts_per_page' => 1,+ 'fields' => 'ids',+ ));+ if (! empty($by_name)) {+ $resolved_id = (int) $by_name[0];+ }+ }+ }++ if ($resolved_id > 0) {+ return CubeWp_Theme_Builder::do_cubewp_theme_builder('mega-menu', $resolved_id);+ }+ return; } }
I'll analyze this code diff for security vulnerabilities following the specified format.
Vulnerability 1:
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-elementor-mega-menu-widget.php - Line 846
Old Code:
```
echo '<a class="cubewp-mega-menu-item hover" href="' . $custom_link . '"' . $custom_target . $custom_nofollow . '>';
```
Fixed Code:
```
echo '<a class="cubewp-mega-menu-item hover" href="' . esc_url($custom_link) . '"' . esc_attr($custom_target) . esc_attr($custom_nofollow) . '>';
```
Explanation:
The old code directly echoed unsanitized user input into HTML attributes. The `$custom_link` variable (derived from user input) was not escaped, allowing potential XSS attacks. The `$custom_target` and `$custom_nofollow` attributes were also unescaped. The fix properly escapes the URL with `esc_url()` and the attributes with `esc_attr()`, which is the correct WordPress escaping function for HTML attributes.
---
Vulnerability 2:
Vulnerability Existed: yes
TRUE POSITIVE
Insecure Randomness - CWE-338 - class-cubewp-elementor-mega-menu-widget.php - Line 820
Old Code:
```
$random_id = rand(100000, 999999);
```
Fixed Code:
```
$random_id = wp_rand(100000, 999999);
```
Explanation:
The old code used PHP's `rand()` function which is cryptographically weak and predictable. In WordPress, `wp_rand()` should be used instead as it provides better randomness properties. While this particular use case generates an HTML element ID (not for security-critical purposes), using weak randomness is a security best practice violation. The fix uses `wp_rand()`, which is the WordPress-recommended function.
---
Vulnerability 3:
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation/Type Coercion - CWE-20 - class-cubewp-elementor-mega-menu-widget.php - Line 858-878
Old Code:
```
return CubeWp_Theme_Builder::do_cubewp_theme_builder('mega-menu', $tempID);
```
Fixed Code:
```
$resolved_id = 0;
if (is_numeric($tempID)) {
$resolved_id = intval($tempID);
} else {
$maybe_post = get_page_by_path($tempID, OBJECT, 'cubewp-tb');
if ($maybe_post && ! is_wp_error($maybe_post)) {
$resolved_id = (int) $maybe_post->ID;
} else {
$by_name = get_posts(array(
'post_type' => 'cubewp-tb',
'name' => $tempID,
'posts_per_page' => 1,
'fields' => 'ids',
));
if (! empty($by_name)) {
$resolved_id = (int) $by_name[0];
}
}
}
if ($resolved_id > 0) {
return CubeWp_Theme_Builder::do_cubewp_theme_builder('mega-menu', $resolved_id);
}
return;
```
Explanation:
The old code passed `$tempID` directly without validation or type coercion. If `$tempID` came from user input as a string slug, it could potentially cause issues when passed to a function expecting a post ID. The fix validates and resolves the input: if it's numeric, it converts to integer; if it's a slug, it resolves it to a post ID; and only passes a validated integer ID to the function. This prevents type confusion vulnerabilities and ensures only valid post IDs are used.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-nav-menu-widget.php 2026-01-18 00:20:47.481236287 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-nav-menu-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -527,7 +527,7 @@ 'global' => [ 'default' => Global_Typography::TYPOGRAPHY_PRIMARY, ],- 'exclude' => ['line_height'],+ 'exclude' => ['line_height'],// phpcs:ignore WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude 'selector' => '{{WRAPPER}} .elementor-cubewp-nav-menu--dropdown .elementor-cubewp-item, {{WRAPPER}} .elementor-cubewp-nav-menu--dropdown .elementor-sub-item , {{WRAPPER}} .elementor-cubewp-nav-menu--dropdown .elementor-cubewp-sub-item', 'separator' => 'before', ]@@ -560,7 +560,7 @@ Group_Control_Box_Shadow::get_type(), [ 'name' => 'dropdown_box_shadow',- 'exclude' => [+ 'exclude' => [// phpcs:ignore WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_exclude 'box_shadow_position', ], 'selector' => '{{WRAPPER}} .elementor-cubewp-nav-menu--main .elementor-cubewp-nav-menu--dropdown, {{WRAPPER}} .elementor-cubewp-nav-menu__container.elementor-cubewp-nav-menu--dropdown',@@ -982,7 +982,7 @@ ]); ?> - <nav <?php $this->print_render_attribute_string('main-menu'); ?> data-icons='<?php echo Icons_Manager::render_icon($settings['submenu_icon']); ?>'>+ <nav <?php $this->print_render_attribute_string('main-menu'); ?> data-icons='<?php /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ echo Icons_Manager::render_icon($settings['submenu_icon']); ?>'> <?php // PHPCS - escaped by WordPress with "wp_nav_menu"@@ -1003,8 +1003,9 @@ if ('dropdown' == $settings['layout_type']) : $this->render_menu_toggle($settings); ?>- <nav class="elementor-cubewp-nav-menu--dropdown elementor-cubewp-nav-menu__container" aria-hidden="true" data-icons='<?php echo Icons_Manager::render_icon($settings['submenu_icon']); ?>'>+ <nav class="elementor-cubewp-nav-menu--dropdown elementor-cubewp-nav-menu__container" aria-hidden="true" data-icons='<?php /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ echo Icons_Manager::render_icon($settings['submenu_icon']); ?>'> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo $menu_html; ?> </nav>@@ -1014,7 +1015,7 @@ ?> <div class="cubewp-offcanvas-menus"> <div class="offcanvas-header">- <a href="<?php echo site_url(); ?>"> <img src="<?php echo esc_url($off_canvas_logo['url']); ?>" alt="logo"></a>+ <a href="<?php echo esc_url(site_url()); ?>"> <img src="<?php echo esc_url($off_canvas_logo['url']); ?>" alt="logo"></a> <button class="cubewp-menu-closed"><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-x-lg" viewBox="0 0 16 16"> <path d="M2.146 2.854a.5.5 0 1 1 .708-.708L8 7.293l5.146-5.147a.5.5 0 0 1 .708.708L8.707 8l5.147 5.146a.5.5 0 0 1-.708.708L8 8.707l-5.146 5.147a.5.5 0 0 1-.708-.708L7.293 8z" /> </svg></button>@@ -1022,6 +1023,7 @@ <div class="offcanvas-body"> <nav class="menu-offcanvas elementor-cubewp-nav-menu__container" aria-hidden="true"> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo $menu_html; ?> </nav>
# Security Analysis Results
## Vulnerability 1
Vulnerability Existed: **yes**
**Cross-site Scripting (XSS) - CWE-79** - class-cubewp-elementor-nav-menu-widget.php - Line 985
**Old Code:**
```php
<nav <?php $this->print_render_attribute_string('main-menu'); ?> data-icons='<?php echo Icons_Manager::render_icon($settings['submenu_icon']); ?>'>
```
**Fixed Code:**
```php
<nav <?php $this->print_render_attribute_string('main-menu'); ?> data-icons='<?php /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ echo Icons_Manager::render_icon($settings['submenu_icon']); ?>'>
```
**Explanation:**
The output from `Icons_Manager::render_icon()` is directly echoed into an HTML attribute without escaping. This allows potentially malicious SVG or HTML content to be injected. The fix adds a phpcs ignore comment, suggesting the developer is acknowledging this output is already safe (likely because `Icons_Manager::render_icon()` internally sanitizes SVG output). However, the actual vulnerability fix is inadequate—a true fix would wrap the output with `wp_kses_post()` or verify that the function output is genuinely pre-escaped.
---
## Vulnerability 2
Vulnerability Existed: **yes**
**Cross-site Scripting (XSS) - CWE-79** - class-cubewp-elementor-nav-menu-widget.php - Line 1006
**Old Code:**
```php
<nav class="elementor-cubewp-nav-menu--dropdown elementor-cubewp-nav-menu__container" aria-hidden="true" data-icons='<?php echo Icons_Manager::render_icon($settings['submenu_icon']); ?>'>
```
**Fixed Code:**
```php
<nav class="elementor-cubewp-nav-menu--dropdown elementor-cubewp-nav-menu__container" aria-hidden="true" data-icons='<?php /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ echo Icons_Manager::render_icon($settings['submenu_icon']); ?>'>
```
**Explanation:**
Same XSS vulnerability as Vulnerability 1. Unescaped output from `Icons_Manager::render_icon()` is directly echoed into a data attribute without proper escaping. The fix only suppresses the linter warning via phpcs ignore rather than actually securing the output with proper escaping functions.
---
## Vulnerability 3
Vulnerability Existed: **yes**
**Cross-site Scripting (XSS) - CWE-79** - class-cubewp-elementor-nav-menu-widget.php - Line 1008-1009
**Old Code:**
```php
<?php
echo $menu_html;
?>
```
**Fixed Code:**
```php
<?php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo $menu_html;
?>
```
**Explanation:**
The variable `$menu_html` is echoed without escaping. The fix only adds a phpcs ignore comment rather than actually escaping the output. If `$menu_html` comes from `wp_nav_menu()` as indicated by the nearby comment, it may be safe, but the comment should document why rather than just suppressing the security warning.
---
## Vulnerability 4
Vulnerability Existed: **yes**
**Improper Output Encoding (URL/Data URI) - CWE-79** - class-cubewp-elementor-nav-menu-widget.php - Line 1018
**Old Code:**
```php
<a href="<?php echo site_url(); ?>"> <img src="<?php echo esc_url($off_canvas_logo['url']); ?>" alt="logo"></a>
```
**Fixed Code:**
```php
<a href="<?php echo esc_url(site_url()); ?>"> <img src="<?php echo esc_url($off_canvas_logo['url']); ?>" alt="logo"></a>
```
**Explanation:**
The `href` attribute was populated with unescaped output from `site_url()`. While `site_url()` typically returns a safe URL, it should still be escaped with `esc_url()` for defense-in-depth. This fix properly wraps the output with `esc_url()`, addressing a URL-based XSS vector.
---
## Vulnerability 5
Vulnerability Existed: **yes**
**Cross-site Scripting (XSS) - CWE-79** - class-cubewp-elementor-nav-menu-widget.php - Line 1025-1026
**Old Code:**
```php
<?php
echo $menu_html;
?>
```
**Fixed Code:**
```php
<?php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo $menu_html;
?>
```
**Explanation:**
Same as Vulnerability 3. The `$menu_html` variable is echoed without escaping. The fix only adds a phpcs ignore comment rather than properly securing the output.
---
## Summary
The diff includes **5 vulnerability instances**. Four are incomplete fixes that only suppress security warnings via phpcs comments (Vulnerabilities 1, 2, 3, 5) rather than implementing proper output escaping. One is a proper fix using `esc_url()` (Vulnerability 4). The incomplete fixes should be enhanced with proper escaping functions for complete security remediation.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-posts-widget.php 2026-01-18 00:20:47.481236287 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-posts-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -114,6 +114,14 @@ ), 'default' => '3' ));+ $this->add_control('ajax_base_posts', array(+ 'type' => Controls_Manager::SWITCHER,+ 'label' => esc_html__('Load via AJAX', 'cubewp-framework'),+ 'label_on' => esc_html__('Yes', 'cubewp-framework'),+ 'label_off' => esc_html__('No', 'cubewp-framework'),+ 'return_value' => 'yes',+ 'default' => 'no',+ )); $this->add_control('load_more', array( 'type' => Controls_Manager::SWITCHER, 'label' => esc_html__('Load More Button', 'cubewp-framework'),@@ -199,6 +207,7 @@ 'default' => '4', 'condition' => array( 'posts_per_row' => 'auto',+ 'ajax_base_posts' => 'no', ), )); @@ -216,7 +225,7 @@ $this->end_controls_section(); $this->start_controls_section('cubewp_posts_widget_additional_setting_section', array(- 'label' => esc_html__('Filter By Meta / Custom Fields', 'cubewp-classifiad'),+ 'label' => esc_html__('Filter By Meta / Custom Fields', 'cubewp-framework'), 'tab' => Controls_Manager::TAB_CONTENT, 'condition' => array( 'posts_by' => array('all', 'taxonomy'),@@ -230,11 +239,11 @@ $this->add_control('meta_relation', array( 'type' => Controls_Manager::SELECT,- 'label' => esc_html__('Select Relation', 'cubewp-classifiad'),+ 'label' => esc_html__('Select Relation', 'cubewp-framework'), 'description' => esc_html__("e.g. If you have multiple custom field's conditions and you set relation OR then system will get result if one of these conditions will be true.", "cubewp-framework"), 'options' => array(- 'OR' => esc_html__('OR', 'cubewp-classifiad'),- 'AND' => esc_html__("AND", 'cubewp-classifiad'),+ 'OR' => esc_html__('OR', 'cubewp-framework'),+ 'AND' => esc_html__("AND", 'cubewp-framework'), ), 'default' => 'or', 'condition' => array(@@ -261,7 +270,7 @@ $repeater->add_control('meta_compare', array( 'type' => Controls_Manager::SELECT,- 'label' => esc_html__('Select Operator to compare ', 'cubewp-classifiad'),+ 'label' => esc_html__('Select Operator to compare ', 'cubewp-framework'), 'description' => esc_html__("e.g. If going to select BETWEEN or NOT BETWEEN then add value like this [100, 200].", "cubewp-framework"), 'options' => array( '=' => esc_html__('Equal', 'cubewp-framework'),@@ -287,7 +296,7 @@ )); $this->add_control('filter_by_custom_fields', array(- 'label' => esc_html__('Add Conditions', 'cubewp-classifiad'),+ 'label' => esc_html__('Add Conditions', 'cubewp-framework'), 'type' => Controls_Manager::REPEATER, 'fields' => $repeater->get_controls(), 'title_field' => '{{{ meta_key }}}',@@ -324,7 +333,7 @@ $this->add_control('posttype', array( 'type' => Controls_Manager::SELECT2, 'multiple' => true,- 'label' => esc_html__('Select Post Types', 'cubewp-classifiad'),+ 'label' => esc_html__('Select Post Types', 'cubewp-framework'), 'description' => esc_html__('You can select one or multiple post types to show post cards.', 'cubewp-framework'), 'options' => $post_types, 'default' => array('post'),@@ -341,7 +350,8 @@ if (!empty(cubewp_post_card_styles($post_type))) { $this->add_control($post_type . '_card_style', array( 'type' => Controls_Manager::SELECT,- 'label' => esc_html__('Card Style for ' . self::get_post_type_name_by_slug($post_type), 'cubewp-framework'),+ /* translators: %s: post type singular name. */+ 'label' => sprintf( esc_html__( 'Card Style for %s', 'cubewp-framework' ), self::get_post_type_name_by_slug($post_type) ), 'options' => cubewp_post_card_styles($post_type), 'default' => 'default_style', 'condition' => array(@@ -357,12 +367,12 @@ $post_types = self::$post_types; if (is_array($post_types) && ! empty($post_types)) { $options = array(- "all" => esc_html__("All"),- "taxonomy" => esc_html__("By Taxonomy"),- "post_ids" => esc_html__("By IDs"),+ 'all' => esc_html__('All', 'cubewp-framework'),+ 'taxonomy' => esc_html__('By Taxonomy', 'cubewp-framework'),+ 'post_ids' => esc_html__('By IDs', 'cubewp-framework'), ); if (class_exists('CubeWp_Booster_Load')) {- $options['boosted'] = esc_html__("Boosted Only");+ $options['boosted'] = esc_html__('Boosted Only', 'cubewp-framework'); } $this->add_control('posts_by', array( 'type' => Controls_Manager::SELECT,@@ -387,7 +397,8 @@ if (is_array($taxonomies) && ! empty($taxonomies)) { $this->add_control('taxonomy-' . $post_type, array( 'type' => Controls_Manager::SELECT2,- 'label' => esc_html__('Select Terms for ' . self::get_post_type_name_by_slug($post_type), 'cubewp-framework'),+ /* translators: %s: post type singular name. */+ 'label' => sprintf( esc_html__( 'Select Terms for %s', 'cubewp-framework' ), self::get_post_type_name_by_slug($post_type) ), 'description' => esc_html__('Leave empty if you want to display all posts.', 'cubewp-framework'), 'options' => self::get_terms_by_post_type($post_type), 'multiple' => true,@@ -496,9 +507,9 @@ $widget_id = $this->get_id(); if ($settings['enable_scroll_on_small_devices'] === 'yes') {- echo '<style>+ echo '<style type="text/css"> @media (max-width: 767px) {- .elementor-element-' . $widget_id . ' .cwp-row {+ .elementor-element-' . esc_attr($widget_id) . ' .cwp-row { overflow: scroll; flex-wrap: nowrap; }@@ -512,9 +523,10 @@ 'orderby' => $settings['orderby'], 'order' => $settings['order'], 'number_of_posts' => $settings['number_of_posts'],+ 'load_via_ajax' => (isset($settings['ajax_base_posts']) && $settings['ajax_base_posts'] === 'yes') ? 'yes' : 'no', 'load_more' => $settings['load_more'], 'posts_per_page' => $settings['posts_per_page'],- 'processing_grids_per_row' => $settings['processing_grids_per_row'],+ 'processing_grids_per_row' => $settings['processing_grids_per_row'] ?? '4', 'layout' => $settings['layout'], 'posts_per_row' => isset($settings['posts_per_row']) ? $settings['posts_per_row'] : 'auto', 'posts_per_row_tablet' => isset($settings['posts_per_row_tablet']) ? $settings['posts_per_row_tablet'] : 'auto',@@ -594,11 +606,12 @@ } if ($filter_by_meta == 'yes') {- $meta_query['query'] = isset($settings['filter_by_custom_fields']) ? $settings['filter_by_custom_fields'] : array();+ $meta_query['query'] = isset($settings['filter_by_custom_fields']) ? $settings['filter_by_custom_fields'] : array();// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query $meta_query['relation'] = isset($settings['meta_relation']) ? $settings['meta_relation'] : 'OR';- $args['meta_query'] = self::_meta_query($meta_query);+ $args['meta_query'] = self::_meta_query($meta_query); // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query } + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp_shortcode_posts_output', '', $args); } @@ -638,7 +651,7 @@ 'selectors' => [ '{{WRAPPER}} .cubewp-post-slider .slick-slide>div ' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}} !important;', '{{WRAPPER}} .cwp-row>div' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}} !important;',- ],+ ] ] ); @@ -721,9 +734,9 @@ 'fade_effect', [ 'type' => Controls_Manager::SWITCHER,- 'label' => esc_html__('Fade Effect', 'value-pack'),+ 'label' => esc_html__('Fade Effect', 'cubewp-framework'), 'default' => '',- 'description' => esc_html__('Enable fade effect for slides transition.', 'value-pack'),+ 'description' => esc_html__('Enable fade effect for slides transition.', 'cubewp-framework'), 'condition' => [ 'cwp_enable_slider' => 'yes', ],@@ -1232,9 +1245,13 @@ Group_Control_Box_Shadow::get_type(), [ 'name' => 'slider_arrow_box_shadow',- 'label' => __('Arrow Box Shadow', 'value-pack'),+ 'label' => __('Arrow Box Shadow', 'cubewp-framework'), 'selector' => '{{WRAPPER}} .cubewp-post-slider .slick-arrow', 'separator' => 'before',+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ 'custom_arrows' => 'yes',+ ], ] ); @@ -2013,7 +2030,7 @@ $this->add_control( 'slider_dots_wrap_settings_heading', [- 'label' => esc_html__('Wrap Dots With Arrows', 'value-pack'),+ 'label' => esc_html__('Wrap Dots With Arrows', 'cubewp-framework'), 'type' => Controls_Manager::HEADING, 'separator' => 'before', 'condition' => [@@ -2025,10 +2042,10 @@ $this->add_control( 'enable_wrap_dots_arrows', [- 'label' => esc_html__('Enable Wrap Dots With Arrows', 'value-pack'),+ 'label' => esc_html__('Enable Wrap Dots With Arrows', 'cubewp-framework'), 'type' => Controls_Manager::SWITCHER,- 'label_on' => esc_html__('Yes', 'value-pack'),- 'label_off' => esc_html__('No', 'value-pack'),+ 'label_on' => esc_html__('Yes', 'cubewp-framework'),+ 'label_off' => esc_html__('No', 'cubewp-framework'), 'return_value' => 'yes', 'default' => '', 'condition' => [@@ -2062,7 +2079,7 @@ $this->add_responsive_control( 'vp_scrollbar_Top_position', [- 'label' => esc_html__('Top Position', 'value-pack'),+ 'label' => esc_html__('Top Position', 'cubewp-framework'), 'type' => Controls_Manager::SLIDER, 'size_units' => ['px', '%', 'em'], 'default' => [@@ -2098,7 +2115,7 @@ $this->add_responsive_control( 'vp_scrollbar_bottom_position', [- 'label' => esc_html__('Bottom Position', 'value-pack'),+ 'label' => esc_html__('Bottom Position', 'cubewp-framework'), 'type' => Controls_Manager::SLIDER, 'size_units' => ['px', '%', 'em'], 'default' => [@@ -2158,7 +2175,7 @@ $this->add_responsive_control( 'vp_scrollbar_right_position', [- 'label' => esc_html__('Right Position', 'value-pack'),+ 'label' => esc_html__('Right Position', 'cubewp-framework'), 'type' => Controls_Manager::SLIDER, 'size_units' => ['px', '%', 'em'], 'default' => [@@ -2194,7 +2211,7 @@ $this->add_responsive_control( 'vp_scrollbar_left_position', [- 'label' => esc_html__('Left Position', 'value-pack'),+ 'label' => esc_html__('Left Position', 'cubewp-framework'), 'type' => Controls_Manager::SLIDER, 'size_units' => ['px', '%', 'em'], 'default' => [@@ -2230,7 +2247,7 @@ $this->add_responsive_control( 'gap_between_items', [- 'label' => esc_html__('Gap Between Items', 'value-pack'),+ 'label' => esc_html__('Gap Between Items', 'cubewp-framework'), 'type' => Controls_Manager::SLIDER, 'size_units' => ['px', '%', 'em'], 'default' => [@@ -2267,15 +2284,15 @@ $this->add_responsive_control( 'wrap_justify_content', [- 'label' => esc_html__('Justify Content', 'value-pack'),+ 'label' => esc_html__('Justify Content', 'cubewp-framework'), 'type' => Controls_Manager::SELECT, 'options' => [- 'flex-start' => esc_html__('Flex Start', 'value-pack'),- 'center' => esc_html__('Center', 'value-pack'),- 'flex-end' => esc_html__('Flex End', 'value-pack'),- 'space-between' => esc_html__('Space Between', 'value-pack'),- 'space-around' => esc_html__('Space Around', 'value-pack'),- 'space-evenly' => esc_html__('Space Evenly', 'value-pack'),+ 'flex-start' => esc_html__('Flex Start', 'cubewp-framework'),+ 'center' => esc_html__('Center', 'cubewp-framework'),+ 'flex-end' => esc_html__('Flex End', 'cubewp-framework'),+ 'space-between' => esc_html__('Space Between', 'cubewp-framework'),+ 'space-around' => esc_html__('Space Around', 'cubewp-framework'),+ 'space-evenly' => esc_html__('Space Evenly', 'cubewp-framework'), ], 'default' => 'center', 'condition' => [@@ -2291,7 +2308,7 @@ $this->add_responsive_control( 'wrap_dots_arrows_padding', [- 'label' => esc_html__('Padding', 'value-pack'),+ 'label' => esc_html__('Padding', 'cubewp-framework'), 'type' => Controls_Manager::DIMENSIONS, 'size_units' => ['px', '%', 'em'], 'default' => [
I'll analyze the provided code diff for security fixes.
Vulnerability Existed: yes
TRUE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - class-cubewp-elementor-posts-widget.php Lines 509-515
Old Code:
```php
echo '<style>
@media (max-width: 767px) {
.elementor-element-' . $widget_id . ' .cwp-row {
overflow: scroll;
flex-wrap: nowrap;
}
```
Fixed Code:
```php
echo '<style type="text/css">
@media (max-width: 767px) {
.elementor-element-' . esc_attr($widget_id) . ' .cwp-row {
overflow: scroll;
flex-wrap: nowrap;
}
```
Explanation:
The `$widget_id` variable was directly concatenated into the CSS output without escaping. If the widget ID contained malicious characters or quotes, it could break out of the CSS context and inject arbitrary HTML/JavaScript. The fix applies `esc_attr()` to properly escape the widget ID for safe use in HTML attributes/CSS selectors. Additionally, `type="text/css"` was added to the style tag for better HTML validity.
---
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Output During Web Page Generation ('Unvalidated Redirect') / Output Encoding - CWE-80** - class-cubewp-elementor-posts-widget.php Line 614
Old Code:
```php
echo apply_filters('cubewp_shortcode_posts_output', '', $args);
```
Fixed Code:
```php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp_shortcode_posts_output', '', $args);
```
Explanation:
The output from the filter was echoed without escaping. While the comment suggests this is intentional (allowing filter callbacks to output unescaped HTML), this is a potential XSS vector if filter callbacks don't properly escape their output. The phpcs comment indicates the developers are aware of this security concern and are deliberately allowing it, likely because the filter is meant for rendering HTML output. This represents a trust boundary issue - the code is trusting all filter callbacks to properly escape their output.
---
Vulnerability Existed: no
**Improper Neutralization of Input During Web Page Generation - CWE-79** - class-cubewp-elementor-posts-widget.php Lines 353-354
Old Code:
```php
'label' => esc_html__('Card Style for ' . self::get_post_type_name_by_slug($post_type), 'cubewp-framework'),
```
Fixed Code:
```php
/* translators: %s: post type singular name. */
'label' => sprintf( esc_html__( 'Card Style for %s', 'cubewp-framework' ), self::get_post_type_name_by_slug($post_type) ),
```
Explanation:
This is not a security vulnerability fix but a localization/translation improvement. The original code concatenated strings before translation, which breaks translation workflows. The fix uses `sprintf()` with a translatable string template. Both versions are safe from XSS because `esc_html__()` escapes the output. The change improves code quality and translation support.
---
Vulnerability Existed: not sure
**Improper Neutralization of SQL Command - CWE-89** - class-cubewp-elementor-posts-widget.php Lines 609-611
Old Code:
```php
$meta_query['query'] = isset($settings['filter_by_custom_fields']) ? $settings['filter_by_custom_fields'] : array();
$meta_query['relation'] = isset($settings['meta_relation']) ? $settings['meta_relation'] : 'OR';
$args['meta_query'] = self::_meta_query($meta_query);
```
Fixed Code:
```php
$meta_query['query'] = isset($settings['filter_by_custom_fields']) ? $settings['filter_by_custom_fields'] : array();// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query
$meta_query['relation'] = isset($settings['meta_relation']) ? $settings['meta_relation'] : 'OR';
$args['meta_query'] = self::_meta_query($meta_query); // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query
```
Explanation:
The phpcs comments added here suppress WordPress coding standard warnings about slow database queries, not actual security fixes. However, the underlying code accepts user input from settings (which originate from the Elementor widget interface) into meta_query without visible sanitization. The actual security depends on the `self::_meta_query()` method's implementation, which is not shown in this diff. If that method properly sanitizes and validates the meta_query array, there is no vulnerability. Without seeing `_meta_query()`, the security posture is uncertain.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-search-widget.php 2026-01-18 00:20:47.485236536 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-search-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -291,6 +291,7 @@ $this->add_control( 'tabber_button_icon_' . $post_type_key, [ + /* translators: %s: post type singular name. */ 'label' => sprintf(esc_html__('%s Tab Icon', 'cubewp-framework'), $post_type_label), 'type' => Controls_Manager::ICONS, 'fa4compatibility' => 'icon', @@ -2101,7 +2102,8 @@ $this->start_controls_section( 'field_' . $field_key . '_style_section', [ - 'label' => esc_html__($field_label . ' ( ' . $postType . ' Field Container)', 'cubewp-framework'), + /* translators: %1$s: field label, %2$s: post type singular name. */ + 'label' => sprintf( esc_html__( '%1$s ( %2$s Field Container)', 'cubewp-framework' ), $field_label, $postType ), 'tab' => \Elementor\Controls_Manager::TAB_STYLE, 'condition' => [ 'post_type' => $postType, @@ -2795,6 +2797,7 @@ 'settings' => $settings, ); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp_search_shortcode_output', '', $args); } }\ No newline at end of file
I'll analyze this code diff for security vulnerabilities.
---
**Vulnerability 1: Output Escaping Issue**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-elementor-search-widget.php - Line 2800
Old Code:
```php
echo apply_filters('cubewp_search_shortcode_output', '', $args);
```
Fixed Code:
```php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp_search_shortcode_output', '', $args);
```
Explanation:
This is NOT a security fix—it's a regression. The code change adds a `phpcs:ignore` comment to suppress a WordPress security scanner warning about unescaped output, but does NOT actually fix the underlying vulnerability. The `apply_filters()` function returns user-controlled data that is directly echoed without escaping. An attacker could inject malicious JavaScript through filter hooks. The proper fix would be to wrap the output with `wp_kses_post()` or `esc_html()` depending on context, not merely suppress the warning. This represents a deliberate bypass of security checks.
---
**Vulnerability 2: String Concatenation in i18n**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Internationalization - CWE-94 - class-cubewp-elementor-search-widget.php - Line 2105 (old code)
Old Code:
```php
'label' => esc_html__($field_label . ' ( ' . $postType . ' Field Container)', 'cubewp-framework'),
```
Fixed Code:
```php
/* translators: %1$s: field label, %2$s: post type singular name. */
'label' => sprintf( esc_html__( '%1$s ( %2$s Field Container)', 'cubewp-framework' ), $field_label, $postType ),
```
Explanation:
This IS a legitimate security and best-practice fix. The old code concatenated dynamic variables directly into the translatable string, which breaks internationalization and can cause XSS vulnerabilities if `$field_label` or `$postType` contain unescaped HTML. The fix properly uses `sprintf()` with placeholder strings, allowing translators to work with fixed strings while variables are safely substituted separately. The `esc_html()` function still applies to the entire result, properly escaping the dynamic content.
---
**Vulnerability 3: Translator Comment Addition**
Vulnerability Existed: no
Translator Comment - No CWE - class-cubewp-elementor-search-widget.php - Line 294
Old Code:
```php
'label' => sprintf(esc_html__('%s Tab Icon', 'cubewp-framework'), $post_type_label),
```
Fixed Code:
```php
/* translators: %s: post type singular name. */
'label' => sprintf(esc_html__('%s Tab Icon', 'cubewp-framework'), $post_type_label),
```
Explanation:
This is not a vulnerability fix; it's an improvement to internationalization documentation. Adding translator comments helps translators understand the context of placeholders and doesn't address any security issue. The code itself was already secure (using `sprintf()` with proper escaping).
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-taxonomy-widget.php 2026-01-18 00:20:47.485236536 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-taxonomy-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -1,5 +1,5 @@ <?php-defined( 'ABSPATH' ) || exit;+defined('ABSPATH') || exit; use Elementor\Controls_Manager; use Elementor\Repeater;@@ -12,25 +12,31 @@ * * @since 1.0.0 */-class CubeWp_Elementor_Taxonomy_Widget extends Widget_Base {+class CubeWp_Elementor_Taxonomy_Widget extends Widget_Base+{ - public function get_name() {+ public function get_name()+ { return 'cubewp_taxonomy'; } - public function get_title() {- return esc_html__( 'CubeWP Taxonomy', 'cubewp-framework' );+ public function get_title()+ {+ return esc_html__('CubeWP Taxonomy', 'cubewp-framework'); } - public function get_icon() {+ public function get_icon()+ { return 'eicon-posts-grid'; } - public function get_categories() {- return array( 'cubewp' );+ public function get_categories()+ {+ return array('cubewp'); } - public function get_keywords() {+ public function get_keywords()+ { return array( 'cubewp', 'featured',@@ -49,119 +55,544 @@ ); } - protected function register_controls() {+ protected function register_controls()+ { $args = array( 'public' => true, '_builtin' => false );- $taxonomies = get_taxonomies( $args );+ $taxonomies = get_taxonomies($args); $taxonomies = self::cwp_get_taxonomies_label($taxonomies);- $this->start_controls_section( 'cubewp_widgets_section', array(- 'label' => esc_html__( 'Widget Options', 'cubewp-framework' ),+ $this->start_controls_section('cubewp_widgets_section', array(+ 'label' => esc_html__('Widget Options', 'cubewp-framework'), 'tab' => Controls_Manager::TAB_CONTENT,- ) );- $this->add_control( 'taxonomy', array(+ ));+ $this->add_control('taxonomy', array( 'type' => Controls_Manager::SELECT,- 'label' => esc_html__( 'Select Taxonomy', 'cubewp-framework' ),+ 'label' => esc_html__('Select Taxonomy', 'cubewp-framework'), 'options' => $taxonomies,- ) );- $this->add_control( 'terms_per_page', array(+ ));+ $this->add_control('terms_per_page', array( 'type' => Controls_Manager::SELECT,- 'label' => esc_html__( 'No Of Terms To Show', 'cubewp-framework' ),+ 'label' => esc_html__('No Of Terms To Show', 'cubewp-framework'), 'options' => array(- '0' => esc_html__( 'Show All Terms', 'cubewp-framework' ),- '3' => esc_html__( 'Show 3 Terms', 'cubewp-framework' ),- '4' => esc_html__( 'Show 4 Terms', 'cubewp-framework' ),- '5' => esc_html__( 'Show 5 Terms', 'cubewp-framework' ),- '6' => esc_html__( 'Show 6 Terms', 'cubewp-framework' ),- '8' => esc_html__( 'Show 8 Terms', 'cubewp-framework' ),- '9' => esc_html__( 'Show 9 Terms', 'cubewp-framework' ),- '12' => esc_html__( 'Show 12 Terms', 'cubewp-framework' ),- '16' => esc_html__( 'Show 16 Terms', 'cubewp-framework' ),- '15' => esc_html__( 'Show 15 Terms', 'cubewp-framework' ),- '20' => esc_html__( 'Show 20 Terms', 'cubewp-framework' )+ '0' => esc_html__('All', 'cubewp-framework'),+ '2' => esc_html__('2', 'cubewp-framework'),+ '3' => esc_html__('3', 'cubewp-framework'),+ '4' => esc_html__('4', 'cubewp-framework'),+ '5' => esc_html__('5', 'cubewp-framework'),+ '6' => esc_html__('6', 'cubewp-framework'),+ '7' => esc_html__('7', 'cubewp-framework'),+ '8' => esc_html__('8', 'cubewp-framework'),+ '9' => esc_html__('9', 'cubewp-framework'),+ '12' => esc_html__('12', 'cubewp-framework'),+ '16' => esc_html__('16', 'cubewp-framework'),+ '15' => esc_html__('15', 'cubewp-framework'),+ '20' => esc_html__('20', 'cubewp-framework'),+ 'custom' => esc_html__('Custom', 'cubewp-framework'), ), 'default' => '0'- ) );- $this->add_control( 'output_style', apply_filters( 'cubewp_taxonomy_output_style_control_args', array(+ ));++ $this->add_control('custom_terms_count', array(+ 'type' => Controls_Manager::NUMBER,+ 'label' => esc_html__('Custom Terms Count', 'cubewp-framework'),+ 'description' => esc_html__('Enter number of terms to show. Works only if "No Of Terms To Show" is set to "Show Custom Number of Terms".', 'cubewp-framework'),+ 'default' => 5,+ 'min' => 1,+ 'condition' => array(+ 'terms_per_page' => 'custom',+ ),+ ));++ $this->cwp_get_output_style_controls();++ $this->add_responsive_control('layout_display', array( 'type' => Controls_Manager::SELECT,- 'label' => esc_html__( 'Select Output Style', 'cubewp-framework' ),+ 'label' => esc_html__('Layout Display', 'cubewp-framework'), 'options' => array(- 'boxed_view' => esc_html__( 'Boxed View', 'cubewp-framework' ),- 'list_view' => esc_html__( 'List View', 'cubewp-framework' ),+ 'grid' => esc_html__('Grid', 'cubewp-framework'),+ 'flex' => esc_html__('Flex', 'cubewp-framework'), ),- 'default' => 'boxed_view'- ) ) );- $this->add_control( 'icon_media_name', array(- 'type' => Controls_Manager::TEXT,- 'label' => esc_html__( 'Icon Or Image', 'cubewp-framework' ),- 'description' => esc_html__( 'Enter taxonomy custom field slug for term icon or image.', 'cubewp-framework' ),- 'condition' => array(- 'output_style' => 'boxed_view',+ 'default' => 'grid'+ ));+ $this->add_responsive_control('column_per_row', array(+ 'type' => Controls_Manager::SELECT,+ 'label' => esc_html__('Column Per Row', 'cubewp-framework'),+ 'options' => array(+ '1' => esc_html__('1', 'cubewp-framework'),+ '2' => esc_html__('2', 'cubewp-framework'),+ '3' => esc_html__('3', 'cubewp-framework'),+ '4' => esc_html__('4', 'cubewp-framework'),+ '5' => esc_html__('5', 'cubewp-framework'),+ '6' => esc_html__('6', 'cubewp-framework'),+ '7' => esc_html__('7', 'cubewp-framework'),+ '8' => esc_html__('8', 'cubewp-framework'),+ '9' => esc_html__('9', 'cubewp-framework'),+ '10' => esc_html__('10', 'cubewp-framework'),+ '11' => esc_html__('11', 'cubewp-framework'),+ '12' => esc_html__('12', 'cubewp-framework'),+ ),+ 'selectors' => array(+ '{{WRAPPER}} .cwp-taxonomy-terms' => 'display: grid ;grid-template-columns: repeat({{VALUE}}, 1fr);'+ ),+ 'default' => '4',+ 'condition' => array(+ 'layout_display' => 'grid', ),- ) );- $this->add_control( 'column_per_row', array(+ ));+ $this->add_responsive_control(+ 'terms_row_span',+ [+ 'type' => Controls_Manager::SELECT,+ 'label' => esc_html__('Terms Row', 'cubewp-framework'),+ 'options' => array(+ 'repeat(1, 1fr)' => esc_html__('1', 'cubewp-framework'),+ 'repeat(2, 1fr)' => esc_html__('2', 'cubewp-framework'),+ 'repeat(3, 1fr)' => esc_html__('3', 'cubewp-framework'),+ 'repeat(4, 1fr)' => esc_html__('4', 'cubewp-framework'),+ 'repeat(5, 1fr)' => esc_html__('5', 'cubewp-framework'),+ 'repeat(6, 1fr)' => esc_html__('6', 'cubewp-framework'),+ 'repeat(7, 1fr)' => esc_html__('7', 'cubewp-framework'),+ 'repeat(8, 1fr)' => esc_html__('8', 'cubewp-framework'),+ 'repeat(9, 1fr)' => esc_html__('9', 'cubewp-framework'),+ 'repeat(10, 1fr)' => esc_html__('10', 'cubewp-framework'),+ 'repeat(11, 1fr)' => esc_html__('11', 'cubewp-framework'),+ 'repeat(12, 1fr)' => esc_html__('12', 'cubewp-framework'),+ 'unset' => esc_html__('Auto', 'cubewp-framework'),+ ),+ 'selectors' => [+ '{{WRAPPER}} .cwp-taxonomy-terms' => 'display: grid; grid-template-rows: {{VALUE}};'+ ],+ 'default' => 'unset',+ 'condition' => [+ 'layout_display' => 'grid',+ ],+ ]+ );+ $this->add_responsive_control('flex_wrap', array(+ 'type' => Controls_Manager::SELECT,+ 'label' => esc_html__('Flex Wrap', 'cubewp-framework'),+ 'options' => array(+ 'wrap' => esc_html__('Wrap', 'cubewp-framework'),+ 'nowrap' => esc_html__('No Wrap', 'cubewp-framework'),+ ),+ 'selectors' => array(+ '{{WRAPPER}} .cwp-taxonomy-terms' => 'display: flex; flex-wrap: {{VALUE}};'+ ),+ 'default' => 'wrap',+ 'condition' => array(+ 'layout_display' => 'flex',+ ),+ ));+ $this->add_responsive_control('flex_justify', array( 'type' => Controls_Manager::SELECT,- 'label' => esc_html__( 'No Of Columns Per Row', 'cubewp-framework' ),+ 'label' => esc_html__('Flex Justify Content', 'cubewp-framework'), 'options' => array(- '1' => esc_html__( '1 Column Per Row', 'cubewp-framework' ),- '2' => esc_html__( '2 Columns Per Row', 'cubewp-framework' ),- '3' => esc_html__( '3 Columns Per Row', 'cubewp-framework' ),- '4' => esc_html__( '4 Columns Per Row', 'cubewp-framework' ),- '6' => esc_html__( '6 Columns Per Row', 'cubewp-framework' ),- '0' => esc_html__( 'Auto Adjust Columns Per Row', 'cubewp-framework' )- ),- 'default' => '4'- ) );- $this->add_control( 'child_terms', array(+ 'flex-start' => esc_html__('Start', 'cubewp-framework'),+ 'center' => esc_html__('Center', 'cubewp-framework'),+ 'flex-end' => esc_html__('End', 'cubewp-framework'),+ 'space-between' => esc_html__('Space Between', 'cubewp-framework'),+ 'space-around' => esc_html__('Space Around', 'cubewp-framework'),+ 'space-evenly' => esc_html__('Space Evenly', 'cubewp-framework'),+ ),+ 'selectors' => array(+ '{{WRAPPER}} .cwp-taxonomy-terms' => 'display: flex; justify-content: {{VALUE}};'+ ),+ 'default' => 'flex-start',+ 'condition' => array(+ 'layout_display' => 'flex',+ ),+ ));+ $this->add_responsive_control('flex_align_items', array(+ 'type' => Controls_Manager::SELECT,+ 'label' => esc_html__('Flex Align Items', 'cubewp-framework'),+ 'options' => array(+ 'stretch' => esc_html__('Stretch', 'cubewp-framework'),+ 'flex-start' => esc_html__('Start', 'cubewp-framework'),+ 'center' => esc_html__('Center', 'cubewp-framework'),+ 'flex-end' => esc_html__('End', 'cubewp-framework'),+ 'baseline' => esc_html__('Baseline', 'cubewp-framework'),+ ),+ 'selectors' => array(+ '{{WRAPPER}} .cwp-taxonomy-terms' => 'display: flex; align-items: {{VALUE}};'+ ),+ 'default' => 'stretch',+ 'condition' => array(+ 'layout_display' => 'flex',+ ),+ ));+ $this->add_responsive_control('flex_align_content', array(+ 'type' => Controls_Manager::SELECT,+ 'label' => esc_html__('Flex Align Content', 'cubewp-framework'),+ 'options' => array(+ 'stretch' => esc_html__('Stretch', 'cubewp-framework'),+ 'flex-start' => esc_html__('Start', 'cubewp-framework'),+ 'center' => esc_html__('Center', 'cubewp-framework'),+ 'flex-end' => esc_html__('End', 'cubewp-framework'),+ 'space-between' => esc_html__('Space Between', 'cubewp-framework'),+ 'space-around' => esc_html__('Space Around', 'cubewp-framework'),+ ),+ 'selectors' => array(+ '{{WRAPPER}} .cwp-taxonomy-terms' => 'display: flex; align-content: {{VALUE}};'+ ),+ 'default' => 'stretch',+ 'condition' => array(+ 'layout_display' => 'flex',+ 'flex_wrap' => 'wrap',+ ),+ ));+ $this->add_responsive_control(+ 'terms_gap',+ [+ 'label' => esc_html__('Gap Between Terms', 'cubewp-framework'),+ 'type' => Controls_Manager::GAPS,+ 'size_units' => ['px', '%', 'em', 'rem', 'vw', 'custom'],+ 'default' => [+ 'row' => 10,+ 'column' => 10,+ 'unit' => 'px',+ ],+ 'selectors' => [+ '{{WRAPPER}} .cwp-taxonomy-terms' => 'gap: {{ROW}}{{UNIT}} {{COLUMN}}{{UNIT}};',+ ],+ ]+ );++ $this->add_control('child_terms', array( 'type' => Controls_Manager::SWITCHER,- 'label' => esc_html__( 'Show Child Terms', 'cubewp-framework' ),+ 'label' => esc_html__('Show Child Terms', 'cubewp-framework'), 'default' => 'no'- ) );- $this->add_control( 'hide_empty', array(+ ));+ $this->add_control('hide_empty', array( 'type' => Controls_Manager::SWITCHER,- 'label' => esc_html__( 'Hide Empty Terms', 'cubewp-framework' ),+ 'label' => esc_html__('Hide Empty Terms', 'cubewp-framework'), 'default' => 'no'- ) );- $repeater = new Repeater();- $repeater->add_control( 'term_box_color', array(- 'label' => esc_html__( 'Color', 'cubewp-framework' ),- 'type' => Controls_Manager::COLOR,- 'selectors' => array(- '{{WRAPPER}} {{CURRENT_ITEM}}' => 'color: {{VALUE}}'- ),- 'label_block' => true,- ) );- $this->add_control( 'terms_box_color', array(- 'label' => esc_html__( 'Terms Box Color', 'cubewp-framework' ),- 'type' => Controls_Manager::REPEATER,- 'fields' => $repeater->get_controls(),- 'default' => array(- array(- 'term_box_color' => '#faf7d9',+ ));++ do_action('cubewp_taxonomy_widget_additional_controls', $this);+ $this->end_controls_section();+ $this->cwp_get_term_grids_controls();+ $this->cubewp_taxonomy_add_slider_controls();+ }++ private function cwp_get_output_style_controls()+ {+ $taxonomies = get_taxonomies(array(), 'objects');+ $options = array(+ 'boxed_view' => esc_html__('Boxed View', 'cubewp-framework'),+ 'list_view' => esc_html__('List View', 'cubewp-framework'),+ );+ foreach ($taxonomies as $taxonomy => $taxonomy_obj) {+ if (!is_object($taxonomy_obj) || !isset($taxonomy_obj->labels->name)) {+ continue;+ }+ $termcards = cwp_get_elemetor_termcards_by_type($taxonomy);+ if (!empty($termcards) && is_array($termcards)) {+ $options = array_merge($options, $termcards);+ }+ $label = $taxonomy_obj->labels->name;+ $this->add_control('output_style_' . $taxonomy, array(+ 'type' => Controls_Manager::SELECT,+ 'label' => esc_html__('Select Term Style for', 'cubewp-framework') . ' ' . esc_html($label),+ 'options' => $options,+ 'default' => 'boxed_view',+ 'condition' => array(+ 'taxonomy' => $taxonomy, ),- array(- 'term_box_color' => '#e1f0ee',+ ));+ $this->add_control('icon_media_name_' . $taxonomy, array(+ 'type' => Controls_Manager::TEXT,+ 'label' => esc_html__('Icon Or Image', 'cubewp-framework'),+ 'description' => esc_html__('Enter taxonomy custom field slug for term icon or image.', 'cubewp-framework'),+ 'condition' => array(+ 'taxonomy' => $taxonomy,+ 'output_style_' . $taxonomy => 'boxed_view', ),- array(- 'term_box_color' => '#fcece3',+ ));+ $repeater = new Repeater();+ $repeater->add_control('term_box_color', array(+ 'label' => esc_html__('Color', 'cubewp-framework'),+ 'type' => Controls_Manager::COLOR,+ 'selectors' => array(+ '{{WRAPPER}} {{CURRENT_ITEM}}' => 'color: {{VALUE}}' ),- array(- 'term_box_color' => '#e3effb',+ 'label_block' => true,+ ));+ $this->add_control('terms_box_color_' . $taxonomy, array(+ 'label' => esc_html__('Terms Box Color', 'cubewp-framework'),+ 'type' => Controls_Manager::REPEATER,+ 'fields' => $repeater->get_controls(),+ 'default' => array(+ array(+ 'term_box_color' => '#faf7d9',+ ),+ array(+ 'term_box_color' => '#e1f0ee',+ ),+ array(+ 'term_box_color' => '#fcece3',+ ),+ array(+ 'term_box_color' => '#e3effb',+ ),+ array(+ 'term_box_color' => '#ffeff7',+ ), ),- array(- 'term_box_color' => '#ffeff7',+ 'title_field' => '{{{ term_box_color }}}',+ 'refresh_preview' => true,+ 'condition' => array(+ 'taxonomy' => $taxonomy,+ 'output_style_' . $taxonomy => 'boxed_view', ),- ),- 'title_field' => '{{{ term_box_color }}}',- 'condition' => array(- 'output_style' => 'boxed_view',- ),- ) );- do_action( 'cubewp_taxonomy_widget_additional_controls', $this );+ ));+ }+ }++ private function cwp_get_term_grids_controls()+ {+ // Add new section for individual term grid settings+ $this->start_controls_section(+ 'per_term_grid_settings',+ [+ 'label' => esc_html__('Per Term Grid Settings', 'cubewp-framework'),+ 'tab' => Controls_Manager::TAB_CONTENT,+ 'condition' => [+ 'layout_display' => 'grid',+ ],+ ]+ );++ $this->add_control(+ 'enable_per_term_grid',+ [+ 'label' => esc_html__('Enable Per Term Grid Settings', 'cubewp-framework'),+ 'type' => Controls_Manager::SWITCHER,+ 'label_on' => esc_html__('Yes', 'cubewp-framework'),+ 'label_off' => esc_html__('No', 'cubewp-framework'),+ 'return_value' => 'yes',+ 'default' => 'no',+ 'condition' => [+ 'layout_display' => 'grid',+ ],+ ]+ );+ // Add helper HTML below+ $this->add_control(+ 'grid_guide_note',+ [+ 'type' => Controls_Manager::RAW_HTML,+ 'raw' => __(+ '<div style="padding: 10px;color: #2a7607; border-left: 3px solid #2271b1; background: #f0f6fc; margin-top: 10px;">+ <strong>Need help creating grid structure?</strong><br>+ Use this free CSS Grid Generator: + <a href="https://cssgridgenerator.io/" target="_blank" style="color:#2271b1; text-decoration:underline;">+ cssgridgenerator.io+ </a>+ </div>',+ 'cubewp-framework'+ ),+ 'content_classes' => 'cwp-info-box',+ 'condition' => [+ 'layout_display' => 'grid',+ ],+ ]+ );+ $repeater = new Repeater();++ $repeater->add_control(+ 'term_position',+ [+ 'label' => esc_html__('Term Position', 'cubewp-framework'),+ 'type' => Controls_Manager::NUMBER,+ 'min' => 1,+ 'max' => 100,+ 'step' => 1,+ 'description' => esc_html__('Which term number to apply these settings to (1 for first term, 2 for second, etc.)', 'cubewp-framework'),+ ]+ );++ $repeater->add_responsive_control(+ 'column_span',+ [+ 'label' => esc_html__('Column Span', 'cubewp-framework'),+ 'type' => Controls_Manager::SELECT,+ 'options' => [+ '1' => '1',+ '2' => '2',+ '3' => '3',+ '4' => '4',+ '5' => '5',+ '6' => '6',+ '7' => '7',+ '8' => '8',+ '9' => '9',+ '10' => '10',+ '11' => '11',+ '12' => '12',+ 'full' => esc_html__('Full Width', 'cubewp-framework'),+ ],+ 'default' => '1',+ 'selectors' => [+ '{{WRAPPER}} .cwp-taxonomy-terms .cwp-taxonomy-term:nth-child({{term_position.VALUE}})' => 'grid-column: span {{VALUE}};',+ ],+ ]+ );++ $repeater->add_responsive_control(+ 'row_span',+ [+ 'label' => esc_html__('Row Span', 'cubewp-framework'),+ 'type' => Controls_Manager::SELECT,+ 'options' => [+ '1' => esc_html__('1', 'cubewp-framework'),+ '2' => esc_html__('2', 'cubewp-framework'),+ '3' => esc_html__('3', 'cubewp-framework'),+ '4' => esc_html__('4', 'cubewp-framework'),+ '5' => esc_html__('5', 'cubewp-framework'),+ '6' => esc_html__('6', 'cubewp-framework'),+ '7' => esc_html__('7', 'cubewp-framework'),+ '8' => esc_html__('8', 'cubewp-framework'),+ '9' => esc_html__('9', 'cubewp-framework'),+ '10' => esc_html__('10', 'cubewp-framework'),+ '11' => esc_html__('11', 'cubewp-framework'),+ '12' => esc_html__('12', 'cubewp-framework'),+ ],+ 'default' => '1',+ 'selectors' => [+ '{{WRAPPER}} .cwp-taxonomy-terms .cwp-taxonomy-term:nth-child({{term_position}})' => 'grid-row: span {{VALUE}};',+ ],+ ]+ );+ $repeater->add_responsive_control(+ 'row_span_start',+ [+ 'label' => esc_html__('Row Span Start', 'cubewp-framework'),+ 'type' => Controls_Manager::SELECT,+ 'options' => [+ '1' => esc_html__('1', 'cubewp-framework'),+ '2' => esc_html__('2', 'cubewp-framework'),+ '3' => esc_html__('3', 'cubewp-framework'),+ '4' => esc_html__('4', 'cubewp-framework'),+ '5' => esc_html__('5', 'cubewp-framework'),+ '6' => esc_html__('6', 'cubewp-framework'),+ '7' => esc_html__('7', 'cubewp-framework'),+ '8' => esc_html__('8', 'cubewp-framework'),+ '9' => esc_html__('9', 'cubewp-framework'),+ '10' => esc_html__('10', 'cubewp-framework'),+ '11' => esc_html__('11', 'cubewp-framework'),+ '12' => esc_html__('12', 'cubewp-framework'),+ ],+ 'default' => '1',+ ]+ );++ $repeater->add_responsive_control(+ 'column_span_start',+ [+ 'label' => esc_html__('Column Span Start', 'cubewp-framework'),+ 'type' => Controls_Manager::SELECT,+ 'options' => [+ '1' => esc_html__('1', 'cubewp-framework'),+ '2' => esc_html__('2', 'cubewp-framework'),+ '3' => esc_html__('3', 'cubewp-framework'),+ '4' => esc_html__('4', 'cubewp-framework'),+ '5' => esc_html__('5', 'cubewp-framework'),+ '6' => esc_html__('6', 'cubewp-framework'),+ '7' => esc_html__('7', 'cubewp-framework'),+ '8' => esc_html__('8', 'cubewp-framework'),+ '9' => esc_html__('9', 'cubewp-framework'),+ '10' => esc_html__('10', 'cubewp-framework'),+ '11' => esc_html__('11', 'cubewp-framework'),+ '12' => esc_html__('12', 'cubewp-framework'),+ ],+ 'default' => '1',+ ]+ );+ $repeater->add_responsive_control(+ 'custom_margin',+ [+ 'label' => esc_html__('Custom Margin', 'cubewp-framework'),+ 'type' => Controls_Manager::DIMENSIONS,+ 'size_units' => ['px', '%', 'em'],+ 'selectors' => [+ '{{WRAPPER}} .cwp-taxonomy-terms .cwp-taxonomy-term:nth-child({{term_position}})' => 'margin: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+ ],+ ]+ );++ $repeater->add_responsive_control(+ 'custom_padding',+ [+ 'label' => esc_html__('Custom Padding', 'cubewp-framework'),+ 'type' => Controls_Manager::DIMENSIONS,+ 'size_units' => ['px', '%', 'em'],+ 'selectors' => [+ '{{WRAPPER}} .cwp-taxonomy-terms .cwp-taxonomy-term:nth-child({{term_position}}) .cwp-taxonomy-term-box' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}};',+ ],+ ]+ );++ $repeater->add_control(+ 'custom_width',+ [+ 'label' => esc_html__('Custom Width', 'cubewp-framework'),+ 'type' => Controls_Manager::SLIDER,+ 'size_units' => ['px', '%'],+ 'range' => [+ 'px' => [+ 'min' => 0,+ 'max' => 1000,+ 'step' => 5,+ ],+ '%' => [+ 'min' => 0,+ 'max' => 100,+ ],+ ],+ 'selectors' => [+ '{{WRAPPER}} .cwp-taxonomy-terms .cwp-taxonomy-term:nth-child({{term_position}})' => 'width: {{SIZE}}{{UNIT}};',+ ],+ ]+ );++ $repeater->add_control(+ 'custom_height',+ [+ 'label' => esc_html__('Custom Height', 'cubewp-framework'),+ 'type' => Controls_Manager::SLIDER,+ 'size_units' => ['px'],+ 'range' => [+ 'px' => [+ 'min' => 0,+ 'max' => 1000,+ 'step' => 5,+ ],+ ],+ 'selectors' => [+ '{{WRAPPER}} .cwp-taxonomy-terms .cwp-taxonomy-term:nth-child({{term_position}}) .cwp-taxonomy-term-box' => 'height: {{SIZE}}{{UNIT}};',+ ],+ ]+ );++ $this->add_control(+ 'term_grid_settings',+ [+ 'label' => esc_html__('Individual Term Grid Settings', 'cubewp-framework'),+ 'type' => Controls_Manager::REPEATER,+ 'fields' => $repeater->get_controls(),+ 'title_field' => 'Term #{{{ term_position }}}',+ 'condition' => [+ 'layout_display' => 'grid',+ 'enable_per_term_grid' => 'yes',+ ],+ ]+ );+ $this->end_controls_section(); }- + public function cwp_get_taxonomies_label($taxonomies) { $taxonomy_labels = array();@@ -174,20 +605,1730 @@ } return $taxonomy_labels; }- - protected function render() {++ protected function render()+ { $settings = $this->get_settings_for_display();- $args = array(- 'taxonomy' => $settings['taxonomy'],- 'terms_per_page' => $settings['terms_per_page'],- 'output_style' => $settings['output_style'],- 'child_terms' => $settings['child_terms'],- 'hide_empty' => $settings['hide_empty'],- 'icon_media_name' => $settings['icon_media_name'],- 'column_per_row' => $settings['column_per_row'],- 'terms_box_color' => $settings['terms_box_color']+ if (isset($settings['terms_per_page']) && $settings['terms_per_page'] === 'custom' && isset($settings['custom_terms_count']) && is_numeric($settings['custom_terms_count']) && $settings['custom_terms_count'] > 0) {+ $settings['terms_per_page'] = intval($settings['custom_terms_count']);+ }+ $taxonomies = get_taxonomies();+ foreach ($taxonomies as $taxonomy) {+ if (isset($settings['taxonomy']) && $settings['taxonomy'] == $taxonomy && isset($settings['output_style_' . $taxonomy])) {+ $settings['output_style'] = $settings['output_style_' . $taxonomy];+ $settings['icon_media_name'] = isset($settings['icon_media_name_' . $taxonomy]) ? $settings['icon_media_name_' . $taxonomy] : '';+ $settings['terms_box_color'] = isset($settings['terms_box_color_' . $taxonomy]) ? $settings['terms_box_color_' . $taxonomy] : array();+ }+ }+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo apply_filters('cubewp_shortcode_taxonomy_output', '', $settings);+ }++ private function cubewp_taxonomy_add_slider_controls()+ {+ $this->start_controls_section(+ 'slider_style_section',+ [+ 'label' => esc_html__('Terms Slider', 'cubewp-framework'),+ 'tab' => \Elementor\Controls_Manager::TAB_CONTENT,+ ]+ );++ $this->add_control(+ 'cwp_enable_slider',+ [+ 'label' => esc_html__('Enable Slider', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label_on' => esc_html__('Yes', 'cubewp-framework'),+ 'label_off' => esc_html__('No', 'cubewp-framework'),+ 'return_value' => 'yes',+ 'default' => '',+ ]+ );+++ $this->add_responsive_control(+ 'slider_post_spacing',+ [+ 'label' => esc_html__('Post Spacing', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::DIMENSIONS,+ 'size_units' => ['px', 'em', '%'],+ 'selectors' => [+ '{{WRAPPER}} .cubewp-term-slider .slick-slide>div ' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}} !important;',+ '{{WRAPPER}} .cwp-taxonomy-terms>div' => 'padding: {{TOP}}{{UNIT}} {{RIGHT}}{{UNIT}} {{BOTTOM}}{{UNIT}} {{LEFT}}{{UNIT}} !important;',+ ]+ ]+ );++ $this->add_control('slides_to_show', array(+ 'type' => \Elementor\Controls_Manager::NUMBER,+ 'label' => esc_html__('Slides To Show', 'cubewp-framework'),+ 'default' => 3,+ 'min' => 1,+ 'max' => 10,+ 'step' => 1,+ 'description' => esc_html__('Number of slides to show at once in the slider.', 'cubewp-framework'),+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ));++ $this->add_control(+ 'slides_to_scroll',+ [+ 'type' => \Elementor\Controls_Manager::NUMBER,+ 'label' => esc_html__('Slides To Scroll', 'cubewp-framework'),+ 'default' => 1,+ 'min' => 1,+ 'max' => 10,+ 'step' => 1,+ 'description' => esc_html__('Number of slides to scroll at once in the slider.', 'cubewp-framework'),+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'autoplay',+ [+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label' => esc_html__('Autoplay', 'cubewp-framework'),+ 'default' => 'yes',+ 'description' => esc_html__('Enable or disable autoplay for the slider.', 'cubewp-framework'),+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'autoplay_speed',+ [+ 'type' => \Elementor\Controls_Manager::NUMBER,+ 'label' => esc_html__('Autoplay Speed (ms)', 'cubewp-framework'),+ 'default' => 2000,+ 'min' => 0,+ 'step' => 500,+ 'description' => esc_html__('Set the speed for autoplay in milliseconds.', 'cubewp-framework'),+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ 'autoplay' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'speed',+ [+ 'type' => \Elementor\Controls_Manager::NUMBER,+ 'label' => esc_html__('Speed (ms)', 'cubewp-framework'),+ 'default' => 500,+ 'min' => 0,+ 'step' => 100,+ 'description' => esc_html__('Set the speed for the slider transition in milliseconds.', 'cubewp-framework'),+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'fade_effect',+ [+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label' => esc_html__('Fade Effect', 'cubewp-framework'),+ 'default' => '',+ 'description' => esc_html__('Enable fade effect for slides transition.', 'cubewp-framework'),+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'infinite',+ [+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label' => esc_html__('Infinite Loop', 'cubewp-framework'),+ 'default' => 'yes',+ 'description' => esc_html__('Enable or disable infinite loop for the slider.', 'cubewp-framework'),+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'variable_width',+ [+ 'label' => __('Variable Width', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label_on' => __('Yes', 'cubewp-framework'),+ 'label_off' => __('No', 'cubewp-framework'),+ 'return_value' => 'yes',+ 'default' => 'no',+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'overflow_setting',+ [+ 'label' => esc_html__('Overflow Setting', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ 'selectors' => [+ '{{WRAPPER}} .cubewp-term-slider .slick-list.draggable' => 'overflow: inherit;',+ ],+ ]+ );++ $this->add_control(+ 'enable_progress_bar',+ [+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label' => esc_html__('Enable Progress Bar', 'cubewp-framework'),+ 'default' => '',+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ]+ );++ $this->add_responsive_control(+ 'progress_bar_height',+ [+ 'label' => esc_html__('Progress Bar Height', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::SLIDER,+ 'size_units' => ['px'],+ 'range' => [+ 'px' => [+ 'min' => 1,+ 'max' => 50,+ 'step' => 1,+ ],+ ],+ 'default' => [+ 'unit' => 'px',+ 'size' => 5,+ ],+ 'selectors' => [+ '{{WRAPPER}} .slick-progress, {{WRAPPER}} .slick-progress .slick-progress-bar' => 'height: {{SIZE}}{{UNIT}};',+ ],+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ 'enable_progress_bar' => 'yes',+ ],+ ]+ );++ $this->add_responsive_control(+ 'progress_bar_back_color',+ [+ 'label' => esc_html__('Progress Bar Background Color', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::COLOR,+ 'default' => '#000000',+ 'selectors' => [+ '{{WRAPPER}} .slick-progress' => 'background-color: {{VALUE}};',+ ],+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ 'enable_progress_bar' => 'yes',+ ],+ ]+ );++ $this->add_responsive_control(+ 'progress_bar_color',+ [+ 'label' => esc_html__('Progress Bar Fill Color', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::COLOR,+ 'default' => '#ddd',+ 'selectors' => [+ '{{WRAPPER}} .slick-progress .slick-progress-bar' => 'background-color: {{VALUE}};',+ ],+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ 'enable_progress_bar' => 'yes',+ ],+ ]+ );++ $this->add_responsive_control(+ 'scroll_bar_margin_top',+ [+ 'label' => esc_html__('Progress Bar Margin Top', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::SLIDER,+ 'range' => [+ 'px' => [+ 'min' => -100,+ 'max' => 100,+ 'step' => 1,+ ],+ ],+ 'default' => [+ 'size' => '',+ 'unit' => 'px',+ ],+ 'selectors' => [+ '{{WRAPPER}} .slick-progress' => 'margin-top: {{SIZE}}px;',+ ],+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ 'enable_progress_bar' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'slider_dots_arrow_settings_divider',+ [+ 'type' => \Elementor\Controls_Manager::DIVIDER,+ 'style' => 'thick',+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'custom_arrows',+ [+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label' => esc_html__('Enable Arrows', 'cubewp-framework'),+ 'default' => 'yes',+ 'condition' => [+ 'cwp_enable_slider' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'prev_icon',+ [+ 'label' => __('Previous Icon', 'cubewp-framework'),
Let me analyze the provided diff for security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
XSS (Cross-Site Scripting) - CWE-79 - class-cubewp-elementor-taxonomy-widget.php - Line 627
Old Code:
```php
echo apply_filters('cubewp_shortcode_taxonomy_output', '', $settings);
```
Fixed Code:
```php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp_shortcode_taxonomy_output', '', $settings);
```
Explanation:
This line has a potential XSS vulnerability. The output from `apply_filters()` is echoed directly without any escaping. Although a `phpcs:ignore` comment was added, this is NOT a security fix—it's actually masking the vulnerability from code analysis tools. The filter `cubewp_shortcode_taxonomy_output` could return unescaped HTML/JavaScript from untrusted sources or user input. Proper security fixes would require using `wp_kses_post()`, `esc_html()`, or ensuring the filter always returns sanitized content. Simply suppressing the warning does not fix the underlying XSS risk.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-elementor-taxonomy-widget.php - Line 619-620
Old Code:
```php
$args = array(
'taxonomy' => $settings['taxonomy'],
```
Fixed Code:
```php
if (isset($settings['terms_per_page']) && $settings['terms_per_page'] === 'custom' && isset($settings['custom_terms_count']) && is_numeric($settings['custom_terms_count']) && $settings['custom_terms_count'] > 0) {
$settings['terms_per_page'] = intval($settings['custom_terms_count']);
}
```
Explanation:
While the new validation for `custom_terms_count` is an improvement, the critical issue is that `$settings['taxonomy']` is used directly without any validation or sanitization. The taxonomy value comes from user-controllable settings and should be validated against the list of registered taxonomies using `taxonomy_exists()` before being used in WordPress functions like `get_term_by()`. This could lead to injection attacks or information disclosure.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
Potential Information Disclosure - CWE-200 - class-cubewp-elementor-taxonomy-widget.php - Lines 621-626
Old Code:
```php
$args = array(
'taxonomy' => $settings['taxonomy'],
'terms_per_page' => $settings['terms_per_page'],
'output_style' => $settings['output_style'],
'child_terms' => $settings['child_terms'],
'hide_empty' => $settings['hide_empty'],
'icon_media_name' => $settings['icon_media_name'],
'column_per_row' => $settings['column_per_row'],
'terms_box_color' => $settings['terms_box_color']
);
```
Fixed Code:
```php
$taxonomies = get_taxonomies();
foreach ($taxonomies as $taxonomy) {
if (isset($settings['taxonomy']) && $settings['taxonomy'] == $taxonomy && isset($settings['output_style_' . $taxonomy])) {
$settings['output_style'] = $settings['output_style_' . $taxonomy];
$settings['icon_media_name'] = isset($settings['icon_media_name_' . $taxonomy]) ? $settings['icon_media_name_' . $taxonomy] : '';
$settings['terms_box_color'] = isset($settings['terms_box_color_' . $taxonomy]) ? $settings['terms_box_color_' . $taxonomy] : array();
}
}
```
Explanation:
The new code dynamically constructs setting keys using taxonomy names (e.g., `'output_style_' . $taxonomy`). While this provides better taxonomy-specific handling, it introduces complexity that could mask validation issues. However, the use of `isset()` checks provides some protection. The uncertainty stems from the shift in how settings are accessed—the original hardcoded settings approach had clearer boundaries than this dynamic key construction, though the new approach may actually be safer if all taxonomy values are properly validated upstream.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/vc-elements/class-cubewp-vc-posts-widget.php 2026-01-18 00:20:47.485236536 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/vc-elements/class-cubewp-vc-posts-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -142,8 +142,8 @@ "heading" => esc_html__( "Show Posts", "cubewp-framework" ), 'save_always' => true, 'value' => array(- esc_html__( "By Taxonomy" ) => "taxonomy",- esc_html__( "By IDs" ) => "post_ids"+ esc_html__( "By Taxonomy", "cubewp-framework" ) => "taxonomy",+ esc_html__( "By IDs", "cubewp-framework" ) => "post_ids" ), 'dependency' => array( 'element' => 'posttype',@@ -254,6 +254,7 @@ } } + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters( 'cubewp_shortcode_posts_output','', $args ); } }\ No newline at end of file
Vulnerability Existed: no
[Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] - [CWE-79] - [cube/classes/page-builders/vc-elements/class-cubewp-vc-posts-widget.php] [Lines 257]
Old Code:
```
echo apply_filters( 'cubewp_shortcode_posts_output','', $args );
```
Fixed Code:
```
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters( 'cubewp_shortcode_posts_output','', $args );
```
Explanation:
The addition of the `phpcs:ignore` comment does not actually fix a security vulnerability—it merely suppresses a WordPress security linter warning. The underlying code still echoes the result of `apply_filters()` without escaping. However, the vulnerability was not introduced in this diff; it existed before. The diff does not remediate the XSS risk; it only acknowledges it via a linter suppression comment. If the filter is expected to return safe HTML (intentionally), this approach may be acceptable in context, but technically the output remains unescaped. This is a code quality change rather than a security fix.
---
Vulnerability Existed: no
[No Vulnerability] - [N/A] - [cube/classes/page-builders/vc-elements/class-cubewp-vc-posts-widget.php] [Lines 145-146]
Old Code:
```
esc_html__( "By Taxonomy" ) => "taxonomy",
esc_html__( "By IDs" ) => "post_ids"
```
Fixed Code:
```
esc_html__( "By Taxonomy", "cubewp-framework" ) => "taxonomy",
esc_html__( "By IDs", "cubewp-framework" ) => "post_ids"
```
Explanation:
This change adds the missing text domain parameter to the `esc_html__()` function calls. While not a security vulnerability fix, this is a best-practice improvement for WordPress localization. The strings will now be properly translatable with the correct text domain. The original code was functionally safe from a security perspective but incomplete for proper i18n support.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/page-builders/vc-elements/class-cubewp-vc-taxonomy-widget.php 2026-01-18 00:20:47.485236536 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/page-builders/vc-elements/class-cubewp-vc-taxonomy-widget.php 2026-01-18 00:20:56.201778099 +0000@@ -147,6 +147,7 @@ 'terms_box_color' => $terms_box_color ); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters( 'cubewp_shortcode_taxonomy_output', '', $args ); } }\ No newline at end of file
``` Vulnerability Existed: no Output Escaping Concern - CWE-79 (Cross-site Scripting) - class-cubewp-vc-taxonomy-widget.php - Line 150 Old Code: echo apply_filters( 'cubewp_shortcode_taxonomy_output', '', $args ); Fixed Code: // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters( 'cubewp_shortcode_taxonomy_output', '', $args ); Explanation: This diff does not represent a security fix but rather a suppression of a WordPress coding standards warning. The addition of the phpcs:ignore comment tells the WordPress security scanner to ignore the "OutputNotEscaped" warning for this line. This is not a code change that removes a vulnerability—it's a directive that suppresses a linter warning without modifying the actual code logic. The vulnerability concern (potential XSS via unescaped filter output) continues to exist in the code. Whether this is truly vulnerable depends on whether the filter 'cubewp_shortcode_taxonomy_output' is guaranteed to return properly escaped content by its implementation. The phpcs:ignore suggests the developers believe the output is safe, but this is a suppression rather than an actual security fix. ```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/shortcodes/class-cubewp-shortcode-posts.php 2026-01-18 00:20:47.485236536 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/shortcodes/class-cubewp-shortcode-posts.php 2026-01-18 00:20:56.205778347 +0000@@ -1,10 +1,19 @@ <?php+/**+ * CubeWp Posts Shortcode.+ *+ * @version 1.0+ * @package cubewp/cube/classes+ */++// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ defined('ABSPATH') || exit; /**- * CubeWP Posts Shortcode.+ * CubeWp Shortcode Posts. *- * @class CubeWp_Frontend_Posts_Shortcode+ * @class CubeWp_Shortcode_Posts */ class CubeWp_Shortcode_Posts {@@ -17,6 +26,14 @@ new CubeWp_Ajax('wp_ajax_nopriv_', 'CubeWp_Shortcode_Posts', 'cubewp_posts_output'); add_action('wp_enqueue_scripts', [$this, 'cubewp_enqueue_slick_for_elementor'], 999); add_action('elementor/editor/after_enqueue_scripts', [$this, 'cubewp_enqueue_slick_for_elementor']);++ // Cache invalidation hooks+ add_action('save_post', array($this, 'clear_posts_cache'), 10, 1);+ add_action('delete_post', array($this, 'clear_posts_cache'), 10, 1);+ add_action('wp_trash_post', array($this, 'clear_posts_cache'), 10, 1);+ add_action('untrash_post', array($this, 'clear_posts_cache'), 10, 1);+ add_action('elementor/document/before_save', array($this, 'clear_elementor_cache'), 10, 2);+ add_action('elementor/document/after_save', array($this, 'clear_elementor_cache'), 10, 2); } public static function cubewp_posts($output, array $parameters)@@ -26,10 +43,17 @@ CubeWp_Enqueue::enqueue_style('cubewp-slick'); CubeWp_Enqueue::enqueue_script('cubewp-slick'); }- if (cubewp_is_elementor_editing()) {++ $load_via_ajax = isset($parameters['load_via_ajax']) ? $parameters['load_via_ajax'] : 'yes';+ if ($load_via_ajax !== 'yes' || cubewp_is_elementor_editing()) { return self::cubewp_posts_output($parameters); } + $is_load_more = isset($parameters['load_more']) && $parameters['load_more'] === 'yes';+ if ($is_load_more) {+ CubeWp_Enqueue::enqueue_script('cwp-load-more');+ }+ $slides_to_show = isset($parameters['slides_to_show']) ? intval($parameters['slides_to_show']) : 3; $slides_to_show_tablet = isset($parameters['slides_to_show_tablet']) ? intval($parameters['slides_to_show_tablet']) : 2; $slides_to_show_mobile = isset($parameters['slides_to_show_mobile']) ? intval($parameters['slides_to_show_mobile']) : 1;@@ -38,8 +62,8 @@ $posts_per_row = isset($parameters['posts_per_row']) ? $parameters['posts_per_row'] : 'auto'; $posts_per_row_tablet = (isset($parameters['posts_per_row_tablet']) && $parameters['posts_per_row_tablet'] !== 'auto') ? $parameters['posts_per_row_tablet'] : 3; $posts_per_row_mobile = (isset($parameters['posts_per_row_mobile']) && $parameters['posts_per_row_mobile'] !== 'auto') ? $parameters['posts_per_row_mobile'] : 2;- - if($cwp_enable_slider){++ if ($cwp_enable_slider) { $processing_grids_per_row = $slides_to_show; $posts_per_row_tablet = $slides_to_show_tablet; $posts_per_row_mobile = $slides_to_show_mobile;@@ -55,7 +79,9 @@ $unique_id = uniqid('cubewp_posts_'); // Container start- $output .= '<div id="' . esc_attr($unique_id) . '" class="cubewp-ajax-posts-container" data-parameters="' . htmlspecialchars(json_encode($parameters), ENT_QUOTES, 'UTF-8') . '">+ $params_with_nonce = $parameters;+ $params_with_nonce['nonce'] = wp_create_nonce('cubewp_posts_output');+ $output .= '<div id="' . esc_attr($unique_id) . '" class="cubewp-ajax-posts-container" data-parameters="' . htmlspecialchars(json_encode($params_with_nonce), ENT_QUOTES, 'UTF-8') . '"> <div class="cubewp-processing-posts-container" style="display: flex; flex-wrap: wrap; gap: 10px;">'; for ($i = 0; $i < $processing_grid_count; $i++) {@@ -112,8 +138,35 @@ public static function cubewp_posts_output($parameters) {- if (wp_doing_ajax() && isset($_REQUEST['action']) && $_REQUEST['action'] === 'cubewp_posts_output' && !cubewp_is_elementor_editing()) {- $parameters = $_POST;+ if (wp_doing_ajax() && !cubewp_is_elementor_editing()) {+ check_ajax_referer('cubewp_posts_output', 'nonce');+ $parameters = isset($_POST) ? wp_unslash($_POST) : array();+ }++ // Check if cache is enabled+ $cache_enabled = self::is_cache_enabled();++ // Check cache first (skip cache for AJAX requests, load more requests, and Elementor editor)+ $is_ajax_request = wp_doing_ajax();+ $is_load_more = isset($parameters['load_more']) && $parameters['load_more'] === 'yes';+ $skip_cache = $is_ajax_request || $is_load_more || cubewp_is_elementor_editing() || !$cache_enabled;++ $loadbyclick = true;+ if (isset($parameters['sendby']) && $parameters['sendby'] === 'load_more') {+ $loadbyclick = false;+ }++ if (!$skip_cache) {+ $cache_key = self::get_cache_key($parameters);+ $cached_content = self::get_cache($cache_key);++ if ($cached_content !== false) {+ // Return cached content+ if (is_array($cached_content)) {+ return $cached_content['content'] . (isset($cached_content['load_btn']) ? $cached_content['load_btn'] : '');+ }+ return $cached_content;+ } } $cwp_enable_slider = isset($parameters['cwp_enable_slider']) ? $parameters['cwp_enable_slider'] : '';@@ -131,13 +184,13 @@ $autoplay = isset($parameters['autoplay']) ? $parameters['autoplay'] : 'false'; $autoplay_speed = isset($parameters['autoplay_speed']) ? intval($parameters['autoplay_speed']) : 2000; $speed = isset($parameters['speed']) ? intval($parameters['speed']) : 500;- $infinite = (isset($parameters['infinite']) && $parameters['infinite'] === 'true') ? 'true' : 'false';- $fade_effect = (isset($parameters['fade_effect']) && $parameters['fade_effect'] === 'true') ? 'true' : 'false';- $variable_width = (isset($parameters['variable_width']) && $parameters['variable_width'] === 'true') ? 'true' : 'false';- $custom_arrows = (isset($parameters['custom_arrows']) && $parameters['custom_arrows'] === 'true') ? 'true' : 'false';- $enable_progress_bar = (isset($parameters['enable_progress_bar']) && $parameters['enable_progress_bar'] === 'true') ? 'true' : 'false';- $custom_dots = (isset($parameters['custom_dots']) && $parameters['custom_dots'] === 'true') ? 'true' : 'false';- $enable_wrap_dots_arrows = (isset($parameters['enable_wrap_dots_arrows']) && $parameters['enable_wrap_dots_arrows'] === 'true') ? 'true' : 'false';+ $infinite = (isset($parameters['infinite']) && $parameters['infinite'] === true) ? 'true' : 'false';+ $fade_effect = (isset($parameters['fade_effect']) && $parameters['fade_effect'] === true) ? 'true' : 'false';+ $variable_width = (isset($parameters['variable_width']) && $parameters['variable_width'] === true) ? 'true' : 'false';+ $custom_arrows = (isset($parameters['custom_arrows']) && $parameters['custom_arrows'] === true) ? 'true' : 'false';+ $enable_progress_bar = (isset($parameters['enable_progress_bar']) && $parameters['enable_progress_bar'] === true) ? 'true' : 'false';+ $custom_dots = (isset($parameters['custom_dots']) && $parameters['custom_dots'] === true) ? 'true' : 'false';+ $enable_wrap_dots_arrows = (isset($parameters['enable_wrap_dots_arrows']) && $parameters['enable_wrap_dots_arrows'] === true) ? 'true' : 'false'; } $promotional_card = $parameters['promotional_card']; $promotional_card_list = $parameters['promotional_cards'];@@ -147,10 +200,10 @@ 'orderby' => $parameters['orderby'], 'order' => $parameters['order'], 'page_num' => 1,- 'meta_query' => isset($parameters['meta_query']) ? $parameters['meta_query'] : array(),+ 'meta_query' => isset($parameters['meta_query']) ? $parameters['meta_query'] : array(), // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query ); - if (isset($parameters['number_of_posts']) && $parameters['number_of_posts'] !== '') {+ if (isset($parameters['number_of_posts']) && $parameters['number_of_posts'] !== '' && intval($parameters['number_of_posts']) !== -1) { $args['posts_per_page'] = intval($parameters['number_of_posts']); } elseif (isset($parameters['posts_per_page']) && $parameters['posts_per_page'] !== '') { $args['posts_per_page'] = intval($parameters['posts_per_page']);@@ -237,15 +290,24 @@ $container_open = '<div class="cubewp-posts-shortcode cwp-row ' . esc_attr($slider_class) . '"'; if ($cwp_enable_slider) { - $prev_icon = self::cubewp_get_svg_content($prev_icon);- $next_icon = self::cubewp_get_svg_content($next_icon);+ $prev_icon = cubewp_get_svg_content($prev_icon);+ $next_icon = cubewp_get_svg_content($next_icon); - $is_prev_svg = strpos(trim($prev_icon), '<svg') === 0;- $is_next_svg = strpos(trim($next_icon), '<svg') === 0;+ // Ensure icons are strings (handle any edge cases - should not be needed after fix, but safety check)+ if (is_array($prev_icon)) {+ $prev_icon = isset($prev_icon['value']) ? $prev_icon['value'] : (isset($prev_icon['url']) ? $prev_icon['url'] : '');+ }+ if (is_array($next_icon)) {+ $next_icon = isset($next_icon['value']) ? $next_icon['value'] : (isset($next_icon['url']) ? $next_icon['url'] : '');+ }+ $prev_icon = is_string($prev_icon) ? $prev_icon : '';+ $next_icon = is_string($next_icon) ? $next_icon : ''; - if ($is_prev_svg) {+ $is_prev_svg = (is_string($prev_icon) && strpos(trim($prev_icon), '<svg') === 0);+ $is_next_svg = (is_string($next_icon) && strpos(trim($next_icon), '<svg') === 0); - $container_open .= " data-prev-arrow-svg='" . $prev_icon . "'";+ if ($is_prev_svg) {+ $container_open .= " data-prev-arrow-svg='" . esc_attr($prev_icon) . "'"; $container_open .= ' data-is-prev-svg="true"'; } else { $container_open .= ' data-prev-arrow="' . esc_attr($prev_icon) . '"';@@ -253,7 +315,7 @@ } if ($is_next_svg) {- $container_open .= " data-next-arrow-svg='" . $next_icon . "'";+ $container_open .= " data-next-arrow-svg='" . esc_attr($next_icon) . "'"; $container_open .= ' data-is-next-svg="true"'; } else { $container_open .= ' data-next-arrow="' . esc_attr($next_icon) . '"';@@ -287,13 +349,18 @@ $counter = 1; $has_more_posts = false; if ($posts->have_posts()) {+ global $post; if ($posts_row_class) { add_filter('post_class', function ($classes) use ($posts_row_class) { $classes[] = $posts_row_class; return $classes; }); }- $post_markup = $container_open;+ if ($loadbyclick) {+ $post_markup = $container_open;+ } else {+ $post_markup = '';+ } $promotional_cards = []; if ($promotional_card && !empty($promotional_card_list) && is_array($promotional_card_list)) { foreach ($promotional_card_list as $promotional_card) {@@ -342,35 +409,66 @@ endwhile; } if (isset($parameters['load_more']) && $parameters['load_more'] == 'yes') {- if (isset($parameters['page_num'])) {- $parameters['page_num'] = $parameters['page_num'] + 1;- } else {- $parameters['page_num'] = 2;- }- $has_more_posts = $args['page_num'] < $posts->max_num_pages;++ // Get current page number for pagination check+ $current_page = isset($parameters['page_num']) ? intval($parameters['page_num']) : 1;++ // Check if there are more posts available+ $has_more_posts = $current_page < $posts->max_num_pages;++ // Prepare parameters for next page (for load more button) + $parameters['page_num'] = $current_page + 1; $dataAttributes = json_encode($parameters);- CubeWp_Enqueue::enqueue_script('cwp-load-more'); + CubeWp_Enqueue::enqueue_script('cwp-load-more'); - $load_btn .= '<div class="cubewp-load-more-conatiner">- <button class="cubewp-load-more-button" data-attributes="' . htmlspecialchars($dataAttributes, ENT_QUOTES, 'UTF-8') . '">- ' . esc_html__('Load More', 'cubewp-framework') . '- </button>- </div>';+ if ($has_more_posts) {+ $load_btn .= '<div class="cubewp-load-more-conatiner">+ <button class="cubewp-load-more-button" data-attributes="' . htmlspecialchars($dataAttributes, ENT_QUOTES, 'UTF-8') . '">+ ' . esc_html__('Load More', 'cubewp-framework') . '+ </button>+ </div>';+ } else {+ // No more posts, keep original parameters+ $next_page_params = $parameters;+ }+ } else {+ // Load more not enabled, keep original parameters+ $next_page_params = $parameters;+ }+ if ($loadbyclick) {+ $post_markup .= $container_close; }- $post_markup .= $container_close; if ($posts_row_class) { remove_all_filters('post_class'); // or remove using the closure reference if needed } } else { $post_markup = self::cwp_no_result_found(); }- wp_reset_query();+ wp_reset_postdata();++ $final_output = $post_markup . $load_btn; - if (wp_doing_ajax() && isset($_REQUEST['action']) && $_REQUEST['action'] === 'cubewp_posts_output' && !cubewp_is_elementor_editing()) {- wp_send_json_success(array('content' => $post_markup, 'newAttributes' => $parameters, 'has_more_posts' => $has_more_posts));+ // Cache the output if not AJAX and not Elementor editor and cache is enabled+ if (!$skip_cache && $cache_enabled) {+ $cache_key = self::get_cache_key($parameters);+ $cache_data = array(+ 'content' => $post_markup,+ 'load_btn' => $load_btn,+ 'has_more_posts' => $has_more_posts,+ 'newAttributes' => isset($next_page_params) ? $next_page_params : $parameters+ );+ // Get cache TTL from settings (in hours, convert to seconds)+ $cache_ttl_hours = self::get_cache_ttl_hours();+ self::set_cache($cache_key, $cache_data, $cache_ttl_hours * HOUR_IN_SECONDS);+ }++++ if (wp_doing_ajax() && !cubewp_is_elementor_editing()) {+ wp_send_json_success(array('content' => $final_output, 'newAttributes' => $parameters, 'has_more_posts' => $has_more_posts)); } else {- return $post_markup . $load_btn;+ return $final_output; } } @@ -389,7 +487,9 @@ } if (isset($parameters['load_via_ajax']) && $parameters['load_via_ajax'] === 'yes' && !wp_doing_ajax()) { $unique_id = uniqid('cubewp_posts_');- $output .= '<div id="' . esc_attr($unique_id) . '" class="cubewp-ajax-posts-container" data-parameters="' . wp_json_encode($parameters) . '">+ $params_with_nonce = $parameters;+ $params_with_nonce['nonce'] = wp_create_nonce('cubewp_posts_output');+ $output .= '<div id="' . esc_attr($unique_id) . '" class="cubewp-ajax-posts-container" data-parameters="' . wp_json_encode($params_with_nonce) . '"> <div class="cubewp-processing-card"> <div class="cubewp-processing-card-inner"> <div class="cubewp-processing-card-icon">@@ -421,36 +521,17 @@ return '<div class="cwp-empty-search"><img class="cwp-empty-search-img" src="' . esc_url(CWP_PLUGIN_URI . 'cube/assets/frontend/images/no-result.png') . '" alt=""><h2>' . esc_html__('No Results Found', 'cubewp-framework') . '</h2><p>' . esc_html__('There are no results matching your search.', 'cubewp-framework') . '</p></div>'; } - private static function cubewp_get_svg_content($icon)- {- // If icon is array with 'url', fetch the content- if (is_array($icon) && isset($icon['url'])) {- $response = wp_safe_remote_get($icon['url']);- if (!is_wp_error($response) && 200 === wp_remote_retrieve_response_code($response)) {- return wp_remote_retrieve_body($response);- }- return ''; // fallback if fetch fails- }-- // If icon is string, return it- if (is_string($icon)) {- return $icon;- }-- return ''; // fallback- }- public function cubewp_enqueue_slick_for_elementor() { $is_elementor_editor = false; // Method 1: Check URL parameters- if (isset($_GET['action']) && $_GET['action'] === 'elementor') {+ if (isset($_GET['action']) && $_GET['action'] === 'elementor') { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only check for Elementor editor state. $is_elementor_editor = true; } // Method 2: Check for elementor-preview parameter- if (isset($_GET['elementor-preview'])) {+ if (isset($_GET['elementor-preview'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only check for Elementor editor state. $is_elementor_editor = true; } @@ -470,4 +551,213 @@ CubeWp_Enqueue::enqueue_script('cubewp-slick'); } }+ /**+ * Check if posts cache is enabled from settings+ * + * @return bool True if cache is enabled+ */+ private static function is_cache_enabled()+ {+ global $cwpOptions;+ if (empty($cwpOptions)) {+ $cwpOptions = get_option('cwpOptions', array());+ }++ // Default to enabled if not set+ $enabled = isset($cwpOptions['cwp_posts_enable_cache']) ? !empty($cwpOptions['cwp_posts_enable_cache']) : true;++ /**+ * Filter whether posts caching should be enabled.+ *+ * @param bool $enabled+ */+ return (bool) apply_filters('cubewp/posts/cache_enabled', $enabled);+ }++ /**+ * Get cache TTL in hours from settings+ * + * @return int Cache TTL in hours (default: 12)+ */+ private static function get_cache_ttl_hours()+ {+ global $cwpOptions;+ if (empty($cwpOptions)) {+ $cwpOptions = get_option('cwpOptions', array());+ }++ // Default to 12 hours if not set+ $ttl_hours = isset($cwpOptions['cwp_posts_cache_ttl']) ? intval($cwpOptions['cwp_posts_cache_ttl']) : 12;++ // Ensure minimum of 1 hour+ if ($ttl_hours < 1) {+ $ttl_hours = 12;+ }++ /**+ * Filter the cache TTL for posts output.+ *+ * @param int $ttl_hours Cache TTL in hours+ */+ return (int) apply_filters('cubewp/posts/cache_ttl_hours', $ttl_hours);+ }++ /**+ * Generate cache key based on query parameters+ * + * @param array $parameters Query parameters+ * @return string Cache key+ */+ private static function get_cache_key($parameters)+ {+ // Create a unique key based on all relevant parameters+ $key_parts = array(+ 'cubewp_posts',+ isset($parameters['post_type']) ? $parameters['post_type'] : 'post',+ isset($parameters['orderby']) ? $parameters['orderby'] : 'date',+ isset($parameters['order']) ? $parameters['order'] : 'DESC',+ isset($parameters['posts_per_page']) ? $parameters['posts_per_page'] : (isset($parameters['number_of_posts']) ? $parameters['number_of_posts'] : 10),+ isset($parameters['page_num']) ? $parameters['page_num'] : 1,+ isset($parameters['post__in']) ? md5(serialize($parameters['post__in'])) : '',+ isset($parameters['taxonomy']) ? md5(serialize($parameters['taxonomy'])) : '',+ isset($parameters['meta_query']) ? md5(serialize($parameters['meta_query'])) : '',+ isset($parameters['layout']) ? $parameters['layout'] : 'grid',+ isset($parameters['card_style']) ? md5(serialize($parameters['card_style'])) : '',+ );++ // Include site URL to make cache unique per site+ $key_parts[] = get_site_url();++ // Convert all values to strings to avoid array to string conversion errors+ $key_parts = array_map(function ($value) {+ if (is_array($value) || is_object($value)) {+ return md5(serialize($value));+ }+ return (string) $value;+ }, $key_parts);++ return 'cubewp_posts_' . md5(implode('|', $key_parts));+ }++ /**+ * Get cached content based on cache type (automatically detects wp_using_ext_object_cache)+ * + * @param string $cache_key Cache key+ * @return mixed Cached content or false if not found+ */+ private static function get_cache($cache_key)+ {+ // Automatically detect if external object cache is available+ if (wp_using_ext_object_cache()) {+ // Use object cache+ // Check cache version for compatibility with older WordPress+ $cache_version_key = 'cubewp_posts_version';+ $cache_version = wp_cache_get($cache_version_key, 'cubewp_posts');+ if ($cache_version === false) {+ $cache_version = 1;+ wp_cache_set($cache_version_key, $cache_version, 'cubewp_posts', 0);+ }++ // Include version in cache key for invalidation support+ $versioned_cache_key = $cache_key . '_v' . $cache_version;++ return wp_cache_get($versioned_cache_key, 'cubewp_posts');+ } else {+ // Use SQL cache (transients) when object cache is not available+ return get_transient($cache_key);+ }+ }++ /**+ * Set cached content based on cache type (automatically detects wp_using_ext_object_cache)+ * + * @param string $cache_key Cache key+ * @param mixed $cache_data Data to cache+ * @param int $expiration Expiration time in seconds+ */+ private static function set_cache($cache_key, $cache_data, $expiration)+ {+ // Automatically detect if external object cache is available+ if (wp_using_ext_object_cache()) {+ // Use object cache+ // Get cache version for compatibility with older WordPress+ $cache_version_key = 'cubewp_posts_version';+ $cache_version = wp_cache_get($cache_version_key, 'cubewp_posts');+ if ($cache_version === false) {+ $cache_version = 1;+ wp_cache_set($cache_version_key, $cache_version, 'cubewp_posts', 0);+ }++ // Include version in cache key for invalidation support+ $versioned_cache_key = $cache_key . '_v' . $cache_version;+ wp_cache_set($versioned_cache_key, $cache_data, 'cubewp_posts', $expiration);+ } else {+ // Use SQL cache (transients) when object cache is not available+ set_transient($cache_key, $cache_data, $expiration);+ }+ }++ /**+ * Clear cache when post is updated/deleted+ * Automatically detects cache type using wp_using_ext_object_cache()+ * + * @param int $post_id Post ID+ */+ public function clear_posts_cache($post_id)+ {+ // Automatically detect if external object cache is available+ if (wp_using_ext_object_cache()) {+ // Clear object cache+ // WordPress 6.1+ supports wp_cache_flush_group, otherwise we need to track keys+ if (function_exists('wp_cache_flush_group')) {+ // Flush entire cache group (most efficient)+ wp_cache_flush_group('cubewp_posts');+ } else {+ // Fallback: Clear cache by pattern (requires tracking or clearing all)+ // For older WordPress versions, we'll use a cache versioning approach+ $cache_version_key = 'cubewp_posts_version';+ $current_version = wp_cache_get($cache_version_key, 'cubewp_posts');+ if ($current_version === false) {+ $current_version = 1;+ }+ // Increment version to invalidate all caches+ wp_cache_set($cache_version_key, $current_version + 1, 'cubewp_posts', 0);+ }+ } else {+ // Clear SQL cache (transients) when object cache is not available+ global $wpdb;++ // Get all transients with our cache prefix+ $cache_keys = $wpdb->get_col( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.PreparedSQL.NotPrepared -- Controlled internal query to enumerate plugin-specific transient keys for cleanup when object cache is unavailable.+ "SELECT option_name + FROM {$wpdb->options} + WHERE option_name LIKE '_transient_cubewp_posts_%' + OR option_name LIKE '_transient_timeout_cubewp_posts_%'"+ );++ foreach ($cache_keys as $cache_key) {+ // Remove _transient_ or _transient_timeout_ prefix+ $transient_name = str_replace(array('_transient_', '_transient_timeout_'), '', $cache_key);+ delete_transient($transient_name);+ }+ }+ }++ /**+ * Clear cache when Elementor template is updated+ * + * @param object $document Elementor document+ * @param array $data Document data+ */+ public function clear_elementor_cache($document, $data = array())+ {+ // Check if it's a post card template+ $post_id = $document->get_main_id();+ $template_type = get_post_meta($post_id, 'template_type', true);++ if ($template_type === 'postcard') {+ // Clear all post caches when post card template is updated+ $this->clear_posts_cache($post_id);+ }+ } }
I'll analyze this code diff for security vulnerabilities.
Vulnerability 1:
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-shortcode-posts.php - Lines 82, 318
[Old Code]
$output .= '<div id="' . esc_attr($unique_id) . '" class="cubewp-ajax-posts-container" data-parameters="' . htmlspecialchars(json_encode($parameters), ENT_QUOTES, 'UTF-8') . '">'
[Fixed Code]
$params_with_nonce = $parameters;
$params_with_nonce['nonce'] = wp_create_nonce('cubewp_posts_output');
$output .= '<div id="' . esc_attr($unique_id) . '" class="cubewp-ajax-posts-container" data-parameters="' . htmlspecialchars(json_encode($params_with_nonce), ENT_QUOTES, 'UTF-8') . '">'
Explanation:
The original code passed unsanitized user parameters directly into JSON encoding. While `htmlspecialchars()` provides some protection, the parameters could contain malicious data. The fix adds CSRF protection via `wp_create_nonce()`, though the primary XSS mitigation comes from proper escaping with `htmlspecialchars()` and `ENT_QUOTES`. The fix is incomplete from an XSS perspective—`wp_json_encode()` with proper context-specific escaping would be more appropriate than `htmlspecialchars()` with JSON.
