

Fixed XSS Vulneraibility
When showing user info from the WGG users list, the user IP was passed through the URL without sanitization. After this commit the user IP is no longer needed in the URL, as the screen will get the IP from the WGG tables instead.
Also $_GET['userID'] is now sanitized and cast to an integer to apply some more defensive programming, you know, just in case.
igmoweb committed Jan 18, 2017
1 parent a822d28 commit 8841495
Showing 2 changed files with 6 additions and 3 deletions.
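--- a/wangguard-class-wp-users.php
+++ b/wangguard-class-wp-users.php
@@ -226,7 +226,7 @@ function single_row( $row_data, $style = '' , $numposts) {
 } else {
 $url = esc_url( network_admin_url( add_query_arg( array( 'page' => 'wangguard_users_info' ), 'admin.php' ) ) );
 }
-$arrayUrl = array ('userID' => $user_id, 'userIP' => $row_data->user_ip, '?TB_iframe' => 'true', 'width' => '900', 'height' => '550' );
+$arrayUrl = array ('userID' => $user_id, '?TB_iframe' => 'true', 'width' => '900', 'height' => '550' );
 $final_user_info_url = esc_url( add_query_arg( $arrayUrl , $url ));
 $cell_contents = "<a class='thickbox' title='" . __( 'Info about','wangguard') . " {$row_data->first_name} {$row_data->last_name}' href='" . $final_user_info_url . "'><img class='alignnone size-full wp-image-2055' alt='Info about {$row_data->first_name} {$row_data->last_name}' src='" . plugins_url( 'img/info-wgg.png' , __FILE__ ) . "' width='15' height='15' /> " . __('User Info', 'wangguard' ) . "</a>";
 break;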
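Review bot: The `$cell_contents` line two below the changed one still interpolates `$row_data->first_name` and `$row_data->last_name` unescaped into the single-quoted `title` and `alt` attributes, so a name containing a quote can break out of the attribute in the same way the dropped `userIP` parameter could; the href is escaped with `esc_url()` but the names are not. I would build the label once with `$name = esc_attr( $row_data->first_name . ' ' . $row_data->last_name );` and use `{$name}` in both attributes. Where `$user_id` and `$row_data` come from is not visible here; `single_row()` starts and ends outside this hunk.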
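--- a/wangguard-user-info.php
+++ b/wangguard-user-info.php
@@ -7,9 +7,12 @@ function wangguard_users_info() {
 global $wpdb,$wangguard_nonce, $wangguard_api_key, $blog_id;
 if ( !current_user_can('level_10') )
 die(__('Cheatin&#8217; uh?', 'wangguard'));
-$userID = $_GET["userID"];
-$userIP = $_GET["userIP"];
+$userID = absint( $_GET["userID"] );
 $user_info = get_userdata($userID);
+
+$table = $wpdb->base_prefix . 'wangguarduserstatus';
+$userIP = $wpdb->get_var( $wpdb->prepare( "SELECT user_ip FROM $table WHERE ID = %d", $userID ) );
+$userIP = $userIP ? $userIP : '';
 //$blogID = $user_info->primary_blog;
 //if ( function_exists( is_multisite() ) ) {
 //$blog_details = get_blog_details( array( 'blog_id' => $blogID ) );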
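Review bot: The new `$userID = absint( $_GET["userID"] );` still reads the key unconditionally, so a request without `userID` raises an undefined-index notice and then continues with `$userID === 0`, for which `get_userdata()` returns `false` and the prepared query runs for a user that does not exist. I would guard the read and stop early on an invalid id: `$userID = isset( $_GET['userID'] ) ? absint( $_GET['userID'] ) : 0;` followed by `if ( ! $userID ) { wp_die( __( 'Invalid user ID.', 'wangguard' ) ); }`. Moving `$userIP` from the query string to the `wangguarduserstatus` table removes the URL as an injection point, but the value is still untrusted for HTML output, so wherever the rest of `wangguard_users_info()` prints it (the body continues past this hunk) it should go through `esc_html()` or `esc_attr()` as appropriate. Whether the table's key column is really named `ID` cannot be confirmed from this hunk.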

