Analysis Report Folder Analysis cache/cubewp-framework_1.1.26 → cache/cubewp-framework_1.1.27 - CVE-2025-8615

Shared security patch analysis results

AI Used: claude_cli haiku
CVE Security Analysis & Writeups

Comprehensive security analysis generated by AI for each confirmed CVE match. Each CVE writeup covers vulnerability background, technical details, patch analysis, and a PoC guide.

CVE-2025-8615
AI-Generated Analysis
cube.php AI: No vulnerabilities
--- cache/cubewp-framework_1.1.26/cube.php	2026-01-18 00:19:20.643839818 +0000+++ cache/cubewp-framework_1.1.27/cube.php	2026-01-18 00:21:29.843868110 +0000@@ -3,7 +3,7 @@ * Plugin Name: CubeWP Framework * Plugin URI: https://cubewp.com/ * Description: CubeWP is an end-to-end dynamic content framework for WordPress to help you save up to 90% of your coding time.-* Version: 1.1.26+* Version: 1.1.27 * Author: CubeWP * Author URI: https://cubewp.com * Text Domain: cubewp-framework
AI Analysis
I'll analyze the provided code diff for security vulnerabilities.

Vulnerability Existed: no

Explanation:
The diff shows only a version number change from 1.1.26 to 1.1.27 in the plugin header comment. This is a benign metadata update with no security implications. There are no code changes, no new functions, no modifications to existing logic, and no alterations to input handling, output encoding, authentication, authorization, or any other security-sensitive areas.

This is purely a version bump in the plugin documentation header, which does not introduce or fix any security vulnerabilities.
CVE Analysis Results:
CVE-2025-8615: No
CVE Description:
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
cube/classes/class-cubewp-add-ons.php AI: 1 vulnerabilities 1 true positive
--- cache/cubewp-framework_1.1.26/cube/classes/class-cubewp-add-ons.php	2026-01-18 00:19:20.619838326 +0000+++ cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-add-ons.php	2026-01-18 00:21:29.791864880 +0000@@ -174,6 +174,11 @@ 			$Lkey = CWP()->cubewp_options($slug . '_key'); 			$Lstatus = CWP()->cubewp_options($slug . '-status'); +			if ($slug == 'cubewp-addon-woocommerce') {+				$Lkey = '96baf6be5cb40a29137cb7fd90441f64';+				$Lstatus = 'valid';+			}+ 			// Check if the transient exists 			if (get_transient($slug . '_update_check')) { 				continue; // Skip if transient exists
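Review bot: the block added inside the add-on loop overrides both `$Lkey` and `$Lstatus` with literals whenever `$slug == 'cubewp-addon-woocommerce'`, so for that one add-on the values just read from `CWP()->cubewp_options()` are discarded, the status is forced to `'valid'` regardless of what is stored, and the key itself now ships in every copy of the plugin source. If the WooCommerce add-on is meant to be exempt from licensing, say so explicitly (a dedicated option or an early `continue`-style skip for that slug) instead of embedding a key in code; otherwise keep loading `$Lkey`/`$Lstatus` from options exactly as the other slugs do. Minor: the comparison uses `==`; `===` is the idiomatic choice for a string slug and avoids PHP loose-comparison surprises.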
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: yes
TRUE POSITIVE

Hardcoded Credentials / Sensitive Data Exposure - CWE-798 - cube/classes/class-cubewp-add-ons.php - Lines 177-180

Old Code:
```php
$Lkey = CWP()->cubewp_options($slug . '_key');
$Lstatus = CWP()->cubewp_options($slug . '-status');

// Check if the transient exists
```

Fixed Code:
```php
$Lkey = CWP()->cubewp_options($slug . '_key');
$Lstatus = CWP()->cubewp_options($slug . '-status');

if ($slug == 'cubewp-addon-woocommerce') {
    $Lkey = '96baf6be5cb40a29137cb7fd90441f64';
    $Lstatus = 'valid';
}

// Check if the transient exists
```

Explanation:
This diff introduces a hardcoded credential/license key for the WooCommerce add-on. The hash `96baf6be5cb40a29137cb7fd90441f64` appears to be a license key or authentication token that is now embedded directly in the source code. This is a critical security vulnerability because:

1. **Credential Exposure**: The key is visible in the source code repository, making it accessible to anyone with code access
2. **Unauthorized Access**: If this is an actual license key, it could be used to impersonate the legitimate addon or bypass authentication
3. **Supply Chain Risk**: If this code is in a public repository, the credential is exposed to attackers
4. **Maintenance Issue**: The hardcoded logic creates a special case that bypasses normal credential validation for one specific addon

This should be removed and the credential should be retrieved through the normal configuration mechanism (`CWP()->cubewp_options()`) or stored securely in environment variables/configuration files outside the codebase.
CVE Analysis Results:
CVE-2025-8615: No
cube/classes/class-cubewp-builder-ui.php AI: No vulnerabilities
--- cache/cubewp-framework_1.1.26/cube/classes/class-cubewp-builder-ui.php	2026-01-18 00:19:20.623838575 +0000+++ cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-builder-ui.php	2026-01-18 00:21:29.791864880 +0000@@ -1,4 +1,5 @@ <?php+ /**  * Builder UI trait is contains all markup for cubeWP builder.  *@@ -8,14 +9,15 @@  *   */ -if ( ! defined( 'ABSPATH' ) ) {+if (! defined('ABSPATH')) { 	exit; } -trait CubeWp_Builder_Ui {+trait CubeWp_Builder_Ui+{  	public static $tab_options = array();-	+ 	/** 	 * Method CubeWp_Form_Builder 	 *@@ -24,22 +26,23 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function CubeWp_Form_Builder(array $data) {+	protected static function CubeWp_Form_Builder(array $data)+	{ 		if (empty($data['form_type'])) { 			return ''; 		} 		$form_type  = $data['form_type']; 		$data      = self::builder_fields_parameters($data);-		+ 		self::CubeWp_build_tab_options($data);-        $builder_ui = '<div class="cubewp-content">';+		$builder_ui = '<div class="cubewp-content">'; 		$builder_ui .= self::builder_header($data['page_title']); 		$builder_ui .= '<section id="cwpform-builder" class="cwpform-builder cubewp-builder-' . $form_type . 
'">'; 		$builder_ui .= '<div class="cubewp-builder-sidebar">'; 		$builder_ui .= self::CubeWp_build_post_type_switcher($data); 		$builder_ui .= self::CubeWp_build_content_switcher($data); 		$builder_ui .= '<div class="cubewp-builder-sidebar-groups-widgets">';-        $builder_ui .= self::cubewp_builder_widgets_ui($form_type);+		$builder_ui .= self::cubewp_builder_widgets_ui($form_type); 		$builder_ui .= '</div>'; 		$builder_ui .= '</div>'; 		$builder_ui .= '<div class="cubewp-builder-container">';@@ -56,7 +59,7 @@  		return $builder_ui; 	}-	+ 	/** 	 * Method cubewp_builder_widgets_ui 	 *@@ -65,7 +68,8 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	public static function cubewp_builder_widgets_ui(string $form_type) {+	public static function cubewp_builder_widgets_ui(string $form_type)+	{ 		$output = ''; 		$options    = self::$tab_options; 		if (isset($options) && count($options) != 0) {@@ -77,13 +81,13 @@ 						$nested_Switcher[] = $id; 					} 				}-				$output .= '<div class="cubewp-builder-widgets sidebar-type-'.$slug.' cubewp-tab-switcher-target cubewp-switcher-tab-' . $slug . '" data-form-type="' . $form_type . '" data-slug="' . $slug . '" data-child-switcher="' . implode(',',$nested_Switcher) . '">';-					//$output .= self::cubewp_builder_widgets_display('',$form_type,$slug);+				$output .= '<div class="cubewp-builder-widgets sidebar-type-' . $slug . ' cubewp-tab-switcher-target cubewp-switcher-tab-' . $slug . '" data-form-type="' . $form_type . '" data-slug="' . $slug . '" data-child-switcher="' . implode(',', $nested_Switcher) . 
'">';+				//$output .= self::cubewp_builder_widgets_display('',$form_type,$slug); 				$output .= '</div>'; 			} 		}-        return $output;-    }+		return $output;+	}  	/** 	 * Method cubewp_builder_widgets_display@@ -94,22 +98,22 @@ 	 * @return string 	 * @since  1.1.10 	 */-	public static function cubewp_builder_widgets_display(string $switcher, string $form_type, string $slug) {+	public static function cubewp_builder_widgets_display(string $switcher, string $form_type, string $slug)+	{ 		$output = ''; 		if (!empty($switcher)) {-			$switcher = explode(',',$switcher);+			$switcher = explode(',', $switcher); 			foreach ($switcher as $id) {-				$output .= '<div id="plan-' . $id . '" class="sidebar-plan-tab cubewp-tab-switcher-target cubewp-switcher-tab-' . $id . '" data-id="'.$id.'">';-					$output .= self::cubewp_builder_widgets($form_type, $slug);+				$output .= '<div id="plan-' . $id . '" class="sidebar-plan-tab cubewp-tab-switcher-target cubewp-switcher-tab-' . $id . '" data-id="' . $id . 
'">';+				$output .= self::cubewp_builder_widgets($form_type, $slug); 				$output .= '</div>'; 			}-		}-		else {+		} else { 			$output .= self::cubewp_builder_widgets($form_type, $slug); 		} 		return $output;-    }-	+	}+ 	/** 	 * Method cubewp_builder_widgets 	 *@@ -119,18 +123,20 @@ 	 * @return html 	 * @since  1.0.0 	 */-	public static function cubewp_builder_widgets(string $form_type, string $slug) {+	public static function cubewp_builder_widgets(string $form_type, string $slug)+	{ 		$widgets_ui = ''; 		$widgets_ui .= apply_filters("cubewp/builder/{$form_type}/default/fields", '', $slug); 		$widgets_ui .= apply_filters("cubewp/builder/{$form_type}/taxonomies/fields", '', $slug); 		if (class_exists("CubeWp_Frontend_Load")) { 			$widgets_ui .= apply_filters("cubewp/builder/{$form_type}/group/fields", '', $slug);-		}else {+		} else { 			$widgets_ui .= self::cubewp_builder_pro_widgets_ui($slug); 		}+		$widgets_ui .= self::cubewp_builder_custom_cubes($form_type, $slug);  		return $widgets_ui;-    }+	}  	/** 	 * Method cubewp_builder_pro_widgets_ui@@ -140,23 +146,52 @@ 	 * @return string 	 * @since  1.0.0 	 */-	public static function cubewp_builder_pro_widgets_ui($post_type) {-	$widgets_ui = '';-	$groups = cwp_get_groups_by_post_type($post_type);-	if (isset($groups) && !empty($groups) && count($groups) > 0) {-		foreach ($groups as $group) {-			$widgets_ui .= '<div id="group-' . rand(000000, 999999) . '" class="cubewp-builder-section cubewp-expand-container">';-			$widgets_ui .= '<div class="cubewp-builder-section-header">';-			$widgets_ui .= '<h3>' . esc_html(get_the_title($group)) . '</h3>';-			$widgets_ui .= '<a href="https://cubewp.com/cubewp-frontend-pro/" target="_blank"><span class="cubewp-pro-tag">' . esc_html__("PRO", "cubewp-framework") . 
'</span></a>';-			$widgets_ui .= '</div>';-			$widgets_ui .= '</div>';+	public static function cubewp_builder_pro_widgets_ui($post_type)+	{+		$widgets_ui = '';+		$groups = cwp_get_groups_by_post_type($post_type);+		if (isset($groups) && !empty($groups) && count($groups) > 0) {+			foreach ($groups as $group) {+				$widgets_ui .= '<div id="group-' . rand(000000, 999999) . '" class="cubewp-builder-section cubewp-expand-container">';+				$widgets_ui .= '<div class="cubewp-builder-section-header">';+				$widgets_ui .= '<h3>' . esc_html(get_the_title($group)) . '</h3>';+				$widgets_ui .= '<a href="https://cubewp.com/cubewp-frontend-pro/" target="_blank"><span class="cubewp-pro-tag">' . esc_html__("PRO", "cubewp-framework") . '</span></a>';+				$widgets_ui .= '</div>';+				$widgets_ui .= '</div>';+			} 		}++		return $widgets_ui; 	} -	return $widgets_ui;+	/**+	 * Method cubewp_builder_custom_cubes+	 *+	 * @param string $form_type+	 * @param string $post_type+	 *+	 * @return string+	 * @since  1.1.27+	 */+	public static function cubewp_builder_custom_cubes($form_type, $post_type)+	{+		$default_custom_cubes = apply_filters("cubewp/builder/{$form_type}/custom/cubes", [], $post_type);+		if (!empty($default_custom_cubes) && is_array($default_custom_cubes)) {+			$args = [+				'section_title'        => esc_html__("CubeWP Custom Cubes", "cubewp-framework"),+				'section_description'  => '',+				'section_class'        => '',+				'open_close_class'     => 'close',+				'form_relation'        => $post_type,+				'form_type'            => $form_type,+				'fields'               => $default_custom_cubes,+			];+			$builder = new CubeWp_Form_Builder();+			return $builder->cwpform_form_section($args);+		}+		return ''; 	}-	+ 	/** 	 * Method builder_fields_parameters 	 *@@ -165,7 +200,8 @@ 	 * @return array 	 * @since  1.0.0 	 */-	public static function builder_fields_parameters($args = array()) {+	public static function builder_fields_parameters($args = array())+	{ 		$default = array( 			
'form_type'      => '', 			'wrapper_class'  => '',@@ -177,7 +213,7 @@  		return wp_parse_args($args, $default); 	}-	+ 	/** 	 * Method CubeWp_build_tab_options 	 *@@ -186,25 +222,26 @@ 	 * @return set array 	 * @since  1.0.0 	 */-	protected static function CubeWp_build_tab_options(array $data) {+	protected static function CubeWp_build_tab_options(array $data)+	{ 		$return = array(); 		if (isset($data['switcher_types']) && is_array($data['switcher_types']) && count($data['switcher_types']) > 0) { 			$options = $data['switcher_types']; 			foreach ($options as $slug => $title) {-				$switcher = apply_filters("cubewp/builder/{$data['form_type']}/switcher",array(),$slug);+				$switcher = apply_filters("cubewp/builder/{$data['form_type']}/switcher", array(), $slug); 				$return[$slug]["title"] = $title;-                if ( ! empty($switcher) && is_array($switcher)) {-                    $return[$slug]["switcher"] = $switcher;-                } else {-                    $return[$slug]["switcher"] = false;-                }+				if (! empty($switcher) && is_array($switcher)) {+					$return[$slug]["switcher"] = $switcher;+				} else {+					$return[$slug]["switcher"] = false;+				} 			} 		} 		$taboptions = $return; 		global $taboptions; 		self::$tab_options = $return; 	}-	+ 	/** 	 * Method builder_header 	 *@@ -213,7 +250,8 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function builder_header($title = '') {+	protected static function builder_header($title = '')+	{ 		return ' 		<ul id="size-list" class="hidden">             <li data-class="size-1-4" data-text="1 / 4" class="min"></li>@@ -228,7 +266,7 @@ 			' . self::builder_get_shortcode() . 
' 		</section>'; 	}-	+ 	/** 	 * Method cubewp_builder_title 	 *@@ -237,7 +275,8 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function cubewp_builder_title($title = '') {+	protected static function cubewp_builder_title($title = '')+	{ 		// $navi = array( 		// 		'cubewp_post_types_form' => array( 		// 			'title' => esc_html__( 'Post Type Forms', 'cubewp-framework' ),@@ -253,14 +292,14 @@ 		// 		) 		// 	); 		// $nav = '<nav class="nav-tab-wrapper wp-clearfix">-        //             <a class="nav-tab nav-tab-active" href="?page=cubewp-post-types-form">Post Type Forms</a>-        //             <a class="nav-tab" href="?page=cubewp-user-registration-form">User Signup Forms</a>-        //             <a class="nav-tab" href="?page=cubewp-user-profile-form">User Profile Forms</a>-        //         </nav>';+		//             <a class="nav-tab nav-tab-active" href="?page=cubewp-post-types-form">Post Type Forms</a>+		//             <a class="nav-tab" href="?page=cubewp-user-registration-form">User Signup Forms</a>+		//             <a class="nav-tab" href="?page=cubewp-user-profile-form">User Profile Forms</a>+		//         </nav>'; 		//return "<div class='builder-title-nav'><h1>CubeWP Form Builders</h1>{$nav}</div>"; 		return "<div class='builder-title-nav'><h1>CubeWP Form Builders</h1></div>"; 	}-	+ 	/** 	 * Method CubeWp_build_post_type_switcher 	 *@@ -269,12 +308,13 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function CubeWp_build_post_type_switcher(array $data) {+	protected static function CubeWp_build_post_type_switcher(array $data)+	{ 		$title   = $data['switcher_title']; 		$options = self::$tab_options; 		if (empty($options)) { 			return '<h3 style="text-align: center;">' . esc_html__("No Custom Post Type Found.", "cubewp-framework") . 
'</h3>';-		 }+		} 		$name    = "cubewp-builder-cpt"; 		$class   = "cubewp-tab-switcher cubewp-tab-switcher-trigger-on-load cubewp-tab-switcher-have-child"; 		$output  = '<div class="cubewp-builder-sidebar-option">';@@ -297,13 +337,14 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function CubeWp_build_content_switcher(array $data) {+	protected static function CubeWp_build_content_switcher(array $data)+	{ 		$output = null; 		if (isset($data['form_type']) && $data['form_type'] == 'post_type') { 			$options = self::$tab_options; 			if (isset($options) && count($options) != 0) { 				foreach ($options as $slug => $option) {-					if ( ! $option['switcher']) {+					if (! $option['switcher']) { 						continue; 					} 					$name        = "cubewp-builder-" . $slug . "-plan";@@ -319,7 +360,7 @@ 							$output .= '<option data-switcher-target="cubewp-switcher-tab-' . $id . '" value="' . $id . '">' . $value . '</option>'; 						} 						$output .= '</select>';-                        $output .= '</div>';+						$output .= '</div>'; 						$output .= '</div>'; 					} 				}@@ -328,7 +369,7 @@  		return $output; 	}-	+ 	/** 	 * Method cubewp_builder_area_topbar 	 *@@ -338,15 +379,16 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function cubewp_builder_area_topbar(string $slug = "", array $data = array()) {-		$setting_btn = !empty(apply_filters("cubewp/builder/right/settings", '', $slug,$data)) ? self::builder_form_settings_btn($data['form_type']) : '';-        return '<div class="cubewp-builder-container-topbar">+	protected static function cubewp_builder_area_topbar(string $slug = "", array $data = array())+	{+		$setting_btn = !empty(apply_filters("cubewp/builder/right/settings", '', $slug, $data)) ? self::builder_form_settings_btn($data['form_type']) : '';+		return '<div class="cubewp-builder-container-topbar">             ' . $setting_btn . '             ' . self::builder_add_Section() . 
'-            '.self::builder_hidden_fields($slug, $data['form_type']).'+            ' . self::builder_hidden_fields($slug, $data['form_type']) . '         </div>';-    }-	+	}+ 	/** 	 * Method cubewp_builder_area 	 *@@ -355,31 +397,32 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function cubewp_builder_area(array $data) {-        $output = '';+	protected static function cubewp_builder_area(array $data)+	{+		$output = ''; 		$options = self::$tab_options; 		if (isset($options) && count($options) > 0) { 			foreach ($options as $slug => $option) { 				$output .= '<div id="type-' . esc_attr__($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr__($slug) . ' cubewp-tab-switcher-target">';-                    if ( ! $option["switcher"]) {-	                    $output .= self::cubewp_builder_area_content($slug, $data);-                    }else {-						$switcher = $option["switcher"];-						if (!empty($switcher) && isset($switcher['options'])) {-							foreach ($switcher["options"] as $id => $val) {-								$data['content_switcher'] = $id;-								$data_type = self::cubewp_check_switcher_type($id);-								$output .= '<div id="plan-' . esc_attr__($id) . '" class="cubewp-plan-tab cubewp-switcher-tab-' . esc_attr__($id) . ' cubewp-tab-switcher-target" data-id="' . esc_attr__($id) . '" '.$data_type.'>';-								$output .= self::cubewp_builder_area_content($slug, $data);-								$output .= '</div>';-							}+				if (! $option["switcher"]) {+					$output .= self::cubewp_builder_area_content($slug, $data);+				} else {+					$switcher = $option["switcher"];+					if (!empty($switcher) && isset($switcher['options'])) {+						foreach ($switcher["options"] as $id => $val) {+							$data['content_switcher'] = $id;+							$data_type = self::cubewp_check_switcher_type($id);+							$output .= '<div id="plan-' . esc_attr__($id) . '" class="cubewp-plan-tab cubewp-switcher-tab-' . esc_attr__($id) . ' cubewp-tab-switcher-target" data-id="' . 
esc_attr__($id) . '" ' . $data_type . '>';+							$output .= self::cubewp_builder_area_content($slug, $data);+							$output .= '</div>'; 						}-                    }+					}+				} 				$output .= '</div>'; 			} 		} -        return $output;+		return $output; 	}  	/**@@ -390,13 +433,14 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function cubewp_check_switcher_type($id = '') {-		if( is_numeric($id) && !is_null(get_post($id)) && get_post_type( $id ) == 'price_plan'){+	protected static function cubewp_check_switcher_type($id = '')+	{+		if (is_numeric($id) && !is_null(get_post($id)) && get_post_type($id) == 'price_plan') { 			return 'data-type="price_plan"'; 		}-		return 'data-type="'. $id .'"';+		return 'data-type="' . $id . '"'; 	}-	+ 	/** 	 * Method cubewp_builder_area_content 	 *@@ -406,12 +450,13 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function cubewp_builder_area_content(string $slug, array $data) {+	protected static function cubewp_builder_area_content(string $slug, array $data)+	{ 		$output = ''; 		if ($data['form_type'] == 'single_layout') { 			$output .= self::cubewp_builder_area_topbar($slug, $data) . '             <div class="cubewp-builder-area">-			' . self::builder_settings($slug,$data) . '+			' . self::builder_settings($slug, $data) . '                 <div class="cubewp-single-layout-builder-container single-layout-builder">                     <div class="cubewp-single-layout-builder-content">                         <div class="cubewp-builder-sections">@@ -426,22 +471,22 @@                         </div>                     </div>                 </div>-				' . self::cubewp_builder_no_section( false, $slug, $data ) . '+				' . self::cubewp_builder_no_section(false, $slug, $data) . '             </div>';-        }else {+		} else { 			$output .= self::cubewp_builder_area_topbar($slug, $data) . '             <div class="cubewp-builder-area">-                ' . self::builder_settings($slug,$data) . 
'+                ' . self::builder_settings($slug, $data) . '                 <div class="cubewp-builder-sections">                     ' . apply_filters("cubewp/builder/default/right/section", '', $slug, $data) . '                 </div>-				' . self::cubewp_builder_no_section( false, $slug, $data ) . '+				' . self::cubewp_builder_no_section(false, $slug, $data) . '             </div>'; 		} -        return $output;-    }-	+		return $output;+	}+ 	/** 	 * Method builder_hidden_fields 	 *@@ -451,7 +496,8 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function builder_hidden_fields($key, $FormType) {+	protected static function builder_hidden_fields($key, $FormType)+	{ 		$output        = ''; 		$hidden_fields = array( 			array(@@ -471,7 +517,7 @@  		return $output; 	}-	+ 	/** 	 * Method builder_single_layout 	 *@@ -480,43 +526,45 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function builder_single_layout(array $data) {+	protected static function builder_single_layout(array $data)+	{ 		$output = '';-        $options = self::$tab_options;+		$options = self::$tab_options; 		if (isset($options) && count($options) > 0) { 			foreach ($options as $slug => $option) { 				$output .= '<div id="type-' . esc_attr__($slug) . '" class="cubewp-type-container cubewp-switcher-tab-' . esc_attr__($slug) . 
' cubewp-tab-switcher-target">'; 				$output .= self::cubewp_builder_area_content($slug, $data); 				$output .= '</div>';-            }-        }else {+			}+		} else { 			$output .= '<div id="type-temp" class="cubewp-type-container cubewp-switcher-tab-temp cubewp-tab-switcher-target active-tab">'; 			$output .= '<div class="cubewp-builder-area">'; 			$output .= self::cubewp_builder_no_section(true); 			$output .= '</div>'; 			$output .= '</div>';-		 }+		} -        return $output;+		return $output; 	}-	+ 	/** 	 * Method builder_add_Section 	 * 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function builder_add_Section() {-		if ( self::$FORM_TYPE != 'search_filters' && self::$FORM_TYPE != 'search_fields' ) {-		return '<button class="button cwpform-add-section">+	protected static function builder_add_Section()+	{+		if (self::$FORM_TYPE != 'search_filters' && self::$FORM_TYPE != 'search_fields') {+			return '<button class="button cwpform-add-section"> 			<span class="dashicons dashicons-plus"></span>-			' . esc_html__( "Create Section", "cubewp-framework" ) . '+			' . esc_html__("Create Section", "cubewp-framework") . ' 		</button>'; 		}  		return ''; 	}-	+ 	/** 	 * Method builder_settings 	 *@@ -526,19 +574,21 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function builder_settings(string $slug, array $data) {+	protected static function builder_settings(string $slug, array $data)+	{ 		return '<div class="form-settings" style="display:none;">-            ' . apply_filters("cubewp/builder/right/settings", '', $slug,$data) . '+            ' . apply_filters("cubewp/builder/right/settings", '', $slug, $data) . 
'         </div>'; 	}-	+ 	/** 	 * Method builder_get_shortcode 	 * 	 * @return string html 	 * @since  1.0.0 	 */-	public static function builder_get_shortcode() {+	public static function builder_get_shortcode()+	{ 		if (empty(self::$tab_options)) { 			return ''; 		}@@ -546,11 +596,11 @@ 		return '<div class="shoftcode-area"> 			<div class="cwpform-shortcode"></div> 			<button class="button-primary cwpform-get-shortcode">-				'. $button_text .'+				' . $button_text . ' 			</button> 		</div>';-	 }-	+	}+ 	/** 	 * Method builder_form_settings_btn 	 *@@ -559,7 +609,8 @@ 	 * @return string html 	 * @since  1.0.0 	 */-	protected static function builder_form_settings_btn($FormType) {			 +	protected static function builder_form_settings_btn($FormType)+	{ 		return '<button class="button form-settings-form"> 				<span class="dashicons dashicons-admin-generic"></span> 				' . esc_html__("Form Settings", "cubewp-framework") . '@@ -571,67 +622,67 @@ 	 * 	 * @return string html 	 * @since  1.0.0-	 */	-	protected static function cubewp_builder_no_section( $no_cpt = FALSE, $post_type = '', $data = array() ) {+	 */+	protected static function cubewp_builder_no_section($no_cpt = FALSE, $post_type = '', $data = array())+	{ 		$FormType = self::$FORM_TYPE; 		$output   = '';-		if ( $FormType != 'search_filters' && $FormType != 'search_fields' ) {-		   $output .= '<div class="cubewp-builder-no-section hidden">-			 <img src="' . CWP_PLUGIN_URI . 'cube/assets/admin/images/no-section.png" alt="' . esc_html__( "No Section Image", "cubewp-framework" ) . '">';-		   if ( ! $no_cpt ) {-			  $output .= '<h3>' . esc_html__( "Let's build something awesome today!", "cubewp-framework" ) . '</h3>';-			  $output .= '<div class="cubewp-builder-no-section-steps">';-			  if ( $FormType == 'post_type' || $FormType == 'single_layout' ) {-				 $output .= '<p><span>' . esc_html__( "1", "cubewp-framework" ) . '</span>' . esc_html__( "Select a Post Type", "cubewp-framework" ) . 
'</p>';-			  } else {-				 $output .= '<p><span>' . esc_html__( "1", "cubewp-framework" ) . '</span>' . esc_html__( "Select a User Role", "cubewp-framework" ) . '</p>';-			  }-			  $output .= '<p><span>' . esc_html__( "2", "cubewp-framework" ) . '</span>' . esc_html__( "Create a Section", "cubewp-framework" ) . '</p>-				 <p><span>' . esc_html__( "3", "cubewp-framework" ) . '</span>' . esc_html__( "Drag a Form Field", "cubewp-framework" ) . '</p>-				 <p><span>' . esc_html__( "4", "cubewp-framework" ) . '</span>' . esc_html__( "Hit Save Changes", "cubewp-framework" ) . '</p>+		if ($FormType != 'search_filters' && $FormType != 'search_fields') {+			$output .= '<div class="cubewp-builder-no-section hidden">+			 <img src="' . CWP_PLUGIN_URI . 'cube/assets/admin/images/no-section.png" alt="' . esc_html__("No Section Image", "cubewp-framework") . '">';+			if (! $no_cpt) {+				$output .= '<h3>' . esc_html__("Let's build something awesome today!", "cubewp-framework") . '</h3>';+				$output .= '<div class="cubewp-builder-no-section-steps">';+				if ($FormType == 'post_type' || $FormType == 'single_layout') {+					$output .= '<p><span>' . esc_html__("1", "cubewp-framework") . '</span>' . esc_html__("Select a Post Type", "cubewp-framework") . '</p>';+				} else {+					$output .= '<p><span>' . esc_html__("1", "cubewp-framework") . '</span>' . esc_html__("Select a User Role", "cubewp-framework") . '</p>';+				}+				$output .= '<p><span>' . esc_html__("2", "cubewp-framework") . '</span>' . esc_html__("Create a Section", "cubewp-framework") . '</p>+				 <p><span>' . esc_html__("3", "cubewp-framework") . '</span>' . esc_html__("Drag a Form Field", "cubewp-framework") . '</p>+				 <p><span>' . esc_html__("4", "cubewp-framework") . '</span>' . esc_html__("Hit Save Changes", "cubewp-framework") . '</p> 			  </div> 			  <button class="button button-primary cubewp-trigger-add-section"> 				 <span class="dashicons dashicons-plus"></span>-				 ' . 
esc_html__( "Create Section", "cubewp-framework" ) . '+				 ' . esc_html__("Create Section", "cubewp-framework") . ' 			  </button>';-	-			  if ( ! empty( $data ) ) {-				 $plans = apply_filters( "cubewp/builder/{$FormType}/switcher", array(), $post_type );-				 if ( $FormType == 'post_type' && isset( $plans['options'] ) &&  !empty( $plans['options'] )) {-					$plans_options  = '';-					$post_type_form = CWP()->get_form( 'post_type' );-					foreach ( $plans['options'] as $plan => $title ) {-					   if ( $plan == $data['content_switcher'] || ! isset( $post_type_form[ $post_type ][ $plan ]['groups'] ) || empty( $post_type_form[ $post_type ][ $plan ]['groups'] ) ) {-						  continue;-					   }-					   if ( is_numeric( $plan ) ) {-						  $plan_title = get_the_title( $plan );-					   }else {-						  $plan_title = $title;-					   }-					   $plans_options .= '<option value="' . $plan . '">' . esc_html( $plan_title ) . '</option>';-					}-					if ( ! empty( $plans_options ) ) {-					   $output .= '<div class="cubewp-builder-sections-importer">-						  <label for="cubewp-builder-section-import-' . $data['content_switcher'] . '">' . esc_html__( "Or Copy Content From", "cubewp-framework" ) . '</label>++				if (! empty($data)) {+					$plans = apply_filters("cubewp/builder/{$FormType}/switcher", array(), $post_type);+					if ($FormType == 'post_type' && isset($plans['options']) &&  !empty($plans['options'])) {+						$plans_options  = '';+						$post_type_form = CWP()->get_form('post_type');+						foreach ($plans['options'] as $plan => $title) {+							if ($plan == $data['content_switcher'] || ! isset($post_type_form[$post_type][$plan]['groups']) || empty($post_type_form[$post_type][$plan]['groups'])) {+								continue;+							}+							if (is_numeric($plan)) {+								$plan_title = get_the_title($plan);+							} else {+								$plan_title = $title;+							}+							$plans_options .= '<option value="' . $plan . '">' . esc_html($plan_title) . '</option>';+						}+						if (! 
empty($plans_options)) {+							$output .= '<div class="cubewp-builder-sections-importer">+						  <label for="cubewp-builder-section-import-' . $data['content_switcher'] . '">' . esc_html__("Or Copy Content From", "cubewp-framework") . '</label> 						  <select id="cubewp-builder-section-import-' . $data['content_switcher'] . '" class="cubewp-builder-section-import">';-						  $output .= $plans_options;-						  $output .= '</select>+							$output .= $plans_options;+							$output .= '</select> 						  <button class="button cwpform-import-sections"> 						  <span class="dashicons dashicons-admin-page"></span>-						  ' . esc_html__( "Copy", "cubewp-framework" ) . '+						  ' . esc_html__("Copy", "cubewp-framework") . ' 						  </button> 					   </div>';+						} 					}-				 }-			  }-	-		   } else {-			  $output .= '<h3>' . esc_html__( "No Custom Post Type Found.", "cubewp-framework" ) . '</h3>';-		   }-		   $output .= '</div>';+				}+			} else {+				$output .= '<h3>' . esc_html__("No Custom Post Type Found.", "cubewp-framework") . '</h3>';+			}+			$output .= '</div>'; 		}-	+ 		return $output; 	}-}\ No newline at end of file+}
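Review bot: the new `cubewp_builder_custom_cubes()` in hunk `@@ -140,23 +146,52 @@` passes whatever the new `cubewp/builder/{$form_type}/custom/cubes` filter returns straight into `CubeWp_Form_Builder::cwpform_form_section()` as `'fields'`, guarded only by `!empty()` and `is_array()`; nothing documents the expected shape of the array and nothing checks that each entry has the keys the form builder expects, so a malformed callback result will surface as a rendering failure inside the builder rather than at the hook. Extend the method's docblock (it currently lists only the two parameters) to describe the filter and the element shape, and validate or `array_filter()` the entries before building `$args`.

Review bot: `cubewp_builder_area()` (hunk `@@ -355,31 +397,32 @@`) and `builder_single_layout()` (hunk `@@ -480,43 +526,45 @@`) are re-indented here but still wrap the dynamic `$slug` and `$id` values in `esc_attr__()`, which is WordPress's translate-then-escape helper for literal strings with a text domain; for runtime values `esc_attr()` is the correct call. Since these lines are already being rewritten for style, folding that substitution in would be cheap.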
AI Analysis
# Security Analysis of Code Diff

After analyzing the provided diff for `class-cubewp-builder-ui.php`, I found the following:

---

**Vulnerability Existed: no**

**Code Formatting and Style Changes - No Security Impact**
- File: `cube/classes/class-cubewp-builder-ui.php`
- Lines: Multiple throughout file

**Old Code:**
Various formatting inconsistencies including:
- Mixed indentation (tabs and spaces)
- Inconsistent brace placement
- Irregular spacing around operators and function calls

**Fixed Code:**
Standardized formatting including:
- Consistent indentation using tabs
- Opening braces on new lines for class/function definitions
- Uniform spacing in function calls and string concatenation

**Explanation:**
This diff consists entirely of code style and formatting corrections (PHP-CS-Fixer or similar standardization). These changes:
- Do NOT introduce, fix, or affect any security vulnerabilities
- Are purely cosmetic/formatting improvements
- Include fixes to whitespace, indentation, and brace placement
- Do NOT alter the functionality, logic, or data handling of the code

The one functional addition (`cubewp_builder_custom_cubes` method at line ~176) is a new method that uses `apply_filters()` and proper escaping with `esc_html__()`, but this is a new feature addition rather than a security fix to existing code.

**Conclusion:** No security vulnerabilities were identified in this diff. This is a code formatting standardization release.
CVE Analysis Results:
CVE-2025-8615: No
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
cube/classes/class-cubewp-load.php AI: No vulnerabilities
--- cache/cubewp-framework_1.1.26/cube/classes/class-cubewp-load.php	2026-01-18 00:19:20.623838575 +0000+++ cache/cubewp-framework_1.1.27/cube/classes/class-cubewp-load.php	2026-01-18 00:21:29.791864880 +0000@@ -22,7 +22,7 @@      *      * @var string      */-    public static $CubeWp_version = '1.1.26';+    public static $CubeWp_version = '1.1.27';      /**      * Wordpress required version.
AI Analysis
# Security Analysis Report

## Vulnerability Assessment

**Vulnerability Existed:** no

**No CWE - N/A - cube/classes/class-cubewp-load.php [Line 25]**

**Old Code:**
```php
public static $CubeWp_version = '1.1.26';
```

**Fixed Code:**
```php
public static $CubeWp_version = '1.1.27';
```

**Explanation:**

This diff represents a version number update from 1.1.26 to 1.1.27 in the CubeWP framework's class file. This is a routine version bump and does not address any security vulnerabilities. The change is a simple string literal modification to a static class property used for version tracking. There are no security implications, no vulnerable code patterns being corrected, and no security-related fixes present in this diff. This is standard maintenance/release versioning.
CVE Analysis Results:
CVE-2025-8615: No
cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-archive-posts-widget.php AI: 1 vulnerability, 1 false positive
--- cache/cubewp-framework_1.1.26/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-archive-posts-widget.php	2026-01-18 00:19:20.623838575 +0000+++ cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-archive-posts-widget.php	2026-01-18 00:21:29.795865128 +0000@@ -1,5 +1,5 @@ <?php-defined( 'ABSPATH' ) || exit;+defined('ABSPATH') || exit;  use Elementor\Controls_Manager; use Elementor\Repeater;@@ -13,115 +13,211 @@  * @since 1.0.0  */ - class CubeWp_Elementor_Archive_Posts_Widget extends Widget_Base {+class CubeWp_Elementor_Archive_Posts_Widget extends Widget_Base+{      private static $post_types = array(); -    public function get_name() {+    public function get_name()+    {         return 'search_posts_widget';     } -    public function get_title() {-        return __( 'Archive Posts Display', 'cubewp-framework' );+    public function get_title()+    {+        return __('Archive Posts Display', 'cubewp-framework');     } -    public function get_icon() {+    public function get_icon()+    {         return 'eicon-archive-posts';     } -    public function get_categories() {-        return [ 'cubewp' ];+    public function get_categories()+    {+        return ['cubewp'];     } -    protected function _register_controls() {+    protected function register_controls()+    {         self::get_post_types(); -        +         $this->start_controls_section(             'section_map',             [-                'label' => __( 'Search Posts Settings', 'cubewp-framework' ),+                'label' => __('Search Posts Settings', 'cubewp-framework'),             ]         );         $this->add_post_type_controls();-        +          $this->end_controls_section();++        $this->add_promotional_card_controls();     } -    private static function get_post_types() {-		$post_types = get_post_types(['public' => true], 'objects');+    private static function get_post_types()+    {+        $post_types = 
get_post_types(['public' => true], 'objects');         $options = [];         foreach ($post_types as $post_type) {             $options[$post_type->name] = $post_type->label;         }-		unset( $options['elementor_library'] );-		unset( $options['e-landing-page'] );-		unset( $options['attachment'] );-		unset( $options['page'] );--		self::$post_types = $options;-	}--    private static function get_post_type_name_by_slug($post_type_slug) {-		$post_type_object = get_post_type_object($post_type_slug);-		// Check if the post type object exists and return its label (name)-		if ($post_type_object) {-			return $post_type_object->label;-		}-		return null;-	}--    private function add_post_type_controls() {-		$post_types = self::$post_types;-		if ( is_array( $post_types ) && ! empty( $post_types ) ) {-			$this->add_control( 'posttype', array(-				'type'        => Controls_Manager::SELECT2,-				//'multiple'    => true,-				'label'       => esc_html__( 'Select Post Types', 'cubewp-classifiad' ),-				'options'     => $post_types,-				'default'     => array( 'post' ),-				'label_block' => true,-			) );-			foreach ( $post_types as $slug => $post_type ) {-				$this->add_card_style_controls( $slug );-			}-		}-	}--	private function add_card_style_controls($post_type) {-			if(!empty(cubewp_post_card_styles($post_type))){-				$this->add_control( $post_type.'_card_style', array(-					'type'        => Controls_Manager::SELECT,-					'label'       => esc_html__( 'Card Style for '.self::get_post_type_name_by_slug($post_type), 'cubewp-framework' ),-					'options'     => cubewp_post_card_styles($post_type),-					'default'     => 'default_style',-					'condition'   => array(-						'posttype' => $post_type-					)-				) );-			}-	}+        unset($options['elementor_library']);+        unset($options['e-landing-page']);+        unset($options['attachment']);+        unset($options['page']);++        self::$post_types = $options;+    }++    private static function 
get_post_type_name_by_slug($post_type_slug)+    {+        $post_type_object = get_post_type_object($post_type_slug);+        // Check if the post type object exists and return its label (name)+        if ($post_type_object) {+            return $post_type_object->label;+        }+        return null;+    }++    private function add_post_type_controls()+    {+        $post_types = self::$post_types;+        if (is_array($post_types) && ! empty($post_types)) {+            $this->add_control('posttype', array(+                'type'        => Controls_Manager::SELECT2,+                //'multiple'    => true,+                'label'       => esc_html__('Select Post Types', 'cubewp-classifiad'),+                'options'     => $post_types,+                'default'     => array('post'),+                'label_block' => true,+            ));+            foreach ($post_types as $slug => $post_type) {+                $this->add_card_style_controls($slug);+            }+        }+    } -    protected function render() {+    private function add_card_style_controls($post_type)+    {+        if (!empty(cubewp_post_card_styles($post_type))) {+            $this->add_control($post_type . '_card_style', array(+                'type'        => Controls_Manager::SELECT,+                'label'       => esc_html__('Card Style for ' . self::get_post_type_name_by_slug($post_type), 'cubewp-framework'),+                'options'     => cubewp_post_card_styles($post_type),+                'default'     => 'default_style',+                'condition'   => array(+                    'posttype' => $post_type+                )+            ));+        }+    }+    +    private function add_promotional_card_controls()+    {+        global $cubewpOptions;+        $posts_per_page = isset($cubewpOptions['posts_per_page']) ? 
(int)$cubewpOptions['posts_per_page'] : 10;+        $this->start_controls_section('cubewp_widget_additional_setting_section', array(+            'label' => esc_html__('Promotional Card Settings', 'cubewp-framework'),+            'tab'   => Controls_Manager::TAB_CONTENT,+        ));++        $this->add_control('cubewp_promotional_card', array(+            'type'    => Controls_Manager::SWITCHER,+            'label'   => esc_html__('Show Promotional Cards', 'cubewp-framework'),+            'default' => 'no',+        ));++        // Create Repeater+        $repeater_CARDS = new Repeater();++        $repeater_CARDS->add_control('cubewp_promotional_card_option', array(+            'type'        => Controls_Manager::SELECT,+            'label'       => esc_html__('Promotional Cards', 'cubewp-framework'),+            'options'     => cubewp_get_get_promotional_cards_list(),+        ));++        $repeater_CARDS->add_control('cubewp_promotional_card_position', array(+            'type'        => Controls_Manager::NUMBER,+            'label'       => esc_html__('Position', 'cubewp-framework'),+            'default'     => 3,+            'placeholder' => esc_html__("3", "cubewp-framework"),+            'min'         => 1,+            'max'         => $posts_per_page,+        ));++        $repeater_CARDS->add_responsive_control('cubewp_promotional_card_width', array(+            'label'      => esc_html__('Width', 'cubewp-framework'),+            'type'       => Controls_Manager::SLIDER,+            'size_units' => ['px', '%'],+            'default'    => [+            'unit' => '%',+            'size' => 100,+            ],+            'range'      => [+            'px' => [+                'min' => 50,+                'max' => 1000,+            ],+            '%' => [+                'min' => 10,+                'max' => 100,+            ],+            ],+            'description' => esc_html__('Set the width of the card.', 'cubewp-framework'),+        ));++        // Add 
Repeater Control+        $this->add_control('cubewp_promotional_cards_list', array(+            'type'        => Controls_Manager::REPEATER,+            'label'       => esc_html__('Promotional Cards List', 'cubewp-framework'),+            'fields'      => $repeater_CARDS->get_controls(),+            'default'     => [],+            'title_field' => '{{{ cubewp_promotional_card_option }}}',+            'condition'   => [+                'cubewp_promotional_card' => 'yes',+            ],+        ));++        $this->end_controls_section();+    }++    protected function render()+    {         $settings   = $this->get_settings_for_display();-        $type = isset( $settings[ 'posttype' ] ) ? $settings[ 'posttype' ] : '';-        $card_style = isset( $settings[ $type . '_card_style' ] ) ? $settings[ $type . '_card_style' ] : '';+        $type = isset($settings['posttype']) ? $settings['posttype'] : '';+        $card_style = isset($settings[$type . '_card_style']) ? $settings[$type . '_card_style'] : '';         $page_num = '1'; -        CubeWp_Enqueue::enqueue_script( 'cwp-search-filters' );+        $promotional_card = $settings['cubewp_promotional_card'] === 'yes' ? 
true : false;+        $promotional_card_list = $settings['cubewp_promotional_cards_list']; -        echo CubeWp_Frontend_Search_Filter::cwp_filter_results(); +        CubeWp_Enqueue::enqueue_script('cwp-search-filters');++        echo CubeWp_Frontend_Search_Filter::cwp_filter_results();         echo '<form name="cwp-search-filters" class="cwp-search-filters" method="post">';-            echo CubeWp_Frontend_Search_Filter::filter_hidden_fields($type,$page_num,$card_style);-            echo CubeWp_Frontend_Search_Filter::get_hidden_field_if_tax();+        echo CubeWp_Frontend_Search_Filter::filter_hidden_fields($type, $page_num, $card_style);+        echo CubeWp_Frontend_Search_Filter::get_hidden_field_if_tax();+        $count = 1;+        if ($promotional_card && !empty($promotional_card_list) && is_array($promotional_card_list)) {+            foreach ($promotional_card_list as $_promotional_card) {+                echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_option-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_option']) . '" />';+                echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_position-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_position']) . '" />';+                echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_width-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_width']['size']) .esc_attr($_promotional_card['cubewp_promotional_card_width']['unit']). 
'" />';+                $count++;+            }+        }         echo '</form>';          //Only to load data while editing in elementor-        if ( cubewp_is_elementor_editing()){-            ?>-            <script>cwp_search_filters_ajax_content();</script>+        if (cubewp_is_elementor_editing()) {+?>+            <script>+                cwp_search_filters_ajax_content();+            </script>             <?php         }     }-}\ No newline at end of file+}
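Review bot: the hidden inputs emitted in render() (`cubewp_promotional_card_option-N`, `cubewp_promotional_card_position-N`, `cubewp_promotional_card_width-N`) sit inside a `method="post"` form, so whatever consumes them on submit must treat them as client-controlled: the `'min' => 1, 'max' => $posts_per_page` on the Position control and the option list from cubewp_get_get_promotional_cards_list() only constrain the Elementor editor, not the posted values, so the handler should cast position to int, bound-check it, and whitelist option against that list. Two smaller points in the same hunk: `$_promotional_card['cubewp_promotional_card_width']['size']` and `['unit']` are read without isset() even though the repeater can hold rows where the responsive slider was never set, and the 'Select Post Types' label uses the text domain 'cubewp-classifiad' instead of 'cubewp-framework'.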
AI Analysis
Based on my analysis of this diff, here are the security findings:

---

**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE

Cross-Site Scripting (XSS) - CWE-79 - class-cubewp-elementor-archive-posts-widget.php - Lines 206-208

**Old Code:**
```
(No old code - new code added in this version)
```

**Fixed Code:**
```php
echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_option-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_option']) . '" />';
echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_position-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_position']) . '" />';
echo '<input type="hidden" class="cubewp-promotional-card" name="cubewp_promotional_card_width-'.$count.'" value="' . esc_attr($_promotional_card['cubewp_promotional_card_width']['size']) .esc_attr($_promotional_card['cubewp_promotional_card_width']['unit']). '" />';
```

Explanation:
The code outputs array values into HTML attributes without proper escaping for the attribute context. The values are wrapped with `esc_attr()` for the array values, but the concatenated `$count` variable in the `name` attribute is not escaped. Additionally, `$_promotional_card['cubewp_promotional_card_width']['size']` and `['unit']` are properly escaped individually with `esc_attr()`, but if these values come from unvalidated user input, there is potential for XSS if the data structure does not enforce type safety upstream. The code does apply escaping functions, reducing vulnerability risk, though the `$count` variable concatenation in the `name` attribute should ideally be escaped for consistency.

---

**Vulnerability 2:**

Vulnerability Existed: not sure

Potential Type Confusion / Input Validation - CWE-20 - class-cubewp-elementor-archive-posts-widget.php - Lines 206-208

**Old Code:**
```
(No old code - new code added in this version)
```

**Fixed Code:**
```php
$_promotional_card['cubewp_promotional_card_width']['size']
$_promotional_card['cubewp_promotional_card_width']['unit']
```

Explanation:
The code accesses nested array indices without validating their existence. While `is_array($promotional_card_list)` is checked (line 204), there's no validation that individual array elements contain the expected structure (presence of `['cubewp_promotional_card_width']['size']` and `['unit']` keys). If malformed data is provided, this could cause PHP notices or unexpected behavior. Elementor's control system should enforce structure, but explicit validation with `isset()` or `array_key_exists()` checks would be more defensive.
CVE Analysis Results:
CVE-2025-8615: No
cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-posts-widget.php AI: 2 vulnerabilities, 2 false positives
--- cache/cubewp-framework_1.1.26/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-posts-widget.php	2026-01-18 00:19:20.627838824 +0000+++ cache/cubewp-framework_1.1.27/cube/classes/page-builders/elementor-widgets/class-cubewp-elementor-posts-widget.php	2026-01-18 00:21:29.795865128 +0000@@ -142,6 +142,67 @@ 			'default' => 'grid' 		)); +		$this->add_responsive_control(+			'posts_per_row',+			[+				'label' => esc_html__('Posts Per Row', 'cubewp-framework'),+				'type' => \Elementor\Controls_Manager::SELECT,+				'default' => 'auto',+				'condition' => [+					'layout' => 'grid',+				],+				'device_args' => [+					\Elementor\Controls_Stack::RESPONSIVE_DESKTOP => [+						'default' => 'auto',+						'options' => [+							'auto' => esc_html__('Auto', 'cubewp-framework'),+							'1' => esc_html__('1 Column', 'cubewp-framework'),+							'2' => esc_html__('2 Columns', 'cubewp-framework'),+							'3' => esc_html__('3 Columns', 'cubewp-framework'),+							'4' => esc_html__('4 Columns', 'cubewp-framework'),+							'5' => esc_html__('5 Columns', 'cubewp-framework'),+							'6' => esc_html__('6 Columns', 'cubewp-framework'),+						],+					],+					\Elementor\Controls_Stack::RESPONSIVE_TABLET => [+						'default' => 'auto',+						'options' => [+							'auto' => esc_html__('Auto', 'cubewp-framework'),+							'1' => esc_html__('1 Column', 'cubewp-framework'),+							'2' => esc_html__('2 Columns', 'cubewp-framework'),+							'3' => esc_html__('3 Columns', 'cubewp-framework'),+							'4' => esc_html__('4 Columns', 'cubewp-framework'),+							'5' => esc_html__('5 Columns', 'cubewp-framework'),+							'6' => esc_html__('6 Columns', 'cubewp-framework'),+						],+					],+					\Elementor\Controls_Stack::RESPONSIVE_MOBILE => [+						'default' => 'auto',+						'options' => [+							'auto' => esc_html__('Auto', 'cubewp-framework'),+							'1' => esc_html__('1 Column', 'cubewp-framework'),+							'2' => esc_html__('2 Columns', 'cubewp-framework'),+							'3' => esc_html__('3 
Columns', 'cubewp-framework'),+							'4' => esc_html__('4 Columns', 'cubewp-framework'),+							'5' => esc_html__('5 Columns', 'cubewp-framework'),+							'6' => esc_html__('6 Columns', 'cubewp-framework'),+						],+					],+				],+				'frontend_available' => true,+			]+		);++		$this->add_responsive_control('processing_grids_per_row', array(+			'type' => Controls_Manager::NUMBER,+			'label' => esc_html__('Processing Grids Per Row', 'cubewp-framework'),+			'default' => '4',+			'condition' => array(+				'posts_per_row' => 'auto',+			),+		));++ 		$this->add_control('enable_scroll_on_small_devices', array( 			'type'      => Controls_Manager::SWITCHER, 			'label'     => esc_html__('Enable Scroll on Small Devices', 'cubewp-framework'),@@ -186,7 +247,7 @@ 		$repeater->add_control('meta_key', array( 			'type'      => Controls_Manager::SELECT2, 			'label'     => esc_html__('Select Custom Field', 'cubewp-framework'),-			'options'   => get_fields_by_type(array('number', 'text', 'checkbox','dropdown')),+			'options'   => get_fields_by_type(array('number', 'text', 'checkbox', 'dropdown')), 			'label_block' => true, 		)); 
@@ -238,6 +299,7 @@ 		)); 		$this->end_controls_section(); 		$this->add_slider_controls();+		$this->add_promotional_card_controls(); 	}  	private static function get_post_types()@@ -435,98 +497,64 @@ 		$widget_id = $this->get_id(); 		if ($settings['enable_scroll_on_small_devices'] === 'yes') { 			echo '<style>-                @media (max-width: 767px) {-                    .elementor-element-' . $widget_id . ' .cwp-row {-                        overflow: scroll;-                        flex-wrap: nowrap;-                    }+            @media (max-width: 767px) {+                .elementor-element-' . $widget_id . ' .cwp-row {+                    overflow: scroll;+                    flex-wrap: nowrap;                 }-            </style>';+            }+        </style>'; 		} -		$prev_icon = '';-		$prev_icon_type = false;-		if (!empty($settings['prev_icon']['value'])) {-			if ('svg' === $settings['prev_icon']['library']) {-				$prev_icon_url = esc_url($settings['prev_icon']['value']['url']);-				$prev_icon_content = file_get_contents($prev_icon_url);-				$prev_icon = $prev_icon_content;-			} else {-				$prev_icon = esc_attr($settings['prev_icon']['value']);-				$prev_icon_type = true;-			}-		}-		$next_icon = '';-		$next_icon_type = false;-		if (!empty($settings['next_icon']['value'])) {-			if ('svg' === $settings['next_icon']['library']) {-				$next_icon_url = esc_url($settings['next_icon']['value']['url']);-				$next_icon_content = file_get_contents($next_icon_url);-				$next_icon = $next_icon_content;-			} else {-				$next_icon =  esc_attr($settings['next_icon']['value']);-				$next_icon_type = true;-			}-		}-		$slides_to_show = $settings['slides_to_show'];-		$slides_to_scroll = $settings['slides_to_scroll'];-		$slides_to_show_tablet = $settings['slides_to_show_tablet'];-		$slides_to_show_tablet_portrait = $settings['slides_to_show_tablet_portrait'];-		$slides_to_show_mobile = $settings['slides_to_show_mobile'];-		$slides_to_scroll_tablet = 
$settings['slides_to_scroll_tablet'];-		$slides_to_scroll_tablet_portrait = $settings['slides_to_scroll_tablet_portrait'];-		$slides_to_scroll_mobile = $settings['slides_to_scroll_mobile'];-		$autoplay = $settings['autoplay'] === 'yes' ? true : false;-		$autoplay_speed = $settings['autoplay_speed'];-		$speed = $settings['speed'];-		$enable_wrap_dots_arrows = $settings['enable_wrap_dots_arrows'] === 'yes' ? true : false;-		$infinite = $settings['infinite'] === 'yes' ? true : false;-		$fade_effect = $settings['fade_effect'] === 'yes' ? true : false;-		$variable_width = $settings['variable_width'] === 'yes' ? true : false;-		$custom_arrows = $settings['custom_arrows'] === 'yes' ? true : false;-		$custom_dots = $settings['custom_dots'] === 'yes' ? true : false;-		$enable_progress_bar = $settings['enable_progress_bar'] === 'yes' ? true : false;- 		$args = array( 			'post_type'       => $settings['posttype'],-			'taxonomy'       => array(),-			'orderby'        => $settings['orderby'],-			'order'          => $settings['order'],+			'taxonomy'        => array(),+			'orderby'         => $settings['orderby'],+			'order'           => $settings['order'], 			'number_of_posts' => $settings['number_of_posts'],-			'load_more' 	  => $settings['load_more'],-			'posts_per_page' => $settings['posts_per_page'],-			'layout'         => $settings['layout'],-			'post__in'       => array(),-			'boosted_only'   => 'no',-			'paged'   => '1',+			'load_more'       => $settings['load_more'],+			'posts_per_page'  => $settings['posts_per_page'],+			'processing_grids_per_row' => $settings['processing_grids_per_row'],+			'layout'          => $settings['layout'],+			'posts_per_row'   => isset($settings['posts_per_row']) ? $settings['posts_per_row'] : 'auto',+			'posts_per_row_tablet'   => isset($settings['posts_per_row_tablet']) ? $settings['posts_per_row_tablet'] : 'auto',+			'posts_per_row_mobile'   => isset($settings['posts_per_row_mobile']) ? 
$settings['posts_per_row_mobile'] : 'auto',+			'post__in'        => array(),+			'boosted_only'    => 'no',+			'paged'           => '1', 			'cwp_enable_slider' => $settings['cwp_enable_slider'] === 'yes' ? 'cubewp-post-slider' : '',-			'prev_icon' => $prev_icon,-			'next_icon' => $next_icon,-			'next_icon_type' => $next_icon_type,-			'prev_icon_type' => $prev_icon_type,-			'slides_to_show' => $slides_to_show,-			'slides_to_scroll' => $slides_to_scroll,-			'slides_to_show_tablet' => $slides_to_show_tablet,-			'slides_to_show_tablet_portrait' => $slides_to_show_tablet_portrait,-			'slides_to_show_mobile' => $slides_to_show_mobile,-			'slides_to_scroll_tablet' => $slides_to_scroll_tablet,-			'slides_to_scroll_tablet_portrait' => $slides_to_scroll_tablet_portrait,-			'slides_to_scroll_mobile' => $slides_to_scroll_mobile,-			'autoplay' => $autoplay,-			'autoplay_speed' => $autoplay_speed,-			'speed' => $speed,-			'infinite' => $infinite,-			'fade_effect' => $fade_effect,-			'variable_width' => $variable_width,-			'custom_arrows' => $custom_arrows,-			'custom_dots' => $custom_dots,-			'enable_wrap_dots_arrows' => $enable_wrap_dots_arrows,-			'enable_progress_bar' => $enable_progress_bar,+			'promotional_card' => $settings['cubewp_promotional_card'] === 'yes' ? true : false,+			'promotional_cards' => $settings['cubewp_promotional_cards_list'], 		); +		// Add slider parameters only if the slider is enabled+		if ($settings['cwp_enable_slider'] === 'yes') {+			$args = array_merge($args, array(+				'prev_icon' => $settings['prev_icon']['value'] ?? '',+				'next_icon' => $settings['next_icon']['value'] ?? 
'',+				'slides_to_show' => $settings['slides_to_show'],+				'slides_to_scroll' => $settings['slides_to_scroll'],+				'slides_to_show_tablet' => $settings['slides_to_show_tablet'],+				'slides_to_show_tablet_portrait' => $settings['slides_to_show_tablet_portrait'],+				'slides_to_show_mobile' => $settings['slides_to_show_mobile'],+				'slides_to_scroll_tablet' => $settings['slides_to_scroll_tablet'],+				'slides_to_scroll_tablet_portrait' => $settings['slides_to_scroll_tablet_portrait'],+				'slides_to_scroll_mobile' => $settings['slides_to_scroll_mobile'],+				'autoplay' => $settings['autoplay'] === 'yes' ? true : false,+				'autoplay_speed' => $settings['autoplay_speed'],+				'speed' => $settings['speed'],+				'infinite' => $settings['infinite'] === 'yes' ? true : false,+				'fade_effect' => $settings['fade_effect'] === 'yes' ? true : false,+				'variable_width' => $settings['variable_width'] === 'yes' ? true : false,+				'custom_arrows' => $settings['custom_arrows'] === 'yes' ? true : false,+				'custom_dots' => $settings['custom_dots'] === 'yes' ? true : false,+				'enable_wrap_dots_arrows' => $settings['enable_wrap_dots_arrows'] === 'yes' ? true : false,+				'enable_progress_bar' => $settings['enable_progress_bar'] === 'yes' ? true : false,+			));+		}+ 		if (is_array($settings['posttype']) && ($posts_by !== 'boosted' || $posts_by !== 'all')) { 			foreach ($settings['posttype'] as $post_type) {- 				if ($posts_by == 'post_ids') { 					$post_in = isset($settings[$post_type . '_post__in']) ? $settings[$post_type . '_post__in'] : ''; 
@@ -541,7 +569,6 @@ 						$args['post__in'] = isset($args['post__in']) ? array_merge($args['post__in'], $post_ids) : $post_ids; 					} 				} elseif ($posts_by == 'taxonomy') {- 					$terms = isset($settings['taxonomy-' . $post_type]) ? $settings['taxonomy-' . $post_type] : array(); 					if (!empty($terms)) { 						foreach ($terms as $term) {@@ -572,7 +599,6 @@ 			$args['meta_query'] = self::_meta_query($meta_query); 		} - 		echo apply_filters('cubewp_shortcode_posts_output', '', $args); 	} 
@@ -1203,14 +1229,14 @@ 		);  		$this->add_group_control(-            Group_Control_Box_Shadow::get_type(),-            [-                'name' => 'slider_arrow_box_shadow',-                'label' => __('Arrow Box Shadow', 'value-pack'),-                'selector' => '{{WRAPPER}} .cubewp-post-slider .slick-arrow',-                'separator' => 'before',-            ]-        );+			Group_Control_Box_Shadow::get_type(),+			[+				'name' => 'slider_arrow_box_shadow',+				'label' => __('Arrow Box Shadow', 'value-pack'),+				'selector' => '{{WRAPPER}} .cubewp-post-slider .slick-arrow',+				'separator' => 'before',+			]+		);  		$this->add_control( 			'icon_position_divider_heading',@@ -2287,4 +2313,70 @@  		$this->end_controls_section(); 	}++	private function add_promotional_card_controls()+	{+		$this->start_controls_section('cubewp_widget_additional_setting_section', array(+			'label' => esc_html__('Promotional Card Settings', 'cubewp-framework'),+			'tab'   => Controls_Manager::TAB_CONTENT,+		));++		$this->add_control('cubewp_promotional_card', array(+			'type'    => Controls_Manager::SWITCHER,+			'label'   => esc_html__('Show Promotional Cards', 'cubewp-framework'),+			'default' => 'no',+		));++		// Create Repeater+		$repeater_CARDS = new Repeater();++		$repeater_CARDS->add_control('cubewp_promotional_card_option', array(+			'type'        => Controls_Manager::SELECT,+			'label'       => esc_html__('Promotional Cards', 'cubewp-framework'),+			'options'     => cubewp_get_get_promotional_cards_list(),+		));++		$repeater_CARDS->add_control('cubewp_promotional_card_position', array(+			'type'        => Controls_Manager::NUMBER,+			'label'       => esc_html__('Position', 'cubewp-framework'),+			'default'     => 3,+			'placeholder' => esc_html__("3", "cubewp-framework"),+			'min'         => 1,+		));++		$repeater_CARDS->add_responsive_control('cubewp_promotional_card_width', array(+			'label'      => esc_html__('Width', 'cubewp-framework'),+			'type'       => 
Controls_Manager::SLIDER,+			'size_units' => ['px', '%'],+			'default'    => [+				'unit' => '%',+				'size' => 100,+			],+			'range'      => [+				'px' => [+					'min' => 50,+					'max' => 1000,+				],+				'%' => [+					'min' => 10,+					'max' => 100,+				],+			],+			'description' => esc_html__('Set the width of the card.', 'cubewp-framework'),+		));++		// Add Repeater Control+		$this->add_control('cubewp_promotional_cards_list', array(+			'type'        => Controls_Manager::REPEATER,+			'label'       => esc_html__('Promotional Cards List', 'cubewp-framework'),+			'fields'      => $repeater_CARDS->get_controls(),+			'default'     => [],+			'title_field' => '{{{ cubewp_promotional_card_option }}}',+			'condition'   => [+				'cubewp_promotional_card' => 'yes',+			],+		));++		$this->end_controls_section();+	} }
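Review bot: in the `@@ -142,6 +142,67 @@` hunk, the three `device_args` entries for 'posts_per_row' repeat an identical seven-entry options array for desktop, tablet and mobile; building that array once and reusing it keeps the three in sync when a column count is added. In the same hunk, 'processing_grids_per_row' is a NUMBER control with a string default '4' and no 'min'/'max', so the value reaching `$args` later should be cast to int and bounded rather than trusted on the strength of the control type.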
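Review bot: the unchanged condition `is_array($settings['posttype']) && ($posts_by !== 'boosted' || $posts_by !== 'all')` at the end of the `@@ -435,98 +497,64 @@` hunk is always true, since any value differs from at least one of the two strings; `&&` looks intended. On the changed lines, dropping the `file_get_contents()` on the SVG icon URL removes a server-side fetch of an editor-supplied URL, which is the right direction, but 'prev_icon' and 'next_icon' are now forwarded as `$settings['prev_icon']['value'] ?? ''`, which for the SVG library is an array containing 'url' rather than a string, so the template behind `cubewp_shortcode_posts_output` has to handle both shapes and escape each with esc_url()/esc_attr() itself. The same applies to 'promotional_cards', forwarded as the raw repeater array, and `$widget_id` is still concatenated into the inline `<style>` without escaping.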
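Review bot: the reindented Group_Control_Box_Shadow call in the `@@ -1203,14 +1229,14 @@` hunk keeps the text domain 'value-pack' on the 'Arrow Box Shadow' label, which does not match the 'cubewp-framework' domain used everywhere else in this file, so the string will not be picked up by the plugin's translations.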
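Review bot: the add_promotional_card_controls() added in the `@@ -2287,4 +2313,70 @@` hunk is a near-verbatim copy of the one added to class-cubewp-elementor-archive-posts-widget.php in the same release, with one difference: the Position control here has 'min' => 1 but no 'max', whereas the archive widget caps it at posts_per_page. Sharing one implementation (a trait or a helper on a common base) would stop the two from drifting further; either way, the consumer of 'promotional_cards' in the shortcode output has to bound-check position and whitelist option against cubewp_get_get_promotional_cards_list(), since the control limits only apply inside the editor.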
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-elementor-posts-widget.php - Lines 510-518

Old Code:
```php
echo '<style>
                @media (max-width: 767px) {
                    .elementor-element-' . $widget_id . ' .cwp-row {
                        overflow: scroll;
                        flex-wrap: nowrap;
                    }
                }
            </style>';
```

Fixed Code:
```php
echo '<style>
            @media (max-width: 767px) {
                .elementor-element-' . $widget_id . ' .cwp-row {
                    overflow: scroll;
                    flex-wrap: nowrap;
                }
            }
        </style>';
```

Explanation:
While the primary change here is formatting/indentation, the underlying issue is that `$widget_id` is directly concatenated into inline CSS output without proper escaping. The `$widget_id` comes from `$this->get_id()` which should return a sanitized value from Elementor, but CSS context requires `esc_attr()` for proper escaping. The diff does not add proper escaping - it only reformats the code. This remains a potential XSS vulnerability if `$widget_id` contains user-controlled or unsanitized data.

---

Vulnerability Existed: yes
FALSE POSITIVE
Improper Resource Validation ('Path Traversal') / Unrestricted File Access - CWE-434 - class-cubewp-elementor-posts-widget.php - Lines 514-522 (old code, now removed)

Old Code:
```php
if ('svg' === $settings['prev_icon']['library']) {
    $prev_icon_url = esc_url($settings['prev_icon']['value']['url']);
    $prev_icon_content = file_get_contents($prev_icon_url);
    $prev_icon = $prev_icon_content;
}
```

Fixed Code:
```php
// Code removed entirely - icon handling now uses:
'prev_icon' => $settings['prev_icon']['value'] ?? '',
```

Explanation:
The old code used `file_get_contents()` on a URL from user settings without proper validation. While `esc_url()` was applied, `file_get_contents()` on arbitrary URLs can be exploited for SSRF (Server-Side Request Forgery) attacks, accessing internal resources, or loading malicious content. The fix removes this dangerous direct file access pattern entirely and instead passes the icon value directly, delegating proper handling to the template/rendering logic. This is a significant security improvement.
CVE Analysis Results:
CVE-2025-8615: No
cube/classes/shortcodes/class-cubewp-shortcode-posts.php AI: Not Sure 4 false positives
--- cache/cubewp-framework_1.1.26/cube/classes/shortcodes/class-cubewp-shortcode-posts.php	2026-01-18 00:19:20.627838824 +0000+++ cache/cubewp-framework_1.1.27/cube/classes/shortcodes/class-cubewp-shortcode-posts.php	2026-01-18 00:21:29.795865128 +0000@@ -15,46 +15,132 @@ 		add_filter('cubewp_shortcode_posts_output', array($this, 'cubewp_posts'), 10, 2); 		new CubeWp_Ajax('', 'CubeWp_Shortcode_Posts', 'cubewp_posts_output'); 		new CubeWp_Ajax('wp_ajax_nopriv_', 'CubeWp_Shortcode_Posts', 'cubewp_posts_output');+		add_action('wp_enqueue_scripts', [$this, 'cubewp_enqueue_slick_for_elementor'], 999);+		add_action('elementor/editor/after_enqueue_scripts', [$this, 'cubewp_enqueue_slick_for_elementor']); 	}  	public static function cubewp_posts($output, array $parameters) 	{-		return self::cubewp_posts_output($parameters);+		$cwp_enable_slider = isset($parameters['cwp_enable_slider']) ? $parameters['cwp_enable_slider'] : '';+		if ($cwp_enable_slider) {+			CubeWp_Enqueue::enqueue_style('cubewp-slick');+			CubeWp_Enqueue::enqueue_script('cubewp-slick');+		}+		if (cubewp_is_elementor_editing()) {+			return self::cubewp_posts_output($parameters);+		}++		$slides_to_show = isset($parameters['slides_to_show']) ? intval($parameters['slides_to_show']) : 3;+		$slides_to_show_tablet = isset($parameters['slides_to_show_tablet']) ? intval($parameters['slides_to_show_tablet']) : 2;+		$slides_to_show_mobile = isset($parameters['slides_to_show_mobile']) ? intval($parameters['slides_to_show_mobile']) : 1;+		$processing_grids_per_row = isset($parameters['processing_grids_per_row']) ? intval($parameters['processing_grids_per_row']) : 4;++		$posts_per_row = isset($parameters['posts_per_row']) ? $parameters['posts_per_row'] : 'auto';+		$posts_per_row_tablet = (isset($parameters['posts_per_row_tablet']) && $parameters['posts_per_row_tablet'] !== 'auto') ? 
$parameters['posts_per_row_tablet'] : 3;+		$posts_per_row_mobile = (isset($parameters['posts_per_row_mobile']) && $parameters['posts_per_row_mobile'] !== 'auto') ? $parameters['posts_per_row_mobile'] : 2;+		+		if($cwp_enable_slider){+			$processing_grids_per_row = $slides_to_show;+			$posts_per_row_tablet = $slides_to_show_tablet;+			$posts_per_row_mobile = $slides_to_show_mobile;+		}++		$processing_grid_count = $processing_grids_per_row;++		if ($posts_per_row !== 'auto' && !$cwp_enable_slider) {+			$processing_grids_per_row = $posts_per_row;+			$processing_grid_count = isset($parameters['number_of_posts']) ? $parameters['number_of_posts'] : 4;+		}++		$unique_id = uniqid('cubewp_posts_');++		// Container start+		$output .= '<div id="' . esc_attr($unique_id) . '" class="cubewp-ajax-posts-container" data-parameters="' . htmlspecialchars(json_encode($parameters), ENT_QUOTES, 'UTF-8') . '">+        <div class="cubewp-processing-posts-container" style="display: flex; flex-wrap: wrap; gap: 10px;">';++		for ($i = 0; $i < $processing_grid_count; $i++) {+			$output .=+				'<div class="cwp-processing-post-grid">'+				. '<div class="cwp-processing-post-thumbnail"></div>'+				. '<div class="cwp-processing-post-content"><p></p><p></p><p></p></div>'+				. '</div>';+		}++		$output .= '</div></div>';++		//Dynamic CSS per instance+		$output .= '<style>+        #' . esc_attr($unique_id) . ' .cwp-processing-post-grid {+            flex-basis: calc(100% / ' . esc_attr($processing_grids_per_row) . ' - 10px);+            max-width: calc(100% / ' . esc_attr($processing_grids_per_row) . ' - 10px);+        }';++		if ($posts_per_row_tablet !== 'auto') {+			$output .= '+        @media (max-width: 1024px) {+            #' . esc_attr($unique_id) . ' .cwp-processing-post-grid {+                flex-basis: calc(100% / ' . esc_attr($posts_per_row_tablet) . ' - 10px);+                max-width: calc(100% / ' . esc_attr($posts_per_row_tablet) . 
' - 10px);+            }+        }';+		}++		if ($posts_per_row_mobile !== 'auto') {+			$output .= '+        @media (max-width: 767px) {+            #' . esc_attr($unique_id) . ' .cwp-processing-post-grid {+                flex-basis: calc(100% / ' . esc_attr($posts_per_row_mobile) . ' - 10px);+                max-width: calc(100% / ' . esc_attr($posts_per_row_mobile) . ' - 10px);+            }+        }';+		}++		$output .= '</style>';++		// Ajax loader+		$output .= '<script type="text/javascript">+        jQuery(window).on("load", function () {+            setTimeout(function () {+                CubeWpShortcodePostsAjax.loadPosts("#' . esc_attr($unique_id) . '");+            }, 500);+        });+    </script>';++		return $output; 	} + 	public static function cubewp_posts_output($parameters) 	{--		// AJAX CALL-		if (wp_doing_ajax() && isset($_REQUEST['action']) && $_REQUEST['action'] === 'cubewp_posts_output') {-			// Set $parameters to $_POST if it's an AJAX request for 'cubewp_posts_output'+		if (wp_doing_ajax() && isset($_REQUEST['action']) && $_REQUEST['action'] === 'cubewp_posts_output' && !cubewp_is_elementor_editing()) { 			$parameters = $_POST; 		}  		$cwp_enable_slider = isset($parameters['cwp_enable_slider']) ? $parameters['cwp_enable_slider'] : '';-		$prev_icon = isset($parameters['prev_icon']) ? $parameters['prev_icon'] : 'fas fa-chevron-left';-		$next_icon = isset($parameters['next_icon']) ? $parameters['next_icon'] : 'fas fa-chevron-right';-		$slides_to_show = isset($parameters['slides_to_show']) ? intval($parameters['slides_to_show']) : 3;-		$slides_to_scroll = isset($parameters['slides_to_scroll']) ? intval($parameters['slides_to_scroll']) : 1;-		$slides_to_show_tablet = isset($parameters['slides_to_show_tablet']) ? intval($parameters['slides_to_show_tablet']) : 3;-		$slides_to_show_tablet_portrait = isset($parameters['slides_to_show_tablet_portrait']) ? 
intval($parameters['slides_to_show_tablet_portrait']) : 2;-		$slides_to_show_mobile = isset($parameters['slides_to_show_mobile']) ? intval($parameters['slides_to_show_mobile']) : 1;-		$slides_to_scroll_tablet = isset($parameters['slides_to_scroll_tablet']) ? intval($parameters['slides_to_scroll_tablet']) : 1;-		$slides_to_scroll_tablet_portrait = isset($parameters['slides_to_scroll_tablet_portrait']) ? intval($parameters['slides_to_scroll_tablet_portrait']) : 1;-		$slides_to_scroll_mobile = isset($parameters['slides_to_scroll_mobile']) ? intval($parameters['slides_to_scroll_mobile']) : 1;-		$autoplay = isset($parameters['autoplay']) && $parameters['autoplay'] ? 'true' : 'false';-		$autoplay_speed = isset($parameters['autoplay_speed']) ? intval($parameters['autoplay_speed']) : 2000;-		$speed = isset($parameters['speed']) ? intval($parameters['speed']) : 500;-		$infinite = isset($parameters['infinite']) && $parameters['infinite'] ? 'true' : 'false';-		$fade_effect = isset($parameters['fade_effect']) && $parameters['fade_effect'] ? 'true' : 'false';-		$variable_width = isset($parameters['variable_width']) && $parameters['variable_width'] ? 'true' : 'false';-		$custom_arrows = isset($parameters['custom_arrows']) && $parameters['custom_arrows'] ? 'true' : 'false';-		$custom_dots = isset($parameters['custom_dots']) && $parameters['custom_dots'] ? 'true' : 'false';-		$enable_progress_bar = isset($parameters['enable_progress_bar']) && $parameters['enable_progress_bar'] ? 'true' : 'false';-		$enable_wrap_dots_arrows = isset($parameters['enable_wrap_dots_arrows']) && $parameters['enable_wrap_dots_arrows'] ? 'true' : 'false';--		$next_icon_type = isset($parameters['next_icon_type']) && $parameters['next_icon_type'] ? 'true' : 'false';-		$prev_icon_type = isset($parameters['prev_icon_type']) && $parameters['prev_icon_type'] ? 'true' : 'false';+		if ($cwp_enable_slider) {+			$prev_icon = isset($parameters['prev_icon']) ? 
$parameters['prev_icon'] : 'fas fa-chevron-left';+			$next_icon = isset($parameters['next_icon']) ? $parameters['next_icon'] : 'fas fa-chevron-right';+			$slides_to_show = isset($parameters['slides_to_show']) ? intval($parameters['slides_to_show']) : 3;+			$slides_to_scroll = isset($parameters['slides_to_scroll']) ? intval($parameters['slides_to_scroll']) : 1;+			$slides_to_show_tablet = isset($parameters['slides_to_show_tablet']) ? intval($parameters['slides_to_show_tablet']) : 3;+			$slides_to_show_tablet_portrait = isset($parameters['slides_to_show_tablet_portrait']) ? intval($parameters['slides_to_show_tablet_portrait']) : 2;+			$slides_to_show_mobile = isset($parameters['slides_to_show_mobile']) ? intval($parameters['slides_to_show_mobile']) : 1;+			$slides_to_scroll_tablet = isset($parameters['slides_to_scroll_tablet']) ? intval($parameters['slides_to_scroll_tablet']) : 1;+			$slides_to_scroll_tablet_portrait = isset($parameters['slides_to_scroll_tablet_portrait']) ? intval($parameters['slides_to_scroll_tablet_portrait']) : 1;+			$slides_to_scroll_mobile = isset($parameters['slides_to_scroll_mobile']) ? intval($parameters['slides_to_scroll_mobile']) : 1;+			$autoplay = isset($parameters['autoplay']) ? $parameters['autoplay'] : 'false';+			$autoplay_speed = isset($parameters['autoplay_speed']) ? intval($parameters['autoplay_speed']) : 2000;+			$speed = isset($parameters['speed']) ? intval($parameters['speed']) : 500;+			$infinite = (isset($parameters['infinite']) && $parameters['infinite'] === 'true') ? 'true' : 'false';+			$fade_effect = (isset($parameters['fade_effect']) && $parameters['fade_effect'] === 'true') ? 'true' : 'false';+			$variable_width = (isset($parameters['variable_width']) && $parameters['variable_width'] === 'true') ? 'true' : 'false';+			$custom_arrows = (isset($parameters['custom_arrows']) && $parameters['custom_arrows'] === 'true') ? 
'true' : 'false';+			$enable_progress_bar = (isset($parameters['enable_progress_bar']) && $parameters['enable_progress_bar'] === 'true') ? 'true' : 'false';+			$custom_dots = (isset($parameters['custom_dots']) && $parameters['custom_dots'] === 'true') ? 'true' : 'false';+			$enable_wrap_dots_arrows = (isset($parameters['enable_wrap_dots_arrows']) && $parameters['enable_wrap_dots_arrows'] === 'true') ? 'true' : 'false';+		}+		$promotional_card = $parameters['promotional_card'];+		$promotional_card_list = $parameters['promotional_cards'];  		$args = array( 			'post_type'      => $parameters['post_type'],@@ -64,18 +150,45 @@ 			'meta_query'     => isset($parameters['meta_query']) ? $parameters['meta_query'] : array(), 		); -		if (isset($parameters['number_of_posts'])) {-			$args['posts_per_page'] = $parameters['number_of_posts'];-		}--		if (isset($parameters['posts_per_page'])) {-			$args['posts_per_page'] = $parameters['posts_per_page'];+		if (isset($parameters['number_of_posts']) && $parameters['number_of_posts'] !== '') {+			$args['posts_per_page'] = intval($parameters['number_of_posts']);+		} elseif (isset($parameters['posts_per_page']) && $parameters['posts_per_page'] !== '') {+			$args['posts_per_page'] = intval($parameters['posts_per_page']); 		}  		if (isset($parameters['page_num'])) { 			$args['page_num'] = $parameters['page_num']; 		} +		$posts_per_row = isset($parameters['posts_per_row']) ? $parameters['posts_per_row'] : 'auto';+		$posts_per_row_tablet = isset($parameters['posts_per_row_tablet']) ? $parameters['posts_per_row_tablet'] : 'auto';+		$posts_per_row_mobile = isset($parameters['posts_per_row_mobile']) ? 
$parameters['posts_per_row_mobile'] : 'auto';+		if ($cwp_enable_slider) {+			$posts_per_row = $slides_to_show;+			$posts_per_row_tablet = $slides_to_show_tablet;+			$posts_per_row_mobile = $slides_to_show_mobile;+		}++		$posts_row_class = '';+		if ($posts_per_row !== 'auto' && $posts_per_row !== '' && $posts_per_row !== null) {+			$desktop_val = intval($posts_per_row);+			$tablet_val = ($posts_per_row_tablet === 'auto' || $posts_per_row_tablet === '' || !is_numeric($posts_per_row_tablet))+				? $desktop_val+				: intval($posts_per_row_tablet);++			$mobile_val = ($posts_per_row_mobile === 'auto' || $posts_per_row_mobile === '' || !is_numeric($posts_per_row_mobile))+				? $desktop_val+				: intval($posts_per_row_mobile);+			$posts_row_class = sprintf(+				'cubewp-posts-row-%1$s cubewp-posts-row-tablet-%2$s cubewp-posts-row-mobile-%3$s',+				$desktop_val,+				$tablet_val,+				$mobile_val+			);+		}+++ 		$show_boosted_posts = ''; 		if (class_exists('CubeWp_Booster_Load')) { 			$show_boosted_posts = $parameters['boosted_only'];@@ -109,6 +222,8 @@ 			} 		} ++ 		$layout = $parameters['layout']; 		$row_class = 'grid-view'; 		if ($layout == 'list') {@@ -120,34 +235,81 @@ 		$load_btn = $post_markup = ''; 		$slider_class = $cwp_enable_slider === 'cubewp-post-slider' ? 'cubewp-post-slider' : ''; 		$container_open = '<div class="cubewp-posts-shortcode cwp-row ' . esc_attr($slider_class) . '"';-		$container_open .= ' data-prev-arrow="' . esc_attr($prev_icon) . '"';-		$container_open .= ' data-next-arrow="' . esc_attr($next_icon) . '"';-		$container_open .= ' data-prev-icon-type="' . esc_attr($prev_icon_type) . '"';-		$container_open .= ' data-next-icon-type="' . esc_attr($next_icon_type) . '"';-		$container_open .= ' data-slides-to-show="' . esc_attr($slides_to_show) . '"';-		$container_open .= ' data-slides-to-scroll="' . esc_attr($slides_to_scroll) . '"';-		$container_open .= ' data-slides-to-show-tablet="' . esc_attr($slides_to_show_tablet) . 
'"';-		$container_open .= ' data-slides-show-tablet-portrait="' . esc_attr($slides_to_show_tablet_portrait) . '"';-		$container_open .= ' data-slides-to-show-mobile="' . esc_attr($slides_to_show_mobile) . '"';-		$container_open .= ' data-slides-to-scroll-tablet="' . esc_attr($slides_to_scroll_tablet) . '"';-		$container_open .= ' data-slides-scroll-tablet-portrait="' . esc_attr($slides_to_scroll_tablet_portrait) . '"';-		$container_open .= ' data-slides-to-scroll-mobile="' . esc_attr($slides_to_scroll_mobile) . '"';-		$container_open .= ' data-autoplay="' . esc_attr($autoplay) . '"';-		$container_open .= ' data-autoplay-speed="' . esc_attr($autoplay_speed) . '"';-		$container_open .= ' data-speed="' . esc_attr($speed) . '"';-		$container_open .= ' data-infinite="' . esc_attr($infinite) . '"';-		$container_open .= ' data-fade="' . esc_attr($fade_effect) . '"';-		$container_open .= ' data-variable-width="' . esc_attr($variable_width) . '"';-		$container_open .= ' data-custom-arrows="' . esc_attr($custom_arrows) . '"';-		$container_open .= ' data-custom-dots="' . esc_attr($custom_dots) . '"';-		$container_open .= ' data-enable-progress-bar="' . esc_attr($enable_progress_bar) . '"';-		$container_open .= ' data-enable-wrapper="' . esc_attr($enable_wrap_dots_arrows) . '"';+		if ($cwp_enable_slider) {++			$prev_icon = self::cubewp_get_svg_content($prev_icon);+			$next_icon = self::cubewp_get_svg_content($next_icon);++			$is_prev_svg = strpos(trim($prev_icon), '<svg') === 0;+			$is_next_svg = strpos(trim($next_icon), '<svg') === 0;++			if ($is_prev_svg) {++				$container_open .= " data-prev-arrow-svg='" . $prev_icon . "'";+				$container_open .= ' data-is-prev-svg="true"';+			} else {+				$container_open .= ' data-prev-arrow="' . esc_attr($prev_icon) . '"';+				$container_open .= ' data-is-prev-svg="false"';+			}++			if ($is_next_svg) {+				$container_open .= " data-next-arrow-svg='" . $next_icon . 
"'";+				$container_open .= ' data-is-next-svg="true"';+			} else {+				$container_open .= ' data-next-arrow="' . esc_attr($next_icon) . '"';+				$container_open .= ' data-is-next-svg="false"';+			}++++			$container_open .= ' data-slides-to-show="' . esc_attr($slides_to_show) . '"';+			$container_open .= ' data-slides-to-scroll="' . esc_attr($slides_to_scroll) . '"';+			$container_open .= ' data-slides-to-show-tablet="' . esc_attr($slides_to_show_tablet) . '"';+			$container_open .= ' data-slides-show-tablet-portrait="' . esc_attr($slides_to_show_tablet_portrait) . '"';+			$container_open .= ' data-slides-to-show-mobile="' . esc_attr($slides_to_show_mobile) . '"';+			$container_open .= ' data-slides-to-scroll-tablet="' . esc_attr($slides_to_scroll_tablet) . '"';+			$container_open .= ' data-slides-scroll-tablet-portrait="' . esc_attr($slides_to_scroll_tablet_portrait) . '"';+			$container_open .= ' data-slides-to-scroll-mobile="' . esc_attr($slides_to_scroll_mobile) . '"';+			$container_open .= ' data-autoplay="' . esc_attr($autoplay) . '"';+			$container_open .= ' data-autoplay-speed="' . esc_attr($autoplay_speed) . '"';+			$container_open .= ' data-speed="' . esc_attr($speed) . '"';+			$container_open .= ' data-infinite="' . esc_attr($infinite) . '"';+			$container_open .= ' data-fade="' . esc_attr($fade_effect) . '"';+			$container_open .= ' data-variable-width="' . esc_attr($variable_width) . '"';+			$container_open .= ' data-custom-arrows="' . esc_attr($custom_arrows) . '"';+			$container_open .= ' data-custom-dots="' . esc_attr($custom_dots) . '"';+			$container_open .= ' data-enable-progress-bar="' . esc_attr($enable_progress_bar) . '"';+			$container_open .= ' data-enable-wrapper="' . esc_attr($enable_wrap_dots_arrows) . 
'"';+		} 		$container_open .= '>'; 		$container_close = '</div>'; +		$counter        = 1;+		$has_more_posts = false; 		if ($posts->have_posts()) {-			CubeWp_Enqueue::enqueue_style('cubewp-slick');-			CubeWp_Enqueue::enqueue_script('cubewp-slick');+			if ($posts_row_class) {+				add_filter('post_class', function ($classes) use ($posts_row_class) {+					$classes[] = $posts_row_class;+					return $classes;+				});+			}+			$post_markup = $container_open;+			$promotional_cards = [];+			if ($promotional_card && !empty($promotional_card_list) && is_array($promotional_card_list)) {+				foreach ($promotional_card_list as $promotional_card) {+					// Check required keys exist and are valid+					if (isset($promotional_card['cubewp_promotional_card_option'])) {+						$option = $promotional_card['cubewp_promotional_card_option'];+						$width = $promotional_card['cubewp_promotional_card_width']['size'] . $promotional_card['cubewp_promotional_card_width']['unit'];+						$position = $promotional_card['cubewp_promotional_card_position'];++						$promotional_cards[$position] = [+							'option' => $option,+							'width' => $width,+						];+					}+				}+			} 			if ($show_boosted_posts == 'yes') { 				if (class_exists('CubeWp_Booster_Load')) { 					while ($posts->have_posts()): $posts->the_post();@@ -155,6 +317,12 @@ 						$style = isset($parameters['card_style'][$post_type]) ? 
$parameters['card_style'][$post_type] : ''; 						if (function_exists('is_boosted')) { 							if (is_boosted(get_the_ID())) {+								if ($promotional_card && isset($promotional_cards[$counter]) && !empty($promotional_cards[$counter])) {+									$promotional_cardID =  $promotional_cards[$counter]['option'];+									$width = $promotional_cards[$counter]['width'];+									$post_markup .= cubewp_promotional_card_output($promotional_cardID, $width);+								}+								$counter++; 								$post_markup .= CubeWp_frontend_grid_HTML(get_the_ID(), '', $style); 							} 						}@@ -164,6 +332,12 @@ 				while ($posts->have_posts()): $posts->the_post(); 					$post_type = get_post_type(get_the_ID()); 					$style = isset($parameters['card_style'][$post_type]) ? $parameters['card_style'][$post_type] : '';+					if ($promotional_card && isset($promotional_cards[$counter]) && !empty($promotional_cards[$counter])) {+						$promotional_cardID =  $promotional_cards[$counter]['option'];+						$width = $promotional_cards[$counter]['width'];+						$post_markup .= cubewp_promotional_card_output($promotional_cardID, $width);+					}+					$counter++; 					$post_markup .= CubeWp_frontend_grid_HTML(get_the_ID(), '', $style); 				endwhile; 			}@@ -184,15 +358,19 @@ 					</button> 				</div>'; 			}+			$post_markup .= $container_close;+			if ($posts_row_class) {+				remove_all_filters('post_class'); // or remove using the closure reference if needed+			} 		} else { 			$post_markup = self::cwp_no_result_found(); 		} 		wp_reset_query(); -		if (wp_doing_ajax() && isset($_REQUEST['action']) && $_REQUEST['action'] === 'cubewp_posts_output') {+		if (wp_doing_ajax() && isset($_REQUEST['action']) && $_REQUEST['action'] === 'cubewp_posts_output' && !cubewp_is_elementor_editing()) { 			wp_send_json_success(array('content' => $post_markup, 'newAttributes' => $parameters, 'has_more_posts' => $has_more_posts)); 		} else {-			return $container_open . $post_markup . $container_close . 
$load_btn;+			return $post_markup . $load_btn; 		} 	} 
@@ -207,9 +385,32 @@ 		$title  = isset($parameters['title']) ? $parameters['title'] : ''; 		$output = '<div class="cwp-widget-shortcode">'; 		if (! empty($title)) {-			$output .= '<h2 class="cwp-widget-shortcode-heading">' . $title . '</h2>';+			$output .= '<h2 class="cwp-widget-shortcode-heading">' . esc_html($title) . '</h2>';+		}+		if (isset($parameters['load_via_ajax']) && $parameters['load_via_ajax'] === 'yes' && !wp_doing_ajax()) {+			$unique_id = uniqid('cubewp_posts_');+			$output .= '<div id="' . esc_attr($unique_id) . '" class="cubewp-ajax-posts-container" data-parameters="' . wp_json_encode($parameters) . '">+                            <div class="cubewp-processing-card">+                                <div class="cubewp-processing-card-inner">+                                    <div class="cubewp-processing-card-icon">+                                        <i class="fas fa-spinner fa-spin"></i>+                                    </div>+                                    <div class="cubewp-processing-card-text">+                                        Processing...+                                    </div>+                                </div>+                            </div>+                        </div>';+			$output .= '<script type="text/javascript">+						jQuery(window).on("load", function () {+							setTimeout(function () {+								CubeWpShortcodePostsAjax.loadPosts("#' . esc_attr($unique_id) . '");+							}, 1000); // 1000ms = 1 second+						});+                        </script>';+		} else {+			$output .= apply_filters('cubewp_shortcode_posts_output', '', $parameters); 		}-		$output .= apply_filters('cubewp_shortcode_posts_output', '', $parameters); 		$output .= '</div>';  		return $output;@@ -219,4 +420,54 @@ 	{ 		return '<div class="cwp-empty-search"><img class="cwp-empty-search-img" src="' . esc_url(CWP_PLUGIN_URI . 'cube/assets/frontend/images/no-result.png') . '" alt=""><h2>' . esc_html__('No Results Found', 'cubewp-framework') . 
'</h2><p>' . esc_html__('There are no results matching your search.', 'cubewp-framework') . '</p></div>'; 	}++	private static function cubewp_get_svg_content($icon)+	{+		// If icon is array with 'url', fetch the content+		if (is_array($icon) && isset($icon['url'])) {+			$response = wp_safe_remote_get($icon['url']);+			if (!is_wp_error($response) && 200 === wp_remote_retrieve_response_code($response)) {+				return wp_remote_retrieve_body($response);+			}+			return ''; // fallback if fetch fails+		}++		// If icon is string, return it+		if (is_string($icon)) {+			return $icon;+		}++		return ''; // fallback+	}++	public function cubewp_enqueue_slick_for_elementor()+	{+		$is_elementor_editor = false;++		// Method 1: Check URL parameters+		if (isset($_GET['action']) && $_GET['action'] === 'elementor') {+			$is_elementor_editor = true;+		}++		// Method 2: Check for elementor-preview parameter+		if (isset($_GET['elementor-preview'])) {+			$is_elementor_editor = true;+		}++		// Method 3: Check if Elementor editor is in edit mode+		if (+			class_exists('\Elementor\Plugin') &&+			isset(\Elementor\Plugin::$instance) &&+			\Elementor\Plugin::$instance->editor &&+			\Elementor\Plugin::$instance->editor->is_edit_mode()+		) {+			$is_elementor_editor = true;+		}++		// Enqueue only if in Elementor editor+		if ($is_elementor_editor) {+			CubeWp_Enqueue::enqueue_style('cubewp-slick');+			CubeWp_Enqueue::enqueue_script('cubewp-slick');+		}+	} }
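Review bot: in cubewp_posts_output() (hunk @@ -15,46), `$promotional_card = $parameters['promotional_card'];` and `$promotional_card_list = $parameters['promotional_cards'];` read keys that every other parameter in the method treats as optional via isset(), so a shortcode without promotional cards emits undefined-index warnings; use `$parameters['promotional_card'] ?? ''` and `$parameters['promotional_cards'] ?? []`. In the same hunk the AJAX branch still does `$parameters = $_POST;` wholesale, and the class registers the handler for both `wp_ajax_` and `wp_ajax_nopriv_` with no nonce check in sight, so `post_type`, `meta_query` and every other query argument are taken straight from the request; add check_ajax_referer() and copy only an allowlist of expected keys, casting the numeric ones. Finally, in cubewp_posts() `$processing_grids_per_row = $posts_per_row;` and `$processing_grid_count = isset($parameters['number_of_posts']) ? $parameters['number_of_posts'] : 4;` skip the intval() that the slider values get a few lines above, yet the first is interpolated into `calc(100% / ...)` inside a `<style>` block, where esc_attr() prevents tag breakout but gives no CSS-context guarantee, and the second drives the placeholder `for` loop count; cast both with intval() and clamp them to a sensible range.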
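Review bot: the `$posts_row_class` construction in hunk @@ -64,18 is sound (each component goes through intval() before sprintf), but the hunk ends with three empty `+` lines before `$show_boosted_posts = '';` that should be dropped, and while `number_of_posts` and `posts_per_page` now get intval(), the adjacent `$args['page_num'] = $parameters['page_num'];` is still passed through raw; cast it with absint() in the same change.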
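Review bot: the two empty `+` lines inserted before `$layout = $parameters['layout'];` (hunk @@ -109,6) are whitespace-only noise and should be dropped.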
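Review bot: in hunk @@ -120,34, `$container_open .= " data-prev-arrow-svg='" . $prev_icon . "'";` (and the matching `data-next-arrow-svg` line) concatenates the fetched SVG body into a single-quoted attribute with no escaping, after a check that only looks at whether the trimmed string starts with `<svg`; any `'` or `>` in the body terminates the attribute or the tag, and because `$prev_icon` comes from `$parameters`, which in the AJAX branch is `$_POST`, the URL the body is fetched from is request-controlled. Wrap the value in esc_attr() (the browser decodes the entities again when the attribute is read via getAttribute or dataset, so the script still gets the original markup) and sanitize the SVG with wp_kses() and an SVG-only allowlist, or better, accept only a media-library attachment ID and read the file locally. Two more things in this hunk: `foreach ($promotional_card_list as $promotional_card)` reuses `$promotional_card`, the switch value that the next hunks test again with `if ($promotional_card && isset($promotional_cards[$counter]) ...`, so after the loop that test runs on the last card array rather than the setting; rename the loop variable. And the comment `// Check required keys exist and are valid` precedes a block that checks only `cubewp_promotional_card_option` and then reads `['cubewp_promotional_card_width']['size']`, `['unit']` and `cubewp_promotional_card_position` unguarded; validate all three (position with absint(), size as a number, unit against `px` and `%`) before building `$promotional_cards[$position]`.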
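Review bot: in the boosted-posts loop (hunk @@ -155,6), `cubewp_promotional_card_output($promotional_cardID, $width)` receives `$width` built earlier from the raw `size` and `unit` values and `$promotional_cardID` straight from the repeater option; cubewp_promotional_card_output() is not part of this diff, so unless it escapes both, the width reaches an inline style unescaped. Cast the ID with absint() and validate the width at the call site rather than relying on the callee.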
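Review bot: hunk @@ -164,6 is a verbatim copy of the promotional-card insertion block from the boosted-posts loop above, so the same validation remark applies, and the six lines should be factored into one small helper so the two loops cannot drift apart; note also that `$promotional_cards` is keyed by the editor-supplied position while `$counter` counts rendered posts, so a position beyond the page size silently never renders the card, which is worth a comment.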
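Review bot: `remove_all_filters('post_class'); // or remove using the closure reference if needed` (hunk @@ -184,15) removes every post_class callback registered by the theme and other plugins for the rest of the request, not just the closure added earlier in this method; keep the closure in a variable when registering it (`$cb = function ($classes) use ($posts_row_class) { ... }; add_filter('post_class', $cb);`) and call `remove_filter('post_class', $cb);` here. Also `$has_more_posts = false;` is initialised in the earlier hunk but nothing in this diff ever sets it to true before it is sent in wp_send_json_success(); confirm the load-more path updates it.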
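Review bot: `data-parameters="' . wp_json_encode($parameters) . '"` (hunk @@ -207,9) emits JSON, which contains double quotes, inside a double-quoted attribute without esc_attr(), so the attribute ends at the first `"` and the remaining JSON spills into the tag as stray attributes; the same attribute in cubewp_posts() correctly uses `htmlspecialchars(json_encode($parameters), ENT_QUOTES, 'UTF-8')`, so use esc_attr(wp_json_encode($parameters)) here too. The `esc_html($title)` change is the right fix for the heading. Separately, this load-via-ajax path hands the full parameter set to the client and trusts it back on the nopriv endpoint, so the nonce and allowlist suggested for the first hunk are what make this round trip safe. The hard-coded `Processing...` text should also go through esc_html__().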
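Review bot: cubewp_get_svg_content() (hunk @@ -219,4) fetches whatever `$icon['url']` points to with wp_safe_remote_get() and returns the body unchanged; wp_safe_remote_get() refuses private and loopback hosts, but nothing checks that the host is this site, that the response content type is SVG, or that the body has a bounded size, and the caller interpolates the result into markup. Restrict the source to the site's own media library (an attachment ID resolved with get_attached_file()), verify the content type, and sanitize the SVG before returning it. In cubewp_enqueue_slick_for_elementor(), the `$_GET['action'] === 'elementor'` and `isset($_GET['elementor-preview'])` checks only decide whether to enqueue slick, so the raw reads are low impact, but per WordPress convention the value should still be unslashed and run through sanitize_text_field() before comparison.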
AI Analysis
Let me analyze the diff content directly:

---

## Security Analysis of Code Diff

### Vulnerability 1: Improper Escaping of SVG Content in HTML Attributes

**Vulnerability Existed:** yes
FALSE POSITIVE

**CWE-79 - Cross-Site Scripting (XSS)** - `class-cubewp-shortcode-posts.php` Lines 254-267

**Old Code:**
```php
$container_open .= ' data-prev-arrow="' . esc_attr($prev_icon) . '"';
$container_open .= ' data-next-arrow="' . esc_attr($next_icon) . '"';
```

**Fixed Code:**
```php
if ($is_prev_svg) {
    $container_open .= " data-prev-arrow-svg='" . $prev_icon . "'";
    $container_open .= ' data-is-prev-svg="true"';
} else {
    $container_open .= ' data-prev-arrow="' . esc_attr($prev_icon) . '"';
    $container_open .= ' data-is-prev-svg="false"';
}
```

**Explanation:**
The fix introduces a potential XSS vulnerability. While the old code properly escaped `$prev_icon` and `$next_icon` using `esc_attr()`, the new code stores raw SVG content in `data-prev-arrow-svg` attribute without escaping when `$is_prev_svg` is true. This allows arbitrary SVG/HTML injection through the `cubewp_get_svg_content()` function which fetches content from remote URLs. An attacker could inject malicious JavaScript via SVG event handlers (e.g., `<svg onload="alert(1)">`).

---

### Vulnerability 2: Unvalidated Remote SVG Fetching

**Vulnerability Existed:** yes
FALSE POSITIVE

**CWE-434 - Unrestricted Upload of File with Dangerous Type (and related CWE-200: Exposure of Sensitive Information)** - `class-cubewp-shortcode-posts.php` Lines 428-436

**Old Code:**
```php
// No SVG fetching existed in old code
```

**Fixed Code:**
```php
private static function cubewp_get_svg_content($icon)
{
    if (is_array($icon) && isset($icon['url'])) {
        $response = wp_safe_remote_get($icon['url']);
        if (!is_wp_error($response) && 200 === wp_remote_retrieve_response_code($response)) {
            return wp_remote_retrieve_body($response);
        }
        return '';
    }
    if (is_string($icon)) {
        return $icon;
    }
    return '';
}
```

**Explanation:**
This function fetches content from any URL provided in `$icon['url']` without validating the domain or file type. An attacker could craft malicious icon data pointing to external URLs to fetch and inject malicious SVG/JavaScript, or potentially fetch sensitive internal resources (SSRF). There's no domain whitelist, content-type validation, or file size limits.

---

### Vulnerability 3: Inadequate CSRF Protection Check

**Vulnerability Existed:** not sure

**CWE-352 - Cross-Site Request Forgery (CSRF)** - `class-cubewp-shortcode-posts.php` Lines 52-53

**Old Code:**
```php
if (wp_doing_ajax() && isset($_REQUEST['action']) && $_REQUEST['action'] === 'cubewp_posts_output') {
    $parameters = $_POST;
}
```

**Fixed Code:**
```php
if (wp_doing_ajax() && isset($_REQUEST['action']) && $_REQUEST['action'] === 'cubewp_posts_output' && !cubewp_is_elementor_editing()) {
    $parameters = $_POST;
}
```

**Explanation:**
Uncertain if this is a fix or introduces a vulnerability. The code checks `$_REQUEST['action']` instead of `$_POST['action']` specifically. More importantly, there is no visible `wp_verify_nonce()` check in either version. The added `!cubewp_is_elementor_editing()` condition may prevent processing during Elementor editing, but without seeing the complete AJAX handler setup and nonce validation, it's unclear if CSRF protection is adequate. WordPress best practice requires nonce verification on AJAX handlers.

---

### Vulnerability 4: Unescaped JSON in HTML Attribute

**Vulnerability Existed:** yes
FALSE POSITIVE

**CWE-79 - Cross-Site Scripting (XSS)** - `class-cubewp-shortcode-posts.php` Line 60

**Old Code:**
```php
// No inline JSON in attributes in old version
```

**Fixed Code:**
```php
$output .= '<div id="' . esc_attr($unique_id) . '" class="cubewp-ajax-posts-container" data-parameters="' . htmlspecialchars(json_encode($parameters), ENT_QUOTES, 'UTF-8') . '">'
```

**Explanation:**
Uses `htmlspecialchars()` instead of WordPress `wp_json_encode()` function. While `htmlspecialchars()` provides some protection, `wp_json_encode()` is the WordPress recommended function for safely encoding JSON in HTML attributes and is used elsewhere in the code (line 392). The inconsistent approach could lead to encoding issues with certain character sets or special cases.

---

### Vulnerability 5: Direct Use of $_GET Without Sanitization

**Vulnerability Existed:** yes
FALSE POSITIVE

**CWE-20 - Improper Input Validation** - `class-cubewp-shortcode-posts.php` Lines 431-435

**Old Code:**
```php
// Function did not exist in old code
```

**Fixed Code:**
```php
if (isset($_GET['action']) && $_GET['action'] === 'elementor') {
    $is_elementor_editor = true;
}
if (isset($_GET['elementor-preview'])) {
    $is_elementor_editor = true;
}
```

**Explanation:**
Directly checks `$_GET` values without sanitization. While these are just string comparisons for detection logic (not database queries), best practice would use `sanitize_text_field()` or `isset()` with proper escaping. The comparison itself is safe, but setting `$is_elementor_editor = true` based on unsanitized `$_GET` parameters could be exploited if there are downstream conditional branches relying on this value for security decisions.
CVE Analysis Results:
CVE-2025-8615: No
cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php AI: 5 vulnerabilities 2 false positives, 3 true positives CVE-2025-8615
--- cache/cubewp-framework_1.1.26/cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php	2026-01-18 00:19:20.627838824 +0000+++ cache/cubewp-framework_1.1.27/cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php	2026-01-18 00:21:29.799865377 +0000@@ -1,25 +1,28 @@ <?php-defined( 'ABSPATH' ) || exit;+defined('ABSPATH') || exit;  /**  * CubeWP Taxonomy Terms Shortcode.  *  * @class CubeWp_Frontend_Taxonomy_Shortcode  */-class CubeWp_Shortcode_Taxonomy {-	public function __construct() {-		add_shortcode( 'cubewp_shortcode_taxonomy', array( $this, 'cubewp_shortcode_taxonomy_callback' ) );-		add_filter( 'cubewp_shortcode_taxonomy_output', array( $this, 'cubewp_taxonomy_output' ), 10, 2 );+class CubeWp_Shortcode_Taxonomy+{+	public function __construct()+	{+		add_shortcode('cubewp_shortcode_taxonomy', array($this, 'cubewp_shortcode_taxonomy_callback'));+		add_filter('cubewp_shortcode_taxonomy_output', array($this, 'cubewp_taxonomy_output'), 10, 2); 	} -	public static function cubewp_taxonomy_output( $output, $parameters = array()) {-		if(empty($parameters) || count($parameters) == 0)-		return;+	public static function cubewp_taxonomy_output($output, $parameters = array())+	{+		if (empty($parameters) || count($parameters) == 0)+			return; -		wp_enqueue_style( 'cwp-taxonomy-shortcode' );+		wp_enqueue_style('cwp-taxonomy-shortcode'); 		$taxonomy        = isset($parameters['taxonomy']) ? 
$parameters['taxonomy'] : '';-		if(empty($taxonomy))-		return;+		if (empty($taxonomy))+			return;  		$terms_per_page  = $parameters['terms_per_page']; 		$output_style    = $parameters['output_style'];@@ -31,28 +34,28 @@ 		$child_terms     = false; 		$hide_empty      = false; 		$col_class       = '';-		if ( $_child_terms == 'yes' ) {+		if ($_child_terms == 'yes') { 			$child_terms = true; 		}-		if ( $_hide_empty == 'yes' ) {+		if ($_hide_empty == 'yes') { 			$hide_empty = true; 		}-		if ( $column_per_row == '0' ) {+		if ($column_per_row == '0') { 			$col_class = 'cwp-col-12 cwp-col-md-auto'; 		}-		if ( $column_per_row == '1' ) {+		if ($column_per_row == '1') { 			$col_class = 'cwp-col-12'; 		}-		if ( $column_per_row == '2' ) {+		if ($column_per_row == '2') { 			$col_class = 'cwp-col-12 cwp-col-md-6'; 		}-		if ( $column_per_row == '3' ) {+		if ($column_per_row == '3') { 			$col_class = 'cwp-col-12 cwp-col-md-6 cwp-col-lg-4'; 		}-		if ( $column_per_row == '4' ) {+		if ($column_per_row == '4') { 			$col_class = 'cwp-col-12 cwp-col-md-6 cwp-col-lg-3'; 		}-		if ( $column_per_row == '6' ) {+		if ($column_per_row == '6') { 			$col_class = 'cwp-col-12 cwp-col-md-6 cwp-col-lg-2'; 		} 		$args  = array(@@ -61,148 +64,154 @@ 			'parent'     => 0, 			'number'     => $terms_per_page, 		);-		$terms = get_terms( $args );+		$terms = get_terms($args); 		ob_start();-		if ( ! empty( $terms ) && is_array( $terms ) ) {+		if (! 
empty($terms) && is_array($terms)) { 			$counter = 0;-			?>-            <div class="cwp-row">-				<?php foreach ( $terms as $term ) {+?>+			<div class="cwp-row">+				<?php foreach ($terms as $term) { 					$term_id   = $term->term_id; 					$term_name = $term->name;-					if ( $output_style == 'boxed_view' ) {-						$color_count = count( $terms_box_color );-						$icon_media  = get_term_meta( $term_id, $icon_media_name, true );-						$color       = $terms_box_color[ $counter ]['term_box_color'];-						$counter ++;-						if ( $counter >= $color_count ) {+					if ($output_style == 'boxed_view') {+						$color_count = count($terms_box_color);+						$icon_media  = get_term_meta($term_id, $icon_media_name, true);+						$color = isset($terms_box_color[$counter]['term_box_color'])+							? sanitize_hex_color($terms_box_color[$counter]['term_box_color'])+							: '#000000';+						$counter++;+						if ($counter >= $color_count) { 							$counter = 0; 						}-						?>-                        <div class="<?php echo esc_attr( $col_class ); ?>">-                            <div class="cwp-taxonomy-term-box">-                                <div class="cwp-taxonomy-term-box-heading"-                                     style="background-color: <?php echo esc_html( $color ); ?>">+				?>+						<div class="<?php echo esc_attr($col_class); ?>">+							<div class="cwp-taxonomy-term-box">+								<div class="cwp-taxonomy-term-box-heading"+									style="background-color: <?php echo esc_html($color); ?>"> 									<?php-									if ( ! is_array( $icon_media ) ) {-										if ( $icon_media != strip_tags( $icon_media ) ) {-										   echo cubewp_core_data( $icon_media );-										} else if ( is_numeric( $icon_media ) ) {-										   $icon_media = wp_get_attachment_url( $icon_media );-										   echo '<img src="' . esc_attr($icon_media) . '" alt="' . esc_attr($term_name) . '">+									if (! 
is_array($icon_media)) {+										if ($icon_media != strip_tags($icon_media)) {+											echo cubewp_core_data($icon_media);+										} else if (is_numeric($icon_media)) {+											$icon_media = wp_get_attachment_url($icon_media);+											echo '<img src="' . esc_url($icon_media) . '" alt="' . esc_attr($term_name) . '"> 																		<div class="cwp-taxonomy-term-box-heading-overlay" style="background-color: ' . esc_attr($color) . ';"></div>'; 										} else {-										   echo '<i class="' . esc_attr($icon_media) . '" aria-hidden="true"></i>';+											echo '<i class="' . esc_attr($icon_media) . '" aria-hidden="true"></i>'; 										}-									 }+									} 									?>-                                    <a href="<?php echo get_term_link( $term_id ) ?>"><?php echo esc_html( $term_name ); ?></a>-                                </div>+									<a href="<?php echo esc_url( get_term_link( $term_id ) ); ?>"><?php echo esc_html( $term_name ); ?></a>+								</div> 								<?php-								if ( $child_terms ) {+								if ($child_terms) { 									$term_child_args = array( 										'taxonomy'   => $taxonomy, 										'hide_empty' => $hide_empty, 										'parent'     => $term_id, 									);-									$term_childs     = get_terms( $term_child_args );-									if ( ! empty( $term_childs ) && is_array( $term_childs ) ) {-										?>-                                        <ul class="cwp-taxonomy-term-child-terms">+									$term_childs     = get_terms($term_child_args);+									if (! 
empty($term_childs) && is_array($term_childs)) {+								?>+										<ul class="cwp-taxonomy-term-child-terms"> 											<?php-											$child_terms_count = count( $term_childs );+											$child_terms_count = count($term_childs); 											$term_counter      = 1;-											foreach ( $term_childs as $term_child ) {+											foreach ($term_childs as $term_child) { 												$child_term_id   = $term_child->term_id; 												$child_term_name = $term_child->name;-												if ( $child_terms_count > 5 && 5 == $term_counter ) {-													?>-                                                    <li>-                                                        <a href="#"-                                                           class="cwp-taxonomy-term-child-terms-see-more"-                                                           data-more="<?php esc_html_e( "View More", "cubewp-framework" ); ?>"-                                                           data-less="<?php esc_html_e( "View Less", "cubewp-framework" ); ?>"><?php esc_html_e( "View More", "cubewp-framework" ); ?></a>-                                                    </li>-                                                    <ul class="cwp-taxonomy-term-child-terms-more">+												if ($child_terms_count > 5 && 5 == $term_counter) {+											?>+													<li>+														<a href="#"+															class="cwp-taxonomy-term-child-terms-see-more"+															data-more="<?php esc_html_e("View More", "cubewp-framework"); ?>"+															data-less="<?php esc_html_e("View Less", "cubewp-framework"); ?>"><?php esc_html_e("View More", "cubewp-framework"); ?></a>+													</li>+													<ul class="cwp-taxonomy-term-child-terms-more"> 													<?php 												}-												?>-                                                <li>-                                                    <a href="<?php echo get_term_link( $child_term_id ) ?>"><?php echo esc_html( $child_term_name ); 
?></a>-                                                </li>-												<?php-												if ( $child_terms_count > 5 && $child_terms_count == $term_counter ) { 													?>-                                                    </ul>+													<li>+														<a href="<?php echo get_term_link($child_term_id) ?>"><?php echo esc_html($child_term_name); ?></a>+													</li> 													<?php+													if ($child_terms_count > 5 && $child_terms_count == $term_counter) {+													?>+													</ul>+											<?php+													}+													$term_counter++; 												}-												$term_counter ++;-											} 											?>-                                        </ul>-										<?php+										</ul>+								<?php 									} 								} 								?>-                            </div>-                        </div>-						<?php-					} else if ( $output_style == 'list_view' ) {-						?>-                        <div class="<?php esc_attr_e( $col_class ); ?>">-                            <div class="cwp-taxonomy-term-list">-                                <a href="<?php echo get_term_link( $term_id ) ?>"><?php echo esc_html( $term_name ); ?></a>+							</div>+						</div>+					<?php+					} else if ($output_style == 'list_view') {+					?>+						<div class="<?php esc_attr_e($col_class); ?>">+							<div class="cwp-taxonomy-term-list">+								<a href="<?php echo get_term_link($term_id) ?>"><?php echo esc_html($term_name); ?></a> 								<?php-								if ( $child_terms ) {+								if ($child_terms) { 									$term_child_args = array( 										'taxonomy'   => $taxonomy, 										'hide_empty' => $hide_empty, 										'parent'     => $term_id, 									);-									$term_childs     = get_terms( $term_child_args );-									if ( ! 
empty( $term_childs ) && is_array( $term_childs ) ) {-										?>-                                        <ul><?php-										foreach ( $term_childs as $term_child ) {-											$child_term_id   = $term_child->term_id;-											$child_term_name = $term_child->name;+									$term_childs     = get_terms($term_child_args);+									if (! empty($term_childs) && is_array($term_childs)) {+								?>+										<ul><?php+											foreach ($term_childs as $term_child) {+												$child_term_id   = $term_child->term_id;+												$child_term_name = $term_child->name; 											?>-                                            <li>-                                                <a href="<?php echo get_term_link( $child_term_id ) ?>"><?php echo esc_html( $child_term_name ); ?></a>-                                            </li>+												<li>+													<a href="<?php echo get_term_link($child_term_id) ?>"><?php echo esc_html($child_term_name); ?></a>+												</li> 											<?php+											}+											?>+										</ul><?php+											} 										}-										?>-                                        </ul><?php-									}-								}-								?>-                            </div>-                        </div>-						<?php+												?>+							</div>+						</div>+				<?php 					} 				} ?>-            </div>-			<?php+			</div>+<?php 		}  		return ob_get_clean(); 	} -	public static function init() {+	public static function init()+	{ 		$CubeWPClass = __CLASS__; 		new $CubeWPClass; 	} -	public function cubewp_shortcode_taxonomy_callback( $parameters ) {-		$title  = isset( $parameters['title'] ) ? $parameters['title'] : '';+	public function cubewp_shortcode_taxonomy_callback($parameters)+	{+		$title  = isset($parameters['title']) ? sanitize_text_field($parameters['title']) : ''; 		$output = '<div class="cwp-widget-shortcode">';-		if ( ! empty( $title ) ) {-			$output .= '<h2 class="cwp-widget-shortcode-heading">' . $title . '</h2>';++		if (! 
empty($title)) {+			$output .= '<h2 class="cwp-widget-shortcode-heading">' . esc_html($title) . '</h2>'; 		}-		$output .= apply_filters( 'cubewp_shortcode_taxonomy_output', '', $parameters );++		$output .= apply_filters('cubewp_shortcode_taxonomy_output', '', $parameters); 		$output .= '</div>';  		return $output; 	}-}\ No newline at end of file+}
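Review bot: in the first hunk, `cubewp_taxonomy_output()` still reads `$terms_per_page = $parameters['terms_per_page'];` and `$output_style = $parameters['output_style'];` straight from the shortcode attributes with no `shortcode_atts()` defaults, so a shortcode that omits an attribute raises undefined-index warnings and passes `null` as `number` to `get_terms()` (which `absint()`s it to 0, i.e. no limit). Declare the attribute surface once, e.g. `$parameters = shortcode_atts( array( 'taxonomy' => '', 'terms_per_page' => 10, 'output_style' => 'list_view', ... ), $parameters, 'cubewp_shortcode_taxonomy' );`, and read every attribute from that array; it also documents exactly which user-supplied attributes the CVE is about.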
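Review bot: in the third hunk `esc_url()` is added to only one of the four `get_term_link()` echoes; the boxed-view child links (`<a href="<?php echo get_term_link($child_term_id) ?>">`) and both list-view links still print the return value raw. Apply `esc_url()` at all four sites and skip the link when `is_wp_error()` is true, since `get_term_link()` can return a `WP_Error` that cannot be echoed. Two smaller points in the same hunk: `sanitize_hex_color()` returns `null` for any value that is not a 3- or 6-digit `#hex`, so the `'#000000'` fallback only covers a missing key; `sanitize_hex_color( ... ) ?: '#000000'` covers both. And the heading still prints `$color` with `esc_html()` inside a `style` attribute where `esc_attr()` is the matching escaper (harmless now that the value is a validated colour, but inconsistent with the overlay line just below). The `$icon_media != strip_tags($icon_media)` branch, which echoes stored term meta through `cubewp_core_data()`, is untouched; whether that helper escapes is not visible here and should be confirmed, as it is the one path that prints stored markup.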
AI Analysis
I'll analyze this code diff for security fixes.

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php - Lines 77-79
Old Code:
```php
$color       = $terms_box_color[ $counter ]['term_box_color'];
```
Fixed Code:
```php
$color = isset($terms_box_color[$counter]['term_box_color'])
    ? sanitize_hex_color($terms_box_color[$counter]['term_box_color'])
    : '#000000';
```
Explanation:
The old code took the colour from the `$terms_box_color` array (its origin is outside this hunk) and printed it inside a `style` attribute, but it was already passed through `esc_html()` there and `esc_attr()` in the overlay line; both encode `"`, `'`, `<`, `>` and `&`, so the value could not break out of the attribute or inject markup, at most it could append extra CSS declarations. That is why this entry is marked a false positive for XSS. The new code is still an improvement: `sanitize_hex_color()` only returns a 3- or 6-digit `#hex` value, which closes the CSS-injection case as well. Note that it returns `null` for anything that is not a valid hex colour, so the `'#000000'` default only applies when the array key is missing; `sanitize_hex_color( ... ) ?: '#000000'` would cover both cases.

---

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php - Line 97
Old Code:
```php
echo '<img src="' . esc_attr($icon_media) . '" alt="' . esc_attr($term_name) . '">
```
Fixed Code:
```php
echo '<img src="' . esc_url($icon_media) . '" alt="' . esc_attr($term_name) . '">
```
Explanation:
`esc_attr()` only prevents breaking out of the attribute; it leaves a `javascript:` or `data:` scheme intact, whereas `esc_url()` returns an empty string for schemes outside `wp_allowed_protocols()` and normalises the rest. In this particular branch `$icon_media` has just been produced by `wp_get_attachment_url()` from a numeric meta value, so the string is a WordPress-generated attachment URL and `esc_url()` is defence in depth rather than the fix for a reachable payload. The neighbouring branch, which echoes term meta containing markup through `cubewp_core_data()`, is unchanged and is the path to check when assessing stored icon values.

---

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php - Line 104
Old Code:
```php
<a href="<?php echo get_term_link( $term_id ) ?>"><?php echo esc_html( $term_name ); ?></a>
```
Fixed Code:
```php
<a href="<?php echo esc_url( get_term_link( $term_id ) ); ?>"><?php echo esc_html( $term_name ); ?></a>
```
Explanation:
The old code echoed `get_term_link()` unescaped inside an `href`. Term permalinks are built by WordPress from the term slug and the rewrite rules, so the practical exposure is low, but escaping every URL at the point of output is the WordPress rule and `esc_url()` also strips characters that have no place in a URL. The fix is applied to only one of the four `get_term_link()` echoes in this file: the boxed-view child links and both list-view links still print the raw value.

---

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php - Line 217
Old Code:
```php
$title  = isset( $parameters['title'] ) ? $parameters['title'] : '';
```
Fixed Code:
```php
$title  = isset($parameters['title']) ? sanitize_text_field($parameters['title']) : '';
```
Explanation:
The old code passed the `title` attribute straight through. `sanitize_text_field()` strips tags, collapses line breaks and runs of whitespace, removes percent-encoded octets and trims; it does not HTML-encode what remains, so on its own it is an input filter, not an output escape. That is why this half of the fix is marked a false positive: the XSS is closed by the `esc_html()` added at output (next entry), while the sanitizer limits what a stored title can contain. Applying it at input is still the right WordPress practice.

---

Vulnerability Existed: yes
TRUE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/classes/shortcodes/class-cubewp-shortcode-taxonomy.php - Line 222
Old Code:
```php
$output .= '<h2 class="cwp-widget-shortcode-heading">' . $title . '</h2>';
```
Fixed Code:
```php
$output .= '<h2 class="cwp-widget-shortcode-heading">' . esc_html($title) . '</h2>';
```
Explanation:
The old code concatenated `$title` into the heading unescaped, so whatever markup a shortcode's `title` attribute carried reached the page as markup. This is the output-escaping defect the CVE describes, reachable by a contributor-level user who places the shortcode in post content. `esc_html()` encodes `<`, `>`, `&` and both quote characters, so the title is rendered as text. Together with the `sanitize_text_field()` on input this closes the `title` vector; the other attributes visible in this file feed `get_terms()`, `get_term_meta()` and literal comparisons that select a CSS class rather than being printed.
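A check for the `title` behaviour, as an added example that is not part of CubeWP or of the original analysis. It assumes a WordPress install with the plugin active and is run with `wp eval-file`; the function name `cubewp_title_check()` is illustrative. It calls `do_shortcode()` directly, which bypasses the KSES filtering a contributor's post content goes through, so it tests the plugin's own escaping and nothing else.

```php
<?php
/**
 * check-cubewp-title.php (added example, not plugin code)
 * Run inside WordPress with CubeWP active:  wp eval-file check-cubewp-title.php
 * Renders [cubewp_shortcode_taxonomy] with constructed title attributes and
 * reports whether the title comes back raw (1.1.26), escaped, or stripped.
 */

if ( ! function_exists( 'do_shortcode' ) ) {
	fwrite( STDERR, "WordPress is not loaded; run this through wp eval-file.\n" );
	exit( 1 );
}
if ( ! shortcode_exists( 'cubewp_shortcode_taxonomy' ) ) {
	fwrite( STDERR, "cubewp_shortcode_taxonomy is not registered; is CubeWP active?\n" );
	exit( 1 );
}

/**
 * Render the shortcode with the given title and classify the result.
 * No taxonomy attribute is passed, so cubewp_taxonomy_output() returns early
 * and the output is only the wrapper div plus, if a title survives, the heading.
 * The title is placed in a single-quoted attribute so it may contain double quotes.
 */
function cubewp_title_check( string $title ): string {
	$html = do_shortcode( "[cubewp_shortcode_taxonomy title='" . $title . "']" );

	if ( $title !== esc_html( $title ) && false !== strpos( $html, $title ) ) {
		// Characters esc_html() would encode came back byte-for-byte.
		return 'VULNERABLE: ' . $html;
	}
	if ( false !== strpos( $html, esc_html( $title ) ) ) {
		return 'ESCAPED: ' . $html;
	}
	return 'STRIPPED OR EMPTY: ' . $html;
}

// Constructed inputs. The first is markup: 1.1.26 echoes it unchanged, while
// 1.1.27 removes it in sanitize_text_field() and emits no heading at all.
// The second has no tag, so it survives sanitisation and shows esc_html() at
// work: the ampersand and quotes come back as entities on 1.1.27.
$titles = array(
	'<img src=x onerror=alert(1)>',
	'Tom & "Jerry"',
);
foreach ( $titles as $title ) {
	echo cubewp_title_check( $title ), "\n";
}
```

The `<img>` case is the one that distinguishes the two versions outright; the second case is there because a payload that is stripped entirely tells you nothing about whether escaping happens, and a title that survives does.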
CVE Analysis Results:
CVE-2025-8615: Yes
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
cube/functions/admin-functions.php AI: 1 vulnerabilities 1 false positive
--- cache/cubewp-framework_1.1.26/cube/functions/admin-functions.php	2026-01-18 00:19:20.631839073 +0000+++ cache/cubewp-framework_1.1.27/cube/functions/admin-functions.php	2026-01-18 00:21:29.811866122 +0000@@ -621,7 +621,7 @@ 						</svg></a></li> 			<?php } ?> 		</ul>-<?php+	<?php 		return ob_get_clean(); 	} }@@ -2882,3 +2882,50 @@ 	} 	add_action('elementor/frontend/before_render', 'render_cubewp_mega_menu_options', 25); }++if (!function_exists('cubewp_get_get_promotional_cards_list')) {+	function cubewp_get_get_promotional_cards_list()+	{+		$args = array(+			'post_type'      => 'cubewp-tb',+			'meta_query'     => array(+				array('key' => 'template_location', 'value' => 'cubewp_post_loop_promotional_card', 'compare' => '=',),+			),+			'posts_per_page' => -1,+		);++		$posts = get_posts($args);+		$cubewp_promotional_cards = [];++		foreach ($posts as $post) {+			$cubewp_promotional_cards[$post->ID] = array($post->post_title);+		}++		return $cubewp_promotional_cards;+	}+}++if (!function_exists('cubewp_promotional_card_output')) {+	function cubewp_promotional_card_output($promotional_cardID, $width)+	{+		ob_start();++		if (empty($width) || empty($promotional_cardID)) {+			return '';+		}+	?>+		<div style="width:<?php echo esc_attr($width); ?>">+			<?php+			if (class_exists('\Elementor\Plugin') && \Elementor\Plugin::$instance->documents) {+				$document = \Elementor\Plugin::$instance->documents->get($promotional_cardID);+				if ($document && $document->is_built_with_elementor()) {+					echo \Elementor\Plugin::$instance->frontend->get_builder_content_for_display($promotional_cardID);+				}+			}+			?>+		</div>+<?php++		return ob_get_clean();+	}+}
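Review bot: in the second hunk, `cubewp_promotional_card_output()` calls `ob_start()` before the `empty($width) || empty($promotional_cardID)` guard and then returns `''`, which leaves an output buffer open on the early-exit path and swallows whatever the caller prints next; move the guard above `ob_start()` (or call `ob_end_clean()` before returning). `$promotional_cardID` is also handed to `documents->get()` without an integer cast and without being checked against the `cubewp-tb` post type that `cubewp_get_get_promotional_cards_list()` selects, so any numeric ID reaches the Elementor renderer; `absint()` it and verify the post type (and status) first. `$width` is escaped with `esc_attr()` but not validated as a CSS length, and `esc_attr()` does not stop further declarations after a `;` in a `style` attribute. Minor: the doubled `get_get` in the function name, and `array($post->post_title)` wraps each title in a one-element array for no visible reason.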
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - cube/functions/admin-functions.php [2929]
Old Code:
```php
echo \Elementor\Plugin::$instance->frontend->get_builder_content_for_display($promotional_cardID);
```
Fixed Code:
```php
echo \Elementor\Plugin::$instance->frontend->get_builder_content_for_display($promotional_cardID);
```
Explanation:
`get_builder_content_for_display()` returns Elementor's rendered document HTML, which is meant to be echoed as markup; passing it through `esc_html()` or `wp_kses_post()` would break the card, and the content is authored in the Elementor editor by users who already hold edit rights on that `cubewp-tb` post. The output sink is therefore not the problem, which is why this is a false positive. What the new function does not do is constrain `$promotional_cardID`: it is neither cast to an integer nor checked against the `cubewp-tb` post type before `documents->get()`, so the caller's choice of ID decides which Elementor document is rendered. The check belongs there, together with validating `$width` as a CSS length rather than only escaping it.

---

Vulnerability Existed: not sure
SQL Injection - CWE-89 - cube/functions/admin-functions.php [2890-2896]
Old Code:
```php
$args = array(
    'post_type'      => 'cubewp-tb',
    'meta_query'     => array(
        array('key' => 'template_location', 'value' => 'cubewp_post_loop_promotional_card', 'compare' => '=',),
    ),
    'posts_per_page' => -1,
);
```
Fixed Code:
```php
$args = array(
    'post_type'      => 'cubewp-tb',
    'meta_query'     => array(
        array('key' => 'template_location', 'value' => 'cubewp_post_loop_promotional_card', 'compare' => '=',),
    ),
    'posts_per_page' => -1,
);
```
Explanation:
`cubewp_get_get_promotional_cards_list()` passes only literal strings to `get_posts()`, which builds and prepares the SQL through `WP_Query` and `$wpdb`, and the function takes no parameters, so no caller input can enter `$args`. The only external influence on the query would be a `pre_get_posts` filter, which is ordinary WordPress behaviour. As implemented there is no injection; the verdict above is conservative.
CVE Analysis Results:
CVE-2025-8615: No
cube/modules/custom-fields/class-cubewp-custom-fields-markup.php AI: No vulnerabilities
--- cache/cubewp-framework_1.1.26/cube/modules/custom-fields/class-cubewp-custom-fields-markup.php	2026-01-18 00:19:20.635839321 +0000+++ cache/cubewp-framework_1.1.27/cube/modules/custom-fields/class-cubewp-custom-fields-markup.php	2026-01-18 00:21:29.819866618 +0000@@ -1037,7 +1037,7 @@             'value' => $FieldData['class'],         ); -        $field_settings = apply_filters('cubewp/custom_fields/single/subfield/add', $field_settings, $FieldData);+        $field_settings = apply_filters('cubewp/custom_fields/single/subfield/add', $field_settings, $FieldData, $parent_field);         $field_name = !empty($FieldData['label']) ? $FieldData['label'] : esc_html__('Field Label', 'cubewp-framework');         $closed_class = (isset($FieldData['label']) && $FieldData['label'] != '') ? 'closed' : '';         $hide_class = (isset($FieldData['label']) && $FieldData['label'] != '') ? 'hidden' : '';
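Review bot: the added `$parent_field` argument only reaches callbacks that registered with `accepted_args` of 3 (`add_filter( 'cubewp/custom_fields/single/subfield/add', $cb, 10, 3 )`); callbacks added with the previous arity keep receiving two arguments, so this is backward compatible, but any consumer that needs the new context must update its `add_filter()` call, which is worth stating in the hook's docblock. Whether `$parent_field` is defined in this method's scope is not visible in the hunk; confirm it is not an undefined variable at this point.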
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: no

Explanation:
This diff shows a change to a WordPress filter hook call in the CubeWP framework. The modification adds an additional parameter (`$parent_field`) to the `apply_filters()` function call.

**Analysis:**

1. **No injection vulnerabilities**: The change doesn't introduce new data flows that could lead to injection attacks. The `$parent_field` variable is being passed as an additional parameter to a filter hook.

2. **No sanitization/escaping issues**: The modification doesn't change how data is sanitized or escaped. The existing code already handles the `$field_settings` and `$FieldData` parameters through the filter mechanism.

3. **Safe parameter addition**: Adding `$parent_field` as a filter parameter is a standard WordPress pattern. Filter callbacks can accept additional parameters, and this simply provides more context to the filter handlers.

4. **No new data exposure**: The `$parent_field` variable is not directly output or used in a potentially unsafe manner in this line. It's passed to the filter where its usage would be controlled by the filter callbacks.

**Conclusion**: This is a refactoring change that gives registered callbacks additional context. It does not introduce, fix, or modify any security vulnerability. It is backward compatible: callbacks registered with two accepted arguments are unaffected, and only callbacks that register with `accepted_args` of 3 receive `$parent_field`.
CVE Analysis Results:
CVE-2025-8615: No
cube/modules/search/class-cubewp-search-ajax-hooks.php AI: Not Sure 1 false positive
--- cache/cubewp-framework_1.1.26/cube/modules/search/class-cubewp-search-ajax-hooks.php	2026-01-18 00:19:20.639839570 +0000+++ cache/cubewp-framework_1.1.27/cube/modules/search/class-cubewp-search-ajax-hooks.php	2026-01-18 00:21:29.835867613 +0000@@ -1,4 +1,5 @@ <?php+ /**  * display fields of custom fields.  *@@ -6,41 +7,43 @@  * @package cubewp/cube/modules/search  */ -if ( ! defined( 'ABSPATH' ) ) {+if (! defined('ABSPATH')) {     exit; }  /**  * CubeWp_Search_Ajax_Hooks  */-class CubeWp_Search_Ajax_Hooks{-    +class CubeWp_Search_Ajax_Hooks+{+     private static $terms = null;-        +     /**      * Method cwp_search_filters_ajax_content      *      * @return array json to ajax      * @since  1.0.0      */-    public static function cwp_search_filters_ajax_content(){+    public static function cwp_search_filters_ajax_content()+    {         global $cwpOptions;         $archive_map = isset($cwpOptions['archive_map']) ? $cwpOptions['archive_map'] : 1;         $archive_filters = isset($cwpOptions['archive_filters']) ? $cwpOptions['archive_filters'] : 1;-		$posts_per_page = isset($cwpOptions['archive_posts_per_page']) ? $cwpOptions['archive_posts_per_page'] : 10;+        $posts_per_page = isset($cwpOptions['archive_posts_per_page']) ? $cwpOptions['archive_posts_per_page'] : 10;         $grid_class = 'cwp-col-12 cwp-col-md-6';-        if ( ! $archive_map || ! $archive_filters) {+        if (! $archive_map || ! $archive_filters) {             $grid_class = 'cwp-col-12 cwp-col-md-4';         }         $latLng = array();         $post_data = CubeWp_Sanitize_text_Array($_POST);-        +         $post_type = isset($post_data['post_type']) ? 
$post_data['post_type'] : ''; -        $post_data['posts_per_page'] = apply_filters( 'cubewp/search/post_per_page', $posts_per_page, $post_data );+        $post_data['posts_per_page'] = apply_filters('cubewp/search/post_per_page', $posts_per_page, $post_data);++        $_DATA = apply_filters('cubewp/search/query/update', $post_data, sanitize_text_field($post_type)); -        $_DATA = apply_filters('cubewp/search/query/update',$post_data,sanitize_text_field($post_type));-                 $page_num     =  isset($_DATA['page_num']) ? $_DATA['page_num'] : 1;         $post_type    =  isset($_DATA['post_type']) ? $_DATA['post_type'] : '';         $post_per_page = isset($_DATA['posts_per_page']) ? $_DATA['posts_per_page'] : 10;@@ -48,80 +51,109 @@          $query = new CubeWp_Query($_DATA);         $the_query = $query->cubewp_post_query();-        +++         $grid_view_html = '';-        if($the_query->have_posts()){+        if ($the_query->have_posts()) {             ob_start();-                $data_args = array(-                    'total_posts'    => $the_query->found_posts, -                    'terms' => self::$terms,-                    'data' => $_DATA,-                );-                $data = apply_filters('cubewp_frontend_search_data', '', $data_args);-                echo apply_filters('cubewp/frontend/before/search/loop', '');-                ?>-                <div class="cwp-grids-container cwp-row <?php echo esc_attr(cwp_get_post_card_view()); ?>">+            $data_args = array(+                'total_posts'    => $the_query->found_posts,+                'terms' => self::$terms,+                'data' => $_DATA,+            );+            $data = apply_filters('cubewp_frontend_search_data', '', $data_args);+            echo apply_filters('cubewp/frontend/before/search/loop', '');++            $promotional_cards = [];+            foreach ($_DATA as $key => $value) {+                if (strpos($key, 'cubewp_promotional_card_option-') !== false) {+         
           preg_match('/-(\d+)$/', $key, $matches);+                    $index = $matches[1] ?? null;+                    if ($index !== null && isset($_DATA["cubewp_promotional_card_position-$index"])) {+                        $position = $_DATA["cubewp_promotional_card_position-$index"] ?? null;+                        if ($position !== null) {+                            $promotional_cards[$position] = [+                                'option' => $value, // direct value (string now)+                                'width'  => $_DATA["cubewp_promotional_card_width-$index"] ?? '',+                            ];+                        }+                    }+                }+            }++?>+            <div class="cwp-grids-container cwp-row <?php echo esc_attr(cwp_get_post_card_view()); ?>">                 <?php-                    while($the_query->have_posts()): $the_query->the_post();-                    if(get_the_ID()){-                        if(!empty(self::cwp_map_lat_lng(get_the_ID()))){+                $counter = 1;+                while ($the_query->have_posts()): $the_query->the_post();+                    if (get_the_ID()) {+                        if (!empty(self::cwp_map_lat_lng(get_the_ID()))) {                             $latLng[] = self::cwp_map_lat_lng(get_the_ID());                         }-                        echo CubeWp_frontend_grid_HTML(get_the_ID(), $grid_class,$style);+                        if (isset($promotional_cards[$counter]) && !empty($promotional_cards[$counter])) {+                            $promotional_cardID =  $promotional_cards[$counter]['option'];+                            $width = $promotional_cards[$counter]['width'];+                            echo cubewp_promotional_card_output($promotional_cardID, $width);+                        }+                        echo CubeWp_frontend_grid_HTML(get_the_ID(), $grid_class, $style);+                        $counter++;                     }-                    
endwhile;+                endwhile;                 ?>-                </div>-                <?php-                $pagination_args = array(-                    'total_posts'    => $the_query->found_posts, -                    'posts_per_page' => $post_per_page, -                    'page_num'       => $page_num-                );-                echo apply_filters('cubewp_frontend_posts_pagination', '', $pagination_args);-                echo apply_filters('cubewp/frontend/after/search/loop', '');-                $grid_view_html = ob_get_contents();+            </div>+<?php+            $pagination_args = array(+                'total_posts'    => $the_query->found_posts,+                'posts_per_page' => $post_per_page,+                'page_num'       => $page_num+            );+            echo apply_filters('cubewp_frontend_posts_pagination', '', $pagination_args);+            echo apply_filters('cubewp/frontend/after/search/loop', '');+            $grid_view_html = ob_get_contents();             ob_end_clean();-        }else{+        } else {             $grid_view_html = self::cwp_no_result_found();         }         wp_reset_query();-        if(empty($latLng)) $latLng = '';-        if(empty($data)) $data = '';-        -        wp_send_json( array( 'post_data_details' => $data, 'map_cordinates' =>  $latLng, 'grid_view_html' => $grid_view_html ) );-        +        if (empty($latLng)) $latLng = '';+        if (empty($data)) $data = '';++        wp_send_json(array('post_data_details' => $data, 'map_cordinates' =>  $latLng, 'grid_view_html' => $grid_view_html));     }-    -    public static function cwp_map_lat_lng($postid=''){-        $Map=array();-        $map_meta_key = self::cwp_map_meta_key(get_post_type( $postid ));-        if($map_meta_key && !empty($map_meta_key) && !empty($postid)){-            $Lat = get_post_meta($postid, $map_meta_key.'_lat', true);-            $Lng = get_post_meta($postid, $map_meta_key.'_lng', true);-            if(!empty($Lat) 
&& !empty($Lng)){++    public static function cwp_map_lat_lng($postid = '')+    {+        $Map = array();+        $map_meta_key = self::cwp_map_meta_key(get_post_type($postid));+        if ($map_meta_key && !empty($map_meta_key) && !empty($postid)) {+            $Lat = get_post_meta($postid, $map_meta_key . '_lat', true);+            $Lng = get_post_meta($postid, $map_meta_key . '_lng', true);+            if (!empty($Lat) && !empty($Lng)) {                 $Map[0] = $Lat;                 $Map[1] = $Lng;                 $Map[2] = get_the_title($postid);                 $Map[3] = get_the_permalink($postid);                 $Map[4] = cubewp_get_post_thumbnail_url($postid);-                $Map[5] = apply_filters( 'cubewp/search_result/map/pin', '', $postid );+                $Map[5] = apply_filters('cubewp/search_result/map/pin', '', $postid);                 return $Map;             }         }     }-    -    private static function cwp_map_meta_key($post_type=''){-        if(empty($post_type)) return;-        $options = CWP()->get_custom_fields( 'post_types' );++    private static function cwp_map_meta_key($post_type = '')+    {+        if (empty($post_type)) return;+        $options = CWP()->get_custom_fields('post_types');         $options = $options == '' ? 
array() : $options;-        if(isset($options['cwp_map_meta'][$post_type]) && !empty($options['cwp_map_meta'][$post_type])){+        if (isset($options['cwp_map_meta'][$post_type]) && !empty($options['cwp_map_meta'][$post_type])) {             $MapMeta = $options['cwp_map_meta'][$post_type];             return $MapMeta;         }     }-    -    private static function cwp_no_result_found(){-        return '<div class="cwp-empty-search"><img class="cwp-empty-search-img" src="'.esc_url(CWP_PLUGIN_URI.'cube/assets/frontend/images/no-result.png').'" alt=""><h2>'.esc_html__('No Results Found','cubewp-framework').'</h2><p>'.esc_html__('There are no results matching your search.','cubewp-framework').'</p></div>';++    private static function cwp_no_result_found()+    {+        return '<div class="cwp-empty-search"><img class="cwp-empty-search-img" src="' . esc_url(CWP_PLUGIN_URI . 'cube/assets/frontend/images/no-result.png') . '" alt=""><h2>' . esc_html__('No Results Found', 'cubewp-framework') . '</h2><p>' . esc_html__('There are no results matching your search.', 'cubewp-framework') . '</p></div>';     }-}\ No newline at end of file+}
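Review bot: `cwp_map_lat_lng()` and `cwp_map_meta_key()` both fall off the end without a `return` when the meta key, post id or coordinates are missing, so they silently return `null`; the caller compensates with `if (empty($latLng)) $latLng = '';` before `wp_send_json()`, which is easy to miss in later call sites. Since this hunk is already a reformat of both functions, an explicit `return array();` at the end of `cwp_map_lat_lng()` and `return '';` at the end of `cwp_map_meta_key()` would make the contract visible. Two smaller points in the same region: `$map_meta_key && !empty($map_meta_key)` is redundant (the `!empty()` check alone covers it), and the `'map_cordinates'` key in the `wp_send_json()` payload is misspelled; renaming it would break existing front-end consumers, so a comment noting that the spelling is intentional is the safer change.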
AI Analysis
# Security Analysis of Code Diff

## Vulnerability 1

**Vulnerability Existed:** yes
FALSE POSITIVE

**CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - class-cubewp-search-ajax-hooks.php - Lines 67-83**

**Old Code:**
```php
echo CubeWp_frontend_grid_HTML(get_the_ID(), $grid_class,$style);
```

**Fixed Code:**
```php
if (isset($promotional_cards[$counter]) && !empty($promotional_cards[$counter])) {
    $promotional_cardID =  $promotional_cards[$counter]['option'];
    $width = $promotional_cards[$counter]['width'];
    echo cubewp_promotional_card_output($promotional_cardID, $width);
}
echo CubeWp_frontend_grid_HTML(get_the_ID(), $grid_class, $style);
```

**Explanation:**
The diff shows the introduction of new promotional card functionality that processes `$_DATA` array values directly. At lines 67-83, the code extracts `$promotional_cards[$counter]['option']` from user-supplied POST data without sanitization, then passes it to `cubewp_promotional_card_output()`. While the specific sanitization inside `cubewp_promotional_card_output()` cannot be verified from this diff alone, the pattern of passing unsanitized user input directly to output functions presents an XSS vulnerability risk. The promotional card option value originates from `$_DATA` which is derived from `$_POST` and only basic sanitization is applied via `sanitize_text_field()` on the post_type, but not on the promotional card values themselves.

---

## Vulnerability 2

**Vulnerability Existed:** not sure

**CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-200 - class-cubewp-search-ajax-hooks.php - Lines 48-51**

**Old Code:**
```php
$_DATA = apply_filters('cubewp/search/query/update',$post_data,sanitize_text_field($post_type));
```

**Fixed Code:**
```php
$_DATA = apply_filters('cubewp/search/query/update', $post_data, sanitize_text_field($post_type));
```

**Explanation:**
This change appears to be purely formatting (adding spacing in function parameters). However, the underlying security concern is uncertain: `$post_data` originates from `CubeWp_Sanitize_text_Array($_POST)` and is passed through a filter hook before use. Without visibility into the filter implementation and the `CubeWp_Sanitize_text_Array()` function's sanitization logic, it cannot be definitively determined whether all POST data is adequately sanitized before being stored in `$_DATA` and subsequently used throughout the function. The concern is information exposure through unsanitized POST parameter handling.
CVE Analysis Results:
CVE-2025-8615: No
View CVE Description
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
cube/modules/theme-builder/class-cubewp-theme-builder-rules.php AI: No vulnerabilities
--- cache/cubewp-framework_1.1.26/cube/modules/theme-builder/class-cubewp-theme-builder-rules.php	2026-01-18 00:19:20.643839818 +0000+++ cache/cubewp-framework_1.1.27/cube/modules/theme-builder/class-cubewp-theme-builder-rules.php	2026-01-18 00:21:29.839867861 +0000@@ -133,6 +133,7 @@      */     public static function render_block_options() {         $template_options = '';+        $template_options .= '<option value="cubewp_post_loop_promotional_card">' . esc_html('CubeWP Post Loop Promotional Card' , 'cubewp-framework') . '</option>';         $blocks = is_array(apply_filters('cubewp/theme_builder/blocks', array())) ? apply_filters('cubewp/theme_builder/blocks', array()): array();         foreach ($blocks as $key => $label) {             $template_options .= '<option value="' . esc_attr($key) . '">' . esc_html($label) . '</option>';
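Review bot: `esc_html()` accepts a single argument, so the `'cubewp-framework'` passed as a second parameter in the added `<option>` line is ignored and the label is never run through translation. The rest of the plugin uses the translating variant (for example `esc_html__('No Results Found', 'cubewp-framework')` in the search AJAX hooks file of this same release), so this line should read `esc_html__('CubeWP Post Loop Promotional Card', 'cubewp-framework')`. The `value` attribute is a fixed literal and needs no escaping, which matches the `esc_attr($key)` pattern the loop below applies to filter-supplied keys.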
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Vulnerability Existed: no**

**Cross-Site Scripting (XSS) - CWE-79 - cube/modules/theme-builder/class-cubewp-theme-builder-rules.php [136]**

**Old Code:**
```php
$template_options = '';
$blocks = is_array(apply_filters('cubewp/theme_builder/blocks', array())) ? apply_filters('cubewp/theme_builder/blocks', array()): array();
foreach ($blocks as $key => $label) {
    $template_options .= '<option value="' . esc_attr($key) . '">' . esc_html($label) . '</option>';
```

**Fixed Code:**
```php
$template_options = '';
$template_options .= '<option value="cubewp_post_loop_promotional_card">' . esc_html('CubeWP Post Loop Promotional Card' , 'cubewp-framework') . '</option>';
$blocks = is_array(apply_filters('cubewp/theme_builder/blocks', array())) ? apply_filters('cubewp/theme_builder/blocks', array()): array();
foreach ($blocks as $key => $label) {
    $template_options .= '<option value="' . esc_attr($key) . '">' . esc_html($label) . '</option>';
```

**Explanation:**

This code addition does NOT introduce a new vulnerability. The new line being added follows proper security practices:

1. The hardcoded value `"cubewp_post_loop_promotional_card"` is wrapped in `esc_attr()` implicitly (it's a static string)
2. The display text `'CubeWP Post Loop Promotional Card'` is properly escaped using `esc_html()`
3. The second parameter to `esc_html()` appears to be a textdomain for translation purposes

The fix maintains consistency with the existing foreach loop pattern below it, where `$key` is escaped with `esc_attr()` and `$label` is escaped with `esc_html()`. No XSS vulnerability exists in this change because output is properly sanitized with appropriate WordPress escaping functions.
CVE Analysis Results:
CVE-2025-8615: No
cube/modules/theme-builder/class-cubewp-theme-builder.php AI: No vulnerabilities
--- cache/cubewp-framework_1.1.26/cube/modules/theme-builder/class-cubewp-theme-builder.php	2026-01-18 00:19:20.643839818 +0000+++ cache/cubewp-framework_1.1.27/cube/modules/theme-builder/class-cubewp-theme-builder.php	2026-01-18 00:21:29.839867861 +0000@@ -271,6 +271,10 @@         if ($existing_posts->have_posts()) {             foreach ($existing_posts->posts as $existing_post_id) {                 if ($existing_post_id != $post_id && $template_type != 'mega-menu') {+                    continue;+                } elseif ($existing_post_id != $post_id && $template_type != 'cubewp_post_promotional_card') {+                    continue;+                } else {                     wp_update_post(array(                         'ID' => $existing_post_id,                         'post_status' => 'inactive'
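Review bot: The two `continue` branches together skip every `$existing_post_id != $post_id` regardless of `$template_type`: a type other than `'mega-menu'` hits the first branch, and `'mega-menu'` itself hits the second because it is not `'cubewp_post_promotional_card'`. The `else` branch is therefore reached only when `$existing_post_id == $post_id`, so `wp_update_post()` now sets the template being saved to `'inactive'` instead of deactivating the other templates of the same type, which is the opposite of the old behaviour. If the intent is to exempt both the mega-menu and promotional-card types from deactivation, the single condition `if ($existing_post_id != $post_id && !in_array($template_type, array('mega-menu', 'cubewp_post_promotional_card'), true)) {` wrapping the original `wp_update_post()` call expresses that directly and keeps the current post untouched.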
AI Analysis
## Security Analysis

**Vulnerability Existed: no**

**Logic Error - No CWE** - cube/modules/theme-builder/class-cubewp-theme-builder.php [lines 273-282]

**Old Code:**
```php
if ($existing_post_id != $post_id && $template_type != 'mega-menu') {
    wp_update_post(array(
        'ID' => $existing_post_id,
        'post_status' => 'inactive'
    ));
}
```

**Fixed Code:**
```php
if ($existing_post_id != $post_id && $template_type != 'mega-menu') {
    continue;
} elseif ($existing_post_id != $post_id && $template_type != 'cubewp_post_promotional_card') {
    continue;
} else {
    wp_update_post(array(
        'ID' => $existing_post_id,
        'post_status' => 'inactive'
    ));
}
```

**Explanation:**
This diff does not address a security vulnerability. The change modifies the business logic to add an additional condition that skips updating posts when `$template_type` equals `'cubewp_post_promotional_card'`. The refactoring inverts the logic flow by using `continue` statements instead of a direct conditional block, but this is a logic change, not a security fix. No input validation, sanitization, or access control issues are present. The `wp_update_post()` function is a standard WordPress API that handles its own security internally.
CVE Analysis Results:
CVE-2025-8615: No