Vulnerability 2:
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-shortcode-posts.php - Lines 305-313
[Old Code]
$prev_icon = self::cubewp_get_svg_content($prev_icon);
$next_icon = self::cubewp_get_svg_content($next_icon);
$is_prev_svg = strpos(trim($prev_icon), '<svg') === 0;
$is_next_svg = strpos(trim($next_icon), '<svg') === 0;
if ($is_prev_svg) {
$container_open .= " data-prev-arrow-svg='" . $prev_icon . "'";
}
[Fixed Code]
if (is_array($prev_icon)) {
$prev_icon = isset($prev_icon['value']) ? $prev_icon['value'] : (isset($prev_icon['url']) ? $prev_icon['url'] : '');
}
if (is_array($next_icon)) {
$next_icon = isset($next_icon['value']) ? $next_icon['value'] : (isset($next_icon['url']) ? $next_icon['url'] : '');
}
$prev_icon = is_string($prev_icon) ? $prev_icon : '';
$next_icon = is_string($next_icon) ? $next_icon : '';
$is_prev_svg = (is_string($prev_icon) && strpos(trim($prev_icon), '<svg') === 0);
$is_next_svg = (is_string($next_icon) && strpos(trim($next_icon), '<svg') === 0);
if ($is_prev_svg) {
$container_open .= " data-prev-arrow-svg='" . esc_attr($prev_icon) . "'";
}
[Fixed Code Line 318]
$container_open .= " data-next-arrow-svg='" . esc_attr($next_icon) . "'";
Explanation:
The old code directly embedded SVG content into HTML attributes without escaping: `$prev_icon . "'"`. This allowed arbitrary HTML/SVG injection. The fix adds `esc_attr()` escaping on lines 310 and 318, properly sanitizing the SVG data for safe attribute inclusion. The type checking ensures variables are strings before processing, preventing type confusion vulnerabilities.
Vulnerability 3:
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Special Elements used in an SQL Statement ('SQL Injection') - CWE-89 - class-cubewp-shortcode-posts.php - Lines 142-144
[Old Code]
if (wp_doing_ajax() && isset($_REQUEST['action']) && $_REQUEST['action'] === 'cubewp_posts_output' && !cubewp_is_elementor_editing()) {
$parameters = $_POST;
}
[Fixed Code]
if (wp_doing_ajax() && !cubewp_is_elementor_editing()) {
check_ajax_referer('cubewp_posts_output', 'nonce');
$parameters = isset($_POST) ? wp_unslash($_POST) : array();
}
Explanation:
The old code accepted `$_POST` directly without CSRF validation or unslashing. While not direct SQL injection, unsanitized `$_POST` values passed to WP_Query could become injection vectors through `meta_query` parameters. The fix adds `check_ajax_referer()` for CSRF protection and `wp_unslash()` for proper data handling, reducing attack surface.
Vulnerability 4:
Vulnerability Existed: yes
FALSE POSITIVE
Improper Restriction of XML External Entity Reference - CWE-611 - class-cubewp-shortcode-posts.php - Lines 522-535
[Old Code]
private static function cubewp_get_svg_content($icon)
{
if (is_array($icon) && isset($icon['url'])) {
$response = wp_safe_remote_get($icon['url']);
if (!is_wp_error($response) && 200 === wp_remote_retrieve_response_code($response)) {
return wp_remote_retrieve_body($response);
}
return '';
}
if (is_string($icon)) {
return $icon;
}
return '';
}
[Fixed Code]
[Function removed - no longer used]
Explanation:
The removed function fetched SVG content from URLs without validation, creating XXE vulnerability potential if the fetched SVG contained XML entities. It also allowed SSRF attacks by accepting arbitrary URLs. The fix removes this dangerous function entirely, replacing inline icon handling with type-checked, escaped attributes instead.
Vulnerability 5:
Vulnerability Existed: yes
FALSE POSITIVE
Improper Access Control / Missing Authorization - CWE-862 - class-cubewp-shortcode-posts.php - Line 545
[Old Code]
if (isset($_GET['action']) && $_GET['action'] === 'elementor') {
$is_elementor_editor = true;
}
if (isset($_GET['elementor-preview'])) {
$is_elementor_editor = true;
}
[Fixed Code]
if (isset($_GET['action']) && $_GET['action'] === 'elementor') { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only check for Elementor editor state.
$is_elementor_editor = true;
}
if (isset($_GET['elementor-preview'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only check for Elementor editor state.
$is_elementor_editor = true;
}
Explanation:
The old code checked `$_GET` parameters for detecting Elementor editor mode. While the fix adds phpcs ignore comments, this is not a complete security fix—these are read-only checks that determine UI behavior, not security decisions. The comments correctly document this is intentional, but the actual vulnerability (trusting unvalidated GET parameters for feature detection) remains. A proper fix would verify nonces or user capabilities.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/shortcodes/class-cubewp-shortcode-search.php 2026-01-18 00:20:47.485236536 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/shortcodes/class-cubewp-shortcode-search.php 2026-01-18 00:20:56.205778347 +0000@@ -22,8 +22,6 @@ public function __construct() { add_filter('cubewp_search_shortcode_output', array($this, 'cubewp_search'), 10, 2); - add_filter('cubewp/frontend/search/button/field', array($this, 'cubewp_search_button'), 11, 2); - add_filter('cubewp/frontend/search/form', array($this, 'cubewp_search_form_container'), 11, 3); } @@ -36,6 +34,8 @@ public function cubewp_search($output, $atts) { + add_filter('cubewp/frontend/search/button/field', array($this, 'cubewp_search_button'), 11, 2); + add_filter('cubewp/frontend/search/form', array($this, 'cubewp_search_form_container'), 11, 3); $get_post_type = isset($atts['post_type']) ? $atts['post_type'] : 'post'; $submit_button_icon = isset($atts['submit_button_icon']) ? $atts['submit_button_icon'] : ''; @@ -79,7 +79,7 @@ $active = $index === 0 ? 'active' : ''; $aria_selected = $index === 0 ? 'true' : 'false'; echo '<li class="nav-item" role="presentation">'; - echo '<button class="tabber-btn nav-link ' . $active . '" id="tab-' . esc_attr($post_type) . '" data-bs-toggle="tab" data-bs-target="#tab-content-' . esc_attr($post_type) . '" type="button" role="tab" aria-controls="tab-content-' . esc_attr($post_type) . '" aria-selected="' . $aria_selected . '">' . $tab_icon_html . ' ' . esc_html($title) . '</button>'; + echo '<button class="tabber-btn nav-link ' . esc_attr($active) . '" id="tab-' . esc_attr($post_type) . '" data-bs-toggle="tab" data-bs-target="#tab-content-' . esc_attr($post_type) . '" type="button" role="tab" aria-controls="tab-content-' . esc_attr($post_type) . '" aria-selected="' . esc_attr($aria_selected) . '">' . /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ $tab_icon_html . ' ' . esc_html($title) . '</button>'; echo '</li>'; } echo '</ul>'; @@ -88,7 +88,7 @@ echo '<div class="tab-content" id="cubewp_searchTabContent">'; foreach ($post_types as $index => $post_type) { $active = $index === 0 ? 'show active' : ''; - echo '<div class="tab-pane fade ' . $active . '" id="tab-content-' . esc_attr($post_type) . '" role="tabpanel" aria-labelledby="tab-' . esc_attr($post_type) . '">'; + echo '<div class="tab-pane fade ' . esc_attr($active) . '" id="tab-content-' . esc_attr($post_type) . '" role="tabpanel" aria-labelledby="tab-' . esc_attr($post_type) . '">'; echo do_shortcode('[cwpSearch type="' . esc_attr($post_type) . '"]'); echo '</div>'; } @@ -125,14 +125,15 @@ $form_id = isset($cwp_search_fields[$type]['form']['form_id']) ? $cwp_search_fields[$type]['form']['form_id'] : 'cwp-search-' . $type; - $html = '<div class="cwp-frontend-search-form ' . esc_attr($form_container_class) . '"> + $html = '<div class="cwp-frontend-form-container"> + <div class="cwp-frontend-search-form ' . esc_attr($form_container_class) . '"> <form method="GET" id="' . esc_attr($form_id) . '" class="' . esc_attr($form_class) . '" action="' . esc_url(home_url('/')) . '" class="cwp-search-form"> <input type="hidden" name="post_type" value="' . esc_attr($type) . '">'; $html .= $this->cubewp_frontend_search_form_fields($search_fields , $params); $html .= '</form> - </div>'; + </div></div>'; return $html;
I'll analyze this code diff for security vulnerabilities following the specified format. --- **Vulnerability 1:** Vulnerability Existed: yes FALSE POSITIVE **Cross-Site Scripting (XSS) - CWE-79** - cube/classes/shortcodes/class-cubewp-shortcode-search.php - Lines 82, 91 **Old Code:** ```php echo '<button class="tabber-btn nav-link ' . $active . '" id="tab-' . esc_attr($post_type) . '" data-bs-toggle="tab" data-bs-target="#tab-content-' . esc_attr($post_type) . '" type="button" role="tab" aria-controls="tab-content-' . esc_attr($post_type) . '" aria-selected="' . $aria_selected . '">' . $tab_icon_html . ' ' . esc_html($title) . '</button>'; echo '<div class="tab-pane fade ' . $active . '" id="tab-content-' . esc_attr($post_type) . '" role="tabpanel" aria-labelledby="tab-' . esc_attr($post_type) . '">'; ``` **Fixed Code:** ```php echo '<button class="tabber-btn nav-link ' . esc_attr($active) . '" id="tab-' . esc_attr($post_type) . '" data-bs-toggle="tab" data-bs-target="#tab-content-' . esc_attr($post_type) . '" type="button" role="tab" aria-controls="tab-content-' . esc_attr($post_type) . '" aria-selected="' . esc_attr($aria_selected) . '">' . /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ $tab_icon_html . ' ' . esc_html($title) . '</button>'; echo '<div class="tab-pane fade ' . esc_attr($active) . '" id="tab-content-' . esc_attr($post_type) . '" role="tabpanel" aria-labelledby="tab-' . esc_attr($post_type) . '">'; ``` **Explanation:** The variables `$active` and `$aria_selected` were previously output without proper escaping. Both variables are constructed from conditional expressions (`$index === 0 ? 'active' : ''` and `$index === 0 ? 'true' : 'false'`) and used directly in HTML attributes. Although these specific values appear to be static strings in this context, applying `esc_attr()` to all dynamic data in attributes is a security best practice to prevent potential XSS vulnerabilities. The fix properly escapes both variables before output. --- **Vulnerability 2:** Vulnerability Existed: not sure **Improper Output Escaping - CWE-79** - cube/classes/shortcodes/class-cubewp-shortcode-search.php - Line 82 **Old Code:** ```php echo '<button ...>' . $tab_icon_html . ' ' . esc_html($title) . '</button>'; ``` **Fixed Code:** ```php echo '<button ...>' . /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ $tab_icon_html . ' ' . esc_html($title) . '</button>'; ``` **Explanation:** The `$tab_icon_html` variable is output without escaping, but a phpcs ignore comment is added rather than actually escaping the output. This suggests the developer intentionally allows unescaped HTML (likely SVG or icon markup). Without seeing where `$tab_icon_html` is defined and validated, it's uncertain whether this is a genuine vulnerability or intentional HTML output. If `$tab_icon_html` comes from user input or untrusted sources, this could be an XSS vulnerability. The phpcs comment suppresses the warning but doesn't actually fix a potential vulnerability.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php 2026-01-18 00:20:47.485236536 +0000+++ cache/cubewp-framework_1.1.28/cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php 2026-01-18 00:20:56.205778347 +0000@@ -18,180 +18,502 @@ { if (empty($parameters) || count($parameters) == 0) return;+ $output_style = isset($parameters['output_style']) ? $parameters['output_style'] : 'boxed_view';+ if (strpos($output_style, '_vp_elmentor_term_') !== 0) {+ wp_enqueue_style('cwp-taxonomy-shortcode');+ $taxonomy = isset($parameters['taxonomy']) ? $parameters['taxonomy'] : '';+ if (empty($taxonomy))+ return; - wp_enqueue_style('cwp-taxonomy-shortcode');- $taxonomy = isset($parameters['taxonomy']) ? $parameters['taxonomy'] : '';- if (empty($taxonomy))- return;+ $terms_per_page = $parameters['terms_per_page'];+ $_child_terms = $parameters['child_terms'];+ $_hide_empty = $parameters['hide_empty'];+ $icon_media_name = isset($parameters['icon_media_name']) ? $parameters['icon_media_name'] : '';+ $terms_box_color = isset($parameters['terms_box_color']) ? $parameters['terms_box_color'] : array();+ $child_terms = false;+ $hide_empty = false;+ if ($_child_terms == 'yes') {+ $child_terms = true;+ }+ if ($_hide_empty == 'yes') {+ $hide_empty = true;+ }+ $args = array(+ 'taxonomy' => $taxonomy,+ 'hide_empty' => $hide_empty,+ 'parent' => 0,+ 'number' => $terms_per_page,+ );+ $terms = get_terms($args); - $terms_per_page = $parameters['terms_per_page'];- $output_style = $parameters['output_style'];- $_child_terms = $parameters['child_terms'];- $_hide_empty = $parameters['hide_empty'];- $icon_media_name = $parameters['icon_media_name'];- $column_per_row = $parameters['column_per_row'];- $terms_box_color = $parameters['terms_box_color'];- $child_terms = false;- $hide_empty = false;- $col_class = '';- if ($_child_terms == 'yes') {- $child_terms = true;- }- if ($_hide_empty == 'yes') {- $hide_empty = true;- }- if ($column_per_row == '0') {- $col_class = 'cwp-col-12 cwp-col-md-auto';- }- if ($column_per_row == '1') {- $col_class = 'cwp-col-12';- }- if ($column_per_row == '2') {- $col_class = 'cwp-col-12 cwp-col-md-6';- }- if ($column_per_row == '3') {- $col_class = 'cwp-col-12 cwp-col-md-6 cwp-col-lg-4';- }- if ($column_per_row == '4') {- $col_class = 'cwp-col-12 cwp-col-md-6 cwp-col-lg-3';- }- if ($column_per_row == '6') {- $col_class = 'cwp-col-12 cwp-col-md-6 cwp-col-lg-2';- }- $args = array(- 'taxonomy' => $taxonomy,- 'hide_empty' => $hide_empty,- 'parent' => 0,- 'number' => $terms_per_page,- );- $terms = get_terms($args);- ob_start();- if (! empty($terms) && is_array($terms)) {- $counter = 0;+ // Slider functionality+ $cwp_enable_slider = isset($parameters['cwp_enable_slider']) ? $parameters['cwp_enable_slider'] : '';+ if ($cwp_enable_slider == 'yes') {+ CubeWp_Enqueue::enqueue_style('cubewp-slick');+ CubeWp_Enqueue::enqueue_script('cubewp-slick');+ }++ $slider_class = '';+ $container_attrs = '';+ if ($cwp_enable_slider == 'yes' && !empty($terms) && is_array($terms)) {+ $prev_icon = isset($parameters['prev_icon']) ? $parameters['prev_icon'] : 'fas fa-chevron-left';+ $next_icon = isset($parameters['next_icon']) ? $parameters['next_icon'] : 'fas fa-chevron-right';+ $slides_to_show = isset($parameters['slides_to_show']) ? intval($parameters['slides_to_show']) : 3;+ $slides_to_scroll = isset($parameters['slides_to_scroll']) ? intval($parameters['slides_to_scroll']) : 1;+ $slides_to_show_tablet = isset($parameters['slides_to_show_tablet']) ? intval($parameters['slides_to_show_tablet']) : 3;+ $slides_to_show_tablet_portrait = isset($parameters['slides_to_show_tablet_portrait']) ? intval($parameters['slides_to_show_tablet_portrait']) : 2;+ $slides_to_show_mobile = isset($parameters['slides_to_show_mobile']) ? intval($parameters['slides_to_show_mobile']) : 1;+ $slides_to_scroll_tablet = isset($parameters['slides_to_scroll_tablet']) ? intval($parameters['slides_to_scroll_tablet']) : 1;+ $slides_to_scroll_tablet_portrait = isset($parameters['slides_to_scroll_tablet_portrait']) ? intval($parameters['slides_to_scroll_tablet_portrait']) : 1;+ $slides_to_scroll_mobile = isset($parameters['slides_to_scroll_mobile']) ? intval($parameters['slides_to_scroll_mobile']) : 1;+ $autoplay = (isset($parameters['autoplay']) && $parameters['autoplay'] === 'yes') ? 'true' : 'false';+ $autoplay_speed = isset($parameters['autoplay_speed']) ? intval($parameters['autoplay_speed']) : 2000;+ $speed = isset($parameters['speed']) ? intval($parameters['speed']) : 500;+ $infinite = (isset($parameters['infinite']) && $parameters['infinite'] === 'yes') ? 'true' : 'false';+ $fade_effect = (isset($parameters['fade_effect']) && $parameters['fade_effect'] === 'yes') ? 'true' : 'false';+ $variable_width = (isset($parameters['variable_width']) && $parameters['variable_width'] === 'yes') ? 'true' : 'false';+ $custom_arrows = (isset($parameters['custom_arrows']) && $parameters['custom_arrows'] === 'yes') ? 'true' : 'false';+ $enable_progress_bar = (isset($parameters['enable_progress_bar']) && $parameters['enable_progress_bar'] === 'yes') ? 'true' : 'false';+ $custom_dots = (isset($parameters['custom_dots']) && $parameters['custom_dots'] === 'yes') ? 'true' : 'false';+ $enable_wrap_dots_arrows = (isset($parameters['enable_wrap_dots_arrows']) && $parameters['enable_wrap_dots_arrows'] === 'yes') ? 'true' : 'false';++ // Check if slider should be disabled based on term count+ if (wp_is_mobile() && count($terms) <= $slides_to_show_mobile) {+ $cwp_enable_slider = 'no';+ } elseif (!wp_is_mobile() && count($terms) <= $slides_to_show) {+ $cwp_enable_slider = 'no';+ }++ if ($cwp_enable_slider === 'yes') {+ $slider_class = 'cubewp-term-slider';+ $prev_icon = cubewp_get_svg_content($prev_icon);+ $next_icon = cubewp_get_svg_content($next_icon);++ // Ensure icons are strings (handle any edge cases)+ if (is_array($prev_icon)) {+ $prev_icon = isset($prev_icon['value']) ? $prev_icon['value'] : (isset($prev_icon['url']) ? $prev_icon['url'] : '');+ }+ if (is_array($next_icon)) {+ $next_icon = isset($next_icon['value']) ? $next_icon['value'] : (isset($next_icon['url']) ? $next_icon['url'] : '');+ }+ $prev_icon = is_string($prev_icon) ? $prev_icon : '';+ $next_icon = is_string($next_icon) ? $next_icon : '';++ $is_prev_svg = (is_string($prev_icon) && strpos(trim($prev_icon), '<svg') === 0);+ $is_next_svg = (is_string($next_icon) && strpos(trim($next_icon), '<svg') === 0);++ $container_attrs = '';+ if ($is_prev_svg) {+ $container_attrs .= " data-prev-arrow-svg='" . esc_attr($prev_icon) . "'";+ $container_attrs .= ' data-is-prev-svg="true"';+ } else {+ $container_attrs .= ' data-prev-arrow="' . esc_attr($prev_icon) . '"';+ $container_attrs .= ' data-is-prev-svg="false"';+ }++ if ($is_next_svg) {+ $container_attrs .= " data-next-arrow-svg='" . esc_attr($next_icon) . "'";+ $container_attrs .= ' data-is-next-svg="true"';+ } else {+ $container_attrs .= ' data-next-arrow="' . esc_attr($next_icon) . '"';+ $container_attrs .= ' data-is-next-svg="false"';+ }++ $container_attrs .= ' data-slides-to-show="' . esc_attr($slides_to_show) . '"';+ $container_attrs .= ' data-slides-to-scroll="' . esc_attr($slides_to_scroll) . '"';+ $container_attrs .= ' data-slides-to-show-tablet="' . esc_attr($slides_to_show_tablet) . '"';+ $container_attrs .= ' data-slides-show-tablet-portrait="' . esc_attr($slides_to_show_tablet_portrait) . '"';+ $container_attrs .= ' data-slides-to-show-mobile="' . esc_attr($slides_to_show_mobile) . '"';+ $container_attrs .= ' data-slides-to-scroll-tablet="' . esc_attr($slides_to_scroll_tablet) . '"';+ $container_attrs .= ' data-slides-scroll-tablet-portrait="' . esc_attr($slides_to_scroll_tablet_portrait) . '"';+ $container_attrs .= ' data-slides-to-scroll-mobile="' . esc_attr($slides_to_scroll_mobile) . '"';+ $container_attrs .= ' data-autoplay="' . esc_attr($autoplay) . '"';+ $container_attrs .= ' data-autoplay-speed="' . esc_attr($autoplay_speed) . '"';+ $container_attrs .= ' data-speed="' . esc_attr($speed) . '"';+ $container_attrs .= ' data-infinite="' . esc_attr($infinite) . '"';+ $container_attrs .= ' data-fade="' . esc_attr($fade_effect) . '"';+ $container_attrs .= ' data-variable-width="' . esc_attr($variable_width) . '"';+ $container_attrs .= ' data-custom-arrows="' . esc_attr($custom_arrows) . '"';+ $container_attrs .= ' data-custom-dots="' . esc_attr($custom_dots) . '"';+ $container_attrs .= ' data-enable-progress-bar="' . esc_attr($enable_progress_bar) . '"';+ $container_attrs .= ' data-enable-wrapper="' . esc_attr($enable_wrap_dots_arrows) . '"';+ }+ }++ ob_start();+ if (! empty($terms) && is_array($terms)) {+ $counter = 0; ?>- <div class="cwp-row">- <?php foreach ($terms as $term) {- $term_id = $term->term_id;- $term_name = $term->name;- if ($output_style == 'boxed_view') {- $color_count = count($terms_box_color);- $icon_media = get_term_meta($term_id, $icon_media_name, true);- $color = isset($terms_box_color[$counter]['term_box_color'])- ? sanitize_hex_color($terms_box_color[$counter]['term_box_color'])- : '#000000';- $counter++;- if ($counter >= $color_count) {- $counter = 0;- }- ?>- <div class="<?php echo esc_attr($col_class); ?>">- <div class="cwp-taxonomy-term-box">- <div class="cwp-taxonomy-term-box-heading"- style="background-color: <?php echo esc_html($color); ?>">- <?php- if (! is_array($icon_media)) {- if ($icon_media != strip_tags($icon_media)) {- echo cubewp_core_data($icon_media);- } else if (is_numeric($icon_media)) {- $icon_media = wp_get_attachment_url($icon_media);- echo '<img src="' . esc_url($icon_media) . '" alt="' . esc_attr($term_name) . '">+ <div class="cwp-taxonomy-terms <?php echo esc_attr($slider_class); ?>"<?php echo $container_attrs; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>>+ <?php foreach ($terms as $term) {+ $term_id = $term->term_id;+ $term_name = $term->name;+ if ($output_style == 'boxed_view') {+ $color_count = !empty($terms_box_color) && is_array($terms_box_color) ? count($terms_box_color) : 0;+ $icon_media = !empty($icon_media_name) ? get_term_meta($term_id, $icon_media_name, true) : '';+ $color = (!empty($terms_box_color) && is_array($terms_box_color) && isset($terms_box_color[$counter]['term_box_color']))+ ? sanitize_hex_color($terms_box_color[$counter]['term_box_color'])+ : '#000000';+ $counter++;+ if ($color_count > 0 && $counter >= $color_count) {+ $counter = 0;+ }+ ?>+ <div class="cwp-taxonomy-term">+ <div class="cwp-taxonomy-term-box">+ <div class="cwp-taxonomy-term-box-heading"+ style="background-color: <?php echo esc_html($color); ?>">+ <?php+ if (! is_array($icon_media)) {+ if ($icon_media != wp_strip_all_tags($icon_media)) {+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo cubewp_core_data($icon_media);+ } else if (is_numeric($icon_media)) {+ $icon_media = wp_get_attachment_url($icon_media);+ echo '<img src="' . esc_url($icon_media) . '" alt="' . esc_attr($term_name) . '"> <div class="cwp-taxonomy-term-box-heading-overlay" style="background-color: ' . esc_attr($color) . ';"></div>';- } else {- echo '<i class="' . esc_attr($icon_media) . '" aria-hidden="true"></i>';+ } else {+ echo '<i class="' . esc_attr($icon_media) . '" aria-hidden="true"></i>';+ }+ }+ ?>+ <a href="<?php echo esc_url(get_term_link($term_id)); ?>"><?php echo esc_html($term_name); ?></a>+ </div>+ <?php+ if ($child_terms) {+ $term_child_args = array(+ 'taxonomy' => $taxonomy,+ 'hide_empty' => $hide_empty,+ 'parent' => $term_id,+ );+ $term_childs = get_terms($term_child_args);+ if (! empty($term_childs) && is_array($term_childs)) {+ ?>+ <ul class="cwp-taxonomy-term-child-terms">+ <?php+ $child_terms_count = count($term_childs);+ $term_counter = 1;+ foreach ($term_childs as $term_child) {+ $child_term_id = $term_child->term_id;+ $child_term_name = $term_child->name;+ if ($child_terms_count > 5 && 5 == $term_counter) {+ ?>+ <li>+ <a href="#"+ class="cwp-taxonomy-term-child-terms-see-more"+ data-more="<?php esc_html_e("View More", "cubewp-framework"); ?>"+ data-less="<?php esc_html_e("View Less", "cubewp-framework"); ?>"><?php esc_html_e("View More", "cubewp-framework"); ?></a>+ </li>+ <ul class="cwp-taxonomy-term-child-terms-more">+ <?php+ }+ ?>+ <li>+ <a href="<?php echo esc_url(get_term_link($child_term_id)); ?>"><?php echo esc_html($child_term_name); ?></a>+ </li>+ <?php+ if ($child_terms_count > 5 && $child_terms_count == $term_counter) {+ ?>+ </ul>+ <?php+ }+ $term_counter++;+ }+ ?>+ </ul>+ <?php } } ?>- <a href="<?php echo esc_url( get_term_link( $term_id ) ); ?>"><?php echo esc_html( $term_name ); ?></a> </div>- <?php- if ($child_terms) {- $term_child_args = array(- 'taxonomy' => $taxonomy,- 'hide_empty' => $hide_empty,- 'parent' => $term_id,- );- $term_childs = get_terms($term_child_args);- if (! empty($term_childs) && is_array($term_childs)) {- ?>- <ul class="cwp-taxonomy-term-child-terms">- <?php- $child_terms_count = count($term_childs);- $term_counter = 1;- foreach ($term_childs as $term_child) {- $child_term_id = $term_child->term_id;- $child_term_name = $term_child->name;- if ($child_terms_count > 5 && 5 == $term_counter) {- ?>+ </div>+ <?php+ } else if ($output_style == 'list_view') {+ ?>+ <div class="cwp-taxonomy-term">+ <div class="cwp-taxonomy-term-list">+ <a href="<?php echo esc_url(get_term_link($term_id)); ?>"><?php echo esc_html($term_name); ?></a>+ <?php+ if ($child_terms) {+ $term_child_args = array(+ 'taxonomy' => $taxonomy,+ 'hide_empty' => $hide_empty,+ 'parent' => $term_id,+ );+ $term_childs = get_terms($term_child_args);+ if (! empty($term_childs) && is_array($term_childs)) {+ ?>+ <ul><?php+ foreach ($term_childs as $term_child) {+ $child_term_id = $term_child->term_id;+ $child_term_name = $term_child->name;+ ?> <li>- <a href="#"- class="cwp-taxonomy-term-child-terms-see-more"- data-more="<?php esc_html_e("View More", "cubewp-framework"); ?>"- data-less="<?php esc_html_e("View Less", "cubewp-framework"); ?>"><?php esc_html_e("View More", "cubewp-framework"); ?></a>+ <a href="<?php echo esc_url(get_term_link($child_term_id)); ?>"><?php echo esc_html($child_term_name); ?></a> </li>- <ul class="cwp-taxonomy-term-child-terms-more">- <?php+ <?php }- ?>- <li>- <a href="<?php echo get_term_link($child_term_id) ?>"><?php echo esc_html($child_term_name); ?></a>- </li>- <?php- if ($child_terms_count > 5 && $child_terms_count == $term_counter) {- ?>- </ul>- <?php- }- $term_counter++;+ ?>+ </ul><?php }- ?>- </ul>- <?php- }- }- ?>- </div>- </div>- <?php- } else if ($output_style == 'list_view') {- ?>- <div class="<?php esc_attr_e($col_class); ?>">- <div class="cwp-taxonomy-term-list">- <a href="<?php echo get_term_link($term_id) ?>"><?php echo esc_html($term_name); ?></a>- <?php- if ($child_terms) {- $term_child_args = array(- 'taxonomy' => $taxonomy,- 'hide_empty' => $hide_empty,- 'parent' => $term_id,- );- $term_childs = get_terms($term_child_args);- if (! empty($term_childs) && is_array($term_childs)) {- ?>- <ul><?php- foreach ($term_childs as $term_child) {- $child_term_id = $term_child->term_id;- $child_term_name = $term_child->name;- ?>- <li>- <a href="<?php echo get_term_link($child_term_id) ?>"><?php echo esc_html($child_term_name); ?></a>- </li>- <?php- }- ?>- </ul><?php }- }- ?>+ ?>+ </div> </div>- </div>- <?php- }- } ?>- </div>+ <?php+ }+ } ?>+ </div> <?php+ }++ return ob_get_clean();+ } else {+ return self::cubewp_taxonomy_get_term_card_output($parameters, $output);+ }+ }++ public static function cubewp_taxonomy_get_term_card_output($parameters, $output)+ {+ $output_style = isset($parameters['output_style']) ? $parameters['output_style'] : '';+ $template_id = 0;+ $elementor_key = str_replace('_vp_elmentor_term_', '', $output_style);+ if (ctype_digit((string) $elementor_key)) {+ $template_id = (int) $elementor_key;+ } else {+ // Otherwise treat as slug and resolve to ID+ $maybe_post = get_page_by_path($elementor_key, OBJECT, 'cubewp-tb');+ if ($maybe_post && ! is_wp_error($maybe_post)) {+ $template_id = (int) $maybe_post->ID;+ } else {+ // Fallback resolution by name query+ $by_name = get_posts(array(+ 'post_type' => 'cubewp-tb',+ 'name' => $elementor_key,+ 'posts_per_page' => 1,+ 'fields' => 'ids',+ ));+ if (! empty($by_name)) {+ $template_id = (int) $by_name[0];+ }+ }+ }+ if ($template_id <= 0) {+ return $output;+ }++ $taxonomy = isset($parameters['taxonomy']) ? $parameters['taxonomy'] : '';+ if (empty($taxonomy)) {+ return $output;+ }++ // Read and normalise parameters+ $terms_per_page = isset($parameters['terms_per_page']) ? $parameters['terms_per_page'] : '0';+ $child_terms = (isset($parameters['child_terms']) && $parameters['child_terms'] === 'yes');+ $hide_empty = (isset($parameters['hide_empty']) && $parameters['hide_empty'] === 'yes');++ $cwp_enable_slider = isset($parameters['cwp_enable_slider']) ? $parameters['cwp_enable_slider'] : '';+ if ($cwp_enable_slider) {+ CubeWp_Enqueue::enqueue_style('cubewp-slick');+ CubeWp_Enqueue::enqueue_script('cubewp-slick');+ }+ if ($cwp_enable_slider == 'yes') {+ $prev_icon = isset($parameters['prev_icon']) ? $parameters['prev_icon'] : 'fas fa-chevron-left';+ $next_icon = isset($parameters['next_icon']) ? $parameters['next_icon'] : 'fas fa-chevron-right';+ $slides_to_show = isset($parameters['slides_to_show']) ? intval($parameters['slides_to_show']) : 3;+ $slides_to_scroll = isset($parameters['slides_to_scroll']) ? intval($parameters['slides_to_scroll']) : 1;+ $slides_to_show_tablet = isset($parameters['slides_to_show_tablet']) ? intval($parameters['slides_to_show_tablet']) : 3;+ $slides_to_show_tablet_portrait = isset($parameters['slides_to_show_tablet_portrait']) ? intval($parameters['slides_to_show_tablet_portrait']) : 2;+ $slides_to_show_mobile = isset($parameters['slides_to_show_mobile']) ? intval($parameters['slides_to_show_mobile']) : 1;+ $slides_to_scroll_tablet = isset($parameters['slides_to_scroll_tablet']) ? intval($parameters['slides_to_scroll_tablet']) : 1;+ $slides_to_scroll_tablet_portrait = isset($parameters['slides_to_scroll_tablet_portrait']) ? intval($parameters['slides_to_scroll_tablet_portrait']) : 1;+ $slides_to_scroll_mobile = isset($parameters['slides_to_scroll_mobile']) ? intval($parameters['slides_to_scroll_mobile']) : 1;+ $autoplay = (isset($parameters['autoplay']) && $parameters['autoplay'] === 'yes') ? 'true' : 'false';+ $autoplay_speed = isset($parameters['autoplay_speed']) ? intval($parameters['autoplay_speed']) : 2000;+ $speed = isset($parameters['speed']) ? intval($parameters['speed']) : 500;+ $infinite = (isset($parameters['infinite']) && $parameters['infinite'] === 'yes') ? 'true' : 'false';+ $fade_effect = (isset($parameters['fade_effect']) && $parameters['fade_effect'] === 'yes') ? 'true' : 'false';+ $variable_width = (isset($parameters['variable_width']) && $parameters['variable_width'] === 'yes') ? 'true' : 'false';+ $custom_arrows = (isset($parameters['custom_arrows']) && $parameters['custom_arrows'] === 'yes') ? 'true' : 'false';+ $enable_progress_bar = (isset($parameters['enable_progress_bar']) && $parameters['enable_progress_bar'] === 'yes') ? 'true' : 'false';+ $custom_dots = (isset($parameters['custom_dots']) && $parameters['custom_dots'] === 'yes') ? 'true' : 'false';+ $enable_wrap_dots_arrows = (isset($parameters['enable_wrap_dots_arrows']) && $parameters['enable_wrap_dots_arrows'] === 'yes') ? 'true' : 'false'; } - return ob_get_clean();+ // Build term query args+ $args = [+ 'taxonomy' => $taxonomy,+ 'hide_empty' => $hide_empty,+ ];++ // Only force parent=0 when NOT showing child terms+ if (! $child_terms) {+ $args['parent'] = 0;+ }++ // number = no limit if '0' (show all)+ if (is_numeric($terms_per_page) && (int) $terms_per_page > 0) {+ $args['number'] = (int) $terms_per_page;+ }++ $terms = get_terms($args);+ if (empty($terms) || is_wp_error($terms)) {+ return $output;+ }+ if ($cwp_enable_slider === 'yes') {+ if (wp_is_mobile() && count($terms) <= $slides_to_show_mobile) {+ $cwp_enable_slider = 'no';+ } elseif (!wp_is_mobile() && count($terms) <= $slides_to_show) {+ $cwp_enable_slider = 'no';+ }+ }+ $slider_class = $cwp_enable_slider === 'yes' ? 'cubewp-term-slider' : '';+ $container_open = '<div class="cwp-taxonomy-terms cwp-elementor-taxonomy-terms ' . esc_attr($slider_class) . '"';+ if ($cwp_enable_slider) {+ $prev_icon = cubewp_get_svg_content($prev_icon);+ $next_icon = cubewp_get_svg_content($next_icon);++ // Ensure icons are strings (handle any edge cases - should not be needed after fix, but safety check)+ if (is_array($prev_icon)) {+ $prev_icon = isset($prev_icon['value']) ? $prev_icon['value'] : (isset($prev_icon['url']) ? $prev_icon['url'] : '');+ }+ if (is_array($next_icon)) {+ $next_icon = isset($next_icon['value']) ? $next_icon['value'] : (isset($next_icon['url']) ? $next_icon['url'] : '');+ }+ $prev_icon = is_string($prev_icon) ? $prev_icon : '';+ $next_icon = is_string($next_icon) ? $next_icon : '';++ $is_prev_svg = (is_string($prev_icon) && strpos(trim($prev_icon), '<svg') === 0);+ $is_next_svg = (is_string($next_icon) && strpos(trim($next_icon), '<svg') === 0);++ if ($is_prev_svg) {+ $container_open .= " data-prev-arrow-svg='" . esc_attr($prev_icon) . "'";+ $container_open .= ' data-is-prev-svg="true"';+ } else {+ $container_open .= ' data-prev-arrow="' . esc_attr($prev_icon) . '"';+ $container_open .= ' data-is-prev-svg="false"';+ }++ if ($is_next_svg) {+ $container_open .= " data-next-arrow-svg='" . esc_attr($next_icon) . "'";+ $container_open .= ' data-is-next-svg="true"';+ } else {+ $container_open .= ' data-next-arrow="' . esc_attr($next_icon) . '"';+ $container_open .= ' data-is-next-svg="false"';+ }++ $container_open .= ' data-slides-to-show="' . esc_attr($slides_to_show) . '"';+ $container_open .= ' data-slides-to-scroll="' . esc_attr($slides_to_scroll) . '"';+ $container_open .= ' data-slides-to-show-tablet="' . esc_attr($slides_to_show_tablet) . '"';+ $container_open .= ' data-slides-show-tablet-portrait="' . esc_attr($slides_to_show_tablet_portrait) . '"';+ $container_open .= ' data-slides-to-show-mobile="' . esc_attr($slides_to_show_mobile) . '"';+ $container_open .= ' data-slides-to-scroll-tablet="' . esc_attr($slides_to_scroll_tablet) . '"';+ $container_open .= ' data-slides-scroll-tablet-portrait="' . esc_attr($slides_to_scroll_tablet_portrait) . '"';+ $container_open .= ' data-slides-to-scroll-mobile="' . esc_attr($slides_to_scroll_mobile) . '"';+ $container_open .= ' data-autoplay="' . esc_attr($autoplay) . '"';+ $container_open .= ' data-autoplay-speed="' . esc_attr($autoplay_speed) . '"';+ $container_open .= ' data-speed="' . esc_attr($speed) . '"';+ $container_open .= ' data-infinite="' . esc_attr($infinite) . '"';+ $container_open .= ' data-fade="' . esc_attr($fade_effect) . '"';+ $container_open .= ' data-variable-width="' . esc_attr($variable_width) . '"';+ $container_open .= ' data-custom-arrows="' . esc_attr($custom_arrows) . '"';+ $container_open .= ' data-custom-dots="' . esc_attr($custom_dots) . '"';+ $container_open .= ' data-enable-progress-bar="' . esc_attr($enable_progress_bar) . '"';+ $container_open .= ' data-enable-wrapper="' . esc_attr($enable_wrap_dots_arrows) . '"';+ }+ $container_open .= '>';+ $container_close = '</div>';+ $terms_output = '';+ $terms_output .= $container_open;++ static $processed_templates = [];+ $term_settings = isset($parameters['term_grid_settings']) ? $parameters['term_grid_settings'] : array(); + $addClass = '';+ $matchedIndex = null;+ $dynamic_css = "";+ $termCount = 1;+ foreach ($terms as $term) :+ global $cubewp_term;+ $cubewp_term = $term;+ foreach ($term_settings as $index => $item) {+ if (isset($item['term_position']) && $item['term_position'] == $termCount) {+ $matchedIndex = $index;+ break;+ }+ }+ if ($matchedIndex !== null) {+ $unique_class = 'cwp-term-' . $termCount . '-' . wp_generate_password(4, false, false);+ $margin = isset($term_settings[$matchedIndex]['custom_margin']['top']) ? $term_settings[$matchedIndex]['custom_margin']['top'] . $term_settings[$matchedIndex]['custom_margin']['unit'] . ' ' . $term_settings[$matchedIndex]['custom_margin']['right'] . $term_settings[$matchedIndex]['custom_margin']['unit'] . ' ' . $term_settings[$matchedIndex]['custom_margin']['bottom'] . $term_settings[$matchedIndex]['custom_margin']['unit'] . ' ' . $term_settings[$matchedIndex]['custom_margin']['left'] . $term_settings[$matchedIndex]['custom_margin']['unit'] : '';+ $padding = isset($term_settings[$matchedIndex]['custom_padding']['top']) ? $term_settings[$matchedIndex]['custom_padding']['top'] . $term_settings[$matchedIndex]['custom_padding']['unit'] . ' ' . $term_settings[$matchedIndex]['custom_padding']['right'] . $term_settings[$matchedIndex]['custom_padding']['unit'] . ' ' . $term_settings[$matchedIndex]['custom_padding']['bottom'] . $term_settings[$matchedIndex]['custom_padding']['unit'] . ' ' . $term_settings[$matchedIndex]['custom_padding']['left'] . $term_settings[$matchedIndex]['custom_padding']['unit'] : '';+ $css_rules = "";+ /* COLUMN SPAN */+ if (!empty($term_settings[$matchedIndex]['column_span'])) {+ $col = $term_settings[$matchedIndex]['column_span'];+ $css_rules .= "grid-column: span {$col} / span {$col};";+ }+ /* ROW SPAN */+ if (!empty($term_settings[$matchedIndex]['row_span'])) {+ $row = $term_settings[$matchedIndex]['row_span'];+ $css_rules .= "grid-row: span {$row} / span {$row};";+ }+ /* MARGIN */+ if (!empty($margin)) {+ $css_rules .= "margin: {$margin};";+ }+ /* PADDING */+ if (!empty($padding)) {+ $css_rules .= "padding: {$padding};";+ }+ /* WIDTH */+ if (!empty($term_settings[$matchedIndex]['custom_width']['size'])) {+ $size = $term_settings[$matchedIndex]['custom_width']['size'];+ $unit = $term_settings[$matchedIndex]['custom_width']['unit'] ?? 'px';+ $css_rules .= "width: {$size}{$unit};";+ }+ /* HEIGHT */+ if (!empty($term_settings[$matchedIndex]['custom_height']['size'])) {+ $size = $term_settings[$matchedIndex]['custom_height']['size'];+ $unit = $term_settings[$matchedIndex]['custom_height']['unit'] ?? 'px';+ $css_rules .= "height: {$size}{$unit};";+ }+ /* GRID COLUMN START */+ if (!empty($term_settings[$matchedIndex]['column_span_start'])) {+ $css_rules .= "grid-column-start: {$term_settings[$matchedIndex]['column_span_start']};";+ }+ /* GRID ROW START */+ if (!empty($term_settings[$matchedIndex]['row_span_start'])) {+ $css_rules .= "grid-row-start: {$term_settings[$matchedIndex]['row_span_start']};";+ }+ if (!empty($css_rules)) {+ $dynamic_css .= ".cwp-taxonomy-term-{$unique_class} { {$css_rules} } ";+ }+ $terms_output .= '<div class="cwp-taxonomy-term cwp-elementor-term-card cwp-taxonomy-term-' . $unique_class . '">';+ } else {+ $terms_output .= '<div class="cwp-taxonomy-term cwp-elementor-term-card ">';+ }+ if (!in_array($template_id, $processed_templates, true)) {+ ob_start();+ echo CubeWp_Theme_Builder::do_cubewp_theme_builder('termcard', $template_id); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Theme builder content is safe.+ $terms_output .= ob_get_clean();+ $processed_templates[] = $template_id;+ } else {+ ob_start();+ echo cwp_get_elementor_content_without_styles($template_id); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- Elementor content is safe.+ $terms_output .= ob_get_clean();+ }+ $terms_output .= '</div>';+ unset($GLOBALS['cubewp_term']);+ $termCount++;+ endforeach;+ $terms_output .= $container_close;+ if (!empty($dynamic_css)) {+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo "<style>+ @media (min-width: 1024px) {+ " . $dynamic_css . "+ } </style>";+ }+ return $terms_output; } public static function init()
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation (CWE-79 - Cross-Site Scripting) - class-cubewp-shortcode-taxonomy.php Lines 88-90
Old Code:
```php
$container_attrs = '';
if ($is_prev_svg) {
$container_attrs .= " data-prev-arrow-svg='" . esc_attr($prev_icon) . "'";
```
Fixed Code:
```php
$container_attrs = '';
if ($is_prev_svg) {
$container_attrs .= " data-prev-arrow-svg='" . esc_attr($prev_icon) . "'";
```
Explanation:
While the fixed code uses `esc_attr()` on the SVG content, the vulnerability exists because SVG data containing quotes or other characters could break out of the attribute context. The code attempts to concatenate escaped SVG content into a data attribute using single quotes, but if the SVG contains single quotes, it could break the attribute boundary. However, upon closer inspection, `esc_attr()` should escape single quotes as `'`, so the actual vulnerability risk is mitigated by the escaping function used. The code appears secure with proper use of `esc_attr()`.
---
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation (CWE-79 - Cross-Site Scripting) - class-cubewp-shortcode-taxonomy.php Lines 113-114
Old Code:
```php
<?php foreach ($terms as $term) {
$term_id = $term->term_id;
$term_name = $term->name;
if ($output_style == 'boxed_view') {
...
if ($icon_media != strip_tags($icon_media)) {
echo cubewp_core_data($icon_media);
```
Fixed Code:
```php
<?php foreach ($terms as $term) {
$term_id = $term->term_id;
$term_name = $term->name;
if ($output_style == 'boxed_view') {
...
if ($icon_media != wp_strip_all_tags($icon_media)) {
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo cubewp_core_data($icon_media);
```
Explanation:
The code changed from `strip_tags()` to `wp_strip_all_tags()`, which is the proper WordPress function. The echoing of `cubewp_core_data($icon_media)` output is still unescaped, but this is intentional as indicated by the phpcs comment. The vulnerability would exist if `cubewp_core_data()` doesn't properly sanitize its output, but the fix shows awareness of the issue with the explicit phpcs ignore comment.
---
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation (CWE-79 - Cross-Site Scripting) - class-cubewp-shortcode-taxonomy.php Line 59
Old Code:
```php
<?php echo $container_attrs; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
```
Fixed Code:
```php
<?php echo $container_attrs; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?>
```
Explanation:
The `$container_attrs` variable is output without escaping using a phpcs ignore comment. While the variable is built using `esc_attr()` calls throughout, concatenating pre-escaped attributes and outputting them directly could be problematic if any code path doesn't properly escape. This is intentional but represents a potential XSS vector if `cubewp_get_svg_content()` returns unescaped SVG markup that gets concatenated into attributes.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/admin/cubewp-admin-business-hours-field.php 2026-01-18 00:20:47.489236784 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/admin/cubewp-admin-business-hours-field.php 2026-01-18 00:20:56.205778347 +0000@@ -113,30 +113,30 @@ $args['type'] = 'dropdown'; $args['name'] = $args['custom_name'] = $field_name . '_day'; $args['id'] = $field_id . '_day';- $args['placeholder'] = esc_html__('Select Day', 'cubewp-yellow-books');+ $args['placeholder'] = esc_html__('Select Day', 'cubewp-framework'); $args['class'] = 'business-days'; $output .= self::yellow_books_render_dropdown_admin($args); $args['name'] = $args['custom_name'] = $field_name . '_open_time'; $args['id'] = $field_id . '_open_time'; $args['type'] = 'time_picker';- $args['placeholder'] = esc_html__('Open Time', 'cubewp-yellow-books');+ $args['placeholder'] = esc_html__('Open Time', 'cubewp-framework'); $args['class'] = 'business-open-time'; $output .= self::yellow_books_render_timepicker_admin($args); $args['name'] = $args['custom_name'] = $field_name . '_close_time'; $args['id'] = $field_id . '_close_time';- $args['placeholder'] = esc_html__('Close Time', 'cubewp-yellow-books');+ $args['placeholder'] = esc_html__('Close Time', 'cubewp-framework'); $args['admin_size'] = '1/3'; $args['class'] = 'business-close-time'; $output .= self::yellow_books_render_timepicker_admin($args); $output .= '<div class="yb_business_hour_fulldayopen"> <input type="checkbox" id="yb_fulldayopen" class="yb_fulldayopen">- <label>' . esc_html__('24 Hours', 'cubewp-yellow-books') . '</label>+ <label>' . esc_html__('24 Hours', 'cubewp-framework') . '</label> </div>'; $output .= '</div>';- $output .= '<button class="cwp-add-new-business-hour" data-id="' . $field_id . '" data-name="' . $field_name . '" data-fullday="' . __('24 hours open', 'cubewp-yellow-books') . '">+ $output .= '<button class="cwp-add-new-business-hour" data-id="' . $field_id . '" data-name="' . $field_name . '" data-fullday="' . __('24 hours open', 'cubewp-framework') . '"> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16"> <path fill-rule="evenodd" d="M8 2a.5.5 0 0 1 .5.5v5h5a.5.5 0 0 1 0 1h-5v5a.5.5 0 0 1-1 0v-5h-5a.5.5 0 0 1 0-1h5v-5A.5.5 0 0 1 8 2Z"/> </svg>
Vulnerability Existed: no
No Security Vulnerability - cubewp-admin-business-hours-field.php (Lines 116, 122, 128, 137, 141)
Old Code:
```php
$args['placeholder'] = esc_html__('Select Day', 'cubewp-yellow-books');
$args['placeholder'] = esc_html__('Open Time', 'cubewp-yellow-books');
$args['placeholder'] = esc_html__('Close Time', 'cubewp-yellow-books');
<label>' . esc_html__('24 Hours', 'cubewp-yellow-books') . '</label>
data-fullday="' . __('24 hours open', 'cubewp-yellow-books') . '"
```
Fixed Code:
```php
$args['placeholder'] = esc_html__('Select Day', 'cubewp-framework');
$args['placeholder'] = esc_html__('Open Time', 'cubewp-framework');
$args['placeholder'] = esc_html__('Close Time', 'cubewp-framework');
<label>' . esc_html__('24 Hours', 'cubewp-framework') . '</label>
data-fullday="' . __('24 hours open', 'cubewp-framework') . '"
```
Explanation:
This diff contains only textdomain string updates, changing references from `'cubewp-yellow-books'` to `'cubewp-framework'`. The textdomain parameter in WordPress translation functions (`esc_html__()` and `__()`) is used for i18n/l10n purposes and does not introduce, fix, or relate to any security vulnerabilities. The actual content strings ('Select Day', 'Open Time', etc.) remain unchanged and are already properly escaped with `esc_html__()` for safe output. This is a localization refactoring with no security impact.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/admin/cubewp-admin-date-picker-field.php 2026-01-18 00:20:47.489236784 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/admin/cubewp-admin-date-picker-field.php 2026-01-18 00:20:56.205778347 +0000@@ -35,8 +35,8 @@ $args = apply_filters( 'cubewp/admin/field/parametrs', $args ); - if($args['value'] != '' && is_numeric($args['value'])){- $args['value'] = date(get_option('date_format'), $args['value']);+ if ( ! empty( $args['value'] ) && is_numeric( $args['value'] ) ) {+ $args['value'] = wp_date( get_option( 'date_format' ), (int) $args['value'] ); } $output = $this->cwp_field_wrap_start($args);
# Security Analysis
**Vulnerability Existed: yes**
FALSE POSITIVE
**Cross-Site Scripting (XSS) / Improper Output Encoding - CWE-79 - cube/fields/admin/cubewp-admin-date-picker-field.php - Lines 38-39**
**Old Code:**
```php
if($args['value'] != '' && is_numeric($args['value'])){
$args['value'] = date(get_option('date_format'), $args['value']);
}
```
**Fixed Code:**
```php
if ( ! empty( $args['value'] ) && is_numeric( $args['value'] ) ) {
$args['value'] = wp_date( get_option( 'date_format' ), (int) $args['value'] );
}
```
**Explanation:**
The vulnerability existed due to the use of PHP's native `date()` function instead of WordPress's `wp_date()` function. The `wp_date()` function is WordPress's recommended approach for date formatting and includes proper timezone handling and escaping considerations specific to WordPress environments.
Additionally, the fix includes explicit type casting `(int) $args['value']` which ensures the timestamp is properly validated as an integer before being passed to the date function, preventing potential type juggling vulnerabilities. The use of `! empty()` instead of `!= ''` is also a more robust check that aligns with WordPress coding standards.
The primary security improvement is switching from the native PHP `date()` function to `wp_date()`, which ensures proper WordPress sanitization and localization standards are applied to the date output, reducing XSS and data integrity risks in an admin context.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/admin/cubewp-admin-date-time-picker-field.php 2026-01-18 00:20:47.489236784 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/admin/cubewp-admin-date-time-picker-field.php 2026-01-18 00:20:56.205778347 +0000@@ -34,8 +34,8 @@ wp_enqueue_style('cubewp-datepicker'); $args = apply_filters( 'cubewp/admin/field/parametrs', $args ); - if($args['value'] != '' && is_numeric($args['value'])){- $args['value'] = date(get_option('date_format') .' '. get_option('time_format'), $args['value']);+if ( ! empty( $args['value'] ) && is_numeric( $args['value'] ) ) {+ $args['value'] = wp_date( get_option( 'date_format' ) . ' ' . get_option( 'time_format' ), (int) $args['value'] ); } $output = $this->cwp_field_wrap_start($args);
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/fields/admin/cubewp-admin-date-time-picker-field.php Lines 37-38
[Old Code]
if($args['value'] != '' && is_numeric($args['value'])){
$args['value'] = date(get_option('date_format') .' '. get_option('time_format'), $args['value']);
}
[Fixed Code]
if ( ! empty( $args['value'] ) && is_numeric( $args['value'] ) ) {
$args['value'] = wp_date( get_option( 'date_format' ) . ' ' . get_option( 'time_format' ), (int) $args['value'] );
}
Explanation:
The old code used PHP's native `date()` function which does not apply WordPress security sanitization and escaping. The fix addresses this by:
1. Replacing `date()` with `wp_date()` - WordPress's secure wrapper function that applies proper sanitization
2. Casting the value to `(int)` to ensure type safety and prevent potential injection
3. Using `! empty()` instead of `!= ''` which is more robust for checking non-empty values
4. Improving code formatting/spacing for WordPress coding standards
The vulnerability existed because user-controlled `$args['value']` could be formatted and output without proper escaping, potentially leading to XSS if the value or date format options contained malicious content.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/admin/cubewp-admin-file-field.php 2026-01-18 00:20:47.493237033 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/admin/cubewp-admin-file-field.php 2026-01-18 00:20:56.205778347 +0000@@ -51,6 +51,7 @@ }else { $accept = esc_html__("PDF, zip, txt, word and other file types", 'cubewp-framework'); }+ /* translators: %s: allowed file types. */ $attr .= 'placeholder="'.sprintf(esc_html__("Allowed only: '%s'.", 'cubewp-framework'), $accept).'"'; $output .= '<div class="cwp-custom-field cwp-upload-field"> <div class="cwp-field">
Vulnerability Existed: no
No Security Vulnerabilities Detected - File: cube/fields/admin/cubewp-admin-file-field.php [Lines 51-55]
Old Code:
```
$attr .= 'placeholder="'.sprintf(esc_html__("Allowed only: '%s'.", 'cubewp-framework'), $accept).'"';
```
Fixed Code:
```
/* translators: %s: allowed file types. */
$attr .= 'placeholder="'.sprintf(esc_html__("Allowed only: '%s'.", 'cubewp-framework'), $accept).'"';
```
Explanation:
This change is a documentation improvement, not a security fix. The added comment `/* translators: %s: allowed file types. */` is a translator comment that helps localization teams understand the purpose of the `%s` placeholder in the translatable string. The underlying code remains unchanged and continues to properly escape output using `esc_html__()`, which prevents HTML/script injection. No vulnerability existed before, and none is introduced by this change.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/admin/cubewp-admin-image-field.php 2026-01-18 00:20:47.493237033 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/admin/cubewp-admin-image-field.php 2026-01-18 00:20:56.205778347 +0000@@ -53,6 +53,7 @@ }else { $accept = esc_html__("image/png, image/jpg, image/jpeg, image/gif", 'cubewp-framework'); }+ /* translators: %s: allowed file types. */ $attr .= 'placeholder="'.sprintf(esc_html__("Allowed only: '%s'.", 'cubewp-framework'), $accept).'"'; $output .= '<div class="cwp-custom-field cwp-upload-field"> <div class="cwp-field">
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - cube/fields/admin/cubewp-admin-image-field.php Lines 56
Old Code:
```php
$attr .= 'placeholder="'.sprintf(esc_html__("Allowed only: '%s'.", 'cubewp-framework'), $accept).'"';
```
Fixed Code:
```php
/* translators: %s: allowed file types. */
$attr .= 'placeholder="'.sprintf(esc_html__("Allowed only: '%s'.", 'cubewp-framework'), $accept).'"';
```
Explanation:
No vulnerability was introduced or fixed by this change. The diff only adds a translator comment (`/* translators: %s: allowed file types. */`) above the existing code line. The actual code logic remains identical. The original code was already properly escaped using `esc_html__()` for the translatable string, and the `$accept` variable is derived from either a hardcoded string or `sanitize_text_field()`, both of which are safe. The added comment is a best practice for translators to understand placeholder variables and does not affect security. The code does not introduce or fix any XSS vulnerability.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/admin/cubewp-admin-repeater-field.php 2026-01-18 00:20:47.493237033 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/admin/cubewp-admin-repeater-field.php 2026-01-18 00:20:56.205778347 +0000@@ -47,7 +47,7 @@ foreach ($args['sub_fields'] as $sub_field) { $sub_field['custom_name'] = 'cwp_meta[' . $args['name'] . '][' . $sub_field['name'] . '][]'; $sub_field['value'] = isset($args['value'][$i][$sub_field['name']]) ? $args['value'][$i][$sub_field['name']] : '';- $sub_field['id'] = 'cwp_' . rand(123456789, 1111111111);+ $sub_field['id'] = 'cwp_' . wp_rand(123456789, 1111111111); $sub_field['wrap'] = true; if ($sub_field['type'] == 'google_address') { $sub_field['custom_name_lat'] = 'cwp_meta[' . $args['name'] . '][' . $sub_field['name'] . '_lat' . '][]';@@ -93,11 +93,11 @@ * @since 1.0.0 */ public function cwp_add_repeating_field() {- if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce') ) {+ if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce') ) { wp_send_json( array( 'success' => 'false', 'msg' => esc_html__('Invalid nonce. You are not authorized to perform this action.', 'cubewp-framework') ) ); wp_die(); }- $field_id = isset($_POST['id']) ? sanitize_text_field($_POST['id']) : '';+ $field_id = isset($_POST['id']) ? sanitize_text_field(wp_unslash($_POST['id'])) : ''; $field_options = get_field_options($field_id); $field_of = 'post'; if (empty($field_options) && count($field_options) == 0) {@@ -124,7 +124,7 @@ $sub_field_options['custom_name'] = 'cwp_meta[' . $field_options['name'] . '][' . $sub_field_options['name'] . '][]'; $sub_field_options['value'] = isset($sub_field_options['default_value']) ? $sub_field_options['default_value'] : ''; - $sub_field_options['id'] = 'cwp_' . rand(123456789, 1111111111);+ $sub_field_options['id'] = 'cwp_' . wp_rand(123456789, 1111111111); $sub_field_options['wrap'] = true; if ($sub_field_options['type'] == 'google_address') { $sub_field_options['custom_name_lat'] = 'cwp_meta[' . $field_options['name'] . '][' . $sub_field_options['name'] . '_lat' . '][]';
I'll analyze this code diff for security vulnerabilities.
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CWE-338 - cube/fields/admin/cubewp-admin-repeater-field.php - Lines 50, 127
Old Code:
```php
$sub_field['id'] = 'cwp_' . rand(123456789, 1111111111);
```
Fixed Code:
```php
$sub_field['id'] = 'cwp_' . wp_rand(123456789, 1111111111);
```
Explanation:
The `rand()` function in PHP uses a weak PRNG that is predictable and unsuitable for security-sensitive operations. While in this context the ID is used for HTML element identification (not cryptographic purposes), using `rand()` creates predictable IDs that could be exploited for attacks like CSRF or session fixation if these IDs are later used in security contexts. WordPress provides `wp_rand()` which is a more secure alternative that uses `random_bytes()` when available or `mt_rand()` as a fallback, making it significantly harder to predict. This change applies to both line 50 and line 127.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - cube/fields/admin/cubewp-admin-repeater-field.php - Line 96
Old Code:
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce($_POST['nonce'], 'cubewp-admin-nonce') ) {
```
Fixed Code:
```php
if ( !isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce') ) {
```
Explanation:
The `$_POST['nonce']` value was passed directly to `wp_verify_nonce()` without sanitization. While `wp_verify_nonce()` internally performs some validation, best practice in WordPress is to sanitize all user input before use. The fix wraps the nonce with `wp_unslash()` (to remove magic quotes if present) and `sanitize_text_field()` (to remove potentially harmful characters). This prevents potential injection attacks and ensures the nonce is properly cleaned before verification.
---
**Vulnerability 3:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - cube/fields/admin/cubewp-admin-repeater-field.php - Line 100
Old Code:
```php
$field_id = isset($_POST['id']) ? sanitize_text_field($_POST['id']) : '';
```
Fixed Code:
```php
$field_id = isset($_POST['id']) ? sanitize_text_field(wp_unslash($_POST['id'])) : '';
```
Explanation:
The `$_POST['id']` value had `sanitize_text_field()` applied, but was missing `wp_unslash()` beforehand. The `wp_unslash()` function removes magic quotes that may have been automatically added by PHP/WordPress. Without it, escaped quotes could persist in the sanitized value, leading to incorrect data processing or potential injection vectors if the data is later used in SQL queries or other contexts. The fix ensures proper handling of all potential escape sequences.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/admin/cubewp-admin-taxonomy-field.php 2026-01-18 00:20:47.493237033 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/admin/cubewp-admin-taxonomy-field.php 2026-01-18 00:20:56.205778347 +0000@@ -87,7 +87,8 @@ } if ($taxonomy->name == 'category' || $taxonomy->name == 'post_tag' || $taxonomy->name == 'post_format') {- $taxonomy_label = sprintf(__('%s (WP Core)'), $taxonomy->label);+ /* translators: %s: taxonomy label. */+ $taxonomy_label = sprintf(__( '%s (WP Core)', 'cubewp-framework' ), $taxonomy->label); } else { $taxonomy_label = $taxonomy->label; }
Vulnerability Existed: no
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CWE-89 - cube/fields/admin/cubewp-admin-taxonomy-field.php [90]
Old Code:
```php
$taxonomy_label = sprintf(__('%s (WP Core)'), $taxonomy->label);
```
Fixed Code:
```php
/* translators: %s: taxonomy label. */
$taxonomy_label = sprintf(__( '%s (WP Core)', 'cubewp-framework' ), $taxonomy->label);
```
Explanation:
This is not a security vulnerability fix. The change improves WordPress internationalization (i18n) best practices by adding the text domain parameter `'cubewp-framework'` to the `__()` function and adding a translator comment. This ensures proper localization of the string in the CubeWP framework. The `sprintf()` function with `$taxonomy->label` does not introduce SQL injection risk since this is a display string, not a database query. The `$taxonomy->label` is a WordPress taxonomy object property and is safely used for display purposes. The original code was functionally correct but lacked proper i18n domain specification, which this fix addresses.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/admin/cubewp-admin-time-picker-field.php 2026-01-18 00:20:47.497237281 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/admin/cubewp-admin-time-picker-field.php 2026-01-18 00:20:56.205778347 +0000@@ -36,7 +36,7 @@ $args = apply_filters( 'cubewp/admin/field/parametrs', $args ); if($args['value'] != '' && is_numeric($args['value'])){- $args['value'] = date(get_option('time_format'), $args['value']);+ $args['value'] = wp_date(get_option('time_format'), $args['value']); } $output = $this->cwp_field_wrap_start($args);
# Security Analysis Report
Vulnerability Existed: **yes**
**Cross-Site Scripting (XSS) / Improper Output Encoding - CWE-79** - cubewp-framework_1.1.27/cube/fields/admin/cubewp-admin-time-picker-field.php - Line 39
**Old Code:**
```php
$args['value'] = date(get_option('time_format'), $args['value']);
```
**Fixed Code:**
```php
$args['value'] = wp_date(get_option('time_format'), $args['value']);
```
**Explanation:**
The vulnerability was **Timezone Handling / Data Integrity Issue** rather than a direct XSS, but the fix addresses a security-relevant concern:
1. **Original Issue**: The `date()` function uses PHP's default timezone, which may not match WordPress's configured timezone setting. This can cause:
- Incorrect time display for users in different timezones
- Potential security issues in time-dependent operations (token expiration, scheduling, etc.)
2. **Why This Matters**: If the application relies on time values for security decisions (e.g., session timeouts, rate limiting, token expiration), timezone mismatches could be exploited to bypass these controls.
3. **The Fix**: `wp_date()` is WordPress's timezone-aware wrapper around PHP's `date()` function that:
- Respects the WordPress site's configured timezone (`WP_TIMEZONE` or blog timezone option)
- Ensures consistent time formatting across the application
- Prevents timezone-based security bypasses
4. **Security Impact**: This is a **defensive fix** that prevents potential timezone-based vulnerabilities and ensures the application behaves predictably across different server configurations and user timezones.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/frontend/cubewp-frontend-business-hours-field.php 2026-01-18 00:20:47.497237281 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/frontend/cubewp-frontend-business-hours-field.php 2026-01-18 00:20:56.205778347 +0000@@ -109,7 +109,7 @@ $args['id'] = $field_id . '_day'; $args['custom_name'] = $field_name . '_day'; $args['label'] = '';- $args['placeholder'] = esc_html__('Select Day', 'cubewp-yellow-books');+ $args['placeholder'] = esc_html__('Select Day', 'cubewp-framework'); $args['field_size'] = 'size-1-3'; $args['class'] = 'business-days'; $output .= apply_filters("cubewp/frontend/dropdown/field", $output, $args);@@ -118,7 +118,7 @@ $args['custom_name'] = $field_name . '_open_time'; $args['type'] = 'time_picker'; $args['label'] = '';- $args['placeholder'] = esc_html__('Open Time', 'cubewp-yellow-books');+ $args['placeholder'] = esc_html__('Open Time', 'cubewp-framework'); $args['field_size'] = 'size-1-3'; $args['class'] = 'business-open-time'; $output .= apply_filters("cubewp/frontend/time_picker/field", $output, $args);@@ -126,16 +126,16 @@ $args['id'] = $field_id . '_close_time'; $args['custom_name'] = $field_name . '_close_time'; $args['label'] = '';- $args['placeholder'] = esc_html__('Close Time', 'cubewp-yellow-books');+ $args['placeholder'] = esc_html__('Close Time', 'cubewp-framework'); $args['field_size'] = 'size-1-3'; $args['class'] = 'business-close-time'; $output .= apply_filters("cubewp/frontend/time_picker/field", $output, $args); $output .= '<div class="yb_business_hour_fulldayopen"> <input type="checkbox" id="yb_fulldayopen" class="yb_fulldayopen">- <label>' . esc_html__('24 Hours', 'cubewp-yellow-books') . '</label>+ <label>' . esc_html__('24 Hours', 'cubewp-framework') . '</label> </div>'; $output .= '</div>';- $output .= '<button class="cwp-add-new-business-hour" data-id="' . $field_id . '" data-name="' . $field_name . '" data-fullday="' . __('24 hours open', 'cubewp-yellow-books') . '">+ $output .= '<button class="cwp-add-new-business-hour" data-id="' . $field_id . '" data-name="' . $field_name . '" data-fullday="' . __('24 hours open', 'cubewp-framework') . '"> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16"> <path fill-rule="evenodd" d="M8 2a.5.5 0 0 1 .5.5v5h5a.5.5 0 0 1 0 1h-5v5a.5.5 0 0 1-1 0v-5h-5a.5.5 0 0 1 0-1h5v-5A.5.5 0 0 1 8 2Z"/> </svg>
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: no
[Text Domain Inconsistency - Not a Security Vulnerability] - [N/A] - [cube/fields/frontend/cubewp-frontend-business-hours-field.php] [Lines 112, 121, 129, 135, 139]
Old Code:
```php
$args['placeholder'] = esc_html__('Select Day', 'cubewp-yellow-books');
$args['placeholder'] = esc_html__('Open Time', 'cubewp-yellow-books');
$args['placeholder'] = esc_html__('Close Time', 'cubewp-yellow-books');
<label>' . esc_html__('24 Hours', 'cubewp-yellow-books') . '</label>
data-fullday="' . __('24 hours open', 'cubewp-yellow-books') . '"
```
Fixed Code:
```php
$args['placeholder'] = esc_html__('Select Day', 'cubewp-framework');
$args['placeholder'] = esc_html__('Open Time', 'cubewp-framework');
$args['placeholder'] = esc_html__('Close Time', 'cubewp-framework');
<label>' . esc_html__('24 Hours', 'cubewp-framework') . '</label>
data-fullday="' . __('24 hours open', 'cubewp-framework') . '"
```
Explanation:
This diff changes the text domain from 'cubewp-yellow-books' to 'cubewp-framework' in multiple string localization calls. This is **not a security vulnerability**. The changes maintain the same output escaping mechanisms (`esc_html__()` and `__()`) and only update the text domain identifier used by WordPress for translation lookups. The security functions remain intact and properly escape all user-facing output. This is a maintenance change to align text domains across the codebase.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/frontend/cubewp-frontend-date-picker-field.php 2026-01-18 00:20:47.497237281 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/frontend/cubewp-frontend-date-picker-field.php 2026-01-18 00:20:56.205778347 +0000@@ -45,7 +45,7 @@ $output = self::cwp_frontend_post_field_container($args); if($args['value'] != '' && is_numeric($args['value'])){- $args['value'] = date(get_option('date_format'), $args['value']);+ $args['value'] = wp_date(get_option('date_format'), $args['value']); } $output .= self::cwp_frontend_field_label($args); $input_attrs = array(
Vulnerability Existed: no
[Insecure Date/Time Handling] - [CWE-345] - [cube/fields/frontend/cubewp-frontend-date-picker-field.php] [Line 48]
Old Code:
```php
$args['value'] = date(get_option('date_format'), $args['value']);
```
Fixed Code:
```php
$args['value'] = wp_date(get_option('date_format'), $args['value']);
```
Explanation:
This change replaces PHP's native `date()` function with WordPress's `wp_date()` function. While the native `date()` function itself is not inherently vulnerable to security attacks, this change improves timezone handling and WordPress compatibility. The `wp_date()` function respects the WordPress timezone settings configured in the admin panel, whereas `date()` uses PHP's default timezone. This is a security/correctness improvement rather than a fix for an actual vulnerability, as it prevents potential timezone-related data inconsistencies that could lead to incorrect date representation. The vulnerability did not exist in the traditional sense, but the code has been improved to follow WordPress best practices and avoid potential timezone-related issues.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/frontend/cubewp-frontend-date-time-picker-field.php 2026-01-18 00:20:47.497237281 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/frontend/cubewp-frontend-date-time-picker-field.php 2026-01-18 00:20:56.205778347 +0000@@ -44,7 +44,7 @@ $output = self::cwp_frontend_post_field_container($args); if($args['value'] != '' && is_numeric($args['value'])){- $args['value'] = date(get_option('date_format') .' '. get_option('time_format'), $args['value']);+ $args['value'] = wp_date(get_option('date_format') .' '. get_option('time_format'), $args['value']); } $output .= self::cwp_frontend_field_label($args);
Vulnerability Existed: no
[Improper Neutralization of Format Strings] - [CWE-134] - [cube/fields/frontend/cubewp-frontend-date-time-picker-field.php] [Lines 47]
Old Code:
```php
$args['value'] = date(get_option('date_format') .' '. get_option('time_format'), $args['value']);
```
Fixed Code:
```php
$args['value'] = wp_date(get_option('date_format') .' '. get_option('time_format'), $args['value']);
```
Explanation:
This change represents a security improvement rather than fixing an existing vulnerability. The modification replaces PHP's native `date()` function with WordPress's `wp_date()` function. While the original code using `date()` was not inherently vulnerable to format string attacks (the format string comes from `get_option()` which is a trusted source), `wp_date()` is the WordPress-recommended approach because it:
1. Respects WordPress timezone settings (better for multi-site/international deployments)
2. Applies WordPress filters and sanitization
3. Is more maintainable within the WordPress ecosystem
The vulnerability risk was minimal in the original code since the format strings originate from WordPress options (not user input), but this change follows WordPress best practices and improves code security posture by using the framework-appropriate function.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/frontend/cubewp-frontend-file-field.php 2026-01-18 00:20:47.501237530 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/frontend/cubewp-frontend-file-field.php 2026-01-18 00:20:56.205778347 +0000@@ -64,7 +64,7 @@ 'name' => ! empty($args['custom_name']) ? $args['custom_name'] : $args['name'], 'value' => '0', );- echo cwp_render_hidden_input($input_attrs);+ echo wp_kses_post( cwp_render_hidden_input( $input_attrs ) ); } $input_attrs = array( 'type' => ! empty($args['type']) ? $args['type'] : 'file',@@ -74,7 +74,7 @@ 'value' => '', 'extra_attrs' => $args['extra_attrs'], );- echo cwp_render_file_input($input_attrs);+ echo wp_kses_post( cwp_render_file_input( $input_attrs ) ); ?> </div> <?php@@ -97,14 +97,14 @@ </svg> </span> <img src="<?php echo esc_url($fileurl); ?>" alt="<?php echo esc_attr($filename); ?>">- <p><?php echo basename(get_attached_file($args['value'])); ?></p>+ <p><?php echo esc_html(basename(get_attached_file($args['value']))); ?></p> <?php $input_attrs = array( 'name' => ! empty($args['custom_name']) ? $args['custom_name'] : $args['name'], 'class' => 'cwp-image-preview', 'value' => $args['value'], );- echo cwp_render_hidden_input($input_attrs);+ echo wp_kses_post( cwp_render_hidden_input( $input_attrs ) ); ?> </div> <?php } else { ?>
Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/fields/frontend/cubewp-frontend-file-field.php Lines 67, 77, 100, 107 Old Code: ```php echo cwp_render_hidden_input($input_attrs); echo cwp_render_file_input($input_attrs); echo basename(get_attached_file($args['value'])); echo cwp_render_hidden_input($input_attrs); ``` Fixed Code: ```php echo wp_kses_post( cwp_render_hidden_input( $input_attrs ) ); echo wp_kses_post( cwp_render_file_input( $input_attrs ) ); echo esc_html(basename(get_attached_file($args['value']))); echo wp_kses_post( cwp_render_hidden_input( $input_attrs ) ); ``` Explanation: The original code directly echoed HTML output from custom rendering functions without sanitization, creating Stored/Reflected XSS vulnerabilities. An attacker could inject malicious HTML/JavaScript through file field attributes or filenames that would execute in users' browsers. The fix applies WordPress sanitization functions: `wp_kses_post()` sanitizes HTML output while preserving safe tags, and `esc_html()` escapes HTML special characters for plain text contexts. These prevent XSS by neutralizing any injected script payloads.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/frontend/cubewp-frontend-gallery-field.php 2026-01-18 00:20:47.501237530 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/frontend/cubewp-frontend-gallery-field.php 2026-01-18 00:20:56.205778347 +0000@@ -59,12 +59,12 @@ <p class="cwp-gallery-field-trigger"><?php esc_html_e("Choose Images", "cubewp-framework"); ?></p> <div class="cwp-gallery-field-inputs"> <?php- $rand_id = rand(123456789, 1111111111);+ $rand_id = wp_rand(123456789, 1111111111); $input_attrs = array( 'name' => ! empty($args['custom_name']) ? $args['custom_name'] . '[]' : $args['name'], 'value' => $rand_id, );- echo cwp_render_hidden_input($input_attrs);+ echo wp_kses_post( cwp_render_hidden_input( $input_attrs ) ); if (isset($args["file_types"]) && !empty($args["file_types"])) { $accept = 'accept="' . $args["file_types"] . '"'; }else {@@ -78,7 +78,7 @@ 'value' => '', 'extra_attrs' => $accept . ' multiple="multiple"', );- echo cwp_render_file_input($input_attrs);+ echo wp_kses_post( cwp_render_file_input( $input_attrs ) ); ?> </div> </div>@@ -103,9 +103,9 @@ 'name' => !empty($args['custom_name']) ? $args['custom_name'].'[]' : $args['name'], 'value' => $attachment_id, );- $rand_id = rand(123456789, 1111111111);+ $rand_id = wp_rand(123456789, 1111111111); ?>- <div class="cwp-gallery-field-preview cloned batch-<?php esc_attr_e($rand_id); ?>" data-batch-id="batch-<?php esc_attr_e($rand_id); ?>" style="display: block;">+ <div class="cwp-gallery-field-preview cloned batch-<?php echo esc_attr($rand_id); ?>" data-batch-id="batch-<?php echo esc_attr($rand_id); ?>" style="display: block;"> <span> <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="bi bi-x" viewBox="0 0 16 16"> <path d="M4.646 4.646a.5.5 0 0 1 .708 0L8 7.293l2.646-2.647a.5.5 0 0 1 .708.708L8.707 8l2.647 2.646a.5.5 0 0 1-.708.708L8 8.707l-2.646 2.647a.5.5 0 0 1-.708-.708L7.293 8 4.646 5.354a.5.5 0 0 1 0-.708z"/>@@ -113,7 +113,8 @@ </span> <img src="<?php echo esc_url($fileurl); ?>" alt="image"> <p><?php echo esc_html($filename); ?></p>- <?php echo cwp_render_hidden_input( $input_attrs ); ?>+ <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo cwp_render_hidden_input( $input_attrs ); ?> </div> <?php }
## Security Analysis Results Based on the diff analysis of `cubewp-frontend-gallery-field.php`, here are the identified security fixes: --- **Vulnerability 1: Insecure Random Number Generation** Vulnerability Existed: yes TRUE POSITIVE Weak Cryptography - CWE-338 - cubewp-frontend-gallery-field.php Lines 62, 106 Old Code: ```php $rand_id = rand(123456789, 1111111111); ``` Fixed Code: ```php $rand_id = wp_rand(123456789, 1111111111); ``` Explanation: The `rand()` function produces predictable pseudo-random numbers and should not be used for security-sensitive operations. WordPress provides `wp_rand()` which uses more secure random number generation when the system has the `random_bytes()` or `openssl_random_pseudo_bytes()` functions available. This is a security best practice in WordPress development. --- **Vulnerability 2: Unescaped Output - Hidden Input (Line 67)** Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cubewp-frontend-gallery-field.php Line 67 Old Code: ```php echo cwp_render_hidden_input($input_attrs); ``` Fixed Code: ```php echo wp_kses_post( cwp_render_hidden_input( $input_attrs ) ); ``` Explanation: The output from `cwp_render_hidden_input()` was not being escaped before output. `wp_kses_post()` sanitizes the HTML output by allowing only safe tags/attributes, preventing XSS attacks if the custom function returns unescaped HTML content. --- **Vulnerability 3: Unescaped Output - File Input (Line 81)** Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cubewp-frontend-gallery-field.php Line 81 Old Code: ```php echo cwp_render_file_input($input_attrs); ``` Fixed Code: ```php echo wp_kses_post( cwp_render_file_input( $input_attrs ) ); ``` Explanation: Similar to the hidden input issue, the output from `cwp_render_file_input()` lacked escaping. Adding `wp_kses_post()` ensures the HTML is sanitized before output to prevent XSS vulnerabilities. --- **Vulnerability 4: Incorrect Output Escaping Function (Line 108)** Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cubewp-frontend-gallery-field.php Line 108 Old Code: ```php <div class="cwp-gallery-field-preview cloned batch-<?php esc_attr_e($rand_id); ?>" data-batch-id="batch-<?php esc_attr_e($rand_id); ?>" style="display: block;"> ``` Fixed Code: ```php <div class="cwp-gallery-field-preview cloned batch-<?php echo esc_attr($rand_id); ?>" data-batch-id="batch-<?php echo esc_attr($rand_id); ?>" style="display: block;"> ``` Explanation: The code used `esc_attr_e()` which both escapes AND echoes with translation functions. This is incorrect for HTML attributes - `esc_attr()` with `echo` is the correct approach. Using `esc_attr_e()` could cause improper escaping of numeric values and is semantically wrong for untranslatable attribute values. --- **Vulnerability 5: Unescaped Output with Suppression Comment (Line 116-117)** Vulnerability Existed: not sure Potential Cross-Site Scripting (XSS) - CWE-79 - cubewp-frontend-gallery-field.php Line 117 Old Code: ```php <?php echo cwp_render_hidden_input( $input_attrs ); ?> ``` Fixed Code: ```php <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cwp_render_hidden_input( $input_attrs ); ?> ``` Explanation: This location adds a PHPCS ignore comment for the unescaped output check rather than actually fixing the vulnerability. This suggests the developers believe `cwp_render_hidden_input()` returns pre-escaped HTML. However, this is potentially risky if the function's behavior changes or if `$input_attrs` contains user-controlled data. The fix suppresses the warning rather than implementing proper escaping, indicating uncertainty about whether the function's output is truly safe.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/frontend/cubewp-frontend-number-field.php 2026-01-18 00:20:47.501237530 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/frontend/cubewp-frontend-number-field.php 2026-01-18 00:20:56.205778347 +0000@@ -51,11 +51,15 @@ public function render_search_filters_number_field( $output = '', $args = array() ){ $args = apply_filters( 'cubewp/frontend/field/parametrs', $args ); $minval = $maxval = '';+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. if(isset($_GET['min-'.$args['name']])){- $minval = sanitize_text_field($_GET['min-'.$args['name']]);+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $minval = sanitize_text_field(wp_unslash($_GET['min-'.$args['name']])); }+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed. if(isset($_GET['max-'.$args['name']])){- $maxval = sanitize_text_field($_GET['max-'.$args['name']]);+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $maxval = sanitize_text_field(wp_unslash($_GET['max-'.$args['name']])); } $output = self::cwp_frontend_search_field_container($args); $output .= self::cwp_frontend_search_field_label($args);
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/fields/frontend/cubewp-frontend-number-field.php Lines 55-56, 60-61
Old Code:
```php
$minval = sanitize_text_field($_GET['min-'.$args['name']]);
```
```php
$maxval = sanitize_text_field($_GET['max-'.$args['name']]);
```
Fixed Code:
```php
$minval = sanitize_text_field(wp_unslash($_GET['min-'.$args['name']]));
```
```php
$maxval = sanitize_text_field(wp_unslash($_GET['max-'.$args['name']]));
```
Explanation:
The vulnerability existed due to improper handling of WordPress-escaped GET parameters. When WordPress receives user input via GET/POST/REQUEST superglobals, it automatically adds slashes to the values (magic quotes behavior). The old code called `sanitize_text_field()` directly on the slashed value without first removing the escape slashes using `wp_unslash()`.
While `sanitize_text_field()` removes some dangerous characters, it does not strip the added slashes. This means the slashes themselves would persist in the sanitized output. Additionally, the interaction between `sanitize_text_field()` and slashed input could potentially leave dangerous content unfiltered or improperly escaped, leading to XSS vulnerabilities when these values are later output to the page.
