SECURITY PATCH: Fixes to Cross Site Scripting vulnerabilities in the …

…PMPro settings pages in the WordPress dashboard. [Advisory ID HTB23264](https://www.htbridge.com/advisory/HTB23264). (Thanks, High-Tech Bridge Security Research Lab)
strangerstudios · Jul 6, 2015 · add03e3 · add03e3
1 parent ceafce6
commit add03e3
Show file tree

Hide file tree

Showing 9 changed files with 73 additions and 70 deletions.
diff --git a/adminpages/advancedsettings.php b/adminpages/advancedsettings.php
@@ -227,10 +227,10 @@
 				<th scope="row" valign="top">&nbsp;</th>
 				<td>
 					<label for="recaptcha_publickey"><?php _e('reCAPTCHA Public Key', 'pmpro');?>:</label>
-					<input type="text" name="recaptcha_publickey" size="60" value="<?php echo $recaptcha_publickey?>" />
+					<input type="text" name="recaptcha_publickey" size="60" value="<?php echo esc_attr($recaptcha_publickey);?>" />
 					<br /><br />
 					<label for="recaptcha_privatekey"><?php _e('reCAPTCHA Private Key', 'pmpro');?>:</label>
-					<input type="text" name="recaptcha_privatekey" size="60" value="<?php echo $recaptcha_privatekey?>" />
+					<input type="text" name="recaptcha_privatekey" size="60" value="<?php echo esc_attr($recaptcha_privatekey);?>" />
 				</td>
 			</tr>
 			<tr>
@@ -296,14 +296,14 @@
                             <input id="<?php _e($field['field_name'], 'pmpro'); ?>"
                                    name="<?php _e($field['field_name'], 'pmpro'); ?>"
                                    type="<?php _e($field['field_type'], 'pmpro'); ?>"
-                                   value="<?php echo pmpro_getOption($field['field_name']); ?> ">
+                                   value="<?php echo esc_attr(pmpro_getOption($field['field_name'])); ?> ">
                             <?php
                             break;
                         case 'textarea':
                             ?>
                             <textarea id="<?php _e($field['field_name'], 'pmpro'); ?>"
                                       name="<?php _e($field['field_name'], 'pmpro'); ?>">
-                                <?php echo pmpro_getOption($field['field_name']); ?>
+                                <?php echo esc_textarea(pmpro_getOption($field['field_name'])); ?>
                             </textarea>
                             <?php
                             break;

diff --git a/adminpages/discountcodes.php b/adminpages/discountcodes.php
@@ -9,31 +9,31 @@
 	global $wpdb, $pmpro_currency_symbol;
 
 	if(isset($_REQUEST['edit']))	
-		$edit = $_REQUEST['edit'];
+		$edit = intval($_REQUEST['edit']);
 	else
 		$edit = false;
 
 	if(isset($_REQUEST['delete']))
-		$delete = $_REQUEST['delete'];
+		$delete = intval($_REQUEST['delete']);
 	else
 		$delete = false;
 
 	if(isset($_REQUEST['saveid']))
-		$saveid = $_POST['saveid'];
+		$saveid = intval($_POST['saveid']);
 	else
 		$saveid = false;			
 
 	if($saveid)
 	{
 		//get vars
-		$code = $_POST['code'];
-		$starts_month = $_POST['starts_month'];
-		$starts_day = $_POST['starts_day'];
-		$starts_year = $_POST['starts_year'];
-		$expires_month = $_POST['expires_month'];
-		$expires_day = $_POST['expires_day'];
-		$expires_year = $_POST['expires_year'];
-		$uses = $_POST['uses'];
+		$code = sanitize_text_field($_POST['code']);
+		$starts_month = intval($_POST['starts_month']);
+		$starts_day = intval($_POST['starts_day']);
+		$starts_year = intval($_POST['starts_year']);
+		$expires_month = intval($_POST['expires_month']);
+		$expires_day = intval($_POST['expires_day']);
+		$expires_year = intval($_POST['expires_year']);
+		$uses = intval($_POST['uses']);
 
 		//fix up dates		
 		$starts = date("Y-m-d", strtotime($starts_month . "/" . $starts_day . "/" . $starts_year, current_time("timestamp")));
@@ -110,7 +110,7 @@
 				{
 					//get the values ready
 					$n = array_search($level_id, $all_levels_a); 	//this is the key location of this level's values
-					$initial_payment = $initial_payment_a[$n];
+					$initial_payment = sanitize_text_field($initial_payment_a[$n]);
 
 					//is this recurring?
 					if(!empty($recurring_a))
@@ -125,10 +125,10 @@
 
 					if(!empty($recurring))
 					{
-						$billing_amount = $billing_amount_a[$n];
-						$cycle_number = $cycle_number_a[$n];
-						$cycle_period = $cycle_period_a[$n];
-						$billing_limit = $billing_limit_a[$n];
+						$billing_amount = sanitize_text_field($billing_amount_a[$n]);
+						$cycle_number = intval($cycle_number_a[$n]);
+						$cycle_period = sanitize_text_field($cycle_period_a[$n]);
+						$billing_limit = intval($billing_limit_a[$n]);
 
