4.0.2 Security Fixes.

Author: krugazul

includes/classes/class-helpers.php

@@ -189,6 +189,11 @@ public function get_payments_by_id( $form_id = 0, $args = array() ) {
 		$current_version = get_bloginfo('version');
 		if ( version_compare( '6.2', $current_version, '<=' ) ) {
 
+			// Make sure $order only handles 2 possible values.
+			if ( 'ASC' !== $order ) {
+				$order = 'DESC';
+			}
+
 			// phpcs:disable WordPress.DB -- Start ignoring
 			$results = $wpdb->get_results(
 				$wpdb->prepare(
@@ -200,7 +205,7 @@ public function get_payments_by_id( $form_id = 0, $args = array() ) {
 					$table,
 					$form_id,
 					$args['paid'],
-					$args['orderby'],
+					$args['orderby']
 				)
 			);
 			// phpcs:enable -- Stop ignoring
@@ -214,11 +219,12 @@ public function get_payments_by_id( $form_id = 0, $args = array() ) {
 					FROM `%s` 
 					WHERE post_id = '%d'
 					AND paid = '%s'
-					ORDER BY '%s' $order",
+					ORDER BY '%s' %s",
 					$table,
 					$form_id,
 					$args['paid'],
 					$args['orderby'],
+					$order
 				)
 			);
 			// phpcs:enable -- Stop ignoring

package.json

@@ -1,6 +1,6 @@
 {
   "name": "pff-paystack",
-  "version": "4.0.1",
+  "version": "4.0.2",
   "description": "Paystack Payment forms for WordPress",
   "main": "gulpfile.js",
   "scripts": {

paystack-forms.php

@@ -3,7 +3,7 @@
   Plugin Name:  Payment Forms for Paystack
   Plugin URI:   https://github.com/PaystackHQ/Wordpress-Payment-forms-for-Paystack
   Description:  Payment Forms for Paystack allows you create forms that will be used to bill clients for goods and services via Paystack.
-  Version:      4.0.1
+  Version:      4.0.2
   Author:       Paystack
   Author URI:   http://paystack.com
   License:      GPL-2.0+
@@ -16,7 +16,7 @@
 define( 'PFF_PAYSTACK_PLUGIN_PATH', plugin_dir_path( __FILE__ ) );
 define( 'PFF_PAYSTACK_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 define( 'PFF_PAYSTACK_MAIN_FILE', __FILE__ );
-define( 'PFF_PAYSTACK_VERSION', '4.0.1' );
+define( 'PFF_PAYSTACK_VERSION', '4.0.2' );
 define( 'PFF_PAYSTACK_TABLE', 'paystack_forms_payments' );
 define( 'PFF_PLUGIN_BASENAME', plugin_basename(__FILE__) );
 define( 'PFF_PLUGIN_NAME', 'pff-paystack' );

readme.txt

@@ -4,7 +4,7 @@ Donate link: https://paystack.com/demo
 Tags: paystack, recurrent payments, donation, forms, payments
 Requires at least: 5.0
 Tested up to: 6.7
-Stable tag: 4.0.1
+Stable tag: 4.0.2
 Requires PHP: 7.4
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -91,6 +91,9 @@ If you get stuck, you can ask for help in the [Payment Forms for Paystack Plugin
 Yes you can! Join in on our [GitHub repository](https://github.com/PaystackOSS/plugin-payment-forms-for-wordpress) :)
 
 == Changelog ==
+= 4.0.2 =
+* Security Update - Adding in sanitization to the Payments List order variable.
+
 = 4.0.1 =
 * Updating the class initiation to be 7.4 compatible and additional 7.4 fixes
 * Fixing the split transaction field