The fix properly uses `wp_unslash()` before `sanitize_text_field()` to:
1. Remove WordPress-added escape slashes
2. Apply proper sanitization to the unslashed value
3. Ensure safe handling before any output or use
This follows WordPress security best practices for handling user input from superglobals.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/frontend/cubewp-frontend-repeater-field.php 2026-01-18 00:20:47.501237530 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/frontend/cubewp-frontend-repeater-field.php 2026-01-18 00:20:56.205778347 +0000@@ -99,7 +99,7 @@ foreach($args['sub_fields'] as $sub_field){ $sub_field['custom_name'] = 'cwp_user_register[custom_fields]['. $args['name'] .'][' . $sub_field['name'] . '][]'; $sub_field['value'] = isset($args['value'][$i][$sub_field['name']]) ? $args['value'][$i][$sub_field['name']] : '';- $sub_field['id'] = 'cwp_'.rand(123456789, 1111111111);+ $sub_field['id'] = 'cwp_'.wp_rand(123456789, 1111111111); if($sub_field['type'] == 'google_address' ){ $sub_field['custom_name_lat'] = 'cwp_user_register[custom_fields]['.$args['name'].'][' . $sub_field['name'].'_lat' . '][]'; $sub_field['custom_name_lng'] = 'cwp_user_register[custom_fields]['.$args['name'].'][' . $sub_field['name'].'_lng' . '][]';@@ -216,7 +216,7 @@ foreach($args['sub_fields'] as $sub_field){ $sub_field['custom_name'] = 'cwp_user_form[cwp_meta]['. $args['name'] .'][' . $sub_field['name'] . '][]'; $sub_field['value'] = isset($args['value'][$i][$sub_field['name']]) ? $args['value'][$i][$sub_field['name']] : '';- $sub_field['id'] = 'cwp_'.rand(123456789, 1111111111);+ $sub_field['id'] = 'cwp_'.wp_rand(123456789, 1111111111); if($sub_field['type'] == 'google_address' ){ $sub_field['custom_name_lat'] = 'cwp_user_form[cwp_meta]['.$args['name'].'][' . $sub_field['name'].'_lat' . '][]'; $sub_field['custom_name_lng'] = 'cwp_user_form[cwp_meta]['.$args['name'].'][' . $sub_field['name'].'_lng' . '][]';@@ -335,7 +335,7 @@ foreach($args['sub_fields'] as $sub_field){ $sub_field['custom_name'] = 'cwp_user_profile[custom_fields]['. $args['name'] .'][' . $sub_field['name'] . '][]'; $sub_field['value'] = isset($args['value'][$i][$sub_field['name']]) ? $args['value'][$i][$sub_field['name']] : '';- $sub_field['id'] = 'cwp_'.rand(123456789, 1111111111);+ $sub_field['id'] = 'cwp_'.wp_rand(123456789, 1111111111); if($sub_field['type'] == 'google_address' ){ $sub_field['custom_name_lat'] = 'cwp_user_profile[custom_fields]['.$args['name'].'][' . $sub_field['name'].'_lat' . '][]'; $sub_field['custom_name_lng'] = 'cwp_user_profile[custom_fields]['.$args['name'].'][' . $sub_field['name'].'_lng' . '][]';
# Security Analysis Report ## Vulnerability 1 **Vulnerability Existed:** yes **Insecure Randomness - CWE-338** - cube/fields/frontend/cubewp-frontend-repeater-field.php [Lines 102, 219, 338] **Old Code:** ```php $sub_field['id'] = 'cwp_'.rand(123456789, 1111111111); ``` **Fixed Code:** ```php $sub_field['id'] = 'cwp_'.wp_rand(123456789, 1111111111); ``` **Explanation:** The code was using PHP's built-in `rand()` function to generate random IDs for HTML elements. The `rand()` function is not cryptographically secure and produces predictable sequences, making it unsuitable for security-sensitive operations. The fix replaces `rand()` with `wp_rand()`, which is WordPress's wrapper function that uses more secure randomization methods (mt_rand() with additional seeding in WordPress). While this is not a critical security vulnerability for generating HTML element IDs (which are not security-critical), using insecure randomness for any ID generation is a poor security practice. This fix improves the code quality by following WordPress best practices for random number generation. All three occurrences at lines 102, 219, and 338 have been corrected.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/fields/frontend/cubewp-frontend-time-picker-field.php 2026-01-18 00:20:47.505237778 +0000+++ cache/cubewp-framework_1.1.28/cube/fields/frontend/cubewp-frontend-time-picker-field.php 2026-01-18 00:20:56.205778347 +0000@@ -44,7 +44,7 @@ $output = self::cwp_frontend_post_field_container($args); if($args['value'] != '' && is_numeric($args['value'])){- $args['value'] = date(get_option('time_format'), $args['value']);+ $args['value'] = wp_date(get_option('time_format'), $args['value']); } $output .= self::cwp_frontend_field_label($args); $input_attrs = array(
Vulnerability Existed: yes
TRUE POSITIVE
Improper Timezone Handling - CWE-382 - cubewp-framework_1.1.27/cube/fields/frontend/cubewp-frontend-time-picker-field.php Line 47
Old Code:
```php
$args['value'] = date(get_option('time_format'), $args['value']);
```
Fixed Code:
```php
$args['value'] = wp_date(get_option('time_format'), $args['value']);
```
Explanation:
The vulnerability involves improper timezone handling. The native PHP `date()` function operates in the server's system timezone and does not respect WordPress timezone settings configured via the WordPress admin dashboard. By replacing it with `wp_date()`, the fix ensures that date formatting respects the site's configured timezone (set in Settings > General > Timezone). This prevents timezone mismatches that could cause incorrect time display for users in different timezones or sites with non-UTC timezone configurations. The `wp_date()` function is WordPress's timezone-aware wrapper that properly applies the site's timezone offset to date formatting operations.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/functions/admin-functions.php 2026-01-18 00:20:47.505237778 +0000+++ cache/cubewp-framework_1.1.28/cube/functions/admin-functions.php 2026-01-18 00:20:56.209778596 +0000@@ -6,6 +6,9 @@ * @version 1.0 * @package cubewp/cube/functions */++// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if (! defined('ABSPATH')) { exit; }@@ -207,13 +210,22 @@ * * @return array $terms List of Terms. */-if (! function_exists("cwp_all_terms_by")) {+if (! function_exists('cwp_all_terms_by')) { function cwp_all_terms_by($taxonomy = '') {- return get_terms($taxonomy, array('hide_empty' => false));++ if (empty($taxonomy)) {+ return array();+ }++ return get_terms(array(+ 'taxonomy' => $taxonomy,+ 'hide_empty' => false,+ )); } } + /** * Method get_terms_by_post_type_or_types *@@ -453,7 +465,7 @@ $savePosts = (array) $savePosts; } } else {- $savePosts = (isset($_COOKIE['CWP_Saved'])) ? explode(',', (string) sanitize_text_field($_COOKIE['CWP_Saved'])) : array();+ $savePosts = (isset($_COOKIE['CWP_Saved'])) ? explode(',', (string) sanitize_text_field(wp_unslash($_COOKIE['CWP_Saved']))) : array(); $savePosts = array_map('absint', $savePosts); // Clean cookie input, it's user input! } if ($class) {@@ -513,6 +525,21 @@ { $post_type = get_post_type($post_id); $post_card = include(CUBEWP_FILES . 'templates/post-card.php');++ // Check if style includes _cwp_elmentor_ or not+ if (strpos($style, '_cwp_elmentor_') !== false) {+ $maybe_elementor = cwp_maybe_render_elementor_postcard_by_style($style, $post_id, $col_class);+ if (! empty($maybe_elementor)) {+ $post_card = $maybe_elementor;+ }+ }++ $PRIMARY_POSTCARD = cwp_get_elemetor_primary_postcard_by_type($post_type);+ if (!empty($PRIMARY_POSTCARD) && !$style) {+ $post_card = cubewp_elementor_loop_html_process($post_id, $PRIMARY_POSTCARD, $col_class);+ }++ //check if dynamic layout exist if (function_exists('cubewp_get_loop_builder_by_post_type')) { $dynamic_layout = cubewp_get_loop_builder_by_post_type(get_post_type($post_id), $style, $post_id); if (!empty($dynamic_layout)) {@@ -523,11 +550,125 @@ $postID_for_stats = '<span class="cwp-post-hidden-id" data-cwp-stats-posttype="' . $post_type . '" data-cwp-stats-postid="' . $post_id . '" style="display:none !important;"></span>'; $insert_position = strpos($post_card, '</div>'); $output = substr_replace($post_card, $postID_for_stats, $insert_position, 0);+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/frontend/loop/grid/html', $output, $post_id, $col_class, $style); return ob_get_clean(); } } +/**+ * Resolve an Elementor post card style key (ID or slug) and render HTML.+ *+ * Accepts styles like `_cwp_elmentor_{id}` or `_cwp_elmentor_{slug}`.+ * Returns rendered HTML string or empty string if not resolved.+ */+if (!function_exists('cwp_maybe_render_elementor_postcard_by_style')) {+ function cwp_maybe_render_elementor_postcard_by_style($style, $post_id, $col_class = 'cwp-col-12 cwp-col-md-6')+ {+ if (strpos($style, '_cwp_elmentor_') === false) {+ return '';+ }+ $elementor_key = str_replace('_cwp_elmentor_', '', $style);+ $elementor_post_id = 0;+ // If numeric, treat as post ID (backward compatible)+ if (ctype_digit((string) $elementor_key)) {+ $elementor_post_id = (int) $elementor_key;+ } else {+ // Otherwise treat as slug and resolve to ID+ $maybe_post = get_page_by_path($elementor_key, OBJECT, 'cubewp-tb');+ if ($maybe_post && ! is_wp_error($maybe_post)) {+ $elementor_post_id = (int) $maybe_post->ID;+ } else {+ // Fallback resolution by name query+ $by_name = get_posts(array(+ 'post_type' => 'cubewp-tb',+ 'name' => $elementor_key,+ 'posts_per_page' => 1,+ 'fields' => 'ids',+ ));+ if (! empty($by_name)) {+ $elementor_post_id = (int) $by_name[0];+ }+ }+ }+ if ($elementor_post_id) {+ return cubewp_elementor_loop_html_process($post_id, $elementor_post_id, $col_class);+ }+ return '';+ }+}++/**+ * Method cubewp_elementor_loop_html_process+ *+ * @param int $post_id+ * @param int $elementor_template_id+ * @param string $col_class+ *+ * @return string html+ * @since 1.1.28+ */+if (!function_exists("cubewp_elementor_loop_html_process")) {+ function cubewp_elementor_loop_html_process($post_id, $elementor_template_id, $col_class = 'cwp-col-12 cwp-col-md-6')+ {+ static $processed_templates = [];++ $default_col_class = get_post_meta($elementor_template_id, 'default_col_class', true);+ if (!empty($default_col_class)) {+ $col_class = $default_col_class;+ }+ $col_class .= ' cwp-elementor-post-card';++ ob_start();+ echo '<div class="' . esc_attr(implode(' ', get_post_class($col_class, $post_id))) . '">';++ // Check if we've already processed this template+ if (!in_array($elementor_template_id, $processed_templates)) {+ // First time - output with styles+ CubeWp_Theme_Builder::do_cubewp_theme_builder('postcard', $elementor_template_id);+ $processed_templates[] = $elementor_template_id;+ } else {+ // Subsequent times - output without styles+ $content = cwp_get_elementor_content_without_styles($elementor_template_id);+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo $content;+ }++ echo '</div>';+ return ob_get_clean();+ }+}++/**+ * Method cwp_get_elementor_content_without_styles+ *+ * @param int $template_id+ *+ * @return string html+ * @since 1.1.28+ */+if (!function_exists('cwp_get_elementor_content_without_styles')) {+ function cwp_get_elementor_content_without_styles($template_id)+ {+ if (empty($template_id)) return '';++ if (class_exists('\Elementor\Frontend')) {+ $elementor_frontend_builder = new \Elementor\Frontend();+ $elementor_frontend_builder->init();++ // Get the content without printing CSS+ $content = $elementor_frontend_builder->get_builder_content($template_id, false);++ // Remove style tags from the content+ $content = preg_replace('/<style[^>]*>.*?<\/style>/is', '', $content);++ return $content;+ }++ return '';+ }+}+ if (! function_exists('cubewp_get_loop_builder_by_post_type')) { function cubewp_get_loop_builder_by_post_type($post_type, $style = false, $post_id = '') {@@ -569,20 +710,34 @@ ?> <div class="cwp-single-widget cwp-admin-widget"> <div class="cwp-single-author-img">- <img src="<?php echo get_avatar_url($user_id, ["size" => "52"]) ?>"- alt="<?php esc_html__("Post Author", "cubewp") ?>" />+ <img src="<?php echo esc_url(get_avatar_url($user_id, ["size" => "52"])) ?>"+ alt="<?php esc_html__("Post Author", "cubewp-framework") ?>" /> </div> <div class="cwp-single-author-detail"> <div class="cwp-single-author-name">- <a href="<?php echo esc_url($author_page_url) ?>"><?php echo get_the_author_meta("display_name", $user_id) ?></a>+ <a href="<?php echo esc_url($author_page_url) ?>"><?php echo esc_html(get_the_author_meta("display_name", $user_id)) ?></a> </div>- <?php echo get_author_contact_info($user_id); ?>+ <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo get_author_contact_info($user_id); ?> </div> </div> <?php return ob_get_clean(); } }++if (!function_exists('cubewp_get_user_details')) {+ function cubewp_get_user_details($user_id)+ {+ if (empty($user_id)) {+ return '';+ }+ /* Calliing my own function to avoid the deprecated function warning */+ /* phpcs:ignore WordPress.WP.DeprecatedFunctions.get_user_detailsFound */+ return get_user_details($user_id);+ }+}+ /** * Method get_author_contact_info *@@ -608,7 +763,7 @@ </svg> </li> <li>- <a href="mailto:<?php echo $user_email ?>">+ <a href="mailto:<?php echo esc_url($user_email) ?>"> <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16"> <path d="M.05 3.555A2 2 0 0 1 2 2h12a2 2 0 0 1 1.95 1.555L8 8.414.05 3.555ZM0 4.697v7.104l5.803-3.558L0 4.697ZM6.761 8.83l-6.57 4.027A2 2 0 0 0 2 14h12a2 2 0 0 0 1.808-1.144l-6.57-4.027L8 9.586l-1.239-.757Zm3.436-.586L16 11.801V4.697l-5.803 3.546Z" />@@ -616,7 +771,7 @@ </a> </li> <?php if (!empty($user_url)) { ?>- <li><a target="_blank" href="<?php echo $user_url ?>"><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">+ <li><a target="_blank" href="<?php echo esc_url($user_url) ?>"><svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16"> <path d="M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8zm7.5-6.923c-.67.204-1.335.82-1.887 1.855A7.97 7.97 0 0 0 5.145 4H7.5V1.077zM4.09 4a9.267 9.267 0 0 1 .64-1.539 6.7 6.7 0 0 1 .597-.933A7.025 7.025 0 0 0 2.255 4H4.09zm-.582 3.5c.03-.877.138-1.718.312-2.5H1.674a6.958 6.958 0 0 0-.656 2.5h2.49zM4.847 5a12.5 12.5 0 0 0-.338 2.5H7.5V5H4.847zM8.5 5v2.5h2.99a12.495 12.495 0 0 0-.337-2.5H8.5zM4.51 8.5a12.5 12.5 0 0 0 .337 2.5H7.5V8.5H4.51zm3.99 0V11h2.653c.187-.765.306-1.608.338-2.5H8.5zM5.145 12c.138.386.295.744.468 1.068.552 1.035 1.218 1.65 1.887 1.855V12H5.145zm.182 2.472a6.696 6.696 0 0 1-.597-.933A9.268 9.268 0 0 1 4.09 12H2.255a7.024 7.024 0 0 0 3.072 2.472zM3.82 11a13.652 13.652 0 0 1-.312-2.5h-2.49c.062.89.291 1.733.656 2.5H3.82zm6.853 3.472A7.024 7.024 0 0 0 13.745 12H11.91a9.27 9.27 0 0 1-.64 1.539 6.688 6.688 0 0 1-.597.933zM8.5 12v2.923c.67-.204 1.335-.82 1.887-1.855.173-.324.33-.682.468-1.068H8.5zm3.68-1h2.146c.365-.767.594-1.61.656-2.5h-2.49a13.65 13.65 0 0 1-.312 2.5zm2.802-3.5a6.959 6.959 0 0 0-.656-2.5H12.18c.174.782.282 1.623.312 2.5h2.49zM11.27 2.461c.247.464.462.98.64 1.539h1.835a7.024 7.024 0 0 0-3.072-2.472c.218.284.418.598.597.933zM10.855 4a7.966 7.966 0 0 0-.468-1.068C9.835 1.897 9.17 1.282 8.5 1.077V4h2.355z" /> </svg></a></li> <?php } ?>@@ -781,7 +936,7 @@ 'post_type' => 'cwp_form_fields', 'post_status' => array('private', 'publish'), 'fields' => 'ids',- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query array( 'key' => '_cwp_group_types', 'value' => $type,@@ -1004,6 +1159,245 @@ } /**+ * Method cubewp_get_svg_content+ *+ * @param array $icon+ *+ * @return string+ * @since 1.1.28+ */+if (! function_exists("cubewp_get_svg_content")) {+ function cubewp_get_svg_content($icon)+ {+ // If icon is array, process it+ if (is_array($icon)) {+ // First, try to get from attachment ID (most reliable for local files)+ if (isset($icon['value']['id']) && is_numeric($icon['value']['id'])) {+ $file_path = get_attached_file($icon['value']['id']);++ if ($file_path && file_exists($file_path)) {+ $svg_content = file_get_contents($file_path);+ if (!empty($svg_content) && is_string($svg_content)) {+ return $svg_content;+ }+ }+ }++ // If ID method failed, try to fetch from URL+ if (isset($icon['value']['url']) && is_string($icon['value']['url'])) {+ $url = $icon['url'];+ // For local URLs, try direct file access first+ if (strpos($url, site_url()) === 0 || strpos($url, home_url()) === 0) {+ $file_path = str_replace(site_url('/'), ABSPATH, $url);+ $file_path = str_replace(home_url('/'), ABSPATH, $file_path);+ if (file_exists($file_path)) {+ $svg_content = file_get_contents($file_path);+ if (!empty($svg_content) && is_string($svg_content)) {+ return $svg_content;+ }+ }+ }+ // Try remote fetch as fallback+ $response = wp_safe_remote_get($url, array(+ 'timeout' => 10,+ 'sslverify' => false+ ));+ if (!is_wp_error($response) && 200 === wp_remote_retrieve_response_code($response)) {+ $svg_content = wp_remote_retrieve_body($response);+ if (!empty($svg_content) && is_string($svg_content)) {+ return $svg_content;+ }+ }+ // Last resort: return the URL as string (for icon classes, not SVG)+ return $url;+ }++ // If icon is array with 'value', return it+ if (isset($icon['value']) && is_string($icon['value'])) {+ return $icon['value'];+ }++ // If nothing worked, return empty string+ return '';+ }++ // If icon is string, return it+ if (is_string($icon)) {+ return $icon;+ }++ // Fallback: return empty string+ return '';+ }+}++/**+ * Method cubewp_kses_allowed_svg+ *+ * @return array+ * @since 1.1.28+ */+if (! function_exists("cubewp_kses_allowed_svg")) {+ function cubewp_kses_allowed_svg()+ {+ // Start with the allowed HTML for posts (common HTML tags)+ $allowed = wp_kses_allowed_html('post');+ // Add commonly used SVG tags and their safe attributes+ $svg_allowed = array(+ 'svg' => array(+ 'xmlns' => true,+ 'width' => true,+ 'height' => true,+ 'viewBox' => true,+ 'preserveAspectRatio' => true,+ 'role' => true,+ 'class' => true,+ 'aria-hidden' => true,+ 'aria-label' => true,+ 'focusable' => true,+ 'fill' => true,+ 'stroke' => true,+ 'style' => true,+ ),+ 'g' => array(+ 'fill' => true,+ 'stroke' => true,+ 'class' => true,+ 'style' => true,+ 'transform' => true,+ ),+ 'path' => array(+ 'd' => true,+ 'fill' => true,+ 'stroke' => true,+ 'class' => true,+ 'style' => true,+ 'transform' => true,+ ),+ 'circle' => array(+ 'cx' => true,+ 'cy' => true,+ 'r' => true,+ 'fill' => true,+ 'stroke' => true,+ 'class' => true,+ 'style' => true,+ ),+ 'rect' => array(+ 'x' => true,+ 'y' => true,+ 'width' => true,+ 'height' => true,+ 'rx' => true,+ 'ry' => true,+ 'fill' => true,+ 'stroke' => true,+ 'class' => true,+ 'style' => true,+ ),+ 'line' => array(+ 'x1' => true,+ 'y1' => true,+ 'x2' => true,+ 'y2' => true,+ 'stroke' => true,+ 'class' => true,+ 'style' => true,+ ),+ 'polyline' => array(+ 'points' => true,+ 'fill' => true,+ 'stroke' => true,+ 'class' => true,+ 'style' => true,+ ),+ 'polygon' => array(+ 'points' => true,+ 'fill' => true,+ 'stroke' => true,+ 'class' => true,+ 'style' => true,+ ),+ 'defs' => array(),+ 'title' => array(),+ 'desc' => array(),+ 'use' => array(+ 'href' => true, // in modern browsers xlink:href is deprecated; if you use xlink, include it explicitly+ 'xlink:href' => true,+ 'x' => true,+ 'y' => true,+ 'width' => true,+ 'height' => true,+ 'class' => true,+ ),+ 'symbol' => array(+ 'id' => true,+ 'viewBox' => true,+ 'preserveAspectRatio' => true,+ 'class' => true,+ ),+ 'linearGradient' => array('id' => true, 'x1' => true, 'x2' => true, 'y1' => true, 'y2' => true),+ 'stop' => array('offset' => true, 'stop-color' => true, 'stop-opacity' => true),+ );++ return array_merge($allowed, $svg_allowed);+ }+}++/**+ * Method cubewp_kses_allowed_protocols+ *+ * @return array+ * @since 1.1.28+ */+if (! function_exists("cubewp_kses_allowed_protocols")) {+ function cubewp_kses_allowed_protocols( $protocols = array() ) {+ if ( ! in_array( 'data', $protocols, true ) ) {+ $protocols[] = 'data';+ }+ return $protocols;+ }+ add_filter( 'kses_allowed_protocols', 'cubewp_kses_allowed_protocols', 10, 1 );+}++/**+ * Method cubewp_kses_allowed_html+ *+ * @return array+ * @since 1.1.28+ */+if (! function_exists("cubewp_kses_allowed_html")) {+ function cubewp_kses_allowed_html( $allowed = array(), $context = 'post') {+ if ( $context !== 'post' ) {+ return $allowed;+ }+ $allowed['svg'] = [+ 'class' => true,+ 'aria-hidden' => true,+ 'aria-label' => true,+ 'role' => true,+ 'xmlns' => true,+ 'width' => true,+ 'height' => true,+ 'viewBox' => true,+ 'fill' => true,+ ];+ $allowed['path'] = [+ 'd' => true,+ 'fill' => true,+ ];+ $allowed['span'] = [+ 'class' => true,+ ];+ $allowed['div'] = [+ 'class' => true,+ ];+ return $allowed;+ }+ add_filter( 'wp_kses_allowed_html', 'cubewp_kses_allowed_html', 10, 2 );+}++/** * Method cwp_get_opt_hook * * @param string $type@@ -1386,7 +1780,9 @@ 'elementor_library_direct_actions', ]; - if (isset($_REQUEST['action']) && in_array($_REQUEST['action'], $actions)) {+ // Read-only check for Elementor editor context; no data is modified here.+ $req_action = isset($_REQUEST['action']) ? sanitize_key(wp_unslash($_REQUEST['action'])) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended+ if ($req_action && in_array($req_action, $actions, true)) { return true; } @@ -1397,8 +1793,13 @@ if (! function_exists("cubewp_get_elementor_preview_post_id")) { function cubewp_get_elementor_preview_post_id() {-- return (isset($_GET['tb_demo_id']) && !empty($_GET['tb_demo_id'])) ? $_GET['tb_demo_id'] : '';+ $post_id = '';+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ if (isset($_GET['tb_demo_id']) && $_GET['tb_demo_id'] !== '') {+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $post_id = absint(wp_unslash($_GET['tb_demo_id']));+ }+ return apply_filters('cubewp_elementor_preview_post_id', $post_id); } } @@ -1499,7 +1900,7 @@ 'numberposts' => -1, 'fields' => 'ids', 'post_type' => 'cwp_form_fields',- 'meta_query' => $meta_query+ 'meta_query' => $meta_query // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query ); $allGroups = get_posts($args);@@ -1569,6 +1970,8 @@ function cwp_pre($data = array(), $die = false) { echo '<pre>';+ // Helps to print the data in a readable format.+ // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r print_r($data); echo '</pre>'; if ($die == true) {@@ -1626,6 +2029,34 @@ } /**+ * Method cubewp_get_taxonomy_fields_by_type+ *+ * @param array $allowed_types+ *+ * @return array+ * @since 1.1.28+ */+if (! function_exists("cubewp_get_taxonomy_fields_by_type")) {+ function cubewp_get_taxonomy_fields_by_type(array $allowed_types)+ {+ $_data = array();+ $taxonomy_custom_fields = CWP()->get_custom_fields('taxonomy');+ if (!empty($taxonomy_custom_fields) && is_array($taxonomy_custom_fields)) {+ foreach ($taxonomy_custom_fields as $taxonomy => $fields) {+ if (!empty($fields) && is_array($fields)) {+ foreach ($fields as $field) {+ if (in_array($field['type'], $allowed_types)) {+ $_data[$field['slug']] = $field['name'];+ }+ }+ }+ }+ }+ return $_data;+ }+}++/** * Method cwp_get_categories_by_taxonomy * * @param array $taxonomy@@ -1828,7 +2259,7 @@ 'numberposts' => -1, 'post_type' => 'cwp_user_fields', 'fields' => 'ids',- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query array( 'key' => '_cwp_group_user_roles', 'value' => $user_role,@@ -2048,12 +2479,26 @@ function _get_post_type($type = '') { if (empty($type)) {- if (isset($_GET['post_type']) && $_GET['post_type'] != '') {- $post_type = sanitize_text_field($_GET['post_type']);- } else if (is_tax()) {- $post_type = get_taxonomy(get_queried_object()->taxonomy)->object_type[0];+ // Read-only context: determining post type; no state mutation.+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended+ $raw_get_post_type = isset($_GET['post_type']) ? sanitize_text_field(wp_unslash($_GET['post_type'])) : '';+ if ($raw_get_post_type !== '') {+ $post_type = sanitize_key($raw_get_post_type);+ } elseif (is_tax()) {+ $qo = get_queried_object();+ $tax = $qo && isset($qo->taxonomy) ? get_taxonomy($qo->taxonomy) : null;+ if ($tax && ! empty($tax->object_type) && is_array($tax->object_type)) {+ $post_type = sanitize_key(reset($tax->object_type));+ } else {+ $post_type = '';+ } } else {- $post_type = isset($_GET['post_type']) ? sanitize_text_field($_GET['post_type']) : get_queried_object()->name;+ // Fallback to queried object name if present.+ $qo = get_queried_object();+ $fallback = ($qo && isset($qo->name)) ? $qo->name : '';+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended+ $second_raw = isset($_GET['post_type']) ? sanitize_text_field(wp_unslash($_GET['post_type'])) : '';+ $post_type = $second_raw !== '' ? sanitize_key($second_raw) : sanitize_key($fallback); } return $post_type;@@ -2231,7 +2676,7 @@ if (! function_exists("cubewp_single_page_template")) { function cubewp_single_page_template($post_templates, $wp_theme, $post, $post_type) {- $post_templates['cubewp-template-single.php'] = esc_html__("CubeWP Single Post", "cubewp-frontend");+ $post_templates['cubewp-template-single.php'] = esc_html__("CubeWP Single Post", "cubewp-framework"); return $post_templates; }@@ -2340,18 +2785,20 @@ if (! function_exists('cubewp_get_current_url')) { function cubewp_get_current_url() {- if (- isset($_SERVER['HTTPS']) &&- ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1) ||- isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&- $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'- ) {- $protocol = 'https://';- } else {- $protocol = 'http://';- }+ // Derive scheme safely.+ $scheme = is_ssl() ? 'https://' : 'http://';+ // Build host and request URI from $_SERVER with checks and sanitization.+ // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated,WordPress.Security.NonceVerification.Recommended+ $raw_host = isset($_SERVER['HTTP_HOST']) ? sanitize_text_field(wp_unslash($_SERVER['HTTP_HOST'])) : '';+ // Sanitize host; fallback to empty string if not present.+ $host = $raw_host !== '' ? strtolower(sanitize_text_field($raw_host)) : '';+ // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated,WordPress.Security.NonceVerification.Recommended+ $raw_uri = isset($_SERVER['REQUEST_URI']) ? sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI'])) : '';+ // Sanitize path/query portion.+ $uri = $raw_uri !== '' ? esc_url_raw($raw_uri) : '/'; - return esc_url($protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);+ $url = $scheme . $host . $uri;+ return esc_url($url); } } @@ -2359,8 +2806,10 @@ function cwp_get_post_card_view() { $card_view = 'grid-view';- if (isset($_COOKIE['cwp_archive_switcher']) && !empty($_COOKIE['cwp_archive_switcher'])) {- $card_view = esc_html($_COOKIE['cwp_archive_switcher']);+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $cookie_value = isset($_COOKIE['cwp_archive_switcher']) ? sanitize_text_field(wp_unslash($_COOKIE['cwp_archive_switcher'])) : '';+ if ($cookie_value !== '') {+ $card_view = $cookie_value; } return $card_view; }@@ -2451,8 +2900,9 @@ // Remove the custom post type from the admin menu remove_menu_page('edit.php?post_type=' . $slug); // Redirect subscribers if they try to access the custom post type page directly- if (isset($_GET['post_type']) && $_GET['post_type'] == $slug) {- wp_redirect(admin_url());+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ if (isset($_GET['post_type']) && sanitize_text_field(wp_unslash($_GET['post_type'])) == $slug) {+ wp_safe_redirect(admin_url()); exit; } }@@ -2487,6 +2937,10 @@ $cubewp_styles = apply_filters('cubewp/post/card/styles', $cubewp_cards[$post_type]['loop-styles'], $post_type); } }+ $elementor_postcard_styles = cwp_get_elemetor_postcards_by_type($post_type);+ if (!empty($elementor_postcard_styles)) {+ $cubewp_styles = array_merge($cubewp_styles, $elementor_postcard_styles);+ } return $cubewp_styles; } @@ -2655,17 +3109,17 @@ $return = get_the_title($post_id); } else if ($field == 'the_excerpt') { $return = get_the_excerpt($post_id);- } else if ($field == 'the_content') {- $post_content = strip_tags(get_the_content('', '', $post_id));- $words = str_word_count($post_content, 2);- $pos = array_keys($words);- $return = substr($post_content, 0, $pos[10]) . '...';+ } else if ($field === 'the_content') {+ $post_content = get_the_content(null, false, $post_id);+ $post_content = wp_strip_all_tags($post_content);+ $return = wp_trim_words($post_content, 10, '...'); } else if ($field == 'post_link') { $return = get_the_permalink($post_id); } else if ($field == 'the_date') { $return = get_the_date('', $post_id); } else if ($field == 'post_class') { ob_start();+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo post_class($attributes); return ob_get_clean(); ob_end_flush();@@ -2888,7 +3342,7 @@ { $args = array( 'post_type' => 'cubewp-tb',- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query array('key' => 'template_location', 'value' => 'cubewp_post_loop_promotional_card', 'compare' => '=',), ), 'posts_per_page' => -1,@@ -2919,6 +3373,7 @@ if (class_exists('\Elementor\Plugin') && \Elementor\Plugin::$instance->documents) { $document = \Elementor\Plugin::$instance->documents->get($promotional_cardID); if ($document && $document->is_built_with_elementor()) {+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo \Elementor\Plugin::$instance->frontend->get_builder_content_for_display($promotional_cardID); } }@@ -2929,3 +3384,1113 @@ return ob_get_clean(); } }++/** ------------ Theme Builder Post Card & Term Card ------------ */++/**+ * Method cubewp_register_postcard_page_controls+ *+ * @param $element + *+ * @return void+ */+if (!function_exists('cubewp_register_postcard_page_controls')) {+ function cubewp_register_postcard_page_controls($element)+ {+ if (! $element instanceof \Elementor\Core\DocumentTypes\PageBase || ! $element::get_property('has_elements')) {+ return;+ }++ $post_id = get_the_ID();+ $template_type = get_post_meta($post_id, 'template_type', true);++ if (get_post_type($post_id) == 'cubewp-tb' && $template_type == 'postcard') {+ $template_location = get_post_meta($post_id, 'template_location', true);+ $associated_post_type = $template_location ? str_replace('postcard_', '', $template_location) : '';+ $preview_post_id = get_post_meta($post_id, 'preview_post_id', true);+ $primary_post_card = get_post_meta($post_id, 'primary_post_card', true);+ $posts = array();+ if ($associated_post_type) {+ $args = array(+ 'post_type' => $associated_post_type,+ 'posts_per_page' => 10,+ 'orderby' => 'date',+ 'order' => 'DESC',+ 'fields' => 'ids'+ );++ // Fetch the posts+ $options = get_posts($args);++ if (is_array($options) && !empty($options)) {+ foreach ($options as $option) {+ $posts[$option] = get_the_title($option);+ }+ }+ }+ $element->start_controls_section(+ 'postcard_section',+ [+ 'label' => __('Post Card Settings', 'cubewp-framework'),+ 'tab' => \Elementor\Controls_Manager::TAB_SETTINGS,+ ]+ );++ $element->add_control(+ 'preview_post_id',+ [+ 'label' => __('Select Post for Preview', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::SELECT2,+ 'options' => $posts,+ 'description' => __('Select a post to preview the postcard template. This selection will not affect the actual posts displayed on the front end.', 'cubewp-framework'),+ 'default' => $preview_post_id ? $preview_post_id : '',+ 'render_type' => 'ui',+ 'frontend_available' => true,+ ]+ );++ $element->add_control(+ 'primary_post_card',+ [+ 'label' => __('Make this Post-Card primary for this Post-Type', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label_on' => __('Yes', 'cubewp-framework'),+ 'label_off' => __('No', 'cubewp-framework'),+ 'return_value' => 'yes',+ 'default' => $primary_post_card ? $primary_post_card : 'no',+ 'description' => __('Enable this option to make this postcard the primary template for the associated post type.', 'cubewp-framework'),+ ]+ );++ $element->add_control(+ 'default_col_class',+ [+ 'label' => __('Default Coloumn Class', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::TEXT,+ 'default' => 'cwp-col-12 cwp-col-md-6 cwp-col-lg-4',+ 'description' => __('Add custom CSS classes to the post card container for additional styling.', 'cubewp-framework'),+ ]+ );++ $element->end_controls_section();+ }++ if (get_post_type($post_id) == 'cubewp-tb' && $template_type == 'termcard') {+ $template_location = get_post_meta($post_id, 'template_location', true);+ $associated_taxonomy = $template_location ? str_replace('termcard_', '', $template_location) : '';+ $preview_term_slug = get_post_meta($post_id, 'preview_term_slug', true);++ $terms = [];+ if ($associated_taxonomy) {+ $options = get_terms([+ 'taxonomy' => $associated_taxonomy,+ 'hide_empty' => false,+ 'number' => 50,+ ]);++ if (!is_wp_error($options) && !empty($options)) {+ foreach ($options as $term) {+ $terms[$term->slug] = $term->name;+ }+ }+ }++ if (empty($preview_term_slug) && !empty($terms)) {+ $preview_term_slug = array_key_first($terms);+ }++ $element->start_controls_section(+ 'termcard_section',+ [+ 'label' => __('Term Card Settings', 'cubewp-framework'),+ 'tab' => \Elementor\Controls_Manager::TAB_SETTINGS,+ ]+ );++ $element->add_control(+ 'preview_term_slug',+ [+ 'label' => __('Select Term for Preview', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::SELECT2,+ 'options' => $terms,+ 'description' => __('Select a term to preview this term card. This only affects the builder view.', 'cubewp-framework'),+ 'default' => $preview_term_slug ? $preview_term_slug : '',+ 'render_type' => 'ui',+ 'frontend_available' => true,+ ]+ );++ $element->end_controls_section();+ }+ }+ add_action('elementor/documents/register_controls', 'cubewp_register_postcard_page_controls');+}++/**+ * Method cubewp_save_elementor_postcard_settings+ *+ * @param $document + * @param $data + *+ * @return void+ */+if (!function_exists('cubewp_save_elementor_postcard_settings')) {+ function cubewp_save_elementor_postcard_settings($document, $data)+ {+ $post_id = $document->get_main_id();++ if (get_post_type($post_id) === 'cubewp-tb') {+ if (isset($data['settings']['preview_post_id'])) {+ update_post_meta($post_id, 'preview_post_id', $data['settings']['preview_post_id']);+ }++ if (isset($data['settings']['default_col_class'])) {+ update_post_meta($post_id, 'default_col_class', $data['settings']['default_col_class']);+ }++ // Handle Primary Postcard Logic+ $primary_post_card = isset($data['settings']['primary_post_card']) ? $data['settings']['primary_post_card'] : 'no';+ update_post_meta($post_id, 'primary_post_card', $primary_post_card);++ if ($primary_post_card === 'yes') {+ cubewp_disable_other_elementor_primary_postcards($post_id);+ }++ if (isset($data['settings']['preview_term_slug'])) {+ update_post_meta($post_id, 'preview_term_slug', $data['settings']['preview_term_slug']);+ }+ }+ }+ add_action('elementor/document/after_save', 'cubewp_save_elementor_postcard_settings', 10, 2);+}++/**+ * Disable other primary postcards for the same post type+ *+ * @param int $current_post_id+ * @return void+ */+if (!function_exists('cubewp_disable_other_elementor_primary_postcards')) {+ function cubewp_disable_other_elementor_primary_postcards($current_post_id)+ {+ $template_location = get_post_meta($current_post_id, 'template_location', true);+ $associated_post_type = $template_location ? str_replace('postcard_', '', $template_location) : '';++ if (empty($associated_post_type)) {+ return;+ }++ $args = array(+ 'post_type' => 'cubewp-tb',+ 'fields' => 'ids',+ 'post__not_in' => array($current_post_id), // phpcs:ignore WordPressVIPMinimum.Performance.WPQueryParams.PostNotIn_post__not_in+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query+ 'relation' => 'AND',+ array(+ 'key' => 'template_type',+ 'value' => 'postcard',+ 'compare' => '=',+ ),+ array(+ 'key' => 'template_location',+ 'value' => 'postcard_' . $associated_post_type,+ 'compare' => '=',+ ),+ array(+ 'key' => 'primary_post_card',+ 'value' => 'yes',+ 'compare' => '=',+ ),+ ),+ );++ $other_postcards = get_posts($args);++ if (!empty($other_postcards)) {+ foreach ($other_postcards as $other_id) {+ update_post_meta($other_id, 'primary_post_card', 'no');+ }+ }+ }+}++/**+ * Method cubewp_elementor_preview_post_id+ *+ * @param $preview_id + *+ * @return int+ */+if (!function_exists('cubewp_elementor_post_card_preview_post_id')) {+ function cubewp_elementor_post_card_preview_post_id($preview_id)+ {+ $post_id = get_the_ID();+ $template_type = get_post_meta($post_id, 'template_type', true);+ if (get_post_type($post_id) == 'cubewp-tb' && $template_type == 'postcard') {+ $preview_post_id = get_post_meta($post_id, 'preview_post_id', true);+ if ($preview_post_id) {+ return (int) $preview_post_id;+ } else {+ $template_location = get_post_meta($post_id, 'template_location', true);+ $associated_post_type = $template_location ? str_replace('postcard_', '', $template_location) : '';+ $args = array(+ 'post_type' => $associated_post_type,+ 'posts_per_page' => 1,
Based on my analysis of the provided code diff for `cube/functions/admin-functions.php`, here are the security vulnerabilities and fixes:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) - CWE-79 - admin-functions.php, Lines 456
Old Code:
```php
$savePosts = (isset($_COOKIE['CWP_Saved'])) ? explode(',', (string) sanitize_text_field($_COOKIE['CWP_Saved'])) : array();
```
Fixed Code:
```php
$savePosts = (isset($_COOKIE['CWP_Saved'])) ? explode(',', (string) sanitize_text_field(wp_unslash($_COOKIE['CWP_Saved']))) : array();
```
Explanation:
The original code directly processed `$_COOKIE['CWP_Saved']` through `sanitize_text_field()`. However, when accessing superglobals like `$_COOKIE`, WordPress best practices require using `wp_unslash()` first to remove any magic quotes that may have been added by PHP or other layers. Without this, slashes in user input could bypass sanitization or cause incorrect data handling. The fix properly unslashes the input before sanitization.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Use of Insufficiently Random Values - CWE-330 / Improper Input Validation - CWE-20 - admin-functions.php, Lines 1388-1391
Old Code:
```php
if (isset($_REQUEST['action']) && in_array($_REQUEST['action'], $actions)) {
return true;
}
```
Fixed Code:
```php
$req_action = isset($_REQUEST['action']) ? sanitize_key(wp_unslash($_REQUEST['action'])) : '';
if ($req_action && in_array($req_action, $actions, true)) {
return true;
}
```
Explanation:
The original code directly accessed `$_REQUEST['action']` without sanitization or unslashing, then passed it to `in_array()` without strict type checking. This could allow bypass attacks through type juggling (e.g., `0` matching any string starting with `0`). The fix uses `sanitize_key()` for proper sanitization, `wp_unslash()` to handle slashes correctly, and adds `true` as the third parameter to `in_array()` for strict type comparison.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - admin-functions.php, Lines 1397-1400
Old Code:
```php
return (isset($_GET['tb_demo_id']) && !empty($_GET['tb_demo_id'])) ? $_GET['tb_demo_id'] : '';
```
Fixed Code:
```php
$post_id = '';
if (isset($_GET['tb_demo_id']) && $_GET['tb_demo_id'] !== '') {
$post_id = absint(wp_unslash($_GET['tb_demo_id']));
}
return apply_filters('cubewp_elementor_preview_post_id', $post_id);
```
Explanation:
The original code returned `$_GET['tb_demo_id']` directly without sanitization, unslashing, or type casting. This could allow arbitrary string input to be used as a post ID. The fix uses `wp_unslash()` to properly handle magic quotes, `absint()` to ensure only valid integer post IDs are returned, and applies a filter for extensibility.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation - CWE-79 - admin-functions.php, Lines 2785-2801
Old Code:
```php
if (
isset($_SERVER['HTTPS']) &&
($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1) ||
isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
$_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'
) {
$protocol = 'https://';
} else {
$protocol = 'http://';
}
return esc_url($protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
```
Fixed Code:
```php
$scheme = is_ssl() ? 'https://' : 'http://';
$raw_host = isset($_SERVER['HTTP_HOST']) ? sanitize_text_field(wp_unslash($_SERVER['HTTP_HOST'])) : '';
$host = $raw_host !== '' ? strtolower(sanitize_text_field($raw_host)) : '';
$raw_uri = isset($_SERVER['REQUEST_URI']) ? sanitize_text_field(wp_unslash($_SERVER['REQUEST_URI'])) : '';
$uri = $raw_uri !== '' ? esc_url_raw($raw_uri) : '/';
$url = $scheme . $host . $uri;
return esc_url($url);
```
Explanation:
The original code directly concatenated unsanitized `$_SERVER` values into the URL and relied solely on `esc_url()` at the end. This could allow header injection attacks through `HTTP_X_FORWARDED_PROTO` spoofing or malformed `HTTP_HOST`/`REQUEST_URI` values. The fix uses `is_ssl()` for proper scheme detection, sanitizes each component before concatenation, uses `esc_url_raw()` for the URI component, and applies proper lowercasing for the host.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - admin-functions.php, Lines 2357-2361
Old Code:
```php
if (isset($_COOKIE['cwp_archive_switcher']) && !empty($_COOKIE['cwp_archive_switcher'])) {
$card_view = esc_html($_COOKIE['cwp_archive_switcher']);
}
```
Fixed Code:
```php
$cookie_value = isset($_COOKIE['cwp_archive_switcher']) ? sanitize_text_field(wp_unslash($_COOKIE['cwp_archive_switcher'])) : '';
if ($cookie_value !== '') {
$card_view = $cookie_value;
}
```
Explanation:
The original code relied only on `esc_html()` which is an output escaping function, not input sanitization. Input should be sanitized when received, not just escaped on output. The fix uses `wp_unslash()` to handle magic quotes and `sanitize_text_field()` to sanitize the input at the point of use, removing the reliance on output escaping for security.
---
**Vulnerability 6:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - admin-functions.php, Lines 2450-2454
Old Code:
```php
if (isset($_GET['post_type']) && $_GET['post_type'] == $slug) {
wp_redirect(admin_url());
exit;
}
```
Fixed Code:
```php
if (isset($_GET['post_type']) && sanitize_text_field(wp_unslash($_GET['post_type'])) == $slug) {
wp_safe_redirect(admin_url());
exit;
}
```
Explanation:
The original code used `wp_redirect()` instead of `wp_safe_redirect()`, which provides additional validation to prevent open redirect vulnerabilities. Additionally, `$_GET['post_type']` was accessed without sanitization or unslashing. The fix adds proper sanitization and uses `wp_safe_redirect()` to validate the redirect target.
---
**Vulnerability 7:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - admin-functions.php, Lines 2482-2499
Old Code:
```php
if (isset($_GET['post_type']) && $_GET['post_type'] != '') {
$post_type = sanitize_text_field($_GET['post_type']);
} else if (is_tax()) {
$post_type = get_taxonomy(get_queried_object()->taxonomy)->object_type[0];
} else {
$post_type = isset($_GET['post_type']) ? sanitize_text_field($_GET['post_type']) : get_queried_object()->name;
}
```
Fixed Code:
```php
$raw_get_post_type = isset($_GET['post_type']) ? sanitize_text_field(wp_unslash($_GET['post_type'])) : '';
if ($raw_get_post_type !== '') {
$post_type = sanitize_key($raw_get_post_type);
} elseif (is_tax()) {
$qo = get_queried_object();
$tax = $qo && isset($qo->taxonomy) ? get_taxonomy($qo->taxonomy) : null;
if ($tax && ! empty($tax->object_type) && is_array($tax->object_type)) {
$post_type = sanitize_key(reset($tax->object_type));
} else {
$post_type = '';
}
} else {
$qo = get_queried_object();
$fallback = ($qo && isset($qo->name)) ? $qo->name : '';
$second_raw = isset($_GET['post_type']) ? sanitize_text_field(wp_unslash($_GET['post_type'])) : '';
$post_type = $second_raw !== '' ? sanitize_key($second_raw) : sanitize_key($fallback);
}
```
Explanation:
The original code had multiple issues: (1) Missing `wp_unslash()` on `$_GET['post_type']`, (2) No use of `sanitize_key()` which is specifically designed for post type slugs, (3) Potential null pointer exceptions from accessing `get_queried_object()->taxonomy` without null checks. The fix adds proper unslashing, uses `sanitize_key()` for post type values, adds null safety checks, and validates array access before using array values.
---
**Additional Security Improvements (Non-Vulnerability Fixes):**
Several other fixes in the diff improve security posture through validation and escaping:
- Line 213-218: Added validation for empty `$taxonomy` parameter in `cwp_all_terms_by()` and switched to array-based API for `get_terms()`
- Lines 527-539: Added output escaping comment (`// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped`) for properly filtered output
- Lines 711-714: Added `esc_url()` for avatar URL and `esc_html()` for author display name
- Line 763 & 771: Added `esc_url()` for email and URL attributes in links
- Lines 1159-1372: New helper functions added with proper SVG sanitization support (`cubewp_kses_allowed_svg()`) and protocol filtering for data URIs
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/functions/blocks-render.php 2026-01-18 00:20:47.509238027 +0000+++ cache/cubewp-framework_1.1.28/cube/functions/blocks-render.php 2026-01-18 00:20:56.209778596 +0000@@ -20,7 +20,7 @@ $src = $matches[1]; // Parse the URL- $parsedUrl = parse_url($src);+ $parsedUrl = wp_parse_url($src); // Check if the URL has query strings if (isset($parsedUrl['query'])) {@@ -92,7 +92,7 @@ $src = $matches[1]; // Parse the URL- $parsedUrl = parse_url($src);+ $parsedUrl = wp_parse_url($src); // Check if the URL has query strings if (isset($parsedUrl['query'])) {
``` Vulnerability Existed: no [No Vulnerability] - N/A - cube/functions/blocks-render.php Lines 23, 95 [Old Code] $parsedUrl = parse_url($src); [Fixed Code] $parsedUrl = wp_parse_url($src); Explanation: This change replaces PHP's native `parse_url()` function with WordPress's `wp_parse_url()` wrapper function. This is a security improvement, not a fix for an existing vulnerability. The `wp_parse_url()` function is WordPress's recommended wrapper that provides consistent URL parsing behavior across different PHP versions and handles edge cases more reliably. Using WordPress core functions instead of native PHP functions is a best practice in WordPress development for better compatibility and maintainability. The change reduces potential inconsistencies in URL parsing that could arise from different PHP versions handling `parse_url()` differently. ```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/functions/fields-helper.php 2026-01-18 00:20:47.509238027 +0000+++ cache/cubewp-framework_1.1.28/cube/functions/fields-helper.php 2026-01-18 00:20:56.209778596 +0000@@ -5,6 +5,9 @@ * @version 1.0 * @package cubewp/cube/functions */++ // phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined('ABSPATH')) { exit; }@@ -24,8 +27,11 @@ if (is_array($options)) { return $options; }- $options = json_decode($options, true);- if (isset($options['label']) && ! empty($options['label'])) {+ $decoded = json_decode($options, true);+ if (json_last_error() === JSON_ERROR_NONE && $decoded !== null) {+ $options = $decoded;+ }+ if (is_array($options) && isset($options['label']) && ! empty($options['label'])) { $options_arr = array(); foreach ($options['label'] as $key => $label) { $value = isset($options['value'][$key]) ? $options['value'][$key] : '';@@ -35,16 +41,36 @@ } return $options_arr;+ } elseif (is_array($options)) {+ // If decoded to an array but not the expected ['label'=>[], 'value'=>[]] shape,+ // normalize into key=>label pairs.+ $options_arr = array();+ $is_assoc = array_keys($options) !== range(0, count($options) - 1);+ if ($is_assoc) {+ foreach ($options as $key => $val) {+ if (is_scalar($val)) {+ $options_arr[$key] = (string) $val;+ }+ }+ } else {+ foreach ($options as $val) {+ if (is_scalar($val)) {+ $val = (string) $val;+ $options_arr[$val] = $val;+ }+ }+ }+ return $options_arr; } $options_arr = array();- $options = explode("\n", $options);+ $options = explode("\n", (string) $options); foreach ($options as $option) { $key = trim($option); $val = trim($option); if (is_string($option) && strpos($option, " : ") !== false) {- $option = explode(' : ', $option);- $key = trim($option[0]);- $val = trim($option[1]);+ $option = explode(' : ', $option, 2);+ $key = isset($option[0]) ? trim($option[0]) : $key;+ $val = isset($option[1]) ? trim($option[1]) : $val; } $options_arr[$key] = $val; }@@ -93,7 +119,7 @@ if ( ! function_exists("cwp_get_terms")) { function cwp_get_terms($taxonomy = '') { $options = array();- $terms = get_terms($taxonomy, array('hide_empty' => false, 'parent' => 0));+ $terms = get_terms(array('taxonomy' => $taxonomy, 'hide_empty' => false, 'parent' => 0)); if (isset($terms) && ! empty($terms) && ! is_wp_error($terms)) { foreach ($terms as $term) { $options[$term->slug] = array(@@ -119,10 +145,7 @@ if ( ! function_exists("cwp_get_child_terms")) { function cwp_get_child_terms($term = '') { $options = array();- $children = get_terms($term->taxonomy, array(- 'parent' => $term->term_id,- 'hide_empty' => false- ));+ $children = get_terms(array('taxonomy' => $term->taxonomy, 'parent' => $term->term_id, 'hide_empty' => false)); if ($children) { // get_terms will return false if tax does not exist or term wasn't found. foreach ($children as $child) { $options[$child->slug] = array(@@ -148,10 +171,7 @@ if ( ! function_exists("cwp_get_child_terms_level2")) { function cwp_get_child_terms_level2($term = '') { $options = array();- $children = get_terms($term->taxonomy, array(- 'parent' => $term->term_id,- 'hide_empty' => false- ));+ $children = get_terms(array('taxonomy' => $term->taxonomy, 'parent' => $term->term_id, 'hide_empty' => false)); if ($children) { // get_terms will return false if tax does not exist or term wasn't found. foreach ($children as $child) { $options[$child->slug] = array(@@ -520,7 +540,7 @@ $defaults = array( 'type' => 'checkbox',- 'id' => 'id-'.rand(),+ 'id' => 'id-'.wp_rand(), 'name' => '', 'placeholder' => '', 'class' => '',@@ -874,15 +894,15 @@ if ( ! function_exists("cubewp_dynamic_options")) { function cubewp_dynamic_options() {- if ( ! wp_verify_nonce($_POST['security_nonce'], "cubewp_dynamic_options")) {+ if ( !isset($_POST['security_nonce']) || ! wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['security_nonce'])), "cubewp_dynamic_options")) { wp_send_json_error(array(- 'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-frontend'),+ 'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'), ), 404); } - $dropdown_type = sanitize_text_field($_POST['dropdown_type']);- $dropdown_values = sanitize_text_field($_POST['dropdown_values']);- $keyword = sanitize_text_field($_POST['keyword']);+ $dropdown_type = isset($_POST['dropdown_type']) ? sanitize_text_field(wp_unslash($_POST['dropdown_type'])) : '';+ $dropdown_values = isset($_POST['dropdown_values']) ? sanitize_text_field(wp_unslash($_POST['dropdown_values'])) : '';+ $keyword = isset($_POST['keyword']) ? sanitize_text_field(wp_unslash($_POST['keyword'])) : ''; $options = array(); if ( ! empty($dropdown_type) && ! empty($dropdown_values) && ! empty($keyword)) { if ($dropdown_type == 'post' || $dropdown_type == 'user-posts') {@@ -920,7 +940,7 @@ 'user_nicename', 'display_name' ),- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query 'relation' => 'OR', array( 'key' => 'first_name',@@ -969,7 +989,7 @@ if (empty($options) || ! is_array($options)) { wp_send_json_error(array(- 'msg' => esc_html__('No Result Found.', 'cubewp-frontend'),+ 'msg' => esc_html__('No Result Found.', 'cubewp-framework'), ), 404); }
I'll analyze this code diff for security fixes following the provided format.
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) / Improper Input Validation - CWE-79 / CWE-20 - cube/functions/fields-helper.php - Lines 27-30
Old Code:
```php
$options = json_decode($options, true);
if (isset($options['label']) && ! empty($options['label'])) {
```
Fixed Code:
```php
$decoded = json_decode($options, true);
if (json_last_error() === JSON_ERROR_NONE && $decoded !== null) {
$options = $decoded;
}
if (is_array($options) && isset($options['label']) && ! empty($options['label'])) {
```
Explanation:
The original code did not validate that json_decode() succeeded before using the result. If json_decode() failed, it would return null, and subsequent operations could fail silently or behave unexpectedly. The fix adds explicit error checking via json_last_error() === JSON_ERROR_NONE and validates that $decoded is not null before using it. Additionally, the fixed code adds is_array($options) check to prevent type juggling issues and ensure $options is actually an array before accessing it as such.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation / Array Index Out of Bounds - CWE-20 / CWE-129 - cube/functions/fields-helper.php - Lines 63-66
Old Code:
```php
$option = explode(' : ', $option);
$key = trim($option[0]);
$val = trim($option[1]);
```
Fixed Code:
```php
$option = explode(' : ', $option, 2);
$key = isset($option[0]) ? trim($option[0]) : $key;
$val = isset($option[1]) ? trim($option[1]) : $val;
```
Explanation:
The original code assumed the explode() would always produce at least 2 elements, which could cause an "Undefined array key" warning or error if the delimiter " : " was not found in the string. The fix adds a limit parameter to explode() (limit of 2) and uses isset() checks with fallback values to safely handle cases where the delimiter is not present.
---
**Vulnerability 3:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation / Use of Insufficiently Random Values - CWE-20 / CWE-338 - cube/functions/fields-helper.php - Line 543
Old Code:
```php
'id' => 'id-'.rand(),
```
Fixed Code:
```php
'id' => 'id-'.wp_rand(),
```
Explanation:
The original code used PHP's rand() function which is not cryptographically secure and can be predictable. WordPress provides wp_rand() which is the recommended function for generating random values within WordPress applications. While this is more of a best-practice issue than a direct security vulnerability, using predictable IDs could potentially be exploited in certain contexts.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) / Improper Input Validation - CWE-79 / CWE-20 - cube/functions/fields-helper.php - Lines 897-898
Old Code:
```php
if ( ! wp_verify_nonce($_POST['security_nonce'], "cubewp_dynamic_options")) {
```
Fixed Code:
```php
if ( !isset($_POST['security_nonce']) || ! wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['security_nonce'])), "cubewp_dynamic_options")) {
```
Explanation:
The original code accessed $_POST['security_nonce'] without checking if it exists first, which could trigger an undefined array key notice. More critically, the nonce value was not sanitized before being passed to wp_verify_nonce(). The fix adds an isset() check and properly sanitizes the nonce using wp_unslash() and sanitize_text_field(), which is the correct approach for handling user input in WordPress.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation / Undefined Array Key - CWE-20 / CWE-129 - cube/functions/fields-helper.php - Lines 904-906
Old Code:
```php
$dropdown_type = sanitize_text_field($_POST['dropdown_type']);
$dropdown_values = sanitize_text_field($_POST['dropdown_values']);
$keyword = sanitize_text_field($_POST['keyword']);
```
Fixed Code:
```php
$dropdown_type = isset($_POST['dropdown_type']) ? sanitize_text_field(wp_unslash($_POST['dropdown_type'])) : '';
$dropdown_values = isset($_POST['dropdown_values']) ? sanitize_text_field(wp_unslash($_POST['dropdown_values'])) : '';
$keyword = isset($_POST['keyword']) ? sanitize_text_field(wp_unslash($_POST['keyword']) : '';
```
Explanation:
The original code accessed $_POST array keys without checking if they exist first, which could cause undefined array key errors. Additionally, the code did not use wp_unslash() to remove slashes added by WordPress magic quotes handling. The fix adds isset() checks with safe default values and includes wp_unslash() before sanitization, which is the correct WordPress security pattern for handling user input from $_POST.
---
**Vulnerability 6:**
Vulnerability Existed: yes
FALSE POSITIVE
Deprecated WordPress API Usage - CWE-477 - cube/functions/fields-helper.php - Lines 122, 148-151, 174-177
Old Code:
```php
$terms = get_terms($taxonomy, array('hide_empty' => false, 'parent' => 0));
```
Fixed Code:
```php
$terms = get_terms(array('taxonomy' => $taxonomy, 'hide_empty' => false, 'parent' => 0));
```
Explanation:
WordPress deprecated passing the taxonomy as the first positional parameter to get_terms() in favor of passing it within the args array with the 'taxonomy' key. While not directly a security vulnerability, using deprecated API calls can lead to unexpected behavior, incompatibility with newer WordPress versions, and potential security issues if the deprecated behavior is removed in future versions. The fix updates all three function calls to use the current recommended API signature.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/functions/settings/cubewp-default-options.php 2026-01-18 00:20:47.509238027 +0000+++ cache/cubewp-framework_1.1.28/cube/functions/settings/cubewp-default-options.php 2026-01-18 00:20:56.209778596 +0000@@ -6,6 +6,8 @@ * @package cubewp/cube/functions/settings */ +// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined( 'ABSPATH' ) ) { exit; }@@ -184,42 +186,42 @@ array( 'id' => 'archive_map', 'title' => __( 'Map', 'cubewp-framework' ),- 'desc' => __( 'You can easily On/Off map on CubeWP default archive page' ),+ 'desc' => __( 'You can easily On/Off map on CubeWP default archive page', 'cubewp-framework' ), 'type' => 'switch', 'default' => '0', ), array( 'id' => 'archive_filters', 'title' => __( 'Filters', 'cubewp-framework' ),- 'desc' => __( 'You can easily On/Off filters on CubeWP default archive page' ),+ 'desc' => __( 'You can easily On/Off filters on CubeWP default archive page', 'cubewp-framework' ), 'type' => 'switch', 'default' => '0', ), array( 'id' => 'archive_sort_filter', 'title' => __( 'Sorting Filter', 'cubewp-framework' ),- 'desc' => __( 'You can easily On/Off sorting filter on CubeWP default archive page' ),+ 'desc' => __( 'You can easily On/Off sorting filter on CubeWP default archive page', 'cubewp-framework' ), 'type' => 'switch', 'default' => '1', ), array( 'id' => 'archive_layout', 'title' => __( 'Layout Switcher', 'cubewp-framework' ),- 'desc' => __( 'You can easily On/Off layout switcher on CubeWP default archive page' ),+ 'desc' => __( 'You can easily On/Off layout switcher on CubeWP default archive page', 'cubewp-framework' ), 'type' => 'switch', 'default' => '1', ), array( 'id' => 'archive_found_text', 'title' => __( 'Found Text', 'cubewp-framework' ),- 'desc' => __( 'You can easily On/Off found text on CubeWP default archive page' ),+ 'desc' => __( 'You can easily On/Off found text on CubeWP default archive page', 'cubewp-framework' ), 'type' => 'switch', 'default' => '1', ), array( 'id' => 'archive_posts_per_page', 'title' => __( 'Posts Per Page', 'cubewp-framework' ),- 'desc' => __( 'Set number of posts per page in search for CubeWP default archive page' ),+ 'desc' => __( 'Set number of posts per page in search for CubeWP default archive page', 'cubewp-framework' ), 'type' => 'text', 'default' => 10, ),@@ -243,7 +245,7 @@ array( 'id' => 'cubewp_singular', 'title' => __( 'CubeWP Single Post Layout Builder', 'cubewp-framework' ),- 'desc' => __( 'Enable/Disable CubeWP Single Post Layout Builder for managing default single post layout if you are not using CubeWP Theme Builder.' ),+ 'desc' => __( 'Enable/Disable CubeWP Single Post Layout Builder for managing default single post layout if you are not using CubeWP Theme Builder.', 'cubewp-framework' ), 'type' => 'switch', 'default' => '1', ),@@ -369,10 +371,10 @@ array( 'id' => 'profile_page', 'type' => 'pages',- 'title' => __('User Profile Form Page', 'cubewp'),- 'subtitle' => __('This must be an URL.', 'cubewp'),+ 'title' => __('User Profile Form Page', 'cubewp-framework'),+ 'subtitle' => __('This must be an URL.', 'cubewp-framework'), 'validate' => 'url',- 'desc' => __('Select the page used for the User Profile Form (Page must include the Profile Form Shortcode)', 'cubewp'),+ 'desc' => __('Select the page used for the User Profile Form (Page must include the Profile Form Shortcode)', 'cubewp-framework'), 'default' => '', 'required' => array( array( 'show_author_template', 'equals', '1' )@@ -392,9 +394,9 @@ 'id' => 'author_post_types', 'type' => 'select', 'multi' => true,- 'title' => __( 'Select Post Types', 'cubewp-reviews' ),+ 'title' => __( 'Select Post Types', 'cubewp-framework' ), 'subtitle' => '',- 'desc' => __( 'Tabs for above selected post types will be added other than all posts tab on author page', 'cubewp-reviews' ),+ 'desc' => __( 'Tabs for above selected post types will be added other than all posts tab on author page', 'cubewp-framework' ), 'options' => cwp_post_types(), 'required' => array( array( 'show_author_template', 'equals', '1' )@@ -414,18 +416,42 @@ ); $settings['cubewp-theme-builder'] = array(- 'title' => __( 'Theme Builder', 'cubewp-framework' ),- 'id' => 'cubewp-theme-builder',- 'icon' => 'dashicons-editor-code',- 'fields' => array(- array(- 'id' => 'cwp_tb_hooks',- 'type' => 'repeating_field',- 'title' => __( 'Add WordPress Hooks For Theme builder', 'cubewp-framework' ),- 'child_type' => 'text',- 'desc' => __( 'Add WordPress Hooks here and then you will be able to select these hooks in theme builder and you can create template to show on these hooks wherever you want.', 'cubewp-framework' ),- ),- )+ 'title' => __( 'Theme Builder', 'cubewp-framework' ),+ 'id' => 'cubewp-theme-builder',+ 'icon' => 'dashicons-editor-code',+ 'fields' => array(+ array(+ 'id' => 'cwp_tb_hooks',+ 'type' => 'repeating_field',+ 'title' => __( 'Add WordPress Hooks For Theme builder', 'cubewp-framework' ),+ 'child_type' => 'text',+ 'desc' => __( 'Add WordPress Hooks here and then you will be able to select these hooks in theme builder and you can create template to show on these hooks wherever you want.', 'cubewp-framework' ),+ ),+ array(+ 'id' => 'cwp_tb_enable_cache',+ 'type' => 'switch',+ 'title' => __( 'Cache Header & Footer (Theme Builder)', 'cubewp-framework' ),+ 'default' => '0',+ 'desc' => __( 'Cache the rendered header and footer templates generated by the theme builder to improve load times.', 'cubewp-framework' ),+ ),+ array(+ 'id' => 'cwp_posts_enable_cache',+ 'type' => 'switch',+ 'title' => __( 'Enable Posts Cache', 'cubewp-framework' ),+ 'default' => '1',+ 'desc' => __( 'Enable caching for posts output to improve performance. Cache type is automatically detected based on server capabilities (Object Cache when available, SQL Cache otherwise).', 'cubewp-framework' ),+ ),+ array(+ 'id' => 'cwp_posts_cache_ttl',+ 'type' => 'text',+ 'title' => __( 'Posts Cache Duration (Hours)', 'cubewp-framework' ),+ 'desc' => __( 'Set how long the posts cache should be stored in hours. Default is 12 hours.', 'cubewp-framework' ),+ 'default' => '12',+ 'required' => array(+ array( 'cwp_posts_enable_cache', 'equals', '1' )+ )+ ),+ ) ); $settings['cubewp-css-js'] = array(
Based on my analysis of the code diff provided, here are the security findings:
---
**Vulnerability #1:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Internationalization (i18n) - CWE-327 (Cryptographic Failures) / Related to CWE-94 (Code Injection)
File: cube/functions/settings/cubewp-default-options.php
Lines: 187, 194, 201, 208, 215, 222, 246, 372-375, 395, 397
**Old Code:**
```php
'desc' => __( 'You can easily On/Off map on CubeWP default archive page' ),
'desc' => __( 'You can easily On/Off filters on CubeWP default archive page' ),
'desc' => __( 'You can easily On/Off sorting filter on CubeWP default archive page' ),
'desc' => __( 'You can easily On/Off layout switcher on CubeWP default archive page' ),
'desc' => __( 'You can easily On/Off found text on CubeWP default archive page' ),
'desc' => __( 'Set number of posts per page in search for CubeWP default archive page' ),
'desc' => __( 'Enable/Disable CubeWP Single Post Layout Builder for managing default single post layout if you are not using CubeWP Theme Builder.' ),
'title' => __('User Profile Form Page', 'cubewp'),
'subtitle' => __('This must be an URL.', 'cubewp'),
'desc' => __('Select the page used for the User Profile Form (Page must include the Profile Form Shortcode)', 'cubewp'),
'title' => __( 'Select Post Types', 'cubewp-reviews' ),
'desc' => __( 'Tabs for above selected post types will be added other than all posts tab on author page', 'cubewp-reviews' ),
```
**Fixed Code:**
```php
'desc' => __( 'You can easily On/Off map on CubeWP default archive page', 'cubewp-framework' ),
'desc' => __( 'You can easily On/Off filters on CubeWP default archive page', 'cubewp-framework' ),
'desc' => __( 'You can easily On/Off sorting filter on CubeWP default archive page', 'cubewp-framework' ),
'desc' => __( 'You can easily On/Off layout switcher on CubeWP default archive page', 'cubewp-framework' ),
'desc' => __( 'You can easily On/Off found text on CubeWP default archive page', 'cubewp-framework' ),
'desc' => __( 'You can easily On/Off posts per page in search for CubeWP default archive page', 'cubewp-framework' ),
'desc' => __( 'Enable/Disable CubeWP Single Post Layout Builder for managing default single post layout if you are not using CubeWP Theme Builder.', 'cubewp-framework' ),
'title' => __('User Profile Form Page', 'cubewp-framework'),
'subtitle' => __('This must be an URL.', 'cubewp-framework'),
'desc' => __('Select the page used for the User Profile Form (Page must include the Profile Form Shortcode)', 'cubewp-framework'),
'title' => __( 'Select Post Types', 'cubewp-framework' ),
'desc' => __( 'Tabs for above selected post types will be added other than all posts tab on author page', 'cubewp-framework' ),
```
**Explanation:**
The original code was missing text domain parameters in multiple `__()` translation function calls. This is a critical WordPress best practice issue. Without the text domain parameter, WordPress cannot properly load translations from the correct language file, and it may load translations from unintended or malicious sources. Additionally, incorrect text domains ('cubewp' and 'cubewp-reviews' instead of 'cubewp-framework') could allow for domain hijacking where a plugin or theme with those text domains could inject malicious translated strings. The fix ensures all translation calls use the consistent and correct 'cubewp-framework' text domain.
---
**Vulnerability #2:**
Vulnerability Existed: not sure
phpcs Directive Suppression - CWE-273 (Improper Check for Dropped Privileges)
File: cube/functions/settings/cubewp-default-options.php
Lines: 9-10
**Old Code:**
```php
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
```
**Fixed Code:**
```php
// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
```
**Explanation:**
The addition of `// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals` is a code style suppression directive. While not directly a security vulnerability, it suppresses WordPress coding standard warnings. This could potentially mask security issues if global variables are used without proper prefixing. However, this appears to be a configuration file for settings, so the risk is lower. The concern is moderate—suppressing naming convention checks could allow unprefixed globals to be used elsewhere in the file without detection.
---
**Vulnerability #3:**
Vulnerability Existed: no
Code Formatting/Indentation - Not a security vulnerability
File: cube/functions/settings/cubewp-default-options.php
Lines: 416-454
**Old Code:**
```php
$settings['cubewp-theme-builder'] = array(
'title' => __( 'Theme Builder', 'cubewp-framework' ),
'id' => 'cubewp-theme-builder',
'icon' => 'dashicons-editor-code',
'fields' => array(
array(
'id' => 'cwp_tb_hooks',
```
**Fixed Code:**
```php
$settings['cubewp-theme-builder'] = array(
'title' => __( 'Theme Builder', 'cubewp-framework' ),
'id' => 'cubewp-theme-builder',
'icon' => 'dashicons-editor-code',
'fields' => array(
array(
'id' => 'cwp_tb_hooks',
```
**Explanation:**
This change involves reformatting indentation from tabs to spaces and adding new configuration fields for caching functionality. The new fields added include cache control options for theme builder output and post caching with TTL configuration. This is not a security vulnerability—it's a code style and feature enhancement. The new caching fields properly include text domain parameters and don't introduce new security risks.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/importer/parsers.php 2026-01-18 00:20:47.509238027 +0000+++ cache/cubewp-framework_1.1.28/cube/importer/parsers.php 2026-01-18 00:20:56.209778596 +0000@@ -6,6 +6,8 @@ * @subpackage Importer */ +// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ /** * WordPress Importer class for managing parsing of WXR files. */@@ -39,8 +41,8 @@ echo esc_html($error[0]) . ':' . esc_html($error[1]) . ' ' . esc_html( $error[2] ); } echo '</pre>';- echo '<p><strong>' . __( 'There was an error when reading this WXR file', 'cubewp-framework' ) . '</strong><br />';- echo __( 'Details are shown above. The importer will now try again with a different parser...', 'cubewp-framework' ) . '</p>';+ echo '<p><strong>' . esc_html__( 'There was an error when reading this WXR file', 'cubewp-framework' ) . '</strong><br />';+ echo esc_html__( 'Details are shown above. The importer will now try again with a different parser...', 'cubewp-framework' ) . '</p>'; } // use regular expressions if nothing else available or this is bad XML@@ -620,6 +622,7 @@ function fopen( $filename, $mode = 'r' ) { if ( $this->has_gzip ) return gzopen( $filename, $mode );+ // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fopen -- fallback when FS API is not available return fopen( $filename, $mode ); } @@ -638,6 +641,7 @@ function fclose( $fp ) { if ( $this->has_gzip ) return gzclose( $fp );+ // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose -- fallback when FS API is not available return fclose( $fp ); } }
# Security Analysis: PatchLeaks Diff ## Vulnerability 1 Vulnerability Existed: **no** Cross-Site Scripting (XSS) - CWE-79 - cube/importer/parsers.php Lines 44-45 **Old Code:** ```php echo '<p><strong>' . __( 'There was an error when reading this WXR file', 'cubewp-framework' ) . '</strong><br />'; echo __( 'Details are shown above. The importer will now try again with a different parser...', 'cubewp-framework' ) . '</p>'; ``` **Fixed Code:** ```php echo '<p><strong>' . esc_html__( 'There was an error when reading this WXR file', 'cubewp-framework' ) . '</strong><br />'; echo esc_html__( 'Details are shown above. The importer will now try again with a different parser...', 'cubewp-framework' ) . '</p>'; ``` **Explanation:** The original code was **vulnerable to XSS**. The `__()` function returns unescaped translated strings. Since these strings come from translation files that could potentially be compromised or contain user-controlled data, outputting them directly to HTML without escaping creates an XSS vulnerability. The fix correctly applies `esc_html__()` which both translates and escapes the output for safe HTML context. This is a proper security fix. --- ## Vulnerability 2 Vulnerability Existed: **no** Improper Use of Alternative Functions (WordPress Coding Standard) - CWE-656 - cube/importer/parsers.php Line 625 **Old Code:** ```php return fopen( $filename, $mode ); ``` **Fixed Code:** ```php // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fopen -- fallback when FS API is not available return fopen( $filename, $mode ); ``` **Explanation:** The code was **not vulnerable**, but the fix addresses a WordPress coding standard violation. WordPress recommends using the Filesystem API instead of direct `fopen()` calls. The comment clarifies that `fopen()` is a legitimate fallback when the FS API is unavailable. The phpcs ignore comment documents the intentional deviation with proper justification. --- ## Vulnerability 3 Vulnerability Existed: **no** Improper Use of Alternative Functions (WordPress Coding Standard) - CWE-656 - cube/importer/parsers.php Line 644 **Old Code:** ```php return fclose( $fp ); ``` **Fixed Code:** ```php // phpcs:ignore WordPress.WP.AlternativeFunctions.file_system_operations_fclose -- fallback when FS API is not available return fclose( $fp ); ``` **Explanation:** Similar to Vulnerability 2, this is **not a security vulnerability** but addresses a WordPress coding standard violation. The phpcs ignore comment documents that `fclose()` is intentionally used as a fallback when the Filesystem API is not available. --- ## Summary The diff contains **one legitimate security fix** (XSS in lines 44-45) and two documentation improvements for code quality compliance (lines 625 and 644).
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/importer/wordpress-importer.php 2026-01-18 00:20:47.513238275 +0000+++ cache/cubewp-framework_1.1.28/cube/importer/wordpress-importer.php 2026-01-18 00:20:56.209778596 +0000@@ -10,6 +10,8 @@ License: GPL version 2 or later - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html */ +// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined( 'WP_LOAD_IMPORTERS' ) ) return; @@ -84,9 +86,12 @@ case 2: check_admin_referer( 'import-wordpress' ); $this->fetch_attachments = ( ! empty( $_POST['fetch_attachments'] ) && $this->allow_fetch_attachments() );- $this->id = (int) $_POST['import_id'];+ $this->id = isset( $_POST['import_id'] ) ? absint( wp_unslash( $_POST['import_id'] ) ) : 0; $file = get_attached_file( $this->id );- set_time_limit(0);+ if ( function_exists( 'set_time_limit' ) ) {+ // phpcs:ignore Squiz.PHP.DiscouragedFunctions.Discouraged+ @set_time_limit( 0 );+ } $this->import( $file ); break; }@@ -129,8 +134,8 @@ */ function import_start( $file ) { if ( ! is_file($file) ) {- echo '<p><strong>' . __( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />';- echo __( 'The file does not exist, please try again.', 'cubewp-framework' ) . '</p>';+ echo '<p><strong>' . esc_html__( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />';+ echo esc_html__( 'The file does not exist, please try again.', 'cubewp-framework' ) . '</p>'; $this->footer(); die(); }@@ -138,7 +143,7 @@ $import_data = $this->parse( $file ); if ( is_wp_error( $import_data ) ) {- echo '<p><strong>' . __( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />';+ echo '<p><strong>' . esc_html__( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />'; echo esc_html( $import_data->get_error_message() ) . '</p>'; $this->footer(); die();@@ -173,8 +178,8 @@ wp_defer_term_counting( false ); wp_defer_comment_counting( false ); - echo '<p>' . __( 'All done.', 'cubewp-framework' ) . ' <a href="' . admin_url() . '">' . __( 'Have fun!', 'cubewp-framework' ) . '</a>' . '</p>';- echo '<p>' . __( 'Remember to update the passwords and roles of imported users.', 'cubewp-framework' ) . '</p>';+ echo '<p>' . esc_html__( 'All done.', 'cubewp-framework' ) . ' <a href="' . esc_url( admin_url() ) . '">' . esc_html__( 'Have fun!', 'cubewp-framework' ) . '</a>' . '</p>';+ echo '<p>' . esc_html__( 'Remember to update the passwords and roles of imported users.', 'cubewp-framework' ) . '</p>'; do_action( 'import_end' ); }@@ -189,12 +194,19 @@ $file = wp_import_handle_upload(); if ( isset( $file['error'] ) ) {- echo '<p><strong>' . __( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />';+ echo '<p><strong>' . esc_html__( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />'; echo esc_html( $file['error'] ) . '</p>'; return false; } else if ( ! file_exists( $file['file'] ) ) {- echo '<p><strong>' . __( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />';- printf( __( 'The export file could not be found at <code>%s</code>. It is likely that this was caused by a permissions problem.', 'cubewp-framework' ), esc_html( $file['file'] ) );+ echo '<p><strong>' . esc_html__( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />';+ printf(+ wp_kses(+ /* translators: %s: file path. */+ esc_html__( 'The export file could not be found at <code>%s</code>. It is likely that this was caused by a permissions problem.', 'cubewp-framework' ),+ array( 'code' => array() )+ ),+ esc_html( $file['file'] )+ ); echo '</p>'; return false; }@@ -202,7 +214,7 @@ $this->id = (int) $file['id']; $import_data = $this->parse( $file['file'] ); if ( is_wp_error( $import_data ) ) {- echo '<p><strong>' . __( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />';+ echo '<p><strong>' . esc_html__( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />'; echo esc_html( $import_data->get_error_message() ) . '</p>'; return false; }@@ -210,7 +222,8 @@ $this->version = $import_data['version']; if ( $this->version > $this->max_wxr_version ) { echo '<div class="error"><p><strong>';- printf( __( 'This WXR file (version %s) may not be supported by this version of the importer. Please consider updating.', 'cubewp-framework' ), esc_html($import_data['version']) );+ /* translators: %s: file version. */+ printf( esc_html__( 'This WXR file (version %s) may not be supported by this version of the importer. Please consider updating.', 'cubewp-framework' ), esc_html( $import_data['version'] ) ); echo '</strong></p></div>'; } @@ -235,7 +248,8 @@ foreach ( $import_data['posts'] as $post ) { $login = sanitize_user( $post['post_author'], true ); if ( empty( $login ) ) {- printf( __( 'Failed to import author %s. Their posts will be attributed to the current user.', 'cubewp-framework' ), esc_html( $post['post_author'] ) );+ /* translators: %s: author name. */+ printf( esc_html__( 'Failed to import author %s. Their posts will be attributed to the current user.', 'cubewp-framework' ), esc_html( $post['post_author'] ) ); echo '<br />'; continue; }@@ -256,15 +270,23 @@ function import_options() { $j = 0; ?>- <form action="<?php echo admin_url( 'admin.php?import=wordpress&step=2' ); ?>" method="post">+ <form action="<?php echo esc_url( admin_url( 'admin.php?import=wordpress&step=2' ) ); ?>" method="post"> <?php wp_nonce_field( 'import-wordpress' ); ?> <input type="hidden" name="import_id" value="<?php echo esc_attr( $this->id ); ?>" /> <?php if ( ! empty( $this->authors ) ) : ?>- <h3><?php _e( 'Assign Authors', 'cubewp-framework' ); ?></h3>- <p><?php _e( 'To make it easier for you to edit and save the imported content, you may want to reassign the author of the imported item to an existing user of this site. For example, you may want to import all the entries as <code>admin</code>s entries.', 'cubewp-framework' ); ?></p>+ <h3><?php esc_html_e( 'Assign Authors', 'cubewp-framework' ); ?></h3>+ <p><?php echo wp_kses( __( 'To make it easier for you to edit and save the imported content, you may want to reassign the author of the imported item to an existing user of this site. For example, you may want to import all the entries as <code>admin</code>s entries.', 'cubewp-framework' ), array( 'code' => array() ) ); ?></p> <?php if ( $this->allow_create_users() ) : ?>- <p><?php printf( __( 'If a new user is created by WordPress, a new password will be randomly generated and the new user’s role will be set as %s. Manually changing the new user’s details will be necessary.', 'cubewp-framework' ), esc_html( get_option('default_role') ) ); ?></p>+ <p><?php+ printf(+ wp_kses(+ /* translators: %s: default role. */+ esc_html__( 'If a new user is created by WordPress, a new password will be randomly generated and the new user’s role will be set as %s. Manually changing the new user’s details will be necessary.', 'cubewp-framework' ),+ array( 'code' => array() )+ ),+ esc_html( get_option('default_role') )+ ); ?></p> <?php endif; ?> <ol id="authors"> <?php foreach ( $this->authors as $author ) : ?>@@ -274,10 +296,10 @@ <?php endif; ?> <?php if ( $this->allow_fetch_attachments() ) : ?>- <h3><?php _e( 'Import Attachments', 'cubewp-framework' ); ?></h3>+ <h3><?php esc_html_e( 'Import Attachments', 'cubewp-framework' ); ?></h3> <p> <input type="checkbox" value="1" name="fetch_attachments" id="import-attachments" />- <label for="import-attachments"><?php _e( 'Download and import file attachments', 'cubewp-framework' ); ?></label>+ <label for="import-attachments"><?php esc_html_e( 'Download and import file attachments', 'cubewp-framework' ); ?></label> </p> <?php endif; ?> @@ -294,7 +316,7 @@ * @param array $author Author information, e.g. login, display name, email */ function author_select( $n, $author ) {- _e( 'Import author:', 'cubewp-framework' );+ esc_html_e( 'Import author:', 'cubewp-framework' ); echo ' <strong>' . esc_html( $author['author_display_name'] ); if ( $this->version != '1.0' ) echo ' (' . esc_html( $author['author_login'] ) . ')'; echo '</strong><br />';@@ -305,22 +327,22 @@ $create_users = $this->allow_create_users(); if ( $create_users ) { if ( $this->version != '1.0' ) {- _e( 'or create new user with login name:', 'cubewp-framework' );+ esc_html_e( 'or create new user with login name:', 'cubewp-framework' ); $value = ''; } else {- _e( 'as a new user:', 'cubewp-framework' );+ esc_html_e( 'as a new user:', 'cubewp-framework' ); $value = esc_attr( sanitize_user( $author['author_login'], true ) ); } - echo ' <input type="text" name="user_new['.$n.']" value="'. $value .'" /><br />';+ echo ' <input type="text" name="user_new[' . esc_attr( (string) $n ) . ']" value="' . esc_attr( $value ) . '" /><br />'; } if ( ! $create_users && $this->version == '1.0' )- _e( 'assign posts to an existing user:', 'cubewp-framework' );+ esc_html_e( 'assign posts to an existing user:', 'cubewp-framework' ); else- _e( 'or assign posts to an existing user:', 'cubewp-framework' );- wp_dropdown_users( array( 'name' => "user_map[$n]", 'multi' => true, 'show_option_all' => __( '- Select -', 'cubewp-framework' ) ) );- echo '<input type="hidden" name="imported_authors['.$n.']" value="' . esc_attr( $author['author_login'] ) . '" />';+ esc_html_e( 'or assign posts to an existing user:', 'cubewp-framework' );+ wp_dropdown_users( array( 'name' => "user_map[" . intval( $n ) . "]", 'multi' => true, 'show_option_all' => esc_html__( '- Select -', 'cubewp-framework' ) ) );+ echo '<input type="hidden" name="imported_authors[' . esc_attr( (string) $n ) . ']" value="' . esc_attr( $author['author_login'] ) . '" />'; if ( $this->version != '1.0' ) echo '</div>';@@ -332,26 +354,27 @@ * or falls back to the current user in case of error with either of the previous */ function get_author_mapping() {+ // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Read-only use of query vars to render notice; no state change performed. if ( ! isset( $_POST['imported_authors'] ) ) return;- + // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Read-only use of query vars to render notice; no state change performed. $create_users = $this->allow_create_users();- - foreach ( (array) $_POST['imported_authors'] as $i => $old_login ) {+ // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Read-only use of query vars to render notice; no state change performed.+ foreach ( (array) $_POST['imported_authors'] as $i => $old_login ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing // Multisite adds strtolower to sanitize_user. Need to sanitize here to stop breakage in process_posts. $santized_old_login = sanitize_user( $old_login, true ); $old_id = isset( $this->authors[$old_login]['author_id'] ) ? intval($this->authors[$old_login]['author_id']) : false; - if ( ! empty( $_POST['user_map'][$i] ) ) {- $user = get_userdata( intval($_POST['user_map'][$i]) );+ if ( ! empty( $_POST['user_map'][$i] ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing+ $user = get_userdata( intval($_POST['user_map'][$i]) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing if ( isset( $user->ID ) ) { if ( $old_id ) $this->processed_authors[$old_id] = $user->ID; $this->author_mapping[$santized_old_login] = $user->ID; } } else if ( $create_users ) {- if ( ! empty($_POST['user_new'][$i]) ) {- $user_id = wp_create_user( $_POST['user_new'][$i], wp_generate_password() );+ if ( ! empty($_POST['user_new'][$i]) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing+ $user_id = wp_create_user( $_POST['user_new'][$i], wp_generate_password() ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing } else if ( $this->version != '1.0' ) { $user_data = array( 'user_login' => $old_login,@@ -369,9 +392,16 @@ $this->processed_authors[$old_id] = $user_id; $this->author_mapping[$santized_old_login] = $user_id; } else {- printf( __( 'Failed to create new user for %s. Their posts will be attributed to the current user.', 'cubewp-framework' ), esc_html($this->authors[$old_login]['author_display_name']) );+ printf(+ wp_kses(+ /* translators: %s: author name. */+ esc_html__( 'Failed to create new user for %s. Their posts will be attributed to the current user.', 'cubewp-framework' ),+ array( 'code' => array() )+ ),+ esc_html($this->authors[$old_login]['author_display_name'])+ ); if ( defined('IMPORT_DEBUG') && IMPORT_DEBUG )- echo ' ' . $user_id->get_error_message();+ echo ' ' . esc_html( $user_id->get_error_message() ); echo '<br />'; } }@@ -421,9 +451,16 @@ if ( isset($cat['term_id']) ) $this->processed_terms[intval($cat['term_id'])] = $id; } else {- printf( __( 'Failed to import category %s', 'cubewp-framework' ), esc_html($cat['category_nicename']) );+ printf(+ wp_kses(+ /* translators: %s: category name. */+ esc_html__( 'Failed to import category %s', 'cubewp-framework' ),+ array( 'code' => array() )+ ),+ esc_html( $cat['category_nicename'] )+ ); if ( defined('IMPORT_DEBUG') && IMPORT_DEBUG )- echo ': ' . $id->get_error_message();+ echo ': ' . esc_html( $id->get_error_message() ); echo '<br />'; continue; }@@ -464,9 +501,10 @@ if ( isset($tag['term_id']) ) $this->processed_terms[intval($tag['term_id'])] = $id['term_id']; } else {- printf( __( 'Failed to import post tag %s', 'cubewp-framework' ), esc_html($tag['tag_name']) );+ /* translators: %s: tag name. */+ printf( esc_html__( 'Failed to import post tag %s', 'cubewp-framework' ), esc_html( $tag['tag_name'] ) ); if ( defined('IMPORT_DEBUG') && IMPORT_DEBUG )- echo ': ' . $id->get_error_message();+ echo ': ' . esc_html( $id->get_error_message() ); echo '<br />'; continue; }@@ -513,9 +551,10 @@ if ( isset($term['term_id']) ) $this->processed_terms[intval($term['term_id'])] = $id['term_id']; } else {- printf( __( 'Failed to import %s %s', 'cubewp-framework' ), esc_html($term['term_taxonomy']), esc_html($term['term_name']) );+ /* translators: %1$s: taxonomy name, %2$s: term name. */+ printf( esc_html__( 'Failed to import %1$s %2$s', 'cubewp-framework' ), esc_html( $term['term_taxonomy'] ), esc_html( $term['term_name'] ) ); if ( defined('IMPORT_DEBUG') && IMPORT_DEBUG )- echo ': ' . $id->get_error_message();+ echo ': ' . esc_html( $id->get_error_message() ); echo '<br />'; continue; }@@ -602,7 +641,8 @@ $post = apply_filters( 'wp_import_post_data_raw', $post ); if ( ! post_type_exists( $post['post_type'] ) ) {- printf( __( 'Failed to import “%s”: Invalid post type %s', 'cubewp-framework' ),+ /* translators: %1$s: post title, %2$s: post type. */+ printf( esc_html__( 'Failed to import “%1$s”: Invalid post type %2$s', 'cubewp-framework' ), esc_html($post['post_title']), esc_html($post['post_type']) ); echo '<br />'; do_action( 'wp_import_post_exists', $post );@@ -639,7 +679,8 @@ $post_exists = apply_filters( 'wp_import_existing_post', $post_exists, $post ); if ( $post_exists && get_post_type( $post_exists ) == $post['post_type'] ) {- printf( __('%s “%s” already exists.', 'cubewp-framework'), $post_type_object->labels->singular_name, esc_html($post['post_title']) );+ /* translators: %1$s: post type label, %2$s: post title. */+ printf( esc_html__( '%1$s “%2$s” already exists.', 'cubewp-framework' ), esc_html( $post_type_object->labels->singular_name ), esc_html( $post['post_title'] ) ); echo '<br />'; $comment_post_ID = $post_id = $post_exists; $this->processed_posts[ intval( $post['post_id'] ) ] = intval( $post_exists );@@ -701,10 +742,11 @@ } if ( is_wp_error( $post_id ) ) {- printf( __( 'Failed to import %s “%s”', 'cubewp-framework' ),- $post_type_object->labels->singular_name, esc_html($post['post_title']) );+ /* translators: %1$s: post type label, %2$s: post title. */+ printf( esc_html__( 'Failed to import %1$s “%2$s”', 'cubewp-framework' ),+ esc_html( $post_type_object->labels->singular_name ), esc_html( $post['post_title'] ) ); if ( defined('IMPORT_DEBUG') && IMPORT_DEBUG )- echo ': ' . $post_id->get_error_message();+ echo ': ' . esc_html( $post_id->get_error_message() ); echo '<br />'; continue; }@@ -735,9 +777,17 @@ $term_id = $t['term_id']; do_action( 'wp_import_insert_term', $t, $term, $post_id, $post ); } else {- printf( __( 'Failed to import %s %s', 'cubewp-framework' ), esc_html($taxonomy), esc_html($term['name']) );+ printf( + wp_kses(+ /* translators: %1$s: taxonomy name, %2$s: term name. */+ esc_html__( 'Failed to import %1$s %2$s', 'cubewp-framework' ),+ array( 'code' => array() )+ ),+ esc_html($taxonomy),+ esc_html($term['name'])+ ); if ( defined('IMPORT_DEBUG') && IMPORT_DEBUG )- echo ': ' . $t->get_error_message();+ echo ': ' . esc_html( $t->get_error_message() ); echo '<br />'; do_action( 'wp_import_insert_term_failed', $t, $term, $post_id, $post ); continue;@@ -874,14 +924,15 @@ // no nav_menu term associated with this menu item if ( ! $menu_slug ) {- _e( 'Menu item skipped due to missing menu slug', 'cubewp-framework' );+ echo esc_html__( 'Menu item skipped due to missing menu slug', 'cubewp-framework' ); echo '<br />'; return; } - $menu_id = term_exists( $menu_slug, 'nav_menu' );+ $menu_id = term_exists( $menu_slug, 'nav_menu' ); if ( ! $menu_id ) {- printf( __( 'Menu item skipped due to invalid menu slug: %s', 'cubewp-framework' ), esc_html( $menu_slug ) );+ /* translators: %s: menu slug. */+ printf( esc_html__( 'Menu item skipped due to invalid menu slug: %s', 'cubewp-framework' ), esc_html( $menu_slug ) ); echo '<br />'; return; } else {@@ -991,7 +1042,7 @@ $file_name = basename( $url ); // get placeholder file in the upload dir with a unique, sanitized filename- $upload = wp_upload_bits( $file_name, 0, '', $post['upload_date'] );+ $upload = wp_upload_bits( $file_name, null, '', $post['upload_date'] ); if ( $upload['error'] ) return new WP_Error( 'upload_dir_error', $upload['error'] ); @@ -1006,7 +1057,7 @@ // request failed if ( ! $headers ) {- @unlink( $upload['file'] );+ wp_delete_file( $upload['file'] ); return new WP_Error( 'import_file_error', __('Remote server did not respond', 'cubewp-framework') ); } @@ -1014,25 +1065,27 @@ // make sure the fetch was successful if ( $remote_response_code != '200' ) {- @unlink( $upload['file'] );+ wp_delete_file( $upload['file'] );+ /* translators: %1$d: response code, %2$s: response description. */ return new WP_Error( 'import_file_error', sprintf( __('Remote server returned error response %1$d %2$s', 'cubewp-framework'), esc_html($remote_response_code), get_status_header_desc($remote_response_code) ) ); } $filesize = filesize( $upload['file'] ); if ( isset( $headers['content-length'] ) && $filesize != $headers['content-length'] ) {- @unlink( $upload['file'] );+ wp_delete_file( $upload['file'] ); return new WP_Error( 'import_file_error', __('Remote file is incorrect size', 'cubewp-framework') ); } if ( 0 == $filesize ) {- @unlink( $upload['file'] );+ wp_delete_file( $upload['file'] ); return new WP_Error( 'import_file_error', __('Zero size file downloaded', 'cubewp-framework') ); } $max_size = (int) $this->max_attachment_size(); if ( ! empty( $max_size ) && $filesize > $max_size ) {- @unlink( $upload['file'] );+ wp_delete_file( $upload['file'] );+ /* translators: %s: file size. */ return new WP_Error( 'import_file_error', sprintf(__('Remote file is too large, limit is %s', 'cubewp-framework'), size_format($max_size) ) ); } @@ -1065,7 +1118,7 @@ $local_parent_id = $this->processed_posts[$parent_id]; if ( $local_child_id && $local_parent_id ) {- $wpdb->update( $wpdb->posts, array( 'post_parent' => $local_parent_id ), array( 'ID' => $local_child_id ), '%d', '%d' );+ $wpdb->update( $wpdb->posts, array( 'post_parent' => $local_parent_id ), array( 'ID' => $local_child_id ), '%d', '%d' ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching -- Import maintenance requires a direct update; safe, bounded, and immediately cache-cleaned. clean_post_cache( $local_child_id ); } }@@ -1098,9 +1151,9 @@ foreach ( $this->url_remap as $from_url => $to_url ) { // remap urls in post_content- $wpdb->query( $wpdb->prepare("UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)", $from_url, $to_url) );+ $wpdb->query( $wpdb->prepare("UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, %s, %s)", $from_url, $to_url) ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching -- One-off import remediation; prepared and scoped. // remap enclosure urls- $result = $wpdb->query( $wpdb->prepare("UPDATE {$wpdb->postmeta} SET meta_value = REPLACE(meta_value, %s, %s) WHERE meta_key='enclosure'", $from_url, $to_url) );+ $result = $wpdb->query( $wpdb->prepare("UPDATE {$wpdb->postmeta} SET meta_value = REPLACE(meta_value, %s, %s) WHERE meta_key='enclosure'", $from_url, $to_url) ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching -- One-off import remediation; prepared and scoped. } } @@ -1133,14 +1186,15 @@ // Display import page title function header() { echo '<div class="wrap">';- echo '<h2>' . __( 'Import WordPress', 'cubewp-framework' ) . '</h2>';+ echo '<h2>' . esc_html__( 'Import WordPress', 'cubewp-framework' ) . '</h2>'; $updates = get_plugin_updates(); $basename = plugin_basename(__FILE__); if ( isset( $updates[$basename] ) ) { $update = $updates[$basename]; echo '<div class="error"><p><strong>';- printf( __( 'A new version of this importer is available. Please update to version %s to ensure compatibility with newer export files.', 'cubewp-framework' ), $update->update->new_version );+ /* translators: %s: new version. */+ printf( esc_html__( 'A new version of this importer is available. Please update to version %s to ensure compatibility with newer export files.', 'cubewp-framework' ), esc_html( $update->update->new_version ) ); echo '</strong></p></div>'; } }@@ -1155,8 +1209,8 @@ */ function greet() { echo '<div class="narrow">';- echo '<p>'.__( 'Howdy! Upload your WordPress eXtended RSS (WXR) file and we’ll import the posts, pages, comments, custom fields, categories, and tags into this site.', 'cubewp-framework' ).'</p>';- echo '<p>'.__( 'Choose a WXR (.xml) file to upload, then click Upload file and import.', 'cubewp-framework' ).'</p>';+ echo '<p>'.wp_kses( __( 'Howdy! Upload your WordPress eXtended RSS (WXR) file and we’ll import the posts, pages, comments, custom fields, categories, and tags into this site.', 'cubewp-framework' ), array( 'code' => array() ) ).'</p>';+ echo '<p>'.wp_kses( __( 'Choose a WXR (.xml) file to upload, then click Upload file and import.', 'cubewp-framework' ), array( 'code' => array() ) ).'</p>'; wp_import_upload_form( 'admin.php?import=wordpress&step=1' ); echo '</div>'; }
Now let me analyze the diff systematically for security vulnerabilities:
---
## Security Analysis Results
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/importer/wordpress-importer.php - Lines 87-88 (old), 89-90 (new)
```php
[Old Code]
$this->id = (int) $_POST['import_id'];
[Fixed Code]
$this->id = isset( $_POST['import_id'] ) ? absint( wp_unslash( $_POST['import_id'] ) ) : 0;
```
Explanation:
The original code used `(int)` casting which does not properly sanitize user input from $_POST. The fix uses `wp_unslash()` to handle WordPress slashes and `absint()` for proper integer validation. This prevents potential type juggling vulnerabilities and ensures the value is safe.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Output Encoding (XSS variant) - CWE-79 - cube/importer/wordpress-importer.php - Lines 132-135 (old), 136-139 (new)
```php
[Old Code]
echo '<p><strong>' . __( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />';
echo __( 'The file does not exist, please try again.', 'cubewp-framework' ) . '</p>';
[Fixed Code]
echo '<p><strong>' . esc_html__( 'Sorry, there has been an error.', 'cubewp-framework' ) . '</strong><br />';
echo esc_html__( 'The file does not exist, please try again.', 'cubewp-framework' ) . '</p>';
```
Explanation:
The original code uses `__()` which does not escape output. While these are translatable strings with no user input, best practice requires `esc_html__()` to escape the translated string as it's output to HTML context. This prevents potential XSS if translation strings are compromised.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Output Encoding (XSS) - CWE-79 - cube/importer/wordpress-importer.php - Lines 176-177 (old), 181-182 (new)
```php
[Old Code]
echo '<p>' . __( 'All done.', 'cubewp-framework' ) . ' <a href="' . admin_url() . '">' . __( 'Have fun!', 'cubewp-framework' ) . '</a>' . '</p>';
[Fixed Code]
echo '<p>' . esc_html__( 'All done.', 'cubewp-framework' ) . ' <a href="' . esc_url( admin_url() ) . '">' . esc_html__( 'Have fun!', 'cubewp-framework' ) . '</a>' . '</p>';
```
Explanation:
The original code outputs a URL (admin_url()) directly into an href attribute without escaping. The fix adds `esc_url()` to properly escape the URL for HTML attribute context, preventing XSS through malicious admin URLs.
---
**Vulnerability 4:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Output Encoding (XSS) - CWE-79 - cube/importer/wordpress-importer.php - Lines 201-203 (old), 201-210 (new)
```php
[Old Code]
printf( __( 'The export file could not be found at <code>%s</code>. It is likely that this was caused by a permissions problem.', 'cubewp-framework' ), esc_html( $file['file'] ) );
[Fixed Code]
printf(
wp_kses(
esc_html__( 'The export file could not be found at <code>%s</code>. It is likely that this was caused by a permissions problem.', 'cubewp-framework' ),
array( 'code' => array() )
),
esc_html( $file['file'] )
);
```
Explanation:
The original code passes a string with HTML tags to printf without proper sanitization. The fix uses `wp_kses()` to allow only specific HTML tags (<code>) while escaping everything else, preventing XSS through injected HTML in error messages.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Output Encoding (XSS) - CWE-79 - cube/importer/wordpress-importer.php - Lines 273 (old), 273 (new)
```php
[Old Code]
<form action="<?php echo admin_url( 'admin.php?import=wordpress&step=2' ); ?>" method="post">
[Fixed Code]
<form action="<?php echo esc_url( admin_url( 'admin.php?import=wordpress&step=2' ) ); ?>" method="post">
```
Explanation:
The original code outputs the admin URL directly into the form action attribute. The fix adds `esc_url()` to properly escape the URL for HTML attribute context, preventing XSS attacks through URL manipulation.
---
**Vulnerability 6:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Output Encoding (XSS) - CWE-79 - cube/importer/wordpress-importer.php - Lines 279-280 (old), 285-291 (new)
```php
[Old Code]
<p><?php _e( 'To make it easier for you to edit and save the imported content, you may want to reassign the author of the imported item to an existing user of this site. For example, you may want to import all the entries as <code>admin</code>s entries.', 'cubewp-framework' ); ?></p>
<p><?php printf( __( 'If a new user is created by WordPress, a new password will be randomly generated and the new user’s role will be set as %s. Manually changing the new user’s details will be necessary.', 'cubewp-framework' ), esc_html( get_option('default_role') ) ); ?></p>
[Fixed Code]
<p><?php echo wp_kses( __( 'To make it easier for you to edit and save the imported content, you may want to reassign the author of the imported item to an existing user of this site. For example, you may want to import all the entries as <code>admin</code>s entries.', 'cubewp-framework' ), array( 'code' => array() ) ); ?></p>
<p><?php printf( wp_kses( esc_html__( 'If a new user is created by WordPress, a new password will be randomly generated and the new user’s role will be set as %s. Manually changing the new user’s details will be necessary.', 'cubewp-framework' ), array( 'code' => array() ) ), esc_html( get_option('default_role') ) ); ?></p>
```
Explanation:
The original code uses `_e()` and `__()` which don't escape output. The fix uses `wp_kses()` to allow specific HTML tags (<code>) while escaping all other content, preventing XSS through HTML injection in translatable strings.
---
**Vulnerability 7:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Output Encoding (XSS) - CWE-79 - cube/importer/wordpress-importer.php - Lines 337 (old), 347 (new)
```php
[Old Code]
echo ' <input type="text" name="user_new['.$n.']" value="'. $value .'" /><br />';
[Fixed Code]
echo ' <input type="text" name="user_new[' . esc_attr( (string) $n ) . ']" value="' . esc_attr( $value ) . '" /><br />';
```
Explanation:
The original code directly concatenates variables into HTML attributes without escaping. The fix uses `esc_attr()` to properly escape both the array index and the value for HTML attribute context, preventing attribute injection attacks.
---
**Vulnerability 8:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Output Encoding (XSS) - CWE-79 - cube/importer/wordpress-importer.php - Lines 344 (old), 345-347 (new)
```php
[Old Code]
wp_dropdown_users( array( 'name' => "user_map[$n]", 'multi' => true, 'show_option_all' => __( '- Select -', 'cubewp-framework' ) ) );
echo '<input type="hidden" name="imported_authors['.$n.']" value="' . esc_attr( $author['author_login'] ) . '" />';
[Fixed Code]
wp_dropdown_users( array( 'name' => "user_map[" . intval( $n ) . "]", 'multi' => true, 'show_option_all' => esc_html__( '- Select -', 'cubewp-framework' ) ) );
echo '<input type="hidden" name="imported_authors[' . esc_attr( (string) $n ) . ']" value="' . esc_attr( $author['author_login'] ) . '" />';
```
Explanation:
The original code directly interpolates $n into array indices without validation. The fix uses `intval()` and `esc_attr()` to properly validate and escape the index, and changes `__()` to `esc_html__()` for proper output escaping.
---
**Vulnerability 9:**
Vulnerability Existed: yes
FALSE POSITIVE
Insufficient Input Validation - CWE-20 - cube/importer/wordpress-importer.php - Lines 358-377 (old), 358-377 (new)
```php
[Old Code]
if ( ! isset( $_POST['imported_authors'] ) )
return;
foreach ( (array) $_POST['imported_authors'] as $i => $old_login ) {
// ...
if ( ! empty( $_POST['user_map'][$i] ) ) {
$user = get_userdata( intval($_POST['user_map'][$i]) );
[Fixed Code]
// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Read-only use of query vars to render notice; no state change performed.
if ( ! isset( $_POST['imported_authors'] ) )
return;
// Multiple phpcs:ignore comments added for input validation issues
foreach ( (array) $_POST['imported_authors'] as $i => $old_login ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing
// ...
if ( ! empty( $_POST['user_map'][$i] ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing
$user = get_userdata( intval($_POST['user_map'][$i]) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing
```
Explanation:
While the code directly accesses $_POST without sanitization (which is concerning), the fix acknowledges this by adding phpcs:ignore comments explaining that these are read-only uses and no state changes are performed. However, the vulnerability technically persists - the comments don't fix the underlying issue. This is a partial mitigation through documentation rather than actual security fixing.
---
**Vulnerability 10:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Output Encoding (XSS) - CWE-79 - cube/importer/wordpress-importer.php - Lines 1057 (old), 1057 (new)
```php
[Old Code]
@unlink( $upload['file'] );
[Fixed Code]
wp_delete_file( $upload['file'] );
```
Explanation:
The original code uses `@unlink()` (suppressed error output) which is considered a discouraged practice. The fix uses `wp_delete_file()` which is the WordPress-recommended method that properly handles file deletion with appropriate error handling and hooks.
---
**Vulnerability 11:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Output Encoding (XSS) - CWE-79 - cube/importer/wordpress-importer.php - Lines 1042 (old), 1045 (new)
```php
[Old Code]
$upload = wp_upload_bits( $file_name, 0, '', $post['upload_date'] );
[Fixed Code]
$upload = wp_upload_bits( $file_name, null, '', $post['upload_date'] );
```
Explanation:
The original code passes integer `0` where `null` is expected for the deprecated_use parameter. While not a security vulnerability per se, the fix improves code correctness by using the proper null value instead of 0.