 						//custom trial
 						if(!empty($custom_trial_a))
@@ -143,8 +143,8 @@
 
 						if(!empty($custom_trial))
 						{
-							$trial_amount = $trial_amount_a[$n];
-							$trial_limit = $trial_limit_a[$n];
+							$trial_amount = sanitize_text_field($trial_amount_a[$n]);
+							$trial_limit = intval($trial_limit_a[$n]);
 						}
 						else
 						{
@@ -175,8 +175,8 @@
 
 					if(!empty($expiration))
 					{
-						$expiration_number = $expiration_number_a[$n];
-						$expiration_period = $expiration_period_a[$n];
+						$expiration_number = intval($expiration_number_a[$n]);
+						$expiration_period = sanitize_text_field($expiration_period_a[$n]);
 					}
 					else
 					{

diff --git a/adminpages/membershiplevels.php b/adminpages/membershiplevels.php
@@ -14,28 +14,28 @@
 	global $pmpro_stripe_error, $pmpro_braintree_error, $pmpro_payflow_error, $pmpro_twocheckout_error, $wp_version;
 
 	if(isset($_REQUEST['edit']))
-		$edit = $_REQUEST['edit'];	
+		$edit = intval($_REQUEST['edit']);
 	else
 		$edit = false;
 	if(isset($_REQUEST['copy']))
-		$copy = $_REQUEST['copy'];
+		$copy = intval($_REQUEST['copy']);
 	if(isset($_REQUEST['s']))
-		$s = $_REQUEST['s'];
+		$s = sanitize_text_field($_REQUEST['s']);
 	else
 		$s = "";
 
 	if(isset($_REQUEST['action']))
-		$action = $_REQUEST['action'];
+		$action = sanitize_text_field($_REQUEST['action']);
 	else
 		$action = false;
 
 	if(isset($_REQUEST['saveandnext']))
-		$saveandnext = $_REQUEST['saveandnext'];
+		$saveandnext = intval($_REQUEST['saveandnext']);
 
 	if(isset($_REQUEST['saveid']))
-		$saveid = $_REQUEST['saveid'];
+		$saveid = intval($_REQUEST['saveid']);
 	if(isset($_REQUEST['deleteid']))
-		$deleteid = $_REQUEST['deleteid'];
+		$deleteid = intval($_REQUEST['deleteid']);
 
 	if($action == "save_membershiplevel")
 	{
@@ -155,7 +155,7 @@
 	{
 		global $wpdb;
 
-		$ml_id = $_REQUEST['deleteid'];
+		$ml_id = intval($_REQUEST['deleteid']);
 
 		if($ml_id > 0)
 		{	  
@@ -280,7 +280,7 @@
 
 		?>
 		<form action="" method="post" enctype="multipart/form-data">
-			<input name="saveid" type="hidden" value="<?php echo $edit?>" />
+			<input name="saveid" type="hidden" value="<?php echo esc_attr($edit); ?>" />
 			<input type="hidden" name="action" value="save_membershiplevel" />
 			<table class="form-table">
 			<tbody>
@@ -571,7 +571,7 @@ function update_level_order(event, ui) {
 		<p class="search-box">
 			<label class="screen-reader-text" for="post-search-input"><?php _e('Search Levels', 'pmpro');?>:</label>
 			<input type="hidden" name="page" value="pmpro-membershiplevels" />
-			<input id="post-search-input" type="text" value="<?php echo $s?>" name="s" size="30" />
+			<input id="post-search-input" type="text" value="<?php echo esc_attr($s); ?>" name="s" size="30" />
 			<input class="button" type="submit" value="<?php _e('Search Levels', 'pmpro');?>" id="search-submit" />
 		</p>
 	</form>	

diff --git a/adminpages/memberslist-csv.php b/adminpages/memberslist-csv.php
@@ -9,12 +9,12 @@
 
 	//get users
 	if(isset($_REQUEST['s']))
-		$s = $_REQUEST['s'];
+		$s = sanitize_text_field($_REQUEST['s']);
 	else
 		$s = "";
 
 	if(isset($_REQUEST['l']))
-		$l = $_REQUEST['l'];
+		$l = intval($_REQUEST['l']);
 	else
 		$l = false;
 

diff --git a/adminpages/memberslist.php b/adminpages/memberslist.php
@@ -8,12 +8,12 @@
 	//vars
 	global $wpdb;
 	if(isset($_REQUEST['s']))
-		$s = trim($_REQUEST['s']);
+		$s = sanitize_text_field(trim($_REQUEST['s']));
 	else
 		$s = "";
 
 	if(isset($_REQUEST['l']))
-		$l = $_REQUEST['l'];
+		$l = intval($_REQUEST['l']);
 	else
 		$l = false;
 
