From 25fe943a846f852fee95b157cff9fef436ecffb8 Mon Sep 17 00:00:00 2001
From: Ajay D'Souza
Date: Tue, 31 Oct 2023 19:22:04 +0000
Subject: [PATCH] Nonce check

Check nonce before editing post counts in the Admin area
---
 includes/admin/class-admin.php | 7 +++++++
 includes/admin/js/admin-scripts.js | 3 ++-
 includes/admin/js/admin-scripts.min.js | 2 +-
 includes/class-counter.php | 2 ++
 readme.txt | 3 +++
 5 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/includes/admin/class-admin.php b/includes/admin/class-admin.php
index 09b7b1f..6fe5cd5 100644
--- a/includes/admin/class-admin.php
+++ b/includes/admin/class-admin.php
@@ -232,6 +232,13 @@ public function admin_enqueue_scripts() {
 TOP_TEN_VERSION,
 true
 );
+ wp_localize_script(
+ 'top-ten-admin-js',
+ 'top_ten_admin',
+ array(
+ 'nonce' => wp_create_nonce( 'top_ten_admin_nonce' ),
+ )
+ );
 wp_register_style(
 'tptn-admin-ui-css',
 TOP_TEN_PLUGIN_URL . 'includes/admin/css/top-10-admin.min.css',
diff --git a/includes/admin/js/admin-scripts.js b/includes/admin/js/admin-scripts.js
index 52f4ef5..d40bb9c 100644
--- a/includes/admin/js/admin-scripts.js
+++ b/includes/admin/js/admin-scripts.js
@@ -111,7 +111,8 @@ jQuery(document).ready(function ($) {
 action: 'tptn_edit_count_ajax',
 post_id: post_id,
 total_count: value,
- total_count_original: count
+ total_count_original: count,
+ top_ten_admin_nonce: top_ten_admin.nonce
 },
 success: function (response) {
 if (response === false) {
diff --git a/includes/admin/js/admin-scripts.min.js b/includes/admin/js/admin-scripts.min.js
index 0c6f799..ffcc65f 100644
--- a/includes/admin/js/admin-scripts.min.js
+++ b/includes/admin/js/admin-scripts.min.js
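Review bot: The new `wp_localize_script()` call hands the `top-ten-admin-js` handle a second global, `top_ten_admin`, while the same bundle already reads `tptn_admin_data.security` for its clear-cache request (visible in the minified file in this patch); unless the separate nonce action is deliberate, adding `'nonce' => wp_create_nonce( 'top_ten_admin_nonce' )` to the existing `tptn_admin_data` array would keep one data object per script. Where `tptn_admin_data` is localized is outside this patch, so that may not be practical in this function. Either way, a short comment above the call such as `// Nonce for tptn_edit_count_ajax; this is CSRF protection only, the handler must still check capabilities.` would record that the token is minted for every user whose admin screen enqueues this handle. `admin_enqueue_scripts()` starts before and ends after this hunk.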
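Review bot: The `$.ajax` request now carries `top_ten_admin_nonce`, but only a `success:` callback is visible; when `check_ajax_referer()` rejects the nonce it terminates the request with a `-1` body and a 403 status, so jQuery takes the `error` path and the edited cell keeps the unsaved value with no `live_edit_mode_error` marking. Add an `error:` callback next to `success:` that restores the element's text to `count` and adds `live_edit_mode_error`, mirroring what the `response === false` branch does. The surrounding focusout/keypress handler starts before and ends after this hunk, so the exact element variable to restore is not visible here.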
@@ -1 +1 @@ -function clearCache(){jQuery.post(ajaxurl,{action:"tptn_clear_cache",security:tptn_admin_data.security},(function(t,a,e){alert(t.message)}),"json")}jQuery(document).ready((function(t){var a=0;function e(){a=0}t("form *").change((function(){a=1})),window.onbeforeunload=function(){if(1==a)return!0},t("input[name='submit']").click(e),t("input[id='search-submit']").click(e),t("input[id='doaction']").click(e),t("input[id='doaction2']").click(e),t("input[name='filter_action']").click(e),t((function(){t("#post-body-content").tabs({create:function(a,e){t(e.tab.find("a")).addClass("nav-tab-active")},activate:function(a,e){t(e.oldTab.find("a")).removeClass("nav-tab-active"),t(e.newTab.find("a")).addClass("nav-tab-active")}})})),t((function(){var a="dd M yy",e=t("#datepicker-from").datepicker({changeMonth:!0,maxDate:0,dateFormat:a}).on("change",(function(){i.datepicker("option","minDate",n(this))})),i=t("#datepicker-to").datepicker({changeMonth:!0,maxDate:0,dateFormat:a}).on("change",(function(){e.datepicker("option","maxDate",n(this))}));function n(e){var i;try{i=t.datepicker.parseDate(a,e.value)}catch(t){i=null}return i}})),t(".live_edit").click((function(){t(this).addClass("live_edit_mode"),t(this).removeClass("live_edit_mode_success"),t(this).removeClass("live_edit_mode_error")})),t(".live_edit").on("focusout keypress",(function(a){if("focusout"===a.type||13===a.which){13==a.which&&a.preventDefault();var e=t(this),i=e.attr("data-wp-post-id"),n=e.attr("data-wp-count"),c=e.text();e.removeClass("live_edit_mode"),t.ajax({type:"POST",dataType:"json",url:ajaxurl,data:{action:"tptn_edit_count_ajax",post_id:i,total_count:c,total_count_original:n},success:function(t){!1===t?(e.addClass("live_edit_mode_error"),e.html(n)):t>0&&e.addClass("live_edit_mode_success")}})}}))})); \ No newline at end of file +function 
clearCache(){jQuery.post(ajaxurl,{action:"tptn_clear_cache",security:tptn_admin_data.security},(function(t,a,e){alert(t.message)}),"json")}jQuery(document).ready((function(t){var a=0;function e(){a=0}t("form *").change((function(){a=1})),window.onbeforeunload=function(){if(1==a)return!0},t("input[name='submit']").click(e),t("input[id='search-submit']").click(e),t("input[id='doaction']").click(e),t("input[id='doaction2']").click(e),t("input[name='filter_action']").click(e),t((function(){t("#post-body-content").tabs({create:function(a,e){t(e.tab.find("a")).addClass("nav-tab-active")},activate:function(a,e){t(e.oldTab.find("a")).removeClass("nav-tab-active"),t(e.newTab.find("a")).addClass("nav-tab-active")}})})),t((function(){var a="dd M yy",e=t("#datepicker-from").datepicker({changeMonth:!0,maxDate:0,dateFormat:a}).on("change",(function(){n.datepicker("option","minDate",i(this))})),n=t("#datepicker-to").datepicker({changeMonth:!0,maxDate:0,dateFormat:a}).on("change",(function(){e.datepicker("option","maxDate",i(this))}));function i(e){var n;try{n=t.datepicker.parseDate(a,e.value)}catch(t){n=null}return n}})),t(".live_edit").click((function(){t(this).addClass("live_edit_mode"),t(this).removeClass("live_edit_mode_success"),t(this).removeClass("live_edit_mode_error")})),t(".live_edit").on("focusout keypress",(function(a){if("focusout"===a.type||13===a.which){13==a.which&&a.preventDefault();var e=t(this),n=e.attr("data-wp-post-id"),i=e.attr("data-wp-count"),c=e.text();e.removeClass("live_edit_mode"),t.ajax({type:"POST",dataType:"json",url:ajaxurl,data:{action:"tptn_edit_count_ajax",post_id:n,total_count:c,total_count_original:i,top_ten_admin_nonce:top_ten_admin.nonce},success:function(t){!1===t?(e.addClass("live_edit_mode_error"),e.html(i)):t>0&&e.addClass("live_edit_mode_success")}})}}))})); \ No newline at end of file diff --git a/includes/class-counter.php b/includes/class-counter.php index 11e5261..f703d48 100644 --- a/includes/class-counter.php 
+++ b/includes/class-counter.php @@ -383,6 +383,8 @@ public static function delete_count( $post_id, $blog_id, $daily = false ) { * @since 2.9.0 */ public static function edit_count_ajax() { + // Security check. + check_ajax_referer( 'top_ten_admin_nonce', 'top_ten_admin_nonce' ); if ( ! isset( $_REQUEST['total_count'] ) || ! isset( $_REQUEST['post_id'] ) || ! isset( $_REQUEST['total_count_original'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended wp_die(); diff --git a/readme.txt b/readme.txt index 312ddec..cb4b5fa 100644 --- a/readme.txt +++ b/readme.txt @@ -156,6 +156,9 @@ Release post: [https://webberzone.com/announcements/top-10-v3-3-0/](https://webb * Check if `$wp_filters['the_content']` is set. Fixes a PHP warning for users running WordPress before 6.1 * `Import_Export` Class: Fix unnecessary check for `network_admin_menu` filter; Minor code fixes to set headers before outputting data +* Security fix: + * Check nonce before editing post counts in the Admin area + = 3.3.2 = * Enhancements:
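Review bot: `check_ajax_referer()` at the top of `edit_count_ajax()` proves only that the request originated from a page that rendered the admin script, not that the caller is allowed to rewrite a post's count; if no `current_user_can()` check follows further down (the function body continues past this hunk), any logged-in user who can load a screen that enqueues `top-ten-admin-js` obtains the nonce and can edit counts. Add a capability check after the `isset` guard on the next line, e.g. `if ( ! current_user_can( 'edit_post', absint( $_REQUEST['post_id'] ) ) ) { wp_die( -1, 403 ); }`, or `manage_options` if that matches the screen that offers live editing. The trailing `// phpcs:ignore WordPress.Security.NonceVerification.Recommended` on the `isset` line is now stale, since the nonce is verified two lines above, and can be dropped.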