---
**Summary:** This diff contains multiple XSS vulnerabilities being fixed by properly escaping output using WordPress escaping functions (`esc_html__()`, `esc_url()`, `esc_attr()`, `wp_kses()`), improving input validation, and replacing deprecated functions with safer alternatives.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/includes/shortcodes/class-cubewp-frontend-search-fields.php 2026-01-18 00:20:47.513238275 +0000+++ cache/cubewp-framework_1.1.28/cube/includes/shortcodes/class-cubewp-frontend-search-fields.php 2026-01-18 00:20:56.209778596 +0000@@ -74,15 +74,17 @@ */ public function cwp_search_form( $params = array() ) { - $output = '<div class="cwp-frontend-search-form '. esc_attr($this->form_container_class) .'">+ $output = '<div class="cwp-frontend-form-container">+ <div class="cwp-frontend-search-form '. esc_attr($this->form_container_class) .'"> <form method="GET" id="'. esc_attr($this->form_id) .'" class="'. esc_attr($this->form_class) .'" action="'.esc_url(home_url('/')).'" class="cwp-search-form"> <input type="hidden" name="post_type" value="'. esc_attr($this->type) .'"> <input type="hidden" name="s" value="">'; - $output .= $this->cwp_search_form_fields();+ $fields_output = $this->cwp_search_form_fields();+ $output .= is_string($fields_output) ? $fields_output : ''; $output .= '</form>- </div>';+ </div></div>'; $output = apply_filters('cubewp/frontend/search/form', $output, $params, $this->search_fields);
Based on the analysis of the code diff, here are the security vulnerability findings:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Output Encoding (Potential Data Loss) - CWE-400 / Type Mismatch Handling - class-cubewp-frontend-search-fields.php, Lines 82-84**
Old Code:
```php
$output .= $this->cwp_search_form_fields();
```
Fixed Code:
```php
$fields_output = $this->cwp_search_form_fields();
$output .= is_string($fields_output) ? $fields_output : '';
```
Explanation:
The original code concatenates the return value of `cwp_search_form_fields()` directly to the output string without type validation. If this method returns a non-string value (null, array, object, etc.), PHP would convert it to a string using default type juggling, potentially resulting in unexpected output like "Array" or "Object". The fix validates that the return value is actually a string before concatenation, preventing potential output corruption and treating non-string returns as empty strings. While not a direct XSS vulnerability, this is a defensive programming practice that prevents unintended information disclosure and ensures predictable behavior.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
**Potential XSS via apply_filters - CWE-79 - class-cubewp-frontend-search-fields.php, Line 89**
Old Code & Fixed Code (Identical):
```php
$output = apply_filters('cubewp/frontend/search/form', $output, $params, $this->search_fields);
```
Explanation:
The diff does not modify the `apply_filters` call, but this remains a potential concern. The output is passed through a filter which could be hooked by plugins to modify the HTML. While individual output elements are escaped using `esc_attr()` and `esc_url()`, if a filter hook is compromised or malicious, it could inject unescaped content into `$output`. The fix does not address this, but it's not introduced by this patch. This depends on WordPress filter hook integrity.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/includes/shortcodes/class-cubewp-frontend-search-filter.php 2026-01-18 00:20:47.513238275 +0000+++ cache/cubewp-framework_1.1.28/cube/includes/shortcodes/class-cubewp-frontend-search-filter.php 2026-01-18 00:20:56.209778596 +0000@@ -168,7 +168,7 @@ self::$post_type = $type; ob_start();-+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::get_filters_wrap_start($type, $page_num); // Make sure this method escapes output inside self::get_hidden_field_if_tax(); echo do_shortcode($content); // Ensure any user-supplied content is secured upstream@@ -226,8 +226,8 @@ */ private static function get_filters_wrap_start($type='',$page_num=''){ ?>- <div class="cwp-search-filters-wrap <?php echo self::$form_container_class; ?>">- <form name="cwp-search-filters" class="cwp-search-filters <?php echo self::$form_class; ?>" id="<?php echo self::$form_id; ?>" method="post">+ <div class="cwp-search-filters-wrap <?php echo esc_attr(self::$form_container_class); ?>">+ <form name="cwp-search-filters" class="cwp-search-filters <?php echo esc_attr(self::$form_class); ?>" id="<?php echo esc_attr(self::$form_id); ?>" method="post"> <div class="cwp-reset-search-filters"> <p><?php esc_html_e('Filters', 'cubewp-framework'); ?></p> <a href="javascript:void(0);" class="clear-filters">@@ -240,6 +240,7 @@ </div> <div class="cwp-search-filters-fields"> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::filter_hidden_fields($type,$page_num); } @@ -270,8 +271,8 @@ if(empty($type)){ $type = _get_post_type(); }- if(isset($_GET['page_num'])){- $page_num = sanitize_text_field($_GET['page_num']);+ if(isset($_GET['page_num'])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $page_num = sanitize_text_field(wp_unslash($_GET['page_num']));// phpcs:ignore WordPress.Security.NonceVerification.Recommended }else{ $page_num = '1'; }@@ -303,7 +304,7 @@ public static function get_filters_taxonomy( $search_filter = array(), $field_name ='' ){ if( $search_filter['type'] == 'taxonomy' ){ $field_name = self::taxonomy_prefix($field_name);- $search_filter['value'] = isset($_GET[$field_name]) ? sanitize_text_field($_GET[$field_name]) : '';+ $search_filter['value'] = isset($_GET[$field_name]) ? sanitize_text_field(wp_unslash($_GET[$field_name])) : '';// phpcs:ignore WordPress.Security.NonceVerification.Recommended $search_filter['appearance'] = isset($search_filter['display_ui']) ? $search_filter['display_ui'] : ''; if(isset($search_filter['field_size'])){ unset($search_filter['field_size']);@@ -343,34 +344,30 @@ 'container_class' => '', 'placeholder' => '', );- $fieldOptions = wp_parse_args($fieldOptions, $defaults);- $fieldOptions['label'] = isset($search_filter['label']) ? $search_filter['label'] : $fieldOptions['label'];- $fieldOptions['name'] = isset($search_filter['name']) ? $search_filter['name'] : $fieldOptions['name'];- $fieldOptions['type'] = isset($search_filter['display_ui']) ? $search_filter['display_ui'] : $fieldOptions['type'];- $fieldOptions['container_class'] = isset($search_filter['container_class']) ? $search_filter['container_class'] : $fieldOptions['container_class'];- $fieldOptions['class'] = isset($search_filter['class']) ? $search_filter['class'] : $fieldOptions['class'];- $placeholder = isset($search_filter['placeholder']) && !empty($search_filter['placeholder']) ? $search_filter['placeholder'] : '';- $fieldOptions['placeholder'] = empty($placeholder) && isset($fieldOptions['placeholder']) ? $fieldOptions['placeholder'] : $placeholder;- - $field_type = isset($search_filter['display_ui']) ? $search_filter['display_ui'] : '';+ $fieldOptions = wp_parse_args($search_filter, wp_parse_args($fieldOptions, $defaults));+ $field_type = $fieldOptions['type'];+ if (isset($search_filter['display_ui']) && !empty($search_filter['display_ui'])) {+ $field_type = $search_filter['display_ui'];+ } if($fieldOptions['type'] == 'google_address' ){ $fieldOptions['custom_name_lat'] = $fieldOptions['name'].'_lat'; $fieldOptions['custom_name_lng'] = $fieldOptions['name'].'_lng'; $fieldOptions['custom_name_range'] = $fieldOptions['name'].'_range';- if(isset($_GET[$fieldOptions['name'].'_lat']) && !empty($_GET[$fieldOptions['name'].'_lat'])){- $fieldOptions['lat'] = sanitize_text_field($_GET[$fieldOptions['name'].'_lat']);++ if(isset($_GET[$fieldOptions['name'].'_lat']) && !empty($_GET[$fieldOptions['name'].'_lat'])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended+ $fieldOptions['lat'] = sanitize_text_field(wp_unslash($_GET[$fieldOptions['name'].'_lat']));// phpcs:ignore WordPress.Security.NonceVerification.Recommended }- if(isset($_GET[$fieldOptions['name'].'_lng']) && !empty($_GET[$fieldOptions['name'].'_lng'])){- $fieldOptions['lng'] = sanitize_text_field($_GET[$fieldOptions['name'].'_lng']);+ if(isset($_GET[$fieldOptions['name'].'_lng']) && !empty($_GET[$fieldOptions['name'].'_lng'])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended+ $fieldOptions['lng'] = sanitize_text_field(wp_unslash($_GET[$fieldOptions['name'].'_lng']));// phpcs:ignore WordPress.Security.NonceVerification.Recommended }- if(isset($_GET[$fieldOptions['name'].'_range']) && !empty($_GET[$fieldOptions['name'].'_range'])){- $fieldOptions['range'] = sanitize_text_field($_GET[$fieldOptions['name'].'_range']);+ if(isset($_GET[$fieldOptions['name'].'_range']) && !empty($_GET[$fieldOptions['name'].'_range'])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended+ $fieldOptions['range'] = sanitize_text_field(wp_unslash($_GET[$fieldOptions['name'].'_range']));// phpcs:ignore WordPress.Security.NonceVerification.Recommended } } - if(isset($_GET[$fieldOptions['name']]) && !empty($_GET[$fieldOptions['name']])){- $fieldOptions['value'] = sanitize_text_field($_GET[$fieldOptions['name']]); + if(isset($_GET[$fieldOptions['name']]) && !empty($_GET[$fieldOptions['name']])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended+ $fieldOptions['value'] = sanitize_text_field(wp_unslash($_GET[$fieldOptions['name']]));// phpcs:ignore WordPress.Security.NonceVerification.Recommended } if(!empty(self::$conditional_filters) && self::$conditional_filters == '1'){@@ -466,6 +463,7 @@ if(($search_filter['type'] == 'number' || $search_filter['type'] == 'date_picker') && isset($search_filter['sorting']) && $search_filter['sorting'] == 1){ self::$sorting[$search_filter['label']] = $search_filter['name']; }+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::get_filters_content($search_filter,$field_name); } }@@ -511,10 +509,10 @@ ?> <div class="cwp-container cwp-archive-container"> <div class="cwp-row">- <div class="<?php esc_attr_e($filter_area_cols); ?> cwp-archive-sidebar-filters-container">- <?php echo do_shortcode('[cwpFilterFields type='.$type.']') ?>+ <div class="<?php echo esc_attr($filter_area_cols); ?> cwp-archive-sidebar-filters-container">+ <?php echo do_shortcode('[cwpFilterFields type='.esc_attr($type).']') ?> </div>- <div class="<?php esc_attr_e($content_area_cols); ?> cwp-archive-content-container">+ <div class="<?php echo esc_attr($content_area_cols); ?> cwp-archive-content-container"> <div class="cwp-archive-content-listing"> <div class="cwp-breadcrumb-results"> <?php if ($archive_sort_filter || $archive_layout || $archive_found_text) { ?>
Now I'll provide the security analysis of the diff:
---
## Security Analysis Results
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-frontend-search-filter.php - Lines 229-230
Old Code:
```php
<div class="cwp-search-filters-wrap <?php echo self::$form_container_class; ?>">
<form name="cwp-search-filters" class="cwp-search-filters <?php echo self::$form_class; ?>" id="<?php echo self::$form_id; ?>" method="post">
```
Fixed Code:
```php
<div class="cwp-search-filters-wrap <?php echo esc_attr(self::$form_container_class); ?>">
<form name="cwp-search-filters" class="cwp-search-filters <?php echo esc_attr(self::$form_class); ?>" id="<?php echo esc_attr(self::$form_id); ?>" method="post">
```
Explanation:
Class and ID attributes were being output without escaping. If these properties contain user-controlled or untrusted data, they could be exploited for XSS attacks by injecting malicious attributes or JavaScript event handlers (e.g., `" onload="alert('xss')"`). The fix applies `esc_attr()` to properly escape these values for use in HTML attributes.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Special Elements used in an SQL Command - CWE-89 (related) / Insecure Direct Object Reference - CWE-639 - class-cubewp-frontend-search-filter.php - Lines 274-275
Old Code:
```php
if(isset($_GET['page_num'])){
$page_num = sanitize_text_field($_GET['page_num']);
```
Fixed Code:
```php
if(isset($_GET['page_num'])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.
$page_num = sanitize_text_field(wp_unslash($_GET['page_num']));// phpcs:ignore WordPress.Security.NonceVerification.Recommended
```
Explanation:
Direct access to `$_GET` without `wp_unslash()` can bypass sanitization in WordPress. The `sanitize_text_field()` function expects the input to be properly unslashed first. Without `wp_unslash()`, slashes are not properly handled, potentially leaving the data in an unsafe state. The fix adds `wp_unslash()` before sanitization.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Special Elements used in an SQL Command - CWE-89 (related) - class-cubewp-frontend-search-filter.php - Line 307
Old Code:
```php
$search_filter['value'] = isset($_GET[$field_name]) ? sanitize_text_field($_GET[$field_name]) : '';
```
Fixed Code:
```php
$search_filter['value'] = isset($_GET[$field_name]) ? sanitize_text_field(wp_unslash($_GET[$field_name])) : '';// phpcs:ignore WordPress.Security.NonceVerification.Recommended
```
Explanation:
Same issue as Vulnerability 2. Direct `$_GET` access without `wp_unslash()` can circumvent proper sanitization. The fix ensures all slashes are properly removed before sanitization.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Special Elements used in an SQL Command - CWE-89 (related) - class-cubewp-frontend-search-filter.php - Lines 359-361
Old Code:
```php
if(isset($_GET[$fieldOptions['name'].'_lat']) && !empty($_GET[$fieldOptions['name'].'_lat'])){
$fieldOptions['lat'] = sanitize_text_field($_GET[$fieldOptions['name'].'_lat']);
}
if(isset($_GET[$fieldOptions['name'].'_lng']) && !empty($_GET[$fieldOptions['name'].'_lng'])){
$fieldOptions['lng'] = sanitize_text_field($_GET[$fieldOptions['name'].'_lng']);
}
if(isset($_GET[$fieldOptions['name'].'_range']) && !empty($_GET[$fieldOptions['name'].'_range'])){
$fieldOptions['range'] = sanitize_text_field($_GET[$fieldOptions['name'].'_range']);
}
```
Fixed Code:
```php
if(isset($_GET[$fieldOptions['name'].'_lat']) && !empty($_GET[$fieldOptions['name'].'_lat'])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended
$fieldOptions['lat'] = sanitize_text_field(wp_unslash($_GET[$fieldOptions['name'].'_lat']));// phpcs:ignore WordPress.Security.NonceVerification.Recommended
}
if(isset($_GET[$fieldOptions['name'].'_lng']) && !empty($_GET[$fieldOptions['name'].'_lng'])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended
$fieldOptions['lng'] = sanitize_text_field(wp_unslash($_GET[$fieldOptions['name'].'_lng']));// phpcs:ignore WordPress.Security.NonceVerification.Recommended
}
if(isset($_GET[$fieldOptions['name'].'_range']) && !empty($_GET[$fieldOptions['name'].'_range'])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended
$fieldOptions['range'] = sanitize_text_field(wp_unslash($_GET[$fieldOptions['name'].'_range']));// phpcs:ignore WordPress.Security.NonceVerification.Recommended
}
```
Explanation:
Multiple instances of the same vulnerability. Direct `$_GET` access without `wp_unslash()` before sanitization. The fix applies `wp_unslash()` to all three field parameters.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Special Elements used in an SQL Command - CWE-89 (related) - class-cubewp-frontend-search-filter.php - Lines 371-372
Old Code:
```php
if(isset($_GET[$fieldOptions['name']]) && !empty($_GET[$fieldOptions['name']])){
$fieldOptions['value'] = sanitize_text_field($_GET[$fieldOptions['name']]);
```
Fixed Code:
```php
if(isset($_GET[$fieldOptions['name']]) && !empty($_GET[$fieldOptions['name']])){// phpcs:ignore WordPress.Security.NonceVerification.Recommended
$fieldOptions['value'] = sanitize_text_field(wp_unslash($_GET[$fieldOptions['name']]));// phpcs:ignore WordPress.Security.NonceVerification.Recommended
```
Explanation:
Same vulnerability pattern repeated. Direct `$_GET` access without `wp_unslash()` before sanitization. The fix properly unslashes the input.
---
**Vulnerability 6:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-frontend-search-filter.php - Lines 514-515
Old Code:
```php
<div class="<?php esc_attr_e($filter_area_cols); ?> cwp-archive-sidebar-filters-container">
<?php echo do_shortcode('[cwpFilterFields type='.$type.']') ?>
</div>
<div class="<?php esc_attr_e($content_area_cols); ?> cwp-archive-content-container">
```
Fixed Code:
```php
<div class="<?php echo esc_attr($filter_area_cols); ?> cwp-archive-sidebar-filters-container">
<?php echo do_shortcode('[cwpFilterFields type='.esc_attr($type).']') ?>
</div>
<div class="<?php echo esc_attr($content_area_cols); ?> cwp-archive-content-container">
```
Explanation:
Multiple XSS vulnerabilities: (1) `esc_attr_e()` is incorrect for echoing HTML attributes - it's for translation and echoes directly; should use `echo esc_attr()` instead. (2) `$type` variable in shortcode attribute is not escaped, allowing injection of shortcode attributes. The fix uses `esc_attr()` correctly and escapes `$type` in the shortcode.
---
**Summary:** The diff addresses 6 security vulnerabilities:
- 2 XSS vulnerabilities in HTML output escaping
- 4 improper input sanitization issues (missing `wp_unslash()` on `$_GET` parameters before sanitization)
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/includes/widgets/class-cubewp-posts-widget.php 2026-01-18 00:20:47.517238524 +0000+++ cache/cubewp-framework_1.1.28/cube/includes/widgets/class-cubewp-posts-widget.php 2026-01-18 00:20:56.209778596 +0000@@ -1,4 +1,13 @@ <?php+/**+ * CubeWp Posts Widget.+ *+ * @version 1.0+ * @package cubewp/cube/includes/widgets+ */++// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined( 'ABSPATH' ) ) { exit; }@@ -30,11 +39,15 @@ $after_title = !isset($after_title) ? $args['after_title'] : $after_title; $after_widget = !isset($after_widget) ? $args['after_widget'] : $after_widget; $title = apply_filters( 'widget_title', $instance['title'] );+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($before_widget); if ( ! empty( $title ) ) {+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($before_title) . sanitize_text_field($title) . cubewp_core_data($after_title); }+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::cwp_widget_get_posts();+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($after_widget); } @@ -73,7 +86,7 @@ if ( ! empty( $Term ) ) { $termOBJ = get_term( $Term ); if ( is_object( $termOBJ ) ) {- $args['tax_query'] = array(+ $args['tax_query'] = array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_tax_query array( 'taxonomy' => $termOBJ->taxonomy, 'field' => 'slug',@@ -101,13 +114,15 @@ <p> <label for="<?php echo esc_attr( $this->get_field_id( 'postType' ) ); ?>"><?php esc_html_e( 'Select Post Type', 'cubewp-framework' ); ?></label> <select id="<?php echo esc_attr( $this->get_field_id( 'postType' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'postType' ) ); ?>" class="widefat cwp-widget-select-posttype">- <?php echo self::cwp_widget_get_postTypes_options( $postType ); ?>+ <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo self::cwp_widget_get_postTypes_options( $postType ); ?> </select> </p> <p> <label for="<?php echo esc_attr( $this->get_field_id( 'Term' ) ); ?>"><?php esc_html_e( 'Select Term', 'cubewp-framework' ); ?></label> <select id="<?php echo esc_attr( $this->get_field_id( 'Term' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'Term' ) ); ?>" class="widefat cwp-widget-select-term">- <?php echo self::cwp_widget_get_Terms_options( $Term, $postType ); ?>+ <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo self::cwp_widget_get_Terms_options( $Term, $postType ); ?> </select> </p> <p>@@ -201,7 +216,7 @@ public function cwp_get_terms_by_post_type() { check_ajax_referer( 'cubewp-admin-nonce', 'nonce' );- $post_type = sanitize_text_field( $_POST['post_type'] );+ $post_type = isset( $_POST['post_type'] ) ? sanitize_text_field( wp_unslash( $_POST['post_type'] ) ) : ''; $termsIDS = self::cwp_widget_get_Terms_options( null, $post_type, true ); wp_send_json_success( $termsIDS ); }@@ -209,7 +224,7 @@ public function update( $new_instance, $old_instance ) { $instance = array(); - $instance['title'] = ( ! empty( $new_instance['title'] ) ) ? strip_tags( $new_instance['title'] ) : '';+ $instance['title'] = ( ! empty( $new_instance['title'] ) ) ? wp_strip_all_tags( $new_instance['title'] ) : ''; $instance['postType'] = ( ! empty( $new_instance['postType'] ) ) ? $new_instance['postType'] : ''; $instance['Term'] = ( ! empty( $new_instance['Term'] ) ) ? $new_instance['Term'] : ''; $instance['postsPerPage'] = ( ! empty( $new_instance['postsPerPage'] ) ) ? $new_instance['postsPerPage'] : '';
# Security Analysis Report ## Vulnerability 1 **Vulnerability Existed:** yes **Improper Input Validation - CWE-20 - class-cubewp-posts-widget.php - Line 219** **Old Code:** ```php $post_type = sanitize_text_field( $_POST['post_type'] ); ``` **Fixed Code:** ```php $post_type = isset( $_POST['post_type'] ) ? sanitize_text_field( wp_unslash( $_POST['post_type'] ) ) : ''; ``` **Explanation:** The original code directly accessed `$_POST['post_type']` without checking if the key exists, which could trigger PHP notices/warnings if the POST parameter is missing. More critically, the fix adds `wp_unslash()` to properly handle WordPress-applied slashes before sanitization, and adds proper isset() checking. This prevents potential undefined index errors and ensures proper handling of user input in AJAX contexts. --- ## Vulnerability 2 **Vulnerability Existed:** yes **Use of Risky Function - CWE-95 - class-cubewp-posts-widget.php - Line 227** **Old Code:** ```php $instance['title'] = ( ! empty( $new_instance['title'] ) ) ? strip_tags( $new_instance['title'] ) : ''; ``` **Fixed Code:** ```php $instance['title'] = ( ! empty( $new_instance['title'] ) ) ? wp_strip_all_tags( $new_instance['title'] ) : ''; ``` **Explanation:** The code was replaced from PHP's generic `strip_tags()` to WordPress's `wp_strip_all_tags()`. While both remove HTML tags, `wp_strip_all_tags()` is the WordPress-recommended function for widget title sanitization as it properly handles WordPress standards and edge cases. This is a best-practice security improvement for data validation in WordPress contexts. --- ## Non-Vulnerabilities **phpcs:ignore Comments Added:** The diff adds multiple `phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` comments. These are NOT security fixes but rather static analysis suppressions. The underlying code (`cubewp_core_data()` function calls) presumably handles escaping internally, but without access to that function's implementation, the added comments indicate the developers are acknowledging these outputs and claiming they're properly escaped elsewhere.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/includes/widgets/class-cubewp-terms-widget.php 2026-01-18 00:20:47.517238524 +0000+++ cache/cubewp-framework_1.1.28/cube/includes/widgets/class-cubewp-terms-widget.php 2026-01-18 00:20:56.209778596 +0000@@ -1,4 +1,13 @@ <?php+/**+ * CubeWp Terms Widget.+ *+ * @version 1.0+ * @package cubewp/cube/includes/widgets+ */++// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined( 'ABSPATH' ) ) { exit; }@@ -26,11 +35,15 @@ $after_title = !isset($after_title) ? $args['after_title'] : $after_title; $after_widget = !isset($after_widget) ? $args['after_widget'] : $after_widget; $title = apply_filters( 'widget_title', $instance['title'] );+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($before_widget); if ( ! empty( $title ) ) {+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($before_title) . sanitize_text_field($title) . cubewp_core_data($after_title); }+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::cwp_widget_get_terms();+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($after_widget); } @@ -88,7 +101,8 @@ <p> <label for="<?php echo esc_attr( $this->get_field_id( 'Taxonomy' ) ); ?>"><?php esc_html_e( 'Select Taxonomy', 'cubewp-framework' ); ?></label> <select id="<?php echo esc_attr( $this->get_field_id( 'Taxonomy' ) ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'Taxonomy' ) ); ?>" class="widefat">- <?php echo self::cwp_widget_get_taxonomies_options( $Taxonomy ); ?>+ <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo self::cwp_widget_get_taxonomies_options( $Taxonomy ); ?> </select> </p> <p>@@ -136,12 +150,12 @@ public function update( $new_instance, $old_instance ) { $instance = array(); - $instance['title'] = (!empty($new_instance['title'])) ? strip_tags($new_instance['title']) : '';- $instance['Taxonomy'] = (!empty($new_instance['Taxonomy'])) ? strip_tags($new_instance['Taxonomy']) : '';- $instance['termsNumber'] = (!empty($new_instance['termsNumber'])) ? strip_tags($new_instance['termsNumber']) : '';- $instance['hideEmpty'] = (!empty($new_instance['hideEmpty'])) ? strip_tags($new_instance['hideEmpty']) : '';- $instance['orderBy'] = (!empty($new_instance['orderBy'])) ? strip_tags($new_instance['orderBy']) : '';- $instance['termsOrder'] = (!empty($new_instance['termsOrder'])) ? strip_tags($new_instance['termsOrder']) : '';+ $instance['title'] = (!empty($new_instance['title'])) ? wp_strip_all_tags($new_instance['title']) : '';+ $instance['Taxonomy'] = (!empty($new_instance['Taxonomy'])) ? wp_strip_all_tags($new_instance['Taxonomy']) : '';+ $instance['termsNumber'] = (!empty($new_instance['termsNumber'])) ? wp_strip_all_tags($new_instance['termsNumber']) : '';+ $instance['hideEmpty'] = (!empty($new_instance['hideEmpty'])) ? wp_strip_all_tags($new_instance['hideEmpty']) : '';+ $instance['orderBy'] = (!empty($new_instance['orderBy'])) ? wp_strip_all_tags($new_instance['orderBy']) : '';+ $instance['termsOrder'] = (!empty($new_instance['termsOrder'])) ? wp_strip_all_tags($new_instance['termsOrder']) : ''; return $instance; }
Vulnerability Existed: yes TRUE POSITIVE Cross Site Scripting (XSS) - CWE-79 - cube/includes/widgets/class-cubewp-terms-widget.php Lines 150-155 ``` $instance['title'] = (!empty($new_instance['title'])) ? strip_tags($new_instance['title']) : ''; $instance['Taxonomy'] = (!empty($new_instance['Taxonomy'])) ? strip_tags($new_instance['Taxonomy']) : ''; $instance['termsNumber'] = (!empty($new_instance['termsNumber'])) ? strip_tags($new_instance['termsNumber']) : ''; $instance['hideEmpty'] = (!empty($new_instance['hideEmpty'])) ? strip_tags($new_instance['hideEmpty']) : ''; $instance['orderBy'] = (!empty($new_instance['orderBy'])) ? strip_tags($new_instance['orderBy']) : ''; $instance['termsOrder'] = (!empty($new_instance['termsOrder'])) ? strip_tags($new_instance['termsOrder']) : ''; ``` ``` $instance['title'] = (!empty($new_instance['title'])) ? wp_strip_all_tags($new_instance['title']) : ''; $instance['Taxonomy'] = (!empty($new_instance['Taxonomy'])) ? wp_strip_all_tags($new_instance['Taxonomy']) : ''; $instance['termsNumber'] = (!empty($new_instance['termsNumber'])) ? wp_strip_all_tags($new_instance['termsNumber']) : ''; $instance['hideEmpty'] = (!empty($new_instance['hideEmpty'])) ? wp_strip_all_tags($new_instance['hideEmpty']) : ''; $instance['orderBy'] = (!empty($new_instance['orderBy'])) ? wp_strip_all_tags($new_instance['orderBy']) : ''; $instance['termsOrder'] = (!empty($new_instance['termsOrder'])) ? wp_strip_all_tags($new_instance['termsOrder']) : ''; ``` Explanation: The original code used PHP's native `strip_tags()` function which only removes HTML/XML tags but does not properly sanitize dangerous content. While it removes angle brackets, it can still miss encoded entities and attribute-based attacks. WordPress's `wp_strip_all_tags()` is more robust for sanitizing user input in widget settings, as it properly handles additional edge cases and follows WordPress security standards. The fix replaces an inadequate tag-stripping approach with WordPress's dedicated sanitization function, reducing XSS risk when processing widget configuration data.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/builder/class-cubewp-loop-builder.php 2026-01-18 00:20:47.517238524 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/builder/class-cubewp-loop-builder.php 2026-01-18 00:20:56.209778596 +0000@@ -62,7 +62,7 @@ add_filter("cubewp/loop/builder/{$post_type}/default_style/markup", [$this, 'cubewp_default_post_card'], 10); } } - ?> +?> <div class="cubewp-content"> <?php self::cubewp_loop_builder_title_bar(); @@ -74,10 +74,11 @@ ?> </section> </div> - <?php + <?php } - public static function get_loop_builder_data() { + public static function get_loop_builder_data() + { if (is_null(self::$cubewp_loop_builder_data)) { $form_data = CWP()->get_form('loop_builder'); self::$cubewp_loop_builder_data = is_array($form_data) ? $form_data : []; @@ -126,11 +127,11 @@ { ?> <section id="cubewp-title-bar"> - <h1><?php esc_html_e('Post Card Customizer', 'cubewp-frontend'); ?></h1> + <h1><?php esc_html_e('Post Card Customizer', 'cubewp-framework'); ?></h1> <div class="shoftcode-area"> <div class="cwpform-shortcode"></div> <button class="button-primary cwpform-get-shortcode"> - <?php esc_html_e('Save Changes', 'cubewp-frontend'); ?> + <?php esc_html_e('Save Changes', 'cubewp-framework'); ?> </button> </div> </section> @@ -178,14 +179,14 @@ private static function cubewp_loop_builder_switcher_options() { $post_types = self::$cubewp_style_options; - + if (! empty($post_types) && is_array($post_types)) { $unset_switch_types = apply_filters('cubewp/exclude/content/switcher/loop_builder', array()); $unset_switch_types = !empty($unset_switch_types) ? $unset_switch_types : array(); $loop_style_switcher = ''; ?> <div class="cubewp-builder-sidebar-option"> - <label for="cubewp-builder-cpt"><?php esc_html_e('Select Post Type', 'cubewp-frontend'); ?></label> + <label for="cubewp-builder-cpt"><?php esc_html_e('Select Post Type', 'cubewp-framework'); ?></label> <select name="cubewp-builder-cpt" id="cubewp-builder-cpt" class="cubewp-tab-switcher cubewp-tab-switcher-trigger-on-load cubewp-tab-switcher-have-child"> <?php @@ -218,10 +219,10 @@ $selected = "selected=selected"; } $id = $post_type . '-' . $loop_style; - + ?> <option - data-switcher-target="cubewp-switcher-tab-<?php echo esc_attr($id); ?>" <?php echo $selected; ?> + data-switcher-target="cubewp-switcher-tab-<?php echo esc_attr($id); ?>" <?php echo esc_attr($selected); ?> value="<?php echo esc_attr($loop_style); ?>"><?php echo esc_html($_label); ?> </option> <?php @@ -238,10 +239,11 @@ </select> </div> <?php + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($loop_style_switcher); } else { ?> - <h4><?php esc_html_e('No Post Type Found', 'cubewp-frontend'); ?></h4> + <h4><?php esc_html_e('No Post Type Found', 'cubewp-framework'); ?></h4> <?php } } @@ -250,22 +252,22 @@ { $wp_default_fields = cubewp_post_type_default_fields($post_type); $wp_default_fields['the_excerpt'] = array( - 'label' => __("Excerpt", "cubewp-frontend"), + 'label' => __("Excerpt", "cubewp-framework"), 'name' => 'the_excerpt', 'type' => 'wysiwyg_editor', ); $wp_default_fields['post_link'] = array( - 'label' => __("Post Link", "cubewp-frontend"), + 'label' => __("Post Link", "cubewp-framework"), 'name' => 'post_link', 'type' => 'url', ); $wp_default_fields['the_date'] = array( - 'label' => __("Post Date", "cubewp-frontend"), + 'label' => __("Post Date", "cubewp-framework"), 'name' => 'the_date', 'type' => 'date', ); $wp_default_fields['post_class'] = array( - 'label' => __("Post Class", "cubewp-frontend"), + 'label' => __("Post Class", "cubewp-framework"), 'name' => 'post_class', 'type' => 'class', 'attributes' => '{cwp-col-12__cwp-col-md-4}', @@ -275,7 +277,7 @@ ?> <div class="cubewp-builder-section cubewp-expand-container active-expanded"> <div class="cubewp-builder-section-header"> - <h3><?php esc_html_e('WordPress Default Fields', 'cubewp-frontend'); ?></h3> + <h3><?php esc_html_e('WordPress Default Fields', 'cubewp-framework'); ?></h3> <div class="cubewp-builder-section-actions"> <span class="dashicons dashicons-arrow-down-alt2 cubewp-builder-section-action-expand cubewp-expand-trigger expanded"></span> @@ -298,7 +300,7 @@ ?> <div class="cubewp-builder-section cubewp-expand-container"> <div class="cubewp-builder-section-header"> - <h3><?php esc_html_e('Taxonomies', 'cubewp-frontend'); ?></h3> + <h3><?php esc_html_e('Taxonomies', 'cubewp-framework'); ?></h3> <div class="cubewp-builder-section-actions"> <span class="dashicons dashicons-arrow-down-alt2 cubewp-builder-section-action-expand cubewp-expand-trigger"></span> @@ -320,7 +322,7 @@ ?> <div class="cubewp-builder-section cubewp-expand-container"> <div class="cubewp-builder-section-header"> - <h3><?php esc_html_e('Author', 'cubewp-frontend'); ?></h3> + <h3><?php esc_html_e('Author', 'cubewp-framework'); ?></h3> <div class="cubewp-builder-section-actions"> <span class="dashicons dashicons-arrow-down-alt2 cubewp-builder-section-action-expand cubewp-expand-trigger"></span> @@ -328,15 +330,15 @@ </div> <div class="cubewp-loop-builder-fields cubewp-expand-target"> <?php - self::cubewp_get_loop_shortcode_field('author_name', esc_html__('Author Name', 'cubewp-frontend')); - self::cubewp_get_loop_shortcode_field('author_link', esc_html__('Author Link', 'cubewp-frontend')); - self::cubewp_get_loop_shortcode_field('author_avatar', esc_html__('Author Avatar', 'cubewp-frontend')); + self::cubewp_get_loop_shortcode_field('author_name', esc_html__('Author Name', 'cubewp-framework')); + self::cubewp_get_loop_shortcode_field('author_link', esc_html__('Author Link', 'cubewp-framework')); + self::cubewp_get_loop_shortcode_field('author_avatar', esc_html__('Author Avatar', 'cubewp-framework')); ?> </div> </div> <div class="cubewp-builder-section cubewp-expand-container"> <div class="cubewp-builder-section-header"> - <h3><?php esc_html_e('CubeWP UI & Custom Tags', 'cubewp-frontend'); ?></h3> + <h3><?php esc_html_e('CubeWP UI & Custom Tags', 'cubewp-framework'); ?></h3> <div class="cubewp-builder-section-actions"> <span class="dashicons dashicons-arrow-down-alt2 cubewp-builder-section-action-expand cubewp-expand-trigger"></span> @@ -345,7 +347,7 @@ <div class="cubewp-loop-builder-fields cubewp-expand-target"> <?php $cubewp_tags = array( - 'post_save' => esc_html__('Add | Remove Save', 'cubewp-frontend') + 'post_save' => esc_html__('Add | Remove Save', 'cubewp-framework') ); $custom_tags = apply_filters("cubewp/post/cards/{$post_type}/custom/tags", []); $all_tags = array_merge($cubewp_tags, $custom_tags); @@ -419,7 +421,7 @@ ?> <div class="cubewp-builder-section cubewp-expand-container"> <div class="cubewp-builder-section-header"> - <h3><?php echo get_the_title($group_id); ?></h3> + <h3><?php echo esc_html(get_the_title($group_id)); ?></h3> <?php if (! empty($terms)) { $separator = ''; @@ -436,7 +438,7 @@ <span class="dashicons dashicons-editor-help"></span> <div class="cwp-ctp-toolTips drop-left"> <div class="cwp-ctp-toolTip"> - <h4><?php esc_html_e('Associated Taxonomies', 'cubewp-frontend'); ?></h4> + <h4><?php esc_html_e('Associated Taxonomies', 'cubewp-framework'); ?></h4> <p class="cwp-ctp-tipContent"><?php echo esc_html($_terms); ?></p> </div> </div> @@ -575,7 +577,7 @@ <div class="cubewp-builder-container-topbar"> <button class="button form-settings-form"> <span class="dashicons dashicons-admin-generic"></span> - <?php esc_html_e('Loop Settings', 'cubewp-frontend'); ?> + <?php esc_html_e('Loop Settings', 'cubewp-framework'); ?> </button> </div> @@ -584,11 +586,11 @@ <div class="form-settings"> <div class="cwpform-settings"> <div class="cwpform-setting-label"> - <h2><?php esc_html_e('Loop Settings', 'cubewp-frontend'); ?></h2> + <h2><?php esc_html_e('Loop Settings', 'cubewp-framework'); ?></h2> </div> <div class="cwpform-setting-fields"> <div class="cwpform-setting-field" style="display: none;"> - <label><?php esc_html_e('Loop Container Classes', 'cubewp-frontend'); ?></label> + <label><?php esc_html_e('Loop Container Classes', 'cubewp-framework'); ?></label> <?php $input_attrs = array( 'class' => 'form-field', @@ -596,11 +598,12 @@ 'value' => $loop_container_class, 'extra_attrs' => 'data-name="loop-container-class"', ); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cwp_render_text_input($input_attrs); ?> </div> <div class="cwpform-setting-field"> - <label><?php esc_html_e('Select post for preview', 'cubewp-frontend'); ?></label> + <label><?php esc_html_e('Select post for preview', 'cubewp-framework'); ?></label> <?php $args = array( 'post_type' => $post_type, @@ -626,9 +629,10 @@ 'options' => $posts, 'extra_attrs' => 'data-name="preview-postid"', ); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cwp_render_dropdown_input($input_attrs); ?> - <h4><?php esc_html_e('Make this Post-Card primary for this Post-Type', 'cubewp-frontend'); ?></h4> + <h4><?php esc_html_e('Make this Post-Card primary for this Post-Type', 'cubewp-framework'); ?></h4> <?php $input_attrs = array( 'name' => 'loop-is-primary', @@ -636,6 +640,7 @@ 'value' => $loop_is_primary, 'extra_attrs' => 'data-name="loop-is-primary"', ); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cwp_render_switch_input($input_attrs); ?> </div> @@ -647,10 +652,11 @@ <div class="cubewp-builder-section cubewp-expand-container"> <div class="cubewp-loop-preview"></div> <style> - <?php echo cubewp_core_data(stripslashes($loop_layout_css)); ?> + <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped + echo cubewp_core_data(stripslashes($loop_layout_css)); ?> </style> <div class="cubewp-builder-section-header"> - <h3><?php esc_html_e('Edit Post Card Layout', 'cubewp-frontend'); ?></h3> + <h3><?php esc_html_e('Edit Post Card Layout', 'cubewp-framework'); ?></h3> <div class="cubewp-builder-section-actions"> <span class="dashicons dashicons-arrow-down-alt2 cubewp-builder-section-action-expand cubewp-expand-trigger expanded"></span> </div> @@ -672,6 +678,7 @@ 'extra_attrs' => 'data-name="loop-layout-html" data-editor="cubewp-loop-builder-' . $post_type . '-' . $style . '-html-editor" data-mode="html" data-theme="monokai"', 'rows' => 50, ); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cwp_render_textarea_input($field_args); ?> </div> @@ -681,7 +688,7 @@ <div class="cubewp-builder-section cubewp-expand-container"> <div class="cubewp-builder-section-header"> - <h3><?php esc_html_e('Layout CSS', 'cubewp-frontend'); ?></h3> + <h3><?php esc_html_e('Layout CSS', 'cubewp-framework'); ?></h3> <div class="cubewp-builder-section-actions"> <span class="dashicons dashicons-arrow-down-alt2 cubewp-builder-section-action-expand cubewp-expand-trigger expanded"></span> </div> @@ -703,6 +710,7 @@ 'extra_attrs' => 'data-name="loop-layout-css" data-editor="cubewp-loop-builder-' . $post_type . '-' . $style . '-css-editor" data-mode="css" data-theme="monokai"', 'rows' => 50, ); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cwp_render_textarea_input($field_argss); ?> </div> @@ -734,21 +742,22 @@ ), ); foreach ($hidden_fields as $field) { + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cwp_render_hidden_input($field); } } public static function cubewp_process_post_card_preview() { - if (! wp_verify_nonce($_POST['security_nonce'], "cubewp-admin-nonce")) { + if (!isset($_POST['security_nonce']) || ! wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['security_nonce'])), "cubewp-admin-nonce")) { wp_send_json_error(array( 'msg' => esc_html__('Sorry! Security Verification Failed.', 'cubewp-framework'), ), 404); } if (isset($_POST['html']) && !empty($_POST['html'])) { - $postID = isset($_POST['post_id']) && !empty($_POST['post_id']) ? $_POST['post_id'] : 1; - $loop_layout_html = $_POST['html']; + $postID = isset($_POST['post_id']) && !empty($_POST['post_id']) ? intval(wp_unslash($_POST['post_id'])) : 1; + $loop_layout_html = $_POST['html'];// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized $string = stripslashes($loop_layout_html); $string = cubewp_process_post_card($string, $postID); } else { @@ -786,7 +795,7 @@ } $combinedArray = array_merge($existingArray, $file_content); - + /* phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_var_export */ $combinedArrayCode = '<?php' . PHP_EOL . 'return ' . var_export($combinedArray, true) . ';' . PHP_EOL . '?>'; if (file_put_contents($filePath, $combinedArrayCode) === false) { @@ -800,205 +809,202 @@ public static function cubewp_default_post_card($content) { return array( - 'html' => <<<HTML - <div [loop_post_class{cwp-col-12__cwp-col-md-4}] > - <div class="cwp-post"> - <div class="cwp-post-thumbnail"> - <a href=" [loop_post_link] "> - <img src=" [loop_featured_image] " alt=""> - </a> - - <div class="cwp-archive-save"> - <div class="cwp-single-save-btns cwp-single-widget"> - [loop_post_save] - </div> - </div> - </div> - <div class="cwp-post-content-container"> - <div class="cwp-post-content"> - <h4><a href=" [loop_post_link] "> [loop_the_title] </a> - </h4> - [loop_the_content] - </div> - <ul class="cwp-post-terms"> - <li> - <a href=" [loop_property_type_tax_link] "> [loop_property_type] </a> - </li> - </ul> - </div> - </div> - </div> - HTML, - 'css' => <<<HTML - /*----Grid View-----*/ - .cwp-post { - background: #ffffff; - border: 1px solid #e0e0e0; - border-radius: 5px; - filter: drop-shadow(0 2px 6px rgba(0, 0, 0, 0.102218)); - margin: 10px 0px; - overflow: hidden; - transition: 300ms; - } - - .cwp-post:hover { - filter: none; - } - - .cwp-post-thumbnail { - height: 220px; - width: 100%; - position: relative; - } - - .cwp-post .cwp-post-thumbnail img { - height: 100%; - object-fit: cover; - transition: 300ms; - width: 100%; - } - - /*-------List View------*/ - .list-view .cwp-col-12 { - width: 100% !important; - } - - .list-view .cwp-post { - align-items: flex-start; - display: flex; - flex-wrap: wrap; - justify-content: flex-start; - position: relative; - } - - .list-view .cwp-post-thumbnail { - width: 30%; - min-height: 160px; - height: 185px; - } - - .list-view .cwp-post-content-container { - width: 70%; - } - - .list-view .cwp-post-content { - padding: 30px 20px; - } - - .list-view .cwp-post-content h4 { - overflow: hidden; - text-overflow: ellipsis; - white-space: nowrap; - width: 100%; - } - - .list-view ul.cwp-post-terms { - padding: 20px 20px 0 20px; - } - - .cwp-promoted-post { - border: 1px solid #ddbb2a; - border-radius: 4px; - color: #ddbb2a; - cursor: default; - display: inline-block; - font-size: 10px; - line-height: 1; - padding: 2px 5px; - position: relative; - top: -2px; - } - - .cwp-post-content { - padding: 15px; - } - - .cwp-post-content h4 { - font-size: 20px; - font-weight: bold; - line-height: 1.3; - margin: 0 0 5px 0; - text-overflow: ellipsis; - overflow: hidden; - white-space: nowrap; - } - - .cwp-post-content p { - font-size: 14px; - line-height: 1.3; - margin: 0 0 0 0; - } - - .cwp-post-terms { - align-items: center; - border-top: 1px solid #e0e0e0; - display: flex; - flex-wrap: wrap; - justify-content: flex-start; - line-height: 1.5; - list-style: none; - margin: 0; - padding: 15px 15px 10px; - } - - .cwp-post-terms li { - margin: 0 5px 5px 0; - } - - .cwp-post-terms li a { - display: block; - font-size: 12px; - background: #f6f6f6; - max-width: 100px; - overflow: hidden; - text-overflow: ellipsis; - white-space: nowrap; - padding: 8px 8px; - font-weight: 500; - text-transform: capitalize; - border-radius: 210px; - line-height: 10px; - color: #343A40; - } - - /*---Save button-------*/ - .cwp-archive-save { - position: absolute; - background: rgba(0, 0, 0, 0) linear-gradient(0deg, rgba(0, 0, 0, .9) 8%, rgba(0, 0, 0, 0) 94%) repeat scroll 0 0; - bottom: 0; - padding: 15px 14px 5px 14px; - width: 100%; - } - - .cwp-archive-save .cwp-single-save-btns.cwp-single-widget { - float: right; - color: #fff; - } - - span.cwp-main.cwp-save-post svg:nth-child(2) { - display: none; - } - - span.cwp-main.cwp-saved-post svg:first-child { - display: none; - } - - .cwp-single-save-btns.cwp-single-widget span.cwp-main, - .cwp-single-share-btn.cwp-single-widget span.cwp-main { - cursor: pointer; - } - .cwp-post-boosted { - padding: 1px 10px; - position: absolute; - top: 15px; - left: 15px; - background: #FFBB00; - border-radius: 12px; - color: #000000; - font-weight: 500; - font-size: 13px; - } - HTML, + 'html' => ' +<div [loop_post_class{cwp-col-12__cwp-col-md-4}] > + <div class="cwp-post"> + <div class="cwp-post-thumbnail"> + <a href=" [loop_post_link] "> + <img src=" [loop_featured_image] " alt=""> + </a> + + <div class="cwp-archive-save"> + <div class="cwp-single-save-btns cwp-single-widget"> + [loop_post_save] + </div> + </div> + </div> + <div class="cwp-post-content-container"> + <div class="cwp-post-content"> + <h4><a href=" [loop_post_link] "> [loop_the_title] </a> + </h4> + [loop_the_content] + </div> + <ul class="cwp-post-terms"> + <li> + <a href=" [loop_property_type_tax_link] "> [loop_property_type] </a> + </li> + </ul> + </div> + </div> +</div>', + 'css' => '/*----Grid View-----*/ +.cwp-post { + background: #ffffff; + border: 1px solid #e0e0e0; + border-radius: 5px; + filter: drop-shadow(0 2px 6px rgba(0, 0, 0, 0.102218)); + margin: 10px 0px; + overflow: hidden; + transition: 300ms; +} + +.cwp-post:hover { + filter: none; +} + +.cwp-post-thumbnail { + height: 220px; + width: 100%; + position: relative; +} + +.cwp-post .cwp-post-thumbnail img { + height: 100%; + object-fit: cover; + transition: 300ms; + width: 100%; +} + +/*-------List View------*/ +.list-view .cwp-col-12 { + width: 100% !important; +} + +.list-view .cwp-post { + align-items: flex-start; + display: flex; + flex-wrap: wrap; + justify-content: flex-start; + position: relative; +} + +.list-view .cwp-post-thumbnail { + width: 30%; + min-height: 160px; + height: 185px; +} + +.list-view .cwp-post-content-container { + width: 70%; +} + +.list-view .cwp-post-content { + padding: 30px 20px; +} + +.list-view .cwp-post-content h4 { + overflow: hidden; + text-overflow: ellipsis; + white-space: nowrap; + width: 100%; +} + +.list-view ul.cwp-post-terms { + padding: 20px 20px 0 20px; +} + +.cwp-promoted-post { + border: 1px solid #ddbb2a; + border-radius: 4px; + color: #ddbb2a; + cursor: default; + display: inline-block; + font-size: 10px; + line-height: 1; + padding: 2px 5px; + position: relative; + top: -2px; +} + +.cwp-post-content { + padding: 15px; +} + +.cwp-post-content h4 { + font-size: 20px; + font-weight: bold; + line-height: 1.3; + margin: 0 0 5px 0; + text-overflow: ellipsis; + overflow: hidden; + white-space: nowrap; +} + +.cwp-post-content p { + font-size: 14px; + line-height: 1.3; + margin: 0 0 0 0; +} + +.cwp-post-terms { + align-items: center; + border-top: 1px solid #e0e0e0; + display: flex; + flex-wrap: wrap; + justify-content: flex-start; + line-height: 1.5; + list-style: none; + margin: 0; + padding: 15px 15px 10px; +} + +.cwp-post-terms li { + margin: 0 5px 5px 0; +} + +.cwp-post-terms li a { + display: block; + font-size: 12px; + background: #f6f6f6; + max-width: 100px; + overflow: hidden; + text-overflow: ellipsis; + white-space: nowrap; + padding: 8px 8px; + font-weight: 500; + text-transform: capitalize; + border-radius: 210px; + line-height: 10px; + color: #343A40; +} + +/*---Save button-------*/ +.cwp-archive-save { + position: absolute; + background: rgba(0, 0, 0, 0) linear-gradient(0deg, rgba(0, 0, 0, .9) 8%, rgba(0, 0, 0, 0) 94%) repeat scroll 0 0; + bottom: 0; + padding: 15px 14px 5px 14px; + width: 100%; +} + +.cwp-archive-save .cwp-single-save-btns.cwp-single-widget { + float: right; + color: #fff; +} + +span.cwp-main.cwp-save-post svg:nth-child(2) { + display: none; +} + +span.cwp-main.cwp-saved-post svg:first-child { + display: none; +} + +.cwp-single-save-btns.cwp-single-widget span.cwp-main, +.cwp-single-share-btn.cwp-single-widget span.cwp-main { + cursor: pointer; +} +.cwp-post-boosted { + padding: 1px 10px; + position: absolute; + top: 15px; + left: 15px; + background: #FFBB00; + border-radius: 12px; + color: #000000; + font-weight: 500; + font-size: 13px; +}', ); } -}\ No newline at end of file+}
# Security Analysis Report
## Vulnerability 1
**Vulnerability Existed:** yes
TRUE POSITIVE
**CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-loop-builder.php Line 224**
**Old Code:**
```php
<?php echo $selected; ?>
```
**Fixed Code:**
```php
<?php echo esc_attr($selected); ?>
```
**Explanation:**
The variable `$selected` contains either an empty string or the string `"selected=selected"`. In the old code, this was directly echoed into an HTML attribute without escaping, which could allow XSS if the variable were to contain user-controlled content. The fix applies `esc_attr()` to properly escape the output for safe use in HTML attributes. This is a WordPress security best practice for attribute output.
---
## Vulnerability 2
**Vulnerability Existed:** yes
TRUE POSITIVE
**CWE-434 - Unrestricted Upload of File with Dangerous Type / CWE-20 - Improper Input Validation - class-cubewp-loop-builder.php Line 752**
**Old Code:**
```php
if (! wp_verify_nonce($_POST['security_nonce'], "cubewp-admin-nonce")) {
```
**Fixed Code:**
```php
if (!isset($_POST['security_nonce']) || ! wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['security_nonce'])), "cubewp-admin-nonce")) {
```
**Explanation:**
The old code had two vulnerabilities: (1) It didn't check if `$_POST['security_nonce']` was set before using it, risking a PHP notice/warning if the key didn't exist, and (2) it passed the raw `$_POST` value directly to `wp_verify_nonce()` without sanitizing it. The fix adds an `isset()` check and properly sanitizes the nonce using `sanitize_text_field(wp_unslash())` before passing it to the verification function. This follows WordPress security best practices for handling POST data.
---
## Vulnerability 3
**Vulnerability Existed:** yes
TRUE POSITIVE
**CWE-20 - Improper Input Validation - class-cubewp-loop-builder.php Line 759**
**Old Code:**
```php
$postID = isset($_POST['post_id']) && !empty($_POST['post_id']) ? $_POST['post_id'] : 1;
```
**Fixed Code:**
```php
$postID = isset($_POST['post_id']) && !empty($_POST['post_id']) ? intval(wp_unslash($_POST['post_id'])) : 1;
```
**Explanation:**
The old code retrieved a post ID from `$_POST` without proper sanitization and type conversion. If user-controlled input reaches database queries or other sensitive operations, this could lead to SQL injection or type juggling vulnerabilities. The fix applies `intval()` to ensure the value is converted to an integer, and `wp_unslash()` to remove WordPress slashes. This ensures the post ID is safely typed and can't be exploited in SQL queries.
---
## Vulnerability 4
**Vulnerability Existed:** not sure
**CWE-94 - Improper Control of Generation of Code ('Code Injection') - class-cubewp-loop-builder.php Line 797**
**Old Code:**
```php
$combinedArrayCode = '<?php' . PHP_EOL . 'return ' . var_export($combinedArray, true) . ';' . PHP_EOL . '?>';
```
**Fixed Code:**
```php
/* phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_var_export */
$combinedArrayCode = '<?php' . PHP_EOL . 'return ' . var_export($combinedArray, true) . ';' . PHP_EOL . '?>';
```
**Explanation:**
The code uses `var_export()` to generate PHP code that will be written to a file. While the phpcs comment suppression was added, this doesn't address the underlying security concern. If `$combinedArray` contains user-controlled data without proper sanitization, it could lead to code injection when the generated file is included. However, without seeing what data populates `$combinedArray`, it's uncertain whether this is actually exploitable. The fix adds a phpcs directive to acknowledge the use of a development function, but the true vulnerability depends on the source and validation of `$combinedArray` data.
---
## Vulnerability 5
**Vulnerability Existed:** no
**CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - class-cubewp-loop-builder.php Line 424**
**Old Code:**
```php
<h3><?php echo get_the_title($group_id); ?></h3>
```
**Fixed Code:**
```php
<h3><?php echo esc_html(get_the_title($group_id)); ?></h3>
```
**Explanation:**
While this appears to be adding escaping, `get_the_title()` already returns sanitized output that's safe for HTML context in WordPress. However, explicitly wrapping it with `esc_html()` is still good practice for defense-in-depth and explicit security documentation. This is not a vulnerability fix but a hardening measure.
---
## Additional Notes
Multiple string literal changes from `'cubewp-frontend'` to `'cubewp-framework'` in text domain translations are not security-related but appear to be part of a refactoring or branding update. Several lines also add `// phpcs:ignore` comments to suppress WordPress coding standard warnings for intentional uses of unescaped output functions like `echo cubewp_core_data()`, which suggests those functions already handle escaping internally.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/custom-fields/class-cubewp-custom-fields-markup.php 2026-01-18 00:20:47.517238524 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/custom-fields/class-cubewp-custom-fields-markup.php 2026-01-18 00:20:56.209778596 +0000@@ -6,6 +6,8 @@ * @package cubewp/cube/classes */ +// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if (!defined('ABSPATH')) { exit; }@@ -28,7 +30,7 @@ { $defaults = array( 'label' => '',- 'name' => 'cwp_field_' . rand( (int) 10000000, (int) 1000000000000 ),+ 'name' => 'cwp_field_' . wp_rand( (int) 10000000, (int) 1000000000000 ), 'type' => '', 'description' => '', 'map_use' => '',@@ -57,7 +59,7 @@ 'relationship' => 0, 'rest_api' => 0, 'validation_msg' => '',- 'id' => 'cwp_field_' . rand( (int) 10000000, (int) 1000000000000 ),+ 'id' => 'cwp_field_' . wp_rand( (int) 10000000, (int) 1000000000000 ), 'class' => '', 'container_class' => '', 'conditional' => '',@@ -76,7 +78,8 @@ $closed_class = (isset($FieldData['label']) && $FieldData['label'] != '') ? 'closed' : ''; $hide_class = (isset($FieldData['label']) && $FieldData['label'] != '') ? 'hidden' : ''; $field_type = (isset($FieldData['type']) && $FieldData['type'] == '') ? 'text' : $FieldData['type'];- $group_secure = isset($_GET['groupid']) ? cubewp_custom_field_group_secure($_GET['groupid']) : false;+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended */+ $group_secure = isset($_GET['groupid']) ? cubewp_custom_field_group_secure(sanitize_text_field(wp_unslash($_GET['groupid']))) : false; $secure_class = ($group_secure == true) ? 'group_visibility_secure' : ''; $counter = isset($FieldData["counter"]) ? $FieldData["counter"] : 1; @@ -657,7 +660,7 @@ { $defaults = array( 'label' => '',- 'name' => 'cwp_field_' . rand(10000000, 1000000000000),+ 'name' => 'cwp_field_' . wp_rand(10000000, 1000000000000), 'type' => '', 'description' => '', 'default_value' => '',@@ -680,7 +683,7 @@ 'appearance' => '', 'required' => '', 'validation_msg' => '',- 'id' => 'cwp_field_' . rand(10000000, 1000000000000),+ 'id' => 'cwp_field_' . wp_rand(10000000, 1000000000000), 'class' => '', 'files_save' => 'ids', 'files_save_separator' => 'array',
```
Vulnerability Existed: yes
FALSE POSITIVE
Insecure Randomness - CWE-338 - cube/modules/custom-fields/class-cubewp-custom-fields-markup.php - Lines 31, 60, 663, 686
[Old Code]
'name' => 'cwp_field_' . rand( (int) 10000000, (int) 1000000000000 ),
'id' => 'cwp_field_' . rand( (int) 10000000, (int) 1000000000000 ),
[Fixed Code]
'name' => 'cwp_field_' . wp_rand( (int) 10000000, (int) 1000000000000 ),
'id' => 'cwp_field_' . wp_rand( (int) 10000000, (int) 1000000000000 ),
Explanation:
The code was using PHP's `rand()` function to generate field identifiers. PHP's `rand()` is not cryptographically secure and should not be used for generating identifiers that could have security implications. The fix replaces it with WordPress's `wp_rand()` function, which is cryptographically stronger. While field IDs may not be security-critical in this context, using insecure randomness is still a vulnerability pattern that should be avoided.
---
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/custom-fields/class-cubewp-custom-fields-markup.php - Line 81
[Old Code]
$group_secure = isset($_GET['groupid']) ? cubewp_custom_field_group_secure($_GET['groupid']) : false;
[Fixed Code]
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended */
$group_secure = isset($_GET['groupid']) ? cubewp_custom_field_group_secure(sanitize_text_field(wp_unslash($_GET['groupid']))) : false;
Explanation:
The original code directly passed user input from `$_GET['groupid']` to a function without sanitization. This is a classic input validation vulnerability. The fix applies `wp_unslash()` to reverse WordPress's automatic slashing, then `sanitize_text_field()` to remove potentially harmful characters and tags. This prevents XSS attacks and other input-based vulnerabilities. The added phpcs comment acknowledges that nonce verification wasn't added (which would be more robust), but at minimum, sanitization mitigates the immediate XSS risk.
```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/custom-fields/class-cubewp-custom-fields-processor.php 2026-01-18 00:20:47.517238524 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/custom-fields/class-cubewp-custom-fields-processor.php 2026-01-18 00:20:56.209778596 +0000@@ -108,7 +108,7 @@ /* TO identify the custom fields type, eg: post-types, user, or any other custom fields type * like for cubewp forms custom-form. */- $field_options['fields_type'] = sanitize_text_field($_POST['fields_type']);+ $field_options['fields_type'] = isset($_POST['fields_type']) ? sanitize_text_field(wp_unslash($_POST['fields_type'])) : ''; wp_send_json_success(CubeWp_Custom_Fields_Markup::add_new_field($field_options)); }else{ wp_send_json_error( array( 'error' => $custom_error ) );@@ -124,7 +124,8 @@ public static function process_sub_field(){ check_ajax_referer( 'cubewp_custom_fields_nonce', 'nonce' ); if( true ){- wp_send_json_success(CubeWp_Custom_Fields_Markup::add_new_sub_field(array(), sanitize_text_field($_POST['parent_field'])));+ $parent_field = isset($_POST['parent_field']) ? sanitize_text_field( wp_unslash( $_POST['parent_field'] ) ) : '';+ wp_send_json_success(CubeWp_Custom_Fields_Markup::add_new_sub_field(array(), $parent_field)); }else{ wp_send_json_error( array( 'error' => $custom_error ) ); }@@ -139,7 +140,9 @@ public static function process_duplicate_field(){ check_ajax_referer( 'cubewp_custom_fields_nonce', 'nonce' ); if( true ){- wp_send_json_success(self::get_duplicate_field($_POST['field_id'], sanitize_text_field($_POST['fields_type'])));+ $field_id = isset($_POST['field_id']) ? sanitize_text_field( wp_unslash( $_POST['field_id'] ) ) : '';+ $fields_type = isset($_POST['fields_type']) ? sanitize_text_field( wp_unslash( $_POST['fields_type'] ) ) : '';+ wp_send_json_success(self::get_duplicate_field($field_id, $fields_type)); }else{ wp_send_json_error( array( 'error' => $custom_error ) ); }@@ -209,7 +212,7 @@ * @since 1.0.0 */ protected static function add_new_field_btn() {- echo '<a class="button button-primary button-large" href="javascript:void(0);" id="cwp-add-new-field-btn" data-fields_type=' . self::get_field_option_name().'>'. __('Add New Field', 'cubewp-framework') .'</a>';+ echo '<a class="button button-primary button-large" href="javascript:void(0);" id="cwp-add-new-field-btn" data-fields_type=' . esc_attr(self::get_field_option_name()).'>'. esc_html__('Add New Field', 'cubewp-framework') .'</a>'; } /**@@ -220,14 +223,18 @@ */ protected static function save_group() { - if (isset($_POST['cwp']['group'])) {+ // phpcs:disable WordPress.Security.NonceVerification.Missing -- Back-compat: legacy admin form may not include a nonce. All inputs are validated/sanitized below.+ if (isset($_POST['cwp']['group'])) { - $groupID = sanitize_text_field($_POST['cwp']['group']['id']);- $groupName = sanitize_text_field($_POST['cwp']['group']['name']);- $groupDesc = wp_strip_all_tags( wp_unslash( $_POST['cwp']['group']['description'] ));- $groupOrder = isset($_POST['cwp']['group']['order']) ? sanitize_text_field($_POST['cwp']['group']['order']) : 0;- $groupTypes = isset($_POST['cwp']['group']['types']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['group']['types']) : array();- $groupTerms = isset($_POST['cwp']['group']['terms']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['group']['terms']) : array();+ $groupID = isset($_POST['cwp']['group']['id']) ? sanitize_text_field( wp_unslash( $_POST['cwp']['group']['id'] ) ) : '';+ $groupName = isset($_POST['cwp']['group']['name']) ? sanitize_text_field( wp_unslash( $_POST['cwp']['group']['name'] ) ) : '';+ $groupDesc = isset($_POST['cwp']['group']['description']) ? wp_strip_all_tags( wp_unslash( $_POST['cwp']['group']['description'] ) ) : '';+ $groupOrder = isset($_POST['cwp']['group']['order']) ? sanitize_text_field( wp_unslash( $_POST['cwp']['group']['order'] ) ) : 0;++ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ $groupTypes = isset($_POST['cwp']['group']['types']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['group']['types']) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ $groupTerms = isset($_POST['cwp']['group']['terms']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['group']['terms']) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash if (!empty($groupName)) { if (isset($_POST['cwp_save_group'])) {@@ -265,12 +272,16 @@ delete_post_meta($post_id, '_cwp_group_terms'); } }- self::save_custom_fields($_POST['cwp'],$post_id,'post_types');+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ $cwp_post = isset($_POST['cwp']) ? $_POST['cwp'] : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash+ self::save_custom_fields($cwp_post,$post_id,'post_types'); if (!empty($post_id) ) {- wp_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ exit; } }+ // phpcs:enable WordPress.Security.NonceVerification.Missing } @@ -434,8 +445,9 @@ * @since 1.0.0 */ public static function get_group($GroupID = 0) {- if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))) {- $GroupID = sanitize_text_field($_GET['groupid']);+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only admin screen param.+ if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))) {+ $GroupID = sanitize_text_field( wp_unslash( $_GET['groupid'] ) ); } if($GroupID == 0) return;
I'll analyze the provided code diff for security fixes.
Vulnerability 1:
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - cube/modules/custom-fields/class-cubewp-custom-fields-processor.php - Line 111
Old Code:
```php
$field_options['fields_type'] = sanitize_text_field($_POST['fields_type']);
```
Fixed Code:
```php
$field_options['fields_type'] = isset($_POST['fields_type']) ? sanitize_text_field(wp_unslash($_POST['fields_type'])) : '';
```
Explanation:
The old code accessed $_POST['fields_type'] without checking if it existed first, which could cause a PHP notice/warning if the key was missing. More critically, it was missing wp_unslash() before sanitization. In WordPress, $_POST values are slashed by default when magic quotes are enabled, so wp_unslash() must be called before sanitization to prevent double-escaped data. The fix adds isset() check for safety and wp_unslash() for proper handling.
---
Vulnerability 2:
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - cube/modules/custom-fields/class-cubewp-custom-fields-processor.php - Line 127
Old Code:
```php
wp_send_json_success(CubeWp_Custom_Fields_Markup::add_new_sub_field(array(), sanitize_text_field($_POST['parent_field'])));
```
Fixed Code:
```php
$parent_field = isset($_POST['parent_field']) ? sanitize_text_field( wp_unslash( $_POST['parent_field'] ) ) : '';
wp_send_json_success(CubeWp_Custom_Fields_Markup::add_new_sub_field(array(), $parent_field));
```
Explanation:
Same issue as above - missing isset() check and wp_unslash() call. The fix properly validates input existence and unslashes before sanitization.
---
Vulnerability 3:
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - cube/modules/custom-fields/class-cubewp-custom-fields-processor.php - Lines 143-144
Old Code:
```php
wp_send_json_success(self::get_duplicate_field($_POST['field_id'], sanitize_text_field($_POST['fields_type'])));
```
Fixed Code:
```php
$field_id = isset($_POST['field_id']) ? sanitize_text_field( wp_unslash( $_POST['field_id'] ) ) : '';
$fields_type = isset($_POST['fields_type']) ? sanitize_text_field( wp_unslash( $_POST['fields_type'] ) ) : '';
wp_send_json_success(self::get_duplicate_field($field_id, $fields_type));
```
Explanation:
Multiple inputs missing isset() checks and wp_unslash() calls. The fix adds proper validation and sanitization for both parameters.
---
Vulnerability 4:
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/modules/custom-fields/class-cubewp-custom-fields-processor.php - Line 215
Old Code:
```php
echo '<a class="button button-primary button-large" href="javascript:void(0);" id="cwp-add-new-field-btn" data-fields_type=' . self::get_field_option_name().'>'. __('Add New Field', 'cubewp-framework') .'</a>';
```
Fixed Code:
```php
echo '<a class="button button-primary button-large" href="javascript:void(0);" id="cwp-add-new-field-btn" data-fields_type=' . esc_attr(self::get_field_option_name()).'>'. esc_html__('Add New Field', 'cubewp-framework') .'</a>';
```
Explanation:
The old code output the result of self::get_field_option_name() without escaping it in an HTML attribute context. If that function returned user-controlled data, it could allow XSS attacks. The fix adds esc_attr() to properly escape for attribute context. Additionally, __() was replaced with esc_html__() for proper output escaping.
---
Vulnerability 5:
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - cube/modules/custom-fields/class-cubewp-custom-fields-processor.php - Lines 226-232
Old Code:
```php
$groupID = sanitize_text_field($_POST['cwp']['group']['id']);
$groupName = sanitize_text_field($_POST['cwp']['group']['name']);
$groupDesc = wp_strip_all_tags( wp_unslash( $_POST['cwp']['group']['description'] ));
$groupOrder = isset($_POST['cwp']['group']['order']) ? sanitize_text_field($_POST['cwp']['group']['order']) : 0;
$groupTypes = isset($_POST['cwp']['group']['types']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['group']['types']) : array();
$groupTerms = isset($_POST['cwp']['group']['terms']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['group']['terms']) : array();
```
Fixed Code:
```php
$groupID = isset($_POST['cwp']['group']['id']) ? sanitize_text_field( wp_unslash( $_POST['cwp']['group']['id'] ) ) : '';
$groupName = isset($_POST['cwp']['group']['name']) ? sanitize_text_field( wp_unslash( $_POST['cwp']['group']['name'] ) ) : '';
$groupDesc = isset($_POST['cwp']['group']['description']) ? wp_strip_all_tags( wp_unslash( $_POST['cwp']['group']['description'] ) ) : '';
$groupOrder = isset($_POST['cwp']['group']['order']) ? sanitize_text_field( wp_unslash( $_POST['cwp']['group']['order'] ) ) : 0;
$groupTypes = isset($_POST['cwp']['group']['types']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['group']['types']) : array();
$groupTerms = isset($_POST['cwp']['group']['terms']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['group']['terms']) : array();
```
Explanation:
Multiple input variables were accessed without isset() checks, and several were missing wp_unslash() calls before sanitization. The fix adds proper isset() checks and wp_unslash() where needed to handle slashed POST data correctly.
---
Vulnerability 6:
Vulnerability Existed: yes
TRUE POSITIVE
Open Redirect - CWE-601 - cube/modules/custom-fields/class-cubewp-custom-fields-processor.php - Line 278
Old Code:
```php
wp_redirect( CubeWp_Submenu::_page_action('custom-fields') );
```
Fixed Code:
```php
wp_safe_redirect( CubeWp_Submenu::_page_action('custom-fields') );
exit;
```
Explanation:
The old code used wp_redirect() which can be vulnerable to open redirect attacks if the URL destination is not properly validated. wp_safe_redirect() validates that the redirect location is safe (not to an external URL) and prevents open redirect vulnerabilities. Additionally, exit; was added to ensure execution stops after the redirect.
---
Vulnerability 7:
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - cube/modules/custom-fields/class-cubewp-custom-fields-processor.php - Line 448
Old Code:
```php
$GroupID = sanitize_text_field($_GET['groupid']);
```
Fixed Code:
```php
$GroupID = sanitize_text_field( wp_unslash( $_GET['groupid'] ) );
```
Explanation:
Missing wp_unslash() call before sanitization of $_GET parameter. While less critical than POST (GET parameters are not slashed by default in modern WordPress), this change ensures consistent sanitization practices.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/custom-fields/class-cubewp-custom-fields.php 2026-01-18 00:20:47.517238524 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/custom-fields/class-cubewp-custom-fields.php 2026-01-18 00:20:56.209778596 +0000@@ -167,8 +167,8 @@ $value = self::get_single_meta_value($meta_key,$field_type, $userid); $args[$meta_key] = array( 'type' => $field_type,- 'meta_key' => $meta_key,- 'meta_value' => $value,+ 'meta_key' => $meta_key,// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key+ 'meta_value' => $value,// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value 'label' => $label, ); }
Vulnerability Existed: no No vulnerabilities detected - phpcs:ignore comments added Explanation: This diff adds phpcs:ignore comments to suppress WordPress coding standards warnings about slow database queries. The code itself remains unchanged; only documentation/lint suppression is added. The `meta_key` and `meta_value` parameters were already present in the code and do not represent new vulnerabilities. These are legitimate WordPress meta query operations, and the phpcs:ignore directives simply acknowledge the known performance trade-off of querying by meta_key/meta_value. This is not a security fix but rather a linting configuration update.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/custom-fields/class-cubewp-relationships.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/custom-fields/class-cubewp-relationships.php 2026-01-18 00:20:56.209778596 +0000@@ -154,7 +154,7 @@ } } $output .= '</div>';-+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo $output; } }@@ -236,20 +236,21 @@ } $output .= '</div>'; + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo $output; } } public function cubewp_remove_relation() {- if ( ! wp_verify_nonce( sanitize_text_field( $_POST['nonce'] ), 'cubewp_remove_nonce' ) ) {+ if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'cubewp_remove_nonce' ) ) { wp_send_json( array( 'status' => 'error', 'msg' => esc_html__( "Security verification failed. Try again later.", "cubewp-framework" ) ) ); }- $relation_id = sanitize_text_field( $_POST['relation_id'] );- $relation_of = sanitize_text_field( $_POST['relation_of'] );- $relation_with = sanitize_text_field( $_POST['relation_with'] );+ $relation_id = isset( $_POST['relation_id'] ) ? sanitize_text_field( wp_unslash( $_POST['relation_id'] ) ) : '';+ $relation_of = isset( $_POST['relation_of'] ) ? sanitize_text_field( wp_unslash( $_POST['relation_of'] ) ) : '';+ $relation_with = isset( $_POST['relation_with'] ) ? sanitize_text_field( wp_unslash( $_POST['relation_with'] ) ) : ''; if ( empty( $relation_id ) || empty( $relation_of ) || empty( $relation_with ) ) { wp_send_json( array( 'status' => 'error',
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation and Insufficient Nonce Verification - CWE-352 (Cross-Site Request Forgery (CSRF)) - cube/modules/custom-fields/class-cubewp-relationships.php Lines 244-246
Old Code:
```php
if ( ! wp_verify_nonce( sanitize_text_field( $_POST['nonce'] ), 'cubewp_remove_nonce' ) ) {
```
Fixed Code:
```php
if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'cubewp_remove_nonce' ) ) {
```
Explanation:
The original code had two vulnerabilities: (1) It accessed `$_POST['nonce']` without checking if the key existed first, which could cause a PHP notice/warning if the nonce was not present in the request. (2) The `wp_unslash()` function was missing, which is a WordPress security best practice when processing superglobal values like `$_POST`. The `wp_unslash()` function removes slashes added by WordPress's `magic_quotes` behavior and should be called before sanitization. The fixed code adds the `isset()` check for safety and applies `wp_unslash()` before `sanitize_text_field()`.
---
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 (Improper Input Validation) - cube/modules/custom-fields/class-cubewp-relationships.php Lines 248-250
Old Code:
```php
$relation_id = sanitize_text_field( $_POST['relation_id'] );
$relation_of = sanitize_text_field( $_POST['relation_of'] );
$relation_with = sanitize_text_field( $_POST['relation_with'] );
```
Fixed Code:
```php
$relation_id = isset( $_POST['relation_id'] ) ? sanitize_text_field( wp_unslash( $_POST['relation_id'] ) ) : '';
$relation_of = isset( $_POST['relation_of'] ) ? sanitize_text_field( wp_unslash( $_POST['relation_of'] ) ) : '';
$relation_with = isset( $_POST['relation_with'] ) ? sanitize_text_field( wp_unslash( $_POST['relation_with'] ) ) : '';
```
Explanation:
The original code directly accessed `$_POST` array keys without checking if they existed, which could generate PHP notices if the keys were missing. Additionally, `wp_unslash()` was not applied before `sanitize_text_field()`, which is a WordPress security best practice. The fixed code adds `isset()` checks to verify the keys exist before accessing them and applies `wp_unslash()` to properly handle WordPress's slash behavior before sanitization.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-business-hours.php@@ -0,0 +1,227 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +class CubeWp_Tag_Business_hours extends \Elementor\Core\DynamicTags\Tag { + + public function get_name() { + return 'cubewp-business-hours-tag'; + } + + public function get_title() { + return esc_html__( 'Business Hours Status', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-fields' ]; + } + + public function get_categories() { + return [ + \Elementor\Modules\DynamicTags\Module::TEXT_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $options = get_fields_by_type( array( 'business_hours' ) ); + + $this->add_control( + 'user_selected_field', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Select Business Hours Field', 'cubewp-framework' ), + 'options' => $options, + ] + ); + $this->add_control( + 'open_now_text', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Open Now Text', 'cubewp-framework' ), + 'default' => esc_html__( 'Open now', 'cubewp-framework' ), + ] + ); + $this->add_control( + 'open_now_color', + [ + 'type' => \Elementor\Controls_Manager::COLOR, + 'label' => esc_html__( 'Open Now Color', 'cubewp-framework' ), + 'default' => '#000000', + ] + ); + $this->add_control( + 'closed_now_text', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Closed Now Text', 'cubewp-framework' ), + 'default' => esc_html__( 'Closed now', 'cubewp-framework' ), + ] + ); + $this->add_control( + 'closed_now_color', + [ + 'type' => \Elementor\Controls_Manager::COLOR, + 'label' => esc_html__( 'Closed Now Color', 'cubewp-framework' ), + 'default' => '#ff0000', + ] + ); + $this->add_control( + '24_hours_open_text', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( '24 Hours Open Text', 'cubewp-framework' ), + 'default' => esc_html__( '24 hours open', 'cubewp-framework' ), + ] + ); + $this->add_control( + '24_hours_open_color', + [ + 'type' => \Elementor\Controls_Manager::COLOR, + 'label' => esc_html__( '24 Hours Open Color', 'cubewp-framework' ), + 'default' => '#00ff00', + ] + ); + $this->add_control( + 'day_off_text', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Day Off Text', 'cubewp-framework' ), + 'default' => esc_html__( 'Day off', 'cubewp-framework' ), + ] + ); + $this->add_control( + 'day_off_color', + [ + 'type' => \Elementor\Controls_Manager::COLOR, + 'label' => esc_html__( 'Day Off Color', 'cubewp-framework' ), + 'default' => '#999999', + ] + ); + } + + public function render() { + $field = $this->get_settings( 'user_selected_field' ); + $open_now_text = $this->get_settings( 'open_now_text' ); + $open_now_color = $this->get_settings( 'open_now_color' ); + $closed_now_text = $this->get_settings( 'closed_now_text' ); + $closed_now_color = $this->get_settings( 'closed_now_color' ); + $hours_open_text = $this->get_settings( '24_hours_open_text' ); + $hours_open_color = $this->get_settings( '24_hours_open_color' ); + $day_off_text = $this->get_settings( 'day_off_text' ); + $day_off_color = $this->get_settings( 'day_off_color' ); + if ( ! $field ) { + return; + } + + // Get post ID - handle Elementor editing and loop contexts + if (cubewp_is_elementor_editing()) { + $post_id = cubewp_get_elementor_preview_post_id(); + } else { + global $post; + if (isset($post) && !empty($post->ID)) { + $post_id = (int) $post->ID; + } else { + $post_id = (int) get_queried_object_id(); + } + } + + if (empty($post_id)) { + return; + } + + $value = get_post_meta($post_id, $field, true); + if ( empty( $value ) || ! is_array( $value ) ) { + return; + } ; + // Use existing function to get status + $status = $this->cwp_business_hours_status_tag( $value ); + + if ( $status ) { + if( $status == 'open' ) { + if( !empty( $open_now_text ) ) { + echo '<span style="color: ' . esc_attr($open_now_color) . ';">' . esc_html($open_now_text) . '</span>'; + } else { + echo '<span style="color: ' . esc_attr($open_now_color) . ';">' . esc_html__("Open now", "cubewp-framework") . '</span>'; + } + } else if( $status == 'closed' ) { + if( !empty( $closed_now_text ) ) { + echo '<span style="color: ' . esc_attr($closed_now_color) . ';">' . esc_html($closed_now_text) . '</span>'; + } else { + echo '<span style="color: ' . esc_attr($closed_now_color) . ';">' . esc_html__("Closed now", "cubewp-framework") . '</span>'; + } + } else if( $status == '24_hours_open' ) { + if( !empty( $hours_open_text ) ) { + echo '<span style="color: ' . esc_attr($hours_open_color) . ';">' . esc_html($hours_open_text) . '</span>'; + } else { + echo '<span style="color: ' . esc_attr($hours_open_color) . ';">' . esc_html__("24 hours open", "cubewp-framework") . '</span>'; + } + } else if( $status == 'day_off' ) { + if( !empty( $day_off_text ) ) { + echo '<span style="color: ' . esc_attr($day_off_color) . ';">' . esc_html($day_off_text) . '</span>'; + } else { + echo '<span style="color: ' . esc_attr($day_off_color) . ';">' . esc_html__("Day off", "cubewp-framework") . '</span>'; + } + } + } + } + public function cwp_business_hours_status_tag($schedule) + { + + if (!is_array($schedule) || empty($schedule)) return; + + // Get the WordPress timezone + $timezone = wp_timezone_string(); + + // Check if the timezone is valid + if (empty($timezone)) { + $timezone = 'UTC'; // Default to UTC if no timezone is set in WordPress + } + + // Create a DateTime object and set the timezone + $currentDateTime = new DateTime('now', new DateTimeZone($timezone)); + + // Get the current day and time in WordPress timezone + $currentDay = strtolower($currentDateTime->format('l')); + $currentTime = $currentDateTime->format('H:i:s'); + + if (array_key_exists($currentDay, $schedule)) { + $isOpen = false; + $is24Hours = false; + $times = $schedule[$currentDay]; + + if (!is_array($times) && is_string($times) && $times == '24-hours-open') { + $isOpen = true; + $is24Hours = true; + } else { + $openTimes = $times['open']; + $closeTimes = $times['close']; + // Check if the current time falls within any open and close period + for ($i = 0; $i < count($openTimes); $i++) { + $openTime = $openTimes[$i]; + $closeTime = $closeTimes[$i]; + + if ($currentTime >= $openTime && $currentTime <= $closeTime) { + $isOpen = true; + break; + } + } + } + + if ($is24Hours) { + return '24_hours_open'; + } elseif ($isOpen) { + return 'open'; + } else { + return 'closed'; + } + } else { + // Current day is not in the schedule - it's a day off + return 'day_off'; + } + } +}
Now analyzing the provided diff for security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - CWE-79 - cube/modules/elementor/class-cubewp-tag-business-hours.php - Lines 137-171
Old Code:
```php
echo '<span style="color: ' . esc_attr($open_now_color) . ';">' . esc_html($open_now_text) . '</span>';
```
Fixed Code:
```php
// Already present in the code - proper escaping is applied
echo '<span style="color: ' . esc_attr($open_now_color) . ';">' . esc_html($open_now_text) . '</span>';
```
Explanation:
While the code does use `esc_attr()` and `esc_html()` functions appropriately in the output statements (lines 137-171), the vulnerability concern is partially mitigated. However, the `$open_now_color`, `$closed_now_color`, `$hours_open_color`, and `$day_off_color` values come directly from user input via `get_settings()` without validation that they are valid CSS color values. An attacker could potentially inject CSS expressions or other malicious content through these color fields. The escaping with `esc_attr()` provides some protection, but CSS injection could still occur if color values aren't validated to be legitimate hex colors or color names.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
**Improper Input Validation - CWE-20** - CWE-20 - cube/modules/elementor/class-cubewp-tag-business-hours.php - Lines 108-120
Old Code:
```php
$open_now_text = $this->get_settings( 'open_now_text' );
$open_now_color = $this->get_settings( 'open_now_color' );
```
Fixed Code:
```php
// Same as old code - no validation applied
$open_now_text = $this->get_settings( 'open_now_text' );
$open_now_color = $this->get_settings( 'open_now_color' );
```
Explanation:
The user-controlled color values retrieved via `get_settings()` are not validated to ensure they are legitimate CSS color values before being used in inline styles. While `esc_attr()` prevents attribute injection, it doesn't prevent CSS injection attacks. For example, an attacker could inject values like `red; background: url(javascript:alert('xss'))` which would be escaped as an attribute but could still execute if processed by certain CSS parsers. Validation should ensure colors are in formats like `#hexcode`, `rgb()`, or known color names.
---
**Vulnerability 3:**
Vulnerability Existed: no
**Improper Access Control - CWE-269** - CWE-269 - cube/modules/elementor/class-cubewp-tag-business-hours.php - Line 1-3
Old Code:
```php
<?php
if ( ! defined( 'ABSPATH' ) ) {
exit; // Exit if accessed directly.
}
```
Fixed Code:
```php
<?php
if ( ! defined( 'ABSPATH' ) ) {
exit; // Exit if accessed directly.
}
```
Explanation:
This is properly protected. The code correctly checks if `ABSPATH` is defined and exits if accessed directly, preventing direct file access outside the WordPress context. This is a standard WordPress security practice and is correctly implemented.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-checkbox.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-checkbox.php 2026-01-18 00:20:56.209778596 +0000@@ -51,7 +51,7 @@ if(is_array($value)){ $value = implode(", ",$value); }- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes TRUE POSITIVE [CWE Name] Cross-site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-checkbox.php [Line 54] [Old Code] ```php echo cubewp_core_data($value); ``` [Fixed Code] ```php echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any sanitization or escaping. This is a reflected/stored XSS vulnerability because user-controlled data (from the `$value` variable) could contain malicious HTML/JavaScript that would be rendered in the browser context without proper escaping. The fix applies `esc_html()` (a WordPress escaping function) to the output, which converts HTML special characters to their entity equivalents, preventing the browser from interpreting them as code. This is the correct mitigation for outputting user-controlled data in HTML context.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-color.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-color.php 2026-01-18 00:20:56.209778596 +0000@@ -48,7 +48,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); } }\ No newline at end of file
Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-color.php - Line 51 Old Code: ```php echo cubewp_core_data($value); ``` Fixed Code: ```php echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any escaping. If `cubewp_core_data()` returns user-controlled or unsanitized data, this creates a Stored or Reflected XSS vulnerability where an attacker could inject malicious JavaScript that executes in the context of the page. The fix applies `esc_html()` to escape HTML special characters, preventing the browser from interpreting injected script tags or event handlers. This is a standard WordPress security practice for output escaping.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-date-picker.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-date-picker.php 2026-01-18 00:20:56.213778845 +0000@@ -48,8 +48,7 @@ return; } $value = get_field_value( $field );- - echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/elementor/class-cubewp-tag-date-picker.php (lines 51-52)
Old Code:
```php
echo cubewp_core_data($value);
```
Fixed Code:
```php
echo esc_html(cubewp_core_data($value));
```
Explanation:
The original code directly echoed the output of `cubewp_core_data($value)` without any escaping. If the `cubewp_core_data()` function returns user-controlled or unsanitized data, this creates a Stored XSS vulnerability where malicious HTML/JavaScript could be injected into the page output. The fix applies `esc_html()` to escape HTML special characters before output, preventing XSS attacks by converting potentially dangerous characters like `<`, `>`, `&`, and quotes into their HTML entity equivalents. This ensures any user-supplied or untrusted data cannot be interpreted as executable code in the browser.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-date-time-picker.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-date-time-picker.php 2026-01-18 00:20:56.213778845 +0000@@ -49,7 +49,7 @@ } $value = get_field_value( $field ); - echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-date-time-picker.php - Line 52 Old Code: ```php echo cubewp_core_data($value); ``` Fixed Code: ```php echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any escaping. This is a reflected/stored XSS vulnerability because user-controlled data (from `$value`, which comes from `get_field_value()`) is output directly to the HTML context without sanitization. An attacker could inject malicious JavaScript that would execute in the browser of any user viewing this element. The fix applies `esc_html()`, which is the appropriate WordPress escaping function for outputting data in HTML context. This function converts special characters to HTML entities, preventing the browser from interpreting injected script tags or event handlers. The fix correctly mitigates the XSS vulnerability by ensuring that any HTML special characters in the output are properly escaped.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-dropdown.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-dropdown.php 2026-01-18 00:20:56.213778845 +0000@@ -51,7 +51,7 @@ if(is_array($value)){ $value = implode(", ",$value); }- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-dropdown.php (Line 54) Old Code: ```php echo cubewp_core_data($value); ``` Fixed Code: ```php echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoes the output of `cubewp_core_data($value)` without sanitization. This creates a Stored/Reflected XSS vulnerability because user-controlled data (the `$value` parameter) could contain malicious HTML or JavaScript code that would be executed in the browser. The fix applies `esc_html()` (a WordPress escaping function) to properly escape HTML entities, preventing JavaScript code from being interpreted as executable code. This is a standard WordPress security practice for outputting data in HTML context.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-email.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-email.php 2026-01-18 00:20:56.213778845 +0000@@ -48,7 +48,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
``` Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-email.php - Line 51 Old Code: echo cubewp_core_data($value); Fixed Code: echo esc_html(cubewp_core_data($value)); Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any sanitization or escaping. This is a Stored/Reflected XSS vulnerability because if the `$value` variable (retrieved from `get_field_value()`) contains untrusted user input or data from an external source, it could contain malicious JavaScript code that would be executed in the browser context. The fix applies `esc_html()` to escape HTML special characters, preventing the browser from interpreting any HTML tags or JavaScript code within the output. This is the appropriate mitigation for displaying text content in HTML context. ```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-file.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-file.php 2026-01-18 00:20:56.213778845 +0000@@ -49,7 +49,14 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ if( empty( $value ) ) {+ return;+ }+ $fileItemURL = wp_get_attachment_url($value);+ if( empty( $fileItemURL ) ) {+ return;+ }+ echo '<a href="' . esc_url($fileItemURL) . '" download>' . esc_html__('Download File', 'cubewp-framework') . '</a>'; }
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-file.php - Line 52
Old Code:
```php
echo cubewp_core_data($value);
```
Fixed Code:
```php
$fileItemURL = wp_get_attachment_url($value);
if( empty( $fileItemURL ) ) {
return;
}
echo '<a href="' . esc_url($fileItemURL) . '" download>' . esc_html__('Download File', 'cubewp-framework') . '</a>';
```
Explanation:
The original code directly echoed the output of `cubewp_core_data($value)` without any sanitization or escaping. Without seeing the implementation of `cubewp_core_data()`, this function likely returned user-controlled data that was directly output to HTML, creating an XSS vulnerability. The fixed code properly escapes the URL using `esc_url()` and escapes any text using `esc_html__()`, preventing malicious scripts from being injected. Additionally, the fix adds proper validation by checking if the attachment URL exists before outputting it, and uses the proper WordPress function `wp_get_attachment_url()` to retrieve the file URL safely.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-gallery.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-gallery.php 2026-01-18 00:20:56.213778845 +0000@@ -19,7 +19,6 @@ public function get_categories() { return [ - \Elementor\Modules\DynamicTags\Module::IMAGE_CATEGORY, \Elementor\Modules\DynamicTags\Module::GALLERY_CATEGORY, \Elementor\Modules\DynamicTags\Module::MEDIA_CATEGORY, ];@@ -51,23 +50,43 @@ } $values = get_field_value( $field ); $returnArr = array();- if(is_array($values) && count($values)>0){- foreach($values as $key=> $value ){- if(get_post($value)){- $returnArr[$key] = [- 'id' =>$value,- 'url' => wp_get_attachment_image_src($value, 'full')[0],- ];+ if ( is_array( $values ) && count( $values ) > 0 ) {+ foreach ( $values as $key => $value ) {+ // Normalize ID+ $image_id = is_numeric( $value ) ? (int) $value : 0;+ if ( ! $image_id ) {+ continue; }+ // Ensure it's an image attachment+ if ( ! wp_attachment_is_image( $image_id ) ) {+ continue;+ }+ $url = wp_get_attachment_image_url( $image_id, 'full' );+ if ( ! $url ) {+ continue;+ }+ $returnArr[$key] = array(+ 'id' => $image_id,+ 'url' => $url,+ ); }- }else{- $imageID = attachment_url_to_postid($values);- if(get_post($imageID)){- $returnArr = [- 'id' =>$imageID,- 'url' => wp_get_attachment_image_src($imageID, 'full')[0],- ]; - }+ } else {+ $image_id = 0;+ // Accept raw URL fallback+ if ( is_string( $values ) && filter_var( $values, FILTER_VALIDATE_URL ) ) {+ $image_id = attachment_url_to_postid( $values );+ } elseif ( is_numeric( $values ) ) {+ $image_id = (int) $values;+ }+ if ( $image_id && wp_attachment_is_image( $image_id ) ) {+ $url = wp_get_attachment_image_url( $image_id, 'full' );+ if ( $url ) {+ $returnArr = array(+ 'id' => $image_id,+ 'url' => $url,+ );+ }+ } } return $returnArr; }
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - cube/modules/elementor/class-cubewp-tag-gallery.php Lines 54-72 (old code)
Old Code:
```php
if(is_array($values) && count($values)>0){
foreach($values as $key=> $value ){
if(get_post($value)){
$returnArr[$key] = [
'id' =>$value,
'url' => wp_get_attachment_image_src($value, 'full')[0],
];
}
}
}else{
$imageID = attachment_url_to_postid($values);
if(get_post($imageID)){
$returnArr = [
'id' =>$imageID,
'url' => wp_get_attachment_image_src($imageID, 'full')[0],
];
}
}
```
Fixed Code:
```php
if ( is_array( $values ) && count( $values ) > 0 ) {
foreach ( $values as $key => $value ) {
// Normalize ID
$image_id = is_numeric( $value ) ? (int) $value : 0;
if ( ! $image_id ) {
continue;
}
// Ensure it's an image attachment
if ( ! wp_attachment_is_image( $image_id ) ) {
continue;
}
$url = wp_get_attachment_image_url( $image_id, 'full' );
if ( ! $url ) {
continue;
}
$returnArr[$key] = array(
'id' => $image_id,
'url' => $url,
);
}
} else {
$image_id = 0;
// Accept raw URL fallback
if ( is_string( $values ) && filter_var( $values, FILTER_VALIDATE_URL ) ) {
$image_id = attachment_url_to_postid( $values );
} elseif ( is_numeric( $values ) ) {
$image_id = (int) $values;
}
if ( $image_id && wp_attachment_is_image( $image_id ) ) {
$url = wp_get_attachment_image_url( $image_id, 'full' );
if ( $url ) {
$returnArr = array(
'id' => $image_id,
'url' => $url,
);
}
}
}
```
Explanation:
The original code performed insufficient validation of input values before processing them as attachment IDs. Specifically:
1. **Type Validation**: The old code did not explicitly validate that `$value` was numeric before passing it to `wp_get_attachment_image_src()`. While `get_post()` provides some protection, relying solely on this check is insufficient.
2. **Attachment Type Validation**: The original code only checked if a post exists via `get_post()`, which doesn't verify that the post is actually an image attachment. This could allow processing of non-image post types.
3. **URL Validation**: The old code did not validate URLs before passing them to `attachment_url_to_postid()`, potentially processing malformed or untrusted URLs.
The fixed code addresses these vulnerabilities by:
- Explicitly type-casting numeric values to integers with validation
- Using `wp_attachment_is_image()` to ensure only image attachments are processed
- Validating URLs with `filter_var()` before processing
- Checking that `wp_get_attachment_image_url()` returns a valid URL before using it
- Using defensive programming with explicit null/empty checks before array access
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-google-address.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-google-address.php 2026-01-18 00:20:56.213778845 +0000@@ -53,7 +53,7 @@ $value = $value['address']; } - echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes TRUE POSITIVE [Cross-site Scripting (XSS)] - [CWE-79] - [cube/modules/elementor/class-cubewp-tag-google-address.php] [Lines 56] Old Code: ```php echo cubewp_core_data($value); ``` Fixed Code: ```php echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without proper HTML escaping. This is a Stored/Reflected XSS vulnerability (CWE-79) because user-controlled data (address information) could contain malicious JavaScript that would be executed in the browser. The fix wraps the output with `esc_html()`, which is the standard WordPress function for escaping HTML content, preventing any HTML/JavaScript tags from being interpreted as code. This ensures that special characters like `<`, `>`, `&`, and quotes are converted to their HTML entity equivalents, neutralizing any XSS payloads.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-image.php 2026-01-18 00:20:47.521238772 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-image.php 2026-01-18 00:20:56.213778845 +0000@@ -19,7 +19,6 @@ public function get_categories() { return [- \Elementor\Modules\DynamicTags\Module::TEXT_CATEGORY, \Elementor\Modules\DynamicTags\Module::URL_CATEGORY, \Elementor\Modules\DynamicTags\Module::IMAGE_CATEGORY, ];@@ -31,22 +30,41 @@ public function get_value( $options = array() ){ $returnArr = array();- $field = $this->get_settings( 'user_selected_field' );+ $field = $this->get_settings( 'user_selected_field' ); if ( ! $field ) { return; } $value = get_field_value( $field );- if ( !$value || !is_numeric($value) ) {+ if ( ! $value ) { return; }- $imageID = $value;- if($imageID){- $returnArr = [- 'id' =>$imageID,- 'url' => wp_get_attachment_image_src($imageID, 'full')[0],- ]; - }++ // Normalize to an attachment ID+ $image_id = 0;+ if ( is_array( $value ) ) {+ if ( isset( $value['id'] ) && is_numeric( $value['id'] ) ) {+ $image_id = (int) $value['id'];+ }+ } elseif ( is_numeric( $value ) ) {+ $image_id = (int) $value;+ } elseif ( is_string( $value ) && filter_var( $value, FILTER_VALIDATE_URL ) ) {+ $image_id = attachment_url_to_postid( $value );+ }++ if ( ! $image_id || ! wp_attachment_is_image( $image_id ) ) {+ return;+ }+ $url = wp_get_attachment_image_url( $image_id );+ if ( ! $url ) {+ return;+ }++ $returnArr = array(+ 'id' => (int) $image_id,+ 'url' => $url,+ );+ return $returnArr; }
---
## Security Analysis Report
### Vulnerability 1
**Vulnerability Existed:** yes
FALSE POSITIVE
**Improper Input Validation - CWE-20 - class-cubewp-tag-image.php - Lines 40-49 (old)**
**Old Code:**
```php
if ( !$value || !is_numeric($value) ) {
return;
}
$imageID = $value;
if($imageID){
$returnArr = [
'id' =>$imageID,
'url' => wp_get_attachment_image_src($imageID, 'full')[0],
];
}
```
**Fixed Code:**
```php
if ( ! $value ) {
return;
}
// Normalize to an attachment ID
$image_id = 0;
if ( is_array( $value ) ) {
if ( isset( $value['id'] ) && is_numeric( $value['id'] ) ) {
$image_id = (int) $value['id'];
}
} elseif ( is_numeric( $value ) ) {
$image_id = (int) $value;
} elseif ( is_string( $value ) && filter_var( $value, FILTER_VALIDATE_URL ) ) {
$image_id = attachment_url_to_postid( $value );
}
if ( ! $image_id || ! wp_attachment_is_image( $image_id ) ) {
return;
}
$url = wp_get_attachment_image_url( $image_id );
if ( ! $url ) {
return;
}
```
**Explanation:**
The original code only validated that `$value` was numeric, but did not verify that the ID corresponds to a valid attachment image. The fix adds proper validation by:
1. Handling multiple input types (array, numeric string, URL)
2. Adding `wp_attachment_is_image()` check to ensure the post ID is actually an image attachment
3. Using `wp_get_attachment_image_url()` instead of directly accessing array index to ensure URL validity
4. Casting to integer to prevent type juggling issues
This prevents potential issues where arbitrary post IDs could be processed or array index access could fail unexpectedly.
---
### Vulnerability 2
**Vulnerability Existed:** not sure
**Potential Type Juggling / Logic Error - CWE-1025 - class-cubewp-tag-image.php - Lines 40 (old)**
**Old Code:**
```php
if ( !$value || !is_numeric($value) ) {
return;
}
```
**Fixed Code:**
```php
if ( ! $value ) {
return;
}
```
**Explanation:**
The original check `!is_numeric($value)` is overly restrictive and may reject valid input types. The `get_field_value()` function could legitimately return an array (with an 'id' key) or a URL string, which would fail the `is_numeric()` check and return early. The fix removes this premature validation, allowing the function to handle multiple input types. While not strictly a security vulnerability, this represents a logic flaw that could cause the function to silently fail on valid image data formats, potentially exposing incorrect behavior. The expanded validation logic ensures all legitimate data types are processed appropriately.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-number.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-number.php 2026-01-18 00:20:56.213778845 +0000@@ -48,7 +48,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-number.php Line 51 Old Code: ```php echo cubewp_core_data($value); ``` Fixed Code: ```php echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any sanitization or escaping. This creates a Stored or Reflected XSS vulnerability where an attacker could inject malicious JavaScript code through the `$value` variable. If `cubewp_core_data()` does not perform proper output escaping (which appears to be the case given this fix), user-controlled data would be rendered directly in the HTML context, allowing script execution in the browser. The fix properly applies `esc_html()` to escape HTML special characters, preventing the injection of HTML tags and JavaScript, which is the appropriate escaping function for output in HTML text context. This is a critical security fix for a Stored XSS vulnerability.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-oembed.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-oembed.php 2026-01-18 00:20:56.213778845 +0000@@ -49,7 +49,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo wp_kses_post(cubewp_core_data($value)); }
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/elementor/class-cubewp-tag-oembed.php Line 52
Old Code:
```php
echo cubewp_core_data($value);
```
Fixed Code:
```php
echo wp_kses_post(cubewp_core_data($value));
```
Explanation:
The original code directly echoes the result of `cubewp_core_data($value)` without sanitization. The `cubewp_core_data()` function returns data that could contain user-controlled input or HTML content. Without proper escaping/sanitization, this creates a Stored or Reflected Cross-Site Scripting (XSS) vulnerability where an attacker could inject malicious JavaScript that executes in users' browsers.
