Merge pull request #2950 from gocodebox/dev

brianhogg · web-flow · commit ae6ae80c6efb · 2025-06-11T07:16:11.000-04:00
Release 8.0.7
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,14 @@
 LifterLMS Changelog
 ===================
 
+v8.0.7 - 2025-06-11
+-------------------
+
+##### Security Fixes
+
++ Additional sanitation of the voucher field.
+
+
 v8.0.6 - 2025-04-21
 -------------------
 
diff --git a/class-lifterlms.php b/class-lifterlms.php
@@ -34,7 +34,7 @@ final class LifterLMS {
 	 *
 	 * @var string
 	 */
-	public $version = '8.0.6';
+	public $version = '8.0.7';
 
 	/**
 	 * LLMS_Assets instance
diff --git a/includes/class.llms.voucher.php b/includes/class.llms.voucher.php
@@ -76,7 +76,6 @@ protected function get_codes_table_name() {
 		global $wpdb;
 
 		return $wpdb->prefix . $this->codes_table_name;
-
 	}
 
 	/**
@@ -90,7 +89,6 @@ protected function get_product_to_voucher_table_name() {
 
 		global $wpdb;
 		return $wpdb->prefix . $this->product_to_voucher_table;
-
 	}
 
 	/**
@@ -104,7 +102,6 @@ protected function get_redemptions_table_name() {
 
 		global $wpdb;
 		return $wpdb->prefix . $this->redemptions_table;
-
 	}
 
 	/**
@@ -151,14 +148,17 @@ public function get_voucher_by_code( $code ) {
 		$table          = $this->get_codes_table_name();
 		$redeemed_table = $this->get_redemptions_table_name();
 
-		$query = "SELECT c.*, count(r.id) as used
+		$sql = $wpdb->prepare(
+			"SELECT c.*, count(r.id) as used
                   FROM $table as c
                   LEFT JOIN $redeemed_table as r
                   ON c.`id` = r.`code_id`
-                  WHERE `code` = '$code' AND `is_deleted` = 0
-                  GROUP BY c.id
-                  LIMIT 1";
-		return $wpdb->get_row( $query );
+                  WHERE c.`code` = %s AND c.`is_deleted` = 0
+                  GROUP BY c.`id`
+                  LIMIT 1",
+			$code
+		);
+		return $wpdb->get_row( $sql );
 	}
 
 	/**
@@ -199,7 +199,7 @@ public function get_voucher_code_by_code_id( $code_id ) {
 
 		$table = $this->get_codes_table_name();
 
-		$query = "SELECT * FROM $table WHERE `id` = $code_id AND `is_deleted` = 0 LIMIT 1";
+		$query = $wpdb->prepare( 'SELECT * FROM $table WHERE `id` = %d AND `is_deleted` = 0 LIMIT 1', $code_id );
 		return $wpdb->get_row( $query );
 	}
 
@@ -365,7 +365,6 @@ public function use_voucher( $code, $user_id ) {
 			return $voucher;
 
 		}
-
 	}
 
 	/**
@@ -415,7 +414,6 @@ public function get_redemptions_for_code_by_user( $code_id, $user_id ) {
 				array( $user_id, $code_id )
 			)
 		);
-
 	}
 
 	/**
diff --git a/lifterlms.php b/lifterlms.php
@@ -10,7 +10,7 @@
  * Plugin Name: LifterLMS
  * Plugin URI: https://lifterlms.com/
  * Description: Complete e-learning platform to sell online courses, protect lessons, offer memberships, and quiz students. WP Learning Management System.
- * Version: 8.0.6
+ * Version: 8.0.7
  * Author: LifterLMS
  * Author URI: https://lifterlms.com/
  * Text Domain: lifterlms
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "lifterlms",
-  "version": "8.0.6",
+  "version": "8.0.7",
   "description": "LifterLMS by codeBOX",
   "repository": {
     "type": "git",

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ final class LifterLMS {`
`34`	`34`	`*`
`35`	`35`	`* @var string`
`36`	`36`	`*/`
`37`		`- public $version = '8.0.6';`
	`37`	`+ public $version = '8.0.7';`
`38`	`38`
`39`	`39`	`/**`
`40`	`40`	`* LLMS_Assets instance`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "lifterlms",`
`3`		`- "version": "8.0.6",`
	`3`	`+ "version": "8.0.7",`
`4`	`4`	`"description": "LifterLMS by codeBOX",`
`5`	`5`	`"repository": {`
`6`	`6`	`"type": "git",`