diff --git a/admin-management-xtended.php b/admin-management-xtended.php index 91364f9..6a7b7b1 100644 --- a/admin-management-xtended.php +++ b/admin-management-xtended.php @@ -1,7 +1,7 @@ WordPress 4.3+ only. Extends admin functionalities by introducing: toggling post/page visibility inline, changing page order with drag'n'drop, inline category management, inline tag management, changing publication date inline, changing post slug inline, toggling comment status open/closed, hide draft posts, change media order, change media description inline, toggling link visibility, changing link categories Author: Oliver Schlöbe @@ -10,7 +10,7 @@ Domain Path: /languages -Copyright 2008-2021 Oliver Schlöbe (email : scripts@schloebe.de) +Copyright 2008-2022 Oliver Schlöbe (email : scripts@schloebe.de) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -53,7 +53,7 @@ function ame_is_plugin_active( $plugin_filename ) { /** * Define the plugin version */ -define("AME_VERSION", "2.4.4"); +define("AME_VERSION", "2.4.5"); /** * Define the global var AMEISWP43, returning bool if WP 4.3 or higher is running diff --git a/css/styles.css b/css/styles.css index 0ce383e..1789906 100644 --- a/css/styles.css +++ b/css/styles.css @@ -1,7 +1,8 @@ -.status-draft, .status-future, .cannotdrop { - -moz-opacity: 0.4; +.cannotdrop { + opacity: 0.4; filter:Alpha(opacity=40, finishopacity=40, style=1); } + .ondragrow { background: #328AB2; color: #fff; @@ -11,6 +12,10 @@ color: #fff; } +#TB_ajaxContent { + overflow: hidden; +} + ul#categorychecklist { list-style: none; padding: 0; diff --git a/general-functions.php b/general-functions.php index 6363bcf..3a52d42 100644 --- a/general-functions.php +++ b/general-functions.php 
@@ -8,7 +8,7 @@ */ /* - * Copyright 2008-2020 Oliver Schlöbe (email : scripts@schloebe.de) + * Copyright 2008-2022 Oliver Schlöbe (email : scripts@schloebe.de) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -71,6 +71,8 @@ function return_function($output) { */ function ame_ajax_save_mediadesc() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['postid'] ); $new_mediadesc = $_POST['new_mediadesc']; @@ -96,6 +98,8 @@ function ame_ajax_save_mediadesc() { */ function ame_ajax_set_commentstatus() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['postid'] ); $q_status = intval( $_POST['comment_status'] ); @@ -127,6 +131,7 @@ function ame_ajax_set_commentstatus() { */ function ame_get_pageorder() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); if( !current_user_can( 'edit_pages' ) ) { die(); @@ -155,6 +160,8 @@ function ame_get_pageorder() { */ function ame_ajax_save_tags() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['postid'] ); $ame_tags = $_POST['new_tags']; @@ -200,6 +207,8 @@ function ame_ajax_save_tags() { */ function ame_ajax_get_categories() { global $wpdb, $post; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $ame_id = intval( $_POST['postid'] ); if( !current_user_can( 'edit_post', $ame_id ) ) { @@ -232,6 +241,8 @@ function ame_ajax_get_categories() { */ function ame_ajax_save_categories() { global $wpdb, $post; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['postid'] ); $ame_cats = $_POST['ame_cats']; 
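Review bot: In the ame_ajax_save_mediadesc hunk the new `check_ajax_referer( 'ame_ajax_validation', 'security' )` is the only guard visible before `$_POST['postid']` and `$_POST['new_mediadesc']` are consumed; a nonce proves the request originated from the plugin's own admin page, not that the current user is allowed to edit that attachment, so the CSRF fix is incomplete as an authorization fix unless a capability test follows further down. ame_get_pageorder and ame_ajax_get_categories in this same file show `current_user_can(...)` right after the nonce check, whereas ame_ajax_set_commentstatus, ame_ajax_save_tags and ame_ajax_save_categories here, and ame_slug_edit, ame_save_order and ame_save_title on the following hunks, do not within the shown lines. Each of these function bodies continues outside its hunk, so the check may already exist; if it does not, `if ( ! current_user_can( 'edit_post', $postid ) ) { wp_die( -1 ); }` placed directly after the nonce check gives every handler the same two-step guard. Since `$_POST['new_mediadesc']` is also stored as-is, running it through `sanitize_text_field()` (or `wp_kses_post()` if markup is intended) before the update is worth confirming below the hunk too.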
@@ -272,6 +283,8 @@ function ame_ajax_save_categories() { */ function ame_toggle_showinvisposts() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $status = intval( $_POST['status'] ); update_option( "ame_toggle_showinvisposts", $status ); @@ -300,6 +313,8 @@ function ame_ajax_toggle_imageset() { */ function ame_toggle_orderoptions() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $status = intval( $_POST['status'] ); update_option( "ame_show_orderoptions", $status ); @@ -314,6 +329,8 @@ function ame_toggle_orderoptions() { */ function ame_slug_edit() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['category_id'] ); if( is_string( $_POST['posttype'] ) ) $posttype = $_POST['posttype']; @@ -342,6 +359,8 @@ function ame_slug_edit() { */ function ame_author_edit() { global $wpdb, $current_user; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['post_id'] ); if( !current_user_can( 'edit_post', $postid ) ) { @@ -396,6 +415,8 @@ function ame_author_edit() { */ function ame_save_order() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['category_id'] ); $neworderid = intval( $_POST['new_orderid'] ); @@ -416,6 +437,8 @@ function ame_save_order() { */ function ame_save_slug() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['category_id'] ); if( !current_user_can( 'edit_post', $postid ) ) { @@ -451,6 +474,8 @@ function ame_save_slug() { */ function ame_save_author() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['category_id'] ); if( !current_user_can( 'edit_post', $postid ) ) { 
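Review bot: In the ame_toggle_showinvisposts hunk `update_option( "ame_toggle_showinvisposts", $status )` executes immediately after the nonce check with no capability test in between, and ame_toggle_orderoptions directly below has the same shape; both write a site-wide option, so the nonce alone only stops cross-site forgery and still lets any authenticated user who can reach the admin AJAX endpoint flip these settings unless a check exists before the visible lines. A `current_user_can( 'manage_options' )` (or whichever capability the plugin uses for its settings) guard, `if ( ! current_user_can( 'manage_options' ) ) { wp_die( -1 ); }`, between the two lines would close that. Both function bodies continue outside their hunks, so please confirm rather than assume.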
@@ -480,6 +505,8 @@ function ame_save_author() { */ function ame_save_title() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['category_id'] ); $new_title = $_POST['new_title']; $new_title = apply_filters( 'the_title', $new_title ); @@ -504,6 +531,8 @@ function ame_save_title() { */ function ame_set_date() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( substr( $_POST['category_id'], 10, 5 ) ); if( !current_user_can( 'edit_post', $postid ) ) { @@ -542,6 +571,8 @@ function ame_set_date() { */ function ame_toggle_visibility() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['category_id'] ); if( !current_user_can( 'edit_post', $postid ) ) { @@ -584,6 +615,8 @@ function ame_toggle_visibility() { */ function ame_toggle_sticky() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $postid = intval( $_POST['post_id'] ); if( !current_user_can( 'edit_post', $postid ) ) { @@ -612,6 +645,8 @@ function ame_toggle_sticky() { * @link http://plugins.trac.wordpress.org/browser/exclude-pages/trunk/exclude_pages.php#L162 */ function ame_toggle_excludestatus() { + check_ajax_referer( 'ame_ajax_validation', 'security' ); + if( !current_user_can( 'edit_pages' ) ) { die(); return; 
@@ -955,9 +990,20 @@ function ame_enqueue_stuff_edit() { wp_enqueue_script( 'ame_gui-modificators', AME_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME_VERSION ); - wp_enqueue_script( 'ame_miscscripts', AME_PLUGINFULLURL . "js/functions.js", array( - 'sack' - ), AME_VERSION ); + wp_register_script( + 'ame_miscscripts', + AME_PLUGINFULLURL . "js/functions.js", + array( 'jquery', 'sack' ), + AME_VERSION + ); + wp_enqueue_script( 'ame_miscscripts' ); + wp_localize_script( + 'ame_miscscripts', + 'ameAjaxSec', + array( + 'ajaxnonce' => wp_create_nonce( 'ame_ajax_validation' ) + ) + ); } add_action( 'admin_head', 'ame_css_admin_header' ); @@ -1000,9 +1046,20 @@ function ame_enqueue_stuff_linkmanager() { wp_enqueue_script( 'ame_gui-modificators', AME_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME_VERSION ); - wp_enqueue_script( 'ame_miscscripts', AME_PLUGINFULLURL . "js/functions.js", array( - 'sack' - ), AME_VERSION ); + wp_register_script( + 'ame_miscscripts', + AME_PLUGINFULLURL . "js/functions.js", + array( 'jquery', 'sack' ), + AME_VERSION + ); + wp_enqueue_script( 'ame_miscscripts' ); + wp_localize_script( + 'ame_miscscripts', + 'ameAjaxSec', + array( + 'ajaxnonce' => wp_create_nonce( 'ame_ajax_validation' ) + ) + ); } add_action( 'admin_print_scripts', 'ame_js_admin_header' ); @@ -1015,9 +1072,20 @@ function ame_enqueue_stuff_upload() { wp_enqueue_script( 'ame_gui-modificators', AME_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME_VERSION ); - wp_enqueue_script( 'ame_miscscripts', AME_PLUGINFULLURL . "js/functions.js", array( - 'sack' - ), AME_VERSION ); + wp_register_script( + 'ame_miscscripts', + AME_PLUGINFULLURL . "js/functions.js", + array( 'jquery', 'sack' ), + AME_VERSION + ); + wp_enqueue_script( 'ame_miscscripts' ); + wp_localize_script( + 'ame_miscscripts', + 'ameAjaxSec', + array( + 'ajaxnonce' => wp_create_nonce( 'ame_ajax_validation' ) + ) + ); } add_action( 'admin_print_scripts', 'ame_js_admin_header' ); 
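Review bot: The fourteen-line register/enqueue/localize block is pasted verbatim into ame_enqueue_stuff_edit, ame_enqueue_stuff_linkmanager and ame_enqueue_stuff_upload, which means the nonce action string `'ame_ajax_validation'` and the `ameAjaxSec` handle now live in three places and can drift apart on the next change. A single private helper that all three call keeps the nonce wiring in one spot; it is also the natural place for a comment explaining that every AJAX handler in the plugin validates this one shared nonce under the `security` field. Each of the three enclosing functions starts before its hunk.
```php
/**
 * Register js/functions.js (which now needs jQuery) and expose the shared
 * AJAX nonce as ameAjaxSec.ajaxnonce; every ame_* AJAX handler verifies it
 * with check_ajax_referer( 'ame_ajax_validation', 'security' ).
 */
function ame_enqueue_miscscripts() {
	wp_register_script(
		'ame_miscscripts',
		AME_PLUGINFULLURL . "js/functions.js",
		array( 'jquery', 'sack' ),
		AME_VERSION
	);
	wp_enqueue_script( 'ame_miscscripts' );
	wp_localize_script(
		'ame_miscscripts',
		'ameAjaxSec',
		array( 'ajaxnonce' => wp_create_nonce( 'ame_ajax_validation' ) )
	);
}

// … unchanged: ame_enqueue_stuff_edit up to the gui-modificators enqueue …
	ame_enqueue_miscscripts();
}
```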
diff --git a/js/functions.js b/js/functions.js index eaf6577..0c86f81 100644 --- a/js/functions.js +++ b/js/functions.js @@ -25,6 +25,7 @@ function mediadescSpanFadeOut( postid, ame_mediadesc ) { ame_sack.execute = 1; ame_sack.method = 'POST'; ame_sack.setVar( "action", "ame_ajax_save_mediadesc" ); + ame_sack.setVar( "security", ameAjaxSec.ajaxnonce ); ame_sack.setVar( "postid", postid ); ame_sack.setVar( "new_mediadesc", ame_mediadesc ); ame_sack.onError = function() { alert('Ajax error on saving media description'); }; @@ -45,7 +46,6 @@ function ame_ajax_form_tags( postid, posttags ) { var new_tags = jQuery('input#ame-new-tags' + postid).val(); tagSpanFadeOut( postid, new_tags ); }); - ame_setupSuggest( postid ); } function tagSpanFadeOut( postid, ame_tags ) { @@ -56,6 +56,7 @@ function tagSpanFadeOut( postid, ame_tags ) { ame_sack.execute = 1; ame_sack.method = 'POST'; ame_sack.setVar( "action", "ame_ajax_save_tags" ); + ame_sack.setVar( "security", ameAjaxSec.ajaxnonce ); ame_sack.setVar( "postid", postid ); ame_sack.setVar( "new_tags", ame_tags ); ame_sack.onError = function() { alert('Ajax error on saving tags'); }; @@ -73,6 +74,7 @@ function catSpanFadeOut( postid, ame_cats ) { ame_sack.execute = 1; ame_sack.method = 'POST'; ame_sack.setVar( "action", "ame_ajax_save_categories" ); + ame_sack.setVar( "security", ameAjaxSec.ajaxnonce ); ame_sack.setVar( "postid", postid ); ame_sack.setVar( "ame_cats", ame_cats ); ame_sack.onError = function() { alert('Ajax error on saving categories'); }; @@ -89,6 +91,7 @@ function ame_ajax_get_categories( postid ) { ame_sack.execute = 0; ame_sack.method = 'POST'; ame_sack.setVar( "action", "ame_ajax_get_categories" ); + ame_sack.setVar( "security", ameAjaxSec.ajaxnonce ); ame_sack.setVar( "postid", postid ); ame_sack.onError = function() { alert('Ajax error on getting categories') }; ame_sack.onCompletion = function() { 
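Review bot: In the mediadescSpanFadeOut hunk the nonce is attached by hand with `ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );`, and the identical line is then repeated in every other function of this file across the remaining hunks; the next endpoint someone adds will silently lack the nonce and fail server-side. Folding the method, action and security lines into one small helper means a request cannot set an action without also carrying the nonce. The same comment applies to all subsequent hunks of js/functions.js.
```javascript
// Sets the WP admin-ajax action on a sack request together with the plugin's
// shared nonce (ameAjaxSec.ajaxnonce is injected via wp_localize_script).
function ameSetAction( sack, action ) {
	sack.method = 'POST';
	sack.setVar( "action", action );
	sack.setVar( "security", ameAjaxSec.ajaxnonce );
}

// … unchanged: mediadescSpanFadeOut up to ame_sack.execute = 1; …
	ameSetAction( ame_sack, "ame_ajax_save_mediadesc" );
	ame_sack.setVar( "postid", postid );
```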
@@ -118,6 +121,7 @@ function linkcatSpanFadeOut( linkid, ame_linkcats ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_ajax_save_linkcategories" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "linkid", linkid );
 ame_sack.setVar( "ame_linkcats", ame_linkcats );
 ame_sack.onError = function() { alert('Ajax error on saving link categories'); };
@@ -143,6 +147,7 @@ function ame_ajax_set_commentstatus( postid, status, posttype ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_ajax_set_commentstatus" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "postid", postid );
 ame_sack.setVar( "comment_status", status );
 ame_sack.setVar( "posttype", posttype );
@@ -155,6 +160,7 @@ function ame_ajax_get_pageorder( pageordertable ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_get_pageorder" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "pageordertable2", pageordertable );
 ame_sack.onError = function() { alert('Ajax error on getting page order') };
 ame_sack.runAJAX();
@@ -165,6 +171,7 @@ function ame_ajax_toggle_imageset( setid ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_ajax_toggle_imageset" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "setid", setid );
 ame_sack.onError = function() { alert('Ajax error on toggling image set') };
 ame_sack.runAJAX();
@@ -176,6 +183,7 @@ function ame_ajax_toggle_showinvisposts( status ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_toggle_showinvisposts" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "status", status );
 ame_sack.onError = function() { alert('Ajax error on toggling post visibility') };
 ame_sack.runAJAX();
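Review bot: In the ame_ajax_toggle_imageset hunk the client now sends `security` with every request, but no hunk in this diff adds a `check_ajax_referer` to the PHP handler `ame_ajax_toggle_imageset` — general-functions.php only shows that function as header context around line 300 and its body is untouched. Unless that handler already verifies a nonce, this endpoint remains without CSRF protection even though the JavaScript side now looks covered; adding `check_ajax_referer( 'ame_ajax_validation', 'security' );` at the top of `ame_ajax_toggle_imageset()` would bring it in line with the other handlers changed here.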
@@ -187,6 +195,7 @@ function ame_ajax_toggle_orderoptions( status ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_toggle_orderoptions" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "status", status );
 ame_sack.onError = function() { alert('Ajax error on toggling page order column') };
 ame_sack.runAJAX();
@@ -199,6 +208,7 @@ function ame_ajax_order_save( cat_id, posttype ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_save_order" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "category_id", cat_id );
 ame_sack.setVar( "new_orderid", neworderid );
 ame_sack.setVar( "posttype", posttype );
@@ -212,6 +222,7 @@ function ame_slug_edit( cat_id, posttype ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_slug_edit" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "col_no", jQuery('.widefat thead tr th').length );
 ame_sack.setVar( "category_id", cat_id );
 ame_sack.setVar( "posttype", posttype );
@@ -224,6 +235,7 @@ function ame_ajax_set_visibility( post_id, status, posttype ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_toggle_visibility" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "category_id", post_id );
 ame_sack.setVar( "vis_status", status );
 ame_sack.setVar( "posttype", posttype );
@@ -236,6 +248,7 @@ function ame_ajax_set_sticky( post_id, posttype ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_toggle_sticky" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "post_id", post_id );
 ame_sack.onError = function() { alert('Ajax error on toggling sticky') };
 ame_sack.runAJAX();
@@ -246,6 +259,7 @@ function ame_ajax_set_postdate( post_id, pickedDate, posttype ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_set_date" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "category_id", post_id );
 ame_sack.setVar( "pickedDate", pickedDate );
 ame_sack.setVar( "posttype", posttype );
@@ -270,6 +284,7 @@ function ame_ajax_title_save( cat_id, posttype ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_save_title" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "category_id", cat_id );
 ame_sack.setVar( "new_title", newtitle );
 ame_sack.setVar( "posttype", posttype );
@@ -287,6 +302,7 @@ function ame_ajax_slug_save( cat_id, typenumber ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_save_slug" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "category_id", cat_id );
 ame_sack.setVar( "new_slug", newslug );
 ame_sack.setVar( "typenumber", typenumber );
@@ -300,6 +316,7 @@ function ame_ajax_author_save( cat_id, typenumber ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_save_author" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "category_id", cat_id );
 ame_sack.setVar( "newauthor", newauthor );
 ame_sack.setVar( "typenumber", typenumber );
@@ -312,6 +329,7 @@ function ame_author_edit( post_id, posttype ) {
 ame_sack.execute = 1;
 ame_sack.method = 'POST';
 ame_sack.setVar( "action", "ame_author_edit" );
+ ame_sack.setVar( "security", ameAjaxSec.ajaxnonce );
 ame_sack.setVar( "post_id", post_id );
 ame_sack.setVar( "col_no", jQuery('.widefat thead tr th').length );
 ame_sack.setVar( "posttype", posttype );
@@ -324,6 +342,7 @@ function ame_ajax_set_linkvisibility( link_id ) { ame_sack.execute = 1; ame_sack.method = 'POST'; ame_sack.setVar( "action", "ame_toggle_linkvisibility" ); + ame_sack.setVar( "security", ameAjaxSec.ajaxnonce ); ame_sack.setVar( "link_id", link_id ); ame_sack.onError = function() { alert('Ajax error on toggling link visibility') }; ame_sack.runAJAX(); @@ -339,6 +358,7 @@ function ame_ajax_set_excludestatus( page_id, status_id ) { ame_sack.execute = 1; ame_sack.method = 'POST'; ame_sack.setVar( "action", "ame_toggle_excludestatus" ); + ame_sack.setVar( "security", ameAjaxSec.ajaxnonce ); ame_sack.setVar( "pageid", page_id ); ame_sack.setVar( "statusid", status_id ); ame_sack.onError = function() { alert('Ajax error on toggling image set') }; diff --git a/link-functions.php b/link-functions.php index 37b4272..dd804e4 100644 --- a/link-functions.php +++ b/link-functions.php @@ -7,7 +7,7 @@ */ /* -Copyright 2008-2015 Oliver Schlöbe (email : scripts@schloebe.de) +Copyright 2008-2022 Oliver Schlöbe (email : scripts@schloebe.de) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -129,6 +129,8 @@ function ame_custom_column_link_categories( $ame_column_name, $ame_id ) { */ function ame_toggle_linkvisibility() { global $wpdb; + check_ajax_referer( 'ame_ajax_validation', 'security' ); + $posttype = 'link'; $linkid = intval( $_POST['link_id'] ); @@ -153,6 +155,8 @@ function ame_toggle_linkvisibility() { */ function ame_ajax_save_linkcategories() { global $wpdb; + check_ajax_referer( 'ame_ajax_save_linkcategories' ); + $linkid = (int) $_POST['linkid']; $ame_linkcats = $_POST['ame_linkcats']; diff --git a/media-functions.php b/media-functions.php index 2a5af9e..6626d41 100644 --- a/media-functions.php +++ b/media-functions.php 
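Review bot: In the ame_ajax_save_linkcategories hunk of link-functions.php the new line `check_ajax_referer( 'ame_ajax_save_linkcategories' );` does not match what the client sends: linkcatSpanFadeOut in js/functions.js posts a nonce created for the action `ame_ajax_validation` under the field `security`, while this call verifies the action `ame_ajax_save_linkcategories` and, lacking a second argument, looks for the default `_ajax_nonce`/`_wpnonce` fields. With check_ajax_referer's default behaviour the mismatch terminates the request, so saving link categories will fail for every user after this release even though the sibling handler ame_toggle_linkvisibility a few lines above is wired correctly. The line should read `check_ajax_referer( 'ame_ajax_validation', 'security' );` to match the rest of the plugin. Both function bodies continue outside their hunks.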
@@ -7,7 +7,7 @@ */ /* -Copyright 2008-2015 Oliver Schlöbe (email : webmaster@schloebe.de) +Copyright 2008-2022 Oliver Schlöbe (email : webmaster@schloebe.de) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/page-functions.php b/page-functions.php index 7d61a8a..31caa8e 100644 --- a/page-functions.php +++ b/page-functions.php @@ -7,7 +7,7 @@ */ /* -Copyright 2008-2020 Oliver Schlöbe (email : scripts@schloebe.de) +Copyright 2008-2022 Oliver Schlöbe (email : scripts@schloebe.de) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/post-functions.php b/post-functions.php index ada10b6..c0f3263 100644 --- a/post-functions.php +++ b/post-functions.php @@ -7,7 +7,7 @@ */ /* -Copyright 2008-2020 Oliver Schlöbe (email : scripts@schloebe.de) +Copyright 2008-2022 Oliver Schlöbe (email : scripts@schloebe.de) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/readme.txt b/readme.txt index 56829c7..490dbb1 100644 --- a/readme.txt +++ b/readme.txt @@ -3,7 +3,7 @@ Contributors: Alphawolf Donate link: https://www.schloebe.de/donate/ Tags: admin, ajax, management, cms, post, pages, category, inline, media, revision, link, bookmark, drag-and-drop, drag drop, Requires at least: 4.3 -Tested up to: 6.9.9999 +Tested up to: 6.1 Stable tag: trunk License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html @@ -104,6 +104,10 @@ Please visit [the official website](https://www.schloebe.de/wordpress/admin-mana == Changelog == += 2.4.5 = +* FIXED: WordPress 6.0 compatibility +* FIXED: CSRF vulnerabilities fixed (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29450) + = 2.4.4 = * FIXED: WordPress 5.5 compatibility