The fix applies `wp_kses_post()`, a WordPress security function that strips out dangerous HTML/JavaScript while preserving safe formatting tags. This properly sanitizes the output before displaying it to users, preventing XSS attacks.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-password.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-password.php 2026-01-18 00:20:56.213778845 +0000@@ -48,7 +48,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-password.php - Line 51 Old Code: ```php echo cubewp_core_data($value); ``` Fixed Code: ```php echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any HTML escaping. This is a classic Stored or Reflected XSS vulnerability (CWE-79). If `cubewp_core_data()` returns user-controlled or untrusted data containing HTML/JavaScript, it would be executed in the browser context. The fix applies `esc_html()` (a WordPress escaping function) to sanitize the output before echoing, preventing malicious scripts from being rendered. This is a proper security fix for output escaping in WordPress contexts.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-post-content.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-post-content.php 2026-01-18 00:20:56.213778845 +0000@@ -30,8 +30,10 @@ public function render() { if (cubewp_is_elementor_editing()) {+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo get_the_content(null,false,cubewp_get_elementor_preview_post_id()); }else {+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo get_the_content(); } }
Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-post-content.php Lines 33, 36 Old Code: ```php echo get_the_content(null,false,cubewp_get_elementor_preview_post_id()); ``` Fixed Code: ```php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo get_the_content(null,false,cubewp_get_elementor_preview_post_id()); ``` Explanation: This diff does NOT fix the XSS vulnerability—it merely suppresses the security warning. The vulnerability still exists. `get_the_content()` returns unescaped post content that may contain user-controlled HTML or JavaScript. Directly echoing this output without escaping (via `wp_kses_post()`, `esc_html()`, or similar WordPress sanitization functions) allows stored XSS attacks if post content is compromised. Adding `phpcs:ignore` comments silences the linter but leaves the code vulnerable. A proper fix would be: `echo wp_kses_post( get_the_content() );` This maintains the ability to display rich content while escaping dangerous markup.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-post-date.php@@ -0,0 +1,125 @@+<?php+if (! defined('ABSPATH')) {+ exit; // Exit if accessed directly.+}++use Elementor\Controls_Manager;+use Elementor\Core\DynamicTags\Tag;+use Elementor\Modules\DynamicTags\Module;++class CubeWp_Tag_Post_Date extends Tag+{++ public function get_name()+ {+ return 'cubewp-post-date-tag';+ }++ public function get_title()+ {+ return esc_html__('Post Date', 'cubewp-framework');+ }++ public function get_group()+ {+ return ['cubewp-single-fields'];+ }++ public function get_categories()+ {+ return [+ Module::TEXT_CATEGORY,+ Module::POST_META_CATEGORY,+ ];+ }++ public function is_settings_required()+ {+ return false;+ }++ protected function register_controls()+ {++ $this->add_control(+ 'date_type',+ [+ 'label' => esc_html__('Date Type', 'cubewp-framework'),+ 'type' => Controls_Manager::SELECT,+ 'default' => 'publish',+ 'options' => [+ 'publish' => esc_html__('Publish Date', 'cubewp-framework'),+ 'modified' => esc_html__('Modified Date', 'cubewp-framework'),+ ],+ ]+ );++ $this->add_control(+ 'date_format',+ [+ 'label' => esc_html__('Date Format', 'cubewp-framework'),+ 'type' => Controls_Manager::TEXT,+ 'default' => get_option('date_format'),+ 'description' => esc_html__('Use PHP date format, e.g. F j, Y or d/m/Y', 'cubewp-framework'),+ ]+ );++ $this->add_control(+ 'show_relative_time',+ [+ 'label' => esc_html__('Show Relative Time (e.g., "2 days ago")', 'cubewp-framework'),+ 'type' => Controls_Manager::SWITCHER,+ 'label_on' => esc_html__('Yes', 'cubewp-framework'),+ 'label_off' => esc_html__('No', 'cubewp-framework'),+ 'return_value' => 'yes',+ 'default' => '',+ ]+ );+ }++ public function render()+ {+ $settings = $this->get_settings();+ $date_type = ! empty($settings['date_type']) ? $settings['date_type'] : 'publish';+ $format = ! empty($settings['date_format']) ? $settings['date_format'] : get_option('date_format');+ $relative = ! empty($settings['show_relative_time']) && $settings['show_relative_time'] === 'yes';++ if (cubewp_is_elementor_editing()) {+ $post_id = cubewp_get_elementor_preview_post_id();+ } else {+ $post_id = get_the_ID();+ }++ if (! $post_id) {+ return;+ }++ // Validate format by checking if date_i18n changes the output+ $test_output = date_i18n($format);+ if ($test_output === $format || empty(trim($test_output))) {+ $format = get_option('date_format');+ }++ // Get the correct timestamp+ if ($date_type === 'modified') {+ $timestamp = get_post_modified_time('U', false, $post_id);+ } else {+ $timestamp = get_post_time('U', false, $post_id);+ }++ if (! $timestamp) {+ return;+ }++ // Handle relative time option+ if ($relative) {+ $time_diff = human_time_diff($timestamp, current_time('timestamp'));+ /* translators: %s: time difference. */+ $date = sprintf(esc_html__('%s ago', 'cubewp-framework'), $time_diff);+ } else {+ $date = date_i18n($format, $timestamp);+ }++ echo esc_html($date);+ }+}
Analyzing the provided code diff for security vulnerabilities:
Vulnerability Existed: no
[No Vulnerability Detected]
Explanation:
This is a new file (created from /dev/null) containing a WordPress Elementor dynamic tag class for displaying post dates. The code demonstrates secure practices:
1. **WordPress Security Functions Used Correctly**: The code properly uses `esc_html__()` for translatable strings, `esc_html()` for output escaping (line 124), and respects the `ABSPATH` check pattern at the top.
2. **Input Validation**: User-provided settings (`date_type`, `date_format`, `show_relative_time`) are validated before use:
- `date_type` is checked against expected values ('publish' or 'modified')
- `date_format` is validated by testing it with `date_i18n()` and falls back to `get_option('date_format')` if invalid
- `show_relative_time` is checked for the exact value 'yes'
3. **Safe Output Handling**: The final date output is properly escaped with `esc_html()` before echoing, preventing XSS vulnerabilities regardless of whether the date comes from `date_i18n()` or `human_time_diff()`.
4. **No SQL Injection**: `get_post_time()` and `get_post_modified_time()` are WordPress functions that handle the post_id safely internally.
5. **No Insecure Deserialization**: No `unserialize()` or similar dangerous functions are used.
The code follows WordPress security best practices and contains no evident vulnerabilities in this snapshot.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-post-excerpt.php@@ -0,0 +1,117 @@+<?php+if ( ! defined( 'ABSPATH' ) ) {+ exit; // Exit if accessed directly.+}++class CubeWp_Tag_Post_Excerpt extends \Elementor\Core\DynamicTags\Tag {++ public function get_name() {+ return 'cubewp-post-excerpt-tag';+ }++ public function get_title() {+ return esc_html__( 'Post Excerpt', 'cubewp-framework' );+ }++ public function get_group() {+ return [ 'cubewp-single-fields' ];+ }++ public function get_categories() {+ return [+ \Elementor\Modules\DynamicTags\Module::TEXT_CATEGORY,+ ];+ }++ public function is_settings_required() {+ return false;+ }++ protected function register_controls() {+ $this->add_control(+ 'excerpt_length',+ [+ 'label' => esc_html__( 'Excerpt Length (words)', 'cubewp-framework' ),+ 'type' => \Elementor\Controls_Manager::NUMBER,+ 'default' => 20,+ 'min' => 5,+ 'max' => 100,+ 'description' => esc_html__( 'Trim content if excerpt is empty.', 'cubewp-framework' ),+ ]+ );++ $this->add_control(+ 'show_read_more',+ [+ 'label' => esc_html__( 'Show "Read More" Link', 'cubewp-framework' ),+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label_on' => esc_html__( 'Yes', 'cubewp-framework' ),+ 'label_off' => esc_html__( 'No', 'cubewp-framework' ),+ 'default' => 'no',+ ]+ );++ $this->add_control(+ 'read_more_text',+ [+ 'label' => esc_html__( '"Read More" Text', 'cubewp-framework' ),+ 'type' => \Elementor\Controls_Manager::TEXT,+ 'default' => esc_html__( 'Read More', 'cubewp-framework' ),+ 'condition' => [+ 'show_read_more' => 'yes',+ ],+ ]+ );++ $this->add_control(+ 'read_more_new_tab',+ [+ 'label' => esc_html__( 'Open in New Tab', 'cubewp-framework' ),+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label_on' => esc_html__( 'Yes', 'cubewp-framework' ),+ 'label_off' => esc_html__( 'No', 'cubewp-framework' ),+ 'default' => 'no',+ 'condition' => [+ 'show_read_more' => 'yes',+ ],+ ]+ );+ }++ public function render() {+ $settings = $this->get_settings();+ $length = ! empty( $settings['excerpt_length'] ) ? intval( $settings['excerpt_length'] ) : 20;++ $post_id = cubewp_is_elementor_editing() ? cubewp_get_elementor_preview_post_id() : get_the_ID();+ if ( ! $post_id ) {+ return;+ }++ $excerpt = get_the_excerpt( $post_id );++ // Fallback: Trim post content if excerpt is missing+ if ( empty( $excerpt ) ) {+ $content = get_post_field( 'post_content', $post_id );+ $excerpt = wp_trim_words( wp_strip_all_tags( $content ), $length );+ }++ // Apply custom length trim if needed+ $excerpt = wp_trim_words( $excerpt, $length );++ // Add Read More link if enabled+ if ( 'yes' === $settings['show_read_more'] ) {+ $read_more_text = ! empty( $settings['read_more_text'] ) ? $settings['read_more_text'] : esc_html__( 'Read More', 'cubewp-framework' );+ $target_attr = ( 'yes' === $settings['read_more_new_tab'] ) ? ' target="_blank" rel="noopener noreferrer"' : '';+ $post_url = get_permalink( $post_id );++ $excerpt .= sprintf(+ ' <a href="%1$s"%2$s class="cwp-read-more">%3$s</a>',+ esc_url( $post_url ),+ $target_attr,+ esc_html( $read_more_text )+ );+ }++ echo wp_kses_post( $excerpt );+ }+}
Vulnerability Existed: no Not Applicable - No Vulnerability Found Old Code: N/A Fixed Code: N/A Explanation: This is a new file (created from /dev/null), not a diff showing a security fix. The code implements a WordPress Elementor dynamic tag for displaying post excerpts. Analysis of the implementation shows proper security practices: 1. **Output Escaping**: The code correctly uses `esc_html__()` for translatable strings, `esc_url()` for URLs, `esc_html()` for user-controlled text, and `wp_kses_post()` for the final output containing HTML markup. 2. **Input Validation**: The excerpt length is validated using `intval()` to ensure it's a numeric value, and the control definition restricts it between 5-100 words. 3. **WordPress Security Standards**: The file includes the standard WordPress security check (`if ( ! defined( 'ABSPATH' ) )`), follows WordPress coding standards, and uses WordPress functions appropriately. 4. **HTML Attributes**: The `target_attr` is properly constructed as a string literal with `rel="noopener noreferrer"` included for security when opening links in new tabs. No security vulnerabilities (CWE) are present in this new code. The implementation follows WordPress security best practices for output escaping and input handling.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-post-info.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-post-info.php 2026-01-18 00:20:56.213778845 +0000@@ -40,9 +40,9 @@ if ( $field == 'publish_date' ) { echo get_the_date( '', $post_id ); } else if ( $field == 'publish_time' ) {- echo get_the_time( '', $post_id );+ echo esc_html(get_the_time( '', $post_id )); } else if ( $field == 'views' ) {- echo get_post_meta( $post_id, 'cubewp_post_views', true );+ echo esc_html(get_post_meta( $post_id, 'cubewp_post_views', true )); } }
``` Vulnerability Existed: yes TRUE POSITIVE Cross-site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-post-info.php Lines 43, 45 Old Code: echo get_the_time( '', $post_id ); echo get_post_meta( $post_id, 'cubewp_post_views', true ); Fixed Code: echo esc_html(get_the_time( '', $post_id )); echo esc_html(get_post_meta( $post_id, 'cubewp_post_views', true )); Explanation: The original code directly echoed user-controlled data without proper sanitization. The `get_the_time()` and `get_post_meta()` functions return post data that could potentially contain malicious HTML or JavaScript if compromised or injected. By wrapping the output with `esc_html()`, the fix properly escapes HTML special characters, preventing XSS attacks by converting any HTML/JavaScript into harmless display text. This is consistent with WordPress security best practices for output escaping. ```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-post-term.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-post-term.php 2026-01-18 00:20:56.213778845 +0000@@ -41,13 +41,29 @@ return $terms[0]->name; } else if ( $field == 'term_url' ) { return get_term_link( $terms[0]->term_id );+ } else if ( $field == 'term_description' ) {+ return $terms[0]->description; } else if ( $field == 'custom_meta' ) { $field = $this->get_settings( 'post_term_custom_field' ); if ( ! $field ) { return '';+ } + $use_for_icon = $this->get_settings( 'use_for_icon' );+ $icon_width = $this->get_settings( 'icon_width' );+ $icon_width_unit = $icon_width['unit'];+ $icon_width_size = $icon_width['size'];+ $icon_width_style = $icon_width_size . $icon_width_unit;+ + $value = get_term_meta( $terms[0]->term_id, $field, true ); + if( $use_for_icon == 'yes' ) {+ if ( preg_match( '/^data:image\/[a-zA-Z]+;base64,/', $value ) || preg_match( '/^https?:\/\/.+\.(jpg|jpeg|png|gif|svg|webp)$/i', $value ) ) {+ return '<img src="' . $value . '" alt="" style="max-width:100%; max-height:100%; width: ' . $icon_width_style . ';" />';+ } else {+ return '<i class="' . $value . '" style="font-size: ' . $icon_width_style . ';"></i>';+ }+ } else {+ return wp_kses_post($value); }-- return get_term_meta( $terms[0]->term_id, $field, true ); } else if ( $field == 'all_terms' ) { $output = ''; foreach ( $terms as $key => $term ) {@@ -74,10 +90,11 @@ 'type' => Controls_Manager::SELECT, 'label' => esc_html__( 'Select Term Field', 'cubewp-framework' ), 'options' => array(- "term_name" => esc_html__( "Term Name", "cubewp-framework" ),- "term_url" => esc_html__( "Term URL", "cubewp-framework" ),- "custom_meta" => esc_html__( "Custom Term Meta", "cubewp-framework" ),- "all_terms" => esc_html__( "All Selected Terms", "cubewp-framework" )+ "term_name" => esc_html__( "Term Name", "cubewp-framework" ),+ "term_url" => esc_html__( "Term URL", "cubewp-framework" ),+ "term_description" => esc_html__( "Term Description", "cubewp-framework" ),+ "custom_meta" => esc_html__( "Custom Term Meta", "cubewp-framework" ),+ "all_terms" => esc_html__( "All Selected Terms", "cubewp-framework" ) ), 'default' => 'term_name', 'condition' => array(@@ -92,6 +109,40 @@ "post_term_field" => "custom_meta", ), ] );+ $this->add_control( 'use_for_icon', [+ 'type' => Controls_Manager::SWITCHER,+ 'label' => esc_html__( 'Use For Icon', 'cubewp-framework' ),+ 'default' => 'no',+ 'return_value' => 'yes',+ 'condition' => array(+ 'post_taxonomy!' => '',+ "post_term_field" => "custom_meta",+ ),+ ] );+ $this->add_control( 'icon_width', [+ 'type' => Controls_Manager::SLIDER,+ 'label' => esc_html__( 'Icon Width', 'cubewp-framework' ),+ 'size_units' => [ 'px', '%' ],+ 'range' => [+ 'px' => [+ 'min' => 8,+ 'max' => 256,+ ],+ '%' => [+ 'min' => 1,+ 'max' => 100,+ ],+ ],+ 'default' => [+ 'unit' => 'px',+ 'size' => 24,+ ],+ 'condition' => [+ 'post_taxonomy!' => '',+ "post_term_field" => "custom_meta",+ "use_for_icon" => "yes",+ ],+ ] ); } private static function get_post_type_tax() {@@ -114,4 +165,5 @@ } } -}\ No newline at end of file+}+ \ No newline at end of file
I'll analyze this code diff for security vulnerabilities.
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**Cross-Site Scripting (XSS) - CWE-79** - cube/modules/elementor/class-cubewp-tag-post-term.php - Lines 57-62
**Old Code:**
```php
return get_term_meta( $terms[0]->term_id, $field, true );
```
**Fixed Code:**
```php
$value = get_term_meta( $terms[0]->term_id, $field, true );
if( $use_for_icon == 'yes' ) {
if ( preg_match( '/^data:image\/[a-zA-Z]+;base64,/', $value ) || preg_match( '/^https?:\/\/.+\.(jpg|jpeg|png|gif|svg|webp)$/i', $value ) ) {
return '<img src="' . $value . '" alt="" style="max-width:100%; max-height:100%; width: ' . $icon_width_style . ';" />';
} else {
return '<i class="' . $value . '" style="font-size: ' . $icon_width_style . ';"></i>';
}
} else {
return wp_kses_post($value);
}
```
Explanation:
The old code returned untrusted term meta data directly without sanitization. The fixed code introduces `wp_kses_post()` sanitization in the else branch (line 65), which removes potentially dangerous HTML/JavaScript. However, the fix is **incomplete and introduces new vulnerabilities** in the icon handling paths:
1. Line 59-60: The `<img src>` attribute directly concatenates `$value` without escaping, allowing XSS via malicious image URLs.
2. Line 62: The `<i class>` attribute directly concatenates `$value` without escaping, allowing XSS via class names containing malicious attributes.
The regex validation is insufficient—it only validates URL/base64 format but doesn't prevent XSS payloads within attributes.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
**HTML/Attribute Injection - CWE-80** - cube/modules/elementor/class-cubewp-tag-post-term.php - Lines 59-60
**Old Code:**
```php
return get_term_meta( $terms[0]->term_id, $field, true );
```
**Fixed Code:**
```php
return '<img src="' . $value . '" alt="" style="max-width:100%; max-height:100%; width: ' . $icon_width_style . ';" />';
```
Explanation:
While the regex validates that `$value` matches an image URL pattern, the concatenation into an HTML attribute is not properly escaped. An attacker could potentially craft URLs with `"` or `>` characters to break out of the attribute, depending on how the regex is evaluated. The proper fix would use `esc_url()` for the src attribute: `esc_url( $value )`.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
**HTML/Attribute Injection - CWE-80** - cube/modules/elementor/class-cubewp-tag-post-term.php - Lines 56-57
**Old Code:**
```php
return get_term_meta( $terms[0]->term_id, $field, true );
```
**Fixed Code:**
```php
$icon_width_style = $icon_width_size . $icon_width_unit;
```
Explanation:
The `$icon_width_style` is concatenated directly into inline CSS without sanitization (line 60, 64). While the unit is controlled by a slider input, `$icon_width_size` is derived from user-configurable settings. If these settings aren't validated server-side, an attacker could inject CSS expressions or other malicious CSS. The fix should use `esc_attr()` or dedicated CSS sanitization when outputting inline styles.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-post-url.php@@ -0,0 +1,50 @@+<?php+if (! defined('ABSPATH')) {+ exit; // Exit if accessed directly.+}++use Elementor\Controls_Manager;+use Elementor\Core\DynamicTags\Tag;+use Elementor\Modules\DynamicTags\Module;++class CubeWp_Tag_Post_URL extends Tag+{+ public function get_name()+ {+ return 'cubewp-post-url-tag';+ }++ public function get_title()+ {+ return esc_html__('Post URL', 'cubewp-framework');+ }++ public function get_group()+ {+ return ['cubewp-single-fields'];+ }++ public function get_categories()+ {+ return [+ Module::URL_CATEGORY,+ ];+ }++ public function is_settings_required()+ {+ return true;+ }++ public function render()+ {++ if (cubewp_is_elementor_editing()) {+ echo esc_url(get_post_permalink(cubewp_get_elementor_preview_post_id()));+ } else {+ echo esc_url(get_post_permalink());+ }+ }++ protected function register_controls() {}+}
Vulnerability Existed: no No vulnerabilities identified - CWE IDs: N/A - File: cube/modules/elementor/class-cubewp-tag-post-url.php [All] Old Code: N/A (new file) Fixed Code: N/A (new file) Explanation: This is a new file addition for an Elementor dynamic tag class. The code demonstrates secure practices: 1. **Proper input handling**: The `esc_url()` function is used to escape all URL outputs (lines 42, 44), which prevents XSS vulnerabilities when displaying URLs. 2. **WordPress security patterns**: The file follows WordPress security conventions: - ABSPATH check at the top (lines 1-3) prevents direct file access - Uses WordPress core functions (`get_post_permalink()`, `esc_html__()`) - Proper use of escaping functions for output 3. **No user input**: The code doesn't directly accept or process user input - it retrieves post URLs from the WordPress database, which is a trusted source. 4. **Safe conditionals**: The check for `cubewp_is_elementor_editing()` is a simple boolean check without security implications. The implementation is secure as written.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-radio.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-radio.php 2026-01-18 00:20:56.213778845 +0000@@ -51,7 +51,7 @@ if(is_array($value)){ $value = implode(", ",$value); }- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-radio.php - Line 54 Old Code: ```php echo cubewp_core_data($value); ``` Fixed Code: ```php echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without sanitization. If `cubewp_core_data()` returns user-controlled or untrusted data without proper escaping, it could allow arbitrary HTML/JavaScript to be injected into the page, resulting in a Stored or Reflected XSS vulnerability. The fix wraps the output with `esc_html()`, which is a WordPress escaping function that converts HTML special characters to entities, preventing the browser from interpreting any injected HTML or JavaScript code. This is the appropriate mitigation for outputting data in an HTML context.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-range.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-range.php 2026-01-18 00:20:56.213778845 +0000@@ -48,7 +48,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); } }\ No newline at end of file
``` Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-range.php [Line 51] Old Code: echo cubewp_core_data($value); Fixed Code: echo esc_html(cubewp_core_data($value)); Explanation: The original code directly echoes the output of `cubewp_core_data($value)` without any sanitization or escaping. This is a reflected XSS vulnerability because user-controlled data (via `$value` from `get_field_value()`) could contain malicious HTML or JavaScript that would be executed in the browser. The fix applies `esc_html()` to escape HTML entities, preventing the browser from interpreting any HTML/JavaScript tags and rendering them as plain text instead. This is the appropriate sanitization function for outputting data in an HTML context in WordPress. ```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-repeating-field.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-repeating-field.php 2026-01-18 00:20:56.213778845 +0000@@ -51,12 +51,16 @@ $label = isset( $options["label"] ) ? $options["label"] : ""; $field_type = isset($options['type']) ? $options['type'] : ''; $value = get_field_value( $field );+ if( empty( $value ) ) {+ return;+ } $args = array( 'type' => $field_type, 'container_class' => "", 'value' => $value, 'label' => $label, );+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo CubeWp_Single_Page_Trait::field_repeating_field($args); }
I'll analyze this code diff for security vulnerabilities. Vulnerability Existed: yes FALSE POSITIVE Missing Output Escaping - CWE-79 (Cross-site Scripting) - cube/modules/elementor/class-cubewp-tag-repeating-field.php - Line 64 Old Code: ```php echo CubeWp_Single_Page_Trait::field_repeating_field($args); ``` Fixed Code: ```php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo CubeWp_Single_Page_Trait::field_repeating_field($args); ``` Explanation: This is NOT actually a security fix—it's the opposite. The vulnerability existed in the original code where unescaped output from `CubeWp_Single_Page_Trait::field_repeating_field()` was being echoed directly to the page. However, the "fix" in the new version doesn't address the vulnerability; instead, it suppresses the WordPress security warning via a phpcs ignore comment. This allows potentially dangerous unescaped output to remain without proper sanitization. A proper fix would escape the output using appropriate WordPress functions like `wp_kses_post()` or `esc_html()` depending on the content type, rather than simply ignoring the security check.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-switch.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-switch.php 2026-01-18 00:20:56.213778845 +0000@@ -48,7 +48,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-switch.php (Line 51) Old Code: ```php echo cubewp_core_data($value); ``` Fixed Code: ```php echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any HTML escaping. This is a reflected XSS vulnerability because user-controlled input (via `$value` from `get_field_value()`) could contain malicious JavaScript that would be executed in the browser context. The fix applies `esc_html()` to escape HTML special characters, preventing the injection of executable scripts. This is appropriate for displaying text content in HTML context where you want to preserve the text but prevent code execution.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-text.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-text.php 2026-01-18 00:20:56.213778845 +0000@@ -46,7 +46,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-text.php Line 49 Old Code: ``` echo cubewp_core_data($value); ``` Fixed Code: ``` echo esc_html(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any sanitization or escaping. This is a reflected XSS vulnerability because user-controlled data could be passed through `$value` and rendered directly in the HTML output without being escaped. An attacker could inject malicious JavaScript code that would execute in the context of a user's browser session. The fix wraps the output with `esc_html()`, which is a WordPress function that escapes HTML special characters, converting potentially dangerous characters like `<`, `>`, `&`, `"`, and `'` into their HTML entity equivalents. This prevents the browser from interpreting injected code as HTML/JavaScript and renders it as plain text instead.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-textarea.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-textarea.php 2026-01-18 00:20:56.213778845 +0000@@ -48,7 +48,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo wp_kses_post(cubewp_core_data($value)); }
Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-textarea.php - Line 51 Old Code: ```php echo cubewp_core_data($value); ``` Fixed Code: ```php echo wp_kses_post(cubewp_core_data($value)); ``` Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any sanitization or escaping. This creates a Stored/Reflected XSS vulnerability because if `$value` contains user-controlled data, an attacker could inject malicious JavaScript code that would be executed in the browser context of users viewing this content. The fix applies `wp_kses_post()`, a WordPress security function that sanitizes HTML content while preserving safe tags. This function strips out potentially dangerous HTML/JavaScript while allowing safe formatting tags, preventing XSS payloads from being executed. This is the appropriate sanitization method for outputting post content that may contain HTML formatting.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-time-picker.php 2026-01-18 00:20:47.525239021 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-time-picker.php 2026-01-18 00:20:56.213778845 +0000@@ -48,8 +48,7 @@ return; } $value = get_field_value( $field );- - echo cubewp_core_data($value);+ echo esc_html(cubewp_core_data($value)); }
``` Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-time-picker.php [Line 52] Old Code: echo cubewp_core_data($value); Fixed Code: echo esc_html(cubewp_core_data($value)); Explanation: The original code directly echoed the output of `cubewp_core_data($value)` without any sanitization or escaping. This creates a reflected/stored XSS vulnerability where unsanitized user input (via the `$value` parameter from `get_field_value()`) could be output directly to the HTML context. An attacker could inject malicious JavaScript code that would execute in the browser of any user viewing this content. The fix applies `esc_html()`, a WordPress escaping function that converts HTML special characters to their entity equivalents (e.g., `<` becomes `<`, `>` becomes `>`). This prevents the browser from interpreting injected HTML/JavaScript tags as executable code, effectively mitigating the XSS vulnerability. ```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-title.php 2026-01-18 00:20:47.529239270 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-title.php 2026-01-18 00:20:56.213778845 +0000@@ -26,13 +26,57 @@ return true; } - protected function register_controls() {}+protected function register_controls()+ {+ // Toggle to enable/disable line limit+ $this->add_control(+ 'line_limit_enable',+ [+ 'label' => esc_html__('Enable Line Limit', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::SWITCHER,+ 'label_on' => esc_html__('Yes', 'cubewp-framework'),+ 'label_off' => esc_html__('No', 'cubewp-framework'),+ 'return_value' => 'yes',+ 'default' => 'no',+ ]+ ); - public function render() {+ // Line limit control — only visible if the above switch is ON+ $this->add_control(+ 'line_limit',+ [+ 'label' => esc_html__('Max Lines', 'cubewp-framework'),+ 'type' => \Elementor\Controls_Manager::NUMBER,+ 'default' => 1,+ 'min' => 1,+ 'max' => 5,+ 'step' => 1,+ 'description' => esc_html__('Set how many lines to show before truncating with ellipsis.', 'cubewp-framework'),+ 'condition' => [+ 'line_limit_enable' => 'yes',+ ],+ ]+ );+ }++ public function render()+ { if (cubewp_is_elementor_editing()) {- echo get_the_title(cubewp_get_elementor_preview_post_id());- }else {- echo get_the_title();+ $title = get_the_title(cubewp_get_elementor_preview_post_id());+ } else {+ $title = get_the_title();+ }+ if (empty($title)) {+ return;+ }++ $settings = $this->get_settings_for_display();+ $enable_limit = ! empty($settings['line_limit_enable']) && $settings['line_limit_enable'] === 'yes';+ $line_limit = ! empty($settings['line_limit']) ? intval($settings['line_limit']) : 1;+ if ($enable_limit) {+ echo '<span class="cubewp-post-title-tag cubewp-clamp-' . intval($line_limit) . '">' . esc_html($title) . '</span>';+ } else {+ echo esc_html($title); } } }\ No newline at end of file
I'll analyze this code diff for security vulnerabilities. **Vulnerability 1:** Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-title.php - Lines 32-33 (old code) Old Code: ```php echo get_the_title(cubewp_get_elementor_preview_post_id()); ``` and ```php echo get_the_title(); ``` Fixed Code: ```php $title = get_the_title(cubewp_get_elementor_preview_post_id()); // ... later ... echo esc_html($title); ``` and ```php $title = get_the_title(); // ... later ... echo esc_html($title); ``` Explanation: The original code directly echoed the output of `get_the_title()` without escaping. While `get_the_title()` typically returns sanitized data, it's a WordPress best practice to escape all output when rendering in HTML context, especially in frontend-facing code. The fixed version properly escapes the title using `esc_html()` before output, preventing potential XSS vulnerabilities if the title data is ever compromised or contains special characters. **Vulnerability 2:** Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-title.php - Line 51 (old code area, new line 65) Old Code: ```php echo '<span class="cubewp-post-title-tag cubewp-clamp-' . $line_limit . '">' . get_the_title() . '</span>'; ``` Fixed Code: ```php echo '<span class="cubewp-post-title-tag cubewp-clamp-' . intval($line_limit) . '">' . esc_html($title) . '</span>'; ``` Explanation: The fixed code adds `intval()` around `$line_limit` to ensure it's cast to an integer, preventing potential injection through that attribute. More importantly, it wraps the title output with `esc_html()` for proper HTML escaping. The original code (implicit in the refactored section) would output the title without escaping, creating an XSS vulnerability if malicious content were present in the post title.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-url.php 2026-01-18 00:20:47.529239270 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-url.php 2026-01-18 00:20:56.213778845 +0000@@ -48,7 +48,7 @@ return; } $value = get_field_value( $field );- echo cubewp_core_data($value);+ echo esc_url(cubewp_core_data($value)); }
Vulnerability Existed: yes TRUE POSITIVE Cross-site Scripting (XSS) - CWE-79 - cube/modules/elementor/class-cubewp-tag-url.php - Line 51 [Old Code] echo cubewp_core_data($value); [Fixed Code] echo esc_url(cubewp_core_data($value)); Explanation: The original code directly echoes the output of `cubewp_core_data($value)` without any sanitization or escaping. Since this is in a URL context (based on the class name `cubewp-tag-url`), the value could contain malicious JavaScript or other XSS payloads if user input reaches this function. The fix applies `esc_url()`, which is the appropriate WordPress escaping function for URL output contexts. This prevents XSS attacks by escaping special characters that could break out of the URL context and execute arbitrary code in the browser.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-user.php 2026-01-18 00:20:47.529239270 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-user.php 2026-01-18 00:20:56.213778845 +0000@@ -75,7 +75,7 @@ } if ( $content_type == 'full' ) {- return get_user_details( $value );+ return cubewp_get_user_details( $value ); }else { if ( is_array( $value ) ) { foreach ( $value as $val ) {
Based on my analysis of the code diff, here is the security assessment: --- **Vulnerability Existed: not sure** **Potential Function Namespace/Undefined Function Issue - No CWE (Code Quality/Runtime Error) - class-cubewp-tag-user.php - Line 78** Old Code: ```php return get_user_details( $value ); ``` Fixed Code: ```php return cubewp_get_user_details( $value ); ``` Explanation: This change renames the function call from `get_user_details()` to `cubewp_get_user_details()`. This could indicate one of the following scenarios: 1. **Function Name Collision Fix**: The original `get_user_details()` function may have been conflicting with another function of the same name (either from WordPress core, another plugin, or a theme). The namespaced version `cubewp_get_user_details()` prevents naming conflicts and ensures the intended CubeWP framework function is called. 2. **Correcting an Undefined Function**: The original code may have been calling a non-existent `get_user_details()` function, causing a fatal error. The fix changes it to the correctly-named `cubewp_get_user_details()` function that exists within the CubeWP framework. Without access to the function definitions themselves, I cannot definitively determine if this fixes a security vulnerability (such as function spoofing or undefined function exploitation), but it does address a critical code quality issue that could lead to runtime errors or unintended function execution if a different `get_user_details()` exists in the global namespace. This is primarily a **code correctness fix** rather than a direct security vulnerability patch, but it prevents potential issues from calling the wrong function.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/elementor/class-cubewp-tag-wysiwyg-editor.php 2026-01-18 00:20:47.529239270 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/class-cubewp-tag-wysiwyg-editor.php 2026-01-18 00:20:56.213778845 +0000@@ -47,9 +47,41 @@ if ( ! $field ) { return; }- $value = get_field_value( $field );- echo cubewp_core_data($value);+ $value = get_field_value( $field );+ // Ensure string, preserve line breaks/paragraphs, then allow safe HTML + SVG.+ $value = is_string( $value ) ? $value : '';+ $value = wpautop( $value );+ echo wp_kses( $value, $this->allowed_svg() ); }- + public function allowed_svg(): array {+ $allowed = wp_kses_allowed_html('post'); // start from default post context+ $allowed['svg'] = [+ 'class' => true,+ 'xmlns' => true,+ 'width' => true,+ 'height' => true,+ 'viewBox' => true,+ 'fill' => true,+ 'stroke' => true,+ 'stroke-width'=> true,+ 'role' => true,+ 'aria-hidden' => true,+ 'focusable' => true,+ ];+ $allowed['path'] = [+ 'd' => true,+ 'fill' => true,+ 'stroke' => true,+ 'stroke-width'=> true,+ 'fill-rule' => true,+ 'clip-rule' => true,+ 'stroke-linecap' => true,+ 'stroke-linejoin' => true,+ ];+ $allowed['g'] = [ 'fill' => true, 'stroke' => true, 'clip-path' => true ];+ $allowed['title'] = [];+ $allowed['use'] = [ 'href' => true, 'xlink:href' => true ];+ return $allowed;+ } }\ No newline at end of file
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/elementor/class-cubewp-tag-wysiwyg-editor.php - Lines 50-51
Old Code:
$value = get_field_value( $field );
echo cubewp_core_data($value);
Fixed Code:
$value = get_field_value( $field );
// Ensure string, preserve line breaks/paragraphs, then allow safe HTML + SVG.
$value = is_string( $value ) ? $value : '';
$value = wpautop( $value );
echo wp_kses( $value, $this->allowed_svg() );
Explanation:
The original code directly echoed the output of `cubewp_core_data($value)` without proper sanitization or escaping. This is a classic Stored/Reflected XSS vulnerability (CWE-79) where unsanitized user input is output to the page. The fix implements proper output escaping using WordPress's `wp_kses()` function with a whitelist of allowed HTML/SVG tags via the `allowed_svg()` method. The fix also adds type checking to ensure the value is a string before processing, and uses `wpautop()` to preserve formatting while `wp_kses()` strips any dangerous HTML/JavaScript that isn't in the allowed list.
```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-color.php@@ -0,0 +1,117 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Taxonomy_color extends Tag { + + public function get_name() { + return 'cubewp-taxonomy-color-tag'; + } + + public function get_title() { + return esc_html__( 'Taxonomy Color', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::TEXT_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $this->add_control( + 'field_source', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Field Source', 'cubewp-framework' ), + 'options' => [ + 'cubewp' => esc_html__( 'CubeWP Field', 'cubewp-framework' ), + 'custom' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + ], + 'default' => 'cubewp', + ] + ); + + $options = array(); + if ( function_exists( 'cubewp_get_taxonomy_fields_by_type' ) ) { + $options = cubewp_get_taxonomy_fields_by_type( array( 'color' ) ); + } + + $this->add_control( + 'user_selected_field', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Select custom field', 'cubewp-framework' ), + 'options' => $options, + 'condition' => [ + 'field_source' => 'cubewp', + ], + ] + ); + + $this->add_control( + 'custom_field_key', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + 'description' => esc_html__( 'Enter the term meta key/slug', 'cubewp-framework' ), + 'condition' => [ + 'field_source' => 'custom', + ], + ] + ); + } + + public function render() { + $field_source = $this->get_settings( 'field_source' ); + $field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' ); + + if ( ! $field ) { + return; + } + + $preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null; + if ( $preview_term_id ) { + $term = get_term( (int) $preview_term_id ); + if ( $term && ! is_wp_error( $term ) ) { + $value = get_term_meta( $term->term_id, $field, true ); + if ( $value ) { + echo esc_html( cubewp_core_data( $value ) ); + } + return; + } + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return; + } + + $term_id = isset( $cubewp_term->term_id ) ? $cubewp_term->term_id : 0; + if ( ! $term_id ) { + return; + } + + $value = get_term_meta( $term_id, $field, true ); + if ( ! $value ) { + return; + } + + echo esc_html( cubewp_core_data( $value ) ); + } + +} +
I'll analyze this code diff for security vulnerabilities. ``` Vulnerability Existed: no [Proper Output Escaping] - [CWE-79: Improper Neutralization of Input During Web Page Generation] - class-cubewp-tag-taxonomy-color.php [Lines 89, 113] Old Code: N/A (New File) Fixed Code: echo esc_html( cubewp_core_data( $value ) ); Explanation: This is a new file, not a security fix. However, the code demonstrates proper security practices. The output is correctly escaped using esc_html() before being echoed. The value retrieved from get_term_meta() and processed through cubewp_core_data() is properly sanitized for HTML context. This prevents XSS (Cross-Site Scripting) vulnerabilities that could occur if user-controlled data were output without escaping. ``` ``` Vulnerability Existed: not sure [Insufficient Input Validation] - [CWE-20: Improper Input Validation] - class-cubewp-tag-taxonomy-color.php [Lines 79, 107] Old Code: N/A (New File) Fixed Code: $field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' ); Explanation: The $field variable is used as a meta key in get_term_meta() without validation. While the field source is controlled via a SELECT dropdown in the UI (reducing risk), the 'custom_field_key' setting comes from user input via a TEXT control. Without strict validation, this could theoretically be exploited if not properly validated at the settings level. However, this is partially mitigated by the fact that get_term_meta() is a safe WordPress function and the value is escaped before output. ```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-gallery.php@@ -0,0 +1,156 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Data_Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Taxonomy_gallery extends Data_Tag { + + public function get_name() { + return 'cubewp-taxonomy-gallery-tag'; + } + + public function get_title() { + return esc_html__( 'Taxonomy Gallery', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::GALLERY_CATEGORY, + Module::MEDIA_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $this->add_control( + 'field_source', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Field Source', 'cubewp-framework' ), + 'options' => [ + 'cubewp' => esc_html__( 'CubeWP Field', 'cubewp-framework' ), + 'custom' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + ], + 'default' => 'cubewp', + ] + ); + + $options = array(); + if ( function_exists( 'cubewp_get_taxonomy_fields_by_type' ) ) { + $options = cubewp_get_taxonomy_fields_by_type( array( 'gallery' ) ); + } + + $this->add_control( + 'user_selected_field', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Select custom field', 'cubewp-framework' ), + 'options' => $options, + 'condition' => [ + 'field_source' => 'cubewp', + ], + ] + ); + + $this->add_control( + 'custom_field_key', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + 'description' => esc_html__( 'Enter the term meta key/slug', 'cubewp-framework' ), + 'condition' => [ + 'field_source' => 'custom', + ], + ] + ); + } + + public function get_value( $options = array() ) { + $field_source = $this->get_settings( 'field_source' ); + $field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' ); + + if ( ! $field ) { + return array(); + } + + $preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null; + if ( $preview_term_id ) { + $term = get_term( (int) $preview_term_id ); + if ( $term && ! is_wp_error( $term ) ) { + $values = get_term_meta( $term->term_id, $field, true ); + return $this->process_gallery_values( $values ); + } + return array(); + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return array(); + } + + $term_id = isset( $cubewp_term->term_id ) ? $cubewp_term->term_id : 0; + if ( ! $term_id ) { + return array(); + } + + $values = get_term_meta( $term_id, $field, true ); + if ( ! $values ) { + return array(); + } + + return $this->process_gallery_values( $values ); + } + + private function process_gallery_values( $values ) { + $returnArr = array(); + if ( is_array( $values ) && count( $values ) > 0 ) { + foreach ( $values as $key => $value ) { + $image_id = is_numeric( $value ) ? (int) $value : 0; + if ( ! $image_id ) { + continue; + } + if ( ! wp_attachment_is_image( $image_id ) ) { + continue; + } + $url = wp_get_attachment_image_url( $image_id, 'full' ); + if ( ! $url ) { + continue; + } + $returnArr[ $key ] = array( + 'id' => $image_id, + 'url' => $url, + ); + } + } else { + $image_id = 0; + if ( is_string( $values ) && filter_var( $values, FILTER_VALIDATE_URL ) ) { + $image_id = attachment_url_to_postid( $values ); + } elseif ( is_numeric( $values ) ) { + $image_id = (int) $values; + } + if ( $image_id && wp_attachment_is_image( $image_id ) ) { + $url = wp_get_attachment_image_url( $image_id, 'full' ); + if ( $url ) { + $returnArr = array( + 'id' => $image_id, + 'url' => $url, + ); + } + } + } + return $returnArr; + } + +} +
Analyzing the provided code diff for security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: no
**Improper Input Validation - CWE-20** - CWE-20 - class-cubewp-tag-taxonomy-gallery.php - Lines 77-80
Old Code:
N/A (new file)
Fixed Code:
```php
$field_source = $this->get_settings( 'field_source' );
$field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' );
```
Explanation:
The code properly validates the `field_source` setting using strict equality (`===`) before conditionally selecting between two field options. The field values are retrieved from internal settings (Elementor controls) rather than directly from user input, and are later used as meta keys with `get_term_meta()`, which safely handles the key parameter. No vulnerability exists here.
---
**Vulnerability 2:**
Vulnerability Existed: no
**Use of Insufficiently Random Values - CWE-330** - CWE-330 - class-cubewp-tag-taxonomy-gallery.php - Lines 133-137
Old Code:
N/A (new file)
Fixed Code:
```php
if ( is_string( $values ) && filter_var( $values, FILTER_VALIDATE_URL ) ) {
$image_id = attachment_url_to_postid( $values );
}
```
Explanation:
The code validates URLs using `filter_var()` with `FILTER_VALIDATE_URL` before passing to `attachment_url_to_postid()`, which is a WordPress core function designed to safely convert URLs to attachment IDs. The URL validation mitigates URL-based injection risks. No vulnerability exists.
---
**Vulnerability 3:**
Vulnerability Existed: no
**SQL Injection - CWE-89** - CWE-89 - class-cubewp-tag-taxonomy-gallery.php - Lines 94, 110
Old Code:
N/A (new file)
Fixed Code:
```php
$values = get_term_meta( $term->term_id, $field, true );
$values = get_term_meta( $term_id, $field, true );
```
Explanation:
The code uses WordPress core functions `get_term_meta()` which properly sanitize inputs. Term IDs are cast to integers `(int)`, and the `$field` parameter comes from predefined Elementor controls or validated user input within the plugin context. WordPress handles parameterization internally. No SQL injection vulnerability exists.
---
**Overall Assessment:** This code file contains no identified security vulnerabilities. It properly validates inputs, uses WordPress core functions correctly, and implements appropriate type casting and validation checks.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-google-address.php@@ -0,0 +1,132 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Taxonomy_google_address extends Tag { + + public function get_name() { + return 'cubewp-taxonomy-google-address-tag'; + } + + public function get_title() { + return esc_html__( 'Taxonomy Google Address', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::TEXT_CATEGORY, + Module::POST_META_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $this->add_control( + 'field_source', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Field Source', 'cubewp-framework' ), + 'options' => [ + 'cubewp' => esc_html__( 'CubeWP Field', 'cubewp-framework' ), + 'custom' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + ], + 'default' => 'cubewp', + ] + ); + + $options = array(); + if ( function_exists( 'cubewp_get_taxonomy_fields_by_type' ) ) { + $options = cubewp_get_taxonomy_fields_by_type( array( 'google_address' ) ); + } + + $this->add_control( + 'user_selected_field', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Select custom field', 'cubewp-framework' ), + 'options' => $options, + 'condition' => [ + 'field_source' => 'cubewp', + ], + ] + ); + + $this->add_control( + 'custom_field_key', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + 'description' => esc_html__( 'Enter the term meta key/slug', 'cubewp-framework' ), + 'condition' => [ + 'field_source' => 'custom', + ], + ] + ); + } + + public function render() { + $field_source = $this->get_settings( 'field_source' ); + $field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' ); + + if ( ! $field ) { + return; + } + + $preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null; + if ( $preview_term_id ) { + $term = get_term( (int) $preview_term_id ); + if ( $term && ! is_wp_error( $term ) ) { + $value = get_term_meta( $term->term_id, $field, true ); + if ( is_array( $value ) && isset( $value['address'] ) ) { + $value = $value['address']; + } elseif ( is_array( $value ) && count( $value ) > 0 ) { + $value = isset( $value['address'] ) ? $value['address'] : ''; + } + if ( $value ) { + echo esc_html( cubewp_core_data( $value ) ); + } + return; + } + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return; + } + + $term_id = isset( $cubewp_term->term_id ) ? $cubewp_term->term_id : 0; + if ( ! $term_id ) { + return; + } + + $value = get_term_meta( $term_id, $field, true ); + if ( ! $value ) { + return; + } + + // Handle Google Address format + if ( is_array( $value ) && isset( $value['address'] ) ) { + $value = $value['address']; + } elseif ( is_array( $value ) && count( $value ) > 0 ) { + $value = isset( $value['address'] ) ? $value['address'] : ''; + } + + if ( $value ) { + echo esc_html( cubewp_core_data( $value ) ); + } + } + +} +
Analyzing the provided code diff for security vulnerabilities:
**Vulnerability Existed: no**
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-tag-taxonomy-google-address.php Lines 98, 128**
**Old Code:**
N/A (New file)
**Fixed Code:**
```php
echo esc_html( cubewp_core_data( $value ) );
```
**Explanation:**
No vulnerability exists in this code. The output is properly escaped using `esc_html()` before being displayed. While the code calls `cubewp_core_data()` on the value before escaping, the final output to the page is protected with `esc_html()`, which prevents XSS attacks. The term meta value is retrieved from the database (a trusted source in WordPress context) and is properly sanitized before display. The double-handling (cubewp_core_data + esc_html) is redundant but not vulnerable.
---
**Vulnerability Existed: no**
**Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CWE-22 - class-cubewp-tag-taxonomy-google-address.php Lines 82, 115**
**Old Code:**
N/A (New file)
**Fixed Code:**
```php
$field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' );
```
**Explanation:**
No vulnerability exists. The `$field` variable is used as a term meta key name, not as a file path or system command. WordPress's `get_term_meta()` function uses the key parameter safely as a meta key lookup, not for path traversal. The value comes from Elementor settings which are typically sanitized by Elementor's control system.
---
**Vulnerability Existed: not sure**
**Improper Input Validation - CWE-20 - class-cubewp-tag-taxonomy-google-address.php Lines 82**
**Old Code:**
N/A (New file)
**Fixed Code:**
```php
$field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' );
```
**Explanation:**
Uncertain if `cubewp_core_data()` function properly handles all data types. Without seeing the implementation of `cubewp_core_data()`, it's unclear if it safely handles the processed `$value`. The code handles array values and extracts the 'address' key, but the ultimate security depends on what `cubewp_core_data()` does with its input. If this function performs additional processing or transformations, there could be edge cases not covered here.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-image.php@@ -0,0 +1,160 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Data_Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Taxonomy_image extends Data_Tag { + + public function get_name() { + return 'cubewp-taxonomy-image-tag'; + } + + public function get_title() { + return esc_html__( 'Taxonomy Image', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::IMAGE_CATEGORY, + Module::URL_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $this->add_control( + 'field_source', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Field Source', 'cubewp-framework' ), + 'options' => [ + 'cubewp' => esc_html__( 'CubeWP Field', 'cubewp-framework' ), + 'custom' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + ], + 'default' => 'cubewp', + ] + ); + + $options = array(); + if ( function_exists( 'cubewp_get_taxonomy_fields_by_type' ) ) { + $options = cubewp_get_taxonomy_fields_by_type( array( 'image' ) ); + } + + $this->add_control( + 'user_selected_field', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Select custom field', 'cubewp-framework' ), + 'options' => $options, + 'condition' => [ + 'field_source' => 'cubewp', + ], + ] + ); + + $this->add_control( + 'custom_field_key', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + 'description' => esc_html__( 'Enter the term meta key/slug', 'cubewp-framework' ), + 'condition' => [ + 'field_source' => 'custom', + ], + ] + ); + } + + public function get_value( $options = array() ) { + $returnArr = array(); + $field_source = $this->get_settings( 'field_source' ); + $field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' ); + + if ( ! $field ) { + return $returnArr; + } + + $preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null; + if ( $preview_term_id ) { + $term = get_term( (int) $preview_term_id ); + if ( $term && ! is_wp_error( $term ) ) { + $value = get_term_meta( $term->term_id, $field, true ); + if ( $value ) { + $image_id = $this->normalize_image_id( $value ); + if ( $image_id && wp_attachment_is_image( $image_id ) ) { + $url = wp_get_attachment_image_url( $image_id, 'full' ); + if ( $url ) { + return array( + 'id' => (int) $image_id, + 'url' => $url, + ); + } + } + } + } + return $returnArr; + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return $returnArr; + } + + $term_id = isset( $cubewp_term->term_id ) ? $cubewp_term->term_id : 0; + if ( ! $term_id ) { + return $returnArr; + } + + $value = get_term_meta( $term_id, $field, true ); + if ( ! $value ) { + return $returnArr; + } + + $image_id = $this->normalize_image_id( $value ); + if ( ! $image_id || ! wp_attachment_is_image( $image_id ) ) { + return $returnArr; + } + + $url = wp_get_attachment_image_url( $image_id, 'full' ); + if ( ! $url ) { + return $returnArr; + } + + $returnArr = array( + 'id' => (int) $image_id, + 'url' => $url, + ); + + return $returnArr; + } + + private function normalize_image_id( $value ) { + $image_id = 0; + if ( is_array( $value ) ) { + if ( isset( $value['id'] ) && is_numeric( $value['id'] ) ) { + $image_id = (int) $value['id']; + } elseif ( isset( $value['url'] ) && is_string( $value['url'] ) ) { + $image_id = attachment_url_to_postid( $value['url'] ); + } + } elseif ( is_numeric( $value ) ) { + $image_id = (int) $value; + } elseif ( is_string( $value ) && filter_var( $value, FILTER_VALIDATE_URL ) ) { + $image_id = attachment_url_to_postid( $value ); + } + + return $image_id; + } + +} +
I need to analyze this code diff for security vulnerabilities. This is a new file being added, so I'll examine it for potential security issues.
## Security Analysis
**Vulnerability Existed: no**
**Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-tag-taxonomy-image.php - Lines 15, 38, 40, 68**
**Old Code:**
N/A (new file)
**Fixed Code:**
```php
public function get_title() {
return esc_html__( 'Taxonomy Image', 'cubewp-framework' );
}
```
**Explanation:**
This code does NOT contain XSS vulnerabilities. The developer has properly implemented output escaping using `esc_html__()` for all user-facing strings in the interface. The `get_title()`, `register_controls()` labels, and descriptions all use appropriate escaping functions. While the `$url` returned from `wp_get_attachment_image_url()` is not escaped in the return array (line 100, 137), this is correct because the URL is returned as structured data to be used by Elementor's dynamic tags system, not directly echoed to HTML. Elementor will handle the escaping when rendering.
---
**Vulnerability Existed: no**
**Broken Access Control / Insecure Direct Object Reference - CWE-639 - class-cubewp-tag-taxonomy-image.php - Lines 85-110**
**Old Code:**
N/A (new file)
**Fixed Code:**
```php
$preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null;
if ( $preview_term_id ) {
$term = get_term( (int) $preview_term_id );
if ( $term && ! is_wp_error( $term ) ) {
$value = get_term_meta( $term->term_id, $field, true );
```
**Explanation:**
This code does NOT contain direct object reference vulnerabilities. The `term_id` is properly cast to `(int)` before being used with `get_term()`, preventing injection attacks. WordPress's `get_term()` function includes proper capability checks for taxonomy access. However, note that `get_term_meta()` retrieves metadata without additional capability verification, but this is standard WordPress behavior and appropriate for term meta retrieval in an Elementor plugin context where the user already has access to preview/edit the term.
---
**Vulnerability Existed: no**
**Input Validation - CWE-20 - class-cubewp-tag-taxonomy-image.php - Lines 68-75**
**Old Code:**
N/A (new file)
**Fixed Code:**
```php
$this->add_control(
'custom_field_key',
[
'type' => \Elementor\Controls_Manager::TEXT,
'label' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ),
'description' => esc_html__( 'Enter the term meta key/slug', 'cubewp-framework' ),
'condition' => [
'field_source' => 'custom',
],
]
);
```
**Explanation:**
This code does NOT contain validation vulnerabilities. The `custom_field_key` is used directly as a meta key in `get_term_meta()` (line 127), which is safe because WordPress's `get_term_meta()` function properly sanitizes meta key lookups. The value is not used for SQL queries or unsanitized output. The code properly validates that `$field` exists before using it (line 87).
---
**Summary:** This is a well-written security-conscious implementation. The developer has properly used WordPress escaping functions, type casting, and sanitization functions. No security vulnerabilities were identified in this code.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-oembed.php@@ -0,0 +1,118 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Taxonomy_oembed extends Tag { + + public function get_name() { + return 'cubewp-taxonomy-oembed-tag'; + } + + public function get_title() { + return esc_html__( 'Taxonomy oEmbed', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::TEXT_CATEGORY, + Module::URL_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $this->add_control( + 'field_source', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Field Source', 'cubewp-framework' ), + 'options' => [ + 'cubewp' => esc_html__( 'CubeWP Field', 'cubewp-framework' ), + 'custom' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + ], + 'default' => 'cubewp', + ] + ); + + $options = array(); + if ( function_exists( 'cubewp_get_taxonomy_fields_by_type' ) ) { + $options = cubewp_get_taxonomy_fields_by_type( array( 'oembed' ) ); + } + + $this->add_control( + 'user_selected_field', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Select custom field', 'cubewp-framework' ), + 'options' => $options, + 'condition' => [ + 'field_source' => 'cubewp', + ], + ] + ); + + $this->add_control( + 'custom_field_key', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + 'description' => esc_html__( 'Enter the term meta key/slug', 'cubewp-framework' ), + 'condition' => [ + 'field_source' => 'custom', + ], + ] + ); + } + + public function render() { + $field_source = $this->get_settings( 'field_source' ); + $field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' ); + + if ( ! $field ) { + return; + } + + $preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null; + if ( $preview_term_id ) { + $term = get_term( (int) $preview_term_id ); + if ( $term && ! is_wp_error( $term ) ) { + $value = get_term_meta( $term->term_id, $field, true ); + if ( $value ) { + echo wp_kses_post( cubewp_core_data( $value ) ); + } + return; + } + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return; + } + + $term_id = isset( $cubewp_term->term_id ) ? $cubewp_term->term_id : 0; + if ( ! $term_id ) { + return; + } + + $value = get_term_meta( $term_id, $field, true ); + if ( ! $value ) { + return; + } + + echo wp_kses_post( cubewp_core_data( $value ) ); + } + +} +
I'll analyze this code diff for security vulnerabilities.
**Analysis Results:**
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-oembed.php - Lines 91, 115
[Old Code]
```php
echo wp_kses_post( cubewp_core_data( $value ) );
```
[Fixed Code]
```php
echo wp_kses_post( cubewp_core_data( $value ) );
```
Explanation:
This code contains a potential XSS vulnerability. The issue is that `cubewp_core_data()` function's behavior is unknown—if it doesn't properly sanitize/escape its output, the subsequent `wp_kses_post()` call may be insufficient. The real concern: user-supplied input from `get_term_meta()` is passed through `cubewp_core_data()` with no validation of what that function does. If `cubewp_core_data()` performs operations like URL reconstruction, HTML generation, or data transformation without proper escaping, malicious data stored in term meta could be rendered as executable code. The `$field` variable itself comes from user-configurable settings (`custom_field_key`) without validation, and there's no guarantee the term meta value hasn't been poisoned by an authenticated attacker with term meta write permissions.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Input Validation - CWE-20** - cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-oembed.php - Lines 79-80
[Old Code]
```php
$field_source = $this->get_settings( 'field_source' );
$field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' );
```
[Fixed Code]
```php
$field_source = $this->get_settings( 'field_source' );
$field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' );
```
Explanation:
The `$field` variable (which becomes the term meta key) is used directly in `get_term_meta()` without validation. An attacker with settings access could inject arbitrary term meta keys. While `get_term_meta()` itself is safe, there's no validation that `$field` is a legitimate/expected meta key. This could allow information disclosure if combined with other vulnerabilities, or could be used to retrieve sensitive meta values not intended for display.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
**Type Confusion / Insufficient Input Validation - CWE-843** - cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-oembed.php - Line 87
[Old Code]
```php
$term = get_term( (int) $preview_term_id );
```
[Fixed Code]
```php
$term = get_term( (int) $preview_term_id );
```
Explanation:
The `$preview_term_id` is cast to `(int)` which is good, but `cubewp_get_preview_term_id()` is not a WordPress core function—its return value is unvalidated. If this function can be compromised or returns unexpected data types, the cast may not be sufficient. However, the subsequent `is_wp_error()` check provides some mitigation. Uncertainty remains about whether `cubewp_get_preview_term_id()` has proper security controls.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-text.php@@ -0,0 +1,117 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Taxonomy_text extends Tag { + + public function get_name() { + return 'cubewp-taxonomy-text-tag'; + } + + public function get_title() { + return esc_html__( 'Taxonomy Text', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::TEXT_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $this->add_control( + 'field_source', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Field Source', 'cubewp-framework' ), + 'options' => [ + 'cubewp' => esc_html__( 'CubeWP Field', 'cubewp-framework' ), + 'custom' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + ], + 'default' => 'cubewp', + ] + ); + + $options = array(); + if ( function_exists( 'cubewp_get_taxonomy_fields_by_type' ) ) { + $options = cubewp_get_taxonomy_fields_by_type( array( 'text' ) ); + } + + $this->add_control( + 'user_selected_field', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Select custom field', 'cubewp-framework' ), + 'options' => $options, + 'condition' => [ + 'field_source' => 'cubewp', + ], + ] + ); + + $this->add_control( + 'custom_field_key', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + 'description' => esc_html__( 'Enter the term meta key/slug', 'cubewp-framework' ), + 'condition' => [ + 'field_source' => 'custom', + ], + ] + ); + } + + public function render() { + $field_source = $this->get_settings( 'field_source' ); + $field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' ); + + if ( ! $field ) { + return; + } + + $preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null; + if ( $preview_term_id ) { + $term = get_term( (int) $preview_term_id ); + if ( $term && ! is_wp_error( $term ) ) { + $value = get_term_meta( $term->term_id, $field, true ); + if ( $value ) { + echo esc_html( cubewp_core_data( $value ) ); + } + return; + } + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return; + } + + $term_id = isset( $cubewp_term->term_id ) ? $cubewp_term->term_id : 0; + if ( ! $term_id ) { + return; + } + + $value = get_term_meta( $term_id, $field, true ); + if ( ! $value ) { + return; + } + + echo esc_html( cubewp_core_data( $value ) ); + } + +} +
I'll analyze this code diff for security vulnerabilities.
```
Vulnerability Existed: no
[Improper Input Validation] - [CWE-20] - [cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-text.php] [Lines 77-78]
[Old Code]
N/A (new file)
[Fixed Code]
$field_source = $this->get_settings( 'field_source' );
$field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' );
Explanation:
The custom_field_key is used directly as a meta key in get_term_meta() without validation. While this is potentially concerning, the code is properly escaped when output using esc_html() on line 91 and 114. The meta key itself is not user-controlled at runtime in a dangerous way since it comes from Elementor control settings. No vulnerability exists in this implementation.
Vulnerability Existed: not sure
[Cross-Site Scripting (XSS)] - [CWE-79] - [cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-text.php] [Lines 88, 114]
[Old Code]
N/A (new file)
[Fixed Code]
echo esc_html( cubewp_core_data( $value ) );
Explanation:
The code properly uses esc_html() for output escaping. However, the security depends on what cubewp_core_data() does. If cubewp_core_data() returns unescaped data or applies transformations that could introduce unescaped content, XSS could occur. The proper escaping is present in this file, but the security of cubewp_core_data() is uncertain from this code alone. Assuming cubewp_core_data() is a safe utility function, no vulnerability exists here.
Vulnerability Existed: no
[Missing Authorization Check] - [CWE-862] - [cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-text.php] [Lines 82-95]
[Old Code]
N/A (new file)
[Fixed Code]
$preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null;
if ( $preview_term_id ) {
$term = get_term( (int) $preview_term_id );
Explanation:
This is an Elementor dynamic tag class used in backend preview rendering. Authorization checks are not required here as Elementor handles permission validation for backend rendering. The get_term() function is used appropriately with cast to int, and this is a preview-only context. No vulnerability exists.
```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-textarea.php@@ -0,0 +1,117 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Taxonomy_textarea extends Tag { + + public function get_name() { + return 'cubewp-taxonomy-textarea-tag'; + } + + public function get_title() { + return esc_html__( 'Taxonomy Textarea', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::TEXT_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $this->add_control( + 'field_source', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Field Source', 'cubewp-framework' ), + 'options' => [ + 'cubewp' => esc_html__( 'CubeWP Field', 'cubewp-framework' ), + 'custom' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + ], + 'default' => 'cubewp', + ] + ); + + $options = array(); + if ( function_exists( 'cubewp_get_taxonomy_fields_by_type' ) ) { + $options = cubewp_get_taxonomy_fields_by_type( array( 'textarea' ) ); + } + + $this->add_control( + 'user_selected_field', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Select custom field', 'cubewp-framework' ), + 'options' => $options, + 'condition' => [ + 'field_source' => 'cubewp', + ], + ] + ); + + $this->add_control( + 'custom_field_key', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + 'description' => esc_html__( 'Enter the term meta key/slug', 'cubewp-framework' ), + 'condition' => [ + 'field_source' => 'custom', + ], + ] + ); + } + + public function render() { + $field_source = $this->get_settings( 'field_source' ); + $field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' ); + + if ( ! $field ) { + return; + } + + $preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null; + if ( $preview_term_id ) { + $term = get_term( (int) $preview_term_id ); + if ( $term && ! is_wp_error( $term ) ) { + $value = get_term_meta( $term->term_id, $field, true ); + if ( $value ) { + echo wp_kses_post( cubewp_core_data( $value ) ); + } + return; + } + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return; + } + + $term_id = isset( $cubewp_term->term_id ) ? $cubewp_term->term_id : 0; + if ( ! $term_id ) { + return; + } + + $value = get_term_meta( $term_id, $field, true ); + if ( ! $value ) { + return; + } + + echo wp_kses_post( cubewp_core_data( $value ) ); + } + +} +
I'll analyze this code diff for security vulnerabilities. --- **Vulnerability Existed: not sure** **Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-tag-taxonomy-textarea.php - Lines 89, 112** **Old Code:** ```php echo wp_kses_post( cubewp_core_data( $value ) ); ``` **Fixed Code:** ```php echo wp_kses_post( cubewp_core_data( $value ) ); ``` **Explanation:** The code uses `wp_kses_post()` to sanitize output, which is appropriate for post content. However, the security depends entirely on the `cubewp_core_data()` function, which is not defined in this file. **Vulnerability Assessment:** - If `cubewp_core_data()` performs proper escaping/sanitization before returning, the code is safe - If `cubewp_core_data()` returns unsanitized user input or database values, XSS is possible despite `wp_kses_post()` - The `$field` variable (lines 79-80) is derived from user-controlled settings but is only used as a meta key parameter to `get_term_meta()`, which is safe - The `$value` comes from `get_term_meta()` (database), which is trusted data, making XSS less likely unless the database contains previously injected content **Uncertainty Reason:** Without seeing the implementation of `cubewp_core_data()`, it's unclear if this function introduces additional processing that could bypass `wp_kses_post()` or if it properly sanitizes the value before `wp_kses_post()` is applied. The presence of `wp_kses_post()` suggests awareness of XSS risks, but the actual vulnerability depends on the upstream function's behavior.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-url.php@@ -0,0 +1,117 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Taxonomy_url extends Tag { + + public function get_name() { + return 'cubewp-taxonomy-url-tag'; + } + + public function get_title() { + return esc_html__( 'Taxonomy URL', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::URL_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $this->add_control( + 'field_source', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Field Source', 'cubewp-framework' ), + 'options' => [ + 'cubewp' => esc_html__( 'CubeWP Field', 'cubewp-framework' ), + 'custom' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + ], + 'default' => 'cubewp', + ] + ); + + $options = array(); + if ( function_exists( 'cubewp_get_taxonomy_fields_by_type' ) ) { + $options = cubewp_get_taxonomy_fields_by_type( array( 'url' ) ); + } + + $this->add_control( + 'user_selected_field', + [ + 'type' => \Elementor\Controls_Manager::SELECT, + 'label' => esc_html__( 'Select custom field', 'cubewp-framework' ), + 'options' => $options, + 'condition' => [ + 'field_source' => 'cubewp', + ], + ] + ); + + $this->add_control( + 'custom_field_key', + [ + 'type' => \Elementor\Controls_Manager::TEXT, + 'label' => esc_html__( 'Custom Term Meta Key', 'cubewp-framework' ), + 'description' => esc_html__( 'Enter the term meta key/slug', 'cubewp-framework' ), + 'condition' => [ + 'field_source' => 'custom', + ], + ] + ); + } + + public function render() { + $field_source = $this->get_settings( 'field_source' ); + $field = 'cubewp' === $field_source ? $this->get_settings( 'user_selected_field' ) : $this->get_settings( 'custom_field_key' ); + + if ( ! $field ) { + return; + } + + $preview_term_id = function_exists( 'cubewp_get_preview_term_id' ) ? cubewp_get_preview_term_id() : null; + if ( $preview_term_id ) { + $term = get_term( (int) $preview_term_id ); + if ( $term && ! is_wp_error( $term ) ) { + $value = get_term_meta( $term->term_id, $field, true ); + if ( $value ) { + echo esc_url( cubewp_core_data( $value ) ); + } + return; + } + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return; + } + + $term_id = isset( $cubewp_term->term_id ) ? $cubewp_term->term_id : 0; + if ( ! $term_id ) { + return; + } + + $value = get_term_meta( $term_id, $field, true ); + if ( ! $value ) { + return; + } + + echo esc_url( cubewp_core_data( $value ) ); + } + +} +
# Security Analysis Report
**File:** cube/modules/elementor/taxonomy/class-cubewp-tag-taxonomy-url.php
**Analysis:** This is a new file (diff shows creation from /dev/null), so there are no "fixes" to existing vulnerabilities. However, the security analysis reveals the following findings:
---
## Vulnerability 1
**Vulnerability Existed:** not sure
**CWE-94 - Improper Control of Generation of Code ('Code Injection') - class-cubewp-tag-taxonomy-url.php - Lines 88-91**
**Old Code:**
```php
N/A (new file)
```
**Fixed Code:**
```php
$value = get_term_meta( $term->term_id, $field, true );
if ( $value ) {
echo esc_url( cubewp_core_data( $value ) );
}
```
**Explanation:**
The code calls `cubewp_core_data( $value )` on user-controlled data retrieved from term meta. While `esc_url()` is applied to the output, the security depends entirely on what `cubewp_core_data()` does. If this function does not properly sanitize/escape its output before `esc_url()` is applied, or if it modifies the data in an unsafe way, there could be an injection vulnerability. Additionally, the `$field` variable comes from user settings in the Elementor control and is used directly in `get_term_meta()` without validation, though this is likely safe as a meta key parameter.
---
## Vulnerability 2
**Vulnerability Existed:** not sure
**CWE-94 - Improper Control of Generation of Code ('Code Injection') - class-cubewp-tag-taxonomy-url.php - Lines 109-112**
**Old Code:**
```php
N/A (new file)
```
**Fixed Code:**
```php
$value = get_term_meta( $term_id, $field, true );
if ( ! $value ) {
return;
}
echo esc_url( cubewp_core_data( $value ) );
```
**Explanation:**
Same concern as Vulnerability 1 - the security of this code depends on the implementation of `cubewp_core_data()`. The function is called with user-controlled term meta values, and proper sanitization is critical. Without visibility into this function's implementation, it cannot be definitively determined if a vulnerability exists.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-term-count.php@@ -0,0 +1,55 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Term_count extends Tag { + + public function get_name() { + return 'cubewp-term-count-tag'; + } + + public function get_title() { + return esc_html__( 'Term Count', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::TEXT_CATEGORY, + ]; + } + + public function is_settings_required() { + return false; + } + + public function render() { + $preview_term_id = function_exists('cubewp_get_preview_term_id') ? cubewp_get_preview_term_id() : null; + if ($preview_term_id) { + $term = get_term((int) $preview_term_id); + if ($term && ! is_wp_error($term)) { + $term_count = isset( $term->count ) ? $term->count : 0; + echo esc_html( $term_count ); + return; + } + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return; + } + + $term_count = isset( $cubewp_term->count ) ? $cubewp_term->count : 0; + echo esc_html( $term_count ); + } + +} +
I'll analyze this code diff for security vulnerabilities.
```
Vulnerability Existed: no
Improper Input Validation - CWE-20 - class-cubewp-tag-term-count.php (Line 34)
[N/A - No vulnerability in old code]
$preview_term_id = function_exists('cubewp_get_preview_term_id') ? cubewp_get_preview_term_id() : null;
if ($preview_term_id) {
$term = get_term((int) $preview_term_id);
Explanation:
While the code casts $preview_term_id to int on line 35, this is a proper security practice. The int cast sanitizes the input before passing it to get_term(), preventing potential SQL injection or data type confusion attacks. The code properly validates that $preview_term_id is truthy before use, and the WordPress get_term() function is safe for use with sanitized integer inputs.
```
```
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-tag-term-count.php (Lines 38, 50)
[N/A - No vulnerability in original code]
echo esc_html( $term_count );
echo esc_html( $term_count );
Explanation:
The code properly escapes output using esc_html() before echoing. Since $term_count is retrieved from the WordPress term object's count property (a numeric value), and it's escaped before output, there is no XSS vulnerability. The escaping is appropriate for HTML context.
```
```
Vulnerability Existed: no
Use of Potentially Dangerous Function - CWE-78 - class-cubewp-tag-term-count.php (Lines 33, 43)
[N/A - No vulnerability in original code]
$preview_term_id = function_exists('cubewp_get_preview_term_id') ? cubewp_get_preview_term_id() : null;
global $cubewp_term;
Explanation:
The use of function_exists() is a proper defensive check before calling cubewp_get_preview_term_id(). The use of global variables and function_exists() are standard WordPress patterns. No execution of arbitrary code or unsafe operations are present. The global $cubewp_term is checked with isset() and is_object() before use, which is appropriate validation.
```
**Summary:** This new file contains no security vulnerabilities. The code demonstrates security best practices including input validation (int casting), output escaping (esc_html), and proper existence checks before function/object usage.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-term-description.php@@ -0,0 +1,102 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Controls_Manager; +use Elementor\Core\DynamicTags\Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Term_description extends Tag { + + public function get_name() { + return 'cubewp-term-description-tag'; + } + + public function get_title() { + return esc_html__( 'Term Description', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::TEXT_CATEGORY, + ]; + } + + public function is_settings_required() { + return true; + } + + protected function register_controls() { + $this->add_control( + 'description_length', + [ + 'label' => esc_html__( 'Description Length (words)', 'cubewp-framework' ), + 'type' => Controls_Manager::NUMBER, + 'default' => 0, + 'min' => 0, + 'max' => 500, + 'description' => esc_html__( 'Set to 0 to show full description. Set a number to limit the word count.', 'cubewp-framework' ), + ] + ); + + $this->add_control( + 'more_text', + [ + 'label' => esc_html__( 'More Text', 'cubewp-framework' ), + 'type' => Controls_Manager::TEXT, + 'default' => esc_html__( '...', 'cubewp-framework' ), + 'description' => esc_html__( 'Text to append when description is trimmed (e.g., "...", "Read more")', 'cubewp-framework' ), + 'condition' => [ + 'description_length!' => [0, ''], + ], + ] + ); + } + + public function render() { + $settings = $this->get_settings(); + $length = ! empty( $settings['description_length'] ) ? intval( $settings['description_length'] ) : 0; + $more_text = ! empty( $settings['more_text'] ) ? $settings['more_text'] : '...'; + + $preview_term_id = function_exists('cubewp_get_preview_term_id') ? cubewp_get_preview_term_id() : null; + if ( $preview_term_id ) { + $term = get_term((int) $preview_term_id); + if ( $term && ! is_wp_error($term) ) { + $description = isset( $term->description ) ? $term->description : ''; + if ( ! empty( $description ) ) { + if ( $length > 0 ) { + $description = wp_trim_words( wp_strip_all_tags( $description ), $length, $more_text ); + } + echo wp_kses_post( $description ); + } + return; + } + } + + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return; + } + + $description = isset( $cubewp_term->description ) ? $cubewp_term->description : ''; + + if ( empty( $description ) ) { + return; + } + + // Apply word limit if set + if ( $length > 0 ) { + $description = wp_trim_words( wp_strip_all_tags( $description ), $length, $more_text ); + } + + echo wp_kses_post( $description ); + } + +} +
# Security Analysis Report
## File: cube/modules/elementor/taxonomy/class-cubewp-tag-term-description.php
This is a new file (created from /dev/null), so I'm analyzing it for inherent security vulnerabilities rather than fixes.
---
### Vulnerability 1
**Vulnerability Existed:** no
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-tag-term-description.php - Lines 73, 99**
**Old Code:**
N/A (new file)
**Fixed Code:**
```php
echo wp_kses_post( $description );
```
**Explanation:**
The code properly uses `wp_kses_post()` to escape the term description before output. This WordPress function sanitizes HTML while preserving safe markup, effectively preventing XSS vulnerabilities. The description data comes from the WordPress term object or preview function, and is properly escaped before display.
---
### Vulnerability 2
**Vulnerability Existed:** no
**Improper Neutralization of Special Elements used in an SQL Statement ('SQL Injection') - CWE-89 - class-cubewp-tag-term-description.php - Lines 67, 68**
**Old Code:**
N/A (new file)
**Fixed Code:**
```php
$preview_term_id = function_exists('cubewp_get_preview_term_id') ? cubewp_get_preview_term_id() : null;
if ( $preview_term_id ) {
$term = get_term((int) $preview_term_id);
```
**Explanation:**
The code properly casts `$preview_term_id` to an integer before passing it to `get_term()`, which prevents SQL injection. The WordPress `get_term()` function uses prepared statements internally, and the integer cast ensures only numeric values are passed.
---
### Vulnerability 3
**Vulnerability Existed:** no
**Improper Control of Interaction Frequency - CWE-799 - class-cubewp-tag-term-description.php - Lines 48-57**
**Old Code:**
N/A (new file)
**Fixed Code:**
```php
'max' => 500,
```
**Explanation:**
The `description_length` control includes proper validation with min (0) and max (500) constraints at the UI level, preventing unreasonable word count values that could cause performance issues.
---
## Summary
**No security vulnerabilities detected.** The code demonstrates good security practices:
- Proper output escaping using `wp_kses_post()`
- Input validation and casting
- Safe WordPress API usage
- Proper existence checks before function calls
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-term-name.php@@ -0,0 +1,53 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Term_name extends Tag { + + public function get_name() { + return 'cubewp-term-name-tag'; + } + + public function get_title() { + return esc_html__( 'Term Name', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::TEXT_CATEGORY, + ]; + } + + public function is_settings_required() { + return false; + } + + public function render() { + $preview_term_id = function_exists('cubewp_get_preview_term_id') ? cubewp_get_preview_term_id() : null; + if ($preview_term_id) { + $term = get_term((int) $preview_term_id); + if ($term && ! is_wp_error($term)) { + echo esc_html( $term->name ); + return; + } + } + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return; + } + + $term_name = isset( $cubewp_term->name ) ? $cubewp_term->name : ''; + echo esc_html( $term_name ); + } + +} +
Vulnerability Existed: no Output Encoding - CWE-79 - cube/modules/elementor/taxonomy/class-cubewp-tag-term-name.php Lines 37, 50 Old Code: N/A (New file - no previous version to compare) Fixed Code: ```php echo esc_html( $term->name ); // Line 37 echo esc_html( $term_name ); // Line 50 ``` Explanation: This is a new file, not a fix for an existing vulnerability. The code properly implements output encoding using `esc_html()` for all user-facing data before echoing. Both instances where term names are output (lines 37 and 50) use proper escaping, which prevents XSS (Cross-Site Scripting) attacks. The code correctly sanitizes the `$term->name` property from WordPress term objects and the `$cubewp_term->name` property before display. This follows WordPress security best practices for handling dynamic content in templates.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- /dev/null+++ cache/cubewp-framework_1.1.28/cube/modules/elementor/taxonomy/class-cubewp-tag-term-url.php@@ -0,0 +1,68 @@+<?php +if ( ! defined( 'ABSPATH' ) ) { + exit; // Exit if accessed directly. +} + +use Elementor\Core\DynamicTags\Data_Tag; +use Elementor\Modules\DynamicTags\Module; + +class CubeWp_Tag_Term_url extends Data_Tag { + + public function get_name() { + return 'cubewp-term-url-tag'; + } + + public function get_title() { + return esc_html__( 'Term URL', 'cubewp-framework' ); + } + + public function get_group() { + return [ 'cubewp-taxonomy-fields' ]; + } + + public function get_categories() { + return [ + Module::URL_CATEGORY, + ]; + } + + public function is_settings_required() { + return false; + } + + public function get_value( $options = array() ) { + $preview_term_id = function_exists('cubewp_get_preview_term_id') ? cubewp_get_preview_term_id() : null; + if ($preview_term_id) { + $term = get_term((int) $preview_term_id); + if ($term && ! is_wp_error($term)) { + $term_link = get_term_link($term); + if (! is_wp_error($term_link)) { + return $term_link; + } + } + } + global $cubewp_term; + + if ( ! isset( $cubewp_term ) || ! is_object( $cubewp_term ) ) { + return ''; + } + + $term_id = isset( $cubewp_term->term_id ) ? $cubewp_term->term_id : 0; + if ( ! $term_id ) { + return ''; + } + + $term_link = get_term_link( $term_id ); + if ( is_wp_error( $term_link ) ) { + return ''; + } + + return $term_link; + } + + protected function register_controls() { + // No controls needed for term URL + } + +} +
I'll analyze this code diff for security vulnerabilities.
Vulnerability Existed: no
**Unrestricted URL Output - CWE-79 (Cross-Site Scripting)** - CWE-79 - class-cubewp-tag-term-url.php - Lines 37-38, 56
**Old Code:**
```php
return $term_link;
```
**Fixed Code:**
```php
return $term_link;
```
**Explanation:**
This is a new file, so there is no "old code" to compare. However, analyzing the current implementation: The code returns `$term_link` directly without escaping at lines 37-38 and 56. The `get_term_link()` WordPress function returns a URL string that is not pre-escaped for HTML context. When this value is used in an Elementor dynamic tag context, it will be output to HTML without sanitization, creating a potential XSS vulnerability if the term slug or taxonomy name contains malicious characters.
**Recommendation:** The return value should be escaped using `esc_url()` before returning:
```php
return esc_url( $term_link );
```
---
Vulnerability Existed: not sure
**Insufficient Input Validation - CWE-20** - CWE-20 - class-cubewp-tag-term-url.php - Line 34
**Old Code:**
N/A (new file)
**Fixed Code:**
```php
$preview_term_id = function_exists('cubewp_get_preview_term_id') ? cubewp_get_preview_term_id() : null;
if ($preview_term_id) {
$term = get_term((int) $preview_term_id);
```
**Explanation:**
The code casts `$preview_term_id` to `(int)` which provides basic validation, but there's uncertainty about whether `cubewp_get_preview_term_id()` could return a malicious value or whether additional validation is needed. The function existence check is present, but the return value's validity isn't verified beyond type casting. This is likely adequate for WordPress plugin context where `get_term()` has built-in validation, but without seeing the implementation of `cubewp_get_preview_term_id()`, full assessment is uncertain.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/list-tables/class-cubewp-post-types-custom-fields-table.php 2026-01-18 00:20:47.529239270 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/list-tables/class-cubewp-post-types-custom-fields-table.php 2026-01-18 00:20:56.213778845 +0000@@ -53,9 +53,11 @@ public function usort_reorder( $a, $b ) { // If no sort, default to title- $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'group_name';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'group_name'; // If no order, default to asc- $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc'; // Determine sort order $result = strcmp( $a[$orderby], $b[$orderby] ); // Send final sort direction to usort@@ -112,11 +114,12 @@ protected function process_bulk_action() { // Detect when a bulk action is being triggered. if ( 'delete' === $this->current_action() ) { - $nonce = esc_html( $_REQUEST['_wpnonce'] );+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'bulk-' . $this->_args['plural'] ) ) { if(isset($_REQUEST['cwp_group_bulk_action'])){-- $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']);+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']); //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash foreach($bulk_request as $group){ new CubeWp_Update_Frontend_Forms(array('group_id'=>$group,'group_options'=>true)); wp_delete_post($group, true);@@ -124,41 +127,49 @@ } } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_delete_group')) { if(isset($_REQUEST['groupid'])){- new CubeWp_Update_Frontend_Forms(array('group_id'=>sanitize_text_field($_REQUEST['groupid']),'group_options'=>true));- wp_delete_post(sanitize_text_field($_REQUEST['groupid']), true);+ new CubeWp_Update_Frontend_Forms(array('group_id'=>sanitize_text_field(wp_unslash($_REQUEST['groupid'])),'group_options'=>true));+ wp_delete_post(sanitize_text_field(wp_unslash($_REQUEST['groupid'])), true); }- wp_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ exit; } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'duplicate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_duplicate_group')) { if(isset($_REQUEST['groupid'])){- self::duplicate_group($_REQUEST['groupid']);+ self::duplicate_group(sanitize_text_field(wp_unslash($_REQUEST['groupid']))); }- wp_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ exit; } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'deactivate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_status_group')) { if(isset($_REQUEST['groupid'])){- self::deactivate_group($_REQUEST['groupid']);+ self::deactivate_group(sanitize_text_field(wp_unslash($_REQUEST['groupid']))); }- wp_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ exit; } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'activate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_status_group')) { if(isset($_REQUEST['groupid'])){- self::activate_group($_REQUEST['groupid']);+ self::activate_group(sanitize_text_field(wp_unslash($_REQUEST['groupid']))); }- wp_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('custom-fields') );+ exit; } }
# Security Analysis of Code Diff
## Vulnerability 1: Improper Output Encoding / Unsafe Redirect
**Vulnerability Existed:** yes
**CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') / CWE-200 - Information Exposure Through an Error Message - Multiple instances**
**File:** cube/modules/list-tables/class-cubewp-post-types-custom-fields-table.php
**Lines:** 138, 144, 151, 157, 163
**Old Code:**
```php
wp_redirect( CubeWp_Submenu::_page_action('custom-fields') );
```
**Fixed Code:**
```php
wp_safe_redirect( CubeWp_Submenu::_page_action('custom-fields') );
exit;
```
**Explanation:**
The original code used `wp_redirect()` which performs a redirect without validating that the URL is safe (internal to the site). If `CubeWp_Submenu::_page_action()` could be manipulated to return an external URL, this could lead to an open redirect vulnerability (CWE-601). The fix uses `wp_safe_redirect()` which validates that the redirect location is internal to the site, preventing open redirect attacks. Additionally, adding `exit;` after the redirect ensures no further code execution occurs, which is a WordPress security best practice.
---
## Vulnerability 2: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
**Vulnerability Existed:** yes
**CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - Multiple instances**
**File:** cube/modules/list-tables/class-cubewp-post-types-custom-fields-table.php
**Lines:** 56, 59, 117, 130, 135, 141, 148, 154, 160, 166
**Old Code:**
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'group_name';
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';
$nonce = esc_html( $_REQUEST['_wpnonce'] );
```
**Fixed Code:**
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'group_name';
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc';
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
// And similar fixes for $_REQUEST['groupid'] and $_REQUEST['cwp_group_bulk_action']
```
**Explanation:**
The original code uses `sanitize_text_field()` directly on superglobal values without first unslashing them via `wp_unslash()`. In WordPress, `$_GET`, `$_POST`, and `$_REQUEST` are automatically slashed by WordPress when magic quotes are enabled or as a defensive measure. Using `sanitize_text_field()` without `wp_unslash()` first can lead to double-escaped data or improper sanitization. Additionally, the old code used `esc_html()` on the nonce instead of `sanitize_text_field()`, and didn't check `isset()` before accessing the array key. The fix properly unslashes user input before sanitization using `wp_unslash()`, checks for key existence with `isset()`, and provides sensible defaults, following WordPress security best practices to prevent XSS vulnerabilities.
---
## Vulnerability 3: Improper Input Validation / Array Processing Without Proper Sanitization
**Vulnerability Existed:** yes
**CWE-20 - Improper Input Validation**
**File:** cube/modules/list-tables/class-cubewp-post-types-custom-fields-table.php
**Lines:** 120-121
**Old Code:**
```php
$bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']);
```
**Fixed Code:**
```php
/* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */
$bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']); //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
```
**Explanation:**
The original code passes `$_REQUEST['cwp_group_bulk_action']` directly to a custom sanitization function without first using `wp_unslash()`. The fix adds PHPCS ignore directives to document that this line intentionally bypasses certain security checks, acknowledging the issue exists. However, note that this is **not a complete fix** - it only suppresses the PHPCS warnings rather than actually fixing the underlying vulnerability. A proper fix would involve using `wp_unslash()` before passing to the sanitization function: `CubeWp_Sanitize_text_Array(wp_unslash($_REQUEST['cwp_group_bulk_action']))`.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/list-tables/class-cubewp-post-types-list-table.php 2026-01-18 00:20:47.529239270 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/list-tables/class-cubewp-post-types-list-table.php 2026-01-18 00:20:56.213778845 +0000@@ -63,9 +63,11 @@ public function usort_reorder( $a, $b ) { // If no sort, default to title- $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'plural_name';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'plural_name'; // If no order, default to asc- $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc'; // Determine sort order $result = strcmp( $a[$orderby], $b[$orderby] ); // Send final sort direction to usort@@ -114,10 +116,11 @@ protected function process_bulk_action() { // Detect when a bulk action is being triggered. if ( 'delete' === $this->current_action() ) { - $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'bulk-' . $this->_args['plural'] ) ) { $get_CustomTypes = CWP_types();- $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_types_bulk_action']);+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ $bulk_request = isset($_REQUEST['cwp_types_bulk_action']) ? CubeWp_Sanitize_text_Array($_REQUEST['cwp_types_bulk_action']) : array(); //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash foreach($bulk_request as $type){ if($type){ unset($get_CustomTypes[$type]);@@ -127,15 +130,17 @@ } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_delete_post_type')) { $get_CustomTypes = CWP_types();- if(isset($get_CustomTypes[sanitize_text_field($_REQUEST['postTypeslug'])])){- unset($get_CustomTypes[sanitize_text_field($_REQUEST['postTypeslug'])]);+ if(isset($get_CustomTypes[sanitize_text_field(wp_unslash($_REQUEST['postTypeslug']))])){+ unset($get_CustomTypes[sanitize_text_field(wp_unslash($_REQUEST['postTypeslug']))]); update_option('cwp_custom_types', $get_CustomTypes); }- wp_redirect( CubeWp_Submenu::_page_action('cubewp-post-types') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('cubewp-post-types') );+ exit; } }
I'll analyze the provided code diff for security vulnerabilities.
## Security Analysis
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - class-cubewp-post-types-list-table.php Lines 66-67, 70-71
Old Code:
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'plural_name';
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';
```
Fixed Code:
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'plural_name';
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc';
```
Explanation:
The old code used `sanitize_text_field()` directly on `$_GET` values without first applying `wp_unslash()`. In WordPress, `$_GET` values may contain slashes added by magic quotes or slashing middleware. `sanitize_text_field()` does not remove these slashes, so escaped quotes could remain in the output. Using `wp_unslash()` before sanitization ensures that any escaped characters are properly decoded before sanitization, preventing potential bypass of sanitization.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - class-cubewp-post-types-list-table.php Line 117
Old Code:
```php
$nonce = esc_html( $_REQUEST['_wpnonce'] );
```
Fixed Code:
```php
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
```
Explanation:
The old code used `esc_html()` on a nonce value intended for `wp_verify_nonce()`. The `esc_html()` function is for output escaping, not input sanitization. It would convert HTML entities, breaking the nonce verification. The fixed code properly uses `wp_unslash()` followed by `sanitize_text_field()` to prepare the nonce for verification while also adding an `isset()` check to prevent undefined index warnings.
---
**Vulnerability 3:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Input Validation - CWE-20** - class-cubewp-post-types-list-table.php Line 120
Old Code:
```php
$bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_types_bulk_action']);
```
Fixed Code:
```php
$bulk_request = isset($_REQUEST['cwp_types_bulk_action']) ? CubeWp_Sanitize_text_Array($_REQUEST['cwp_types_bulk_action']) : array();
```
Explanation:
The old code directly accessed `$_REQUEST['cwp_types_bulk_action']` without checking if it exists, which could cause an undefined index notice/warning. The fixed code adds an `isset()` check to prevent this, providing a safe default empty array if the key is missing.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - class-cubewp-post-types-list-table.php Line 135
Old Code:
```php
$nonce = esc_html( $_REQUEST['_wpnonce'] );
```
Fixed Code:
```php
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
```
Explanation:
Same as Vulnerability 2 - the use of `esc_html()` on a nonce is incorrect. Nonces must be sanitized (not escaped) before verification, and the fixed code properly applies `wp_unslash()` and `sanitize_text_field()` with an existence check.
---
**Vulnerability 5:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - class-cubewp-post-types-list-table.php Lines 138-139
Old Code:
```php
if(isset($get_CustomTypes[sanitize_text_field($_REQUEST['postTypeslug'])])){
unset($get_CustomTypes[sanitize_text_field($_REQUEST['postTypeslug'])]);
```
Fixed Code:
```php
if(isset($get_CustomTypes[sanitize_text_field(wp_unslash($_REQUEST['postTypeslug']))])){
unset($get_CustomTypes[sanitize_text_field(wp_unslash($_REQUEST['postTypeslug']))]);
```
Explanation:
Similar to Vulnerability 1, the old code sanitizes `$_REQUEST['postTypeslug']` without first applying `wp_unslash()`. This can leave escaped characters in place that should have been decoded before sanitization.
---
**Vulnerability 6:**
Vulnerability Existed: yes
TRUE POSITIVE
**Open Redirect - CWE-601** - class-cubewp-post-types-list-table.php Line 142
Old Code:
```php
wp_redirect( CubeWp_Submenu::_page_action('cubewp-post-types') );
```
Fixed Code:
```php
wp_safe_redirect( CubeWp_Submenu::_page_action('cubewp-post-types') );
exit;
```
Explanation:
The old code uses `wp_redirect()` which does not validate that the redirect URL is safe (local). `wp_safe_redirect()` should be used instead, which verifies the URL stays within the same host, preventing open redirect vulnerabilities. Additionally, the fixed code adds `exit;` to ensure the redirect is executed immediately and no further code is processed.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/list-tables/class-cubewp-settings-custom-fields-table.php 2026-01-18 00:20:47.529239270 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/list-tables/class-cubewp-settings-custom-fields-table.php 2026-01-18 00:20:56.213778845 +0000@@ -49,9 +49,11 @@ public function usort_reorder( $a, $b ) { // If no sort, default to title- $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'group_name';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'group_name'; // If no order, default to asc- $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc'; // Determine sort order $result = strcmp( $a[$orderby], $b[$orderby] ); // Send final sort direction to usort@@ -108,10 +110,11 @@ protected function process_bulk_action() { // Detect when a bulk action is being triggered. if ( 'delete' === $this->current_action() ) { - $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'bulk-' . $this->_args['plural'] ) ) { if(isset($_REQUEST['cwp_group_bulk_action'])){- $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']);+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']); //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash foreach($bulk_request as $group){ $group_fields = get_post_meta($group, '_cwp_group_fields', true); $group_fields = explode(',', $group_fields);@@ -129,11 +132,12 @@ } } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_delete_group')) { if(isset($_REQUEST['groupid'])){- $group_fields = get_post_meta($_REQUEST['groupid'], '_cwp_group_fields', true);+ $group_fields = get_post_meta(sanitize_text_field(wp_unslash($_REQUEST['groupid'])), '_cwp_group_fields', true); $group_fields = explode(',', $group_fields); if(isset($group_fields) && !empty($group_fields)){ $fieldOptions = CWP()->get_custom_fields('settings');@@ -144,36 +148,43 @@ } CWP()->update_custom_fields( 'settings', $fieldOptions ); }- wp_delete_post(sanitize_text_field($_REQUEST['groupid']), true);+ wp_delete_post(sanitize_text_field(wp_unslash($_REQUEST['groupid'])), true); }- wp_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ exit; } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'duplicate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_duplicate_group')) { if(isset($_REQUEST['groupid'])){- self::duplicate_group($_REQUEST['groupid']);+ self::duplicate_group(sanitize_text_field(wp_unslash($_REQUEST['groupid']))); }- wp_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ exit; } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'deactivate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_status_group')) { if(isset($_REQUEST['groupid'])){- self::deactivate_group($_REQUEST['groupid']);+ self::deactivate_group(sanitize_text_field(wp_unslash($_REQUEST['groupid']))); }- wp_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ exit; } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'activate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_status_group')) { if(isset($_REQUEST['groupid'])){- self::activate_group($_REQUEST['groupid']);+ self::activate_group(sanitize_text_field(wp_unslash($_REQUEST['groupid']))); }- wp_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ exit; } }
# Security Analysis of Code Diff
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Input Validation - CWE-20** - CWE-20 - class-cubewp-settings-custom-fields-table.php (lines 52-53)
**Old Code:**
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'group_name';
```
**Fixed Code:**
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'group_name';
```
**Explanation:**
The original code was vulnerable to character encoding attacks. User input from `$_GET['orderby']` may contain magic quotes or slashes that need to be stripped before sanitization. Using `wp_unslash()` before `sanitize_text_field()` ensures that any escaped characters are properly handled, preventing bypass of sanitization filters and potential injection attacks.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Input Validation - CWE-20** - CWE-20 - class-cubewp-settings-custom-fields-table.php (lines 55-56)
**Old Code:**
```php
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';
```
**Fixed Code:**
```php
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc';
```
**Explanation:**
Same vulnerability as above. The `$_GET['order']` parameter requires `wp_unslash()` before sanitization to properly handle escaped characters and prevent potential injection attacks through improper encoding handling.
---
**Vulnerability 3:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Input During Web Page Generation - CWE-79 (Cross-Site Scripting)** - CWE-79 - class-cubewp-settings-custom-fields-table.php (lines 113)
**Old Code:**
```php
$nonce = esc_html( $_REQUEST['_wpnonce'] );
```
**Fixed Code:**
```php
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
```
**Explanation:**
The original code used `esc_html()` on the nonce, which is intended for output escaping, not input sanitization. Nonces should be sanitized using `sanitize_text_field()` with `wp_unslash()` for proper handling. Additionally, the fix adds an `isset()` check to prevent undefined index notices and provides a safe default value.
---
**Vulnerability 4:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Neutralization of Special Elements used in a Command - CWE-78 (OS Command Injection)** - CWE-78 - class-cubewp-settings-custom-fields-table.php (lines 137)
**Old Code:**
```php
$bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']);
```
**Fixed Code:**
```php
/* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */
$bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']); //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
```
**Explanation:**
The original code was vulnerable because `$_REQUEST['cwp_group_bulk_action']` was passed directly to `CubeWp_Sanitize_text_Array()` without `wp_unslash()`, which could allow escaped characters to bypass sanitization. While the fix doesn't change the core logic, the phpcs comments indicate acknowledgment of the security issue. The proper fix would be to add `wp_unslash()`: `CubeWp_Sanitize_text_Array(wp_unslash($_REQUEST['cwp_group_bulk_action']))`.
---
**Vulnerability 5:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Redirect - CWE-601 (URL Redirection to Untrusted Site)** - CWE-601 - class-cubewp-settings-custom-fields-table.php (lines 146-147)
**Old Code:**
```php
wp_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );
```
**Fixed Code:**
```php
wp_safe_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );
exit;
```
**Explanation:**
The original code used `wp_redirect()` which can be vulnerable to open redirect attacks if the destination URL is not properly validated. Switching to `wp_safe_redirect()` ensures that redirects only occur to allowed hosts. Additionally, adding `exit;` ensures that code execution stops immediately after the redirect header is sent, preventing potential logic flow vulnerabilities.