@@ -23,7 +23,7 @@
 	<form id="posts-filter" method="get" action="">
 	<h2>
 		<?php _e('Members List', 'pmpro');?>
-		<a target="_blank" href="<?php echo admin_url('admin-ajax.php');?>?action=memberslist_csv&s=<?php echo $s?>&l=<?php echo $l?>" class="add-new-h2"><?php _e('Export to CSV', 'pmpro');?></a>
+		<a target="_blank" href="<?php echo admin_url('admin-ajax.php');?>?action=memberslist_csv&s=<?php echo esc_attr($s);?>&l=<?php echo $l?>" class="add-new-h2"><?php _e('Export to CSV', 'pmpro');?></a>
 	</h2>
 	<ul class="subsubsub">
 		<li>
@@ -48,7 +48,7 @@
 	<p class="search-box">
 		<label class="hidden" for="post-search-input"><?php _e('Search Members', 'pmpro');?>:</label>
 		<input type="hidden" name="page" value="pmpro-memberslist" />
-		<input id="post-search-input" type="text" value="<?php echo $s?>" name="s"/>
+		<input id="post-search-input" type="text" value="<?php echo esc_attr($s);?>" name="s"/>
 		<input class="button" type="submit" value="<?php _e('Search Members', 'pmpro');?>"/>
 	</p>
 	<?php
@@ -211,7 +211,7 @@
 							</td>
 							<td><?php echo $theuser->first_name?></td>
 							<td><?php echo $theuser->last_name?></td>
-							<td><a href="mailto:<?php echo $theuser->user_email?>"><?php echo $theuser->user_email?></a></td>
+							<td><a href="mailto:<?php echo esc_attr($theuser->user_email)?>"><?php echo $theuser->user_email?></a></td>
 							<?php do_action("pmpro_memberslist_extra_cols_body", $theuser);?>
 							<td>
 								<?php
@@ -248,7 +248,7 @@
 				{
 				?>
 				<tr>
-					<td colspan="9"><p><?php _e("No members found.", "pmpro");?> <?php if($l) { ?><a href="?page=pmpro-memberslist&s=<?php echo $s?>"><?php _e("Search all levels", "pmpro");?></a>.<?php } ?></p></td>
+					<td colspan="9"><p><?php _e("No members found.", "pmpro");?> <?php if($l) { ?><a href="?page=pmpro-memberslist&s=<?php echo esc_attr($s);?>"><?php _e("Search all levels", "pmpro");?></a>.<?php } ?></p></td>
 				</tr>
 				<?php
 				}

diff --git a/adminpages/orders-csv.php b/adminpages/orders-csv.php
@@ -9,52 +9,52 @@
 
 	//get users
 	if(isset($_REQUEST['s']))
-		$s = $_REQUEST['s'];
+		$s = sanitize_text_field($_REQUEST['s']);
 	else
 		$s = "";
 
 	if(isset($_REQUEST['l']))
-		$l = $_REQUEST['l'];
+		$l = intval($_REQUEST['l']);
 	else
 		$l = false;
 
 	if(isset($_REQUEST['start-month']))
-		$start_month = $_REQUEST['start-month'];
+		$start_month = intval($_REQUEST['start-month']);
 	else
 		$start_month = "1";
 
 	if(isset($_REQUEST['start-day']))
-		$start_day = $_REQUEST['start-day'];
+		$start_day = intval($_REQUEST['start-day']);
 	else
 		$start_day = "1";
 
 	if(isset($_REQUEST['start-year']))
-		$start_year = $_REQUEST['start-year'];
+		$start_year = intval($_REQUEST['start-year']);
 	else
 		$start_year = date("Y");
 
 	if(isset($_REQUEST['end-month']))
-		$end_month = $_REQUEST['end-month'];
+		$end_month = intval($_REQUEST['end-month']);
 	else
 		$end_month = date("n");
 
 	if(isset($_REQUEST['end-day']))
-		$end_day = $_REQUEST['end-day'];
+		$end_day = intval($_REQUEST['end-day']);
 	else
 		$end_day = date("j");
 
 	if(isset($_REQUEST['end-year']))
-		$end_year = $_REQUEST['end-year'];
+		$end_year = intval($_REQUEST['end-year']);
 	else
 		$end_year = date("Y");
 
 	if(isset($_REQUEST['predefined-date']))
-		$predefined_date = $_REQUEST['predefined-date'];
+		$predefined_date = sanitize_text_field($_REQUEST['predefined-date']);
 	else
 		$predefined_date = "This Month";
 
 	if(isset($_REQUEST['status']))
-		$status = $_REQUEST['status'];
+		$status = sanitize_text_field($_REQUEST['status']);
 	else
 		$status = "";