Analysis Report: cache/integrate-dynamics-365-crm_1.1.1 → cache/integrate-dynamics-365-crm_1.1.2 - CVE-2026-0725

Shared security patch analysis results

AI Used: claude_cli haiku
Wrappers/class-templatewrapper.php AI: 3 vulnerabilities (2 false positives, 1 true positive)
--- cache/integrate-dynamics-365-crm_1.1.1/Wrappers/class-templatewrapper.php	2026-01-18 00:22:23.031171780 +0000+++ cache/integrate-dynamics-365-crm_1.1.2/Wrappers/class-templatewrapper.php	2026-01-18 00:22:26.423382461 +0000@@ -403,7 +403,7 @@ 		$suffix           = '_' . $entity_object . '_' . $form . '_' . $name;
 		$required_mark    = $is_req ? '<sup style="color:red;font-weight:bold;font-size:15px;">*</sup>' : '';
 		$content          = '';
-		$delete_button    = $is_req ? '' : '<div dynamicID="' . $suffix . '" class="dcrm_object_form_map_nav__icon"><button type="button" dynamicID="' . $suffix . '" id="dcrm_object_form_map_nav__icon_delete" style="background:transparent;border:none;"><span dynamicID="' . $suffix . '" style="display: block; cursor:pointer;" class="dashicons dashicons-trash"></span></button></div>';
+		$delete_button    = $is_req ? '' : '<div dynamicID="' . esc_attr( $suffix ) . '" class="dcrm_object_form_map_nav__icon"><button type="button" dynamicID="' . esc_attr( $suffix ) . '" id="dcrm_object_form_map_nav__icon_delete" style="background:transparent;border:none;"><span dynamicID="' . esc_attr( $suffix ) . '" style="display: block; cursor:pointer;" class="dashicons dashicons-trash"></span></button></div>';
 
 		$selected_form_field = '';
 		if ( isset( $field_map[ $name ] ) ) {
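Review bot: the `id="dcrm_object_form_map_nav__icon_delete"` on the delete button is not suffixed, unlike `id="dcrm_object_form_map-tile' . esc_attr( $suffix )` in the next hunk, so every non-required field renders a button with the same id and a `getElementById` lookup will only ever find the first one; suffix it or use a class. The `esc_attr( $suffix )` change itself is the right escaping for a double-quoted attribute value, but `dynamicID` is not a valid HTML attribute; a `data-dynamic-id` attribute would carry the same value without relying on browsers tolerating unknown attributes.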
@@ -419,7 +419,7 @@ 		$content = '
             <div dynamicID="' . esc_attr( $suffix ) . '" id="dcrm_object_form_map-tile' . esc_attr( $suffix ) . '" class="dcrm_object_form_map-tile" style="margin:10px;">
                 <div dynamicID="' . esc_attr( $suffix ) . '" class="dcrm_object_form_map_nav">
-                    <div dynamicID="' . esc_attr( $suffix ) . '" attributeName="' . esc_attr( $name ) . '" class="dcrm_object_form_map_nav__title">' . esc_html( $label ) . $required_mark . '&nbsp; ( ' . $name . ' )</div>' . $delete_button . '
+                    <div dynamicID="' . esc_attr( $suffix ) . '" attributeName="' . esc_attr( $name ) . '" class="dcrm_object_form_map_nav__title">' . esc_html( $label ) . $required_mark . '&nbsp; ( ' . esc_html( $name ) . ' )</div>' . $delete_button . '
                     <div dynamicID="' . esc_attr( $suffix ) . '" class="dcrm_object_form_map_nav__icon">
                         <span dynamicID="' . esc_attr( $suffix ) . '" id="dcrm_object_form_map_nav__icon_up' . esc_attr( $suffix ) . '" style="display:none;" class="dashicons dashicons-arrow-right"></span>
                         <span dynamicID="' . esc_attr( $suffix ) . '" id="dcrm_object_form_map_nav__icon_down' . esc_attr( $suffix ) . '" style="display: block" class="dashicons dashicons-arrow-down"></span>
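Review bot: `$name` is now escaped per context, `esc_attr()` inside `attributeName="..."` and `esc_html()` in the element text, which is the correct split; `$label` was already passed through `esc_html()` and `$required_mark` is a fixed literal, so every interpolated value in this title `<div>` is covered. One leftover: `$delete_button` is appended unescaped here, which is fine only because the previous hunk escapes `$suffix` inside it; a short comment on `$delete_button` noting that it is pre-escaped markup would stop a future reader from wrapping it in `esc_html()` and breaking the button.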
@@ -516,7 +516,7 @@ 					$content .= '<td><span style="font-weight:500">Select Default Field:</span></td><td><div>
                                 <select  style="width:95%;" id="' . esc_attr( $id ) . '_dropdown" name="' . esc_attr( $id ) . '_dropdown" value="">';
 					foreach ( $field_attributes as $field ) {
-						$content .= '<option ' . ( (int) $selected_form_field === $field['key'] ? 'selected' : '' ) . ' value="' . esc_attr( $field['key'] ) . '">' . esc_attr( $field['value'] ) . '</option>';
+						$content .= '<option ' . ( (int) $selected_form_field === $field['key'] ? 'selected' : '' ) . ' value="' . esc_attr( $field['key'] ) . '">' . esc_html( $field['value'] ) . '</option>';
 					}
 					$content .= '</select></div></td>';
 				} else {
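Review bot: the selected-state test `(int) $selected_form_field === $field['key']` uses strict comparison after casting only the left side, so it is true only when `$field['key']` is already an integer; if the keys arrive as strings, `selected` is never emitted. Either cast both sides or use the WordPress `selected()` helper, which prints the attribute for you. Separately, `value=""` on the `<select>` element has no effect and can be dropped. The `esc_attr()` to `esc_html()` change in the option text is correct for element content.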
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
[Cross-site Scripting (XSS)] - [CWE-79] - [Wrappers/class-templatewrapper.php] [Line 406]
[Old Code]
```php
$delete_button    = $is_req ? '' : '<div dynamicID="' . $suffix . '" class="dcrm_object_form_map_nav__icon"><button type="button" dynamicID="' . $suffix . '" id="dcrm_object_form_map_nav__icon_delete" style="background:transparent;border:none;"><span dynamicID="' . $suffix . '" style="display: block; cursor:pointer;" class="dashicons dashicons-trash"></span></button></div>';
```
[Fixed Code]
```php
$delete_button    = $is_req ? '' : '<div dynamicID="' . esc_attr( $suffix ) . '" class="dcrm_object_form_map_nav__icon"><button type="button" dynamicID="' . esc_attr( $suffix ) . '" id="dcrm_object_form_map_nav__icon_delete" style="background:transparent;border:none;"><span dynamicID="' . esc_attr( $suffix ) . '" style="display: block; cursor:pointer;" class="dashicons dashicons-trash"></span></button></div>';
```
Explanation:
The `$suffix` variable was being directly concatenated into HTML attribute values without escaping. This allows an attacker to inject malicious HTML/JavaScript through the `dynamicID` attributes. The fix applies `esc_attr()` to sanitize the output in HTML attribute context.

---

Vulnerability Existed: yes
FALSE POSITIVE
[Cross-site Scripting (XSS)] - [CWE-79] - [Wrappers/class-templatewrapper.php] [Line 422]
[Old Code]
```php
<div dynamicID="' . esc_attr( $suffix ) . '" attributeName="' . esc_attr( $name ) . '" class="dcrm_object_form_map_nav__title">' . esc_html( $label ) . $required_mark . '&nbsp; ( ' . $name . ' )</div>' . $delete_button . '
```
[Fixed Code]
```php
<div dynamicID="' . esc_attr( $suffix ) . '" attributeName="' . esc_attr( $name ) . '" class="dcrm_object_form_map_nav__title">' . esc_html( $label ) . $required_mark . '&nbsp; ( ' . esc_html( $name ) . ' )</div>' . $delete_button . '
```
Explanation:
The `$name` variable was being output directly into HTML content without escaping. An attacker could inject HTML/JavaScript through the `$name` parameter. The fix applies `esc_html()` to sanitize the output for HTML content context.

---

Vulnerability Existed: yes
TRUE POSITIVE
[Cross-site Scripting (XSS)] - [CWE-79] - [Wrappers/class-templatewrapper.php] [Line 519]
[Old Code]
```php
$content .= '<option ' . ( (int) $selected_form_field === $field['key'] ? 'selected' : '' ) . ' value="' . esc_attr( $field['key'] ) . '">' . esc_attr( $field['value'] ) . '</option>';
```
[Fixed Code]
```php
$content .= '<option ' . ( (int) $selected_form_field === $field['key'] ? 'selected' : '' ) . ' value="' . esc_attr( $field['key'] ) . '">' . esc_html( $field['value'] ) . '</option>';
```
Explanation:
The `$field['value']` was being output as HTML content within `<option>` tags but escaped with `esc_attr()` (attribute escaping). HTML content context requires `esc_html()` instead. While `esc_attr()` provides some protection, it's not semantically correct for content within tags and could fail if special characters are present. The fix applies the correct `esc_html()` function for content context.
CVE Analysis Results:
CVE-2026-0725: No
CVE Description: The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Wrappers/class-wpwrapper.php AI: 1 vulnerability (1 false positive)
--- cache/integrate-dynamics-365-crm_1.1.1/Wrappers/class-wpwrapper.php	2026-01-18 00:22:23.031171780 +0000+++ cache/integrate-dynamics-365-crm_1.1.2/Wrappers/class-wpwrapper.php	2026-01-18 00:22:26.423382461 +0000@@ -153,18 +153,23 @@ 	}
 
 	/**
-	 * Sanitize arrays
+	 * Sanitize arrays recursively
 	 *
 	 * @param array $arr - data array to be sanitized.
 	 * @return array The sanitized array.
 	 */
 	public static function mo_dcrm_sanitize_array_map( $arr ) {
+		if ( ! is_array( $arr ) ) {
+			return sanitize_text_field( $arr );
+		}
 		$result = array();
 		foreach ( $arr as $key => $value ) {
 			if ( ! is_array( $key ) ) {
 				$key = sanitize_text_field( $key );
 			}
-			if ( ! is_array( $value ) ) {
+			if ( is_array( $value ) ) {
+				$value = self::mo_dcrm_sanitize_array_map( $value );
+			} else {
 				$value = sanitize_text_field( $value );
 			}
 			$result[ $key ] = $value;
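Review bot: the new early return `return sanitize_text_field( $arr )` for non-array input contradicts the docblock's `@return array`; either update it to `@return array|string` or keep the scalar fallback out of a function whose name promises an array map. Two smaller points: `is_array( $key )` is always false because PHP array keys can only be integers or strings, so that check is dead code; and `sanitize_text_field()` strips newlines, so any nested value that legitimately holds multi-line text (a textarea setting) is silently flattened, where `sanitize_textarea_field()` is the matching helper. The recursion into `self::mo_dcrm_sanitize_array_map( $value )` itself is correct and is what the 1.1.1 code was missing.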
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
[Improper Input Validation] - [CWE-20] - [Wrappers/class-wpwrapper.php] [Lines 161-163]
[Old Code]
```php
if ( ! is_array( $value ) ) {
    $value = sanitize_text_field( $value );
}
```
[Fixed Code]
```php
if ( is_array( $value ) ) {
    $value = self::mo_dcrm_sanitize_array_map( $value );
} else {
    $value = sanitize_text_field( $value );
}
```
Explanation:
The original code had a logic error where nested arrays were not being sanitized recursively. The condition `if ( ! is_array( $value ) )` would only sanitize non-array values, leaving nested arrays untouched and potentially allowing unsanitized data to persist in deeply nested structures. This violates the principle of comprehensive input validation (CWE-20). The fix corrects this by explicitly checking `if ( is_array( $value ) )` and recursively calling the sanitization function on nested arrays, ensuring all data at all nesting levels is properly sanitized. This is a security improvement that prevents potential injection attacks through deeply nested user input.
CVE Analysis Results:
CVE-2026-0725: No
integrate-dynamics-365-crm.php AI: no vulnerabilities
--- cache/integrate-dynamics-365-crm_1.1.1/integrate-dynamics-365-crm.php	2026-01-18 00:22:23.011170538 +0000+++ cache/integrate-dynamics-365-crm_1.1.2/integrate-dynamics-365-crm.php	2026-01-18 00:22:26.423382461 +0000@@ -3,7 +3,7 @@  * Plugin Name: Integrate Dynamics CRM
  * Plugin URI: https://plugins.miniorange.com/
  * Description: This plugin will allow you to sync CRM Objects like contacts, accounts, leads, etc. between Dynamics 365 Sales and WordPress.
- * Version: 1.1.1
+ * Version: 1.1.2
  * Author: miniOrange
  * License: Expat
  * License URI: https://plugins.miniorange.com/mit-license
@@ -22,7 +22,7 @@ use MoDynamics365ObjectSync\Observer\cf7dcrmObserver;
 use MoDynamics365ObjectSync\View\FeedbackForm;
 
-define( 'PLUGIN_VERSION', '1.1.1' );
+define( 'PLUGIN_VERSION', '1.1.2' );
 define( 'MO_DCRM_PLUGIN_FILE', __FILE__ );
 
 /**
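Review bot: `PLUGIN_VERSION` is an unprefixed global constant, unlike `MO_DCRM_PLUGIN_FILE` on the next line; any other plugin or theme that defines the same name first will make this `define()` a no-op with a notice, and this plugin would then report another project's version. A prefixed name such as `MO_DCRM_PLUGIN_VERSION` avoids the collision. The version is also maintained in two places (the `Version:` header above and this constant); keeping them in sync by hand is error-prone, so consider reading the header via `get_file_data()` or documenting that both must be bumped together.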
AI Analysis
Vulnerability Existed: no

No CWE - No security vulnerabilities identified - integrate-dynamics-365-crm.php (lines 6, 25)

Old Code:
```php
* Version: 1.1.1
...
define( 'PLUGIN_VERSION', '1.1.1' );
```

Fixed Code:
```php
* Version: 1.1.2
...
define( 'PLUGIN_VERSION', '1.1.2' );
```

Explanation:
This diff only contains version number updates in the plugin header comment and a PHP constant definition. No code logic has been modified, no security-sensitive operations have been changed, and no vulnerability fixes are present. This is a routine version bump that does not address any security issues. The changes are purely administrative and do not introduce or fix any vulnerabilities related to injection attacks, authentication, authorization, data exposure, or any other security concern.
CVE Analysis Results:
CVE-2026-0725: No