---
**Vulnerability 6:**
Vulnerability Existed: yes
FALSE POSITIVE
**Improper Input Validation - CWE-20** - CWE-20 - class-cubewp-settings-custom-fields-table.php (lines 139-140)
**Old Code:**
```php
$group_fields = get_post_meta($_REQUEST['groupid'], '_cwp_group_fields', true);
```
**Fixed Code:**
```php
$group_fields = get_post_meta(sanitize_text_field(wp_unslash($_REQUEST['groupid'])), '_cwp_group_fields', true);
```
**Explanation:**
The original code passed unsanitized `$_REQUEST['groupid']` directly to `get_post_meta()`. While WordPress functions typically handle escaping, passing user input directly without sanitization and unslashing violates security best practices and could potentially lead to SQL injection or data manipulation attacks depending on the underlying implementation.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/list-tables/class-cubewp-taxonomies-list-table.php 2026-01-18 00:20:47.533239518 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/list-tables/class-cubewp-taxonomies-list-table.php 2026-01-18 00:20:56.213778845 +0000@@ -63,9 +63,11 @@ public function usort_reorder( $a, $b ) { // If no sort, default to title- $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'plural_name';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'plural_name'; // If no order, default to asc- $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc'; // Determine sort order $result = strcmp( $a[$orderby], $b[$orderby] ); // Send final sort direction to usort@@ -114,12 +116,13 @@ protected function process_bulk_action() { // Detect when a bulk action is being triggered. if ( 'delete' === $this->current_action() ) { - $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'bulk-' . $this->_args['plural'] ) ) { $get_CustomTax = get_option('cwp_custom_taxonomies'); $tax_custom_fields = CWP()->get_custom_fields( 'taxonomy' ); if(!empty($_REQUEST['cwp_tax_bulk_action'])){- $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_tax_bulk_action']);+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_tax_bulk_action']); //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash foreach($bulk_request as $type){ if($type){ new CubeWp_Update_Frontend_Forms(array('taxnomoy_slug'=>$type));@@ -135,12 +138,13 @@ } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_delete_post_type')) { $get_CustomTax = get_option('cwp_custom_taxonomies'); $tax_custom_fields = CWP()->get_custom_fields( 'taxonomy' );- $termSlug = sanitize_text_field($_REQUEST['termslug']);+ $termSlug = isset($_REQUEST['termslug']) ? sanitize_text_field(wp_unslash($_REQUEST['termslug'])) : ''; if(isset($get_CustomTax[$termSlug])){ new CubeWp_Update_Frontend_Forms(array('taxnomoy_slug'=>$termSlug)); unset($get_CustomTax[$termSlug]);@@ -151,7 +155,8 @@ update_option('cwp_custom_taxonomies', $get_CustomTax); } - wp_redirect( CubeWp_Submenu::_page_action('taxonomies') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('taxonomies') );+ exit; } }
I'll analyze this code diff for security fixes following the specified format.
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Unescaped Data in `$_GET` Superglobal - CWE-80 (Improper Neutralization of Input During Web Page Generation) - class-cubewp-taxonomies-list-table.php - Lines 66-67
Old Code:
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'plural_name';
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';
```
Fixed Code:
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'plural_name';
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc';
```
Explanation:
The old code was missing `wp_unslash()` before `sanitize_text_field()`. When WordPress applies `addslashes()` to `$_GET` data during request processing, the backslashes need to be removed with `wp_unslash()` before sanitization. Without this, escaped quotes and special characters could bypass sanitization or cause data corruption. The fix properly unslashes the data before sanitization, following WordPress security best practices.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Unsafe Redirect - CWE-601 (URL Redirection to Untrusted Site) - class-cubewp-taxonomies-list-table.php - Line 158
Old Code:
```php
wp_redirect( CubeWp_Submenu::_page_action('taxonomies') );
```
Fixed Code:
```php
wp_safe_redirect( CubeWp_Submenu::_page_action('taxonomies') );
exit;
```
Explanation:
The old code used `wp_redirect()` which does not validate that the redirect URL is safe and local. This could potentially allow open redirect attacks if `CubeWp_Submenu::_page_action()` returns an attacker-controlled URL. The fix replaces it with `wp_safe_redirect()`, which validates the redirect URL to ensure it's local to the WordPress installation. Additionally, `exit;` is added to ensure code execution stops after the redirect header, preventing further code execution.
---
**Vulnerability 3:**
Vulnerability Existed: yes
FALSE POSITIVE
Missing `wp_unslash()` Before Sanitization - CWE-20 (Improper Input Validation) - class-cubewp-taxonomies-list-table.php - Lines 119, 144
Old Code:
```php
$nonce = esc_html( $_REQUEST['_wpnonce'] );
```
Fixed Code:
```php
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
```
Explanation:
The old code used `esc_html()` on a nonce value from `$_REQUEST`, which is incorrect. Nonces should be sanitized with `sanitize_text_field()` and `wp_unslash()`, not escaped with `esc_html()`. The fix also adds `isset()` check to prevent undefined key notices and properly sanitizes the nonce by unslashing before sanitization. Additionally, using `sanitize_text_field()` is more appropriate than `esc_html()` for nonce validation.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
Missing Input Validation and `wp_unslash()` - CWE-20 (Improper Input Validation) - class-cubewp-taxonomies-list-table.php - Line 147
Old Code:
```php
$termSlug = sanitize_text_field($_REQUEST['termslug']);
```
Fixed Code:
```php
$termSlug = isset($_REQUEST['termslug']) ? sanitize_text_field(wp_unslash($_REQUEST['termslug'])) : '';
```
Explanation:
The old code directly sanitizes `$_REQUEST['termslug']` without first checking if the key exists (which could cause undefined key notices) and without unslashing the data first. WordPress adds slashes to `$_REQUEST` data, so `wp_unslash()` must be called before `sanitize_text_field()` to properly handle the data. The fix adds existence checking with `isset()` and properly unslashes before sanitization, preventing potential data corruption and following WordPress security standards.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/list-tables/class-cubewp-taxonomy-custom-fields-table.php 2026-01-18 00:20:47.533239518 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/list-tables/class-cubewp-taxonomy-custom-fields-table.php 2026-01-18 00:20:56.217779093 +0000@@ -51,9 +51,11 @@ public function usort_reorder( $a, $b ) { // If no sort, default to title- $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'field_name';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'field_name'; // If no order, default to asc- $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc'; // Determine sort order $result = strcmp( $a[$orderby], $b[$orderby] ); // Send final sort direction to usort@@ -100,9 +102,10 @@ protected function process_bulk_action() { // Detect when a bulk action is being triggered. if ( 'delete' === $this->current_action() ) { - $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'bulk-' . $this->_args['plural'] ) ) {- $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_tax_fields_bulk_action']);+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ $bulk_request = isset($_REQUEST['cwp_tax_fields_bulk_action']) ? CubeWp_Sanitize_text_Array($_REQUEST['cwp_tax_fields_bulk_action']) : array(); //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash if(!empty($bulk_request)){ foreach($bulk_request as $field){ $tax_custom_fields = CWP()->get_custom_fields( 'taxonomy' );@@ -118,11 +121,12 @@ } } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_delete_tax_field')) { if(isset($_REQUEST['fieldid'])){ - $fieldid = sanitize_text_field($_REQUEST['fieldid']);+ $fieldid = isset($_REQUEST['fieldid']) ? sanitize_text_field(wp_unslash($_REQUEST['fieldid'])) : ''; $tax_custom_fields = CWP()->get_custom_fields( 'taxonomy' ); if(isset($tax_custom_fields) && !empty($tax_custom_fields)){ foreach($tax_custom_fields as $taxonomy => $tax_fields){@@ -133,7 +137,8 @@ } CWP()->update_custom_fields( 'taxonomy', $tax_custom_fields); }- wp_redirect( CubeWp_Submenu::_page_action('taxonomy-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('taxonomy-custom-fields') );+ exit; } }
I'll analyze this code diff for security fixes following the specified format.
---
**Vulnerability 1: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**
Vulnerability Existed: yes
TRUE POSITIVE
CWE-79 - Cross-site Scripting (XSS) - class-cubewp-taxonomy-custom-fields-table.php - Lines 54-55, 58-59
Old Code:
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'field_name';
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';
```
Fixed Code:
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'field_name';
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc';
```
Explanation:
The original code used `sanitize_text_field()` directly on `$_GET` values without first applying `wp_unslash()`. In WordPress, `$_GET` and `$_POST` data are automatically slashed by WordPress for database safety. When these values are used in output or logic, they must be unslashed before sanitization to properly remove any unintended escape sequences that could be used for XSS attacks. The fix applies `wp_unslash()` before `sanitize_text_field()`, ensuring proper handling of the input.
---
**Vulnerability 2: Improper Handling of Exceptional Conditions**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-252 - Unchecked Return Value - class-cubewp-taxonomy-custom-fields-table.php - Line 105
Old Code:
```php
$nonce = esc_html( $_REQUEST['_wpnonce'] );
```
Fixed Code:
```php
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
```
Explanation:
The original code directly accessed `$_REQUEST['_wpnonce']` without checking if it exists, which could cause a PHP notice/warning if the key is missing. Additionally, it used `esc_html()` instead of proper sanitization. The fix adds an `isset()` check to safely handle missing values and uses `sanitize_text_field(wp_unslash())` for proper input handling before nonce verification.
---
**Vulnerability 3: Improper Handling of Exceptional Conditions**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-252 - Unchecked Return Value - class-cubewp-taxonomy-custom-fields-table.php - Line 106
Old Code:
```php
$bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_tax_fields_bulk_action']);
```
Fixed Code:
```php
$bulk_request = isset($_REQUEST['cwp_tax_fields_bulk_action']) ? CubeWp_Sanitize_text_Array($_REQUEST['cwp_tax_fields_bulk_action']) : array();
```
Explanation:
The original code directly accessed `$_REQUEST['cwp_tax_fields_bulk_action']` without checking if it exists, which could trigger a PHP notice. The fix adds an `isset()` check to safely handle the case where the array key is missing, providing an empty array as a fallback.
---
**Vulnerability 4: Improper Handling of Exceptional Conditions**
Vulnerability Existed: yes
TRUE POSITIVE
CWE-252 - Unchecked Return Value - class-cubewp-taxonomy-custom-fields-table.php - Line 126
Old Code:
```php
$nonce = esc_html( $_REQUEST['_wpnonce'] );
```
Fixed Code:
```php
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
```
Explanation:
Same as Vulnerability 2 - the original code directly accessed a potentially missing `$_REQUEST` key without checking existence and used incorrect escaping function. The fix adds proper existence checking and uses correct sanitization.
---
**Vulnerability 5: Improper Handling of Exceptional Conditions**
Vulnerability Existed: yes
FALSE POSITIVE
CWE-252 - Unchecked Return Value - class-cubewp-taxonomy-custom-fields-table.php - Line 129
Old Code:
```php
$fieldid = sanitize_text_field($_REQUEST['fieldid']);
```
Fixed Code:
```php
$fieldid = isset($_REQUEST['fieldid']) ? sanitize_text_field(wp_unslash($_REQUEST['fieldid'])) : '';
```
Explanation:
The original code directly accessed `$_REQUEST['fieldid']` without checking if it exists, which could trigger a PHP notice if missing. Additionally, it didn't apply `wp_unslash()` before sanitization. The fix adds an `isset()` check for safety and applies proper `wp_unslash()` before sanitization.
---
**Vulnerability 6: Improper Restriction of Rendered UI Layers or Frames**
Vulnerability Existed: yes
TRUE POSITIVE
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') - class-cubewp-taxonomy-custom-fields-table.php - Lines 140-141
Old Code:
```php
wp_redirect( CubeWp_Submenu::_page_action('taxonomy-custom-fields') );
```
Fixed Code:
```php
wp_safe_redirect( CubeWp_Submenu::_page_action('taxonomy-custom-fields') );
exit;
```
Explanation:
The original code used `wp_redirect()` which can be vulnerable to open redirects if the URL comes from untrusted sources. The fix uses `wp_safe_redirect()`, which validates that the redirect URL is on the same host/domain before redirecting. Additionally, an `exit` statement is added after the redirect to ensure script execution stops after the redirect, following WordPress best practices.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/list-tables/class-cubewp-user-custom-fields-table.php 2026-01-18 00:20:47.533239518 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/list-tables/class-cubewp-user-custom-fields-table.php 2026-01-18 00:20:56.217779093 +0000@@ -51,9 +51,11 @@ public function usort_reorder( $a, $b ) { // If no sort, default to title- $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'group_name';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'group_name'; // If no order, default to asc- $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';+ // phpcs:disable WordPress.Security.NonceVerification.Recommended -- Read-only use of query vars to render notice; no state change performed.+ $order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc'; // Determine sort order $result = strcmp( $a[$orderby], $b[$orderby] ); // Send final sort direction to usort@@ -109,10 +111,11 @@ protected function process_bulk_action() { // Detect when a bulk action is being triggered. if ( 'delete' === $this->current_action() ) { - $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'bulk-' . $this->_args['plural'] ) ) { if(isset($_REQUEST['cwp_group_bulk_action'])){- $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']);+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_group_bulk_action']); //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash foreach($bulk_request as $group){ new CubeWp_Update_Frontend_Forms(array('group_id'=>$group,'form_type'=>'user','group_options'=>true)); wp_delete_post($group, true);@@ -121,40 +124,47 @@ } } if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_delete_group')) { if(isset($_REQUEST['groupid'])){- new CubeWp_Update_Frontend_Forms(array('group_id'=>sanitize_text_field($_REQUEST['groupid']),'form_type'=>'user','group_options'=>true));- wp_delete_post(sanitize_text_field($_REQUEST['groupid']), true);+ new CubeWp_Update_Frontend_Forms(array('group_id'=>sanitize_text_field(wp_unslash($_REQUEST['groupid'])),'form_type'=>'user','group_options'=>true));+ wp_delete_post(sanitize_text_field(wp_unslash($_REQUEST['groupid'])), true); }- wp_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ exit; } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'duplicate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_duplicate_group')) { if(isset($_REQUEST['groupid'])){- self::duplicate_group($_REQUEST['groupid']);+ self::duplicate_group(sanitize_text_field(wp_unslash($_REQUEST['groupid']))); }- wp_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ exit; } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'deactivate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_status_group')) { if(isset($_REQUEST['groupid'])){- self::deactivate_group($_REQUEST['groupid']);+ self::deactivate_group(sanitize_text_field(wp_unslash($_REQUEST['groupid']))); }- wp_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ exit; } }+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */ if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'activate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );+ $nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : ''; if(wp_verify_nonce( $nonce, 'cwp_status_group')) { if(isset($_REQUEST['groupid'])){- self::activate_group($_REQUEST['groupid']);+ self::activate_group(sanitize_text_field(wp_unslash($_REQUEST['groupid']))); }- wp_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ exit; } }
# Security Analysis - CubeWP User Custom Fields Table
## Vulnerability 1: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
**Vulnerability Existed:** yes
FALSE POSITIVE
**CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - class-cubewp-user-custom-fields-table.php - Lines 54-56**
**Old Code:**
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field($_GET['orderby']) : 'group_name';
// ...
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field($_GET['order']) : 'asc';
```
**Fixed Code:**
```php
$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field(wp_unslash($_GET['orderby'])) : 'group_name';
// ...
$order = ( ! empty($_GET['order'] ) ) ? sanitize_text_field(wp_unslash($_GET['order'])) : 'asc';
```
**Explanation:**
The original code was vulnerable because `sanitize_text_field()` should be preceded by `wp_unslash()` when processing user input. Without `wp_unslash()`, magic quotes slashes added by WordPress aren't removed before sanitization, potentially allowing XSS vectors to bypass the sanitization. The fix adds `wp_unslash()` to properly strip slashes before sanitization.
---
## Vulnerability 2: Improper Output Neutralization for Logs (CWE-117) / Open Redirect
**Vulnerability Existed:** yes
FALSE POSITIVE
**CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') - class-cubewp-user-custom-fields-table.php - Lines 132, 147, 154, 161**
**Old Code:**
```php
wp_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );
```
**Fixed Code:**
```php
wp_safe_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );
exit;
```
**Explanation:**
The original code used `wp_redirect()` which doesn't validate redirect destinations. An attacker could potentially manipulate the URL returned by `CubeWp_Submenu::_page_action()` to redirect users to malicious sites. The fix uses `wp_safe_redirect()` which validates that redirects stay within the same host. The addition of `exit;` ensures no further code execution after redirect, which is a WordPress security best practice.
---
## Vulnerability 3: Missing Nonce Verification
**Vulnerability Existed:** not sure
**CWE-352 - Cross-Site Request Forgery (CSRF) - class-cubewp-user-custom-fields-table.php - Lines 114, 127, 140, 153, 160**
**Old Code:**
```php
$nonce = esc_html( $_REQUEST['_wpnonce'] );
```
**Fixed Code:**
```php
$nonce = isset($_REQUEST['_wpnonce']) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
```
**Explanation:**
The original approach using `esc_html()` was insufficient for nonce validation. The fix improves this by: (1) checking if the nonce exists before accessing it, (2) using `wp_unslash()` before `sanitize_text_field()` to properly handle escaped input, and (3) using proper sanitization instead of escaping. However, the real vulnerability mitigation depends on `wp_verify_nonce()` being called correctly afterward, which appears to be the case. The phpcs comments acknowledge that nonce verification should ideally occur, but since these are read-only operations, the risk is lower.
---
## Vulnerability 4: Improper Input Validation / Missing Input Sanitization
**Vulnerability Existed:** yes
TRUE POSITIVE
**CWE-20 - Improper Input Validation - class-cubewp-user-custom-fields-table.php - Lines 128-130, 143-144, 151-152, 158-159, 165-166**
**Old Code:**
```php
new CubeWp_Update_Frontend_Forms(array('group_id'=>sanitize_text_field($_REQUEST['groupid']),'form_type'=>'user','group_options'=>true));
wp_delete_post(sanitize_text_field($_REQUEST['groupid']), true);
```
**Fixed Code:**
```php
new CubeWp_Update_Frontend_Forms(array('group_id'=>sanitize_text_field(wp_unslash($_REQUEST['groupid'])),'form_type'=>'user','group_options'=>true));
wp_delete_post(sanitize_text_field(wp_unslash($_REQUEST['groupid'])), true);
```
**Explanation:**
Similar to the first vulnerability, the original code was missing `wp_unslash()` calls. When processing `$_REQUEST` variables that may contain escaped quotes, `sanitize_text_field()` alone doesn't properly handle the escaping layer. The fix adds `wp_unslash()` before sanitization to properly remove WordPress magic quote slashes before applying sanitization filters.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/post-types/class-cubewp-metabox.php 2026-01-18 00:20:47.533239518 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/post-types/class-cubewp-metabox.php 2026-01-18 00:20:56.217779093 +0000@@ -28,11 +28,11 @@ $args = array( 'numberposts' => -1, 'post_type' => 'cwp_form_fields',- 'meta_key' => '_cwp_group_order',+ 'meta_key' => '_cwp_group_order',// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key 'orderby' => 'meta_value_num', 'order' => 'ASC', 'post_status' => array('publish', 'private'),- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query 'key' => '_cwp_group_types', 'value' => '', 'compare' => '!='@@ -160,7 +160,10 @@ if (isset($taxonomies) && !empty($taxonomies)) { $comma = $_group_terms = $_group_terms_name = ''; foreach ($taxonomies as $single => $objects) {- $terms = get_terms($single, array('hide_empty' => false));+ $terms = get_terms(array(+ 'taxonomy' => $single,+ 'hide_empty' => false,+ )); if (!empty($terms)) { foreach ($terms as $term) { if (isset($group_terms) && is_array($group_terms) && in_array($term->term_id, $group_terms)) {@@ -221,6 +224,7 @@ $output .= '</tbody>'; $output .= '</table>'; + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($output); } @@ -238,7 +242,7 @@ if (isset($_POST['cwp_meta_box_nonce'])) { // verify nonce- if (! wp_verify_nonce($_POST['cwp_meta_box_nonce'], basename(__FILE__)))+ if (! isset($_POST['cwp_meta_box_nonce']) || ! wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_meta_box_nonce'])), basename(__FILE__))) return $post_id; // check autosave@@ -246,7 +250,7 @@ return $post_id; // check permissions- if ('page' == $_POST['post_type']) {+ if (isset($_POST['post_type']) && 'page' == sanitize_text_field(wp_unslash($_POST['post_type']))) { if (! current_user_can('edit_page', $post_id)) return $post_id; } elseif (! current_user_can('edit_post', $post_id)) {@@ -254,7 +258,7 @@ } if (isset($_POST['cwp_meta'])) {-+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized */ $fields = CubeWp_Sanitize_Fields_Array($_POST['cwp_meta'], 'post_types'); $fieldOptions = CWP()->get_custom_fields('post_types');
I'll analyze the provided code diff for security fixes.
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - cube/modules/post-types/class-cubewp-metabox.php (Line 245)
[Old Code]
if (! wp_verify_nonce($_POST['cwp_meta_box_nonce'], basename(__FILE__)))
[Fixed Code]
if (! isset($_POST['cwp_meta_box_nonce']) || ! wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_meta_box_nonce'])), basename(__FILE__)))
Explanation:
The old code accessed $_POST['cwp_meta_box_nonce'] without first checking if it exists, which could cause a PHP notice/warning. More critically, the nonce value was not sanitized before being passed to wp_verify_nonce(). The fix adds an isset() check and applies sanitize_text_field(wp_unslash()) to properly sanitize the user input before verification.
```
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - cube/modules/post-types/class-cubewp-metabox.php (Line 253)
[Old Code]
if ('page' == $_POST['post_type']) {
[Fixed Code]
if (isset($_POST['post_type']) && 'page' == sanitize_text_field(wp_unslash($_POST['post_type']))) {
Explanation:
The old code directly accessed $_POST['post_type'] without checking if it exists or sanitizing it. This is a direct access to unsanitized user input which violates WordPress security standards. The fix adds an isset() check to prevent undefined index notices and applies sanitize_text_field(wp_unslash()) to properly sanitize the POST data.
```
```
Vulnerability Existed: not sure
Deprecated Function Usage - CWE-1104 - cube/modules/post-types/class-cubewp-metabox.php (Lines 163-167)
[Old Code]
$terms = get_terms($single, array('hide_empty' => false));
[Fixed Code]
$terms = get_terms(array(
'taxonomy' => $single,
'hide_empty' => false,
));
Explanation:
The old code uses the deprecated function signature for get_terms() where taxonomy is passed as the first parameter. WordPress deprecated this in favor of passing an array with 'taxonomy' as a key. While not strictly a security vulnerability, this is a deprecated API usage that can lead to issues in future WordPress versions. The fix updates to the current recommended function signature.
```
```
Vulnerability Existed: no
WordPress.Security.EscapeOutput.OutputNotEscaped - CWE-79 - cube/modules/post-types/class-cubewp-metabox.php (Line 227)
[Old Code]
echo cubewp_core_data($output);
[Fixed Code]
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo cubewp_core_data($output);
Explanation:
This is not a vulnerability fix but rather a suppression of a linting warning via a phpcs:ignore comment. The code itself hasn't changed—only a comment was added. This suggests that the cubewp_core_data() function is expected to properly escape its output, and the suppression is intentional to inform the code linter that this is acceptable.
```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/post-types/class-cubewp-post-types.php 2026-01-18 00:20:47.533239518 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/post-types/class-cubewp-post-types.php 2026-01-18 00:20:56.217779093 +0000@@ -46,6 +46,7 @@ * @version 1.0 */ private function add_new_cpt() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) { $this->cpt_form_edit(); }@@ -90,23 +91,29 @@ foreach ($default_cpt as $single_cpt) { $labels = array(- 'name' => _x($single_cpt['label'], 'Post Type General Name', 'cubewp-framework'),- 'singular_name' => _x($single_cpt['singular'], 'Post Type Singular Name', 'cubewp-framework'),- 'menu_name' => sprintf(__('%s', 'cubewp-framework'), $single_cpt['label']),- 'all_items' => sprintf(__('All %s', 'cubewp-framework'), $single_cpt['label']),- 'view_item' => sprintf(__('View %s', 'cubewp-framework'), $single_cpt['singular']),- 'add_new_item' => sprintf(__('Add New %s', 'cubewp-framework'), $single_cpt['singular']),- 'add_new' => __('Add New', 'cubewp-framework'),- 'edit_item' => sprintf(__('Edit %s', 'cubewp-framework'), $single_cpt['singular']),- 'update_item' => sprintf(__('Update %s', 'cubewp-framework'), $single_cpt['singular']),- 'search_items' => sprintf(__('Search %s', 'cubewp-framework'), $single_cpt['singular']),- 'not_found' => __('Not Found', 'cubewp-framework'),- 'not_found_in_trash' => __('Not found in Trash', 'cubewp-framework'),+ 'name' => $single_cpt['label'],+ 'singular_name' => $single_cpt['singular'],+ 'menu_name' => $single_cpt['label'],+ /* translators: %s: post type plural label. */+ 'all_items' => sprintf( __( 'All %s', 'cubewp-framework' ), $single_cpt['label'] ),+ /* translators: %s: post type singular name. */+ 'view_item' => sprintf( __( 'View %s', 'cubewp-framework' ), $single_cpt['singular'] ),+ /* translators: %s: post type singular name. */+ 'add_new_item' => sprintf( __( 'Add New %s', 'cubewp-framework' ), $single_cpt['singular'] ),+ 'add_new' => __( 'Add New', 'cubewp-framework' ),+ /* translators: %s: post type singular name. */+ 'edit_item' => sprintf( __( 'Edit %s', 'cubewp-framework' ), $single_cpt['singular'] ),+ /* translators: %s: post type singular name. */+ 'update_item' => sprintf( __( 'Update %s', 'cubewp-framework' ), $single_cpt['singular'] ),+ /* translators: %s: post type singular name. */+ 'search_items' => sprintf( __( 'Search %s', 'cubewp-framework' ), $single_cpt['singular'] ),+ 'not_found' => __( 'Not Found', 'cubewp-framework' ),+ 'not_found_in_trash' => __( 'Not found in Trash', 'cubewp-framework' ), ); $args = array(- 'label' => sprintf(__('%s', 'cubewp-framework'), $single_cpt['label']),- 'description' => sprintf(__('%s', 'cubewp-framework'), $single_cpt['description']),+ 'label' => $single_cpt['label'],+ 'description' => $single_cpt['description'], 'labels' => $labels, 'menu_icon' => $single_cpt['icon'], 'supports' => $single_cpt['supports'],@@ -134,6 +141,7 @@ register_post_status( 'inactive', array( 'label' => _x( 'Inactive ', 'Inactive', 'cubewp-framework' ), 'public' => true,+ /* translators: %s: post type plural label. */ 'label_count' => _n_noop( 'Inactive s <span class="count">(%s)</span>', 'Inactive s <span class="count">(%s)</span>', 'cubewp-framework' ), 'post_type' => array( 'cwp_form_fields','cwp_user_fields','cwp_settings_fields' ), 'show_in_admin_all_list' => true,@@ -154,37 +162,37 @@ private function save_postType() { if (isset($_POST['cwp']['postType'])) {- if( ! wp_verify_nonce( $_POST['cwp_post_type_nonce'], basename( __FILE__ ) ) )+ if( !isset($_POST['cwp_post_type_nonce']) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['cwp_post_type_nonce'])), basename( __FILE__ ) ) ) return ''; - $CPT_slug = sanitize_text_field($_POST['cwp']['postType']['slug']);+ $CPT_slug = isset($_POST['cwp']['postType']['slug']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['slug'])) : ''; if(is_numeric($CPT_slug)){ return ''; } $cpt = array( $CPT_slug => array(- 'label' => sanitize_text_field($_POST['cwp']['postType']['label']),- 'singular' => sanitize_text_field($_POST['cwp']['postType']['singular']),- 'icon' => sanitize_text_field($_POST['cwp']['postType']['icon']),- 'slug' => sanitize_text_field($_POST['cwp']['postType']['slug']),- 'description' => sanitize_text_field($_POST['cwp']['postType']['description']),- 'supports' => CubeWp_Sanitize_text_Array($_POST['cwp']['postType']['supports']),- 'hierarchical' => sanitize_text_field($_POST['cwp']['postType']['hierarchical']),- 'public' => sanitize_text_field($_POST['cwp']['postType']['public']),- 'show_ui' => sanitize_text_field($_POST['cwp']['postType']['show_ui']),- 'menu_position' => intval($_POST['cwp']['postType']['menu_position']),- 'show_in_menu' => sanitize_text_field($_POST['cwp']['postType']['show_in_menu']),- 'show_in_nav_menus' => sanitize_text_field($_POST['cwp']['postType']['show_in_nav_menus']),- 'show_in_admin_bar' => sanitize_text_field($_POST['cwp']['postType']['show_in_admin_bar']),- 'can_export' => sanitize_text_field($_POST['cwp']['postType']['can_export']),- 'has_archive' => sanitize_text_field($_POST['cwp']['postType']['has_archive']),- 'exclude_from_search' => sanitize_text_field($_POST['cwp']['postType']['exclude_from_search']),- 'publicly_queryable' => sanitize_text_field($_POST['cwp']['postType']['publicly_queryable']),- 'query_var' => sanitize_text_field($_POST['cwp']['postType']['query_var']),- 'rewrite' => sanitize_text_field($_POST['cwp']['postType']['rewrite']),- 'rewrite_slug' => sanitize_text_field($_POST['cwp']['postType']['rewrite_slug']),- 'rewrite_withfront' => sanitize_text_field($_POST['cwp']['postType']['rewrite_withfront']),- 'show_in_rest' => sanitize_text_field($_POST['cwp']['postType']['show_in_rest']),+ 'label' => isset($_POST['cwp']['postType']['label']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['label'])) : '',+ 'singular' => isset($_POST['cwp']['postType']['singular']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['singular'])) : '',+ 'icon' => isset($_POST['cwp']['postType']['icon']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['icon'])) : '',+ 'slug' => isset($_POST['cwp']['postType']['slug']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['slug'])) : '',+ 'description' => isset($_POST['cwp']['postType']['description']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['description'])) : '',+ 'supports' => isset($_POST['cwp']['postType']['supports']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['postType']['supports']) : array(), //phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash+ 'hierarchical' => isset($_POST['cwp']['postType']['hierarchical']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['hierarchical'])) : '',+ 'public' => isset($_POST['cwp']['postType']['public']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['public'])) : '',+ 'show_ui' => isset($_POST['cwp']['postType']['show_ui']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['show_ui'])) : '',+ 'menu_position' => intval(isset($_POST['cwp']['postType']['menu_position']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['menu_position'])) : ''),+ 'show_in_menu' => isset($_POST['cwp']['postType']['show_in_menu']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['show_in_menu'])) : '',+ 'show_in_nav_menus' => isset($_POST['cwp']['postType']['show_in_nav_menus']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['show_in_nav_menus'])) : '',+ 'show_in_admin_bar' => isset($_POST['cwp']['postType']['show_in_admin_bar']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['show_in_admin_bar'])) : '',+ 'can_export' => isset($_POST['cwp']['postType']['can_export']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['can_export'])) : '',+ 'has_archive' => isset($_POST['cwp']['postType']['has_archive']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['has_archive'])) : '',+ 'exclude_from_search' => isset($_POST['cwp']['postType']['exclude_from_search']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['exclude_from_search'])) : '',+ 'publicly_queryable' => isset($_POST['cwp']['postType']['publicly_queryable']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['publicly_queryable'])) : '',+ 'query_var' => isset($_POST['cwp']['postType']['query_var']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['query_var'])) : '',+ 'rewrite' => isset($_POST['cwp']['postType']['rewrite']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['rewrite'])) : '',+ 'rewrite_slug' => isset($_POST['cwp']['postType']['rewrite_slug']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['rewrite_slug'])) : '',+ 'rewrite_withfront' => isset($_POST['cwp']['postType']['rewrite_withfront']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['rewrite_withfront'])) : '',+ 'show_in_rest' => isset($_POST['cwp']['postType']['show_in_rest']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['show_in_rest'])) : '', ) ); @@ -196,7 +204,8 @@ } update_option('cwp_custom_types', $dataMerge);- wp_redirect( CubeWp_Submenu::_page_action('cubewp-post-types') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('cubewp-post-types') );+ exit; } } @@ -228,8 +237,10 @@ public function get_postTypeBYsLug() { $get_CustomTypes = CWP_types(); if (!empty($get_CustomTypes)) {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && 'edit' == $_GET['action'] && !empty($_GET['postTypeid'])) {- $singleCPT = $get_CustomTypes[sanitize_text_field($_GET['postTypeid'])];+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $singleCPT = $get_CustomTypes[sanitize_text_field(wp_unslash($_GET['postTypeid']))]; return $singleCPT; } }@@ -244,6 +255,7 @@ * @version 1.0 */ private function cpt_form_display() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) { return; } @@ -253,7 +265,7 @@ ?> <div class="wrap cwp-post-type-title"> <h1 class="wp-heading-inline"><?php esc_html_e('Custom Post Types', 'cubewp-framework'); ?></h1>- <a href="<?php echo CubeWp_Submenu::_page_action('cubewp-post-types','new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>+ <a href="<?php echo esc_url(CubeWp_Submenu::_page_action('cubewp-post-types','new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a> </div> <hr class="wp-header-end"> <div class="wrap cwp-post-type-wrape">@@ -309,17 +321,17 @@ <div class="cpt-form wrap cubewp-wrap"> <form id="post" class="cwpposttype" method="post" action="" enctype="multipart/form-data"> <div class="wrap cwp-post-type-title">- <?php echo self::_title(); ?> - <?php echo self::save_button(); ?> + <?php echo wp_kses_post(self::_title()); ?> + <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?> </div> <hr class="wp-header-end">- <input type="hidden" name="cwp_post_type_nonce" value="<?php echo wp_create_nonce( basename( __FILE__ ) ); ?>">+ <input type="hidden" name="cwp_post_type_nonce" value="<?php echo esc_attr(wp_create_nonce( basename( __FILE__ ) )); ?>"> <div id="poststuff" class="padding-0"> <div id="post-body" class="metabox-holder columns-2">- <?php echo self::post_type_side_actions($postType); ?>+ <?php echo wp_kses_post(self::post_type_side_actions($postType)); ?> <div id="postbox-container-2" class="postbox-container postbox-container-top">- <?php echo self::post_type_basic_settings($postType); ?>- <?php echo self::post_type_options($postType); ?>+ <?php echo wp_kses_post(self::post_type_basic_settings($postType)); ?>+ <?php echo wp_kses_post(self::post_type_options($postType)); ?> </div> <div class="clear"></div>@@ -347,6 +359,7 @@ <table class="form-table"> <tbody> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'hierarchical', 'name' => 'cwp[postType][hierarchical]',@@ -356,6 +369,7 @@ 'description' => esc_html__( '(default: false) Whether or not the post type can have parent-child relationships.', 'cubewp-framework' ), )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'public', 'name' => 'cwp[postType][public]',@@ -365,6 +379,7 @@ 'description' => esc_html__( '(Custom Post Type UI default: true) Whether or not posts of this type should be shown in the admin UI and is publicly queryable.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'show_ui', 'name' => 'cwp[postType][show_ui]',@@ -374,6 +389,7 @@ 'description' => esc_html__( '(default: true) Whether or not to generate a default UI for managing this post type.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'show_in_menu', 'name' => 'cwp[postType][show_in_menu]',@@ -383,6 +399,7 @@ 'description' => esc_html__( '(default: true) Whether or not to show the post type in the admin menu and where to show that menu.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'menu_position', 'name' => 'cwp[postType][menu_position]',@@ -402,6 +419,7 @@ 'description' => esc_html__('The position in the menu order the post type should appear. show_in_menu must be true.', 'cubewp-framework') )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'show_in_nav_menus', 'name' => 'cwp[postType][show_in_nav_menus]',@@ -411,6 +429,7 @@ 'description' => esc_html__( '(Custom Post Type UI default: true) Whether or not this post type is available for selection in navigation menus.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'show_in_admin_bar', 'name' => 'cwp[postType][show_in_admin_bar]',@@ -420,6 +439,7 @@ 'description' => esc_html__( '(default: true) Makes this post type available via the admin bar.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'can_export', 'name' => 'cwp[postType][can_export]',@@ -429,6 +449,7 @@ 'description' => esc_html__( '(default: true) Whether to allow this post type to be exported.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'has_archive', 'name' => 'cwp[postType][has_archive]',@@ -438,6 +459,7 @@ 'description' => esc_html__( '(default: true) Whether or not the post type will have a post type archive URL.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'exclude_from_search', 'name' => 'cwp[postType][exclude_from_search]',@@ -447,6 +469,7 @@ 'description' => esc_html__( '(default: false) Whether or not to exclude posts with this post type from front end search results.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'publicly_queryable', 'name' => 'cwp[postType][publicly_queryable]',@@ -456,6 +479,7 @@ 'description' => esc_html__( '(default: true) Whether or not queries can be performed on the front end as part of parse_request()', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'query_var', 'name' => 'cwp[postType][query_var]',@@ -465,6 +489,7 @@ 'description' => esc_html__( '(default: true) Sets the query_var key for this post type.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'rewrite', 'name' => 'cwp[postType][rewrite]',@@ -474,6 +499,7 @@ 'description' => esc_html__( '(default: false) Whether or not WordPress should use rewrites for this post type.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/text/field', '', array( 'id' => 'rewrite_slug', 'name' => 'cwp[postType][rewrite_slug]',@@ -483,7 +509,7 @@ 'description' => esc_html__( 'Custom post type slug to use instead of the default.', 'cubewp-framework' ) )); -+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'rewrite_withfront', 'name' => 'cwp[postType][rewrite_withfront]',@@ -493,6 +519,7 @@ 'description' => esc_html__( '(default: true) Should the permalink structure be prepended with the front base.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/dropdown/field', '', array( 'id' => 'show_in_rest', 'name' => 'cwp[postType][show_in_rest]',@@ -528,6 +555,7 @@ <tbody> <?php + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/text/field', '', array( 'id' => 'post_type_slug', 'name' => 'cwp[postType][slug]',@@ -540,6 +568,7 @@ 'extra_attrs' => 'maxlength=20 '. isset($postType['slug']) && !empty($postType['slug']) ? 'readonly' : '', )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/text/field', '', array( 'id' => 'label', 'name' => 'cwp[postType][label]',@@ -550,6 +579,7 @@ 'required' => true, )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/text/field', '', array( 'id' => 'singular', 'name' => 'cwp[postType][singular]',@@ -560,6 +590,7 @@ 'required' => true, )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/text/field', '', array( 'id' => 'description', 'name' => 'cwp[postType][description]',@@ -570,6 +601,7 @@ 'required' => false, )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/post_type/text/field', '', array( 'id' => 'icon', 'name' => 'cwp[postType][icon]',@@ -579,6 +611,7 @@ 'required' => true, 'tooltip' => 'Select this post type icon for WordPress menu.', 'description' => sprintf(+ /* translators: %s: dashicons list. */ esc_html__( 'Few quick picks for icon. For more click on more icons. %s', 'cubewp-framework' ),self::dashicons_list() ), ));@@ -650,6 +683,7 @@ </td> </tr>'; + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($html); ?> </tbody>@@ -669,6 +703,7 @@ * @version 1.0 */ private static function _title() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['postTypeid']))) { return '<h1>'. esc_html(__('Edit Post Type', 'cubewp-framework')) .'</h1>'; } else {@@ -684,6 +719,7 @@ * @version 1.0 */ private static function save_button() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['postTypeid']))) { return '<input type="hidden" name="action" value="update_post_type"><input type="submit" class="cwp-save-button button button-primary button-large" name="Save" value="'. esc_html(__('Update', 'cubewp-framework')) .'" />'; } else {
I'll analyze this security-focused code diff following the requested format.
Vulnerability 1: Missing Nonce Verification (CWE-352)
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Request Forgery (CSRF) - CWE-352 - class-cubewp-post-types.php Lines 49-50
[Old Code]
if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) {
[Fixed Code]
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) {
Explanation:
The fix does NOT actually address the vulnerability—it only suppresses the WordPress coding standard warning via phpcs:ignore comments. The underlying CSRF risk remains because $_GET['action'] is used without nonce verification. A proper fix would validate a nonce token before processing the action.
Vulnerability 2: Improper Output Escaping
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-post-types.php Line 268
[Old Code]
<a href="<?php echo CubeWp_Submenu::_page_action('cubewp-post-types','new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>
[Fixed Code]
<a href="<?php echo esc_url(CubeWp_Submenu::_page_action('cubewp-post-types','new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>
Explanation:
The fix properly escapes the URL output using esc_url() to prevent XSS attacks through URL injection. This is a legitimate security fix.
Vulnerability 3: Improper Input Validation and Sanitization (Nonce)
Vulnerability Existed: yes
TRUE POSITIVE
Insufficient Input Validation - CWE-20 - class-cubewp-post-types.php Line 165
[Old Code]
if( ! wp_verify_nonce( $_POST['cwp_post_type_nonce'], basename( __FILE__ ) ) )
[Fixed Code]
if( !isset($_POST['cwp_post_type_nonce']) || ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['cwp_post_type_nonce'])), basename( __FILE__ ) ) )
Explanation:
The fix adds isset() check to prevent undefined index notices and applies wp_unslash() and sanitize_text_field() to the nonce before verification. This is a proper security improvement for input handling.
Vulnerability 4: Unsafe Redirect
Vulnerability Existed: yes
TRUE POSITIVE
Open Redirect - CWE-601 - class-cubewp-post-types.php Lines 207-208
[Old Code]
wp_redirect( CubeWp_Submenu::_page_action('cubewp-post-types') );
[Fixed Code]
wp_safe_redirect( CubeWp_Submenu::_page_action('cubewp-post-types') );
exit;
Explanation:
The fix replaces wp_redirect() with wp_safe_redirect(), which validates that redirect URLs stay within the same host, preventing open redirect vulnerabilities. Adding exit; also prevents further code execution after the redirect.
Vulnerability 5: Missing Input Sanitization on $_POST Values
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-post-types.php Lines 169-201
[Old Code]
$CPT_slug = sanitize_text_field($_POST['cwp']['postType']['slug']);
[Fixed Code]
$CPT_slug = isset($_POST['cwp']['postType']['slug']) ? sanitize_text_field(wp_unslash($_POST['cwp']['postType']['slug'])) : '';
Explanation:
The fix adds isset() checks for all $_POST array accesses and applies wp_unslash() before sanitization. This prevents undefined index notices and ensures proper handling of magic quotes. All subsequent $_POST accesses in the array are similarly improved throughout the function.
Vulnerability 6: Missing wp_unslash in $_GET Access
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-post-types.php Line 242
[Old Code]
$singleCPT = $get_CustomTypes[sanitize_text_field($_GET['postTypeid'])];
[Fixed Code]
$singleCPT = $get_CustomTypes[sanitize_text_field(wp_unslash($_GET['postTypeid']))];
Explanation:
The fix adds wp_unslash() to properly handle potential magic quotes before sanitization. This ensures the value is correctly processed according to WordPress standards.
Vulnerability 7: Improper Output Escaping (HTML Content)
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-post-types.php Lines 324-325
[Old Code]
<?php echo self::_title(); ?>
<?php echo self::save_button(); ?>
[Fixed Code]
<?php echo wp_kses_post(self::_title()); ?>
<?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?>
Explanation:
The _title() output is properly escaped using wp_kses_post(). However, save_button() still lacks proper escaping and only has a phpcs:ignore comment, indicating the vulnerability partially remains for that method's output.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/post-types/class-cubewp-posttype-custom-fields-display.php 2026-01-18 00:20:47.533239518 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/post-types/class-cubewp-posttype-custom-fields-display.php 2026-01-18 00:20:56.217779093 +0000@@ -34,6 +34,7 @@ * @since 1.0.0 */ public static function add_new_group() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])){ self::edit_group(); }@@ -46,6 +47,7 @@ */ public static function group_display() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) { return; }@@ -61,7 +63,7 @@ <a class="nav-tab" href="?page=settings-custom-fields"><?php esc_html_e('Settings', 'cubewp-framework'); ?></a> </nav> </div>- <a href="<?php echo CubeWp_Submenu::_page_action('custom-fields', 'new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>+ <a href="<?php echo esc_url(CubeWp_Submenu::_page_action('custom-fields', 'new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a> </div> <hr class="wp-header-end"> <?php $customFieldsGroupTable->prepare_items(); ?>@@ -100,11 +102,11 @@ <form id="post" class="cwpgroup" method="post" action="" enctype="multipart/form-data"> <div class="wrap cwp-post-type-title width-40 margin-bottom-0 margin-left-minus-20 margin-right-0">- <?php echo self::_title(); ?>- <?php echo self::save_button(); ?>+ <?php echo wp_kses_post(self::_title()); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?> </div> <hr class="wp-header-end">- <input type="hidden" name="cwp_group_nonce" value="<?php echo wp_create_nonce( basename( __FILE__ ) ); ?>">+ <input type="hidden" name="cwp_group_nonce" value="<?php echo esc_attr(wp_create_nonce( basename( __FILE__ ) )); ?>"> <input type="hidden" class="" name="cwp[group][id]" value="<?php echo esc_attr($group['id']); ?>"> <div id="poststuff" class="padding-0"> <div id="post-body" class="metabox-holder columns-2">@@ -121,6 +123,7 @@ <td class="text-left"> <ul class="cwp-checkbox-outer margin-0"> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::get__types($group['types']); ?> </ul>@@ -132,6 +135,7 @@ </div> <div class="custom-fields-conditional-taxonomies-list"> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::get_taxonomies_by_post_types( $group['types'], $group['terms'] ); ?> </div>@@ -147,6 +151,7 @@ <table class="form-table cwp-validation"> <tbody> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/group/text/field', '', array( 'id' => '', 'name' => 'cwp[group][name]',@@ -158,6 +163,7 @@ 'extra_attrs' => 'maxlength=20', 'tooltip' => 'Give a name for this group. Which will be used to show grouped data in metaboxes', ));+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/group/text/field', '', array( 'id' => '', 'type' => 'number',@@ -170,6 +176,7 @@ 'extra_attrs' => 'maxlength=20', 'tooltip' => 'Give a order number for this group. Which will be used to show in order', ));+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/group/text/field', '', array( 'id' => '', 'name' => 'cwp[group][description]',@@ -207,11 +214,13 @@ </div> </div> <div class="cwp-group-fields-content">- <?php echo self::get_fields($group['fields'], $group['sub_fields']); ?>+ <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo self::get_fields($group['fields'], $group['sub_fields']); ?> </div> </div> </div>- <?php self::add_new_field_btn(); ?>+ <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ self::add_new_field_btn(); ?> <div class="clear"></div> </div> </div>@@ -225,6 +234,7 @@ * @since 1.0 */ private static function _title() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))) { return '<h1>'. esc_html(__('Edit Custom Fields Group (Post Types)', 'cubewp-framework')) .'</h1>'; } else {@@ -239,6 +249,7 @@ * @since 1.0.0 */ private static function save_button() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))){ $name = 'cwp_edit_group'; }else{@@ -283,7 +294,8 @@ */ public static function cwp_get_taxonomies_by_post_types(){ check_ajax_referer( 'cubewp_custom_fields_nonce', 'nonce' );- $post_types = sanitize_text_field($_POST['post_types']);+ $post_types = isset($_POST['post_types']) ? sanitize_text_field(wp_unslash($_POST['post_types'])) : '';+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::get_taxonomies_by_post_types( explode(',', $post_types) ); wp_die(); }@@ -307,7 +319,11 @@ if(isset($types) && !empty($types)){ $taxonomies = get_object_taxonomies( $types, 'objects' ); foreach($taxonomies as $single){- $terms = get_terms( $single->name, array('hide_empty' => false, 'parent' => 0 ));+ $terms = get_terms(array(+ 'taxonomy' => $single->name,+ 'hide_empty' => false,+ 'parent' => 0,+ )); if(isset($terms) && !empty($terms)){ $html .= '<div class="postbox"> <div class="postbox-header">
Based on my analysis of the code diff, here are the security findings:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-posttype-custom-fields-display.php Line 64
Old Code:
```php
<a href="<?php echo CubeWp_Submenu::_page_action('custom-fields', 'new'); ?>" class="page-title-action">
```
Fixed Code:
```php
<a href="<?php echo esc_url(CubeWp_Submenu::_page_action('custom-fields', 'new')); ?>" class="page-title-action">
```
Explanation:
The URL output in the href attribute was not being properly escaped. The return value of `CubeWp_Submenu::_page_action()` could contain special characters that, if untrusted input is processed by that function, could be used for XSS attacks. The fix applies `esc_url()` to properly escape the URL for safe output in HTML attributes.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-posttype-custom-fields-display.php Line 109
Old Code:
```php
<input type="hidden" name="cwp_group_nonce" value="<?php echo wp_create_nonce( basename( __FILE__ ) ); ?>">
```
Fixed Code:
```php
<input type="hidden" name="cwp_group_nonce" value="<?php echo esc_attr(wp_create_nonce( basename( __FILE__ ) )); ?>">
```
Explanation:
Nonce values output in HTML attributes should be escaped with `esc_attr()` to prevent attribute injection or XSS. Although nonces should theoretically only contain safe characters, escaping is a defense-in-depth practice when outputting any value in an HTML attribute context.
---
**Vulnerability 3:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-posttype-custom-fields-display.php Lines 105-106
Old Code:
```php
<?php echo self::_title(); ?>
<?php echo self::save_button(); ?>
```
Fixed Code:
```php
<?php echo wp_kses_post(self::_title()); ?>
<?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?>
```
Explanation:
The `_title()` method returns HTML containing escaped content (esc_html wrapping), but when that HTML is output, it needs to be treated as safe HTML using `wp_kses_post()`. The `save_button()` output still lacks proper escaping; the phpcs ignore comment acknowledges this without actually fixing it, indicating this function's output may contain unescaped content that should be addressed.
---
**Vulnerability 4:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-posttype-custom-fields-display.php Line 297
Old Code:
```php
$post_types = sanitize_text_field($_POST['post_types']);
```
Fixed Code:
```php
$post_types = isset($_POST['post_types']) ? sanitize_text_field(wp_unslash($_POST['post_types'])) : '';
```
Explanation:
The fixed code adds two improvements: (1) It checks if `$_POST['post_types']` exists before accessing it to prevent undefined index notices, and (2) It applies `wp_unslash()` before `sanitize_text_field()`, which is the correct order for handling WordPress-escaped data. Without unslashing first, serialized slashes could remain in the sanitized value.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
Deprecated Function Usage - CWE-1104 - class-cubewp-posttype-custom-fields-display.php Line 310 → Lines 322-326
Old Code:
```php
$terms = get_terms( $single->name, array('hide_empty' => false, 'parent' => 0 ));
```
Fixed Code:
```php
$terms = get_terms(array(
'taxonomy' => $single->name,
'hide_empty' => false,
'parent' => 0,
));
```
Explanation:
The old code used the deprecated calling convention for `get_terms()`. WordPress deprecated passing the taxonomy name as the first positional argument. The fixed code uses the modern array-based parameter format where the taxonomy is specified in the 'taxonomy' key. This ensures compatibility with current and future WordPress versions.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/recaptcha/class-cubewp-frontend-recaptcha.php 2026-01-18 00:20:47.533239518 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/recaptcha/class-cubewp-frontend-recaptcha.php 2026-01-18 00:20:56.217779093 +0000@@ -1,4 +1,12 @@ <?php+/**+ * CubeWp Frontend Recaptcha.+ *+ * @version 1.0+ * @package cubewp/cube/modules/recaptcha+ */++// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals if (! defined('ABSPATH')) { exit;@@ -78,7 +86,7 @@ } $output = ''; if (self::$recaptcha_type == 'google_v2') {- $output .= '<div class="cubewp-form-recaptcha" id="cubewp-form-recaptcha-' . rand(000000000, 999999999) . '"></div>';+ $output .= '<div class="cubewp-form-recaptcha" id="cubewp-form-recaptcha-' . wp_rand(000000000, 999999999) . '"></div>'; } return $output; }@@ -89,7 +97,7 @@ wp_send_json( array( 'type' => 'error',- 'msg' => esc_html__('Error! Please Check Captcha.', 'cubewp-frontend'),+ 'msg' => esc_html__('Error! Please Check Captcha.', 'cubewp-framework'), ) ); }@@ -98,7 +106,7 @@ wp_send_json( array( 'type' => 'error',- 'msg' => esc_html__('Captcha Error! Please Disable VPN Or Try Again Later.', 'cubewp-frontend'),+ 'msg' => esc_html__('Captcha Error! Please Disable VPN Or Try Again Later.', 'cubewp-framework'), ) ); }
Based on my analysis of the provided code diff, here are the security findings:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Weak Random Number Generation - CWE-338 - cube/modules/recaptcha/class-cubewp-frontend-recaptcha.php - Line 81
Old Code:
```php
$output .= '<div class="cubewp-form-recaptcha" id="cubewp-form-recaptcha-' . rand(000000000, 999999999) . '"></div>';
```
Fixed Code:
```php
$output .= '<div class="cubewp-form-recaptcha" id="cubewp-form-recaptcha-' . wp_rand(000000000, 999999999) . '"></div>';
```
Explanation:
The original code used PHP's `rand()` function which is cryptographically weak and predictable. This is a security vulnerability because IDs generated with `rand()` can be guessed or predicted by attackers. The fix replaces `rand()` with `wp_rand()`, which is WordPress's recommended function for generating random numbers. While `wp_rand()` is still not cryptographically secure for sensitive operations, it provides better randomness than the native `rand()` function and is the appropriate choice for generating non-sensitive DOM element IDs in a WordPress context.
---
**Vulnerability 2:**
Vulnerability Existed: no
Text Domain Inconsistency - CWE-1025 (Weaknesses in Localization) - cube/modules/recaptcha/class-cubewp-frontend-recaptcha.php - Lines 91, 101
Old Code:
```php
'msg' => esc_html__('Error! Please Check Captcha.', 'cubewp-frontend'),
'msg' => esc_html__('Captcha Error! Please Disable VPN Or Try Again Later.', 'cubewp-frontend'),
```
Fixed Code:
```php
'msg' => esc_html__('Error! Please Check Captcha.', 'cubewp-framework'),
'msg' => esc_html__('Captcha Error! Please Disable VPN Or Try Again Later.', 'cubewp-framework'),
```
Explanation:
This change corrects the text domain from 'cubewp-frontend' to 'cubewp-framework' in translation function calls. This is not a security vulnerability per se, but rather a localization/consistency fix. The proper text domain ensures that translations are correctly loaded from the right language files. This is good practice for WordPress plugin development but does not represent a security fix for an exploitable vulnerability.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/search/class-cubewp-search-ajax-hooks.php 2026-01-18 00:20:47.537239767 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/search/class-cubewp-search-ajax-hooks.php 2026-01-18 00:20:56.217779093 +0000@@ -36,9 +36,17 @@ $grid_class = 'cwp-col-12 cwp-col-md-4'; } $latLng = array();- $post_data = CubeWp_Sanitize_text_Array($_POST);+ $post_data = CubeWp_Sanitize_text_Array($_POST); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash - $post_type = isset($post_data['post_type']) ? $post_data['post_type'] : '';+ $allowed_post_types = CWP_all_post_types();+ $post_type = isset($post_data['post_type']) ? sanitize_text_field($post_data['post_type']) : '';++ $post_data['post_status'] = 'publish'; // Ensure only published posts are queried++ // Validate post_type against allowed list+ if (!in_array($post_type, $allowed_post_types, true)) {+ $post_type = '';+ } $post_data['posts_per_page'] = apply_filters('cubewp/search/post_per_page', $posts_per_page, $post_data); @@ -63,6 +71,7 @@ 'data' => $_DATA, ); $data = apply_filters('cubewp_frontend_search_data', '', $data_args);+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/frontend/before/search/loop', ''); $promotional_cards = [];@@ -94,8 +103,10 @@ if (isset($promotional_cards[$counter]) && !empty($promotional_cards[$counter])) { $promotional_cardID = $promotional_cards[$counter]['option']; $width = $promotional_cards[$counter]['width'];+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_promotional_card_output($promotional_cardID, $width); }+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo CubeWp_frontend_grid_HTML(get_the_ID(), $grid_class, $style); $counter++; }@@ -108,14 +119,16 @@ 'posts_per_page' => $post_per_page, 'page_num' => $page_num );+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp_frontend_posts_pagination', '', $pagination_args);+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/frontend/after/search/loop', ''); $grid_view_html = ob_get_contents(); ob_end_clean(); } else { $grid_view_html = self::cwp_no_result_found(); }- wp_reset_query();+ wp_reset_postdata(); if (empty($latLng)) $latLng = ''; if (empty($data)) $data = '';
Vulnerability Existed: yes
TRUE POSITIVE
[Improper Input Validation] - [CWE-20] - [cube/modules/search/class-cubewp-search-ajax-hooks.php] [Lines 39-40]
Old Code:
```php
$post_data = CubeWp_Sanitize_text_Array($_POST);
$post_type = isset($post_data['post_type']) ? $post_data['post_type'] : '';
```
Fixed Code:
```php
$post_data = CubeWp_Sanitize_text_Array($_POST); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
$allowed_post_types = CWP_all_post_types();
$post_type = isset($post_data['post_type']) ? sanitize_text_field($post_data['post_type']) : '';
$post_data['post_status'] = 'publish'; // Ensure only published posts are queried
// Validate post_type against allowed list
if (!in_array($post_type, $allowed_post_types, true)) {
$post_type = '';
}
```
Explanation:
The original code used `$post_data['post_type']` directly without additional sanitization, and more critically, without validating it against an allowlist of permitted post types. This allowed arbitrary post type values to be passed to the query, potentially exposing unintended post types. The fix adds: (1) additional `sanitize_text_field()` call for defense-in-depth, (2) retrieval of allowed post types via `CWP_all_post_types()`, (3) strict allowlist validation using `in_array()` with strict comparison, and (4) forced post status to 'publish' to prevent querying unpublished content. This demonstrates proper input validation using both sanitization and allowlisting.
---
Vulnerability Existed: not sure
[Improper Neutralization of Output During Web Page Generation] - [CWE-79] - [cube/modules/search/class-cubewp-search-ajax-hooks.php] [Lines 71-126]
Old Code:
```php
echo apply_filters('cubewp_frontend_search_data', '', $data_args);
echo apply_filters('cubewp/frontend/before/search/loop', '');
// ... other echo statements ...
echo apply_filters('cubewp_frontend_posts_pagination', '', $pagination_args);
echo apply_filters('cubewp/frontend/after/search/loop', '');
```
Fixed Code:
```php
$data = apply_filters('cubewp_frontend_search_data', '', $data_args);
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp/frontend/before/search/loop', '');
// ... other echo statements with phpcs:ignore comments added ...
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp_frontend_posts_pagination', '', $pagination_args);
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp/frontend/after/search/loop', '');
```
Explanation:
The fix adds `phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped` comments to multiple `echo apply_filters()` statements. These comments suppress PHPCS warnings but do not actually fix XSS vulnerabilities—they only hide them from static analysis. If the filters return unescaped user-controlled data, these lines remain vulnerable to XSS attacks. The proper fix would be to escape output with `wp_kses_post()`, `esc_html()`, or similar functions, or ensure filters return pre-escaped content. The code change suggests the developers are aware of potential issues but chose to suppress warnings rather than implement actual security fixes, which is a defensive programming concern.
---
Vulnerability Existed: no
[Improper Resource Cleanup] - [CWE-459] - [cube/modules/search/class-cubewp-search-ajax-hooks.php] [Line 131]
Old Code:
```php
wp_reset_query();
```
Fixed Code:
```php
wp_reset_postdata();
```
Explanation:
This is a bug fix rather than a security vulnerability. `wp_reset_query()` is deprecated and should only be used after `query_posts()`. The correct function after `WP_Query` is `wp_reset_postdata()`, which properly restores the global `$post` variable. While not a direct security issue, using the wrong function could lead to unexpected behavior in template rendering and data leakage in edge cases. The fix ensures proper resource cleanup and follows WordPress best practices.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/search/class-cubewp-search-builder.php 2026-01-18 00:20:47.537239767 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/search/class-cubewp-search-builder.php 2026-01-18 00:20:56.217779093 +0000@@ -195,6 +195,7 @@ 'switcher_types' => $types, 'switcher_title' => esc_html__('Select Post Type','cubewp-framework'), );+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo self::CubeWp_Form_Builder($args); }
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Output During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/search/class-cubewp-search-builder.php Line 198
Old Code:
```php
echo self::CubeWp_Form_Builder($args);
```
Fixed Code:
```php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo self::CubeWp_Form_Builder($args);
```
Explanation:
This is NOT actually a security fix—it's a suppression of a security warning. The diff adds a phpcs (PHP CodeSniffer) ignore comment that suppresses WordPress security checks for unescaped output. The underlying vulnerability (CWE-79: Cross-site Scripting) still exists. The `CubeWp_Form_Builder()` function's return value is being echoed directly without escaping, which could allow XSS attacks if the function returns user-controlled data or unsanitized content. The phpcs directive merely tells the linter to ignore this issue rather than fixing it. A proper security fix would wrap the output with an appropriate escaping function like `wp_kses_post()`, `esc_html()`, or `esc_attr()` depending on context.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/settings/class-cubewp-settings-ajax-hooks.php 2026-01-18 00:20:47.537239767 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/settings/class-cubewp-settings-ajax-hooks.php 2026-01-18 00:20:56.217779093 +0000@@ -15,27 +15,27 @@ 'status' => 'error', 'html' => esc_html__('Invalid User Session.', 'cubewp-framework'), ));- die($res);+ die(wp_kses_post($res)); }- if (!isset($_POST['cwpNonce']) || !wp_verify_nonce( $_POST['cwpNonce'], 'plugin_settings-options' )) {+ if (!isset($_POST['cwpNonce']) || !wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['cwpNonce'])), 'plugin_settings-options' )) { $res = json_encode(array( 'status' => 'error', 'html' => esc_html__('There Is A Problem With Nonce.', 'cubewp-framework'), ));- die($res);+ die(wp_kses_post($res)); } if (isset($_POST['activeTab']) && !empty($_POST['activeTab'])) { // Saving Last Options Tab User Use Via Cookie For 1 Day $cookie_name = "cwp-options-lastUsedTab";- $cookie_value = sanitize_text_field($_POST['activeTab']);+ $cookie_value = isset($_POST['activeTab']) ? sanitize_text_field(wp_unslash($_POST['activeTab'])) : ''; setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); } $status = 'error'; $msg = esc_html__('Unexpected Error Occurred.', 'cubewp-framework'); $settings_helpers = new CubeWp_Settings_Helpers();- $post_data = wp_unslash( $_POST['cwpOptions'] );+ $post_data = isset($_POST['cwpOptions']) ? wp_unslash( $_POST['cwpOptions'] ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized $values = $settings_helpers::parse_str( $post_data ); if(isset($_POST['reset'])){@@ -84,7 +84,7 @@ if($update == true){ do_action( 'cubewp/after/settings/saved', 'saved'); }- die($res);+ die(wp_kses_post($res)); } public static function cwp_save_default_options( $reset = '', $resetID = 0 ) {@@ -94,7 +94,7 @@ 'status' => 'error', 'html' => esc_html__('Invalid User Session.', 'cubewp-framework'), ));- die($res);+ die(wp_kses_post($res)); } if($reset == 'all'){@@ -124,8 +124,8 @@ } public static function cwp_get_font_attributes(){- - $font_family = isset($_POST['font_family']) ? sanitize_text_field($_POST['font_family']) : '';+ /* phpcs:ignore WordPress.Security.NonceVerification.Missing */+ $font_family = isset($_POST['font_family']) ? sanitize_text_field(wp_unslash($_POST['font_family'])) : ''; $font_styles_options = apply_filters("cubewp/settings/font_styles/options", '', $font_family); $font_subsets_options = apply_filters("cubewp/settings/font_subsets/options", '', $font_family);
Now I'll analyze the security patch based on the diff provided:
---
## Security Analysis Results
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Output Escaping - CWE-79 (Cross-site Scripting) - class-cubewp-settings-ajax-hooks.php - Lines 18, 25, 87, 97
Old Code:
```php
die($res);
```
Fixed Code:
```php
die(wp_kses_post($res));
```
Explanation:
The old code outputs JSON-encoded data directly without escaping. Although the content is JSON-encoded with `json_encode()`, the `die()` function outputs raw PHP variables without proper HTML escaping. When this JSON response is processed by JavaScript and potentially rendered back to HTML, an attacker could inject malicious scripts. The fix properly escapes the output using `wp_kses_post()`, which removes any potentially dangerous HTML/JavaScript while preserving safe formatting.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Unvalidated/Unsanitized Input - CWE-20 (Improper Input Validation) - class-cubewp-settings-ajax-hooks.php - Line 20
Old Code:
```php
if (!isset($_POST['cwpNonce']) || !wp_verify_nonce( $_POST['cwpNonce'], 'plugin_settings-options' )) {
```
Fixed Code:
```php
if (!isset($_POST['cwpNonce']) || !wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['cwpNonce'])), 'plugin_settings-options' )) {
```
Explanation:
The old code passes unsanitized `$_POST['cwpNonce']` directly to `wp_verify_nonce()`. Although nonces are security tokens, they should still be sanitized before processing to prevent unexpected behavior from special characters or encoding issues. The fix properly sanitizes the input with `wp_unslash()` and `sanitize_text_field()`, ensuring safe processing while maintaining nonce verification integrity.
---
**Vulnerability 3:**
Vulnerability Existed: yes
FALSE POSITIVE
Missing Input Validation - CWE-20 - class-cubewp-settings-ajax-hooks.php - Line 31
Old Code:
```php
$cookie_value = sanitize_text_field($_POST['activeTab']);
```
Fixed Code:
```php
$cookie_value = isset($_POST['activeTab']) ? sanitize_text_field(wp_unslash($_POST['activeTab'])) : '';
```
Explanation:
The old code sanitizes `$_POST['activeTab']` but doesn't account for magic quotes or PHP's `stripslashes`. Using `wp_unslash()` ensures proper handling of slashed content. Additionally, the fixed version adds redundant `isset()` checking (already checked on line 28) but ensures defensive programming. The fix also removes potential issues from raw POST data by properly unslashing before sanitization.
---
**Vulnerability 4:**
Vulnerability Existed: yes
FALSE POSITIVE
Missing Input Existence Check - CWE-20 - class-cubewp-settings-ajax-hooks.php - Line 38
Old Code:
```php
$post_data = wp_unslash( $_POST['cwpOptions'] );
```
Fixed Code:
```php
$post_data = isset($_POST['cwpOptions']) ? wp_unslash( $_POST['cwpOptions'] ) : array(); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
```
Explanation:
The old code directly accesses `$_POST['cwpOptions']` without checking if it exists, potentially causing an undefined index notice/error. The fix adds proper existence checking with `isset()` and provides a safe default empty array fallback. This prevents potential errors and makes the code more robust.
---
**Vulnerability 5:**
Vulnerability Existed: yes
FALSE POSITIVE
Missing Nonce Verification - CWE-352 (Cross-Site Request Forgery) - class-cubewp-settings-ajax-hooks.php - Line 128
Old Code:
```php
public static function cwp_get_font_attributes(){
$font_family = isset($_POST['font_family']) ? sanitize_text_field($_POST['font_family']) : '';
```
Fixed Code:
```php
public static function cwp_get_font_attributes(){
/* phpcs:ignore WordPress.Security.NonceVerification.Missing */
$font_family = isset($_POST['font_family']) ? sanitize_text_field(wp_unslash($_POST['font_family'])) : '';
```
Explanation:
The old code has no nonce verification in this AJAX endpoint that accepts POST data. The fix adds `wp_unslash()` for proper input handling and adds a phpcs ignore comment acknowledging that nonce verification is missing. While the comment doesn't technically fix the vulnerability, it indicates awareness of the security issue. Ideally, this function should include proper nonce verification like other endpoints in the class.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/settings/class-cubewp-settings-custom-fields-display.php 2026-01-18 00:20:47.537239767 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/settings/class-cubewp-settings-custom-fields-display.php 2026-01-18 00:20:56.217779093 +0000@@ -44,6 +44,7 @@ * @since 1.0.0 */ public static function add_new_group() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])){ self::edit_group(); }@@ -56,6 +57,7 @@ */ public static function group_display() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) { return; }@@ -71,7 +73,7 @@ <a class="nav-tab nav-tab-active" href="?page=settings-custom-fields"><?php esc_html_e('Settings', 'cubewp-framework'); ?></a> </nav> </div>- <a href="<?php echo CubeWp_Submenu::_page_action('settings-custom-fields', 'new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>+ <a href="<?php echo esc_url(CubeWp_Submenu::_page_action('settings-custom-fields', 'new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a> </div> <hr class="wp-header-end"> <?php $customFieldsGroupTable->prepare_items(); ?>@@ -110,11 +112,11 @@ <form id="post" class="cwpgroup" method="post" action="" enctype="multipart/form-data"> <div class="wrap cwp-post-type-title width-40 margin-bottom-0 margin-left-minus-20 margin-right-0">- <?php echo self::_title(); ?>- <?php echo self::save_button(); ?>+ <?php echo wp_kses_post(self::_title()); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?> </div> <hr class="wp-header-end">- <input type="hidden" name="cwp_group_nonce" value="<?php echo wp_create_nonce( basename( __FILE__ ) ); ?>">+ <input type="hidden" name="cwp_group_nonce" value="<?php echo esc_attr(wp_create_nonce( basename( __FILE__ ) )); ?>"> <input type="hidden" class="" name="cwp[group][id]" value="<?php echo esc_attr($group['id']); ?>"> <div id="poststuff" class="padding-0"> <div id="post-body" class="metabox-holder columns-2">@@ -128,6 +130,7 @@ <table class="form-table cwp-validation"> <tbody> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/group/text/field', '', array( 'id' => '', 'name' => 'cwp[group][name]',@@ -139,6 +142,7 @@ 'extra_attrs' => 'maxlength=20', 'tooltip' => 'Give a name for this group. Which will be used to show grouped data in metaboxes', ));+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/group/text/field', '', array( 'id' => '', 'type' => 'number',@@ -151,6 +155,7 @@ 'extra_attrs' => 'maxlength=20', 'tooltip' => 'Give a order number for this group. Which will be used to show in order', ));+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/group/text/field', '', array( 'id' => '', 'name' => 'cwp[group][description]',@@ -188,7 +193,7 @@ </div> </div> <div class="cwp-group-fields-content">- <?php echo self::get_fields($group['fields'], $group['sub_fields']); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::get_fields($group['fields'], $group['sub_fields']); ?> </div> </div> </div>@@ -206,6 +211,7 @@ * @since 1.0 */ private static function _title() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))) { return '<h1>'. esc_html(__('Edit Custom Fields Group (Settings)', 'cubewp-framework')) .'</h1>'; } else {@@ -220,6 +226,7 @@ * @since 1.0.0 */ private static function save_button() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))){ $name = 'cwp_edit_group'; }else{@@ -229,17 +236,16 @@ } public static function save_group() {- + /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_POST['cwp']['group'])) {-- $group = isset($_POST['cwp']['group']) ? $_POST['cwp']['group'] : array();+ $group = isset($_POST['cwp']['group']) ? $_POST['cwp']['group'] : array(); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated $groupID = isset($group['id']) ? sanitize_text_field($group['id']) : ''; $groupName = isset($group['name']) ? sanitize_text_field($group['name']) : ''; $groupDesc = isset($group['description']) ? sanitize_text_field($group['description']) : ''; $groupOrder = isset($group['order']) ? sanitize_text_field($group['order']) : 0; if (!empty($groupName)) {- if (isset($_POST['cwp_save_group'])) {+ if (isset($_POST['cwp_save_group'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing $post_data = array( 'post_type' => 'cwp_settings_fields', 'post_title' => $groupName,@@ -247,7 +253,7 @@ 'post_status' => 'publish', ); $post_id = wp_insert_post($post_data);- } else if (isset($_POST['cwp_edit_group']) && !empty($groupID)) {+ } else if (isset($_POST['cwp_edit_group']) && !empty($groupID)) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing $post_data = array( 'ID' => $groupID, 'post_title' => $groupName,@@ -263,10 +269,11 @@ } }- self::save_custom_fields($_POST['cwp'],$post_id,'post_types');+ self::save_custom_fields(isset($_POST['cwp']) ? $_POST['cwp'] : array(),$post_id,'post_types'); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated if (!empty($post_id) ) {- wp_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );+ exit; } }
Based on my analysis of the diff, here are the security vulnerabilities and fixes:
---
**Vulnerability 1: Unescaped URL Output**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation - CWE-79 - class-cubewp-settings-custom-fields-display.php [76]
Old Code:
```php
<a href="<?php echo CubeWp_Submenu::_page_action('settings-custom-fields', 'new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>
```
Fixed Code:
```php
<a href="<?php echo esc_url(CubeWp_Submenu::_page_action('settings-custom-fields', 'new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>
```
Explanation:
The `_page_action()` function's return value was directly output in an href attribute without escaping. This could allow malicious URL injection if the function doesn't properly sanitize the query string. The fix applies `esc_url()` to properly escape URLs for HTML attributes.
---
**Vulnerability 2: Unescaped HTML Output**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Output During Web Page Generation - CWE-79 - class-cubewp-settings-custom-fields-display.php [115]
Old Code:
```php
<?php echo self::_title(); ?>
```
Fixed Code:
```php
<?php echo wp_kses_post(self::_title()); ?>
```
Explanation:
The `_title()` method returns HTML content (contains `<h1>` tags) that was output without proper escaping. The fix applies `wp_kses_post()` which allows safe HTML while removing potentially dangerous content.
---
**Vulnerability 3: Unescaped Nonce Value in HTML Attribute**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Output During Web Page Generation - CWE-79 - class-cubewp-settings-custom-fields-display.php [119]
Old Code:
```php
<input type="hidden" name="cwp_group_nonce" value="<?php echo wp_create_nonce( basename( __FILE__ ) ); ?>">
```
Fixed Code:
```php
<input type="hidden" name="cwp_group_nonce" value="<?php echo esc_attr(wp_create_nonce( basename( __FILE__ ) )); ?>">
```
Explanation:
The nonce value was output directly in an HTML attribute without escaping. Although `wp_create_nonce()` typically returns safe values, best practice requires escaping all attribute values with `esc_attr()` to prevent attribute injection attacks.
---
**Vulnerability 4: Unvalidated Redirect**
Vulnerability Existed: yes
FALSE POSITIVE
Uncontrolled Resource Consumption in Redirects - CWE-601 - class-cubewp-settings-custom-fields-display.php [275]
Old Code:
```php
wp_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );
```
Fixed Code:
```php
wp_safe_redirect( CubeWp_Submenu::_page_action('settings-custom-fields') );
exit;
```
Explanation:
The code uses `wp_redirect()` instead of `wp_safe_redirect()`. The `wp_safe_redirect()` function validates that the redirect location is same-site, preventing open redirect vulnerabilities. Additionally, `exit;` was added to ensure the script terminates after the redirect, preventing further code execution.
---
**Vulnerability 5: Missing Input Validation on POST Data**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-settings-custom-fields-display.php [272]
Old Code:
```php
self::save_custom_fields($_POST['cwp'],$post_id,'post_types');
```
Fixed Code:
```php
self::save_custom_fields(isset($_POST['cwp']) ? $_POST['cwp'] : array(),$post_id,'post_types'); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated
```
Explanation:
The original code directly accessed `$_POST['cwp']` without checking if it exists, which could cause PHP notices. The fix adds an `isset()` check with a fallback empty array. However, note that the phpcs comments indicate the underlying security issues with missing nonce verification and unsanitized input remain unresolved in the actual logic.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/settings/class-cubewp-settings-fields.php 2026-01-18 00:20:47.537239767 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/settings/class-cubewp-settings-fields.php 2026-01-18 00:20:56.217779093 +0000@@ -56,7 +56,8 @@ ); $field_args['class'] = $field_args['class'] . ' cwp-single-select'; $output .= cwp_render_dropdown_input( $field_args );- $args['desc'] = sprintf(__( 'Select The Page Used For %s Submission (Page must include the %s Submission Shortcode)', 'cubewp-framework' ), $postTypeLabel, $postTypeLabel);+ /* translators: %1$s: post type label, %2$s: post type label. */+ $args['desc'] = sprintf(__( 'Select The Page Used For %1$s Submission (Page must include the %2$s Submission Shortcode)', 'cubewp-framework' ), esc_html($postTypeLabel), esc_html($postTypeLabel)); $output .= apply_filters( "cubewp/settings/desc/field", '', $args ); $output .= '</fieldset>'; }@@ -275,13 +276,13 @@ $output .= '<fieldset id="cwp-'. esc_attr($args['id']).'" class="cwp-field-container cwp-'. esc_attr($args['type']).'-container" data-id="'. esc_attr($args['id']).'" data-type="'. esc_attr($args['type']).'">'; $field_args = array(- 'id' => $args['id'],- 'name' => $args['id'],- 'placeholder' => $args['placeholder'],- 'class' => $args['class'],- 'value' => $args['value'],- 'extra_attrs' => $args['extra_attrs'],- 'row' => $args['row'],+ 'id' => isset($args['id']) ? $args['id'] : '',+ 'name' => isset($args['id']) ? $args['id'] : '',+ 'placeholder' => isset($args['placeholder']) ? $args['placeholder'] : '',+ 'class' => isset($args['class']) ? $args['class'] : '',+ 'value' => isset($args['value']) ? $args['value'] : '',+ 'extra_attrs' => isset($args['extra_attrs']) ? $args['extra_attrs'] : '',+ 'row' => isset($args['row']) ? $args['row'] : 10, ); $output .= cwp_render_textarea_input( $field_args ); $output .= apply_filters("cubewp/settings/desc/field", '', $args);@@ -504,7 +505,7 @@ } } $output .= '<a href="' . $image_thumb . '" target="_blank"><img id="' . $args['id'] . '_preview" class="image_preview" alt="image" src="' . $image_thumb . '" /></a>' . "\n";- $output .= '<input id="' . $args['id'] . '_button" data-multiple="false" type="button" data-uploader_title="' . __('Upload', 'cubewp-framework') . '" data-uploader_button_text="' . __('Use image', 'cubewp-framework') . '" class="image_upload_button button" value="' . __('Upload', 'plugin_textdomain') . '" />' . "\n";+ $output .= '<input id="' . $args['id'] . '_button" data-multiple="false" type="button" data-uploader_title="' . __('Upload', 'cubewp-framework') . '" data-uploader_button_text="' . __('Use image', 'cubewp-framework') . '" class="image_upload_button button" value="' . __('Upload', 'cubewp-framework') . '" />' . "\n"; $output .= '<input id="' . $args['id'] . '_delete" type="button" class="image_delete_button button" value="' . __('Remove', 'cubewp-framework') . '" />' . "\n"; $output .= '<input id="' . $args['id'] . '" class="image_data_field" type="hidden" name="' . $args['id'] . '" value="' . $args['value'] . '"/><br/>' . "\n"; @@ -732,7 +733,12 @@ $taxonomy = $args['args']['taxonomies']; unset($args['args']['taxonomies']);- $terms = get_terms( $taxonomy, $args['args'] );+ // Merge taxonomy into args array+ $terms_args = array_merge( $args['args'], array(+ 'taxonomy' => $taxonomy,+ 'hide_empty' => false,+ ));+ $terms = get_terms( $terms_args ); $options = array(); if(isset($terms) && !empty($terms) && !isset($terms->errors)){
Now analyzing the diff for security vulnerabilities:
---
**Vulnerability 1:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/settings/class-cubewp-settings-fields.php - Lines 59-60
**Old Code:**
```php
$args['desc'] = sprintf(__( 'Select The Page Used For %s Submission (Page must include the %s Submission Shortcode)', 'cubewp-framework' ), $postTypeLabel, $postTypeLabel);
```
**Fixed Code:**
```php
/* translators: %1$s: post type label, %2$s: post type label. */
$args['desc'] = sprintf(__( 'Select The Page Used For %1$s Submission (Page must include the %2$s Submission Shortcode)', 'cubewp-framework' ), esc_html($postTypeLabel), esc_html($postTypeLabel));
```
Explanation:
The original code directly interpolates `$postTypeLabel` into a string output via `sprintf()` without proper escaping. If `$postTypeLabel` contains user-controlled data or unsanitized input from the database, it could be rendered as HTML and execute malicious JavaScript in the browser. The fix adds `esc_html()` escaping to ensure any HTML special characters are properly encoded, preventing XSS injection.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Validation of Array Index - CWE-129 - cube/modules/settings/class-cubewp-settings-fields.php - Lines 278-286
**Old Code:**
```php
$field_args = array(
'id' => $args['id'],
'name' => $args['id'],
'placeholder' => $args['placeholder'],
'class' => $args['class'],
'value' => $args['value'],
'extra_attrs' => $args['extra_attrs'],
'row' => $args['row'],
);
```
**Fixed Code:**
```php
$field_args = array(
'id' => isset($args['id']) ? $args['id'] : '',
'name' => isset($args['id']) ? $args['id'] : '',
'placeholder' => isset($args['placeholder']) ? $args['placeholder'] : '',
'class' => isset($args['class']) ? $args['class'] : '',
'value' => isset($args['value']) ? $args['value'] : '',
'extra_attrs' => isset($args['extra_attrs']) ? $args['extra_attrs'] : '',
'row' => isset($args['row']) ? $args['row'] : 10,
);
```
Explanation:
The original code directly accesses array indices without checking if they exist, which could generate PHP notices or warnings if the indices are missing. While not a direct security vulnerability, undefined array indices can lead to information disclosure (PHP notices in error logs) or unexpected behavior. The fix adds proper `isset()` checks with fallback values, improving robustness and preventing potential information leakage through error messages.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
Incorrect Text Domain - CWE-693 - cube/modules/settings/class-cubewp-settings-fields.php - Line 507
**Old Code:**
```php
$output .= '<input id="' . $args['id'] . '_button" data-multiple="false" type="button" data-uploader_title="' . __('Upload', 'cubewp-framework') . '" data-uploader_button_text="' . __('Use image', 'cubewp-framework') . '" class="image_upload_button button" value="' . __('Upload', 'plugin_textdomain') . '" />' . "\n";
```
**Fixed Code:**
```php
$output .= '<input id="' . $args['id'] . '_button" data-multiple="false" type="button" data-uploader_title="' . __('Upload', 'cubewp-framework') . '" data-uploader_button_text="' . __('Use image', 'cubewp-framework') . '" class="image_upload_button button" value="' . __('Upload', 'cubewp-framework') . '" />' . "\n";
```
Explanation:
The original code uses an incorrect text domain `'plugin_textdomain'` for one of the `__()` translation calls, while the others use `'cubewp-framework'`. This is inconsistent and prevents proper translation. While not a direct security vulnerability, using wrong text domains can be considered a localization/internationalization issue. The fix corrects the text domain to match the others, ensuring consistent translation handling.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
Deprecated Function Usage - CWE-695 - cube/modules/settings/class-cubewp-settings-fields.php - Lines 735-742
**Old Code:**
```php
$terms = get_terms( $taxonomy, $args['args'] );
```
**Fixed Code:**
```php
// Merge taxonomy into args array
$terms_args = array_merge( $args['args'], array(
'taxonomy' => $taxonomy,
'hide_empty' => false,
));
$terms = get_terms( $terms_args );
```
Explanation:
The original code uses an outdated calling convention for WordPress's `get_terms()` function. In WordPress 4.5+, passing taxonomy as a separate parameter is deprecated. The function signature changed to require taxonomy to be passed within the arguments array. The fix properly merges the taxonomy into the arguments array and calls `get_terms()` with the correct modern signature, preventing deprecation warnings and potential breaking changes in future WordPress versions.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/settings/class-cubewp-settings.php 2026-01-18 00:20:47.537239767 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/settings/class-cubewp-settings.php 2026-01-18 00:20:56.217779093 +0000@@ -1,4 +1,13 @@ <?php+/**+ * CubeWp Settings.+ *+ * @version 1.0+ * @package cubewp/cube/modules/settings+ */++// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if ( ! defined('ABSPATH')) { exit; }@@ -65,7 +74,7 @@ <div id="cubewp-settings-tabs"> <div class="cubewp-settings-tabs-header"> <img src="<?php echo esc_url(CWP_PLUGIN_URI . "cube/assets/admin/images/logo-2.png"); ?>"- alt="<?php esc_html_e("CubeWP Logo", "cube"); ?>">+ alt="<?php esc_html_e("CubeWP Logo", "cubewp-framework"); ?>"> </div> <?php $counter = 0;@@ -79,8 +88,8 @@ } $counter ++; ?>- <div class="cubewp-setting-tab <?php esc_attr_e($class); ?>" data-target-id="<?php esc_attr_e($id); ?>">- <span class="dashicons <?php esc_attr_e($icon); ?>"></span>+ <div class="cubewp-setting-tab <?php echo esc_attr($class); ?>" data-target-id="<?php echo esc_attr($id); ?>">+ <span class="dashicons <?php echo esc_attr($icon); ?>"></span> <?php echo esc_html($data['title']); ?> </div> <?php@@ -91,9 +100,9 @@ $id = 'section_'.$group; $class = 'custom-section'; ?>- <div class="cubewp-setting-tab <?php esc_attr_e($class); ?>" data-target-id="<?php esc_attr_e($id); ?>">- <span class="dashicons <?php esc_attr_e($icon); ?>"></span>- <?php echo get_the_title($group) ?>+ <div class="cubewp-setting-tab <?php echo esc_attr($class); ?>" data-target-id="<?php echo esc_attr($id); ?>">+ <span class="dashicons <?php echo esc_attr($icon); ?>"></span>+ <?php echo esc_html(get_the_title($group)); ?> </div> <?php }@@ -115,7 +124,7 @@ $class .= " " . self::current_active_tab($id, $counter); $counter ++; ?>- <div id="<?php esc_attr_e($id) ?>" class="cubewp-settings-tabs-content <?php esc_attr_e($class) ?>">+ <div id="<?php echo esc_attr($id) ?>" class="cubewp-settings-tabs-content <?php echo esc_attr($class) ?>"> <h2><?php echo esc_html($data['title']) ?></h2> <table class="form-table"> <tbody>@@ -124,7 +133,8 @@ $field = self::set_field_value($field); ?> <tr>- <?php echo apply_filters("cubewp/settings/{$field['type']}/field", '', $field) ?>+ <?php // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped+ echo apply_filters("cubewp/settings/{$field['type']}/field", '', $field); ?> </tr> <?php $this->check_dependencies($field);@@ -142,8 +152,8 @@ $id = 'section_'.$group; $class = 'custom-section'; ?>- <div id="<?php esc_attr_e($id) ?>" class="cubewp-settings-tabs-content <?php esc_attr_e($class) ?>">- <h2><?php echo get_the_title($group) ?></h2>+ <div id="<?php echo esc_attr($id) ?>" class="cubewp-settings-tabs-content <?php echo esc_attr($class) ?>">+ <h2><?php echo esc_html(get_the_title($group)); ?></h2> <table class="form-table"> <tbody> <?php@@ -159,6 +169,7 @@ $field['desc'] = $field['description']; $field['title'] = $field['label']; $field = self::set_field_value($field);+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters("cubewp/admin/post/{$field['type']}/field", '', $field); $this->check_dependencies($field); }@@ -186,7 +197,7 @@ $cookie_name = "cwp-options-lastUsedTab"; if (isset($_COOKIE[$cookie_name]) && ! empty($_COOKIE[$cookie_name])) {- $lastUsedTab = sanitize_text_field( $_COOKIE[$cookie_name] );+ $lastUsedTab = sanitize_text_field( wp_unslash($_COOKIE[$cookie_name]) ); } if ($counter == 0 && empty($lastUsedTab)) {@@ -202,7 +213,7 @@ public function cubewp_setting_actions(string $position) { ?>- <div class="cubewp-setting-actions cubewp-setting-actions-<?php esc_attr_e($position); ?>">+ <div class="cubewp-setting-actions cubewp-setting-actions-<?php echo esc_attr($position); ?>"> <button class="button-primary cwp-save-settings"> <?php esc_html_e('Save settings', 'cubewp-framework'); ?> </button>
Based on my analysis of the code diff, here are the security vulnerabilities: --- **Vulnerability 1:** Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-settings.php lines 82-85 Old Code: ```php <?php esc_attr_e($class); ?> <?php esc_attr_e($id); ?> <?php esc_attr_e($icon); ?> ``` Fixed Code: ```php <?php echo esc_attr($class); ?> <?php echo esc_attr($id); ?> <?php echo esc_attr($icon); ?> ``` Explanation: The code was using `esc_attr_e()` which is an output escaping function that echoes and localizes strings. However, `$class`, `$id`, and `$icon` are not translatable strings - they're variable values. Using `echo esc_attr()` is the correct approach to output escaped attribute values. The original code would fail to properly escape these values in all contexts. --- **Vulnerability 2:** Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-settings.php lines 104-105 Old Code: ```php <?php echo get_the_title($group) ?> ``` Fixed Code: ```php <?php echo esc_html(get_the_title($group)); ?> ``` Explanation: The function `get_the_title()` returns unescaped data. When directly echoing it in HTML context, any malicious content in the title (which can be user-controlled via post titles) could execute as JavaScript. The fix wraps it with `esc_html()` to properly escape HTML special characters. --- **Vulnerability 3:** Vulnerability Existed: yes FALSE POSITIVE Improper Input Validation - CWE-78 / CWE-94 - class-cubewp-settings.php line 200 Old Code: ```php $lastUsedTab = sanitize_text_field( $_COOKIE[$cookie_name] ); ``` Fixed Code: ```php $lastUsedTab = sanitize_text_field( wp_unslash($_COOKIE[$cookie_name]) ); ``` Explanation: WordPress stores cookie values with slashes added by PHP's `magic_quotes` behavior (historically, now deprecated but still relevant for compatibility). The `sanitize_text_field()` function expects unslashed input. Without `wp_unslash()`, the cookie value may not be properly sanitized if it contains escaped characters, potentially leading to improper validation or injection vulnerabilities. --- **Vulnerability 4:** Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-settings.php line 213 Old Code: ```php <div class="cubewp-setting-actions cubewp-setting-actions-<?php esc_attr_e($position); ?>"> ``` Fixed Code: ```php <div class="cubewp-setting-actions cubewp-setting-actions-<?php echo esc_attr($position); ?>"> ``` Explanation: Same as Vulnerability 1 - using `esc_attr_e()` instead of `echo esc_attr()` for variable values. The `$position` parameter is a string variable, not a translatable string, so it should use `esc_attr()` with explicit `echo`.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/taxonomies/class-cubewp-taxonomy-custom-fields.php 2026-01-18 00:20:47.541240015 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/taxonomies/class-cubewp-taxonomy-custom-fields.php 2026-01-18 00:20:56.217779093 +0000@@ -1,15 +1,21 @@ <?php- /**- * Creates the submenu item for the plugin.- *- * @package Custom_Admin_Settings- * Creates the submenu item for the plugin.+ * CubeWp Taxonomy Custom Fields. * * Registers a new menu item under 'Tools' and uses the dependency passed into * the constructor in order to display the page corresponding to this menu item. *- * @package CubeWp_Taxonomy_Custom_Fields+ * @package cubewp/cube/modules/taxonomies+ */++// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals++if ( ! defined( 'ABSPATH' ) ) {+ exit;+}++/**+ * CubeWp_Taxonomy_Custom_Fields */ class CubeWp_Taxonomy_Custom_Fields { @@ -22,6 +28,7 @@ private static function taxonomy_custom_fields_display() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) { return; }@@ -39,7 +46,7 @@ <a class="nav-tab" href="?page=settings-custom-fields"><?php esc_html_e('Settings', 'cubewp-framework'); ?></a> </nav> </div>- <a href="<?php echo CubeWp_Submenu::_page_action('taxonomy-custom-fields', 'new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>+ <a href="<?php echo esc_url(CubeWp_Submenu::_page_action('taxonomy-custom-fields', 'new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a> </div> <hr class="wp-header-end"> <?php $taxonomycustomFieldsTable->prepare_items(); ?>@@ -52,6 +59,7 @@ } private static function edit_taxonomy_custom_fields() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(!isset($_GET['action'])){ return; }@@ -60,14 +68,16 @@ $FieldData = array(); $tax_custom_fields = CWP()->get_custom_fields( 'taxonomy' ); + /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_GET['fieldid']) && $_GET['fieldid'] != '' ){- $tax_custom_field = array_column($tax_custom_fields, sanitize_text_field($_GET['fieldid']));+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $tax_custom_field = array_column($tax_custom_fields, sanitize_text_field(wp_unslash($_GET['fieldid']))); $FieldData = isset($tax_custom_field[0]) ? $tax_custom_field[0] : array(); } $defaults = array( 'name' => '',- 'slug' => 'cwp_field_'. rand(10000000,1000000000000),+ 'slug' => 'cwp_field_'. wp_rand(10000000,1000000000000), 'type' => '', 'description' => '', 'placeholder' => '',@@ -146,8 +156,8 @@ <div class="wrap cubewp-wrap"> <form method="post" action="" id="post"> <div class="wrap cwp-post-type-title width-40 margin-bottom-0 margin-left-minus-20 margin-right-0">- <?php echo self::_title(); ?>- <?php echo self::save_button(); ?>+ <?php echo wp_kses_post(self::_title()); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?> </div> <hr class="wp-header-end"> <div id="poststuff" class="padding-0">@@ -165,6 +175,7 @@ <td class="text-left"> <ul class="cwp-checkbox-outer margin-0"> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomies/taxonomy/customfield', '', array( 'id' => 'taxonomies-list', 'name' => 'cwp_taxonomies[]]',@@ -196,6 +207,7 @@ <?php foreach( $field_settings as $field_setting ){ $fields = apply_filters("cubewp/admin/taxonomies/{$field_setting['type']}/customfield", '', $field_setting);+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters( 'cubewp/taxonomies/custom_fields/single/field/output', $fields, $field_setting); } ?>@@ -214,12 +226,13 @@ } private static function save_taxonomy_field() {- - if(isset($_POST['cwp_taxonomies']) && !empty($_POST['cwp_taxonomies'])){- if(isset($_POST['cwp_tax_fields']) && !empty($_POST['cwp_tax_fields'])){+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ if(isset($_POST['cwp_taxonomies']) && !empty($_POST['cwp_taxonomies'])){ // phpcs:ignore WordPress.Security.NonceVerification.Missing+ if(isset($_POST['cwp_tax_fields']) && !empty($_POST['cwp_tax_fields'])){ // phpcs:ignore WordPress.Security.NonceVerification.Missing $cwp_tax_custom_fields = CWP()->get_custom_fields( 'taxonomy' ); $cwp_tax_custom_fields = isset($cwp_tax_custom_fields) && !empty($cwp_tax_custom_fields) ? $cwp_tax_custom_fields : array();+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing */ $field_options = isset($_POST['cwp_tax_fields']) ? CubeWp_Sanitize_text_Array($_POST['cwp_tax_fields']) : array(); if(isset($cwp_tax_custom_fields) && !empty($cwp_tax_custom_fields)){@@ -233,20 +246,23 @@ } } - foreach($_POST['cwp_taxonomies'] as $taxonomy){+ foreach($_POST['cwp_taxonomies'] as $taxonomy){ // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_POST['cwp_taxonomies']) && !empty($_POST['cwp_taxonomies'])){+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.NonceVerification.Missing */ $taxnomies = CubeWp_Sanitize_text_Array($_POST['cwp_taxonomies']); $field_options['taxonomies'] = implode(',', $taxnomies); } $cwp_tax_custom_fields[$taxonomy][$field_options['slug']] = $field_options; } CWP()->update_custom_fields( 'taxonomy', $cwp_tax_custom_fields );- wp_redirect( CubeWp_Submenu::_page_action('taxonomy-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('taxonomy-custom-fields') ); exit; } } } private static function _title() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))) { return '<h1>'. esc_html(__('Edit Taxonomy Field', 'cubewp-framework')) .'</h1>'; } else {@@ -254,6 +270,7 @@ } } private static function save_button() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))){ $name = 'cwp_save_field'; }else{
I'll analyze this code diff for security fixes following the specified format.
---
**Vulnerability 1: Missing Output Escaping**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-taxonomy-custom-fields.php Line 49
[Old Code]
```
<a href="<?php echo CubeWp_Submenu::_page_action('taxonomy-custom-fields', 'new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>
```
[Fixed Code]
```
<a href="<?php echo esc_url(CubeWp_Submenu::_page_action('taxonomy-custom-fields', 'new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>
```
Explanation:
The URL output in the href attribute was not escaped. By wrapping the output with `esc_url()`, the fix properly escapes URL output to prevent XSS attacks where malicious JavaScript could be injected through the URL.
---
**Vulnerability 2: Unslashed User Input**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-taxonomy-custom-fields.php Line 73
[Old Code]
```
$tax_custom_field = array_column($tax_custom_fields, sanitize_text_field($_GET['fieldid']));
```
[Fixed Code]
```
$tax_custom_field = array_column($tax_custom_fields, sanitize_text_field(wp_unslash($_GET['fieldid'])));
```
Explanation:
WordPress automatically adds slashes to $_GET data when `magic_quotes_gpc` is enabled. The fix applies `wp_unslash()` before sanitization to properly remove these slashes, ensuring correct data processing and preventing bypass of sanitization routines.
---
**Vulnerability 3: Weak Random Number Generation**
Vulnerability Existed: yes
TRUE POSITIVE
Use of Insufficiently Random Values - CWE-338 - class-cubewp-taxonomy-custom-fields.php Line 80
[Old Code]
```
'slug' => 'cwp_field_'. rand(10000000,1000000000000),
```
[Fixed Code]
```
'slug' => 'cwp_field_'. wp_rand(10000000,1000000000000),
```
Explanation:
The native `rand()` function is not cryptographically secure. WordPress's `wp_rand()` is a more secure alternative that uses better randomness sources when available, reducing predictability of generated values.
---
**Vulnerability 4: Unsafe Redirect**
Vulnerability Existed: yes
FALSE POSITIVE
Open Redirect - CWE-601 - class-cubewp-taxonomy-custom-fields.php Line 259
[Old Code]
```
wp_redirect( CubeWp_Submenu::_page_action('taxonomy-custom-fields') );
```
[Fixed Code]
```
wp_safe_redirect( CubeWp_Submenu::_page_action('taxonomy-custom-fields') );
```
Explanation:
`wp_redirect()` does not validate redirect URLs. `wp_safe_redirect()` adds a whitelist check to ensure redirects stay within the same host, preventing open redirect vulnerabilities where attackers could redirect users to malicious external sites.
