From 6b078b9e910fcd111e3a6b276d46d1d4469f506f Mon Sep 17 00:00:00 2001 From: Akshay Urankar <101685739+akshayurankar48@users.noreply.github.com> Date: Mon, 23 Feb 2026 16:01:17 +0530 Subject: [PATCH 1/4] fix: strengthen nonce verification across plugin - Replace generic 'ajax_nonce' action with 'bsf_meta_box_ajax_nonce' to prevent cross-plugin nonce collision - Replace basename(__FILE__) nonce action with explicit 'bsf_meta_box_nonce_action' string - Gate bsf_reset_options() behind $nonce_verified flag so it only executes after a per-option nonce check passes - Sanitize nonce and option values in reset handler Fixes #220 --- admin/index.php | 44 ++++++++++++++++++++++++++++---------------- init.php | 12 ++++++------ 2 files changed, 34 insertions(+), 22 deletions(-) diff --git a/admin/index.php b/admin/index.php index 7258714..c03e46d 100644 --- a/admin/index.php +++ b/admin/index.php 
@@ -1167,43 +1167,55 @@ function display_status( $status ) { } } if ( isset( $_GET['action'] ) ) { - if ( 'reset' == esc_attr( $_GET['action'] ) && isset( $_GET['nonce'] ) && current_user_can( 'manage_options' ) ) { - $option_to_reset = esc_attr( $_GET['options'] ); - if ( 'review' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_item_nonce' ) ) { + if ( 'reset' == sanitize_text_field( wp_unslash( $_GET['action'] ) ) && isset( $_GET['nonce'] ) && current_user_can( 'manage_options' ) ) { + $option_to_reset = sanitize_text_field( wp_unslash( $_GET['options'] ) ); + $nonce_value = sanitize_text_field( wp_unslash( $_GET['nonce'] ) ); + $nonce_verified = false; + + if ( 'review' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_item_nonce' ) ) { delete_option( 'bsf_review' ); + $nonce_verified = true; } - if ( 'event' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_event_nonce' ) ) { + if ( 'event' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_event_nonce' ) ) { delete_option( 'bsf_event' ); + $nonce_verified = true; } - if ( 'person' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_person_nonce' ) ) { + if ( 'person' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_person_nonce' ) ) { delete_option( 'bsf_person' ); + $nonce_verified = true; } - - if ( 'product' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_product_nonce' ) ) { + if ( 'product' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_product_nonce' ) ) { delete_option( 'bsf_product' ); + $nonce_verified = true; } - if ( 'recipe' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_recipe_nonce' ) ) { + if ( 'recipe' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_recipe_nonce' ) ) { delete_option( 'bsf_recipe' ); + $nonce_verified = true; } - if ( 'software' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_software_nonce' ) ) { + if ( 'software' == 
$option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_software_nonce' ) ) { delete_option( 'bsf_software' ); + $nonce_verified = true; } - if ( 'video' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_video_nonce' ) ) { + if ( 'video' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_video_nonce' ) ) { delete_option( 'bsf_video' ); + $nonce_verified = true; } - - if ( 'article' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_article_nonce' ) ) { + if ( 'article' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_article_nonce' ) ) { delete_option( 'bsf_article' ); + $nonce_verified = true; } - if ( 'service' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_service_nonce' ) ) { + if ( 'service' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_service_nonce' ) ) { delete_option( 'bsf_service' ); + $nonce_verified = true; } - - if ( 'color' == $option_to_reset && wp_verify_nonce( $_GET['nonce'], 'aiosrs_color_nonce' ) ) { + if ( 'color' == $option_to_reset && wp_verify_nonce( $nonce_value, 'aiosrs_color_nonce' ) ) { delete_option( 'bsf_custom' ); + $nonce_verified = true; } - bsf_reset_options( $option_to_reset ); + if ( $nonce_verified ) { + bsf_reset_options( $option_to_reset ); + } } } /** diff --git a/init.php b/init.php index 8d5204e..e0a202c 100644 --- a/init.php +++ b/init.php @@ -179,7 +179,7 @@ public function add_for_page_template( $display, $meta_box ) { public function show() { global $post; // Use nonce for verification. - echo ''; + echo ''; echo ''; foreach ( $this->_meta_box['fields'] as $field ) { // Set up blank or default values for empty ones. 
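Review bot: `$_GET['options']` is read without an isset() guard on the second added line of this hunk, so a request carrying action=reset and a nonce but no options parameter raises an undefined-index warning before any nonce check runs; guard it with `$option_to_reset = isset( $_GET['options'] ) ? sanitize_text_field( wp_unslash( $_GET['options'] ) ) : '';`. The ten `if` blocks each pair an option key with a nonce action and an option name and then set the same flag, so a lookup table would make the gate on `bsf_reset_options()` a single check and keep a future addition from forgetting the flag; the rewrite below keeps every existing pairing, including `'color'` deleting `bsf_custom`, and uses `===` since both sides are strings. The handler also finishes a state-changing GET without redirecting, so the nonce URL stays in the address bar and a reload repeats the reset while the nonce is still valid; if nothing outside this hunk redirects, `wp_safe_redirect( remove_query_arg( array( 'action', 'options', 'nonce' ) ) ); exit;` after the reset would prevent that. `bsf_reset_options()` and the enclosing page code are outside the hunk.
```php
if ( isset( $_GET['action'] ) ) {
	if ( 'reset' === sanitize_text_field( wp_unslash( $_GET['action'] ) ) && isset( $_GET['nonce'] ) && current_user_can( 'manage_options' ) ) {
		$option_to_reset = isset( $_GET['options'] ) ? sanitize_text_field( wp_unslash( $_GET['options'] ) ) : '';
		$nonce_value     = sanitize_text_field( wp_unslash( $_GET['nonce'] ) );

		// option key => array( nonce action, wp_options name to delete ).
		$resettable = array(
			'review'   => array( 'aiosrs_item_nonce', 'bsf_review' ),
			'event'    => array( 'aiosrs_event_nonce', 'bsf_event' ),
			'person'   => array( 'aiosrs_person_nonce', 'bsf_person' ),
			'product'  => array( 'aiosrs_product_nonce', 'bsf_product' ),
			'recipe'   => array( 'aiosrs_recipe_nonce', 'bsf_recipe' ),
			'software' => array( 'aiosrs_software_nonce', 'bsf_software' ),
			'video'    => array( 'aiosrs_video_nonce', 'bsf_video' ),
			'article'  => array( 'aiosrs_article_nonce', 'bsf_article' ),
			'service'  => array( 'aiosrs_service_nonce', 'bsf_service' ),
			'color'    => array( 'aiosrs_color_nonce', 'bsf_custom' ),
		);

		// Only a known option whose per-option nonce verifies is deleted and reset.
		if ( isset( $resettable[ $option_to_reset ] ) && wp_verify_nonce( $nonce_value, $resettable[ $option_to_reset ][0] ) ) {
			delete_option( $resettable[ $option_to_reset ][1] );
			bsf_reset_options( $option_to_reset );
		}
	}
}
```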
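Review bot: The markup emitted by the two `echo` lines in show() is not visible in this extract, so the action string written into the nonce field cannot be confirmed to match the `'bsf_meta_box_nonce_action'` that save() now verifies against. If the hidden input is hand-built, `wp_nonce_field( 'bsf_meta_box_nonce_action', 'wp_meta_box_nonce' );` produces the same field with the value escaped and keeps the action name next to its verifier. show() continues past the end of the hunk.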
@@ -452,7 +452,7 @@ public function show() { */ public function save( $post_id ) { // verify nonce. - if ( ! isset( $_POST['wp_meta_box_nonce'] ) || ! wp_verify_nonce( esc_attr( $_POST['wp_meta_box_nonce'] ), basename( __FILE__ ) ) ) { + if ( ! isset( $_POST['wp_meta_box_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['wp_meta_box_nonce'] ) ), 'bsf_meta_box_nonce_action' ) ) { return $post_id; } // check autosave. @@ -555,7 +555,7 @@ function bsf_scripts( $hook ) { 'bsf-scripts', 'bsf_ajax_data', array( - 'ajax_nonce' => wp_create_nonce( 'ajax_nonce' ), + 'bsf_meta_box_ajax_nonce' => wp_create_nonce( 'bsf_meta_box_ajax_nonce' ), 'post_id' => get_the_ID(), ) ); @@ -571,7 +571,7 @@ function bsf_scripts( $hook ) { */ function bsf_editor_footer_scripts() { ?> */ function bsf_force_send( $args ) { - if ( ! isset( $_GET['bsf_file_upload_nonce'] ) || ! wp_verify_nonce( $_GET['bsf_file_upload_nonce'], 'ajax_nonce' ) ) { + if ( ! isset( $_GET['bsf_file_upload_nonce'] ) || ! wp_verify_nonce( $_GET['bsf_file_upload_nonce'], 'bsf_meta_box_ajax_nonce' ) ) { return $args; } // if the Gallery tab is opened from a custom meta box field, add Insert Into Post button. @@ -644,7 +644,7 @@ function cmbGetParameterByNameInline(name) { */ function bsf_oembed_ajax_results() { // verify our nonce. - if ( ! ( isset( $_REQUEST['bsf_ajax_nonce'], $_REQUEST['oembed_url'] ) && wp_verify_nonce( $_REQUEST['bsf_ajax_nonce'], 'ajax_nonce' ) ) ) { + if ( ! ( isset( $_REQUEST['bsf_ajax_nonce'], $_REQUEST['oembed_url'] ) && wp_verify_nonce( $_REQUEST['bsf_ajax_nonce'], 'bsf_meta_box_ajax_nonce' ) ) ) { die(); } // sanitize our search string. From 91ead2eadd979a298d41e6c3b271a529892fcaa2 Mon Sep 17 00:00:00 2001 
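Review bot: The nonce check in save() proves the request came from the meta box form but not that the submitter may edit this post; unless the part of save() below this hunk already does so, add `if ( ! current_user_can( 'edit_post', $post_id ) ) { return $post_id; }` after the autosave check. The sanitize_text_field()/wp_unslash() wrapping of the nonce is consistent with the admin/index.php hunk. save() continues outside the hunk.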
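Review bot: Renaming the localized key from `ajax_nonce` to `bsf_meta_box_ajax_nonce` changes the property the front-end reads from `bsf_ajax_data`, and no JavaScript change is part of this series; if bsf-scripts still reads `bsf_ajax_data.ajax_nonce`, the file-upload and oEmbed requests now send an undefined nonce and fail closed. Either confirm the script was updated or keep the old key alongside the new one for a release, `'ajax_nonce' => wp_create_nonce( 'bsf_meta_box_ajax_nonce' ),`. Only the nonce action needed to change for the collision fix, so the key could also simply stay `ajax_nonce`.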
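Review bot: The rewritten check in bsf_force_send() still hands the raw `$_GET['bsf_file_upload_nonce']` to wp_verify_nonce(), unlike the save() and admin/index.php hunks that unslash and sanitize first; use `wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['bsf_file_upload_nonce'] ) ), 'bsf_meta_box_ajax_nonce' )` for consistency. This hunk looks garbled by extraction (the `@@ -571` header runs into bsf_editor_footer_scripts() and then bsf_force_send()), so its exact boundaries are uncertain.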
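Review bot: bsf_oembed_ajax_results() passes raw `$_REQUEST['bsf_ajax_nonce']` to wp_verify_nonce() and `die()`s silently on failure; `check_ajax_referer( 'bsf_meta_box_ajax_nonce', 'bsf_ajax_nonce' );` is the WordPress idiom for an AJAX handler and dies with -1 on an invalid nonce. A nonce alone does not authorize the caller: it only ties the request to a logged-in session, so a capability check such as `current_user_can( 'edit_posts' )` would bound who can make the server fetch an arbitrary `oembed_url`. The rest of the function is outside the hunk.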
From: Akshay Urankar <101685739+akshayurankar48@users.noreply.github.com> Date: Tue, 24 Feb 2026 11:45:10 +0530 Subject: [PATCH 2/4] fix: align array arrows and equals signs per WPCS - Align 'post_id' double arrow with 'bsf_meta_box_ajax_nonce' in array - Align $return equals sign with $field_id assignment --- init.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/init.php b/init.php index 81cf552..35ad72e 100644 --- a/init.php +++ b/init.php @@ -556,7 +556,7 @@ function bsf_scripts( $hook ) { 'bsf_ajax_data', array( 'bsf_meta_box_ajax_nonce' => wp_create_nonce( 'bsf_meta_box_ajax_nonce' ), - 'post_id' => get_the_ID(), + 'post_id' => get_the_ID(), ) ); wp_enqueue_script( 'bsf-timepicker' ); @@ -670,7 +670,7 @@ function bsf_oembed_ajax_results() { if ( $check_embed && $check_embed != $fallback ) { // Embed data. $field_id = isset( $_REQUEST['field_id'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['field_id'] ) ) : ''; - $return = '
' . $check_embed . '' . __( 'Remove Embed', 'rich-snippets' ) . '
'; + $return = '
' . $check_embed . '' . __( 'Remove Embed', 'rich-snippets' ) . '
'; // set our response id. $found = 'found'; } else { From 3f106f98a8f6489b8efe58444a82bcebfa4c8381 Mon Sep 17 00:00:00 2001 From: Akshay Urankar <101685739+akshayurankar48@users.noreply.github.com> Date: Tue, 24 Feb 2026 11:46:13 +0530 Subject: [PATCH 3/4] addec changelog --- README.md | 3 +++ readme.txt | 3 +++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index 83af85a..e0d1959 100644 --- a/README.md +++ b/README.md @@ -97,6 +97,9 @@ No, the plugin provides an easy-to-use interface where you can add schema markup 4. Test the post or page URL in Google Rich Snippets Testing ## Changelog ## +### 1.7.7 ### +- Improvement: Added Security fixes. + ### 1.7.6 ### - Improvement: Updated readme.txt. diff --git a/readme.txt b/readme.txt index 85e3dbf..fcc5bbd 100644 --- a/readme.txt +++ b/readme.txt @@ -97,6 +97,9 @@ No, the plugin provides an easy-to-use interface where you can add schema markup 4. Test the post or page URL in Google Rich Snippets Testing == Changelog == +### 1.7.7 ### +- Improvement: Added Security fixes. + ### 1.7.6 ### - Improvement: Updated readme.txt. From af8abbc2e8647d60bee1feb378ec6e52abfad169 Mon Sep 17 00:00:00 2001 From: Akshay Urankar <101685739+akshayurankar48@users.noreply.github.com> Date: Tue, 24 Feb 2026 11:47:57 +0530 Subject: [PATCH 4/4] fix: correct post_id array arrow alignment to 17 spaces --- init.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init.php b/init.php index 35ad72e..f235b8a 100644 --- a/init.php +++ b/init.php @@ -556,7 +556,7 @@ function bsf_scripts( $hook ) { 'bsf_ajax_data', array( 'bsf_meta_box_ajax_nonce' => wp_create_nonce( 'bsf_meta_box_ajax_nonce' ), - 'post_id' => get_the_ID(), + 'post_id' => get_the_ID(), ) ); wp_enqueue_script( 'bsf-timepicker' );