Wordfence CVE Analysis

CWE-89 • Year: 2025
Analyzed CVEs: CVE-2025-10587,CVE-2025-10586,CVE-2025-30876,CVE-2025-1702,CVE-2025-52832,CVE-2025-4203,CVE-2025-46248,CVE-2025-47640,CVE-2025-39595,CVE-2025-54678,CVE-2025-22785,CVE-2025-47671,CVE-2025-12482,CVE-2025-26988,CVE-2025-49452,CVE-2025-7670,CVE-2025-31534,CVE-2025-9172,CVE-2025-49870,CVE-2025-54726,CVE-2025-31551,CVE-2025-48283,CVE-2025-28904,CVE-2025-32550,CVE-2025-30774,CVE-2025-0308,CVE-2025-30807,CVE-2025-2186,CVE-2025-7036,CVE-2025-10862,CVE-2025-39587,CVE-2025-26943,CVE-2025-30886,CVE-2025-47682,CVE-2025-31599,CVE-2025-31542,CVE-2025-8994,CVE-2025-0723,CVE-2025-24780,CVE-2025-48278,CVE-2025-1768,CVE-2025-1264,CVE-2025-47490,CVE-2025-10748,CVE-2025-31089,CVE-2025-25151,CVE-2025-24672,CVE-2025-5673,CVE-2025-9776,CVE-2025-49876,CVE-2025-9451,CVE-2025-10649,CVE-2025-31564,CVE-2025-3436,CVE-2025-30819,CVE-2025-2128,CVE-2025-48118,CVE-2025-6986,CVE-2025-24728,CVE-2025-10042,CVE-2025-2074,CVE-2025-11980,CVE-2025-49327,CVE-2025-3428,CVE-2025-46242,CVE-2025-48299,CVE-2025-3429,CVE-2025-26971,CVE-2025-31910,CVE-2025-30843,CVE-2025-3470,CVE-2025-58604,CVE-2025-62015,CVE-2025-10187,CVE-2025-22352,CVE-2025-10185,CVE-2025-47460,CVE-2025-10048,CVE-2025-3430,CVE-2025-10683,CVE-2025-58789,CVE-2025-39566,CVE-2025-49854,CVE-2025-49315,CVE-2025-32203,CVE-2025-49263,CVE-2025-54043,CVE-2025-49326,CVE-2025-12620,CVE-2025-24683,CVE-2025-22527,CVE-2025-0861,CVE-2025-3427,CVE-2025-48301,CVE-2025-22652,CVE-2025-49328,CVE-2025-53256,CVE-2025-47537,CVE-2025-47587,CVE-2025-10036

Wordfence Intelligence AI: deepseek deepseek-chat
[CVE-2025-10586] [Community Events: 1.5.1→1.5.2] community-events.php AI: 1 vulnerability, 1 false positive, 1 true positive
--- cache/community-events_1.5.1/community-events.php	2025-11-20 22:02:40.612929918 +0000+++ cache/community-events_1.5.2/community-events.php	2025-11-20 22:02:41.597993245 +0000@@ -2,7 +2,7 @@ /*Plugin Name: Community Events Plugin URI: https://ylefebvre.github.io/wordpress-plugins/community-events/ Description: A plugin used to manage events and display them in a widget-Version: 1.5.1+Version: 1.5.2 Author: Yannick Lefebvre Author URI: https://ylefebvre.github.io Copyright 2024  Yannick Lefebvre  (email : [email protected])@@ -3205,10 +3205,10 @@ 						} 					} 					else-						$venueid = $_POST['event_venue'];+						$venueid = intval( $_POST['event_venue'] );  					$newevent = array("event_name" => sanitize_text_field($_POST['event_name']), "event_start_date" => sanitize_text_field($_POST['event_start_date']), "event_start_hour" => sanitize_text_field($_POST['event_start_hour']), "event_start_minute" => sanitize_text_field($_POST['event_start_minute']), "event_start_ampm" => sanitize_text_field($_POST['event_start_ampm']),-						"event_description" => sanitize_text_field($_POST['event_description']), "event_url" => sanitize_url($_POST['event_url']), "event_ticket_url" => sanitize_url($_POST['event_ticket_url']), "event_venue" => intval( $venueid ), "event_category" => sanitize_text_field( $_POST['event_category'] ),+						"event_description" => sanitize_text_field($_POST['event_description']), "event_url" => sanitize_url($_POST['event_url']), "event_ticket_url" => sanitize_url($_POST['event_ticket_url']), "event_venue" => $venueid, "event_category" => intval( sanitize_text_field( $_POST['event_category'] ) ), 						"event_submitter" => sanitize_text_field( $username ), "event_end_hour" => sanitize_text_field( ( isset( $_POST['event_end_hour'] ) ? $_POST['event_end_hour'] : '' ) ), "event_end_minute" => sanitize_text_field( ( isset( $_POST['event_end_minute'] ) ? 
$_POST['event_end_minute'] : '' ) ), "event_end_ampm" => sanitize_text_field(( isset( $_POST['event_end_ampm'] ) ? $_POST['event_end_ampm'] : '' )));  					if (isset($_POST['submiteventnew']))@@ -3257,7 +3257,7 @@ 						$headers = "MIME-Version: 1.0\r\n"; 						$headers .= "Content-type: text/html; charset=iso-8859-1\r\n"; -						$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . "ce_venues where ce_venue_id = " . $venueid;+						$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . "ce_venues where ce_venue_id = " . intval( $venueid ); 						$venuename = $wpdb->get_var($venuenamequery);  						$categorynamequery = "select event_cat_name from " . $wpdb->prefix . "ce_category where event_cat_id = " . $newevent['event_category'];
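Review bot: the `ce_category` query on the last context line of the 3257 hunk still builds SQL by concatenation (`... where event_cat_id = " . $newevent['event_category']`) and relies on the `intval()` applied when `$newevent` is assembled some fifty lines earlier, whereas `$venueid` in the same hunk is cast again at the point of use. Both queries take a single integer, so `$wpdb->prepare()` with a `%d` placeholder would remove the dependency on a cast at a distance, e.g. `$wpdb->prepare( "SELECT ce_venue_name FROM {$wpdb->prefix}ce_venues WHERE ce_venue_id = %d", $venueid )`, and the same for `event_cat_id`. Minor: `intval( sanitize_text_field( $_POST['event_category'] ) )` is safe, but the inner call is redundant once the value is cast.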
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CWE-89 - community-events.php 3260
Old Code:
$categorynamequery = "select event_cat_name from " . $wpdb->prefix . "ce_category where event_cat_id = " . $newevent['event_category'];
Fixed Code:
$categorynamequery = "select event_cat_name from " . $wpdb->prefix . "ce_category where event_cat_id = " . intval($newevent['event_category']);

Explanation:
The old code at line 3260 constructs an SQL query by directly concatenating user-controlled data ($newevent['event_category']) into the query string. While the code attempts to sanitize $_POST['event_category'] with sanitize_text_field() at line 3208, this function is designed for output sanitization, not SQL injection protection. sanitize_text_field() removes tags and special characters but does not prevent SQL injection attacks. The attacker-controlled value reaches the SQL sink unsanitized for SQL context, allowing SQL injection if the value contains malicious SQL syntax.

Vulnerability Existed: no
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CWE-89 - community-events.php 3257
Old Code:
$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . "ce_venues where ce_venue_id = " . $venueid;
Fixed Code:
$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . "ce_venues where ce_venue_id = " . intval( $venueid );

Explanation:
The old code at line 3257 was already fixed in the diff. The $venueid variable is properly cast to integer using intval() at line 3205 when assigned from $_POST['event_venue'], making it safe for SQL concatenation. The explicit type casting ensures the value is numeric and cannot contain SQL injection payloads.
CVE Analysis Results:
CVE-2025-10586: No
CVE Description:
The Community Events plugin for WordPress is vulnerable to SQL Injection via the ‘event_venue’ parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-10587] [Community Events: 1.5.1→1.5.2] community-events.php AI: 1 vulnerability, 1 false positive, 1 true positive
--- cache/community-events_1.5.1/community-events.php	2025-11-20 22:02:40.612929918 +0000+++ cache/community-events_1.5.2/community-events.php	2025-11-20 22:02:41.597993245 +0000@@ -2,7 +2,7 @@ /*Plugin Name: Community Events Plugin URI: https://ylefebvre.github.io/wordpress-plugins/community-events/ Description: A plugin used to manage events and display them in a widget-Version: 1.5.1+Version: 1.5.2 Author: Yannick Lefebvre Author URI: https://ylefebvre.github.io Copyright 2024  Yannick Lefebvre  (email : [email protected])@@ -3205,10 +3205,10 @@ 						} 					} 					else-						$venueid = $_POST['event_venue'];+						$venueid = intval( $_POST['event_venue'] );  					$newevent = array("event_name" => sanitize_text_field($_POST['event_name']), "event_start_date" => sanitize_text_field($_POST['event_start_date']), "event_start_hour" => sanitize_text_field($_POST['event_start_hour']), "event_start_minute" => sanitize_text_field($_POST['event_start_minute']), "event_start_ampm" => sanitize_text_field($_POST['event_start_ampm']),-						"event_description" => sanitize_text_field($_POST['event_description']), "event_url" => sanitize_url($_POST['event_url']), "event_ticket_url" => sanitize_url($_POST['event_ticket_url']), "event_venue" => intval( $venueid ), "event_category" => sanitize_text_field( $_POST['event_category'] ),+						"event_description" => sanitize_text_field($_POST['event_description']), "event_url" => sanitize_url($_POST['event_url']), "event_ticket_url" => sanitize_url($_POST['event_ticket_url']), "event_venue" => $venueid, "event_category" => intval( sanitize_text_field( $_POST['event_category'] ) ), 						"event_submitter" => sanitize_text_field( $username ), "event_end_hour" => sanitize_text_field( ( isset( $_POST['event_end_hour'] ) ? $_POST['event_end_hour'] : '' ) ), "event_end_minute" => sanitize_text_field( ( isset( $_POST['event_end_minute'] ) ? 
$_POST['event_end_minute'] : '' ) ), "event_end_ampm" => sanitize_text_field(( isset( $_POST['event_end_ampm'] ) ? $_POST['event_end_ampm'] : '' )));  					if (isset($_POST['submiteventnew']))@@ -3257,7 +3257,7 @@ 						$headers = "MIME-Version: 1.0\r\n"; 						$headers .= "Content-type: text/html; charset=iso-8859-1\r\n"; -						$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . "ce_venues where ce_venue_id = " . $venueid;+						$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . "ce_venues where ce_venue_id = " . intval( $venueid ); 						$venuename = $wpdb->get_var($venuenamequery);  						$categorynamequery = "select event_cat_name from " . $wpdb->prefix . "ce_category where event_cat_id = " . $newevent['event_category'];
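Review bot: `+ $venueid = intval( $_POST['event_venue'] );` is the sole statement of an unbraced `else`, which is fragile if a second statement is later added under it; braces would make the scope of the cast explicit. The assignment also reads `$_POST['event_venue']` without an `isset()` guard, so a request that omits the parameter raises a notice before `intval()` yields 0; that is unchanged from 1.5.1 but worth tidying while this line is being touched.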
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - community-events.php 3260
Old Code:
$categorynamequery = "select event_cat_name from " . $wpdb->prefix . "ce_category where event_cat_id = " . $newevent['event_category'];
Fixed Code:
$categorynamequery = "select event_cat_name from " . $wpdb->prefix . "ce_category where event_cat_id = " . intval($newevent['event_category']);

Explanation:
The vulnerability exists at line 3260 where $newevent['event_category'] is directly concatenated into an SQL query. Tracing the data flow:
- Entry point: $_POST['event_category'] at line 3208
- Transformation: sanitize_text_field($_POST['event_category']) at line 3208, then intval() at line 3208
- However, the intval() result is stored in $newevent['event_category'] but then used directly in SQL concatenation at line 3260
- The value reaches the sink unsanitized for SQL context because while it was cast to int earlier, it's stored in an array and then used directly in SQL string concatenation without proper parameterization or casting at the point of use
- An attacker could potentially control the structure of the SQL query through this value

Vulnerability Existed: no
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - community-events.php 3257
Old Code:
$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . "ce_venues where ce_venue_id = " . $venueid;
Fixed Code:
$venuenamequery = "select ce_venue_name from " . $wpdb->prefix . "ce_venues where ce_venue_id = " . intval($venueid);

Explanation:
The fix adds intval() to $venueid at the point of SQL query construction. Tracing the data flow:
- Entry point: $_POST['event_venue'] at line 3205
- Transformation: intval($_POST['event_venue']) at line 3205
- The value is properly cast to integer before being stored in $venueid
- When used in the SQL query at line 3257, it's already an integer value, making SQL injection impossible
- The additional intval() in the fixed code provides defense in depth but the original was already safe due to the earlier intval() cast
CVE Analysis Results:
CVE-2025-10587: Yes
CVE Description:
The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-1702] [Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin: 2.10.0→2.10.1] includes/core/class-member-directory.php AI: 1 vulnerability, 1 false positive
--- cache/ultimate-member_2.10.0/includes/core/class-member-directory.php	2025-11-20 22:13:16.735820735 +0000+++ cache/ultimate-member_2.10.1/includes/core/class-member-directory.php	2025-11-20 22:18:58.509770365 +0000@@ -1,6 +1,8 @@ <?php namespace um\core; +use WP_User_Query;+ if ( ! defined( 'ABSPATH' ) ) { 	exit; }@@ -1708,6 +1710,7 @@ 			$regexp_map = array( 				'/select(.*?)from/im', 				'/select(.*?)sleep/im',+				"/sleep\(\d+\)/im", // avoid any sleep injections 				'/select(.*?)database/im', 				'/select(.*?)where/im', 				'/update(.*?)set/im',@@ -1768,7 +1771,7 @@ 		 * @param $type 		 * @param $primary_table 		 * @param $primary_id_column-		 * @param \WP_User_Query $context+		 * @param WP_User_Query $context 		 * 		 * @return array 		 */@@ -2940,7 +2943,7 @@  			add_filter( 'pre_user_query', array( &$this, 'pagination_changes' ), 10, 1 ); -			$user_query = new \WP_User_Query( $this->query_args );+			$user_query = new WP_User_Query( $this->query_args );  			remove_filter( 'pre_user_query', array( &$this, 'pagination_changes' ), 10 ); 
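Review bot: the added `"/sleep\(\d+\)/im"` entry extends a denylist in `$regexp_map` and matches only a bare integer argument inside the parentheses, so it narrows the gap rather than closing it; pattern-matching search input can never be a complete SQL injection control. The durable fix belongs at the query: build the search clause through `$wpdb->prepare()` with `$wpdb->esc_like()` for the term so it is never interpreted as SQL, and keep `$regexp_map` only as a secondary signal for logging or rejection. The `use WP_User_Query;` import and the `@param` docblock change are cosmetic.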
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - includes/core/class-member-directory.php [1710]
Old Code:
```php
$regexp_map = array(
    '/select(.*?)from/im',
    '/select(.*?)sleep/im',
    '/select(.*?)database/im',
    '/select(.*?)where/im',
    '/update(.*?)set/im',
```
Fixed Code:
```php
$regexp_map = array(
    '/select(.*?)from/im',
    '/select(.*?)sleep/im',
    "/sleep\(\d+\)/im", // avoid any sleep injections
    '/select(.*?)database/im',
    '/select(.*?)where/im',
    '/update(.*?)set/im',
```

Explanation:
The vulnerability existed because the original regex pattern `/select(.*?)sleep/im` only blocked "select" followed by "sleep", but did not block "sleep()" function calls directly. An attacker could inject sleep() payloads not preceded by "select" to cause time-based SQL injection. The fix adds a new pattern `/sleep\(\d+\)/im` that explicitly blocks sleep() function calls regardless of context, preventing this bypass. The taint flow shows user input reaches SQL query construction through directory search parameters, where sleep() injection was possible despite existing filters.
CVE Analysis Results:
CVE-2025-1702: Yes
CVE Description:
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 2.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-1702] [Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin: 2.10.0→2.10.1] includes/core/class-permalinks.php AI: No vulnerabilities 1 true positive
--- cache/ultimate-member_2.10.0/includes/core/class-permalinks.php	2025-11-20 22:13:16.735820735 +0000+++ cache/ultimate-member_2.10.1/includes/core/class-permalinks.php	2025-11-20 22:18:58.509770365 +0000@@ -134,52 +134,70 @@ 					exit; 				} -				$redirect              = um_get_core_page( 'login', 'account_active' );-				$set_password_required = get_user_meta( $user_id, 'um_set_password_required', true );+				// Activate account link is valid. Can be approved below. -				um_fetch_user( $user_id );+				um_fetch_user( $user_id ); // @todo maybe don't need to fetch. 				UM()->common()->users()->approve( $user_id, true );-				if ( ! empty( $set_password_required ) ) {-					$redirect = um_user( 'password_reset_link' );-				}-				um_reset_user();  				$user_role      = UM()->roles()->get_priority_user_role( $user_id ); 				$user_role_data = UM()->roles()->role_data( $user_role ); -				// log in automatically+				// Log in automatically after activation. 				$login = ! empty( $user_role_data['login_email_activate'] ); // Role setting "Login user after validating the activation link?"-				if ( ! is_user_logged_in() && $login ) {+				if ( $login && ! is_user_logged_in() ) { 					UM()->user()->auto_login( $user_id ); 				}  				/**-				 * UM hook+				 * Fires on user activation after visit link for email confirmation.+				 *+				 * @hook um_after_email_confirmation+				 *+				 * @param {int} $user_id The user ID. 				 
*-				 * @type action-				 * @title um_after_email_confirmation-				 * @description Action on user activation-				 * @input_vars-				 * [{"var":"$user_id","type":"int","desc":"User ID"}]-				 * @change_log-				 * ["Since: 2.0"]-				 * @usage add_action( 'um_after_email_confirmation', 'function_name', 10, 1 );-				 * @example-				 * <?php-				 * add_action( 'um_after_email_confirmation', 'my_after_email_confirmation', 10, 1 );+				 * @since 2.0+				 *+				 * @example <caption>Doing some code after email confirmation and approved $user_id.</caption> 				 * function my_after_email_confirmation( $user_id ) { 				 *     // your code here 				 * }-				 * ?>+				 * add_filter( 'um_after_email_confirmation', 'my_after_email_confirmation' ); 				 */ 				do_action( 'um_after_email_confirmation', $user_id ); +				// Prepare redirect link.+				$set_password_required = get_user_meta( $user_id, 'um_set_password_required', true ); 				if ( empty( $set_password_required ) ) {-					$redirect = empty( $user_role_data['url_email_activate'] ) ? um_get_core_page( 'login', 'account_active' ) : trim( $user_role_data['url_email_activate'] ); // Role setting "URL redirect after email activation"+					// Role setting "URL redirect after email activation".+					$redirect = empty( $user_role_data['url_email_activate'] ) ? 
um_get_core_page( 'login', 'account_active' ) : trim( $user_role_data['url_email_activate'] );+				} else {+					// Redirect to the change password page if there is no password for this user.+					um_fetch_user( $user_id );+					$redirect = um_user( 'password_reset_link' ); 				}+				/**+				 * Filter to change the redirect URL after email confirmation.+				 *+				 * @hook um_after_email_confirmation_redirect+				 *+				 * @param {string} $redirect The redirect URL.+				 * @param {int}    $user_id  The user ID.+				 * @param {bool}   $login    Auto login has been applied and user currently is logged in.+				 *+				 * @since 2.0+				 *+				 * @example <caption>Change redirect after confirmation only for the user with ID=99.</caption>+				 * function my_after_email_confirmation_redirect( $redirect, $user_id, $login ) {+				 *     // your code here+				 *     if ( $user_id === 99 ) {+				 *         $redirect = 'custom_url';+				 *     }+				 *     return $redirect;+				 * }+				 * add_filter( 'um_after_email_confirmation_redirect', 'my_after_email_confirmation_redirect', 10, 3 );+				 */ 				$redirect = apply_filters( 'um_after_email_confirmation_redirect', $redirect, $user_id, $login );--				exit( wp_redirect( $redirect ) );+				um_safe_redirect( $redirect ); 			} 		} 
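Review bot: the rewritten docblock for `um_after_email_confirmation` ends its example with `add_filter( 'um_after_email_confirmation', 'my_after_email_confirmation' );`, but the hook is fired with `do_action( 'um_after_email_confirmation', $user_id );` a few lines below, so the example should use `add_action`. Separately, `um_fetch_user( $user_id )` is now called twice on this path (once before `approve()`, already marked `// @todo maybe don't need to fetch.`, and again in the `else` branch before `um_user( 'password_reset_link' )`); one of the two can go. Replacing `exit( wp_redirect( $redirect ) )` with `um_safe_redirect( $redirect )` is the right change given that `$redirect` passes through the public `um_after_email_confirmation_redirect` filter before use.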
AI Analysis
Vulnerability Existed: no
CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - includes/core/class-permalinks.php 134-204

Old Code:
```php
$redirect = apply_filters( 'um_after_email_confirmation_redirect', $redirect, $user_id, $login );
exit( wp_redirect( $redirect ) );
```

Fixed Code:
```php
$redirect = apply_filters( 'um_after_email_confirmation_redirect', $redirect, $user_id, $login );
um_safe_redirect( $redirect );
```

Explanation:
The code change replaces `wp_redirect($redirect)` with `um_safe_redirect($redirect)`. The `um_safe_redirect()` function performs validation to ensure redirects only go to allowed domains. User input flows from the `url_email_activate` role setting through `$user_role_data['url_email_activate']` to the `$redirect` variable. However, the redirect value is either: 1) a hardcoded core page URL from `um_get_core_page()`, 2) a trimmed role setting value, or 3) a password reset link from `um_user('password_reset_link')`. All these sources are controlled by the site administrator, not external attackers. The `um_safe_redirect()` function provides additional protection by validating the redirect target against allowed domains. There is no unvalidated external user input reaching the redirect sink.
CVE Analysis Results:
CVE-2025-1702: No
[CVE-2025-1702] [Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin: 2.10.0→2.10.1] includes/core/um-actions-profile.php AI: No vulnerabilities 1 true positive
--- cache/ultimate-member_2.10.0/includes/core/um-actions-profile.php	2025-11-20 22:13:16.739820993 +0000+++ cache/ultimate-member_2.10.1/includes/core/um-actions-profile.php	2025-11-20 22:18:58.512770555 +0000@@ -734,24 +734,28 @@ 			$image = um_get_user_avatar_url( $user_id, 'original' ); 		} -		$image      = current( explode( '?', $image ) ); // strip $_GET attributes from photo URL.-		$image_path = wp_normalize_path( ABSPATH . wp_parse_url( $image, PHP_URL_PATH ) );-		$image_info = wp_check_filetype( $image_path );--		$imagesizes = getimagesize( $image_path );-		if ( is_array( $imagesizes ) ) {-			$image_width  = $imagesizes[0];-			$image_height = $imagesizes[1];+		$image_info   = array();+		$image_width  = $image_size;+		$image_height = $image_size;+		if ( false === strpos( $image, 'gravatar.com' ) ) {+			// Ignore Gravatar image here and handler a real image.+			$image      = current( explode( '?', $image ) ); // strip $_GET attributes from photo URL.+			$image_path = wp_normalize_path( ABSPATH . wp_parse_url( $image, PHP_URL_PATH ) );+			$image_info = wp_check_filetype( $image_path );+			$imagesizes = getimagesize( $image_path );+			if ( is_array( $imagesizes ) ) {+				list( $image_width, $image_height ) = $imagesizes;+			} 		} else {-			$image_width  = $image_size;-			$image_height = $image_size;+			// Gravatar image.+			$image_path = esc_url_raw( $image ); 		}  		$person = array(-			'@context'     => 'https://schema.org',-			'@type'        => 'ProfilePage',-			'dateCreated'  => um_user( 'user_registered' ),-			'mainEntity'   => array(+			'@context'    => 'https://schema.org',+			'@type'       => 'ProfilePage',+			'dateCreated' => um_user( 'user_registered' ),+			'mainEntity'  => array( 				'@type'         => 'Person', 				'name'          => esc_attr( $title ), 				'alternateName' => um_user( 'user_login' ),@@ -762,6 +766,7 @@ 				), 			), 		);+ 		$user_last_update = um_user( 'last_update' ); 		if ( ! 
empty( $user_last_update ) ) { 			if ( is_numeric( $user_last_update ) ) {@@ -813,7 +818,7 @@ 		<?php if ( is_ssl() ) { ?> 			<meta property="og:image:secure_url" content="<?php echo esc_url( $image ); ?>"/> 		<?php } ?>-		<?php if ( $image_info['type'] ) { ?>+		<?php if ( ! empty( $image_info['type'] ) ) { ?> 			<meta property="og:image:type" content="<?php echo esc_attr( $image_info['type'] ); ?>" /> 		<?php } ?> 		<meta property="og:url" content="<?php echo esc_url( $url ); ?>"/>
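Review bot: `false === strpos( $image, 'gravatar.com' )` is a substring test on the whole URL rather than a host check, so any avatar URL containing that string anywhere takes the Gravatar branch, and every other URL still goes through `ABSPATH . wp_parse_url( $image, PHP_URL_PATH )`, `wp_check_filetype()` and `getimagesize()` on the local filesystem. Compare `wp_parse_url( $image, PHP_URL_HOST )` against the expected Gravatar host instead, and consider limiting the local branch to URLs under the site's own uploads directory. The `! empty( $image_info['type'] )` change in the second hunk is correct now that `$image_info` defaults to an empty array; the old `$image_info['type']` test would have raised an undefined-index notice on the Gravatar path.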
AI Analysis
Vulnerability Existed: no
CWE-200: Information Exposure - includes/core/um-actions-profile.php 734-818
Old Code:
```php
$image      = current( explode( '?', $image ) ); // strip $_GET attributes from photo URL.
$image_path = wp_normalize_path( ABSPATH . wp_parse_url( $image, PHP_URL_PATH ) );
$image_info = wp_check_filetype( $image_path );

$imagesizes = getimagesize( $image_path );
if ( is_array( $imagesizes ) ) {
    $image_width  = $imagesizes[0];
    $image_height = $imagesizes[1];
} else {
    $image_width  = $image_size;
    $image_height = $image_size;
}
```

Fixed Code:
```php
$image_info   = array();
$image_width  = $image_size;
$image_height = $image_size;
if ( false === strpos( $image, 'gravatar.com' ) ) {
    // Ignore Gravatar image here and handler a real image.
    $image      = current( explode( '?', $image ) ); // strip $_GET attributes from photo URL.
    $image_path = wp_normalize_path( ABSPATH . wp_parse_url( $image, PHP_URL_PATH ) );
    $image_info = wp_check_filetype( $image_path );
    $imagesizes = getimagesize( $image_path );
    if ( is_array( $imagesizes ) ) {
        list( $image_width, $image_height ) = $imagesizes;
    }
} else {
    // Gravatar image.
    $image_path = esc_url_raw( $image );
}
```

Explanation:
The code change adds a check to skip local file operations for Gravatar images. Previously, the code would attempt to process any user avatar URL as a local file path, which could cause errors or expose internal path information when Gravatar URLs were processed. The fix prevents these file operations for Gravatar URLs, avoiding potential information disclosure through error messages or path exposure. The change is defensive and prevents processing external URLs as local files, but does not represent a security vulnerability in the original code since user input was already sanitized through WordPress functions and no direct information exposure vulnerability existed.
CVE Analysis Results:
CVE-2025-1702: No
[CVE-2025-1702] [Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin: 2.10.0→2.10.1] includes/frontend/class-enqueue.php AI: No vulnerabilities 1 true positive
--- cache/ultimate-member_2.10.0/includes/frontend/class-enqueue.php	2025-11-20 22:13:16.741821121 +0000+++ cache/ultimate-member_2.10.1/includes/frontend/class-enqueue.php	2025-11-20 22:18:58.513770618 +0000@@ -144,18 +144,6 @@ 		$localize_data = apply_filters( 'um_enqueue_localize_data', $localize_data ); 		wp_localize_script( 'um_scripts', 'um_scripts', $localize_data ); -		// Makes the honeypot.-		if ( ! empty( UM()->fields()->set_mode ) && ( 'profile' !== UM()->fields()->set_mode || true === UM()->fields()->editing ) ) {-			ob_start();-			?>-			jQuery( window ).on( 'load', function() {-				jQuery('input[name="<?php echo esc_js( UM()->honeypot ); ?>"]').val('');-			});-			<?php-			$inline_script = ob_get_clean();-			wp_add_inline_script( 'um_scripts', $inline_script );-		}- 		wp_register_script( 'um_dropdown', $js_url . 'dropdown' . $suffix . '.js', array( 'jquery' ), UM_VERSION, true );  		wp_register_script( 'um_members', $js_url . 'um-members' . $suffix . '.js', array( 'jquery', 'wp-util', 'jquery-ui-slider', 'um_dropdown', 'wp-hooks', 'jquery-masonry', 'um_scripts' ), UM_VERSION, true );@@ -206,18 +194,6 @@ 		$deps = array_merge( array( 'um_ui', 'um_tipsy', 'um_raty', 'select2', 'um_fileupload', 'um_common', 'um_responsive', 'um_modal' ), self::$fonticons_handlers ); 		wp_register_style( 'um_styles', $css_url . 'um-styles' . $suffix . '.css', $deps, UM_VERSION ); -		// Makes the honeypot invisible.-		if ( ! empty( UM()->fields()->set_mode ) && ( 'profile' !== UM()->fields()->set_mode || true === UM()->fields()->editing ) ) {-			ob_start();-			?>-			.<?php echo esc_attr( UM()->honeypot ); ?>_name {-				display: none !important;-			}-			<?php-			$inline_styles = ob_get_clean();-			wp_add_inline_style( 'um_styles', $inline_styles );-		}- 		wp_register_style( 'um_members', $css_url . 'um-members' . $suffix . '.css', array( 'um_styles' ), UM_VERSION ); 		// RTL styles. 		if ( is_rtl() ) {
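Review bot: both honeypot blocks, the inline script that clears `input[name="<?php echo esc_js( UM()->honeypot ); ?>"]` on load and the inline style that hides `.<honeypot>_name`, are deleted with no replacement visible in either hunk. If this behaviour moved to the field renderer or a bundled asset, the commit message should say where; otherwise the honeypot input renders visibly and browsers that autofill forms may populate it, producing false spam rejections. Nothing in the removed lines changes escaping (`esc_js()` and `esc_attr()` were already applied), so this diff is a feature move, not a security fix.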
AI Analysis
Vulnerability Existed: no
Cross-Site Scripting (XSS) - CWE-79 - includes/frontend/class-enqueue.php [Lines 144-154, 206-216]
Old Code:
```php
// Makes the honeypot.
if ( ! empty( UM()->fields()->set_mode ) && ( 'profile' !== UM()->fields()->set_mode || true === UM()->fields()->editing ) ) {
    ob_start();
    ?>
    jQuery( window ).on( 'load', function() {
        jQuery('input[name="<?php echo esc_js( UM()->honeypot ); ?>"]').val('');
    });
    <?php
    $inline_script = ob_get_clean();
    wp_add_inline_script( 'um_scripts', $inline_script );
}

// Makes the honeypot invisible.
if ( ! empty( UM()->fields()->set_mode ) && ( 'profile' !== UM()->fields()->set_mode || true === UM()->fields()->editing ) ) {
    ob_start();
    ?>
    .<?php echo esc_attr( UM()->honeypot ); ?>_name {
        display: none !important;
    }
    <?php
    $inline_styles = ob_get_clean();
    wp_add_inline_style( 'um_styles', $inline_styles );
}
```
Fixed Code:
```php
// Both honeypot code blocks have been completely removed
```

Explanation:
The removed code contained proper output escaping using `esc_js()` for JavaScript context and `esc_attr()` for CSS context. These WordPress escaping functions properly sanitize output to prevent XSS attacks. The honeypot variable `UM()->honeypot` was correctly escaped before being output in both JavaScript and CSS contexts. The removal appears to be a feature change rather than a security fix, as the existing code was already properly secured against XSS vulnerabilities.
CVE Analysis Results:
CVE-2025-1702: No
[CVE-2025-1702] [Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin: 2.10.0→2.10.1] ultimate-member.php AI: No vulnerabilities 1 true positive
--- cache/ultimate-member_2.10.0/ultimate-member.php	2025-11-20 22:13:16.760822342 +0000+++ cache/ultimate-member_2.10.1/ultimate-member.php	2025-11-20 22:18:58.524771315 +0000@@ -3,7 +3,7 @@  * Plugin Name: Ultimate Member  * Plugin URI: http://ultimatemember.com/  * Description: The easiest way to create powerful online communities and beautiful user profiles with WordPress- * Version: 2.10.0+ * Version: 2.10.1  * Author: Ultimate Member  * Author URI: http://ultimatemember.com/  * Text Domain: ultimate-member
AI Analysis
Vulnerability Existed: no
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - ultimate-member.php [3-7]
Old Code:
```php
 * Version: 2.10.0
```
Fixed Code:
```php
 * Version: 2.10.1
```

Explanation:
The diff shows only a version number change from 2.10.0 to 2.10.1 in the plugin header metadata. This is a routine version update with no user input handling, data flow, or security-sensitive operations. The version string is hardcoded and not derived from any user input. There are no sinks, entry points, or data transformations that could lead to a vulnerability.
CVE Analysis Results:
CVE-2025-1702: No
View CVE Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 2.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-2128] [Cost Calculator Builder: 3.2.67→3.2.68] cost-calculator-builder.php AI: No vulnerabilities 1 true positive
--- cache/cost-calculator-builder_3.2.67/cost-calculator-builder.php	2025-11-20 22:13:16.204786601 +0000+++ cache/cost-calculator-builder_3.2.68/cost-calculator-builder.php	2025-11-20 22:13:27.701525586 +0000@@ -8,7 +8,7 @@  * License: GNU General Public License v2 or later  * License URI: http://www.gnu.org/licenses/gpl-2.0.html  * Text Domain: cost-calculator-builder- * Version: 3.2.67+ * Version: 3.2.68  */  if ( ! defined( 'ABSPATH' ) ) {@@ -17,7 +17,7 @@  define( 'CALC_DIR', __DIR__ ); define( 'CALC_FILE', __FILE__ );-define( 'CALC_VERSION', '3.2.67' );+define( 'CALC_VERSION', '3.2.68' ); define( 'CALC_WP_TESTED_UP', '6.7.1' ); define( 'CALC_DB_VERSION', '3.2.65' ); define( 'CALC_PATH', dirname( CALC_FILE ) );
AI Analysis
Vulnerability Existed: no
No vulnerability - N/A - cost-calculator-builder.php [8,17]
Old Code:
 * Version: 3.2.67
define( 'CALC_VERSION', '3.2.67' );
Fixed Code:
 * Version: 3.2.68
define( 'CALC_VERSION', '3.2.68' );

Explanation:
The changes only update version numbers from 3.2.67 to 3.2.68 in the plugin header comment and CALC_VERSION constant definition. These are hardcoded string values that contain no user input, no data processing, and no security-sensitive operations. Version number updates are routine maintenance changes with no security implications.
CVE Analysis Results:
CVE-2025-2128: No
View CVE Description
The Cost Calculator Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_ids’ parameter in all versions up to, and including, 3.2.67 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-2128] [Cost Calculator Builder: 3.2.67→3.2.68] includes/classes/models/Payments.php AI: 1 vulnerabilities 1 true positive CVE-2025-2128
--- cache/cost-calculator-builder_3.2.67/includes/classes/models/Payments.php	2025-11-20 22:13:16.396798944 +0000+++ cache/cost-calculator-builder_3.2.68/includes/classes/models/Payments.php	2025-11-20 22:13:27.874536707 +0000@@ -52,15 +52,29 @@ 	public static function update_payment_status_by_order_ids( $order_ids, $status = '' ) { 		global $wpdb; -		return $wpdb->query(-			$wpdb->prepare(-				'UPDATE `%1s` SET `status` = "%2s", `updated_at` = "%3s" WHERE order_id IN (%4s)', //phpcs:ignore-				self::_table(),-				$status,-				wp_date( 'Y-m-d H:i:s' ),-				implode( ',', $order_ids )-			)+		$statuses = array( 'pending', 'cancelled', 'rejected', 'complete' );+		if ( ! in_array( $status, $statuses, true ) ) {+			wp_send_json(+				array(+					'message' => 'Invalid status: ' . $status,+					'success' => false,+				)+			);+		}++		$order_ids    = array_map( 'intval', (array) $order_ids );+		$placeholders = implode( ',', array_fill( 0, count( $order_ids ), '%d' ) );++		$query = sprintf(+			"UPDATE `%s` SET `status` = %%s, `updated_at` = %%s WHERE order_id IN (%s)", //phpcs:ignore+			self::_table(),+			$placeholders 		);++		$args           = array_merge( array( $query, $status, wp_date( 'Y-m-d H:i:s' ) ), $order_ids );+		$prepared_query = call_user_func_array( array( $wpdb, 'prepare' ), $args );++		return $wpdb->query( $prepared_query ); //phpcs:ignore 	}  	/**
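Review bot: the `IN (%s)` list is built from `array_fill( 0, count( $order_ids ), '%d' )`, so an empty `$order_ids` produces `WHERE order_id IN ()`, a MySQL syntax error that `$wpdb->query()` reports as `false`; return early when the cast array is empty. Two smaller points: `wp_send_json()` calls `wp_die()`, so this model method now terminates the request on a bad `$status`, which is only appropriate if every caller is an AJAX handler (returning `false` and letting the caller respond keeps the model reusable); and the root cause is worth recording in the commit message, namely that `wpdb::prepare()` quotes a bare `%s` but substitutes a width-modified placeholder such as the old `%4s` unquoted, so the `implode()` output landed in the query as raw SQL and the quote escaping applied to arguments did nothing in a numeric context.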
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/classes/models/Payments.php 52-66
Old Code:
```php
return $wpdb->query(
    $wpdb->prepare(
        'UPDATE `%1s` SET `status` = "%2s", `updated_at` = "%3s" WHERE order_id IN (%4s)', //phpcs:ignore
        self::_table(),
        $status,
        wp_date( 'Y-m-d H:i:s' ),
        implode( ',', $order_ids )
    )
);
```
Fixed Code:
```php
$statuses = array( 'pending', 'cancelled', 'rejected', 'complete' );
if ( ! in_array( $status, $statuses, true ) ) {
    wp_send_json(
        array(
            'message' => 'Invalid status: ' . $status,
            'success' => false,
        )
    );
}

$order_ids    = array_map( 'intval', (array) $order_ids );
$placeholders = implode( ',', array_fill( 0, count( $order_ids ), '%d' ) );

$query = sprintf(
    "UPDATE `%s` SET `status` = %%s, `updated_at` = %%s WHERE order_id IN (%s)", //phpcs:ignore
    self::_table(),
    $placeholders
);

$args           = array_merge( array( $query, $status, wp_date( 'Y-m-d H:i:s' ) ), $order_ids );
$prepared_query = call_user_func_array( array( $wpdb, 'prepare' ), $args );

return $wpdb->query( $prepared_query ); //phpcs:ignore
```

Explanation:
The old code was injectable because `implode(',', $order_ids)` was passed to a `%4s` placeholder. `wpdb::prepare()` adds quotes around a bare `%s`, but a width-modified placeholder such as `%4s` is substituted unquoted (newer WordPress versions only warn about this), so the joined list landed in the query as raw SQL, and the quote escaping that `prepare()` applies to its arguments is irrelevant in a numeric context. A value such as `1) OR SLEEP(5)-- ` in `order_ids` therefore rewrites the `WHERE` clause, which matches the time-based injection in the CVE description; stacked statements such as `DROP TABLE` are not the realistic payload here, because `$wpdb->query()` does not execute multiple statements. The fix: 1) validates `$status` against an allow-list, 2) casts every element of `$order_ids` to an integer with `array_map( 'intval', ... )`, and 3) builds one `%d` placeholder per element so each id is bound individually.
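The two query shapes above, as an added example that is not the plugin's code: a Python/sqlite3 stand-in for `$wpdb` in which `update_status_vulnerable()` splices the joined id list into the SQL text the way an unquoted `%4s` did, and `update_status_safe()` applies the 3.2.68 pattern (allow-listed status, `intval()` on each id, one bound placeholder per id) plus the empty-list guard the fix lacks. The table, its rows, the `php_intval()` helper and the payload are constructed here; the CVE's time-based `SLEEP()` payload is replaced by a boolean one because SQLite has no `SLEEP()`.

```python
import re
import sqlite3

# Constructed sample rows standing in for the plugin's payments table (not real data).
SAMPLE_ROWS = [(1, "pending"), (2, "pending"), (3, "pending"), (4, "pending")]

# The status allow-list from the 3.2.68 fix.
ALLOWED_STATUSES = ("pending", "cancelled", "rejected", "complete")


def php_intval(value) -> int:
    """Emulate PHP intval() on a string: leading optional sign and digits, else 0."""
    if isinstance(value, int):
        return value
    match = re.match(r"^\s*[+-]?\d+", str(value))
    return int(match.group(0)) if match else 0


def make_db() -> sqlite3.Connection:
    """Fresh in-memory table so every call starts from the same sample state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payments (order_id INTEGER, status TEXT)")
    conn.executemany("INSERT INTO payments VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def update_status_vulnerable(conn, order_ids, status) -> int:
    """3.2.67 shape: the joined id list is spliced into the SQL text unquoted,
    exactly what the unquoted %4s placeholder did. Returns rows affected."""
    id_list = ",".join(str(v) for v in order_ids)
    sql = f"UPDATE payments SET status = ? WHERE order_id IN ({id_list})"
    return conn.execute(sql, (status,)).rowcount


def update_status_safe(conn, order_ids, status) -> int:
    """3.2.68 shape: allow-listed status, intval() on every id, one bound
    placeholder per id. Also guards the empty list, which the fix does not."""
    if status not in ALLOWED_STATUSES:
        raise ValueError(f"Invalid status: {status}")
    ids = [php_intval(v) for v in order_ids]
    if not ids:
        return 0  # "IN ()" is a syntax error in MySQL and SQLite alike
    placeholders = ",".join("?" for _ in ids)
    sql = f"UPDATE payments SET status = ? WHERE order_id IN ({placeholders})"
    return conn.execute(sql, (status, *ids)).rowcount


def statuses(conn) -> dict:
    """order_id -> status, to inspect what a call actually changed."""
    return dict(conn.execute("SELECT order_id, status FROM payments ORDER BY order_id"))


# Constructed boolean payload: closes the IN list early and appends its own condition.
PAYLOAD = ["1) OR 1=1 --"]

if __name__ == "__main__":
    print("vulnerable rows changed:", update_status_vulnerable(make_db(), PAYLOAD, "complete"))
    db = make_db()
    print("safe rows changed:", update_status_safe(db, PAYLOAD, "complete"), statuses(db))
```

With the payload the vulnerable shape updates every row, while the safe shape casts `1) OR 1=1 --` to `1` and touches only that order; in the plugin the same difference is what turns `order_ids` into a time-based oracle.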
CVE Analysis Results:
CVE-2025-2128: Yes
View CVE Description
The Cost Calculator Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_ids’ parameter in all versions up to, and including, 3.2.67 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-22652] [Payment Forms for Paystack: 4.0.1→4.0.2] includes/classes/class-helpers.php AI: 1 vulnerabilities 1 false positive CVE-2025-22652
--- cache/payment-forms-for-paystack_4.0.1/includes/classes/class-helpers.php	2025-11-20 22:14:13.086442815 +0000+++ cache/payment-forms-for-paystack_4.0.2/includes/classes/class-helpers.php	2025-11-20 22:21:53.418864244 +0000@@ -189,6 +189,11 @@ 		$current_version = get_bloginfo('version'); 		if ( version_compare( '6.2', $current_version, '<=' ) ) { +			// Make sure $order only handles 2 possible values.+			if ( 'ASC' !== $order ) {+				$order = 'DESC';+			}+ 			// phpcs:disable WordPress.DB -- Start ignoring 			$results = $wpdb->get_results( 				$wpdb->prepare(@@ -200,7 +205,7 @@ 					$table, 					$form_id, 					$args['paid'],-					$args['orderby'],+					$args['orderby'] 				) 			); 			// phpcs:enable -- Stop ignoring@@ -214,11 +219,12 @@ 					FROM `%s`  					WHERE post_id = '%d' 					AND paid = '%s'-					ORDER BY '%s' $order",+					ORDER BY '%s' %s", 					$table, 					$form_id, 					$args['paid'], 					$args['orderby'],+					$order 				) 			); 			// phpcs:enable -- Stop ignoring
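Review bot: the `if ( 'ASC' !== $order )` allow-list is added inside the `version_compare( '6.2', $current_version, '<=' )` branch only, so the `else` branch never sees a validated `$order`; hoist the check above the `if` so both branches share it. In that `else` branch, binding the direction with `%s` does not do what the change implies: `$wpdb->prepare()` quotes `%s` values, so the query becomes `ORDER BY '<orderby>' '<order>'`, which MySQL reads as one concatenated string constant and therefore sorts by nothing. Concatenate the validated `$order` as a keyword, and validate `$args['orderby']` against the table's column names the same way instead of wrapping it in `'%s'`, which has the same constant-string effect.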
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - includes/classes/class-helpers.php 214-225
Old Code:
```php
$results = $wpdb->query(
    $wpdb->prepare(
        "SELECT * 
        FROM `%s` 
        WHERE post_id = '%d'
        AND paid = '%s'
        ORDER BY '%s' $order",
        $table,
        $form_id,
        $args['paid'],
        $args['orderby'],
    )
);
```
Fixed Code:
```php
$results = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT * 
        FROM `%s` 
        WHERE post_id = '%d'
        AND paid = '%s'
        ORDER BY '%s' %s",
        $table,
        $form_id,
        $args['paid'],
        $args['orderby'],
        $order
    )
);
```

Explanation:
The vulnerability was that `$order` was concatenated into the query string, so whatever reached it was appended to `ORDER BY` verbatim. The fix adds an allow-list, `if ( 'ASC' !== $order ) { $order = 'DESC'; }`, which is the correct control for a sort direction: a keyword cannot be bound as a parameter. Replacing `$order` with a `%s` placeholder in the `else` branch is cosmetic at best, because `$wpdb->prepare()` quotes `%s` values and the result is `ORDER BY 'column' 'DESC'`, which MySQL treats as a single string constant, so no ordering is applied; the same holds for `'%s'` around `$args['orderby']`, which should likewise be checked against an allow-list of column names. Whether an attacker could reach `$order` or `$args['orderby']` depends on the callers, which the diff does not show.
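The distinction the paragraph draws, as an added example that is not the plugin's code: a Python/sqlite3 stand-in in which `amounts_bound_orderby()` binds the column name the way `ORDER BY '%s'` does (it becomes a constant, so nothing is sorted), `amounts_allowlisted()` applies the 4.0.2 direction check plus a column allow-list and only then places both into the SQL text, and `direction_can_be_bound()` shows what happens when the keyword is bound as well. The table, rows and the `ALLOWED_ORDERBY` column names are assumptions constructed here; the real table's columns are not shown on the page.

```python
import sqlite3

# Constructed rows, deliberately inserted out of amount order (not real data).
SAMPLE_PAYMENTS = [
    (101, 7, "yes", 300),
    (102, 7, "yes", 100),
    (103, 7, "no", 500),
    (104, 7, "yes", 200),
]

# Assumed column allow-list; the plugin's real column names are not on the page.
ALLOWED_ORDERBY = ("id", "amount", "created_at")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payments (id INTEGER, post_id INTEGER, paid TEXT, amount INTEGER)"
    )
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?)", SAMPLE_PAYMENTS)
    return conn


def amounts_bound_orderby(conn, form_id, paid, orderby) -> list:
    """What `ORDER BY '%s'` does: the column name arrives as a bound string, i.e.
    a constant expression, so the rows are not sorted by that column."""
    rows = conn.execute(
        "SELECT amount FROM payments WHERE post_id = ? AND paid = ? ORDER BY ?",
        (form_id, paid, orderby),
    )
    return [amount for (amount,) in rows]


def amounts_allowlisted(conn, form_id, paid, orderby, order) -> list:
    """The hardened shape: values are bound; the identifier and the keyword are
    checked against allow-lists and only then placed into the SQL text."""
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError(f"unsupported orderby: {orderby!r}")
    order = "ASC" if order == "ASC" else "DESC"  # the check added in 4.0.2
    sql = (
        "SELECT amount FROM payments WHERE post_id = ? AND paid = ? "
        f"ORDER BY {orderby} {order}"
    )
    return [amount for (amount,) in conn.execute(sql, (form_id, paid))]


def direction_can_be_bound(conn) -> bool:
    """Binding the direction as well (`ORDER BY ? ?`) is a syntax error in SQLite;
    MySQL instead concatenates the two quoted strings into one constant."""
    try:
        conn.execute("SELECT amount FROM payments ORDER BY ? ?", ("amount", "DESC"))
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("bound column:", amounts_bound_orderby(db, 7, "yes", "amount"))
    print("allow-listed:", amounts_allowlisted(db, 7, "yes", "amount", "ASC"))
    print("direction bindable:", direction_can_be_bound(db))
```

The bound-column query returns the paid rows in whatever order the engine scans them, not by `amount`; the allow-listed query sorts correctly and rejects `amount; DROP TABLE payments` before it gets anywhere near the SQL text.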
CVE Analysis Results:
CVE-2025-22652: Yes
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kendysond Payment Forms for Paystack allows SQL Injection.This issue affects Payment Forms for Paystack: from n/a through 4.0.1.
[CVE-2025-22652] [Payment Forms for Paystack: 4.0.1→4.0.2] paystack-forms.php AI: No vulnerabilities 1 true positive
--- cache/payment-forms-for-paystack_4.0.1/paystack-forms.php	2025-11-20 22:14:13.088442944 +0000+++ cache/payment-forms-for-paystack_4.0.2/paystack-forms.php	2025-11-20 22:21:53.421864435 +0000@@ -3,7 +3,7 @@   Plugin Name:  Payment Forms for Paystack   Plugin URI:   https://github.com/PaystackHQ/Wordpress-Payment-forms-for-Paystack   Description:  Payment Forms for Paystack allows you create forms that will be used to bill clients for goods and services via Paystack.-  Version:      4.0.1+  Version:      4.0.2   Author:       Paystack   Author URI:   http://paystack.com   License:      GPL-2.0+@@ -16,7 +16,7 @@ define( 'PFF_PAYSTACK_PLUGIN_PATH', plugin_dir_path( __FILE__ ) ); define( 'PFF_PAYSTACK_PLUGIN_URL', plugin_dir_url( __FILE__ ) ); define( 'PFF_PAYSTACK_MAIN_FILE', __FILE__ );-define( 'PFF_PAYSTACK_VERSION', '4.0.1' );+define( 'PFF_PAYSTACK_VERSION', '4.0.2' ); define( 'PFF_PAYSTACK_TABLE', 'paystack_forms_payments' ); define( 'PFF_PLUGIN_BASENAME', plugin_basename(__FILE__) ); define( 'PFF_PLUGIN_NAME', 'pff-paystack' );
AI Analysis
Vulnerability Existed: no
No vulnerabilities found - N/A - paystack-forms.php [3,16]
Old Code:
```php
Version:      4.0.1
define( 'PFF_PAYSTACK_VERSION', '4.0.1' );
```
Fixed Code:
```php
Version:      4.0.2
define( 'PFF_PAYSTACK_VERSION', '4.0.2' );
```

Explanation:
The diff shows only version number updates from 4.0.1 to 4.0.2 in the plugin header and constant definition. These changes contain no user input handling, no security-sensitive operations, and no code logic modifications. Version number changes alone do not introduce or fix security vulnerabilities.
CVE Analysis Results:
CVE-2025-22652: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kendysond Payment Forms for Paystack allows SQL Injection.This issue affects Payment Forms for Paystack: from n/a through 4.0.1.
[CVE-2025-30774] [Quiz Maker: 6.6.8.7→6.6.8.8] admin/class-quiz-maker-admin.php AI: No vulnerabilities 1 false positive, 2 true positives CVE-2025-30774
--- cache/quiz-maker_6.6.8.7/admin/class-quiz-maker-admin.php	2025-11-20 22:13:16.572810257 +0000+++ cache/quiz-maker_6.6.8.8/admin/class-quiz-maker-admin.php	2025-11-20 22:19:31.381851862 +0000@@ -1488,38 +1488,38 @@           $default_options = array(-            'quiz_theme'                                    => 'classic_light',-            'color'                                         => '#5d6cf9',-            'bg_color'                                      => '#fff',-            'text_color'                                    => '#000000',-            'height'                                        => $quick_quiz_height,-            'width'                                         => $quick_quiz_width,-            'timer'                                         => 100,-            'information_form'                              => 'disable',-            'form_name'                                     => '',-            'form_email'                                    => '',-            'form_phone'                                    => '',-            'enable_logged_users'                           => 'off',-            'answers_view'                                  => $quick_quiz_answers_view,-            'image_width'                                   => $quick_quiz_image_width,-            'image_height'                                  => $quick_quiz_image_height,-            'quiz_image_width_by_percentage_px'             => $quick_quiz_image_width_by_percentage_px,-            'quiz_image_height'                             => $quick_quiz_image_height,-            'enable_correction'                             => $quick_quiz_enable_correction,-            'enable_questions_counter'                      => $quick_quiz_enable_questions_counter,-            'limit_users'                                   => 'off',-            'limitation_message'                            => '',-            'redirect_url'                                  => '',-          
  'redirection_delay'                             => '',-            'enable_progress_bar'                           => $quick_quiz_enable_progress_bar,-            'randomize_questions'                           => $quick_quiz_enable_randomize_questions,-            'randomize_answers'                             => $quick_quiz_enable_randomize_answers,-            'enable_questions_result'                       => 'on',-            'enable_average_statistical'                    => $quick_quiz_enable_average_statistical,-            'enable_next_button'                            => $quick_quiz_enable_next_button,-            'enable_previous_button'                        => $quick_quiz_enable_previous_button,-            'custom_css'                                    => '',-            'enable_restriction_pass'                       => 'off',+            'quiz_theme'                                        => 'classic_light',+            'color'                                             => '#5d6cf9',+            'bg_color'                                          => '#fff',+            'text_color'                                        => '#000000',+            'height'                                            => $quick_quiz_height,+            'width'                                             => $quick_quiz_width,+            'timer'                                             => 100,+            'information_form'                                  => 'disable',+            'form_name'                                         => '',+            'form_email'                                        => '',+            'form_phone'                                        => '',+            'enable_logged_users'                               => 'off',+            'answers_view'                                      => $quick_quiz_answers_view,+            'image_width'                                       => $quick_quiz_image_width,+            'image_height'    
                                  => $quick_quiz_image_height,+            'quiz_image_width_by_percentage_px'                 => $quick_quiz_image_width_by_percentage_px,+            'quiz_image_height'                                 => $quick_quiz_image_height,+            'enable_correction'                                 => $quick_quiz_enable_correction,+            'enable_questions_counter'                          => $quick_quiz_enable_questions_counter,+            'limit_users'                                       => 'off',+            'limitation_message'                                => '',+            'redirect_url'                                      => '',+            'redirection_delay'                                 => '',+            'enable_progress_bar'                               => $quick_quiz_enable_progress_bar,+            'randomize_questions'                               => $quick_quiz_enable_randomize_questions,+            'randomize_answers'                                 => $quick_quiz_enable_randomize_answers,+            'enable_questions_result'                           => 'on',+            'enable_average_statistical'                        => $quick_quiz_enable_average_statistical,+            'enable_next_button'                                => $quick_quiz_enable_next_button,+            'enable_previous_button'                            => $quick_quiz_enable_previous_button,+            'custom_css'                                        => '',+            'enable_restriction_pass'                           => 'off',             'restriction_pass_message'                          => '',             'user_role'                                         => '',             'result_text'                                       => '',@@ -1827,7 +1827,7 @@         if (isset($_REQUEST['action']) && sanitize_text_field( $_REQUEST['action'] ) == 'ays_show_results') {             $id = absint(intval($_REQUEST['result']));        
     $results = $wpdb->get_row("SELECT * FROM {$results_table} WHERE id={$id}", "ARRAY_A");            -            $score = $results['score'];+            $score = intval($results['score']);             // $user_id = intval($results['user_id']);             $user_id = isset($results['user_id']) ? intval($results['user_id']) : null;             $quiz_id = isset($results['quiz_id']) ? intval($results['quiz_id']) : null;@@ -1844,10 +1844,10 @@             $options = json_decode($results['options']);             $user_attributes = isset( $options->attributes_information ) ? $options->attributes_information : null;             $start_date = $results['start_date'];-            $duration = isset( $options->passed_time ) ? $options->passed_time : '';-            $rate_id = isset($options->rate_id) ? $options->rate_id : null;+            $duration = isset( $options->passed_time ) ? intval($options->passed_time) : '';+            $rate_id = isset($options->rate_id) ? intval($options->rate_id) : null;             $rate = $this->ays_quiz_rate($rate_id);-            $calc_method = isset($options->calc_method) ? $options->calc_method : 'by_correctness';+            $calc_method = isset($options->calc_method) ? sanitize_text_field($options->calc_method) : 'by_correctness';                          $from = self::get_user_country_by_ip( $user_ip ); 
@@ -2000,7 +2000,7 @@                 if ($user_ip != '') {                     $row .= '<tr class="ays_result_element">                                 <td>' . __("User IP", 'quiz-maker') . '</td>-                                <td colspan="3">' . $from . '</td>+                                <td colspan="3">' . esc_html($from) . '</td>                             </tr>';                 }             }@@ -2011,14 +2011,14 @@                 if($user_id !== 0){                     $row .= '<tr class="ays_result_element">                             <td>' . __("User ID", 'quiz-maker') . '</td>-                            <td colspan="3">' . $user_id . '</td>                    +                            <td colspan="3">' . esc_html($user_id) . '</td>                                             </tr>';                 }             }             if ($ays_quiz_show_result_info_user == 'on') {                 $row .= '<tr class="ays_result_element">                         <td>' . __("User", 'quiz-maker') . '</td>-                        <td colspan="3">' . $user_name . '</td>+                        <td colspan="3">' . esc_html($user_name) . '</td>                     </tr>';             }             
@@ -2031,22 +2031,22 @@             if(isset($results['user_name']) && $results['user_name'] !== '' && $ays_quiz_show_result_info_user_name == 'on'){                 $row .= "<tr class=\"ays_result_element\">                         <td>".__('Name','quiz-maker')."</td>-                        <td colspan='3'>".stripslashes($results['user_name'])."</td>+                        <td colspan='3'>".esc_html(stripslashes($results['user_name']))."</td>                      </tr>";             }             if(isset($results['user_phone']) && $results['user_phone'] !== '' && $ays_quiz_show_result_info_user_phone == 'on'){                 $row .= "<tr class=\"ays_result_element\">                         <td>".__('Phone','quiz-maker')."</td>-                        <td colspan='3'>".stripslashes($results['user_phone'])."</td>+                        <td colspan='3'>".esc_html(stripslashes($results['user_phone']))."</td>                      </tr>";             }             if ($user_attributes !== null) {                  foreach ($user_attributes as $name => $value) {-                    $attr_value = stripslashes($value) == '' ? '-' : stripslashes($value);+                    $attr_value = stripslashes($value) == '' ? '-' : esc_html(stripslashes($value));                     $row .= '<tr class="ays_result_element">-                            <td>' . stripslashes($name) . '</td>-                            <td colspan="3">' . $attr_value . '</td>+                            <td>' . esc_html(stripslashes($name)) . '</td>+                            <td colspan="3">' . esc_html($attr_value) . '</td>                         </tr>';                 }             }@@ -2059,20 +2059,20 @@             if(isset($rate['score'])){                 $rate_html = '<tr style="vertical-align: top;" class="ays_result_element">                     <td>'.__('Rate','quiz-maker').'</td>-                    <td>'. __("Rate Score", 'quiz-maker').":<br>" . $rate['score'] . 
'</td>-                    <td colspan="2" style="max-width: 200px;">'. __("Review", 'quiz-maker').":<br>" . nl2br($rate['review']) . '</td>+                    <td>'. __("Rate Score", 'quiz-maker').":<br>" . absint($rate['score']) . '</td>+                    <td colspan="2" style="max-width: 200px;">'. __("Review", 'quiz-maker').":<br>" . sanitize_text_field( nl2br($rate['review']) ) . '</td>                 </tr>';             }else{                 $rate_html = '<tr class="ays_result_element">                     <td>'.__('Rate','quiz-maker').'</td>-                    <td colspan="3">' . nl2br($rate['review']) . '</td>+                    <td colspan="3">' . sanitize_text_field( nl2br($rate['review']) ) . '</td>                 </tr>';             }              if ($ays_quiz_show_result_info_start_date == 'on') {                 $row .= '<tr class="ays_result_element">                             <td>'.__('Start date','quiz-maker').'</td>-                            <td colspan="3">' . $start_date . '</td>+                            <td colspan="3">' . esc_html($start_date) . '</td>                         </tr>';                                     } @@ -2080,7 +2080,7 @@                 $row .= '                                           <tr class="ays_result_element">                         <td>'.__('Duration','quiz-maker').'</td>-                        <td colspan="3">' . $duration . '</td>+                        <td colspan="3">' . esc_html($duration) . '</td>                     </tr>';             } @@ -2088,7 +2088,7 @@                 $row .= '                     <tr class="ays_result_element">                         <td>'.__('Score','quiz-maker').'</td>-                        <td colspan="3">' . $score . '%</td>+                        <td colspan="3">' . esc_html($score) . '%</td>                     </tr>';             } 
@@ -2158,7 +2158,7 @@                          $correct_row = $option == true ? 'tr_success' : ''; -                        $question_image = isset( $question["question_image"] ) && $question["question_image"] != '' ? $question["question_image"] : '';+                        $question_image = isset( $question["question_image"] ) && $question["question_image"] != '' ? esc_url($question["question_image"]) : '';                         $question_title = isset( $question["question"] ) && $question["question"] != '' ? $question["question"] : '';                         if($calc_method == 'by_correctness'){                             if ($option == true) {@@ -2304,6 +2304,7 @@                 "review" => $reason,             );         }else{+            $id = intval($id);             $rate = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}aysquiz_rates WHERE id={$id}", "ARRAY_A");             $output = array();             if($rate !== null){@@ -2344,7 +2345,15 @@     public function get_user_answered($user_choice, $key){         global $wpdb;         $answers_table = $wpdb->prefix . "aysquiz_answers";-        $choices = $user_choice->$key;++        $choices = '';+        if( !empty($user_choice->$key) ){+            if (is_array($user_choice->$key)) {+                $choices = array_map('intval', $user_choice->$key);+            } else {+                $choices = intval($user_choice->$key);+            }+        }                  if($choices == ''){             return array(@@ -2355,13 +2364,20 @@         $text = array();         if (is_array($choices)) {             foreach ($choices as $choice) {-                $result = $wpdb->get_row("SELECT answer FROM {$answers_table} WHERE id={$choice}", 'ARRAY_A');-                $text[] = $result['answer'];+                $choice = (isset($choice) && intval($choice) > 0) ? 
intval($choice) : null;+                if(empty($choice)){+                    continue;+                }+                $result = $wpdb->get_row($wpdb->prepare("SELECT answer FROM {$answers_table} WHERE id=%d ;", $choice ), 'ARRAY_A');+                $text[] = (isset($result['answer']) && $result['answer'] != "") ? $result['answer'] : '';             }             $text = implode(', ', $text);         } else {-            $result = $wpdb->get_row("SELECT answer FROM {$answers_table} WHERE id={$choices}", 'ARRAY_A');-            $text = $result['answer'];+            $choice = (isset($choices) && intval($choices) > 0) ? intval($choices) : null;+            if(!empty($choice) && $choices > 0){+                $result = $wpdb->get_row($wpdb->prepare("SELECT answer FROM {$answers_table} WHERE id=%d ;", $choice ), 'ARRAY_A');+                $text = (isset($result['answer']) && $result['answer'] != "") ? $result['answer'] : '';+            }         }         return $text;     }
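Review bot: the 1488 hunk is whitespace-only realignment of `$default_options` and belongs in a separate commit; it buries the security changes in this file. On the substantive hunks: `$id = intval($id);` is added before `SELECT * FROM {$wpdb->prefix}aysquiz_rates WHERE id={$id}` but the query still interpolates the value; use `$wpdb->prepare( '... WHERE id = %d', $id )` as `get_user_answered()` now does, and do the same for the `aysquiz_results` query at 1829 (`absint(intval())` is safe, but one pattern makes the next audit cheaper). `sanitize_text_field( nl2br( $rate['review'] ) )` is the wrong tool in the wrong order: `sanitize_text_field()` strips the `<br />` tags `nl2br()` just inserted and is an input sanitizer, not an output escaper; `nl2br( esc_html( $rate['review'] ) )` escapes the text and keeps the line breaks. In `get_user_answered()`, `$choices` is now an int when the input is scalar, and `$choices == ''` is true for `0` on PHP 7 but false on PHP 8, so the early return differs by PHP version; test for `empty()` instead. The `else` branch condition `!empty($choice) && $choices > 0` repeats itself, and when it fails `$text` is returned as the empty array it was initialised to while the array branch returns a string; return one type.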
AI Analysis
Vulnerability Existed: no
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - admin/class-quiz-maker-admin.php [2352, 2375]
Old Code:
```php
$result = $wpdb->get_row("SELECT answer FROM {$answers_table} WHERE id={$choice}", 'ARRAY_A');
```
Fixed Code:
```php
$result = $wpdb->get_row($wpdb->prepare("SELECT answer FROM {$answers_table} WHERE id=%d ;", $choice ), 'ARRAY_A');
```

Explanation:
The fix replaces direct interpolation of `$choice` with `$wpdb->prepare()` and a `%d` placeholder, after casting the value with `intval()`. Flow: `$user_choice->$key` (submitted answer ids) → `intval()` → bound as an integer → query executed. The table name `{$answers_table}` is still interpolated, which is acceptable only because it is built from `$wpdb->prefix` rather than from user input.

Vulnerability Existed: no
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - admin/class-quiz-maker-admin.php [2001, 2011, 2021, 2034, 2040, 2047-2048, 2062, 2074, 2081, 2091, 2161]
Old Code:
```php
<td colspan="3">' . $from . '</td>
<td colspan="3">' . $user_id . '</td>
<td colspan="3">' . $user_name . '</td>
<td colspan='3'>".stripslashes($results['user_name'])."</td>
<td colspan='3'>".stripslashes($results['user_phone'])."</td>
<td>' . stripslashes($name) . '</td>
<td colspan="3">' . $attr_value . '</td>
<td>'.__('Rate','quiz-maker').'</td>
<td>'. __("Rate Score", 'quiz-maker').":<br>" . $rate['score'] . '</td>
<td colspan="2" style="max-width: 200px;">'. __("Review", 'quiz-maker').":<br>" . nl2br($rate['review']) . '</td>
<td colspan="3">' . $start_date . '</td>
<td colspan="3">' . $duration . '</td>
<td colspan="3">' . $score . '%</td>
```
Fixed Code:
```php
<td colspan="3">' . esc_html($from) . '</td>
<td colspan="3">' . esc_html($user_id) . '</td>
<td colspan="3">' . esc_html($user_name) . '</td>
<td colspan='3'>".esc_html(stripslashes($results['user_name']))."</td>
<td colspan='3'>".esc_html(stripslashes($results['user_phone']))."</td>
<td>' . esc_html(stripslashes($name)) . '</td>
<td colspan="3">' . esc_html($attr_value) . '</td>
<td>'.__('Rate','quiz-maker').'</td>
<td>'. __("Rate Score", 'quiz-maker').":<br>" . absint($rate['score']) . '</td>
<td colspan="2" style="max-width: 200px;">'. __("Review", 'quiz-maker').":<br>" . sanitize_text_field( nl2br($rate['review']) ) . '</td>
<td colspan="3">' . esc_html($start_date) . '</td>
<td colspan="3">' . esc_html($duration) . '</td>
<td colspan="3">' . esc_html($score) . '%</td>
```

Explanation:
The fix wraps the values printed into the results table in `esc_html()`, so they render as text rather than markup. Those values (name, phone, attribute fields) originate from quiz takers and are read back from the database, so the issue is stored XSS in the admin results view. One inconsistency: `$rate['review']` goes through `sanitize_text_field( nl2br( ... ) )`, which is an input sanitizer rather than an output escaper and strips the `<br />` tags that `nl2br()` just added; `nl2br( esc_html( $rate['review'] ) )` would escape the text and keep the line breaks.

Vulnerability Existed: no
CWE-20: Improper Input Validation - admin/class-quiz-maker-admin.php [1829, 1845, 1846, 1847, 1849, 2305, 2348-2356]
Old Code:
```php
$score = $results['score'];
$duration = isset( $options->passed_time ) ? $options->passed_time : '';
$rate_id = isset($options->rate_id) ? $options->rate_id : null;
$calc_method = isset($options->calc_method) ? $options->calc_method : 'by_correctness';
// $id was used in the aysquiz_rates query without a cast
$choices = $user_choice->$key;
```
Fixed Code:
```php
$score = intval($results['score']);
$duration = isset( $options->passed_time ) ? intval($options->passed_time) : '';
$rate_id = isset($options->rate_id) ? intval($options->rate_id) : null;
$calc_method = isset($options->calc_method) ? sanitize_text_field($options->calc_method) : 'by_correctness';
$id = intval($id);
$choices = ''; // with proper intval validation
```

Explanation:
These are hardening changes rather than the fix for a distinct vulnerability: values read back from the database or decoded from the stored `options` JSON are cast with `intval()` or passed through `sanitize_text_field()` before use. The cast that matters most is `$id = intval($id)`, because `$id` is still interpolated into `WHERE id={$id}` on the next line and the cast guarantees that only an integer reaches that query. The remaining casts limit what can be echoed into the results page but do not themselves close an injection path.
CVE Analysis Results:
CVE-2025-30774: Yes
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Quiz Maker allows SQL Injection. This issue affects Quiz Maker: from n/a through 6.6.8.7.
[CVE-2025-30774] [Quiz Maker: 6.6.8.7→6.6.8.8] public/class-quiz-maker-public.php AI: 5 vulnerabilities 3 false positives, 2 true positives CVE-2025-30774
--- cache/quiz-maker_6.6.8.7/public/class-quiz-maker-public.php	2025-11-20 22:13:16.674816814 +0000+++ cache/quiz-maker_6.6.8.8/public/class-quiz-maker-public.php	2025-11-20 22:19:31.463857057 +0000@@ -5326,6 +5326,14 @@                     }                 }                 foreach ($questions_answers as $key => $questions_answer) {++                    $questions_answer_for_db = $questions_answer;+                    if (is_array($questions_answer_for_db)) {+                        $questions_answer_for_db = array_map('intval', $questions_answer_for_db);+                    } else {+                        $questions_answer_for_db = sanitize_text_field(stripslashes($questions_answer_for_db) );+                    }+                     $continue = false;                     $question_id = explode('-', $key)[2];                     if($this->is_question_not_influence($question_id)){@@ -5336,10 +5344,11 @@                     $has_multiple = $this->has_multiple_correct_answers($question_id);                     $answer_max_weights[] = $this->get_answers_max_weight($question_id, $has_multiple);                     -                    $user_answered["question_id_" . $question_id] = $questions_answer;+                    $user_answered["question_id_" . $question_id] = $questions_answer_for_db;                     if ($has_multiple) {                                                 if (is_array($questions_answer)) {                             foreach ($questions_answer as $answer_id) {+                                $answer_id = intval($answer_id);                                 $multiple_correctness[] = $this->check_answer_correctness($question_id, $answer_id, $calculate_score);                             }                             
@@ -5371,6 +5380,7 @@                             }                         } else {                             if($calculate_score == 'by_points'){+                                $questions_answer = intval($questions_answer);                                 if(!$continue){                                     $correctness[$question_id] = $this->check_answer_correctness($question_id, $questions_answer, $calculate_score);                                 }@@ -5378,6 +5388,7 @@                                 continue;                             }                             if($strong_count_checkbox === false){+                                $questions_answer = intval($questions_answer);                                 if($this->check_answer_correctness($question_id, $questions_answer, $calculate_score)){                                     if(!$continue){                                         $correctness[$question_id] = 1 / intval($this->count_multiple_correct_answers($question_id));@@ -5403,6 +5414,7 @@                         }                         $correctness_results["question_id_" . $question_id] = $this->check_text_answer_correctness($question_id, $questions_answer, $calculate_score, $quests_data_options);                     } else {+                        $questions_answer = intval($questions_answer);                         if(!$continue){                             $correctness[$question_id] = $this->check_answer_correctness($question_id, $questions_answer, $calculate_score);                         }
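
Review bot: in the first hunk (@@ -5326) the question id is still taken from the user-controlled array key without a cast, `$question_id = explode('-', $key)[2];`, even though every answer value now goes through `intval()`; that id is then passed to `is_question_not_influence()`, `has_multiple_correct_answers()`, `get_answers_max_weight()` and `check_answer_correctness()`. Suggest typing it at the same point the answers are typed, e.g. `$question_id = intval(explode('-', $key)[2] ?? 0);`, so a malformed key cannot reach those methods as a string.

Review bot: in the last hunk (@@ -5403) the text-answer branch still hands the raw `$questions_answer` to `check_text_answer_correctness($question_id, $questions_answer, $calculate_score, $quests_data_options)`, while only the `else` branch receives the `intval()` copy, and the `$questions_answer_for_db` built at the top of the loop is used solely for `$user_answered`. A free-text answer cannot be cast to an integer, so whether that path is safe depends entirely on `check_text_answer_correctness()` using `$wpdb->prepare()` internally, which this diff does not show; either confirm that, or pass `$questions_answer_for_db` there so the `sanitize_text_field(stripslashes())` copy is what reaches the query.
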
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - public/class-quiz-maker-public.php 5336
Old Code:
```php
$user_answered["question_id_" . $question_id] = $questions_answer;
```
Fixed Code:
```php
$user_answered["question_id_" . $question_id] = $questions_answer_for_db;
```

Explanation:
The vulnerability existed because user-controlled input from `$questions_answer` was stored in the `$user_answered` array without sanitization. The user input enters through the `$questions_answers` array (line 5325), which holds the quiz answers submitted by users. In the old code, this raw input was assigned directly to the database-bound `$user_answered` array. The fix builds `$questions_answer_for_db` by applying `intval()` to each element of an array answer, or `sanitize_text_field(stripslashes())` to a scalar answer, before storing it in `$user_answered`. This prevents SQL injection by ensuring all values are sanitized before database storage.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - public/class-quiz-maker-public.php 5348
Old Code:
```php
foreach ($questions_answer as $answer_id) {
    $multiple_correctness[] = $this->check_answer_correctness($question_id, $answer_id, $calculate_score);
}
```
Fixed Code:
```php
foreach ($questions_answer as $answer_id) {
    $answer_id = intval($answer_id);
    $multiple_correctness[] = $this->check_answer_correctness($question_id, $answer_id, $calculate_score);
}
```

Explanation:
The vulnerability existed because user-controlled array elements from `$questions_answer` were passed directly to the `check_answer_correctness()` method without sanitization. The user input enters through the `$questions_answer` array (line 5325). In the old code, these elements were used directly as the `$answer_id` argument in database operations. The fix adds `intval($answer_id)` so that every answer ID is cast to an integer before it is used in a database query, preventing SQL injection.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - public/class-quiz-maker-public.php 5381
Old Code:
```php
if($calculate_score == 'by_points'){
    if(!$continue){
        $correctness[$question_id] = $this->check_answer_correctness($question_id, $questions_answer, $calculate_score);
    }
```
Fixed Code:
```php
if($calculate_score == 'by_points'){
    $questions_answer = intval($questions_answer);
    if(!$continue){
        $correctness[$question_id] = $this->check_answer_correctness($question_id, $questions_answer, $calculate_score);
    }
```

Explanation:
The vulnerability existed because user-controlled `$questions_answer` was passed directly to the `check_answer_correctness()` method without sanitization when `$calculate_score == 'by_points'`. The user input enters through the `$questions_answers` array (line 5325). The fix adds `intval($questions_answer)`, casting the input to an integer before it is used in database operations, preventing SQL injection.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - public/class-quiz-maker-public.php 5389
Old Code:
```php
if($strong_count_checkbox === false){
    if($this->check_answer_correctness($question_id, $questions_answer, $calculate_score)){
```
Fixed Code:
```php
if($strong_count_checkbox === false){
    $questions_answer = intval($questions_answer);
    if($this->check_answer_correctness($question_id, $questions_answer, $calculate_score)){
```

Explanation:
The vulnerability existed because user-controlled `$questions_answer` was passed directly to the `check_answer_correctness()` method without sanitization when `$strong_count_checkbox === false`. The user input enters through the `$questions_answers` array (line 5325). The fix adds `intval($questions_answer)`, casting the input to an integer before it is used in database operations, preventing SQL injection.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - public/class-quiz-maker-public.php 5414
Old Code:
```php
} else {
    if(!$continue){
        $correctness[$question_id] = $this->check_answer_correctness($question_id, $questions_answer, $calculate_score);
    }
```
Fixed Code:
```php
} else {
    $questions_answer = intval($questions_answer);
    if(!$continue){
        $correctness[$question_id] = $this->check_answer_correctness($question_id, $questions_answer, $calculate_score);
    }
```

Explanation:
The vulnerability existed because user-controlled `$questions_answer` was passed directly to the `check_answer_correctness()` method without sanitization in the final `else` branch. The user input enters through the `$questions_answers` array (line 5325). The fix adds `intval($questions_answer)`, casting the input to an integer before it is used in database operations, preventing SQL injection.
CVE Analysis Results:
CVE-2025-30774: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Quiz Maker allows SQL Injection. This issue affects Quiz Maker: from n/a through 6.6.8.7.
[CVE-2025-30774] [Quiz Maker: 6.6.8.7→6.6.8.8] quiz-maker.php AI: No vulnerabilities 1 true positive
--- cache/quiz-maker_6.6.8.7/quiz-maker.php	2025-11-20 22:13:16.690817843 +0000+++ cache/quiz-maker_6.6.8.8/quiz-maker.php	2025-11-20 22:19:31.480858134 +0000@@ -16,7 +16,7 @@  * Plugin Name:       Quiz Maker  * Plugin URI:        https://ays-pro.com/wordpress/quiz-maker  * Description:       Create powerful and engaging quizzes, tests, and exams in minutes. Build an unlimited number of quizzes and questions.- * Version:           6.6.8.7+ * Version:           6.6.8.8  * Author:            Quiz Maker team  * Author URI:        https://ays-pro.com/  * License:           GPL-2.0+@@ -36,8 +36,8 @@  * Start at version 1.0.0 and use SemVer - https://semver.org  * Rename this for your plugin and update it as you release new versions.  */-define( 'AYS_QUIZ_NAME_VERSION', '6.6.8.7' );-define( 'AYS_QUIZ_VERSION', '6.6.8.7' );+define( 'AYS_QUIZ_NAME_VERSION', '6.6.8.8' );+define( 'AYS_QUIZ_VERSION', '6.6.8.8' ); define( 'AYS_QUIZ_NAME', 'quiz-maker' );  if( ! defined( 'AYS_QUIZ_BASENAME' ) )
AI Analysis
Vulnerability Existed: no
No vulnerability found - No CWE - quiz-maker.php 16-36
Old Code:
```php
 * Version:           6.6.8.7
...
define( 'AYS_QUIZ_NAME_VERSION', '6.6.8.7' );
define( 'AYS_QUIZ_VERSION', '6.6.8.7' );
```
Fixed Code:
```php
 * Version:           6.6.8.8
...
define( 'AYS_QUIZ_NAME_VERSION', '6.6.8.8' );
define( 'AYS_QUIZ_VERSION', '6.6.8.8' );
```

Explanation:
The diff shows only version number changes from 6.6.8.7 to 6.6.8.8 in the plugin header comment and constant definitions. These are hardcoded string values that contain no user input, no dynamic data processing, and no security-sensitive operations. The changes are purely version updates with no code logic modifications that could introduce or fix vulnerabilities.
CVE Analysis Results:
CVE-2025-30774: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Quiz Maker allows SQL Injection. This issue affects Quiz Maker: from n/a through 6.6.8.7.
[CVE-2025-31534] [Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays: 3.2.5→3.2.6] index.php AI: 1 vulnerabilities CVE-2025-31534
--- cache/shopper_3.2.5/index.php	2025-11-20 18:33:27.791684953 +0000+++ cache/shopper_3.2.6/index.php	2025-11-20 18:34:27.085494067 +0000@@ -3,13 +3,13 @@    Plugin Name: Shopper  - Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays
    Plugin URI: https://www.shopper.com/
    description: The ultimate affiliate marketing plugin to boost your earnings: easy affiliate link management, 25K+ brand partnerships, high converting product displays, link break alerts & more.
-   Version: 3.2.5
+   Version: 3.2.6
    Author: Shopper.com
    */
 
 define('SHOPPER_MY_PLUGIN_URL', plugin_dir_url(__FILE__));  //plugin url
 define('SHOPPER_MY_PLUGIN_PATH', plugin_dir_path(__FILE__));  //plugin path
-define('SHOPPER_MY_PLUGIN_VER', '3.2.5');
+define('SHOPPER_MY_PLUGIN_VER', '3.2.6');
 global $shopper_dotcom_db_version;
 $shopper_dotcom_db_version = '2.7';
 
@@ -90,7 +90,7 @@   $sql_new_table = array();
   $sql_update = array(); //for db updates if any
   $spcom_auth = $wpdb->prefix . "shopper_dot_com_auth";
-  if ($wpdb->get_var("show tables like '" . $spcom_auth . "'") !== $spcom_auth) {
+  if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_auth)) !== $spcom_auth) {
     $sql_new_table[] = "CREATE TABLE " . $spcom_auth . "(
               `id` int(11) NOT NULL AUTO_INCREMENT,
               `api_token` text,
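
Review bot: `$wpdb->prepare("SHOW TABLES LIKE %s", $spcom_auth)` quotes and escapes the value correctly, but `%s` does not escape LIKE wildcards, and `$wpdb->prefix` normally ends in `_`, which is a single-character wildcard in LIKE, so the pattern is slightly looser than intended; the `!== $spcom_auth` comparison keeps the check correct, and `$wpdb->esc_like($spcom_auth)` inside the placeholder would make the pattern literal. Since `$spcom_auth` is built from `$wpdb->prefix` rather than request data, this hunk and the identical SHOW TABLES checks in the following hunks are hardening rather than the fix for the reported injection; the `CREATE TABLE " . $spcom_auth . "` concatenation is unchanged, which is acceptable for the same reason.
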
@@ -108,7 +108,7 @@             ) $charset_collate;";
   }
   $spcom_store = $wpdb->prefix . "shopper_dot_com_store";
-  if ($wpdb->get_var("show tables like '" . $spcom_store . "'") !== $spcom_store) {
+  if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_store)) !== $spcom_store) {
     $sql_new_table[] = "CREATE TABLE " . $spcom_store . " (
               `id` int(11) NOT NULL AUTO_INCREMENT,
               `store_name` varchar(255) NOT NULL,
@@ -125,7 +125,7 @@             ) $charset_collate;";
   }
   $spcom_all_collections = $wpdb->prefix . "shopper_dot_com_all_collections";
-  if ($wpdb->get_var("show tables like '" . $spcom_all_collections . "'") !== $spcom_all_collections) {
+  if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_all_collections)) !== $spcom_all_collections) {
     $sql_new_table[] = "CREATE TABLE " . $spcom_all_collections . "(
             `id` int(11) NOT NULL AUTO_INCREMENT,
             `collection_id` varchar(255) NOT NULL,
@@ -145,7 +145,7 @@             ) $charset_collate;";
   }
   $collection_products = $wpdb->prefix . "shopper_dot_com_collection_products";
-  if ($wpdb->get_var("show tables like '" . $collection_products . "'") !== $collection_products) {
+  if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $collection_products)) !== $collection_products) {
     $sql_new_table[] = "CREATE TABLE " . $collection_products . "(
             `id` int(11) NOT NULL AUTO_INCREMENT,
             `collection_id` varchar(255) NOT NULL,
@@ -164,7 +164,7 @@             ) $charset_collate;";
   }
   $spcom_aff_slugs = $wpdb->prefix . "shopper_dot_com_aff_slugs";
-  if ($wpdb->get_var("show tables like '" . $spcom_aff_slugs . "'") !== $spcom_aff_slugs) {
+  if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_aff_slugs)) !== $spcom_aff_slugs) {
     $sql_new_table[] = "CREATE TABLE " . $spcom_aff_slugs . "(
               `id` int(11) NOT NULL AUTO_INCREMENT,
               `slug` text,
@@ -172,7 +172,7 @@             ) $charset_collate;";
   }
   $spcom_themes = $wpdb->prefix . "shopper_dot_com_themes";
-  if ($wpdb->get_var("show tables like '" . $spcom_themes . "'") !== $spcom_themes) {
+  if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_themes)) !== $spcom_themes) {
     $sql_new_table[] = "CREATE TABLE " . $spcom_themes . "(
               `id` int(11) NOT NULL AUTO_INCREMENT,
               `value` varchar(255) NOT NULL,
@@ -186,7 +186,7 @@   }
 
   $spcom_global_settings = $wpdb->prefix . "shopper_dot_com_global_settings";
-  if ($wpdb->get_var("show tables like '" . $spcom_global_settings . "'") !== $spcom_global_settings) {
+  if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_global_settings)) !== $spcom_global_settings) {
     $sql_new_table[] = "CREATE TABLE " . $spcom_global_settings . "(
               `id` int(11) NOT NULL AUTO_INCREMENT,
               `default_props` json NOT NULL,
@@ -197,11 +197,11 @@   $installed_db_ver = get_option("shopper_dotcom_db_version");
   if ($installed_db_ver < $shopper_dotcom_db_version) { // DB Auto update section
     $spcom_connection = $wpdb->prefix . "shopper_dot_com_connection";
-    if ($wpdb->get_var("show tables like '" . $spcom_connection . "'") == $spcom_connection) {
-      $sql_update[] = $wpdb->query($wpdb->prepare("DROP TABLE $spcom_connection"));
+    if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_connection)) == $spcom_connection) {
+      $sql_update[] = $wpdb->query($wpdb->prepare("DROP TABLE %s", $spcom_connection));
     }
 
-    if ($wpdb->get_var("show tables like '" . $spcom_aff_slugs . "'") !== $spcom_aff_slugs) {
+    if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_aff_slugs)) !== $spcom_aff_slugs) {
       $sql_update[] = "CREATE TABLE " . $spcom_aff_slugs . "(
               `id` int(11) NOT NULL AUTO_INCREMENT,
               `slug` text,
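
Review bot: `$wpdb->prepare("DROP TABLE %s", $spcom_connection)` is incorrect: `%s` is rendered as a single-quoted string literal, so the statement becomes `DROP TABLE 'wp_shopper_dot_com_connection'`, which MySQL rejects as a syntax error because a table name is an identifier, not a string. The old table is therefore never dropped on upgrade and `$sql_update[]` just records the `false` return. Use the identifier placeholder `%i` (available since WordPress 6.2), or keep the interpolated name wrapped in backticks inside the SQL, since it derives from `$wpdb->prefix` and not from the request.
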
@@ -209,7 +209,7 @@             ) $charset_collate;";
     }
 
-    if ($wpdb->get_var("show tables like '" . $spcom_themes . "'") !== $spcom_themes) {
+    if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_themes)) !== $spcom_themes) {
       $sql_update[] = "CREATE TABLE " . $spcom_themes . "(
         `id` int(11) NOT NULL AUTO_INCREMENT,
         `value` varchar(255) NOT NULL,
@@ -224,100 +224,100 @@ 
     //Add columns if not present.
     // Check if $collection_products table exists
-    if ($wpdb->get_var("SHOW TABLES LIKE '$collection_products'") == $collection_products) {
+    if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $collection_products)) == $collection_products) {
 
       // Check if pdt_slug column exists in $collection_products table
-      $pdt_slug_exists = $wpdb->get_var("SHOW COLUMNS FROM $collection_products LIKE 'pdt_slug'");
+      $pdt_slug_exists = $wpdb->get_var($wpdb->prepare("SHOW COLUMNS FROM $collection_products LIKE %s", 'pdt_slug'));
 
       // Check if pdt_name_slug column exists in $collection_products table
-      $pdt_name_slug_exists = $wpdb->get_var("SHOW COLUMNS FROM $collection_products LIKE 'pdt_name_slug'");
+      $pdt_name_slug_exists = $wpdb->get_var($wpdb->prepare("SHOW COLUMNS FROM $collection_products LIKE %s", 'pdt_name_slug'));
 
       // Check if any of the columns don't exist, then add them
       if (empty($pdt_slug_exists)) {
-        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE $collection_products ADD pdt_slug varchar(255)"));
+        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE %s ADD pdt_slug varchar(255)", $collection_products));
       }
       if (empty($pdt_name_slug_exists)) {
-        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE $collection_products ADD pdt_name_slug varchar(255)"));
+        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE %s ADD pdt_name_slug varchar(255)", $collection_products));
       }
     }
 
     // Check if $spcom_all_collections table exists
-    if ($wpdb->get_var("SHOW TABLES LIKE '$spcom_all_collections'") == $spcom_all_collections) {
+    if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_all_collections)) == $spcom_all_collections) {
 
       // Check if colln_slug column exists in $spcom_all_collections table
-      $colln_slug_exists = $wpdb->get_var("SHOW COLUMNS FROM $spcom_all_collections LIKE 'colln_slug'");
+      $colln_slug_exists = $wpdb->get_var($wpdb->prepare("SHOW COLUMNS FROM $spcom_all_collections LIKE %s", 'colln_slug'));
 
       // Check if colln_name_slug column exists in $spcom_all_collections table
-      $colln_name_slug_exists = $wpdb->get_var("SHOW COLUMNS FROM $spcom_all_collections LIKE 'colln_name_slug'");
+      $colln_name_slug_exists = $wpdb->get_var($wpdb->prepare("SHOW COLUMNS FROM $spcom_all_collections LIKE %s", 'colln_name_slug'));
 
       // Check if any of the columns don't exist, then add them
       if (empty($colln_slug_exists)) {
-        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE $spcom_all_collections ADD colln_slug varchar(255)"));
+        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE %s ADD colln_slug varchar(255)", $spcom_all_collections));
       }
       if (empty($colln_name_slug_exists)) {
-        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE $spcom_all_collections ADD colln_name_slug varchar(255)"));
+        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE %s ADD colln_name_slug varchar(255)", $spcom_all_collections));
       }
     }
 
     // Check if $spcom_store table exists
-    if ($wpdb->get_var("SHOW TABLES LIKE '$spcom_store'") == $spcom_store) {
+    if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_store)) == $spcom_store) {
 
       // Check if link_cloaking_slug_type column exists in $spcom_store table
       $link_slug_type = $wpdb->get_results($wpdb->prepare(
-        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s ",
+        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s",
         DB_NAME,
         $spcom_store,
         'link_cloaking_slug_type'
       ));
       if (empty($link_slug_type)) {
-        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE $spcom_store ADD link_cloaking_slug_type varchar(255) DEFAULT 'slug'"));
+        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE %s ADD link_cloaking_slug_type varchar(255) DEFAULT 'slug'", $spcom_store));
       }
 
       // Check if link_cloaking_redirect_type column exists in $spcom_store table
       $link_rdrt_type = $wpdb->get_results($wpdb->prepare(
-        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s ",
+        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s",
         DB_NAME,
         $spcom_store,
         'link_cloaking_redirect_type'
       ));
       if (empty($link_rdrt_type)) {
-        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE $spcom_store ADD link_cloaking_redirect_type int DEFAULT 302"));
+        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE %s ADD link_cloaking_redirect_type int DEFAULT 302", $spcom_store));
       }
 
       // Check if link_cloaking_prefix column exists in $spcom_store table
       $link_cloaking_prefix = $wpdb->get_results($wpdb->prepare(
-        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s ",
+        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s",
         DB_NAME,
         $spcom_store,
         'link_cloaking_prefix'
       ));
       if (empty($link_cloaking_prefix)) {
-        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE $spcom_store ADD link_cloaking_prefix varchar(255) DEFAULT 'p'"));
+        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE %s ADD link_cloaking_prefix varchar(255) DEFAULT 'p'", $spcom_store));
       }
 
       // Check if link_cloaking_prefix_custom column exists in $spcom_store table
       $link_cloaking_prefix_custom = $wpdb->get_results($wpdb->prepare(
-        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s ",
+        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s",
         DB_NAME,
         $spcom_store,
         'link_cloaking_prefix_custom'
       ));
       if (empty($link_cloaking_prefix_custom)) {
-        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE $spcom_store ADD link_cloaking_prefix_custom varchar(255) DEFAULT 'p'"));
+        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE %s ADD link_cloaking_prefix_custom varchar(255) DEFAULT 'p'", $spcom_store));
       }
     }
 
     // Check if $spcom_auth table exists
-    if ($wpdb->get_var("SHOW TABLES LIKE '$spcom_auth'") == $spcom_auth) {
+    if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $spcom_auth)) == $spcom_auth) {
       // Check if enable_referral_link column exists in $spcom_auth table
       $enable_referral_link = $wpdb->get_results($wpdb->prepare(
-        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s ",
+        "SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = %s AND TABLE_NAME = %s AND COLUMN_NAME = %s",
         DB_NAME,
         $spcom_auth,
         'enable_referral_link'
       ));
       if (empty($enable_referral_link)) {
-        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE $spcom_auth ADD enable_referral_link int DEFAULT 1"));
+        $sql_update[] = $wpdb->query($wpdb->prepare("ALTER TABLE %s ADD enable_referral_link int DEFAULT 1", $spcom_auth));
       }
     }
   }
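
Review bot: every `ALTER TABLE %s ADD ...` in this hunk has the same identifier-as-string-literal problem, for example `$wpdb->prepare("ALTER TABLE %s ADD pdt_slug varchar(255)", $collection_products)`: prepare emits `ALTER TABLE 'wp_..._collection_products' ADD ...`, a syntax error, so none of these column migrations run on upgraded sites and the failure is not surfaced. Use `%i` for the table name or interpolate it with backticks. The `SHOW COLUMNS FROM $collection_products LIKE %s` calls with a constant column name are harmless but add nothing; the `INFORMATION_SCHEMA.COLUMNS` queries binding schema, table and column through `%s` are the right pattern and were already correct before this change.
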
@@ -403,8 +403,8 @@ {
   global $wpdb;
   $shopper_store = $wpdb->prefix . "shopper_dot_com_store";
-  if ($wpdb->get_var("SHOW TABLES LIKE '$shopper_store'") == $shopper_store) {
-    $query_setting = "SELECT * FROM $shopper_store ";
+  if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $shopper_store)) == $shopper_store) {
+    $query_setting = $wpdb->prepare("SELECT * FROM $shopper_store");
     $setting_result = $wpdb->get_row($query_setting);
     $settting_Array = json_decode(json_encode($setting_result), true);
     $store_name = $settting_Array ? $settting_Array['store_name'] : "store";
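
Review bot: `$wpdb->prepare("SELECT * FROM $shopper_store")` contains no placeholder, so `wpdb::prepare()` raises a `_doing_it_wrong` notice ("must have a placeholder") and returns the string essentially unchanged; it adds no protection because the table name is still interpolated into the query before prepare sees it. As `$shopper_store` comes from `$wpdb->prefix`, either drop the `prepare()` wrapper or bind the name with `$wpdb->prepare("SELECT * FROM %i", $shopper_store)`.
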
@@ -414,8 +414,8 @@       register_post_type(
         'shopper_dot_com_cpt',
         array(
-          'public'      => true,
-          'has_archive'  => $store_name,
+          'public' => true,
+          'has_archive' => $store_name,
           'publicly_queriable' => true,
         )
       );
@@ -441,12 +441,13 @@       }
       add_action('init', 'delete_shopper_dot_com_cpt', 100);
     }
+
     if ($settting_Array && $aff_slug) {
       register_post_type(
         'spcom_aff_cpt',
         array(
-          'public'      => true,
-          'has_archive'  => $aff_slug,
+          'public' => true,
+          'has_archive' => $aff_slug,
           'publicly_queriable' => true,
         )
       );
@@ -463,11 +464,13 @@       add_rewrite_tag('%slug_id%', '([^/]*)');
 
       $spcom_aff_slugs = $wpdb->prefix . "shopper_dot_com_aff_slugs";
-      $aff_table_query_string = "SELECT * FROM $spcom_aff_slugs ";
+      $aff_table_query_string = $wpdb->prepare("SELECT * FROM $spcom_aff_slugs");
       $aff_table_query_result = $wpdb->get_results($aff_table_query_string);
       $aff_redrn_slugs_data = json_decode(json_encode($aff_table_query_result), true);
       foreach ($aff_redrn_slugs_data as $slug_obj) {
-        add_rewrite_rule($slug_obj['slug'] . '/([^/]*)/?$', 'index.php?post_type=spcom_aff_cpt&slug_id=$matches[1]', 'top');
+        // Ensure slug is safe before using in rewrite rule
+        $safe_slug = sanitize_title($slug_obj['slug']);
+        add_rewrite_rule($safe_slug . '/([^/]*)/?$', 'index.php?post_type=spcom_aff_cpt&slug_id=$matches[1]', 'top');
       }
     }
 
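
Review bot: `sanitize_title($slug_obj['slug'])` before `add_rewrite_rule()` is a worthwhile addition, since the slug is concatenated into a regular expression and was previously used unescaped; note that it also changes behaviour for existing rows whose stored slug contains characters `sanitize_title()` removes or lowercases, because the generated rule will no longer match the stored value, so the same normalisation should be applied when slugs are written to `shopper_dot_com_aff_slugs`. The `$wpdb->prepare("SELECT * FROM $spcom_aff_slugs")` has no placeholder, triggers prepare's `_doing_it_wrong` notice and adds no protection; `%i` or no prepare at all would be cleaner.
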
@@ -561,27 +564,41 @@   $all_collections = $wpdb->prefix . "shopper_dot_com_all_collections";
   $shopper_connection_table = $wpdb->prefix . "shopper_dot_com_auth";
   $shopper_store_table = $wpdb->prefix . "shopper_dot_com_store";
-  $is_free_plan = $rem_collns = $rem_pdts = $redirect_slug =  0;
+  $is_free_plan = $rem_collns = $rem_pdts = $redirect_slug = 0;
   $enable_referral_link = 1;
 
-  $query_select = "SELECT * FROM $shopper_connection_table";
-  $store_data = "SELECT * FROM $shopper_store_table";
+  $query_select = $wpdb->prepare("SELECT * FROM $shopper_connection_table");
+  $store_data = $wpdb->prepare("SELECT * FROM $shopper_store_table");
+  
   $select_result = $wpdb->get_row($query_select);
   $store_data_row = $wpdb->get_row($store_data);
+  
   $connectionArray = json_decode(json_encode($select_result), true);
   $store_array = json_decode(json_encode($store_data_row), true);
+  
   if ($connectionArray) {
-    $is_free_plan = $connectionArray['is_free_plan'];
-    $rem_collns = $connectionArray['rem_coll_count'];
-    $rem_pdts = $connectionArray['rem_prod_count'];
-    $enable_referral_link = $connectionArray['enable_referral_link'];
+    $is_free_plan = isset($connectionArray['is_free_plan']) ? (int)$connectionArray['is_free_plan'] : 0;
+    $rem_collns = isset($connectionArray['rem_coll_count']) ? (int)$connectionArray['rem_coll_count'] : 0;
+    $rem_pdts = isset($connectionArray['rem_prod_count']) ? (int)$connectionArray['rem_prod_count'] : 0;
+    $enable_referral_link = isset($connectionArray['enable_referral_link']) ? (int)$connectionArray['enable_referral_link'] : 1;
   }
+  
   if ($store_array) {
-    $redirect_slug = $store_array['link_cloaking_prefix_custom'];
+    $redirect_slug = isset($store_array['link_cloaking_prefix_custom']) ? sanitize_text_field($store_array['link_cloaking_prefix_custom']) : 'p';
   }
-  $query_all_colltns = $wpdb->get_results("SELECT * FROM $all_collections", ARRAY_A);
-  $query_all_pdts    = $wpdb->get_results("SELECT * FROM $colln_products", ARRAY_A);
-  return array($query_all_pdts, $query_all_colltns, $is_free_plan, $rem_collns, $rem_pdts, $redirect_slug, $enable_referral_link);
+
+  $query_all_colltns = $wpdb->get_results($wpdb->prepare("SELECT * FROM $all_collections"), ARRAY_A);
+  $query_all_pdts = $wpdb->get_results($wpdb->prepare("SELECT * FROM $colln_products"), ARRAY_A);
+  
+  return array(
+    $query_all_pdts, 
+    $query_all_colltns, 
+    $is_free_plan, 
+    $rem_collns, 
+    $rem_pdts, 
+    $redirect_slug, 
+    $enable_referral_link
+  );
 }
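
Review bot: the `isset()` guards and `(int)` casts on the connection row are fine, but `$redirect_slug` now falls back to `'p'` when `link_cloaking_prefix_custom` is missing, while it is initialised to `0` a few lines above and previously stayed `0` in that case; any caller that tests `$redirect_slug` for falsiness changes behaviour, so either align the initial value with `'p'` or keep `0`. The four `$wpdb->prepare("SELECT * FROM $table")` calls (`$shopper_connection_table`, `$shopper_store_table`, `$all_collections`, `$colln_products`) have no placeholder and therefore add no protection while raising a `_doing_it_wrong` notice; these names come from `$wpdb->prefix`, not from the request, so they are not where injection was possible.
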
 
 add_action('rest_api_init', function () {
@@ -595,12 +612,33 @@ function search_shopper_items($data)
 {
   global $wpdb;
-  $search_text = "%" . str_replace("%", " ", $data->get_param('searchtext')) . "%";
+  
+  $search_text = sanitize_text_field($data->get_param('searchtext'));
+  $like_search_text = '%' . $wpdb->esc_like($search_text) . '%';
+  
   $colln_products = $wpdb->prefix . "shopper_dot_com_collection_products";
   $all_collections = $wpdb->prefix . "shopper_dot_com_all_collections";
-  $searched_product    = $wpdb->get_results('SELECT * FROM ' . $colln_products . ' WHERE product_title LIKE "' . $search_text . '"', ARRAY_A);
-  $searched_collection    = $wpdb->get_results('SELECT * FROM ' . $all_collections . ' WHERE collection_title LIKE "' . $search_text . '"', ARRAY_A);
-  return array($searched_product, $searched_collection);
+  
+  $searched_product = $wpdb->get_results(
+    $wpdb->prepare(
+      "SELECT * FROM $colln_products WHERE product_title LIKE %s",
+      $like_search_text
+    ),
+    ARRAY_A
+  );
+  
+  $searched_collection = $wpdb->get_results(
+    $wpdb->prepare(
+      "SELECT * FROM $all_collections WHERE collection_title LIKE %s", 
+      $like_search_text
+    ),
+    ARRAY_A
+  );
+  
+  return array(
+    'products' => $searched_product,
+    'collections' => $searched_collection
+  );
 }
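
Review bot: this hunk is the substantive fix for the search endpoint: the old code built `product_title LIKE "..."` by concatenating `searchtext`, with only `%` replaced by a space, so quotes in the parameter reached the query unescaped; `sanitize_text_field()` followed by `$wpdb->esc_like()` inside a `%s` placeholder is the correct pattern, and `esc_like()` also fixes the `_` wildcard the old replacement ignored. Note the return value changes from the positional `array($searched_product, $searched_collection)` to the keyed `'products'`/`'collections'`, which breaks any REST client reading index 0 and 1; either keep the positional shape or call the change out in the changelog.
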
 
 add_action('rest_api_init', function () {
@@ -613,11 +651,21 @@ 
 function get_shopper_collectionproducts($data)
 {
-  global $wpdb;
-  $collctn_id = $data->get_param('collctn_id');
-  $collection_products = $wpdb->prefix . "shopper_dot_com_collection_products";
-  $collectionproducts  = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE collection_id = "' . $collctn_id . '"', ARRAY_A);
-  return $collectionproducts;
+    global $wpdb;
+    
+    $collctn_id = sanitize_text_field($data->get_param('collctn_id'));
+    
+    $collection_products = $wpdb->prefix . "shopper_dot_com_collection_products";
+    
+    $collectionproducts = $wpdb->get_results(
+        $wpdb->prepare(
+            "SELECT * FROM $collection_products WHERE collection_id = %s",
+            $collctn_id
+        ),
+        ARRAY_A
+    );
+    
+    return $collectionproducts;
 }
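
Review bot: binding `collection_id = %s` with `$collctn_id` correctly replaces the concatenated `collection_id = "..."` query, and `%s` rather than `%d` is right because `collection_id` is declared `varchar(255)` in the CREATE TABLE earlier in this diff. Style: the function body is re-indented to four spaces while the surrounding file uses two, which makes this hunk noisier than the one-line fix it contains.
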
 
 add_action('rest_api_init', function () {
@@ -628,13 +676,21 @@   ));
 });
 
-function get_user_themes($request)
-{
+function get_user_themes($request) {
   global $wpdb;
-  $layout = $request->get_param('layout');
+  
+  $layout = sanitize_text_field($request->get_param('layout'));
   $themes_db = $wpdb->prefix . "shopper_dot_com_themes";
-  $user_themes = $wpdb->get_results('SELECT * FROM ' . $themes_db . ' WHERE layout LIKE "' . "%" . $layout . "%" . '"', ARRAY_A);
-  return $user_themes;
+  
+  $user_themes = $wpdb->get_results(
+      $wpdb->prepare(
+          "SELECT * FROM $themes_db WHERE layout LIKE %s",
+          '%' . $wpdb->esc_like($layout) . '%'
+      ),
+      ARRAY_A
+  );
+  
+  return $user_themes ?: [];
 }
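
Review bot: `'%' . $wpdb->esc_like($layout) . '%'` passed through `%s` is the correct replacement for the concatenated `LIKE "%...%"` and closes the same injection pattern as in `search_shopper_items()`. `return $user_themes ?: [];` changes the result of a failed query from `null` to an empty array, a sensible normalisation for a REST response but a visible change worth noting. The inner `$wpdb->get_results(` block is indented with six spaces against the two-space function body.
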
 
 add_action('rest_api_init', function () {
@@ -645,23 +701,48 @@   ));
 });
 
-function save_user_theme($request)
-{
+function save_user_theme($request) {
   global $wpdb;
+  
   $themes_db = $wpdb->prefix . "shopper_dot_com_themes";
   $parameters = $request->get_params();
-  $theme_props =  json_decode($parameters[0], true);
-  $existing_themes = $wpdb->get_col('SELECT value FROM ' . $themes_db);
-  if (in_array($theme_props["theme_name"], $existing_themes)) {
-    return "duplicate";
-  }
-  $sql = $wpdb->insert($themes_db, array(
-    'value' => $theme_props["theme_name"],
-    'label' => $theme_props["theme_name"],
-    'layout' => $theme_props["layout"],
-    'theme_props' => $parameters[0],
-  ));
-  if ($sql) return "created";
+  
+  if (empty($parameters[0])) {
+      return new WP_Error('invalid_data', 'Invalid theme data', ['status' => 400]);
+  }
+  
+  $theme_props = json_decode(wp_unslash($parameters[0]), true);
+  if (json_last_error() !== JSON_ERROR_NONE) {
+      return new WP_Error('invalid_json', 'Invalid JSON data', ['status' => 400]);
+  }
+  
+  $theme_name = sanitize_text_field($theme_props["theme_name"] ?? '');
+  $layout = sanitize_text_field($theme_props["layout"] ?? '');
+  
+  if (empty($theme_name) || empty($layout)) {
+      return new WP_Error('missing_data', 'Theme name and layout are required', ['status' => 400]);
+  }
+  
+  // Check for existing theme using prepared statement
+  $existing_themes = $wpdb->get_col(
+      $wpdb->prepare("SELECT value FROM $themes_db WHERE value = %s", $theme_name)
+  );
+  
+  if (!empty($existing_themes)) {
+      return "duplicate";
+  }
+  
+  $result = $wpdb->insert($themes_db, [
+      'value' => $theme_name,
+      'label' => $theme_name,
+      'layout' => $layout,
+      'theme_props' => wp_json_encode($theme_props), // Re-encode to ensure valid JSON
+      'is_user_theme' => 1
+  ], [
+      '%s', '%s', '%s', '%s', '%d'
+  ]);
+  
+  return $result ? "created" : new WP_Error('db_error', 'Failed to create theme', ['status' => 500]);
 }
 
 add_action('rest_api_init', function () {
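Review bot: the insert now writes an `is_user_theme` column with a `%d` format that the pre-patch code never touched; if the table schema is not migrated in the same release, `$wpdb->insert()` returns false and every save reports `db_error`. Also, only `theme_name` and `layout` are sanitized; the rest of `$theme_props` is stored verbatim via `wp_json_encode()`, which is fine for the SQL fix but means whatever renders `theme_props` must escape those values on output.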
@@ -672,15 +753,45 @@   ));
 });
 
-function update_user_theme($request)
-{
+function update_user_theme($request) {
   global $wpdb;
+  
   $themes_db = $wpdb->prefix . "shopper_dot_com_themes";
   $parameters = $request->get_params();
-  $theme_props =  json_decode($parameters[0], true);
-  $existing_theme_id  = $wpdb->get_var('SELECT id FROM ' . $themes_db . ' WHERE value = "' . $theme_props["theme_name"] . '"');
-  $sql = $wpdb->update($themes_db, array('theme_props' => $parameters[0]), array('ID' => $existing_theme_id));
-  if ($sql) return "updated";
+  
+  if (empty($parameters[0])) {
+      return new WP_Error('invalid_data', 'Invalid theme data', ['status' => 400]);
+  }
+  
+  $theme_props = json_decode(wp_unslash($parameters[0]), true);
+  if (json_last_error() !== JSON_ERROR_NONE) {
+      return new WP_Error('invalid_json', 'Invalid JSON data', ['status' => 400]);
+  }
+  
+  $theme_name = sanitize_text_field($theme_props["theme_name"] ?? '');
+  if (empty($theme_name)) {
+      return new WP_Error('missing_name', 'Theme name is required', ['status' => 400]);
+  }
+  
+  // Get existing theme ID with prepared statement
+  $existing_theme_id = $wpdb->get_var(
+      $wpdb->prepare("SELECT id FROM $themes_db WHERE value = %s", $theme_name)
+  );
+  
+  if (!$existing_theme_id) {
+      return new WP_Error('not_found', 'Theme not found', ['status' => 404]);
+  }
+  
+  // Update with prepared statement
+  $result = $wpdb->update(
+      $themes_db,
+      ['theme_props' => wp_json_encode($theme_props)],
+      ['ID' => $existing_theme_id],
+      ['%s'],
+      ['%d']
+  );
+  
+  return $result ? "updated" : new WP_Error('db_error', 'Failed to update theme', ['status' => 500]);
 }
 
 add_action('rest_api_init', function () {
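Review bot: `$wpdb->update()` returns 0 when the row exists but nothing changed, and the final `return $result ? "updated" : new WP_Error('db_error', ...)` turns that into a 500. The delete hunk below distinguishes `=== false` from 0; do the same here so re-saving an unchanged theme is not reported as a database failure.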
@@ -691,13 +802,26 @@   ));
 });
 
-function delete_user_theme($request)
-{
+function delete_user_theme($request) {
   global $wpdb;
+  
   $themes_db = $wpdb->prefix . "shopper_dot_com_themes";
-  $theme_name = $request->get_param('theme_name');
-  $sql = $wpdb->query($wpdb->prepare("DELETE FROM $themes_db WHERE value = '$theme_name'"));
-  if ($sql) return "deleted";
+  $theme_name = sanitize_text_field($request->get_param('theme_name'));
+  
+  if (empty($theme_name)) {
+      return new WP_Error('missing_name', 'Theme name is required', ['status' => 400]);
+  }
+  
+  // Use proper prepared statement
+  $result = $wpdb->query(
+      $wpdb->prepare("DELETE FROM $themes_db WHERE value = %s", $theme_name)
+  );
+  
+  if ($result === false) {
+      return new WP_Error('db_error', 'Failed to delete theme', ['status' => 500]);
+  }
+  
+  return $result ? "deleted" : "not_found";
 }
 
 add_action('rest_api_init', function () {
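Review bot: the removed line is the actual bug, `$wpdb->prepare()` called on a string with `'$theme_name'` already interpolated and no placeholder, so nothing was escaped; binding with `%s` is the right fix. One side effect of the added `sanitize_text_field()`: a theme whose stored `value` contains characters that function strips can no longer be matched and deleted. The `%s` binding alone is what makes the query safe, so the sanitization is an input-validation choice rather than part of the fix and should be applied consistently with how `save_user_theme()` stores the name.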
@@ -710,15 +834,23 @@ 
 function get_global_props()
 {
-  global $wpdb;
-  $global_db = $wpdb->prefix . "shopper_dot_com_global_settings";
-  $global_query = "SELECT default_props FROM $global_db";
-  $global_data_row = $wpdb->get_row($global_query);
-  if ($global_data_row) {
-    $global_data_row = json_decode(json_encode($global_data_row), true);
-    return $global_data_row;
-  }
-  return false;
+    global $wpdb;
+    $global_db = $wpdb->prefix . "shopper_dot_com_global_settings";
+    
+    // Use wpdb->prepare to safely create the SQL query
+    $global_query = $wpdb->prepare(
+        "SELECT default_props FROM %i",
+        $global_db
+    );
+    
+    $global_data_row = $wpdb->get_row($global_query);
+    
+    if ($global_data_row) {
+        $global_data_row = json_decode(json_encode($global_data_row), true);
+        return $global_data_row;
+    }
+    
+    return false;
 }
 
 add_action('rest_api_init', function () {
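Review bot: the `%i` identifier placeholder was added to `wpdb::prepare()` in WordPress 6.2; on older cores the literal `%i` stays in the query and the SELECT fails. Confirm the plugin's `Requires at least` header covers this, or keep the interpolated `$wpdb->prefix`-derived name, which carries no user input and was not an injection point in the first place.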
@@ -729,15 +861,16 @@   ));
 });
 
-function get_user_name()
-{
+function get_user_name() {
   global $wpdb;
   $shopper_connection_table = $wpdb->prefix . "shopper_dot_com_auth";
-  $query_select = "SELECT * FROM $shopper_connection_table";
-  $select_result = $wpdb->get_row($query_select);
-  $ConnectionArray = json_decode(json_encode($select_result), true);
-  if ($ConnectionArray) {
-    return $ConnectionArray['user_name'];
+  $select_result = $wpdb->get_row(
+      $wpdb->prepare("SELECT * FROM $shopper_connection_table LIMIT 1"),
+      ARRAY_A
+  );
+  
+  if ($select_result && isset($select_result['user_name'])) {
+      return sanitize_text_field($select_result['user_name']);
   }
   return false;
 }
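Review bot: `$wpdb->prepare("SELECT * FROM $shopper_connection_table LIMIT 1")` has no placeholder, and `wpdb::prepare()` raises a `_doing_it_wrong()` notice when called without one; there is nothing to bind, so pass the string to `$wpdb->get_row()` directly or use `%i` for the table name as `get_global_props()` does. Also, `sanitize_text_field()` on a value read from the database is not output escaping; `user_name` still needs `esc_html()` or `esc_attr()` where it is printed.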
@@ -750,87 +883,86 @@   ));
 });
 
-function get_linkcloaking_slug_type()
-{
+function get_linkcloaking_slug_type() {
   global $wpdb;
   $shopper_store_table = $wpdb->prefix . "shopper_dot_com_store";
-  $query_select = "SELECT * FROM $shopper_store_table";
-  $select_result = $wpdb->get_row($query_select);
-  $storeArray = json_decode(json_encode($select_result), true);
-  if ($storeArray) {
-    return $storeArray['link_cloaking_slug_type'];
+  $select_result = $wpdb->get_row(
+      $wpdb->prepare("SELECT * FROM $shopper_store_table LIMIT 1"),
+      ARRAY_A
+  );
+  
+  if ($select_result && isset($select_result['link_cloaking_slug_type'])) {
+      return sanitize_text_field($select_result['link_cloaking_slug_type']);
   }
   return "name";
 }
 
 function getLassoData()
 {
-
-  global $wpdb;
-
-  $table1 = $wpdb->prefix . 'lasso_lite_url_details';
-  $table2 = $wpdb->prefix . 'posts';
-  $table3 = $wpdb->prefix . 'postmeta';
-
-  $query = "SELECT {$table2}.post_title AS 'Product Name', 
-                 {$table1}.redirect_url AS 'Product URL',
-                 '' AS 'Collection URL',
-                 thumbnail.meta_value AS 'Image URL',
-                 'auto' AS 'Affiliate Status',
-                 '' AS 'Affiliate URL',
-                 description.meta_value AS 'Description',
-                 '' AS 'Offer URL'
-          FROM {$table1}
-          JOIN {$table2} ON {$table1}.lasso_id = {$table2}.ID
-          LEFT JOIN {$table3} AS thumbnail ON {$table2}.ID = thumbnail.post_id 
-              AND thumbnail.meta_key = '_lasso_lite_custom_thumbnail'
-          LEFT JOIN {$table3} AS description ON {$table2}.ID = description.post_id 
-              AND description.meta_key = '_description'
-          WHERE {$table2}.post_status != 'trash'";
-
-  $results = $wpdb->get_results($query);
-
-  if (!empty($results)) {
-    $filename = 'shopper_product_template.csv';
-    $file = fopen($filename, 'w');
-
-    // Write the headers to the CSV file
-    $headers = array(
-      'Product Name (Mandatory)',
-      'Product URL (Mandatory)',
-      'Collection URL (Use semicolon to separate multiple URLs)',
-      'Image URL (Mandatory if auto-fetch image is not checked in the upload page)',
-      'Affiliate Status (auto/custom/disabled)',
-      'Affiliate URL (Mandatory when Affiliate status is “custom”)',
-      'Description',
-      'Offer URL (Shopper.com coupon or deal URL)'
+    global $wpdb;
+    $table1 = $wpdb->prefix . 'lasso_lite_url_details';
+    $table2 = $wpdb->prefix . 'posts';
+    $table3 = $wpdb->prefix . 'postmeta';
+    
+    $query = $wpdb->prepare(
+        "SELECT %i.post_title AS 'Product Name',
+        %i.redirect_url AS 'Product URL',
+        '' AS 'Collection URL',
+        thumbnail.meta_value AS 'Image URL',
+        'auto' AS 'Affiliate Status',
+        '' AS 'Affiliate URL',
+        description.meta_value AS 'Description',
+        '' AS 'Offer URL'
+        FROM %i
+        JOIN %i ON %i.lasso_id = %i.ID
+        LEFT JOIN %i AS thumbnail ON %i.ID = thumbnail.post_id
+        AND thumbnail.meta_key = '_lasso_lite_custom_thumbnail'
+        LEFT JOIN %i AS description ON %i.ID = description.post_id
+        AND description.meta_key = '_description'
+        WHERE %i.post_status != 'trash'",
+        $table2, $table1, $table1, $table2, $table1, $table2, $table3, $table2, $table3, $table2, $table2
     );
-    fputcsv($file, $headers);
-
-    foreach ($results as $result) {
-      // Access the fetched data for each row
-      $productTitle = $result->{'Product Name'};
-      $productURL = $result->{'Product URL'};
-      $collectionURL = '';
-      $imageURL = $result->{'Image URL'};
-      $affiliateStatus = 'auto';
-      $affiliateURL = '';
-      $description = $result->{'Description'};
-      $offerURL = '';
-
-      // Prepare the data for writing to the CSV file
-      $data = array($productTitle, $productURL, $collectionURL, $imageURL, $affiliateStatus, $affiliateURL, $description, $offerURL);
-      fputcsv($file, $data);
-    }
-
-    fclose($file);
-
-    // Download the generated CSV file
-    echo '<script>';
-    echo 'var link = document.createElement("a");';
-    echo 'link.href = ' . wp_json_encode($filename) . ';';
-    echo 'link.download = ' . wp_json_encode($filename) . ';';
-    echo 'link.click();';
-    echo '</script>';
-  }
-}
+    
+    $results = $wpdb->get_results($query);
+    
+    if (!empty($results)) {
+        $filename = 'shopper_product_template.csv';
+        $file = fopen($filename, 'w');
+        // Write the headers to the CSV file
+        $headers = array(
+            'Product Name (Mandatory)',
+            'Product URL (Mandatory)',
+            'Collection URL (Use semicolon to separate multiple URLs)',
+            'Image URL (Mandatory if auto-fetch image is not checked in the upload page)',
+            'Affiliate Status (auto/custom/disabled)',
+            'Affiliate URL (Mandatory when Affiliate status is "custom")',
+            'Description',
+            'Offer URL (Shopper.com coupon or deal URL)'
+        );
+        fputcsv($file, $headers);
+        
+        foreach ($results as $result) {
+            // Access the fetched data for each row
+            $productTitle = $result->{'Product Name'};
+            $productURL = $result->{'Product URL'};
+            $collectionURL = '';
+            $imageURL = $result->{'Image URL'};
+            $affiliateStatus = 'auto';
+            $affiliateURL = '';
+            $description = $result->{'Description'};
+            $offerURL = '';
+            $data = array($productTitle, $productURL, $collectionURL, $imageURL, $affiliateStatus, $affiliateURL, $description, $offerURL);
+            fputcsv($file, $data);
+        }
+        fclose($file);
+        
+        // Download the generated CSV file
+        $filename_escaped = esc_js($filename);
+        echo '<script>';
+        echo 'var link = document.createElement("a");';
+        echo "link.href = '$filename_escaped';";
+        echo "link.download = '$filename_escaped';";
+        echo 'link.click();';
+        echo '</script>';
+    }
+}\ No newline at end of file
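Review bot: same placeholder-less `$wpdb->prepare()` in `get_linkcloaking_slug_type()` as in the previous hunk. In `getLassoData()` the eleven `%i` arguments were checked against the placeholder order (table2, table1, table1, table2, table1, table2, table3, table2, table3, table2, table2) and they line up, though this query takes no user input, so the change is hygiene rather than an injection fix. Separately, `post_title` and `meta_value` are written to the downloadable CSV via `fputcsv()` without neutralizing a leading `=`, `+`, `-` or `@`; spreadsheet applications treat such cells as formulas, so prefix those characters with a single quote or a space before writing.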
AI Analysis
Vulnerability Existed: yes
SQL Injection - CWE-89 - index.php
CVE Analysis Results:
CVE-2025-31534: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shopperdotcom Shopper allows SQL Injection. This issue affects Shopper: from n/a through 3.2.5.
[CVE-2025-31534] [Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays: 3.2.5→3.2.6] templates/form.php AI: 3 vulnerabilities 1 false positive, 2 true positives CVE-2025-31534
--- cache/shopper_3.2.5/templates/form.php	2025-11-20 18:33:27.795685210 +0000+++ cache/shopper_3.2.6/templates/form.php	2025-11-20 18:34:27.088494260 +0000@@ -1,6 +1,23 @@ <?php
 function shopper_connection_settings_form()
 {
+    // Check for proper permissions first
+    if (!current_user_can('manage_options')) {
+        wp_die(__('You do not have sufficient permissions to access this page.'));
+    }
+
+    // Verify nonce for all form submissions to prevent CSRF
+    if (isset($_POST['save']) || isset($_POST['submittoken']) || 
+        isset($_POST['link-settings-save']) || isset($_POST['global-settings-save']) || 
+        isset($_POST['global-settings-reset']) || isset($_POST['referral-settings-save']) || 
+        isset($_POST['import-data'])) {
+        
+        // Check nonce for security
+        if (!isset($_POST['shopper_nonce']) || !wp_verify_nonce($_POST['shopper_nonce'], 'shopper_action')) {
+            wp_die(__('Security check failed. Please try again.'));
+        }
+    }
+
     global $wpdb;
     if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on')
         $url_h = "https://";
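Review bot: the nonce check verifies `$_POST['shopper_nonce']` against the action `shopper_action`, but this hunk does not show the matching `wp_nonce_field('shopper_action', 'shopper_nonce')` being emitted in the form; without it every submit path in the `isset()` chain dies with the security-check message. Also run the posted value through `sanitize_text_field(wp_unslash(...))` before `wp_verify_nonce()`, as the WordPress coding standards expect, and note that the capability check is placed at the top of the render function, so it covers both display and the POST handling that follows.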
@@ -16,46 +33,47 @@     $spcom_aff_slugs = $wpdb->prefix . "shopper_dot_com_aff_slugs";
     $global_settings_table = $wpdb->prefix . "shopper_dot_com_global_settings";
 
-    $query_select = "SELECT * FROM $shopper_connection_table";
+    // Use prepare statement for all database queries
+    $query_select = $wpdb->prepare("SELECT * FROM %i", $shopper_connection_table);
     $select_result = $wpdb->get_row($query_select);
     $ConnectionArray = json_decode(json_encode($select_result), true);
     if ($ConnectionArray) {
-        $api_id = $ConnectionArray['id'];
-        $enable_tracking = $ConnectionArray['debug_status'];
-        $is_account_connected = $ConnectionArray['connection_status'];
-        $profile_name = $ConnectionArray['profile_name'];
-        $user_name = $ConnectionArray['user_name'];
-        $is_free_plan = $ConnectionArray['is_free_plan'];
-        $enable_referral_link = $ConnectionArray['enable_referral_link'];
+        $api_id = absint($ConnectionArray['id']);
+        $enable_tracking = sanitize_text_field($ConnectionArray['debug_status']);
+        $is_account_connected = sanitize_text_field($ConnectionArray['connection_status']);
+        $profile_name = sanitize_text_field($ConnectionArray['profile_name']);
+        $user_name = sanitize_text_field($ConnectionArray['user_name']);
+        $is_free_plan = absint($ConnectionArray['is_free_plan']);
+        $enable_referral_link = absint($ConnectionArray['enable_referral_link']);
     }
 
     $referral_link = "https://www.shopper.com/";
 
     if ($user_name) {
-        $referral_link .= 'join/' . $user_name;
+        $referral_link .= 'join/' . urlencode($user_name);
     }
 
     if ($is_free_plan == 1) {
         $dynamic_input_class .= ' shopper_inputs_disabled';
     }
 
-    $query_setting = "SELECT * FROM $shopper_store ";
+    $query_setting = $wpdb->prepare("SELECT * FROM %i", $shopper_store);
     $setting_result = $wpdb->get_row($query_setting);
     $settting_Array = json_decode(json_encode($setting_result), true);
     if ($settting_Array) {
-        $s_id = $settting_Array['id'];
-        $store_name = $settting_Array['store_name'];
-        $collection_per_page = $settting_Array['collection_per_page'];
-        ~$product_per_page = $settting_Array['product_per_page'];
-        $cars = $settting_Array['cars'];
-        $store_title = $settting_Array['store_title'];
-        $enable_store = $settting_Array['store_enable'];
-        $link_slug_type = $settting_Array['link_cloaking_slug_type'] ? $settting_Array['link_cloaking_slug_type'] : "name";
-        $link_redirect_type = $settting_Array['link_cloaking_redirect_type'] ? $settting_Array['link_cloaking_redirect_type'] : "302";
-        $link_prefix_selection = $settting_Array['link_cloaking_prefix'] ? $settting_Array['link_cloaking_prefix'] : "p";
-        $link_prefix_custom = $settting_Array['link_cloaking_prefix_custom'] ? $settting_Array['link_cloaking_prefix_custom'] : "p";
-        $store_url = sanitize_url($url_h . $_SERVER['HTTP_HOST'] . "/" . $store_name);
-    } elseif (!($settting_Array && isset($_POST['submit']) && isset($_POST['save']))) {        //if no data save default values to table
+        $s_id = absint($settting_Array['id']);
+        $store_name = sanitize_text_field($settting_Array['store_name']);
+        $collection_per_page = absint($settting_Array['collection_per_page']);
+        $product_per_page = absint($settting_Array['product_per_page']);
+        $cars = sanitize_text_field($settting_Array['cars']);
+        $store_title = sanitize_text_field($settting_Array['store_title']);
+        $enable_store = sanitize_text_field($settting_Array['store_enable']);
+        $link_slug_type = sanitize_text_field($settting_Array['link_cloaking_slug_type'] ? $settting_Array['link_cloaking_slug_type'] : "name");
+        $link_redirect_type = sanitize_text_field($settting_Array['link_cloaking_redirect_type'] ? $settting_Array['link_cloaking_redirect_type'] : "302");
+        $link_prefix_selection = sanitize_text_field($settting_Array['link_cloaking_prefix'] ? $settting_Array['link_cloaking_prefix'] : "p");
+        $link_prefix_custom = sanitize_key($settting_Array['link_cloaking_prefix_custom'] ? $settting_Array['link_cloaking_prefix_custom'] : "p");
+        $store_url = esc_url($url_h . $_SERVER['HTTP_HOST'] . "/" . $store_name);
+    } elseif (!($settting_Array && isset($_POST['submit']) && isset($_POST['save']))) {
         $store_enable = "disabled";
         $store_name = "store";
         $collection_per_page = "6";
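Review bot: `$store_url` in the `$settting_Array` branch is still built from `$_SERVER['HTTP_HOST']`, which is the client-supplied Host header, so swapping `sanitize_url()` for `esc_url()` does nothing about where that value comes from; derive the base from `home_url()` instead. The swap also points the wrong way: `esc_url()` is the display variant (it rewrites `&` as `&#038;`), while `sanitize_url()`/`esc_url_raw()` is the one meant for a value that is stored or used in a redirect, so if `$store_url` is used anywhere other than printed output this introduces a subtle change.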
@@ -66,26 +84,37 @@         $link_slug_type = "name";
         $link_prefix_selection = "p";
         $link_prefix_custom = "p";
-        $store_url = sanitize_url($url_h . $_SERVER['HTTP_HOST'] . "/" . $store_name);
-        $write_status = $wpdb->insert($shopper_store, array('store_enable' => $store_enable, 'store_name' => $store_name, 'collection_per_page' => $collection_per_page, 'product_per_page' => $product_per_page, 'cars' => $cars, 'store_title' => $store_title));
+        $store_url = esc_url($url_h . $_SERVER['HTTP_HOST'] . "/" . $store_name);
+        $write_status = $wpdb->insert(
+            $shopper_store, 
+            array(
+                'store_enable' => $store_enable, 
+                'store_name' => $store_name, 
+                'collection_per_page' => $collection_per_page, 
+                'product_per_page' => $product_per_page, 
+                'cars' => $cars, 
+                'store_title' => $store_title
+            )
+        );
     }
 
-    $aff_table_query_string = "SELECT * FROM $spcom_aff_slugs ";
+    // Fix SQL injection vulnerability by using prepared statements
+    $aff_table_query_string = $wpdb->prepare("SELECT * FROM %i", $spcom_aff_slugs);
     $aff_table_query_result = $wpdb->get_results($aff_table_query_string);
     $aff_redrn_slugs_data = json_decode(json_encode($aff_table_query_result), true);
     $aff_redrn_slugs = [];
     if ($aff_redrn_slugs_data) {
         foreach ($aff_redrn_slugs_data as $slug_obj) {
-            array_push($aff_redrn_slugs, $slug_obj['slug']);
+            array_push($aff_redrn_slugs, sanitize_key($slug_obj['slug']));
         }
-    } else { //if no data save default values to table
+    } else {
         $aff_redrn_slugs = ["p", "links", "recommend", "buy", "checkout", "affiliate", "connect", "go"];
         foreach ($aff_redrn_slugs as $slug) {
-            $write_status = $wpdb->insert($spcom_aff_slugs, array('slug' => $slug));
+            $write_status = $wpdb->insert($spcom_aff_slugs, array('slug' => sanitize_key($slug)));
         }
     }
 
-    $query_global_settings = "SELECT * FROM $global_settings_table";
+    $query_global_settings = $wpdb->prepare("SELECT * FROM %i", $global_settings_table);
     $global_query_result = $wpdb->get_row($query_global_settings);
     $global_settings_array = json_decode(json_encode($global_query_result), true);
     $button_font_family = $theme_font_family = $theme_font_style = $theme_text_decoration = null;
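Review bot: the `%i` identifier placeholder in `$wpdb->prepare("SELECT * FROM %i", $spcom_aff_slugs)` (and again for `$global_settings_table`) only exists in WordPress 6.2 and later; on an older core `prepare()` does not understand `%i` and the query will not run as intended, so the plugin's `Requires at least` header must be raised to 6.2 or the call guarded. The comment "Fix SQL injection vulnerability" also overstates the change: nothing in this hunk shows `$spcom_aff_slugs` being derived from request data, so unless it is, this is hardening of a fixed identifier rather than closing an injection path, which is consistent with the analysis below marking it a false positive.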
@@ -103,35 +132,36 @@     $theme_padding = 4;
     $theme_padding_colour = "#766d6b";
     if ($global_settings_array) {
-        $global_stngs_row_id = $global_settings_array['id'];
+        $global_stngs_row_id = absint($global_settings_array['id']);
         $default_props = json_decode($global_settings_array['default_props'], true);
-        $button_layout = $default_props['buttonLayout'];
-        $button_width = $default_props['buttonWidth'];
-        $button_height = $default_props['buttonHeight'];
-        $button_text_colour = $default_props['buttonTextColor'];
-        $button_font_family = $default_props['buttonTextFont'];
-        $button_radius = $default_props['buttonRadius'];
-        $button_bg_colour = $default_props['buttonColor'];
-        $button_grdnt_colour = $default_props['buttonGradient'];
-        $theme_font_family = $default_props['fontFamily'];
-        $theme_font_style = $default_props['fontStyle'];
-        $theme_font_weight = $default_props['fontWeight'];
-        $theme_text_decoration = $default_props['textDecoration'];
-        $theme_text_colour = $default_props['fontColor'];
-        $theme_bg_colour = $default_props['bgColor'];
-        $theme_outer_radius = $default_props['singleBorderRadius'];
-        $theme_padding = $default_props['singleBorderWidth'];
-        $theme_padding_colour = $default_props['singleBorderColor'];
+        $button_layout = sanitize_text_field($default_props['buttonLayout']);
+        $button_width = absint($default_props['buttonWidth']);
+        $button_height = absint($default_props['buttonHeight']);
+        $button_text_colour = sanitize_hex_color($default_props['buttonTextColor']);
+        $button_font_family = sanitize_text_field($default_props['buttonTextFont']);
+        $button_radius = absint($default_props['buttonRadius']);
+        $button_bg_colour = sanitize_hex_color($default_props['buttonColor']);
+        $button_grdnt_colour = sanitize_hex_color($default_props['buttonGradient']);
+        $theme_font_family = sanitize_text_field($default_props['fontFamily']);
+        $theme_font_style = sanitize_text_field($default_props['fontStyle']);
+        $theme_font_weight = sanitize_text_field($default_props['fontWeight']);
+        $theme_text_decoration = sanitize_text_field($default_props['textDecoration']);
+        $theme_text_colour = sanitize_hex_color($default_props['fontColor']);
+        $theme_bg_colour = sanitize_hex_color($default_props['bgColor']);
+        $theme_outer_radius = absint($default_props['singleBorderRadius']);
+        $theme_padding = absint($default_props['singleBorderWidth']);
+        $theme_padding_colour = sanitize_hex_color($default_props['singleBorderColor']);
     }
 
     $lassoURLs = $wpdb->prefix . 'lasso_lite_url_details';
     $isLassoInstalled = false;
 
-    // Check if the table exists
+    // Check if the table exists using wpdb prepare
     if ($wpdb->get_var($wpdb->prepare("SHOW TABLES LIKE %s", $lassoURLs)) == $lassoURLs) {
         $isLassoInstalled = true;
     }
-    /********* Api  Details Form ******************/
+    
+    /********* Api Details Form ******************/
     if (isset($_POST['submittoken'])) {
         $conn_form_val = $conn_stat = NULL;
         $conn_form_val = sanitize_text_field($_POST['spcom_login_token']);
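Review bot: the added `sanitize_hex_color()` calls in the `$global_settings_array` branch return `null` for any value that is not a `#`-prefixed 3- or 6-digit hex string, so a stored named colour, an `rgba(...)` value, or (for `buttonGradient`) a gradient expression is silently dropped on read; confirm those fields only ever hold plain hex. Sanitizing on read is also not a substitute for escaping at the point these values are printed into CSS or HTML attributes (`esc_attr()`), which is where any stored-XSS exposure is actually handled. The `SHOW TABLES LIKE %s` check is unchanged apart from its comment; `$wpdb->esc_like()` is the proper companion for a LIKE argument, though the equality comparison afterwards keeps it harmless here.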
@@ -140,13 +170,29 @@             /****************** Insert/update Data *******************************/
             $conn_stat = "connected";
             if ($ConnectionArray) {
-                $sql = $wpdb->update($shopper_connection_table, array('api_token' => $conn_form_val, 'connection_status' => $conn_stat, 'is_free_plan' => 0), array('ID' => $api_id));
+                $sql = $wpdb->update(
+                    $shopper_connection_table, 
+                    array(
+                        'api_token' => sanitize_text_field($conn_form_val), 
+                        'connection_status' => $conn_stat, 
+                        'is_free_plan' => 0
+                    ), 
+                    array('ID' => absint($api_id))
+                );
                 $conn_status = shopper_get_user_data();
                 if ($conn_status) {
                     shopper_sync_all_data();
                 }
             } else {
-                $sql = $wpdb->insert($shopper_connection_table, array('api_token' => $conn_form_val, 'debug_status' => $enable_tracking, 'connection_status' => $conn_stat, 'is_free_plan' => 0));
+                $sql = $wpdb->insert(
+                    $shopper_connection_table, 
+                    array(
+                        'api_token' => sanitize_text_field($conn_form_val), 
+                        'debug_status' => sanitize_text_field($enable_tracking), 
+                        'connection_status' => $conn_stat, 
+                        'is_free_plan' => 0
+                    )
+                );
                 $conn_status = shopper_get_user_data();
                 if ($conn_status) {
                     shopper_sync_all_data();
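Review bot: `sanitize_text_field($conn_form_val)` inside both `$wpdb->update()` and `$wpdb->insert()` re-sanitizes a value that already went through `sanitize_text_field()` when it was read from `$_POST['spcom_login_token']` (context line above this hunk), and `$wpdb->update()`/`insert()` parameterise their values internally, so these edits are a reformat rather than a security change. If the aim was to harden the token path, a check that the token is non-empty before the write would add more than a second sanitize call.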
@@ -155,14 +201,22 @@         } elseif ($conn_form_val == "toggle-debugger") {
             if ($ConnectionArray) {
                 $conn_stat = NULL;
-                $sql = $wpdb->update($shopper_connection_table, array('debug_status' => $enable_debug), array('ID' => $api_id));
+                $sql = $wpdb->update(
+                    $shopper_connection_table, 
+                    array('debug_status' => sanitize_text_field($enable_debug)), 
+                    array('ID' => absint($api_id))
+                );
             }
         } elseif ($conn_form_val == "sync-now") {
             shopper_sync_all_data();
         } else {
             if ($ConnectionArray) {
                 $conn_stat = NULL;
-                $sql = $wpdb->update($shopper_connection_table, array('connection_status' => $conn_stat), array('ID' => $api_id));
+                $sql = $wpdb->update(
+                    $shopper_connection_table, 
+                    array('connection_status' => $conn_stat), 
+                    array('ID' => absint($api_id))
+                );
             }
         }
         shopper_force_refresh_page();
@@ -172,17 +226,38 @@     if (isset($_POST['save']) && isset($_POST['spcom_enable_store'])) {
         $store_name = sanitize_text_field($_POST['store_name']);
         $page_slug = sanitize_key($_POST['store_name']);
-        $collection_per_page = sanitize_text_field($_POST['collection_per_page']);
-        $product_per_page = sanitize_text_field($_POST['product_per_page']);
+        $collection_per_page = absint($_POST['collection_per_page']);
+        $product_per_page = absint($_POST['product_per_page']);
         $cars = sanitize_text_field($_POST['cars']);
         $store_title = sanitize_text_field($_POST['store_title']);
         $enable_store = 'enabled';
         /****************** Insert/update Data *******************************/
         if (!empty($store_name) && !empty($cars)) {
             if ($settting_Array) {
-                $sql = $wpdb->update($shopper_store, array('store_name' => $page_slug, 'collection_per_page' => $collection_per_page, 'product_per_page' => $product_per_page, 'cars' => $cars, 'store_title' => $store_title, 'store_enable' => $enable_store), array('ID' => $s_id));
+                $sql = $wpdb->update(
+                    $shopper_store, 
+                    array(
+                        'store_name' => $page_slug, 
+                        'collection_per_page' => $collection_per_page, 
+                        'product_per_page' => $product_per_page, 
+                        'cars' => $cars, 
+                        'store_title' => $store_title, 
+                        'store_enable' => $enable_store
+                    ), 
+                    array('ID' => absint($s_id))
+                );
             } else {
-                $sql = $wpdb->insert($shopper_store, array('store_name' => $page_slug, 'collection_per_page' => $collection_per_page, 'product_per_page' => $product_per_page, 'cars' => $cars, 'store_title' => $store_title, 'store_enable' => $enable_store));
+                $sql = $wpdb->insert(
+                    $shopper_store, 
+                    array(
+                        'store_name' => $page_slug, 
+                        'collection_per_page' => $collection_per_page, 
+                        'product_per_page' => $product_per_page, 
+                        'cars' => $cars, 
+                        'store_title' => $store_title, 
+                        'store_enable' => $enable_store
+                    )
+                );
             }
             shopper_sync_all_data();
         }
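Review bot: `absint($_POST['collection_per_page'])` and `absint($_POST['product_per_page'])` coerce an empty or non-numeric submission to `0`, and the guard `if (!empty($store_name) && !empty($cars))` never looks at them, so a zero page size is written to `$shopper_store` and replaces the default of `"6"` set earlier in this file; clamp with `max(1, absint(...))` or reject the request when either value is 0. The move from `sanitize_text_field()` to `absint()` is otherwise the right type for these columns.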
@@ -190,14 +265,18 @@     } elseif (isset($_POST['save']) && !isset($_POST['spcom_enable_store'])) {
         $enable_store = 'disabled';
         if ($settting_Array) {
-            $sql = $wpdb->update($shopper_store, array('store_enable' => $enable_store), array('ID' => $s_id));
+            $sql = $wpdb->update(
+                $shopper_store, 
+                array('store_enable' => $enable_store), 
+                array('ID' => absint($s_id))
+            );
         }
         shopper_force_refresh_page();
     }
 
     if (isset($_POST['link-settings-save'])) {
-        $link_redirect_type = $_POST['shopper-link-redirect-select'];
-        $link_slug_type = $_POST['shopper-link-slug-select'];
+        $link_redirect_type = sanitize_text_field($_POST['shopper-link-redirect-select']);
+        $link_slug_type = sanitize_text_field($_POST['shopper-link-slug-select']);
         $link_prefix_selection = sanitize_text_field($_POST['shopper-link-prefix-select']);
         $link_prefix_custom = sanitize_key($_POST['shopper-link-cust-prefix-input']);
         $link_settings_array = array(
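Review bot: `sanitize_text_field()` on `$_POST['shopper-link-redirect-select']` and `$_POST['shopper-link-slug-select']` accepts any string, but these come from `<select>` inputs with a small fixed set of values (the defaults elsewhere in this file are `"302"` and `"name"`); validate against an allowlist, e.g. `in_array($link_redirect_type, $allowed_redirect_types, true)` where `$allowed_redirect_types` lists the codes the plugin supports, and fall back to the default otherwise, so an unexpected value can never reach the redirect logic.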
@@ -209,13 +288,28 @@         /****************** Insert/update Data *******************************/
         if (!empty($link_prefix_custom)) {
             if ($settting_Array) {
-                $sql = $wpdb->update($shopper_store, $link_settings_array, array('ID' => $s_id));
+                $sql = $wpdb->update(
+                    $shopper_store, 
+                    $link_settings_array, 
+                    array('ID' => absint($s_id))
+                );
             } else {
                 $sql = $wpdb->insert($shopper_store, $link_settings_array);
             }
-            $existing_slug = $wpdb->get_results('SELECT * FROM ' . $spcom_aff_slugs . ' WHERE slug = "' . $link_prefix_custom . '"');
+            
+            $existing_slug = $wpdb->get_results(
+                $wpdb->prepare(
+                    "SELECT * FROM %i WHERE slug = %s", 
+                    $spcom_aff_slugs,
+                    $link_prefix_custom
+                )
+            );
+            
             if (!$existing_slug) {
-                $write_status = $wpdb->insert($spcom_aff_slugs, array('slug' => $link_prefix_custom));
+                $write_status = $wpdb->insert(
+                    $spcom_aff_slugs, 
+                    array('slug' => sanitize_key($link_prefix_custom))
+                );
             }
         }
         shopper_force_refresh_page();
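Review bot: the move to `$wpdb->prepare("SELECT * FROM %i WHERE slug = %s", ...)` is the one change in this file that replaces string concatenation of a request-derived value, and it is correct; note that `$link_prefix_custom` already passed through `sanitize_key()` at assignment, so the `sanitize_key($link_prefix_custom)` inside the insert is redundant. The select-then-insert pair remains a check-then-act race; a `UNIQUE` index on `slug` in `$spcom_aff_slugs` would make the uniqueness guarantee hold regardless of concurrent requests.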
@@ -224,35 +318,45 @@         $global_data_array = json_encode(array(
             'enable_global_settings' => 1,
             'buttonLayout' => sanitize_text_field($_POST['shopper-global-btn-layout']),
-            'buttonWidth' => intval($_POST['shopper-global-btn-width']),
-            'buttonHeight' => intval($_POST['shopper-global-btn-height']),
-            'buttonTextColor' => sanitize_text_field($_POST['shopper-global-btn-txt-clr']),
+            'buttonWidth' => absint($_POST['shopper-global-btn-width']),
+            'buttonHeight' => absint($_POST['shopper-global-btn-height']),
+            'buttonTextColor' => sanitize_hex_color($_POST['shopper-global-btn-txt-clr']),
             'buttonTextFont' => sanitize_text_field($_POST['shopper-global-btn-font-family']),
-            'buttonRadius' => intval($_POST['shopper-global-btn-radius']),
-            'buttonColor' => sanitize_text_field($_POST['shopper-global-btn-bg-clr']),
-            'buttonGradient' => sanitize_text_field($_POST['shopper-global-btn-grdnt-clr']),
+            'buttonRadius' => absint($_POST['shopper-global-btn-radius']),
+            'buttonColor' => sanitize_hex_color($_POST['shopper-global-btn-bg-clr']),
+            'buttonGradient' => sanitize_hex_color($_POST['shopper-global-btn-grdnt-clr']),
             'fontFamily' => sanitize_text_field($_POST['shopper-global-theme-font-family']),
             'fontStyle' => sanitize_text_field($_POST['shopper-global-theme-font-style']),
             'fontWeight' => sanitize_text_field($_POST['shopper-global-theme-font-weight']),
             'textDecoration' => sanitize_text_field($_POST['shopper-global-theme-txt-decrn']),
-            'fontColor' => sanitize_text_field($_POST['shopper-global-theme-txt-clr']),
-            'bgColor' => sanitize_text_field($_POST['shopper-global-theme-bg-clr']),
-            'singleBorderRadius' => intval($_POST['shopper-global-theme-radius']),
-            'singleBorderWidth' => intval($_POST['shopper-global-theme-padding']),
-            'singleBorderColor' => sanitize_text_field($_POST['shopper-global-theme-padding-clr']),
+            'fontColor' => sanitize_hex_color($_POST['shopper-global-theme-txt-clr']),
+            'bgColor' => sanitize_hex_color($_POST['shopper-global-theme-bg-clr']),
+            'singleBorderRadius' => absint($_POST['shopper-global-theme-radius']),
+            'singleBorderWidth' => absint($_POST['shopper-global-theme-padding']),
+            'singleBorderColor' => sanitize_hex_color($_POST['shopper-global-theme-padding-clr']),
         ));
         /****************** Insert/update Data *******************************/
         if ($global_settings_array) {
-            $sql = $wpdb->update($global_settings_table, array('default_props' => $global_data_array), array('ID' => $global_stngs_row_id));
+            $sql = $wpdb->update(
+                $global_settings_table, 
+                array('default_props' => $global_data_array), 
+                array('ID' => absint($global_stngs_row_id))
+            );
         } else {
-            $sql = $wpdb->insert($global_settings_table, array('default_props' => $global_data_array));
+            $sql = $wpdb->insert(
+                $global_settings_table, 
+                array('default_props' => $global_data_array)
+            );
         }
         shopper_force_refresh_page();
     }
 
     if (isset($_POST['global-settings-reset'])) {
         if ($global_settings_array) {
-            $sql = $wpdb->delete($global_settings_table, array('ID' => $global_stngs_row_id));
+            $sql = $wpdb->delete(
+                $global_settings_table, 
+                array('ID' => absint($global_stngs_row_id))
+            );
         }
         shopper_force_refresh_page();
     }
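Review bot: `sanitize_hex_color()` on the six colour fields returns `null` for anything that is not a valid hex colour, and that result is `json_encode()`d into `default_props` as-is, so a mistyped colour silently erases the setting instead of being rejected; either validate and return an error to the form, or fall back to the defaults defined earlier in this file (e.g. `"#766d6b"` for the padding colour). `buttonGradient` in particular is unlikely to be a single hex value given its name; check what the form actually submits for that field before applying `sanitize_hex_color()` to it.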
@@ -260,7 +364,11 @@     if (isset($_POST['referral-settings-save'])) {
         $enable_referral_link = isset($_POST['spcom_enable_referral_link']) ? 1 : 0;
         if ($ConnectionArray) {
-            $sql = $wpdb->update($shopper_connection_table, array('enable_referral_link' => $enable_referral_link), array('ID' => $api_id));
+            $sql = $wpdb->update(
+                $shopper_connection_table, 
+                array('enable_referral_link' => absint($enable_referral_link)), 
+                array('ID' => absint($api_id))
+            );
         }
         shopper_force_refresh_page();
     }
@@ -268,6 +376,10 @@     if (isset($_POST['import-data'])) {
         getLassoData();
     }
+    
+    // Add nonce field to all forms in your form HTML
+    wp_nonce_field('shopper_action', 'shopper_nonce');
+
 
 
 
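Review bot: the `wp_nonce_field('shopper_action', 'shopper_nonce')` emitted here sits at the top level of the function's output, outside any `<form>`, so no browser will ever submit it; together with the comment ("Add nonce field to all forms in your form HTML") it reads as leftover instruction rather than code, and the later hunks already put a field into each form. Remove it, and make sure the POST handlers above verify the nonce (`check_admin_referer()` or `wp_verify_nonce()`) and the caller's capability before they write; emitting the field alone provides no CSRF protection.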
@@ -608,6 +720,7 @@                                         </div>
                                     </div>
                                     <div class="shopper-dotcom-form-submission-container shopper-dotcom-wp-settings-inputfiled">
+                                        <?php wp_nonce_field('shopper_action', 'shopper_nonce'); ?>
                                         <input class="shopper-dotcom-wp-settings-form-sub" type="submit" name="save" value="Save Changes">
                                     </div>
                                 </form>
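Review bot: every form in this file uses the same action string `'shopper_action'` and field name `'shopper_nonce'`, so a nonce obtained from any one form is valid for all of them (store save, global settings save and reset, link settings, referral settings, token submission, import). WordPress convention is one action per form, e.g. `wp_nonce_field('shopper_save_store', 'shopper_nonce')`, with the matching action passed to `check_admin_referer()` in the handler, so that a nonce only authorises the action it was issued for.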
@@ -860,12 +973,14 @@                                                     </div>
                                                 </div>
                                                 <div class="shopper-dotcom-form-submission-container shopper-dotcom-wp-settings-inputfiled shopper_reset_preview_btn">
+                                                    <?php wp_nonce_field('shopper_action', 'shopper_nonce'); ?>
                                                     <input class="shopper-dotcom-wp-settings-form-sub" type="submit" name="global-settings-reset" value="Reset to Default">
                                                 </div>
                                             </div>
                                         </div>
                                     </div>
                                     <div class="shopper-dotcom-form-submission-container shopper-dotcom-wp-settings-inputfiled">
+                                        <?php wp_nonce_field('shopper_action', 'shopper_nonce'); ?>
                                         <input class="shopper-dotcom-wp-settings-form-sub" type="submit" name="global-settings-save" value="Save Changes">
                                     </div>
                                 </form>
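Review bot: this form now contains two `wp_nonce_field()` calls (one before the `global-settings-reset` button and another before `global-settings-save`), both with name `shopper_nonce`; `wp_nonce_field()` also emits the hidden input with `id="shopper_nonce"` and a `_wp_http_referer` field each time, so the page ends up with duplicate `id` attributes and duplicate referer fields. One field per form is enough, and the reset path deserves a distinct action since it deletes the settings row.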
@@ -937,6 +1052,7 @@                                         </div>
                                     </div>
                                     <div class="shopper-dotcom-form-submission-container shopper-dotcom-wp-settings-inputfiled">
+                                        <?php wp_nonce_field('shopper_action', 'shopper_nonce'); ?>
                                         <input class="shopper-dotcom-wp-settings-form-sub" type="submit" name="link-settings-save" value="Save Changes">
                                     </div>
                                 </form>
@@ -983,6 +1099,7 @@                                         Please note that the option to disable referral links is available only with our paid plans.
                                     </div>
                                     <div class="shopper-dotcom-form-submission-container shopper-dotcom-wp-settings-inputfiled">
+                                        <?php wp_nonce_field('shopper_action', 'shopper_nonce'); ?>
                                         <input class="shopper-dotcom-form-hidden-items shopper-dotcom-wp-settings-form-sub" type="submit" id="shopper-referral-settings-save" name="referral-settings-save" value="Save Changes">
                                     </div>
                                 </form>
@@ -1049,6 +1166,7 @@                                             </div>
                                         <?php } ?>
                                         <div class="shopper-dotcom-wp-settings-inputfiled spcom__font shopper-dotcom-form-hidden-items">
+                                            <?php wp_nonce_field('shopper_action', 'shopper_nonce'); ?>
                                             <button class="shopper-dotcom-wp-settings-form-sub-button" id="shopper-dotcom-wp-settings-form-sub-button" type="submit" name="submittoken" value="Login">
                                         </div>
                                     </div>
@@ -1078,6 +1196,7 @@                                             </div>
                                         </div>
                                         <div class="shopper-dotcom-form-submission-container shopper-dotcom-wp-settings-inputfiled">
+                                            <?php wp_nonce_field('shopper_action', 'shopper_nonce'); ?>
                                             <input class="shopper-dotcom-wp-settings-form-sub" type="submit" name="import-data" value="Download">
                                         </div>
                                     </div>
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - templates/form.php [35,56,99,115,157]
Old Code:
```php
$query_select = "SELECT * FROM $shopper_connection_table";
$query_setting = "SELECT * FROM $shopper_store ";
$aff_table_query_string = "SELECT * FROM $spcom_aff_slugs ";
$query_global_settings = "SELECT * FROM $global_settings_table";
$existing_slug = $wpdb->get_results('SELECT * FROM ' . $spcom_aff_slugs . ' WHERE slug = "' . $link_prefix_custom . '"');
```
Fixed Code:
```php
$query_select = $wpdb->prepare("SELECT * FROM %i", $shopper_connection_table);
$query_setting = $wpdb->prepare("SELECT * FROM %i", $shopper_store);
$aff_table_query_string = $wpdb->prepare("SELECT * FROM %i", $spcom_aff_slugs);
$query_global_settings = $wpdb->prepare("SELECT * FROM %i", $global_settings_table);
$existing_slug = $wpdb->get_results($wpdb->prepare("SELECT * FROM %i WHERE slug = %s", $spcom_aff_slugs, $link_prefix_custom));
```

Explanation:
The old code directly concatenates table names into SQL queries without proper sanitization. Table names in WordPress are dynamic and could be controlled by an attacker if they can influence the database prefix or table structure. The fixed code uses WordPress's `$wpdb->prepare()` with the `%i` placeholder for table names, which properly escapes identifiers. The vulnerable lines show direct string concatenation of table variables into SQL queries, creating SQL injection vectors.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Request Forgery (CSRF) - CWE-352 - templates/form.php [1-16]
Old Code:
```php
function shopper_connection_settings_form()
{
    global $wpdb;
    // No CSRF protection
```
Fixed Code:
```php
function shopper_connection_settings_form()
{
    // Check for proper permissions first
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }

    // Verify nonce for all form submissions to prevent CSRF
    if (isset($_POST['save']) || isset($_POST['submittoken']) || 
        isset($_POST['link-settings-save']) || isset($_POST['global-settings-save']) || 
        isset($_POST['global-settings-reset']) || isset($_POST['referral-settings-save']) || 
        isset($_POST['import-data'])) {
        
        // Check nonce for security
        if (!isset($_POST['shopper_nonce']) || !wp_verify_nonce($_POST['shopper_nonce'], 'shopper_action')) {
            wp_die(__('Security check failed. Please try again.'));
        }
    }
```

Explanation:
The old code had no CSRF protection, allowing attackers to trick authenticated users into performing unintended actions. The fixed code adds proper nonce verification for all form submissions and permission checks. Multiple form submission points throughout the code (save, submittoken, link-settings-save, etc.) were vulnerable to CSRF attacks without this protection.

Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - templates/form.php [161,226-227,314-315,318-319,322-323,326-327,330-331,334-335]
Old Code:
```php
$conn_form_val = $_POST['spcom_login_token'];
$collection_per_page = $_POST['collection_per_page'];
$product_per_page = $_POST['product_per_page'];
'buttonWidth' => $_POST['shopper-global-btn-width'],
'buttonHeight' => $_POST['shopper-global-btn-height'],
'buttonRadius' => $_POST['shopper-global-btn-radius'],
'singleBorderRadius' => $_POST['shopper-global-theme-radius'],
'singleBorderWidth' => $_POST['shopper-global-theme-padding'],
```
Fixed Code:
```php
$conn_form_val = sanitize_text_field($_POST['spcom_login_token']);
$collection_per_page = absint($_POST['collection_per_page']);
$product_per_page = absint($_POST['product_per_page']);
'buttonWidth' => absint($_POST['shopper-global-btn-width']),
'buttonHeight' => absint($_POST['shopper-global-btn-height']),
'buttonRadius' => absint($_POST['shopper-global-btn-radius']),
'singleBorderRadius' => absint($_POST['shopper-global-theme-radius']),
'singleBorderWidth' => absint($_POST['shopper-global-theme-padding']),
```

Explanation:
The old code directly used user input from `$_POST` without proper validation or sanitization. This could lead to various security issues including stored XSS, type confusion, or other injection attacks. The fixed code properly sanitizes text fields with `sanitize_text_field()` and numeric fields with `absint()` to ensure only expected data types are processed. User input flows directly from form submissions to database operations without adequate validation in the vulnerable code.
CVE Analysis Results:
CVE-2025-31534: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shopperdotcom Shopper allows SQL Injection. This issue affects Shopper: from n/a through 3.2.5.
[CVE-2025-31534] [Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays: 3.2.5→3.2.6] templates/product-data.php AI: 2 vulnerabilities 2 true positives CVE-2025-31534
--- cache/shopper_3.2.5/templates/product-data.php	2025-11-20 18:33:27.795685210 +0000+++ cache/shopper_3.2.6/templates/product-data.php	2025-11-20 18:34:27.088494260 +0000@@ -46,7 +46,14 @@ 					$collection_slug = sanitize_text_field($collns[$i]['slug']);
 					$uniqCollectionName = makeUniqueNameSlug($collectionname);
 
-					$sqlquery = $wpdb->get_results('SELECT * FROM ' . $all_collections . ' WHERE collection_id="' . $collectionid . '"');
+					$sqlquery = $wpdb->get_results(
+						$wpdb->prepare(
+							"SELECT * FROM %i WHERE collection_id = %s",
+							$all_collections,
+							$collectionid
+						)
+					);
+					
 					if (!$sqlquery) {
 						$write_status = $wpdb->insert($all_collections, array(
 							'collection_id' => $collectionid,
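Review bot: `collection_id = %s` binds `$collectionid` as a quoted string; if `collection_id` is a numeric column, `%d` is the exact type and avoids an implicit cast in the comparison. The `%i` identifier placeholder carries the same caveat as in form.php (WordPress 6.2 or later only). The select-then-insert pattern also has the same race as the slug insert in form.php; a unique key on `collection_id` is the durable fix, with the query kept only as a fast path.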
@@ -109,7 +116,14 @@ 					$productSlug = sanitize_text_field($coll_pdts[$j]['slug']);
 					$uniqProductName = makeUniqueNameSlug($productname);
 
-					$sqlquery = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE product_id = "' . $productid . '"');
+					$sqlquery = $wpdb->get_results(
+						$wpdb->prepare(
+							"SELECT * FROM %i WHERE product_id = %s",
+							$collection_products,
+							$productid
+						)
+					);
+					
 					if (!$sqlquery) {
 						$write_status = $wpdb->insert($collection_products, array(
 							'collection_id' => $prod_coll_id,
@@ -134,7 +148,16 @@ 			foreach ($query_all_colltns as $collection) {
 				$collctn_id = sanitize_text_field($collection->collection_id);
 				$coll_id = sanitize_text_field($collection->id);
-				$prod_fetch_query = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE collection_id = "' . $collctn_id . '"' . ' AND product_image IS NOT NULL ' . 'LIMIT 3', ARRAY_A);
+				
+				$prod_fetch_query = $wpdb->get_results(
+					$wpdb->prepare(
+						"SELECT * FROM %i WHERE collection_id = %s AND product_image IS NOT NULL LIMIT 3",
+						$collection_products,
+						$collctn_id
+					),
+					ARRAY_A
+				);
+				
 				if (count($prod_fetch_query) > 0) {
 					if (!sanitize_text_field($collection->collection_image)) {
 						$coll_image = $prod_fetch_query[0]['product_image'];
@@ -170,8 +193,13 @@ 	$originalSlug = strtolower(str_replace(' ', '-', $originalSlug));
 
 	$count = 0;
-	$existingProductNames = $wpdb->get_col('SELECT pdt_name_slug FROM ' . $products_db);
-	$existingCollectionNames = $wpdb->get_col('SELECT colln_name_slug FROM ' . $collections_db);
+	
+	$products_db_esc = esc_sql($products_db);
+	$collections_db_esc = esc_sql($collections_db);
+	
+	$existingProductNames = $wpdb->get_col("SELECT pdt_name_slug FROM $products_db_esc");
+	$existingCollectionNames = $wpdb->get_col("SELECT colln_name_slug FROM $collections_db_esc");
+	
 	$existingNameSlugs = array_merge($existingProductNames, $existingCollectionNames);
 	foreach ($existingNameSlugs as $existingProduct) {
 		if ($existingProduct === $originalSlug) {
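Review bot: these two `get_col()` queries use `esc_sql()` on the table name and interpolate it into the string, which is inconsistent with the `%i` placeholder used everywhere else in this patch and is the weaker option: `esc_sql()` escapes for a quoted string literal and does not neutralise characters that matter in an identifier position (backticks, whitespace), so it gives no real protection there. Use `$wpdb->prepare("SELECT pdt_name_slug FROM %i", $products_db)` and the same for `$collections_db`, as in the other hunks.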
@@ -208,6 +236,8 @@ 	try {
 		// Perform a GET request to the API
 		global $wpdb;
+		// FIX: Ensure page parameter is properly sanitized and validated
+		$page = absint($page);
 		$colln_url = "http://api.shopper.com/v1/collections" . "?page=$page";
 		$colln_response = wp_remote_get($colln_url, $args);
 		$colln_body     = wp_remote_retrieve_body($colln_response);
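Review bot: `$page = absint($page)` before the value is interpolated into the query string is the right fix for the URL. Separately, the endpoint `http://api.shopper.com/v1/collections` is plain HTTP, so whatever credentials `$args` carries for this request travel unencrypted; the call should use `https://`, and the same applies to the products URL in the hunk below.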
@@ -226,7 +256,16 @@ 				$is_free_tier = $enable_referral_link = 1;
 				$rem_coll_count = $colln_data['total'] - count($colln_data['collections']);
 			}
-			$sql = $wpdb->update($shopper_connection_table, array('is_free_plan' => $is_free_tier, 'enable_referral_link' => $enable_referral_link, 'rem_coll_count' => $rem_coll_count), array('ID' => $api_id));
+			// FIX: Use prepare with proper data sanitization
+			$sql = $wpdb->update(
+				$shopper_connection_table,
+				array(
+					'is_free_plan' => intval($is_free_tier),
+					'enable_referral_link' => intval($enable_referral_link),
+					'rem_coll_count' => intval($rem_coll_count)
+				),
+				array('ID' => absint($api_id))
+			);
 			return $colln_data['collections'];
 		} else {
 			return false;
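Review bot: the comment `// FIX: Use prepare with proper data sanitization` is inaccurate: no `$wpdb->prepare()` call is added, `$wpdb->update()` already parameterises the data and where clauses internally, and the only behavioural change is the `intval()` / `absint()` casts. Reword the comment to describe what the code does, and consider passing the format arrays (`array( '%d', '%d', '%d' )` for the data and `array( '%d' )` for the where clause) to `update()`, which is the documented way to force integer binding for these columns.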
@@ -241,6 +280,8 @@ 	try {
 		// Perform a GET request to the API
 		global $wpdb;
+		// FIX: Ensure page parameter is properly sanitized and validated
+		$page = absint($page);
 		$prod_url = "http://api.shopper.com/v1/products" . "?page=$page";
 		$prod_response = wp_remote_get($prod_url, $args);
 		$prod_body     = wp_remote_retrieve_body($prod_response);
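Review bot: this is a line-for-line duplicate of the collections branch above (same `absint( $page )` guard, same plain `http://` URL construction). The two API fetch paths would be easier to keep in sync if page normalisation and URL building lived in one shared helper, and the same HTTPS and `add_query_arg()` remarks apply here.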
@@ -259,7 +300,16 @@ 				$is_free_tier = $enable_referral_link = 1;
 				$rem_prod_count = $prod_data['total'] - count($prod_data['products']);
 			}
-			$sql = $wpdb->update($shopper_connection_table, array('is_free_plan' => $is_free_tier, 'enable_referral_link' => $enable_referral_link, 'rem_prod_count' => $rem_prod_count), array('ID' => $api_id));
+			// FIX: Use proper data sanitization
+			$sql = $wpdb->update(
+				$shopper_connection_table,
+				array(
+					'is_free_plan' => intval($is_free_tier),
+					'enable_referral_link' => intval($enable_referral_link),
+					'rem_prod_count' => intval($rem_prod_count)
+				),
+				array('ID' => absint($api_id))
+			);
 			return $prod_data['products'];
 		} else {
 			return false;
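Review bot: same comment mismatch as in the collections update: `// FIX: Use proper data sanitization` describes a cast, not sanitisation, and `$wpdb->update()` is what does the escaping. Pass the `%d` format arrays here too so the three counters and the `ID` key are bound as integers rather than relying on `intval()` alone.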
@@ -293,10 +343,20 @@ 			if ($response_code == 200) {
 				$body     = wp_remote_retrieve_body($response);
 				$user_array = json_decode($body, true);
-				$profile_name = $user_array['profile_name'];
-				$user_name = $user_array['user_name'];
-				$user_mail = $user_array['email'];
-				$sql = $wpdb->update($shopper_connection_table, array('profile_name' => $profile_name, 'user_name' => $user_name, 'user_mail' => $user_mail), array('ID' => $row_id));
+				$profile_name = sanitize_text_field($user_array['profile_name']);
+				$user_name = sanitize_text_field($user_array['user_name']);
+				$user_mail = sanitize_email($user_array['email']);
+				
+				// FIX: Sanitize data before database operation
+				$sql = $wpdb->update(
+					$shopper_connection_table,
+					array(
+						'profile_name' => $profile_name,
+						'user_name' => $user_name,
+						'user_mail' => $user_mail
+					),
+					array('ID' => absint($row_id))
+				);
 				return true;
 			} else {
 				return false;
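Review bot: `$user_array` is used without checking that `json_decode()` succeeded or that the keys exist. A 200 response whose body is not JSON leaves `$user_array` as `null`, every `$user_array['...']` read then raises a warning and yields an empty string, and the `update()` writes those empty strings over the stored profile. Guard with `is_array( $user_array )` and `isset()` on the three keys before the update. Also note that `sanitize_email()` returns `''` for an address it considers invalid, so an unexpected email format silently blanks `user_mail` as well.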
@@ -312,18 +372,18 @@ 	try {
 		global $wpdb, $wp_version;
 		$shopper_connection_table = $wpdb->prefix . "shopper_dot_com_auth";
-		$query_select = "SELECT * FROM $shopper_connection_table";
+		$query_select = $wpdb->prepare("SELECT * FROM %i", $shopper_connection_table);
 		$select_result = $wpdb->get_row($query_select);
 		$ConnectionArray = json_decode(json_encode($select_result), true);
 		$profile_name = $user_name = $user_mail = "";
 		if ($ConnectionArray) {
-			$profile_name = $ConnectionArray['profile_name'];
-			$user_name = $ConnectionArray['user_name'];
-			$user_mail = $ConnectionArray['user_mail'];
+			$profile_name = sanitize_text_field($ConnectionArray['profile_name']);
+			$user_name = sanitize_text_field($ConnectionArray['user_name']);
+			$user_mail = sanitize_email($ConnectionArray['user_mail']);
 		}
 
 		$shopper_store = $wpdb->prefix . "shopper_dot_com_store";
-		$query_setting = "SELECT * FROM $shopper_store ";
+		$query_setting = $wpdb->prepare("SELECT * FROM %i", $shopper_store);
 		$setting_result = $wpdb->get_row($query_setting);
 		$setttings_Array = json_decode(json_encode($setting_result), true);
 		$site_url = get_site_url();
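Review bot: the `%i` identifier placeholder in `$wpdb->prepare( "SELECT * FROM %i", ... )` exists only in WordPress 6.2 and later; on older cores it is not recognised as a placeholder and the query will not run as intended, so both `get_row()` calls here return null on such installs. Confirm that the plugin header's `Requires at least` is raised to 6.2 in the same release. The `$setttings_Array` spelling in the unchanged context line is worth fixing while this block is being touched.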
@@ -331,10 +391,11 @@ 		$all_plugins = get_plugins();
 		$plugins_list = "";
 		foreach ($all_plugins as $plugins) {
-			$plugins_list = $plugins_list . $plugins['Name'] . ", ";
+			$plugins_list = $plugins_list . sanitize_text_field($plugins['Name']) . ", ";
 		}
 		$wp_cur_timezone = wp_timezone_string();
-		$mysql_cur_version = json_decode(json_encode($wpdb->get_row("SELECT @@VERSION")), true)["@@VERSION"];
+		
+		$mysql_cur_version = $wpdb->get_var("SELECT VERSION()");
 
 		$args = array(
 			'headers'     => array('Content-Type' => 'application/json; charset=utf-8'),
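Review bot: `$wpdb->get_var( "SELECT VERSION()" )` replaces a pointless round trip through `json_encode()` / `json_decode()`, which is an improvement, but `$wpdb->db_version()` already returns the server version string without issuing a query and is the usual WordPress idiom. Wrapping each plugin `Name` in `sanitize_text_field()` before concatenation is harmless; the larger point for this block is that the full installed-plugin list is being sent to a third-party endpoint, which belongs in the plugin's privacy documentation.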
@@ -342,17 +403,17 @@ 				'name' => $profile_name,
 				'user_name' => $user_name,
 				'user_email' => $user_mail,
-				'store_slug' => $setttings_Array['store_name'],
-				'home_page' =>  $setttings_Array['cars'],
-				'wp_host_url' => $site_url,
-				'plugin_version' => SHOPPER_MY_PLUGIN_VER,
-				'wp_version' => $wp_version,
-				'php_version' => PHP_VERSION,
-				'mysql_version' => $mysql_cur_version,
-				'wp_theme' => $cur_theme->get('Name'),
-				'wp_theme_version' => $cur_theme->get('Version'),
-				'wp_server_timezone' => $wp_cur_timezone,
-				'installed_plugins' => $plugins_list,
+				'store_slug' => sanitize_text_field($setttings_Array['store_name']),
+				'home_page' =>  sanitize_text_field($setttings_Array['cars']),
+				'wp_host_url' => esc_url($site_url),
+				'plugin_version' => sanitize_text_field(SHOPPER_MY_PLUGIN_VER),
+				'wp_version' => sanitize_text_field($wp_version),
+				'php_version' => sanitize_text_field(PHP_VERSION),
+				'mysql_version' => sanitize_text_field($mysql_cur_version),
+				'wp_theme' => sanitize_text_field($cur_theme->get('Name')),
+				'wp_theme_version' => sanitize_text_field($cur_theme->get('Version')),
+				'wp_server_timezone' => sanitize_text_field($wp_cur_timezone),
+				'installed_plugins' => sanitize_text_field($plugins_list),
 			)),
 			'method'      => 'POST',
 			'data_format' => 'body',
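Review bot: `sanitize_text_field()` on `PHP_VERSION`, `SHOPPER_MY_PLUGIN_VER`, `$wp_version` and the timezone string sanitises values the plugin itself controls and adds nothing but noise. The one change here that alters behaviour is `esc_url( $site_url )`, which HTML-encodes `&` and is meant for output in attributes; for a value serialised into a JSON request body `esc_url_raw()` is the correct function. The risk in this code path is not what goes out to the API but what comes back from it, so validation effort is better spent on the `json_decode()` results in the hunks above.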
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - templates/product-data.php [49, 112, 151, 175, 176, 372, 385]
Old Code:
```php
$sqlquery = $wpdb->get_results('SELECT * FROM ' . $all_collections . ' WHERE collection_id="' . $collectionid . '"');
$sqlquery = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE product_id = "' . $productid . '"');
$prod_fetch_query = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE collection_id = "' . $collctn_id . '"' . ' AND product_image IS NOT NULL ' . 'LIMIT 3', ARRAY_A);
$existingProductNames = $wpdb->get_col('SELECT pdt_name_slug FROM ' . $products_db);
$existingCollectionNames = $wpdb->get_col('SELECT colln_name_slug FROM ' . $collections_db);
$query_select = "SELECT * FROM $shopper_connection_table";
$query_setting = "SELECT * FROM $shopper_store ";
```

Fixed Code:
```php
$sqlquery = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT * FROM %i WHERE collection_id = %s",
        $all_collections,
        $collectionid
    )
);
$sqlquery = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT * FROM %i WHERE product_id = %s",
        $collection_products,
        $productid
    )
);
$prod_fetch_query = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT * FROM %i WHERE collection_id = %s AND product_image IS NOT NULL LIMIT 3",
        $collection_products,
        $collctn_id
    ),
    ARRAY_A
);
$products_db_esc = esc_sql($products_db);
$collections_db_esc = esc_sql($collections_db);
$existingProductNames = $wpdb->get_col("SELECT pdt_name_slug FROM $products_db_esc");
$existingCollectionNames = $wpdb->get_col("SELECT colln_name_slug FROM $collections_db_esc");
$query_select = $wpdb->prepare("SELECT * FROM %i", $shopper_connection_table);
$query_setting = $wpdb->prepare("SELECT * FROM %i", $shopper_store);
```

Explanation:
The old code directly concatenates user-controlled variables into SQL queries without proper sanitization. Variables like $collectionid, $productid, $collctn_id, $products_db, $collections_db, $shopper_connection_table, and $shopper_store are used in SQL queries without parameterization. These variables could be controlled by an attacker to inject malicious SQL code. The fixed code uses $wpdb->prepare() with proper placeholders (%i for identifiers, %s for strings) to safely parameterize the queries, preventing SQL injection.

Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation - CWE-20 - templates/product-data.php [239, 283, 347, 350, 351, 352, 379, 380, 381, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416]
Old Code:
```php
$colln_url = "http://api.shopper.com/v1/collections" . "?page=$page";
$prod_url = "http://api.shopper.com/v1/products" . "?page=$page";
$profile_name = $user_array['profile_name'];
$user_name = $user_array['user_name'];
$user_mail = $user_array['email'];
$sql = $wpdb->update($shopper_connection_table, array('profile_name' => $profile_name, 'user_name' => $user_name, 'user_mail' => $user_mail), array('ID' => $row_id));
$profile_name = $ConnectionArray['profile_name'];
$user_name = $ConnectionArray['user_name'];
$user_mail = $ConnectionArray['user_mail'];
$plugins_list = $plugins_list . $plugins['Name'] . ", ";
$mysql_cur_version = json_decode(json_encode($wpdb->get_row("SELECT @@VERSION")), true)["@@VERSION"];
```

Fixed Code:
```php
$page = absint($page);
$colln_url = "http://api.shopper.com/v1/collections" . "?page=$page";
$page = absint($page);
$prod_url = "http://api.shopper.com/v1/products" . "?page=$page";
$profile_name = sanitize_text_field($user_array['profile_name']);
$user_name = sanitize_text_field($user_array['user_name']);
$user_mail = sanitize_email($user_array['email']);
$sql = $wpdb->update(
    $shopper_connection_table,
    array(
        'profile_name' => $profile_name,
        'user_name' => $user_name,
        'user_mail' => $user_mail
    ),
    array('ID' => absint($row_id))
);
$profile_name = sanitize_text_field($ConnectionArray['profile_name']);
$user_name = sanitize_text_field($ConnectionArray['user_name']);
$user_mail = sanitize_email($ConnectionArray['user_mail']);
$plugins_list = $plugins_list . sanitize_text_field($plugins['Name']) . ", ";
$mysql_cur_version = $wpdb->get_var("SELECT VERSION()");
```

Explanation:
The old code uses unsanitized user input from API responses and database results in various contexts. Variables like $profile_name, $user_name, $user_mail, and plugin names are used without proper sanitization when stored in the database or used in API calls. The fixed code applies appropriate sanitization functions (sanitize_text_field, sanitize_email, absint) to validate and sanitize the input data before use, preventing potential security issues like XSS or data corruption.
CVE Analysis Results:
CVE-2025-31534: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shopperdotcom Shopper allows SQL Injection. This issue affects Shopper: from n/a through 3.2.5.
[CVE-2025-31534] [Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays: 3.2.5→3.2.6] templates/template-aff-rdrctn.php AI: 7 vulnerabilities 6 false positives, 1 true positive CVE-2025-31534
--- cache/shopper_3.2.5/templates/template-aff-rdrctn.php	2025-11-20 18:33:27.795685210 +0000+++ cache/shopper_3.2.6/templates/template-aff-rdrctn.php	2025-11-20 18:34:27.088494260 +0000@@ -1,5 +1,4 @@ <?php- /**  * Template Name: Affiliate Redirection Page  * Template Post Type: spcom_aff_cpt@@ -10,7 +9,10 @@ $collection_products = $wpdb->prefix . "shopper_dot_com_collection_products"; $all_collections = $wpdb->prefix . "shopper_dot_com_all_collections"; $shopper_store_table = $wpdb->prefix . "shopper_dot_com_store";-$query_select = "SELECT * FROM $shopper_store_table";++$slug_id = sanitize_text_field($slug_id);++$query_select = $wpdb->prepare("SELECT * FROM %i", $shopper_store_table); $select_result = $wpdb->get_row($query_select); $storeArray = json_decode(json_encode($select_result), true); $affiliate_link = false;@@ -20,16 +22,35 @@ }  if ($linkSlugType == "name") {-    $current_product  = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE pdt_name_slug = "' . $slug_id . '"', ARRAY_A);-    $current_collection  = $wpdb->get_results('SELECT * FROM ' . $all_collections . ' WHERE colln_name_slug = "' . $slug_id . '"', ARRAY_A);+    $current_product = $wpdb->get_results(+        $wpdb->prepare("SELECT * FROM $collection_products WHERE pdt_name_slug = %s", $slug_id),+        ARRAY_A+    );+    $current_collection = $wpdb->get_results(+        $wpdb->prepare("SELECT * FROM $all_collections WHERE colln_name_slug = %s", $slug_id),+        ARRAY_A+    ); } else {-    $current_product  = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE pdt_slug = "' . $slug_id . '"', ARRAY_A);-    $current_collection  = $wpdb->get_results('SELECT * FROM ' . $all_collections . ' WHERE colln_slug = "' . $slug_id . 
'"', ARRAY_A);+    $current_product = $wpdb->get_results(+        $wpdb->prepare("SELECT * FROM $collection_products WHERE pdt_slug = %s", $slug_id),+        ARRAY_A+    );+    $current_collection = $wpdb->get_results(+        $wpdb->prepare("SELECT * FROM $all_collections WHERE colln_slug = %s", $slug_id),+        ARRAY_A+    ); } -if (!count($current_product) && !count($current_collection)) { // for the old links to work-    $current_product  = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE product_id = "' . $slug_id . '"', ARRAY_A);-    $current_collection  = $wpdb->get_results('SELECT * FROM ' . $all_collections . ' WHERE collection_id = "' . $slug_id . '"', ARRAY_A);+// For old links to work+if (!count($current_product) && !count($current_collection)) {+    $current_product = $wpdb->get_results(+        $wpdb->prepare("SELECT * FROM $collection_products WHERE product_id = %s", $slug_id),+        ARRAY_A+    );+    $current_collection = $wpdb->get_results(+        $wpdb->prepare("SELECT * FROM $all_collections WHERE collection_id = %s", $slug_id),+        ARRAY_A+    ); }  if (count($current_product)) {@@ -37,14 +58,17 @@ } elseif (count($current_collection)) {     $affiliate_link = $current_collection[0]['collection_url']; }+ if ($affiliate_link) {     $status_code = 302;-    $shopper_store_table = $wpdb->prefix . "shopper_dot_com_store";-    $store_table = "SELECT * FROM $shopper_store_table";+    $store_table = $wpdb->prepare("SELECT * FROM %i", $shopper_store_table);     $store_data_row = $wpdb->get_row($store_table);     $store_array = json_decode(json_encode($store_data_row), true);     if ($store_array) {         $status_code = $store_array['link_cloaking_redirect_type'];     }+    $affiliate_link = esc_url_raw($affiliate_link);+     wp_redirect($affiliate_link, $status_code);-}+    exit; // Always call exit after redirect+}\ No newline at end of file
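Review bot: in the hunk at `@@ -10,7 +9,10 @@`, `$slug_id = sanitize_text_field($slug_id);` is applied to a variable whose origin is not visible in this file. That is fine as defence in depth, but it is the `%s` binding in the later `prepare()` calls that neutralises SQL metacharacters, not `sanitize_text_field()`, which strips tags and control characters and leaves quotes alone. Make sure `$slug_id` is defined before this line on every code path, or the assignment raises an undefined-variable notice.

Review bot: in the hunk at `@@ -20,16 +22,35 @@`, the six new `$wpdb->prepare("SELECT * FROM $collection_products WHERE ... = %s", $slug_id)` calls still interpolate the table name into the format string, while the neighbouring hunk binds `$shopper_store_table` with `%i`; use `%i` for `$collection_products` and `$all_collections` as well so that prepare() is the only thing assembling SQL. The `product_id = %s` / `collection_id = %s` fallback queries compare an id column against a string; if those columns are integers, `%d` documents the intent and rejects non-numeric slugs outright.

Review bot: in the hunk at `@@ -37,14 +58,17 @@`, `$status_code = $store_array['link_cloaking_redirect_type'];` reaches `wp_redirect()` unvalidated; `wp_redirect()` calls `wp_die()` for any status outside 300-399, so a stale or malformed stored value turns every affiliate link into a fatal page. Cast with `absint()` and fall back to 302 when the value is not a 3xx code. The added `exit;` is the right fix, and `esc_url_raw()` will reduce a link with a disallowed scheme (anything outside `wp_allowed_protocols()`) to an empty string, so handle that case explicitly rather than redirecting to `''`.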
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - templates/template-aff-rdrctn.php 15
Old Code: `$query_select = "SELECT * FROM $shopper_store_table";`
Fixed Code: `$query_select = $wpdb->prepare("SELECT * FROM %i", $shopper_store_table);`

Explanation:
The old code directly interpolates `$shopper_store_table` into the SQL query string without sanitization. While `$shopper_store_table` is constructed using `$wpdb->prefix`, making it less likely to be directly attacker-controlled, the lack of proper table name escaping still represents a SQL injection vulnerability. The fix uses `$wpdb->prepare` with the `%i` placeholder for proper table name escaping.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - templates/template-aff-rdrctn.php 24-30
Old Code: `$current_product  = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE pdt_name_slug = "' . $slug_id . '"', ARRAY_A);`
Fixed Code: `$current_product = $wpdb->get_results($wpdb->prepare("SELECT * FROM $collection_products WHERE pdt_name_slug = %s", $slug_id), ARRAY_A);`

Explanation:
The old code directly concatenates user-controlled `$slug_id` into SQL queries without sanitization. `$slug_id` comes from external input and is used in multiple SQL queries. The fix uses `$wpdb->prepare` with `%s` placeholder to properly escape the string value, preventing SQL injection.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - templates/template-aff-rdrctn.php 32-38
Old Code: `$current_product  = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE pdt_slug = "' . $slug_id . '"', ARRAY_A);`
Fixed Code: `$current_product = $wpdb->get_results($wpdb->prepare("SELECT * FROM $collection_products WHERE pdt_slug = %s", $slug_id), ARRAY_A);`

Explanation:
Same vulnerability as above - direct concatenation of user-controlled `$slug_id` into SQL queries. The fix applies proper parameterized queries with `$wpdb->prepare`.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - templates/template-aff-rdrctn.php 43-49
Old Code: `$current_product  = $wpdb->get_results('SELECT * FROM ' . $collection_products . ' WHERE product_id = "' . $slug_id . '"', ARRAY_A);`
Fixed Code: `$current_product = $wpdb->get_results($wpdb->prepare("SELECT * FROM $collection_products WHERE product_id = %s", $slug_id), ARRAY_A);`

Explanation:
Same vulnerability pattern - direct concatenation of `$slug_id` into SQL queries for backward compatibility. The fix uses parameterized queries.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - templates/template-aff-rdrctn.php 62
Old Code: `$store_table = "SELECT * FROM $shopper_store_table";`
Fixed Code: `$store_table = $wpdb->prepare("SELECT * FROM %i", $shopper_store_table);`

Explanation:
Same table name interpolation vulnerability as the first instance. The fix uses proper table name escaping with `%i` placeholder.

Vulnerability Existed: yes
FALSE POSITIVE
Unvalidated Redirect - CWE-601 - templates/template-aff-rdrctn.php 70
Old Code: `wp_redirect($affiliate_link, $status_code);`
Fixed Code: `$affiliate_link = esc_url_raw($affiliate_link); wp_redirect($affiliate_link, $status_code);`

Explanation:
The old code uses `wp_redirect` with `$affiliate_link` directly from the database without validation. An attacker could manipulate database values to create open redirects. The fix adds `esc_url_raw()` to validate and sanitize the URL before redirection.

Vulnerability Existed: yes
FALSE POSITIVE
Missing Exit After Redirect - CWE-670 - templates/template-aff-rdrctn.php 70
Old Code: `wp_redirect($affiliate_link, $status_code);`
Fixed Code: `wp_redirect($affiliate_link, $status_code); exit;`

Explanation:
The old code calls `wp_redirect()` without immediately calling `exit`, allowing subsequent code execution which could lead to security issues. The fix adds the required `exit` call after redirect.
CVE Analysis Results:
CVE-2025-31534: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shopperdotcom Shopper allows SQL Injection. This issue affects Shopper: from n/a through 3.2.5.
[CVE-2025-31534] [Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays: 3.2.5→3.2.6] templates/template-store.php AI: 4 vulnerabilities 4 true positives CVE-2025-31534
--- cache/shopper_3.2.5/templates/template-store.php	2025-11-20 18:33:27.795685210 +0000+++ cache/shopper_3.2.6/templates/template-store.php	2025-11-20 18:34:27.088494260 +0000@@ -9,35 +9,57 @@  global $wpdb, $paged; $shopper_store = $wpdb->prefix . "shopper_dot_com_store";-$dbdata = $wpdb->get_results("SELECT * FROM $shopper_store");-$store_name = $dbdata[0]->store_name;-$store_title = $dbdata[0]->store_title;-$req_url = sanitize_url($_SERVER['REQUEST_URI']);-if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on')-    $url_h = "https://";-else-    $url_h = "http://";+$dbdata = $wpdb->get_row($wpdb->prepare("SELECT * FROM $shopper_store LIMIT 1"));++if (!$dbdata) {+    return;+}++$store_name = sanitize_text_field($dbdata->store_name);+$store_title = sanitize_text_field($dbdata->store_title);++// URL handling+$req_url = esc_url_raw($_SERVER['REQUEST_URI']);+$url_h = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? "https://" : "http://"; $site_url = trailingslashit(get_site_url());-$collctn = "/" . strtolower($store_name) . "/";-$collctn_url = sanitize_url($url_h . $_SERVER['HTTP_HOST'] . $collctn);-$collctn_full_url = sanitize_url($collctn . get_query_var('spcomcollection'));-$getcondition = $wpdb->get_results("SELECT cars,collection_per_page,product_per_page,link_cloaking_prefix_custom FROM $shopper_store");-$carts = $getcondition[0]->cars;-$coll_per_page = $getcondition[0]->collection_per_page;-$pro_per_page = $getcondition[0]->product_per_page;-$aff_redrctn_slug = $getcondition[0]->link_cloaking_prefix_custom;+$collctn = "/" . sanitize_title($store_name) . "/";+$collctn_url = esc_url_raw($url_h . $_SERVER['HTTP_HOST'] . $collctn);+$collctn_full_url = esc_url_raw($collctn . 
sanitize_text_field(get_query_var('spcomcollection')));++// Get store conditions with prepared statement+$getcondition = $wpdb->get_row($wpdb->prepare("SELECT cars, collection_per_page, product_per_page, link_cloaking_prefix_custom FROM $shopper_store LIMIT 1"));++if ($getcondition) {+    $carts = sanitize_text_field($getcondition->cars);+    $coll_per_page = absint($getcondition->collection_per_page);+    $pro_per_page = absint($getcondition->product_per_page);+    $aff_redrctn_slug = sanitize_title($getcondition->link_cloaking_prefix_custom);+} else {+    // Set default values if no conditions found+    $carts = '';+    $coll_per_page = 10;+    $pro_per_page = 10;+    $aff_redrctn_slug = 'p';+}+ $redirection_path = trailingslashit($site_url . $aff_redrctn_slug);-$page_id = get_query_var('paged') ? (int) get_query_var('paged') : (get_query_var('pageno') ? (int) get_query_var('pageno') : 1);+$page_id = get_query_var('paged') ? absint(get_query_var('paged')) : (get_query_var('pageno') ? absint(get_query_var('pageno')) : 1); $prod_start = ($page_id - 1) * $pro_per_page; $coll_start = ($page_id - 1) * $coll_per_page;++// Collection and product queries $all_collections = $wpdb->prefix . "shopper_dot_com_all_collections"; $collection_products = $wpdb->prefix . 
"shopper_dot_com_collection_products";-$query_all_colltns = $wpdb->get_results("SELECT * FROM $all_collections");-$query_all_pdts    = $wpdb->get_results("SELECT * FROM $collection_products");++$query_all_colltns = $wpdb->get_results($wpdb->prepare("SELECT * FROM $all_collections"));+$query_all_pdts = $wpdb->get_results($wpdb->prepare("SELECT * FROM $collection_products"));++// URL processing $page_pos = strpos($req_url, '/page');-if ($page_pos) {+if ($page_pos !== false) {     $req_url = substr($req_url, 0, $page_pos + 1); }+ function getPdtUrlSlug($pdt) {     $pdt_slug = $pdt->pdt_name_slug;@@ -46,16 +68,21 @@     }     return $pdt_slug; }-function getCollectionData($collnSlug)-{++function getCollectionData($collnSlug) {     global $wpdb;+    +    $collnSlug = sanitize_title($collnSlug);     $all_collections = $wpdb->prefix . "shopper_dot_com_all_collections";-    $collectionData = $wpdb->get_results('SELECT collection_id, collection_title FROM ' . $all_collections . ' WHERE colln_name_slug = "' . $collnSlug . '"');-    $resultDictionary = array();-    if (isset($collectionData)) {-        $resultDictionary = $collectionData[0];-    }-    return $resultDictionary;+    +    $collectionData = $wpdb->get_row(+        $wpdb->prepare(+            "SELECT collection_id, collection_title FROM $all_collections WHERE colln_name_slug = %s LIMIT 1",+            $collnSlug+        )+    );+    +    return $collectionData ?: array(); } if ($req_url == ("/" . strtolower($store_name) . "/") || $req_url == ("/" . strtolower($store_name))) { ?>
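Review bot: in the hunk at `@@ -9,35 +9,57 @@`, `$wpdb->prepare("SELECT * FROM $shopper_store LIMIT 1")` is called with no placeholder and no arguments; since WordPress 3.9 that triggers a `_doing_it_wrong()` notice (the query must contain a placeholder), and it does not escape `$shopper_store` because the name is interpolated before prepare() ever sees it. The same applies to the `$wpdb->prepare("SELECT * FROM $all_collections")` and `$collection_products` calls further down in this hunk. Either drop prepare() for these prefix-derived names or bind them with `%i` (WordPress 6.2+). The new early `return;` when `$dbdata` is empty renders a blank page where the old code produced notices; a visible message is friendlier for a site owner diagnosing a broken install. `$_SERVER['HTTP_HOST']` is still concatenated into `$collctn_url` straight from the request; `home_url()` avoids trusting the Host header.

Review bot: in the hunk at `@@ -46,16 +68,21 @@`, `return $collectionData ?: array();` makes `getCollectionData()` return a `stdClass` on success and an array on failure; a caller doing `$data->collection_id` on the empty array gets a warning and `null`, so return `null` on failure (or an object with empty fields) and audit the callers. Binding `$collnSlug` with `%s` is the actual injection fix here; `sanitize_title()` before it also lowercases and normalises the value, so confirm that stored `colln_name_slug` values were written through the same function, or lookups of existing collections will start to miss.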
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - templates/template-store.php 73-79
Old Code:
```php
function getCollectionData($collnSlug)
{
    global $wpdb;
    $all_collections = $wpdb->prefix . "shopper_dot_com_all_collections";
    $collectionData = $wpdb->get_results('SELECT collection_id, collection_title FROM ' . $all_collections . ' WHERE colln_name_slug = "' . $collnSlug . '"');
    $resultDictionary = array();
    if (isset($collectionData)) {
        $resultDictionary = $collectionData[0];
    }
    return $resultDictionary;
}
```
Fixed Code:
```php
function getCollectionData($collnSlug) {
    global $wpdb;
    
    $collnSlug = sanitize_title($collnSlug);
    $all_collections = $wpdb->prefix . "shopper_dot_com_all_collections";
    
    $collectionData = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT collection_id, collection_title FROM $all_collections WHERE colln_name_slug = %s LIMIT 1",
            $collnSlug
        )
    );
    
    return $collectionData ?: array();
}
```

Explanation:
The old code directly concatenates the `$collnSlug` parameter into the SQL query string without any sanitization. The `$collnSlug` parameter comes from `get_query_var('spcomcollection')` which is user-controlled input. This allows an attacker to inject malicious SQL code. The new code uses `$wpdb->prepare()` with parameterized queries and adds `sanitize_title()` to properly sanitize the input before use.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - templates/template-store.php 9
Old Code:
```php
$dbdata = $wpdb->get_results("SELECT * FROM $shopper_store");
```
Fixed Code:
```php
$dbdata = $wpdb->get_row($wpdb->prepare("SELECT * FROM $shopper_store LIMIT 1"));
```

Explanation:
The old code uses direct string concatenation for SQL queries without parameterization. While `$shopper_store` is constructed from `$wpdb->prefix`, making it less likely to be directly controllable, this pattern is unsafe. The new code properly uses `$wpdb->prepare()` for all database queries.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - templates/template-store.php 18
Old Code:
```php
$getcondition = $wpdb->get_results("SELECT cars,collection_per_page,product_per_page,link_cloaking_prefix_custom FROM $shopper_store");
```
Fixed Code:
```php
$getcondition = $wpdb->get_row($wpdb->prepare("SELECT cars, collection_per_page, product_per_page, link_cloaking_prefix_custom FROM $shopper_store LIMIT 1"));
```

Explanation:
The old code uses direct string concatenation for SQL queries without parameterization. The new code properly uses `$wpdb->prepare()` for all database queries.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - templates/template-store.php 47-48
Old Code:
```php
$query_all_colltns = $wpdb->get_results("SELECT * FROM $all_collections");
$query_all_pdts    = $wpdb->get_results("SELECT * FROM $collection_products");
```
Fixed Code:
```php
$query_all_colltns = $wpdb->get_results($wpdb->prepare("SELECT * FROM $all_collections"));
$query_all_pdts = $wpdb->get_results($wpdb->prepare("SELECT * FROM $collection_products"));
```

Explanation:
The old code uses direct string concatenation for SQL queries without parameterization. The new code properly uses `$wpdb->prepare()` for all database queries.
CVE Analysis Results:
CVE-2025-31534: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shopperdotcom Shopper allows SQL Injection. This issue affects Shopper: from n/a through 3.2.5.
[CVE-2025-31534] [Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays: 3.2.5→3.2.6] uninstall.php AI: 1 vulnerability 1 false positive CVE-2025-31534
--- cache/shopper_3.2.5/uninstall.php	2025-11-20 18:33:27.795685210 +0000+++ cache/shopper_3.2.6/uninstall.php	2025-11-20 18:34:27.089494324 +0000@@ -2,14 +2,17 @@  // If uninstall not called from WordPress, then exit. if (!defined('WP_UNINSTALL_PLUGIN')) {-  exit();+  exit; } -if (!current_user_can('activate_plugins')) {-  exit();+// Verify user capabilities+if (!current_user_can('delete_plugins')) {  +  wp_die(__('You do not have sufficient permissions to uninstall this plugin.', 'shopper-dot-com')); }  global $wpdb;++// Define all plugin tables $tableArray = [   $wpdb->prefix . "shopper_dot_com_auth",   $wpdb->prefix . "shopper_dot_com_collection_products",@@ -19,10 +22,23 @@   $wpdb->prefix . "shopper_dot_com_themes",   $wpdb->prefix . "shopper_dot_com_global_settings", ];++// Delete all plugin options delete_option('shopper_dotcom_db_version'); +// Drop all plugin tables foreach ($tableArray as $tablename) {-  if ($wpdb->get_var("show tables like '" . $tablename . "'") == $tablename) {-    $wpdb->query($wpdb->prepare("DROP TABLE $tablename"));+  // Verify table exists using prepared statement+  $table_exists = $wpdb->get_var(+      $wpdb->prepare("SHOW TABLES LIKE %s", $tablename)+  );+  +  if ($table_exists === $tablename) {+      $wpdb->query(+          $wpdb->prepare("DROP TABLE IF EXISTS %i", $tablename)+      );   } }++// Clear any cached data+wp_cache_flush();
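Review bot: in the hunk at `@@ -2,14 +2,17 @@`, `current_user_can('delete_plugins')` followed by `wp_die()` runs in a context WordPress has already authorised (core checks the capability before including uninstall.php), and under WP-CLI there is typically no logged-in user, so `wp plugin uninstall` would now die with a permissions error and leave the tables behind. If the check stays, let it fall through with `exit` as the old code did rather than `wp_die()`, and note that `__()` with the plugin's text domain is unlikely to be translated here because uninstall.php is loaded without the plugin's textdomain bootstrap.

Review bot: in the hunk at `@@ -19,10 +22,23 @@`, `$wpdb->prepare("SHOW TABLES LIKE %s", $tablename)` binds the name but does not escape the `_` characters in `shopper_dot_com_...`, which are LIKE wildcards; pass the name through `$wpdb->esc_like()` first, otherwise a similarly named table can come back as the first row of `get_var()`, the `=== $tablename` comparison fails, and the real table is left in place. With `DROP TABLE IF EXISTS %i` the existence check is redundant anyway, so the loop can simply issue the drop. `%i` again requires WordPress 6.2 or later.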
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - uninstall.php [Lines 32-34]
Old Code:
```php
  if ($wpdb->get_var("show tables like '" . $tablename . "'") == $tablename) {
    $wpdb->query($wpdb->prepare("DROP TABLE $tablename"));
  }
```
Fixed Code:
```php
  // Verify table exists using prepared statement
  $table_exists = $wpdb->get_var(
      $wpdb->prepare("SHOW TABLES LIKE %s", $tablename)
  );
  
  if ($table_exists === $tablename) {
      $wpdb->query(
          $wpdb->prepare("DROP TABLE IF EXISTS %i", $tablename)
      );
  }
```

Explanation:
The old code contains an SQL injection vulnerability in the DROP TABLE query. The `$tablename` variable is interpolated directly into the SQL string at line 34: `$wpdb->query($wpdb->prepare("DROP TABLE $tablename"))`. Although `$wpdb->prepare()` is called, the table name is not parameterized: it is interpolated into the query string before prepare() runs. An attacker who could control the table name (unlikely in this context) could therefore inject arbitrary SQL. The fixed code uses the `%i` placeholder to sanitize the identifier in the DROP TABLE query, so the table name is handled safely.
CVE Analysis Results:
CVE-2025-31534: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shopperdotcom Shopper allows SQL Injection. This issue affects Shopper: from n/a through 3.2.5.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] ChannelDetails.php AI: 4 vulnerabilities 4 true positives CVE-2025-32550
--- cache/click-pledge-connect_2.24080000-WP6.6.1/ChannelDetails.php	2025-11-20 22:13:36.779109072 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/ChannelDetails.php	2025-11-20 22:19:32.249906852 +0000@@ -1,87 +1,154 @@-<?php
-function cnp_channeldetails() {
-
-	global $wpdb;    global $cnp_channeltable_name;global $cnp_channelgrptable_name; global $cnp_settingtable_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";
-	}
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$wpdb->query("delete from ".$cnp_channeltable_name." where cnpchannel_id =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-	}
-
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-		jQuery('#cnpformslist').dataTable();
-		jQuery("tr:even").css("background-color", "#f1f1f1");
-	});
-	/* ]]> */
-
-</script>
-<?php   /*<td nowrap><u><a href="admin.php?page=cnpform_add&cnpid='.$id.'"">Edit</a></u></td> <th></th>*/
-		$cnpfrmid = $_REQUEST['cnpviewid']; 
-		$rcnpid   = $_REQUEST['cnpid']; 
-		$cnpresltdsply = '<div class="wrap">
-			              <h2>View Channels &nbsp;&nbsp;&nbsp;</h2><p></p>
-			              <table class="wp-list-table widefat" id="cnpformslist" ><thead><tr><th><u>ID</u></th><th><u>Channel</u></th><th><u>Start Date/Time</u></th><th><u>End Date/Time</u></th><th></th></tr></thead><tbody>';
-
-		 $sql          = "select * from ".$cnp_channeltable_name." join ".$cnp_channelgrptable_name." on  cnpchannelgrp_ID = cnpchannel_cnpchannelgrp_ID join ".$cnp_settingtable_name ." on cnpstngs_ID = cnpchannelgrp_cnpstngs_ID where cnpchannel_cnpchannelgrp_ID ='".$cnpfrmid."'  order by cnpchannel_id desc";
-		 $result       = $wpdb->get_results($sql);
-	
-		 if($wpdb->num_rows > 0 )
-		 { $sno=1;
-			foreach($result as $cnpchannelData):
-	 
-				$id               = $cnpchannelData->cnpchannel_id;
-			    $cnpfrmid         = $cnpchannelData->cnpchannel_cnpchannelgrp_ID;
-				$cname            = $cnpchannelData->cnpchannel_channelName;
-			
-				$stdate           = $cnpchannelData->cnpchannel_channelStartDate;
-			 	$eddate           = $cnpchannelData->cnpchannel_channelEndDate;
-		        $seldate          = $cnpchannelData->cnpchannel_DateCreated;
-		   $frmstdate = new DateTime($stdate);
-		   $frmeddate = new DateTime($eddate);
-		  $isexistpledgetvchannel = isexistpledgetvchannel($cnpchannelData->cnpstngs_AccountNumber,$cnpchannelData->cnpstngs_guid,$cnpchannelData->cnpchannel_channelName);
-		  
-		  if($isexistpledgetvchannel != "no"){
-			  $rtrnval = explode("~",$isexistpledgetvchannel);
-			  $cname = $rtrnval[1]." (".$cname.")";
-		  }
-			 	if($eddate == "0000-00-00 00:00:00") {$eddate ="";}
-		   		if($eddate!=""){
-				 $eddate = new DateTime($eddate);
-				 $nwenddt = $eddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP);}
-				$cnpresltdsply .= '<tr><td>'.$sno.'</td><td >'.$cname.'</td><td  >'.$frmstdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
-				<td  >'.$nwenddt.'</td><td nowrap>';	
-		  if($isexistpledgetvchannel == "no"){
-			$cnpresltdsply .= '<font color="red"><strong>Channel has been deleted from Connect</strong></font>';  
-		  }else{
-				if(count($result)!= 1){
-				$cnpresltdsply .= '<u><a href="admin.php?page=cnp_channeldetails&cnpviewid='.$cnpfrmid.'&cnpid='.$rcnpid.'&info=del&did='.$id.'" ><span class="dashicons dashicons-trash"></span></a></u>';
-					}else{$cnpresltdsply .= '&nbsp;';}}
-		
-		  $cnpresltdsply .= '</td></tr>';
-		  $sno++;
-			endforeach; 
-	     } 
-		 else {  $cnpresltdsply .= '<tr><td>No Record Found!</td><tr>';  }
-		
-		 $cnpresltdsply .= '</tbody></table></div><div class="dataTables_paginate" ><a href="admin.php?page=cnp_pledgetvchannelsdetails"><strong>Go back to Channels</strong></a></div>';
-		 echo $cnpresltdsply ;
-}
+<?php+function cnp_channeldetails() {++	global $wpdb;    global $cnp_channeltable_name;global $cnp_channelgrptable_name; global $cnp_settingtable_name;+	$info = isset($_REQUEST["info"]) ? sanitize_text_field(wp_unslash($_REQUEST["info"])) : '';++    $cnpresltdsply = "";+	if($info=="saved")+	{+		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";+	}+	if($info=="failed")+	{+		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";+	}+	if($info=="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";+	}+	if ($info == "del") {+  +    $delid = isset($_GET["did"]) ? intval($_GET["did"]) : 0;++    if ($delid > 0) {+  +        $deleted = $wpdb->delete(+            $cnp_channeltable_name, // Table name+            ['cnpchannel_id' => $delid], // WHERE clause+            ['%d'] // Data format (integer)+        );++        if ($deleted) {+            echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+        } else {+            echo "<div class='error' id='message'><p><strong>Failed to delete the record.</strong></p></div>";+        }+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid ID provided.</strong></p></div>";+    }+}+++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+		jQuery('#cnpformslist').dataTable();+		jQuery("tr:even").css("background-color", "#f1f1f1");+	});+	/* ]]> */++</script>+<?php   +	$cnpfrmid = isset($_REQUEST['cnpviewid']) ? sanitize_text_field(wp_unslash($_REQUEST['cnpviewid'])) : '';+$rcnpid   = isset($_REQUEST['cnpid']) ? 
sanitize_text_field(wp_unslash($_REQUEST['cnpid'])) : '';++$cnpresltdsply = '<div class="wrap">+                  <h2>View Channels &nbsp;&nbsp;&nbsp;</h2><p></p>+                  <table class="wp-list-table widefat" id="cnpformslist">+                  <thead>+                      <tr>+                          <th><u>ID</u></th>+                          <th><u>Channel</u></th>+                          <th><u>Start Date/Time</u></th>+                          <th><u>End Date/Time</u></th>+                          <th></th>+                      </tr>+                  </thead>+                  <tbody>';++// Use a prepared SQL query for security+$sql = $wpdb->prepare(+    "SELECT * +     FROM {$cnp_channeltable_name} +     JOIN {$cnp_channelgrptable_name} ON cnpchannelgrp_ID = cnpchannel_cnpchannelgrp_ID +     JOIN {$cnp_settingtable_name} ON cnpstngs_ID = cnpchannelgrp_cnpstngs_ID +     WHERE cnpchannel_cnpchannelgrp_ID = %d +     ORDER BY cnpchannel_id DESC",+    $cnpfrmid+);++$result = $wpdb->get_results($sql);++if (!empty($result)) {+    $sno = 1;++    foreach ($result as $cnpchannelData) {+        $id = $cnpchannelData->cnpchannel_id;+        $cnpfrmid = $cnpchannelData->cnpchannel_cnpchannelgrp_ID;+        $cname = esc_html($cnpchannelData->cnpchannel_channelName);++        $stdate = $cnpchannelData->cnpchannel_channelStartDate;+        $eddate = $cnpchannelData->cnpchannel_channelEndDate;++        $frmstdate = new DateTime($stdate);+        $frmeddate = ($eddate === "0000-00-00 00:00:00") ? null : new DateTime($eddate);+++        $isexistpledgetvchannel = isexistpledgetvchannel(+            $cnpchannelData->cnpstngs_AccountNumber,+            $cnpchannelData->cnpstngs_guid,+            $cnpchannelData->cnpchannel_channelName+        );++        if ($isexistpledgetvchannel !== "no") {+            $rtrnval = explode("~", $isexistpledgetvchannel);+            $cname = esc_html($rtrnval[1]) . " (" . esc_html($cname) . 
")";+        }++        $nwenddt = $frmeddate ? $frmeddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) : '';++        $cnpresltdsply .= '<tr>+            <td>' . esc_html($sno) . '</td>+            <td>' . $cname . '</td>+            <td>' . $frmstdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>+            <td>' . esc_html($nwenddt) . '</td>+            <td nowrap>';++        if ($isexistpledgetvchannel === "no") {+            $cnpresltdsply .= '<font color="red"><strong>Channel has been deleted from Connect</strong></font>';+        } else {+            if (count($result) != 1) {+                $delete_url = esc_url(+                    add_query_arg(+                        [+                            'page' => 'cnp_channeldetails',+                            'cnpviewid' => $cnpfrmid,+                            'cnpid' => $rcnpid,+                            'info' => 'del',+                            'did' => $id,+                        ],+                        admin_url('admin.php')+                    )+                );+                $cnpresltdsply .= '<u><a href="' . $delete_url . '"><span class="dashicons dashicons-trash"></span></a></u>';+            } else {+                $cnpresltdsply .= '&nbsp;';+            }+        }++        $cnpresltdsply .= '</td></tr>';+        $sno++;+    }+} else {+    $cnpresltdsply .= '<tr><td colspan="5">No Record Found!</td></tr>';+}++++		+		 $cnpresltdsply .= '</tbody></table></div><div class="dataTables_paginate" ><a href="admin.php?page=cnp_pledgetvchannelsdetails"><strong>Go back to Channels</strong></a></div>';+		 echo $cnpresltdsply ;+} ?>\ No newline at end of file
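Review bot: The `info=del` branch in the new code still deletes a row on the strength of a GET parameter alone: `$delid = isset($_GET["did"]) ? intval($_GET["did"]) : 0;` followed by `$wpdb->delete(...)` has no nonce verification (`check_admin_referer()`) and no capability check (`current_user_can()`) anywhere in the hunk, and the delete link assembled with `add_query_arg()` carries no nonce (`wp_nonce_url()`), so the SQL injection is closed but the deletion remains reachable by CSRF. A smaller point: `$cnpfrmid` is only passed through `sanitize_text_field()` before being bound to `%d`; that works because `prepare()` casts it, but `absint()` at the source (as the FormDetails.php change does) would make the integer intent explicit and let the `if ($cnpfrmid > 0)` guard be applied here too.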
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - ChannelDetails.php 18
Old Code:
`$wpdb->query("delete from ".$cnp_channeltable_name." where cnpchannel_id =".$delid);`
Fixed Code:
`$deleted = $wpdb->delete( $cnp_channeltable_name, ['cnpchannel_id' => $delid], ['%d'] );`

Explanation:
In the old code, `$delid` is directly concatenated into the SQL query without sanitization. The user input `$_GET["did"]` flows into `$delid` without validation, then directly into the SQL query. This allows SQL injection since an attacker can control the value of the `did` parameter to modify the query structure. The fixed code uses WordPress's `$wpdb->delete()` method with parameterized queries, which prevents SQL injection by separating data from query structure.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - ChannelDetails.php 54
Old Code:
`$sql = "select * from ".$cnp_channeltable_name." join ".$cnp_channelgrptable_name." on cnpchannelgrp_ID = cnpchannel_cnpchannelgrp_ID join ".$cnp_settingtable_name ." on cnpstngs_ID = cnpchannelgrp_cnpstngs_ID where cnpchannel_cnpchannelgrp_ID ='".$cnpfrmid."' order by cnpchannel_id desc";`
Fixed Code:
`$sql = $wpdb->prepare( "SELECT * FROM {$cnp_channeltable_name} JOIN {$cnp_channelgrptable_name} ON cnpchannelgrp_ID = cnpchannel_cnpchannelgrp_ID JOIN {$cnp_settingtable_name} ON cnpstngs_ID = cnpchannelgrp_cnpstngs_ID WHERE cnpchannel_cnpchannelgrp_ID = %d ORDER BY cnpchannel_id DESC", $cnpfrmid );`

Explanation:
In the old code, `$cnpfrmid` (from `$_REQUEST['cnpviewid']`) is directly concatenated into the SQL query string without sanitization. This allows SQL injection since an attacker can control the query structure through the `cnpviewid` parameter. The fixed code uses WordPress's `$wpdb->prepare()` with parameterized queries, ensuring the user input is properly escaped and preventing SQL injection.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - ChannelDetails.php 56-116
Old Code:
Multiple instances of direct variable output without escaping in HTML context (e.g., `$cname`, `$sno`, `$nwenddt`)
Fixed Code:
Uses `esc_html()` for all dynamic content output (e.g., `esc_html($cname)`, `esc_html($sno)`, `esc_html($nwenddt)`)

Explanation:
The old code directly outputs user-controlled data (`$cname` from database, `$sno` counter, `$nwenddt` date) into HTML without escaping. This creates persistent XSS vulnerabilities since an attacker could store malicious scripts in the database that would execute when the page is viewed. The fixed code properly escapes all dynamic content using `esc_html()` before output, preventing XSS attacks.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - ChannelDetails.php 95-105
Old Code:
`$cnpresltdsply .= '<u><a href="admin.php?page=cnp_channeldetails&cnpviewid='.$cnpfrmid.'&cnpid='.$rcnpid.'&info=del&did='.$id.'" ><span class="dashicons dashicons-trash"></span></a></u>';`
Fixed Code:
Uses `esc_url()` and `add_query_arg()` to safely construct URLs

Explanation:
The old code constructs URLs by directly concatenating user-controlled parameters (`$cnpfrmid`, `$rcnpid`, `$id`) into href attributes without URL encoding. This allows XSS through javascript: URLs or other URL-based attacks. The fixed code uses WordPress's `esc_url()` and `add_query_arg()` functions to safely construct and escape URLs, preventing XSS through URL attributes.
CVE Analysis Results:
CVE-2025-32550: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] FormAdd.php AI: No vulnerabilities 3 true positives
--- cache/click-pledge-connect_2.24080000-WP6.6.1/FormAdd.php	2025-11-20 22:13:36.786109522 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/FormAdd.php	2025-11-20 22:19:32.277908626 +0000@@ -1,67 +1,84 @@ <?php ob_start();-if ( ! defined( 'ABSPATH' ) ) exit;-function cnps_addform() {-	-if(isset($_POST["cnpbtnsave"]))-{-	$addform= wp_unslash( sanitize_text_field( $_POST["addformval"]));-	global $wpdb;-	global $cnp_table_name;-   	if($addform==1)-	{-		$cnprtnval = CNPCF_addNewForms($cnp_table_name,$_POST);-		if($cnprtnval == true){$cnpredirectval = "saved";}else{$cnpredirectval = "failed";}-		wp_redirect("admin.php?page=cnp_formsdetails&info=".$cnpredirectval);-		exit;-	}-	else if($addform==2)-	{-		$cnprtnval =CNPCF_updateForms($cnp_table_name,$_POST);-		if($cnprtnval == true){$cnpredirectval = "upd";}else{$cnpredirectval = "failed";}-		wp_redirect("admin.php?page=cnp_formsdetails&info=".$cnpredirectval);-		exit;-	} -}   $dsplycntnt ="";-	$cnpaccountfriendlynams = CNPCF_getAccountIdList();-	$cnpsettingscount = CNPCF_getAccountNumbersCount();-   if($cnpsettingscount==1){$dsplycntnt = 'class="disabled"';}-	$hidval	   = 1;-	$act=wp_unslash( sanitize_text_field( $_REQUEST["cnpviewid"] ) );-	if(isset($act) && $act!="")-	{-		global $wpdb;-		global $cnp_table_name;-		global $cnp_formtable_name;-		$cnpviewid = wp_unslash( sanitize_text_field( $_GET['cnpviewid'] ) );-		$cnpfrmdtresult    = CNPCF_GetCnPGroupDetails($cnp_table_name,'cnpform_ID',$cnpviewid);-		$cnpfrmrtnval      = CNPCF_GetCnPGroupDetails($cnp_formtable_name,'cnpform_cnpform_ID',$cnpviewid);-		foreach ($cnpfrmdtresult as $cnprtnval) {}--	 if (count($cnpfrmdtresult)> 0 )-		 {---				$cnpfrmid              = $cnprtnval->cnpform_ID;-				$cnpfrmgroupname       = $cnprtnval->cnpform_groupname;-				$cnpfrmAccountNumber   = $cnprtnval->cnpform_cnpstngs_ID;-				$cnpfrmtype            = $cnprtnval->cnpform_type;-			 	$cnpfrmptype           = $cnprtnval->cnpform_ptype;-				$cnpfrmtext            = 
$cnprtnval->cnpform_text;-				$cnpfrmimg             = $cnprtnval->cnpform_img;-				$cnpfrmshortcode       = $cnprtnval->cnpform_shortcode;-				$cnpfrmStartDate       = $cnprtnval->cnpform_Form_StartDate;-				$cnpfrmEndDate         = $cnprtnval->cnpform_Form_EndDate;-			    $cnpfrmerrmsg         = $cnprtnval->cnpform_custommsg;-		 		if($cnpfrmEndDate == "0000-00-00 00:00:00") {$cnpfrmEndDate ="";}-				$cnpfrmstatus          = $cnprtnval->cnpform_status;-				$btn	               = "Update form";-				$hidval	               = 2;+if (!defined('ABSPATH')) {+    exit; // Prevent direct access+} -				$cnpeditaccountfriendlynams = CNPCF_editgetAccountIdList($cnpfrmAccountNumber);+function cnps_addform() {+	+if (isset($_POST["cnpbtnsave"])) {+   +    $addform = isset($_POST["addformval"]) ? sanitize_text_field(wp_unslash($_POST["addformval"])) : '';++  +    global $wpdb;+    global $cnp_table_name;++    if ($addform == 1) {+      +        $cnprtnval = CNPCF_addNewForms($cnp_table_name, $_POST);++      +        $cnpredirectval = $cnprtnval ? "saved" : "failed";+        wp_redirect(admin_url("admin.php?page=cnp_formsdetails&info=" . $cnpredirectval));+        exit;++    } elseif ($addform == 2) {+        // Update existing form+        $cnprtnval = CNPCF_updateForms($cnp_table_name, $_POST);++        $cnpredirectval = $cnprtnval ? "upd" : "failed";+        wp_redirect(admin_url("admin.php?page=cnp_formsdetails&info=" . $cnpredirectval));+        exit;+    }+} +$dsplycntnt ="";+$cnpaccountfriendlynams = CNPCF_getAccountIdList();+$cnpsettingscount = CNPCF_getAccountNumbersCount();+$dsplycntnt = ($cnpsettingscount == 1) ? 'class="disabled"' : '';+$hidval = 1;+$act = isset($_REQUEST["cnpviewid"]) ? sanitize_text_field(wp_unslash($_REQUEST["cnpviewid"])) : '';++if (!empty($act)) {+global $wpdb;+global $cnp_table_name;+global $cnp_formtable_name;+++$cnpviewid = isset($_GET['cnpviewid']) ? 
sanitize_text_field(wp_unslash($_GET['cnpviewid'])) : '';++if (!empty($cnpviewid)) {+   +    $cnpfrmdtresult = CNPCF_GetCnPGroupDetails($cnp_table_name, 'cnpform_ID', $cnpviewid);+    $cnpfrmrtnval = CNPCF_GetCnPGroupDetails($cnp_formtable_name, 'cnpform_cnpform_ID', $cnpviewid);++  +    if (!empty($cnpfrmdtresult) && is_array($cnpfrmdtresult)) {+        $cnprtnval = $cnpfrmdtresult[0]; ++        // Assign values from the result+        $cnpfrmid = $cnprtnval->cnpform_ID;+        $cnpfrmgroupname = $cnprtnval->cnpform_groupname;+        $cnpfrmAccountNumber = $cnprtnval->cnpform_cnpstngs_ID;+        $cnpfrmtype = $cnprtnval->cnpform_type;+        $cnpfrmptype = $cnprtnval->cnpform_ptype;+        $cnpfrmtext = $cnprtnval->cnpform_text;+        $cnpfrmimg = $cnprtnval->cnpform_img;+        $cnpfrmshortcode = $cnprtnval->cnpform_shortcode;+        $cnpfrmStartDate = $cnprtnval->cnpform_Form_StartDate;+        $cnpfrmEndDate = ($cnprtnval->cnpform_Form_EndDate === "0000-00-00 00:00:00") ? '' : $cnprtnval->cnpform_Form_EndDate;+        $cnpfrmerrmsg = $cnprtnval->cnpform_custommsg;+        $cnpfrmstatus = $cnprtnval->cnpform_status;+$cnpfrmguid="";+     +        $btn = "Update form";+        $hidval = 2;+       +        $cnpeditaccountfriendlynams = CNPCF_editgetAccountIdList($cnpfrmAccountNumber);+    } +} -		}  	$cnpeditdsplycntnt ='<style>          .ui-widget-header,.ui-state-default, ui-button {@@ -220,7 +237,7 @@ 						 </td></tr> 						 </table> 						 </div>-						 <div style="text-align-last:center;">+						 <div style="text-align-last:center;position: relative;top: 10px;"> 						 <div> 						 <input type="button" name="cnpbtnedit" id="cnpbtnedit" value="Close" class="add-new-h2" onclick="window.history.go(-1); return false;"> 						 <input type="submit" name="cnpbtnsave" id="cnpbtnsave" value="Save" class="add-new-h2">  <div class="dataTables_paginate" ><a href="admin.php?page=cnp_formsdetails"><strong>Go back to Form Groups</strong></a></div>@@ -237,7 +254,7 
@@ 	} 	else 	{-+$btn = isset($btn) ? $btn : '';  $cnpdsplycntnt ='<div class="Fader" style="display:none;"> </div> <div id="dialogForm"  title="URL Parameter(s):" style="display:none;">     <form id="myform" method="post">@@ -360,7 +377,7 @@ 						 </td></tr> 						 </table> 						 </div>-						 <div style="text-align-last:center;">+						 <div style="text-align-last:center;position: relative;top: 10px;"> 						 <div> <br> 						 <input type="button" name="cnpbtnclose" id="cnpbtnclose" value="Close" class="add-new-h2" onclick="window.history.go(-1); return false;">
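Review bot: The save handler `if (isset($_POST["cnpbtnsave"]))` still hands the raw `$_POST` array to `CNPCF_addNewForms($cnp_table_name, $_POST)` and `CNPCF_updateForms($cnp_table_name, $_POST)` with no nonce verification before either call; a `check_admin_referer()` at the top of that block (paired with a `wp_nonce_field()` in the form markup edited later in this file) would close the CSRF gap that the analysis below also points out. Also, `$act` and `$cnpviewid` are the same request value read twice (`$_REQUEST["cnpviewid"]`, then `$_GET['cnpviewid']`); reading it once and reusing it avoids the two diverging.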
AI Analysis
Vulnerability Existed: no  
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - FormAdd.php [Lines 21, 38, 46]  
Old Code:  
```php
$act=wp_unslash( sanitize_text_field( $_REQUEST["cnpviewid"] ) );
// ...
$cnpviewid = wp_unslash( sanitize_text_field( $_GET['cnpviewid'] ) );
// ...
$cnpredirectval = "saved";}else{$cnpredirectval = "failed";}
wp_redirect("admin.php?page=cnp_formsdetails&info=".$cnpredirectval);
```  
Fixed Code:  
```php
$act = isset($_REQUEST["cnpviewid"]) ? sanitize_text_field(wp_unslash($_REQUEST["cnpviewid"])) : '';
// ...
$cnpviewid = isset($_GET['cnpviewid']) ? sanitize_text_field(wp_unslash($_GET['cnpviewid'])) : '';
// ...
$cnpredirectval = $cnprtnval ? "saved" : "failed";
wp_redirect(admin_url("admin.php?page=cnp_formsdetails&info=" . $cnpredirectval));
```  

Explanation:  
The code properly sanitizes user input from $_REQUEST and $_GET using sanitize_text_field() and wp_unslash(). The redirect values ("saved", "failed", "upd") are hardcoded strings not derived from user input. The admin_url() function provides additional safety for URL construction. No unsanitized user input reaches output contexts.

Vulnerability Existed: no  
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - FormAdd.php [Lines 17, 26, 49, 50]  
Old Code:  
```php
$cnprtnval = CNPCF_addNewForms($cnp_table_name,$_POST);
// ...
$cnprtnval = CNPCF_updateForms($cnp_table_name,$_POST);
// ...
$cnpfrmdtresult = CNPCF_GetCnPGroupDetails($cnp_table_name, 'cnpform_ID', $cnpviewid);
```  
Fixed Code:  
```php
$cnprtnval = CNPCF_addNewForms($cnp_table_name, $_POST);
// ...
$cnprtnval = CNPCF_updateForms($cnp_table_name, $_POST);
// ...
$cnpfrmdtresult = CNPCF_GetCnPGroupDetails($cnp_table_name, 'cnpform_ID', $cnpviewid);
```  

Explanation:  
The code uses wrapper functions (CNPCF_addNewForms, CNPCF_updateForms, CNPCF_GetCnPGroupDetails) for database operations. The $cnpviewid parameter passed to CNPCF_GetCnPGroupDetails is sanitized with sanitize_text_field(). Without seeing the implementation of these database wrapper functions, we cannot confirm SQL injection exists. The code shows proper input sanitization before passing to database functions.

Vulnerability Existed: no  
CWE-352 - Cross-Site Request Forgery (CSRF) - FormAdd.php [Lines 9, 240, 363]  
Old Code:  
```php
if(isset($_POST["cnpbtnsave"]))
// ...
<input type="submit" name="cnpbtnsave" id="cnpbtnsave" value="Save" class="add-new-h2">
```  
Fixed Code:  
```php
if (isset($_POST["cnpbtnsave"]))
// ...
<input type="submit" name="cnpbtnsave" id="cnpbtnsave" value="Save" class="add-new-h2">
```  

Explanation:  
The form submission checks for the presence of $_POST["cnpbtnsave"] but does not include a nonce verification. However, this is an admin-side functionality that requires WordPress administrator privileges. CSRF protection is typically implemented via nonces in WordPress, but the absence alone doesn't constitute a vulnerability since admin actions require authentication. The code structure suggests this is intended for authenticated admin users only.
CVE Analysis Results:
CVE-2025-32550: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] FormDetails.php AI: 3 vulnerabilities 3 true positives CVE-2025-32550
--- cache/click-pledge-connect_2.24080000-WP6.6.1/FormDetails.php	2025-11-20 22:13:36.786109522 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/FormDetails.php	2025-11-20 22:19:32.277908626 +0000@@ -1,77 +1,128 @@-<?php
-function cnp_formdetails() {
-
-	global $wpdb;    global $cnp_formtable_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";
-	}
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$wpdb->query("delete from ".$cnp_formtable_name." where cnpform_ID =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-	}
-
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-		jQuery('#cnpformslist').dataTable();
-		jQuery("tr:even").css("background-color", "#f1f1f1");
-	});
-	/* ]]> */
-
-</script>
-<?php   /*<td nowrap><u><a href="admin.php?page=cnpform_add&cnpid='.$id.'"">Edit</a></u></td> <th></th>*/
-		$cnpfrmid = $_REQUEST['cnpviewid']; 
-		$rcnpid   = $_REQUEST['cnpid']; 
-		$cnpresltdsply = '<div class="wrap">
-			              <h2>View Forms &nbsp;&nbsp;&nbsp;</h2><p></p>
-			              <table class="wp-list-table widefat" id="cnpformslist" ><thead><tr><th><u>ID</u></th><th><u>Campaign Name</u></th><th><u>Form Name</u></th><th><u>GUID</u></th><th><u>Start Date/Time</u></th><th><u>End Date/Time</u></th><th></th></tr></thead><tbody>';
-
-		 $sql          = "select * from ".$cnp_formtable_name." where cnpform_cnpform_ID ='".$cnpfrmid."'  order by cnpform_id desc";
-		 $result       = $wpdb->get_results($sql);
-		 if($wpdb->num_rows > 0 )
-		 { $sno=1;
-			foreach($result as $cnpformData):
-	
-				$id               = $cnpformData->cnpform_id;
-			    $cnpfrmid         = $cnpformData->cnpform_cnpform_ID;
-				$cname            = $cnpformData->cnpform_CampaignName;
-			 	$fname            = $cnpformData->cnpform_FormName;
-				$guid             = $cnpformData->cnpform_GUID;
-				$stdate           = $cnpformData->cnpform_FormStartDate;
-			 	$eddate           = $cnpformData->cnpform_FormEndDate;
-		        $seldate           = $cnpformData->cnpform_DateCreated;
-		   $frmstdate = new DateTime($stdate);
-		   $frmeddate = new DateTime($eddate);
-			 	 if($eddate == "0000-00-00 00:00:00") {$eddate ="";}
-		   		if($eddate!=""){
-				 $eddate = new DateTime($eddate);
-				 $nwenddt = $eddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP);}
-				$cnpresltdsply .= '<tr><td>'.$sno.'</td><td >'.$cname.'</td><td >'.$fname.'</td><td  >'.$guid.'</td>	<td  >'.$frmstdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
-				<td  >'.$nwenddt.'</td><td nowrap><u>';							 
-				if(count($result)!= 1){
-				$cnpresltdsply .= '<a href="admin.php?page=cnp_formdetails&cnpviewid='.$cnpfrmid.'&cnpid='.$rcnpid.'&info=del&did='.$id.'" ><span class="dashicons dashicons-trash"></span></a></u>';
-					}else{$cnpresltdsply .= '&nbsp;';}
-		  $cnpresltdsply .= '</td></tr>';
-		  $sno++;
-			endforeach; 
-	     } 
-		 else {  $cnpresltdsply .= '<tr><td>No Record Found!</td><tr>';  }
-		
-		 $cnpresltdsply .= '</tbody></table></div><div class="dataTables_paginate" ><a href="admin.php?page=cnp_formsdetails"><strong>Go back to Form Groups</strong></a></div>';
-		 echo $cnpresltdsply ;
-}
+<?php+function cnp_formdetails() {++	global $wpdb;    global $cnp_formtable_name;++	if (isset($_REQUEST["info"])) {+    	$info = sanitize_text_field($_REQUEST["info"]);+	}   ++	$cnpresltdsply = "";+	if(isset($info) && $info ==="saved")+	{+		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";+	}+	if(isset($info) && $info ==="failed")+	{+		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";+	}+	if(isset($info) && $info ==="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";+	}+	+	if (isset($info) && $info === "del") {+  +    $delid = isset($_GET['did']) ? absint($_GET['did']) : 0;  ++    if ($delid > 0) {+        global $wpdb;+        global $cnp_formtable_name;++        $wpdb->query(+            $wpdb->prepare("DELETE FROM {$cnp_formtable_name} WHERE cnpform_ID = %d", $delid)+        );++        +        if ($wpdb->rows_affected > 0) {+            echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+        } else {+            echo "<div class='error' id='message'><p><strong>No record found to delete.</strong></p></div>";+        }+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid record ID.</strong></p></div>";+    }+}++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+		jQuery('#cnpformslist').dataTable();+		jQuery("tr:even").css("background-color", "#f1f1f1");+	});+	/* ]]> */++</script>+<?php   +		++$cnpfrmid = isset($_REQUEST['cnpviewid']) ? absint($_REQUEST['cnpviewid']) : 0;+$rcnpid   = isset($_REQUEST['cnpid']) ? 
absint($_REQUEST['cnpid']) : 0;++if ($cnpfrmid > 0 ) { +    global $wpdb;+    global $cnp_formtable_name;++    $cnpresltdsply = '<div class="wrap">+                      <h2>View Forms &nbsp;&nbsp;&nbsp;</h2><p></p>+                      <table class="wp-list-table widefat" id="cnpformslist">+                      <thead><tr><th><u>ID</u></th><th><u>Campaign Name</u></th><th><u>Form Name</u></th><th><u>GUID</u></th><th><u>Start Date/Time</u></th><th><u>End Date/Time</u></th><th></th></tr></thead><tbody>';++    // Prepare the query to avoid SQL injection+    $sql = $wpdb->prepare(+        "SELECT * FROM {$cnp_formtable_name} WHERE cnpform_cnpform_ID = %d ORDER BY cnpform_id DESC",+        $cnpfrmid+    );+    $result = $wpdb->get_results($sql);++    if ($wpdb->num_rows > 0) {+        $sno = 1;+        foreach ($result as $cnpformData) {+            $id             = $cnpformData->cnpform_id;+            $cnpfrmid       = $cnpformData->cnpform_cnpform_ID;+            $cname          = sanitize_text_field($cnpformData->cnpform_CampaignName);+            $fname          = sanitize_text_field($cnpformData->cnpform_FormName);+            $guid           = sanitize_text_field($cnpformData->cnpform_GUID);+            $stdate         = $cnpformData->cnpform_FormStartDate;+            $eddate         = $cnpformData->cnpform_FormEndDate;++          +            $frmstdate = new DateTime($stdate);+            $nwenddt = "";+            if ($eddate != "0000-00-00 00:00:00") {+                $eddate = new DateTime($eddate);+                $nwenddt = $eddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP);+            }++            $cnpresltdsply .= '<tr><td>' . $sno . '</td>+                               <td>' . $cname . '</td>+                               <td>' . $fname . '</td>+                               <td>' . $guid . '</td>+                               <td>' . $frmstdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . 
'</td>+                               <td>' . $nwenddt . '</td>+                               <td nowrap><u>';++            if (count($result) != 1) {+                $cnpresltdsply .= '<a href="admin.php?page=cnp_formdetails&cnpviewid=' . $cnpfrmid . '&cnpid=' . $rcnpid . '&info=del&did=' . $id . '">+                                    <span class="dashicons dashicons-trash"></span></a></u>';+            } else {+                $cnpresltdsply .= '&nbsp;';+            }++            $cnpresltdsply .= '</td></tr>';+            $sno++;+        }+    } else {+        $cnpresltdsply .= '<tr><td colspan="7">No Record Found!</td></tr>';+    }++    $cnpresltdsply .= '</tbody></table></div><div class="dataTables_paginate">+                       <a href="admin.php?page=cnp_formsdetails"><strong>Go back to Form Groups</strong></a></div>';+    echo $cnpresltdsply;+} else {+    echo '<div class="error"><p><strong>Invalid request parameters!</strong></p></div>';+}++} ?>\ No newline at end of file
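Review bot: The delete link is still built by string concatenation (`'&cnpviewid=' . $cnpfrmid . '&cnpid=' . $rcnpid . '&info=del&did=' . $id`) with no `esc_url()` and no nonce, and the `info=del` branch deletes on a bare GET `did` value with no `check_admin_referer()` or `current_user_can()` check, so as in ChannelDetails.php the injection is fixed but the deletion remains CSRF-reachable. Separately, `sanitize_text_field()` on `$cname`, `$fname` and `$guid` is an input sanitizer (it strips tags rather than encoding them), not an output escaper; the WordPress-idiomatic fix for values echoed into table cells is `esc_html()` at the point of output, which is what the ChannelDetails.php change in this same release does.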
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - FormDetails.php [26-27]
Old Code:
```php
$delid=$_GET["did"];
$wpdb->query("delete from ".$cnp_formtable_name." where cnpform_ID =".$delid);
```
Fixed Code:
```php
$delid = isset($_GET['did']) ? absint($_GET['did']) : 0;
if ($delid > 0) {
    $wpdb->query(
        $wpdb->prepare("DELETE FROM {$cnp_formtable_name} WHERE cnpform_ID = %d", $delid)
    );
}
```

Explanation:
The old code directly concatenates user input ($_GET["did"]) into an SQL query without sanitization. The attacker-controlled value from $_GET["did"] reaches the SQL sink unvalidated and unsanitized, allowing SQL injection. The new code uses absint() to ensure the value is a positive integer and $wpdb->prepare() with parameterized queries to prevent SQL injection.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - FormDetails.php [64]
Old Code:
```php
$sql = "select * from ".$cnp_formtable_name." where cnpform_cnpform_ID ='".$cnpfrmid."'  order by cnpform_id desc";
```
Fixed Code:
```php
$sql = $wpdb->prepare(
    "SELECT * FROM {$cnp_formtable_name} WHERE cnpform_cnpform_ID = %d ORDER BY cnpform_id DESC",
    $cnpfrmid
);
```

Explanation:
The old code directly concatenates user input ($_REQUEST['cnpviewid']) into an SQL query without sanitization. The attacker-controlled value from $_REQUEST['cnpviewid'] reaches the SQL sink unvalidated and unsanitized, allowing SQL injection. The new code uses $wpdb->prepare() with parameterized queries and absint() validation to prevent SQL injection.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-site Scripting - CWE-79 - FormDetails.php [78-85]
Old Code:
```php
$cname = $cnpformData->cnpform_CampaignName;
$fname = $cnpformData->cnpform_FormName;
$guid = $cnpformData->cnpform_GUID;
// ... later output directly in HTML
$cnpresltdsply .= '<td>'.$cname.'</td><td>'.$fname.'</td><td>'.$guid.'</td>';
```
Fixed Code:
```php
$cname = sanitize_text_field($cnpformData->cnpform_CampaignName);
$fname = sanitize_text_field($cnpformData->cnpform_FormName);
$guid = sanitize_text_field($cnpformData->cnpform_GUID);
// ... later output in HTML after sanitization
$cnpresltdsply .= '<td>' . $cname . '</td><td>' . $fname . '</td><td>' . $guid . '</td>';
```

Explanation:
The old code directly outputs database values into HTML without sanitization. Database-stored values ($cnpformData->cnpform_CampaignName, $cnpformData->cnpform_FormName, $cnpformData->cnpform_GUID) reach the HTML sink unsanitized, allowing stored XSS if malicious content was previously stored in the database. The new code uses sanitize_text_field() to escape the output before including it in HTML.
CVE Analysis Results:
CVE-2025-32550: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] Functions/functionscnp.php AI: 4 vulnerabilities 4 true positives CVE-2025-32550
--- cache/click-pledge-connect_2.24080000-WP6.6.1/Functions/functionscnp.php	2025-11-20 22:13:36.787109586 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/Functions/functionscnp.php	2025-11-20 22:19:32.277908626 +0000@@ -1,961 +1,1403 @@-<?php
-
-function CNPCF_getImageTextButton($guid,$cnptyp,$cnptxt)
-{
-	global $wpdb; 	
-	global $cnp_table_name;
-	global $cnp_formtable_name;
-	global $cnprtrnstr;
-    $cnpGetImagesql     = "SELECT * FROM " .$cnp_table_name. " WHERE cnpform_groupname='" .$guid. "' and 
-																	 cnpform_ptype ='".$cnptxt."'";
-	$cnpimgresult       =  $wpdb->get_results($cnpGetImagesql);
-		
-		   if($wpdb->num_rows > 0 )
-		   {
-			   foreach ($cnpimgresult as $cnpimgresultsarr)
-			   { 
-			         if($cnptxt == "text"){$cnprtrnstr= $cnpimgresultsarr->cnpform_text ;}
-				else if($cnptxt == "button"){$cnprtrnstr= $cnpimgresultsarr->cnpform_text ;}
-				else if($cnptxt == "image"){$cnprtrnstr= $cnpimgresultsarr->cnpform_img;}
-			   }
-		   }
-return $cnprtrnstr;
-}
-function CNPCF_isExistShortcode($cnpshortcode)
-{
-	global $wpdb; 	
-	global $cnp_table_name;
-	global $cnprtrnstr;
-	$currentdate = CFCNP_PLUGIN_CURRENTTIME;
-     $cnpGetImagesql     = "SELECT * FROM " .$cnp_table_name. " WHERE (cnpform_shortcode ='[CnPConnect " .$cnpshortcode. "]' OR cnpform_shortcode ='[CnP.Form " .$cnpshortcode. "]') AND cnpform_status =1 AND IF (cnpform_Form_EndDate !='0000-00-00 00:00:00', '".$currentdate."' between cnpform_Form_StartDate and cnpform_Form_EndDate, cnpform_Form_StartDate <= '".$currentdate."') order by cnpform_Date_Modified ASC Limit 1";
-	$cnpimgresult       =  $wpdb->get_results($cnpGetImagesql);
-	if($wpdb->num_rows > 0 )return true; else return false;
-
-}
-function CNPCF_isExistchannelShortcode($cnpshortcode)
-{
-	global $wpdb; 	
-	global $cnp_channelgrptable_name;
-	global $cnprtrnstr;
-	$currentdate = CFCNP_PLUGIN_CURRENTTIME;
-     $cnpGetImagesql     = "SELECT * FROM " .$cnp_channelgrptable_name. " WHERE (cnpchannelgrp_shortcode ='[CnP.pledgeTV " .$cnpshortcode. "]') AND cnpchannelgrp_status =1 AND IF (cnpchannelgrp_channel_EndDate !='0000-00-00 00:00:00', '".$currentdate."' between cnpchannelgrp_channel_StartDate and cnpchannelgrp_channel_EndDate, cnpchannelgrp_channel_StartDate <= '".$currentdate."') order by cnpchannelgrp_Date_Modified ASC Limit 1";
-	$cnpimgresult       =  $wpdb->get_results($cnpGetImagesql);
-	if($wpdb->num_rows > 0 )return true; else return false;
-
-}
-function CNPCF_getGroupCustomerrmsg($cnpshortcode)
-{
-	global $wpdb; 	
-	global $cnp_table_name;
-	global $cnprtrnstr; //AND cnpform_status =1 AND IF (cnpform_Form_EndDate !='0000-00-00', CURDATE() between cnpform_Form_StartDate and cnpform_Form_EndDate, cnpform_Form_StartDate <= CURDATE()) order by cnpform_Date_Modified ASC Limit 1 
-     $cnpGetImagesql     = "SELECT cnpform_custommsg FROM " .$cnp_table_name. " WHERE cnpform_shortcode ='[CnPConnect " .$cnpshortcode. "]' or cnpform_shortcode ='[CnP.Form " .$cnpshortcode. "]'  ";
-	$cnperrresult       =  $wpdb->get_results($cnpGetImagesql);
- if($wpdb->num_rows > 0 )
-		   {
-			   foreach ($cnperrresult as $cnperrresultsarr)
-			   { 
-			         $cnprtrnstr= $cnperrresultsarr->cnpform_custommsg;
-				
-			   }
-		   }
-return $cnprtrnstr;
-}
-function CNPCF_getGroupchnlCustomerrmsg($cnpshortcode)
-{
-	global $wpdb; 	
-	global $cnp_channelgrptable_name;
-	global $cnprtrnstr; //AND cnpform_status =1 AND IF (cnpform_Form_EndDate !='0000-00-00', CURDATE() between cnpform_Form_StartDate and cnpform_Form_EndDate, cnpform_Form_StartDate <= CURDATE()) order by cnpform_Date_Modified ASC Limit 1 
-  $cnpGetImagesql     = "SELECT cnpchannelgrp_custommsg FROM " .$cnp_channelgrptable_name. " WHERE cnpchannelgrp_shortcode ='[CnP.pledgeTV " .$cnpshortcode. "]'";
-	$cnperrresult       =  $wpdb->get_results($cnpGetImagesql);
- if($wpdb->num_rows > 0 )
-		   {
-			   foreach ($cnperrresult as $cnperrresultsarr)
-			   { 
-			         $cnprtrnstr= $cnperrresultsarr->cnpchannelgrp_custommsg;
-				
-			   }
-		   }
-return $cnprtrnstr;
-}
-function CNPCF_getcnpGuid($cnpshortcode)
-{
-	global $wpdb; 	
-	global $cnp_table_name;
-	global $cnprtrnstr;
-    $cnpGetguidsql     = "SELECT cnpform_guid FROM " .$cnp_table_name. " WHERE cnpform_shortcode ='[CnP " .$cnpshortcode. "]' or cnpform_shortcode ='[CnP.Form " .$cnpshortcode. "]' ";
-	$cnpfrmcntresult       =  $wpdb->get_results($cnpGetguidsql);
-	foreach ($cnpfrmcntresult as $cnpresultsarr) {
-	         $cnpform_accountId= $cnpresultsarr->cnpform_guid;
-			 return $cnpform_accountId;
-			}
-
-}
-function CNPCF_getFormType($groupname)
-{
-	global $wpdb; 	
-	global $cnp_table_name;
-	global $cnprtrnstr;
-	$currentdate = CFCNP_PLUGIN_CURRENTTIME;
-    $cnpGetguidsql     = "SELECT cnpform_type,cnpform_ptype,cnpform_text,cnpform_img FROM " .$cnp_table_name. " WHERE cnpform_groupname ='".$groupname."' AND cnpform_status =1 AND IF (cnpform_Form_EndDate !='0000-00-00 00:00:00', '".$currentdate."' between cnpform_Form_StartDate and cnpform_Form_EndDate, cnpform_Form_StartDate <= '".$currentdate."') order by cnpform_Date_Modified DESC Limit 1";
-	$cnpfrmcntresult       =  $wpdb->get_results($cnpGetguidsql);
-	foreach ($cnpfrmcntresult as $cnpresultsarr) {
-	         $cnpform_accountId= $cnpresultsarr->cnpform_type;
-			 return $cnpform_accountId."--".$cnpresultsarr->cnpform_ptype."--".$cnpresultsarr->cnpform_text."--".$cnpresultsarr->cnpform_img;
-			}
-
-}
-function CNPCF_getCountForms($frmid)
-{
-	global $wpdb; 	
-	global $cnp_formtable_name;
-	global $cnprtrnstr;
-	$currentdate = CFCNP_PLUGIN_CURRENTTIME;
-    $cnpGetFrmCntsql     = "SELECT * FROM " .$cnp_formtable_name. " WHERE  IF (cnpform_FormEndDate !='0000-00-00',  cnpform_FormEndDate >= '".$currentdate."' , cnpform_FormStartDate != '') and cnpform_cnpform_ID  =".$frmid ;
-	$cnpfrmcntresult       =  $wpdb->get_results($cnpGetFrmCntsql);
-	return $wpdb->num_rows;
-
-}
-function CNPCF_getCountChannels($chnlid)
-{
-	global $wpdb; 	
-	global $cnp_channeltable_name;
-	global $cnp_channelgrptable_name;
-	global $cnp_settingtable_name;
-	global $cnprtrnstr;
-	$currentdate = CFCNP_PLUGIN_CURRENTTIME;
-	/* $cnpGetFrmCntsql          = "select * from ".$cnp_channeltable_name." join ".$cnp_channelgrptable_name." on  cnpchannelgrp_ID = cnpchannel_cnpchannelgrp_ID join ".$cnp_settingtable_name ." on cnpstngs_ID = cnpchannelgrp_cnpstngs_ID WHERE  IF (cnpchannel_channelEndDate !='0000-00-00',  cnpchannel_channelEndDate >= '".$currentdate."' , cnpchannel_channelStartDate != '') and cnpchannel_cnpchannelgrp_ID ='".$chnlid."'";*/
-    $cnpGetFrmCntsql     = "SELECT * FROM " .$cnp_channeltable_name. " WHERE  IF (cnpchannel_channelEndDate !='0000-00-00',  cnpchannel_channelEndDate >= '".$currentdate."' , cnpchannel_channelStartDate != '') and cnpchannel_cnpchannelgrp_ID  =".$chnlid ;
-
-	$result       = $wpdb->get_results($cnpGetFrmCntsql);
-	$totnoofchannels = $wpdb->num_rows;
-		 if($wpdb->num_rows > 0 )
-		 { $sno=0;
-			/*foreach($result as $cnpchannelData):
-		  $isexistpledgetvchannel = isexistpledgetvchannel($cnpchannelData->cnpstngs_AccountNumber,$cnpchannelData->cnpstngs_guid,$cnpchannelData->cnpchannel_channelName);
-		  if($isexistpledgetvchannel != "no"){ $sno = $sno+1;}
-		  endforeach; */
-		 }
-	//	if($sno == $wpdb->num_rows){return $wpdb->num_rows;}else{return $sno." of ".$wpdb->num_rows;}
-	
-return $wpdb->num_rows;
-}
-function CNPCF_getAccountId($frmid)
-{
-						
-	global $wpdb; 	
-	global $cnp_formtable_name;
-	global $cnprtrnstr;
-    $cnpGetFrmCntsql     = "SELECT cnpform_accountId FROM " .$cnp_formtable_name. " WHERE  cnpform_id  =".$frmid;
-	$cnpfrmcntresult       =  $wpdb->get_results($cnpGetFrmCntsql);
-	foreach ($cnpfrmcntresult as $cnpresultsarr) {
-	         $cnpform_accountId= $cnpresultsarr->cnpform_accountId;
-			 return $cnpform_accountId;
-			}
-				
-	
-
-}
-function CNPCF_getFormId($frmid)
-{
-	global $wpdb; 	
-	global $cnp_formtable_name;
-	global $cnprtrnstr;
-    $cnpGetFrmsql     = "SELECT cnpform_formId FROM " .$cnp_formtable_name. " WHERE  cnpform_id  =".$frmid;
-	$cnpfrmresult       =  $wpdb->get_results($cnpGetFrmsql);
-	foreach ($cnpfrmresult as $cnpresultsarr) {
-	         $cnpform_formId= $cnpresultsarr->cnpform_formId;
-			 return $cnpform_formId;
-			}
-}
-function CNPCF_getFormDates($frmid)
-{
-						
-	global $wpdb; 	
-	global $cnp_formtable_name;
-	global $cnprtrnstr;
-    $cnpGetFrmDtsql     = "SELECT * FROM " .$cnp_formtable_name. " WHERE  cnpform_id  =".$frmid;
-	$cnpfrmdtresult       =  $wpdb->get_results($cnpGetFrmDtsql);
-	foreach ($cnpfrmdtresult as $cnpresultsarr) {
-	         $cnpform_frmdates= $cnpresultsarr->cnpform_FormStartDate ."||" . $cnpresultsarr->cnpform_FormEndDate;
-			 return $cnpform_frmdates;
-			}
-				
-}
-/*************************************************/
-function CNPCF_addNewChannel($tblname,$forminfo)
-		{ 
-			global $wpdb;	global $cnp_channelgrptable_name; global $cnp_channeltable_name;
-			$count = sizeof($forminfo);
-			
-			if($count  > 0)
-			{
-						
-				if( $forminfo['lstchnlaccntfrndlynam'] !="")
-				{
-							 
-				 $chnlcode= CNPCF_getChannelShortCode(sanitize_text_field(trim($forminfo['txtcnpchnlgrp'])));
-				 $current_time = CFCNP_PLUGIN_CURRENTTIME;
-							
-      						 
-							 
-			//$active = 1;
-			$active = $forminfo['lstchnlsts'];
-			$cnpsettingid   = explode("||",$forminfo['lstchnlaccntfrndlynam']);
-			$frmgrpstartdt  = $forminfo['txtcnpchnlstrtdt'];
-			$frmgrpenddt    = $forminfo['txtcnpchnlenddt'];
-			$frmgrpenddt1   = "";
-			
-			if(get_option('date_format') != "d/m/Y"){
-	          $frmgrpstartdt1 = date("Y-m-d H:i:s",strtotime($frmgrpstartdt));
-	
-            }
-			elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-			{
-				$dateval = CNPCF_getDateFormat($frmgrpstartdt);
-				$frmgrpstartdt1 = date("Y-m-d H:i:s",strtotime($dateval));
-			}
-			
-			if($frmgrpenddt !=""){
-			if(get_option('date_format') != "d/m/Y"){	
-			$frmgrpenddt1 = date("Y-m-d H:i:s",strtotime($frmgrpenddt));
-			}
-			elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-			{
-			    $dateval = CNPCF_getDateFormat($frmgrpenddt);
-			    $frmgrpenddt1 = date("Y-m-d H:i:s",strtotime($dateval));
-			}
-			}	
-							$cnpchnlgrp = sanitize_text_field(trim($forminfo['txtcnpchnlgrp']));
-							
-			$sSQL = "INSERT INTO ".$cnp_channelgrptable_name."(cnpchannelgrp_groupname,cnpchannelgrp_cnpstngs_ID,			 cnpchannelgrp_shortcode,cnpchannelgrp_channel_StartDate,cnpchannelgrp_channel_EndDate,						 cnpchannelgrp_status,cnpchannelgrp_custommsg,cnpchannelgrp_Date_Created,cnpchannelgrp_Date_Modified)values('$cnpchnlgrp','$cnpsettingid[2]',												 '$chnlcode',
-			'$frmgrpstartdt1','$frmgrpenddt1',$active,'$forminfo[txtchnlerrortxt]',
-			'$current_time','$current_time')"; 
-							$wpdb->query($sSQL);
-							   $lastid = $wpdb->insert_id;
-							   $noofforms = $forminfo['hidnoofforms'];
-							if($noofforms == ""){$noofforms = 1;}
-						
-							for($inc=0;$inc< $noofforms;$inc++)
-							{
-								$lstcnpactivechannel  = "lstcnpactivechannel".$forminfo['hdncnpchnlcnt'][$inc];
-							 	$txtcnpchnlstrtdt  = "txtcnpchnlstrtdt".$forminfo['hdncnpchnlcnt'][$inc];
-								$txtcnpchnlenddt   = "txtcnpchnlenddt".$forminfo['hdncnpchnlcnt'][$inc];
-							
-								$txtcnpformenddt1="";
-								
-								
-							if(get_option('date_format') != "d/m/Y"){
-							  $txtcnpformstrtdt1 = date("Y-m-d H:i:s",strtotime($forminfo[$txtcnpchnlstrtdt]));
-							}
-							elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-							{
-								$dateval = CNPCF_getDateFormat($forminfo[$txtcnpchnlstrtdt]);
-								$txtcnpformstrtdt1 = date("Y-m-d H:i:s",strtotime($dateval));
-							}
-
-							if($forminfo[$txtcnpchnlenddt]!=""){
-							if(get_option('date_format') != "d/m/Y"){	
-							$txtcnpformenddt1 = date("Y-m-d H:i:s",strtotime($forminfo[$txtcnpchnlenddt]));
-							}
-							elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-							{
-								$dateval = CNPCF_getDateFormat($forminfo[$txtcnpchnlenddt]);
-								$txtcnpformenddt1 = date("Y-m-d H:i:s",strtotime($dateval));
-							}
-							}		
-
-								
-								
-					
-			 $sSQL = "INSERT INTO ".$cnp_channeltable_name."(cnpchannel_cnpchannelgrp_ID,cnpchannel_channelName,			 cnpchannel_channelStartDate,cnpchannel_channelEndDate,cnpchannel_channelStatus,cnpchannel_DateCreated)values('$lastid','$forminfo[$lstcnpactivechannel]', '$txtcnpformstrtdt1','$txtcnpformenddt1',$active,'$current_time')"; 
-							$wpdb->query($sSQL);
-				}		
-			return true;}else{return false;}}else{ return false;}
-		}
-/*************************************************/
- function CNPCF_addNewForms($tblname,$forminfo)
-		{ 
-			global $wpdb;	global $cnp_table_name; global $cnp_formtable_name;
-			$count = sizeof($forminfo);
-			
-			if($count  > 0)
-			{
-						
-						if( $forminfo['lstaccntfrndlynam'] !="")
-						{
-							 
-							 $frmcode= CNPCF_getFormShortCode($forminfo['txtcnpfrmgrp']);
-							 $current_time = CFCNP_PLUGIN_CURRENTTIME;
-							 $maxsize = 10000000; //set to approx 10 MB 
-      						 
-							 if(is_uploaded_file($_FILES['txtpopupimg']['tmp_name'])) {     
-								//checks size of uploaded image on server side
-							 if( $_FILES['txtpopupimg']['size'] < $maxsize) {    
-			 
-								$finfo = finfo_open(FILEINFO_MIME_TYPE);
-								//checks whether uploaded file is of image type
-								if(strpos(finfo_file($finfo, $_FILES['txtpopupimg']['tmp_name']),"image")===0)
-								{    
-								   // prepare the image for insertion
-									$imgData =addslashes (file_get_contents($_FILES['txtpopupimg']['tmp_name']));
-								}
-								else
-								{  
-									$msg="<p>Uploaded file is not an image.</p>";
-								}
-						}
-					    else {
-						// if the file is not less than the maximum allowed, print an error
-							$msg='<div>File exceeds the Maximum File limit</div>
-							<div>Maximum File limit is '.$maxsize.' bytes</div>
-							<div>File '.$_FILES['txtpopupimg']['name'].' is '.$_FILES['txtpopupimg']['size'].
-							' bytes</div><hr />';
-						}
-        }
-        else
-            $msg    = "File not uploaded successfully.";
-		//	$active = 1;
-	
-		    $active = $forminfo['lstfrmsts'];
-			$cnpsettingid   = explode("||",$forminfo['lstaccntfrndlynam']);
-			$frmgrpstartdt  = $forminfo['txtcnpformstrtdt'];
-			$frmgrpenddt    = $forminfo['txtcnpformenddt'];
-			$frmgrpenddt1   = "";
-			
-			if(get_option('date_format') != "d/m/Y"){
-	          $frmgrpstartdt1 = date("Y-m-d H:i:s",strtotime($frmgrpstartdt));
-	
-            }
-			elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-			{
-				$dateval = CNPCF_getDateFormat($frmgrpstartdt);
-				$frmgrpstartdt1 = date("Y-m-d H:i:s",strtotime($dateval));
-			}
-			
-			if($frmgrpenddt !=""){
-			if(get_option('date_format') != "d/m/Y"){	
-			$frmgrpenddt1 = date("Y-m-d H:i:s",strtotime($frmgrpenddt));
-			}
-			elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-			{
-			    $dateval = CNPCF_getDateFormat($frmgrpenddt);
-			    $frmgrpenddt1 = date("Y-m-d H:i:s",strtotime($dateval));
-			}
-			}			
-			$sSQL = "INSERT INTO ".$cnp_table_name."(cnpform_groupname,cnpform_cnpstngs_ID,cnpform_type, cnpform_ptype,cnpform_text,cnpform_img,cnpform_shortcode,cnpform_Form_StartDate,cnpform_Form_EndDate,						 cnpform_status,cnpform_custommsg,cnpform_Date_Created,cnpform_Date_Modified)values('$forminfo[txtcnpfrmgrp]','$cnpsettingid[2]',												 '$forminfo[lstfrmtyp]','$forminfo[lstpopuptyp]','$forminfo[txtpopuptxt]','{$imgData}','$frmcode',
-			'$frmgrpstartdt1','$frmgrpenddt1',$active,'$forminfo[txterrortxt]',
-			'$current_time','$current_time')"; 
-			
-							$wpdb->query($sSQL);
-							   $lastid = $wpdb->insert_id;
-							   $noofforms = $forminfo['hidnoofforms'];
-							if($noofforms == ""){$noofforms = 1;}
-							for($inc=0;$inc< $noofforms;$inc++)
-							{
-								$lstcnpactivecamp  = "lstcnpactivecamp".$forminfo['hdncnpformcnt'][$inc];
-							    $lstcnpfrmtyp      = "hdncnpformname".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpguid        = "txtcnpguid".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpformstrtdt  = "txtcnpformstrtdt".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpformenddt   = "txtcnpformenddt".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpformurlparms   = "txtbtnurlparms".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpformenddt1="";
-															
-							if(get_option('date_format') != "d/m/Y"){
-							  $txtcnpformstrtdt1 = date("Y-m-d H:i:s",strtotime($forminfo[$txtcnpformstrtdt]));
-							}
-							elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-							{
-								$dateval = CNPCF_getDateFormat($forminfo[$txtcnpformstrtdt]);
-								$txtcnpformstrtdt1 = date("Y-m-d H:i:s",strtotime($dateval));
-							}
-
-							if($forminfo[$txtcnpformenddt]!=""){
-							if(get_option('date_format') != "d/m/Y"){	
-							$txtcnpformenddt1 = date("Y-m-d H:i:s",strtotime($forminfo[$txtcnpformenddt]));
-							}
-							elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-							{
-								$dateval = CNPCF_getDateFormat($forminfo[$txtcnpformenddt]);
-								$txtcnpformenddt1 = date("Y-m-d H:i:s",strtotime($dateval));
-							}
-							}		
- $sSQL = "INSERT INTO ".$cnp_formtable_name."(cnpform_cnpform_ID,cnpform_CampaignName,cnpform_FormName,cnpform_GUID,cnpform_FormStartDate,cnpform_FormEndDate,cnpform_FormStatus,cnpform_DateCreated,cnpform_urlparameters)values('$lastid','$forminfo[$lstcnpactivecamp]','$forminfo[$lstcnpfrmtyp]','$forminfo[$txtcnpguid]','$txtcnpformstrtdt1','$txtcnpformenddt1',$active, '$current_time','$forminfo[$txtcnpformurlparms]')"; 
-							$wpdb->query($sSQL);
-								}		
-			return true;}else{return false;}}else{ return false;}
-		}
-		
-		function CNPCF_addSettings($tblname,$forminfo)
-		{ 
-			global $wpdb;	global $cnp_settingtable_name; 
-			$count = sizeof($forminfo);
-			
-			if($count  > 0)
-			{
-						 $scnpSQL = "SELECT * FROM ".$cnp_settingtable_name." where cnpstngs_frndlyname ='".$forminfo['txtcnpfrmfrndlynm']."'  or cnpstngs_AccountNumber = '".$forminfo['txtcnpacntid']."'";
-						$cnpresults  = $wpdb->get_results($scnpSQL);
-					 	$cnpformrows = $wpdb->num_rows;
-						if( $cnpformrows == 0)
-						{
-							
-
-if(isset($forminfo['txtcnpacntid']) && $forminfo['txtcnpacntid']!="" && isset($forminfo['txtcnpacntguid']) && $forminfo['txtcnpacntguid']!="")
-{
-	
-	
-    $current_time = CFCNP_PLUGIN_CURRENTTIME;
-	$cnpactive       =1;
-	$sSQL = "INSERT INTO ".$cnp_settingtable_name."(cnpstngs_frndlyname,cnpstngs_AccountNumber,cnpstngs_guid,cnpstngs_status,cnpstngs_Date_Created,cnpstngs_Date_Modified)values('$forminfo[txtcnpfrmfrndlynm]','$forminfo[txtcnpacntid]',
-													 '$forminfo[txtcnpacntguid]',$cnpactive,
-													 '$current_time',
-													 '$current_time')"; 
-	$wpdb->query($sSQL);
-							 
-							
-							
-							
-			//return $cnpcampcnt;
-					return true;}else{return false;}
-		}
-				else{return "error";}
-	}
-}
-function CNPCF_getActivecampaigns($cnpaccountno,$cnpaccountguid,$retrnstrng){
-	$connect  = array('soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => 0);
-    $client   = new SoapClient('https://resources.connect.clickandpledge.com/wordpress/Auth2.wsdl', $connect);
-
-	$accountid     = $cnpaccountno; 
-	$accountguid   = $cnpaccountguid;
-	$xmlr  = new SimpleXMLElement("<GetActiveCampaignList2></GetActiveCampaignList2>");
-	$xmlr->addChild('accountId', $accountid);
-	$xmlr->addChild('AccountGUID', $accountguid);
-	$xmlr->addChild('username', CFCNP_PLUGIN_UID);
-	$xmlr->addChild('password', CFCNP_PLUGIN_PWD);
-	$response = $client->GetActiveCampaignList2($xmlr); 
-
-    $responsearr  =  $response->GetActiveCampaignList2Result->connectCampaign;
-	
-	if($retrnstrng =="count"){
-	$cnpcampcnt   = count($responsearr);
-	return $cnpcampcnt;}
-	if($retrnstrng =="lst"){
-	return $responsearr;
-	}
-}
-		function CNPCF_getfrmsts($tablenm,$filedname,$wherefldid,$fieldid)
-		{
-						
-			global $wpdb; 	
-			global $cnp_formtable_name;
-			global $cnprtrnstr;
-			$cnpGetFrmDtsql     = "SELECT ".$filedname." as fldsts FROM " .$tablenm. " WHERE  " .$wherefldid. "  =".$fieldid;
-			$cnpfrmdtresult       =  $wpdb->get_results($cnpGetFrmDtsql);
-			foreach ($cnpfrmdtresult as $cnpresultsarr) {
-					 $cnpform_frmdates= $cnpresultsarr->fldsts;if($cnpform_frmdates == "1")$cnprtrnstr = "Active";else $cnprtrnstr = "Inactive";
-					 return $cnprtrnstr;
-					}
-				
-	   }
-
-	function CNPCF_GetCnPGroupDetails($tablenm,$filedname,$wherefldid)
-		{
-						
-			global $wpdb; 	
-			global $cnp_formtable_name;
-			global $cnprtrnstr;
-		    $cnpGetFrmDtsql       = "SELECT * FROM " .$tablenm. " WHERE  " .$filedname. "  = ".$wherefldid;
-			$cnpfrmdtresult       =  $wpdb->get_results($cnpGetFrmDtsql);
-			
-			 return $cnpfrmdtresult;	
-	   }
-		
-	function CNPCF_updateCnPstatus($tablenm,$filedname,$wherefldid,$fieldid,$sts)
-		{
-						
-			global $wpdb; 	
-			global $cnp_formtable_name;
-			global $cnprtrnstr;
-			if($sts == "Active"){$updtsts ="0";}else{$updtsts ="1";}
-			$cnpGetFrmeDtsql     = "update " .$tablenm. " SET ".$filedname." = '".$updtsts."' WHERE  " .$wherefldid. "  =".$fieldid; 
-			$returnval = $wpdb->query($cnpGetFrmeDtsql);
-			/*if($returnval){$cnpGetFrmeDtsql     = "update " .$tablenm. " SET ".$filedname." = '".$updtsts."' WHERE  " .$wherefldid. "  =".$fieldid; 
-			$returnval = $wpdb->query($cnpGetFrmeDtsql);}*/
-			return true;
-	   }
-		function CNPCF_updateChannels($tblname,$forminfo)
-		{ 
-			global $wpdb;	global $cnp_channelgrptable_name;global $cnp_channeltable_name;
-			$count = sizeof($forminfo);
-			if($count>0)
-			{
-			    $current_time = CFCNP_PLUGIN_CURRENTTIME;
-				$frmgrpstartdt  = $forminfo['txtcnpchnlstrtdt'];
-				$frmgrpenddt    = $forminfo['txtcnpchnlenddt'];
-				$frmgrpenddt1   = "";
-			
-			/*//$frmgrpstartdt1 = date("Y-m-d H:i:s",strtotime($frmgrpstartdt));
-			if($frmgrpenddt !=""){
-			$frmgrpenddt1 = date("Y-m-d H:i:s",strtotime($frmgrpenddt));}	
-				*/
-			if(get_option('date_format') != "d/m/Y")
-			{
-				$frmgrpstartdt1 = date("Y-m-d H:i:s",strtotime($frmgrpstartdt));
-				if($frmgrpenddt !=""){
-				$frmgrpenddt1 = date("Y-m-d H:i:s",strtotime($frmgrpenddt));
-				}
-			}
-			elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-			{
-				$dateval = CNPCF_getDateFormat($frmgrpstartdt);
-				$frmgrpstartdt1 = date("Y-m-d H:i:s",strtotime($dateval));
-				if($frmgrpenddt !=""){
-					$dateval = CNPCF_getDateFormat($frmgrpenddt);
-					$frmgrpenddt1 = date("Y-m-d H:i:s",strtotime($dateval));
-				}	
-				
-			}	
-
-				// cnpform_shortcode='$frmcode',
-			 $active =1;//cnpform_groupname ='$forminfo[txtcnpfrmgrp]',
-			 $sSQL = "UPDATE ".$cnp_channelgrptable_name." set 
-													 cnpchannelgrp_channel_StartDate='$frmgrpstartdt1',
-													 cnpchannelgrp_channel_EndDate='$frmgrpenddt1',
-			 										 cnpchannelgrp_status='$forminfo[lstchnlsts]',
-													 cnpchannelgrp_custommsg='$forminfo[txterrortxt]',
-													 cnpchannelgrp_Date_Modified='$current_time'
-											   where cnpchannelgrp_ID ='".$forminfo['hdnfrmid']."'"; 
-			$wpdb->query($sSQL);
-				 $noofforms = $forminfo['hidnoofforms'];
-				$wpdb->query("delete from ".$cnp_channeltable_name." where cnpchannel_cnpchannelgrp_ID =".$forminfo['hdnfrmid']);
-				
-				
-							for($inc=0;$inc< $noofforms;$inc++)
-							{
-							
-								$lstcnpactivecamp = "lstcnpeditactivecamp".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpformstrtdt  = "txtcnpformstrtdt".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpformenddt   = "txtcnpformenddt".$forminfo['hdncnpformcnt'][$inc];
-							   /* $lstcnpactivecamp  = "lstcnpeditactivecamp".$inc;
-							    
-								$txtcnpformstrtdt  = "txtcnpformstrtdt".$inc;
-								$txtcnpformenddt   = "txtcnpformenddt".$inc;*/
-								$txtcnpformenddt1  = "";
-								
-			if(get_option('date_format') != "d/m/Y")
-			{
-				$txtcnpformstrtdt1 = date("Y-m-d H:i:s",strtotime($forminfo[$txtcnpformstrtdt]));
-				if($forminfo[$txtcnpformenddt] !=""){
-				$txtcnpformenddt1 = date("Y-m-d H:i:s",strtotime($forminfo[$txtcnpformenddt]));
-				}
-			}
-			elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-			{
-				$dateval = CNPCF_getDateFormat($forminfo[$txtcnpformstrtdt]);
-				$txtcnpformstrtdt1 = date("Y-m-d H:i:s",strtotime($dateval));
-				if($forminfo[$txtcnpformenddt] !=""){
-					$datevale = CNPCF_getDateFormat($forminfo[$txtcnpformenddt]);
-					$txtcnpformenddt1 = date("Y-m-d H:i:s",strtotime($datevale));
-				}	
-				
-			}	
-
-			if($forminfo[$lstcnpactivecamp] !=""){					
-			 $sSQL = "INSERT INTO ".$cnp_channeltable_name."(cnpchannel_cnpchannelgrp_ID,cnpchannel_channelName,		 cnpchannel_channelStartDate,cnpchannel_channelEndDate,cnpchannel_channelStatus,cnpchannel_DateCreated)values('".$forminfo['hdnfrmid']."','$forminfo[$lstcnpactivecamp]',
-																										 '$txtcnpformstrtdt1','$txtcnpformenddt1',$active,
-													 '$current_time')"; 
-							$wpdb->query($sSQL);
-				}				
-			
-				} 
-			return true;/*}else{return false;	}*/}else{ return false;}
-		}
-		function CNPCF_updateForms($tblname,$forminfo)
-		{ 
-			global $wpdb;	global $cnp_table_name;global $cnp_formtable_name;
-			$count = sizeof($forminfo);
-			if($count>0)
-			{
-										 
-						 $frmcode= CNPCF_getFormShortCode($forminfo['txtcnpfrmgrp']);
-						 $current_time = CFCNP_PLUGIN_CURRENTTIME;
-						 $maxsize = 10000000; //set to approx 10 MB 
-							if(is_uploaded_file($_FILES['txtpopupimg']['tmp_name'])) {     
-								//checks size of uploaded image on server side
-							if( $_FILES['txtpopupimg']['size'] < $maxsize) {    
-			 
-							$finfo = finfo_open(FILEINFO_MIME_TYPE);
-								//checks whether uploaded file is of image type
-								if(strpos(finfo_file($finfo, $_FILES['txtpopupimg']['tmp_name']),"image")===0)
-								{    
-								   // prepare the image for insertion
-									$imgData =addslashes (file_get_contents($_FILES['txtpopupimg']['tmp_name']));
-									$sSQL = "UPDATE ".$cnp_table_name." set cnpform_img = '{$imgData}',
-																 cnpform_Date_Modified='$current_time'
-														   where cnpform_ID ='".$forminfo['hdnfrmid']."'"; 
-									$wpdb->query($sSQL);
-								}
-								else{$msg="<p>Uploaded file is not an image.</p>";}
-							}
-							 else {
-								// if the file is not less than the maximum allowed, print an error
-								$msg='<div>File exceeds the Maximum File limit</div>
-								<div>Maximum File limit is '.$maxsize.' bytes</div>
-								<div>File '.$_FILES['txtpopupimg']['name'].' is '.$_FILES['txtpopupimg']['size'].
-								' bytes</div><hr />';
-							}	}	else $msg="File not uploaded successfully.";
- 
-
-			$frmgrpstartdt  = $forminfo['txtcnpformstrtdt'];
-			$frmgrpenddt    = $forminfo['txtcnpformenddt'];
-			$frmgrpenddt1   = "";
-		
-			if(get_option('date_format') != "d/m/Y")
-			{
-				$frmgrpstartdt1 = date("Y-m-d H:i:s",strtotime($frmgrpstartdt));
-				if($frmgrpenddt !=""){
-				$frmgrpenddt1 = date("Y-m-d H:i:s",strtotime($frmgrpenddt));
-				}
-			}
-			elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-			{
-				$dateval = CNPCF_getDateFormat($frmgrpstartdt);
-				$frmgrpstartdt1 = date("Y-m-d H:i:s",strtotime($dateval));
-				if($frmgrpenddt !=""){
-					$dateval = CNPCF_getDateFormat($frmgrpenddt);
-					$frmgrpenddt1 = date("Y-m-d H:i:s",strtotime($dateval));
-				}	
-				
-			}	
-
-				// cnpform_shortcode='$frmcode',
-			 $active =1;//cnpform_groupname ='$forminfo[txtcnpfrmgrp]',
-			 $sSQL = "UPDATE ".$cnp_table_name." set cnpform_type='$forminfo[lstfrmtyp]',
-													 cnpform_ptype='$forminfo[lstpopuptyp]',
-												     cnpform_text='$forminfo[txtpopuptxt]',
-													 cnpform_Form_StartDate='$frmgrpstartdt1',
-													 cnpform_Form_EndDate='$frmgrpenddt1',
-			 										 cnpform_status='$forminfo[lstfrmsts]',
-													 cnpform_custommsg='$forminfo[txterrortxt]',
-													 cnpform_Date_Modified='$current_time'
-											   where cnpform_ID ='".$forminfo['hdnfrmid']."'"; 
-			$wpdb->query($sSQL);
-				$noofforms = $forminfo['hidnoofforms'];
-				$wpdb->query("delete from ".$cnp_formtable_name." where cnpform_cnpform_ID =".$forminfo['hdnfrmid']);
-							for($inc=0;$inc< $noofforms;$inc++)
-							{
-						
-								
-								$lstcnpactivecamp = "lstcnpeditactivecamp".$forminfo['hdncnpformcnt'][$inc];
-							    $lstcnpfrmtyp  = "hdncnpformname".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpguid = "txtcnpguid".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpformstrtdt = "txtcnpformstrtdt".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpformenddt= "txtcnpformenddt".$forminfo['hdncnpformcnt'][$inc];
-								$txtcnpformurlparms= "txtbtnurlparms".$forminfo['hdncnpformcnt'][$inc];
-							
-								$txtcnpformenddt1="";
-							
-			if(get_option('date_format') != "d/m/Y")
-			{
-				$txtcnpformstrtdt1 = date("Y-m-d H:i:s",strtotime($forminfo[$txtcnpformstrtdt]));
-				if($forminfo[$txtcnpformenddt] !=""){
-				$txtcnpformenddt1 = date("Y-m-d H:i:s",strtotime($forminfo[$txtcnpformenddt]));
-				}
-			}
-			elseif(get_option('date_format') == "d/m/Y" || get_option('date_format') == "d-m-Y")
-			{
-				$dateval = CNPCF_getDateFormat($forminfo[$txtcnpformstrtdt]);
-				$txtcnpformstrtdt1 = date("Y-m-d H:i:s",strtotime($dateval));
-				if($forminfo[$txtcnpformenddt] !=""){
-					$datevale = CNPCF_getDateFormat($forminfo[$txtcnpformenddt]);
-					$txtcnpformenddt1 = date("Y-m-d H:i:s",strtotime($datevale));
-				}	
-				
-			}	
-
-								
-			 $sSQL = "INSERT INTO ".$cnp_formtable_name."(cnpform_cnpform_ID,cnpform_CampaignName,cnpform_FormName,cnpform_GUID,			 cnpform_FormStartDate,cnpform_FormEndDate,cnpform_FormStatus,cnpform_DateCreated,cnpform_urlparameters)values('".$forminfo['hdnfrmid']."','$forminfo[$lstcnpactivecamp]',
-													 '$forminfo[$lstcnpfrmtyp]','$forminfo[$txtcnpguid]',
-													 '$txtcnpformstrtdt1','$txtcnpformenddt1',$active,
-													 '$current_time','$forminfo[$txtcnpformurlparms]')"; 
-							$wpdb->query($sSQL);
-								
-			
-				}
-			return true;/*}else{return false;	}*/}else{ return false;}
-		}
-		function CNPCF_updateSettings($tblname,$forminfo)
-		{ 
-			global $wpdb;	global $cnp_settingtable_name;
-			$count = sizeof($forminfo);
-			if($count>0)
-			{
-				 $cnpcampcnt = //CNPCF_getActivecampaigns($forminfo[txtcnpacntid],$forminfo[txtcnpacntguid],"count");
-				 $current_time = date('Y-m-d H:i:s');
-				 $active =1;
-			 	 $sSQL = "UPDATE ".$cnp_settingtable_name." set 
-				 									 cnpstngs_frndlyname ='$forminfo[txtcnpfrmfrndlynm]',
-			 										 cnpstngs_AccountNumber='$forminfo[txtcnpacntid]',
-													 cnpstngs_guid='$forminfo[txtcnpacntguid]',
-													 cnpstngs_Date_Modified='$current_time'
-											   where cnpstngs_ID ='".$forminfo['hdnfrmid']."'"; 
-			$wpdb->query($sSQL);
-				//return $cnpcampcnt;
-			return true;}else{ return false;}
-		}
- function CNPCF_getFormShortCode($groupnm)
- {
-	     global $wpdb; 	
-		 global $cnp_table_name;
-		 $rtrnval="";
-		 $frmcode = $groupnm;
-		 $shrtcode= str_replace(' ', '-', $frmcode);
-		 $shortcode = '[CnP.Form '.$shrtcode.']';
-					
-	return $shortcode;
- }
- function CNPCF_getChannelShortCode($groupnm)
- {
-	     global $wpdb; 	
-		 global $cnp_table_name;
-		 $rtrnval="";
-		 $chnlcode = $groupnm;
-		 $shrtcode= str_replace(' ', '-', $chnlcode);
-		 $shortcode = '[CnP.pledgeTV '.$shrtcode.']';
-					
-	return $shortcode;
- }
- function  CNPCF_getMaxFormid($tablename)
- {
- 	     global $wpdb; 	
-		 global $cnp_table_name;
-		 $rtrnval="";
-		 $scnpSQL    = "SELECT MAX(cnpform_id) as frmid FROM ".$tablename;
-		 $cnpresults = $wpdb->get_results($scnpSQL);
-		 $cnpformrows = $wpdb->num_rows;
-					 if( $cnpformrows != NULL){
-							foreach ($cnpresults as $cnpresultsarr) {
-							  $cnpfrmid= $cnpresultsarr->frmid;
-							  $rtrnval = $cnpfrmid + 1;
-							}
-						}
-						else { $rtrnval = 1;}
-					if($rtrnval <=9){ $rtrnval = "00".$rtrnval;}elseif($rtrnval <=99 && $rtrnval >=9){ $rtrnval = "0".$rtrnval;}else{$rtrnval = $rtrnval;}
-						
-	return "CNPCF".$rtrnval;
- }
-function CNPCF_getformsofGroup($groupname){
-	
-	 global $wpdb; 	
-		 global $cnp_table_name; global $cnp_formtable_name;
-		 $returnarr = array();
-		 $rtrnval="";
-	     $currentdate = CFCNP_PLUGIN_CURRENTTIME;
-		  $scnpSQL    = "SELECT cnpform_ID as frmid FROM ".$cnp_table_name ." WHERE cnpform_groupname = '".$groupname."' AND 
-	 						cnpform_status =1 AND IF (cnpform_Form_EndDate !='0000-00-00 00:00:00', '".$currentdate."' between cnpform_Form_StartDate and cnpform_Form_EndDate, cnpform_Form_StartDate <=  '".$currentdate."') order by cnpform_Date_Modified DESC Limit 1";
-		 $cnpresults = $wpdb->get_results($scnpSQL);
-		 $cnpformrows = $wpdb->num_rows;
-					 if( $cnpformrows != NULL){
-							foreach ($cnpresults as $cnpresultsarr) {
-							  $cnpfrmid= $cnpresultsarr->frmid;
-							 
-							}
-						   $scnpFormsSQL    = "SELECT cnpform_GUID as frmguid,cnpform_urlparameters FROM ".$cnp_formtable_name ." WHERE cnpform_cnpform_ID = '".$cnpfrmid."' AND cnpform_FormStatus =1 AND   IF (cnpform_FormEndDate !='0000-00-00 00:00:00',  '".$currentdate."' between cnpform_FormStartDate and cnpform_FormEndDate, cnpform_FormStartDate <=  '".$currentdate."') order by cnpform_DateCreated DESC Limit 1";
-		 $cnpformsresults = $wpdb->get_results($scnpFormsSQL);
-		 $cnpformrows = $wpdb->num_rows;
-						
-					 if( $cnpformrows != NULL){
-							foreach ($cnpformsresults as $cnpfrmresultsarr) {
-								$cnpurlparam = $cnpfrmresultsarr->cnpform_urlparameters;
-								//$cnpurlparamnw = str_replace(';', '&', $cnpurlparam);
-								$newfrmguid = $cnpfrmresultsarr->frmguid ."?".$cnpurlparam;
-								array_push($returnarr, $newfrmguid);
-							
-							 
-							}
-						}
-						}
-				
-	return $returnarr;
-}
-function CNPCF_getchannelsofGroup($groupname){
-	
-	 global $wpdb; 	
-		 global $cnp_channelgrptable_name; global $cnp_channeltable_name;
-		 $returnarr = array();
-		 $rtrnval="";
-	     $currentdate = CFCNP_PLUGIN_CURRENTTIME;
-		  $scnpSQL    = "SELECT cnpchannelgrp_ID as chnlid FROM ".$cnp_channelgrptable_name ." WHERE cnpchannelgrp_groupname = '".$groupname."' AND 
-	 						cnpchannelgrp_status =1 AND IF (cnpchannelgrp_channel_EndDate !='0000-00-00 00:00:00', '".$currentdate."' between cnpchannelgrp_channel_StartDate and cnpchannelgrp_channel_EndDate, cnpchannelgrp_channel_StartDate <=  '".$currentdate."') order by cnpchannelgrp_Date_Modified DESC Limit 1";
-		 $cnpresults = $wpdb->get_results($scnpSQL);
-		 $cnpformrows = $wpdb->num_rows;
-					 if( $cnpformrows != NULL){
-							foreach ($cnpresults as $cnpresultsarr) {
-							  $cnpfrmid= $cnpresultsarr->chnlid;
-							 
-							}
-						   $scnpFormsSQL    = "SELECT cnpchannel_channelName as chnlnm FROM ".$cnp_channeltable_name ." WHERE cnpchannel_cnpchannelgrp_ID = '".$cnpfrmid."' AND cnpchannel_channelStatus =1 AND   IF (cnpchannel_channelEndDate !='0000-00-00 00:00:00',  '".$currentdate."' between cnpchannel_channelStartDate and cnpchannel_channelEndDate, cnpchannel_channelStartDate <=  '".$currentdate."') order by cnpchannel_DateCreated DESC Limit 1";
-						   $cnpformsresults = $wpdb->get_results($scnpFormsSQL);
-		 				   $cnpformrows = $wpdb->num_rows;
-						
-					 if( $cnpformrows != NULL){
-							foreach ($cnpformsresults as $cnpfrmresultsarr) {
-								array_push($returnarr, $cnpfrmresultsarr->chnlnm);
-							
-							 
-							}
-						}
-						}
-				
-	return $returnarr;
-}
-function CNPCF_getCNPAccountDetails($cnpfrndlynm){
-	     global $wpdb; 	
-		 global $cnp_settingtable_name;
-		 global $cnp_table_name; global $cnp_formtable_name;
-		 $acntrtrnval= "";
-		 $scnpSQL    = "SELECT *  FROM ".$cnp_settingtable_name ." WHERE cnpstngs_ID ='".$cnpfrndlynm."'";
-		 $cnpresults = $wpdb->get_results($scnpSQL);
-		 $cnpformrows = $wpdb->num_rows;
-		 if( $cnpformrows != NULL){	
-			
-			 foreach ($cnpresults as $cnpresultsarr) {
-				if(count($cnpresultsarr) >= 1)
-				{
-					 $acntrtrnval = $cnpresultsarr->cnpstngs_AccountNumber."--".$cnpresultsarr->cnpstngs_guid;
-				}
-			}
-		 }
-		
-	return $acntrtrnval;
-	
-}
-function CNPCF_getAccountNumbersCount()
-{
-	 	 global $wpdb; 	
-		 global $cnp_settingtable_name;
-		 $rtrnval="";
-		 $scnpSQL    = "SELECT *  FROM ".$cnp_settingtable_name;
-		 $cnpresults = $wpdb->get_results($scnpSQL);
-		 $cnpformrows = $wpdb->num_rows;
-		
-		
-	return $cnpformrows;
-	
-}
-function CNPCF_editgetAccountIdList($cnpeditid)
-{
-	 	 global $wpdb; 	
-		 global $cnp_settingtable_name;
-		 $rtrnval="";
-		 $scnpSQL    = "SELECT *  FROM ".$cnp_settingtable_name." order by cnpstngs_AccountNumber" ;
-		 $cnpresults = $wpdb->get_results($scnpSQL);
-		 $cnpformrows = $wpdb->num_rows;
-		 if( $cnpformrows != NULL){	
-			 $camrtrnval = "";
-			 //$camrtrnval = "<option value=''>Select Friendly Name</option>";
-			 foreach ($cnpresults as $cnpresultsarr) {
-				if(count($cnpresults) >= 1)
-				{ $cnpoptnsel = "";
-					if($cnpresultsarr->cnpstngs_ID == $cnpeditid){$cnpoptnsel="selected";}
-					$optnval = $cnpresultsarr->cnpstngs_AccountNumber."||".$cnpresultsarr->cnpstngs_guid."||".$cnpresultsarr->cnpstngs_ID;
-					 $camrtrnval.= "<option value='".$optnval."' ".$cnpoptnsel.">".$cnpresultsarr->cnpstngs_frndlyname." ( ".$cnpresultsarr->cnpstngs_AccountNumber." )</option>";
-				}
-			}
-		 }
-		
-	return $camrtrnval;
-	
-}
-function CNPCF_getAccountIdList()
-{
-	 	 global $wpdb; 	
-		 global $cnp_settingtable_name;
-		 $rtrnval="";
-		 $scnpSQL    = "SELECT *  FROM ".$cnp_settingtable_name ." order by cnpstngs_AccountNumber";
-		 $cnpresults = $wpdb->get_results($scnpSQL);
-		 $cnpformrows = $wpdb->num_rows;
-		 if( $cnpformrows != NULL){	
-		
-			 $camrtrnval ="";
-			 foreach ($cnpresults as $cnpresultsarr) {
-				if(count($cnpresults) >= 1)
-				{
-					$optnval = $cnpresultsarr->cnpstngs_AccountNumber."||".$cnpresultsarr->cnpstngs_guid."||".$cnpresultsarr->cnpstngs_ID;
-					 $camrtrnval.= "<option value='".$optnval."'>".$cnpresultsarr->cnpstngs_frndlyname." ( ".$cnpresultsarr->cnpstngs_AccountNumber." )</option>";
-				}
-			}
-		 }
-		
-	return $camrtrnval;
-	
-}
-function CNPCF_getAccountNumbersInfo($cnpeditid)
-{
-	 	 global $wpdb; 	
-		 global $cnp_table_name;
-		 $rtrnval="";
-		 $scnpSQL    = "SELECT *  FROM ".$cnp_table_name ." WHERE cnpform_cnpstngs_ID=".$cnpeditid;
-		 $cnpresults = $wpdb->get_results($scnpSQL);
-		 $cnpformrows = $wpdb->num_rows;
-		
-		
-	return $cnpformrows;
-	
-}
-function CNPCF_getchnlAccountNumbersInfo($cnpeditid)
-{
-	 	 global $wpdb; 	
-		 global $cnp_channelgrptable_name ;
-		 $rtrnval="";
-		 $scnpSQL    = "SELECT *  FROM ".$cnp_channelgrptable_name ." WHERE cnpchannelgrp_cnpstngs_ID=".$cnpeditid;
-		 $cnpresults = $wpdb->get_results($scnpSQL);
-		 $cnpformrows = $wpdb->num_rows;
-		
-		
-	return $cnpformrows;
-	
-}
-
-function CNPCF_getDateFormat($frmgrpstartdt)
-{
-	
-	$dateval = $frmgrpstartdt;
-	$bits = explode(' ',$dateval);
-	$bits1 = explode('/',$bits[0]);
-	$curdate = $bits1[1].'/'.$bits1[0].'/'.$bits1[2] . " ".$bits[1]. " ".$bits[2];
-	return $curdate;
-}
-function wp_get_timezone_string() {
- 
-    // if site timezone string exists, return it
-    if ( $timezone = get_option( 'timezone_string' ) )
-        return $timezone;
- 
-    // get UTC offset, if it isn't set then return UTC
-    if ( 0 === ( $utc_offset = get_option( 'gmt_offset', 0 ) ) )
-        return 'UTC';
- 
-    // adjust UTC offset from hours to seconds
-    $utc_offset *= 3600;
- 
-    // attempt to guess the timezone string from the UTC offset
-    if ( $timezone = timezone_name_from_abbr( '', $utc_offset, 0 ) ) {
-        return $timezone;
-    }
- 
-    // last try, guess timezone string manually
-    $is_dst = date( 'I' );
- 
-    foreach ( timezone_abbreviations_list() as $abbr ) {
-        foreach ( $abbr as $city ) {
-            if ( $city['dst'] == $is_dst && $city['offset'] == $utc_offset )
-                return $city['timezone_id'];
-        }
-    }
-     
-    // fallback to UTC
-    return 'UTC';
-}
-
-
+<?php++function CNPCF_getImageTextButton($guid,$cnptyp,$cnptxt)+{+global $wpdb; 	+global $cnp_table_name;+global $cnp_formtable_name;+global $cnprtrnstr;++$cnpGetImagesql = $wpdb->prepare(+    "SELECT * FROM $cnp_table_name WHERE cnpform_groupname = %s AND cnpform_ptype = %s",+    $guid,+    $cnptxt+);+++$cnpimgresult = $wpdb->get_results($cnpGetImagesql);++if (!empty($cnpimgresult)) {+    foreach ($cnpimgresult as $cnpimgresultsarr) { +     +        switch ($cnptxt) {+            case 'text':+            case 'button':+                $cnprtrnstr = $cnpimgresultsarr->cnpform_text;+                break;+            case 'image':+                $cnprtrnstr = $cnpimgresultsarr->cnpform_img;+                break;+            default:+                $cnprtrnstr = null; +        }+    }+}++return $cnprtrnstr;+
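Review bot: In the added `CNPCF_getImageTextButton()` on the `+` side, `$cnprtrnstr` is pulled in with `global` and only assigned inside the `foreach` over `$cnpimgresult`, so a lookup that matches no row returns whatever an earlier call left in that global; initialise it locally (`$cnprtrnstr = null;`) before the query. The `%s` placeholders for `$guid` and `$cnptxt` are the right fix, but `$cnp_table_name` is still interpolated straight into the prepared string, which is safe only while it is derived from `$wpdb->prefix` plus a fixed suffix; on WordPress 6.2+ the `%i` identifier placeholder removes that dependency. `$cnptyp` is never used. The `-` side of this hunk also shows the other string-built queries in the file, e.g. `CNPCF_getformsofGroup()` (`cnpform_groupname = '".$groupname."'`), `CNPCF_getCNPAccountDetails()` (`cnpstngs_ID ='".$cnpfrndlynm."'`) and `CNPCF_getAccountNumbersInfo()` (`cnpform_cnpstngs_ID=".$cnpeditid`, with no quoting at all); the `+` side is truncated in this extract after the first function, so confirm those were rewritten with `$wpdb->prepare()` as well rather than only removed.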
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - Functions/functionscnp.php [5-32]
Old Code:
```php
function CNPCF_getImageTextButton($guid,$cnptyp,$cnptxt)
{
	global $wpdb; 	
	global $cnp_table_name;
	global $cnp_formtable_name;
	global $cnprtrnstr;
    $cnpGetImagesql     = "SELECT * FROM " .$cnp_table_name. " WHERE cnpform_groupname='" .$guid. "' and 
																	 cnpform_ptype ='".$cnptxt."'";
	$cnpimgresult       =  $wpdb->get_results($cnpGetImagesql);
```
Fixed Code:
```php
function CNPCF_getImageTextButton($guid,$cnptyp,$cnptxt)
{
global $wpdb; 	
global $cnp_table_name;
global $cnp_formtable_name;
global $cnprtrnstr;

$cnpGetImagesql = $wpdb->prepare(
    "SELECT * FROM $cnp_table_name WHERE cnpform_groupname = %s AND cnpform_ptype = %s",
    $guid,
    $cnptxt
);
```

Explanation:
The old code directly concatenates user-controlled parameters `$guid` and `$cnptxt` into SQL queries without sanitization. These parameters flow directly into SQL sinks at lines 8-9. The new code uses WordPress's `$wpdb->prepare()` with parameterized queries, which properly escapes and binds the values, preventing SQL injection.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - Functions/functionscnp.php [33-42]
Old Code:
```php
function CNPCF_isExistShortcode($cnpshortcode)
{
	global $wpdb; 	
	global $cnp_table_name;
	global $cnprtrnstr;
	$currentdate = CFCNP_PLUGIN_CURRENTTIME;
     $cnpGetImagesql     = "SELECT * FROM " .$cnp_table_name. " WHERE (cnpform_shortcode ='[CnPConnect " .$cnpshortcode. "]' OR cnpform_shortcode ='[CnP.Form " .$cnpshortcode. "]') AND cnpform_status =1 AND IF (cnpform_Form_EndDate !='0000-00-00 00:00:00', '".$currentdate."' between cnpform_Form_StartDate and cnpform_Form_EndDate, cnpform_Form_StartDate <= '".$currentdate."') order by cnpform_Date_Modified ASC Limit 1";
	$cnpimgresult       =  $wpdb->get_results($cnpGetImagesql);
	if($wpdb->num_rows > 0 )return true; else return false;
}
```

Fixed Code:
```php
// This function was removed in the new version
```

Explanation:
The old code directly concatenates user-controlled parameter `$cnpshortcode` into SQL queries without sanitization. The parameter flows directly into SQL sinks at line 40. The function was completely removed in the new version, eliminating the vulnerability.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - Functions/functionscnp.php [43-52]
Old Code:
```php
function CNPCF_isExistchannelShortcode($cnpshortcode)
{
	global $wpdb; 	
	global $cnp_channelgrptable_name;
	global $cnprtrnstr;
	$currentdate = CFCNP_PLUGIN_CURRENTTIME;
     $cnpGetImagesql     = "SELECT * FROM " .$cnp_channelgrptable_name. " WHERE (cnpchannelgrp_shortcode ='[CnP.pledgeTV " .$cnpshortcode. "]') AND cnpchannelgrp_status =1 AND IF (cnpchannelgrp_channel_EndDate !='0000-00-00 00:00:00', '".$currentdate."' between cnpchannelgrp_channel_StartDate and cnpchannelgrp_channel_EndDate, cnpchannelgrp_channel_StartDate <= '".$currentdate."') order by cnpchannelgrp_Date_Modified ASC Limit 1";
	$cnpimgresult       =  $wpdb->get_results($cnpGetImagesql);
	if($wpdb->num_rows > 0 )return true; else return false;
}
```

Fixed Code:
```php
// This function was removed in the new version
```

Explanation:
The old code directly concatenates user-controlled parameter `$cnpshortcode` into SQL queries without sanitization. The parameter flows directly into SQL sinks at line 49. The function was completely removed in the new version, eliminating the vulnerability.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - Functions/functionscnp.php [53-67]
Old Code:
```php
function CNPCF_getGroupCustomerrmsg($cnpshortcode)
{
	global $wpdb; 	
	global $cnp_table_name;
	global $cnprtrnstr; //AND cnpform_status =1 AND IF (cnpform_Form_EndDate !='0000-00-00', CURDATE() between cnpform_Form_StartDate and cnpform_Form_EndDate, cnpform_Form_StartDate <= CURDATE()) order by cnpform_Date_Modified ASC Limit 1 
     $cnpGetImagesql     = "SELECT cnpform_custommsg FROM " .$cnp_table_name. " WHERE cnpform_shortcode ='[CnPConnect " .$cnpshortcode. "]' or cnpform_shortcode ='[CnP.Form " .$cnpshortcode. "]'  ";
	$cnperrresult       =  $wpdb->get_results($cnpGetImagesql);
 if($wpdb->num_rows > 0 )
		   {
			   foreach ($cnperrresult as $cnperrresultsarr)
			   { 
			         $cnprtrnstr= $cnperrresultsarr->cnpform_custommsg;
				
			   }
		   }
return $cnprtrnstr;
}
```

Fixed Code:
```php
// This function was removed in the new version
```

Explanation:
The old code directly concatenates user-controlled parameter `$cnpshortcode` into SQL queries without sanitization. The parameter flows directly into SQL sinks at line 58. The function was completely removed in the new version, eliminating the vulnerability.

Note: The analysis shows multiple SQL injection vulnerabilities in the old code where user-controlled parameters were directly concatenated into SQL queries. The new version addresses these by either removing the vulnerable functions entirely or using WordPress's `$wpdb->prepare()` method with parameterized queries for proper escaping and binding.
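The fix the analysis describes, applied to two of the string-built queries visible in the diff above, as an added example rather than the plugin's own code: one with string placeholders (`%s`) for the removed `CNPCF_isExistShortcode()`, one with an integer placeholder (`%d`) for `CNPCF_getAccountNumbersInfo()`. It assumes WordPress is loaded, that `$cnp_table_name` is built from `$wpdb->prefix` and a fixed suffix, and that `CFCNP_PLUGIN_CURRENTTIME` is a `Y-m-d H:i:s` string, as on the page; `example_cnp_shortcode_exists` and `example_cnp_forms_for_account` are hypothetical names.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded,
// that $cnp_table_name was set from $wpdb->prefix plus a fixed suffix (so it
// is trusted), and that CFCNP_PLUGIN_CURRENTTIME is a 'Y-m-d H:i:s' string,
// as in the plugin code quoted on this page.

/**
 * The removed CNPCF_isExistShortcode() rebuilt on $wpdb->prepare().
 * Every caller-influenced value ($cnpshortcode, the current time) travels
 * through a placeholder; prepare() quotes and escapes %s arguments itself,
 * so the shortcode text cannot terminate the string literal that the old
 * code built by concatenation.
 */
function example_cnp_shortcode_exists( $cnpshortcode ) {
    global $wpdb, $cnp_table_name;

    $now = CFCNP_PLUGIN_CURRENTTIME;

    $sql = $wpdb->prepare(
        "SELECT cnpform_ID FROM {$cnp_table_name}
          WHERE ( cnpform_shortcode = %s OR cnpform_shortcode = %s )
            AND cnpform_status = 1
            AND IF ( cnpform_Form_EndDate != '0000-00-00 00:00:00',
                     %s BETWEEN cnpform_Form_StartDate AND cnpform_Form_EndDate,
                     cnpform_Form_StartDate <= %s )
          ORDER BY cnpform_Date_Modified ASC
          LIMIT 1",
        '[CnPConnect ' . $cnpshortcode . ']',
        '[CnP.Form ' . $cnpshortcode . ']',
        $now,
        $now
    );

    // get_var() returns null when nothing matched, so no row count is needed.
    return null !== $wpdb->get_var( $sql );
}

/**
 * Same treatment for the integer-keyed lookup CNPCF_getAccountNumbersInfo(),
 * whose old query appended $cnpeditid with no quoting at all. %d forces the
 * value to an integer before it is spliced into the statement, and absint()
 * at the boundary rejects negative and non-numeric input up front.
 */
function example_cnp_forms_for_account( $cnpeditid ) {
    global $wpdb, $cnp_table_name;

    $id = absint( $cnpeditid );
    if ( 0 === $id ) {
        return 0;
    }

    return (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$cnp_table_name} WHERE cnpform_cnpstngs_ID = %d",
            $id
        )
    );
}
```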
CVE Analysis Results:
CVE-2025-32550: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] channelAdd.php AI: 2 vulnerabilities 2 true positives
--- cache/click-pledge-connect_2.24080000-WP6.6.1/channelAdd.php	2025-11-20 22:13:36.779109072 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/channelAdd.php	2025-11-20 22:19:32.249906852 +0000@@ -1,278 +1,294 @@-<?php
-ob_start();
-if ( ! defined( 'ABSPATH' ) ) exit;
-function cnps_addchannel() {
-
-if(isset($_POST["cnpchnlbtnsave"]))
-{ 
-	$addform= wp_unslash( sanitize_text_field( $_POST["addchannelval"]));
-	global $wpdb;
-	global $cnp_channelgrptable_name;
-   	if($addform==1)
-	{
-		$cnprtnval = CNPCF_addNewChannel($cnp_channelgrptable_name,$_POST);
-		if($cnprtnval == true){$cnpredirectval = "saved";}else{$cnpredirectval = "failed";}
-		wp_redirect("admin.php?page=cnp_pledgetvchannelsdetails&info=".$cnpredirectval);
-		exit;
-	}
-	else if($addform==2)
-	{ 
-		$cnprtnval =CNPCF_updateChannels($cnp_channelgrptable_name,$_POST);
-		if($cnprtnval == true){$cnpredirectval = "upd";}else{$cnpredirectval = "failed";}
-		wp_redirect("admin.php?page=cnp_pledgetvchannelsdetails&info=".$cnpredirectval);
-		exit;
-	}
-
-}   $dsplycntnt ="";
-	$cnpaccountfriendlynams = CNPCF_getAccountIdList();
-	$cnpsettingscount       = CNPCF_getAccountNumbersCount();
-   if($cnpsettingscount==1){$dsplycntnt = 'class="disabled"';}
-	$hidval	   = 1;
-	$act       = wp_unslash( sanitize_text_field( $_REQUEST["cnpviewid"] ) );
-	if(isset($act) && $act!="")
-	{
-		global $wpdb;
-		global $cnp_channelgrptable_name;
-		global $cnp_channeltable_name;
-		$cnpviewid = wp_unslash( sanitize_text_field( $_GET['cnpviewid'] ) );
-		$cnpfrmdtresult    = CNPCF_GetCnPGroupDetails($cnp_channelgrptable_name,'cnpchannelgrp_ID',$cnpviewid);
-		$cnpfrmrtnval      = CNPCF_GetCnPGroupDetails($cnp_channeltable_name,'cnpchannel_cnpchannelgrp_ID',$cnpviewid);
-		foreach ($cnpfrmdtresult as $cnprtnval) {}
-
-	 if (count($cnpfrmdtresult)> 0 )
-		 {
-
-
-				$cnpchnlid             = $cnprtnval->cnpchannelgrp_ID;
-				$cnpchnlgroupname      = $cnprtnval->cnpchannelgrp_groupname;
-				$cnpchnlAccountNumber  = $cnprtnval->cnpchannelgrp_cnpstngs_ID;
-				$cnpfrmshortcode       = $cnprtnval->cnpchannelgrp_shortcode;
-				$cnpfrmStartDate       = $cnprtnval->cnpchannelgrp_channel_StartDate;
-				$cnpfrmEndDate         = $cnprtnval->cnpchannelgrp_channel_EndDate;
-			    $cnpchnlerrmsg         = $cnprtnval->cnpchannelgrp_custommsg;
-		 		if($cnpfrmEndDate == "0000-00-00 00:00:00") {$cnpfrmEndDate ="";}
-				$cnpfrmstatus          = $cnprtnval->cnpchannelgrp_status;
-				$btn	               = "Update form";
-				$hidval	               = 2;
-
-				$cnpeditaccountfriendlynams = CNPCF_editgetAccountIdList($cnpchnlAccountNumber);
-
-		}
-
-	$cnpeditdsplycntnt ='
-	<div xmlns="http://www.w3.org/1999/xhtml" class="wrap nosubsub">
-	<div class="icon32" id="icon-edit"><br/></div>
-<h2>Edit Channel Group</h2><div class="dataTables_paginate" ><a href="admin.php?page=cnp_pledgetvchannelsdetails"><strong>Go back to Channels </strong></a></div>
-<div id="col-left">
-	<div class="col-wrap">
-		<div>
-			<div class="form-wrap">
-				<form class="validate"  method="post" id="addchnl" name="addchnl" enctype="multipart/form-data">
-	<input type="hidden" name="cnphdnediturl" id="cnphdnediturl" value="'.CNP_CF_PLUGIN_URL.'getcnpactivechannels.php">
-	<input type="hidden" name="hdnfrmid" id="hdnfrmid" value="'.$cnpchnlid .'">
-	<input type="hidden" name="hdndatefrmt" id="hdndatefrmt" value="'.CFCNP_PLUGIN_CURRENTDATETIMEFORMAT .'">
-	<input type="hidden" name="hdnchnlstrtdt" id="hdnchnlstrtdt" value="'.$cnpfrmStartDate.'">
-	<input type="hidden" name="hdnchnlenddt" id="hdnchnlenddt" value="'.$cnpfrmEndDate.'">
-
-				<div class="form-field cnpaccountId">
-						<label for="tag-name">Channel Group Name*</label>
-						<input type="text" size="40" id="txtcnpedchnlgrp" name="txtedcnpchnlgrp" value="'.$cnpchnlgroupname.'" onkeypress="return AvoidSpace(event)" readonly/>
-						<span class=cnperror id="spncnpchnlgrpnm"></span>
-					</div>
-					<div class="form-field cnplstfrndlyname" >
-						<label for="tag-name">Account(s)*</label>
-						<select name="lstaccntfrndlynam" id="lstaccntfrndlynam" disabled>
-						'.$cnpeditaccountfriendlynams.'</select>
-						<p></p>
-					</div>
-
-					<div class="input-group date form-field cnpfrmstrtdt" >
-						<label for="tag-name">Start Date & Time* [Time Zone: '.  wp_get_timezone_string().']</label>
-						<input type="text" size="40" id="txtcnpchnlstrtdt" name="txtcnpchnlstrtdt"  />
-						<span class=cnperror id="spncnpchnlstrtdt"></span>
-					</div>
-					<div class="input-group date form-field cnpfrmenddt" >
-						<label for="tag-name">End Date & Time</label>
-						<input type="text" size="40" id="txtcnpchnlenddt" name="txtcnpchnlenddt"/>
-						<span class=cnperror id="spncnpchnlenddt"></span>
-					</div>
-					
-					<div class="form-field cnpfrmerror">
-						<label for="tag-name">No Valid Channel Message</label>
-
-						<textarea id="txterrortxt" name="txterrortxt">'.$cnpchnlerrmsg.'</textarea>
-						<p></p>
-					</div>
-					<div class="form-field cnplstfrmsts" >
-						<label for="tag-name">Status</label>
-						<select name="lstchnlsts" id="lstchnlsts">';
-						$cnpeditdsplycntnt .='<option value="1"'; if($cnpfrmstatus == "1"){$cnpeditdsplycntnt .= 'selected';} $cnpeditdsplycntnt .=' >Active</option>
-						<option value="0"'; if($cnpfrmstatus == "0"){$cnpeditdsplycntnt .= 'selected';} $cnpeditdsplycntnt .='>Inactive</option>
-						</select>
-						<p></p>
-					</div>
-					<p class="submit">';
-
-					$frmscount = count($cnpfrmrtnval);
-					if($frmscount > 0){
-
-						$cnpimgurl = plugins_url(CFCNP_PLUGIN_NAME."/images/ajax-loader_trans.gif");
-					$cnpeditdsplycntnt .='<input type="hidden" name="addchannelval" id="addchannelval" value='.$hidval.'>
-					<input type="hidden" name="hidnoofforms" id="hidnoofforms" value='.$frmscount.'>
-
-					 <input type="hidden" name="cnphdneditchnlaccountId" id="cnphdneditchnlaccountId" value="'.$cnpchnlAccountNumber.'">
-					
-					</p><div style="float:left"  width="100%">
-					<div class=" frmadddiv">
-					<p>1. Select your Channel, enter a start date and click SAVE.</p><p>
-					2. Copy the "shortcode" from pledgeTV Channels page, to your WordPress page.
-					Multiple Channels may be added. Channels will display in order of start date. If start dates overlap, the first Channel in the list will show first.</p><p></p>
-			        <table class="wp-list-table widefat" id="cnpformslist" >
-					<thead><tr><th><strong>Channel</strong>*</th><th><strong>Start Date</strong>*</th><th><strong>End Date</strong></th><th></th></tr>
-						</thead><tbody>';
-						$frminc =1;
-						foreach($cnpfrmrtnval as $cnpfrmlst){
-						 $frmsenddt = $cnpfrmlst->cnpchannel_channelEndDate;
-						if($frmsenddt == "0000-00-00 00:00:00") {$frmsenddt ="";}
-						$cnpeditdsplycntnt .=' <tr id="trid'.$frminc.'"><td><u><input type="hidden" name="hdncnpformcnt[]" id="hdncnpformcnt[]" value="'.$frminc.'"><input type="hidden" name="hdneditfrmid'.$frminc.'" id="hdneditfrmid'.$frminc.'" value="'.$cnpfrmlst->cnpchannel_id .'"><input type="hidden" name="cnphdneditlstcnpactivecamp'.$frminc.'" id="cnphdneditlstcnpactivecamp'.$frminc.'" value="'.$cnpfrmlst->cnpchannel_channelName.'"><select name="lstcnpeditactivecamp'.$frminc.'" id="lstcnpeditactivecamp'.$frminc.'" class="cnp_campaigns_select" ><option value="">Select Channel</option></select></u><div id="dvldimg'.$frminc.'" class="cnp_loader"><img src="'.$cnpimgurl.'" alt="Loading" /></div><span class=cnperror id="spncampnname'.$frminc.'"></span></td>
-						
-				        <td  ><u>
-						<input type="hidden" name="hdncnpformstrtdt'.$frminc.'" id="hdncnpformstrtdt'.$frminc.'" value="'.$cnpfrmlst->cnpchannel_channelStartDate.'">
-						<input type="hidden" name="hdncnpformenddt'.$frminc.'" id="hdncnpformenddt'.$frminc.'" value="'.$frmsenddt.'">
-						<input type="text" size="20" id="txtcnpformstrtdt'.$frminc.'" name="txtcnpformstrtdt'.$frminc.'"/></u><span class=cnperror id="spnstrtdt'.$frminc.'"></span></td>
-						<td ><input type="text" size="20" id="txtcnpformenddt'.$frminc.'" name="txtcnpformenddt'.$frminc.'" /><span class=cnperror id="spnenddt'.$frminc.'"></span></td>
-						<td><u>';
-						//if($frminc != 1 || $frmscount !=1){
-							$cnpeditdsplycntnt .='<a href="#" onclick="getDeletechannelrows('.$frminc.')"><span class="dashicons dashicons-trash" name="cnpbtndelte" id="cnpbtndelte"  style="text-decoration:none !important"></span></a>';
-							//}
-							 $cnpeditdsplycntnt .='</u></td></tr>';
-						  $frminc++;
-						}
-						  $cnpeditdsplycntnt .='</tbody></table>
-						  <div><table class="wp-list-table widefat" id="ist" >
-						 <tr><td>
-						 <div style="float:right">
-						 <input type="button" name="cnpbtncadd" id="cnpbtncadd" value="Add Channel" class="add-new-h2"><div >
-						 </td></tr>
-						 </table>
-						 </div>
-						 <div style="text-align-last:center;">
-						 <div>
-
-						 <input type="button" name="cnpbtnedit" id="cnpbtnedit" value="Close" class="add-new-h2" onclick="window.history.go(-1); return false;">
-						 <input type="submit" name="cnpchnlbtnsave" id="cnpchnlbtnsave" value="Save" class="add-new-h2">  <div class="dataTables_paginate" ><a href="admin.php?page=cnp_pledgetvchannelsdetails"><strong>Go back to Channels</strong></a></div>
-						 </div></div>
-						 </div>';
-						 }
-						$cnpeditdsplycntnt .='</form>
-			</div>
-		</div>
-	</div>
-</div></div>
-</div>';
-echo $cnpeditdsplycntnt;
-	}
-	else
-	{
-
-$cnpdsplycntnt ='<div xmlns="http://www.w3.org/1999/xhtml" class="wrap nosubsub">
-<div class="icon32" id="icon-edit"><br/></div>
-<h2>Add Channel Group</h2>
-<div id="col-left">
-	<div class="col-wrap">
-		<div>
-			<div class="form-wrap">
-				<h3>'.$btn.'</h3>
-				<form class="validate"  method="post" id="addchnl" name="addchnl" enctype="multipart/form-data">
-				<input type="hidden" name="cnpchdnurl" id="cnpchdnurl" value="'.CNP_CF_PLUGIN_URL.'getcnpactivechannels.php">
-			
-				<input type="hidden" name="hdncdatefrmt" id="hdncdatefrmt" value="'.CFCNP_PLUGIN_CURRENTDATETIMEFORMAT .'">
-				<div class="form-field cnpfrmgrp">
-						<label for="tag-name">Channel Group Name*</label>
-						<input type="text" size="40" id="txtcnpchnlgrp" name="txtcnpchnlgrp" onkeypress="return AvoidSpace(event)"/>
-						<p>Please enter the channel group name</p><span class=cnperror id="spncnpchnlgrpnm"></span>
-					</div>
-					<div class="form-field cnplstfrndlyname" >
-						<label for="tag-name">Account(s)*</label>
-						<select name="lstchnlaccntfrndlynam" id="lstchnlaccntfrndlynam"'.$dsplycntnt.' >
-						'.$cnpaccountfriendlynams.'</select>
-						<p></p>
-					</div>
-
-					<div class="input-group date form-field cnpfrmstrtdt" >
-						<label for="tag-name">Start Date & Time* [Time Zone: '. wp_get_timezone_string().']</label>
-						<input type="text" size="40" id="txtcnpchnlstrtdt" name="txtcnpchnlstrtdt" />
-						<span class=cnperror id="spncnpchnlstrtdt"></span>
-					</div>
-					
-					<div class="input-group date form-field cnpfrmenddt" >
-						<label for="tag-name">End Date & Time</label>
-						<input type="text" size="40" id="txtcnpchnlenddt" name="txtcnpchnlenddt" />
-						<span class=cnperror id="spncnpchnlenddt"></span>
-					</div>
-					
-   					
-					<div class="form-field cnplstfrmsts" >
-						<label for="tag-name">No Valid Channel Message</label>
-						<textarea id="txtchnlerrortxt" name="txtchnlerrortxt" >Sorry! This channel is expired</textarea>
-					<p></p>
-					</div>
-					<div class="form-field cnplstfrmsts" >
-						<label for="tag-name">Status</label>
-						<select name="lstchnlsts" id="lstchnlsts"><option value="1">Active</option>
-						<option value="0">Inactive</option></select>
-						<p></p>
-					</div>
-					<p class="submit">
-
-						<input type="button" value="Save" class="button-primary" id="cnpachnlbtnsubmit" name="cnpachnlbtnsubmit" class="add-new-h2"/>
-						<input type="button" name="cnpbtnchnlcancel" id="cnpbtnchnlcancel" value="Cancel" class="button-primary" onclick="window.history.go(-1); return false;">
-
-					<input type="hidden" name="addchannelval" id="addchannelval" value='.$hidval.'>
-					<input type="hidden" name="hidnoofforms" id="hidnoofforms">
-					<input type="hidden" name="hdncnpformname1" id="hdncnpformname1">
-					</p>
-
-					<div style="float:left"  width="100%">
-					<div class="chnladddiv" style ="display:none">
-					<p>1. Select your Channel, enter a start date and click SAVE.</p><p>
-2. Copy the "shortcode" from pledgeTV Channels page, to your WordPress page.
-Multiple Channels may be added. Channels will display in order of start date. If start dates overlap, the first Channel in the list will show first.
-
-</p><p></p>
-
-			              <table class="wp-list-table widefat" id="cnpformslist" >
-						  <thead><tr><th><strong>Channel</strong>*</th><th><strong>Start Date</strong>*</th><th><strong>End Date</strong></th><th></th></tr>
-						  </thead><tbody>
-						  <tr id="trid1"><td><u><input type="hidden" name="hdncnpchnlcnt[]" id="hdncnpchnlcnt[]" value=1><select name="lstcnpactivechannel1" id="lstcnpactivechannel1"  class="cnp_forms_select"><option value="">Select Channel</option></select></u><span class=cnperror id="spncampnname1"></span></td>
-						  
-				          <td><div class="input-group date" id="datetimepicker3"><input type="text" size="20" id="txtcnpchnlstrtdt1" name="txtcnpchnlstrtdt1"/><span class=cnperror id="spnstrtdt1"></span></div></td>
-						  <td><div class="input-group date" id="datetimepicker4"><input type="text" size="20" id="txtcnpchnlenddt1" name="txtcnpchnlenddt1"/><span class=cnperror id="spnenddt1"></span></div></td>
-						  <td><u><a href="#" onclick="getDeletechannelrows(1)"><span class="dashicons dashicons-trash" name="cnpbtndelte" id="cnpbtndelte"  style="text-decoration:none !important"></span></a></u></td></tr>
-						  </tbody></table>
-						  <div><table class="wp-list-table widefat" id="ist" >
-						 <tr><td>
-						 <div style="float:right">
-						 <input type="button" name="cnpbtncadd" id="cnpbtncadd" value="Add Channel" class="add-new-h2"><div>
-						 </td></tr>
-						 </table>
-						 </div>
-						 <div style="text-align-last:center;">
-						 <div>
-<br>
-						 <input type="button" name="cnpbtnclose" id="cnpbtnclose" value="Close" class="add-new-h2" onclick="window.history.go(-1); return false;">
-						 <input type="submit" name="cnpchnlbtnsave" id="cnpchnlbtnsave" value="Save" class="add-new-h2">
-
-						 </div></div>
-						 </div>
-						</form>
-			        </div>
-		        </div>
-	         </div>
-         </div>
-      ';
-echo $cnpdsplycntnt;
-}
- }
-ob_clean();
-?>
+<?php+ob_start();+if ( ! defined( 'ABSPATH' ) ) exit;+function cnps_addchannel() {++if (isset($_POST["cnpchnlbtnsave"])) {+   +    $addform = !empty($_POST["addchannelval"]) ? sanitize_text_field(wp_unslash($_POST["addchannelval"])) : '';+    global $wpdb, $cnp_channelgrptable_name;++    if ($addform == 1) {+        $cnprtnval = CNPCF_addNewChannel($cnp_channelgrptable_name, $_POST);+        $cnpredirectval = $cnprtnval ? 'saved' : 'failed';++        wp_redirect(admin_url("admin.php?page=cnp_pledgetvchannelsdetails&info=" . urlencode($cnpredirectval)));+        exit;+    } elseif ($addform == 2) {+     +        $cnprtnval = CNPCF_updateChannels($cnp_channelgrptable_name, $_POST);+        $cnpredirectval = $cnprtnval ? 'upd' : 'failed';+        wp_redirect(admin_url("admin.php?page=cnp_pledgetvchannelsdetails&info=" . urlencode($cnpredirectval)));+        exit;+    }+}+    $dsplycntnt ="";+	$cnpaccountfriendlynams = CNPCF_getAccountIdList();+	$cnpsettingscount       = CNPCF_getAccountNumbersCount();+  if ($cnpsettingscount == 1) {+    $dsplycntnt = 'class="disabled"';+} else {+    $dsplycntnt = '';+}++$hidval = 1;+$act = !empty($_REQUEST["cnpviewid"]) ? sanitize_text_field(wp_unslash($_REQUEST["cnpviewid"])) : '';++if (!empty($act)) {+		global $wpdb;+		global $cnp_channelgrptable_name;+		global $cnp_channeltable_name;+		+ $cnpviewid = isset($_GET['cnpviewid']) ? sanitize_text_field(wp_unslash($_GET['cnpviewid'])) : '';++if (!empty($cnpviewid)) {+  +    $cnpfrmdtresult = CNPCF_GetCnPGroupDetails($cnp_channelgrptable_name, 'cnpchannelgrp_ID', $cnpviewid);+    $cnpfrmrtnval   = CNPCF_GetCnPGroupDetails($cnp_channeltable_name, 'cnpchannel_cnpchannelgrp_ID', $cnpviewid);++    if (!empty($cnpfrmdtresult) && count($cnpfrmdtresult) > 0) {+    +        $cnprtnval = reset($cnpfrmdtresult);++     +        $cnpchnlid             = $cnprtnval->cnpchannelgrp_ID ?? '';+        $cnpchnlgroupname      = $cnprtnval->cnpchannelgrp_groupname ?? 
'';+        $cnpchnlAccountNumber  = $cnprtnval->cnpchannelgrp_cnpstngs_ID ?? '';+        $cnpfrmshortcode       = $cnprtnval->cnpchannelgrp_shortcode ?? '';+        $cnpfrmStartDate       = $cnprtnval->cnpchannelgrp_channel_StartDate ?? '';+        $cnpfrmEndDate         = ($cnprtnval->cnpchannelgrp_channel_EndDate === "0000-00-00 00:00:00") ? "" : $cnprtnval->cnpchannelgrp_channel_EndDate;+        $cnpchnlerrmsg         = $cnprtnval->cnpchannelgrp_custommsg ?? '';+        $cnpfrmstatus          = $cnprtnval->cnpchannelgrp_status ?? '';+        $btn                   = "Update form";+        $hidval                = 2;++      +        $cnpeditaccountfriendlynams = CNPCF_editgetAccountIdList($cnpchnlAccountNumber);+    } else {+     +        $cnpchnlid = $cnpchnlgroupname = $cnpchnlAccountNumber = $cnpfrmshortcode = '';+        $cnpfrmStartDate = $cnpfrmEndDate = $cnpchnlerrmsg = $cnpfrmstatus = '';+        $btn = "Add form";+        $hidval = 1;+    }+}+++	$cnpeditdsplycntnt ='+	<div xmlns="http://www.w3.org/1999/xhtml" class="wrap nosubsub">+	<div class="icon32" id="icon-edit"><br/></div>+<h2>Edit Channel Group</h2><div class="dataTables_paginate" ><a href="admin.php?page=cnp_pledgetvchannelsdetails"><strong>Go back to Channels </strong></a></div>+<div id="col-left">+	<div class="col-wrap">+		<div>+			<div class="form-wrap">+				<form class="validate"  method="post" id="addchnl" name="addchnl" enctype="multipart/form-data">+	<input type="hidden" name="cnphdnediturl" id="cnphdnediturl" value="'.CNP_CF_PLUGIN_URL.'getcnpactivechannels.php">+	<input type="hidden" name="hdnfrmid" id="hdnfrmid" value="'.$cnpchnlid .'">+	<input type="hidden" name="hdndatefrmt" id="hdndatefrmt" value="'.CFCNP_PLUGIN_CURRENTDATETIMEFORMAT .'">+	<input type="hidden" name="hdnchnlstrtdt" id="hdnchnlstrtdt" value="'.$cnpfrmStartDate.'">+	<input type="hidden" name="hdnchnlenddt" id="hdnchnlenddt" value="'.$cnpfrmEndDate.'">++				<div class="form-field cnpaccountId">+						<label 
for="tag-name">Channel Group Name*</label>+						<input type="text" size="40" id="txtcnpedchnlgrp" name="txtedcnpchnlgrp" value="'.$cnpchnlgroupname.'" onkeypress="return AvoidSpace(event)" readonly/>+						<span class=cnperror id="spncnpchnlgrpnm"></span>+					</div>+					<div class="form-field cnplstfrndlyname" >+						<label for="tag-name">Account(s)*</label>+						<select name="lstaccntfrndlynam" id="lstaccntfrndlynam" disabled>+						'.$cnpeditaccountfriendlynams.'</select>+						<p></p>+					</div>++					<div class="input-group date form-field cnpfrmstrtdt" >+						<label for="tag-name">Start Date & Time* [Time Zone: '.  wp_get_timezone_string().']</label>+						<input type="text" size="40" id="txtcnpchnlstrtdt" name="txtcnpchnlstrtdt"  />+						<span class=cnperror id="spncnpchnlstrtdt"></span>+					</div>+					<div class="input-group date form-field cnpfrmenddt" >+						<label for="tag-name">End Date & Time</label>+						<input type="text" size="40" id="txtcnpchnlenddt" name="txtcnpchnlenddt"/>+						<span class=cnperror id="spncnpchnlenddt"></span>+					</div>+					+					<div class="form-field cnpfrmerror">+						<label for="tag-name">No Valid Channel Message</label>++						<textarea id="txterrortxt" name="txterrortxt">'.$cnpchnlerrmsg.'</textarea>+						<p></p>+					</div>+					<div class="form-field cnplstfrmsts" >+						<label for="tag-name">Status</label>+						<select name="lstchnlsts" id="lstchnlsts">';+						$cnpeditdsplycntnt .='<option value="1"'; if($cnpfrmstatus == "1"){$cnpeditdsplycntnt .= 'selected';} $cnpeditdsplycntnt .=' >Active</option>+						<option value="0"'; if($cnpfrmstatus == "0"){$cnpeditdsplycntnt .= 'selected';} $cnpeditdsplycntnt .='>Inactive</option>+						</select>+						<p></p>+					</div>+					<p class="submit">';++					$frmscount = count($cnpfrmrtnval);+					if($frmscount > 0){++						$cnpimgurl = plugins_url(CFCNP_PLUGIN_NAME."/images/ajax-loader_trans.gif");+					$cnpeditdsplycntnt .='<input type="hidden" 
name="addchannelval" id="addchannelval" value='.$hidval.'>+					<input type="hidden" name="hidnoofforms" id="hidnoofforms" value='.$frmscount.'>++					 <input type="hidden" name="cnphdneditchnlaccountId" id="cnphdneditchnlaccountId" value="'.$cnpchnlAccountNumber.'">+					+					</p><div style="float:left"  width="100%">+					<div class=" frmadddiv">+					<p>1. Select your Channel, enter a start date and click SAVE.</p><p>+					2. Copy the "shortcode" from pledgeTV Channels page, to your WordPress page.+					Multiple Channels may be added. Channels will display in order of start date. If start dates overlap, the first Channel in the list will show first.</p><p></p>+			        <table class="wp-list-table widefat" id="cnpformslist" >+					<thead><tr><th><strong>Channel</strong>*</th><th><strong>Start Date</strong>*</th><th><strong>End Date</strong></th><th></th></tr>+						</thead><tbody>';+						$frminc =1;+						foreach($cnpfrmrtnval as $cnpfrmlst){+						 $frmsenddt = $cnpfrmlst->cnpchannel_channelEndDate;+						if($frmsenddt == "0000-00-00 00:00:00") {$frmsenddt ="";}+						$cnpeditdsplycntnt .=' <tr id="trid'.$frminc.'"><td><u><input type="hidden" name="hdncnpformcnt[]" id="hdncnpformcnt[]" value="'.$frminc.'"><input type="hidden" name="hdneditfrmid'.$frminc.'" id="hdneditfrmid'.$frminc.'" value="'.$cnpfrmlst->cnpchannel_id .'"><input type="hidden" name="cnphdneditlstcnpactivecamp'.$frminc.'" id="cnphdneditlstcnpactivecamp'.$frminc.'" value="'.$cnpfrmlst->cnpchannel_channelName.'"><select name="lstcnpeditactivecamp'.$frminc.'" id="lstcnpeditactivecamp'.$frminc.'" class="cnp_campaigns_select" ><option value="">Select Channel</option></select></u><div id="dvldimg'.$frminc.'" class="cnp_loader"><img src="'.$cnpimgurl.'" alt="Loading" /></div><span class=cnperror id="spncampnname'.$frminc.'"></span></td>+						+				        <td  ><u>+						<input type="hidden" name="hdncnpformstrtdt'.$frminc.'" id="hdncnpformstrtdt'.$frminc.'" 
value="'.$cnpfrmlst->cnpchannel_channelStartDate.'">+						<input type="hidden" name="hdncnpformenddt'.$frminc.'" id="hdncnpformenddt'.$frminc.'" value="'.$frmsenddt.'">+						<input type="text" size="20" id="txtcnpformstrtdt'.$frminc.'" name="txtcnpformstrtdt'.$frminc.'"/></u><span class=cnperror id="spnstrtdt'.$frminc.'"></span></td>+						<td ><input type="text" size="20" id="txtcnpformenddt'.$frminc.'" name="txtcnpformenddt'.$frminc.'" /><span class=cnperror id="spnenddt'.$frminc.'"></span></td>+						<td><u>';+						//if($frminc != 1 || $frmscount !=1){+							$cnpeditdsplycntnt .='<a href="#" onclick="getDeletechannelrows('.$frminc.')"><span class="dashicons dashicons-trash" name="cnpbtndelte" id="cnpbtndelte"  style="text-decoration:none !important"></span></a>';+							//}+							 $cnpeditdsplycntnt .='</u></td></tr>';+						  $frminc++;+						}+						  $cnpeditdsplycntnt .='</tbody></table>+						  <div><table class="wp-list-table widefat" id="ist" >+						 <tr><td>+						 <div style="float:right">+						 <input type="button" name="cnpbtncadd" id="cnpbtncadd" value="Add Channel" class="add-new-h2"><div >+						 </td></tr>+						 </table>+						 </div>+						 <div style="text-align-last:center;position: relative;top: 10px;">+						 <div>++						 <input type="button" name="cnpbtnedit" id="cnpbtnedit" value="Close" class="add-new-h2" onclick="window.history.go(-1); return false;">+						 <input type="submit" name="cnpchnlbtnsave" id="cnpchnlbtnsave" value="Save" class="add-new-h2">  <div class="dataTables_paginate" ><a href="admin.php?page=cnp_pledgetvchannelsdetails"><strong>Go back to Channels</strong></a></div>+						 </div></div>+						 </div>';+						 }+						$cnpeditdsplycntnt .='</form>+			</div>+		</div>+	</div>+</div></div>+</div>';+echo $cnpeditdsplycntnt;+	}+	else+	{+$btn = $btn ?? 
'';++$cnpdsplycntnt ='<div xmlns="http://www.w3.org/1999/xhtml" class="wrap nosubsub">+<div class="icon32" id="icon-edit"><br/></div>+<h2>Add Channel Group</h2>+<div id="col-left">+	<div class="col-wrap">+		<div>+			<div class="form-wrap">+				<h3>'.$btn.'</h3>+				<form class="validate"  method="post" id="addchnl" name="addchnl" enctype="multipart/form-data">+				<input type="hidden" name="cnpchdnurl" id="cnpchdnurl" value="'.CNP_CF_PLUGIN_URL.'getcnpactivechannels.php">+			+				<input type="hidden" name="hdncdatefrmt" id="hdncdatefrmt" value="'.CFCNP_PLUGIN_CURRENTDATETIMEFORMAT .'">+				<div class="form-field cnpfrmgrp">+						<label for="tag-name">Channel Group Name*</label>+						<input type="text" size="40" id="txtcnpchnlgrp" name="txtcnpchnlgrp" onkeypress="return AvoidSpace(event)"/>+						<p>Please enter the channel group name</p><span class=cnperror id="spncnpchnlgrpnm"></span>+					</div>+					<div class="form-field cnplstfrndlyname" >+						<label for="tag-name">Account(s)*</label>+						<select name="lstchnlaccntfrndlynam" id="lstchnlaccntfrndlynam"'.$dsplycntnt.' >+						'.$cnpaccountfriendlynams.'</select>+						<p></p>+					</div>++					<div class="input-group date form-field cnpfrmstrtdt" >+						<label for="tag-name">Start Date & Time* [Time Zone: '. wp_get_timezone_string().']</label>+						<input type="text" size="40" id="txtcnpchnlstrtdt" name="txtcnpchnlstrtdt" />+						<span class=cnperror id="spncnpchnlstrtdt"></span>+					</div>+					+					<div class="input-group date form-field cnpfrmenddt" >+						<label for="tag-name">End Date & Time</label>+						<input type="text" size="40" id="txtcnpchnlenddt" name="txtcnpchnlenddt" />+						<span class=cnperror id="spncnpchnlenddt"></span>+					</div>+					+   					+					<div class="form-field cnplstfrmsts" >+						<label for="tag-name">No Valid Channel Message</label>+						<textarea id="txtchnlerrortxt" name="txtchnlerrortxt" >Sorry! 
This channel is expired</textarea>+					<p></p>+					</div>+					<div class="form-field cnplstfrmsts" >+						<label for="tag-name">Status</label>+						<select name="lstchnlsts" id="lstchnlsts"><option value="1">Active</option>+						<option value="0">Inactive</option></select>+						<p></p>+					</div>+					<p class="submit">++						<input type="button" value="Save" class="button-primary" id="cnpachnlbtnsubmit" name="cnpachnlbtnsubmit" class="add-new-h2"/>+						<input type="button" name="cnpbtnchnlcancel" id="cnpbtnchnlcancel" value="Cancel" class="button-primary" onclick="window.history.go(-1); return false;">++					<input type="hidden" name="addchannelval" id="addchannelval" value='.$hidval.'>+					<input type="hidden" name="hidnoofforms" id="hidnoofforms">+					<input type="hidden" name="hdncnpformname1" id="hdncnpformname1">+					</p>++					<div style="float:left"  width="100%">+					<div class="chnladddiv" style ="display:none">+					<p>1. Select your Channel, enter a start date and click SAVE.</p><p>+2. Copy the "shortcode" from pledgeTV Channels page, to your WordPress page.+Multiple Channels may be added. Channels will display in order of start date. 
If start dates overlap, the first Channel in the list will show first.++</p><p></p>++			              <table class="wp-list-table widefat" id="cnpformslist" >+						  <thead><tr><th><strong>Channel</strong>*</th><th><strong>Start Date</strong>*</th><th><strong>End Date</strong></th><th></th></tr>+						  </thead><tbody>+						  <tr id="trid1"><td><u><input type="hidden" name="hdncnpchnlcnt[]" id="hdncnpchnlcnt[]" value=1><select name="lstcnpactivechannel1" id="lstcnpactivechannel1"  class="cnp_forms_select"><option value="">Select Channel</option></select></u><span class=cnperror id="spncampnname1"></span></td>+						  +				          <td><div class="input-group date" id="datetimepicker3"><input type="text" size="20" id="txtcnpchnlstrtdt1" name="txtcnpchnlstrtdt1"/><span class=cnperror id="spnstrtdt1"></span></div></td>+						  <td><div class="input-group date" id="datetimepicker4"><input type="text" size="20" id="txtcnpchnlenddt1" name="txtcnpchnlenddt1"/><span class=cnperror id="spnenddt1"></span></div></td>+						  <td><u><a href="#" onclick="getDeletechannelrows(1)"><span class="dashicons dashicons-trash" name="cnpbtndelte" id="cnpbtndelte"  style="text-decoration:none !important"></span></a></u></td></tr>+						  </tbody></table>+						  <div><table class="wp-list-table widefat" id="ist" >+						 <tr><td>+						 <div style="float:right">+						 <input type="button" name="cnpbtncadd" id="cnpbtncadd" value="Add Channel" class="add-new-h2"><div>+						 </td></tr>+						 </table>+						 </div>+						 <div style="text-align-last:center;position: relative;top: 10px;">+						 <div>+<br>+						 <input type="button" name="cnpbtnclose" id="cnpbtnclose" value="Close" class="add-new-h2" onclick="window.history.go(-1); return false;">+						 <input type="submit" name="cnpchnlbtnsave" id="cnpchnlbtnsave" value="Save" class="add-new-h2">++						 </div></div>+						 </div>+						</form>+			        </div>+		        </div>+	         </div>+         </div>+      ';+echo 
$cnpdsplycntnt;+}+ }+ob_clean();+?>
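Review bot: the cnpviewid request value in cnps_addchannel() is an integer row ID but is only passed through sanitize_text_field() before reaching CNPCF_GetCnPGroupDetails($cnp_channelgrptable_name, 'cnpchannelgrp_ID', $cnpviewid); cast it with absint() here and make sure that helper builds its WHERE clause with $wpdb->prepare(), since sanitize_text_field() does not neutralise SQL metacharacters. Two further gaps in the same function: the POST branch guarded by isset($_POST["cnpchnlbtnsave"]) has no nonce or capability check (add wp_nonce_field() to the form and check_admin_referer() plus current_user_can() before handing the raw $_POST array to CNPCF_addNewChannel() / CNPCF_updateChannels()), and the edit form interpolates stored values such as $cnpchnlgroupname, $cnpfrmStartDate, $cnpchnlerrmsg and $cnpfrmlst->cnpchannel_channelName straight into value="..." attributes and a textarea without esc_attr() / esc_textarea(). The urlencode() added around $cnpredirectval is harmless, but the value it wraps is always one of the literals 'saved', 'upd' or 'failed'; prefer wp_safe_redirect() there anyway so the target stays constrained to the site's own host.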
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - channelAdd.php [Lines 12, 16]
Old Code:
```php
wp_redirect("admin.php?page=cnp_pledgetvchannelsdetails&info=".$cnpredirectval);
```
Fixed Code:
```php
wp_redirect(admin_url("admin.php?page=cnp_pledgetvchannelsdetails&info=" . urlencode($cnpredirectval)));
```

Explanation:
The old code directly concatenates user-controlled values into redirect URLs without proper encoding. The $cnpredirectval variable is derived from $_POST data and can contain arbitrary values. When this value contains special URL characters, it can break the URL structure or enable open redirect attacks. The fixed code uses urlencode() to properly encode the parameter value, ensuring the URL structure remains intact and preventing open redirect vulnerabilities.

CVE Analysis Results:
CVE-2025-32550: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] clickandpledge_form.php AI: 7 vulnerabilities 2 false positives, 5 true positives CVE-2025-32550
--- cache/click-pledge-connect_2.24080000-WP6.6.1/clickandpledge_form.php	2025-11-20 22:13:36.779109072 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/clickandpledge_form.php	2025-11-20 22:19:32.250906915 +0000@@ -3,12 +3,11 @@ Plugin Name: Click & Pledge Connect Plugin URI: https://manual.clickandpledge.com/ Description: The Click & Pledge CONNECT plugin provides a flexible and easy to add process for adding CONNECT forms to any WordPress template.-Version: 2.24080000-WP6.6.1+Version: 2.24120000-WP6.7.1 Author: Click & Pledge Author URI: https://www.clickandpledge.com */ - error_reporting(E_ALL); global 	$cnp_table_name; global  $wpdb;@@ -36,7 +35,7 @@ 	if ( ! function_exists( 'get_plugins' ) ) {     require_once ABSPATH . 'wp-admin/includes/plugin.php'; }-$wpcnp_version = '2.24080000-WP6.6.1';+$wpcnp_version = '2.24120000-WP6.7.1'; $all_plugins = get_plugins();  foreach ( array_keys( $all_plugins ) as $plugin_candidate ) { 
@@ -101,110 +100,131 @@   /* When plugin is deactivation*/-register_deactivation_hook( __FILE__, 'Remove_CNP'); +register_deactivation_hook(__FILE__, function() {+    // No specific logic here.+});  function cnpconnectplugin_update_db_check() {-	global $wpdb; global $cnp_channelgrptable_name;global $cnp_channeltable_name;global $cnp_formtable_name;global $cnp_table_name;    global $cnp_settingtable_name;-		$check_column = (array) $wpdb->get_results("SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME = '$cnp_formtable_name' AND COLUMN_NAME = 'cnpform_urlparameters'")[0];+    global $wpdb;+    global $cnp_channelgrptable_name, $cnp_channeltable_name, $cnp_formtable_name, $cnp_table_name, $cnp_settingtable_name; -		$table_name = $cnp_formtable_name;-		 $check_column = (int) array_shift($check_column);-		 if($check_column == 0) {-		 $wpdb->query(-			"ALTER TABLE $table_name-			   ADD COLUMN `cnpform_urlparameters` TEXT NOT NULL-			  ");-		  }-     if($wpdb->get_var("SHOW TABLES LIKE '".$cnp_channelgrptable_name."'") != $cnp_channelgrptable_name) {-      $sql = "CREATE TABLE $cnp_channelgrptable_name (-					  cnpchannelgrp_ID int(9) NOT NULL AUTO_INCREMENT,-					  cnpchannelgrp_groupname varchar(250) NOT NULL,-					  cnpchannelgrp_cnpstngs_ID int(15) NOT NULL,-					  cnpchannelgrp_shortcode text,-					  cnpchannelgrp_custommsg varchar(250) NOT NULL,-					  cnpchannelgrp_channel_StartDate datetime NOT NULL,-					  cnpchannelgrp_channel_EndDate datetime NOT NULL,-					  cnpchannelgrp_status char(1) DEFAULT 'a',-					  cnpchannelgrp_Date_Created datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-					  cnpchannelgrp_Date_Modified datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-					  PRIMARY KEY  (cnpchannelgrp_ID),-					  KEY cnpfrm_id (cnpchannelgrp_ID)) ENGINE=InnoDB DEFAULT CHARSET=utf8;";-	-   	require_once(ABSPATH . 
'wp-admin/includes/upgrade.php');-   	dbDelta($sql); +  +    $check_column = $wpdb->get_var(+        $wpdb->prepare(+            "SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = %s AND COLUMN_NAME = %s",+            $cnp_formtable_name,+            'cnpform_urlparameters'+        )+    );++    if ((int) $check_column === 0) {+        $wpdb->query(+            "ALTER TABLE $cnp_formtable_name ADD COLUMN `cnpform_urlparameters` TEXT NOT NULL"+        );     }-	 if($wpdb->get_var("SHOW TABLES LIKE '".$cnp_channeltable_name."'") != $cnp_channeltable_name) {-		 $sql = "CREATE TABLE $cnp_channeltable_name (-			  cnpchannel_id int(15) NOT NULL AUTO_INCREMENT,-			  cnpchannel_cnpchannelgrp_ID int(15) NOT NULL,-			  cnpchannel_channelName varchar(250) NOT NULL,-			  cnpchannel_channelStartDate datetime NOT NULL,-			  cnpchannel_channelEndDate datetime NOT NULL,-			  cnpchannel_channelStatus char(1) NOT NULL DEFAULT 'a',-			  cnpchannel_DateCreated datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-			  cnpchannel_DateModified datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-			  PRIMARY KEY  (cnpchannel_id),KEY cnpfrm_id (cnpchannel_id)) ENGINE=InnoDB DEFAULT CHARSET=latin1;";--   	require_once(ABSPATH . 
'wp-admin/includes/upgrade.php');-   	dbDelta($sql);-	 }-	 if($wpdb->get_var("SHOW TABLES LIKE '".$cnp_formtable_name."'") != $cnp_formtable_name) {-		$sql = "CREATE TABLE $cnp_formtable_name (-			cnpform_id int(15) NOT NULL AUTO_INCREMENT,-			cnpform_cnpform_ID int(15) NOT NULL,-			cnpform_CampaignName varchar(250) NOT NULL,-			cnpform_FormName varchar(250) NOT NULL,-			cnpform_GUID varchar(250) NOT NULL,-			cnpform_FormStartDate datetime NOT NULL,-			cnpform_FormEndDate datetime NOT NULL,-			cnpform_FormStatus char(1) NOT NULL DEFAULT 'a',-			cnpform_DateCreated datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-			cnpform_DateModified datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-			PRIMARY KEY  (cnpform_id),KEY cnpfrm_id (cnpform_id)) ENGINE=InnoDB DEFAULT CHARSET=latin1;"; -	 require_once(ABSPATH . 'wp-admin/includes/upgrade.php');-	 dbDelta($sql);-	}-	if($wpdb->get_var("SHOW TABLES LIKE '".$cnp_table_name."'") != $cnp_table_name) {-		$sql = "CREATE TABLE $cnp_table_name (-			cnpform_ID int(9) NOT NULL AUTO_INCREMENT,-			cnpform_groupname varchar(250) NOT NULL,-			cnpform_cnpstngs_ID int(15) NOT NULL,-			cnpform_AccountNumber varchar(250) NOT NULL,-			cnpform_guid text NOT NULL,-			cnpform_type text NOT NULL,-			cnpform_ptype text NOT NULL,-			cnpform_text varchar(250) NOT NULL,-			cnpform_img blob NOT NULL,-			cnpform_shortcode text,-			cnpform_custommsg varchar(250) NOT NULL,-			cnpform_Form_StartDate datetime NOT NULL,-			cnpform_Form_EndDate datetime NOT NULL,-			cnpform_status char(1) DEFAULT 'a',-			cnpform_Date_Created datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-			cnpform_Date_Modified datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-			PRIMARY KEY  (cnpform_ID),-			KEY cnpfrm_id (cnpform_ID)) ENGINE=InnoDB DEFAULT CHARSET=utf8;";+  +    if ($wpdb->get_var("SHOW TABLES LIKE '{$cnp_channelgrptable_name}'") != $cnp_channelgrptable_name) {+        $sql = "CREATE TABLE $cnp_channelgrptable_name (+            cnpchannelgrp_ID INT(9) NOT NULL 
AUTO_INCREMENT,+            cnpchannelgrp_groupname VARCHAR(250) NOT NULL,+            cnpchannelgrp_cnpstngs_ID INT(15) NOT NULL,+            cnpchannelgrp_shortcode TEXT,+            cnpchannelgrp_custommsg VARCHAR(250) NOT NULL,+            cnpchannelgrp_channel_StartDate DATETIME NOT NULL,+            cnpchannelgrp_channel_EndDate DATETIME NOT NULL,+            cnpchannelgrp_status CHAR(1) DEFAULT 'a',+            cnpchannelgrp_Date_Created DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            cnpchannelgrp_Date_Modified DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            PRIMARY KEY (cnpchannelgrp_ID),+            KEY cnpfrm_id (cnpchannelgrp_ID)+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8;";+        require_once ABSPATH . 'wp-admin/includes/upgrade.php';+        dbDelta($sql);+    } -require_once(ABSPATH . 'wp-admin/includes/upgrade.php');-dbDelta($sql);-	}-	if($wpdb->get_var("SHOW TABLES LIKE '".$cnp_settingtable_name."'") != $cnp_settingtable_name) {-		$sql = "CREATE TABLE $cnp_settingtable_name (-			cnpstngs_ID int(9) NOT NULL AUTO_INCREMENT,-			cnpstngs_frndlyname varchar(250) NOT NULL,-			cnpstngs_AccountNumber varchar(250) NOT NULL,-			cnpstngs_guid text NOT NULL,-			cnpstngs_status char(1) DEFAULT 'a',-			cnpstngs_Date_Created datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-			cnpstngs_Date_Modified datetime NOT NULL DEFAULT '0000-00-00 00:00:00',-			PRIMARY KEY  (cnpstngs_ID),-			KEY cnpstngs_id (cnpstngs_ID)) ENGINE=InnoDB DEFAULT CHARSET=utf8;";+  +    if ($wpdb->get_var("SHOW TABLES LIKE '{$cnp_channeltable_name}'") != $cnp_channeltable_name) {+        $sql = "CREATE TABLE $cnp_channeltable_name (+            cnpchannel_id INT(15) NOT NULL AUTO_INCREMENT,+            cnpchannel_cnpchannelgrp_ID INT(15) NOT NULL,+            cnpchannel_channelName VARCHAR(250) NOT NULL,+            cnpchannel_channelStartDate DATETIME NOT NULL,+            cnpchannel_channelEndDate DATETIME NOT NULL,+            cnpchannel_channelStatus CHAR(1) NOT 
NULL DEFAULT 'a',+            cnpchannel_DateCreated DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            cnpchannel_DateModified DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            PRIMARY KEY (cnpchannel_id),+            KEY cnpfrm_id (cnpchannel_id)+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8;";+        require_once ABSPATH . 'wp-admin/includes/upgrade.php';+        dbDelta($sql);+    } -		require_once(ABSPATH . 'wp-admin/includes/upgrade.php');-		dbDelta($sql);-	}+   +    if ($wpdb->get_var("SHOW TABLES LIKE '{$cnp_formtable_name}'") != $cnp_formtable_name) {+        $sql = "CREATE TABLE $cnp_formtable_name (+            cnpform_id INT(15) NOT NULL AUTO_INCREMENT,+            cnpform_cnpform_ID INT(15) NOT NULL,+            cnpform_CampaignName VARCHAR(250) NOT NULL,+            cnpform_FormName VARCHAR(250) NOT NULL,+            cnpform_GUID VARCHAR(250) NOT NULL,+            cnpform_FormStartDate DATETIME NOT NULL,+            cnpform_FormEndDate DATETIME NOT NULL,+            cnpform_FormStatus CHAR(1) NOT NULL DEFAULT 'a',+            cnpform_DateCreated DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            cnpform_DateModified DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            PRIMARY KEY (cnpform_id),+            KEY cnpfrm_id (cnpform_id)+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8;";+        require_once ABSPATH . 
'wp-admin/includes/upgrade.php';+        dbDelta($sql);+    }++   +    if ($wpdb->get_var("SHOW TABLES LIKE '{$cnp_table_name}'") != $cnp_table_name) {+        $sql = "CREATE TABLE $cnp_table_name (+            cnpform_ID INT(9) NOT NULL AUTO_INCREMENT,+            cnpform_groupname VARCHAR(250) NOT NULL,+            cnpform_cnpstngs_ID INT(15) NOT NULL,+            cnpform_AccountNumber VARCHAR(250) NOT NULL,+            cnpform_guid TEXT NOT NULL,+            cnpform_type TEXT NOT NULL,+            cnpform_ptype TEXT NOT NULL,+            cnpform_text VARCHAR(250) NOT NULL,+            cnpform_img BLOB NOT NULL,+            cnpform_shortcode TEXT,+            cnpform_custommsg VARCHAR(250) NOT NULL,+            cnpform_Form_StartDate DATETIME NOT NULL,+            cnpform_Form_EndDate DATETIME NOT NULL,+            cnpform_status CHAR(1) DEFAULT 'a',+            cnpform_Date_Created DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            cnpform_Date_Modified DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            PRIMARY KEY (cnpform_ID),+            KEY cnpfrm_id (cnpform_ID)+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8;";+        require_once ABSPATH . 'wp-admin/includes/upgrade.php';+        dbDelta($sql);+    }++   +    if ($wpdb->get_var("SHOW TABLES LIKE '{$cnp_settingtable_name}'") != $cnp_settingtable_name) {+        $sql = "CREATE TABLE $cnp_settingtable_name (+            cnpstngs_ID INT(9) NOT NULL AUTO_INCREMENT,+            cnpstngs_frndlyname VARCHAR(250) NOT NULL,+            cnpstngs_AccountNumber VARCHAR(250) NOT NULL,+            cnpstngs_guid TEXT NOT NULL,+            cnpstngs_status CHAR(1) DEFAULT 'a',+            cnpstngs_Date_Created DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            cnpstngs_Date_Modified DATETIME NOT NULL DEFAULT '0000-00-00 00:00:00',+            PRIMARY KEY (cnpstngs_ID),+            KEY cnpstngs_id (cnpstngs_ID)+        ) ENGINE=InnoDB DEFAULT CHARSET=utf8;";+        require_once ABSPATH . 
'wp-admin/includes/upgrade.php';+        dbDelta($sql);+    } }+ add_action( 'plugins_loaded', 'cnpconnectplugin_update_db_check' );  /* Creates the admin menu for the  plugin */@@ -224,43 +244,74 @@ 	 } function cnp_getCnPUserChannelList($cnpacid) {-		$cnpcnntaccountid = explode("~",$_POST['cnpacid']);-	    $cnpcntaccountid  = $cnpcnntaccountid[0];-		$cnpaccountGUID   = $cnpcnntaccountid[1];-		$cnpUID = "14059359-D8E8-41C3-B628-E7E030537905";-		$cnpKey = "5DC1B75A-7EFA-4C01-BDCD-E02C536313A3";-		$connect  = array('soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => 0);-	    $client   = new SoapClient(CNP_CF_PLUGIN_PATH.'Auth2.wsdl', $connect);-	-		if( isset($cnpcntaccountid) && $cnpcntaccountid !="" && isset($cnpaccountGUID) &&  $cnpaccountGUID !="")-		{ -			$xmlr  = new SimpleXMLElement("<GetPledgeTVChannelList></GetPledgeTVChannelList>");-			$cnpsel ="";-			$xmlr->addChild('accountId', $cnpcntaccountid);-			$xmlr->addChild('AccountGUID', $cnpaccountGUID);-			$xmlr->addChild('username', $cnpUID);-			$xmlr->addChild('password', $cnpKey);-			$response = $client->GetPledgeTVChannelList($xmlr);-	-			$responsearr =  $response->GetPledgeTVChannelListResult->PledgeTVChannel; 	-			$cnptblresltdsply .= '';-			-			if(count($responsearr)>1){-			for($inc = 0 ; $inc < count($responsearr);$inc++)-			{-				- 				$cnptblresltdsply .= '<tr><td>'.$responsearr[$inc]->ChannelURLID.'</td><td>'.$responsearr[$inc]->ChannelName.'</td><td>'.$responsearr[$inc]->CreatedDate.'</td><td>[CnP.pledgeTV '.$responsearr[$inc]->ChannelURLID.']</td></tr>';-			}-			 }-			else if(count($responsearr)==1){-				$cnptblresltdsply .= '<tr><td>'.$responsearr->ChannelURLID.'</td><td>'.$responsearr->ChannelName.'</td><td>'.$responsearr->CreatedDate.'</td><td>[CnP.pledgeTV '.$responsearr->ChannelURLID.']</td></tr>';-			}-				}-		-		echo $cnptblresltdsply;-		-	  die();+if (isset($_POST['cnpacid'])) {+    $cnpcnntaccountid = explode("~", sanitize_text_field($_POST['cnpacid']));+    +    if 
(count($cnpcnntaccountid) === 2) {+        $cnpcntaccountid = $cnpcnntaccountid[0];+        $cnpaccountGUID = $cnpcnntaccountid[1];+    } else {+        die('Invalid input format.');+    }++    $cnpUID = "14059359-D8E8-41C3-B628-E7E030537905";+    $cnpKey = "5DC1B75A-7EFA-4C01-BDCD-E02C536313A3";+    $connect = array('soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => true);++    try {+      +        $client = new SoapClient(CNP_CF_PLUGIN_PATH . 'Auth2.wsdl', $connect);++        if (!empty($cnpcntaccountid) && !empty($cnpaccountGUID)) {+          +            $xmlr = new SimpleXMLElement("<GetPledgeTVChannelList></GetPledgeTVChannelList>");+            $xmlr->addChild('accountId', htmlspecialchars($cnpcntaccountid));+            $xmlr->addChild('AccountGUID', htmlspecialchars($cnpaccountGUID));+            $xmlr->addChild('username', htmlspecialchars($cnpUID));+            $xmlr->addChild('password', htmlspecialchars($cnpKey));++            $response = $client->GetPledgeTVChannelList($xmlr);++            if (isset($response->GetPledgeTVChannelListResult->PledgeTVChannel)) {+                $responsearr = $response->GetPledgeTVChannelListResult->PledgeTVChannel;++                $cnptblresltdsply = '';++                if (is_array($responsearr)) {+                    foreach ($responsearr as $channel) {+                        $cnptblresltdsply .= '<tr>+                            <td>' . htmlspecialchars($channel->ChannelURLID) . '</td>+                            <td>' . htmlspecialchars($channel->ChannelName) . '</td>+                            <td>' . htmlspecialchars($channel->CreatedDate) . '</td>+                            <td>[CnP.pledgeTV ' . htmlspecialchars($channel->ChannelURLID) . ']</td>+                        </tr>';+                    }+                } else { +                    $cnptblresltdsply .= '<tr>+                        <td>' . htmlspecialchars($responsearr->ChannelURLID) . '</td>+                        <td>' . 
htmlspecialchars($responsearr->ChannelName) . '</td>+                        <td>' . htmlspecialchars($responsearr->CreatedDate) . '</td>+                        <td>[CnP.pledgeTV ' . htmlspecialchars($responsearr->ChannelURLID) . ']</td>+                    </tr>';+                }+                +                echo $cnptblresltdsply;+            } else {+                echo '<tr><td colspan="4">No channels found.</td></tr>';+            }+        }+    } catch (Exception $e) {+        // Log error and output a friendly error message+        error_log('SOAP Error: ' . $e->getMessage());+        echo '<tr><td colspan="4">An error occurred while fetching data. Please try again later.</td></tr>';+    }+} else {+    echo '<tr><td colspan="4">Invalid request.</td></tr>';+}++die();+ 	} /* Admin Page setup */ function CNP_Plugin_Menu() {@@ -414,51 +465,79 @@ require(dirname(__FILE__) . '/channelAdd.php'); require(dirname(__FILE__) . '/ChannelDetails.php'); function CNPCF_friendlyname() {-global $wpdb;	global $cnp_settingtable_name;-$scnpSQL = "SELECT * FROM ".$cnp_settingtable_name." where cnpstngs_frndlyname ='".$_POST['param']."'";-$cnpresults  = $wpdb->get_results($scnpSQL);-$cnpformrows = $wpdb->num_rows;-if($cnpformrows > 0)-{-	echo "Friendly Name already exist.";-	wp_die();+global $wpdb, $cnp_settingtable_name;++$param = sanitize_text_field($_POST['param']);++$scnpSQL = $wpdb->prepare(+    "SELECT * FROM {$cnp_settingtable_name} WHERE cnpstngs_frndlyname = %s",+    $param+);++$cnpresults = $wpdb->get_results($scnpSQL);+$cnpformrows = count($cnpresults);++if ($cnpformrows > 0) {+    echo "Friendly Name already exists.";+    wp_die(); } + } function CNPCF_cnpchnlgroupname() { global $wpdb;	global $cnp_channelgrptable_name;-	 				$scnpSQL = "SELECT * FROM ".$cnp_channelgrptable_name." 
where cnpchannelgrp_groupname = '".$_POST['param']."'";-						$cnpresults  = $wpdb->get_results($scnpSQL);-					 	$cnpformrows = $wpdb->num_rows;-						if($cnpformrows > 0)-						{-							echo "Channel group name already exist.";-							wp_die();-						}++$param = sanitize_text_field($_POST['param']);++$scnpSQL = $wpdb->prepare(+    "SELECT * FROM {$cnp_channelgrptable_name} WHERE cnpchannelgrp_groupname = %s",+    $param+);+$cnpresults = $wpdb->get_results($scnpSQL);+$cnpformrows = count($cnpresults);++if ($cnpformrows > 0) {+    echo "Channel group name already exists.";+    wp_die();+}+  } function CNPCF_cnpgroupname() {-global $wpdb;	global $cnp_table_name;-	 				$scnpSQL = "SELECT * FROM ".$cnp_table_name." where cnpform_groupname = '".$_POST['param']."'";-						$cnpresults  = $wpdb->get_results($scnpSQL);-					 	$cnpformrows = $wpdb->num_rows;-						if($cnpformrows > 0)-						{-							echo "Form group name already exist.";-							wp_die();-						}+global $wpdb, $cnp_table_name;++$param = sanitize_text_field($_POST['param']);++$scnpSQL = $wpdb->prepare(+    "SELECT * FROM {$cnp_table_name} WHERE cnpform_groupname = %s",+    $param+);+$cnpresults = $wpdb->get_results($scnpSQL);+$cnpformrows = count($cnpresults);++if ($cnpformrows > 0) {+    echo "Form group name already exists.";+    wp_die();+}  } function CNPCF_cnpaccountid() {-global $wpdb;	global $cnp_settingtable_name;-	 				$scnpSQL = "SELECT * FROM ".$cnp_settingtable_name." 
where cnpstngs_AccountNumber = '".$_POST['param']."'";-						$cnpresults  = $wpdb->get_results($scnpSQL);-					 	$cnpformrows = $wpdb->num_rows;-						if($cnpformrows > 0)-						{-							echo "Account already exist.";-							wp_die();-						}+global $wpdb, $cnp_settingtable_name;++$param = sanitize_text_field($_POST['param']);++$scnpSQL = $wpdb->prepare(+    "SELECT * FROM {$cnp_settingtable_name} WHERE cnpstngs_AccountNumber = %s",+    $param+);++$cnpresults = $wpdb->get_results($scnpSQL);+$cnpformrows = count($cnpresults);++if ($cnpformrows > 0) {+    echo "Account already exists.";+    wp_die();+}  } add_action('wp_ajax_CNPCF_friendlyname', 'CNPCF_friendlyname');@@ -477,193 +556,193 @@ 	wp_localize_script( 'ajax-js', 'ajax_params', array( 'ajax_url' => admin_url( 'admin-ajax.php' ) ) ); } add_action( 'wp_enqueue_scripts', 'load_jquery' );-function isexistpledgetvchannel($cnpaccid, $cnpaccguid,$channelid)+function isexistpledgetvchannel($cnpaccid, $cnpaccguid, $channelid) {-	    $cnpcntaccountid  = $cnpaccid;-		$cnpaccountGUID   = $cnpaccguid;-		$cnpUID = "14059359-D8E8-41C3-B628-E7E030537905";-		$cnpKey = "5DC1B75A-7EFA-4C01-BDCD-E02C536313A3";-		$connect  = array('soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => 0);-	    $client   = new SoapClient(CNP_CF_PLUGIN_PATH.'Auth2.wsdl', $connect);-	-		if( isset($cnpcntaccountid) && $cnpcntaccountid !="" && isset($cnpaccountGUID) &&  $cnpaccountGUID !="")-		{ -			$xmlr  = new SimpleXMLElement("<GetPledgeTVChannelList></GetPledgeTVChannelList>");-			$cnpsel ="";-			$xmlr->addChild('accountId', $cnpcntaccountid);-			$xmlr->addChild('AccountGUID', $cnpaccountGUID);-			$xmlr->addChild('username', $cnpUID);-			$xmlr->addChild('password', $cnpKey);-			$response = $client->GetPledgeTVChannelList($xmlr);-			//print_r($response);-			$responsearr =  $response->GetPledgeTVChannelListResult->PledgeTVChannel;-			$cnptblresltdsply .= '';-			$channelfound = "no";-			if(count($responsearr)>1){-			for($inc = 0 ; $inc < 
count($responsearr);$inc++)-			{-				-				if($channelid == $responsearr[$inc]->ChannelURLID){-					$channelfound = "yes~".$responsearr[$inc]->ChannelName;-				}-			}-			}-			else{ -				if($channelid == $responsearr->ChannelURLID){-					$channelfound = "yes~".$responsearr->ChannelName;-				}-			}-		}-return $channelfound;-}-function cnpform_GetShortCode($frmid){--	global $wpdb;-	global $cnp_table_name;-	global $rtrnstr;--	$chkshortcodexit = CNPCF_isExistShortcode($frmid[0]);--	if($chkshortcodexit)-	{-		add_action('wp_footer', 'cnphook_js');-		 $cnpgrpnm= str_replace('-', ' ', $frmid[0]);-		 $formid  = CNPCF_getformsofGroup($cnpgrpnm);-		 $formtyp = CNPCF_getFormType($cnpgrpnm);--		if(count($formid) >=1){-		$rtrnstrarr ="";-		for($frminc=0;$frminc <	 count($formid);$frminc++)-		{--    	$attrs = array( 'data-guid' => $formid[$frminc]) ;-		$attrs_string = '';-		if(!empty( $attrs ) ) {--			foreach ( $attrs as $key => $value ) {-				$attrs_string .= "$key='" . esc_attr( $value ) . "' ";-			}-			$attrs = ltrim( $attrs_string );+    $cnpUID = "14059359-D8E8-41C3-B628-E7E030537905";+    $cnpKey = "5DC1B75A-7EFA-4C01-BDCD-E02C536313A3";+    $connect = ['soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => 0];++    try {+       +        $wsdlPath = CNP_CF_PLUGIN_PATH . 
'Auth2.wsdl';+        if (!file_exists($wsdlPath)) {+            throw new Exception("WSDL file not found: $wsdlPath");+        }++      +        $client = new SoapClient($wsdlPath, $connect);++        if (!empty($cnpaccid) && !empty($cnpaccguid)) {+           +            $xmlRequest = new SimpleXMLElement("<GetPledgeTVChannelList></GetPledgeTVChannelList>");+            $xmlRequest->addChild('accountId', $cnpaccid);+            $xmlRequest->addChild('AccountGUID', $cnpaccguid);+            $xmlRequest->addChild('username', $cnpUID);+            $xmlRequest->addChild('password', $cnpKey);++            +            $response = $client->GetPledgeTVChannelList($xmlRequest);++          +            $channels = $response->GetPledgeTVChannelListResult->PledgeTVChannel ?? null;+            $channelFound = "no";++            if ($channels) {+               +                if (is_array($channels)) {+                    foreach ($channels as $channel) {+                        if ($channelid == $channel->ChannelURLID) {+                            $channelFound = "yes~" . $channel->ChannelName;+                            break;+                        }+                    }+                }+               +                elseif ($channelid == $channels->ChannelURLID) {+                    $channelFound = "yes~" . $channels->ChannelName;+                }+            }+        }+    } catch (Exception $e) {+      +        error_log("SOAP Error: " . $e->getMessage());+        return "An error occurred. Please try again later.";+    } -	  	 }-		$cnpshortcodearray = explode("--",$formtyp);-//" . $attrs . 
"-		if($cnpshortcodearray[0] == 'inline')-		{-		 $rtrnstrarr ='<div class="CnP_inlineform" '.$attrs.'></div>';	-		-		-		}-		else if($cnpshortcodearray[0] == 'popup')-		{-			-			if($cnpshortcodearray[1] == 'text')-			{-				$cnpGetImagesql = $cnpshortcodearray[2];-				$rtrnstrarr.= '<a  class="CnP_formlink" data-guid="'.$formid[$frminc].'">'.$cnpGetImagesql.'</a>';-			}-			else if($cnpshortcodearray[1] == 'button')-			{-				-				$cnpGetbuttontext = $cnpshortcodearray[2];-				-				//$rtrnstrarr.= '<p><input class="CnP_formlink" type="button" value="'.$cnpGetbuttontext.'" data-guid="'.$formid[$frminc].'" /></p>';-			$cnpcurdatetim = date("hisYmd");-				//$rtrnstrarr.= '<p><button class="CnP_formlink" type="button" data-guid="'.$formid[$frminc].'" >'.$cnpGetbuttontext.'</button></p>';-			-				$rtrnstrarr.= '<div class="wp-block-buttons">-				<div class="wp-block-button"><a href="javascript:void(0);" class="wp-block-button__link CnP_formlink" data-guid="'.$formid[$frminc] ."". $cnpcurdatetim.'"  style="cursor: pointer;">'.$cnpGetbuttontext.'</a></div>-				</div>';-				+    return $channelFound;+} -			}-			else if($cnpshortcodearray[1] == 'image')-			{-			 $cnpGetImage = $cnpshortcodearray[3];-			 $rtrnstrarr.= '<img class="CnP_formlink " src="data:image/jpeg;base64,'.base64_encode($cnpGetImage).'" data-guid="'.$formid[$frminc].'" style="cursor: pointer;">';-			}-		}-		-			}-	return $rtrnstrarr;-			}else{-			 $rtrnstr = CNPCF_getGroupCustomerrmsg($frmid[0]);-	 return $rtrnstr;+function cnpform_GetShortCode($frmid){ -		}-	}-	else-	{-	 +global $wpdb;+global $cnp_table_name;+global $rtrnstr;+++$chkshortcodexit = CNPCF_isExistShortcode($frmid[0]);++if ($chkshortcodexit) {+ +    add_action('wp_footer', 'cnphook_js');++   +    $cnpgrpnm = str_replace('-', ' ', $frmid[0]);+    $formid = CNPCF_getformsofGroup($cnpgrpnm);+    $formtyp = CNPCF_getFormType($cnpgrpnm);++    if (count($formid) >= 1) {+        $rtrnstrarr = '';++        for ($frminc = 0; $frminc < count($formid); 
$frminc++) {+            $attrs = ['data-guid' => $formid[$frminc]];+            $attrs_string = '';++            foreach ($attrs as $key => $value) {+                $attrs_string .= "$key='" . esc_attr($value) . "' ";+            }+            $attrs_string = ltrim($attrs_string);++            $cnpshortcodearray = explode("--", $formtyp);++            if ($cnpshortcodearray[0] === 'inline') {+                $rtrnstrarr .= '<div class="CnP_inlineform" ' . $attrs_string . '></div>';+            } elseif ($cnpshortcodearray[0] === 'popup') {+                if ($cnpshortcodearray[1] === 'text') {+                    $cnpGetImagesql = $cnpshortcodearray[2];+                    $rtrnstrarr .= '<a class="CnP_formlink" data-guid="' . $formid[$frminc] . '">' . $cnpGetImagesql . '</a>';+                } elseif ($cnpshortcodearray[1] === 'button') {+                    $cnpGetbuttontext = $cnpshortcodearray[2];+                    $cnpcurdatetim = "";++                    $rtrnstrarr .= '<div class="wp-block-buttons">+                        <div class="wp-block-button">+                            <a href="javascript:void(0);" class="wp-block-button__link CnP_formlink" data-guid="' . $formid[$frminc] . $cnpcurdatetim . '" style="cursor: pointer;">' . $cnpGetbuttontext . '</a>+                        </div>+                    </div>';+                } elseif ($cnpshortcodearray[1] === 'image') {+                    $cnpGetImage = $cnpshortcodearray[3];+                    $rtrnstrarr .= '<img class="CnP_formlink" src="data:image/jpeg;base64,' . base64_encode($cnpGetImage) . '" data-guid="' . $formid[$frminc] . 
'" style="cursor: pointer;">';+                }+            }+        }++        return $rtrnstrarr;+    } else {+        $rtrnstr = CNPCF_getGroupCustomerrmsg($frmid[0]);+        return $rtrnstr;+    }+} else {+    $rtrnstr = CNPCF_getGroupCustomerrmsg($frmid[0]);+    return $rtrnstr;+} -	 $rtrnstr =CNPCF_getGroupCustomerrmsg($frmid[0]);-	 return $rtrnstr;-	} } function cnpform_GetPledgeTVChannelsShortCode($chnlid){ -	global $wpdb;-	global $cnp_table_name;-	global $rtrnstr;--	 $chkshortcodexit = CNPCF_isExistchannelShortcode($chnlid[0]);--	if($chkshortcodexit)-	{-		-		 $cnpgrpnm   = str_replace('-', ' ', $chnlid[0]);-		 $channelid  = CNPCF_getchannelsofGroup($cnpgrpnm);-		-		if(count($channelid) >=1){-		$rtrnstrarr ="";-		for($frminc=0;$frminc <	 count($channelid);$frminc++)-		{-			$attrs = array('class' => 'cnp_pledgetv_wrapper', 'data-channel' => $channelid[$frminc],'data-iframe-width'=>'100%','data-iframe-height'=>'315') ;-			$attrs_string = '';-			if(!empty( $attrs ) ) {--				foreach ( $attrs as $key => $value ) {-					$attrs_string .= "$key='" . esc_attr( $value ) . 
"' ";-				}-				$attrs = ltrim( $attrs_string );--	  	 }-		  $tvrtrnstr ="<script>var list = document.getElementsByTagName('script');-				var i = list.length, flag = false;-				while (i--) { -					if (list[i].src === 'https://pledge.tv/library/js/pledgetv.js') {-						flag = true;-						break;-					}-				}--				if (!flag) {-					var tag = document.createElement('script');-					tag.src = 'https://pledge.tv/library/js/pledgetv.js';-					document.getElementsByTagName('body')[0].appendChild(tag);-				}</script>";-			-			}-	 $tvrtrnstr.='<div '.$attrs .'></div>';-	return $tvrtrnstr;-			}else{-			 $rtrnstr = CNPCF_getGroupchnlCustomerrmsg($chnlid[0]);-	 return $rtrnstr;+global $wpdb;+global $cnp_table_name;+global $rtrnstr;++$chkshortcodexit = CNPCF_isExistchannelShortcode($chnlid[0]);++if ($chkshortcodexit) {+    $cnpgrpnm = str_replace('-', ' ', $chnlid[0]);+    $channelid = CNPCF_getchannelsofGroup($cnpgrpnm);++    if (count($channelid) >= 1) {+        $rtrnstrarr = "";++        for ($frminc = 0; $frminc < count($channelid); $frminc++) {+            $attrs = [+                'class' => 'cnp_pledgetv_wrapper',+                'data-channel' => $channelid[$frminc],+                'data-iframe-width' => '100%',+                'data-iframe-height' => '315'+            ];++            $attrs_string = '';+            foreach ($attrs as $key => $value) {+                $attrs_string .= "$key='" . esc_attr($value) . 
"' ";+            }++            $attrs_string = ltrim($attrs_string);++            $tvrtrnstr = "<script>+                var list = document.getElementsByTagName('script');+                var i = list.length, flag = false;+                while (i--) { +                    if (list[i].src === 'https://pledge.tv/library/js/pledgetv.js') {+                        flag = true;+                        break;+                    }+                }++                if (!flag) {+                    var tag = document.createElement('script');+                    tag.src = 'https://pledge.tv/library/js/pledgetv.js';+                    document.getElementsByTagName('body')[0].appendChild(tag);+                }+            </script>";++            $tvrtrnstr .= '<div ' . $attrs_string . '></div>';+        }++        return $tvrtrnstr;+    } else {+        $rtrnstr = CNPCF_getGroupchnlCustomerrmsg($chnlid[0]);+        return $rtrnstr;+    }+} else {+    $rtrnstr = CNPCF_getGroupchnlCustomerrmsg($chnlid[0]);+    return $rtrnstr;+} -		}-	}-	else-	{-	 -	 $rtrnstr =CNPCF_getGroupchnlCustomerrmsg($chnlid[0]);-	 return $rtrnstr;-	} } function cnpform_GetPledgeTVChannelShortCode($chanelid){  	global $wpdb; 	global $cnp_table_name;-	//global $tvrtrnstr;+	  	$attrs = array('class' => 'cnp_pledgetv_wrapper', 'data-channel' => $chanelid[0],'data-iframe-width'=>'100%','data-iframe-height'=>'315') ; 		$attrs_string = '';@@ -727,7 +806,7 @@ 	add_action('admin_footer', 'cnpadddatetimepicker',1000);  	function cnphook_js() {-		echo '<div style="display:none;"><input type="hidden" name="cnpversion" id="cnpversion" value="2.23110000-WP6.4.1" /></div>';+		echo '<div style="display:none;"><input type="hidden" name="cnpversion" id="cnpversion" value="2.24120000-WP6.7.1" /></div>'; 		?> 			 				<script>
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - clickandpledge_form.php [108-112]
Old Code:
```php
$check_column = (array) $wpdb->get_results("SELECT count(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME = '$cnp_formtable_name' AND COLUMN_NAME = 'cnpform_urlparameters'")[0];
```
Fixed Code:
```php
$check_column = $wpdb->get_var(
    $wpdb->prepare(
        "SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = %s AND COLUMN_NAME = %s",
        $cnp_formtable_name,
        'cnpform_urlparameters'
    )
);
```

Explanation:
The old code directly concatenates the `$cnp_formtable_name` variable into the SQL query string without sanitization. This variable is user-controlled through database operations and could potentially contain malicious SQL if an attacker can manipulate table names. The fixed code uses `$wpdb->prepare()` with proper parameter binding to safely include the table name in the query, preventing SQL injection.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - clickandpledge_form.php [115-118]
Old Code:
```php
$wpdb->query(
    "ALTER TABLE $table_name
       ADD COLUMN `cnpform_urlparameters` TEXT NOT NULL
      ");
```
Fixed Code:
```php
$wpdb->query(
    "ALTER TABLE $cnp_formtable_name ADD COLUMN `cnpform_urlparameters` TEXT NOT NULL"
);
```

Explanation:
The old code directly concatenates `$table_name` (which equals `$cnp_formtable_name`) into the ALTER TABLE statement without sanitization. This allows SQL injection if an attacker can control the table name. The fixed code still uses direct concatenation, so the same exposure is present in both versions. The proper fix would require a different approach, since ALTER TABLE does not support prepared-statement parameters in WordPress.

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - clickandpledge_form.php [246-249]
Old Code:
```php
$cnpcnntaccountid = explode("~",$_POST['cnpacid']);
```
Fixed Code:
```php
$cnpcnntaccountid = explode("~", sanitize_text_field($_POST['cnpacid']));
```

Explanation:
The old code directly uses `$_POST['cnpacid']` without sanitization. This user input is later used in XML construction and SOAP calls, and while it's escaped in the output with `htmlspecialchars()`, the unsanitized input could still be vulnerable to other attack vectors. The fixed code properly sanitizes the input using `sanitize_text_field()` before processing.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - clickandpledge_form.php [468-471]
Old Code:
```php
$scnpSQL = "SELECT * FROM ".$cnp_settingtable_name." where cnpstngs_frndlyname ='".$_POST['param']."'";
```
Fixed Code:
```php
$param = sanitize_text_field($_POST['param']);
$scnpSQL = $wpdb->prepare(
    "SELECT * FROM {$cnp_settingtable_name} WHERE cnpstngs_frndlyname = %s",
    $param
);
```

Explanation:
The old code directly concatenates unsanitized `$_POST['param']` into the SQL query, creating a clear SQL injection vulnerability. The fixed code properly sanitizes the input and uses `$wpdb->prepare()` with parameter binding to safely include the value in the query.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - clickandpledge_form.php [485-488]
Old Code:
```php
$scnpSQL = "SELECT * FROM ".$cnp_channelgrptable_name." where cnpchannelgrp_groupname = '".$_POST['param']."'";
```
Fixed Code:
```php
$param = sanitize_text_field($_POST['param']);
$scnpSQL = $wpdb->prepare(
    "SELECT * FROM {$cnp_channelgrptable_name} WHERE cnpchannelgrp_groupname = %s",
    $param
);
```

Explanation:
The old code directly concatenates unsanitized `$_POST['param']` into the SQL query, creating a clear SQL injection vulnerability. The fixed code properly sanitizes the input and uses `$wpdb->prepare()` with parameter binding.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - clickandpledge_form.php [503-506]
Old Code:
```php
$scnpSQL = "SELECT * FROM ".$cnp_table_name." where cnpform_groupname = '".$_POST['param']."'";
```
Fixed Code:
```php
$param = sanitize_text_field($_POST['param']);
$scnpSQL = $wpdb->prepare(
    "SELECT * FROM {$cnp_table_name} WHERE cnpform_groupname = %s",
    $param
);
```

Explanation:
The old code directly concatenates unsanitized `$_POST['param']` into the SQL query, creating a clear SQL injection vulnerability. The fixed code properly sanitizes the input and uses `$wpdb->prepare()` with parameter binding.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - clickandpledge_form.php [521-524]
Old Code:
```php
$scnpSQL = "SELECT * FROM ".$cnp_settingtable_name." where cnpstngs_AccountNumber = '".$_POST['param']."'";
```
Fixed Code:
```php
$param = sanitize_text_field($_POST['param']);
$scnpSQL = $wpdb->prepare(
    "SELECT * FROM {$cnp_settingtable_name} WHERE cnpstngs_AccountNumber = %s",
    $param
);
```

Explanation:
The old code directly concatenates unsanitized `$_POST['param']` into the SQL query, creating a clear SQL injection vulnerability. The fixed code properly sanitizes the input and uses `$wpdb->prepare()` with parameter binding.
CVE Analysis Results:
CVE-2025-32550: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] cnpChannelsDetails.php AI: 4 vulnerabilities 1 false positive, 3 true positives CVE-2025-32550
--- cache/click-pledge-connect_2.24080000-WP6.6.1/cnpChannelsDetails.php	2025-11-20 22:13:36.779109072 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/cnpChannelsDetails.php	2025-11-20 22:19:32.250906915 +0000@@ -1,130 +1,164 @@-<?php
-function cnp_pledgetvchannelsdetails() {
-
-	global $wpdb;    global $cnp_settingtable_name;global $cnp_table_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";
-	}
-	if($info=="sts")
-	{
-		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";
-	}
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$wpdb->query("delete from ".$cnp_table_name." where cnpform_ID =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-	}
-	if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
-	{	
-		$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
-		if($cnpstsrtnval == true){$cnpredirectval = "sts";}else{$cnpredirectval = "stsfail";}
-		wp_redirect("admin.php?page=cnp_formsdetails&info=".$cnpredirectval);
-		exit;
-	}
-
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-	
-	cnpchannelslist();
-	jQuery('#cnpaccntid').change(function() {
-	 
-		var oTable = jQuery('#cnpformslist').dataTable(); 	
-		oTable.fnClearTable();
-		oTable.fnDraw();
-		oTable.fnDestroy();
-		cnpchannelslist(); 
-		
-	});	
-	
-	});
-	
-	function cnpchannelslist()
-	{ 
-		
-		var  cnpconnectaccountid= jQuery('#cnpaccntid').val().trim();
-	
-			 jQuery.ajax({
-				  type: "POST", 
-				  url: ajaxurl ,
-			      serverSide: true, 
-				  data: {
-						'action':'getCnPUserChannelList',
-					  	'cnpacid':cnpconnectaccountid,
-						},
-				  cache: false,
-				  beforeSend: function() {
-				  jQuery("#dvldimg").show();
-				  jQuery('#cnpaccntid').attr("disabled", true); 
-				  
-
-					},
-					complete: function() {
-					
-					},	
-				  success: function(htmlText) {	
-					 jQuery('#cnpaccntid').attr("disabled", false); 
-					 jQuery("#dvldimg").hide();  
-				
-					
-					  var body = htmlText;	  
-					 jQuery("#cnpformslist tbody").html("");     
-							if(htmlText != "")
-							{
-						
-							  jQuery( "#cnpformslist tbody" ).append(body);
-						    }else{
-	
-}
-						 jQuery( "#cnpformslist" ).DataTable();
-						 jQuery("#cnpformslist tr:even").css("background-color", "#f1f1f1");								   
-						  },
-				  error: function(xhr, ajaxOptions, thrownError) {
-					alert(thrownError + "\r\n" + xhr.statusText + "\r\n" + xhr.responseText);
-				  }
-				});
-		 
-	}
-	/* ]]> */
-
-</script>
-<style >
-table#cnpformslist tr.even {
-  background-color: #f1f1f1;
-}
-</style>
-<?php
-		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-			              <h2>Channels &nbsp;&nbsp;&nbsp;</h2>';
-	     $cnpresltdsply  .= '<p><select name="cnpaccntid" id="cnpaccntid">';
-	 	 $sql          = "select cnpstngs_AccountNumber,cnpstngs_frndlyname,cnpstngs_ID,cnpstngs_guid from ".$cnp_settingtable_name." where cnpstngs_status =1 order by cnpstngs_AccountNumber ASC";
-		 $result       = $wpdb->get_results($sql);
-		 if($wpdb->num_rows > 0 )
-		 {
-			foreach($result as $cnpformData):
-			 $cnpdlctid=$cnpformData->cnpstngs_AccountNumber."~".$cnpformData->cnpstngs_guid;
-				$cnpresltdsply .= '<option value="'.$cnpdlctid.'" >'.$cnpformData->cnpstngs_frndlyname.' ( '.$cnpformData->cnpstngs_AccountNumber.')</option>';		  
-						
-			endforeach; 
-		 } $cnpimgurl = plugins_url(CFCNP_PLUGIN_NAME."/images/ajax-loader_trans.gif");
-		  $cnpresltdsply .= ' </select><img id="dvldimg" src="'.$cnpimgurl.'" alt="Loading" class="cnp_loadertv" /></p><table class="wp-list-table widefat  " id="cnpformslist" ><thead><tr><th><u>Channel</u></th><th><u>Channel Name</u></th><th><u>Created Date</u></th><th><u>Short Code&nbsp;<a class="tooltip" ><i class="fa fa-question-circle"></i><span class="tooltiptext">Please copy this code and place it in your required content pages, posts or any custom content types.</span></a></u></th></tr></thead><tbody>';
-	     
-		
-		//$cnpresltdsply .= '<tr><td colspan=10>No Record Found!</td><tr>';
-		$cnpresltdsply .= '</tbody></table></div>';
-		echo $cnpresltdsply;
-}
+<?php+function cnp_pledgetvchannelsdetails() {++	global $wpdb;    global $cnp_settingtable_name;global $cnp_table_name;+	$info          = $_REQUEST["info"];+    $cnpresltdsply = "";+	if($info=="saved")+	{+		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";+	}+	if($info=="failed")+	{+		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";+	}+	if($info=="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";+	}+	if($info=="sts")+	{+		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";+	}+	if ($info === "del") {+    $delid = isset($_GET['did']) ? intval($_GET['did']) : 0; +    if ($delid > 0) {+        $deleted = $wpdb->delete(+            $cnp_table_name, +            ['cnpform_ID' => $delid],+            ['%d'] +        );++        if ($deleted) {+            echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+        } else {+            echo "<div class='error' id='message'><p><strong>Error deleting the record.</strong></p></div>";+        }+    }+}++if (isset($_GET['cnpsts']) && $_GET['cnpsts'] !== "") {+    $cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0; +    $cnpsts = sanitize_text_field(wp_unslash($_GET['cnpsts'])); ++    if ($cnpviewid > 0) {+        $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpviewid, $cnpsts);++        $cnpredirectval = $cnpstsrtnval ? "sts" : "stsfail";++        wp_redirect(admin_url("admin.php?page=cnp_formsdetails&info=" . 
$cnpredirectval));+        exit;+    }+}+++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+	+	cnpchannelslist();+	jQuery('#cnpaccntid').change(function() {+	 +		var oTable = jQuery('#cnpformslist').dataTable(); 	+		oTable.fnClearTable();+		oTable.fnDraw();+		oTable.fnDestroy();+		cnpchannelslist(); +		+	});	+	+	});+	+	function cnpchannelslist()+	{ +		+		var  cnpconnectaccountid= jQuery('#cnpaccntid').val().trim();+	+			 jQuery.ajax({+				  type: "POST", +				  url: ajaxurl ,+			      serverSide: true, +				  data: {+						'action':'getCnPUserChannelList',+					  	'cnpacid':cnpconnectaccountid,+						},+				  cache: false,+				  beforeSend: function() {+				  jQuery("#dvldimg").show();+				  jQuery('#cnpaccntid').attr("disabled", true); +				  ++					},+					complete: function() {+					+					},	+				  success: function(htmlText) {	+					 jQuery('#cnpaccntid').attr("disabled", false); +					 jQuery("#dvldimg").hide();  +				+					+					  var body = htmlText;	  +					 jQuery("#cnpformslist tbody").html("");     +							if(htmlText != "")+							{+						+							  jQuery( "#cnpformslist tbody" ).append(body);+						    }else{+	+}+						 jQuery( "#cnpformslist" ).DataTable();+						 jQuery("#cnpformslist tr:even").css("background-color", "#f1f1f1");								   +						  },+				  error: function(xhr, ajaxOptions, thrownError) {+					alert(thrownError + "\r\n" + xhr.statusText + "\r\n" + xhr.responseText);+				  }+				});+		 +	}+	/* ]]> */++</script>+<style >+table#cnpformslist tr.even {+  background-color: #f1f1f1;+}+</style>+<?php+		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+              <h2>Channels &nbsp;&nbsp;&nbsp;</h2>';++$cnpresltdsply .= '<p><select name="cnpaccntid" id="cnpaccntid">';+$sql = $wpdb->prepare(+    "SELECT cnpstngs_AccountNumber, cnpstngs_frndlyname, cnpstngs_ID, cnpstngs_guid FROM $cnp_settingtable_name 
WHERE cnpstngs_status = %d ORDER BY cnpstngs_AccountNumber ASC",+    1 +);++$result = $wpdb->get_results($sql);+if ($result) {+    foreach ($result as $cnpformData) {+        $cnpdlctid = esc_attr($cnpformData->cnpstngs_AccountNumber . "~" . $cnpformData->cnpstngs_guid);+        $cnpresltdsply .= '<option value="' . $cnpdlctid . '">' . esc_html($cnpformData->cnpstngs_frndlyname) . ' (' . esc_html($cnpformData->cnpstngs_AccountNumber) . ')</option>';+    }+}++$cnpimgurl = esc_url(plugins_url(CFCNP_PLUGIN_NAME . "/images/ajax-loader_trans.gif"));+$cnpresltdsply .= ' </select><img id="dvldimg" src="' . $cnpimgurl . '" alt="Loading" class="cnp_loadertv" /></p>';++$cnpresltdsply .= '<table class="wp-list-table widefat" id="cnpformslist">+        <thead>+            <tr>+                <th><u>Channel</u></th>+                <th><u>Channel Name</u></th>+                <th><u>Created Date</u></th>+                <th><u>Short Code&nbsp;<a class="tooltip"><i class="fa fa-question-circle"></i><span class="tooltiptext">Please copy this code and place it in your required content pages, posts or any custom content types.</span></a></u></th>+            </tr>+        </thead>+        <tbody>';+++$cnpresltdsply .= '</tbody></table></div>';+echo $cnpresltdsply;++} ?>\ No newline at end of file
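Review bot: the `del` branch now passes `intval($_GET['did'])` to `$wpdb->delete()` with a `%d` format, which removes the injection, but the delete is still triggered by a plain GET (`?info=del&did=N`) with no `check_admin_referer()` or `current_user_can()` check anywhere in the hunk, and the status-change path on `cnpsts`/`cnpviewid` has the same gap; add a nonce to the links that produce these requests and verify it, plus a capability check, before calling `$wpdb->delete()` or `CNPCF_updateCnPstatus()`. `$info = $_REQUEST["info"]` is also still read without `isset()` (an undefined-index warning when the page is opened without the parameter) and should go through `sanitize_text_field(wp_unslash(...))` the way `$cnpsts` now does. In the `prepare()` call the `%d` only binds the constant `1` while `$cnp_settingtable_name` is interpolated into the format string; acceptable for a plugin-defined table name, but it adds no protection beyond the original query, so it should not be counted as part of the fix.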
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - cnpChannelsDetails.php 21-22
Old Code:
```php
$delid=$_GET["did"];
$wpdb->query("delete from ".$cnp_table_name." where cnpform_ID =".$delid);
```
Fixed Code:
```php
$delid = isset($_GET['did']) ? intval($_GET['did']) : 0; 
if ($delid > 0) {
    $deleted = $wpdb->delete(
        $cnp_table_name, 
        ['cnpform_ID' => $delid],
        ['%d'] 
    );
```
Explanation:
The old code directly concatenates user input ($_GET["did"]) into an SQL query without sanitization. An attacker can control the "did" parameter to inject SQL commands. The fixed code uses intval() to ensure only integers are accepted and uses WordPress's $wpdb->delete() with prepared statements.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - cnpChannelsDetails.php 30-31
Old Code:
```php
$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
```
Fixed Code:
```php
$cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0; 
$cnpsts = sanitize_text_field(wp_unslash($_GET['cnpsts'])); 

if ($cnpviewid > 0) {
    $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpviewid, $cnpsts);
```
Explanation:
The old code passes $_GET['cnpviewid'] and $_GET['cnpsts'] directly to CNPCF_updateCnPstatus without validation. These parameters are attacker-controlled and could be used for SQL injection if the function doesn't properly sanitize them. The fixed code validates cnpviewid as integer and sanitizes cnpsts.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cnpChannelsDetails.php 126-127
Old Code:
```php
$cnpdlctid=$cnpformData->cnpstngs_AccountNumber."~".$cnpformData->cnpstngs_guid;
$cnpresltdsply .= '<option value="'.$cnpdlctid.'" >'.$cnpformData->cnpstngs_frndlyname.' ( '.$cnpformData->cnpstngs_AccountNumber.')</option>';
```
Fixed Code:
```php
$cnpdlctid = esc_attr($cnpformData->cnpstngs_AccountNumber . "~" . $cnpformData->cnpstngs_guid);
$cnpresltdsply .= '<option value="' . $cnpdlctid . '">' . esc_html($cnpformData->cnpstngs_frndlyname) . ' (' . esc_html($cnpformData->cnpstngs_AccountNumber) . ')</option>';
```
Explanation:
The old code directly outputs database values into HTML without escaping. If an attacker can control these database values (through SQL injection or other means), they can inject malicious scripts. The fixed code uses esc_attr() for attribute values and esc_html() for text content.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - cnpChannelsDetails.php 124-125
Old Code:
```php
$sql          = "select cnpstngs_AccountNumber,cnpstngs_frndlyname,cnpstngs_ID,cnpstngs_guid from ".$cnp_settingtable_name." where cnpstngs_status =1 order by cnpstngs_AccountNumber ASC";
$result       = $wpdb->get_results($sql);
```
Fixed Code:
```php
$sql = $wpdb->prepare(
    "SELECT cnpstngs_AccountNumber, cnpstngs_frndlyname, cnpstngs_ID, cnpstngs_guid FROM $cnp_settingtable_name WHERE cnpstngs_status = %d ORDER BY cnpstngs_AccountNumber ASC",
    1 
);
$result = $wpdb->get_results($sql);
```
Explanation:
The old code uses string concatenation for SQL queries instead of prepared statements. While the status value is hardcoded as 1, this pattern is vulnerable to SQL injection if other parts of the query become dynamic. The fixed code uses $wpdb->prepare() with proper parameterization.
CVE Analysis Results:
CVE-2025-32550: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] cnpFormDetails.php AI: 3 vulnerabilities 1 false positive, 2 true positives CVE-2025-32550
--- cache/click-pledge-connect_2.24080000-WP6.6.1/cnpFormDetails.php	2025-11-20 22:13:36.779109072 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/cnpFormDetails.php	2025-11-20 22:19:32.250906915 +0000@@ -1,93 +1,151 @@-<?php
-function cnp_formsdetails() {
-
-	global $wpdb;    global $cnp_settingtable_name;global $cnp_table_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";
-	}
-	if($info=="sts")
-	{
-		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";
-	}
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$wpdb->query("delete from ".$cnp_table_name." where cnpform_ID =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-	}
-	if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
-	{	
-		$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
-		if($cnpstsrtnval == true){$cnpredirectval = "sts";}else{$cnpredirectval = "stsfail";}
-		wp_redirect("admin.php?page=cnp_formsdetails&info=".$cnpredirectval);
-		exit;
-	}
-
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-		jQuery('#cnpformslist').dataTable();
-		jQuery("tr:even").css("background-color", "#f1f1f1");
-	});
-	/* ]]> */
-
-</script>
-<?php
-		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-			              <h2>Click & Pledge CONNECT Forms &nbsp;&nbsp;&nbsp;<a class="page-title-action add-new-h2" href="admin.php?page=cnpforms_add&act=add">Add New Form Group</a></h2><p></p>
-			              <div class="cnp_scrollable_x">
-						  <table style="width:99%;" class="wp-list-table widefat cnp_table_w" id="cnpformslist" ><thead><tr><th>Group Name</th><th>Account #</th><th>Type</th><th>Short Code&nbsp;<a class="tooltip" ><i class="fa fa-question-circle"></i><span class="tooltiptext">Please copy this code and place it in your required content pages, posts or any custom content types. This code will run the series of the forms which has been added to this particular Form Group inside your content page.</span></a></th><th>Start Date/Time</th><th>End Date/Time</th><th>Active Form(s)</th><th>Last Modified</th><th>Status</th><th>Actions</th></tr></thead><tbody>';
-
-		  $sql          = "select * from ".$cnp_table_name." join ".$cnp_settingtable_name." on cnpform_cnpstngs_ID= cnpstngs_ID order by cnpform_Date_Modified DESC";
-		 $result       = $wpdb->get_results($sql);
-		 if($wpdb->num_rows > 0 )
-		 {
-			foreach($result as $cnpformData):
-	// <td nowrap><u><a href="admin.php?page=cnpform_add&cnpid='.$id.'"">Edit</a></u></td>
-			    $nwenddt="";
-				$cnpform_id     = $cnpformData->cnpform_ID;
-				$gname             = $cnpformData->cnpform_groupname;
-				$account        = $cnpformData->cnpstngs_AccountNumber;
-				$frmstrtdt      = $cnpformData->cnpform_Form_StartDate;
-				$frmenddt       = $cnpformData->cnpform_Form_EndDate;
-			 	if($frmenddt == "0000-00-00 00:00:00") {$frmenddt ="";}
-		  		$frmtype        = $cnpformData->cnpform_type;
-			 	if($frmtype == "popup"){$frmtype = "Overlay";}
-			    if($frmtype == "inline"){$frmtype = "Inline";}
-		  		$frmshrtcode    = $cnpformData->cnpform_shortcode;
-			  	 $stdate = new DateTime($frmstrtdt);
-			 if($frmenddt!=""){
-				 $eddate = new DateTime($frmenddt);
-				 $nwenddt = $eddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP);}
-			     $mddate = new DateTime($cnpformData->cnpform_Date_Modified);
-			     $frmmodifiddt    = date_format(date_create($cnpformData->cnpform_Date_Modified),"d-m-Y H:i:s");
-			  	 $frmsts         = CNPCF_getfrmsts($cnp_table_name,'cnpform_status','cnpform_ID',$cnpform_id);
-			 if($frmenddt!=""){
-			    	if(strtotime($frmenddt) < strtotime(CFCNP_PLUGIN_CURRENTTIME)){
-					$frmsts ="Expired";
-					}
-			 }
-				$noofforms      = CNPCF_getCountForms($cnpform_id);
-				$cnpresltdsply .= '<tr><td>'.$gname.'</td><td>'.$account.'</td><td >'.$frmtype.'</td><td>'.$frmshrtcode.'</td><td>'.$stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td><td>'.$nwenddt.'</td><td>'.$noofforms.'</td><td data-sort="'.strtotime($frmmodifiddt).'">'.$mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
-								   <td><a href="admin.php?page=cnp_formsdetails&cnpsts='.$frmsts.'&cnpviewid='.$cnpform_id.'"">'.$frmsts.'</a></td>
-								   <td><a href="admin.php?page=cnp_formdetails&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-visibility"></span></a> |  <a href="admin.php?page=cnpforms_add&act=edit&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-edit"></span></a> |  <a href="admin.php?page=cnp_formsdetails&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a></td></tr>';
-			endforeach; 
-	     } 
-		 else {$cnpresltdsply .= '<tr><td>No Record Found!</td><tr>';}
-		
-		 $cnpresltdsply .= '</tbody></table></div></div>';
-		 echo $cnpresltdsply;
-}
+<?php+function cnp_formsdetails() {++	global $wpdb;    global $cnp_settingtable_name;global $cnp_table_name;+	if (isset($_REQUEST["info"])) {+    $info = sanitize_text_field($_REQUEST["info"]);+}+    $cnpresltdsply = "";+if (isset($info) && $info === "saved") {	+		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";+	}+	if(isset($info) && $info === "failed")+	{+		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";+	}+	if(isset($info) && $info ==="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";+	}+	if(isset($info) && $info ==="sts")+	{+		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";+	}+	if (isset($info) && $info === "del") {+  +    $delid = isset($_GET["did"]) ? absint($_GET["did"]) : 0;++    if ($delid > 0) {+       +        $wpdb->query($wpdb->prepare("DELETE FROM {$cnp_table_name} WHERE cnpform_ID = %d", $delid));+        echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid ID for deletion.</strong></p></div>";+    }+}++if (isset($_GET['cnpsts']) && $_GET['cnpsts'] != "") {+  +    $cnpsts = sanitize_text_field($_GET['cnpsts']);+    $cnpviewid = absint($_GET['cnpviewid']);++    if ($cnpviewid > 0 && !empty($cnpsts)) {+           $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpviewid, $cnpsts);+        if ($cnpstsrtnval === true) {+            $cnpredirectval = "sts";  +        } else {+            $cnpredirectval = "stsfail";  +        }+        wp_redirect("admin.php?page=cnp_formsdetails&info=" . 
$cnpredirectval);+        exit;+    } else {+         wp_redirect("admin.php?page=cnp_formsdetails&info=invalid");+        exit;+    }+}+++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+		jQuery('#cnpformslist').dataTable();+		jQuery("tr:even").css("background-color", "#f1f1f1");+	});+	/* ]]> */++</script>+<?php+		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+			              <h2>Click & Pledge CONNECT Forms &nbsp;&nbsp;&nbsp;<a class="page-title-action add-new-h2" href="admin.php?page=cnpforms_add&act=add">Add New Form Group</a></h2><p></p>+			              <div class="cnp_scrollable_x">+						  <table style="width:99%;" class="wp-list-table widefat cnp_table_w" id="cnpformslist" ><thead><tr><th>Group Name</th><th>Account #</th><th>Type</th><th>Short Code&nbsp;<a class="tooltip" ><i class="fa fa-question-circle"></i><span class="tooltiptext">Please copy this code and place it in your required content pages, posts or any custom content types. 
This code will run the series of the forms which has been added to this particular Form Group inside your content page.</span></a></th><th>Start Date/Time</th><th>End Date/Time</th><th>Active Form(s)</th><th>Last Modified</th><th>Status</th><th>Actions</th></tr></thead><tbody>';++		++$sql = "SELECT * +        FROM {$cnp_table_name} +        JOIN {$cnp_settingtable_name} +        ON cnpform_cnpstngs_ID = cnpstngs_ID +        ORDER BY cnpform_Date_Modified DESC";++$result = $wpdb->get_results($sql);+if ($wpdb->num_rows > 0) {+    foreach ($result as $cnpformData) {+        $nwenddt = "";+        $cnpform_id = $cnpformData->cnpform_ID;+        $gname = esc_html($cnpformData->cnpform_groupname); +        $account = esc_html($cnpformData->cnpstngs_AccountNumber); +        $frmstrtdt = $cnpformData->cnpform_Form_StartDate;+        $frmenddt = $cnpformData->cnpform_Form_EndDate;+        if ($frmenddt == "0000-00-00 00:00:00") {+            $frmenddt = "";+        }+        $frmtype = $cnpformData->cnpform_type;+        if ($frmtype == "popup") {+            $frmtype = "Overlay";+        }+        if ($frmtype == "inline") {+            $frmtype = "Inline";+        }+        $frmshrtcode = esc_html($cnpformData->cnpform_shortcode); +        $stdate = new DateTime($frmstrtdt);+        if ($frmenddt != "") {+            $eddate = new DateTime($frmenddt);+            $nwenddt = $eddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP);+        }+        $mddate = new DateTime($cnpformData->cnpform_Date_Modified);+        $frmmodifiddt = date_format(date_create($cnpformData->cnpform_Date_Modified), "d-m-Y H:i:s");++       +        $frmsts = CNPCF_getfrmsts($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpform_id);+        if ($frmenddt != "" && strtotime($frmenddt) < strtotime(CFCNP_PLUGIN_CURRENTTIME)) {+            $frmsts = "Expired";+        }++       +        $noofforms = CNPCF_getCountForms($cnpform_id);++      +        $cnpresltdsply .= '<tr>+                           
 <td>' . esc_html($gname) . '</td>+                            <td>' . esc_html($account) . '</td>+                            <td>' . esc_html($frmtype) . '</td>+                            <td>' . esc_html($frmshrtcode) . '</td>+                            <td>' . $stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>+                            <td>' . ($nwenddt ?: '&ndash;') . '</td>+                            <td>' . esc_html($noofforms) . '</td>+                            <td data-sort="' . strtotime($frmmodifiddt) . '">' . $mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>+                            <td><a href="admin.php?page=cnp_formsdetails&cnpsts=' . esc_attr($frmsts) . '&cnpviewid=' . esc_attr($cnpform_id) . '">' . esc_html($frmsts) . '</a></td>+                            <td>+                                <a href="admin.php?page=cnp_formdetails&cnpviewid=' . esc_attr($cnpform_id) . '">+                                    <span class="dashicons dashicons-visibility"></span>+                                </a> |+                                <a href="admin.php?page=cnpforms_add&act=edit&cnpviewid=' . esc_attr($cnpform_id) . '">+                                    <span class="dashicons dashicons-edit"></span>+                                </a> |+                                <a href="admin.php?page=cnp_formsdetails&info=del&did=' . esc_attr($cnpform_id) . '">+                                    <span class="dashicons dashicons-trash"></span>+                                </a>+                            </td>+                        </tr>';+    }+} else {+    $cnpresltdsply .= '<tr><td colspan="9">No Record Found!</td></tr>';+}++$cnpresltdsply .= '</tbody></table></div></div>';+echo $cnpresltdsply;++} ?>\ No newline at end of file
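Review bot: the delete path is still driven by a plain GET request (`info=del&did=...`) with no nonce check visible anywhere in `cnp_formsdetails()`; `absint()` plus `$wpdb->prepare()` close the injection, but the action remains CSRF-able. Wrap the trash link in `wp_nonce_url()` and call `check_admin_referer()` before the `$wpdb->query(...)`, and do the same for the `cnpsts`/`cnpviewid` status update, which also runs off a GET. Two smaller points: `$cnpviewid = absint($_GET['cnpviewid']);` reads the key without `isset()`, unlike the `did` handling just above it, so a request carrying only `cnpsts` raises an undefined-index notice; and `$gname`, `$account` and `$frmshrtcode` go through `esc_html()` at assignment and again inside the row template, which `esc_html()` tolerates but which should be done once, at output, so the variables stay usable in the `data-sort` and `href` contexts with the right escaper.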
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - cnpFormDetails.php [Lines 24-25]
Old Code:
```php
$delid=$_GET["did"];
$wpdb->query("delete from ".$cnp_table_name." where cnpform_ID =".$delid);
```
Fixed Code:
```php
$delid = isset($_GET["did"]) ? absint($_GET["did"]) : 0;
if ($delid > 0) {
    $wpdb->query($wpdb->prepare("DELETE FROM {$cnp_table_name} WHERE cnpform_ID = %d", $delid));
}
```

Explanation:
The old code directly concatenates user input ($_GET["did"]) into an SQL query without sanitization. An attacker can control the "did" parameter to inject SQL commands. The fixed code uses absint() to ensure integer input and $wpdb->prepare() with parameterized queries, preventing SQL injection.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cnpFormDetails.php [Lines 85-87]
Old Code:
```php
$cnpresltdsply .= '<tr><td>'.$gname.'</td><td>'.$account.'</td><td >'.$frmtype.'</td><td>'.$frmshrtcode.'</td><td>'.$stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td><td>'.$nwenddt.'</td><td>'.$noofforms.'</td><td data-sort="'.strtotime($frmmodifiddt).'">'.$mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
                   <td><a href="admin.php?page=cnp_formsdetails&cnpsts='.$frmsts.'&cnpviewid='.$cnpform_id.'"">'.$frmsts.'</a></td>
                   <td><a href="admin.php?page=cnp_formdetails&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-visibility"></span></a> |  <a href="admin.php?page=cnpforms_add&act=edit&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-edit"></span></a> |  <a href="admin.php?page=cnp_formsdetails&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a></td></tr>';
```
Fixed Code:
```php
$cnpresltdsply .= '<tr>
                    <td>' . esc_html($gname) . '</td>
                    <td>' . esc_html($account) . '</td>
                    <td>' . esc_html($frmtype) . '</td>
                    <td>' . esc_html($frmshrtcode) . '</td>
                    <td>' . $stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>
                    <td>' . ($nwenddt ?: '&ndash;') . '</td>
                    <td>' . esc_html($noofforms) . '</td>
                    <td data-sort="' . strtotime($frmmodifiddt) . '">' . $mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>
                    <td><a href="admin.php?page=cnp_formsdetails&cnpsts=' . esc_attr($frmsts) . '&cnpviewid=' . esc_attr($cnpform_id) . '">' . esc_html($frmsts) . '</a></td>
                    <td>
                        <a href="admin.php?page=cnp_formdetails&cnpviewid=' . esc_attr($cnpform_id) . '">
                            <span class="dashicons dashicons-visibility"></span>
                        </a> |
                        <a href="admin.php?page=cnpforms_add&act=edit&cnpviewid=' . esc_attr($cnpform_id) . '">
                            <span class="dashicons dashicons-edit"></span>
                        </a> |
                        <a href="admin.php?page=cnp_formsdetails&info=del&did=' . esc_attr($cnpform_id) . '">
                            <span class="dashicons dashicons-trash"></span>
                        </a>
                    </td>
                </tr>';
```

Explanation:
The old code directly outputs database values ($gname, $account, $frmtype, $frmshrtcode, $frmsts, $cnpform_id) into HTML without escaping. An attacker could store malicious scripts in the database that would execute when rendered. The fixed code uses esc_html() for text content and esc_attr() for HTML attributes, preventing XSS attacks.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - cnpFormDetails.php [Lines 32-33]
Old Code:
```php
$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
if($cnpstsrtnval == true){$cnpredirectval = "sts";}else{$cnpredirectval = "stsfail";}
```
Fixed Code:
```php
$cnpsts = sanitize_text_field($_GET['cnpsts']);
$cnpviewid = absint($_GET['cnpviewid']);
if ($cnpviewid > 0 && !empty($cnpsts)) {
    $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpviewid, $cnpsts);
}
```

Explanation:
The old code passes unsanitized user input ($_GET['cnpviewid'] and $_GET['cnpsts']) directly to the CNPCF_updateCnPstatus function, which likely builds SQL queries. An attacker can control these parameters to inject SQL commands. The fixed code uses absint() for the ID and sanitize_text_field() for the status value before passing them to the function.
CVE Analysis Results:
CVE-2025-32550: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] cnpPledgeTVDetails.php AI: 2 vulnerabilities 2 true positives CVE-2025-32550
--- cache/click-pledge-connect_2.24080000-WP6.6.1/cnpPledgeTVDetails.php	2025-11-20 22:13:36.779109072 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/cnpPledgeTVDetails.php	2025-11-20 22:19:32.250906915 +0000@@ -1,70 +1,90 @@-<?php
-function cnp_pledgetvformdetails() {
-
-	global $wpdb;    global $cnp_settingtable_name;global $cnp_table_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";
-	}
-	if($info=="sts")
-	{
-		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";
-	}
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$wpdb->query("delete from ".$cnp_table_name." where cnpform_ID =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-	}
-	if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
-	{	
-		$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
-		if($cnpstsrtnval == true){$cnpredirectval = "sts";}else{$cnpredirectval = "stsfail";}
-		wp_redirect("admin.php?page=cnp_formsdetails&info=".$cnpredirectval);
-		exit;
-	}
-
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-		jQuery('#cnpformslist').dataTable();
-		jQuery("tr:even").css("background-color", "#f1f1f1");
-	});
-	/* ]]> */
-
-</script>
-<?php
-		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-			              <h2>Latest Channels</h2><p></p>
-			              <table class="wp-list-table widefat  " id="cnpformslist" ><thead><tr><th><u>Channel ID</u></th><th><u>Channel Name</u></th><th><u>Raised</u></th><th><u>Plays</u></th></tr></thead><tbody>';
-
-		
-				//$cnpresltdsply .= '<tr><td></td><td></td><td ></td><td></td></tr>';
-				$cnpresltdsply .= '<tr><td colspan=4>No Record Found!</td></tr>';
-		
-		 $cnpresltdsply .= '</tbody></table></div>';
-		 echo $cnpresltdsply ;
-	
-	$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-			              <h2>Latest Pledge Videos</h2><p></p>
-			              <table class="wp-list-table widefat  " id="cnpformslist" ><thead><tr><th><u>Name</u></th><th><u>Raised</u></th><th><u>Plays</u></th></tr></thead><tbody>';
-
-		// $cnpresltdsply .= '<tr><td colspan=4></td><td></td><td ></td></tr>';
-				$cnpresltdsply .= '<tr><td colspan=3>No Record Found!</td></tr>';
-			
-		
-		 $cnpresltdsply .= '</tbody></table></div>';
-		 echo $cnpresltdsply ;
-}
+<?php+function cnp_pledgetvformdetails() {++	global $wpdb;    global $cnp_settingtable_name;global $cnp_table_name;+	$info          = $_REQUEST["info"];+    $cnpresltdsply = "";+	if($info=="saved")+	{+		echo "<div class='updated' id='message'><p><strong>Form Added</strong>.</p></div>";+	}+	if($info=="failed")+	{+		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";+	}+	if($info=="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Form updated</strong>.</p></div>";+	}+	if($info=="sts")+	{+		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";+	}+	if ($info == "del") {+  +    $delid = isset($_GET['did']) ? intval($_GET['did']) : 0;++    if ($delid > 0) {+      +        $wpdb->query($wpdb->prepare("DELETE FROM $cnp_table_name WHERE cnpform_ID = %d", $delid));+        +        echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid ID.</strong></p></div>";+    }+}++if (isset($_GET['cnpsts']) && $_GET['cnpsts'] != "") {+  +    $cnpsts = sanitize_text_field($_GET['cnpsts']);+    $cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0;++    if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) { +    +        $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpviewid, $cnpsts);+        +        if ($cnpstsrtnval) {+            $cnpredirectval = "sts";+        } else {+            $cnpredirectval = "stsfail";+        }++        wp_redirect("admin.php?page=cnp_formsdetails&info=" . 
$cnpredirectval);+        exit;+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid status or ID.</strong></p></div>";+    }+}+++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+		jQuery('#cnpformslist').dataTable();+		jQuery("tr:even").css("background-color", "#f1f1f1");+	});+	/* ]]> */++</script>+<?php+		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+			              <h2>Latest Channels</h2><p></p>+			              <table class="wp-list-table widefat  " id="cnpformslist" ><thead><tr><th><u>Channel ID</u></th><th><u>Channel Name</u></th><th><u>Raised</u></th><th><u>Plays</u></th></tr></thead><tbody>';++				$cnpresltdsply .= '<tr><td colspan=4>No Record Found!</td></tr>';+		+		 $cnpresltdsply .= '</tbody></table></div>';+		 echo $cnpresltdsply ;+	+	$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+			              <h2>Latest Pledge Videos</h2><p></p>+			              <table class="wp-list-table widefat  " id="cnpformslist" ><thead><tr><th><u>Name</u></th><th><u>Raised</u></th><th><u>Plays</u></th></tr></thead><tbody>';++				$cnpresltdsply .= '<tr><td colspan=3>No Record Found!</td></tr>';+			+		+		 $cnpresltdsply .= '</tbody></table></div>';+		 echo $cnpresltdsply ;+} ?>\ No newline at end of file
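Review bot: `$info = $_REQUEST["info"];` is left unguarded at the top of `cnp_pledgetvformdetails()`, while the sibling `cnpFormDetails.php` change in this same release wraps the identical read in `isset()` and `sanitize_text_field()`; bring this file in line so a request without `info` does not emit a notice. The `in_array($cnpsts, ['active', 'inactive'], true)` allowlist is the right shape, but the two files now disagree on what a valid status is (`cnpFormDetails.php` accepts any non-empty `sanitize_text_field()` result), so whichever set `CNPCF_updateCnPstatus()` actually expects should live in one place. As in the other file, the `did` delete and the status update still execute on a GET request with no `check_admin_referer()`; add a nonce to those links. Minor: the `else` branch of the status block echoes an error and falls through to render the page while the success branch redirects and exits; pick one behaviour for both outcomes.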
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - cnpPledgeTVDetails.php [25]
Old Code:
```php
if($info=="del")
{
    $delid=$_GET["did"];
    $wpdb->query("delete from ".$cnp_table_name." where cnpform_ID =".$delid);
    echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
}
```
Fixed Code:
```php
if ($info == "del") {
    $delid = isset($_GET['did']) ? intval($_GET['did']) : 0;
    if ($delid > 0) {
        $wpdb->query($wpdb->prepare("DELETE FROM $cnp_table_name WHERE cnpform_ID = %d", $delid));
        echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";
    } else {
        echo "<div class='error' id='message'><p><strong>Invalid ID.</strong></p></div>";
    }
}
```
Explanation:
The old code directly concatenates user input ($_GET["did"]) into an SQL query without sanitization. An attacker can control the "did" parameter to inject malicious SQL. The fixed code uses intval() to ensure only integers are accepted and uses $wpdb->prepare() with parameterized queries, preventing SQL injection.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - cnpPledgeTVDetails.php [32-36]
Old Code:
```php
if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
{	
    $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
    if($cnpstsrtnval == true){$cnpredirectval = "sts";}else{$cnpredirectval = "stsfail";}
    wp_redirect("admin.php?page=cnp_formsdetails&info=".$cnpredirectval);
    exit;
}
```
Fixed Code:
```php
if (isset($_GET['cnpsts']) && $_GET['cnpsts'] != "") {
    $cnpsts = sanitize_text_field($_GET['cnpsts']);
    $cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0;
    if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) {
        $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name, 'cnpform_status', 'cnpform_ID', $cnpviewid, $cnpsts);
        if ($cnpstsrtnval) {
            $cnpredirectval = "sts";
        } else {
            $cnpredirectval = "stsfail";
        }
        wp_redirect("admin.php?page=cnp_formsdetails&info=" . $cnpredirectval);
        exit;
    } else {
        echo "<div class='error' id='message'><p><strong>Invalid status or ID.</strong></p></div>";
    }
}
```
Explanation:
The old code passes unsanitized $_GET['cnpviewid'] and $_GET['cnpsts'] directly to the CNPCF_updateCnPstatus function. If this function builds SQL queries by concatenating these values, SQL injection is possible. The fixed code uses intval() for cnpviewid and sanitize_text_field() with an allowlist for cnpsts, preventing SQL injection.
CVE Analysis Results:
CVE-2025-32550: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
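The SQL-injection write-ups above (the `did` delete, the `CNPCF_updateCnPstatus()` status call, and the hardcoded-status query marked as a false positive) and the XSS write-ups all come down to two source patterns: request input reaching a `$wpdb` query method without `prepare()`, and a value spliced into HTML without `esc_html()`/`esc_attr()`. What follows is an added example, not part of this page's analysis, not Wordfence tooling and not the plugin's code: a small line-based Python heuristic that flags those patterns in PHP source, run over constructed fragments modelled on the quoted before/after code. The sink list, the guard list and the one-statement-per-line assumption are mine; it is a triage aid, not a proof.

```python
"""Heuristic, line-based check for the two defect patterns analysed above:
request input reaching a $wpdb query method without prepare(), and values
spliced into HTML without esc_html()/esc_attr(). Added example for this page,
not Wordfence tooling and not the plugin's code; one PHP statement per line."""
import re
from dataclasses import dataclass

SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
SANITIZER = re.compile(r"\b(?:intval|absint|sanitize_text_field|esc_sql)\s*\(|\(\s*int\s*\)")
ASSIGNMENT = re.compile(r"^\s*(\$\w+)\s*(\.?=)(?!=)\s*(.*)$")
WPDB_SINK = re.compile(r"\$wpdb->(?:query|get_results|get_var|get_row|get_col)\s*\(")
PREPARE = re.compile(r"\$wpdb->prepare\s*\(")
VARIABLE = re.compile(r"\$\w+")
# '...'.$var.'...' or '...'.$obj->prop.'...': a value joined between two string
# literals with no call wrapped around it (esc_html($v) does not match this)
RAW_SPLICE = re.compile(r"'\s*\.\s*(\$\w+(?:->\w+)?)\s*\.\s*'")
HTML_TAG = re.compile(r"<[A-Za-z]")
ENCLOSING_CALL = re.compile(r"(\w+)\s*\([^()]*$")
INPUT_GUARDS = {"isset", "empty", "intval", "absint", "sanitize_text_field",
                "esc_sql", "esc_attr", "esc_html", "wp_unslash"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # "sqli", "xss" or "review"
    detail: str


def scan(lines):
    """Return a list of Finding for PHP source lines, in source order."""
    tainted = set()          # variables currently holding unsanitised request data
    findings = []
    for no, line in enumerate(lines, start=1):
        code = line.strip()
        if not code or code.startswith(("//", "#", "/*", "*")):
            continue
        has_sanitizer = bool(SANITIZER.search(code))
        raw_input = bool(SUPERGLOBAL.search(code)) and not has_sanitizer
        tainted_here = sorted(v for v in set(VARIABLE.findall(code)) if v in tainted)

        # Rule "review": request data handed straight to a call we cannot see into
        # (the CNPCF_updateCnPstatus() case); a human has to read the callee.
        for m in SUPERGLOBAL.finditer(code):
            call = ENCLOSING_CALL.search(code[:m.start()])
            if call and call.group(1) not in INPUT_GUARDS:
                findings.append(Finding(no, "review", f"{m.group(0)} passed raw to {call.group(1)}()"))

        # Taint propagation: '=' or '.=' from request data or a tainted variable
        # taints the target; a plain '=' with a clean right-hand side clears it.
        asg = ASSIGNMENT.match(code)
        if asg:
            lhs, op, rhs = asg.groups()
            if raw_input or any(v in tainted for v in VARIABLE.findall(rhs)):
                tainted.add(lhs)
            elif op == "=":
                tainted.discard(lhs)

        # Rule "sqli": a $wpdb query method without prepare() that sees request data.
        if WPDB_SINK.search(code) and not PREPARE.search(code):
            sources = tainted_here + (["request input"] if raw_input else [])
            if sources:
                findings.append(Finding(no, "sqli", "unprepared query uses " + ", ".join(sources)))

        # Rule "xss": a value spliced into markup without esc_html()/esc_attr().
        if HTML_TAG.search(code):
            for m in RAW_SPLICE.finditer(code):
                findings.append(Finding(no, "xss", f"{m.group(1)} written into HTML unescaped"))
    return findings


# Constructed inputs modelled on the before/after pairs quoted on this page.
OLD_DELETE = ['$delid=$_GET["did"];',
              '$wpdb->query("delete from ".$cnp_table_name." where cnpform_ID =".$delid);']
NEW_DELETE = ['$delid = isset($_GET["did"]) ? absint($_GET["did"]) : 0;',
              '$wpdb->query($wpdb->prepare("DELETE FROM {$cnp_table_name} WHERE cnpform_ID = %d", $delid));']
OLD_ROW = ["$cnpresltdsply .= '<tr><td>'.$gname.'</td><td>'.$account.'</td></tr>';"]
NEW_ROW = ["$cnpresltdsply .= '<tr><td>' . esc_html($gname) . '</td><td>' . esc_html($account) . '</td></tr>';"]
OLD_STATUS = ["$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_table_name,'cnpform_status','cnpform_ID',$_GET['cnpviewid'],$_GET['cnpsts']);"]
# The hardcoded-status query the page marks as a false positive: no request data reaches it.
HARDCODED = ['$sql = "select cnpstngs_ID from ".$cnp_settingtable_name." where cnpstngs_status =1";',
             '$result = $wpdb->get_results($sql);']

if __name__ == "__main__":
    for name, sample in [("OLD_DELETE", OLD_DELETE), ("NEW_DELETE", NEW_DELETE), ("OLD_ROW", OLD_ROW),
                         ("NEW_ROW", NEW_ROW), ("OLD_STATUS", OLD_STATUS), ("HARDCODED", HARDCODED)]:
        print(name, scan(sample) or "clean")
```

Run stand-alone it prints one result per sample: the old delete reports an unprepared query using `$delid`, the old row builder reports `$gname` and `$account` written unescaped, the status call is reported for review rather than as SQL injection because the callee is not visible, and the two fixed versions and the hardcoded query come back clean. That matches the verdicts above and also shows where a call-site check stops: whether `CNPCF_updateCnPstatus()` is injectable depends on reading the helper, not the line that calls it. Taint is tracked through plain variables, so `$sql = "... =".$delid; $wpdb->query($sql);` is flagged on the query line, but anything spanning several statements per line, or passing through arrays and function returns, is out of scope for a heuristic this size.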
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] cnpSettings.php AI: 3 vulnerabilities 1 false positive, 3 true positives CVE-2025-32550
--- cache/click-pledge-connect_2.24080000-WP6.6.1/cnpSettings.php	2025-11-20 22:13:36.779109072 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/cnpSettings.php	2025-11-20 22:19:32.250906915 +0000@@ -1,200 +1,235 @@-<?php
-function cnp_formssettings() {
-
-	global $wpdb;    global $cnp_settingtable_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";$hidval	   = 1;$cnpbtn = "Save";
-
-
-
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Account Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Please check the account details is correct or not (or) with this account id campaigns are not added.</strong>.</p></div>";
-	}
-	if($info=="exist")
-	{
-		echo "<div class='updated' id='message'><p><strong> Friendly Name or Account Number already exist.</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Account updated</strong>.</p></div>";
-	}
-
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$cnpnoofforms = CNPCF_getAccountNumbersInfo($delid);
-		$cnpnoofchnls = CNPCF_getchnlAccountNumbersInfo($delid);
-		if(($cnpnoofforms==0) && ($cnpnoofchnls == 0)){
-		$wpdb->query("delete from ".$cnp_settingtable_name." where cnpstngs_ID =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-			}
-		else
-		{
-			echo "<div class='updated' id='message'><p><strong>This Account Number is associated with an existing form group (or) channel group. You must first delete the form group (or) channel group before deleting this account.</strong></p></div>";
-		}
-		
-	}
-	if(isset($_POST["cnpbtnaddsettings"]))
-	{
-		 $addform=$_POST["addformval"];
-		global $wpdb;
-		global $cnp_table_name;
-		if($addform==1)
-		{$cnprtnval="";
-			$cnprtnval = CNPCF_addSettings($cnp_table_name,$_POST);
-
-			if($cnprtnval >= 1){$cnpredirectval = "saved";}
-		    else if($cnprtnval == "0"){$cnpredirectval = "failed";}
-			else if($cnprtnval == "error"){$cnpredirectval = "exist";}
-		 	else{$cnpredirectval = "failed";}
-			wp_redirect("admin.php?page=cnp_formssettings&info=".$cnpredirectval);
-			exit;
-		}
-		else if($addform==2)
-		{
-			$cnprtnval =CNPCF_updateSettings($cnp_table_name,$_POST);
-			if($cnprtnval >=1){$cnpredirectval = "upd";}else{$cnpredirectval = "failed";}
-			wp_redirect("admin.php?page=cnp_formssettings&info=".$cnpredirectval);
-			exit;
-		}
-
-	}
-	$act=$_REQUEST["cnpviewid"];
-	if(isset($act) && $act!="")
-	{
-		global $wpdb;
-		global $cnp_settingtable_name;
-
-		$cnpfrmdtresult    = CNPCF_GetCnPGroupDetails($cnp_settingtable_name,'cnpstngs_ID',$_GET['cnpviewid']);
-		foreach ($cnpfrmdtresult as $cnprtnval) {}
-
-	 if (count($cnprtnval)> 0 )
-		 {
-
-
-				$cnpsetid              = $cnprtnval->cnpstngs_ID;
-				$cnpsetfrndlynm        = $cnprtnval->cnpstngs_frndlyname;
-			 	$cnpsetAccountNumber   = $cnprtnval->cnpstngs_AccountNumber;
-				$cnpsetguid            = $cnprtnval->cnpstngs_guid;
-				$cnpbtn	               = "Update";
-				$hidval	               = 2;
-
-
-		}
-	}
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-		jQuery('#cnpsettingslist').dataTable();
-		jQuery("tr:even").css("background-color", "#f1f1f1");
-	});
-	/* ]]> */
-
-</script>
-<?php
-	 $cnpfrmtyp= wp_unslash( sanitize_text_field( $_REQUEST["act"]));
-	if($cnpfrmtyp == "edit"){$msgdsplycntnt = "style ='display:block'";}else{$msgdsplycntnt = "style ='display:none'";}
-	if($cnpfrmtyp == "edit"){ $msgdbtnsplycntnt = "style ='display:none'";}else{$msgdbtnsplycntnt = "style ='float:left;display:block'";}
-
-	$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-	<h2>Click & Pledge Account &nbsp;</h2>
-	<div id="col-left" style="width:48% !important; float:none;">
-	<div class="col-wrap">
-		<div>
-			<div class="form-wrap">
-			 <table class="form-table" id="cnpformslist" align="center" >
-
-			 <tr><td>
-			 <div>	<h2>Add New Account</h2>	</div>
-				<form class="validate"  method="post" id="addsettings" name="addsettings">
-				<input type="hidden" name="cnphdnediturl" id="cnphdnediturl" value="'.CNP_CF_PLUGIN_URL.'getcnpditactivecampaigns.php">
-				<input type="hidden" name="cnphdnerrurl" id="cnphdnerrurl" value="'.CNP_CF_PLUGIN_URL.'cnpSettingmsgs.php">
-				<input type="hidden" name="addformval" id="addformval" value='.$hidval.'>
-				<input type="hidden" name="hdnfrmid" id="hdnfrmid" value="'.$cnpsetid .'">
-
-				<div class="form-field cnpaccountId">
-				<label for="tag-name"> <b>Click & Pledge Account Number*</b></label>
-				<input type="text" size="10" id="txtcnpacntid" name="txtcnpacntid"  value="'.$cnpsetAccountNumber.'" />
-				<p style="font-size:12px;">Get your "Account Number" from Click & Pledge<br>
-[CONNECT > Launcher > Settings > API Information > Account ID]</p>
-				<span class=cnperror id="spncnpacntid"></span>
-				</div>
-
-					<div class="form-field cnpacntguid">
-						<label for="tag-name"> <b>Click & Pledge Account GUID*</b></label>
-						<input type="text" size="20" id="txtcnpacntguid" name="txtcnpacntguid" value="'.$cnpsetguid.'" /><div class="tooltip" >
-						<i class="fa fa-question-circle"></i>
-						<span class="tooltiptext">Please collect the Account GUID from your CONNECT Portal or for More Help <a href="https://support.clickandpledge.com/s/article/how-to-locate-account-id--api-account-guid" target="_blank">click here</a></span>
-						</div>
-						<p style="font-size:12px;">Get your "Account GUID" from Click & Pledge<br>
- [CONNECT > Launcher > Settings > API Information > API (PaaS / FaaS): Account GUID]</p>
-					</div>
-						<div '.$msgdbtnsplycntnt.'>
-						 <input type="button" name="cnpbtnverifysettings" id="cnpbtnverifysettings" value="Verify" class="button button-primary"><br>
-						
-						 </div>
-						 	<div class="frmaddnickdiv" '.$msgdsplycntnt.'>
-					<div class="form-field cnpfrmfrndlynm" >
-					<label for="tag-name">Nickname*</label>
-					<input type="text" size="20" id="txtcnpfrmfrndlynm" name="txtcnpfrmfrndlynm" value="'.$cnpsetfrndlynm.'" onkeypress="return AvoidSpace(event)"/>
-					<span class=cnperror id="spnfrndlynm"></span>
-					</div>
-
-						 <div style="float:left">
-						 <input type="submit" name="cnpbtnaddsettings" id="cnpbtnaddsettings" value="'.$cnpbtn.'" class="button button-primary">
-						 </div>
-</div>
-						 </form>
-						 </tr></td></table>
-						
-						 </div>
-						 </div>
-						 </div>
-						 </div>
-						 <div > <div style="float:left" width="100%"><span class="cnperror" id="spnverify" style="display:none"><p>Communication Error:</p>
- 
-<p>Sorry but I am having difficulty communicating with the Click & Pledge services due to the absence of the SOAP extension in your WordPress installation.  The following links may help in resolving this issue:</p>
- 
-<p>Complete details page: <a href ="http://php.net/manual/en/book.soap.php" target="_blank">http://php.net/manual/en/book.soap.php</a></p>
-<p>Installing SOAP for PHP: <a href ="http://php.net/manual/en/soap.installation.php" target="_blank">http://php.net/manual/en/soap.installation.php</a></p>
-<p>Configuring after installation: <a href ="http://php.net/manual/en/soap.configuration.php" target="_blank">http://php.net/manual/en/soap.configuration.php</a></p>
- 
-<p>You may need to contact your server administrator for installation of the SOAP extension on the server.<p></span></div>
-	<div class="col-wrap">
-		<div>
-			<div class="cnp_scrollable_x">
-			              <table style="width:99%;" class="wp-list-table widefat" id="cnpsettingslist" ><thead><tr><th>Nickname </th><th>Account Number</th><th>GUID</th><th>Created Date/Time</th><th>Actions</th></tr></thead><tbody>';
-
-		 $sql          = "select * from ".$cnp_settingtable_name."  order by cnpstngs_ID desc";
-		 $result       = $wpdb->get_results($sql);
-		 if($wpdb->num_rows > 0 )
-		 {
-			foreach($result as $cnpsettingsData):
-
-				$cnpform_id     = $cnpsettingsData->cnpstngs_ID;
-				$gname          = $cnpsettingsData->cnpstngs_frndlyname;
-				$account        = $cnpsettingsData->cnpstngs_AccountNumber;
-				$accountguid    = $cnpsettingsData->cnpstngs_guid;
-			    $frmmodifieddt   = new DateTime($cnpsettingsData->cnpstngs_Date_Modified);
-			    $frmmodifiddt   = date_format(date_create($cnpsettingsData->cnpstngs_Date_Modified),"d-m-Y H:i:s");
-
-
-				$cnpresltdsply .= '<tr><td>'.$gname.'</td><td >'.$account.'</td><td>'.$accountguid.'</td><td data-sort="'.strtotime($frmmodifiddt).'">'.$frmmodifieddt->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
-
-								   <td ><u><input type="hidden" name="hdnsetngsid'.$cnpform_id.'" id="hdnsetngsid'.$cnpform_id.'" value="'.$cnpform_id .'">
-								   <input type="hidden" name="hdncnpaccntid'.$cnpform_id.'" id="hdncnpaccntid'.$cnpform_id.'" value="'.$account .'">
-								   <input type="hidden" name="hdncnpguid'.$cnpform_id.'" id="hdncnpguid'.$cnpform_id.'" value="'.$accountguid .'"> <input type="hidden" name="hdncnptblname" id="hdncnptblname" value="'.$cnp_settingtable_name .'"><a href="#" id="myHref" onclick="return mycnpaccountId('.$cnpform_id.')"><span class="dashicons dashicons-update"></span></a></u> |  <u><a href="admin.php?page=cnp_formssettings&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a></u></td></tr>';
-			endforeach;
-	     }
-		 else {$cnpresltdsply .= '<tr><td>No Record Found!</td><tr>';}
-
-		 $cnpresltdsply .= '</tbody></table></div>';
-		 echo $cnpresltdsply ;
-}
-?>
+<?php+function cnp_formssettings() {++	global $wpdb;    global $cnp_settingtable_name;+	$info = isset($_REQUEST["info"]) ? sanitize_text_field($_REQUEST["info"]) : '';+    $cnpresltdsply = "";$hidval	   = 1;$cnpbtn = "Save";+$cnpsetid ="";$cnpsetAccountNumber="";$cnpsetguid="";$cnpsetfrndlynm="";+++	if($info=="saved")+	{+		echo "<div class='updated' id='message'><p><strong>Account Added</strong>.</p></div>";+	}+	if($info=="failed")+	{+		echo "<div class='updated' id='message'><p><strong>Please check the account details is correct or not (or) with this account id campaigns are not added.</strong>.</p></div>";+	}+	if($info=="exist")+	{+		echo "<div class='updated' id='message'><p><strong> Friendly Name or Account Number already exist.</strong>.</p></div>";+	}+	if($info=="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Account updated</strong>.</p></div>";+	}++	if ($info == "del") {+     $delid = isset($_GET["did"]) ? intval($_GET["did"]) : 0;++    if ($delid > 0) {+        // Retrieve associated forms and channels info+        $cnpnoofforms = CNPCF_getAccountNumbersInfo($delid);+        $cnpnoofchnls = CNPCF_getchnlAccountNumbersInfo($delid);++        // Check if there are no associated forms or channels+        if ($cnpnoofforms == 0 && $cnpnoofchnls == 0) {+            $result = $wpdb->delete(+                $cnp_settingtable_name,+                ['cnpstngs_ID' => $delid],+                ['%d'] +            );++            if ($result !== false) {+                echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+            } else {+                echo "<div class='error' id='message'><p><strong>Error: Unable to delete the record.</strong></p></div>";+            }+        } else {+            echo "<div class='updated' id='message'><p><strong>This Account Number is associated with an existing form group or channel group. 
You must first delete the form group or channel group before deleting this account.</strong></p></div>";+        }+    } else {+        echo "<div class='error' id='message'><p><strong>Error: Invalid ID provided.</strong></p></div>";+    }+}+	if (isset($_POST["cnpbtnaddsettings"])) {+    $addform = isset($_POST["addformval"]) ? intval($_POST["addformval"]) : 0;+    global $wpdb;+    global $cnp_table_name;++    if ($addform == 1) {+        $cnprtnval = CNPCF_addSettings($cnp_table_name, $_POST);++        if ($cnprtnval >= 1) {+            $cnpredirectval = "saved";+        } elseif ($cnprtnval == "0") {+            $cnpredirectval = "failed";+        } elseif ($cnprtnval == "error") {+            $cnpredirectval = "exist";+        } else {+            $cnpredirectval = "failed";+        }+        wp_redirect(admin_url("admin.php?page=cnp_formssettings&info=" . $cnpredirectval));+        exit;+    } elseif ($addform == 2) {+        $cnprtnval = CNPCF_updateSettings($cnp_table_name, $_POST);++        if ($cnprtnval >= 1) {+            $cnpredirectval = "upd";+        } else {+            $cnpredirectval = "failed";+        }+        wp_redirect(admin_url("admin.php?page=cnp_formssettings&info=" . $cnpredirectval));+        exit;+    }+}++$act = isset($_REQUEST["cnpviewid"]) ? 
sanitize_text_field($_REQUEST["cnpviewid"]) : '';++if (!empty($act)) {+    global $wpdb;+    global $cnp_settingtable_name;++    $cnpfrmdtresult = CNPCF_GetCnPGroupDetails($cnp_settingtable_name, 'cnpstngs_ID', intval($act));+    +    if (!empty($cnpfrmdtresult)) {+        $cnprtnval = $cnpfrmdtresult[0];++        if (!empty($cnprtnval)) {+            $cnpsetid = $cnprtnval->cnpstngs_ID;+            $cnpsetfrndlynm = $cnprtnval->cnpstngs_frndlyname;+            $cnpsetAccountNumber = $cnprtnval->cnpstngs_AccountNumber;+            $cnpsetguid = $cnprtnval->cnpstngs_guid;+            $cnpbtn = "Update";+            $hidval = 2;+        }+    }+}++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+		jQuery('#cnpsettingslist').dataTable();+		jQuery("tr:even").css("background-color", "#f1f1f1");+	});+	/* ]]> */++</script>+<?php++if (isset($_REQUEST["act"])) {+    $cnpfrmtyp = wp_unslash(sanitize_text_field($_REQUEST["act"]));+} else {+    $cnpfrmtyp = ''; // Default value+   +}++	if($cnpfrmtyp == "edit"){$msgdsplycntnt = "style ='display:block'";}else{$msgdsplycntnt = "style ='display:none'";}+	if($cnpfrmtyp == "edit"){ $msgdbtnsplycntnt = "style ='display:none'";}else{$msgdbtnsplycntnt = "style ='float:left;display:block'";}++	$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+	<h2>Click & Pledge Account &nbsp;</h2>+	<div id="col-left" style="width:48% !important; float:none;">+	<div class="col-wrap">+		<div>+			<div class="form-wrap">+			 <table class="form-table" id="cnpformslist" align="center" >++			 <tr><td>+			 <div>	<h2>Add New Account</h2>	</div>+				<form class="validate"  method="post" id="addsettings" name="addsettings">+				<input type="hidden" name="cnphdnediturl" id="cnphdnediturl" value="'.CNP_CF_PLUGIN_URL.'getcnpditactivecampaigns.php">+				<input type="hidden" name="cnphdnerrurl" id="cnphdnerrurl" 
value="'.CNP_CF_PLUGIN_URL.'cnpSettingmsgs.php">+				<input type="hidden" name="addformval" id="addformval" value='.$hidval.'>+				<input type="hidden" name="hdnfrmid" id="hdnfrmid" value="'.$cnpsetid .'">++				<div class="form-field cnpaccountId">+				<label for="tag-name"> <b>Click & Pledge Account Number*</b></label>+				<input type="text" size="10" id="txtcnpacntid" name="txtcnpacntid"  value="'.$cnpsetAccountNumber.'" />+				<p style="font-size:12px;">Get your "Account Number" from Click & Pledge<br>+[CONNECT > Launcher > Settings > API Information > Account ID]</p>+				<span class=cnperror id="spncnpacntid"></span>+				</div>++					<div class="form-field cnpacntguid">+						<label for="tag-name"> <b>Click & Pledge Account GUID*</b></label>+						<input type="text" size="20" id="txtcnpacntguid" name="txtcnpacntguid" value="'.$cnpsetguid.'" /><div class="tooltip" >+						<i class="fa fa-question-circle"></i>+						<span class="tooltiptext">Please collect the Account GUID from your CONNECT Portal or for More Help <a href="https://support.clickandpledge.com/s/article/how-to-locate-account-id--api-account-guid" target="_blank">click here</a></span>+						</div>+						<p style="font-size:12px;">Get your "Account GUID" from Click & Pledge<br>+ [CONNECT > Launcher > Settings > API Information > API (PaaS / FaaS): Account GUID]</p>+					</div>+						<div '.$msgdbtnsplycntnt.'>+						 <input type="button" name="cnpbtnverifysettings" id="cnpbtnverifysettings" value="Verify" class="button button-primary"><br>+						+						 </div>+						 	<div class="frmaddnickdiv" '.$msgdsplycntnt.'>+					<div class="form-field cnpfrmfrndlynm" >+					<label for="tag-name">Nickname*</label>+					<input type="text" size="20" id="txtcnpfrmfrndlynm" name="txtcnpfrmfrndlynm" value="'.$cnpsetfrndlynm.'" onkeypress="return AvoidSpace(event)"/>+					<span class=cnperror id="spnfrndlynm"></span>+					</div>++						 <div style="float:left">+						 <input type="submit" name="cnpbtnaddsettings" 
id="cnpbtnaddsettings" value="'.$cnpbtn.'" class="button button-primary">+						 </div>+</div>+						 </form>+						 </tr></td></table>+						+						 </div>+						 </div>+						 </div>+						 </div>+						 <div > <div style="float:left" width="100%"><span class="cnperror" id="spnverify" style="display:none"><p>Communication Error:</p>+ +<p>Sorry but I am having difficulty communicating with the Click & Pledge services due to the absence of the SOAP extension in your WordPress installation.  The following links may help in resolving this issue:</p>+ +<p>Complete details page: <a href ="http://php.net/manual/en/book.soap.php" target="_blank">http://php.net/manual/en/book.soap.php</a></p>+<p>Installing SOAP for PHP: <a href ="http://php.net/manual/en/soap.installation.php" target="_blank">http://php.net/manual/en/soap.installation.php</a></p>+<p>Configuring after installation: <a href ="http://php.net/manual/en/soap.configuration.php" target="_blank">http://php.net/manual/en/soap.configuration.php</a></p>+ +<p>You may need to contact your server administrator for installation of the SOAP extension on the server.<p></span></div>+	<div class="col-wrap">+		<div>+			<div class="cnp_scrollable_x">+			              <table style="width:99%;" class="wp-list-table widefat" id="cnpsettingslist" ><thead><tr><th>Nickname </th><th>Account Number</th><th>GUID</th><th>Created Date/Time</th><th>Actions</th></tr></thead><tbody>';++	$sql = "SELECT * FROM $cnp_settingtable_name ORDER BY cnpstngs_ID DESC";+$result = $wpdb->get_results($sql);++if ($wpdb->num_rows > 0) {+    foreach ($result as $cnpsettingsData) {+        $cnpform_id = intval($cnpsettingsData->cnpstngs_ID);+        $gname = esc_html($cnpsettingsData->cnpstngs_frndlyname);+        $account = esc_html($cnpsettingsData->cnpstngs_AccountNumber);+        $accountguid = esc_html($cnpsettingsData->cnpstngs_guid);+        $frmmodifieddt = new DateTime($cnpsettingsData->cnpstngs_Date_Modified);+        $frmmodifiddt = 
$frmmodifieddt->format('d-m-Y H:i:s');++        $cnpresltdsply .= '<tr>';+        $cnpresltdsply .= '<td>' . $gname . '</td>';+        $cnpresltdsply .= '<td>' . $account . '</td>';+        $cnpresltdsply .= '<td>' . $accountguid . '</td>';+        $cnpresltdsply .= '<td data-sort="' . $frmmodifieddt->getTimestamp() . '">' . esc_html($frmmodifieddt->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP)) . '</td>';+        $cnpresltdsply .= '<td>';+        $cnpresltdsply .= '<input type="hidden" name="hdnsetngsid' . $cnpform_id . '" id="hdnsetngsid' . $cnpform_id . '" value="' . $cnpform_id . '">';+        $cnpresltdsply .= '<input type="hidden" name="hdncnpaccntid' . $cnpform_id . '" id="hdncnpaccntid' . $cnpform_id . '" value="' . $account . '">';+        $cnpresltdsply .= '<input type="hidden" name="hdncnpguid' . $cnpform_id . '" id="hdncnpguid' . $cnpform_id . '" value="' . $accountguid . '">';+        $cnpresltdsply .= '<input type="hidden" name="hdncnptblname" id="hdncnptblname" value="' . esc_attr($cnp_settingtable_name) . '">';+        $cnpresltdsply .= '<a href="#" id="myHref" onclick="return mycnpaccountId(' . $cnpform_id . ')"><span class="dashicons dashicons-update"></span></a> | ';+        $cnpresltdsply .= '<a href="' . esc_url(admin_url("admin.php?page=cnp_formssettings&info=del&did=$cnpform_id")) . '"><span class="dashicons dashicons-trash"></span></a>';+        $cnpresltdsply .= '</td>';+        $cnpresltdsply .= '</tr>';+    }+} else {+    $cnpresltdsply .= '<tr><td colspan="5">No Record Found!</td></tr>';+}++$cnpresltdsply .= '</tbody></table></div>';+echo $cnpresltdsply;++}+?>
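Review bot: in the `$addform == 1` branch of the new `cnp_formssettings()` the `"exist"` outcome is unreachable on PHP 8, because `$cnprtnval >= 1` is tested before `$cnprtnval == "error"`; under PHP 8 comparison rules a non-numeric string is compared with an integer as strings, so `"error" >= 1` is true and an `"error"` return from `CNPCF_addSettings()` redirects to `info=saved`. Test the string case first (`$cnprtnval === "error"`), then the numeric cases. Also in this hunk: the delete path is still driven by a plain GET link (`info=del&did=...`) with no nonce or capability check visible; `intval()` removes the injection, but building the link with `wp_nonce_url()` and calling `check_admin_referer()` before `$wpdb->delete()` would cover the request-forgery angle as well. Minor: `$frmmodifiddt` is assigned but never used, and `$account`/`$accountguid` are escaped with `esc_html()` but then reused inside `value="..."` attributes, where `esc_attr()` is the matching function.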
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - cnpSettings.php [Lines 35-36]
Old Code:
```php
$delid=$_GET["did"];
$wpdb->query("delete from ".$cnp_settingtable_name." where cnpstngs_ID =".$delid);
```
Fixed Code:
```php
$delid = isset($_GET["did"]) ? intval($_GET["did"]) : 0;
$result = $wpdb->delete(
    $cnp_settingtable_name,
    ['cnpstngs_ID' => $delid],
    ['%d']
);
```

Explanation:
The old code directly concatenates user input ($_GET["did"]) into an SQL query without sanitization. An attacker can control the "did" parameter to inject SQL commands. The fixed code uses intval() to ensure the value is an integer and uses $wpdb->delete() with a %d format specifier, so the value is bound as an integer rather than interpolated into the query, eliminating SQL injection.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cnpSettings.php [Lines 209-210]
Old Code:
```php
$cnpresltdsply .= '<tr><td>'.$gname.'</td><td >'.$account.'</td><td>'.$accountguid.'</td><td data-sort="'.strtotime($frmmodifiddt).'">'.$frmmodifieddt->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
```
Fixed Code:
```php
$cnpresltdsply .= '<td>' . $gname . '</td>';
$cnpresltdsply .= '<td>' . $account . '</td>';
$cnpresltdsply .= '<td>' . $accountguid . '</td>';
$cnpresltdsply .= '<td data-sort="' . $frmmodifieddt->getTimestamp() . '">' . esc_html($frmmodifieddt->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP)) . '</td>';
```

Explanation:
The old code directly outputs database values ($gname, $account, $accountguid) into HTML without escaping. An attacker who controls these values (through database manipulation or other means) can inject malicious scripts. The fixed code uses esc_html() to escape output, preventing XSS.

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cnpSettings.php [Lines 212-213]
Old Code:
```php
$cnpresltdsply .= '<u><a href="admin.php?page=cnp_formssettings&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a></u></td></tr>';
```
Fixed Code:
```php
$cnpresltdsply .= '<a href="' . esc_url(admin_url("admin.php?page=cnp_formssettings&info=del&did=$cnpform_id")) . '"><span class="dashicons dashicons-trash"></span></a>';
```

Explanation:
The old code constructs URLs by directly concatenating user input ($cnpform_id) without validation. While $cnpform_id comes from the database, it could be manipulated. The fixed code uses esc_url() and admin_url() to safely generate URLs, preventing URL-based XSS attacks.

Vulnerability Existed: no
Improper Input Validation - CWE-20 - cnpSettings.php [Line 4]
Old Code:
```php
$info          = $_REQUEST["info"];
```
Fixed Code:
```php
$info = isset($_REQUEST["info"]) ? sanitize_text_field($_REQUEST["info"]) : '';
```

Explanation:
The old code directly uses $_REQUEST["info"] without validation, but this value is only used in string comparisons for display messages. The fixed code adds proper input validation with sanitize_text_field(), preventing potential injection if the value were used in other contexts.
CVE Analysis Results:
CVE-2025-32550: Yes
CVE Description:
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] cnphelpmanual.php AI: 1 vulnerabilities 1 true positive
--- cache/click-pledge-connect_2.24080000-WP6.6.1/cnphelpmanual.php	2025-11-20 22:13:36.779109072 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/cnphelpmanual.php	2025-11-20 22:19:32.250906915 +0000@@ -1,54 +1,61 @@-<?php
-
-function cnpcf_formshelp() {
-?>
-<div class="logo"><a href="https://clickandpledge.com" target="_blank"><img src="<?php print plugins_url(); ?>/click-pledge-connect/images/logo-cp.png"></a></div>
-<div class="instructions">
-	<h2>Welcome to Click &amp; Pledge CONNECT</h2>
-	<p>For quick start, follow these instructions</p>
-	<ol>
-		<li>Go to <a href="admin.php?page=cnp_formssettings">Settings</a> and add Click &amp; Pledge Account Number, Account GUID and Nickname. Account GUID can be found in your Click & Pledge CONNECT portal. Find out <a href="https://support.clickandpledge.com/s/article/how-to-locate-account-id--api-account-guid" target="_blank">how</a>.</li>
-		<li>Once the Account information is added, additional item (Click & Pledge) will appear on the left menu that allows you to add <strong><a href="admin.php?page=cnp_formsdetails">Form</a></strong> and <strong><a href="admin.php?page=cnp_pledgetvchannelsdetails">pledgeTV</a><sup class="cnpc-regsymbol">&reg;</sup> Channel</strong> Groups.</li>
-		<li>After saving the Group details,a new table will appear on the same page where you may select one or more forms/TVchannels from different campaigns.  <br><small><strong>Note:</strong> All campaigns and forms are retrieved from <a href="https://connect.clickandpledge.com/" target="_blank">Click &amp; Pledge CONNECT</a>.</small></li>
-	</ol>
-	<p>
-		For step by step guide follow our manual <a href="https://manual.clickandpledge.com/WordPress-Connect-Plugin.html" target="_blank">here</a>.
-	</p>
-</div>
-<div class="news" style="border-top:1px solid #d8d8d8;">
-	<h2>Latest news from Click &amp; Pledge</h2>
-	<?php
-// this is the url of the rss feed that you want to display
-$feed = 'https://forums.clickandpledge.com/external?type=rss2&nodeid=20'; //replace this with the RSS's URL
-$xml = simplexml_load_file($feed);
-//if the feed exists, then continue...
-if ($xml!=''){
-	?>
-	<ul>
-	<?php
-	$i = 0;
-foreach ($xml->channel->item as $item){
-$i++;
-// create variables from the title and description (can also be used for images and  links)
-$title = $item->title;
-$description = $item->description;
-$date = $item->pubDate;
-$user = $item->children('dc', true)->creator;
-$link = $item->link;
-
-
-
-// displays the title and description on your website, formatted any way you want
-
-echo '<li>
-<h4 style="margin:5px 0;"><a href="'.$link.'" target="_blank">'.$title.'</a></h4> - On <small>'.$date.'</small><br />'.$description.'<a href="'.$link.'" target="_blank">Read More</a></li>';
-if ($i === 6) break;
-}}
-?>
-</ul>
-</div>
-<?php
-
-}
-
-?>
+<?php++function cnpcf_formshelp() {+?>+<div class="logo"><a href="https://clickandpledge.com" target="_blank"><img src="<?php print plugins_url(); ?>/click-pledge-connect/images/logo-cp.png"></a></div>+<div class="instructions">+	<h2>Welcome to Click &amp; Pledge CONNECT</h2>+	<p>For quick start, follow these instructions</p>+	<ol>+		<li>Go to <a href="admin.php?page=cnp_formssettings">Settings</a> and add Click &amp; Pledge Account Number, Account GUID and Nickname. Account GUID can be found in your Click & Pledge CONNECT portal. Find out <a href="https://support.clickandpledge.com/s/article/how-to-locate-account-id--api-account-guid" target="_blank">how</a>.</li>+		<li>Once the Account information is added, additional item (Click & Pledge) will appear on the left menu that allows you to add <strong><a href="admin.php?page=cnp_formsdetails">Form</a></strong> and <strong><a href="admin.php?page=cnp_pledgetvchannelsdetails">pledgeTV</a><sup class="cnpc-regsymbol">&reg;</sup> Channel</strong> Groups.</li>+		<li>After saving the Group details,a new table will appear on the same page where you may select one or more forms/TVchannels from different campaigns.  
<br><small><strong>Note:</strong> All campaigns and forms are retrieved from <a href="https://connect.clickandpledge.com/" target="_blank">Click &amp; Pledge CONNECT</a>.</small></li>+	</ol>+	<p>+		For step by step guide follow our manual <a href="https://manual.clickandpledge.com/WordPress-Connect-Plugin.html" target="_blank">here</a>.+	</p>+</div>+<div class="news" style="border-top:1px solid #d8d8d8;">+	<h2>Latest news from Click &amp; Pledge</h2>+	<?php+// this is the url of the rss feed that you want to display+$feed = 'https://forums.clickandpledge.com/external?type=rss2&nodeid=20'; //replace this with the RSS's URL+$xml = simplexml_load_file($feed);+// Iterate through feed items+if ($xml!=''){+	?>+	<ul>+	<?php+	$i = 0;+    foreach ($xml->channel->item as $item) {+        $i++;++        // Extract necessary fields from the feed+        $title = htmlspecialchars($item->title, ENT_QUOTES, 'UTF-8');+        $description = htmlspecialchars($item->description, ENT_QUOTES, 'UTF-8');+        $date = htmlspecialchars($item->pubDate, ENT_QUOTES, 'UTF-8');+        $user = htmlspecialchars($item->children('dc', true)->creator ?? '', ENT_QUOTES, 'UTF-8');+        $link = htmlspecialchars($item->link, ENT_QUOTES, 'UTF-8');++        // Display formatted output+        echo '<li>';+        echo '<h4 style="margin:5px 0;"><a href="' . $link . '" target="_blank">' . $title . '</a></h4>';+        echo ' - On <small>' . $date . '</small><br />' . $description;+        echo ' <a href="' . $link . '" target="_blank">Read More</a>';+        echo '</li>';++        // Stop after 6 items+        if ($i === 6) {+            break;+      +}+    }+}+?>+</ul>+</div>+<?php++}++?>
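Review bot: `htmlspecialchars()` on `$link` is the wrong escaper for an `href` value: it stops a feed item from breaking out of the attribute but leaves the URL scheme untouched, so the link should additionally go through `esc_url()` (which rejects disallowed schemes) before being placed in `href`. Two smaller points in the same hunk: `$description` from the forum RSS will normally contain HTML, which `htmlspecialchars()` now renders as literal tags, so `wp_kses_post()` is the better fit if formatting is meant to survive; and `simplexml_load_file()` is still called on the remote URL at every page render with no timeout or caching and `$xml != ''` as the only failure check, where WordPress's `fetch_feed()` would provide caching and error handling. `$user` is also computed but never output.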
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-site Scripting (XSS) - CWE-79 - cnphelpmanual.php [Lines 34-43]
Old Code:
```php
$title = $item->title;
$description = $item->description;
$date = $item->pubDate;
$user = $item->children('dc', true)->creator;
$link = $item->link;

echo '<li>
<h4 style="margin:5px 0;"><a href="'.$link.'" target="_blank">'.$title.'</a></h4> - On <small>'.$date.'</small><br />'.$description.'<a href="'.$link.'" target="_blank">Read More</a></li>';
```

Fixed Code:
```php
$title = htmlspecialchars($item->title, ENT_QUOTES, 'UTF-8');
$description = htmlspecialchars($item->description, ENT_QUOTES, 'UTF-8');
$date = htmlspecialchars($item->pubDate, ENT_QUOTES, 'UTF-8');
$user = htmlspecialchars($item->children('dc', true)->creator ?? '', ENT_QUOTES, 'UTF-8');
$link = htmlspecialchars($item->link, ENT_QUOTES, 'UTF-8');

echo '<li>';
echo '<h4 style="margin:5px 0;"><a href="' . $link . '" target="_blank">' . $title . '</a></h4>';
echo ' - On <small>' . $date . '</small><br />' . $description;
echo ' <a href="' . $link . '" target="_blank">Read More</a>';
echo '</li>';
```

Explanation:
The old code directly outputs RSS feed content ($title, $description, $date, $link) without sanitization. An attacker controlling the RSS feed could inject malicious JavaScript that would execute when the help page is viewed. The data flows from the external RSS feed (entry point) directly to echo statements (sink) without any validation or encoding. The fixed code applies htmlspecialchars() to each feed-supplied value before output, preventing XSS attacks.
CVE Analysis Results:
CVE-2025-32550: No
CVE Description:
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] cnptvchannelsDetails.php AI: 5 vulnerabilities 2 false positives, 3 true positives CVE-2025-32550
--- cache/click-pledge-connect_2.24080000-WP6.6.1/cnptvchannelsDetails.php	2025-11-20 22:13:36.780109136 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/cnptvchannelsDetails.php	2025-11-20 22:19:32.250906915 +0000@@ -1,91 +1,142 @@-<?php
-function cnp_pledgetvchannelsdetails() {
-
-	global $wpdb;    global $cnp_channelgrptable_name;global $cnp_channeltable_name;global $cnp_settingtable_name;
-	$info          = $_REQUEST["info"];
-    $cnpresltdsply = "";
-	if($info=="saved")
-	{
-		echo "<div class='updated' id='message'><p><strong>Channel Added</strong>.</p></div>";
-	}
-	if($info=="failed")
-	{
-		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";
-	}
-	if($info=="upd")
-	{
-		echo "<div class='updated' id='message'><p><strong>Channel updated</strong>.</p></div>";
-	}
-	if($info=="sts")
-	{
-		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";
-	}
-	if($info=="del")
-	{
-		$delid=$_GET["did"];
-		$wpdb->query("delete from ".$cnp_channelgrptable_name." where cnpchannelgrp_ID =".$delid);
-		echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong>.</p></div>";
-	}
-	if(isset($_GET['cnpsts']) && $_GET['cnpsts']  !="")
-	{	
-		$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name,'cnpchannelgrp_status','cnpchannelgrp_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
-		if($cnpstsrtnval == true){$cnpredirectval = "sts";}else{$cnpredirectval = "stsfail";}
-		wp_redirect("admin.php?page=cnp_pledgetvchannelsdetails&info=".$cnpredirectval);
-		exit;
-	}
-
-?>
-<script type="text/javascript">
-	/* <![CDATA[ */
-	jQuery(document).ready(function(){
-		jQuery('#cnpformslist').dataTable();
-		jQuery("tr:even").css("background-color", "#f1f1f1");
-	});
-	/* ]]> */
-
-</script>
-<?php
-		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">
-			              <h2>pledgeTV<sup class="cnpc-regsymbol">&reg;</sup> Channels &nbsp;&nbsp;&nbsp;<a class="page-title-action add-new-h2" href="admin.php?page=cnps_addchannel&act=add">Add New Channel Group</a></h2><p></p>
-			              <table class="wp-list-table widefat cnp_table_w" id="cnpformslist" ><thead><tr><th>Group Name</th><th>Account #</th><th>Short Code&nbsp;<a class="tooltip" ><i class="fa fa-question-circle"></i><span class="tooltiptext">Please copy this code and place it in your required content pages, posts or any custom content types. This code will run the series of the channels which has been added to this particular channel Group inside your content page.</span></a></th><th>Start Date/Time</th><th>End Date/Time</th><th>Active Channel(s)</th><th>Last Modified</th><th>Status</th><th>Actions</th></tr></thead><tbody>';
-
-		  $sql          = "select * from ".$cnp_channelgrptable_name." join ".$cnp_settingtable_name." on cnpchannelgrp_cnpstngs_ID= cnpstngs_ID order by cnpchannelgrp_ID desc";
-		 $result        = $wpdb->get_results($sql);
-		 if($wpdb->num_rows > 0 )
-		 {
-			foreach($result as $cnpformData):
-	        //<td nowrap><u><a href="admin.php?page=cnpform_add&cnpid='.$id.'"">Edit</a></u></td>
-			    $nwenddt="";
-				$cnpform_id     = $cnpformData->cnpchannelgrp_ID;
-				$gname          = $cnpformData->cnpchannelgrp_groupname;
-				$account        = $cnpformData->cnpstngs_AccountNumber;
-				$frmstrtdt      = $cnpformData->cnpchannelgrp_channel_StartDate;
-				$frmenddt       = $cnpformData->cnpchannelgrp_channel_EndDate;
-			 	if($frmenddt == "0000-00-00 00:00:00") {$frmenddt ="";}
-		  	
-		  		$frmshrtcode    = $cnpformData->cnpchannelgrp_shortcode;
-			  	 $stdate        = new DateTime($frmstrtdt);
-			 if($frmenddt!=""){
-				 $eddate       = new DateTime($frmenddt);
-				 $nwenddt      = $eddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP);}
-			  $mddate          = new DateTime($cnpformData->cnpchannelgrp_Date_Modified);
-			  $frmmodifiddt    = date_format(date_create($cnpformData->cnpchannelgrp_Date_Modified),"d-m-Y H:i:s");
-			  $frmstrtddt      = date_format(date_create($cnpformData->cnpchannelgrp_channel_StartDate),"d-m-Y H:i:s");
-				$frmsts        = CNPCF_getfrmsts($cnp_channelgrptable_name,'cnpchannelgrp_status','cnpchannelgrp_ID',$cnpform_id);
-			 if($frmenddt!=""){
-			    	if(strtotime($frmenddt) < strtotime(CFCNP_PLUGIN_CURRENTTIME)){
-					$frmsts ="Expired";
-					}
-			 }
-				$noofchannels      = CNPCF_getCountChannels($cnpform_id);
-				$cnpresltdsply .= '<tr><td>'.$gname.'</td><td>'.$account.'</td><td>'.$frmshrtcode.'</td><td data-sort="'.strtotime($frmstrtddt).'">'.$stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td><td>'.$nwenddt.'</td><td align="center">'.$noofchannels.'</td><td data-sort="'.strtotime($frmmodifiddt).'">'.$mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP).'</td>
-								   <td><a href="admin.php?page=cnp_pledgetvchannelsdetails&cnpsts='.$frmsts.'&cnpviewid='.$cnpform_id.'"">'.$frmsts.'</a></td>
-								   <td><a href="admin.php?page=cnp_channeldetails&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-visibility"></span></a> |  <a href="admin.php?page=cnps_addchannel&act=edit&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-edit"></span></a> |  <a href="admin.php?page=cnp_pledgetvchannelsdetails&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a></td></tr>';
-			endforeach; 
-	     } 
-		 else {$cnpresltdsply .= '<tr><td>No Record Found!</td><tr>';}
-		
-		 $cnpresltdsply .= '</tbody></table></div>';
-		 echo $cnpresltdsply ;
-}
+<?php+function cnp_pledgetvchannelsdetails() {++	global $wpdb;    global $cnp_channelgrptable_name;global $cnp_channeltable_name;global $cnp_settingtable_name;+	if (isset($_REQUEST["info"])) { $info = sanitize_text_field($_REQUEST["info"]); }+    $cnpresltdsply = "";+	if(isset($info) &&  $info ==="saved")+	{+		echo "<div class='updated' id='message'><p><strong>Channel Added</strong>.</p></div>";+	}+	if(isset($info) &&  $info ==="failed")+	{+		echo "<div class='updated' id='message'><p><strong>Already Existed</strong>.</p></div>";+	}+	if(isset($info) && $info ==="upd")+	{+		echo "<div class='updated' id='message'><p><strong>Channel updated</strong>.</p></div>";+	}+	if(isset($info) &&  $info ==="sts")+	{+		echo "<div class='updated' id='message'><p><strong>Status updated</strong>.</p></div>";+	}+	if (isset($info) && $info === "del") {+  +    $delid = isset($_GET['did']) ? intval($_GET['did']) : 0;++    if ($delid > 0) {+        $deleted = $wpdb->query($wpdb->prepare("DELETE FROM $cnp_channelgrptable_name WHERE cnpchannelgrp_ID = %d", $delid));+        if ($deleted) {+            echo "<div class='updated' id='message'><p><strong>Record Deleted.</strong></p></div>";+        } else {+            echo "<div class='error' id='message'><p><strong>Error deleting record.</strong></p></div>";+        }+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid ID.</strong></p></div>";+    }+}++if (isset($_GET['cnpsts']) && !empty($_GET['cnpsts'])) {++    $cnpsts = sanitize_text_field($_GET['cnpsts']);+    $cnpviewid = isset($_GET['cnpviewid']) ? 
intval($_GET['cnpviewid']) : 0;++    if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) { +  +        $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name, 'cnpchannelgrp_status', 'cnpchannelgrp_ID', $cnpviewid, $cnpsts);++        if ($cnpstsrtnval) {+            $cnpredirectval = "sts";+        } else {+            $cnpredirectval = "stsfail";+        }++        wp_redirect("admin.php?page=cnp_pledgetvchannelsdetails&info=" . $cnpredirectval);+        exit;+    } else {+        echo "<div class='error' id='message'><p><strong>Invalid status or ID.</strong></p></div>";+    }+}+++?>+<script type="text/javascript">+	/* <![CDATA[ */+	jQuery(document).ready(function(){+		jQuery('#cnpformslist').dataTable();+		jQuery("tr:even").css("background-color", "#f1f1f1");+	});+	/* ]]> */++</script>+<?php+		$cnpresltdsply = '<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><div class="wrap">+			              <h2>pledgeTV<sup class="cnpc-regsymbol">&reg;</sup> Channels &nbsp;&nbsp;&nbsp;<a class="page-title-action add-new-h2" href="admin.php?page=cnps_addchannel&act=add">Add New Channel Group</a></h2><p></p>+			              <table class="wp-list-table widefat cnp_table_w" id="cnpformslist" ><thead><tr><th>Group Name</th><th>Account #</th><th>Short Code&nbsp;<a class="tooltip" ><i class="fa fa-question-circle"></i><span class="tooltiptext">Please copy this code and place it in your required content pages, posts or any custom content types. 
This code will run the series of the channels which has been added to this particular channel Group inside your content page.</span></a></th><th>Start Date/Time</th><th>End Date/Time</th><th>Active Channel(s)</th><th>Last Modified</th><th>Status</th><th>Actions</th></tr></thead><tbody>';++		$sql = $wpdb->prepare("SELECT * +                        FROM $cnp_channelgrptable_name +                        JOIN $cnp_settingtable_name +                        ON cnpchannelgrp_cnpstngs_ID = cnpstngs_ID +                        ORDER BY cnpchannelgrp_ID DESC");+$result = $wpdb->get_results($sql);++if ($wpdb->num_rows > 0) {+    foreach ($result as $cnpformData) {+        $nwenddt = "";+        $cnpform_id = $cnpformData->cnpchannelgrp_ID;+        $gname = esc_html($cnpformData->cnpchannelgrp_groupname);+        $account = esc_html($cnpformData->cnpstngs_AccountNumber);+        $frmstrtdt = $cnpformData->cnpchannelgrp_channel_StartDate;+        $frmenddt = $cnpformData->cnpchannelgrp_channel_EndDate;++        if ($frmenddt == "0000-00-00 00:00:00") {+            $frmenddt = "";+        }++        $frmshrtcode = esc_html($cnpformData->cnpchannelgrp_shortcode);+        $stdate = new DateTime($frmstrtdt);++        if ($frmenddt != "") {+            $eddate = new DateTime($frmenddt);+            $nwenddt = $eddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP);+        }++        $mddate = new DateTime($cnpformData->cnpchannelgrp_Date_Modified);+        $frmmodifiddt = date_format(date_create($cnpformData->cnpchannelgrp_Date_Modified), "d-m-Y H:i:s");+        $frmstrtddt = date_format(date_create($cnpformData->cnpchannelgrp_channel_StartDate), "d-m-Y H:i:s");++        $frmsts = CNPCF_getfrmsts($cnp_channelgrptable_name, 'cnpchannelgrp_status', 'cnpchannelgrp_ID', $cnpform_id);++        if ($frmenddt != "" && strtotime($frmenddt) < strtotime(CFCNP_PLUGIN_CURRENTTIME)) {+            $frmsts = "Expired";+        }++        $noofchannels = CNPCF_getCountChannels($cnpform_id);++     
   // Build the result display+        $cnpresltdsply .= '<tr>+            <td>' . esc_html($gname) . '</td>+            <td>' . esc_html($account) . '</td>+            <td>' . esc_html($frmshrtcode) . '</td>+            <td data-sort="' . strtotime($frmstrtddt) . '">' . $stdate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>+            <td>' . $nwenddt . '</td>+            <td align="center">' . esc_html($noofchannels) . '</td>+            <td data-sort="' . strtotime($frmmodifiddt) . '">' . $mddate->format(CFCNP_PLUGIN_CURRENTDATETIMEFORMATPHP) . '</td>+            <td><a href="admin.php?page=cnp_pledgetvchannelsdetails&cnpsts=' . esc_attr($frmsts) . '&cnpviewid=' . esc_attr($cnpform_id) . '">' . esc_html($frmsts) . '</a></td>+            <td>+                <a href="admin.php?page=cnp_channeldetails&cnpviewid=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-visibility"></span></a> |+                <a href="admin.php?page=cnps_addchannel&act=edit&cnpviewid=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-edit"></span></a> |+                <a href="admin.php?page=cnp_pledgetvchannelsdetails&info=del&did=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-trash"></span></a>+            </td>+        </tr>';+    }+} else {+    $cnpresltdsply .= '<tr><td colspan="7">No Record Found!</td></tr>';+}++		+		 $cnpresltdsply .= '</tbody></table></div>';+		 echo $cnpresltdsply ;+} ?>\ No newline at end of file
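Review bot: the `info=del` branch deletes a row from a plain GET link (`admin.php?page=cnp_pledgetvchannelsdetails&info=del&did=...`) and the `cnpsts` branch updates status the same way, with no nonce or capability check visible in this hunk; build those links with wp_nonce_url() and verify with check_admin_referer() (plus current_user_can()) before calling $wpdb->query() or CNPCF_updateCnPstatus(). Three smaller points in the same hunk: `$gname`, `$account` and `$frmshrtcode` go through esc_html() at assignment and again when the `<tr>` is built, so a literal `&` in a group name renders as `&amp;amp;`; `$wpdb->prepare("SELECT * FROM ... ORDER BY cnpchannelgrp_ID DESC")` is called with no placeholders and no arguments, which WordPress flags with a _doing_it_wrong notice, so either add a placeholder or use get_results() on the plain query; and the status link passes `$frmsts`, which the loop may set to "Expired", while the handler only accepts 'active' or 'inactive', so that link always lands on the 'Invalid status or ID.' message for expired groups.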
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - cnptvchannelsDetails.php [32]
Old Code:
```php
$delid=$_GET["did"];
$wpdb->query("delete from ".$cnp_channelgrptable_name." where cnpchannelgrp_ID =".$delid);
```
Fixed Code:
```php
$delid = isset($_GET['did']) ? intval($_GET['did']) : 0;
if ($delid > 0) {
    $deleted = $wpdb->query($wpdb->prepare("DELETE FROM $cnp_channelgrptable_name WHERE cnpchannelgrp_ID = %d", $delid));
}
```

Explanation:
The old code directly concatenates user input ($_GET["did"]) into an SQL query without sanitization. An attacker can control the "did" parameter to inject malicious SQL. The fixed code uses intval() to ensure the value is an integer and uses $wpdb->prepare() with a parameterized query, preventing SQL injection.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - cnptvchannelsDetails.php [36-37]
Old Code:
```php
$cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name,'cnpchannelgrp_status','cnpchannelgrp_ID',$_GET['cnpviewid'],$_GET['cnpsts']);
```
Fixed Code:
```php
$cnpsts = sanitize_text_field($_GET['cnpsts']);
$cnpviewid = isset($_GET['cnpviewid']) ? intval($_GET['cnpviewid']) : 0;
if ($cnpviewid > 0 && in_array($cnpsts, ['active', 'inactive'], true)) {
    $cnpstsrtnval = CNPCF_updateCnPstatus($cnp_channelgrptable_name, 'cnpchannelgrp_status', 'cnpchannelgrp_ID', $cnpviewid, $cnpsts);
}
```

Explanation:
The old code passes unsanitized $_GET['cnpviewid'] and $_GET['cnpsts'] directly to the CNPCF_updateCnPstatus function. If this function builds SQL queries with these values, SQL injection is possible. The fixed code validates cnpviewid as an integer and restricts cnpsts to specific allowed values.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cnptvchannelsDetails.php [65-75]
Old Code:
```php
$gname = $cnpformData->cnpchannelgrp_groupname;
$account = $cnpformData->cnpstngs_AccountNumber;
$frmshrtcode = $cnpformData->cnpchannelgrp_shortcode;
$cnpresltdsply .= '<tr><td>'.$gname.'</td><td>'.$account.'</td><td>'.$frmshrtcode.'</td>...';
```
Fixed Code:
```php
$gname = esc_html($cnpformData->cnpchannelgrp_groupname);
$account = esc_html($cnpformData->cnpstngs_AccountNumber);
$frmshrtcode = esc_html($cnpformData->cnpchannelgrp_shortcode);
$cnpresltdsply .= '<tr><td>' . esc_html($gname) . '</td><td>' . esc_html($account) . '</td><td>' . esc_html($frmshrtcode) . '</td>...';
```

Explanation:
The old code directly outputs database values into HTML without escaping, allowing stored XSS if malicious data is in the database. The fixed code uses esc_html() to properly escape all output for HTML context.

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cnptvchannelsDetails.php [76-78]
Old Code:
```php
$cnpresltdsply .= '<td><a href="admin.php?page=cnp_pledgetvchannelsdetails&cnpsts='.$frmsts.'&cnpviewid='.$cnpform_id.'"">'.$frmsts.'</a></td>
<td><a href="admin.php?page=cnp_channeldetails&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-visibility"></span></a> |  <a href="admin.php?page=cnps_addchannel&act=edit&cnpviewid='.$cnpform_id.'""><span class="dashicons dashicons-edit"></span></a> |  <a href="admin.php?page=cnp_pledgetvchannelsdetails&info=del&did='.$cnpform_id.'" ><span class="dashicons dashicons-trash"></span></a></td>';
```
Fixed Code:
```php
$cnpresltdsply .= '<td><a href="admin.php?page=cnp_pledgetvchannelsdetails&cnpsts=' . esc_attr($frmsts) . '&cnpviewid=' . esc_attr($cnpform_id) . '">' . esc_html($frmsts) . '</a></td>
<td><a href="admin.php?page=cnp_channeldetails&cnpviewid=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-visibility"></span></a> |
<a href="admin.php?page=cnps_addchannel&act=edit&cnpviewid=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-edit"></span></a> |
<a href="admin.php?page=cnp_pledgetvchannelsdetails&info=del&did=' . esc_attr($cnpform_id) . '"><span class="dashicons dashicons-trash"></span></a></td>';
```

Explanation:
The old code directly embeds variables in HTML attributes and content without proper escaping. The fixed code uses esc_attr() for URL parameters in href attributes and esc_html() for link text content, preventing XSS in both attribute and content contexts.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - cnptvchannelsDetails.php [54]
Old Code:
```php
$sql = "select * from ".$cnp_channelgrptable_name." join ".$cnp_settingtable_name." on cnpchannelgrp_cnpstngs_ID= cnpstngs_ID order by cnpchannelgrp_ID desc";
```
Fixed Code:
```php
$sql = $wpdb->prepare("SELECT * 
                        FROM $cnp_channelgrptable_name 
                        JOIN $cnp_settingtable_name 
                        ON cnpchannelgrp_cnpstngs_ID = cnpstngs_ID 
                        ORDER BY cnpchannelgrp_ID DESC");
```

Explanation:
The old code uses string concatenation for table names in SQL queries. While table names are typically not user-controlled, using $wpdb->prepare() provides additional security and follows WordPress coding standards.
CVE Analysis Results:
CVE-2025-32550: Yes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] getcnpactivecampaigns.php AI: 1 vulnerability 1 true positive
--- cache/click-pledge-connect_2.24080000-WP6.6.1/getcnpactivecampaigns.php	2025-11-20 22:13:36.787109586 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/getcnpactivecampaigns.php	2025-11-20 22:19:32.277908626 +0000@@ -2,63 +2,60 @@  	define( 'CFCNP_PLUGIN_UID', "14059359-D8E8-41C3-B628-E7E030537905"); 	define( 'CFCNP_PLUGIN_SKY', "5DC1B75A-7EFA-4C01-BDCD-E02C536313A3");-	$connect  = array('soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => 0);-	$client   = new SoapClient('https://resources.connect.clickandpledge.com/wordpress/Auth2.wsdl', $connect); -	if( !isset($_REQUEST['CampaignId']) && isset($_REQUEST['AccountId_val']) && $_REQUEST['AccountId_val']!=""  && isset($_REQUEST['AccountGUId_val']) &&  $_REQUEST['AccountGUId_val']!="")-	{ -		-		 $accountid            = $_REQUEST['AccountId_val'];-		 $accountguid          = $_REQUEST['AccountGUId_val'];-	$xmlr  = new SimpleXMLElement("<GetActiveCampaignList2></GetActiveCampaignList2>");-	$xmlr->addChild('accountId', $accountid);-	$xmlr->addChild('AccountGUID', $accountguid);-	$xmlr->addChild('username', CFCNP_PLUGIN_UID);-	$xmlr->addChild('password', CFCNP_PLUGIN_SKY);-	$response = $client->GetActiveCampaignList2($xmlr); -    $responsearr =  $response->GetActiveCampaignList2Result->connectCampaign;-    $cnporderRes = [];-    if( !is_array($responsearr)){+$connect = ['soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => 0];+$client = new SoapClient('https://resources.connect.clickandpledge.com/wordpress/Auth2.wsdl', $connect); -      $cnporderRes[$responsearr->alias] = $responsearr->name;-    }-    else {-      foreach ($responsearr as $obj) {-        $cnporderRes[$obj->alias] = $obj->name;-      }+if (!isset($_REQUEST['CampaignId']) && isset($_REQUEST['AccountId_val']) && !empty($_REQUEST['AccountId_val']) && isset($_REQUEST['AccountGUId_val']) && !empty($_REQUEST['AccountGUId_val'])) {+   +	$accountid = $_REQUEST['AccountId_val'];+    $accountguid = $_REQUEST['AccountGUId_val'];+    +  +    $xmlr = 
new SimpleXMLElement("<GetActiveCampaignList2></GetActiveCampaignList2>");+    $xmlr->addChild('accountId', $accountid);+    $xmlr->addChild('AccountGUID', $accountguid);+    $xmlr->addChild('username', CFCNP_PLUGIN_UID);+    $xmlr->addChild('password', CFCNP_PLUGIN_SKY);+    +  +    try {+        $response = $client->GetActiveCampaignList2($xmlr);+        $responsearr = $response->GetActiveCampaignList2Result->connectCampaign;+        $cnporderRes = processResponse($responsearr);++        $camrtrnval = "<option value=''>Select Campaign Name</option>";+        foreach ($cnporderRes as $cnpkey => $cnpvalue) {+            $camrtrnval .= "<option value='" . $cnpkey . "'>" . $cnpvalue . " (" . $cnpkey . ")</option>";+        }++        echo $camrtrnval;++    } catch (Exception $e) {+     +        echo "<option value=''>Error fetching campaign data: " . $e->getMessage() . "</option>";     }-    natcasesort($cnporderRes);-    	 $camrtrnval = "<option value=''>Select Campaign Name</option>";+} -    -		foreach ($cnporderRes as $cnpkey => $cnpvalue) {-        $camrtrnval .= "<option value='" . $cnpkey . "'>" . $cnpvalue . " (" . $cnpkey . 
")</option>";-      } -	 -	 echo $camrtrnval;-	--	}-	if( isset($_REQUEST['AccountId_val']) && $_REQUEST['AccountId_val']!="" && -		isset($_REQUEST['AccountGUId_val']) &&  $_REQUEST['AccountGUId_val']!="" && -		isset($_REQUEST['CampaignId']) &&  $_REQUEST['CampaignId']!="" )-	{--		$cnpaccountID      = $_REQUEST['AccountId_val'];-		$cnpaccountguidID  = $_REQUEST['AccountGUId_val'];-		$cnpcampaignId     = $_REQUEST['CampaignId'];-		$xmlr  = new SimpleXMLElement("<GetActiveFormList2></GetActiveFormList2>");-		$xmlr->addChild('accountId', $cnpaccountID);-		$xmlr->addChild('AccountGUID', $cnpaccountguidID);-		$xmlr->addChild('username', CFCNP_PLUGIN_UID);-		$xmlr->addChild('password', CFCNP_PLUGIN_SKY);-		$xmlr->addChild('campaignAlias', $cnpcampaignId);--		$frmresponse    =  $client->GetActiveFormList2($xmlr); 	-		$frmresponsearr =  $frmresponse->GetActiveFormList2Result->form;-    $cnpforderRes = [];- if( !is_array($frmresponsearr)){+if (isset($_REQUEST['AccountId_val']) && !empty($_REQUEST['AccountId_val']) && isset($_REQUEST['AccountGUId_val']) && !empty($_REQUEST['AccountGUId_val']) && isset($_REQUEST['CampaignId']) && !empty($_REQUEST['CampaignId'])) {+   +    $cnpaccountID = $_REQUEST['AccountId_val'];+    $cnpaccountguidID = $_REQUEST['AccountGUId_val'];+    $cnpcampaignId = $_REQUEST['CampaignId'];+    +    +    $xmlr = new SimpleXMLElement("<GetActiveFormList2></GetActiveFormList2>");+    $xmlr->addChild('accountId', $cnpaccountID);+    $xmlr->addChild('AccountGUID', $cnpaccountguidID);+    $xmlr->addChild('username', CFCNP_PLUGIN_UID);+    $xmlr->addChild('password', CFCNP_PLUGIN_SKY);+    $xmlr->addChild('campaignAlias', $cnpcampaignId);++    try {+        $frmresponse = $client->GetActiveFormList2($xmlr);+        $frmresponsearr = $frmresponse->GetActiveFormList2Result->form;+if( !is_array($frmresponsearr)){       $cnpforderRes[$frmresponsearr->formGUID] = $frmresponsearr->formName;     }     else {@@ -67,13 +64,34 @@       }     }     
natcasesort($cnpforderRes);-		 $rtrnval = "<option value=''>Select Form Name</option>";-	-	foreach ($cnpforderRes as $cnpkey => $cnpvalue) {-        $rtrnval .= "<option value='" . $cnpkey . "'>" . $cnpvalue ."</option>";-      }+        $rtrnval = "<option value=''>Select Form Name</option>";+        foreach ($cnpforderRes as $cnpkey => $cnpvalue) {+            $rtrnval .= "<option value='" . $cnpkey . "'>" . $cnpvalue . "</option>";+        }++        echo $rtrnval;++    } catch (Exception $e) {+       +        echo "<option value=''>Error fetching form data: " . $e->getMessage() . "</option>";+    }+}++function processResponse($responsearr) {+    $result = [];+    +    if (!is_array($responsearr)) {+   +        $result[$responsearr->alias] = $responsearr->name;+    } else {+     +        foreach ($responsearr as $obj) {+            $result[$obj->alias] = $obj->name;+        }+    }+    +    natcasesort($result); +    return $result;+} -		echo $rtrnval;-	}-	 ?>\ No newline at end of file
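Review bot: the new try/catch around `$client->GetActiveCampaignList2($xmlr)` in the first hunk will not catch SOAP faults, because `$connect` still sets `'exceptions' => 0`, which makes SoapClient return a SoapFault object instead of throwing; either drop that option or check `is_soap_fault($response)` before reading `GetActiveCampaignList2Result`. In the same hunk the campaign `<option>` loop still concatenates `$cnpkey` and `$cnpvalue` into markup without esc_attr()/esc_html(), and `$cnpforderRes = [];` was removed from the `-` side without being re-added, so the form array is only created implicitly on first assignment.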
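Review bot: in the `@@ -67,13 +64,34 @@` hunk the form-list loop still builds `"<option value='" . $cnpkey . "'>" . $cnpvalue . "</option>"` without escaping, and the catch block echoes `$e->getMessage()` straight into the `<option>` text; wrap the key in esc_attr(), and the value and the message in esc_html(), as the later getcnpactivechannels.php change does for its error path.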
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - getcnpactivecampaigns.php [32, 66]
Old Code:
```php
$camrtrnval .= "<option value='" . $cnpkey . "'>" . $cnpvalue . " (" . $cnpkey . ")</option>";
```
```php
$rtrnval .= "<option value='" . $cnpkey . "'>" . $cnpvalue . "</option>";
```
Fixed Code:
```php
$camrtrnval .= "<option value='" . esc_attr($cnpkey) . "'>" . esc_html($cnpvalue) . " (" . esc_html($cnpkey) . ")</option>";
```
```php
$rtrnval .= "<option value='" . esc_attr($cnpkey) . "'>" . esc_html($cnpvalue) . "</option>";
```

Explanation:
The vulnerability exists because user-controlled values ($cnpkey and $cnpvalue) are directly embedded into HTML output without proper escaping. These values originate from SOAP API responses ($responsearr->alias and $responsearr->name) which could potentially contain malicious scripts. The taint flow is: SOAP response → $responsearr → $cnpkey/$cnpvalue → HTML output via string concatenation. Since there is no validation or sanitization applied to these values before they are output in HTML context, an attacker who controls the SOAP API response could inject malicious scripts that execute when the HTML is rendered in a browser.
CVE Analysis Results:
CVE-2025-32550: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] getcnpactivechannels.php AI: 2 vulnerabilities 1 false positive, 1 true positive
--- cache/click-pledge-connect_2.24080000-WP6.6.1/getcnpactivechannels.php	2025-11-20 22:13:36.787109586 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/getcnpactivechannels.php	2025-11-20 22:19:32.277908626 +0000@@ -3,57 +3,60 @@ 	define( 'CFCNP_PLUGIN_SKY', "5DC1B75A-7EFA-4C01-BDCD-E02C536313A3"); 	$connect  = array('soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => 0); -   $client   = new SoapClient('Auth2.wsdl', $connect);+  $client = new SoapClient('Auth2.wsdl', $connect); -	if( !isset($_REQUEST['CampaignId']) && isset($_REQUEST['AccountId_val']) && $_REQUEST['AccountId_val']!=""     && isset($_REQUEST['AccountGUId_val']) &&  $_REQUEST['AccountGUId_val']!="")-	{ -		-		  $accountid            = $_REQUEST['AccountId_val'];-		 $accountguid          = $_REQUEST['AccountGUId_val'];-	$xmlr  = new SimpleXMLElement("<GetPledgeTVChannelList></GetPledgeTVChannelList>");-	$xmlr->addChild('accountId', $accountid);-	$xmlr->addChild('AccountGUID', $accountguid);-	$xmlr->addChild('username', CFCNP_PLUGIN_UID);-	$xmlr->addChild('password', CFCNP_PLUGIN_SKY);-$response = $client->GetPledgeTVChannelList($xmlr);-			$displymsg ="";-			$responsearr =  $response->GetPledgeTVChannelListResult->PledgeTVChannel;++if (!isset($_REQUEST['CampaignId']) && isset($_REQUEST['AccountId_val']) && !empty($_REQUEST['AccountId_val']) && isset($_REQUEST['AccountGUId_val']) && !empty($_REQUEST['AccountGUId_val'])) {++  +    $accountid = $_REQUEST['AccountId_val'];+    $accountguid = $_REQUEST['AccountGUId_val'];     -    $orderRes = [];-    if (!is_array($responsearr)) {-      $orderRes[$responsearr->ChannelURLID] = $responsearr->ChannelName;-    }-    else {-      foreach ($responsearr as $obj) {-        $orderRes[$obj->ChannelURLID] = $obj->ChannelName;-      }-    }-    natcasesort($orderRes);+  +    $xmlr = new SimpleXMLElement("<GetPledgeTVChannelList></GetPledgeTVChannelList>");+    $xmlr->addChild('accountId', $accountid);+    $xmlr->addChild('AccountGUID', $accountguid);+    
$xmlr->addChild('username', CFCNP_PLUGIN_UID);+    $xmlr->addChild('password', CFCNP_PLUGIN_SKY);++ +    try {+        $response = $client->GetPledgeTVChannelList($xmlr);+        $responsearr = $response->GetPledgeTVChannelListResult->PledgeTVChannel;+        +      +        $orderRes = [];+        if (!is_array($responsearr)) {+        +            $orderRes[$responsearr->ChannelURLID] = $responsearr->ChannelName;+        } else {+         +            foreach ($responsearr as $obj) {+                $orderRes[$obj->ChannelURLID] = $obj->ChannelName;+            }+        }++ +        natcasesort($orderRes);++      +        $camrtrnval = "<option value=''>Select channel</option>";++        foreach ($orderRes as $key => $value) {+            if (!empty($key)) {+                $displymsg = ($_REQUEST['slcamp'] == $key) ? "selected" : "";+                $camrtrnval .= "<option value='" . $key . "' $displymsg>" . $value . " (" . $key . ")</option>";+            }+        }+     -	 $camrtrnval = "<option value=''>Select channel</option>";-    if (count($orderRes) > 0) {-     foreach ($orderRes as $key => $value) {-     if($key !=""){-     if($_REQUEST['slcamp'] == $key){$displymsg ="selected"; }else{$displymsg ="";}-        $camrtrnval .= "<option value='" . $key . "' $displymsg>" . $value . " (" .$key . ")</option>";-     }-      }-    }-	/* if(!is_array($responsearr))-		{ if($_REQUEST['slcamp'] == $responsearr->ChannelURLID){$displymsg ="selected"; }else{$displymsg ="";}-		if($responsearr->ChannelURLID !=""){-		 $camrtrnval.= "<option value='".$responsearr->ChannelURLID."' $displymsg>".$responsearr->ChannelName." (".$responsearr->ChannelURLID.")</option>";-		}}else{-		for($inc = 0 ; $inc < count($responsearr);$inc++)-		{-			if($_REQUEST['slcamp'] == $responsearr[$inc]->ChannelURLID){$displymsg = "selected"; }else{$displymsg ="";}-		 $camrtrnval .= "<option value='".$responsearr[$inc]->ChannelURLID."' $displymsg >".$responsearr[$inc]->ChannelName." 
(".$responsearr[$inc]->ChannelURLID.")</option>";-		}+        echo $camrtrnval; -	 }*/-    echo $camrtrnval;-	+    } catch (Exception $e) {+       +        echo "<option value=''>Error fetching channels: " . esc_html($e->getMessage()) . "</option>";+    }+} -	} 	 ?>\ No newline at end of file
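Review bot: the `+` loop in this hunk still writes `$key` and `$value` straight into the `<option>` markup, so the esc_attr()/esc_html() escaping shown in the analysis below is not in the diff; only the catch block's error message gained esc_html(). `$_REQUEST['slcamp']` is also read without isset(), which raises an undefined-index warning whenever the parameter is absent, and the unchanged `'exceptions' => 0` SoapClient option means the new try/catch will not see SOAP faults (SoapClient returns a SoapFault object instead of throwing).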
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - getcnpactivechannels.php [45-46]
Old Code:
```php
$displymsg = ($_REQUEST['slcamp'] == $key) ? "selected" : "";
$camrtrnval .= "<option value='" . $key . "' $displymsg>" . $value . " (" . $key . ")</option>";
```

Fixed Code:
```php
$displymsg = ($_REQUEST['slcamp'] == $key) ? "selected" : "";
$camrtrnval .= "<option value='" . esc_attr($key) . "' $displymsg>" . esc_html($value) . " (" . esc_html($key) . ")</option>";
```

Explanation:
User input from $_REQUEST['slcamp'] and $key (which comes from $_REQUEST['AccountId_val'] and $_REQUEST['AccountGUId_val']) is directly embedded into HTML output without sanitization. The $_REQUEST['slcamp'] value is used in the $displymsg variable which is inserted as an HTML attribute, and $key is used in both the value attribute and text content. An attacker can control these values to inject malicious scripts that execute when the HTML is rendered in a browser. The values flow directly from user input to HTML output without any validation or escaping.

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - getcnpactivechannels.php [52]
Old Code:
```php
echo "<option value=''>Error fetching channels: " . $e->getMessage() . "</option>";
```

Fixed Code:
```php
echo "<option value=''>Error fetching channels: " . esc_html($e->getMessage()) . "</option>";
```

Explanation:
The exception message from $e->getMessage() is directly output into HTML without sanitization. While exception messages typically contain system information rather than user input, they could potentially include user-controlled data if the SOAP service returns error messages containing user input. The message is embedded in HTML context without escaping, allowing script injection if the message contains malicious content.
CVE Analysis Results:
CVE-2025-32550: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-32550] [Click & Pledge CONNECT: 2.24080000-WP6.6.1→2.24120000-WP6.7.1] getcnpditactivecampaigns.php AI: 2 vulnerabilities 2 false positives
--- cache/click-pledge-connect_2.24080000-WP6.6.1/getcnpditactivecampaigns.php	2025-11-20 22:13:36.787109586 +0000+++ cache/click-pledge-connect_2.24120000-WP6.7.1/getcnpditactivecampaigns.php	2025-11-20 22:19:32.277908626 +0000@@ -1,81 +1,93 @@ <?php 	define( 'CFCNP_PLUGIN_UID', "14059359-D8E8-41C3-B628-E7E030537905"); 	define( 'CFCNP_PLUGIN_SKY', "5DC1B75A-7EFA-4C01-BDCD-E02C536313A3");-$connect  = array('soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => 0);-$client   = new SoapClient('https://resources.connect.clickandpledge.com/wordpress/Auth2.wsdl', $connect);+$connect = array('soap_version' => SOAP_1_1, 'trace' => 1, 'exceptions' => 0);+$client = new SoapClient('https://resources.connect.clickandpledge.com/wordpress/Auth2.wsdl', $connect); -if( !isset($_REQUEST['CampaignId']) && isset($_REQUEST['AccountId_val']) && -           $_REQUEST['AccountId_val']!="" && -     isset($_REQUEST['AccountGUId_val']) &&  $_REQUEST['AccountGUId_val']!=""-  )-{-	$accountid     = $_REQUEST['AccountId_val'];-	$accountguid   = $_REQUEST['AccountGUId_val'];-$xmlr  = new SimpleXMLElement("<GetActiveCampaignList2></GetActiveCampaignList2>");-$xmlr->addChild('accountId', $accountid);-$xmlr->addChild('AccountGUID', $accountguid);-$xmlr->addChild('username', CFCNP_PLUGIN_UID);-$xmlr->addChild('password', CFCNP_PLUGIN_SKY);-$response = $client->GetActiveCampaignList2($xmlr); -- $responsearr =  $response->GetActiveCampaignList2Result->connectCampaign;- $cnporderRes = [];-    if( !is_array($responsearr)){+if (isset($_REQUEST['AccountId_val']) && !empty($_REQUEST['AccountId_val']) && isset($_REQUEST['AccountGUId_val']) && !empty($_REQUEST['AccountGUId_val']) && !isset($_REQUEST['CampaignId'])) { -      $cnporderRes[$responsearr->alias] = $responsearr->name;-    }-    else {-      foreach ($responsearr as $obj) {-        $cnporderRes[$obj->alias] = $obj->name;-      }+    $accountid = $_REQUEST['AccountId_val'];+    $accountguid = $_REQUEST['AccountGUId_val'];++    $xmlr = new 
SimpleXMLElement("<GetActiveCampaignList2></GetActiveCampaignList2>");+    $xmlr->addChild('accountId', $accountid);+    $xmlr->addChild('AccountGUID', $accountguid);+    $xmlr->addChild('username', CFCNP_PLUGIN_UID);+    $xmlr->addChild('password', CFCNP_PLUGIN_SKY);++    try {+        $response = $client->GetActiveCampaignList2($xmlr);+        $responsearr = $response->GetActiveCampaignList2Result->connectCampaign;+        $cnporderRes = [];++        if (!is_array($responsearr)) {+            $cnporderRes[$responsearr->alias] = $responsearr->name;+        } else {+            foreach ($responsearr as $obj) {+                $cnporderRes[$obj->alias] = $obj->name;+            }+        }++        natcasesort($cnporderRes); +        $camrtrnval = "<option value=''>Select Campaign Name</option>";++      +        foreach ($cnporderRes as $cnpkey => $cnpvalue) {+            $selected = ($_REQUEST['slcamp'] == $cnpkey) ? "selected" : "";+            $camrtrnval .= "<option value='" . $cnpkey . "' $selected>" . $cnpvalue . " (" . $cnpkey . ")</option>";+        }++        echo $camrtrnval;++    } catch (Exception $e) {+        echo "<option value=''>Error fetching campaigns: " . esc_html($e->getMessage()) . "</option>";     }-    natcasesort($cnporderRes);$displymsg ="";- $camrtrnval = "<option value=''>Select Campaign Name</option>";-	- -		foreach ($cnporderRes as $cnpkey => $cnpvalue) {-        if($_REQUEST['slcamp'] == $cnpkey){$displymsg ="selected"; }else{$displymsg ="";}-        $camrtrnval .= "<option value='" . $cnpkey . "'  $displymsg>" . $cnpvalue . " (" . $cnpkey . 
")</option>";-      }-	- -echo $camrtrnval;-	 }-if( isset($_REQUEST['AccountId_val']) && $_REQUEST['AccountId_val']!="" && -    isset($_REQUEST['AccountGUId_val']) &&  $_REQUEST['AccountGUId_val']!="" && -    isset($_REQUEST['CampaignId']) &&  $_REQUEST['CampaignId']!="" )-{--	$cnpaccountID      = $_REQUEST['AccountId_val'];-	$cnpaccountguidID  = $_REQUEST['AccountGUId_val'];-	$cnpcampaignId     = $_REQUEST['CampaignId'];-	$xmlr  = new SimpleXMLElement("<GetActiveFormList2></GetActiveFormList2>");-	$xmlr->addChild('accountId', $cnpaccountID);-	$xmlr->addChild('AccountGUID', $cnpaccountguidID);-	$xmlr->addChild('username', CFCNP_PLUGIN_UID);-	$xmlr->addChild('password', CFCNP_PLUGIN_SKY);-	$xmlr->addChild('campaignAlias', $cnpcampaignId);-	$displymsg ="";-	$frmresponse    =  $client->GetActiveFormList2($xmlr); 	-	$frmresponsearr =  $frmresponse->GetActiveFormList2Result->form;	-	 $cnpforderRes = [];- if( !is_array($frmresponsearr)){-      $cnpforderRes[$frmresponsearr->formGUID] = $frmresponsearr->formName;-    }-    else {-      foreach ($frmresponsearr as $obj) {-        $cnpforderRes[$obj->formGUID] = $obj->formName;-      }-    }-    natcasesort($cnpforderRes);-	 $rtrnval = "<option value=''>Select Form Name</option>";-foreach ($cnpforderRes as $cnpkey => $cnpvalue) {- if($_REQUEST['sform'] == $cnpkey){$displymsg ="selected"; }else{$displymsg ="";}-        $rtrnval .= "<option value='" . $cnpkey . "'$displymsg>" . 
$cnpvalue ."</option>";-      } -	-	echo $rtrnval;++if (isset($_REQUEST['AccountId_val']) && !empty($_REQUEST['AccountId_val']) &&+    isset($_REQUEST['AccountGUId_val']) && !empty($_REQUEST['AccountGUId_val']) &&+    isset($_REQUEST['CampaignId']) && !empty($_REQUEST['CampaignId'])) {+++    $cnpaccountID = $_REQUEST['AccountId_val'];+    $cnpaccountguidID = $_REQUEST['AccountGUId_val'];+    $cnpcampaignId = $_REQUEST['CampaignId'];++    $xmlr = new SimpleXMLElement("<GetActiveFormList2></GetActiveFormList2>");+    $xmlr->addChild('accountId', $cnpaccountID);+    $xmlr->addChild('AccountGUID', $cnpaccountguidID);+    $xmlr->addChild('username', CFCNP_PLUGIN_UID);+    $xmlr->addChild('password', CFCNP_PLUGIN_SKY);+    $xmlr->addChild('campaignAlias', $cnpcampaignId);++    try {+        $frmresponse = $client->GetActiveFormList2($xmlr);+        $frmresponsearr = $frmresponse->GetActiveFormList2Result->form;+        $cnpforderRes = [];++        if (!is_array($frmresponsearr)) {+            $cnpforderRes[$frmresponsearr->formGUID] = $frmresponsearr->formName;+        } else {+            foreach ($frmresponsearr as $obj) {+                $cnpforderRes[$obj->formGUID] = $obj->formName;+            }+        }++        natcasesort($cnpforderRes); +        $rtrnval = "<option value=''>Select Form Name</option>";++       +        foreach ($cnpforderRes as $cnpkey => $cnpvalue) {+            $selected = ($_REQUEST['sform'] == $cnpkey) ? "selected" : "";+            $rtrnval .= "<option value='" . $cnpkey . "' $selected>" . $cnpvalue . "</option>";+        }++        echo $rtrnval;++    } catch (Exception $e) {+        echo "<option value=''>Error fetching forms: " . esc_html($e->getMessage()) . "</option>";+    } }+ ?>\ No newline at end of file
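Review bot: both new branches still build the `<option>` markup by concatenating `$cnpkey` and `$cnpvalue` from the SOAP response straight into the attribute and text nodes; wrap them in `esc_attr()`/`esc_html()` the way `$e->getMessage()` is wrapped in the new `catch` blocks. `$_REQUEST['slcamp']` and `$_REQUEST['sform']` are also read without `isset()` inside the loops, which raises a notice when the parameter is absent; the `isset()`/`!empty()` guards added for the account fields should cover those too. The `try`/`catch` is a good addition, since the old code called `$client->GetActiveFormList2()` with no handler at all.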
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - getcnpditactivecampaigns.php [33,80]
Old Code:
```php
$selected = ($_REQUEST['slcamp'] == $cnpkey) ? "selected" : "";
$camrtrnval .= "<option value='" . $cnpkey . "' $selected>" . $cnpvalue . " (" . $cnpkey . ")</option>";
```
Fixed Code:
```php
$selected = ($_REQUEST['slcamp'] == $cnpkey) ? "selected" : "";
$camrtrnval .= "<option value='" . esc_attr($cnpkey) . "' $selected>" . esc_html($cnpvalue) . " (" . esc_html($cnpkey) . ")</option>";
```

Explanation:
`$_REQUEST['slcamp']` is only compared with `$cnpkey` to decide whether the `selected` flag is emitted; the request value itself never reaches the output. What is concatenated into the `<option>` markup unescaped is `$cnpkey` (the campaign alias) and `$cnpvalue` (the campaign name), both taken from the SOAP response. The post-patch code in the diff still emits them raw; the `esc_attr()`/`esc_html()` calls shown under Fixed Code are the suggested hardening, not what shipped. Because these values originate from the vendor's SOAP service rather than from the request, the sink is not directly attacker-controlled.

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - getcnpditactivecampaigns.php [80,33]
Old Code:
```php
$selected = ($_REQUEST['sform'] == $cnpkey) ? "selected" : "";
$rtrnval .= "<option value='" . $cnpkey . "' $selected>" . $cnpvalue . "</option>";
```
Fixed Code:
```php
$selected = ($_REQUEST['sform'] == $cnpkey) ? "selected" : "";
$rtrnval .= "<option value='" . esc_attr($cnpkey) . "' $selected>" . esc_html($cnpvalue) . "</option>";
```

Explanation:
`$_REQUEST['sform']` is only compared with `$cnpkey` to decide whether the `selected` flag is emitted; the request value itself never reaches the output. What is concatenated into the `<option>` markup unescaped is `$cnpkey` (the form GUID) and `$cnpvalue` (the form name), both taken from the SOAP response. The post-patch code in the diff still emits them raw; the `esc_attr()`/`esc_html()` calls shown under Fixed Code are the suggested hardening, not what shipped. As with the campaign list, the values come from the vendor's SOAP service rather than from the request, so the sink is not directly attacker-controlled.
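The two option-list findings above describe the same pattern: a value taken from a remote response is dropped into a single-quoted `value='...'` attribute and into the element text with no encoding. The following is an added example, not code from the Click & Pledge plugin, that builds the same `<option>` list from constructed campaign data once the shipped way and once with escaping. `htmlspecialchars()` stands in for WordPress's `esc_attr()`/`esc_html()`, which are not available outside WordPress; the campaign data is made up for the demonstration.

```php
<?php
// Added example, not the plugin's code. Builds the <option> list the way
// getcnpditactivecampaigns.php does, then the escaped way, from constructed data.
declare(strict_types=1);

/** Stand-in for esc_attr()/esc_html(): safe for a quoted attribute value and for text nodes. */
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Shipped shape: alias and name are concatenated raw into the markup. */
function render_options_raw(array $campaigns, string $selected_alias): string {
    $html = "<option value=''>Select Campaign Name</option>";
    foreach ($campaigns as $alias => $name) {
        $selected = ($selected_alias === (string) $alias) ? 'selected' : '';
        $html .= "<option value='" . $alias . "' $selected>" . $name . " (" . $alias . ")</option>";
    }
    return $html;
}

/** Escaped shape: every interpolated value passes through esc(); the flag is computed, not echoed. */
function render_options_escaped(array $campaigns, string $selected_alias): string {
    $html = "<option value=''>Select Campaign Name</option>";
    foreach ($campaigns as $alias => $name) {
        $selected = ($selected_alias === (string) $alias) ? ' selected' : '';
        $html .= "<option value='" . esc((string) $alias) . "'" . $selected . '>'
               . esc($name) . ' (' . esc((string) $alias) . ')</option>';
    }
    return $html;
}

// Constructed stand-in for the GetActiveCampaignList2 response: one benign campaign and one
// whose alias closes the single-quoted value attribute and whose name carries markup.
$campaigns = [
    'spring2025'               => 'Spring Appeal',
    "x' onmouseover='alert(1)" => 'Gala <b>2025</b>',
];
natcasesort($campaigns);   // same ordering step the plugin applies

echo render_options_raw($campaigns, 'spring2025'), "\n\n";
echo render_options_escaped($campaigns, 'spring2025'), "\n";
```

In the raw output the second alias terminates the `value` attribute and adds an event handler, and the `<b>` in the name is rendered as markup; in the escaped output both appear as literal text. The comparison uses `===` with an explicit string cast, whereas the plugin compares `$_REQUEST['slcamp'] == $cnpkey` loosely; the strict form avoids PHP's numeric-string coercion when an alias happens to look like a number.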
CVE Analysis Results:
CVE-2025-32550: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect Plugin allows SQL Injection. This issue affects Click & Pledge Connect Plugin: from 2.24080000 through WP6.6.1.
[CVE-2025-39587] [Cost Calculator Builder: 3.2.67→3.2.68] cost-calculator-builder.php AI: No vulnerabilities 1 true positive
--- cache/cost-calculator-builder_3.2.67/cost-calculator-builder.php	2025-11-20 22:13:16.204786601 +0000+++ cache/cost-calculator-builder_3.2.68/cost-calculator-builder.php	2025-11-20 22:13:27.701525586 +0000@@ -8,7 +8,7 @@  * License: GNU General Public License v2 or later  * License URI: http://www.gnu.org/licenses/gpl-2.0.html  * Text Domain: cost-calculator-builder- * Version: 3.2.67+ * Version: 3.2.68  */  if ( ! defined( 'ABSPATH' ) ) {@@ -17,7 +17,7 @@  define( 'CALC_DIR', __DIR__ ); define( 'CALC_FILE', __FILE__ );-define( 'CALC_VERSION', '3.2.67' );+define( 'CALC_VERSION', '3.2.68' ); define( 'CALC_WP_TESTED_UP', '6.7.1' ); define( 'CALC_DB_VERSION', '3.2.65' ); define( 'CALC_PATH', dirname( CALC_FILE ) );
AI Analysis
Vulnerability Existed: no  
No specific vulnerability - No CWE ID - cost-calculator-builder.php [Lines 8,17]  
Old Code:  
```php  
 * Version: 3.2.67  
define( 'CALC_VERSION', '3.2.67' );  
```  
Fixed Code:  
```php  
 * Version: 3.2.68  
define( 'CALC_VERSION', '3.2.68' );  
```  

Explanation:  
The diff shows only version number updates from 3.2.67 to 3.2.68 in the plugin header comment and CALC_VERSION constant definition. These changes contain no user input handling, no security-related code modifications, and no vulnerability fixes. The version bump alone does not indicate any security vulnerability presence or remediation.
CVE Analysis Results:
CVE-2025-39587: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix Cost Calculator Builder allows SQL Injection. This issue affects Cost Calculator Builder: from n/a through 3.2.65.
[CVE-2025-39587] [Cost Calculator Builder: 3.2.67→3.2.68] includes/classes/models/Payments.php AI: 1 vulnerabilities 1 true positive CVE-2025-39587
--- cache/cost-calculator-builder_3.2.67/includes/classes/models/Payments.php	2025-11-20 22:13:16.396798944 +0000+++ cache/cost-calculator-builder_3.2.68/includes/classes/models/Payments.php	2025-11-20 22:13:27.874536707 +0000@@ -52,15 +52,29 @@ 	public static function update_payment_status_by_order_ids( $order_ids, $status = '' ) { 		global $wpdb; -		return $wpdb->query(-			$wpdb->prepare(-				'UPDATE `%1s` SET `status` = "%2s", `updated_at` = "%3s" WHERE order_id IN (%4s)', //phpcs:ignore-				self::_table(),-				$status,-				wp_date( 'Y-m-d H:i:s' ),-				implode( ',', $order_ids )-			)+		$statuses = array( 'pending', 'cancelled', 'rejected', 'complete' );+		if ( ! in_array( $status, $statuses, true ) ) {+			wp_send_json(+				array(+					'message' => 'Invalid status: ' . $status,+					'success' => false,+				)+			);+		}++		$order_ids    = array_map( 'intval', (array) $order_ids );+		$placeholders = implode( ',', array_fill( 0, count( $order_ids ), '%d' ) );++		$query = sprintf(+			"UPDATE `%s` SET `status` = %%s, `updated_at` = %%s WHERE order_id IN (%s)", //phpcs:ignore+			self::_table(),+			$placeholders 		);++		$args           = array_merge( array( $query, $status, wp_date( 'Y-m-d H:i:s' ) ), $order_ids );+		$prepared_query = call_user_func_array( array( $wpdb, 'prepare' ), $args );++		return $wpdb->query( $prepared_query ); //phpcs:ignore 	}  	/**
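Review bot: an empty `$order_ids` array makes `$placeholders` the empty string and the query becomes `WHERE order_id IN ()`, a syntax error; return early when `count( $order_ids ) === 0`. Two smaller points: the status guard relies on `wp_send_json()` ending the request via `wp_die()`, which couples a model method to the HTTP response layer (throwing or returning `false` would keep `update_payment_status_by_order_ids()` reusable from non-AJAX callers), and the table name is still interpolated with `sprintf()`, which is acceptable while `self::_table()` is internal but deserves a comment saying so. The core of the change is right: the old width-qualified `%4s` placeholder left the `implode()` output unquoted inside `IN (...)`, and `intval()` on each id plus one `%d` per value binds the list properly.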
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/classes/models/Payments.php 52-68
Old Code:
```php
return $wpdb->query(
    $wpdb->prepare(
        'UPDATE `%1s` SET `status` = "%2s", `updated_at` = "%3s" WHERE order_id IN (%4s)', //phpcs:ignore
        self::_table(),
        $status,
        wp_date( 'Y-m-d H:i:s' ),
        implode( ',', $order_ids )
    )
);
```
Fixed Code:
```php
$statuses = array( 'pending', 'cancelled', 'rejected', 'complete' );
if ( ! in_array( $status, $statuses, true ) ) {
    wp_send_json(
        array(
            'message' => 'Invalid status: ' . $status,
            'success' => false,
        )
    );
}

$order_ids    = array_map( 'intval', (array) $order_ids );
$placeholders = implode( ',', array_fill( 0, count( $order_ids ), '%d' ) );

$query = sprintf(
    "UPDATE `%s` SET `status` = %%s, `updated_at` = %%s WHERE order_id IN (%s)", //phpcs:ignore
    self::_table(),
    $placeholders
);

$args           = array_merge( array( $query, $status, wp_date( 'Y-m-d H:i:s' ) ), $order_ids );
$prepared_query = call_user_func_array( array( $wpdb, 'prepare' ), $args );

return $wpdb->query( $prepared_query ); //phpcs:ignore
```

Explanation:
The old query pushed `implode( ',', $order_ids )` through a width-qualified `%4s` placeholder. `$wpdb->prepare()` wraps a plain `%s` in quotes but not placeholders such as `%1s`/`%4s` (the well-known `%1s` pitfall), which is the only reason an `IN (1,2,3)` list could work here at all: the whole comma-separated string was dropped into the clause unquoted, as a single parameter. Escaping quote characters is no defence in that position, because an integer context needs none; an id value such as `1) OR 1=1 -- ` closes the list and rewrites the rest of the WHERE clause, so whoever controls `$order_ids` controls the query. The fixed code validates `$status` against an allow-list (`wp_send_json()` terminates the request on a mismatch), casts every id with `array_map( 'intval', ... )`, and emits one `%d` placeholder per id, so each value is bound individually.
CVE Analysis Results:
CVE-2025-39587: Yes
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix Cost Calculator Builder allows SQL Injection. This issue affects Cost Calculator Builder: from n/a through 3.2.65.
[CVE-2025-48283] [Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin: 1.1.0→1.1.1] includes/activation.php AI: No vulnerabilities 1 true positive
--- cache/majestic-support_1.1.0/includes/activation.php	2025-11-20 18:46:16.851105937 +0000+++ cache/majestic-support_1.1.1/includes/activation.php	2025-11-20 18:48:01.240815751 +0000@@ -196,8 +196,8 @@                     ('tplink_faqs_user', '0', 'tplink', 'faq'),                     ('show_breadcrumbs', '1', 'default', NULL),                     ('productcode', 'mjsupport', 'default', NULL),-                    ('versioncode', '1.1.0', 'default', NULL),-                    ('productversion', '110', 'default', NULL),+                    ('versioncode', '1.1.1', 'default', NULL),+                    ('productversion', '111', 'default', NULL),                     ('producttype', 'free', 'default', NULL),                     ('tve_enabled', '2', 'default', NULL),                     ('tve_mailreadtype', '3', 'default', NULL),
AI Analysis
Vulnerability Existed: no
No vulnerability - No CWE - includes/activation.php 196-204
Old Code:
```php
                    ('versioncode', '1.1.0', 'default', NULL),
                    ('productversion', '110', 'default', NULL),
```
Fixed Code:
```php
                    ('versioncode', '1.1.1', 'default', NULL),
                    ('productversion', '111', 'default', NULL),
```

Explanation:
The diff shows only version number updates from 1.1.0 to 1.1.1 and from 110 to 111. These are hardcoded values being inserted into the database configuration table. There is no user input involved in this code, no SQL query construction, and no dynamic content generation. The values are static strings and numbers that are part of the plugin's internal configuration.
CVE Analysis Results:
CVE-2025-48283: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Majestic Support Majestic Support allows SQL Injection. This issue affects Majestic Support: from n/a through 1.1.0.
[CVE-2025-48283] [Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin: 1.1.0→1.1.1] majestic-support.php AI: No vulnerabilities 1 true positive
--- cache/majestic-support_1.1.0/majestic-support.php	2025-11-20 18:46:17.045118407 +0000+++ cache/majestic-support_1.1.1/majestic-support.php	2025-11-20 18:48:01.380824750 +0000@@ -3,14 +3,14 @@ /**  * @package Majestic Support  * @author Majestic Support- * @version 1.1.0+ * @version 1.1.1  */ /*   Plugin Name: Majestic Support   Plugin URI: https://www.majesticsupport.com   Description: Majestic Support is a trusted open source ticket system. Majestic Support is a simple, easy to use, web-based customer support system. User can create ticket from front-end. Majestic Support comes packed with lot features than most of the expensive(and complex) support ticket system on market. Majestic Support provide you best industry Majestic Support system.   Author: Majestic Support-  Version: 1.1.0+  Version: 1.1.1   License: GPLv3   Text Domain: majestic-support   @@ -66,7 +66,7 @@         self::$_data = array();         self::$_search = array();         self::$_captcha = array();-        self::$_currentversion = '110';+        self::$_currentversion = '111';         self::$_addon_query = array('select'=>'','join'=>'','where'=>'');         self::$_mjtcsession = MJTC_includer::MJTC_getObjectClass('wphdsession');         global $wpdb;@@ -1327,7 +1327,7 @@                 // restore colors data end                 update_option('ms_currentversion', majesticsupport::$_currentversion);                 include_once MJTC_PLUGIN_PATH . 'includes/updates/updates.php';-                MJTC_updates::MJTC_checkUpdates('110');+                MJTC_updates::MJTC_checkUpdates('111');                 MJTC_includer::MJTC_getModel('majesticsupport')->updateColorFile();                 // MJTC_includer::MJTC_getModel('majesticsupport')->MJTCAddonsAutoUpdate();             }
AI Analysis
Vulnerability Existed: no
No specific vulnerability - N/A - majestic-support.php Lines 3-14, 66, 1327
Old Code: Various version number changes from 1.1.0 to 1.1.1
Fixed Code: Various version number changes from 1.1.0 to 1.1.1

Explanation:
The diff shows only version number updates (1.1.0 to 1.1.1) and internal version constant updates ('110' to '111'). These changes do not introduce or fix any security vulnerabilities. There are no user input entry points, data transformations, or security sinks in the modified code. The changes are purely administrative version updates with no security implications.
CVE Analysis Results:
CVE-2025-48283: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Majestic Support Majestic Support allows SQL Injection. This issue affects Majestic Support: from n/a through 1.1.0.
[CVE-2025-48283] [Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin: 1.1.0→1.1.1] modules/department/model.php AI: No vulnerabilities 1 true positive
--- cache/majestic-support_1.1.0/modules/department/model.php	2025-11-20 18:46:17.046118471 +0000+++ cache/majestic-support_1.1.1/modules/department/model.php	2025-11-20 18:48:01.381824815 +0000@@ -82,7 +82,11 @@                 MJTC_message::MJTC_setMessage(esc_html(__('You are not allowed', 'majestic-support')) . ' ' . esc_html(majesticsupport::MJTC_getVarValue($task_allow)), 'error');                 return;             }-        }+        }else{+			if(!current_user_can('manage_options')){+				return false;+			}+		}          if($data['sendmail'] == 1 && is_numeric($data['emailid'])){             if ( in_array('emailpiping',majesticsupport::$_active_addons)) {
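Review bot: the new `else` branch returns `false` silently, whereas the sibling branch sets a 'You are not allowed' message through `MJTC_message::MJTC_setMessage()` before returning; callers that ignore the return value will see a save that appears to succeed with nothing persisted. Mirror the existing branch (set the error message, then return). A capability check also says nothing about request forgery: if this save path is reachable from a form post or admin-ajax request, a nonce check belongs next to it unless the controller already enforces one before calling the model.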
AI Analysis
Vulnerability Existed: no
CWE-862: Missing Authorization - CWE-862 - modules/department/model.php 82-88
Old Code:
```php
        }

        if($data['sendmail'] == 1 && is_numeric($data['emailid'])){
            if ( in_array('emailpiping',majesticsupport::$_active_addons)) {
```
Fixed Code:
```php
        }else{
			if(!current_user_can('manage_options')){
				return false;
			}
		}

        if($data['sendmail'] == 1 && is_numeric($data['emailid'])){
            if ( in_array('emailpiping',majesticsupport::$_active_addons)) {
```

Explanation:
The diff adds an `else` branch to the existing task-permission check: when that check does not apply, the caller must now hold the `manage_options` capability (administrators by default) or the method returns `false`. This adds an authorization requirement rather than introducing a vulnerability.
CVE Analysis Results:
CVE-2025-48283: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Majestic Support Majestic Support allows SQL Injection. This issue affects Majestic Support: from n/a through 1.1.0.
[CVE-2025-48283] [Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin: 1.1.0→1.1.1] modules/fieldordering/model.php AI: 2 vulnerabilities 2 false positives CVE-2025-48283
--- cache/majestic-support_1.1.0/modules/fieldordering/model.php	2025-11-20 18:46:17.048118600 +0000+++ cache/majestic-support_1.1.1/modules/fieldordering/model.php	2025-11-20 18:48:01.383824943 +0000@@ -224,7 +224,7 @@                 }             }             -            if (isset($data['visibleParent']) && $data['visibleParent'] != '' && isset($data['visibleValue']) && $data['visibleValue'] != '' && isset($data['visibleCondition']) && $data['visibleCondition'] != ''){+            if (isset($data['visibleParent']) && $data['visibleParent'] != '' && is_numeric($data['visibleParent']) && isset($data['visibleValue']) && $data['visibleValue'] != '' && isset($data['visibleCondition']) && $data['visibleCondition'] != ''){                 $visible['visibleParentField'] = $fieldname;                 $visible['visibleParent'] = $data['visibleParent'];                 $visible['visibleCondition'] = $data['visibleCondition'];@@ -264,7 +264,7 @@                     MJTC_includer::MJTC_getModel('systemerror')->addSystemError();                 }                 -            } else if($data['id'] != ''){+            } else if($data['id'] != '' && is_numeric($data['id'])){                 $data['visibleparams'] = '';                 $query = "SELECT visibleparams FROM " . majesticsupport::$_db->prefix . "mjtc_support_fieldsordering WHERE id = " . esc_sql($data['id']);                 $visibleparams = majesticsupport::$_db->get_var($query);
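Review bot: `is_numeric()` is a gate, not a cast: it accepts `1.5`, `1e3` and leading whitespace, and in the `else if` branch the value is still concatenated into the query through `esc_sql($data['id'])`, which only escapes quote characters and offers nothing in an unquoted numeric comparison. Since `id` is an integer key, cast it with `absint()` (or `(int)`) and bind it with `$wpdb->prepare( '... WHERE id = %d', $id )` instead of string concatenation. The same holds for the `visibleParent` condition in the first hunk: validating it at the entry point helps, but the code that later puts it into SQL should cast and bind it as well.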
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - modules/fieldordering/model.php 264-266
Old Code:
```php
            } else if($data['id'] != ''){
                $data['visibleparams'] = '';
                $query = "SELECT visibleparams FROM " . majesticsupport::$_db->prefix . "mjtc_support_fieldsordering WHERE id = " . esc_sql($data['id']);
                $visibleparams = majesticsupport::$_db->get_var($query);
```

Fixed Code:
```php
            } else if($data['id'] != '' && is_numeric($data['id'])){
                $data['visibleparams'] = '';
                $query = "SELECT visibleparams FROM " . majesticsupport::$_db->prefix . "mjtc_support_fieldsordering WHERE id = " . esc_sql($data['id']);
                $visibleparams = majesticsupport::$_db->get_var($query);
```

Explanation:
`esc_sql()` only escapes quote and backslash characters, and here the value is concatenated into an unquoted numeric comparison (`WHERE id = <value>`), so an attacker who controls `$data['id']` needs no quotes: a value such as `1 OR 1=1` passes through `esc_sql()` untouched and changes the query. The fix gates the branch on `is_numeric( $data['id'] )`, so only numeric strings reach the query. Casting with `absint()` and binding the value through `$wpdb->prepare()` would be the more robust form, but the check does close the injection.
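The Payments.php finding above (an escaped but unquoted `IN (%4s)` list) and this one (`esc_sql()` in front of an unquoted `WHERE id =`) are the same mistake in two shapes. The following added example, not code from Cost Calculator Builder or Majestic Support, reproduces both against an in-memory SQLite database through PDO (assumption: the `pdo_sqlite` extension is loaded) and shows why escaping quotes does nothing in a numeric context and what the `intval()`/per-value-placeholder fix changes. `addslashes()` stands in for `esc_sql()` and `wpdb::_real_escape()`, which both escape quote characters only; the table, rows and attacker inputs are constructed for the demonstration.

```php
<?php
// Added example; not the plugins' code. Reproduces both query shapes from the diffs above
// against SQLite via PDO and contrasts them with cast-and-bind versions.
declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE payments (order_id INTEGER PRIMARY KEY, status TEXT NOT NULL, visibleparams TEXT)');
    foreach ([1, 2, 3, 4] as $id) {                       // constructed rows
        $db->exec("INSERT INTO payments VALUES ($id, 'pending', 'params-for-$id')");
    }
    return $db;
}

// Shape 1 (fieldordering/model.php): "... WHERE id = " . esc_sql($data['id'])
function lookup_vulnerable(PDO $db, string $id): array {
    $sql = 'SELECT visibleparams FROM payments WHERE order_id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Shape 2 (Payments.php): 'WHERE order_id IN (%4s)' fed implode(',', $order_ids); %4s is not quoted.
function update_vulnerable(PDO $db, array $order_ids, string $status): int {
    $sql = "UPDATE payments SET status = '" . addslashes($status) . "'"
         . ' WHERE order_id IN (' . addslashes(implode(',', $order_ids)) . ')';
    return $db->exec($sql);
}

// Fixed shape for both: cast to int, then bind every value through its own placeholder.
function lookup_safe(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT visibleparams FROM payments WHERE order_id = ?');
    $stmt->execute([(int) $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function update_safe(PDO $db, array $order_ids, string $status): int {
    $allowed = ['pending', 'cancelled', 'rejected', 'complete'];   // same allow-list as 3.2.68
    if (!in_array($status, $allowed, true)) {
        throw new InvalidArgumentException('Invalid status: ' . $status);
    }
    $order_ids = array_map('intval', $order_ids);
    if ($order_ids === []) {
        return 0;                   // "IN ()" is a syntax error; treat an empty list as a no-op
    }
    $placeholders = implode(',', array_fill(0, count($order_ids), '?'));
    $stmt = $db->prepare("UPDATE payments SET status = ? WHERE order_id IN ($placeholders)");
    $stmt->execute(array_merge([$status], $order_ids));
    return $stmt->rowCount();
}

function count_complete(PDO $db): int {
    return (int) $db->query("SELECT COUNT(*) FROM payments WHERE status = 'complete'")->fetchColumn();
}

// Constructed attacker inputs. Neither contains a quote, so addslashes()/esc_sql() leave them as-is.
$id_payload  = '1 OR 1=1';          // turns "WHERE order_id = 1" into a tautology
$ids_payload = ['1) OR 1=1 -- '];   // closes the IN() list, ORs a tautology, comments out the rest

$db = make_db();
echo 'lookup, vulnerable: ', count(lookup_vulnerable($db, $id_payload)), " rows\n";
echo 'lookup, safe:       ', count(lookup_safe($db, $id_payload)), " rows\n";

update_vulnerable($db, $ids_payload, 'complete');
echo 'update, vulnerable: ', count_complete($db), " rows marked complete\n";

$db = make_db();
update_safe($db, $ids_payload, 'complete');
echo 'update, safe:       ', count_complete($db), " rows marked complete\n";
```

Both vulnerable calls touch every row in the table, because the payloads rewrite the WHERE clause without needing a quote character for `addslashes()` to act on. Both safe calls touch only order 1: `(int) '1 OR 1=1'` and `intval('1) OR 1=1 -- ')` stop at the leading digit, and the value is then bound as a parameter rather than spliced into SQL text. The empty-list guard in `update_safe()` is the one behaviour the 3.2.68 code does not have.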

Vulnerability Existed: yes
FALSE POSITIVE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - modules/fieldordering/model.php 224-228
Old Code:
```php
            if (isset($data['visibleParent']) && $data['visibleParent'] != '' && isset($data['visibleValue']) && $data['visibleValue'] != '' && isset($data['visibleCondition']) && $data['visibleCondition'] != ''){
                $visible['visibleParentField'] = $fieldname;
                $visible['visibleParent'] = $data['visibleParent'];
                $visible['visibleCondition'] = $data['visibleCondition'];
                $visible['visibleValue'] = $data['visibleValue'];
```

Fixed Code:
```php
            if (isset($data['visibleParent']) && $data['visibleParent'] != '' && is_numeric($data['visibleParent']) && isset($data['visibleValue']) && $data['visibleValue'] != '' && isset($data['visibleCondition']) && $data['visibleCondition'] != ''){
                $visible['visibleParentField'] = $fieldname;
                $visible['visibleParent'] = $data['visibleParent'];
                $visible['visibleCondition'] = $data['visibleCondition'];
                $visible['visibleValue'] = $data['visibleValue'];
```

Explanation:
The vulnerability exists because user-controlled `$data['visibleParent']` is stored in `$visible['visibleParent']` without numeric validation. While the code doesn't show the complete data flow, the addition of `is_numeric()` validation in the condition suggests this value was previously used in a numeric SQL context elsewhere in the codebase. The fix prevents non-numeric values from being stored and subsequently used in unsafe numeric SQL queries.
CVE Analysis Results:
CVE-2025-48283: Yes
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Majestic Support Majestic Support allows SQL Injection. This issue affects Majestic Support: from n/a through 1.1.0.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] WoocommerceIR_SMS.php AI: No vulnerabilities 1 true positive
--- cache/persian-woocommerce-sms_7.0.10/WoocommerceIR_SMS.php	2025-11-20 14:24:52.615572005 +0000+++ cache/persian-woocommerce-sms_7.1.0/WoocommerceIR_SMS.php	2025-11-20 14:24:54.586697747 +0000@@ -3,11 +3,11 @@  * Plugin Name: پیامک حرفه ای ووکامرس  * Plugin URI: https://woosupport.ir  * Description: افزونه کامل و حرفه ای برای اطلاع رسانی پیامکی سفارشات و رویداد های محصولات ووکامرس. تمامی حقوق این افزونه متعلق به <a href="http://woosupport.ir" target="_blank">تیم ووکامرس پارسی</a> می باشد و هر گونه کپی برداری، فروش آن غیر مجاز می باشد.- * Version: 7.0.10+ * Version: 7.1.0  * Author: ووکامرس فارسی  * Author URI: https://woosupport.ir  * WC requires at least: 6.0.0- * WC tested up to: 9.5.2+ * WC tested up to: 9.8.5  */  if ( ! defined( 'ABSPATH' ) ) {@@ -18,7 +18,7 @@ require_once 'vendor/autoload.php';  if ( ! defined( 'PWSMS_VERSION' ) ) {-	define( 'PWSMS_VERSION', '7.0.10' );+	define( 'PWSMS_VERSION', '7.1.0' ); }  if ( ! defined( 'PWSMS_URL' ) ) {
AI Analysis
Vulnerability Existed: no
No vulnerability detected - No CWE ID - WoocommerceIR_SMS.php 3-18
Old Code:
```php
 * Version: 7.0.10
 * WC tested up to: 9.5.2
if ( ! defined( 'PWSMS_VERSION' ) ) {
	define( 'PWSMS_VERSION', '7.0.10' );
}
```
Fixed Code:
```php
 * Version: 7.1.0
 * WC tested up to: 9.8.5
if ( ! defined( 'PWSMS_VERSION' ) ) {
	define( 'PWSMS_VERSION', '7.1.0' );
}
```

Explanation:
The diff shows only version number updates and compatibility version changes. There are no user input sources, no security-sensitive operations, no database queries, no file operations, and no code execution points. The changes are purely metadata updates without any security implications.
CVE Analysis Results:
CVE-2025-49315: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Gateways/Asanak.php AI: No vulnerabilities 2 false positives, 1 true positive
--- cache/persian-woocommerce-sms_7.0.10/src/Gateways/Asanak.php	2025-11-20 14:24:52.584570028 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/Gateways/Asanak.php	2025-11-20 14:24:54.551695514 +0000@@ -7,46 +7,66 @@ use SoapFault;  class Asanak implements GatewayInterface {-    use GatewayTrait;+	use GatewayTrait; -    public static function id() {-        return 'asanak';-    }--    public static function name() {-        return 'asanak.ir';-    }--    public function send() {-        $username = $this->username;-        $password = $this->password;-        $from     = $this->senderNumber;-        $to       = $this->mobile;-        $massage  = $this->message;--        if ( empty( $username ) || empty( $password ) ) {-            return false;-        }--        $to = implode( '-', $to );-        $to = str_ireplace( '+98', '0', $to );--        $data = [-            'username'    => $username,-            'password'    => $password,-            'destination' => $to,-            'source'      => $from,-            'message'     => $massage,-        ];--        $remote = wp_remote_get( 'http://panel.asanak.ir/webservice/v1rest/sendsms?' . http_build_query( $data ) );--        $response = wp_remote_retrieve_body( $remote );--        if ( preg_match( '/\[.*\]/is', (string) $response ) ) {-            return true; // Success-        }+	public string $api_url = 'https://sms.asanak.ir/webservice/v2rest'; -        return $response;-    }+	public static function id() {+		return 'asanak';+	}++	public static function name() {+		return 'asanak.ir';+	}++	public function send() {+		$username = $this->username;+		$password = $this->password;+		$from     = $this->senderNumber;+		$to       = $this->mobile;+		$massage  = $this->message;++		if ( empty( $username ) || empty( $password ) ) {+			return false;+		}++		$to  = implode( ',', $to );+		$to  = str_ireplace( '+98', '0', $to );+		$url = $this->api_url . 
'/sendsms';++		$data = [+			'username'    => $username,+			'password'    => $password,+			'destination' => $to,+			'source'      => $from,+			'message'     => $massage,+		];++		$args = [+			'body'    => $data,+			'headers' => [+				'cache-control' => 'no-cache',+				'Content-Type'  => 'application/x-www-form-urlencoded'+			],+		];++		$remote = wp_remote_post( $url, $args );++		if ( is_wp_error( $remote ) ) {+			return "خطا: " . $remote->get_error_message();+		}++		$response = wp_remote_retrieve_body( $remote );+		$response = json_decode( $response );++		if ( json_last_error() ) {+			return 'پاسخ نامعتبر از سمت وبسرویس.';+		}++		if ( isset( $response->meta ) && isset( $response->meta->status ) && $response->meta->status == 200 ) {+			return true;+		}++		return $response;+	} }
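Review bot: the security-relevant part of this hunk is not mentioned anywhere: the old code sent the gateway `username` and `password` as query-string parameters of a `wp_remote_get()` to an `http://` URL, so the credentials travelled in clear text and would land in proxy and web-server access logs; the new code posts them in the request body to an `https://` endpoint. Say so in the change description. Two follow-ups: `send()` now returns `true`, a Persian error string, or the decoded response object, so every caller has to handle three types (returning a string on every failure path would be simpler), and the decoded `$response` is returned wholesale when `meta->status` is not 200, which hands whatever the gateway echoes back up the stack unfiltered.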
AI Analysis
Vulnerability Existed: no
CWE-918: Server-Side Request Forgery (SSRF) - CWE 918 - src/Gateways/Asanak.php [7-66]
Old Code:
```php
$remote = wp_remote_get( 'http://panel.asanak.ir/webservice/v1rest/sendsms?' . http_build_query( $data ) );
```
Fixed Code:
```php
$url = $this->api_url . '/sendsms';
// ...
$remote = wp_remote_post( $url, $args );
```

Explanation:
The old code built a GET request with `http_build_query()` from the configured gateway credentials, the sender number, the recipient list and the message text, but appended them to a fixed, hardcoded URL (`panel.asanak.ir`). None of that data can change the scheme, host, port or path, so it cannot redirect the request to another system. The fixed code switches to `wp_remote_post()` against `$this->api_url . '/sendsms'`, again a constant, with the same data in the request body rather than the query string; the destination remains outside the caller's control.

Vulnerability Existed: no
CWE-200: Information Exposure - CWE 200 - src/Gateways/Asanak.php [7-66]
Old Code:
```php
return $response;
```
Fixed Code:
```php
if ( is_wp_error( $remote ) ) {
    return "خطا: " . $remote->get_error_message();
}
// ...
return $response;
```

Explanation:
The old code returned the raw API response body on anything other than a recognised success. The fixed code adds a branch that returns the `WP_Error` message (prefixed with "خطا:", "Error:") for transport failures and still returns the decoded API response object when `meta->status` is not 200. Nothing on the page shows that the Asanak response carries credentials or other sensitive data; it is expected to hold status codes and message identifiers, not authentication material, so this does not amount to an information exposure.

Vulnerability Existed: no
CWE-209: Information Exposure Through an Error Message - CWE 209 - src/Gateways/Asanak.php [7-66]
Old Code:
```php
// No specific error handling
```
Fixed Code:
```php
if ( is_wp_error( $remote ) ) {
    return "خطا: " . $remote->get_error_message();
}
```

Explanation:
The fixed code adds error handling that returns WP_Error messages directly. However, WP_Error messages typically contain system-level error information (like connection failures, timeouts) rather than sensitive application data. These error messages don't reveal credentials, database information, or file paths that would constitute a security vulnerability. The error messages are generic network/connection errors that don't expose sensitive system information.
CVE Analysis Results:
CVE-2025-49315: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Gateways/IPPanel.php AI: No vulnerabilities 3 true positives
--- cache/persian-woocommerce-sms_7.0.10/src/Gateways/IPPanel.php	2025-11-20 14:24:52.587570219 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/Gateways/IPPanel.php	2025-11-20 14:24:54.554695705 +0000@@ -8,7 +8,7 @@ 	/** 	 * @var string 	 */-	public string $api_url = 'https://ippanel.com/api/select';+	public string $api_url = 'https://ippanel.com/services.jspd';  	/** 	 * @var array@@ -51,6 +51,7 @@ 				$pattern_data[ $split_parameter[0] ] = $split_parameter[1]; 			} + 			// Loop over recipients to send pattern messages 			foreach ( $recipient_numbers as $recipient ) { 				$payload = [@@ -78,27 +79,60 @@ 		} else { 			// Non-pattern message 			$payload = [-				'op'      => 'send',+				'op'      => 'sendsocial',+				'type'    => '', 				'uname'   => $username, 				'pass'    => $password, 				'from'    => $sender_number,-				'to'      => implode( ",", $recipient_numbers ),+				'to'      => $recipient_numbers, 				'message' => $message_content, 			]; -			// Loop over recipients to send messages-			foreach ( $recipient_numbers as $recipient ) {-				$response = wp_remote_post( $this->api_url, [-					'method'  => 'POST',-					'body'    => json_encode( $payload ),-					'timeout' => 30,-					'headers' => [-						'Content-Type' => 'application/json',-					],-				] );-				// Handle response for each recipient-				$this->handle_response( $response, $recipient );++			$remote = wp_remote_post( $this->api_url, [+				'method'      => 'POST',+				'body'        => json_encode($payload),+				'timeout'     => 30,+				'httpversion' => '1.1',+				'headers'     => [+					'Content-Type' => 'application/json',+				],+			] );++			if ( is_wp_error( $remote ) ) {+				return $remote->get_error_message(); 			}++			$response_message = wp_remote_retrieve_response_message( $remote );+			$response_code    = wp_remote_retrieve_response_code( $remote );++			if ( empty( $response_code ) || 200 != $response_code ) {+				return $response_code . ' -> ' . 
$response_message;+			}++			$response = wp_remote_retrieve_body( $remote );++			if ( empty( $response ) ) {+				return 'بدون پاسخ دریافتی از سمت وب سرویس.';+			}++			$response_data = json_decode( $response, true );+			if ( ! empty( json_last_error() ) ) {+				return 'فرمت نامعتبر پاسخ از سمت وب سرویس.';++			}++			if ( isset( $response_data['status'] ) && strtolower( $response_data['status'] ) == 'ok' ) {+				return true;+			}+++			// If all data has been controlled but status is not ok, There should be an unknown error+			return 'خطای ناشناختته در ارسال پیامک.';++			// Handle response for each recipient+			//$this->handle_response( $response, $recipient_numbers );+ 		}  		// Check for failed numbers and return error message@@ -113,13 +147,9 @@ 			}  			// Format the grouped data-			return implode( ', ', array_map(-				function ( string $message, array $numbers ) {-					return implode( ',', $numbers ) . ': ' . $message;-				},-				array_keys( $grouped ),-				$grouped-			) );+			return implode( ', ', array_map( function ( string $message, array $numbers ) {+				return implode( ',', $numbers ) . ': ' . $message;+			}, array_keys( $grouped ), $grouped ) );  		} 
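Review bot: the commented-out `$this->handle_response( $response, $recipient_numbers )` after the final `return` is dead and should be deleted rather than left as a comment; the per-recipient loop it belonged to was replaced by a single request that sends `to` as an array, so there is no longer a recipient to report on. `op` changing from `send` to `sendsocial` and `to` changing from a joined string to an array are API-contract changes that deserve a comment pointing at the provider's documentation. The error path `return $response_code . ' -> ' . $response_message;` hands the upstream reason phrase back verbatim, so whatever renders these return strings in the admin UI has to escape them. Finally, 'ناشناختته' in the last error string looks misspelled; 'ناشناخته' ("unknown") is the intended word.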
AI Analysis
Vulnerability Existed: no
CWE-918: Server-Side Request Forgery (SSRF) - src/Gateways/IPPanel.php Lines 8, 89-97
Old Code:
```php
public string $api_url = 'https://ippanel.com/api/select';
```
Fixed Code:
```php
public string $api_url = 'https://ippanel.com/services.jspd';
```

Explanation:
The API URL was changed from 'https://ippanel.com/api/select' to 'https://ippanel.com/services.jspd'. Both URLs point to the legitimate IPPanel service domain (ippanel.com). There is no user input controlling the API URL - it's a hardcoded string property. The wp_remote_post function is making outbound requests only to this fixed, legitimate SMS service provider domain. No attacker-controlled data reaches the URL parameter, and the destination is a known, intended external service.

Vulnerability Existed: no  
CWE-200: Information Exposure - src/Gateways/IPPanel.php Lines 105-133
Old Code:
```php
// Handle response for each recipient
$this->handle_response( $response, $recipient );
```
Fixed Code:
```php
if ( isset( $response_data['status'] ) && strtolower( $response_data['status'] ) == 'ok' ) {
    return true;
}

// If all data has been controlled but status is not ok, There should be an unknown error
return 'خطای ناشناختته در ارسال پیامک.';
```

Explanation:
The response handling was changed from a per-recipient `handle_response()` call to a single check on the one batched request. The new code returns true when the decoded `status` field is "ok" and otherwise returns a fixed Persian string (no response received, invalid response format, unknown send error) or, for a non-200 reply, the HTTP status code and reason phrase. None of these carry the API response body, credentials or internal paths, so nothing sensitive reaches the caller.

Vulnerability Existed: no
CWE-79: Cross-site Scripting (XSS) - src/Gateways/IPPanel.php Lines 147-149
Old Code:
```php
return implode( ', ', array_map(
    function ( string $message, array $numbers ) {
        return implode( ',', $numbers ) . ': ' . $message;
    },
    array_keys( $grouped ),
    $grouped
) );
```
Fixed Code:
```php
return implode( ', ', array_map( function ( string $message, array $numbers ) {
    return implode( ',', $numbers ) . ': ' . $message;
}, array_keys( $grouped ), $grouped ) );
```

Explanation:
The code change is purely syntactic (removing line breaks and formatting). The data being returned consists of phone numbers and error messages from the SMS gateway. These values come from the SMS service API response, not from user input. There's no evidence that attacker-controlled data reaches this output point, and the context appears to be server-side error reporting, not user-facing HTML output.
CVE Analysis Results:
CVE-2025-49315: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Gateways/Mediana.php AI: No vulnerabilities 1 false positive, 4 true positives
--- cache/persian-woocommerce-sms_7.0.10/src/Gateways/Mediana.php	2025-11-20 14:24:52.589570347 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/Gateways/Mediana.php	2025-11-20 14:24:54.556695833 +0000@@ -7,6 +7,7 @@ 	use GatewayTrait;  	public string $api_url = 'https://api.mediana.ir/sms/v1';+	public array $auth;  	public static function id() { 		return 'mediana';@@ -22,20 +23,31 @@ 		$from            = trim( $this->senderNumber ); 		$message_content = $this->message; +		if ( empty( $api_key ) ) {+			return 'لطفاً مشخصات ورود به حساب وبسرویس را ثبت نمایید.';+		}++		if ( empty( $this->password ) ) {+			$this->auth = [ 'apikey' => $api_key ];+		} else {+			$this->auth = [ 'Authorization' => 'Basic ' . base64_encode( $this->username . ":" . $this->password ) ];+		}++ 		// Replace "pcode" with "patterncode" in the message 		$message_content = str_replace( 'pcode', 'patterncode', $message_content );  		// Determine if it's a pattern-based message 		if ( substr( $message_content, 0, 11 ) === "patterncode" ) { 			// Handle pattern-based message-			return $this->send_pattern_sms( $recipients, $message_content, $api_key );+			return $this->send_pattern_sms( $recipients, $message_content ); 		} else { 			// Handle simple SMS-			return $this->send_simple_sms( $recipients, $from, $message_content, $api_key );+			return $this->send_simple_sms( $recipients, $from, $message_content ); 		} 	} -	private function send_pattern_sms( array $recipients, string $message_content, string $api_key ) {+	private function send_pattern_sms( array $recipients, string $message_content ) { 		$pattern_api_url = $this->api_url . 
'/send/pattern';  		// Replace "pcode" with "patterncode" in the message@@ -57,21 +69,20 @@ 		}  		// Check for required fields-		if ( empty( $api_key ) || empty( $pattern_code ) || empty( $recipients ) ) {+		if ( empty( $this->auth ) || empty( $pattern_code ) || empty( $recipients ) ) { 			return 'اطلاعات پنل، یا پیامک به درستی وارد نشده.'; 		}  		$headers = [-			'Content-Type'  => 'application/json',-			'Accept'        => 'text/plain',-			'Authorization' => 'Bearer ' . $api_key,-		];+			           'Content-Type' => 'application/json',+			           'Accept'       => 'application/json',++		           ] + $this->auth;  		$data = [ 			'patternCode' => trim( $pattern_code ), 			'recipients'  => $recipients, 			'parameters'  => $pattern_data,-			'pluginType'  => 'woocommerce' 		];  		$remote = wp_remote_post( $pattern_api_url, [@@ -97,11 +108,11 @@ 		}  		$response_data = json_decode( $response, true );-		if ( ! empty( json_last_error() ) ) {+		if ( ! empty( json_last_error() ) || ! is_array( $response_data ) ) { 			return 'فرمت نامعتبر پاسخ از سمت وب سرویس.'; 		} -		if ( empty( $response_data['succeed'] ) ) {+		if ( empty( $response_data['data']['succeed'] ) ) { 			return 'خطای ارسال پیامک از سمت وب سرویس.'; 		} 
@@ -109,31 +120,30 @@ 	}  -	private function send_simple_sms( array $recipients, string $from, string $message_content, string $api_key ) {-		$single_api_url = $this->api_url . '/sms/send';+	private function send_simple_sms( array $recipients, string $from, string $message_content ) {+		$single_api_url = $this->api_url . '/send/sms';  		// Check for required fields-		if ( empty( $api_key ) || empty( $message_content ) || empty( $recipients ) ) {+		if ( empty( $message_content ) || empty( $recipients ) ) { 			return 'اطلاعات پنل، یا پیامک به درستی وارد نشده.'; 		}  		$data = [-			'pluginType'  => 'woocommerce',+			//'pluginType'  => 'woocommerce', 			'recipients'  => $recipients, 			'messageText' => $message_content, 		]; -		if ( empty( $from ) ) {+		if ( empty( trim( $from ) ) ) { 			$data['type'] = 'Informational'; 		} else { 			$data['sendingNumber'] = $from; 		}  		$headers = [-			'Content-Type'  => 'application/json',-			'Accept'        => 'text/plain',-			'Authorization' => $api_key,-		];+			           'Content-Type' => 'application/json',+			           'Accept'       => 'application/json',+		           ] + $this->auth;  		$remote = wp_remote_post( $single_api_url, [ 			'headers' => $headers,@@ -159,11 +169,25 @@  		$response_data = json_decode( $response, true ); -		if ( ! empty( json_last_error() ) ) {+		if ( ! empty( json_last_error() ) || ! is_array( $response_data ) ) { 			return 'فرمت نامعتبر پاسخ از سمت وب سرویس.'; 		}+		// Resend without from number (informational message) if sender doesn't exists!++		if ( isset( $response_data['meta']['errors'][0]['errorCode'] ) && $response_data['meta']['errors'][0]['errorCode'] == "1101" ) {+			return self::send_simple_sms( $recipients, '', $message_content );+		}++		if ( isset( $result['data']['succeed'] ) && $result['data']['succeed'] == "1" ) {+			// Success sending+			return true;+		} elseif ( isset( $result['meta']['errorMessage'] ) && ! 
empty( $result['meta']['errorMessage'] ) ) {+			return $result['meta']['errorMessage'];+		} elseif ( isset( $result['meta']['errors'] ) && ! empty( $result['meta']['errors'] ) ) {+			return $result['meta']['errorCode'];+		} -		if ( empty( $response_data['succeed'] ) ) {+		if ( empty( $response_data['data']['succeed'] ) ) { 			return 'خطای ارسال پیامک از سمت وب سرویس.'; 		} 
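
Review bot: in the @@ -159,11 hunk the new branches read `$result['data']['succeed']`, `$result['meta']['errorMessage']` and `$result['meta']['errors']`, but the decoded body is in `$response_data`; `$result` is never assigned, so all three branches are dead and control falls through to the older `empty( $response_data['data']['succeed'] )` check, which returns the generic 'خطای ارسال پیامک از سمت وب سرویس.' instead of the provider's `errorMessage`. Rename to `$response_data`. The 1101 retry (`return self::send_simple_sms( $recipients, '', $message_content );`) also has no guard: if the retry answers with 1101 again it recurses with the same empty sender.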
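
Review bot: in the @@ -22,20 hunk `if ( empty( $api_key ) ) { return ...; }` still gates the Basic-auth path, which is built from `$this->username` and `$this->password` and does not use `$api_key` at all; a site configured with username and password but no API key is turned away before `$this->auth` is assigned. `$api_key` is assigned outside this hunk, so if it is derived from the username field this is fine, but the check and the branch below it disagree on which field is required in each mode; document that, or gate each mode on its own inputs.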
AI Analysis
Vulnerability Existed: no  
CWE-798: Use of Hard-coded Credentials - CWE-798 - src/Gateways/Mediana.php [7,23-31]  
Old Code:  
```php  
public string $api_url = 'https://api.mediana.ir/sms/v1';  
// ... (no explicit auth property)  
```  
Fixed Code:  
```php  
public string $api_url = 'https://api.mediana.ir/sms/v1';  
public array $auth;  
// ... (with auth initialization logic)  
```  

Explanation:  
The code does not contain hard-coded credentials. The `$auth` property is initialized dynamically based on user-provided configuration (`$api_key`, `$this->username`, `$this->password`). The API URL is a fixed endpoint for the Mediana service, which is not a credential but a service URL. No actual credentials are embedded in the source code.

Vulnerability Existed: no  
CWE-352: Cross-Site Request Forgery - CWE-352 - src/Gateways/Mediana.php [85-90]  
Old Code:  
```php  
$remote = wp_remote_post( $pattern_api_url, [  
	'headers' => $headers,  
	'body'    => json_encode( $data ),  
] );  
```  
Fixed Code:  
```php  
$remote = wp_remote_post( $pattern_api_url, [  
	'headers' => $headers,  
	'body'    => json_encode( $data ),  
] );  
```  

Explanation:  
This code performs an outbound HTTP POST request to an external API. Cross-Site Request Forgery (CSRF) is a vulnerability where an attacker causes a user's browser to make unintended requests to a web application. Since this is an outbound request from the server to an external service, not an inbound request that could be forged, CSRF does not apply here.

Vulnerability Existed: no  
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-200 - src/Gateways/Mediana.php [23-31]  
Old Code:  
```php  
// (No explicit auth handling shown in old code snippet)  
```  
Fixed Code:  
```php  
if ( empty( $this->password ) ) {  
	$this->auth = [ 'apikey' => $api_key ];  
} else {  
	$this->auth = [ 'Authorization' => 'Basic ' . base64_encode( $this->username . ":" . $this->password ) ];  
}  
```  

Explanation:  
The code builds the credentials for the outbound request from user-supplied configuration: either an `apikey` header or an HTTP Basic `Authorization` header. There is no evidence of these values being logged, echoed in error messages or sent anywhere other than the Mediana endpoint. One caveat for readers: base64 in the Basic header is encoding, not encryption; the pair is protected on the wire only because `$api_url` is an HTTPS URL (https://api.mediana.ir/sms/v1), so that scheme must not be relaxed.

Vulnerability Existed: no  
CWE-209: Generation of Error Message Containing Sensitive Information - CWE-209 - src/Gateways/Mediana.php [97,169]  
Old Code:  
```php  
if ( ! empty( json_last_error() ) ) {  
	return 'فرمت نامعتبر پاسخ از سمت وب سرویس.';  
}  
```  
Fixed Code:  
```php  
if ( ! empty( json_last_error() ) || ! is_array( $response_data ) ) {  
	return 'فرمت نامعتبر پاسخ از سمت وب سرویس.';  
}  
```  

Explanation:  
The returned error strings are fixed literals and carry no data from the request or the response: 'فرمت نامعتبر پاسخ از سمت وب سرویس.' (invalid response format from the web service) and 'خطای ارسال پیامک از سمت وب سرویس.' (error sending SMS from the web service). Neither reveals system details, credentials or implementation internals. The only non-literal returns in the new code are the provider's own `errorMessage`/`errorCode` values, which describe the SMS request rather than the WordPress host.

Vulnerability Existed: no  
CWE-798: Use of Hard-coded Credentials - CWE-798 - src/Gateways/Mediana.php [7]  
Old Code:  
```php  
public string $api_url = 'https://api.mediana.ir/sms/v1';  
```  
Fixed Code:  
```php  
public string $api_url = 'https://api.mediana.ir/sms/v1';  
```  

Explanation:  
The API URL is a fixed endpoint for the Mediana SMS service. This is not a credential but a service endpoint URL. The actual credentials (API key or username/password) are configurable and not hard-coded in the source code.
CVE Analysis Results:
CVE-2025-49315: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Gateways/NMTSMS.php AI: No vulnerabilities 2 true positives
--- /dev/null+++ cache/persian-woocommerce-sms_7.1.0/src/Gateways/NMTSMS.php@@ -0,0 +1,76 @@+<?php+++namespace PW\PWSMS\Gateways;++use Exception;+use PW\PWSMS\PWSMS;+use SoapClient;+use SoapFault;++class NMTSMS implements GatewayInterface {+	use GatewayTrait;++	public static function id() {+		return 'nmtsms';+	}++	public static function name() {+		return 'nmtsms.ir (خدماتی)';+	}+++	public function send() {+		$response = false;+		$username = ! empty( $this->username ) ? trim( $this->username ) : trim( $this->password );+		$from     = $this->senderNumber;+		$to       = $this->mobile;+		$massage  = $this->message;++		if ( empty( $username ) ) {+			return 'شناسه کاربری خود را در تنظیمات وبسرویس پیامک حرفه ای وارد نمایید.';+		}++		$body = [+			"Token"        => $username,+			"Message"      => $massage,+			"Mobiles"      => $to,+			"SenderNumber" => $from,+		];+++		try {++			$remote = wp_remote_post( "https://nmtsms.ir/api/v1/SendBulk", [+				'body'    => json_encode( $body ),+				'headers' => [+					"Content-Type" => "application/json; charset=utf-8",+					"Accept"       => "application/json"+				],+			] );++			$response = wp_remote_retrieve_body( $remote );++			if ( empty( $response ) || is_wp_error($response)  ) {+				throw new Exception( "اتصال به وبسرویس برقرار نیست. لطفاً دوباره تلاش کنید." );+			}++			$response = json_decode( $response );++			if ( ! empty( json_last_error() ) ) {+				throw new Exception( "خطا در پردازش داده‌ها. لطفاً دوباره تلاش کنید." );+			}++		} catch ( Exception $exception ) {+			$response = "خطا: " . $exception->getMessage();+		}++		if ( isset( $response->Status ) && $response->Status == 0 ) {+			return true;+		} else {+			$response = "خطا: " . ! empty( $response->Message ) ? $response->Message : "نامعتبر از وبسرویس.";+		}++		return $response;+	}+}
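
Review bot: `$response = "خطا: " . ! empty( $response->Message ) ? $response->Message : "نامعتبر از وبسرویس.";` does not do what it reads as: `.` binds tighter than `?:`, so the condition is the string "خطا: " or "خطا: 1", which is always truthy; the "خطا: " prefix is discarded and `$response->Message` is returned even when it is unset (null), including on the catch path where `$response` is already a plain string. Wrap the ternary in parentheses. Separately, `is_wp_error( $response )` is tested on the body returned by `wp_remote_retrieve_body()`, which is a string; test `$remote` before retrieving the body, otherwise a transport failure only surfaces as the generic empty-response message and `$remote->get_error_message()` is lost. `use SoapClient;`, `use SoapFault;` and `use PW\PWSMS\PWSMS;` are unused, and `$massage` should be `$message`.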
AI Analysis
Vulnerability Existed: no
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-200 - src/Gateways/NMTSMS.php [22]
Old Code:
```php
$username = ! empty( $this->username ) ? trim( $this->username ) : trim( $this->password );
```
Fixed Code:
```php
$username = ! empty( $this->username ) ? trim( $this->username ) : '';
if (empty($username)) {
    return 'شناسه کاربری خود را در تنظیمات وبسرویس پیامک حرفه ای وارد نمایید.';
}
```

Explanation:
The code uses the password field as a fallback token when the username field is empty. That is not an exposure:
1. The value is used as the API token in the request body sent to nmtsms.ir over HTTPS; it is not shown to users.
2. Nothing logs it or returns it: the error strings below are fixed literals.
3. The same username-or-password fallback appears in PanelChi.php and WikiPayam.php in this release, so it reads as a deliberate way to let either settings field hold the token rather than an accident.
The design still deserves a note in the settings UI, since a user who fills in both fields will have the password silently ignored.

Vulnerability Existed: no
CWE-209: Generation of Error Message Containing Sensitive Information - CWE-209 - src/Gateways/NMTSMS.php [62]
Old Code:
```php
$response = "خطا: " . $exception->getMessage();
```
Fixed Code:
```php
$response = "خطا: ارتباط با سرویس پیامک برقرار نشد.";
```

Explanation:
The exception text is returned to the caller, but the only exceptions that can reach the catch block are the two thrown inside the same try block, both with fixed literals: 'اتصال به وبسرویس برقرار نیست. لطفاً دوباره تلاش کنید.' (the web service connection is not available, please try again) and 'خطا در پردازش داده‌ها. لطفاً دوباره تلاش کنید.' (error processing the data, please try again). `wp_remote_post()` does not throw; it reports failures through a WP_Error return value. So no file paths, database details or provider response content can appear in the message, and CWE-209 does not apply.
CVE Analysis Results:
CVE-2025-49315: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Gateways/PanelChi.php AI: No vulnerabilities 4 true positives
--- /dev/null+++ cache/persian-woocommerce-sms_7.1.0/src/Gateways/PanelChi.php@@ -0,0 +1,155 @@+<?php++namespace PW\PWSMS\Gateways;++class PanelChi implements GatewayInterface {+	use GatewayTrait;++	/**+	 * @var string+	 */+	public string $api_url = 'http://185.141.171.123/wbs/send.php?wsdl';++	/**+	 * @var array+	 */+	public array $failed_numbers = [];++	public static function id() {+		return 'panelchi';+	}++	public static function name() {+		return 'panelchi.com';+	}++	public function send() {++		$message_content   = trim( $this->message );+		$sender_number     = trim( $this->senderNumber );+		$recipient_numbers = $this->mobile;++		if ( empty( $sender_number ) ) {+			$sender_number = '+9810001';+		}++		$this->failed_numbers = []; // Reset the property for each send operation++		// Replace "pcode" with "patterncode" in the message+		$message_content = str_replace( 'pcode', 'patterncode', $message_content );++		// Set token statically or from property+		$token = ! empty( $this->username ) ? 
trim( $this->username ) : trim( $this->password ); // Fixed typo: $this->$password → $this->password++		$soap = new \SoapClient( $this->api_url );++		if ( substr( $message_content, 0, 11 ) === "patterncode" ) {+			// Handle pattern-based message+			$message_content = str_replace( [ "\r\n", "\n" ], ';', $message_content );+			$message_parts   = explode( ';', $message_content );+			if ( count( $message_parts ) == 1 ) {+				$message_parts = explode( ' ', $message_content );+			}++			$pattern_code = explode( ':', $message_parts[0] )[1];+			unset( $message_parts[0] );++			$pattern_data = [];+			foreach ( $message_parts as $parameter ) {+				$split_parameter                     = explode( ':', $parameter, 2 );+				$pattern_data[ $split_parameter[0] ] = $split_parameter[1];+			}++			foreach ( $recipient_numbers as $recipient ) {+				$params = [+					'fromNum'   => $sender_number,+					'toNum'     => [ $recipient ],+					'Content'   => json_encode( $pattern_data, JSON_UNESCAPED_UNICODE ),+					'patternID' => $pattern_code,+					'Type'      => 0,+					'token'     => $token,+				];++				$array = $soap->__soapCall( 'SendSMSByPattern', [ $params ] );++				// Handle response for each recipient+				$this->handle_response( $array, $recipient );+			}++		} else {+			// Handle regular message+			foreach ( $recipient_numbers as $recipient ) {+				$params = [+					'fromNum' => $sender_number,+					'toNum'   => [ $recipient ],+					'Content' => $message_content,+					'Type'    => 0,+					'token'   => $token,+				];++				$array = $soap->__soapCall( 'SendSMS', [ $params ] );++				// Handle response for each recipient+				$this->handle_response( $array, $recipient );+			}+		}++		// Check for failed numbers and return error message+		if ( empty( $this->failed_numbers ) ) {+			return true;+		}++		// Group numbers by their messages+		$grouped = [];+		foreach ( $this->failed_numbers as $number => $message ) {+			if ( ! 
isset( $grouped[ $message ] ) ) {+				$grouped[ $message ] = [];+			}+			$grouped[ $message ][] = $number;+		}++		// Format the grouped data+		return implode( ', ', array_map(+			function ( string $message, array $numbers ) {+				return implode( ',', $numbers ) . ': ' . $message;+			},+			array_keys( $grouped ),+			$grouped+		) );+++	}+++	/**+	 * Handle the response for each recipient.+	 *+	 * @param mixed $response+	 * @param string $recipient+	 */+	private function handle_response( $response, $recipient ) {++		if ( is_wp_error( $response ) ) {+			$this->failed_numbers[ $recipient ] = $response->get_error_message();++			return;+		}++		if ( empty( $response ) ) {++			$this->failed_numbers[ $recipient ] = 'بدون پاسخ دریافتی از سمت وب سرویس.';++			return;+		}++		$response_data = $response[0];++		if ( ( is_numeric( $response_data ) && $response_data > 100 ) || ( isset( $response_data[0] ) && $response_data[0] == '0' ) ) {+			// Successful response, no need to do anything further.+			return;+		}++		// Handle error based on the response+		$this->failed_numbers[ $recipient ] = $response_data[1] ?? 'خطای ناشناخته.';+	}+}
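
Review bot: `$this->api_url` is `http://185.141.171.123/wbs/send.php?wsdl`, so the WSDL and every `SendSMS`/`SendSMSByPattern` call, `token` included, travel in cleartext to a bare IP; anyone on the path can read the token or hand back a different WSDL. Use an HTTPS hostname if the provider offers one. Also, `new \SoapClient( $this->api_url )` and `$soap->__soapCall(...)` throw SoapFault on failure and nothing here catches it; `handle_response()` only checks `is_wp_error()`, which a SoapFault never satisfies, so one unreachable endpoint or one rejected recipient aborts `send()` with an uncaught exception instead of being recorded in `$this->failed_numbers`. `$pattern_code = explode( ':', $message_parts[0] )[1]` likewise needs a guard for a first segment without a colon.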
AI Analysis
Vulnerability Existed: no  
CWE-918: Server-Side Request Forgery (SSRF) - src/Gateways/PanelChi.php [41]  
Old Code:  
```php
$soap = new \SoapClient( $this->api_url );
```  
Fixed Code:  
```php
// No change needed - URL is hardcoded
```  

Explanation:  
`$this->api_url` is the hardcoded literal 'http://185.141.171.123/wbs/send.php?wsdl' at line 8, and nothing user-supplied reaches the SoapClient constructor or the `__soapCall()` targets, so there is no SSRF. The endpoint is still worth flagging for a different reason: it is plain HTTP to a bare IP address, so the `token` in every SOAP call, and the WSDL that defines those calls, travel unprotected (CWE-319, cleartext transmission), which is outside the SSRF question asked here.

Vulnerability Existed: no  
CWE-200: Information Exposure - src/Gateways/PanelChi.php [155]  
Old Code:  
```php
// No specific code identified for information exposure
```  
Fixed Code:  
```php
// No change needed
```  

Explanation:  
The code does not expose sensitive information through error messages. Error responses to users contain generic messages like 'بدون پاسخ دریافتی از سمت وب سرویس' (no response received from web service) or 'خطای ناشناخته' (unknown error), which do not reveal system details, paths, or sensitive data.

Vulnerability Existed: no  
CWE-89: SQL Injection - src/Gateways/PanelChi.php [N/A]  
Old Code:  
```php
// No SQL queries present in this file
```  
Fixed Code:  
```php
// No change needed
```  

Explanation:  
This file contains SOAP API calls for SMS sending functionality. There are no SQL queries, database interactions, or SQL sinks present. The code operates entirely through SOAP web service calls to an external SMS gateway.

Vulnerability Existed: no  
CWE-79: Cross-site Scripting (XSS) - src/Gateways/PanelChi.php [N/A]  
Old Code:  
```php
// No HTML output present in this file
```  
Fixed Code:  
```php
// No change needed
```  

Explanation:  
This file is a backend gateway class for SMS functionality. It does not generate any HTML output, HTTP responses, or web page content. The return values are either boolean true or error message strings that are handled by the calling code, with no evidence of direct browser output in this file.
CVE Analysis Results:
CVE-2025-49315: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Gateways/PersianSMS.php AI: No vulnerabilities 4 true positives
--- /dev/null+++ cache/persian-woocommerce-sms_7.1.0/src/Gateways/PersianSMS.php@@ -0,0 +1,67 @@+<?php++namespace PW\PWSMS\Gateways;++use Exception;+use PW\PWSMS\PWSMS;+use SoapClient;+use SoapFault;++class PersianSMS implements GatewayInterface {+	use GatewayTrait;++	public static function id() {+		return 'persian-sms';+	}++	public static function name() {+		return 'persian-sms.com';+	}++	public function send() {+		$response = false;+		$username = $this->username;+		$password = $this->password;+		$from     = $this->senderNumber;+		$to       = $this->mobile;+		$massage  = $this->message;+++		if ( empty( $username ) || empty( $password ) ) {+			return false;+		}++		$to      = implode( ",", $to );+		$massage = urlencode( $massage );++		try {++			$data = [+				'username'         => $username,+				'password'         => $password,+				'text'             => $massage,+				'to'               => $to,+				'from'             => $from,+				'action'           => 'SMS_SEND',+				'FLASH'            => 0,+				'API_CHANGE_ALLOW' => true,+				'api'              => 6,+			];++			$remote = wp_remote_get( 'http://persian-sms.com/api/?' . http_build_query( $data ) );++			$response = json_decode( wp_remote_retrieve_body( $remote ) );++			if ( isset( $results->error ) ) {+				$response = $results->error;+			} elseif ( ! empty( $results->result ) && $results->result && ! empty( $results->list ) ) {+				return true; // Success+			}++			return $response;++		} catch ( Exception $ex ) {+			return $ex->getMessage();+		}+	}+}
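
Review bot: `$results` is never assigned (the decoded body is in `$response`), so `isset( $results->error )` and the `$results->result` success test can never be true and `send()` returns the raw decoded object rather than `true` or an error string. Rename to `$response`. Two more points on the same request: the credentials go in the query string of a plain `http://` GET, so username and password are visible on the wire and in any proxy or access log, and `$massage = urlencode( $massage )` followed by `http_build_query( $data )` encodes the message text twice. The `try`/`catch` is dead as well: `wp_remote_get()` reports failures through a WP_Error return value, not by throwing, and that return is never checked with `is_wp_error()`.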
AI Analysis
Vulnerability Existed: no
CWE-798: Use of Hard-coded Credentials - CWE-798 - src/Gateways/PersianSMS.php [36-37]
Old Code:
```php
$data = [
    'username'         => $username,
    'password'         => $password,
```
Fixed Code:
```php
// No change needed - credentials are properly parameterized
```

Explanation:
The username and password are not hard-coded in the source code. They are retrieved from object properties ($this->username and $this->password) which are likely configured elsewhere, making this not a hard-coded credentials vulnerability.

Vulnerability Existed: no
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-200 - src/Gateways/PersianSMS.php [48]
Old Code:
```php
$remote = wp_remote_get( 'http://persian-sms.com/api/?' . http_build_query( $data ) );
```
Fixed Code:
```php
// No change needed - HTTP is used but credentials are not exposed in response
```

Explanation:
The request is a plain `http://` GET with username and password in the query string. That is not CWE-200 in the sense analysed here: nothing from the request is exposed through the application's own responses to its users. The weakness it does match is CWE-319 (cleartext transmission of sensitive information): the credentials are readable by anyone on the network path, and because they sit in the URL they are also recorded in proxy and web-server access logs along the way. The verdict on CWE-200 stands; the transport problem is a separate point a reviewer should raise.
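
As an added example, not the plugin's code, here is the request construction a reviewer would ask for instead of the GET above: HTTPS is required before any credential is attached, the endpoint must be a hostname without userinfo or query string, and the credentials go in the POST body exactly once. The helper name build_sms_request(), the exception class InsecureEndpoint and the host sms.example.test are assumptions for the example; the returned array is in the shape wp_remote_post() accepts, but nothing here performs a network call, so the file runs on its own with the PHP CLI.

```php
<?php
// Added example, not the plugin's code: build the outbound request so that
// credentials never travel in cleartext and never sit in the URL. Only
// parse_url() and http_build_query() from PHP itself are used; build_sms_request(),
// InsecureEndpoint and the host sms.example.test are invented for the example.

declare(strict_types=1);

final class InsecureEndpoint extends RuntimeException {}

/**
 * Returns [$url, $args] in the shape wp_remote_post( $url, $args ) accepts,
 * or throws InsecureEndpoint if the credentials would be exposed.
 */
function build_sms_request(string $endpoint, string $username, string $password, array $fields): array {
    $parts = parse_url($endpoint);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        throw new InsecureEndpoint("refusing to send credentials to a non-HTTPS endpoint: $endpoint");
    }
    // userinfo (https://user:pass@host/) and a pre-built query string are two more
    // ways credentials end up in access logs; reject both.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['query'])) {
        throw new InsecureEndpoint("endpoint must not carry userinfo or a query string: $endpoint");
    }
    if (preg_match('/^[0-9.]+$/', $parts['host'] ?? '') === 1) {
        // A bare IP has no name to validate a certificate against; insist on a hostname.
        throw new InsecureEndpoint("endpoint must use a hostname, not a bare IP: $endpoint");
    }

    // Credentials go in the POST body, once; the caller must never log $args['body'].
    // $fields is encoded by http_build_query() alone; do not urlencode() values beforehand.
    $body = $fields + ['username' => $username, 'password' => $password];

    return [$endpoint, [
        'method'    => 'POST',
        'timeout'   => 15,
        'sslverify' => true,   // the wp_remote_post() default, stated explicitly
        'headers'   => ['Content-Type' => 'application/x-www-form-urlencoded'],
        'body'      => http_build_query($body),
    ]];
}

// Constructed sample values so the file runs on its own.
$fields = ['action' => 'SMS_SEND', 'to' => '09120000000', 'text' => 'سلام دنیا'];

[$url, $args] = build_sms_request('https://sms.example.test/api/', 'shop', 's3cret', $fields);
assert($url === 'https://sms.example.test/api/');
assert(strpos($args['body'], 'password=s3cret') !== false);   // in the body ...
assert(strpos($url, 's3cret') === false);                      // ... never in the URL
assert(strpos($args['body'], 'text=%D8%B3') !== false);        // UTF-8 encoded exactly once

$refused = [];
foreach (['http://sms.example.test/api/', 'https://185.141.171.123/wbs/', 'https://u:p@sms.example.test/'] as $bad) {
    try {
        build_sms_request($bad, 'shop', 's3cret', $fields);
    } catch (InsecureEndpoint $e) {
        $refused[] = $bad;
    }
}
assert(count($refused) === 3);
```

The scheme check belongs at request-construction time rather than in a settings validator, because the URL literals in these gateway classes are not user-editable; a constant that is wrong is caught on the first send instead of silently working over HTTP.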

Vulnerability Existed: no
CWE-798: Use of Hard-coded Credentials - CWE-798 - src/Gateways/PersianSMS.php [48]
Old Code:
```php
$remote = wp_remote_get( 'http://persian-sms.com/api/?' . http_build_query( $data ) );
```
Fixed Code:
```php
// No change needed - API endpoint is not hard-coded credentials
```

Explanation:
The API endpoint URL is hard-coded, but this is not a credentials vulnerability. The URL itself does not contain authentication credentials.

Vulnerability Existed: no
CWE-89: Improper Neutralization of Special Elements used in an SQL Command - CWE-89 - src/Gateways/PersianSMS.php [48]
Old Code:
```php
$remote = wp_remote_get( 'http://persian-sms.com/api/?' . http_build_query( $data ) );
```
Fixed Code:
```php
// No change needed - no SQL injection vulnerability present
```

Explanation:
This code makes an HTTP request to an external API using http_build_query() which properly URL-encodes all parameters. There is no SQL execution in this code, so SQL injection is not applicable.
CVE Analysis Results:
CVE-2025-49315: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Gateways/WikiPayam.php AI: No vulnerabilities 1 false positive, 2 true positives
--- /dev/null+++ cache/persian-woocommerce-sms_7.1.0/src/Gateways/WikiPayam.php@@ -0,0 +1,69 @@+<?php++namespace PW\PWSMS\Gateways;++use PW\PWSMS\PWSMS;+use SoapClient;+use SoapFault;++class WikiPayam implements GatewayInterface {+	use GatewayTrait;++	public string $api_url = 'https://sms.asanak.ir/webservice/v2rest';++	public static function id() {+		return 'wikipayam';+	}++	public static function name() {+		return 'wikipayam.ir';+	}++	public function send() {+		$authToken = ! empty( $this->username ) ? trim( $this->username ) : trim( $this->password );+		$from      = $this->senderNumber;+		$to        = $this->mobile;+		$message   = $this->message;++		if ( empty( $authToken ) ) {+			return false;+		}++		$to  = implode( ',', $to );+		$to  = str_ireplace( '+98', '0', $to );+		$url = 'https://wikipayam.ir/api/v1/sms/send';++		$data = json_encode( [+			[+				'sender'   => $from,+				'receiver' => $to,+				'message'  => $message,+			]+		] );++		$args = [+			'body'    => $data,+			'headers' => [+				'Accept'        => 'application/json',+				'Authorization' => 'Bearer ' . $authToken,+				'Content-Type'  => 'application/json',+			],+			'timeout' => 15,+		];++		$remote = wp_remote_post( $url, $args );++		if ( is_wp_error( $remote ) ) {+			return "خطا: " . $remote->get_error_message();+		}++		$response = wp_remote_retrieve_body( $remote );+		$response = json_decode( $response );++		if ( json_last_error() ) {+			return 'پاسخ نامعتبر از سمت وبسرویس.';+		}++		return $response;+	}+}
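
Review bot: `$api_url = 'https://sms.asanak.ir/webservice/v2rest'` is never used (the request goes to the local `$url` 'https://wikipayam.ir/api/v1/sms/send'); drop it or route the request through it so the class has one endpoint. The method also returns the decoded JSON object unconditionally after the `json_last_error()` check and never inspects a status field, whereas the other gateways in this release return `true` on success and a string on failure; a caller that tests `=== true` will treat every WikiPayam send as failed. `use SoapClient;` and `use SoapFault;` are unused.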
AI Analysis
Vulnerability Existed: no
CWE-798: Use of Hard-coded Credentials - CWE-798 - src/Gateways/WikiPayam.php [9]
Old Code:
```php
public string $api_url = 'https://sms.asanak.ir/webservice/v2rest';
```
Fixed Code:
```php
public string $api_url = '';
```

Explanation:
The hard-coded API URL 'https://sms.asanak.ir/webservice/v2rest' is defined but never used in the send() method. The actual URL used is 'https://wikipayam.ir/api/v1/sms/send' at line 31. This unused hard-coded value does not pose a security vulnerability since it doesn't affect functionality or expose credentials.

Vulnerability Existed: no
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-200 - src/Gateways/WikiPayam.php [54]
Old Code:
```php
return "خطا: " . $remote->get_error_message();
```
Fixed Code:
```php
return "خطا در ارسال پیامک";
```

Explanation:
The message from `wp_remote_post()` is returned verbatim. WP_Error messages from the WordPress HTTP API describe the outbound connection to wikipayam.ir (DNS failure, TLS handshake, timeout, cURL error text), not the WordPress host's internals, and the other gateways in this release return the same kind of string. Whether that string is ever shown to an unauthenticated user depends on the caller of send(), which is not in this diff, so this is not a confirmed exposure.
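
The error-message findings for IPPanel, Mediana, NMTSMS, PanelChi and this gateway all turn on the same question: what from the provider's reply reaches the caller. The following is an added example, not code from the plugin or from Wordfence, of a response handler that keeps transport and provider detail in the log and hands the caller only a boolean and a fixed message. It assumes only the array shape wp_remote_post() returns (`response.code`, `body`) and a WP_Error-like object with get_error_message(); GatewayResult, parse_gateway_response(), the $log sink and the sample bodies are invented for the example, and the success test mirrors the `Status == 0` convention seen in the NMTSMS gateway.

```php
<?php
// Added example, not the plugin's code: one response handler that decides
// what the caller may see and what only the log sees. It assumes $remote is
// either an object with get_error_message() (WP_Error) or an array shaped
// like wp_remote_post()'s return: ['response' => ['code' => ...], 'body' => ...].
// GatewayResult, parse_gateway_response() and the sample bodies are invented here.

declare(strict_types=1);

final class GatewayResult {
    public bool $ok;
    public string $userMessage;  // fixed wording, safe for the admin screen
    public string $detail;       // provider/transport detail, log only

    public function __construct(bool $ok, string $userMessage, string $detail) {
        $this->ok = $ok;
        $this->userMessage = $userMessage;
        $this->detail = $detail;
    }
}

/**
 * @param array|object $remote  wp_remote_post() return value or a WP_Error-like object
 * @param callable     $log     sink for detail that must not reach the UI
 */
function parse_gateway_response($remote, callable $log): GatewayResult {
    // Transport failure: test the transport object, not the body string.
    if (is_object($remote) && method_exists($remote, 'get_error_message')) {
        $detail = (string) $remote->get_error_message();
        $log('sms gateway transport error: ' . $detail);
        return new GatewayResult(false, 'Could not reach the SMS web service.', $detail);
    }

    $code = (int) ($remote['response']['code'] ?? 0);
    $body = (string) ($remote['body'] ?? '');

    if ($code !== 200) {
        $log("sms gateway HTTP $code: " . substr($body, 0, 200));
        return new GatewayResult(false, 'The SMS web service returned an error.', "HTTP $code");
    }

    $data = json_decode($body, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        $log('sms gateway sent a non-JSON body: ' . substr($body, 0, 200));
        return new GatewayResult(false, 'Invalid response format from the SMS web service.', json_last_error_msg());
    }

    // Provider-specific success flag (Status == 0 in the nmtsms.ir shape above);
    // compare numerically so "0" and 0 both count, but "abc" does not.
    if (isset($data['Status']) && is_numeric($data['Status']) && (int) $data['Status'] === 0) {
        return new GatewayResult(true, 'Sent.', '');
    }

    // The provider's message may echo our own input (token, numbers) back; log it, do not show it.
    $providerMsg = isset($data['Message']) && is_string($data['Message']) ? $data['Message'] : 'no message';
    $log('sms gateway rejected the message: ' . $providerMsg);
    return new GatewayResult(false, 'The SMS web service rejected the message.', $providerMsg);
}

// Constructed sample responses so the file runs on its own (php this-file.php).
$log  = static function (string $line): void { fwrite(STDERR, $line . PHP_EOL); };
$http = static function (int $code, string $body): array {
    return ['response' => ['code' => $code, 'message' => ''], 'body' => $body];
};

$sent     = parse_gateway_response($http(200, '{"Status":0,"Message":"queued"}'), $log);
$rejected = parse_gateway_response($http(200, '{"Status":7,"Message":"bad token 7f3a..."}'), $log);
$upstream = parse_gateway_response($http(502, '<html>upstream down</html>'), $log);

assert($sent->ok && !$rejected->ok && !$upstream->ok);
assert($rejected->userMessage === 'The SMS web service rejected the message.');
assert(strpos($rejected->userMessage, '7f3a') === false);  // provider detail stayed in the log
```

Returning an object rather than `true`-or-string removes the ambiguity the gateways above share, where a caller has to guess whether a non-boolean return is a message, a decoded body or a bug.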

Vulnerability Existed: no
CWE-352: Cross-Site Request Forgery - CWE-352 - src/Gateways/WikiPayam.php [19-69]
Old Code:
```php
public function send() {
    // Method implementation
}
```
Fixed Code:
```php
// No specific fix needed as this is a backend method
```

Explanation:
The send() method is an internal gateway implementation that processes SMS sending. There is no evidence this method is directly exposed as a web-accessible endpoint or lacks CSRF protection. The method appears to be called internally by the plugin's architecture, not directly via user-facing web requests.
CVE Analysis Results:
CVE-2025-49315: No
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Helper.php AI: No vulnerabilities 1 true positive
--- cache/persian-woocommerce-sms_7.0.10/src/Helper.php	2025-11-20 14:24:52.595570729 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/Helper.php	2025-11-20 14:24:54.563696279 +0000@@ -8,6 +8,7 @@ use PW\PWSMS\Gateways\Logger; use PW\PWSMS\Settings\Settings; use PW\PWSMS\SMS\Archive;+use PWS_Tapin; use ReflectionClass; use WC_Meta_Box_Order_Notes; use WC_Order;@@ -127,6 +128,12 @@ 			$opt_statuses[ $this->modify_status( $status_val ) ] = $status_name; 		} ++		// Based on settings page engineering, We assume that setting the props are semi status+		// It's actually an event!+		// Post Barcode set status+		$opt_statuses['set-post-tracking-code'] = 'هنگام ثبت بارکد پستی';+ 		return $opt_statuses; 	} @@ -338,10 +345,6 @@ 			$quantity = $this->product_prop( $product, 'total_stock' ); 		} -		if ( empty( $quantity ) ) {-			$quantity = (int) $product->get_meta( '_stock', true );-		}- 		return ! empty( $quantity ) ? $quantity : 0; 	} @@ -457,6 +460,14 @@ 			'{description}'     => nl2br( esc_html( $order->get_customer_note() ) ) 		]; +		// Some tags maybe dependent on specific conditions+		$post_tracking_code = $vendor_items_array['post_tracking_code'] ?? $this->order_prop( $order, 'post_barcode' );+		$post_tracking_url  = $vendor_items_array['post_tracking_url'] ?? 'https://radgir.net';++		$tags['{post_tracking_code}'] = $post_tracking_code;+		$tags['{post_tracking_url}']  = $post_tracking_url;++ 		$content = apply_filters( 'pwoosms_order_sms_body_before_replace', $content, array_keys( $tags ), array_values( $tags ), $order->get_id(), $order, $all_product_ids, $vendor_product_ids );  		$content = str_ireplace( array_keys( $tags ), array_values( $tags ), $content );@@ -1172,6 +1183,7 @@ 	}  	/**+	 * 	 * Return the current active gateway 	 * 	 * @return GatewayInterface
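
Review bot: in the @@ -338,10 hunk, removing the `_stock` meta fallback means the method now returns 0 whenever `total_stock` resolves to an empty value, where it previously fell back to `(int) $product->get_meta( '_stock', true )`; if that is intended because `total_stock` already covers that case, say so in the commit, otherwise keep the fallback.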
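
Review bot: in the @@ -457,6 hunk the two new tags are inserted raw while the neighbouring `'{description}' => nl2br( esc_html( $order->get_customer_note() ) )` is HTML-escaped. Either the escaping on `{description}` is unnecessary for SMS text, or `{post_tracking_code}` (read from the order's `post_barcode` prop or `$vendor_items_array`) needs the same treatment; pick one and state which rendering context the tag values reach. The default `'https://radgir.net'` for `{post_tracking_url}` is a hardcoded third-party URL sent to customers; it belongs in settings or behind a filter rather than in the source.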
AI Analysis
Vulnerability Existed: no
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - src/Helper.php [457-466]
Old Code:
```php
		// Some tags maybe dependent on specific conditions
		$post_tracking_code = $vendor_items_array['post_tracking_code'] ?? $this->order_prop( $order, 'post_barcode' );
		$post_tracking_url  = $vendor_items_array['post_tracking_url'] ?? 'https://radgir.net';

		$tags['{post_tracking_code}'] = $post_tracking_code;
		$tags['{post_tracking_url}']  = $post_tracking_url;
```
Fixed Code:
```php
		// Some tags maybe dependent on specific conditions
		$post_tracking_code = $vendor_items_array['post_tracking_code'] ?? $this->order_prop( $order, 'post_barcode' );
		$post_tracking_url  = $vendor_items_array['post_tracking_url'] ?? 'https://radgir.net';

		$tags['{post_tracking_code}'] = $post_tracking_code;
		$tags['{post_tracking_url}']  = $post_tracking_url;
```
Explanation:
The code adds two new template tags `{post_tracking_code}` and `{post_tracking_url}` that are later used in SMS content. While these values could potentially contain user input, SMS messages are not rendered as HTML in web contexts, so XSS vulnerabilities do not apply. The values are used for SMS text messaging, not web page generation.
CVE Analysis Results:
CVE-2025-49315: No
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/MetaBox.php AI: No vulnerabilities 1 true positive
--- cache/persian-woocommerce-sms_7.0.10/src/MetaBox.php	2025-11-20 14:24:52.595570729 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/MetaBox.php	2025-11-20 14:24:54.564696343 +0000@@ -25,17 +25,79 @@ 		$this->enable_product_admin_sms = PWSMS()->get_option( 'enable_product_admin_sms' );//مدیر محصول  		if ( $this->enable_metabox || $this->enable_notification || $this->enable_product_admin_sms ) {-			add_action( 'add_meta_boxes', [ $this, 'add_metabox' ] );-			add_action( 'wp_ajax_pwoosms_metabox', [ $this, 'ajax_callback' ] );+			add_action( 'add_meta_boxes', [ $this, 'send_sms_metabox' ] );+			add_action( 'add_meta_boxes', [ $this, 'send_post_tracking_code_metabox' ] );++			add_action( 'wp_ajax_pwoosms_metabox', [ $this, 'send_sms_ajax_callback' ] ); 		} 	} -	public function add_metabox() {+	/**+	 * Sends the post tracking code to user in order+	 *+	 */+	public function send_post_tracking_code_metabox() {+		$screen = PWSMS()->is_wc_order_hpos_enabled() ? wc_get_page_screen_id( 'shop-order' ) : 'shop_order';+++		add_meta_box( 'send_post_tracking_code_to_buyer', 'ارسال کد رهگیری پستی', [+			$this,+			'send_post_tracking_code_metabox_html',+		], [+			'shop_order',+			$screen,+		], 'side', 'high' );++	}++	public function send_post_tracking_code_metabox_html( $post_or_order_object ) {+		$order_id = $post_or_order_object instanceof WC_Order ? $post_or_order_object->get_id() : $post_or_order_object->ID;++		$mobile = PWSMS()->buyer_mobile( $order_id );++		if ( empty( $mobile ) ) {+			echo '<p>شماره ای برای ارسال پیامک وجود ندارد.</p>';++			return;+		}++		if ( ! 
PWSMS()->validate_mobile( $mobile ) ) {+			echo '<p>شماره موبایل مشتری معتبر نیست.</p>';++			return;+		}+		?>+        <style>+            #send_post_tracking_code_to_buyer #pwoosms_message {+                height: 30px !important;+            }++            #send_post_tracking_code_to_buyer .select2 {+                width: 100% !important;+            }++        </style>+		<?php+		ob_start(); ?>+        <p>+            <label for="select_group">ارائه دهنده خدمات پست</label><br>+            <select name="select_group" class="wc-enhanced-select" id="select_group" style="width: 100%;">+                <option value="https://tracking.post.ir/">شرکت ملی پست</option>+                <option value="https://tipaxco.com/tracking">تیپاکس</option>+            </select>+        </p>+        <br>+		<?php+		$html_below = ob_get_clean();++		$this->metabox_html( $order_id, 'shop_order', '<p>کد رهگیری</p>', $html_below );+	}+++	public function send_sms_metabox() {  		if ( $this->enable_metabox ) {-			$screen = PWSMS()->is_wc_order_hpos_enabled()-				? wc_get_page_screen_id( 'shop-order' )-				: 'shop_order';+			$screen = PWSMS()->is_wc_order_hpos_enabled() ? wc_get_page_screen_id( 'shop-order' ) : 'shop_order';   			add_meta_box( 'send_sms_to_buyer', 'ارسال پیامک به مشتری', [@@ -58,7 +120,7 @@ 		} 	} -	public function ajax_callback() {+	public function send_sms_ajax_callback() {  		check_ajax_referer( 'pwoosms_metabox', 'security' ); 
@@ -71,12 +133,15 @@ 		switch ( $_POST['post_type'] ) {  			case 'shop_order':-				$this->order_metabox_result( intval( $_POST['post_id'] ), $message );+				if ( isset( $_POST['group'] ) ) { // Tracking post code action+					$this->order_post_tracking_metabox_result( intval( $_POST['post_id'] ), $message, sanitize_text_field( $_POST['group'] ?? '' ) );+				} else { // Normal SMS sending+					$this->order_metabox_result( intval( $_POST['post_id'] ), $message );+				} 				break;  			case 'product':-				$this->product_metabox_result( intval( $_POST['post_id'] ), $message,-					sanitize_text_field( $_POST['group'] ?? '' ) );+				$this->product_metabox_result( intval( $_POST['post_id'] ), $message, sanitize_text_field( $_POST['group'] ?? '' ) ); 				break;  			default:@@ -84,6 +149,42 @@ 		} 	} +	public function order_post_tracking_metabox_result( $order_id, $tracking_code, $group ) {+		$order = wc_get_order( $order_id );++		if ( ! PWSMS()->is_wc_order( $order ) ) {+			return;+		}++		$mobile  = PWSMS()->buyer_mobile( $order_id );+		$message = PWSMS()->get_option( 'sms_body_set-post-tracking-code' );++		$data = [+			'post_id' => $order_id,+			'type'    => 3,+			'mobile'  => $mobile,+			'message' => PWSMS()->replace_short_codes( $message, 'set-post-tracking-code', $order, [ 'post_tracking_code' => $tracking_code, 'post_tracking_url' => $group ] ),+		];++		if ( ( $result = PWSMS()->send_sms( $data ) ) === true ) {++			$order->add_order_note( sprintf( 'پیامک با موفقیت به مشتری با شماره موبایل %s ارسال شد.<br>متن پیامک: %s', $mobile, $message ) );+			wp_send_json_success( [+				'message'    => 'پیامک با موفقیت ارسال شد.',+				'order_note' => PWSMS()->order_note_metabox( $order ),+			] );++		} else {++			$order->add_order_note( sprintf( 'پیامک به مشتری با شماره موبایل %s ارسال نشد.<br>متن پیامک: %s<br>پاسخ وبسرویس: %s', $mobile, $message, $result ) );+			wp_send_json_error( [+				'message'    => sprintf( 'ارسال پیامک با خطا مواجه شد. 
%s', $result ),+				'order_note' => PWSMS()->order_note_metabox( $order ),+			] );++		}+	}+ 	public function order_metabox_result( $order_id, $message ) {  		$order = wc_get_order( $order_id );@@ -103,8 +204,7 @@  		if ( ( $result = PWSMS()->send_sms( $data ) ) === true ) { -			$order->add_order_note( sprintf( 'پیامک با موفقیت به مشتری با شماره موبایل %s ارسال شد.<br>متن پیامک: %s',-				$mobile, $message ) );+			$order->add_order_note( sprintf( 'پیامک با موفقیت به مشتری با شماره موبایل %s ارسال شد.<br>متن پیامک: %s', $mobile, $message ) ); 			wp_send_json_success( [ 				'message'    => 'پیامک با موفقیت ارسال شد.', 				'order_note' => PWSMS()->order_note_metabox( $order ),@@ -112,8 +212,7 @@  		} else { -			$order->add_order_note( sprintf( 'پیامک به مشتری با شماره موبایل %s ارسال نشد.<br>متن پیامک: %s<br>پاسخ وبسرویس: %s',-				$mobile, $message, $result ) );+			$order->add_order_note( sprintf( 'پیامک به مشتری با شماره موبایل %s ارسال نشد.<br>متن پیامک: %s<br>پاسخ وبسرویس: %s', $mobile, $message, $result ) ); 			wp_send_json_error( [ 				'message'    => sprintf( 'ارسال پیامک با خطا مواجه شد. 
%s', $result ), 				'order_note' => PWSMS()->order_note_metabox( $order ),@@ -196,7 +295,7 @@  	private function metabox_html( int $post_id, $post_type, $html_above = '', $html_below = '' ) { ?> -		<div id="pwoosms_metabox_result"></div>+        <div id="pwoosms_metabox_result"></div>  		<?php 		$safemetabox = [@@ -217,23 +316,23 @@  		?> -		<p>+        <p>             <textarea rows="5" cols="20" class="input-text" id="pwoosms_message"                       name="pwoosms_message" style="width: 100%; height: 78px;" title=""></textarea>-		</p>+        </p>  		<?php echo wp_kses( $html_below, $safemetabox ); ?> -		<div class="wide" id="pwoosms_divider" style="text-align: left">-			<input type="submit" class="button save_order button-primary" name="pwoosms_submit"-			       id="pwoosms_submit" value="ارسال پیامک">-		</div>--		<div class="pwoosms_loading">-			<img src="<?php echo PWSMS_URL . '/assets/images/ajax-loader.gif'; ?>">-		</div>+        <div class="wide" id="pwoosms_divider" style="text-align: left">+            <input type="submit" class="pwoosms_submit button save_order button-primary" name="pwoosms_submit"+                   id="pwoosms_submit" value="ارسال پیامک">+        </div>++        <div class="pwoosms_loading">+            <img src="<?php echo PWSMS_URL . 
'/assets/images/ajax-loader.gif'; ?>">+        </div> -		<style type="text/css">+        <style type="text/css">             .pwoosms_loading {                 position: absolute;                 background: rgba(255, 255, 255, 0.5);@@ -276,29 +375,34 @@                 border-top: 1px solid #e9e9e9;                 padding-top: 5px;             }-		</style>+        </style>++        <script type="text/javascript"> -		<script type="text/javascript">             jQuery(document).ready(function ($) {-                $('#pwoosms_submit').on('click', function (e) {+                $('.pwoosms_submit').on('click', function (e) {                     e.preventDefault();                     var notes = $('#woocommerce-order-notes .inside');-                    var result = $('div#pwoosms_metabox_result');-                    var loading = $('.pwoosms_loading');-                    loading.show();-                    loading.clone().prependTo(notes);+                     var self = $(this);                     var post_type = '<?php echo esc_attr( $post_type ); ?>';-                    result.removeClass('fault', 'success');-                    self.attr('disabled', true);-                    $.post('<?php echo admin_url( "admin-ajax.php" );?>', {+                    var loading = self.closest('.postbox').find('.pwoosms_loading');+                    loading.show();+                    loading.clone().prependTo(notes);+                    var result = self.closest('.postbox').find('#pwoosms_metabox_result');++                    var pwsms_ajax_data = {                         action: 'pwoosms_metabox',                         security: '<?php echo wp_create_nonce( 'pwoosms_metabox' );?>',                         post_id: '<?php echo intval( $post_id );?>',                         post_type: post_type,                         message: $('#pwoosms_message').val(),                         group: $('#select_group').val()-                    }, function (res) {+                  
  };++                    result.removeClass('fault', 'success');+                    self.attr('disabled', true);+                    $.post('<?php echo admin_url( "admin-ajax.php" );?>', pwsms_ajax_data, function (res) {                         result.addClass(res.success ? 'success' : 'fault').html(res.data.message).show();                         self.attr('disabled', false);                         if (typeof res.data.order_note != "undefined" && res.data.order_note.length) {@@ -308,7 +412,9 @@                     });                 });             });-		</script>+++        </script> 		<?php 	} 
@@ -317,12 +423,12 @@ 		$product_id = $post->ID;  		ob_start(); ?>-		<p>-			<label for="select_group">ارسال پیامک به:</label><br>-			<select name="select_group" class="wc-enhanced-select" id="select_group" style="width: 100%;">+        <p>+            <label for="select_group">ارسال پیامک به:</label><br>+            <select name="select_group" class="wc-enhanced-select regular-input" id="select_group" style="width: 100% !important;">  				<?php if ( $this->enable_product_admin_sms ) { ?>-					<option value="_product_admins">به مدیران این محصول</option>+                    <option value="_product_admins">به مدیران این محصول</option> 				<?php }  				if ( $this->enable_notification ) {@@ -330,18 +436,18 @@ 					$groups = Contacts::get_groups( $product_id, false, true );  					if ( ! empty( $groups ) ) { ?>-						<optgroup label="به مشترکین گروه های زیر:">+                        <optgroup label="به مشترکین گروه های زیر:"> 							<?php foreach ( $groups as $code => $text ) { ?>-								<option-									value="<?php echo esc_attr( $code ); ?>"><?php echo esc_attr( $text ); ?></option>+                                <option+                                        value="<?php echo esc_attr( $code ); ?>"><?php echo esc_attr( $text ); ?></option> 							<?php } ?>-						</optgroup>+                        </optgroup> 					<?php } 				} 				?> -			</select>-		</p>+            </select>+        </p> 		<?php 		$html_above = ob_get_clean(); 
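Review bot: the `@@ -71` hunk branches on `isset( $_POST['group'] )`, but the script in the `@@ -276` hunk always sends `group: $('#select_group').val()`; jQuery serialises an undefined or empty value as `group=`, so `isset` is true on every request and the plain `order_metabox_result()` path is unreachable whenever the tracking metabox (which renders `id="select_group"`) is on the order screen. Send an explicit mode field from each metabox instead of inferring the mode from a key's presence, and in `order_post_tracking_metabox_result()` compare `$group` against the two provider URLs offered in `send_post_tracking_code_metabox_html()` rather than trusting `sanitize_text_field()` to yield a URL.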
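Review bot: in the `@@ -276` hunk `loading` and `result` are now scoped with `self.closest('.postbox')`, but `message: $('#pwoosms_message').val()` is not, and `metabox_html()` emits `id="pwoosms_message"` once per metabox; with two metaboxes on one screen the second button reads the first textarea. Use `self.closest('.postbox').find('#pwoosms_message').val()` (and ideally a class, since duplicate ids are invalid HTML) so each button sends its own text.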
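Review bot: `order_post_tracking_metabox_result()` in the `@@ -84` hunk records `$message`, the unexpanded template, in the order note, while the customer received the `replace_short_codes()` result; store the text actually sent so support can see which tracking code went out. The callback above it checks only the nonce (`check_ajax_referer`); since this action sends SMS and writes order notes, confirm that a capability check such as `current_user_can( 'edit_shop_orders' )` exists on the path, as none is visible in the hunk.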
AI Analysis
Vulnerability Existed: no  
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - src/MetaBox.php Lines 295-412  
Old Code:  
```php
private function metabox_html( int $post_id, $post_type, $html_above = '', $html_below = '' ) { ?>
    <div id="pwoosms_metabox_result"></div>
    <?php
    $safemetabox = [
        'p' => [],
        'label' => [ 'for' => [] ],
        'select' => [ 'name' => [], 'class' => [], 'id' => [], 'style' => [] ],
        'option' => [ 'value' => [] ],
        'optgroup' => [ 'label' => [] ],
        'br' => [],
        'style' => [],
        'textarea' => [ 'rows' => [], 'cols' => [], 'class' => [], 'id' => [], 'name' => [], 'style' => [], 'title' => [] ],
        'input' => [ 'type' => [], 'class' => [], 'name' => [], 'id' => [], 'value' => [] ],
        'img' => [ 'src' => [] ],
        'div' => [ 'id' => [], 'class' => [], 'style' => [] ],
    ];
    ?>
    <?php echo wp_kses( $html_above, $safemetabox ); ?>
    <p>
        <textarea rows="5" cols="20" class="input-text" id="pwoosms_message"
                  name="pwoosms_message" style="width: 100%; height: 78px;" title=""></textarea>
    </p>
    <?php echo wp_kses( $html_below, $safemetabox ); ?>
    <!-- ... rest of HTML and JavaScript ... -->
```  
Fixed Code:  
```php
private function metabox_html( int $post_id, $post_type, $html_above = '', $html_below = '' ) { ?>
    <div id="pwoosms_metabox_result"></div>
    <?php
    $safemetabox = [
        'p' => [],
        'label' => [ 'for' => [] ],
        'select' => [ 'name' => [], 'class' => [], 'id' => [], 'style' => [] ],
        'option' => [ 'value' => [] ],
        'optgroup' => [ 'label' => [] ],
        'br' => [],
        'style' => [],
        'textarea' => [ 'rows' => [], 'cols' => [], 'class' => [], 'id' => [], 'name' => [], 'style' => [], 'title' => [] ],
        'input' => [ 'type' => [], 'class' => [], 'name' => [], 'id' => [], 'value' => [] ],
        'img' => [ 'src' => [] ],
        'div' => [ 'id' => [], 'class' => [], 'style' => [] ],
    ];
    ?>
    <?php echo wp_kses( $html_above, $safemetabox ); ?>
    <p>
        <textarea rows="5" cols="20" class="input-text" id="pwoosms_message"
                  name="pwoosms_message" style="width: 100%; height: 78px;" title=""></textarea>
    </p>
    <?php echo wp_kses( $html_below, $safemetabox ); ?>
    <!-- ... rest of HTML and JavaScript ... -->
```  

Explanation:  
The code uses `wp_kses()` with a restricted HTML allowlist (`$safemetabox`) to output `$html_above` and `$html_below` parameters. The allowlist only permits specific HTML tags and attributes, removing any scripting attributes like `onclick` or `href` with `javascript:`. User input in AJAX responses is properly escaped using `wp_send_json_success()` and `wp_send_json_error()` which JSON-encode the data. The JavaScript uses jQuery's `.html()` method but the data comes from server-side escaped responses. All user-controlled values that reach output contexts are either sanitized via `wp_kses()` or properly escaped in JSON responses.
CVE Analysis Results:
CVE-2025-49315: No
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Orders.php AI: No vulnerabilities 1 true positive
--- cache/persian-woocommerce-sms_7.0.10/src/Orders.php	2025-11-20 14:24:52.596570793 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/Orders.php	2025-11-20 14:24:54.564696343 +0000@@ -2,6 +2,8 @@  namespace PW\PWSMS; +use PW\PWSMS\Helper;+use PWS_Tapin; use WC_Order;  defined( 'ABSPATH' ) || exit;@@ -40,6 +42,9 @@ 				remove_action( 'woocommerce_checkout_order_processed', [ $this, 'send_order_sms' ], 99 ); 			} ); +			/*هنگامی که بارکد پستی مرسوله در تاپین ثبت شد*/+			add_action( 'pws_save_order_post_barcode', [ $this, 'send_order_post_tracking_code' ], 100, 2 );+ 			add_filter( 'woocommerce_form_field_pwoosms_multiselect', [ 				Helper::class, 				'multi_select_and_checkbox',@@ -158,7 +163,7 @@  		$force_buyer = PWSMS()->get_option( 'force_enable_buyer' ); -		if ( ! $force_buyer && ! empty( $_POST['buyer_sms_notify'] ) && empty( $_POST[ $mobile_meta ] ) ) {+		if ( $force_buyer && ! empty( $_POST['buyer_sms_notify'] ) && empty( $_POST[ $mobile_meta ] ) ) { 			wc_add_notice( 'برای دریافت پیامک می بایست شماره موبایل را وارد نمایید.', 'error' ); 		} 
@@ -261,6 +266,30 @@ 		echo '</p>'; 	} +	public function send_order_post_tracking_code( WC_Order $order, $tracking_code ) {++		if ( ! class_exists( 'PWS_Tapin' ) || PWS_Tapin::is_enable() ) {+			return;+		}++		$order_id     = $order->get_id();+		$order_status = $order->get_status();+		$mobile       = PWSMS()->buyer_mobile( $order_id );+		$message      = PWSMS()->get_option( 'sms_body_set-post-tracking-code' );+		$data         = [+			'post_id' => $order_id,+			'mobile'  => $mobile,+			'type'    => 4,+			'message' => PWSMS()->replace_short_codes( $message, $order_status, $order, [ 'post_tracking_code' => $tracking_code, 'post_tracking_url' => 'https://radgir.net' ] ),+		];++		if ( ( $result = PWSMS()->send_sms( $data ) ) === true ) {+			$order->add_order_note( sprintf( 'پیامک کد رهگیری مرسوله با موفقیت به مشتری با شماره %s ارسال گردید.', $mobile ) );+		} else {+			$order->add_order_note( sprintf( 'پیامک کد رهگیری بخاطر خطا به مشتری با شماره %s ارسال نشد.<br>پاسخ وبسرویس: %s', $mobile, $result ) );+		}+	}+ 	public function send_order_sms( int $order_id, $old_status = '', $new_status = 'created' ) {  		if ( current_action() == 'woocommerce_process_shop_order_meta' ) {
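Review bot: the `@@ -158` hunk flips `! $force_buyer` to `$force_buyer`, inverting when the "enter a mobile number" notice fires; a one-line comment stating the intended rule (a mobile is required when buyer SMS is forced and the shopper ticked `buyer_sms_notify`) would stop this condition from being flipped back later.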
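Review bot: in the `@@ -261` hunk the guard `if ( ! class_exists( 'PWS_Tapin' ) || PWS_Tapin::is_enable() ) return;` returns when Tapin is enabled, which reads inverted against the hook comment ("when the shipment's postal barcode is registered in Tapin"); confirm whether `! PWS_Tapin::is_enable()` was meant, or document why an enabled Tapin suppresses the SMS. The same function passes `$order_status` as the status key to `replace_short_codes()` whereas MetaBox.php passes `'set-post-tracking-code'`, and the `'type' => 4` literal (3 in MetaBox.php) is unexplained; pick one key and give the type values names.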
AI Analysis
Vulnerability Existed: no
CWE-352: Cross-Site Request Forgery - CWE-352 - src/Orders.php [163]
Old Code:
```php
if ( ! $force_buyer && ! empty( $_POST['buyer_sms_notify'] ) && empty( $_POST[ $mobile_meta ] ) ) {
```
Fixed Code:
```php
if ( $force_buyer && ! empty( $_POST['buyer_sms_notify'] ) && empty( $_POST[ $mobile_meta ] ) ) {
```

Explanation:
The code change fixes a logic error in the condition but does not introduce or fix a CSRF vulnerability. The $_POST usage is for form validation during checkout, which is a legitimate use case. There is no evidence of missing nonce verification in this specific code section, and the $_POST data is used for conditional checks rather than direct state-changing operations without authorization.
CVE Analysis Results:
CVE-2025-49315: No
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Product/Tab.php AI: No vulnerabilities 1 true positive
--- cache/persian-woocommerce-sms_7.0.10/src/Product/Tab.php	2025-11-20 14:24:52.596570793 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/Product/Tab.php	2025-11-20 14:24:54.565696407 +0000@@ -185,8 +185,8 @@ 			woocommerce_wp_checkbox( [ 				'cbvalue'     => 'on', 				'desc_tip'    => true,-				'label'       => 'زمانیکه که محصول حراج شد',-				'description' => 'با فعالسازی این گزینه، در صورت حراج نبودن محصول، گزینه "زمانیکه که محصول حراج شد" در فرم عضویت خبرنامه نمایش داده خواهد شد.',+				'label'       => 'زمانیکه محصول حراج شد',+				'description' => 'با فعالسازی این گزینه، در صورت حراج نبودن محصول، گزینه "زمانیکه محصول حراج شد" در فرم عضویت خبرنامه نمایش داده خواهد شد.', 				'id'          => end( $this->product_metas ), 				'value'       => PWSMS()->get_product_meta_value( end( $this->product_metas ), $product_id ), 			] );@@ -214,8 +214,8 @@ 			woocommerce_wp_checkbox( [ 				'cbvalue'     => 'on', 				'desc_tip'    => true,-				'label'       => 'زمانیکه که محصول موجود شد',-				'description' => 'با فعالسازی این گزینه، در صورت ناموجود بودن محصول، گزینه "زمانیکه که محصول موجود شد" در فرم عضویت خبرنامه نمایش داده خواهد شد.',+				'label'       => 'زمانیکه محصول موجود شد',+				'description' => 'با فعالسازی این گزینه، در صورت ناموجود بودن محصول، گزینه "زمانیکه محصول موجود شد" در فرم عضویت خبرنامه نمایش داده خواهد شد.', 				'id'          => end( $this->product_metas ), 				'value'       => PWSMS()->get_product_meta_value( end( $this->product_metas ), $product_id ), 			] );@@ -243,7 +243,7 @@ 				'cbvalue'     => 'on', 				'desc_tip'    => true, 				'label'       => 'زمانیکه محصول رو به اتمام است',-				'description' => 'با فعالسازی این گزینه، در صورتی که موجودی انبار زیاد بود، گزینه "زمانیکه که محصول رو به اتمام است" در فرم عضویت خبرنامه نمایش داده خواهد شد.',+				'description' => 'با فعالسازی این گزینه، در صورتی که موجودی انبار زیاد بود، گزینه "زمانیکه محصول رو به اتمام است" در فرم عضویت خبرنامه نمایش داده خواهد شد.', 				'id'          => end( $this->product_metas ), 		
		'value'       => PWSMS()->get_product_meta_value( end( $this->product_metas ), $product_id ), 			] );
AI Analysis
Vulnerability Existed: no
No vulnerability - No CWE - src/Product/Tab.php 185-214,243
Old Code:
Various Persian text strings with duplicate "که" words
Fixed Code:
Corrected Persian text strings with proper grammar

Explanation:
The changes are purely cosmetic text corrections in Persian language strings. The diff shows fixes to grammatical errors where "زمانیکه که" was changed to "زمانیکه" (removing duplicate "که"). These are label and description text changes for UI elements. No code logic, data flow, or security-related functionality was modified. No user input handling, validation, sanitization, or output escaping was changed. The modifications only affect displayed text and have no security implications.
CVE Analysis Results:
CVE-2025-49315: No
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/SMS/ListTable.php AI: 2 vulnerabilities 2 false positives, 1 true positive CVE-2025-49315
--- cache/persian-woocommerce-sms_7.0.10/src/SMS/ListTable.php	2025-11-20 14:24:52.598570921 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/SMS/ListTable.php	2025-11-20 14:24:54.567696535 +0000@@ -285,8 +285,8 @@ 	protected function fetch_data( $per_page = 20, $offset = 0 ) { 		$wpdb = $GLOBALS['wpdb']; -		$orderby = ! empty( $_REQUEST['orderby'] ) ? esc_sql( $_REQUEST['orderby'] ) : 'date';-		$order   = ! empty( $_REQUEST['order'] ) ? esc_sql( $_REQUEST['order'] ) : 'desc';+		$orderby = ! empty( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'date';+		$order   = ! empty( $_GET['order'] ) ? sanitize_key( $_GET['order'] ) : 'desc';  		$query = $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}woocommerce_ir_sms_archive ORDER BY $orderby $order LIMIT %d OFFSET %d", $per_page, $offset ); @@ -335,8 +335,8 @@ 			$sql     .= ( isset( $s ) ? ' AND' : ' WHERE' ) . ' (`post_id` IN (' . implode( ',', is_array( $post_id ) ? $post_id : [ $post_id ] ) . '))'; 		} -		if ( ! empty( $_REQUEST['orderby'] ) ) {-			$sql .= $wpdb->prepare( ' ORDER BY %s', sanitize_text_field( $_REQUEST['orderby'] ) );+		if ( ! empty( $_GET['orderby'] ) ) {+			$sql .= $wpdb->prepare( ' ORDER BY %s', sanitize_key( $_GET['orderby'] ) ); 			$sql .= $_REQUEST['order'] == 'DESC' ? ' DESC' : ' ASC'; 		} else { 			$sql .= ' ORDER BY id DESC';@@ -485,8 +485,9 @@ 	}  	protected function usort_reorder( $a, $b ) {-		$orderby = ( ! empty( $_REQUEST['orderby'] ) ) ? $_REQUEST['orderby'] : 'date';-		$order   = ( ! empty( $_REQUEST['order'] ) ) ? $_REQUEST['order'] : 'desc';++		$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_key( $_GET['orderby'] ) : 'date';+		$order   = ( ! empty( $_GET['order'] ) ) ? sanitize_key( $_GET['order'] ) : 'desc'; 		$result  = strcmp( $a[ $orderby ], $b[ $orderby ] );  		return ( $order === 'asc' ) ? $result : - $result;
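Review bot: the `@@ -285` hunk closes the injection because `sanitize_key()` strips everything outside `[a-z0-9_-]` before `$orderby` and `$order` are interpolated into `ORDER BY $orderby $order`, but identifiers spliced into SQL should still be allowlisted: check `$orderby` against the sortable columns (`array_keys( $this->get_sortable_columns() )` if this class extends `WP_List_Table`) and force `$order` to `'asc'` or `'desc'`. Otherwise an unrecognised value simply breaks the query, and since `-` survives `sanitize_key()` a value such as `id-1` still reaches MySQL as an expression.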
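Review bot: in the `@@ -335` hunk `$wpdb->prepare( ' ORDER BY %s', ... )` quotes its argument, so the generated SQL is `ORDER BY 'date' ASC`, which sorts by a constant string, i.e. applies no ordering at all; use the `%i` identifier placeholder (WordPress 6.2 and later) or interpolate an allowlisted column name. The next line, `$_REQUEST['order'] == 'DESC' ? ' DESC' : ' ASC'`, is already safe because it only ever appends one of two literals; it should just read `$_GET` like the line above for consistency.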
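Review bot: the `@@ -485` hunk sanitises `$orderby` but still indexes `$a[ $orderby ]` with whatever key the request supplied, so an unknown column yields an undefined-index warning and a `strcmp( null, null )` comparison; the same column allowlist used for the SQL paths should gate this comparator.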
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - src/SMS/ListTable.php 335-337
Old Code:
```
		if ( ! empty( $_REQUEST['orderby'] ) ) {
			$sql .= $wpdb->prepare( ' ORDER BY %s', sanitize_text_field( $_REQUEST['orderby'] ) );
			$sql .= $_REQUEST['order'] == 'DESC' ? ' DESC' : ' ASC';
		} else {
			$sql .= ' ORDER BY id DESC';
		}
```
Fixed Code:
```
		if ( ! empty( $_GET['orderby'] ) ) {
			$sql .= $wpdb->prepare( ' ORDER BY %s', sanitize_key( $_GET['orderby'] ) );
			$sql .= $_REQUEST['order'] == 'DESC' ? ' DESC' : ' ASC';
		} else {
			$sql .= ' ORDER BY id DESC';
		}
```

Explanation:
The vulnerability exists because user input from $_REQUEST['order'] is directly concatenated into the SQL query without sanitization. The flow is: $_REQUEST['order'] (user input) → string concatenation → SQL query. While $_REQUEST['orderby'] is properly sanitized with sanitize_text_field() and passed to wpdb::prepare(), $_REQUEST['order'] is not sanitized and is directly appended to the SQL string. An attacker can control the 'order' parameter to inject arbitrary SQL after the ORDER BY clause.

Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - src/SMS/ListTable.php 288
Old Code:
```
		$query = $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}woocommerce_ir_sms_archive ORDER BY $orderby $order LIMIT %d OFFSET %d", $per_page, $offset );
```
Fixed Code:
```
		$query = $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}woocommerce_ir_sms_archive ORDER BY $orderby $order LIMIT %d OFFSET %d", $per_page, $offset );
```

Explanation:
The vulnerability exists because $orderby and $order variables are directly interpolated into the SQL string before being passed to wpdb::prepare(). The flow is: $_REQUEST['orderby'] → esc_sql() → $orderby → SQL string interpolation → wpdb::prepare(). However, wpdb::prepare() only protects the %d placeholders, not the interpolated $orderby and $order values. Since esc_sql() is insufficient protection against SQL injection (it only escapes quotes but doesn't validate column names or SQL keywords), an attacker can control the ORDER BY clause structure.

Vulnerability Existed: no
SQL Injection - CWE-89 - src/SMS/ListTable.php 485-490
Old Code:
```
	protected function usort_reorder( $a, $b ) {
		$orderby = ( ! empty( $_REQUEST['orderby'] ) ) ? $_REQUEST['orderby'] : 'date';
		$order   = ( ! empty( $_REQUEST['order'] ) ) ? $_REQUEST['order'] : 'desc';
		$result  = strcmp( $a[ $orderby ], $b[ $orderby ] );

		return ( $order === 'asc' ) ? $result : - $result;
```
Fixed Code:
```
	protected function usort_reorder( $a, $b ) {

		$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_key( $_GET['orderby'] ) : 'date';
		$order   = ( ! empty( $_GET['order'] ) ) ? sanitize_key( $_GET['order'] ) : 'desc';
		$result  = strcmp( $a[ $orderby ], $b[ $orderby ] );

		return ( $order === 'asc' ) ? $result : - $result;
```

Explanation:
This function performs array sorting in PHP memory, not SQL database operations. The user input is used to determine which array key to compare and the sort direction. While there may be other security implications (like accessing unauthorized array keys), this does not constitute SQL injection since no SQL query is executed. The operation occurs entirely in PHP array processing.
CVE Analysis Results:
CVE-2025-49315: Yes
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Settings/Settings.php AI: No vulnerabilities 1 true positive
--- cache/persian-woocommerce-sms_7.0.10/src/Settings/Settings.php	2025-11-20 14:24:52.598570921 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/Settings/Settings.php	2025-11-20 14:24:54.566696471 +0000@@ -456,7 +456,7 @@ 				[ 					'name'    => 'enable_onsale', 					'label'   => 'زمانیکه محصول حراج شد',-					'desc'    => 'با فعالسازی این گزینه، در صورت حراج نبودن محصول، گزینه "زمانیکه که محصول حراج شد" در فرم عضویت خبرنامه نمایش داده خواهد شد.',+					'desc'    => 'با فعالسازی این گزینه، در صورت حراج نبودن محصول، گزینه "زمانیکه محصول حراج شد" در فرم عضویت خبرنامه نمایش داده خواهد شد.', 					'type'    => 'checkbox', 					'default' => 'no', 				],@@ -481,8 +481,8 @@ 				], 				[ 					'name'    => 'enable_notif_no_stock',-					'label'   => 'زمانیکه که محصول موجود شد',-					'desc'    => 'با فعالسازی این گزینه، در صورت ناموجود بودن محصول، گزینه "زمانیکه که محصول موجود شد" در فرم عضویت خبرنامه نمایش داده خواهد شد.',+					'label'   => 'زمانیکه محصول موجود شد',+					'desc'    => 'با فعالسازی این گزینه، در صورت ناموجود بودن محصول، گزینه "زمانیکه محصول موجود شد" در فرم عضویت خبرنامه نمایش داده خواهد شد.', 					'type'    => 'checkbox', 					'default' => 'no', 				],@@ -515,7 +515,7 @@ 				[ 					'name'    => 'enable_notif_low_stock', 					'label'   => 'زمانیکه محصول رو به اتمام است',-					'desc'    => 'با فعالسازی این گزینه، در صورتی که موجودی انبار زیاد بود، گزینه "زمانیکه که محصول رو به اتمام است" در فرم عضویت خبرنامه نمایش داده خواهد شد.',+					'desc'    => 'با فعالسازی این گزینه، در صورتی که موجودی انبار زیاد بود، گزینه "زمانیکه محصول رو به اتمام است" در فرم عضویت خبرنامه نمایش داده خواهد شد.', 					'type'    => 'checkbox', 					'default' => 'no', 				],@@ -611,7 +611,9 @@ 			<code>{sh_address_1}</code> = آدرس 1   ، 			<code>{sh_address_2}</code> = آدرس 2   ، 			<code>{sh_postcode}</code> = کد پستی   ،<br><br>-		+            <code>{post_tracking_code}</code> = کد رهگیری پستی,+            <code>{post_tracking_url}</code> = آدرس اینترنتی رهگیری پستی+ 			
{$product_admin_shortcodes} 		 			{$shortcode_list}@@ -695,6 +697,10 @@ 				], 			]; +			if ( 'set-post-tracking-code' == $status_val ) {+				$text[0]['default'] = "{b_first_name} {b_last_name}\nسفارش {order_id} با کد رهگیری  {post_tracking_code} برای شما ارسال شد. پیگیری خرید {post_tracking_url}";+			}+ 			$settings = array_merge( $settings, $text ); 		} 
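Review bot: in the `@@ -611` hunk the two new help lines end with an ASCII `,` and no `<br>`, while the surrounding shortcode lines use the Persian comma `،` and `<br><br>`; match the existing punctuation so the rendered list stays uniform.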
AI Analysis
Vulnerability Existed: no
No vulnerability found - No CWE - src/Settings/Settings.php 456-697

Explanation:
The diff shows only text changes and feature additions:
1. Fixed typos in Persian text descriptions (removed duplicate "که" characters)
2. Added new shortcode variables for postal tracking: {post_tracking_code} and {post_tracking_url}
3. Added conditional text template for "set-post-tracking-code" status
4. No user input handling, no database operations, no file operations, no code execution sinks
5. All changes are static configuration data and text templates
6. No security vulnerabilities introduced or fixed in this diff
CVE Analysis Results:
CVE-2025-49315: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49315] [افزونه پیامک ووکامرس Persian WooCommerce SMS: 7.0.10→7.1.0] src/Subscribe/Contacts.php AI: No vulnerabilities 2 true positives
--- cache/persian-woocommerce-sms_7.0.10/src/Subscribe/Contacts.php	2025-11-20 14:24:52.599570985 +0000+++ cache/persian-woocommerce-sms_7.1.0/src/Subscribe/Contacts.php	2025-11-20 14:24:54.567696535 +0000@@ -214,6 +214,9 @@ 	}  	private static function prepare_groups( $groups ) {+		if ( empty( $groups ) ) {+			return '';+		}  		if ( ! is_array( $groups ) ) { 			$groups = explode( ',', (string) $groups );@@ -231,24 +234,24 @@  		$updated = get_option( 'pwoosms_table_contacts_updated' ); 		if ( ! $updated ) { ?>-			<div class="notice notice-info below-h2">-				<p>-					<strong>-						در حال انتقال دیتابیس مشترکین خبرنامه سایت شما از جدول post_meta به یک جدول مستقل هستیم.-						این عمل با توجه به حجم مشترکین شما ممکن است کمی زمانبر باشد.-						لطفا لحظات دیگری پس از انتقال کامل مشترکین مراجعه نمایید.-					</strong>-				</p>-			</div>+            <div class="notice notice-info below-h2">+                <p>+                    <strong>+                        در حال انتقال دیتابیس مشترکین خبرنامه سایت شما از جدول post_meta به یک جدول مستقل هستیم.+                        این عمل با توجه به حجم مشترکین شما ممکن است کمی زمانبر باشد.+                        لطفا لحظات دیگری پس از انتقال کامل مشترکین مراجعه نمایید.+                    </strong>+                </p>+            </div> 			<?php return; 		} elseif ( $updated == '1' ) { ?>-			<div class="notice notice-success is-dismissible below-h2">-				<p>-					<strong>-						انتقال دیتابیس مشترکین خبرنامه سایت شما از جدول post_meta به یک جدول مستقل با موفقیت انجام شد.-					</strong>-				</p>-			</div>+            <div class="notice notice-success is-dismissible below-h2">+                <p>+                    <strong>+                        انتقال دیتابیس مشترکین خبرنامه سایت شما از جدول post_meta به یک جدول مستقل با موفقیت انجام شد.+                    </strong>+                </p>+            </div> 			<?php update_option( 'pwoosms_table_contacts_updated', '2' ); 		} 
@@ -285,7 +288,7 @@  			$add_url = add_query_arg( $query_args, 				admin_url( 'admin.php?page=persian-woocommerce-sms-pro&tab=contacts' ) ); ?>-			<a class="page-title-action" href="<?php echo esc_url( $add_url ); ?>">افزودن مشترک جدید</a>+            <a class="page-title-action" href="<?php echo esc_url( $add_url ); ?>">افزودن مشترک جدید</a>  			<?php 			// Check if the GET parameters exist and sanitize them@@ -295,23 +298,23 @@ 			$edit       = isset( $_GET['edit'] ) ? htmlspecialchars( $_GET['edit'], ENT_QUOTES, 'UTF-8' ) : '';  			if ( ! empty( $product_id ) || ! empty( $add ) || ! empty( $edit ) ) : ?>-				<a class="page-title-action"-				   href="<?php echo esc_url( remove_query_arg( [ 'product_id', 'add', 'edit' ] ) ); ?>">-					بازگشت به لیست همه مشترکین-				</a>+                <a class="page-title-action"+                   href="<?php echo esc_url( remove_query_arg( [ 'product_id', 'add', 'edit' ] ) ); ?>">+                    بازگشت به لیست همه مشترکین+                </a> 			<?php endif; ?>  -			<form method="post">-				<input type="hidden" name="page" value="WoocommerceIR_SMS_Contacts_list_table">+            <form method="post">+                <input type="hidden" name="page" value="WoocommerceIR_SMS_Contacts_list_table"> 				<?php 				$list->search_box( 'جستجوی تلفن/ شناسه محصول', 'search_id' ); 				$list->display(); 				?>-			</form>+            </form> 		<?php } ?> -		<script type="text/javascript">+        <script type="text/javascript">             jQuery(document).ready(function ($) {                 $('.delete a, a.delete, .button.action').on('click', function (e) {                     var action1 = $('select[name="action"]').val();@@ -324,7 +327,7 @@                     }                 });             });-		</script>+        </script> 		<?php 	} 
@@ -355,9 +358,7 @@ 				$error = 'شماره موبایل وارد شده معتبر نیست.'; 			} --			$groups = self::prepare_groups( $_POST['groups'] );-+			$groups = self::prepare_groups( $_POST['groups'] ?? '' );  			if ( empty( $groups ) ) { 				$error = 'انتخاب حداقل یک گروه الزامی است.';@@ -392,9 +393,9 @@ 			}  			if ( ! empty( $error ) ) { ?>-				<div class="notice notice-error below-h2">-					<p><strong>خطا: </strong><?php echo esc_attr( $error ); ?></p>-				</div>+                <div class="notice notice-error below-h2">+                    <p><strong>خطا: </strong><?php echo esc_attr( $error ); ?></p>+                </div> 				<?php 			} 		} else {@@ -406,28 +407,28 @@ 		$contact_groups = array_map( 'trim', $contact_groups );  		if ( ! empty( $saved ) || ! empty( $_GET['added'] ) ) { ?>-			<div class="notice notice-success below-h2">-				<p><strong>مشترک ذخیره شد.</strong>-					<a href="<?php echo esc_url( $return_url ); ?>">بازگشت به لیست مشترکین</a>-				</p>-			</div>+            <div class="notice notice-success below-h2">+                <p><strong>مشترک ذخیره شد.</strong>+                    <a href="<?php echo esc_url( $return_url ); ?>">بازگشت به لیست مشترکین</a>+                </p>+            </div> 			<?php 		}  		$title = $operation == 'edit' ? 
'ویرایش مشترک خبرنامه محصول "%s"' : 'افزودن مشترک جدید برای خبرنامه محصول "%s"'; ?>-		<h3><?php printf( $title, get_the_title( $product_id ) ); ?></h3>+        <h3><?php printf( $title, get_the_title( $product_id ) ); ?></h3> -		<form action="<?php echo esc_url( remove_query_arg( [ 'added' ] ) ); ?>" method="post">-			<table class="form-table">-				<tbody>-				<tr>-					<th><label for="mobile">شماره موبایل</label></th>-					<td><input type="text" id="mobile" name="mobile" value="<?php echo esc_attr( $mobile ); ?>"-					           style="text-align: left; direction: ltr"></td>-				</tr>-				<tr>-					<th><label for="mobile">گروه ها</label></th>-					<td>+        <form action="<?php echo esc_url( remove_query_arg( [ 'added' ] ) ); ?>" method="post">+            <table class="form-table">+                <tbody>+                <tr>+                    <th><label for="mobile">شماره موبایل</label></th>+                    <td><input type="text" id="mobile" name="mobile" value="<?php echo esc_attr( $mobile ); ?>"+                               style="text-align: left; direction: ltr"></td>+                </tr>+                <tr>+                    <th><label for="mobile">گروه ها</label></th>+                    <td> 						<?php 						$all_groups    = (array) Contacts::get_groups( $product_id, false, false ); 						$active_groups = (array) Contacts::get_groups( $product_id, false, true );@@ -436,9 +437,9 @@ 							$group = strval( $group );  							?>-							<label for="groups_<?php echo esc_attr( $group ); ?>">-								<input type="checkbox" name="groups[]" id="groups_<?php echo esc_attr( $group ); ?>"-								       value="<?php echo esc_attr( $group ); ?>" <?php checked( in_array( $group,+                            <label for="groups_<?php echo esc_attr( $group ); ?>">+                                <input type="checkbox" name="groups[]" id="groups_<?php echo esc_attr( $group ); ?>"+                                       value="<?php echo esc_attr( $group ); ?>" 
<?php checked( in_array( $group, 									$contact_groups ) ) ?>> 								<?php 								echo esc_attr( $label );@@ -446,24 +447,24 @@ 									echo ' (غیرفعال)'; 								} 								?>-							</label><br>+                            </label><br> 						<?php 						endforeach; 						?>-					</td>-				</tr>-				</tbody>-			</table>+                    </td>+                </tr>+                </tbody>+            </table>  			<?php 			wp_nonce_field( 'pwoosms_contact_nonce', '_wpnonce' ); 			$title = $operation == 'edit' ? 'بروز رسانی مشترک' : 'افزودن مشترک'; 			?> -			<p class="submit">-				<input name="submit" class="button button-primary" value="<?php echo esc_attr( $title ); ?>"-				       type="submit">-				<a href="<?php echo esc_url( $return_url ); ?>" class="button button-secondary">بازگشت</a>+            <p class="submit">+                <input name="submit" class="button button-primary" value="<?php echo esc_attr( $title ); ?>"+                       type="submit">+                <a href="<?php echo esc_url( $return_url ); ?>" class="button button-secondary">بازگشت</a>  				<?php if ( ! empty( $contact_id ) ) : @@ -473,13 +474,13 @@ 						'_wpnonce' => wp_create_nonce( 'pwoosms_delete_contact' ), 					], $return_url ); ?> -					<a class="delete" href="<?php echo esc_url( $delete_url ); ?>"-					   style="text-decoration: none; color: red">حذف-						این مشترک</a>+                    <a class="delete" href="<?php echo esc_url( $delete_url ); ?>"+                       style="text-decoration: none; color: red">حذف+                        این مشترک</a> 				<?php endif; ?>-			</p>+            </p> -		</form>+        </form> 		<?php 	} 
@@ -514,29 +515,29 @@ 		} 		?> -		<table class="form-table">-			<tbody>-			<tr>-				<th>-					<label for="select_product_id">یک محصول انتخاب کنید</label>-				</th>-				<td>-					<select id="select_product_id" class="wc-product-search">-						<option value="">یک محصول انتخاب کنید</option>-					</select>-				</td>-			</tr>-			</tbody>-		</table>+        <table class="form-table">+            <tbody>+            <tr>+                <th>+                    <label for="select_product_id">یک محصول انتخاب کنید</label>+                </th>+                <td>+                    <select id="select_product_id" class="wc-product-search">+                        <option value="">یک محصول انتخاب کنید</option>+                    </select>+                </td>+            </tr>+            </tbody>+        </table> -		<script type="text/javascript">+        <script type="text/javascript">             jQuery(document).ready(function ($) {                 $('select#select_product_id').on('change', function () { 					<?php $url = esc_url_raw( remove_query_arg( [ 'add' ] ) ); ?>                     document.location = '<?php echo str_replace( '&amp;', '&', esc_js( $url ) ); ?>' + "&add=" + encodeURIComponent($(this).val());                 });             });-		</script>+        </script> 		<?php 	} }\ No newline at end of file
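Review bot: `$_POST['groups'] ?? ''` in hunk @@ -355 only avoids an undefined-index notice; together with the new early return in `prepare_groups()` (hunk @@ -214) it makes a missing field produce the "select at least one group" error instead of a PHP warning. Whether the individual group values are escaped before they reach a query is decided inside `prepare_groups()` after the `explode()`, which is outside this diff, and no `wp_verify_nonce()` check for the `pwoosms_contact_nonce` field created in hunk @@ -446 is visible in the handler either; both should be confirmed in the full file before this is treated as the SQL injection fix.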
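Review bot: `htmlspecialchars( $_GET['edit'], ENT_QUOTES, 'UTF-8' )` in hunk @@ -295, and the same pattern on the `product_id` and `add` parameters the comment above it covers, is output encoding applied at input time, not validation; `$product_id` is later passed to `Contacts::get_groups( $product_id, false, false )` and `get_the_title( $product_id )` in hunk @@ -406, where an HTML-encoded string is not a meaningful identifier. Read it with `absint()` instead and leave escaping to the `esc_attr()`/`esc_url()` calls the templates already use at output. The remaining hunks in this file are tab-to-space indentation changes only and would be easier to review as a separate whitespace commit.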
AI Analysis
Vulnerability Existed: no
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - src/Subscribe/Contacts.php [355]
Old Code: `$groups = self::prepare_groups( $_POST['groups'] );`
Fixed Code: `$groups = self::prepare_groups( $_POST['groups'] ?? '' );`

Explanation:
The old code directly accessed `$_POST['groups']` without checking whether it exists, which could cause a PHP notice but not an XSS vulnerability. The fixed code uses the null coalescing operator to provide a default empty string value. The `prepare_groups` function processes the input but only returns sanitized group names for database operations. No unsanitized user input is echoed to the page, and all outputs use proper escaping such as `esc_attr()`.

Vulnerability Existed: no
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - src/Subscribe/Contacts.php [295,297]
Old Code: `$product_id = isset( $_GET['product_id'] ) ? htmlspecialchars( $_GET['product_id'], ENT_QUOTES, 'UTF-8' ) : '';`
Fixed Code: `$product_id = isset( $_GET['product_id'] ) ? htmlspecialchars( $_GET['product_id'], ENT_QUOTES, 'UTF-8' ) : '';`

Explanation:
The GET parameters `product_id`, `add`, and `edit` are properly sanitized using `htmlspecialchars()` with ENT_QUOTES and UTF-8 encoding before being used. This neutralizes any XSS payloads in these parameters. The sanitized values are then used in safe contexts like URL construction with `esc_url()` or form values with `esc_attr()`.
CVE Analysis Results:
CVE-2025-49315: No
View CVE Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PersianScript Persian Woocommerce SMS allows SQL Injection. This issue affects Persian Woocommerce SMS: from n/a through 7.0.10.
[CVE-2025-49876] [ProfileGrid – User Profiles, Groups and Communities: 5.9.5.2→5.9.5.3] includes/class-profile-magic-request.php AI: No vulnerabilities 1 true positive
--- cache/profilegrid-user-profiles-groups-and-communities_5.9.5.2/includes/class-profile-magic-request.php	2025-11-20 19:11:27.783899119 +0000+++ cache/profilegrid-user-profiles-groups-and-communities_5.9.5.3/includes/class-profile-magic-request.php	2025-11-20 19:11:54.389605193 +0000@@ -6150,4 +6150,30 @@             return $delete;         }         +        public function pg_file_fullpath_validation($fullpath) {+            // Step 1: Block URLs+            if ( filter_var($fullpath, FILTER_VALIDATE_URL) ) {+                return false;+            }+            // Step 2: Block path traversal and absolute paths+            if ( strpos($fullpath, '..') !== false || preg_match('/^(\/|[A-Z]:\\\\)/i', $fullpath) ) {+                // Note: You might want to allow absolute paths depending on use case+            }+            // Step 3: Resolve realpath+            $realpath = realpath($fullpath);+            if ($realpath === false) {+                return false;+            }+            // Step 4: Normalize slashes for Windows+            $realpath_normalized = str_replace('\\', '/', $realpath);+            $upload_dir = str_replace('\\', '/', wp_get_upload_dir()['basedir']);++            // Step 5: Ensure realpath is within uploads dir+            if ( strpos($realpath_normalized, $upload_dir) !== 0 ) {+                return false;+            }+            return true;+        }++ }
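Review bot: Step 2 of `pg_file_fullpath_validation()` in hunk @@ -6150 detects `..` and absolute paths but its `if` body contains only a comment, so a match falls through to the `realpath()` call and the step has no effect; either `return false;` inside that block or delete it so the comment does not imply a check that is not there. The containment test in step 5, `strpos($realpath_normalized, $upload_dir) !== 0`, compares against the bare `basedir` string with no trailing separator, so a sibling directory whose name merely starts with the uploads path would also pass; compare against `rtrim($upload_dir, '/') . '/'` (or accept exact equality with `$upload_dir`). A docblock stating that the function returns `bool` and expects a filesystem path rather than a URL would also help the callers, which test the result with `empty()`.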
AI Analysis
Vulnerability Existed: no
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - includes/class-profile-magic-request.php 6150-6174
Old Code:
```php
// No previous file path validation function existed
```
Fixed Code:
```php
public function pg_file_fullpath_validation($fullpath) {
    // Step 1: Block URLs
    if ( filter_var($fullpath, FILTER_VALIDATE_URL) ) {
        return false;
    }
    // Step 2: Block path traversal and absolute paths
    if ( strpos($fullpath, '..') !== false || preg_match('/^(\/|[A-Z]:\\\\)/i', $fullpath) ) {
        // Note: You might want to allow absolute paths depending on use case
    }
    // Step 3: Resolve realpath
    $realpath = realpath($fullpath);
    if ($realpath === false) {
        return false;
    }
    // Step 4: Normalize slashes for Windows
    $realpath_normalized = str_replace('\\', '/', $realpath);
    $upload_dir = str_replace('\\', '/', wp_get_upload_dir()['basedir']);

    // Step 5: Ensure realpath is within uploads dir
    if ( strpos($realpath_normalized, $upload_dir) !== 0 ) {
        return false;
    }
    return true;
}
```

Explanation:
This is a new security function being added, not a fix for an existing vulnerability. The function implements comprehensive file path validation with multiple security layers: 1) Blocks URLs using FILTER_VALIDATE_URL, 2) Detects path traversal sequences ('..') and absolute paths, 3) Uses realpath() to resolve symbolic links and normalize paths, 4) Normalizes directory separators for cross-platform compatibility, and 5) Ensures the resolved path is within the WordPress uploads directory using strict prefix checking. This is a proactive security enhancement rather than a vulnerability fix.
CVE Analysis Results:
CVE-2025-49876: No
View CVE Description
Failed to fetch CVE description: Get "https://nvd.nist.gov/vuln/detail/CVE-2025-49876": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[CVE-2025-49876] [ProfileGrid – User Profiles, Groups and Communities: 5.9.5.2→5.9.5.3] profile-magic.php AI: No vulnerabilities 1 true positive
--- cache/profilegrid-user-profiles-groups-and-communities_5.9.5.2/profile-magic.php	2025-11-20 19:11:27.823901685 +0000+++ cache/profilegrid-user-profiles-groups-and-communities_5.9.5.3/profile-magic.php	2025-11-20 19:11:54.433608014 +0000@@ -8,7 +8,7 @@  * Plugin Name:       ProfileGrid  * Plugin URI:        http://profilegrid.co  * Description:       ProfileGrid adds user groups and user profiles functionality to your site.- * Version:           5.9.5.2+ * Version:           5.9.5.3  * Author:            ProfileGrid User Profiles  * Author URI:        https://profilegrid.co  * License:           GPL-2.0+@@ -28,7 +28,7 @@  */  define('PROGRID_DB_VERSION',4.4);-define('PROGRID_PLUGIN_VERSION','5.9.5.2');+define('PROGRID_PLUGIN_VERSION','5.9.5.3'); define('PROGRID_MULTI_GROUP_VERSION', 3.0);  
AI Analysis
Vulnerability Existed: no
No vulnerability found - profile-magic.php 8,28
Old Code:
```php
 * Version:           5.9.5.2
```
```php
define('PROGRID_PLUGIN_VERSION','5.9.5.2');
```
Fixed Code:
```php
 * Version:           5.9.5.3
```
```php
define('PROGRID_PLUGIN_VERSION','5.9.5.3');
```

Explanation:
The diff only shows version number updates from 5.9.5.2 to 5.9.5.3 in the plugin header comment and constant definition. These are hardcoded version strings with no user input involved, no data flow from user-controlled sources, and no security-sensitive sinks. The changes are purely administrative version updates with no security implications.
CVE Analysis Results:
CVE-2025-49876: No
View CVE Description
Failed to fetch CVE description: Get "https://nvd.nist.gov/vuln/detail/CVE-2025-49876": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[CVE-2025-49876] [ProfileGrid – User Profiles, Groups and Communities: 5.9.5.2→5.9.5.3] public/class-profile-magic-public.php AI: 1 vulnerabilities 1 true positive CVE-2025-49876
--- cache/profilegrid-user-profiles-groups-and-communities_5.9.5.2/public/class-profile-magic-public.php	2025-11-20 19:11:27.825901813 +0000+++ cache/profilegrid-user-profiles-groups-and-communities_5.9.5.3/public/class-profile-magic-public.php	2025-11-20 19:11:54.434608079 +0000@@ -5384,9 +5384,12 @@ 	public function pg_show_msg_panel() {                 $pmrequests = new PM_request(); 		/*$uid    = filter_input( INPUT_POST, 'uid' ); */-		$rid    = filter_input( INPUT_POST, 'rid' );+		/*$rid    = filter_input( INPUT_POST, 'rid' ); */ 		/*$tid    = filter_input( INPUT_POST, 'tid' );*/-		$search = filter_input( INPUT_POST, 'search' );+                $rid    = isset($_POST['rid']) ? intval($_POST['rid']) : 0;+                $search = isset($_POST['search']) ? sanitize_text_field($_POST['search']) : '';++		//$search = filter_input( INPUT_POST, 'search' );                 $uid = get_current_user_id();                 $tid = $pmrequests->get_thread_id( $rid, $uid ); 		$chat   = new ProfileMagic_Chat();
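Review bot: The old `filter_input( INPUT_POST, 'rid' )` and `'search'` lines in hunk @@ -5384 are commented out rather than removed; delete the dead copies so the function does not carry two versions of its input handling. `sanitize_text_field()` on `$search` strips tags and control characters but is not SQL escaping, so protection for the search term still depends on the query that consumes it going through `$wpdb->prepare()`, which is outside this hunk; the `intval()` cast on `$rid` does close the injection path for that parameter before it reaches `get_thread_id()`. The added lines are space-indented while the surrounding lines use tabs.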
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - public/class-profile-magic-public.php [5384-5392]
Old Code:
```php
$rid    = filter_input( INPUT_POST, 'rid' );
$search = filter_input( INPUT_POST, 'search' );
```
Fixed Code:
```php
$rid    = isset($_POST['rid']) ? intval($_POST['rid']) : 0;
$search = isset($_POST['search']) ? sanitize_text_field($_POST['search']) : '';
```

Explanation:
The old code used filter_input() for 'rid' and 'search' parameters without proper type casting or sanitization for SQL context. The 'rid' parameter was passed directly to get_thread_id() method which likely uses it in SQL queries. Since filter_input() with default FILTER_DEFAULT returns strings, a string value for 'rid' could bypass intended numeric validation. The new code explicitly casts 'rid' to integer using intval(), ensuring it's properly sanitized for SQL usage. The 'search' parameter is now sanitized with sanitize_text_field() which removes dangerous characters and prevents SQL injection.
CVE Analysis Results:
CVE-2025-49876: Yes
View CVE Description
Failed to fetch CVE description: Get "https://nvd.nist.gov/vuln/detail/CVE-2025-49876": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[CVE-2025-49876] [ProfileGrid – User Profiles, Groups and Communities: 5.9.5.2→5.9.5.3] public/partials/coverimg_crop.php AI: 1 vulnerabilities 1 true positive CVE-2025-49876
--- cache/profilegrid-user-profiles-groups-and-communities_5.9.5.2/public/partials/coverimg_crop.php	2025-11-20 19:11:27.838902646 +0000+++ cache/profilegrid-user-profiles-groups-and-communities_5.9.5.3/public/partials/coverimg_crop.php	2025-11-20 19:11:54.448608976 +0000@@ -19,30 +19,37 @@   break;      case 'save' :-     -    $image = wp_get_image_editor( $post['fullpath'] );-     -       $image_attribute = wp_get_attachment_image_src($post['attachment_id'],'full');-      -      $basename = basename($post['fullpath']);-    if ( ! is_wp_error( $image ) && $post['user_id']==$current_user->ID ) {-        $image->crop( $post['x'], $post['y'], $post['w'], $post['h'], $post['w'], $post['h'], false );-        $image->resize( $post['w'], $post['h'], array($post['x'], $post['y']) );-        if (is_numeric($jpeg_quality)) -        {-            $image->set_quality(intval($jpeg_quality));-        }-        -        $image->save( $uploads['path']. '/'.$basename );+    +    if(isset($post['fullpath'])){         -        update_user_meta($post['user_id'],'pm_cover_image',$post['attachment_id']);-        do_action('pm_update_cover_image',$post['user_id']);-        echo "<img id='coverphotofinal' file-name='".esc_attr($basename)."' src='".esc_url($image_attribute[0])."' class='preview'/>";-    }- else {-         echo wp_kses_post($image->get_error_message());+        $valid_fullpath = $pmrequests->pg_file_fullpath_validation($post['fullpath']);+        if(empty($valid_fullpath)){+           esc_html_e('Something went wrong.', 'profilegrid-user-profiles-groups-and-communities');+           die();+        }else{+            $image = wp_get_image_editor( $post['fullpath'] );+            $image_attribute = wp_get_attachment_image_src($post['attachment_id'],'full');+            $basename = basename($post['fullpath']);+            if ( ! 
is_wp_error( $image ) && $post['user_id']==$current_user->ID ) {+                $image->crop( $post['x'], $post['y'], $post['w'], $post['h'], $post['w'], $post['h'], false );+                $image->resize( $post['w'], $post['h'], array($post['x'], $post['y']) );+                if (is_numeric($jpeg_quality)) +                {+                    $image->set_quality(intval($jpeg_quality));+                }++                $image->save( $uploads['path']. '/'.$basename );++                update_user_meta($post['user_id'],'pm_cover_image',$post['attachment_id']);+                do_action('pm_update_cover_image',$post['user_id']);+                echo "<img id='coverphotofinal' file-name='".esc_attr($basename)."' src='".esc_url($image_attribute[0])."' class='preview'/>";+            }+            else {+                echo wp_kses_post($image->get_error_message());+            }+           die;+        }     }-    die;   break;   default:         
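Review bot: The guard added in hunk @@ -19 only confirms that `$post['fullpath']` resolves somewhere under the uploads directory; the path is still user-supplied and is never tied to `$post['attachment_id']`, which `update_user_meta()` stores without any ownership check, and the `$post['user_id']==$current_user->ID` test compares one POST field against the session rather than checking who owns the attachment. The companion change to `crop.php` derives the image path with `get_attached_file($post['attachment_id'])` instead; doing the same here, plus verifying that the attachment belongs to the current user, would make `fullpath` unnecessary. Also, because `die;` moved inside the `else` branch, a request without `fullpath` now falls off the end of `case 'save'` with no output at all.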
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - public/partials/coverimg_crop.php 19-30
Old Code:
```php
$image = wp_get_image_editor( $post['fullpath'] );
$basename = basename($post['fullpath']);
$image->save( $uploads['path']. '/'.$basename );
```
Fixed Code:
```php
$valid_fullpath = $pmrequests->pg_file_fullpath_validation($post['fullpath']);
if(empty($valid_fullpath)){
   esc_html_e('Something went wrong.', 'profilegrid-user-profiles-groups-and-communities');
   die();
}else{
    $image = wp_get_image_editor( $post['fullpath'] );
    $basename = basename($post['fullpath']);
    $image->save( $uploads['path']. '/'.$basename );
```
Explanation:
In the old code, user-controlled `$post['fullpath']` was directly used in `wp_get_image_editor()` and `basename()` without validation. The `basename()` function only removes directory traversal sequences from the final component, but the full path could still point to arbitrary files on the system. An attacker could control `fullpath` to read/write arbitrary files. The new code adds validation through `pg_file_fullpath_validation()` that checks if the path is legitimate before processing, preventing path traversal attacks.
CVE Analysis Results:
CVE-2025-49876: Yes
View CVE Description
Failed to fetch CVE description: Get "https://nvd.nist.gov/vuln/detail/CVE-2025-49876": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[CVE-2025-49876] [ProfileGrid – User Profiles, Groups and Communities: 5.9.5.2→5.9.5.3] public/partials/crop.php AI: 1 vulnerabilities 1 false positive
--- cache/profilegrid-user-profiles-groups-and-communities_5.9.5.2/public/partials/crop.php	2025-11-20 19:11:27.838902646 +0000+++ cache/profilegrid-user-profiles-groups-and-communities_5.9.5.3/public/partials/crop.php	2025-11-20 19:11:54.448608976 +0000@@ -19,36 +19,44 @@   break;      case 'save' :-         -    $image_path = get_attached_file($post['attachment_id']); // Securely retrieve image path-    $image_attribute = wp_get_attachment_image_src($post['attachment_id'], 'full');-    if (!$image_path || !file_exists($image_path)) {-        wp_send_json_error(['message' => 'Invalid image file.']);-        exit;-    }-    $image = wp_get_image_editor($image_path);+    if(isset($post['fullpath'])){+        +        $valid_fullpath = $pmrequests->pg_file_fullpath_validation($post['fullpath']);+        if(empty($valid_fullpath)){+           esc_html_e('Something went wrong.', 'profilegrid-user-profiles-groups-and-communities');+           die();+        }else{     +            $image_path = get_attached_file($post['attachment_id']); // Securely retrieve image path+            $image_attribute = wp_get_attachment_image_src($post['attachment_id'], 'full');+            if (!$image_path || !file_exists($image_path)) {+                wp_send_json_error(['message' => 'Invalid image file.']);+                exit;+            }+            $image = wp_get_image_editor($image_path); -      $basename = basename($post['fullpath']);-    if ( ! 
is_wp_error( $image ) && $post['user_id']==$current_user->ID && $post['user_meta']=='pm_user_avatar') {-        $image->crop( $post['x'], $post['y'], $post['w'], $post['h'], $post['w'], $post['h'], false );-        $image->resize( $post['w'], $post['h'], array($post['x'], $post['y']) );-        if($post['user_meta']=='pm_user_avatar')-        {-            $image_attribute = wp_get_attachment_image_src($post['attachment_id'],array(150,150));-            $basename = basename($image_attribute[0]);-        }-        if (is_numeric($jpeg_quality)) -        {-            $image->set_quality(intval($jpeg_quality));+            $basename = basename($post['fullpath']);+            if ( ! is_wp_error( $image ) && $post['user_id']==$current_user->ID && $post['user_meta']=='pm_user_avatar') {+                $image->crop( $post['x'], $post['y'], $post['w'], $post['h'], $post['w'], $post['h'], false );+                $image->resize( $post['w'], $post['h'], array($post['x'], $post['y']) );+                if($post['user_meta']=='pm_user_avatar')+                {+                    $image_attribute = wp_get_attachment_image_src($post['attachment_id'],array(150,150));+                    $basename = basename($image_attribute[0]);+                }+                if (is_numeric($jpeg_quality)) +                {+                    $image->set_quality(intval($jpeg_quality));+                }++                $image->save( $uploads['path']. '/'.$basename );+                update_user_meta($post['user_id'],'pm_user_avatar',$post['attachment_id']);+                do_action('pm_update_profile_image',$post['user_id']);+                echo "<img id='photofinal' file-name='".esc_attr($basename)."' src='".esc_url($image_attribute[0])."' class='preview'/>";+            }+            else {+                 echo wp_kses_post($image->get_error_message());+            }         }-        -        $image->save( $uploads['path']. 
'/'.$basename );-        update_user_meta($post['user_id'],'pm_user_avatar',$post['attachment_id']);-        do_action('pm_update_profile_image',$post['user_id']);-        echo "<img id='photofinal' file-name='".esc_attr($basename)."' src='".esc_url($image_attribute[0])."' class='preview'/>";-    }-    else {-         echo wp_kses_post($image->get_error_message());     }     die;   break;
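Review bot: In hunk @@ -19 the `$basename = basename($post['fullpath'])` assignment is dead code: the outer `if` already requires `$post['user_meta']=='pm_user_avatar'`, and the nested `if` with the same condition always overwrites `$basename` from `wp_get_attachment_image_src()`, so the nested condition is redundant and the `fullpath`-derived name never reaches `$image->save()`. Since the image itself comes from `get_attached_file($post['attachment_id'])`, the new `pg_file_fullpath_validation()` call here guards a value the endpoint does not otherwise use; either drop the `fullpath` parameter from this handler or document why it is still required. The two error paths also disagree in format: the new branch prints a translated string via `esc_html_e()` and `die()`, while the existing branch returns JSON through `wp_send_json_error()`.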
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - public/partials/crop.php lines 19-44
Old Code:
```php
$image_path = get_attached_file($post['attachment_id']); // Securely retrieve image path
$image_attribute = wp_get_attachment_image_src($post['attachment_id'], 'full');
if (!$image_path || !file_exists($image_path)) {
    wp_send_json_error(['message' => 'Invalid image file.']);
    exit;
}
$image = wp_get_image_editor($image_path);

$basename = basename($post['fullpath']);
if ( ! is_wp_error( $image ) && $post['user_id']==$current_user->ID && $post['user_meta']=='pm_user_avatar') {
    $image->crop( $post['x'], $post['y'], $post['w'], $post['h'], $post['w'], $post['h'], false );
    $image->resize( $post['w'], $post['h'], array($post['x'], $post['y']) );
    if($post['user_meta']=='pm_user_avatar')
    {
        $image_attribute = wp_get_attachment_image_src($post['attachment_id'],array(150,150));
        $basename = basename($image_attribute[0]);
    }
    if (is_numeric($jpeg_quality)) 
    {
        $image->set_quality(intval($jpeg_quality));
    }
    
    $image->save( $uploads['path']. '/'.$basename );
    update_user_meta($post['user_id'],'pm_user_avatar',$post['attachment_id']);
    do_action('pm_update_profile_image',$post['user_id']);
    echo "<img id='photofinal' file-name='".esc_attr($basename)."' src='".esc_url($image_attribute[0])."' class='preview'/>";
}
else {
     echo wp_kses_post($image->get_error_message());
}
```

Fixed Code:
```php
if(isset($post['fullpath'])){
    
    $valid_fullpath = $pmrequests->pg_file_fullpath_validation($post['fullpath']);
    if(empty($valid_fullpath)){
       esc_html_e('Something went wrong.', 'profilegrid-user-profiles-groups-and-communities');
       die();
    }else{     
        $image_path = get_attached_file($post['attachment_id']); // Securely retrieve image path
        $image_attribute = wp_get_attachment_image_src($post['attachment_id'], 'full');
        if (!$image_path || !file_exists($image_path)) {
            wp_send_json_error(['message' => 'Invalid image file.']);
            exit;
        }
        $image = wp_get_image_editor($image_path);

        $basename = basename($post['fullpath']);
        if ( ! is_wp_error( $image ) && $post['user_id']==$current_user->ID && $post['user_meta']=='pm_user_avatar') {
            $image->crop( $post['x'], $post['y'], $post['w'], $post['h'], $post['w'], $post['h'], false );
            $image->resize( $post['w'], $post['h'], array($post['x'], $post['y']) );
            if($post['user_meta']=='pm_user_avatar')
            {
                $image_attribute = wp_get_attachment_image_src($post['attachment_id'],array(150,150));
                $basename = basename($image_attribute[0]);
            }
            if (is_numeric($jpeg_quality)) 
            {
                $image->set_quality(intval($jpeg_quality));
            }

            $image->save( $uploads['path']. '/'.$basename );
            update_user_meta($post['user_id'],'pm_user_avatar',$post['attachment_id']);
            do_action('pm_update_profile_image',$post['user_id']);
            echo "<img id='photofinal' file-name='".esc_attr($basename)."' src='".esc_url($image_attribute[0])."' class='preview'/>";
        }
        else {
             echo wp_kses_post($image->get_error_message());
        }
    }
}
```

Explanation:
The vulnerability existed because user-controlled input `$post['fullpath']` was used directly in `basename($post['fullpath'])` and then in the file save operation `$image->save( $uploads['path']. '/'.$basename )`. An attacker could provide a malicious path traversal payload in the `fullpath` parameter that would bypass the `basename()` function and write files to arbitrary locations. The fix adds validation through `$pmrequests->pg_file_fullpath_validation($post['fullpath'])`, which properly validates the full path before it is used, preventing path traversal attacks.
CVE Analysis Results:
CVE-2025-49876: No
[CVE-2025-9172] [Vibes: 2.2.0→2.2.1] includes/features/class-analytics.php AI: No vulnerabilities 1 true positive
--- cache/vibes_2.2.0/includes/features/class-analytics.php	2025-11-20 22:19:09.428461554 +0000+++ cache/vibes_2.2.1/includes/features/class-analytics.php	2025-11-20 22:19:26.261527521 +0000@@ -336,7 +336,7 @@ 			} 			$this->authent             = $authent; 			$this->available_countries = Schema::get_distinct_countries( $this->source, $this->filter, ! $this->is_today );-			if ( 'all' !== strtolower( $country ) && ! in_array( strtoupper( $country ), $this->available_countries, true ) ) {+			if ( 'all' !== strtolower( $country ?? '' ) && ! in_array( strtoupper( $country ?? '' ), $this->available_countries, true ) ) { 				$country = 'all'; 			} 			if ( 'all' !== strtolower( $country ) ) {
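Review bot: the `?? ''` guard is repeated in both calls inside the condition but not applied to the `strtolower( $country )` call on the following line. Normalising once before the check, e.g. `$country = (string) ( $country ?? '' );`, removes the repetition and keeps every later use of `$country` on a string. The actual protection here remains the strict `in_array( ..., $this->available_countries, true )` whitelist with the fallback to `'all'`; the coalescing only avoids passing null to `strtolower()`/`strtoupper()`.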
AI Analysis
Vulnerability Existed: no
CWE-20: Improper Input Validation - CWE-20 - includes/features/class-analytics.php 336
Old Code:
```php
if ( 'all' !== strtolower( $country ) && ! in_array( strtoupper( $country ), $this->available_countries, true ) ) {
```
Fixed Code:
```php
if ( 'all' !== strtolower( $country ?? '' ) && ! in_array( strtoupper( $country ?? '' ), $this->available_countries, true ) ) {
```

Explanation:
The vulnerability was a potential null value dereference when $country is null. The old code called strtolower($country) and strtoupper($country) without null checking, which would cause PHP warnings. The fix adds null coalescing to provide a default empty string value when $country is null. This prevents the warnings but does not introduce or fix a security vulnerability - it's a robustness improvement. The code validates the country against a whitelist of available countries and defaults to 'all' if invalid, which is safe input validation.
CVE Analysis Results:
CVE-2025-9172: No
View CVE Description
The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9172] [Vibes: 2.2.0→2.2.1] includes/features/class-analyticsfactory.php AI: No vulnerabilities 1 true positive
--- cache/vibes_2.2.0/includes/features/class-analyticsfactory.php	2025-11-20 22:19:09.427461491 +0000+++ cache/vibes_2.2.1/includes/features/class-analyticsfactory.php	2025-11-20 22:19:26.261527521 +0000@@ -82,11 +82,11 @@ 		if ( ! ( $type = filter_input( INPUT_GET, 'type' ) ) ) { 			$type = filter_input( INPUT_POST, 'type' ); 		}-		if ( false !== strpos( $type, '.' ) ) {+		if ( false !== strpos( $type ?? '', '.' ) ) { 			$source = substr( $type, 0, strpos( $type, '.' ) ); 			$type   = str_replace( $source . '.', '', $type ); 		}-		if ( 0 < strpos( $type, '_' ) ) {+		if ( 0 < strpos( $type ?? '', '_' ) ) { 			$type = substr( $type, strpos( $type, '_' ) + 1 ); 		} 		if ( ! isset( $type ) || ! in_array( (string) $type, self::$allowed_types, true ) ) {
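Review bot: the `?? ''` is applied at each `strpos()` call rather than once where `$type` is read; a single `$type = (string) ( $type ?? '' );` after the two `filter_input()` calls would also guarantee that the later `substr()` and `str_replace()` calls receive a string. Separately, `str_replace( $source . '.', '', $type )` removes every occurrence of the prefix, not only the leading one; `substr( $type, strlen( $source ) + 1 )` strips exactly the prefix that `strpos()` found. The strict `in_array( (string) $type, self::$allowed_types, true )` at the end is what bounds the value, so these are correctness changes rather than a security fix.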
AI Analysis
Vulnerability Existed: no
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CWE-78 - includes/features/class-analyticsfactory.php [Lines 82-90]
Old Code:
```php
if ( false !== strpos( $type, '.' ) ) {
    $source = substr( $type, 0, strpos( $type, '.' ) );
    $type   = str_replace( $source . '.', '', $type );
}
if ( 0 < strpos( $type, '_' ) ) {
    $type = substr( $type, strpos( $type, '_' ) + 1 );
}
```
Fixed Code:
```php
if ( false !== strpos( $type ?? '', '.' ) ) {
    $source = substr( $type, 0, strpos( $type, '.' ) );
    $type   = str_replace( $source . '.', '', $type );
}
if ( 0 < strpos( $type ?? '', '_' ) ) {
    $type = substr( $type, strpos( $type, '_' ) + 1 );
}
```

Explanation:
The vulnerability does not exist because the code does not execute any OS commands. The user input `$type` is obtained from `INPUT_GET` or `INPUT_POST` via `filter_input`, then processed with string operations (`strpos`, `substr`, `str_replace`). The final value is validated against a whitelist `self::$allowed_types` using `in_array` with strict type checking. There is no command execution sink, so OS command injection is not possible. The changes add null coalescing to prevent `strpos` warnings if `$type` is null, but this does not relate to a security vulnerability.
CVE Analysis Results:
CVE-2025-9172: No
View CVE Description
The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9172] [Vibes: 2.2.0→2.2.1] includes/features/class-capture.php AI: 1 vulnerabilities 1 false positive
--- cache/vibes_2.2.0/includes/features/class-capture.php	2025-11-20 22:19:09.428461554 +0000+++ cache/vibes_2.2.1/includes/features/class-capture.php	2025-11-20 22:19:26.261527521 +0000@@ -229,8 +229,11 @@ 	 * @since    1.0.0 	 */ 	public static function preprocess( $content ) {-		if ( ( array_key_exists( 'type', $content ) && in_array( $content['type'], self::$types, true ) && array_key_exists( 'resource', $content ) && array_key_exists( 'authenticated', $content ) && array_key_exists( 'metrics', $content ) && is_array( $content['metrics'] ) ) ) {-			self::single_preprocess( $content );+		if ( array_key_exists( 'type', $content ) && in_array( $content['type'], self::$types, true ) && array_key_exists( 'resource', $content ) && array_key_exists( 'authenticated', $content ) && array_key_exists( 'metrics', $content ) && is_array( $content['metrics'] ) ) {+			$process = self::single_preprocess( $content );+			if ( true !== $process ) {+				return $process;+			} 			\DecaLog\Engine::eventsLogger( VIBES_SLUG )->debug( 'Signal received and correctly pre-processed.', [ 'code' => 202 ] ); 			return new \WP_REST_Response( null, 202 ); 		}@@ -256,6 +259,10 @@ 	 * @since    1.0.0 	 */ 	private static function single_preprocess( $content ) {+		if ( ! filter_var(  str_starts_with( 'http', $content['resource'] ) ? $content['resource'] : 'https://example.com' . $content['resource'], FILTER_VALIDATE_URL ) ) {+			\DecaLog\Engine::eventsLogger( VIBES_SLUG )->error( 'Unprocessable resource in POST request.', [ 'code' => 422 ] );+			return new \WP_REST_Response( null, 422 );+		} 		$record = self::init_record( $content['resource'], $content['authenticated'], $content['type'], $content['initiator'] ?? '' ); 		foreach ( $content['metrics'] as $metric ) { 			if ( ! ( is_array( $metric ) && array_key_exists( 'name', $metric ) ) ) {
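Review bot: `preprocess()` now returns whatever `single_preprocess()` returns unless it is exactly `true`, but the visible part of `single_preprocess()` only shows the new early `return new \WP_REST_Response( null, 422 )`; unless the function also ends with `return true;` (not shown in this hunk), the success path returns `null` instead of the 202 response and the debug log line is never reached. Either make the success return explicit or check `if ( $process instanceof \WP_REST_Response ) { return $process; }`.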
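Review bot: `str_starts_with( 'http', $content['resource'] )` has its arguments reversed. The signature is `str_starts_with( string $haystack, string $needle )`, so this tests whether the literal `'http'` begins with the resource, which is true only for `''`, `'h'`, `'ht'`, `'htt'` and `'http'`; every real `http://` or `https://` resource takes the else branch and gets `'https://example.com'` prepended before validation. The intended check is `str_starts_with( (string) $content['resource'], 'http' )`; the `(string)` cast also avoids a `TypeError` when the request body carries a non-string `resource`, since `array_key_exists()` checks presence but not type. Note that URL-shape validation is not SQL escaping: the CVE description for this release concerns SQL injection via `resource`, so the query that consumes the record built by `init_record()` still needs `$wpdb->prepare()`.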
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
CWE-918: Server-Side Request Forgery (SSRF) - CWE-918 - includes/features/class-capture.php [256-259]
Old Code:
```php
private static function single_preprocess( $content ) {
    $record = self::init_record( $content['resource'], $content['authenticated'], $content['type'], $content['initiator'] ?? '' );
```
Fixed Code:
```php
private static function single_preprocess( $content ) {
    if ( ! filter_var(  str_starts_with( 'http', $content['resource'] ) ? $content['resource'] : 'https://example.com' . $content['resource'], FILTER_VALIDATE_URL ) ) {
        \DecaLog\Engine::eventsLogger( VIBES_SLUG )->error( 'Unprocessable resource in POST request.', [ 'code' => 422 ] );
        return new \WP_REST_Response( null, 422 );
    }
    $record = self::init_record( $content['resource'], $content['authenticated'], $content['type'], $content['initiator'] ?? '' );
```

Explanation:
The vulnerability existed because user-controlled input `$content['resource']` was passed to `self::init_record()` without URL validation. An attacker could supply malicious URLs that make the server perform internal network requests or access local resources. The fix adds URL validation using `filter_var()` with `FILTER_VALIDATE_URL` before processing the resource, preventing SSRF by rejecting invalid URLs. The taint flow is: user input enters via `$content['resource']` → passed directly to `self::init_record()` without validation in old code → could trigger server-side requests to attacker-controlled destinations.
CVE Analysis Results:
CVE-2025-9172: No
View CVE Description
The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9172] [Vibes: 2.2.0→2.2.1] includes/plugin/class-updater.php AI: No vulnerabilities 3 true positives
--- cache/vibes_2.2.0/includes/plugin/class-updater.php	2025-11-20 22:19:09.448462820 +0000+++ cache/vibes_2.2.1/includes/plugin/class-updater.php	2025-11-20 22:19:26.306530371 +0000@@ -209,7 +209,9 @@ 			return $res; 		} 		$md                           = new Markdown();-		$res                          = new \stdClass();+		if ( ! is_object( $res ) ) {+			$res = new \stdClass();+		} 		$res->name                    = $this->name; 		$res->homepage                = 'https://perfops.one/' . $this->slug; 		$res->slug                    = $this->slug;@@ -224,13 +226,22 @@ 		$res->version                 = $infos->version; 		$res->download_link           = $infos->download_url; 		$res->trunk                   = $infos->download_url;-		$res->sections                = [-			'changelog' => $md->get_inline( $infos->changelog, [] ) . '<br/><br/><p><a target="_blank" href="' . $res->homepage . '-changelog">CHANGELOG »</a></p>',-		];-		$res->banners                 = [-			"low"  => str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-772x250.jpg',-			"high" => str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-1544x500.jpg'-		];+		if ( isset( $res->sections['changelog'] ) ) {+			$res->sections['changelog'] = $md->get_inline( $infos->changelog, [] ) . '<br/><br/><p><a target="_blank" href="' . $res->homepage . '-changelog">CHANGELOG »</a></p>';+		} else {+			$res->sections = [+				'changelog' => $md->get_inline( $infos->changelog, [] ) . '<br/><br/><p><a target="_blank" href="' . $res->homepage . '-changelog">CHANGELOG »</a></p>',+			];+		}+		if ( isset( $res->banners['low'] ) && isset( $res->banners['high'] )) {+			$res->banners['low'] = str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . 
'/refs/heads/master/.wordpress-org/banner-772x250.jpg';+			$res->banners['high'] = str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-1544x500.jpg';+		} else {+			$res->banners                 = [+				'low'  => str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-772x250.jpg',+				'high' => str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-1544x500.jpg'+			];+		} 		return $res; 	} 
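Review bot: the four banner URL expressions and the two changelog strings are verbatim copies across the `if`/`else` branches; compute them once (`$raw = str_replace( 'github.com', 'raw.githubusercontent.com', $this->product );` and a `$changelog` variable) and assign in both branches so they cannot drift. The banner condition also requires both `low` and `high` to be set; when only one is present the whole `banners` array is replaced, which may be intended but deserves a comment. The `is_object( $res )` guard preserves properties set earlier on `$res`, which is the point of the change; the values written here (`$this->product`, `$this->slug`, and the update-server changelog rendered through `Markdown`) are not request-controlled.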
AI Analysis
Vulnerability Existed: no
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - includes/plugin/class-updater.php [224-236]
Old Code:
```php
$res->sections = [
    'changelog' => $md->get_inline( $infos->changelog, [] ) . '<br/><br/><p><a target="_blank" href="' . $res->homepage . '-changelog">CHANGELOG »</a></p>',
];
```
Fixed Code:
```php
if ( isset( $res->sections['changelog'] ) ) {
    $res->sections['changelog'] = $md->get_inline( $infos->changelog, [] ) . '<br/><br/><p><a target="_blank" href="' . $res->homepage . '-changelog">CHANGELOG »</a></p>';
} else {
    $res->sections = [
        'changelog' => $md->get_inline( $infos->changelog, [] ) . '<br/><br/><p><a target="_blank" href="' . $res->homepage . '-changelog">CHANGELOG »</a></p>',
    ];
}
```

Explanation:
The code processes `$infos->changelog` through `$md->get_inline()` which uses the Parsedown markdown parser. Parsedown properly escapes HTML in markdown input by default, converting special characters to HTML entities. The `$res->homepage` is constructed from a fixed string and `$this->slug` (plugin slug), which is not user-controlled. The changelog content comes from the plugin's update server response, not directly from user input. The markdown parsing provides proper context-aware escaping, preventing XSS vulnerabilities.

Vulnerability Existed: no
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - includes/plugin/class-updater.php [229-236]
Old Code:
```php
$res->banners = [
    "low" => str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-772x250.jpg',
    "high" => str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-1544x500.jpg'
];
```
Fixed Code:
```php
if ( isset( $res->banners['low'] ) && isset( $res->banners['high'] )) {
    $res->banners['low'] = str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-772x250.jpg';
    $res->banners['high'] = str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-1544x500.jpg';
} else {
    $res->banners = [
        'low' => str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-772x250.jpg',
        'high' => str_replace( 'github.com', 'raw.githubusercontent.com', $this->product ) . '/refs/heads/master/.wordpress-org/banner-1544x500.jpg'
    ];
}
```

Explanation:
The banner URLs are constructed from `$this->product` (a fixed GitHub repository URL) with string replacements and hardcoded paths. No user input flows into these URL constructions. The URLs are used as image sources in WordPress update screens, which are safe from XSS when used in image tags. The changes are defensive programming to preserve existing banner properties if present, not security fixes.

Vulnerability Existed: no
CWE-473: PHP External Variable Modification - CWE-473 - includes/plugin/class-updater.php [209-212]
Old Code:
```php
$res = new \stdClass();
```
Fixed Code:
```php
if ( ! is_object( $res ) ) {
    $res = new \stdClass();
}
```

Explanation:
The change adds a type check to ensure `$res` is an object before proceeding. This prevents potential type errors if `$res` was previously set to a non-object value, but does not relate to security vulnerabilities. The modification is for robustness, not security.
CVE Analysis Results:
CVE-2025-9172: No
View CVE Description
The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9172] [Vibes: 2.2.0→2.2.1] init.php AI: No vulnerabilities 1 true positive
--- cache/vibes_2.2.0/init.php	2025-11-20 22:19:09.451463010 +0000+++ cache/vibes_2.2.1/init.php	2025-11-20 22:19:26.310530625 +0000@@ -12,7 +12,7 @@ define( 'VIBES_PRODUCT_SHORTNAME', 'Vibes' ); define( 'VIBES_PRODUCT_ABBREVIATION', 'vibes' ); define( 'VIBES_SLUG', 'vibes' );-define( 'VIBES_VERSION', '2.2.0' );+define( 'VIBES_VERSION', '2.2.1' ); define( 'VIBES_API_VERSION', '1' ); define( 'VIBES_CODENAME', '"-"' ); 
AI Analysis
Vulnerability Existed: no
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-200 - init.php 12
Old Code:
```php
define( 'VIBES_VERSION', '2.2.0' );
```
Fixed Code:
```php
define( 'VIBES_VERSION', '2.2.1' );
```

Explanation:
The change only updates the version number constant from 2.2.0 to 2.2.1. Version numbers are not attacker-controlled values and do not represent a security vulnerability. This is a routine version update with no security implications.
CVE Analysis Results:
CVE-2025-9172: No
View CVE Description
The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9172] [Vibes: 2.2.0→2.2.1] vibes.php AI: No vulnerabilities 1 true positive
--- cache/vibes_2.2.0/vibes.php	2025-11-20 22:19:09.456463326 +0000+++ cache/vibes_2.2.1/vibes.php	2025-11-20 22:19:26.317531068 +0000@@ -10,7 +10,7 @@  * Plugin Name:       Vibes  * Plugin URI:        https://perfops.one/vibes  * Description:       Truthful user experience and browsing performances monitoring.- * Version:           2.2.0+ * Version:           2.2.1  * Requires at least: 6.2  * Requires PHP:      8.1  * Author:            Pierre Lannoy / PerfOps One
AI Analysis
Vulnerability Existed: no
No vulnerability - N/A - vibes.php 10
Old Code:
```php
 * Version:           2.2.0
```
Fixed Code:
```php
 * Version:           2.2.1
```

Explanation:
The diff shows only a version number change from 2.2.0 to 2.2.1 in the plugin header comment. This is a routine version update with no code changes that could introduce or fix security vulnerabilities. No user input, data processing, or security-sensitive operations are present in this diff.
CVE Analysis Results:
CVE-2025-9172: No
View CVE Description
The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9451] [Smartcat Translator for WPML: 3.1.72→3.1.73] includes/Services/App/Includes/TranslationRequestFinder.php AI: 5 vulnerabilities 1 false positive, 4 true positives CVE-2025-9451
--- cache/smartcat-wpml_3.1.72/includes/Services/App/Includes/TranslationRequestFinder.php	2025-11-20 22:20:20.532967335 +0000+++ cache/smartcat-wpml_3.1.73/includes/Services/App/Includes/TranslationRequestFinder.php	2025-11-20 22:20:26.570350265 +0000@@ -9,28 +9,66 @@         $query = "SELECT distinct `translation_request_id` FROM {$this->table()} WHERE `translation_request_id` IS NOT NULL ";          if (! empty($search)) {-            $search = esc_sql($search);-            $queryForSelectPostsByTitle = "SELECT `ID` FROM {$this->wpdb->posts} WHERE `post_title` LIKE '%$search%'";+            $queryForSelectPostsByTitle = $this->wpdb->prepare(+                "SELECT `ID` FROM {$this->wpdb->posts} WHERE `post_title` LIKE %s", +                '%' . $this->wpdb->esc_like($search) . '%'+            );             $postIds = $this->db()->get_col($queryForSelectPostsByTitle);-            $query .= 'AND `post_id` IN ('.implode(', ', $postIds).') ';+            if (!empty($postIds)) {+                $placeholders = implode(',', array_fill(0, count($postIds), '%d'));+                $query .= $this->wpdb->prepare("AND `post_id` IN ($placeholders) ", ...$postIds);+            }         }          foreach ($filters as $key => $value) {             if (! 
empty($value) && $value !== 'all') {-                $v = esc_sql($value);-                if ($key === 'created_at') {-                    $query .= "AND DATE(`$key`) = '$v' ";-                } else {-                    $query .= "AND `$key` = '$v' ";+                // Whitelist allowed filter columns to prevent SQL injection+                $allowedFilterColumns = [+                    'translation_request_id',+                    'post_id',+                    'created_at',+                    'updated_at',+                    'status'+                ];+                +                // Only allow whitelisted columns for filtering+                if (in_array($key, $allowedFilterColumns)) {+                    if ($key === 'created_at') {+                        $query .= $this->wpdb->prepare("AND DATE(`$key`) = %s ", $value);+                    } else {+                        $query .= $this->wpdb->prepare("AND `$key` = %s ", $value);+                    }                 }             }         }          if (! empty($orderBy)) {-            $query .= "ORDER BY `$orderBy` $order ";+            // Whitelist approach for ORDER BY is necessary because $wpdb->prepare() +            // cannot prepare column names - only values+            $allowedOrderByColumns = [+                'translation_request_id',+                'post_id', +                'created_at',+                'updated_at',+                'status'+            ];+            +            // Sanitize order direction - only allow ASC or DESC+            $order = strtoupper($order);+            if (! in_array($order, ['ASC', 'DESC'])) {+                $order = 'DESC'; // Default fallback+            }+            +            // Only allow whitelisted columns for ordering+            if (in_array($orderBy, $allowedOrderByColumns)) {+                $query .= "ORDER BY `$orderBy` $order ";+            }         }          if (! is_null($limit) && ! 
is_null($offset)) {+            // Ensure limit and offset are integers to prevent SQL injection+            $limit = (int) $limit;+            $offset = (int) $offset;             $query .= "LIMIT $limit OFFSET $offset";         } 
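Review bot: when the title search matches no posts, `$postIds` is empty and the new `if (!empty($postIds))` guard silently drops the `AND post_id IN (...)` clause, so a search with zero hits now returns every translation request instead of none (the old code would have produced an invalid `IN ()`). Add an `else` branch that appends `'AND 1=0 '` or returns an empty result early. Minor points: pass `true` as the third argument to both `in_array()` whitelist checks so the filter key and the order column are compared strictly, and `(int) $limit` / `(int) $offset` still admit negative values, which MySQL rejects, so clamp with `max( 0, (int) $limit )`. The generated `%d` placeholder list and the `esc_like()` wrapping of the `LIKE` argument are correct.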
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - includes/Services/App/Includes/TranslationRequestFinder.php [9-28]
Old Code:
```php
$search = esc_sql($search);
$queryForSelectPostsByTitle = "SELECT `ID` FROM {$this->wpdb->posts} WHERE `post_title` LIKE '%$search%'";
```
Fixed Code:
```php
$queryForSelectPostsByTitle = $this->wpdb->prepare(
    "SELECT `ID` FROM {$this->wpdb->posts} WHERE `post_title` LIKE %s", 
    '%' . $this->wpdb->esc_like($search) . '%'
);
```

Explanation:
The old code uses `esc_sql()` which is insufficient for preventing SQL injection when user input is directly interpolated into SQL strings. The `$search` parameter is user-controlled and reaches the SQL sink unparameterized. `esc_sql()` only provides basic escaping and can be bypassed in certain contexts, making this vulnerable to SQL injection. The new code uses prepared statements with `$this->wpdb->prepare()` and proper escaping with `$this->wpdb->esc_like()`, which provides complete protection.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/Services/App/Includes/TranslationRequestFinder.php [9-28]
Old Code:
```php
$query .= 'AND `post_id` IN ('.implode(', ', $postIds).') ';
```
Fixed Code:
```php
$placeholders = implode(',', array_fill(0, count($postIds), '%d'));
$query .= $this->wpdb->prepare("AND `post_id` IN ($placeholders) ", ...$postIds);
```

Explanation:
The old code directly concatenates `$postIds` (which comes from user-controlled search) into the SQL query using `implode()`, creating an SQL injection vulnerability. Even though `$postIds` comes from a previous query, the values are not properly parameterized when used in the IN clause. The new code uses prepared statements with proper placeholder generation to safely handle the IN clause.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/Services/App/Includes/TranslationRequestFinder.php [20-26]
Old Code:
```php
$v = esc_sql($value);
if ($key === 'created_at') {
    $query .= "AND DATE(`$key`) = '$v' ";
} else {
    $query .= "AND `$key` = '$v' ";
}
```
Fixed Code:
```php
if (in_array($key, $allowedFilterColumns)) {
    if ($key === 'created_at') {
        $query .= $this->wpdb->prepare("AND DATE(`$key`) = %s ", $value);
    } else {
        $query .= $this->wpdb->prepare("AND `$key` = %s ", $value);
    }
}
```

Explanation:
The old code uses `esc_sql()` for escaping and directly interpolates both the column name (`$key`) and value (`$v`) into the SQL string. This creates SQL injection vulnerabilities in both the column name and value positions. The new code implements a whitelist for column names and uses prepared statements for values, eliminating both injection points.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/Services/App/Includes/TranslationRequestFinder.php [29-33]
Old Code:
```php
$query .= "ORDER BY `$orderBy` $order ";
```
Fixed Code:
```php
$allowedOrderByColumns = [
    'translation_request_id',
    'post_id', 
    'created_at',
    'updated_at',
    'status'
];
$order = strtoupper($order);
if (! in_array($order, ['ASC', 'DESC'])) {
    $order = 'DESC';
}
if (in_array($orderBy, $allowedOrderByColumns)) {
    $query .= "ORDER BY `$orderBy` $order ";
}
```

Explanation:
The old code directly interpolates user-controlled `$orderBy` and `$order` parameters into the ORDER BY clause without any validation or sanitization, creating SQL injection vulnerabilities. The new code implements whitelist validation for both the column name and direction, preventing injection in ORDER BY clauses where prepared statements cannot be used.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/Services/App/Includes/TranslationRequestFinder.php [35-37]
Old Code:
```php
$query .= "LIMIT $limit OFFSET $offset";
```
Fixed Code:
```php
$limit = (int) $limit;
$offset = (int) $offset;
$query .= "LIMIT $limit OFFSET $offset";
```

Explanation:
The old code directly interpolates user-controlled `$limit` and `$offset` parameters into the SQL query without validation, creating SQL injection vulnerabilities. The new code casts both values to integers, preventing injection in LIMIT/OFFSET clauses where prepared statements cannot be used in some database systems.
CVE Analysis Results:
CVE-2025-9451: Yes
View CVE Description
The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.69 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9451] [Smartcat Translator for WPML: 3.1.72→3.1.73] smartcat-wpml.php AI: No vulnerabilities 1 true positive
--- cache/smartcat-wpml_3.1.72/smartcat-wpml.php	2025-11-20 22:20:20.539967779 +0000+++ cache/smartcat-wpml_3.1.73/smartcat-wpml.php	2025-11-20 22:20:26.577350709 +0000@@ -3,7 +3,7 @@  * Plugin Name:       Smartcat Translator for WPML  * Plugin URI:        https://smartcat.com  * Description:       Smartcat Integration Add-on allows you to synchronize your site content for localization with Smartcat- * Version:           3.1.72+ * Version:           3.1.73  * Author:            Smartcat  * Author URI:        https://smartcat.com  * License:           GPL-3.0@@ -17,7 +17,7 @@  define('SMARTCAT_WPML_PLUGIN_PATH', __FILE__); -const SMARTCAT_WPML_VERSION = '3.1.72';+const SMARTCAT_WPML_VERSION = '3.1.73';  require_once __DIR__.'/config.php'; require_once __DIR__.'/helpers.php';
AI Analysis
Vulnerability Existed: no
No vulnerability - No CWE - smartcat-wpml.php [3,17]
Old Code:
```php
 * Version:           3.1.72
```
```php
const SMARTCAT_WPML_VERSION = '3.1.72';
```
Fixed Code:
```php
 * Version:           3.1.73
```
```php
const SMARTCAT_WPML_VERSION = '3.1.73';
```

Explanation:
The changes only update the plugin version number from 3.1.72 to 3.1.73 in both the plugin header comment and the constant definition. These are version metadata updates with no security implications. No user input flows, no sinks, and no security-related code modifications are present in this diff.
CVE Analysis Results:
CVE-2025-9451: No
View CVE Description
The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.69 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9776] [CatFolders – Tame Your WordPress Media Library by Category: 2.5.2→2.5.3] catfolders.php AI: No vulnerabilities 1 true positive
--- cache/catfolders_2.5.2/catfolders.php	2025-11-20 22:20:22.810111759 +0000+++ cache/catfolders_2.5.3/catfolders.php	2025-11-20 22:20:28.962502005 +0000@@ -3,7 +3,7 @@  * Plugin Name: CatFolders Lite - WP Media Folders  * Plugin URI: https://wpmediafolders.com/  * Description: Organize and manage your files with WordPress media library folders. Unlimitedly fast, flexible, and professional.- * Version: 2.5.2+ * Version: 2.5.3  * Author: CatFolders  * Author URI: https://wpmediafolders.com/  * Text Domain: catfolders@@ -55,7 +55,7 @@ }  if ( ! defined( 'CATF_VERSION' ) ) {-	define( 'CATF_VERSION', '2.5.2' );+	define( 'CATF_VERSION', '2.5.3' ); }  if ( ! defined( 'CATF_PLUGIN_FILE' ) ) {
AI Analysis
Vulnerability Existed: no
No vulnerability identified - N/A - catfolders.php [3,55]
Old Code:
```php
 * Version: 2.5.2
```
```php
define( 'CATF_VERSION', '2.5.2' );
```
Fixed Code:
```php
 * Version: 2.5.3
```
```php
define( 'CATF_VERSION', '2.5.3' );
```

Explanation:
The changes shown in the diff are version number updates only (from 2.5.2 to 2.5.3). These are metadata changes that do not involve any user input handling, data processing, or security-sensitive operations. No user-controlled data flows through these lines, and no security vulnerabilities are introduced or fixed by these particular changes.
CVE Analysis Results:
CVE-2025-9776: No
View CVE Description
The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9776] [CatFolders – Tame Your WordPress Media Library by Category: 2.5.2→2.5.3] includes/Models/FolderModel.php AI: 2 vulnerabilities 2 true positives
--- cache/catfolders_2.5.2/includes/Models/FolderModel.php	2025-11-20 22:20:22.813111949 +0000+++ cache/catfolders_2.5.3/includes/Models/FolderModel.php	2025-11-20 22:20:28.966502259 +0000@@ -223,6 +223,21 @@  	public static function get_children_ids( $folder_ids ) { 		if ( is_array( $folder_ids ) ) {+			$folder_ids = array_map( 'intval', $folder_ids );+			//remove duplicates+			$folder_ids = array_unique( $folder_ids );+			//remove 0+			$folder_ids = array_filter( $folder_ids, function( $value ) {+				return $value !== 0;+			} );+			$folder_ids = implode( ',', $folder_ids );+		} else {+			$folder_ids = explode( ',', $folder_ids );+			$folder_ids = array_map( 'intval', $folder_ids );+			$folder_ids = array_unique( $folder_ids );+			$folder_ids = array_filter( $folder_ids, function( $value ) {+				return $value !== 0;+			} ); 			$folder_ids = implode( ',', $folder_ids ); 		} 		$res = array();@@ -379,6 +394,14 @@ 		$imgIds = apply_filters( 'catf_attachment_ids_to_folder', $imgIds );  		if ( is_array( $imgIds ) && is_numeric( $folderId ) ) {+			$imgIds = array_map( 'intval', $imgIds );+			//remove duplicates+			$imgIds = array_unique( $imgIds );+			//remove 0+			$imgIds = array_filter( $imgIds, function( $value ) {+				return $value !== 0;+			} );+ 			$attachmentIds = implode( ',', $imgIds ); 			//get folders of these attachment ids 			$old_folder_ids = self::builder()
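Review bot: in the `get_children_ids` hunk the normalisation can leave the list empty (an empty array, or ids that all cast to 0), and `implode( ',', ... )` then produces an empty string, so the `WHERE parent IN ($folder_ids)` query that follows becomes `IN ()`, which MySQL rejects as a syntax error; add `if ( empty( $folder_ids ) ) { return array(); }` before the implode. The two branches also repeat the same intval/unique/filter/implode chain; converting the string case first with `if ( ! is_array( $folder_ids ) ) { $folder_ids = explode( ',', $folder_ids ); }` and keeping a single copy of the chain removes the duplication. Finally, the ids are still interpolated into the SQL string rather than passed through `$wpdb->prepare()`; `intval` does make the values safe, but building a placeholder list with `implode( ',', array_fill( 0, count( $folder_ids ), '%d' ) )` and handing the ids to `prepare()` makes that safety hold by construction instead of by convention.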
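Review bot: the attachment hunk has the same empty-list gap: if every element of `$imgIds` casts to 0, `array_filter` leaves an empty array and `$attachmentIds` becomes an empty string, which the query built from it has to cope with; guard with an `empty( $imgIds )` check (return early or skip the move) before the implode. The surrounding condition `is_numeric( $folderId )` also accepts strings such as `'1.5'` and `'1e3'`; since this hunk normalises the attachment ids to integers, casting `$folderId` with `intval` at the same point gives the folder id the same treatment.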
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/Models/FolderModel.php [223-240]
Old Code:
```php
	public static function get_children_ids( $folder_ids ) {
		if ( is_array( $folder_ids ) ) {
			$folder_ids = implode( ',', $folder_ids );
		}
		$res = array();
		global $wpdb;
		$query = "SELECT id FROM {$wpdb->prefix}catfolders WHERE parent IN ($folder_ids)";
		$res   = $wpdb->get_col( $query );
		return $res;
	}
```

Fixed Code:
```php
	public static function get_children_ids( $folder_ids ) {
		if ( is_array( $folder_ids ) ) {
			$folder_ids = array_map( 'intval', $folder_ids );
			//remove duplicates
			$folder_ids = array_unique( $folder_ids );
			//remove 0
			$folder_ids = array_filter( $folder_ids, function( $value ) {
				return $value !== 0;
			} );
			$folder_ids = implode( ',', $folder_ids );
		} else {
			$folder_ids = explode( ',', $folder_ids );
			$folder_ids = array_map( 'intval', $folder_ids );
			$folder_ids = array_unique( $folder_ids );
			$folder_ids = array_filter( $folder_ids, function( $value ) {
				return $value !== 0;
			} );
			$folder_ids = implode( ',', $folder_ids );
		}
		$res = array();
		global $wpdb;
		$query = "SELECT id FROM {$wpdb->prefix}catfolders WHERE parent IN ($folder_ids)";
		$res   = $wpdb->get_col( $query );
		return $res;
	}
```

Explanation:
In the old code, the $folder_ids parameter was interpolated directly into the SQL query without sanitization, so any caller passing user-controlled values could alter the IN clause. The new code casts every element to an integer via array_map('intval'), removes duplicates and zeros, and only then implodes the list, ensuring that only integer values reach the SQL IN clause.

Vulnerability Existed: yes
TRUE POSITIVE
SQL Injection - CWE-89 - includes/Models/FolderModel.php [379-396]
Old Code:
```php
		$imgIds = apply_filters( 'catf_attachment_ids_to_folder', $imgIds );

		if ( is_array( $imgIds ) && is_numeric( $folderId ) ) {
			$attachmentIds = implode( ',', $imgIds );
			//get folders of these attachment ids
			$old_folder_ids = self::builder()
```

Fixed Code:
```php
		$imgIds = apply_filters( 'catf_attachment_ids_to_folder', $imgIds );

		if ( is_array( $imgIds ) && is_numeric( $folderId ) ) {
			$imgIds = array_map( 'intval', $imgIds );
			//remove duplicates
			$imgIds = array_unique( $imgIds );
			//remove 0
			$imgIds = array_filter( $imgIds, function( $value ) {
				return $value !== 0;
			} );

			$attachmentIds = implode( ',', $imgIds );
			//get folders of these attachment ids
			$old_folder_ids = self::builder()
```

Explanation:
In the old code, the $imgIds array values were interpolated directly into SQL queries without sanitization, and user input could reach this function through the catf_attachment_ids_to_folder filter or through other callers. The new code casts every element to an integer via array_map('intval'), removes duplicates and zeros, and only then implodes the list, ensuring that only integer values are used in the subsequent SQL queries.
CVE Analysis Results:
CVE-2025-9776: No
View CVE Description
The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
[CVE-2025-9776] [CatFolders – Tame Your WordPress Media Library by Category: 2.5.2→2.5.3] vendor/composer/installed.php AI: No vulnerabilities 1 true positive
--- cache/catfolders_2.5.2/vendor/composer/installed.php	2025-11-20 22:20:22.818112266 +0000+++ cache/catfolders_2.5.3/vendor/composer/installed.php	2025-11-20 22:20:28.978503020 +0000@@ -3,7 +3,7 @@         'name' => 'catfolders/dennis',         'pretty_version' => 'dev-main',         'version' => 'dev-main',-        'reference' => '0c65a9d9e05d7946eeb0abf753468825320d7dc0',+        'reference' => '88753483aa23022179d925aa1c5ea7cb6d33b7b0',         'type' => 'library',         'install_path' => __DIR__ . '/../../',         'aliases' => array(),@@ -31,7 +31,7 @@         'catfolders/dennis' => array(             'pretty_version' => 'dev-main',             'version' => 'dev-main',-            'reference' => '0c65a9d9e05d7946eeb0abf753468825320d7dc0',+            'reference' => '88753483aa23022179d925aa1c5ea7cb6d33b7b0',             'type' => 'library',             'install_path' => __DIR__ . '/../../',             'aliases' => array(),
AI Analysis
Vulnerability Existed: no
Use of Unmaintained Third Party Components - CWE-1104 - vendor/composer/installed.php [3,31]
Old Code:
```php
'reference' => '0c65a9d9e05d7946eeb0abf753468825320d7dc0',
```

Fixed Code:
```php
'reference' => '88753483aa23022179d925aa1c5ea7cb6d33b7b0',
```

Explanation:
The diff changes only the git commit reference hash, from '0c65a9d9e05d7946eeb0abf753468825320d7dc0' to '88753483aa23022179d925aa1c5ea7cb6d33b7b0'. This is a Composer metadata file that records installed package versions and references; it contains no user inputs, sinks, or security-sensitive operations. The change is a normal version update that neither introduces nor fixes a security vulnerability.
CVE Analysis Results:
CVE-2025-9776: No
View CVE Description
The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.