---
**Vulnerability 5: Missing Output Escaping in Dynamic Content**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-taxonomy-custom-fields.php Line 159
[Old Code]
```
<?php echo self::_title(); ?>
```
[Fixed Code]
```
<?php echo wp_kses_post(self::_title()); ?>
```
Explanation:
The output from `_title()` method was not escaped. Adding `wp_kses_post()` ensures HTML is properly filtered to allow safe HTML tags while preventing XSS payloads.
---
**Summary:**
Five security vulnerabilities were identified and fixed in this diff:
1. Unescaped URL output (XSS)
2. Unslashed user input before sanitization
3. Weak random number generation
4. Unsafe redirect functionality
5. Unescaped dynamic content output (XSS)
All fixes follow WordPress security best practices and align with OWASP guidelines for secure coding.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/taxonomies/class-cubewp-taxonomy-metabox.php 2026-01-18 00:20:47.541240015 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/taxonomies/class-cubewp-taxonomy-metabox.php 2026-01-18 00:20:56.217779093 +0000@@ -43,6 +43,7 @@ } $output .= apply_filters( "cubewp/admin/post/{$field['type']}/field", '', $field ); }+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data( $output ); } }@@ -72,8 +73,8 @@ } $args[$field['slug']] = array( 'type' => $field['type'],- 'meta_key' => $field['slug'],- 'meta_value' => $value,+ 'meta_key' => $field['slug'],// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key+ 'meta_value' => $value,// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_value 'label' => $field['name'], ); }@@ -82,8 +83,9 @@ } public static function cwp_save_taxonomy_custom_fields( $term_id = 0 ){+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_POST['cwp_term_meta'])) {- $POST_DATA = CubeWp_Sanitize_Fields_Array($_POST['cwp_term_meta'],'taxonomy');+ $POST_DATA = CubeWp_Sanitize_Fields_Array($_POST['cwp_term_meta'],'taxonomy'); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated foreach($POST_DATA as $key => $val ){ update_term_meta( $term_id, $key, $val ); }
I need to analyze this code diff for security vulnerabilities. Let me examine it carefully.
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/modules/taxonomies/class-cubewp-taxonomy-metabox.php - Line 46
Old Code:
```php
echo cubewp_core_data( $output );
```
Fixed Code:
```php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo cubewp_core_data( $output );
```
Explanation:
The vulnerability existed but was NOT actually fixed. The code still echoes unsanitized output without proper escaping. The `$output` variable is built by concatenating user input and filter results without escaping. The phpcs ignore comment merely suppresses the security warning without addressing the underlying issue. A proper fix would wrap the output with `wp_kses_post()`, `esc_html()`, or another appropriate escaping function depending on the expected content type.
---
**Vulnerability 2:**
Vulnerability Existed: not sure
Missing CSRF Nonce Verification - CWE-352 - cube/modules/taxonomies/class-cubewp-taxonomy-metabox.php - Lines 85-88
Old Code:
```php
public static function cwp_save_taxonomy_custom_fields( $term_id = 0 ){
if(isset($_POST['cwp_term_meta'])) {
$POST_DATA = CubeWp_Sanitize_Fields_Array($_POST['cwp_term_meta'],'taxonomy');
```
Fixed Code:
```php
public static function cwp_save_taxonomy_custom_fields( $term_id = 0 ){
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
if(isset($_POST['cwp_term_meta'])) {
$POST_DATA = CubeWp_Sanitize_Fields_Array($_POST['cwp_term_meta'],'taxonomy'); // phpcs:ignore WordPress.Security.NonceVerification.Missing, ...
```
Explanation:
The vulnerability (missing nonce verification) was NOT fixed. Like the first issue, phpcs ignore comments were added without addressing the actual security problem. The function directly accesses `$_POST['cwp_term_meta']` without verifying a WordPress nonce, making it vulnerable to CSRF attacks. A proper fix would check `wp_verify_nonce()` before processing the POST data. The uncertainty stems from not knowing if nonce verification happens elsewhere in the calling hook.
---
**Vulnerability 3:**
Vulnerability Existed: not sure
Input Validation/Sanitization Issue - CWE-20 - cube/modules/taxonomies/class-cubewp-taxonomy-metabox.php - Lines 87-88
Old Code:
```php
$POST_DATA = CubeWp_Sanitize_Fields_Array($_POST['cwp_term_meta'],'taxonomy');
```
Fixed Code:
```php
$POST_DATA = CubeWp_Sanitize_Fields_Array($_POST['cwp_term_meta'],'taxonomy'); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated
```
Explanation:
The vulnerability was NOT fixed. The phpcs ignore comments indicate that WordPress standards require unslashing and additional validation that is missing. While `CubeWp_Sanitize_Fields_Array()` may provide some sanitization, the code bypasses WordPress standard practices. Without seeing the implementation of that function, it's uncertain if it properly handles unslashing and validation according to WordPress security standards.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/taxonomies/class-cubewp-taxonomy.php 2026-01-18 00:20:47.541240015 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/taxonomies/class-cubewp-taxonomy.php 2026-01-18 00:20:56.217779093 +0000@@ -65,6 +65,7 @@ if(isset($taxonomies) && !empty($taxonomies)){ $comma = $tax_names = ''; foreach($taxonomies as $taxonomy){+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_GET['CWPtermid']) && $_GET['CWPtermid'] == $taxonomy->name ){ return; }@@ -78,8 +79,10 @@ private function get_taxonomiesBySlug() { $get_CustomTaxonomies = get_option('cwp_custom_taxonomies'); if (!empty($get_CustomTaxonomies)) {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && 'edit' == $_GET['action'] && !empty($_GET['CWPtermid'])) {- $singleCPT = $get_CustomTaxonomies[sanitize_text_field($_GET['CWPtermid'])];+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $singleCPT = $get_CustomTaxonomies[sanitize_text_field(wp_unslash($_GET['CWPtermid']))]; return $singleCPT; } }@@ -92,19 +95,29 @@ foreach ($C_taxonomies as $single_ctax) { if(isset($single_ctax['post_types']) && !empty($single_ctax['post_types'])){ $labels = array(- 'name' => _x($single_ctax['name'], 'taxonomy general name', 'textdomain'),- 'singular_name' => _x($single_ctax['singular'], 'taxonomy singular name', 'textdomain'),- 'search_items' => sprintf(__('Search %s', 'cubewp-framework'), $single_ctax['name']),- 'all_items' => sprintf(__('All %s', 'cubewp-framework'), $single_ctax['name']),- 'parent_item' => sprintf(__('Parent %s', 'cubewp-framework'), $single_ctax['name']),- 'parent_item_colon' => sprintf(__('Parent %s:', 'cubewp-framework'), $single_ctax['name']),- 'edit_item' => sprintf(__('Edit %s', 'cubewp-framework'), $single_ctax['singular']),- 'update_item' => sprintf(__('Update %s', 'cubewp-framework'), $single_ctax['singular']),- 'add_new_item' => sprintf(__('Add new %s', 'cubewp-framework'), $single_ctax['singular']),- 'new_item_name' => sprintf(__('New %s name', 'cubewp-framework'), $single_ctax['singular']),- 'menu_name' => sprintf(__('%s', 'cubewp-framework'), $single_ctax['name']),- 'back_to_items' => sprintf(__('Back to %s', 'cubewp-framework'), $single_ctax['name']),- 'not_found' => sprintf(__('No %s found', 'cubewp-framework'), $single_ctax['name']),+ 'name' => $single_ctax['name'],+ 'singular_name' => $single_ctax['singular'],+ /* translators: %s: taxonomy plural name. */+ 'search_items' => sprintf( __( 'Search %s', 'cubewp-framework' ), $single_ctax['name'] ),+ /* translators: %s: taxonomy plural name. */+ 'all_items' => sprintf( __( 'All %s', 'cubewp-framework' ), $single_ctax['name'] ),+ /* translators: %s: taxonomy singular name. */+ 'parent_item' => sprintf( __( 'Parent %s', 'cubewp-framework' ), $single_ctax['name'] ),+ /* translators: %s: taxonomy singular name. */+ 'parent_item_colon' => sprintf( __( 'Parent %s:', 'cubewp-framework' ), $single_ctax['name'] ),+ /* translators: %s: taxonomy singular name. */+ 'edit_item' => sprintf( __( 'Edit %s', 'cubewp-framework' ), $single_ctax['singular'] ),+ /* translators: %s: taxonomy singular name. */+ 'update_item' => sprintf( __( 'Update %s', 'cubewp-framework' ), $single_ctax['singular'] ),+ /* translators: %s: taxonomy singular name. */+ 'add_new_item' => sprintf( __( 'Add new %s', 'cubewp-framework' ), $single_ctax['singular'] ),+ /* translators: %s: taxonomy singular name. */+ 'new_item_name' => sprintf( __( 'New %s name', 'cubewp-framework' ), $single_ctax['singular'] ),+ 'menu_name' => $single_ctax['name'],+ /* translators: %s: taxonomy plural name. */+ 'back_to_items' => sprintf( __( 'Back to %s', 'cubewp-framework' ), $single_ctax['name'] ),+ /* translators: %s: taxonomy plural name. */+ 'not_found' => sprintf( __( 'No %s found', 'cubewp-framework' ), $single_ctax['name'] ), ); $args = array(@@ -127,26 +140,26 @@ public function save_CWPterm() { if (isset($_POST['cwp']['CWPterm'])) { - if( ! wp_verify_nonce( $_POST['cwp_taxonomy_nonce'], basename( __FILE__ ) ) )+ if( isset($_POST['cwp_taxonomy_nonce']) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['cwp_taxonomy_nonce'])), basename( __FILE__ ) ) ) return ''; - $ctax_slug = sanitize_text_field($_POST['cwp']['CWPterm']['slug']);+ $ctax_slug = sanitize_text_field($_POST['cwp']['CWPterm']['slug']); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.MissingUnslash if(is_numeric($ctax_slug)){ return ''; } $ctax = array( $ctax_slug => array(- 'slug' => sanitize_text_field($_POST['cwp']['CWPterm']['slug']),- 'name' => sanitize_text_field($_POST['cwp']['CWPterm']['name']),- 'singular' => sanitize_text_field($_POST['cwp']['CWPterm']['singular']),- 'post_types' => isset($_POST['cwp']['CWPterm']['post_types']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['CWPterm']['post_types']) : '',- 'hierarchical' => sanitize_text_field($_POST['cwp']['CWPterm']['hierarchical']),- 'public' => sanitize_text_field($_POST['cwp']['CWPterm']['public']),- 'show_ui' => sanitize_text_field($_POST['cwp']['CWPterm']['show_ui']),- 'show_admin_column' => sanitize_text_field($_POST['cwp']['CWPterm']['show_admin_column']),- 'query_var' => sanitize_text_field($_POST['cwp']['CWPterm']['query_var']),- 'show_in_rest' => sanitize_text_field($_POST['cwp']['CWPterm']['show_in_rest']),+ 'slug' => isset($_POST['cwp']['CWPterm']['slug']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['slug'])) : '', + 'name' => isset($_POST['cwp']['CWPterm']['name']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['name'])) : '', + 'singular' => isset($_POST['cwp']['CWPterm']['singular']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['singular'])) : '', + 'post_types' => isset($_POST['cwp']['CWPterm']['post_types']) ? CubeWp_Sanitize_text_Array($_POST['cwp']['CWPterm']['post_types']) : '', // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized+ 'hierarchical' => isset($_POST['cwp']['CWPterm']['hierarchical']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['hierarchical'])) : '', + 'public' => isset($_POST['cwp']['CWPterm']['public']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['public'])) : '', + 'show_ui' => isset($_POST['cwp']['CWPterm']['show_ui']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['show_ui'])) : '', + 'show_admin_column' => isset($_POST['cwp']['CWPterm']['show_admin_column']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['show_admin_column'])) : '', + 'query_var' => isset($_POST['cwp']['CWPterm']['query_var']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['query_var'])) : '', + 'show_in_rest' => isset($_POST['cwp']['CWPterm']['show_in_rest']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['show_in_rest'])) : '', ) ); @@ -157,19 +170,20 @@ $dataMerge = $ctax; } update_option('cwp_custom_taxonomies', $dataMerge);- wp_redirect( CubeWp_Submenu::_page_action('cubewp-taxonomies') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('cubewp-taxonomies') );+ exit; } } public function add_new_ctax() {- if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) {+ if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended $this->tax_form_edit(); } } public function ctax_form_display() {- if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) {+ if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended return; } @@ -178,7 +192,7 @@ <div class="wrap cwp-post-type-wrape"> <div class="wrap cwp-post-type-title width-40"> <h1 class="wp-heading-inline"><?php esc_html_e('Custom Taxonomies', 'cubewp-framework'); ?></h1>- <a href="<?php echo CubeWp_Submenu::_page_action('cubewp-taxonomies', 'new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>+ <a href="<?php echo esc_url(CubeWp_Submenu::_page_action('cubewp-taxonomies', 'new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a> </div> <hr class="wp-header-end"> <?php $customFieldsTaxonomiesTable->prepare_items(); ?>@@ -211,18 +225,18 @@ <div class="wrap cubewp-wrap"> <form id="post" class="cwptaxonomyform" method="post" action="" enctype="multipart/form-data"> <div class="wrap cwp-post-type-title width-40 margin-bottom-0 margin-left-minus-20 margin-right-0">- <?php echo self::_title(); ?>- <?php echo self::save_button(); ?>+ <?php echo wp_kses_post(self::_title()); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?> </div> <hr class="wp-header-end">- <input type="hidden" name="cwp_taxonomy_nonce" value="<?php echo wp_create_nonce(basename(__FILE__)); ?>">+ <input type="hidden" name="cwp_taxonomy_nonce" value="<?php echo esc_attr(wp_create_nonce(basename(__FILE__))); ?>"> <div id="poststuff" class="padding-0"> <div id="post-body" class="metabox-holder columns-2">- <?php echo self::taxonomy_side_actions($CWPterm); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::taxonomy_side_actions($CWPterm); ?> <div id="postbox-container-2" class="postbox-container postbox-container-top"> - <?php echo self::taxonomy_basic_settings($CWPterm); ?>- <?php echo self::taxonomy_options($CWPterm); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::taxonomy_basic_settings($CWPterm); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::taxonomy_options($CWPterm); ?> </div> <div class="clear"></div>@@ -250,6 +264,7 @@ <table class="form-table"> <tbody> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomy/dropdown/field', '', array( 'id' => 'public', 'name' => 'cwp[CWPterm][public]',@@ -259,6 +274,7 @@ 'description' => esc_html__( '(default: true) Whether a taxonomy is intended for use publicly either via the admin interface or by front-end users.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomy/dropdown/field', '', array( 'id' => 'show_ui', 'name' => 'cwp[CWPterm][show_ui]',@@ -268,6 +284,7 @@ 'description' => esc_html__( '(default: true) Whether to generate a default UI for managing this custom taxonomy.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomy/dropdown/field', '', array( 'id' => 'show_admin_column', 'name' => 'cwp[CWPterm][show_admin_column]',@@ -277,6 +294,7 @@ 'description' => esc_html__( '(default: true) Whether to allow automatic creation of taxonomy columns on associated post-types.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomy/dropdown/field', '', array( 'id' => 'hierarchical', 'name' => 'cwp[CWPterm][hierarchical]',@@ -286,6 +304,7 @@ 'description' => esc_html__( '(default: true) Whether the taxonomy can have parent-child relationships.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomy/dropdown/field', '', array( 'id' => 'query_var', 'name' => 'cwp[CWPterm][query_var]',@@ -295,6 +314,7 @@ 'description' => esc_html__( '(default: true) Sets the query_var key for this taxonomy.', 'cubewp-framework' ) )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomy/dropdown/field', '', array( 'id' => 'show_in_rest', 'name' => 'cwp[CWPterm][show_in_rest]',@@ -329,6 +349,7 @@ <table class="form-table cwp-validation"> <tbody> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomy/text/field', '', array( 'id' => 'taxonomy_slug', 'name' => 'cwp[CWPterm][slug]',@@ -340,6 +361,7 @@ 'tooltip' => 'Give a slug for this taxonomy. Which will be used to get this taxonomy data', )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomy/text/field', '', array( 'id' => 'name', 'name' => 'cwp[CWPterm][name]',@@ -350,6 +372,7 @@ 'tooltip' => 'Give a name for this taxonomy. Enter taxonomy name with "s" at the end', )); + // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/taxonomy/text/field', '', array( 'id' => 'singular', 'name' => 'cwp[CWPterm][singular]',@@ -394,11 +417,12 @@ </ul> </td>'; $output .= CubeWp_Admin::cwp_tr_end();+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($output); ?> </tbody> </table>- <a id="category-add-toggle" href="<?php echo CubeWp_Submenu::_page_action('cubewp-post-types','new'); ?>" class="hide-if-no-js taxonomy-add-new"><?php esc_html_e('+Add New Post Type', 'cubewp-framework'); ?></a>+ <a id="category-add-toggle" href="<?php echo esc_url(CubeWp_Submenu::_page_action('cubewp-post-types','new')); ?>" class="hide-if-no-js taxonomy-add-new"><?php esc_html_e('+Add New Post Type', 'cubewp-framework'); ?></a> </div> </div> </div> @@ -414,7 +438,7 @@ * @version 1.0 */ private static function _title() {- if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['CWPtermid']))) {+ if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['CWPtermid']))) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended return '<h1>'. esc_html(__('Edit Taxonomy', 'cubewp-framework')) .'</h1>'; } else { return '<h1>'. esc_html(__('Create New Taxonomy', 'cubewp-framework')) .'</h1>';@@ -423,7 +447,7 @@ } private static function save_button() {- if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['CWPtermid']))) {+ if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['CWPtermid']))) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended $button_label = __('Update', 'cubewp-framework'); } else { $button_label = __('Save', 'cubewp-framework');
I'll analyze this security-focused diff for vulnerabilities systematically.
---
## Vulnerability 1
**Vulnerability Existed:** yes
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-taxonomy.php Lines 195, 228-230, 235-238**
**Old Code:**
```php
<?php echo self::_title(); ?>
<?php echo self::save_button(); ?>
<?php echo self::taxonomy_side_actions($CWPterm); ?>
<?php echo self::taxonomy_basic_settings($CWPterm); ?>
<?php echo self::taxonomy_options($CWPterm); ?>
```
**Fixed Code:**
```php
<?php echo wp_kses_post(self::_title()); ?>
<?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?>
<?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::taxonomy_side_actions($CWPterm); ?>
<?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::taxonomy_basic_settings($CWPterm); ?>
<?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::taxonomy_options($CWPterm); ?>
```
**Explanation:**
Output escaping is applied to `_title()` with `wp_kses_post()`, which is a proper XSS mitigation. However, the other methods are only suppressed with phpcs ignore comments without actual escaping. This is a partial fix—`_title()` is now protected but `save_button()`, `taxonomy_side_actions()`, `taxonomy_basic_settings()`, and `taxonomy_options()` remain unescaped. The phpcs comments suppress warnings but don't prevent XSS if these methods return user-controlled or unsanitized content.
---
## Vulnerability 2
**Vulnerability Existed:** yes
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-taxonomy.php Lines 232**
**Old Code:**
```php
<input type="hidden" name="cwp_taxonomy_nonce" value="<?php echo wp_create_nonce(basename(__FILE__)); ?>">
```
**Fixed Code:**
```php
<input type="hidden" name="cwp_taxonomy_nonce" value="<?php echo esc_attr(wp_create_nonce(basename(__FILE__))); ?>">
```
**Explanation:**
The nonce value is now properly escaped with `esc_attr()` for HTML attribute context. This prevents attribute-based XSS attacks. The fix is correct and necessary.
---
## Vulnerability 3
**Vulnerability Existed:** yes
**Improper Neutralization of Special Elements used in an SQL Command - CWE-89 - class-cubewp-taxonomy.php Line 83**
**Old Code:**
```php
$singleCPT = $get_CustomTaxonomies[sanitize_text_field($_GET['CWPtermid'])];
```
**Fixed Code:**
```php
$singleCPT = $get_CustomTaxonomies[sanitize_text_field(wp_unslash($_GET['CWPtermid']))];
```
**Explanation:**
The `wp_unslash()` function removes WordPress slashes (magic quotes protection) before sanitization. While this improves data handling and prevents double-escaping issues, the vulnerability concern is partially addressed. However, this appears to be array key access rather than SQL, so the primary risk is data integrity rather than SQL injection. The fix is WordPress best practice.
---
## Vulnerability 4
**Vulnerability Existed:** yes
**Missing Nonce Verification - CWE-352 - class-cubewp-taxonomy.php Line 143**
**Old Code:**
```php
if( ! wp_verify_nonce( $_POST['cwp_taxonomy_nonce'], basename( __FILE__ ) ) )
return '';
```
**Fixed Code:**
```php
if( isset($_POST['cwp_taxonomy_nonce']) && ! wp_verify_nonce( sanitize_text_field(wp_unslash($_POST['cwp_taxonomy_nonce'])), basename( __FILE__ ) ) )
return '';
```
**Explanation:**
The nonce value is now properly unslashed and sanitized before verification, and the isset check prevents undefined index errors. This is a proper CSRF protection improvement, though the phpcs ignore comments added elsewhere suggest the developers are suppressing secondary warnings about missing nonce verification in GET requests.
---
## Vulnerability 5
**Vulnerability Existed:** yes
**Improper Input Validation - CWE-20 - class-cubewp-taxonomy.php Lines 148-159**
**Old Code:**
```php
$ctax_slug = sanitize_text_field($_POST['cwp']['CWPterm']['slug']);
// ... (multiple POST accesses without isset checks)
'slug' => sanitize_text_field($_POST['cwp']['CWPterm']['slug']),
'name' => sanitize_text_field($_POST['cwp']['CWPterm']['name']),
```
**Fixed Code:**
```php
$ctax_slug = sanitize_text_field($_POST['cwp']['CWPterm']['slug']); // phpcs:ignore ...
// ...
'slug' => isset($_POST['cwp']['CWPterm']['slug']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['slug'])) : '',
'name' => isset($_POST['cwp']['CWPterm']['name']) ? sanitize_text_field(wp_unslash($_POST['cwp']['CWPterm']['name'])) : '',
```
**Explanation:**
The fix adds `isset()` checks and `wp_unslash()` to all POST data accesses, preventing undefined index notices and properly handling WordPress magic quotes. This improves input validation and defensive programming. However, the first line retains the phpcs ignore instead of applying isset(), creating inconsistency.
---
## Vulnerability 6
**Vulnerability Existed:** yes
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-taxonomy.php Lines 195, 425**
**Old Code:**
```php
<a href="<?php echo CubeWp_Submenu::_page_action('cubewp-taxonomies', 'new'); ?>" class="page-title-action">
<a id="category-add-toggle" href="<?php echo CubeWp_Submenu::_page_action('cubewp-post-types','new'); ?>"
```
**Fixed Code:**
```php
<a href="<?php echo esc_url(CubeWp_Submenu::_page_action('cubewp-taxonomies', 'new')); ?>" class="page-title-action">
<a id="category-add-toggle" href="<?php echo esc_url(CubeWp_Submenu::_page_action('cubewp-post-types','new')); ?>"
```
**Explanation:**
URLs are now escaped with `esc_url()`, preventing URL-based XSS and javascript: protocol injection attacks. This is a correct and necessary fix.
---
## Vulnerability 7
**Vulnerability Existed:** yes
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-taxonomy.php Lines 268, 278, 288, 298, 308, 318, 356, 368, 376, 422**
**Old Code:**
```php
echo apply_filters('cubewp/admin/taxonomy/dropdown/field', '', array(...));
echo apply_filters('cubewp/admin/taxonomy/text/field', '', array(...));
echo cubewp_core_data($output);
```
**Fixed Code:**
```php
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp/admin/taxonomy/dropdown/field', '', array(...));
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp/admin/taxonomy/text/field', '', array(...));
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo cubewp_core_data($output);
```
**Explanation:**
These lines add phpcs ignore comments but do NOT add actual output escaping. The vulnerabilities remain—if these filter functions or `cubewp_core_data()` return unsanitized HTML, XSS is still possible. Suppressing warnings does not fix the underlying security issue.
---
## Vulnerability 8
**Vulnerability Existed:** yes
**Unvalidated Redirects and Forwards - CWE-601 - class-cubewp-taxonomy.php Line 173**
**Old Code:**
```php
wp_redirect( CubeWp_Submenu::_page_action('cubewp-taxonomies') );
```
**Fixed Code:**
```php
wp_safe_redirect( CubeWp_Submenu::_page_action('cubewp-taxonomies') );
exit;
```
**Explanation:**
The fix uses `wp_safe_redirect()` instead of `wp_redirect()`, which validates that redirects stay within the same site and prevents open redirect vulnerabilities. The `exit;` statement properly terminates execution after the redirect header. This is a correct fix.
---
## Summary
**Actual Security Fixes:** 5
- Nonce verification improvements
- Output escaping (partial)
- URL escaping
- Safe redirects
- Input validation with isset checks and unslashing
**Incomplete Fixes:** 3
- Multiple methods still not properly escaped (suppressed with phpcs comments only)
- Filter outputs not escaped (only suppressed)
**Overall Assessment:** This patch addresses several real vulnerabilities but relies heavily on phpcs ignore comments to suppress warnings rather than fixing all underlying issues.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/theme-builder/class-cubewp-theme-builder-rules.php 2026-01-18 00:20:47.541240015 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/theme-builder/class-cubewp-theme-builder-rules.php 2026-01-18 00:20:56.217779093 +0000@@ -124,6 +124,61 @@ $template_options .= '</optgroup>'; return $template_options; }++ /**+ * Method render_postcard_options+ *+ * @return string+ * @since 1.1.28+ */+ public static function render_postcard_options() {+ $template_options = '';+ $template_options .= '<optgroup label="Posts">';+ foreach (self::get_public_post_types() as $post_type) {+ $template_options .= '<option value="postcard_' . esc_attr($post_type['name']) . '">Post Card ' . esc_html($post_type['label']) . '</option>';+ }+ $template_options .= '</optgroup>';+ return $template_options;+ }++ /**+ * Method render_termcard_options+ *+ * @return string+ * @since 1.1.28+ */+ public static function render_termcard_options() {+ $template_options = '';+ $template_options .= '<optgroup label="Taxonomies">';+ foreach (self::get_public_taxonomies() as $taxonomy) {+ $template_options .= '<option value="termcard_' . esc_attr($taxonomy['name']) . '">' . esc_html($taxonomy['label']) . '</option>';+ }+ $template_options .= '</optgroup>';+ return $template_options;+ }+ + /**+ * Method render_pages_options+ *+ * @return string+ * @since 1.1.xx+ */+ public static function render_pages_options()+ {+ $template_options = '';+ $pages = get_pages(array(+ 'sort_column' => 'post_title',+ 'sort_order' => 'ASC',+ ));+ if (! empty($pages)) {+ $template_options .= '<optgroup label="Specific Pages">';+ foreach ($pages as $page) {+ $template_options .= '<option value="single_page_' . esc_attr($page->ID) . '">' . esc_html($page->post_title) . '</option>';+ }+ $template_options .= '</optgroup>';+ }+ return $template_options;+ } /** * Method render_block_options@@ -191,39 +246,63 @@ * @return JSON * @since 1.1.16 */- public static function get_template_options() {+ public static function get_template_options()+ {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (!isset($_POST['template_type'])) { wp_send_json_error(['message' => 'Template type not specified']); }- - $template_type = sanitize_text_field($_POST['template_type']);+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $template_type = sanitize_text_field(wp_unslash($_POST['template_type']));+ $custom_template_types = apply_filters('cubewp/theme_builder/options/register', array()); $template_options = ''; //$exclude_options = '';- - switch ($template_type) {- case 'single':- $template_options .= self::render_single_options();- break;- - case 'archive':- $template_options .= self::render_archive_options();- break;- - case 'block':- $template_options .= self::render_block_options(); - break;- - case '404':- case 'mega-menu':- case 'shop':- $template_options .= '<option value="all">all</option>';- break;- - default:+ if (isset($custom_template_types[$template_type])) {+ $custom_template_options = apply_filters('cubewp_tb_custom_template_options', '', $template_type);+ if (!empty($custom_template_options)) {+ $template_options .= $custom_template_options;+ } else { $template_options .= self::render_default_options();- break;+ }+ } else {+ switch ($template_type) {+ case 'single':+ $template_options .= self::render_single_options();+ break;++ case 'archive':+ $template_options .= self::render_archive_options();+ break;++ case 'postcard':+ $template_options .= self::render_postcard_options();+ break;+ + case 'termcard':+ $template_options .= self::render_termcard_options();+ break;++ case 'block':+ $template_options .= self::render_block_options();+ break;++ case 'header':+ case 'footer':+ $template_options .= self::render_default_options();+ $template_options .= self::render_pages_options();+ break;++ case '404':+ case 'mega-menu':+ case 'shop':+ $template_options .= '<option value="all">all</option>';+ break;++ default:+ $template_options .= self::render_default_options();+ break;+ } }- wp_send_json_success([ 'template_options' => $template_options, //'exclude_options' => $exclude_options
```
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-rules.php [258-259]
Old Code:
if (!isset($_POST['template_type'])) {
wp_send_json_error(['message' => 'Template type not specified']);
}
$template_type = sanitize_text_field($_POST['template_type']);
Fixed Code:
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
if (!isset($_POST['template_type'])) {
wp_send_json_error(['message' => 'Template type not specified']);
}
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
$template_type = sanitize_text_field(wp_unslash($_POST['template_type']));
Explanation:
The fix adds wp_unslash() before sanitizing the $_POST input. When WordPress sanitizes data, it may receive slashed strings from $_POST in some configurations. Without wp_unslash(), the comparison logic in the subsequent switch statement could fail to match intended cases if the input contains escaped characters, potentially leading to unpredictable template rendering. The wp_unslash() ensures the input is properly normalized before sanitization, preventing bypass of intended logic flows.
The phpcs:ignore comments suppress warnings about missing nonce verification, which was not addressed in this diff and remains a potential CSRF vulnerability.
```
---
```
Vulnerability Existed: not sure
Cross-Site Scripting (XSS) via Unvalidated Filter Output - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-rules.php [260-267]
Old Code:
Not applicable (new code path)
Fixed Code:
$custom_template_types = apply_filters('cubewp/theme_builder/options/register', array());
...
if (isset($custom_template_types[$template_type])) {
$custom_template_options = apply_filters('cubewp_tb_custom_template_options', '', $template_type);
if (!empty($custom_template_options)) {
$template_options .= $custom_template_options;
}
}
Explanation:
The new code accepts HTML output from apply_filters() and directly concatenates it into $template_options without escaping. While WordPress filters are commonly used to return pre-escaped content, there is no guarantee that custom implementations will properly escape their output. If a third-party plugin implements the 'cubewp_tb_custom_template_options' filter and returns unescaped HTML containing user-controlled data, this could result in XSS. The fix would be uncertain whether this is vulnerable without seeing all filter implementations, but defensive coding would suggest escaping or validating filter output.
```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/theme-builder/class-cubewp-theme-builder-table.php 2026-01-18 00:20:47.541240015 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/theme-builder/class-cubewp-theme-builder-table.php 2026-01-18 00:20:56.217779093 +0000@@ -7,8 +7,8 @@ * @package cubewp/cube/mobules/theme builder */ -if ( ! defined( 'ABSPATH' ) ) {- exit;+if (! defined('ABSPATH')) {+ exit; } @@ -16,111 +16,119 @@ * CubeWP_TB_List_Table */ -class CubeWp_Theme_Builder_Table extends WP_List_Table {+class CubeWp_Theme_Builder_Table extends WP_List_Table+{ public static $cubewp_tb = array(); public static $search_type = '';- public function __construct() {- parent::__construct(self::$cubewp_tb );+ public function __construct()+ {+ parent::__construct(self::$cubewp_tb); } - public function no_items() {+ public function no_items()+ { echo '<div class="elementor-template_library-blank_state"> <div class="elementor-blank_state"> <i class="eicon-folder"></i> <h3>Create Your First Theme Template</h3> <p>Create theme template and edit with Elementor and become theme developer with zero coding knowledge.</p>- <a href="#" class="ctb-add-new-template page-title-action">'.esc_html__('Add New Template', 'cubewp-framework').'</a>+ <a href="#" class="ctb-add-new-template page-title-action">' . esc_html__('Add New Template', 'cubewp-framework') . '</a> </div> </div>'; } - public function display() {+ public function display()+ { $search_type = self::$search_type; $found_type = 'all';- if(!empty($search_type) && !in_array($search_type, array('activated', 'deactivated','all'))){- $found_type = array_filter($this->items, function($template) use ($search_type) {+ if (!empty($search_type) && !in_array($search_type, array('activated', 'deactivated', 'all'))) {+ $found_type = array_filter($this->items, function ($template) use ($search_type) { return isset($template['type']) && $template['type'] === $search_type; }); } if (!empty($found_type)) { $singular = $this->_args['singular'];- $this->display_tablenav( 'top' );+ $this->display_tablenav('top'); - $this->screen->render_screen_reader_content( 'heading_list' );- ?>- <table class="wp-list-table <?php echo implode( ' ', $this->get_table_classes() ); ?>">- <?php $this->print_table_description(); ?>- <thead>+ $this->screen->render_screen_reader_content('heading_list');+?>+ <table class="wp-list-table <?php echo esc_attr(implode(' ', $this->get_table_classes())); ?>">+ <?php $this->print_table_description(); ?>+ <thead> <tr> <?php $this->print_column_headers(); ?> </tr>- </thead>+ </thead> - <tbody id="the-list"- <?php- if ( $singular ) {- echo " data-wp-lists='list:$singular'";- }- ?>- >- <?php $this->display_rows_or_placeholder(); ?>- </tbody>+ <tbody id="the-list"+ <?php+ if ($singular) {+ echo esc_attr(" data-wp-lists='list:$singular'");+ }+ ?>>+ <?php $this->display_rows_or_placeholder(); ?>+ </tbody> - <tfoot>+ <tfoot> <tr>- <?php $this->print_column_headers( false ); ?>+ <?php $this->print_column_headers(false); ?> </tr>- </tfoot>+ </tfoot> - </table>- <?php- $this->display_tablenav( 'bottom' );- }else{- echo $this->no_items();+ </table>+<?php+ $this->display_tablenav('bottom');+ } else {+ echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ $this->no_items(); } } - function column_name( $item ) {+ function column_name($item)+ {++ $tb_demo_id = (isset($item['tb_demo_id']) && !empty($item['tb_demo_id'])) ? '&tb_demo_id=' . $item['tb_demo_id'] : ''; - $tb_demo_id = (isset($item['tb_demo_id']) && !empty($item['tb_demo_id'])) ? '&tb_demo_id='.$item['tb_demo_id'] : '';- - $status = get_post_status( $item['ID'] ) == 'inactive' ? '<span class="post-state inactive"> Inactive </span>' : '';+ $status = get_post_status($item['ID']) == 'inactive' ? '<span class="post-state inactive"> Inactive </span>' : ''; $status = empty($status) ? '<span class="post-state"> Active </span>' : $status;- - $title = '<strong>' . ucfirst($item['name']) .'</strong> '.$status;++ $title = '<strong>' . ucfirst($item['name']) . '</strong> ' . $status; $actions = [- 'edit' => '<a href="#" data-tid="'. $item['ID'] .'" data-tlocation="'. $item['location'] .'" data-ttype="'. $item['type'] .'" data-tname="'. $item['name'] .'" class="ctb-add-new-template ctb-edit-template">Edit</a>',+ 'edit' => '<a href="#" data-tid="' . $item['ID'] . '" data-tlocation="' . $item['location'] . '" data-ttype="' . $item['type'] . '" data-tname="' . $item['name'] . '" class="ctb-add-new-template ctb-edit-template">Edit</a>', ];- $actions['delete'] = sprintf( '<a href="%s">'. esc_html__('Delete', 'cubewp-framework') .'</a>', CubeWp_Submenu::_page_action('cubewp-theme-builder','delete', '&template_id='.absint( $item['ID']), '&_wpnonce='.wp_create_nonce( 'cwp_delete_group' )));- - $actions['edit-with-elementor'] = sprintf( '<a href="%s">'. esc_html__('Edit with Elementor', 'cubewp-framework') .'</a>', admin_url('post.php?post='.absint( $item['ID']). '&action=elementor'.$tb_demo_id));- - - $status_btn = get_post_status( $item['ID'] ) == 'inactive' ? true : false;- if($status_btn){- $actions['Activate'] = sprintf( '<a href="%s">'. esc_html__('Activate', 'cubewp-framework') .'</a>', CubeWp_Submenu::_page_action('cubewp-theme-builder','activate', '&template_id='.absint( $item['ID']), '&_wpnonce='.wp_create_nonce( 'cwp_template_status' )));- }else{- $actions['Deactivate'] = sprintf( '<a href="%s">'. esc_html__('Deactivate', 'cubewp-framework') .'</a>', CubeWp_Submenu::_page_action('cubewp-theme-builder','deactivate', '&template_id='.absint( $item['ID']), '&_wpnonce='.wp_create_nonce( 'cwp_template_status' )));+ $actions['delete'] = sprintf('<a href="%s">' . esc_html__('Delete', 'cubewp-framework') . '</a>', CubeWp_Submenu::_page_action('cubewp-theme-builder', 'delete', '&template_id=' . absint($item['ID']), '&_wpnonce=' . wp_create_nonce('cwp_delete_group')));++ $actions['edit-with-elementor'] = sprintf('<a href="%s">' . esc_html__('Edit with Elementor', 'cubewp-framework') . '</a>', admin_url('post.php?post=' . absint($item['ID']) . '&action=elementor' . $tb_demo_id));+++ $status_btn = get_post_status($item['ID']) == 'inactive' ? true : false;+ if ($status_btn) {+ $actions['Activate'] = sprintf('<a href="%s">' . esc_html__('Activate', 'cubewp-framework') . '</a>', CubeWp_Submenu::_page_action('cubewp-theme-builder', 'activate', '&template_id=' . absint($item['ID']), '&_wpnonce=' . wp_create_nonce('cwp_template_status')));+ } else {+ $actions['Deactivate'] = sprintf('<a href="%s">' . esc_html__('Deactivate', 'cubewp-framework') . '</a>', CubeWp_Submenu::_page_action('cubewp-theme-builder', 'deactivate', '&template_id=' . absint($item['ID']), '&_wpnonce=' . wp_create_nonce('cwp_template_status'))); }- return $title . $this->row_actions( $actions );+ return $title . $this->row_actions($actions); } - function column_location( $item ) {+ function column_location($item)+ { - return isset($item['location_display']) ? $item['location_display']: '';+ return isset($item['location_display']) ? $item['location_display'] : ''; } - function column_type( $item ) {+ function column_type($item)+ { - return isset($item['type']) ? ucfirst($item['type']): '';+ return isset($item['type']) ? ucfirst($item['type']) : ''; } - public function column_default( $item, $column_name ){+ public function column_default($item, $column_name)+ { return isset($item[$column_name]) ? $item[$column_name] : '-'; } - public function get_columns(){+ public function get_columns()+ { $columns = array( 'cb' => '<input type="checkbox" />',@@ -131,7 +139,8 @@ return $columns; } - protected function column_cb( $item ) {+ protected function column_cb($item)+ { return sprintf( '<input type="checkbox" name="%1$s[]" value="%2$s" />', 'cwp_tb_bulk_action', // Let's simply repurpose the table's singular label ("movie").@@ -139,75 +148,84 @@ ); } - protected function get_bulk_actions() {+ protected function get_bulk_actions()+ { $actions = array(- 'delete' => _x( 'Delete', 'List table bulk action', 'cubewp-framework' ),+ 'delete' => _x('Delete', 'List table bulk action', 'cubewp-framework'), ); return $actions; } - protected function process_bulk_action() {+ protected function process_bulk_action()+ { //cwp_pre($this->_args['plural']); exit; // Detect when a bulk action is being triggered.- if ( 'delete' === $this->current_action() ) { - $nonce = esc_html( $_REQUEST['_wpnonce'] );- if(wp_verify_nonce( $nonce, 'bulk-' . $this->_args['plural'] ) ) {- if(isset($_REQUEST['cwp_tb_bulk_action'])){- $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_tb_bulk_action']);- foreach($bulk_request as $post){- wp_delete_post($post, true);- } - } + if ('delete' === $this->current_action()) {+ $nonce = isset($_REQUEST['_wpnonce']) ? esc_html(sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']))) : '';+ if (wp_verify_nonce($nonce, 'bulk-' . $this->_args['plural'])) {+ if (isset($_REQUEST['cwp_tb_bulk_action'])) {+ $bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_tb_bulk_action']); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized+ foreach ($bulk_request as $post) {+ wp_delete_post($post, true);+ }+ } } }- if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );- if(wp_verify_nonce( $nonce, 'cwp_delete_group')) {- if(isset($_REQUEST['template_id'])){- wp_delete_post(sanitize_text_field($_REQUEST['template_id']), true);+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {+ $nonce = isset($_REQUEST['_wpnonce']) ? esc_html(sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']))) : '';+ if (wp_verify_nonce($nonce, 'cwp_delete_group')) {+ if (isset($_REQUEST['template_id'])) {+ wp_delete_post(sanitize_text_field(wp_unslash($_REQUEST['template_id'])), true); }- wp_redirect( CubeWp_Submenu::_page_action('cubewp-theme-builder') );+ wp_safe_redirect(CubeWp_Submenu::_page_action('cubewp-theme-builder'));+ exit; } }- if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'deactivate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );- if(wp_verify_nonce( $nonce, 'cwp_template_status')) {- if(isset($_REQUEST['template_id'])){- self::deactivate_group($_REQUEST['template_id']);+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'deactivate') {+ $nonce = isset($_REQUEST['_wpnonce']) ? esc_html(sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']))) : '';+ if (wp_verify_nonce($nonce, 'cwp_template_status')) {+ if (isset($_REQUEST['template_id'])) {+ self::deactivate_group(sanitize_text_field(wp_unslash($_REQUEST['template_id']))); }- wp_redirect( CubeWp_Submenu::_page_action('cubewp-theme-builder') );+ wp_safe_redirect(CubeWp_Submenu::_page_action('cubewp-theme-builder'));+ exit; } }- if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'activate') {- $nonce = esc_html( $_REQUEST['_wpnonce'] );- if(wp_verify_nonce( $nonce, 'cwp_template_status')) {- if(isset($_REQUEST['template_id'])){- self::activate_group($_REQUEST['template_id']);+ /* phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotValidated */+ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'activate') {+ $nonce = isset($_REQUEST['_wpnonce']) ? esc_html(sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']))) : '';+ if (wp_verify_nonce($nonce, 'cwp_template_status')) {+ if (isset($_REQUEST['template_id'])) {+ self::activate_group(sanitize_text_field(wp_unslash($_REQUEST['template_id']))); }- wp_redirect( CubeWp_Submenu::_page_action('cubewp-theme-builder') );+ wp_safe_redirect(CubeWp_Submenu::_page_action('cubewp-theme-builder'));+ exit; } }- } - public function deactivate_group($post_id = 0){+ public function deactivate_group($post_id = 0)+ { $data = array( 'ID' => $post_id, 'post_type' => 'cubewp-tb', 'post_status' => 'inactive', );- - wp_update_post( $data );++ wp_update_post($data); }- public function activate_group($post_id = 0){+ public function activate_group($post_id = 0)+ { $data = array( 'ID' => $post_id, 'post_type' => 'cubewp-tb', 'post_status' => 'publish', );- - wp_update_post( $data );++ wp_update_post($data); } /**@@ -216,20 +234,21 @@ * @param string $slug The post type slug. * @return string The post type name or an empty string if not found. */- public static function get_post_type_slug($string) {+ public static function get_post_type_slug($string)+ { // Check if the string is empty if (empty($string)) { return ''; }- + // Split the string by underscores $parts = explode('_', $string);- + // Check if the second part exists and return it if (isset($parts[1])) { return $parts[1]; }- + // Return an empty string if no second part is found return ''; }@@ -240,7 +259,8 @@ * @param string $slug The post type slug. * @return int The first post ID or 0 if no posts are found. */- public static function get_first_post_id_by_post_type($slug) {+ public static function get_first_post_id_by_post_type($slug)+ { // Query to get the first post ID of the post type $query_args = array( 'post_type' => $slug,@@ -255,7 +275,8 @@ return ($query->have_posts()) ? $query->posts[0] : 0; } - public static function check_if_post_available_by_status($post_status = 'publish') {+ public static function check_if_post_available_by_status($post_status = 'publish')+ { $args = array( 'numberposts' => 1,@@ -263,38 +284,40 @@ 'post_type' => 'cubewp-tb', 'post_status' => $post_status, );- $posts = get_posts( $args );- if(isset($posts) && !empty($posts)){+ $posts = get_posts($args);+ if (isset($posts) && !empty($posts)) { return true; } return false; } - public static function convert_to_capitalized_words($string) {+ public static function convert_to_capitalized_words($string)+ { // Check if the string is empty if (empty($string)) { return $string; }- + // Split the string by underscores $words = explode('_', $string);- + // Remove empty elements caused by consecutive underscores- $words = array_filter($words, function($word) {+ $words = array_filter($words, function ($word) { return !empty($word); });- + // Capitalize each word $words = array_map('ucfirst', $words);- + // Join the words back together with a space $capitalizedString = implode(' ', $words);- + return $capitalizedString; } - public function prepare_items() {+ public function prepare_items()+ { global $wpdb; //This is used only if making any database queries /*@@ -302,36 +325,36 @@ */ $per_page = 20; - + $columns = $this->get_columns(); $hidden = array(); $sortable = $this->get_sortable_columns(); - - $this->_column_headers = array( $columns, $hidden, $sortable ); - + $this->_column_headers = array($columns, $hidden, $sortable);++ $this->process_bulk_action(); - + $args = array(- 'numberposts' => -1,- 'fields' => 'ids',- 'post_type' => 'cubewp-tb',- 'post_status' => array('inactive','publish')+ 'numberposts' => -1,+ 'fields' => 'ids',+ 'post_type' => 'cubewp-tb',+ 'post_status' => array('inactive', 'publish') ); // Getting type of template- self::$search_type = isset($_GET['cwp-template-type']) && !empty($_GET['cwp-template-type']) ? $_GET['cwp-template-type'] : 'activated';+ self::$search_type = isset($_GET['cwp-template-type']) && !empty($_GET['cwp-template-type']) ? sanitize_text_field(wp_unslash($_GET['cwp-template-type'])) : 'activated'; // phpcs:ignore WordPress.Security.NonceVerification.Recommended $search_type = self::$search_type; - if(!empty($search_type) && $search_type == 'activated'){+ if (!empty($search_type) && $search_type == 'activated') { $args['post_status'] = 'publish';- }elseif(!empty($search_type) && $search_type == 'deactivated'){+ } elseif (!empty($search_type) && $search_type == 'deactivated') { $args['post_status'] = 'inactive'; } - if(!empty($search_type) && !in_array($search_type, array('activated', 'deactivated','all'))){- $args['meta_query'] = array(+ if (!empty($search_type) && !in_array($search_type, array('activated', 'deactivated', 'all'))) {+ $args['meta_query'] = array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query array( 'key' => 'template_type', 'value' => $search_type,@@ -340,12 +363,21 @@ ); } - $posts = get_posts( $args );- if(isset($posts) && !empty($posts)){+ $posts = get_posts($args);+ if (isset($posts) && !empty($posts)) { $_data = array();- foreach($posts as $post){+ foreach ($posts as $post) { $type = get_post_meta($post, 'template_type', true); $tem_location = get_post_meta($post, 'template_location', true);+ if (! empty($type) && $type === 'header' && ! empty($tem_location) && strpos($tem_location, 'single_page_') === 0) {+ $page_id = (int) str_replace('single_page_', '', $tem_location);+ if ($page_id > 0) {+ $title = get_the_title($page_id);+ if ($title && ! is_wp_error($title)) {+ $tem_location = $title;+ }+ }+ } $data = array(); $data['ID'] = $post;@@ -354,36 +386,36 @@ $data['location'] = $tem_location; $data['location_display'] = self::convert_to_capitalized_words($tem_location); - if($type == 'single'){+ if ($type == 'single') { $post_type_slug = self::get_post_type_slug($tem_location); $first_post_id = self::get_first_post_id_by_post_type($post_type_slug); $data['tb_demo_id'] = $first_post_id; }- + $_data[] = $data; } $data = $_data;- }else{+ } else { $data = array(); }- + $current_page = $this->get_pagenum(); - - $total_items = count( $data ); - - $data = array_slice( $data, ( ( $current_page - 1 ) * $per_page ), $per_page );+ $total_items = count($data);+++ $data = array_slice($data, (($current_page - 1) * $per_page), $per_page);+ - $this->items = $data; - - $this->set_pagination_args( array(++ $this->set_pagination_args(array( 'total_items' => $total_items, // WE have to calculate the total number of items. 'per_page' => $per_page, // WE have to determine how many items to show on a page.- 'total_pages' => ceil( $total_items / $per_page ), // WE have to calculate the total number of pages.- ) );+ 'total_pages' => ceil($total_items / $per_page), // WE have to calculate the total number of pages.+ )); }-}\ No newline at end of file+}
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 41
Old Code:
echo implode( ' ', $this->get_table_classes() );
Fixed Code:
echo esc_attr(implode(' ', $this->get_table_classes()));
Explanation:
The old code directly echoed the result of implode() without proper escaping, which could allow XSS if table classes contain user-controlled data. The fix adds esc_attr() to escape the output for safe use in HTML attributes.
```
```
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 47
Old Code:
echo " data-wp-lists='list:$singular'";
Fixed Code:
echo esc_attr(" data-wp-lists='list:$singular'");
Explanation:
The old code directly echoed a data attribute containing the $singular variable without escaping. If $singular contains special characters or quotes, it could break out of the attribute and allow XSS. The fix adds esc_attr() to properly escape the attribute value.
```
```
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 57
Old Code:
echo $this->no_items();
Fixed Code:
echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ $this->no_items();
Explanation:
The old code echoed output from no_items() without escaping. While no_items() contains hardcoded HTML, the phpcs ignore comment indicates awareness of potential output escaping issues. This is partially addressed but remains a concern if no_items() content changes to include user data.
```
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Special Elements used in an SQL Statement ('SQL Injection') - CWE-89 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 164
Old Code:
$nonce = esc_html( $_REQUEST['_wpnonce'] );
if(wp_verify_nonce( $nonce, 'bulk-' . $this->_args['plural'] ) ) {
if(isset($_REQUEST['cwp_tb_bulk_action'])){
$bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_tb_bulk_action']);
Fixed Code:
$nonce = isset($_REQUEST['_wpnonce']) ? esc_html(sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']))) : '';
if (wp_verify_nonce($nonce, 'bulk-' . $this->_args['plural'])) {
if (isset($_REQUEST['cwp_tb_bulk_action'])) {
$bulk_request = CubeWp_Sanitize_text_Array($_REQUEST['cwp_tb_bulk_action']); // phpcs:ignore
Explanation:
The old code accessed $_REQUEST without proper sanitization before use. The fix adds wp_unslash() and sanitize_text_field() to properly handle magic quotes and sanitize input. It also adds isset() checks and safer null coalescing patterns. The phpcs ignore comment acknowledges the reliance on CubeWp_Sanitize_text_Array().
```
```
Vulnerability Existed: yes
TRUE POSITIVE
Open Redirect - CWE-601 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 172
Old Code:
wp_redirect( CubeWp_Submenu::_page_action('cubewp-theme-builder') );
Fixed Code:
wp_safe_redirect(CubeWp_Submenu::_page_action('cubewp-theme-builder'));
exit;
Explanation:
The old code used wp_redirect() which doesn't validate the redirect URL. An attacker could potentially manipulate the redirect destination. The fix uses wp_safe_redirect() which only allows redirects to the same site, preventing open redirect vulnerabilities. Also added exit; to halt execution immediately after redirect.
```
```
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 175
Old Code:
$nonce = esc_html( $_REQUEST['_wpnonce'] );
if(wp_verify_nonce( $nonce, 'cwp_delete_group')) {
if(isset($_REQUEST['template_id'])){
wp_delete_post(sanitize_text_field($_REQUEST['template_id']), true);
Fixed Code:
$nonce = isset($_REQUEST['_wpnonce']) ? esc_html(sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']))) : '';
if (wp_verify_nonce($nonce, 'cwp_delete_group')) {
if (isset($_REQUEST['template_id'])) {
wp_delete_post(sanitize_text_field(wp_unslash($_REQUEST['template_id'])), true);
Explanation:
The old code didn't use wp_unslash() before sanitize_text_field(), which means magic quotes wouldn't be properly handled. The fix adds wp_unslash() to remove slashes before sanitization, ensuring proper input handling and preventing injection attacks.
```
```
Vulnerability Existed: yes
FALSE POSITIVE
Open Redirect - CWE-601 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 180
Old Code:
wp_redirect( CubeWp_Submenu::_page_action('cubewp-theme-builder') );
Fixed Code:
wp_safe_redirect(CubeWp_Submenu::_page_action('cubewp-theme-builder'));
exit;
Explanation:
Same open redirect vulnerability as line 172. The fix replaces wp_redirect() with wp_safe_redirect() for safer redirects and adds exit; to halt execution.
```
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 183
Old Code:
if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'deactivate') {
$nonce = esc_html( $_REQUEST['_wpnonce'] );
if(wp_verify_nonce( $nonce, 'cwp_template_status')) {
if(isset($_REQUEST['template_id'])){
self::deactivate_group($_REQUEST['template_id']);
Fixed Code:
if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'deactivate') {
$nonce = isset($_REQUEST['_wpnonce']) ? esc_html(sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']))) : '';
if (wp_verify_nonce($nonce, 'cwp_template_status')) {
if (isset($_REQUEST['template_id'])) {
self::deactivate_group(sanitize_text_field(wp_unslash($_REQUEST['template_id'])));
Explanation:
The old code passed $_REQUEST['template_id'] directly to deactivate_group() without sanitization. The fix adds sanitize_text_field() and wp_unslash() to properly sanitize the input before passing it to the function.
```
```
Vulnerability Existed: yes
TRUE POSITIVE
Open Redirect - CWE-601 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 188
Old Code:
wp_redirect( CubeWp_Submenu::_page_action('cubewp-theme-builder') );
Fixed Code:
wp_safe_redirect(CubeWp_Submenu::_page_action('cubewp-theme-builder'));
exit;
Explanation:
Same open redirect vulnerability. The fix replaces wp_redirect() with wp_safe_redirect() and adds exit;.
```
```
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 191
Old Code:
if(isset($_REQUEST['action']) && $_REQUEST['action'] == 'activate') {
$nonce = esc_html( $_REQUEST['_wpnonce'] );
if(wp_verify_nonce( $nonce, 'cwp_template_status')) {
if(isset($_REQUEST['template_id'])){
self::activate_group($_REQUEST['template_id']);
Fixed Code:
if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'activate') {
$nonce = isset($_REQUEST['_wpnonce']) ? esc_html(sanitize_text_field(wp_unslash($_REQUEST['_wpnonce']))) : '';
if (wp_verify_nonce($nonce, 'cwp_template_status')) {
if (isset($_REQUEST['template_id'])) {
self::activate_group(sanitize_text_field(wp_unslash($_REQUEST['template_id'])));
Explanation:
The old code passed unsanitized $_REQUEST['template_id'] to activate_group(). The fix adds proper sanitization with sanitize_text_field() and wp_unslash().
```
```
Vulnerability Existed: yes
TRUE POSITIVE
Open Redirect - CWE-601 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 196
Old Code:
wp_redirect( CubeWp_Submenu::_page_action('cubewp-theme-builder') );
Fixed Code:
wp_safe_redirect(CubeWp_Submenu::_page_action('cubewp-theme-builder'));
exit;
Explanation:
Same open redirect vulnerability. The fix replaces wp_redirect() with wp_safe_redirect() and adds exit;.
```
```
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-table.php - Line 347
Old Code:
self::$search_type = isset($_GET['cwp-template-type']) && !empty($_GET['cwp-template-type']) ? $_GET['cwp-template-type'] : 'activated';
Fixed Code:
self::$search_type = isset($_GET['cwp-template-type']) && !empty($_GET['cwp-template-type']) ? sanitize_text_field(wp_unslash($_GET['cwp-template-type'])) : 'activated'; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
Explanation:
The old code directly assigned $_GET['cwp-template-type'] without sanitization. This could allow XSS or other injection attacks. The fix adds sanitize_text_field() and wp_unslash() to properly sanitize the GET parameter.
```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/theme-builder/class-cubewp-theme-builder.php 2026-01-18 00:20:47.541240015 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/theme-builder/class-cubewp-theme-builder.php 2026-01-18 00:20:56.217779093 +0000@@ -1,5 +1,4 @@ <?php- /** * CubeWp Theme builder for display dynamic templates *@@ -7,6 +6,8 @@ * @package cubewp/cube/mobules/theme builder */ +// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals+ if (! defined('ABSPATH')) { exit; }@@ -17,11 +18,33 @@ */ class CubeWp_Theme_Builder {+ /**+ * Cache resolved template ids per request to avoid duplicate lookups.+ *+ * @var array<string, int|array|false>+ */+ protected static $template_cache = array();++ /**+ * Cache rendered Elementor output per template id for this request.+ *+ * @var array<int, string>+ */+ protected static $render_cache = array();++ /**+ * Transient prefix used when an external object cache is not available.+ */+ const RENDER_TRANSIENT_PREFIX = 'cubewp_tb_render_'; public function __construct() { add_action('cubewp_theme_builder', array($this, 'display_cubewp_tb_admin_page')); add_filter('cubewp/theme_builder/blocks', array($this, 'hooks_from_settings'));++ add_action('save_post_cubewp-tb', array(__CLASS__, 'flush_template_cache'), 10, 1);+ add_action('delete_post', array(__CLASS__, 'maybe_flush_deleted_template_cache'), 10, 1);+ add_action('update_option_cwpOptions', array(__CLASS__, 'maybe_flush_cache_on_settings_change'), 10, 3); } /**@@ -68,21 +91,31 @@ } else { echo '<a href="#" class="ctb-add-new-template page-title-action">' . esc_html__('Add New Template', 'cubewp-framework') . '</a>'; }- $search_type = isset($_GET['cwp-template-type']) && !empty($_GET['cwp-template-type']) ? $_GET['cwp-template-type'] : 'activated';+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $search_type = isset($_GET['cwp-template-type']) && !empty($_GET['cwp-template-type']) ? sanitize_text_field(wp_unslash($_GET['cwp-template-type'])) : 'activated'; $tabs = [ 'all' => esc_html__("All", 'cubewp-framework'), 'activated' => esc_html__("Activated", 'cubewp-framework'), 'deactivated' => esc_html__("Deactivated", 'cubewp-framework'), 'header' => esc_html__("Header", 'cubewp-framework'),- 'header' => esc_html__("Header", 'cubewp-framework'), 'footer' => esc_html__("Footer", 'cubewp-framework'), 'single' => esc_html__("Single", 'cubewp-framework'), 'archive' => esc_html__("Archive", 'cubewp-framework'),+ 'postcard' => esc_html__("Post Cards", 'cubewp-framework'),+ 'termcard' => esc_html__("Term Cards", 'cubewp-framework'), 'block' => esc_html__("Hooks", 'cubewp-framework'), 'shop' => esc_html__("Shop", 'cubewp-framework'), 'mega-menu' => esc_html__("Mega Menu", 'cubewp-framework'), '404' => esc_html__("404", 'cubewp-framework'), ];+ $custom_options = apply_filters('cubewp/theme_builder/options/register', array());+ if (!empty($custom_options) && is_array($custom_options)) {+ foreach ($custom_options as $key => $label) {+ if (is_string($label)) {+ $tabs[$key] = $label;+ }+ }+ } if (!class_exists('WooCommerce')) { unset($tabs['shop']); }@@ -102,7 +135,7 @@ <?php foreach ($tabs as $key => $tab) { $active_tab = !empty($search_type) && $search_type == $key ? 'nav-tab-active' : '';- echo ' <a class="nav-tab ' . $active_tab . '" href="?page=cubewp-theme-builder&cwp-template-type=' . $key . '">' . $tab . '</a>';+ echo ' <a class="nav-tab ' . esc_attr($active_tab) . '" href="?page=cubewp-theme-builder&cwp-template-type=' . esc_attr($key) . '">' . esc_html($tab) . '</a>'; } ?> </nav>@@ -148,6 +181,8 @@ <option value="footer">Footer</option> <option value="single">Single</option> <option value="archive">Archive</option>+ <option value="postcard">Post Card</option>+ <option value="termcard">Term Card</option> <?php // Check if there are blocks available via PHP $blocks = apply_filters('cubewp/theme_builder/blocks', array());@@ -202,19 +237,27 @@ */ public static function cubewp_theme_builder_template() {+ // Check nonce+ if(!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce')){+ wp_send_json_error(['message' => 'Invalid nonce']);+ return;+ }++ // Check if user is logged in if (!is_user_logged_in()) { wp_send_json_error(['message' => 'User not logged in']); return; } // Check if data is set+ if (!isset($_POST['data'])) { wp_send_json_error(['message' => 'No data received']); return; } // Parse and sanitize form data- parse_str($_POST['data'], $form_data);+ parse_str($_POST['data'], $form_data); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized $template_type = sanitize_text_field($form_data['template_type']); $template_name = sanitize_text_field($form_data['template_name']);@@ -250,7 +293,7 @@ $args = array( 'post_type' => 'cubewp-tb', 'post_status' => 'publish',- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query array( 'key' => 'template_type', 'value' => $template_type,@@ -269,16 +312,19 @@ // Change status to 'inactive' for existing posts if ($existing_posts->have_posts()) {- foreach ($existing_posts->posts as $existing_post_id) {- if ($existing_post_id != $post_id && $template_type != 'mega-menu') {- continue;- } elseif ($existing_post_id != $post_id && $template_type != 'cubewp_post_promotional_card') {- continue;- } else {- wp_update_post(array(- 'ID' => $existing_post_id,- 'post_status' => 'inactive'- ));+ // Bulk load meta cache to prevent N+1 queries+ update_meta_cache('post', $existing_posts->posts);+ // Deactivate other published templates of these types at this location+ $singleActiveTypes = ['mega-menu', 'cubewp_post_promotional_card', 'postcard', 'termcard'];+ if (in_array($template_type, $singleActiveTypes, true)) {+ foreach ($existing_posts->posts as $existing_post_id) {+ if ((int) $existing_post_id === (int) $post_id) {+ continue; // don't deactivate the one we're editing/creating+ }+ wp_update_post([+ 'ID' => $existing_post_id,+ 'post_status' => 'inactive',+ ]); } } }@@ -300,7 +346,7 @@ update_post_meta($post_id, 'template_location', $template_location); $response = '';- if ($_POST['template_action'] === 'save-edit') {+ if (isset($_POST['template_action']) && sanitize_text_field(wp_unslash($_POST['template_action'])) === 'save-edit') { $response = ['redirect' => get_edit_post_link($post_id, 'url')]; $response['redirect'] = add_query_arg(['action' => 'elementor'], $response['redirect']); @@ -328,20 +374,38 @@ { if ($type == '') return false; + if (array_key_exists($type, self::$template_cache)) {+ return self::$template_cache[$type];+ }+ global $post; $template_post_id = false;+ + // Specific page override for header templates+ if (($type === 'header' || $type === 'footer') && is_page()) {+ $page_id = get_queried_object_id();+ if ($page_id) {+ $template_post_id = self::get_template_post_id_by_location('single_page_' . $page_id, $type);+ if ($template_post_id) {+ return self::set_template_cache($type, (int) $template_post_id);+ }+ }+ } if ($type == 'block') {- return self::get_template_post_ids_by_location($type);+ $template_ids = self::get_template_post_ids_by_location($type);+ return self::set_template_cache($type, !empty($template_ids) ? $template_ids : false); } if ($type == '404' && is_404()) {- return self::get_template_post_id_by_location('all', $type);+ $template_post_id = self::get_template_post_id_by_location('all', $type);+ return self::set_template_cache($type, $template_post_id ? (int) $template_post_id : false); } if ($type == 'archive' && is_post_type_archive('product')) {- return self::get_template_post_id_by_location('all', 'shop');+ $template_post_id = self::get_template_post_id_by_location('all', 'shop');+ return self::set_template_cache($type, $template_post_id ? (int) $template_post_id : false); } if (is_singular() && !is_front_page()) {@@ -367,8 +431,10 @@ } elseif (is_search()) { $get_postType = get_post_type(); if (!isset($get_postType) && empty($get_postType)) {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['post_type'])) {- $get_postType = sanitize_text_field($_GET['post_type']);+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $get_postType = sanitize_text_field(wp_unslash($_GET['post_type'])); } } $template_post_id = self::get_template_post_id_by_location('archive_search_' . $get_postType, $type);@@ -397,7 +463,8 @@ // Default to Entire Site $template_post_id = self::get_template_post_id_by_location('entire_site', $type); }- return $template_post_id;++ return self::set_template_cache($type, $template_post_id ? (int) $template_post_id : false); } /**@@ -413,7 +480,7 @@ $args = array( 'post_type' => 'cubewp-tb', 'post_status' => 'publish',- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query 'relation' => 'AND', // Ensure that both conditions are met array( 'key' => 'template_location',@@ -433,6 +500,8 @@ if ($query->have_posts()) { $post_id = $query->posts[0];+ // Bulk load meta cache to prevent N+1 queries+ update_meta_cache('post', $query->posts); wp_reset_postdata(); return $post_id; }@@ -452,7 +521,7 @@ $args = array( 'post_type' => 'cubewp-tb', 'post_status' => 'publish',- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query array( 'key' => 'template_type', 'value' => $type,@@ -466,6 +535,8 @@ if ($query->have_posts()) { $post_id = $query->posts;+ // Bulk load meta cache to prevent N+1 queries+ update_meta_cache('post', $query->posts); wp_reset_postdata(); return $post_id; }@@ -499,22 +570,72 @@ * @return void */ public static function do_cubewp_theme_builder($template = '', $static_template_id = 0, $return = false)- {+ { if (empty($template)) return;-+ $template_id = $static_template_id > 0 ? $static_template_id : self::get_current_template_post_id($template); + + if (! empty($template_id) && ! is_array($template_id)) {- if (class_exists('\Elementor\Frontend')) {- $elementor_frontend_builder = new \Elementor\Frontend();- $elementor_frontend_builder->init();+ $should_bypass_cache = self::should_bypass_render_cache($template_id);+ $allow_persistent_caching = self::is_cache_enabled() && in_array($template, array('header', 'footer'), true);++ $cache_group = 'cubewp_theme_builder';+ $cache_key = 'template_' . $template_id;++ if ($allow_persistent_caching && !$should_bypass_cache) {+ $cached_content = self::get_cached_render($cache_key, $cache_group);+ + + if (false !== $cached_content && null !== $cached_content) {+ if ($return === true) {+ return $cached_content;+ }+ echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */$cached_content;+ return;+ }+ }++ if (isset(self::$render_cache[$template_id])) {+ $content = self::$render_cache[$template_id];+ if ($return === true) {+ return $content;+ }+ echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */$content;+ return;+ }++ $elementor_frontend_builder = null;++ if (class_exists('\Elementor\Plugin')) {+ $plugin_instance = \Elementor\Plugin::$instance;+ if ($plugin_instance && isset($plugin_instance->frontend)) {+ $elementor_frontend_builder = $plugin_instance->frontend;+ }+ }++ if (!$elementor_frontend_builder && class_exists('\Elementor\Frontend')) {+ static $standalone_frontend = null;+ if (!$standalone_frontend) {+ $standalone_frontend = new \Elementor\Frontend();+ $standalone_frontend->init();+ }+ $elementor_frontend_builder = $standalone_frontend;+ } + if ($elementor_frontend_builder) { $content = $elementor_frontend_builder->get_builder_content_for_display($template_id, true);+ self::$render_cache[$template_id] = $content;++ if ($allow_persistent_caching && !$should_bypass_cache) {+ self::set_cached_render($cache_key, $cache_group, $content, self::get_render_cache_ttl($template_id));+ } if ($return === true) { return $content; } else {- echo $content;+ echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */$content; } } }@@ -547,7 +668,7 @@ $args = array( 'post_type' => 'cubewp-tb', 'post_status' => 'publish',- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query array( 'key' => 'template_type', 'value' => $template_type,@@ -564,6 +685,8 @@ $existing_posts = new WP_Query($args); $options = []; if ($existing_posts->have_posts()) {+ // Bulk load meta cache to prevent N+1 queries+ update_meta_cache('post', $existing_posts->posts); foreach ($existing_posts->posts as $existing_post_id) { $options[$existing_post_id] = get_the_title($existing_post_id); }@@ -578,4 +701,286 @@ $CubeClass = __CLASS__; new $CubeClass; }-}++ /**+ * Clear cached content when template changes.+ *+ * @param int $post_id+ *+ * @return void+ */+ public static function flush_template_cache($post_id)+ {+ if (get_post_type($post_id) !== 'cubewp-tb') {+ return;+ }++ $cache_group = 'cubewp_theme_builder';+ $cache_key = 'template_' . $post_id;+ self::delete_cached_render($cache_key, $cache_group);++ if (isset(self::$render_cache[$post_id])) {+ unset(self::$render_cache[$post_id]);+ }++ if (!empty(self::$template_cache)) {+ foreach (self::$template_cache as $type => $cached_id) {+ if ((int) $cached_id === (int) $post_id) {+ unset(self::$template_cache[$type]);+ }+ }+ }+ }++ /**+ * Clear cache when a template is deleted.+ *+ * @param int $post_id+ *+ * @return void+ */+ public static function maybe_flush_deleted_template_cache($post_id)+ {+ if (get_post_type($post_id) === 'cubewp-tb') {+ self::flush_template_cache($post_id);+ }+ }++ /**+ * Handle settings changes that affect caching.+ *+ * @param array|false $old_value+ * @param array|false $value+ * @param string $option+ *+ * @return void+ */+ public static function maybe_flush_cache_on_settings_change($old_value, $value, $option = '')+ {+ if ($option !== 'cwpOptions') {+ return;+ }++ $old_value = is_array($old_value) ? $old_value : array();+ $value = is_array($value) ? $value : array();++ $old_enabled = ! empty($old_value['cwp_tb_enable_cache']);+ $new_enabled = ! empty($value['cwp_tb_enable_cache']);++ if ($old_enabled !== $new_enabled) {+ self::flush_header_footer_cache();+ }+ }++ /**+ * Persist template cache values.+ *+ * @param string $type+ * @param int|array|false $value+ *+ * @return int|array|false+ */+ protected static function set_template_cache($type, $value)+ {+ self::$template_cache[$type] = $value;+ return self::$template_cache[$type];+ }++ /**+ * Determine if theme builder caching is enabled.+ *+ * @return bool+ */+ protected static function is_cache_enabled()+ {+ global $cwpOptions;+ if (empty($cwpOptions)) {+ $cwpOptions = get_option('cwpOptions');+ }++ $enabled = ! empty($cwpOptions['cwp_tb_enable_cache']);++ /**+ * Filter whether theme builder caching should be enabled.+ *+ * @param bool $enabled+ */+ return (bool) apply_filters('cubewp/theme_builder/cache_enabled', $enabled);+ }++ /**+ * Determine if we should bypass render cache for current request.+ *+ * @param int $template_id+ *+ * @return bool+ */+ protected static function should_bypass_render_cache($template_id)+ {+ if (class_exists('\Elementor\Plugin')) {+ $plugin_instance = \Elementor\Plugin::$instance;+ if ($plugin_instance && method_exists($plugin_instance, 'editor')) {+ $editor = $plugin_instance->editor;+ if ($editor && method_exists($editor, 'is_edit_mode') && $editor->is_edit_mode()) {+ return true;+ }+ }+ }++ if (isset($_GET['elementor-preview'])) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended+ return true;+ }++ /**+ * Allow overriding cache bypass logic.+ */+ return (bool) apply_filters('cubewp/theme_builder/bypass_cache', false, $template_id);+ }++ /**+ * Compute cache TTL for rendered template.+ *+ * @param int $template_id+ *+ * @return int+ */+ protected static function get_render_cache_ttl($template_id)+ {+ /**+ * Filter the cache TTL for theme builder rendered output.+ */+ return (int) apply_filters('cubewp/theme_builder/cache_ttl', HOUR_IN_SECONDS, $template_id);+ }++ /**+ * Flush cached renders for all header and footer templates.+ *+ * @return void+ */+ protected static function flush_header_footer_cache()+ {+ $args = array(+ 'post_type' => 'cubewp-tb',+ 'post_status' => 'any',+ 'fields' => 'ids',+ 'posts_per_page' => -1,+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query+ array(+ 'key' => 'template_type',+ 'value' => array('header', 'footer'),+ 'compare' => 'IN',+ ),+ ),+ );++ $query = new WP_Query($args);++ if ($query->have_posts()) {+ // Bulk load meta cache to prevent N+1 queries+ update_meta_cache('post', $query->posts);+ foreach ($query->posts as $post_id) {+ self::flush_template_cache($post_id);+ }+ }++ }++ /**+ * Check if object cache is enabled and functional.+ * Falls back to SQL cache (transients) if object cache is not available.+ *+ * @return bool True if object cache is available and working, false otherwise.+ */+ protected static function is_object_cache_available()+ {+ // Check if WordPress reports external object cache is available+ if (!wp_using_ext_object_cache()) {+ return false;+ }++ // Verify object cache is actually functional by testing it+ static $cache_available = null;+ + if ($cache_available === null) {+ $test_key = 'cubewp_tb_cache_test_' . time();+ $test_value = 'test_' . wp_rand(1000, 9999);+ $test_group = 'cubewp_theme_builder';+ + // Try to set and get a test value+ $set_result = wp_cache_set($test_key, $test_value, $test_group, 60);+ $get_result = wp_cache_get($test_key, $test_group);+ + // Clean up test value+ wp_cache_delete($test_key, $test_group);+ + // Object cache is available if set succeeded and get returned the same value+ $cache_available = ($set_result !== false && $get_result === $test_value);+ }+ + return $cache_available;+ }++ /**+ * Retrieve cached render using object cache or transients (SQL cache).+ * Automatically falls back to SQL cache if object cache is not available.+ *+ * @param string $cache_key+ * @param string $cache_group+ *+ * @return string|false|null+ */+ protected static function get_cached_render($cache_key, $cache_group)+ {+ // Use object cache if available, otherwise fall back to SQL cache (transients)+ if (self::is_object_cache_available()) {+ return wp_cache_get($cache_key, $cache_group);+ }++ // Fall back to SQL cache using transients+ return get_transient(self::RENDER_TRANSIENT_PREFIX . $cache_key);+ }++ /**+ * Store cached render using object cache or transients (SQL cache).+ * Automatically falls back to SQL cache if object cache is not available.+ *+ * @param string $cache_key+ * @param string $cache_group+ * @param string $content+ * @param int $ttl+ *+ * @return void+ */+ protected static function set_cached_render($cache_key, $cache_group, $content, $ttl)+ {+ // Use object cache if available, otherwise fall back to SQL cache (transients)+ if (self::is_object_cache_available()) {+ wp_cache_set($cache_key, $content, $cache_group, $ttl);+ return;+ }++ // Fall back to SQL cache using transients+ set_transient(self::RENDER_TRANSIENT_PREFIX . $cache_key, $content, $ttl);+ }++ /**+ * Delete cached render using object cache or transients (SQL cache).+ * Automatically falls back to SQL cache if object cache is not available.+ *+ * @param string $cache_key+ * @param string $cache_group+ *+ * @return void+ */+ protected static function delete_cached_render($cache_key, $cache_group)+ {+ // Use object cache if available, otherwise fall back to SQL cache (transients)+ if (self::is_object_cache_available()) {+ wp_cache_delete($cache_key, $cache_group);+ return;+ }++ // Fall back to SQL cache using transients+ delete_transient(self::RENDER_TRANSIENT_PREFIX . $cache_key);+ }+}\ No newline at end of file
I'll analyze this code diff for security vulnerabilities systematically.
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-theme-builder.php - Line 105
Old Code:
```php
echo ' <a class="nav-tab ' . $active_tab . '" href="?page=cubewp-theme-builder&cwp-template-type=' . $key . '">' . $tab . '</a>';
```
Fixed Code:
```php
echo ' <a class="nav-tab ' . esc_attr($active_tab) . '" href="?page=cubewp-theme-builder&cwp-template-type=' . esc_attr($key) . '">' . esc_html($tab) . '</a>';
```
Explanation:
The old code directly echoed unsanitized variables into HTML attributes and content. While `$key` and `$tab` come from a hardcoded array, `$active_tab` is derived from user input (`$_GET['cwp-template-type']`). The fix properly escapes output using `esc_attr()` for attributes and `esc_html()` for HTML content, preventing XSS attacks.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-theme-builder.php - Line 94
Old Code:
```php
$search_type = isset($_GET['cwp-template-type']) && !empty($_GET['cwp-template-type']) ? $_GET['cwp-template-type'] : 'activated';
```
Fixed Code:
```php
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
$search_type = isset($_GET['cwp-template-type']) && !empty($_GET['cwp-template-type']) ? sanitize_text_field(wp_unslash($_GET['cwp-template-type'])) : 'activated';
```
Explanation:
The old code used unsanitized `$_GET` input directly. The fix adds `sanitize_text_field()` and `wp_unslash()` to properly sanitize the input before use, preventing injection attacks.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Missing CSRF Protection - CWE-352 - class-cubewp-theme-builder.php - Line 239-244
Old Code:
```php
public static function cubewp_theme_builder_template()
{
if (!is_user_logged_in()) {
wp_send_json_error(['message' => 'User not logged in']);
return;
}
```
Fixed Code:
```php
public static function cubewp_theme_builder_template()
{
// Check nonce
if(!isset($_POST['nonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['nonce'])), 'cubewp-admin-nonce')){
wp_send_json_error(['message' => 'Invalid nonce']);
return;
}
// Check if user is logged in
if (!is_user_logged_in()) {
wp_send_json_error(['message' => 'User not logged in']);
return;
}
```
Explanation:
The old code performed sensitive operations (creating/updating templates) via POST without CSRF token verification. The fix adds nonce verification using `wp_verify_nonce()`, protecting against CSRF attacks.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-theme-builder.php - Line 349
Old Code:
```php
if ($_POST['template_action'] === 'save-edit') {
```
Fixed Code:
```php
if (isset($_POST['template_action']) && sanitize_text_field(wp_unslash($_POST['template_action'])) === 'save-edit') {
```
Explanation:
The old code accessed `$_POST` without checking if it exists first, risking undefined index notices. Additionally, it didn't sanitize the value. The fix adds existence checking and sanitization using `sanitize_text_field()` and `wp_unslash()`.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - class-cubewp-theme-builder.php - Line 434
Old Code:
```php
if (isset($_GET['post_type'])) {
$get_postType = sanitize_text_field($_GET['post_type']);
}
```
Fixed Code:
```php
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
if (isset($_GET['post_type'])) {
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
$get_postType = sanitize_text_field(wp_unslash($_GET['post_type']));
}
```
Explanation:
The old code sanitized `$_GET` input but didn't apply `wp_unslash()` first. In WordPress, `$_GET` and `$_POST` are automatically slashed when `magic_quotes_gpc` is enabled (legacy). The fix adds `wp_unslash()` before sanitization to properly handle this, preventing bypasses of sanitization filters.
---
**Summary:**
This diff fixes **5 security vulnerabilities**:
- 1 XSS vulnerability (improper output escaping)
- 3 Input Validation vulnerabilities (missing sanitization/unslashing)
- 1 CSRF vulnerability (missing nonce verification)
The fixes follow WordPress security best practices by properly escaping output, sanitizing user input with `wp_unslash()`, and verifying nonces for state-changing operations.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/theme-update/theme-updater-class.php 2026-01-18 00:20:47.545240264 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/theme-update/theme-updater-class.php 2026-01-18 00:20:56.217779093 +0000@@ -37,8 +37,9 @@ $this->remote_api_url = $remote_api_url; $this->response_key = $this->theme_slug . '-update-response'; $this->strings = array(- 'update-notice' => __( "Updating this theme will lose any customizations you have made. 'Cancel' to stop, 'OK' to update.", 'edd-theme-updater' ),- 'update-available' => __('<strong>%1$s %2$s</strong> is available. <a href="%3$s" class="thickbox" title="%4s">Check out what\'s new</a> or <a href="%5$s"%6$s>update now</a>.', 'edd-theme-updater' )+ 'update-notice' => __( "Updating this theme will lose any customizations you have made. 'Cancel' to stop, 'OK' to update.", 'cubewp-framework' ),+ /* translators: 1: theme name, 2: version, 3: changelog URL, 4: modal title, 5: update URL, 6: extra attributes (e.g., onclick). */+ 'update-available' => __('<strong>%1$s %2$s</strong> is available. <a href="%3$s" class="thickbox" title="%4$s">Check out what\'s new</a> or <a href="%5$s"%6$s>update now</a>.', 'cubewp-framework' ) ); add_filter( 'site_transient_update_themes', array( &$this, 'theme_update_transient' ) );@@ -71,18 +72,17 @@ if ( version_compare( $this->version, $api_response->new_version, '<' ) ) { echo '<div id="update-nag">';- printf(- $strings['update-available'],- $theme->get( 'Name' ),- $api_response->new_version,- '#TB_inline?width=640&inlineId=' . $this->theme_slug . '_changelog',- $theme->get( 'Name' ),- $update_url,- $update_onclick- );+ $name = esc_html( $theme->get( 'Name' ) );+ $version = esc_html( $api_response->new_version );+ $changelog_id = $this->theme_slug . '_changelog';+ $changelog_url = esc_url( '#TB_inline?width=640&inlineId=' . $changelog_id );+ $title_attr = esc_attr( $theme->get( 'Name' ) );+ $update_href = esc_url( $update_url );+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- $strings['update-available'] is a controlled template; individual args are escaped.+ printf( $strings['update-available'], $name, $version, $changelog_url, $title_attr, $update_href, $update_onclick ); echo '</div>';- echo '<div id="' . $this->theme_slug . '_' . 'changelog" style="display:none;">';- echo wpautop( $api_response->sections['changelog'] );+ echo '<div id="' . esc_attr( $this->theme_slug . '_' . 'changelog' ) . '" style="display:none;">';+ echo wp_kses_post( wpautop( $api_response->sections['changelog'] ) ); echo '</div>'; } }
Based on my analysis of the provided diff, here are the security vulnerabilities identified:
---
**Vulnerability 1: Cross-Site Scripting (XSS) in HTML Attribute**
Vulnerability Existed: yes
FALSE POSITIVE
CWE: Improper Neutralization of Input During Web Page Generation - CWE-79 - cube/modules/theme-update/theme-updater-class.php (lines 84)
Old Code:
```php
echo '<div id="' . $this->theme_slug . '_' . 'changelog" style="display:none;">';
```
Fixed Code:
```php
echo '<div id="' . esc_attr( $this->theme_slug . '_' . 'changelog' ) . '" style="display:none;">';
```
Explanation:
The old code directly concatenated `$this->theme_slug` into the HTML `id` attribute without sanitization. Although `$this->theme_slug` is sanitized with `sanitize_key()` during initialization, using `esc_attr()` in the output context provides defense-in-depth and proper escaping specifically for HTML attributes. This prevents potential XSS if the slug value could be exploited through other vectors.
---
**Vulnerability 2: Unsafe HTML Content Output**
Vulnerability Existed: yes
FALSE POSITIVE
CWE: Improper Neutralization of Input During Web Page Generation - CWE-79 - cube/modules/theme-update/theme-updater-class.php (line 85)
Old Code:
```php
echo wpautop( $api_response->sections['changelog'] );
```
Fixed Code:
```php
echo wp_kses_post( wpautop( $api_response->sections['changelog'] ) );
```
Explanation:
The changelog content from the API response is passed through `wpautop()` but not properly sanitized before output. The `wp_kses_post()` function safely filters the content to allow only safe HTML tags and removes any potentially malicious scripts or attributes. This is critical because the changelog data comes from an external API source which should be considered untrusted.
---
**Vulnerability 3: Missing Attribute Escaping in Template String**
Vulnerability Existed: yes
TRUE POSITIVE
CWE: Improper Neutralization of Input During Web Page Generation - CWE-79 - cube/modules/theme-update/theme-updater-class.php (lines 74-82)
Old Code:
```php
printf(
$strings['update-available'],
$theme->get( 'Name' ),
$api_response->new_version,
'#TB_inline?width=640&inlineId=' . $this->theme_slug . '_changelog',
$theme->get( 'Name' ),
$update_url,
$update_onclick
);
```
Fixed Code:
```php
$name = esc_html( $theme->get( 'Name' ) );
$version = esc_html( $api_response->new_version );
$changelog_id = $this->theme_slug . '_changelog';
$changelog_url = esc_url( '#TB_inline?width=640&inlineId=' . $changelog_id );
$title_attr = esc_attr( $theme->get( 'Name' ) );
$update_href = esc_url( $update_url );
printf( $strings['update-available'], $name, $version, $changelog_url, $title_attr, $update_href, $update_onclick );
```
Explanation:
The old code passed unescaped values directly to `printf()`. The fixed code applies context-appropriate escaping functions to each variable before output: `esc_html()` for HTML content, `esc_url()` for URLs, and `esc_attr()` for HTML attributes. This prevents XSS vulnerabilities where user-controlled data (like theme name or version) could inject malicious scripts into the output.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/theme-update/theme-updater.php 2026-01-18 00:20:47.545240264 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/theme-update/theme-updater.php 2026-01-18 00:20:56.217779093 +0000@@ -2,7 +2,17 @@ /** * CubeWP Theme Updater *- * @package Theme Update+ * @package cubewp/cube/modules/theme-update+ */++// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals++if ( ! defined( 'ABSPATH' ) ) {+ exit;+}++/**+ * CubeWP Theme Updater */ if ( !class_exists( 'EDD_Theme_Updater' ) ) { // Load our custom theme updater
I'll analyze the provided code diff for security vulnerabilities.
---
**Vulnerability Existed:** no
**Improper Input Validation - CWE-20 - cube/modules/theme-update/theme-updater.php Lines 2-14**
**Old Code:**
```php
/**
* CubeWP Theme Updater
*
* @package Theme Update
*/
if ( !class_exists( 'EDD_Theme_Updater' ) ) {
```
**Fixed Code:**
```php
/**
* CubeWP Theme Updater
*
* @package cubewp/cube/modules/theme-update
*/
// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
/**
* CubeWP Theme Updater
*/
if ( !class_exists( 'EDD_Theme_Updater' ) ) {
```
**Explanation:**
This is a **security hardening fix, not a vulnerability patch**. The changes implement WordPress security best practices:
1. **Added ABSPATH check** - The new code adds a guard to prevent direct file access (`if ( ! defined( 'ABSPATH' ) ) { exit; }`). This prevents the file from being executed directly via a web request, which is a common vector for unauthorized code execution. This is a defensive measure, not fixing an existing vulnerability in the diff.
2. **Improved documentation** - Updated the `@package` annotation to be more specific and accurate.
3. **Added phpcs directive** - Disables WordPress coding standards check for global naming conventions, which is appropriate for WordPress plugin code.
**Conclusion:** No vulnerability existed in the old code that was fixed by this diff. Instead, the diff represents defensive security enhancements following WordPress security standards. The ABSPATH check is a preventive measure to protect against direct file access exploitation.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/users/class-cubewp-user-custom-fields-ui.php 2026-01-18 00:20:47.545240264 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/users/class-cubewp-user-custom-fields-ui.php 2026-01-18 00:20:56.217779093 +0000@@ -21,6 +21,7 @@ private static function group_display() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) { return; }@@ -38,7 +39,7 @@ <a class="nav-tab" href="?page=settings-custom-fields"><?php esc_html_e('Settings', 'cubewp-framework'); ?></a> </nav> </div>- <a href="<?php echo CubeWp_Submenu::_page_action('user-custom-fields', 'new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>+ <a href="<?php echo esc_url(CubeWp_Submenu::_page_action('user-custom-fields', 'new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a> </div> <hr class="wp-header-end"> <?php $customFieldsGroupTable->prepare_items(); ?>@@ -52,11 +53,13 @@ } private static function add_new_group() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])){ self::edit_group(); } } private static function _title() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))) { return '<h1>'. esc_html(__('Edit Custom Fields Group (User Roles)', 'cubewp-framework')) .'</h1>'; } else {@@ -83,11 +86,11 @@ <div class="wrap cubewp-wrap"> <form id="post" class="cwpgroup" method="post" action="" enctype="multipart/form-data"> <div class="wrap cwp-post-type-title margin-bottom-0 width-40 margin-left-minus-20 margin-right-0">- <?php echo self::_title(); ?>- <?php echo self::save_button(); ?>+ <?php echo wp_kses_post(self::_title()); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?> </div> <hr class="wp-header-end">- <input type="hidden" name="cwp_group_nonce" value="<?php echo wp_create_nonce( basename( __FILE__ ) ); ?>">+ <input type="hidden" name="cwp_group_nonce" value="<?php echo esc_attr(wp_create_nonce( basename( __FILE__ ) )); ?>"> <input type="hidden" class="" name="cwp[group][id]" value="<?php echo esc_attr($group['id']); ?>"> <div id="poststuff" class="padding-0"> <div id="post-body" class="metabox-holder columns-2">@@ -104,7 +107,7 @@ <td class="text-left"> <ul class="cwp-checkbox-outer margin-0"> <?php- echo self::_get_user_roles($group['user_roles']);+ echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::_get_user_roles($group['user_roles']); ?> </ul> </td>@@ -125,6 +128,7 @@ <table class="form-table cwp-validation"> <tbody> <?php+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/group/text/field', '', array( 'id' => '', 'name' => 'cwp[group][name]',@@ -136,6 +140,7 @@ 'extra_attrs' => 'maxlength=20', 'tooltip' => 'Give a name for this group. Which will be used to show grouped data in metaboxes', ));+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/group/text/field', '', array( 'id' => '', 'type' => 'number',@@ -148,6 +153,7 @@ 'extra_attrs' => 'maxlength=20', 'tooltip' => 'Give a order number for this group. Which will be used to show in order', ));+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo apply_filters('cubewp/admin/group/text/field', '', array( 'id' => '', 'name' => 'cwp[group][description]',@@ -185,7 +191,7 @@ </div> </div> <div class="cwp-group-fields-content">- <?php echo self::get_fields($group['fields'], $group['sub_fields']); ?>+ <?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::get_fields($group['fields'], $group['sub_fields']); ?> </div> </div> </div>@@ -199,6 +205,7 @@ } private static function save_button() {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if(isset($_GET['action']) && ('edit' == $_GET['action'] && !empty($_GET['groupid']))){ $name = 'cwp_edit_group'; }else{@@ -228,10 +235,10 @@ } public static function save_group() {- + /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_POST['cwp']['group'])) { - $group = isset($_POST['cwp']['group']) ? $_POST['cwp']['group'] : array();+ $group = isset($_POST['cwp']['group']) ? $_POST['cwp']['group'] : array(); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated $groupID = isset($group['id']) ? sanitize_text_field($group['id']) : ''; $groupName = isset($group['name']) ? sanitize_text_field($group['name']) : ''; $groupDesc = isset($group['description']) ? sanitize_text_field($group['description']) : '';@@ -239,6 +246,7 @@ $groupUserRoles = isset($group['user_roles']) ? CubeWp_Sanitize_text_Array($group['user_roles']) : array(); if (!empty($groupName)) {+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */ if (isset($_POST['cwp_save_group'])) { $post_data = array( 'post_type' => 'cwp_user_fields',@@ -247,7 +255,7 @@ 'post_status' => 'publish', ); $post_id = wp_insert_post($post_data);- } else if (isset($_POST['cwp_edit_group']) && !empty($groupID)) {+ } else if (isset($_POST['cwp_edit_group']) && !empty($groupID)) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing $post_data = array( 'ID' => $groupID, 'post_title' => $groupName,@@ -269,10 +277,11 @@ } }- self::save_custom_fields($_POST['cwp'],$post_id,'user');+ self::save_custom_fields($_POST['cwp'],$post_id,'user'); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated if (!empty($post_id) ) {- wp_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ wp_safe_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );+ exit; } }
```
Vulnerability Existed: yes
TRUE POSITIVE
Open Redirect - CWE-601 - cube/modules/users/class-cubewp-user-custom-fields-ui.php Line 42
[Old Code]
<a href="<?php echo CubeWp_Submenu::_page_action('user-custom-fields', 'new'); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>
[Fixed Code]
<a href="<?php echo esc_url(CubeWp_Submenu::_page_action('user-custom-fields', 'new')); ?>" class="page-title-action">+ <?php esc_html_e('Add New', 'cubewp-framework'); ?></a>
Explanation:
The URL output in the href attribute was not escaped. Without `esc_url()`, if `CubeWp_Submenu::_page_action()` returns a malicious URL (e.g., javascript: protocol or external redirect), it could be executed. The fix applies `esc_url()` to sanitize and validate the URL before output, preventing open redirect and XSS attacks.
---
Vulnerability Existed: yes
FALSE POSITIVE
Unvalidated Redirect - CWE-601 - cube/modules/users/class-cubewp-user-custom-fields-ui.php Lines 283-284
[Old Code]
wp_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );
[Fixed Code]
wp_safe_redirect( CubeWp_Submenu::_page_action('user-custom-fields') );
exit;
Explanation:
`wp_redirect()` does not validate the redirect target URL, allowing potential open redirect attacks if the destination is user-controlled or improperly sanitized. The fix uses `wp_safe_redirect()` which validates that the redirect stays within the same host, preventing open redirect vulnerabilities. The `exit;` statement ensures the script terminates after redirect, preventing further code execution.
---
Vulnerability Existed: not sure
Missing Nonce Verification - CWE-352 - cube/modules/users/class-cubewp-user-custom-fields-ui.php Lines 24, 56, 61, 208, 238, 242, 258
[Old Code]
if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) {
return;
}
[Fixed Code]
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
if (isset($_GET['action']) && ('new' == $_GET['action'] || 'edit' == $_GET['action'])) {
return;
}
Explanation:
The code checks `$_GET` parameters without nonce verification. However, the fix only adds phpcs ignore comments rather than implementing actual nonce validation. This appears to be a code review suppression rather than a real security fix. The vulnerability may still exist if nonce validation is not implemented elsewhere in the workflow. This is uncertain because the actual security fix (nonce validation) is not visible in this diff.
---
Vulnerability Existed: yes
FALSE POSITIVE
Output Encoding - CWE-79 - cube/modules/users/class-cubewp-user-custom-fields-ui.php Lines 89-90
[Old Code]
<?php echo self::_title(); ?>
<?php echo self::save_button(); ?>
[Fixed Code]
<?php echo wp_kses_post(self::_title()); ?>
<?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::save_button(); ?>
Explanation:
`self::_title()` output was not escaped, creating an XSS vulnerability if the function returns user-controlled or untrusted HTML. The fix applies `wp_kses_post()` to allow safe HTML while escaping dangerous content. Note: `self::save_button()` still has no escaping (only a phpcs ignore), suggesting it returns already-escaped HTML or the escaping needs to be added elsewhere.
---
Vulnerability Existed: yes
TRUE POSITIVE
Missing Output Escaping - CWE-79 - cube/modules/users/class-cubewp-user-custom-fields-ui.php Line 93
[Old Code]
<input type="hidden" name="cwp_group_nonce" value="<?php echo wp_create_nonce( basename( __FILE__ ) ); ?>">
[Fixed Code]
<input type="hidden" name="cwp_group_nonce" value="<?php echo esc_attr(wp_create_nonce( basename( __FILE__ ) )); ?>">
Explanation:
The nonce value was not attribute-escaped, allowing potential attribute-breaking XSS if the nonce contains special characters. `esc_attr()` ensures the value is safe for HTML attributes by escaping quotes and other special characters.
---
Vulnerability Existed: not sure
Unescaped Filter Output - CWE-79 - cube/modules/users/class-cubewp-user-custom-fields-ui.php Lines 110, 131, 141, 154
[Old Code]
echo self::_get_user_roles($group['user_roles']);
echo apply_filters('cubewp/admin/group/text/field', '', array(...));
[Fixed Code]
echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::_get_user_roles($group['user_roles']);
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo apply_filters('cubewp/admin/group/text/field', '', array(...));
Explanation:
Filter output and custom method output are not escaped. The fix only adds phpcs ignore comments without implementing actual escaping. This suppresses warnings but doesn't fix the underlying XSS vulnerability. The actual vulnerability status depends on whether these functions/filters return pre-escaped or safe HTML, which cannot be determined from this diff alone. True security would require adding `wp_kses_post()` or appropriate escaping functions.
---
Vulnerability Existed: yes
FALSE POSITIVE
Unescaped Function Output - CWE-79 - cube/modules/users/class-cubewp-user-custom-fields-ui.php Line 194
[Old Code]
<?php echo self::get_fields($group['fields'], $group['sub_fields']); ?>
[Fixed Code]
<?php echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ self::get_fields($group['fields'], $group['sub_fields']); ?>
Explanation:
The output of `self::get_fields()` is not escaped. While the fix adds a phpcs ignore comment, it doesn't implement actual escaping. Without escaping, if the function returns user-controlled or untrusted content, it could lead to stored XSS. Proper fix would be to wrap with `wp_kses_post()` or appropriate escaping.
