
Commit 97b9b5f

committed
chore: validate orderby param for payment query
1 parent 6adb2e7 commit 97b9b5f


1 file changed

+20
-0
lines changed

1 file changed

+20
-0
lines changed

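--- a/includes/payments/class-payments-query.php
+++ b/includes/payments/class-payments-query.php
@@ -815,6 +815,26 @@ public function gateway_filter() {
 private function get_sql() {
 global $wpdb;
 
+$allowed_keys = array(
+'post_name',
+'post_author',
+'post_date',
+'post_title',
+'post_status',
+'post_modified',
+'post_parent',
+'post_type',
+'menu_order',
+'comment_count',
+);
+
+$this->args['orderby'] = 'post_parent__in';
+
+// Whitelist orderby.
+if( ! in_array( $this->args['orderby'], $allowed_keys ) ) {
+$this->args['orderby'] = 'ID';
+}
+
 $where = "WHERE {$wpdb->posts}.post_type = 'give_payment'";
 $where .= " AND {$wpdb->posts}.post_status IN ('" . implode( "','", $this->args['post_status'] ) . "')";
 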
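Review bot: The unconditional `$this->args['orderby'] = 'post_parent__in';` at new line 831 overwrites whatever the caller supplied before the allowlist check runs, and because that value is not in `$allowed_keys` every query is forced to order by `ID`; it reads like a leftover debugging assignment and should be deleted so the check validates the incoming argument rather than a constant. The `in_array()` call at line 834 should also pass `true` as its third argument so the comparison against these string keys is strict: `if ( ! in_array( $this->args['orderby'], $allowed_keys, true ) ) {`. If `orderby` can be absent from `$this->args` (how the args are populated is not visible here), reading it at line 834 emits a notice, so a `$this->args['orderby'] ?? ''` fallback would be worth adding. The rest of `get_sql()`, including the point where the validated value is placed into the SQL string, lies outside the hunk.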