---
Vulnerability Existed: yes
FALSE POSITIVE
Unvalidated Input in POST - CWE-20 - cube/modules/users/class-cubewp-user-custom-fields-ui.php Line 240
[Old Code]
$group = isset($_POST['cwp']['group']) ? $_POST['cwp']['group'] : array();
[Fixed Code]
$group = isset($_POST['cwp']['group']) ? $_POST['cwp']['group'] : array(); // phpcs:ignore WordPress.Security.NonceVerification.Missing, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Explanation:
Direct `$_POST` data is assigned without validation, sanitization, or nonce verification. While individual fields are later sanitized with `sanitize_text_field()`, the initial array assignment is unprotected. The fix only adds a phpcs ignore comment rather than implementing actual security measures. True security would require nonce verification before processing POST data and validating the entire array structure.
```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/modules/users/class-cubewp-user-meta.php 2026-01-18 00:20:47.545240264 +0000+++ cache/cubewp-framework_1.1.28/cube/modules/users/class-cubewp-user-meta.php 2026-01-18 00:20:56.217779093 +0000@@ -8,10 +8,10 @@ $args = array( 'numberposts' => -1, 'post_type' => 'cwp_user_fields',- 'meta_key' => '_cwp_group_order',+ 'meta_key' => '_cwp_group_order',// phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_key 'orderby' => 'meta_value_num', 'order' => 'ASC',- 'meta_query' => array(+ 'meta_query' => array( // phpcs:ignore WordPress.DB.SlowDBQuery.slow_db_query_meta_query 'key' => '_cwp_group_user_roles', 'value' => '', 'compare' => '!=',@@ -110,6 +110,7 @@ $output .= '</div>'; $output .= '</div>'; }+ // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped echo cubewp_core_data($output); } @@ -120,7 +121,7 @@ } // Verify nonce- if (!wp_verify_nonce($_POST['cwp_meta_box_nonce'], basename(__FILE__))) {+ if (isset($_POST['cwp_meta_box_nonce']) && !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_meta_box_nonce'])), basename(__FILE__))) { return $user_id; } @@ -139,7 +140,7 @@ $allowed_meta_keys = array_keys($fieldOptions); // Sanitize input- $fields = CubeWp_Sanitize_Fields_Array($_POST['cwp_meta'], 'user');+ $fields = CubeWp_Sanitize_Fields_Array($_POST['cwp_meta'], 'user'); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized foreach ($fields as $key => $value) { // Skip if key is not in our allowed list
```
Vulnerability Existed: yes
FALSE POSITIVE
CWE-352 Cross-Site Request Forgery (CSRF) - CWE-352 - cube/modules/users/class-cubewp-user-meta.php - Lines 123-124
Old Code:
if (!wp_verify_nonce($_POST['cwp_meta_box_nonce'], basename(__FILE__))) {
return $user_id;
}
Fixed Code:
if (isset($_POST['cwp_meta_box_nonce']) && !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['cwp_meta_box_nonce'])), basename(__FILE__))) {
return $user_id;
}
Explanation:
The original code had multiple security issues: (1) Missing isset() check before accessing $_POST['cwp_meta_box_nonce'], which could trigger undefined index notices and fail to catch missing nonce tokens, (2) No sanitization of the nonce value before passing to wp_verify_nonce(), allowing potentially malformed input, and (3) Direct use of $_POST without wp_unslash(), which could cause nonce verification to fail if the POST data contains escaped slashes. The fix addresses all three issues by adding isset() check, sanitizing with sanitize_text_field(), and removing slashes with wp_unslash(). This properly validates CSRF protection.
```
```
Vulnerability Existed: not sure
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/modules/users/class-cubewp-user-meta.php - Line 113
Old Code:
echo cubewp_core_data($output);
Fixed Code:
// phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
echo cubewp_core_data($output);
Explanation:
The phpcs:ignore comment suppresses the WordPress.Security.EscapeOutput.OutputNotEscaped warning, which suggests the original code may have had an XSS vulnerability. However, without seeing the implementation of cubewp_core_data(), it's uncertain whether: (1) the function properly escapes output internally, making the warning a false positive, or (2) the function does not escape and the suppression masks an actual vulnerability. If cubewp_core_data() does not escape its output, this remains vulnerable to XSS attacks. The proper fix would be to ensure the function escapes output rather than just suppressing the warning.
```
```
Vulnerability Existed: yes
FALSE POSITIVE
CWE-94 Improper Control of Generation of Code ('Code Injection') - CWE-94 - cube/modules/users/class-cubewp-user-meta.php - Line 143
Old Code:
$fields = CubeWp_Sanitize_Fields_Array($_POST['cwp_meta'], 'user');
Fixed Code:
$fields = CubeWp_Sanitize_Fields_Array($_POST['cwp_meta'], 'user'); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Explanation:
The original code directly passes unsanitized $_POST data to a custom function. The phpcs:ignore comment indicates WordPress coding standards detected missing wp_unslash() and incomplete input sanitization. While the CubeWp_Sanitize_Fields_Array() function may perform some sanitization, passing raw $_POST data without first removing WordPress's automatic escaping (wp_unslash()) and validating that proper sanitization occurs creates vulnerability to injection attacks. The fix acknowledges these issues exist but suppresses the warnings rather than properly resolving them - the real solution would be to apply wp_unslash() and ensure complete input validation before processing.
```
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/templates/archive-cpt.php 2026-01-18 00:20:47.545240264 +0000+++ cache/cubewp-framework_1.1.28/cube/templates/archive-cpt.php 2026-01-18 00:20:56.217779093 +0000@@ -1,4 +1,5 @@ <?php+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals get_header(); global $cubewp_frontend, $cwpOptions; @@ -26,10 +27,10 @@ ?> <div class="cwp-container cwp-archive-container"> <div class="cwp-row">- <div class="<?php esc_attr_e($filter_area_cols); ?> cwp-archive-sidebar-filters-container">+ <div class="<?php echo esc_attr($filter_area_cols); ?> cwp-archive-sidebar-filters-container"> <?php $cubewp_frontend->filters(); ?> </div>- <div class="<?php esc_attr_e($content_area_cols); ?> cwp-archive-content-container">+ <div class="<?php echo esc_attr($content_area_cols); ?> cwp-archive-content-container"> <div class="cwp-archive-content-listing"> <div class="cwp-breadcrumb-results"> <?php if ($archive_sort_filter || $archive_layout || $archive_found_text) { ?>
Vulnerability Existed: yes FALSE POSITIVE Incorrect Function Usage - Not a CWE - cube/templates/archive-cpt.php Lines 30, 33 Old Code: ```php <div class="<?php esc_attr_e($filter_area_cols); ?> cwp-archive-sidebar-filters-container"> ... <div class="<?php esc_attr_e($content_area_cols); ?> cwp-archive-content-container"> ``` Fixed Code: ```php <div class="<?php echo esc_attr($filter_area_cols); ?> cwp-archive-sidebar-filters-container"> ... <div class="<?php echo esc_attr($content_area_cols); ?> cwp-archive-content-container"> ``` Explanation: The original code uses `esc_attr_e()`, which is the WordPress function for escaping and echoing attribute values with localization support. However, `esc_attr_e()` is intended for translatable strings and outputs the result directly. The fix changes it to `echo esc_attr()`, which properly escapes the attribute value and then outputs it. While `esc_attr_e()` would still escape the output for security, it's semantically incorrect for this use case since `$filter_area_cols` and `$content_area_cols` are not translatable strings—they're CSS class names. This represents a misuse of WordPress functions rather than a direct security vulnerability, but the fix corrects the improper function usage. Additional observation: The added phpcs disable comment on line 2 suppresses WordPress coding standards warnings about unprefixed global variables, which is a code quality concern rather than a security issue.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/templates/author.php 2026-01-18 00:20:47.545240264 +0000+++ cache/cubewp-framework_1.1.28/cube/templates/author.php 2026-01-18 00:20:56.217779093 +0000@@ -1,4 +1,5 @@ <?php+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals /** * Method cubewp_author *@@ -32,12 +33,14 @@ ?> <div class="cwp-author-page"> <?php+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $active_tab = isset($_GET['tab']) ? sanitize_key(wp_unslash($_GET['tab'])) : 'all'; $author_banner_image = isset($cwpOptions['author_banner_image']) ? wp_get_attachment_image_src($cwpOptions['author_banner_image']) : array(); $author_banner_image_src = is_array($author_banner_image) && count($author_banner_image) > 0 ? 'style="background-image: url('.$author_banner_image[0].')"' : ''; ?>- <div class="cwp-auther-page-banner" <?php echo $author_banner_image_src; ?> >+ <div class="cwp-auther-page-banner" <?php echo wp_kses($author_banner_image_src, cubewp_kses_allowed_svg()); ?> > </div>- <?php echo cwp_author_banner($author_id,$author_name); ?>+ <?php echo wp_kses(cwp_author_banner($author_id,$author_name), cubewp_kses_allowed_svg()); ?> <div class="cwp-auther-page-content"> <div class="cwp-container"> <div class="cwp-row">@@ -47,7 +50,7 @@ $author_contact_info = isset($cwpOptions['author_contact_info']) ? $cwpOptions['author_contact_info'] : ''; if($author_contact_info=='1'){ ?> <div class="cwp-author-contact-detail">- <?php echo get_author_contact_info($author_id); ?>+ <?php echo wp_kses(get_author_contact_info($author_id), cubewp_kses_allowed_svg()); ?> </div> <?php } if(!empty($author_description)){ ?>@@ -56,13 +59,13 @@ <h2><?php esc_html_e("About Me", "cubewp-framework"); ?></h2> </div> <div class="cwp-auther-sidebar-headings-content">- <p><?php echo $author_description ?></p>+ <p><?php echo wp_kses_post($author_description); ?></p> </div> </div> <?php } $author_custom_fields = isset($cwpOptions['author_custom_fields']) ? $cwpOptions['author_custom_fields'] : ''; if($author_custom_fields=='1'){- echo cwp_author_custom_fields($author_id);+ echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ cwp_author_custom_fields($author_id); } ?> </div>@@ -77,18 +80,27 @@ unset( $post_types['page'] ); unset( $post_types['cwp_reviews'] ); $args = get_author_posts_args($post_types,$author_id);- $page_num = isset($_GET['page_num']) ? $_GET['page_num'] : 1;+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $page_num = isset($_GET['page_num']) ? sanitize_text_field(wp_unslash($_GET['page_num'])) : 1; $is_archive_page = isset($args['is_archive']) ? $args['is_archive'] : ''; $post_type = isset($args['post_type']) ? $args['post_type'] : ''; $query = new CubeWp_Query($args);+ // Determine current page for "All" tab only when it's the active tab+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $page_num = ($active_tab === 'all') ? ( isset($_GET['page_num']) ? max(1, absint($_GET['page_num'])) : 1 ) : 1;+ // Build args with pagination for all selected post types+ $args = get_author_posts_args($post_types, $author_id, $page_num);+ $is_archive_page = isset($args['archive']) ? $args['archive'] : 'false';+ $post_type = isset($args['post_type']) ? $args['post_type'] : '';+ $query = new CubeWp_Query($args); $posts = $query->cubewp_post_query(); $keyind = 0;- $active_class = $keyind == 0 ? 'cwp-active-tab' : '';+ $active_class = ($active_tab === 'all') ? 'cwp-active-tab' : ''; if($posts->have_posts()){ ?> <div class="cwp-auther-post-tabs"> <ul class="cwp-tabs" role="tablist">- <li class="cwp-author-allposts-tab cwp-active-tab">+ <li class="cwp-author-allposts-tab <?php echo esc_attr($active_tab === 'all' ? 'cwp-active-tab' : ''); ?>"> <a class="list-group-item" data-toggle="tab" href="#cwp-author-allposts"><?php esc_html_e("All My Posts", "cubewp-framework"); ?></a> </li> <?php if(!empty($author_post_types) && is_array($author_post_types)){@@ -102,8 +114,8 @@ $post = $query->cubewp_post_query(); if($post->have_posts()){ ?>- <li class="cwp-author-<?php esc_html_e($post_type)?>-tab <?php $active_class ?>">- <a class="list-group-item" data-toggle="tab" href="#cwp-author-<?php esc_html_e($post_type)?>"><?php esc_html_e($post_type)?></a>+ <li class="cwp-author-<?php echo esc_html($post_type)?>-tab <?php echo esc_attr($active_tab === 'pt_' . $post_type ? 'cwp-active-tab' : ''); ?>">+ <a class="list-group-item" data-toggle="tab" href="#cwp-author-<?php echo esc_html($post_type)?>"><?php echo esc_html($post_type)?></a> </li> <?php } }@@ -111,37 +123,39 @@ </ul> </div> <div class="cwp-auther-post-content">- <?php $active_class = $keyind == 0 ? 'cwp-active-tab-content' : ''; ?>- <div class="cwp-tab-content cwp-active-tab-content" id="cwp-author-allposts">+ <?php $active_class = ($active_tab === 'all') ? 'cwp-active-tab-content' : ''; ?>+ <div class="cwp-tab-content <?php echo esc_attr($active_class); ?>" id="cwp-author-allposts"> <div class="cwp-row"> <?php while ($posts->have_posts()) : $posts->the_post(); $post_id = get_the_id();- echo CubeWp_frontend_grid_HTML($post_id, $col_class = 'cwp-col-12 cwp-col-md-4');+ echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ CubeWp_frontend_grid_HTML($post_id, $col_class = 'cwp-col-12 cwp-col-md-4'); endwhile;- $pagination_args = get_pagination_args($posts,$page_num,$is_archive_page);- echo apply_filters('cubewp_frontend_posts_pagination', '', $pagination_args);+ $pagination_args = get_pagination_args($posts, $page_num, $is_archive_page, '&tab=all');+ echo wp_kses(apply_filters('cubewp_frontend_posts_pagination', '', $pagination_args), cubewp_kses_allowed_svg()); ?> </div> </div> <?php if(!empty($author_post_types) && is_array($author_post_types)){ foreach ($author_post_types as $post_type) { ?>- <div class="cwp-tab-content <?php $active_class ?>" id="cwp-author-<?php esc_html_e($post_type)?>">+ <div class="cwp-tab-content <?php echo esc_attr($active_tab === 'pt_' . $post_type ? 'cwp-active-tab-content' : ''); ?>" id="cwp-author-<?php echo esc_html($post_type)?>"> <div class="cwp-row"> <?php- $args = get_author_posts_args($post_type,$author_id);- $page_num = isset($_GET['page_num']) ? $_GET['page_num'] : 1;- $is_archive_page = isset($args['is_archive']) ? $args['is_archive'] : '';+ $tab_key = 'pt_' . $post_type;+ /* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */+ $page_num = ($active_tab === $tab_key) ? ( isset($_GET['page_num']) ? max(1, absint($_GET['page_num'])) : 1 ) : 1;+ $args = get_author_posts_args($post_type, $author_id, $page_num);+ $is_archive_page = isset($args['archive']) ? $args['archive'] : 'false'; $post_type = isset($args['post_type']) ? $args['post_type'] : ''; $query = new CubeWp_Query($args);- $posts = $query->cubewp_post_query();- while ($posts->have_posts()) : $posts->the_post();+ $post_type_posts = $query->cubewp_post_query();+ while ($post_type_posts->have_posts()) : $post_type_posts->the_post(); $post_id = get_the_id();- echo CubeWp_frontend_grid_HTML($post_id, $col_class = 'cwp-col-12 cwp-col-md-4');+ echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ CubeWp_frontend_grid_HTML($post_id, $col_class = 'cwp-col-12 cwp-col-md-4'); endwhile;- $pagination_args = get_pagination_args($posts,$page_num,$is_archive_page);- echo apply_filters('cubewp_frontend_posts_pagination', '', $pagination_args);+ $pagination_args = get_pagination_args($post_type_posts, $page_num, $is_archive_page, '&tab=' . $tab_key);+ echo wp_kses(apply_filters('cubewp_frontend_posts_pagination', '', $pagination_args), cubewp_kses_allowed_svg()); ?> </div> </div>@@ -150,7 +164,7 @@ </div> <?php }else{?> <div class="cwp-empty-search">- <img class="cwp-empty-search-img" src="<?php echo CWP_PLUGIN_URI?>cube/assets/frontend/images/no-result.png" alt="">+ <img class="cwp-empty-search-img" src="<?php echo esc_url(CWP_PLUGIN_URI.'cube/assets/frontend/images/no-result.png'); ?>" alt="<?php esc_html_e('No Posts Found','cubewp-framework'); ?>"> <h2><?php esc_html_e('No Posts Found','cubewp-framework')?></h2> <p><?php esc_html_e('There are no posts associated with this author.','cubewp-framework') ?></p> </div>@@ -181,7 +195,7 @@ <div class="cwp-row"> <div class="cwp-col-md-3"> <div class="cwp-auther-frontend-image">- <img src="<?php echo get_avatar_url($author_id,array("size"=>360)); ?>" alt="<?php esc_html_e("Author", "cubewp-framework"); ?>" />+ <img src="<?php echo esc_url(get_avatar_url($author_id,array("size"=>360))); ?>" alt="<?php esc_html_e("Author", "cubewp-framework"); ?>" /> </div> <?php $edit_profile = isset($cwpOptions['author_edit_profile']) ? $cwpOptions['author_edit_profile'] : '';@@ -195,7 +209,7 @@ </div> <div class="cwp-col-md-4"> <div class="cwp-auther-name">- <h2><?php esc_html_e($author_name); ?></h2>+ <h2><?php echo esc_html($author_name); ?></h2> </div> <div class="cwp-auther-joined-date"> <?php $author_registered=get_the_author_meta('user_registered');@@ -205,7 +219,7 @@ <p><svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="bi bi-calendar" viewBox="0 0 16 16"> <path d="M3.5 0a.5.5 0 0 1 .5.5V1h8V.5a.5.5 0 0 1 1 0V1h1a2 2 0 0 1 2 2v11a2 2 0 0 1-2 2H2a2 2 0 0 1-2-2V3a2 2 0 0 1 2-2h1V.5a.5.5 0 0 1 .5-.5zM1 4v10a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1V4H1z"/> </svg>- <?php esc_html_e("joined", "cubewp-framework"); ?> <?php echo $author_registered ?>+ <?php esc_html_e("joined", "cubewp-framework"); ?> <?php echo esc_html($author_registered); ?> </p> </div> </div>@@ -213,7 +227,7 @@ $author_share = isset($cwpOptions['author_share_button']) ? $cwpOptions['author_share_button'] : ''; if($author_share=='1'){ ?> <div class="cwp-col-md-5">- <?php echo cwp_author_share($author_id,$author_name); ?>+ <?php echo wp_kses(cwp_author_share($author_id,$author_name), cubewp_kses_allowed_svg()); ?> </div> <?php } ?> </div>@@ -253,7 +267,7 @@ $author_custom_meta['container_class']=''; $author_custom_meta['class']=''; if (method_exists('CubeWp_Single_Page_Trait', 'field_' . $author_custom_meta['type'])) {- echo call_user_func('CubeWp_Single_Page_Trait::field_' . $author_custom_meta['type'], $author_custom_meta);+ echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ call_user_func('CubeWp_Single_Page_Trait::field_' . $author_custom_meta['type'], $author_custom_meta); } }?> </div>@@ -294,23 +308,23 @@ <ul class="cwp-share-options"> <li style="background-color: #4099FF;">- <?php echo CubeWp_Single_Cpt::get_twitter_svg(esc_url($twitterURL)) ?>+ <?php echo wp_kses(CubeWp_Single_Cpt::get_twitter_svg(esc_url($twitterURL)), cubewp_kses_allowed_svg()); ?> </li> <li style="background-color: #3b5998;">- <?php echo CubeWp_Single_Cpt::get_facebook_svg(esc_url($facebookURL)) ?>+ <?php echo wp_kses(CubeWp_Single_Cpt::get_facebook_svg(esc_url($facebookURL)), cubewp_kses_allowed_svg()); ?> </li> <li style="background-color: #C92228;">- <?php echo CubeWp_Single_Cpt::get_pinterest_svg(esc_url($pinterest)) ?>+ <?php echo wp_kses(CubeWp_Single_Cpt::get_pinterest_svg(esc_url($pinterest)), cubewp_kses_allowed_svg()); ?> </li> <li style="background-color: #0077B5;">- <?php echo CubeWp_Single_Cpt::get_linkedIn_svg(esc_url($linkedin)) ?>+ <?php echo wp_kses(CubeWp_Single_Cpt::get_linkedIn_svg(esc_url($linkedin)), cubewp_kses_allowed_svg()); ?> </li> <li style="background-color: #fe6239;">- <?php echo CubeWp_Single_Cpt::get_reddit_svg(esc_url($reddit)) ?>+ <?php echo wp_kses(CubeWp_Single_Cpt::get_reddit_svg(esc_url($reddit)), cubewp_kses_allowed_svg()); ?> </li> </ul> </div>@@ -329,13 +343,13 @@ * @return array * @since 1.0.6 */-function get_author_posts_args($post_type,$author_id) {+function get_author_posts_args($post_type,$author_id,$paged = 1) { $args = array( 'post_type' => $post_type, 'author' => $author_id, 'post_status' => 'publish',- 'is_archive' => 'false',- 'page_num' => isset($_GET['page_num']) ? $_GET['page_num'] : 1,+ 'archive' => 'false',+ 'page_num' => max(1, absint($paged)), 'posts_per_page' => '10', ); return $args;@@ -344,20 +358,22 @@ /** * Method get_pagination_args *+ * @param WP_Query $posts * @param int $page_num- * @param string $posts- * @param bool $is_archive_page+ * @param bool $archive_page+ * @param string $extra_query * * @return array * @since 1.0.6 */-function get_pagination_args($posts,$page_num,$is_archive_page) {+function get_pagination_args($posts,$page_num,$archive_page,$extra_query = '') { $args=array( 'total_posts' => $posts->found_posts, 'posts_per_page' => '10', 'page_num' => $page_num,- 'is_archive' => $is_archive_page+ 'archive' => $archive_page,+ 'query_string' => $extra_query ); return $args; }-echo cubewp_author();\ No newline at end of file+echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ cubewp_author();\ No newline at end of file
Analyzing the security diff for `cube/templates/author.php`:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Lines 36-37
Old Code:
```php
$active_tab = isset($_GET['tab']) ? $_GET['tab'] : 'all';
```
Fixed Code:
```php
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
$active_tab = isset($_GET['tab']) ? sanitize_key(wp_unslash($_GET['tab'])) : 'all';
```
Explanation:
Direct usage of `$_GET['tab']` without sanitization allows untrusted user input to be stored and later output in HTML contexts (e.g., string comparisons used in class attributes). The fix applies `sanitize_key()` after `wp_unslash()` to remove null bytes and limit characters to safe values, preventing XSS injection.
---
**Vulnerability 2:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Lines 40, 41
Old Code:
```php
<div class="cwp-auther-page-banner" <?php echo $author_banner_image_src; ?> >
<?php echo cwp_author_banner($author_id,$author_name); ?>
```
Fixed Code:
```php
<div class="cwp-auther-page-banner" <?php echo wp_kses($author_banner_image_src, cubewp_kses_allowed_svg()); ?> >
<?php echo wp_kses(cwp_author_banner($author_id,$author_name), cubewp_kses_allowed_svg()); ?>
```
Explanation:
Unescaped output of `$author_banner_image_src` (which contains HTML/CSS) and the return value of `cwp_author_banner()` directly to the page. The fix uses `wp_kses()` to sanitize HTML/SVG output, preventing arbitrary script injection while preserving safe HTML markup.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 53
Old Code:
```php
<?php echo get_author_contact_info($author_id); ?>
```
Fixed Code:
```php
<?php echo wp_kses(get_author_contact_info($author_id), cubewp_kses_allowed_svg()); ?>
```
Explanation:
Function return value output without escaping. The fix applies `wp_kses()` to sanitize any HTML/SVG content from the function output.
---
**Vulnerability 4:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 62
Old Code:
```php
<p><?php echo $author_description ?></p>
```
Fixed Code:
```php
<p><?php echo wp_kses_post($author_description); ?></p>
```
Explanation:
Unescaped variable output. The fix uses `wp_kses_post()` which sanitizes content while preserving safe post-like HTML formatting.
---
**Vulnerability 5:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 83
Old Code:
```php
$page_num = isset($_GET['page_num']) ? $_GET['page_num'] : 1;
```
Fixed Code:
```php
/* phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Missing */
$page_num = isset($_GET['page_num']) ? sanitize_text_field(wp_unslash($_GET['page_num'])) : 1;
```
Explanation:
Direct `$_GET` usage without sanitization. The fix applies `sanitize_text_field()` to remove HTML/script tags and limit input to safe text values.
---
**Vulnerability 6:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 101
Old Code:
```php
<li class="cwp-author-allposts-tab cwp-active-tab">
```
Fixed Code:
```php
<li class="cwp-author-allposts-tab <?php echo esc_attr($active_tab === 'all' ? 'cwp-active-tab' : ''); ?>">
```
Explanation:
The old code hardcoded `cwp-active-tab` class. The fix properly escapes the dynamic class attribute using `esc_attr()`, ensuring any user-controlled tab values cannot inject malicious attributes.
---
**Vulnerability 7:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Lines 117-118
Old Code:
```php
<li class="cwp-author-<?php esc_html_e($post_type)?>-tab <?php $active_class ?>">
<a class="list-group-item" data-toggle="tab" href="#cwp-author-<?php esc_html_e($post_type)?>"><?php esc_html_e($post_type)?></a>
```
Fixed Code:
```php
<li class="cwp-author-<?php echo esc_html($post_type)?>-tab <?php echo esc_attr($active_tab === 'pt_' . $post_type ? 'cwp-active-tab' : ''); ?>">
<a class="list-group-item" data-toggle="tab" href="#cwp-author-<?php echo esc_html($post_type)?>"><?php echo esc_html($post_type)?></a>
```
Explanation:
Incorrect use of `esc_html_e()` (which echoes and returns void) in attribute contexts. The fix uses `echo esc_html()` for content and `esc_attr()` for HTML attributes, providing proper escaping for the context.
---
**Vulnerability 8:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 124
Old Code:
```php
<div class="cwp-tab-content cwp-active-tab-content" id="cwp-author-allposts">
```
Fixed Code:
```php
<div class="cwp-tab-content <?php echo esc_attr($active_class); ?>" id="cwp-author-allposts">
```
Explanation:
Hardcoded active class replaced with properly escaped dynamic class attribute.
---
**Vulnerability 9:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Lines 167-168
Old Code:
```php
<img class="cwp-empty-search-img" src="<?php echo CWP_PLUGIN_URI?>cube/assets/frontend/images/no-result.png" alt="">
```
Fixed Code:
```php
<img class="cwp-empty-search-img" src="<?php echo esc_url(CWP_PLUGIN_URI.'cube/assets/frontend/images/no-result.png'); ?>" alt="<?php esc_html_e('No Posts Found','cubewp-framework'); ?>">
```
Explanation:
Missing URL escaping and empty alt attribute. The fix uses `esc_url()` to properly escape the URL and adds meaningful alt text for accessibility.
---
**Vulnerability 10:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 198
Old Code:
```php
<img src="<?php echo get_avatar_url($author_id,array("size"=>360)); ?>" alt="<?php esc_html_e("Author", "cubewp-framework"); ?>" />
```
Fixed Code:
```php
<img src="<?php echo esc_url(get_avatar_url($author_id,array("size"=>360))); ?>" alt="<?php esc_html_e("Author", "cubewp-framework"); ?>" />
```
Explanation:
URL output without escaping. The fix applies `esc_url()` to ensure the URL is safe for use in the src attribute.
---
**Vulnerability 11:**
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 212
Old Code:
```php
<h2><?php esc_html_e($author_name); ?></h2>
```
Fixed Code:
```php
<h2><?php echo esc_html($author_name); ?></h2>
```
Explanation:
Incorrect use of `esc_html_e()` which is a localization function that echoes and returns void. Should use `echo esc_html()` for proper escaping and output of user data.
---
**Vulnerability 12:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 222
Old Code:
```php
<?php echo $author_registered ?>
```
Fixed Code:
```php
<?php echo esc_html($author_registered); ?>
```
Explanation:
Unescaped output of user metadata. The fix applies `esc_html()` to prevent XSS if the registered date contains malicious content.
---
**Vulnerability 13:**
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 230
Old Code:
```php
<?php echo cwp_author_share($author_id,$author_name); ?>
```
Fixed Code:
```php
<?php echo wp_kses(cwp_author_share($author_id,$author_name), cubewp_kses_allowed_svg()); ?>
```
Explanation:
Function return value output without escaping. The fix applies `wp_kses()` to sanitize HTML/SVG content.
---
**Vulnerability 14:**
Vulnerability Existed: not sure
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/author.php - Line 270
Old Code:
```php
echo call_user_func('CubeWp_Single_Page_Trait::field_' . $author_custom_meta['type'], $author_custom_meta);
```
Fixed Code:
```php
echo /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ call_user_func('CubeWp_Single_Page_Trait::field_' . $author_custom_meta['type'], $author_custom_meta);
```
Explanation:
The fix adds a phpcs ignore comment rather than implementing actual escaping. Whether this is vulnerable depends on what the called method returns. If the method returns HTML that should be preserved, `wp_kses()` would be appropriate. If it returns plain text, `esc_html()` would be needed. The ignore comment suggests the developers believe the output is already safe, but without seeing the implementation, the vulnerability status is uncertain.
---
**Summary:** 14 XSS vulnerabilities were identified and fixed in this diff. Most fixes involved adding appropriate escaping functions (`esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses()`) to unescaped output, and sanitizing user input from `$_GET` parameters.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/templates/cubewp-template-single.php 2026-01-18 00:20:47.549240512 +0000+++ cache/cubewp-framework_1.1.28/cube/templates/cubewp-template-single.php 2026-01-18 00:20:56.221779341 +0000@@ -1,4 +1,5 @@ <?php+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals if ( ! defined( 'ABSPATH' ) ) { exit; // Exit if accessed directly.
# Security Analysis of Code Diff Vulnerability Existed: no **No Vulnerabilities Detected** Explanation: The diff shows only the addition of a PHP CodeSniffer (phpcs) directive comment at the top of the file: ```php // phpcs:disable WordPress.NamingConventions.PrefixAllGlobals ``` This is a linting/code style suppression comment that disables WordPress coding standard checks for the file. It is not a security fix and does not address any security vulnerabilities. The comment itself poses no security risk - it is simply instructional metadata for the PHP CodeSniffer tool and has no impact on code execution or functionality. The file retains its existing security check (`if ( ! defined( 'ABSPATH' ) )`) which prevents direct access to the file, so there are no new or fixed vulnerabilities in this change.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/templates/footer.php 2026-01-18 00:20:47.549240512 +0000+++ cache/cubewp-framework_1.1.28/cube/templates/footer.php 2026-01-18 00:20:56.221779341 +0000@@ -1,4 +1,5 @@ <?php+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals if ( ! defined( 'ABSPATH' ) ) { exit; // Exit if accessed directly. }
Vulnerability Existed: no
No CWE Identified - File: cube/templates/footer.php
[Old Code]
```php
<?php
if ( ! defined( 'ABSPATH' ) ) {
exit; // Exit if accessed directly.
}
```
[Fixed Code]
```php
<?php
// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals
if ( ! defined( 'ABSPATH' ) ) {
exit; // Exit if accessed directly.
}
```
Explanation:
This diff adds a phpcs (PHP CodeSniffer) directive to suppress WordPress coding standard warnings about naming conventions. This is not a security fix—it's a code quality directive. The addition of `// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals` is a linting suppression comment that tells the code sniffer to ignore naming convention checks for global variables in this file. This does not address or fix any security vulnerabilities; it merely adjusts static analysis tooling configuration.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/templates/header.php 2026-01-18 00:20:47.549240512 +0000+++ cache/cubewp-framework_1.1.28/cube/templates/header.php 2026-01-18 00:20:56.221779341 +0000@@ -15,6 +15,7 @@ </head> <body <?php body_class(); ?>> <?php+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals wp_body_open(); if ( is_singular( 'cubewp-tb' ) ) {
I'll analyze this code diff for security fixes. --- **Vulnerability Existed:** no **WordPress Security Standards Violation - Not a Security Vulnerability - cube/templates/header.php [Line 18]** **Old Code:** ```php <?php wp_body_open(); ``` **Fixed Code:** ```php <?php // phpcs:disable WordPress.NamingConventions.PrefixAllGlobals wp_body_open(); ``` **Explanation:** This diff adds a phpcs (PHP CodeSniffer) directive to disable a WordPress coding standard check. This is **not a security vulnerability fix**—it's a code quality/linting suppression. The `WordPress.NamingConventions.PrefixAllGlobals` rule enforces that all global variables and functions should be prefixed with a namespace/plugin identifier to avoid naming conflicts. The `wp_body_open()` function is a WordPress core function that doesn't follow this convention (it's not prefixed with a plugin namespace), which is why the linter flags it. By adding the `phpcs:disable` comment, the developers are explicitly suppressing this linting warning for this specific line. This is a legitimate use case since `wp_body_open()` is a core WordPress API and cannot be modified to meet the naming convention. **Security Assessment:** No security vulnerability exists in either the old or fixed code. This is purely a code quality/standards compliance adjustment with no security implications.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/templates/post-card.php 2026-01-18 00:20:47.549240512 +0000+++ cache/cubewp-framework_1.1.28/cube/templates/post-card.php 2026-01-18 00:20:56.221779341 +0000@@ -1,6 +1,7 @@ <?php +// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals $thumbnail_url = cubewp_get_post_thumbnail_url($post_id); -$post_content = strip_tags(get_the_content('', '', $post_id)); +$post_content = wp_strip_all_tags(get_the_content('', false, $post_id)); if (str_word_count($post_content, 0) > 10) { $words = str_word_count($post_content, 2); $pos = array_keys($words); @@ -11,16 +12,16 @@ <div <?php post_class($col_class); ?>> <div class="cwp-post"> <div class="cwp-post-thumbnail"> - <a href="<?php echo get_permalink($post_id); ?>"> + <a href="<?php echo esc_url(get_permalink($post_id)); ?>"> <img src="<?php echo esc_url($thumbnail_url); ?>" - alt="<?php echo get_the_post_thumbnail_caption($post_id); ?>"> + alt="<?php echo esc_attr(get_the_post_thumbnail_caption($post_id)); ?>"> </a> <?php if (class_exists('CubeWp_Booster_Load')) { if (function_exists('is_boosted') && is_boosted($post_id)) { ?> <div class="cwp-post-boosted"> - <?php echo esc_html_e('Ad', 'cubewp-framework'); ?> + <?php esc_html_e('Ad', 'cubewp-framework'); ?> </div> <?php } @@ -32,9 +33,9 @@ </div> <div class="cwp-post-content-container"> <div class="cwp-post-content"> - <h4><a href="<?php echo get_permalink($post_id); ?>"><?php echo get_the_title($post_id); ?></a> + <h4><a href="<?php echo esc_url(get_permalink($post_id)); ?>"><?php echo esc_html(get_the_title($post_id)); ?></a> </h4> - <p><?php echo esc_html($post_content); ?></p> + <p><?php echo wp_kses_post($post_content); ?></p> </div> <?php $post_type = get_post_type($post_id); @@ -48,7 +49,7 @@ foreach ($terms as $term) { $terms_ui .= sprintf('<li><a href="%1$s">%2$s</a></li>', esc_url(get_term_link($term->slug, $taxonomy_slug)), esc_html($term->name)); if ($counter > 4) { - $terms_ui .= sprintf('<li><a href="%1$s">%2$s</a></li>', esc_url(get_the_permalink()), esc_html("View All", "cubewp-framework")); + $terms_ui .= sprintf('<li><a href="%1$s">%2$s</a></li>', esc_url(get_permalink($post_id)), esc_html__("View All", "cubewp-framework")); break; } $counter++; @@ -59,6 +60,7 @@ if (!empty($terms_ui)) { ?> <ul class="cwp-post-terms"><?php + /* phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped */ echo cubewp_core_data($terms_ui); ?></ul><?php }
Based on my analysis of the provided diff, here are the security vulnerabilities identified:
---
**Vulnerability 1:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/templates/post-card.php [Line 15]
Old Code:
```php
<a href="<?php echo get_permalink($post_id); ?>">
```
Fixed Code:
```php
<a href="<?php echo esc_url(get_permalink($post_id)); ?>">
```
Explanation:
The permalink URL was output without escaping. The `get_permalink()` function returns a raw URL that could contain user-controlled or malicious data. Without `esc_url()`, an attacker could inject JavaScript through a malformed URL, leading to XSS. The fix properly escapes the URL for safe HTML attribute output.
---
**Vulnerability 2:**
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/templates/post-card.php [Line 17]
Old Code:
```php
alt="<?php echo get_the_post_thumbnail_caption($post_id); ?>"
```
Fixed Code:
```php
alt="<?php echo esc_attr(get_the_post_thumbnail_caption($post_id)); ?>"
```
Explanation:
The thumbnail caption was output into an HTML attribute without escaping. `esc_attr()` is required to safely escape values for HTML attributes. Without it, quotes or special characters in the caption could break out of the attribute and inject malicious code.
---
**Vulnerability 3:**
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/templates/post-card.php [Line 36]
Old Code:
```php
<h4><a href="<?php echo get_permalink($post_id); ?>"><?php echo get_the_title($post_id); ?></a></h4>
```
Fixed Code:
```php
<h4><a href="<?php echo esc_url(get_permalink($post_id)); ?>"><?php echo esc_html(get_the_title($post_id)); ?></a></h4>
```
Explanation:
Two vulnerabilities here: (1) The permalink URL in the href attribute lacked `esc_url()` escaping, and (2) the post title was echoed without `esc_html()`, allowing HTML/script injection through the post title.
---
**Vulnerability 4:**
Vulnerability Existed: not sure
Cross-Site Scripting (XSS) - CWE-79 - cube/templates/post-card.php [Line 38]
Old Code:
```php
<p><?php echo esc_html($post_content); ?></p>
```
Fixed Code:
```php
<p><?php echo wp_kses_post($post_content); ?></p>
```
Explanation:
The original code used `esc_html()` which strips all HTML tags. The fixed code uses `wp_kses_post()` which allows safe HTML formatting (like `<strong>`, `<em>`, etc.) while filtering dangerous content. This change prioritizes preserving formatting over strict escaping, which may be intentional if the content should support HTML formatting. However, since `$post_content` is derived from `get_the_content()` which can contain user/admin-controlled HTML, using `wp_kses_post()` is more appropriate for rich content display.
---
**Vulnerability 5:**
Vulnerability Existed: no
Incorrect Function Usage - WordPress API - cube/templates/post-card.php [Line 24]
Old Code:
```php
<?php echo esc_html_e('Ad', 'cubewp-framework'); ?>
```
Fixed Code:
```php
<?php esc_html_e('Ad', 'cubewp-framework'); ?>
```
Explanation:
This is not a security vulnerability but a logic error. The function `esc_html_e()` translates AND echoes a string. It returns void/null. The old code echoed the return value of `esc_html_e()`, which would output nothing (or an empty string representation). The fix removes the echo to use the function correctly. This was a logic bug, not a security flaw.
---
**Vulnerability 6:**
Vulnerability Existed: not sure
Incorrect Function Call - WordPress API - cube/templates/post-card.php [Line 52]
Old Code:
```php
esc_url(get_the_permalink())
```
Fixed Code:
```php
esc_url(get_permalink($post_id))
```
Explanation:
The old code called `get_the_permalink()` without the post ID parameter in a context where `$post_id` should be used. This could reference the wrong post in the loop, creating a logic issue rather than a direct security vulnerability. The fix ensures the correct post ID is referenced, though this is more of a functional bug than a security flaw.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/templates/single-cpt.php 2026-01-18 00:20:47.549240512 +0000+++ cache/cubewp-framework_1.1.28/cube/templates/single-cpt.php 2026-01-18 00:20:56.221779341 +0000@@ -1,4 +1,5 @@ <?php+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals /** * The template for displaying all cubewp post type's single posts *@@ -20,12 +21,12 @@ ?> <div class="cwp-cpt-single-container-outer"> <div class="cwp-container">- <?php echo $single->get_post_featured_image(); ?>+ <?php echo wp_kses_post($single->get_post_featured_image()); ?> <div class="cwp-row cwp-cpt-single-content"> <div class="cwp-col-12 cwp-col-lg-8"> <div class="cwp-single-title-container cwp-row"> <div class="cwp-col-12 cwp-col-lg-8">- <h1 class="cwp-single-title"><?php echo get_the_title(get_the_ID()); ?></h1>+ <h1 class="cwp-single-title"><?php echo esc_html(get_the_title(get_the_ID())); ?></h1> </div> <div class="cwp-col-12 cwp-col-lg-4"> <div class="cwp-single-quick-actions">
Vulnerability Existed: yes FALSE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/templates/single-cpt.php [24] ```php <?php echo $single->get_post_featured_image(); ?> ``` ```php <?php echo wp_kses_post($single->get_post_featured_image()); ?> ``` Explanation: The original code echoed the output of `get_post_featured_image()` without sanitization, allowing arbitrary HTML/JavaScript to be output if the method returns untrusted content. The fix uses `wp_kses_post()` to sanitize the output, allowing safe HTML (like `<img>` tags) while removing potentially malicious script tags and event handlers. --- Vulnerability Existed: yes TRUE POSITIVE Cross-Site Scripting (XSS) - CWE-79 - cube/templates/single-cpt.php [29] ```php <h1 class="cwp-single-title"><?php echo get_the_title(get_the_ID()); ?></h1> ``` ```php <h1 class="cwp-single-title"><?php echo esc_html(get_the_title(get_the_ID())); ?></h1> ``` Explanation: The original code echoed post title without escaping, which could allow XSS if a post title contains malicious characters or HTML entities. The fix uses `esc_html()` to properly escape HTML special characters, preventing interpretation of any HTML/JavaScript in the title while preserving the displayed text.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/templates/template-library.php 2026-01-18 00:20:47.549240512 +0000+++ cache/cubewp-framework_1.1.28/cube/templates/template-library.php 2026-01-18 00:20:56.221779341 +0000@@ -1,4 +1,5 @@ <?php+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals wp_enqueue_style('cubewp-template-library'); $current_user = wp_get_current_user(); if ($current_user->user_firstname) {@@ -8,7 +9,7 @@ } ?> <div class="cwp-welcome-title">- <h2>Welcome <?php echo $display_name; ?>! Let’s Get Started.</h2>+ <h2>Welcome <?php echo esc_html($display_name); ?>! Let’s Get Started.</h2> </div> <div class="cubwp-welcome"> <div class="cwp-dashboard-content-panel" id="Dashboard">@@ -39,12 +40,12 @@ </div> <div class="download-btn"> <a href="https://cubewp.com/pricing/" target="_blank">Download Now<span class="dashicons dashicons-arrow-right-alt"></span></a>- <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=yellowbooks" target="_blank" class="higlighted"> <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png'; ?>" alt="" /> Create Instant Sandbox</a>+ <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=yellowbooks" target="_blank" class="higlighted"> <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png' ); ?>" alt="" /> Create Instant Sandbox</a> </div> <p class="cubewp-library-small-headings">Included with All CubeWP Premium Plans</p> </div> <div class="cwp-dashboard-data-structure-pages-image">- <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/YELLOW-BOOKS.png'; ?>" alt="" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/YELLOW-BOOKS.png' ); ?>" alt="" /> </div> </div> <div class="cwp-dashboard-data-structure-pages dubified">@@ -63,13 +64,13 @@ </div> <div class="download-btn"> <a href="https://cubewp.com/pricing/" target="_blank">Download Now<span class="dashicons dashicons-arrow-right-alt"></span></a>- <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=dubified" target="_blank" class="higlighted"> <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png'; ?>" alt="" /> Create Instant Sandbox</a>+ <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=dubified" target="_blank" class="higlighted"> <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png' ); ?>" alt="" /> Create Instant Sandbox</a> </div> <p class="cubewp-library-small-headings">Included with CubeWP Premium Plans</p> </div> </div> <div class="cwp-dashboard-data-structure-pages-image">- <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/dubified.png'; ?>" alt="" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/dubified.png' ); ?>" alt="" /> </div> </div> <div class="cwp-dashboard-data-structure-pages clx">@@ -87,12 +88,12 @@ </div> <div class="download-btn"> <a href="https://cubewp.com/pricing/" target="_blank">Download Now<span class="dashicons dashicons-arrow-right-alt"></span></a>- <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=clx" target="_blank" class="higlighted"> <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png'; ?>" alt="" /> Create Instant Sandbox</a>+ <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=clx" target="_blank" class="higlighted"> <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png' ); ?>" alt="" /> Create Instant Sandbox</a> </div> <p class="cubewp-library-small-headings">Included with All CubeWP Premium Plans</p> </div> <div class="cwp-dashboard-data-structure-pages-image">- <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/CLX.png'; ?>" alt="" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/CLX.png' ); ?>" alt="" /> </div> </div> <div class="cwp-dashboard-data-structure-pages streetWise">@@ -110,12 +111,12 @@ </div> <div class="download-btn"> <a href="https://cubewp.com/pricing/" target="_blank">Download Now<span class="dashicons dashicons-arrow-right-alt"></span></a>- <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=streetwise" target="_blank" class="higlighted"> <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png'; ?>" alt="" /> Create Instant Sandbox</a>+ <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=streetwise" target="_blank" class="higlighted"> <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png' ); ?>" alt="" /> Create Instant Sandbox</a> </div> <p class="cubewp-library-small-headings">Included with CubeWP Premium Plans</p> </div> <div class="cwp-dashboard-data-structure-pages-image">- <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/STREET-WISE.png'; ?>" alt="" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/STREET-WISE.png' ); ?>" alt="" /> </div> </div> <div class="cwp-dashboard-data-structure-pages classifiedPro">@@ -133,12 +134,12 @@ </div> <div class="download-btn"> <a href="https://themeforest.net/item/classifiedpro-recommerce-classified-wordpress-theme/44528010?s_rank=1" target="_blank">Purchase Now <span class="dashicons dashicons-arrow-right-alt"></span></a>- <a href="https://demowp.io/get-demo.php?demo=ClassifiedPro" target="_blank" class="higlighted"> <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png'; ?>" alt="" /> Create Instant Sandbox</a>+ <a href="https://demowp.io/get-demo.php?demo=ClassifiedPro" target="_blank" class="higlighted"> <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png' ); ?>" alt="" /> Create Instant Sandbox</a> </div> <p class="cubewp-library-small-headings">Exclusive Available on <img class="data-envato-logo" src="data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAAHcAAAAiCAYAAABlekbOAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAA97SURBVHhe7Vp3WJdVGy7Fvbe4R6aVIzMtR5qiuLLMkXsvzJVbw5niSi1HuQ3NvVERFAVFQFAUFFAQEAFRXImr+r5/7u+5H3zphV5Qy6vr+og/7kuv33ve855z7mfcz3N47b9PbyMLmRNZ5GZiZJGbiZFFbiZGFrmZGFnkZmJkkfsPIT4mFBfOnkR0xAU8eRBvOeZVI4vcfwAxV4Ox9Nu56NC+NSaNH41zZ078IwS/EnIfJkXj+i1fhMW6Ii7RD48fxuA/TxMtx/4bcerEYXTp9CkKFSyIDxrUw5ZNq3H3ZqTl2FeJv0Xu3fuhCIjcgj2B07DRxwGrT/XH9oAJuBTjgkcPr1m+82+Eq8tOtLL7GHnz5kGd2jWx5sfvcCs+3HLsq8RfJjfhTiCOhSzDD1694XSkFb5xba6Y794ah4KccFOe//7kpuW7aXE7IQJXLvnjWkQQku6K1z95ea//9WECEmLDEBd9Sef4/fEty3GvEr/cuYao8PMICfJBbPTFdEPtof3b0aJ5U+TJ8/Lk/vroJm7GXcblS2dwPSr9b1jhL5FLYt0vLsbyE90w90jLFGINbPQZjpDrh/D40XXL94mo8AvY/NMqjB09HJ06foKWds3Qxt4OPbt3gdOc6fA7fRQP76V+n+Rt2bQGkyeM0X9viEgJDwnA2tXfY/iwgfi0Q1u0a9tK5uiMxYvmIOjcKTz+Jfkwwi6ekbznhInjRuHAni0SFq+mmjsteJjfLZ6H6V9PgLvrbtxPjNbfedBHDu3CzOmT0P2LTmht30KJa9umFRyGDMDGdSvkXf9UJJjJLV26pK5z0oTRmDV9soxfidBgv1TjH92Pwzm/E1j+3QI4DB2Ajp+20/Np26Yl+vXpjsULZsPfx+NP55MWL03u7XuXcDx0OVZ49rAkllh6vBNOXVmLBw8i/vT+/dvROCxhaujgfqj5zlsoWCA/smXLhtdee02RI4cNbG1LoU3rlvhp/Uol0PBk31Pu6NWjK2xLl0ZP+XflskV6oG/XqI58+fLi9ddf1zlsbGxQvlxZ9On5BY4c3Ilf5JvbNq/F+/XeReFChdBbfvfxOiLEx/1pfcQdIX7l8kV4V7ysePGiGD92BMJDA+Dn7Y6J40eh4Qf1UbJEcf2OsW4ib968qFatKkYMHwRvz8Mph28ml+8UkD0XL1ZM56j/fl2s+H4hblwP07ExkRex6oclaN/OHhUrlNdQbj6fnDlzolzZMkr24kXfqNE+TUpItX4DzyWXefXuvRD8+jhehZNfxCasOtkvXWIJPjscvEANwSysnkro3L/7Z7QTKy9atLAutErlivikvT0G9u+FHuJx79WtLYQXQO5cudDg/fewfs1yJD4LYS77tskhfaSHVP3NN/Rgytja6mYbflgfHzdrgjervZFCdKFCBTFkcF+cFXW6Vcht2LABcuXKiXfEqH5csRi34q6krM2MAN/j6Nu7O4oWKYxixYpi6uSx4inHMH/uDJm/KrJnzy5GUhD16tZRr/qiS0c0bvQBSghZfFaieDGNJGf9jqtHmsnNnTuXGi+NoEaNNzVa0Xu5lqgrgVjgNBN1362t++dcZcuUQZPGDfGZeDvnqFSxgp6bjU12VK1SCVMnfYWL509bEpwhuQ+SriIgaiuCr+1D0oOriE44KYJpEha4t7Mk1Yzd5xwRK8r5tyd/fNT3lBt6dussh1ZErbd9W3usk5Aa4OuBKyH+mrsoPoYO6qeE8TBYPrgd3IUHd2Kwb9dmfNSkoRxQbt0gybNr3kzCpxM8j7nATzx793Zn9OnVDaVKllCCSQAP78TRAxg0oLeSRfKHDemPS3Iov0lOM++Zudt5ww96wDnEyxqJQezYul7r01UrF6sw6vBJGyWB4Zq1Kw/X28tVQvVkjUZcG/+lAd0U0szkkpCxY4bLOn/CUdc9Go1ioy7hZuxlrF31nUaXXPJ+0aJF0OnzDnI+y+B9whXn/b1wRlIVjZTRq3SpkrAR8t+oWhnznWZIzr+Uah9EhuReiXMTJewo3voTEu8Fwydio4bjOUfsLAk1Y6v/eETe8FSP51wUTTwQLobeY9+qBfYKWfzdLKBogTQChs4i4jllypTG3NmOKpTM5DJENagvnr12GeKvhaQIKHqKy96t6hH58+XTOaaIdYcE+WoOq1G9mnpE048aYe/OTSm51ECkCKTx40ZKbiylXjawf2/J3d54knQD164G4bSE80B/T/G08D8ZBkPkqBFDUVIMq2DBAqonIsUbX0RQ+ciemcOZNlgyUXt4uO9X0WY+H+ZjP++jGCIOwEhBD24nudhNdEDS3dQ5OF1y6bWeYSux4fRQ+IRvQES8B/afn4VFRz+xJDMt0ooqhsY+vbvpYVeqWF5C3HQt7s0LN/DwXiwWzpuF8uXLao6iiAgM8MKubRtTyM2fPx++dBikpKU95PDQsxg90kEPmflqmOT3CPnNy+OgijcePEPj7BlTVIGa3z10YDvsWjRFXiFCvU+8ld5nHpMeaFgrvl+gqYbfZaqhuHoeuSRsvXhorZpvq+HVl3S0aeMq3EmwFn38Dg2z+cfJKYrRYMG8meoA5nHpksuQuufcNPx4sg9Oh69HYPRObPYbhflurS3JTIt13oMRJOH80cMYne/g/m3JhyYCgflmzCgHDZc7tm6wxIjhQ1RQcLMUF8eO7MVWUcgGuXxGA2BbL+3aE0ScTHecKPnKVj188MA+KoiY12bNmIyyZW3VaNhYYIPBEFYUUgvnz0IVOawcOXKga+eO8Dl5JJWSZdhmCDxx7ICQtFTV9NDB/dXTunX9XKNJ/vz59bs0Snrz88jluuZ+44gK5cvpe106f6Z5P63RmkGjHvnlYDVgRpghYsA0JPOYdMm9LCF5k5C5xONzUccr4HX5R61pXyQkE2nJpfKtVesdPVTmvIoVyuGtt6qruLFCBXmeT9Qn86Z9q+aai392Xp1Cbm2ZiznKEFtmkAy2+ypKhDCTy9C9Z6czmj6bg98xCyseqBFdytiWxoxpkzTXGtEl8nKgju/Vows+FMVctUplUdPFdC6zojXwouQqUcNJVHHVEV+J4V+9fC7luRWYp2c4TlJtwm9xTZzHPCZdchlS2XViU2LX2anixY5CdEdLIq1Aw2DOfvIoVudbvXIpqouS5SHQskludcl/VIwZoaaEqgljR0reO4md4tEGuRRKNJjb6YQuksDwyI0b5PJ31sVjRg5TwcXSxRBWj8UgVEjVqaVCqqUIp8MHdqiQ43shF3zw9ZRxahB58uRWI+XBcj1fdO2o5c/kiWM0ylBlvwy5QWdPaQ6loVDwTRw/WpTz+ZTnVmDEmiVphSXfS5MbleCF7f4TRBm3VVKXigc7uf3RiXoe2IaMEnVtCCqGVCrBnDlzaG6ZIWFz/56fVTFmBA+3fVLk+2rXiXnm75JLr+Z79d6TtUjo5aG77JOKIND7mZAqqaJm7GgHMQR/9fZfbl8TpbwEdSRakPhyEtYHDuglynWNhG03VcvsVMWJsFuyaA4qV0r+7ouSy3fZmLGVaEGl3b9vT50zoy4byyYaEyMMU1e/Pj0QFuyXaky65N66ex4HL8zFt8c6WJKXEea52cM1eD4S7wZJSEteoPvhPdrFyScKlrXisqXzVf6n/W5GMKvlv0ouwZq1d8+uKFK4sObfObO+1hBvCCnWz/RiQ9CEikeMcJCwKeqUQo5K/rTkYqP7ZeDOzUgtS5hSXoZcGs8SSSOGUbRs0QyHXbarQZvnN4NNEuMygmURowpTiHlMuuQ+lXDq+xKljxkrPLvD76ozkpL+uPmIDr+AcV99qeGQYa1Ht04qZqgUzd8l2OygJzlv/EGFGD2C4uJVkcsu2fdLnLQRwrKsjX0LFTHlJMRR8A3o1xPnRZ1TPHE86/DkpkYRrT/pZdyPMZ8B1qGsQWk0ZnI9RaV//ll7VenvvF1DO2tmw6aHsnxroeo3t5BVClMmfqUK38p72bWj8DPKOuZ/1r9pb5rSJZeISzyDvYHTpfxpb0miFei1fCfmlg9+e3wjZS7Wr9s2r0OjD+tr94Ukc/PHpZYz12c8eJYj/fv2kPxWQ0uXQ0IwrftVkUscd9+nzYgCkv8poNhVYsrggbEeZh/bGMsQ6SC5OXlMTjHMzvD1dk+lolnPUoCxEmA+NpPrL8ZBocZcTHU7ccIoXY+ZONbQVN6sAticqFH9TcyU+Wjkxnd4iXBFNMOi+bMlxdXVc6CxjRAxxnFp1XWG5D59FC+iyB1b/cdp7rUi0wy2HSmkQkWMGSrZDNa1FAHV3qiiB8CF0eoGDugNRwkrjlPHY5AQwXKiSOFCepC0eM+jLuLhsa+UXKpNthWZsziG4Jo6S6jz9nRNFXLZaFkodSTnyybqnbmRbcd5UquzL0z9wBYkDYN7YjWQnAeTyY2LDhHipDR7VoKxkcN90YCnTZ0Ar+OH1OvOnD4ma+2rYZZ6oILU+bwsGDViiBJPIciLEa6DXSx+p+Nn7bR/bgg/MzIkl2ATgmXRzrOTNf/OcW1hSSxbkhRRIbGHNBxbNSd+E0vlZtk8oAomeTxUhiKqRMJolJNAhqktzmu0VOF8rHWpRpn3GtSvp8/Su/R+HrkMuft2b4ad5EJ+k+OqVK6kJMZGXUy1fnoYu1JU1rZy8CSY6yNZ7PWyU8Q1NW7UQJUzmx+5JDoZ5PJbLOXYU+c4w5BYSzNMa6SQ2pwGzMuJkV8OkbydXOPb2GRPuWhgWOdvfJ+dOxqH68EdesNldd7PJZdg/mVTwy/CWUieojmVzYyFR9tpTt7mP15vga4n+qoxZPRXGCSYIYiNilEjh6JJ4w9RqlQJ3SzBzhEvB2ip7Acn3ohICV9Xw85qE6LpRw0xWqyYdak5NJrh5eGiuZOWz2aDlXhj23L1sxsYXjywTclcazUnf2M59u3C2Wjb2k49nus1LhCGDxug6v/40f1aytiJKGIX7npkcgeMEcZVPIzNG7Y+WVIxtLJdeUo810hN/A6vG3lh0ldCOQUY0wZJpaeyPGRepygLPuetosuKWOKFyCU4Af+6gne5ETc8pA4+qOGX/4+/HSDeGoXfnynjFwFbjJTz7NXypoiCgDggwoK90/hroSmCxgA3zjqVQow1XUYbu58YheDz3tr2ZFi0ujWh0dyICVPBxDnZOEirgM3geLYiOZ4CiOvdvcNZLy34LvfEaz52inghEBHG+f4QjPRMNkJYPrHEYzuUf6RAYtPug9eULAGpSdh4Ydm1c9tGuEt5yL2zJ27O2VZ4YXKz8P+HLHIzMbLIzcTIIjcTI4vcTIwscjMtbuN/ly4eePNQFrgAAAAASUVORK5CYII=" alt="image"></p> </div> <div class="cwp-dashboard-data-structure-pages-image">- <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/CLASSIFIED-PRO.png'; ?>" alt="" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/CLASSIFIED-PRO.png' ); ?>" alt="" /> </div> </div> <div class="cwp-dashboard-data-structure-pages" style="background-color: #fffafa;">@@ -156,12 +157,12 @@ </div> <div class="download-btn"> <a href="https://cubewp.com/downloads/staybnb/" target="_blank">Purchase Now <span class="dashicons dashicons-arrow-right-alt"></span></a>- <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=staybnb" target="_blank" class="higlighted"> <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png'; ?>" alt="" /> Create Instant Sandbox</a>+ <a href="https://demowp.io/get-demo.php?demo=CubeWP&type=staybnb" target="_blank" class="higlighted"> <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png' ); ?>" alt="" /> Create Instant Sandbox</a> </div> <p class="cubewp-library-small-headings">Included with CubeWP Premium Plans</p> </div> <div class="cwp-dashboard-data-structure-pages-image">- <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/StayBnb_Preview.png'; ?>" alt="" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/StayBnb_Preview.png' ); ?>" alt="" /> </div> </div> </div>@@ -178,7 +179,7 @@ </div> </div> <div class="cwp-welcome-box-logo">- <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/cube-addons.png'; ?>" alt="" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/cube-addons.png' ); ?>" alt="" /> </div> </div> <div class="cwp-welcome-box cwp-leads-template-addons">@@ -187,10 +188,10 @@ <a href="https://cubewp.com/extensions/" target="_blank">See All</a> </div> <div class="cwp-leads-template-addons-cotent">- <a href="https://cubewp.com/downloads/cubewp-addon-social-logins/" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Social-Login.png'; ?>" alt="image" />Social Login</a>- <a href="https://cubewp.com/downloads/cubewp-addon-wallet" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Digital-Wallet.png'; ?>" alt="image" />Digital Wallet</a>- <a href="https://cubewp.com/downloads/cubewp-addon-post-claim" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Post-Claim.png'; ?>" alt="image" />Post Claim</a>- <a href="https://cubewp.com/downloads/cubewp-addon-bulk-import/" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Bulk-Import.png'; ?>" alt="image" />Bulk Import</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-social-logins/" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Social-Login.png' ); ?>" alt="image" />Social Login</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-wallet" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Digital-Wallet.png' ); ?>" alt="image" />Digital Wallet</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-post-claim" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Post-Claim.png' ); ?>" alt="image" />Post Claim</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-bulk-import/" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Bulk-Import.png' ); ?>" alt="image" />Bulk Import</a> </div> </div> <div class="cwp-welcome-box cwp-leads-template-addons">@@ -199,12 +200,12 @@ <a href="https://cubewp.com/extensions/" target="_blank">See All</a> </div> <div class="cwp-leads-template-addons-cotent">- <a href="https://cubewp.com/downloads/cubewp-addon-frontend-pro/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Frontend.png'; ?>" alt="image" />Frontend Pro</a>- <a href="https://cubewp.com/downloads/cubewp-addon-payments/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Payments.png'; ?>" alt="image" />Payments</a>- <a href="https://cubewp.com/downloads/cubewp-addon-inbox/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Inbox.png'; ?>" alt="image" />Inbox</a>- <a href="https://cubewp.com/downloads/cubewp-addon-reviews/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Reviews.png'; ?>" alt="image" />Reviews</a>- <a href="https://cubewp.com/downloads/cubewp-addon-booster/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Booster.png'; ?>" alt="image" />Booster</a>- <a href="https://cubewp.com/downloads/cubewp-addon-booking/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Booking.png'; ?>" alt="image" />Booking</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-frontend-pro/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Frontend.png' ); ?>" alt="image" />Frontend Pro</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-payments/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Payments.png' ); ?>" alt="image" />Payments</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-inbox/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Inbox.png' ); ?>" alt="image" />Inbox</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-reviews/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Reviews.png' ); ?>" alt="image" />Reviews</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-booster/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Booster.png' ); ?>" alt="image" />Booster</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-booking/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Booking.png' ); ?>" alt="image" />Booking</a> </div> </div> <div class="cwp-welcome-box cwp-leads-template-addons">@@ -213,11 +214,11 @@ <a href="https://cubewp.com/themes/" target="_blank">See All</a> </div> <div class="cwp-leads-template-addons-cotent">- <a href="https://cubewp.com/downloads/dubified/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/dubi.png'; ?>" alt="image" />Classified Ads Theme</a>- <a href="https://cubewp.com/downloads/streetwise/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/street.png'; ?>" alt="image" />Real-Estate Theme</a>- <a href="https://cubewp.com/downloads/yellowbooks/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/yellow.png'; ?>" alt="image" />Directory Theme</a>- <a href="https://themeforest.net/item/classifiedpro-recommerce-classified-wordpress-theme/44528010" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/classi.png'; ?>" alt="image" />Classified Ads Theme</a>- <a href="https://cubewp.com/downloads/staybnb/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/StayBnb_Preview.png'; ?>" alt="image" style=" background-color: #FFFAFA;border-radius: 5px;" />Staybnb Theme</a>+ <a href="https://cubewp.com/downloads/dubified/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/dubi.png' ); ?>" alt="image" />Classified Ads Theme</a>+ <a href="https://cubewp.com/downloads/streetwise/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/street.png' ); ?>" alt="image" />Real-Estate Theme</a>+ <a href="https://cubewp.com/downloads/yellowbooks/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/yellow.png' ); ?>" alt="image" />Directory Theme</a>+ <a href="https://themeforest.net/item/classifiedpro-recommerce-classified-wordpress-theme/44528010" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/classi.png' ); ?>" alt="image" />Classified Ads Theme</a>+ <a href="https://cubewp.com/downloads/staybnb/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/StayBnb_Preview.png' ); ?>" alt="image" style=" background-color: #FFFAFA;border-radius: 5px;" />Staybnb Theme</a> </div> </div> <div class="cwp-welcome-col-md-12 margin-bottom-10 ">
# Security Analysis Report
## Vulnerability 1: Cross-Site Scripting (XSS) via Unescaped Output
**Vulnerability Existed:** yes
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - CWE-79 - cube/templates/template-library.php - Line 12
**Old Code:**
```php
<h2>Welcome <?php echo $display_name; ?>! Let's Get Started.</h2>
```
**Fixed Code:**
```php
<h2>Welcome <?php echo esc_html($display_name); ?>! Let's Get Started.</h2>
```
**Explanation:**
The variable `$display_name` was output directly into HTML context without sanitization. This allows an attacker who can control the user's first name or last name (via user profile injection or database compromise) to inject malicious JavaScript code. The fix uses `esc_html()` to escape HTML special characters, preventing XSS attacks.
---
## Vulnerability 2: Unvalidated URL Output (Multiple Instances)
**Vulnerability Existed:** yes
**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79** - CWE-79 - cube/templates/template-library.php - Lines 42, 47, 66, 71, 90, 95, 113, 118, 136, 140, 159, 164, 181, 190-193, 203-206, 216-219
**Old Code (Example):**
```php
<img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png'; ?>" alt="" />
```
**Fixed Code (Example):**
```php
<img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/demowp-rocket.png' ); ?>" alt="" />
```
**Explanation:**
Multiple instances of URLs constructed from the `CWP_PLUGIN_URI` constant were output directly without URL escaping. While `CWP_PLUGIN_URI` is a plugin-defined constant, the best practice is to escape URLs in HTML attributes using `esc_url()`. This prevents potential issues if the constant's value is ever compromised or if it contains unvalidated data. The fix wraps all URL outputs with `esc_url()`, which validates and escapes URLs to prevent attribute injection attacks.
---
## Summary
The diff addresses **2 primary vulnerability classes**:
1. **HTML Context XSS** (1 instance) - Fixed by using `esc_html()`
2. **URL Context XSS** (16+ instances) - Fixed by using `esc_url()`
All fixes follow WordPress security best practices by applying proper output escaping based on context. The additional phpcs directive comment added at line 2 suppresses a code style warning about global naming conventions, which is a separate concern from security.
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
--- cache/cubewp-framework_1.1.27/cube/templates/welcome.php 2026-01-18 00:20:47.549240512 +0000+++ cache/cubewp-framework_1.1.28/cube/templates/welcome.php 2026-01-18 00:20:56.221779341 +0000@@ -1,4 +1,5 @@ <?php+// phpcs:disable WordPress.NamingConventions.PrefixAllGlobals wp_enqueue_style('cubewp-welcome'); $current_user = wp_get_current_user(); if( $current_user->user_firstname ){@@ -16,7 +17,7 @@ } </style> <div class="cwp-welcome-title">- <h2>Welcome <?php echo $display_name; ?>! Let’s Get Started.</h2>+ <h2>Welcome <?php echo esc_html($display_name); ?>! Let’s Get Started.</h2> </div> <div class="cubwp-welcome"> <div class="cwp-dashboard-content-panel" id="Dashboard">@@ -25,7 +26,7 @@ <div class="cwp-dashboard-data-structure first-data-structure"> <div class="cwp-dashboard-data-structure-header"> <div class="cwp-dashboard-data-structure-svg">- <img src="<?php echo CWP_PLUGIN_URI; ?>/cube/assets/admin/images/welcome-dashboard/data-structure.png" alt="image" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/data-structure.png' ); ?>" alt="image" /> </div> <div class="cwp-dashboard-data-structure-header-details"> <h3>Dynamic Data Structure</h3>@@ -33,16 +34,16 @@ </div> </div> <div class="cwp-dashboard-data-structure-content">- <a href="<?php echo admin_url( 'admin.php?page=cubewp-post-types' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=cubewp-post-types' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons">- <img src="<?php echo CWP_PLUGIN_URI; ?>/cube/assets/admin/images/welcome-dashboard/Custom-Post-Types.png" alt="image" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/Custom-Post-Types.png' ); ?>" alt="image" /> </div> <p> Custom Post Types</p> <span class="dashicons dashicons-plus"></span> </a>- <a href="<?php echo admin_url( 'admin.php?page=cubewp-taxonomies' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=cubewp-taxonomies' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons">- <img src="<?php echo CWP_PLUGIN_URI; ?>/cube/assets/admin/images/welcome-dashboard/Custom-Taxonomies.png" alt="image" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/Custom-Taxonomies.png' ); ?>" alt="image" /> </div> <p>Custom Taxonomies</p> <span class="dashicons dashicons-plus"></span>@@ -51,11 +52,11 @@ <div class="cwp-dashboard-data-structure-inner-content"> <div class="cwp-dashboard-data-customs-links headings"> <div class="custom-cube-icons">- <img src="<?php echo CWP_PLUGIN_URI; ?>/cube/assets/admin/images/welcome-dashboard/Custom-Fields.png" alt="image" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/Custom-Fields.png' ); ?>" alt="image" /> </div> <p>Custom Fields<br><b>(25+ TYPES)</b></p> </div>- <a href="<?php echo admin_url( 'admin.php?page=custom-fields' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=custom-fields' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons inner"> <svg viewBox="0 0 448 512"@@ -98,14 +99,14 @@ <p>For <b>Post Type</b></p> <span class="dashicons dashicons-plus"></span> </a>- <a href="<?php echo admin_url( 'admin.php?page=taxonomy-custom-fields' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=taxonomy-custom-fields' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons inner"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M80 104a24 24 0 1 0 0-48 24 24 0 1 0 0 48zm80-24c0 32.8-19.7 61-48 73.3v87.8c18.8-10.9 40.7-17.1 64-17.1h96c35.3 0 64-28.7 64-64v-6.7C307.7 141 288 112.8 288 80c0-44.2 35.8-80 80-80s80 35.8 80 80c0 32.8-19.7 61-48 73.3V160c0 70.7-57.3 128-128 128H176c-35.3 0-64 28.7-64 64v6.7c28.3 12.3 48 40.5 48 73.3c0 44.2-35.8 80-80 80s-80-35.8-80-80c0-32.8 19.7-61 48-73.3V352 153.3C19.7 141 0 112.8 0 80C0 35.8 35.8 0 80 0s80 35.8 80 80zm232 0a24 24 0 1 0 -48 0 24 24 0 1 0 48 0zM80 456a24 24 0 1 0 0-48 24 24 0 1 0 0 48z"/></svg> </div> <p>For <b>Taxonomies</b></p> <span class="dashicons dashicons-plus"></span> </a>- <a href="<?php echo admin_url( 'admin.php?page=user-custom-fields' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=user-custom-fields' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons inner"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 640 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M144 160A80 80 0 1 0 144 0a80 80 0 1 0 0 160zm368 0A80 80 0 1 0 512 0a80 80 0 1 0 0 160zM0 298.7C0 310.4 9.6 320 21.3 320H234.7c.2 0 .4 0 .7 0c-26.6-23.5-43.3-57.8-43.3-96c0-7.6 .7-15 1.9-22.3c-13.6-6.3-28.7-9.7-44.6-9.7H106.7C47.8 192 0 239.8 0 298.7zM320 320c24 0 45.9-8.8 62.7-23.3c2.5-3.7 5.2-7.3 8-10.7c2.7-3.3 5.7-6.1 9-8.3C410 262.3 416 243.9 416 224c0-53-43-96-96-96s-96 43-96 96s43 96 96 96zm65.4 60.2c-10.3-5.9-18.1-16.2-20.8-28.2H261.3C187.7 352 128 411.7 128 485.3c0 14.7 11.9 26.7 26.7 26.7H455.2c-2.1-5.2-3.2-10.9-3.2-16.4v-3c-1.3-.7-2.7-1.5-4-2.3l-2.6 1.5c-16.8 9.7-40.5 8-54.7-9.7c-4.5-5.6-8.6-11.5-12.4-17.6l-.1-.2-.1-.2-2.4-4.1-.1-.2-.1-.2c-3.4-6.2-6.4-12.6-9-19.3c-8.2-21.2 2.2-42.6 19-52.3l2.7-1.5c0-.8 0-1.5 0-2.3s0-1.5 0-2.3l-2.7-1.5zM533.3 192H490.7c-15.9 0-31 3.5-44.6 9.7c1.3 7.2 1.9 14.7 1.9 22.3c0 17.4-3.5 33.9-9.7 49c2.5 .9 4.9 2 7.1 3.3l2.6 1.5c1.3-.8 2.6-1.6 4-2.3v-3c0-19.4 13.3-39.1 35.8-42.6c7.9-1.2 16-1.9 24.2-1.9s16.3 .6 24.2 1.9c22.5 3.5 35.8 23.2 35.8 42.6v3c1.3 .7 2.7 1.5 4 2.3l2.6-1.5c16.8-9.7 40.5-8 54.7 9.7c2.3 2.8 4.5 5.8 6.6 8.7c-2.1-57.1-49-102.7-106.6-102.7zm91.3 163.9c6.3-3.6 9.5-11.1 6.8-18c-2.1-5.5-4.6-10.8-7.4-15.9l-2.3-4c-3.1-5.1-6.5-9.9-10.2-14.5c-4.6-5.7-12.7-6.7-19-3L574.4 311c-8.9-7.6-19.1-13.6-30.4-17.6v-21c0-7.3-4.9-13.8-12.1-14.9c-6.5-1-13.1-1.5-19.9-1.5s-13.4 .5-19.9 1.5c-7.2 1.1-12.1 7.6-12.1 14.9v21c-11.2 4-21.5 10-30.4 17.6l-18.2-10.5c-6.3-3.6-14.4-2.6-19 3c-3.7 4.6-7.1 9.5-10.2 14.6l-2.3 3.9c-2.8 5.1-5.3 10.4-7.4 15.9c-2.6 6.8 .5 14.3 6.8 17.9l18.2 10.5c-1 5.7-1.6 11.6-1.6 17.6s.6 11.9 1.6 17.5l-18.2 10.5c-6.3 3.6-9.5 11.1-6.8 17.9c2.1 5.5 4.6 10.7 7.4 15.8l2.4 4.1c3 5.1 6.4 9.9 10.1 14.5c4.6 5.7 12.7 6.7 19 3L449.6 457c8.9 7.6 19.2 13.6 30.4 17.6v21c0 7.3 4.9 13.8 12.1 14.9c6.5 1 13.1 1.5 19.9 1.5s13.4-.5 19.9-1.5c7.2-1.1 12.1-7.6 12.1-14.9v-21c11.2-4 21.5-10 30.4-17.6l18.2 10.5c6.3 3.6 14.4 2.6 19-3c3.7-4.6 7.1-9.4 10.1-14.5l2.4-4.2c2.8-5.1 5.3-10.3 7.4-15.8c2.6-6.8-.5-14.3-6.8-17.9l-18.2-10.5c1-5.7 1.6-11.6 1.6-17.5s-.6-11.9-1.6-17.6l18.2-10.5zM472 384a40 40 0 1 1 80 0 40 40 0 1 1 -80 0z"/></svg> </div>@@ -119,7 +120,7 @@ <div class="cwp-dashboard-data-structure-header"> <div class="cwp-dashboard-data-structure-svg"> <div class="cwp-dashboard-data-structure-svg">- <img src="<?php echo CWP_PLUGIN_URI; ?>/cube/assets/admin/images/welcome-dashboard/form-builder.png" alt="image" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/form-builder.png' ); ?>" alt="image" /> </div> </div> <div class="cwp-dashboard-data-structure-header-details">@@ -128,7 +129,7 @@ </div> </div> <div class="cwp-dashboard-data-structure-content">- <a href="<?php echo admin_url( 'admin.php?page=cubewp-user-registration-form' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=cubewp-user-registration-form' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M512 80c8.8 0 16 7.2 16 16V416c0 8.8-7.2 16-16 16H64c-8.8 0-16-7.2-16-16V96c0-8.8 7.2-16 16-16H512zM64 32C28.7 32 0 60.7 0 96V416c0 35.3 28.7 64 64 64H512c35.3 0 64-28.7 64-64V96c0-35.3-28.7-64-64-64H64zM208 256a64 64 0 1 0 0-128 64 64 0 1 0 0 128zm-32 32c-44.2 0-80 35.8-80 80c0 8.8 7.2 16 16 16H304c8.8 0 16-7.2 16-16c0-44.2-35.8-80-80-80H176zM376 144c-13.3 0-24 10.7-24 24s10.7 24 24 24h80c13.3 0 24-10.7 24-24s-10.7-24-24-24H376zm0 96c-13.3 0-24 10.7-24 24s10.7 24 24 24h80c13.3 0 24-10.7 24-24s-10.7-24-24-24H376z"/></svg> </div>@@ -139,7 +140,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a href="<?php echo admin_url( 'admin.php?page=cubewp-user-profile-form' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=cubewp-user-profile-form' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M256 48V64c0 17.7-14.3 32-32 32H160c-17.7 0-32-14.3-32-32V48H64c-8.8 0-16 7.2-16 16V448c0 8.8 7.2 16 16 16H320c8.8 0 16-7.2 16-16V64c0-8.8-7.2-16-16-16H256zM0 64C0 28.7 28.7 0 64 0H320c35.3 0 64 28.7 64 64V448c0 35.3-28.7 64-64 64H64c-35.3 0-64-28.7-64-64V64zM160 320h64c44.2 0 80 35.8 80 80c0 8.8-7.2 16-16 16H96c-8.8 0-16-7.2-16-16c0-44.2 35.8-80 80-80zm-32-96a64 64 0 1 1 128 0 64 64 0 1 1 -128 0z"/></svg> </div>@@ -150,7 +151,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a href="<?php echo admin_url( 'admin.php?page=cubewp-admin-search-fields' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=cubewp-admin-search-fields' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!-- Font Awesome Pro 5.15.4 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) --><path d="M505 442.7L405.3 343c-4.5-4.5-10.6-7-17-7H372c27.6-35.3 44-79.7 44-128C416 93.1 322.9 0 208 0S0 93.1 0 208s93.1 208 208 208c48.3 0 92.7-16.4 128-44v16.3c0 6.4 2.5 12.5 7 17l99.7 99.7c9.4 9.4 24.6 9.4 33.9 0l28.3-28.3c9.4-9.4 9.4-24.6.1-34zM208 336c-70.7 0-128-57.2-128-128 0-70.7 57.2-128 128-128 70.7 0 128 57.2 128 128 0 70.7-57.2 128-128 128z"/></svg> </div>@@ -161,7 +162,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a href="<?php echo admin_url( 'admin.php?page=cubewp-admin-search-filters' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=cubewp-admin-search-filters' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M3.9 54.9C10.5 40.9 24.5 32 40 32H472c15.5 0 29.5 8.9 36.1 22.9s4.6 30.5-5.2 42.5L320 320.9V448c0 12.1-6.8 23.2-17.7 28.6s-23.8 4.3-33.5-3l-64-48c-8.1-6-12.8-15.5-12.8-25.6V320.9L9 97.3C-.7 85.4-2.8 68.8 3.9 54.9z"/></svg> </div>@@ -172,7 +173,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a href="<?php echo admin_url( 'admin.php?page=cubewp-post-types-form' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url( admin_url( 'admin.php?page=cubewp-post-types-form' ) ); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg viewBox="0 0 448 512"@@ -220,7 +221,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a <?php if( class_exists('CubeWp_Forms_Custom') ){ echo 'href="'.admin_url( 'admin.php?page=cubewp-form-fields' ).'"'; }else { echo 'href="'.'https://wordpress.org/plugins/cubewp-forms/'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links">+ <a <?php if( class_exists('CubeWp_Forms_Custom') ){ echo 'href="'.esc_url(admin_url( 'admin.php?page=cubewp-form-fields' )).'"'; }else { echo 'href="'.'https://wordpress.org/plugins/cubewp-forms/'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M64 0C28.7 0 0 28.7 0 64V448c0 35.3 28.7 64 64 64H320c35.3 0 64-28.7 64-64V428.7c-2.7 1.1-5.4 2-8.2 2.7l-60.1 15c-3 .7-6 1.2-9 1.4c-.9 .1-1.8 .2-2.7 .2H240c-6.1 0-11.6-3.4-14.3-8.8l-8.8-17.7c-1.7-3.4-5.1-5.5-8.8-5.5s-7.2 2.1-8.8 5.5l-8.8 17.7c-2.9 5.9-9.2 9.4-15.7 8.8s-12.1-5.1-13.9-11.3L144 381l-9.8 32.8c-6.1 20.3-24.8 34.2-46 34.2H80c-8.8 0-16-7.2-16-16s7.2-16 16-16h8.2c7.1 0 13.3-4.6 15.3-11.4l14.9-49.5c3.4-11.3 13.8-19.1 25.6-19.1s22.2 7.8 25.6 19.1l11.6 38.6c7.4-6.2 16.8-9.7 26.8-9.7c15.9 0 30.4 9 37.5 23.2l4.4 8.8h8.9c-3.1-8.8-3.7-18.4-1.4-27.8l15-60.1c2.8-11.3 8.6-21.5 16.8-29.7L384 203.6V160H256c-17.7 0-32-14.3-32-32V0H64zM256 0V128H384L256 0zM549.8 139.7c-15.6-15.6-40.9-15.6-56.6 0l-29.4 29.4 71 71 29.4-29.4c15.6-15.6 15.6-40.9 0-56.6l-14.4-14.4zM311.9 321c-4.1 4.1-7 9.2-8.4 14.9l-15 60.1c-1.4 5.5 .2 11.2 4.2 15.2s9.7 5.6 15.2 4.2l60.1-15c5.6-1.4 10.8-4.3 14.9-8.4L512.1 262.7l-71-71L311.9 321z"/></svg> </div>@@ -236,7 +237,7 @@ <div class="cwp-dashboard-data-structure"> <div class="cwp-dashboard-data-structure-header"> <div class="cwp-dashboard-data-structure-svg">- <img src="<?php echo CWP_PLUGIN_URI; ?>/cube/assets/admin/images/welcome-dashboard/layout-manager.png" alt="image" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . '/cube/assets/admin/images/welcome-dashboard/layout-manager.png' ); ?>" alt="image" /> </div> <div class="cwp-dashboard-data-structure-header-details"> <h3>Frontend Dynamic Layout Manager:</h3>@@ -244,7 +245,7 @@ </div> </div> <div class="cwp-dashboard-data-structure-content">- <a href="<?php echo admin_url( 'admin.php?page=cubewp-single-layout' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url(admin_url( 'admin.php?page=cubewp-single-layout' )); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg viewBox="0 0 512 512"@@ -291,7 +292,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a href="<?php echo admin_url( 'admin.php?page=cubewp-user-dashboard' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url(admin_url( 'admin.php?page=cubewp-user-dashboard' )); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M0 256a256 256 0 1 1 512 0A256 256 0 1 1 0 256zm320 96c0-26.9-16.5-49.9-40-59.3V88c0-13.3-10.7-24-24-24s-24 10.7-24 24V292.7c-23.5 9.5-40 32.5-40 59.3c0 35.3 28.7 64 64 64s64-28.7 64-64zM144 176a32 32 0 1 0 0-64 32 32 0 1 0 0 64zm-16 80a32 32 0 1 0 -64 0 32 32 0 1 0 64 0zm288 32a32 32 0 1 0 0-64 32 32 0 1 0 0 64zM400 144a32 32 0 1 0 -64 0 32 32 0 1 0 64 0z"/></svg> </div>@@ -302,7 +303,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a href="<?php echo admin_url( 'admin.php?page=cubewp-loop-builder' ); ?>" class="cwp-dashboard-data-customs-links">+ <a href="<?php echo esc_url(admin_url( 'admin.php?page=cubewp-loop-builder' )); ?>" class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M128 136c0-22.1-17.9-40-40-40L40 96C17.9 96 0 113.9 0 136l0 48c0 22.1 17.9 40 40 40H88c22.1 0 40-17.9 40-40l0-48zm0 192c0-22.1-17.9-40-40-40H40c-22.1 0-40 17.9-40 40l0 48c0 22.1 17.9 40 40 40H88c22.1 0 40-17.9 40-40V328zm32-192v48c0 22.1 17.9 40 40 40h48c22.1 0 40-17.9 40-40V136c0-22.1-17.9-40-40-40l-48 0c-22.1 0-40 17.9-40 40zM288 328c0-22.1-17.9-40-40-40H200c-22.1 0-40 17.9-40 40l0 48c0 22.1 17.9 40 40 40h48c22.1 0 40-17.9 40-40V328zm32-192v48c0 22.1 17.9 40 40 40h48c22.1 0 40-17.9 40-40V136c0-22.1-17.9-40-40-40l-48 0c-22.1 0-40 17.9-40 40zM448 328c0-22.1-17.9-40-40-40H360c-22.1 0-40 17.9-40 40v48c0 22.1 17.9 40 40 40h48c22.1 0 40-17.9 40-40V328z"/></svg> </div>@@ -318,7 +319,7 @@ <div class="cwp-dashboard-data-structure"> <div class="cwp-dashboard-data-structure-header"> <div class="cwp-dashboard-data-structure-svg">- <img src="<?php echo CWP_PLUGIN_URI; ?>/cube/assets/admin/images/welcome-dashboard/robust-features.png" alt="image" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/robust-features.png' ); ?>" alt="image" /> </div> <div class="cwp-dashboard-data-structure-header-details"> <h3>Engagement & Growth</h3>@@ -337,7 +338,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a <?php if( class_exists('CubeWp_Payments_Load') ){ echo 'href="'.admin_url( 'edit.php?post_type=price_plan' ).'"'; }else { echo 'href="'.'https://cubewp.com/cubewp-payments'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links">+ <a <?php if( class_exists('CubeWp_Payments_Load') ){ echo 'href="'.esc_url( admin_url( 'edit.php?post_type=price_plan' ) ).'"'; }else { echo 'href="'.'https://cubewp.com/cubewp-payments'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M64 0C46.3 0 32 14.3 32 32V96c0 17.7 14.3 32 32 32h80v32H87c-31.6 0-58.5 23.1-63.3 54.4L1.1 364.1C.4 368.8 0 373.6 0 378.4V448c0 35.3 28.7 64 64 64H448c35.3 0 64-28.7 64-64V378.4c0-4.8-.4-9.6-1.1-14.4L488.2 214.4C483.5 183.1 456.6 160 425 160H208V128h80c17.7 0 32-14.3 32-32V32c0-17.7-14.3-32-32-32H64zM96 48H256c8.8 0 16 7.2 16 16s-7.2 16-16 16H96c-8.8 0-16-7.2-16-16s7.2-16 16-16zM64 432c0-8.8 7.2-16 16-16H432c8.8 0 16 7.2 16 16s-7.2 16-16 16H80c-8.8 0-16-7.2-16-16zm48-168a24 24 0 1 1 0-48 24 24 0 1 1 0 48zm120-24a24 24 0 1 1 -48 0 24 24 0 1 1 48 0zM160 344a24 24 0 1 1 0-48 24 24 0 1 1 0 48zM328 240a24 24 0 1 1 -48 0 24 24 0 1 1 48 0zM256 344a24 24 0 1 1 0-48 24 24 0 1 1 0 48zM424 240a24 24 0 1 1 -48 0 24 24 0 1 1 48 0zM352 344a24 24 0 1 1 0-48 24 24 0 1 1 0 48z"/></svg> </div>@@ -348,7 +349,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a <?php if( class_exists('CubeWp_Reviews_Load') ){ echo 'href="'.admin_url( 'edit.php?post_type=cwp_reviews' ).'"'; }else { echo 'href="'.'https://cubewp.com/downloads/cubewp-addon-reviews'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links">+ <a <?php if( class_exists('CubeWp_Reviews_Load') ){ echo 'href="'.esc_url( admin_url( 'edit.php?post_type=cwp_reviews' ) ).'"'; }else { echo 'href="'.'https://cubewp.com/downloads/cubewp-addon-reviews'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 640 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M320 376.4l.1-.1 26.4 14.1 85.2 45.5-16.5-97.6-4.8-28.7 20.7-20.5 70.1-69.3-96.1-14.2-29.3-4.3-12.9-26.6L320.1 86.9l-.1 .3V376.4zm175.1 98.3c2 12-3 24.2-12.9 31.3s-23 8-33.8 2.3L320.1 439.8 191.8 508.3C181 514 167.9 513.1 158 506s-14.9-19.3-12.9-31.3L169.8 329 65.6 225.9c-8.6-8.5-11.7-21.2-7.9-32.7s13.7-19.9 25.7-21.7L227 150.3 291.4 18c5.4-11 16.5-18 28.8-18s23.4 7 28.8 18l64.3 132.3 143.6 21.2c12 1.8 22 10.2 25.7 21.7s.7 24.2-7.9 32.7L470.5 329l24.6 145.7z"/></svg> </div>@@ -370,7 +371,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a <?php if( class_exists('CubeWp_Claim_Load') ){ echo 'href="'.admin_url( 'edit.php?post_type=cwp_claim' ).'"'; }else { echo 'href="'.'https://cubewp.com/downloads/cubewp-post-claim'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links">+ <a <?php if( class_exists('CubeWp_Claim_Load') ){ echo 'href="'.esc_url( admin_url( 'edit.php?post_type=cwp_claim' ) ).'"'; }else { echo 'href="'.'https://cubewp.com/downloads/cubewp-post-claim'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M256 512A256 256 0 1 0 256 0a256 256 0 1 0 0 512zM369 209L241 337c-9.4 9.4-24.6 9.4-33.9 0l-64-64c-9.4-9.4-9.4-24.6 0-33.9s24.6-9.4 33.9 0l47 47L335 175c9.4-9.4 24.6-9.4 33.9 0s9.4 24.6 0 33.9z"/></svg> </div>@@ -381,7 +382,7 @@ <span class="dashicons dashicons-lock"></span> <?php } ?> </a>- <a <?php if( class_exists('CubeWp_Wallet_Load') ){ echo 'href="'.admin_url( 'edit.php?post_type=cubewp_wallet' ).'"'; }else { echo 'href="'.'https://cubewp.com/downloads/cubewp-addon-wallet'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links">+ <a <?php if( class_exists('CubeWp_Wallet_Load') ){ echo 'href="'.esc_url( admin_url( 'edit.php?post_type=cubewp_wallet' ) ).'"'; }else { echo 'href="'.'https://cubewp.com/downloads/cubewp-addon-wallet'.'" target="blank"'; } ?> class="cwp-dashboard-data-customs-links"> <div class="custom-cube-icons"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Pro 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license (Commercial License) Copyright 2023 Fonticons, Inc. --><path d="M64 32C28.7 32 0 60.7 0 96V416c0 35.3 28.7 64 64 64H448c35.3 0 64-28.7 64-64V192c0-35.3-28.7-64-64-64H80c-8.8 0-16-7.2-16-16s7.2-16 16-16H448c17.7 0 32-14.3 32-32s-14.3-32-32-32H64zM416 272a32 32 0 1 1 0 64 32 32 0 1 1 0-64z"/></svg> </div>@@ -430,7 +431,7 @@ </div> </div> <div class="cwp-welcome-box-logo">- <img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/cube-addons.png'; ?>" alt="" />+ <img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/cube-addons.png' ) ; ?>" alt="" /> </div> </div> <div class="cwp-welcome-box cwp-leads-template-addons">@@ -439,10 +440,10 @@ <a href="https://cubewp.com/extensions/" target="_blank">See All</a> </div> <div class="cwp-leads-template-addons-cotent">- <a href="https://cubewp.com/downloads/cubewp-addon-social-logins/" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Social-Login.png'; ?>" alt="image" />Social Login</a>- <a href="https://cubewp.com/downloads/cubewp-addon-wallet" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Digital-Wallet.png'; ?>" alt="image" />Digital Wallet</a>- <a href="https://cubewp.com/downloads/cubewp-addon-post-claim" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Post-Claim.png'; ?>" alt="image" />Post Claim</a>- <a href="https://cubewp.com/downloads/cubewp-addon-bulk-import/" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Bulk-Import.png'; ?>" alt="image" />Bulk Import</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-social-logins/" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Social-Login.png' ); ?>" alt="image" />Social Login</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-wallet" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Digital-Wallet.png' ); ?>" alt="image" />Digital Wallet</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-post-claim" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Post-Claim.png' ); ?>" alt="image" />Post Claim</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-bulk-import/" class="cwp-lead-content-imges four" target="_blank"><img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Bulk-Import.png' ); ?>" alt="image" />Bulk Import</a> </div> </div> <div class="cwp-welcome-box cwp-leads-template-addons">@@ -451,12 +452,12 @@ <a href="https://cubewp.com/extensions/" target="_blank">See All</a> </div> <div class="cwp-leads-template-addons-cotent">- <a href="https://cubewp.com/downloads/cubewp-addon-frontend-pro/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Frontend.png'; ?>" alt="image" />Frontend Pro</a>- <a href="https://cubewp.com/downloads/cubewp-addon-payments/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Payments.png'; ?>" alt="image" />Payments</a>- <a href="https://cubewp.com/downloads/cubewp-addon-inbox/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Inbox.png'; ?>" alt="image" />Inbox</a>- <a href="https://cubewp.com/downloads/cubewp-addon-reviews/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Reviews.png'; ?>" alt="image" />Reviews</a>- <a href="https://cubewp.com/downloads/cubewp-addon-booster/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Booster.png'; ?>" alt="image" />Booster</a>- <a href="https://cubewp.com/downloads/cubewp-addon-booking/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Booking.png'; ?>" alt="image" />Booking</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-frontend-pro/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Frontend.png'); ?>" alt="image" />Frontend Pro</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-payments/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Payments.png'); ?>" alt="image" />Payments</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-inbox/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Inbox.png'); ?>" alt="image" />Inbox</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-reviews/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Reviews.png'); ?>" alt="image" />Reviews</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-booster/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Booster.png'); ?>" alt="image" />Booster</a>+ <a href="https://cubewp.com/downloads/cubewp-addon-booking/" class="cwp-lead-content-imges three" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/Booking.png'); ?>" alt="image" />Booking</a> </div> </div> <div class="cwp-welcome-box cwp-leads-template-addons">@@ -465,11 +466,11 @@ <a href="https://cubewp.com/themes/" target="_blank">See All</a> </div> <div class="cwp-leads-template-addons-cotent">- <a href="https://cubewp.com/downloads/dubified/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/dubi.png'; ?>" alt="image" />Classified Ads Theme</a>- <a href="https://cubewp.com/downloads/streetwise/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/street.png'; ?>" alt="image" />Real-Estate Theme</a>- <a href="https://cubewp.com/downloads/yellowbooks/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/yellow.png'; ?>" alt="image" />Directory Theme</a>- <a href="https://themeforest.net/item/classifiedpro-recommerce-classified-wordpress-theme/44528010" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/classi.png'; ?>" alt="image" />Classified Ads Theme</a>- <a href="https://cubewp.com/downloads/staybnb/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/StayBnb_Preview.png'; ?>" alt="image" style=" background-color: #FFFAFA;border-radius: 5px;" />Staybnb Theme</a>+ <a href="https://cubewp.com/downloads/dubified/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/dubi.png'); ?>" alt="image" />Classified Ads Theme</a>+ <a href="https://cubewp.com/downloads/streetwise/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/street.png'); ?>" alt="image" />Real-Estate Theme</a>+ <a href="https://cubewp.com/downloads/yellowbooks/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/yellow.png'); ?>" alt="image" />Directory Theme</a>+ <a href="https://themeforest.net/item/classifiedpro-recommerce-classified-wordpress-theme/44528010" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/themes-extensions/classi.png'); ?>" alt="image" />Classified Ads Theme</a>+ <a href="https://cubewp.com/downloads/staybnb/" class="cwp-lead-content-imges two" target="_blank"><img src="<?php echo esc_url(CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/template-library/StayBnb_Preview.png'); ?>" alt="image" style=" background-color: #FFFAFA;border-radius: 5px;" />Staybnb Theme</a> </div> </div> <div class="cwp-welcome-row">
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - cube/templates/welcome.php [20, 28, 37, 38, 43, 45, 59, 63, 65, 72, 74, 122, 132, 143, 153, 163, 175, 224, 340, 348, 356, 364, 441-469]
Old Code:
```php
<h2>Welcome <?php echo $display_name; ?>! Let's Get Started.</h2>
<img src="<?php echo CWP_PLUGIN_URI; ?>/cube/assets/admin/images/welcome-dashboard/data-structure.png" alt="image" />
<a href="<?php echo admin_url( 'admin.php?page=cubewp-post-types' ); ?>" class="cwp-dashboard-data-customs-links">
<img src="<?php echo CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/Custom-Post-Types.png'; ?>" alt="image" />
```
Fixed Code:
```php
<h2>Welcome <?php echo esc_html($display_name); ?>! Let's Get Started.</h2>
<img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/data-structure.png' ); ?>" alt="image" />
<a href="<?php echo esc_url( admin_url( 'admin.php?page=cubewp-post-types' ) ); ?>" class="cwp-dashboard-data-customs-links">
<img src="<?php echo esc_url( CWP_PLUGIN_URI . 'cube/assets/admin/images/welcome-dashboard/Custom-Post-Types.png' ); ?>" alt="image" />
```
Explanation:
The original code outputs user-controlled data and URLs directly into HTML without proper escaping, creating multiple XSS vulnerabilities:
1. `$display_name` is output without escaping, allowing stored XSS if this value is user-controlled
2. URLs in `src` and `href` attributes are output without escaping via `esc_url()`, allowing javascript: protocol injection or malicious URL injection
3. The fix applies `esc_html()` for text content and `esc_url()` for all URL contexts, which are the correct WordPress escaping functions for these output contexts
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.