WPCasa 1.4.2

Author: codestylist

README.txt

@@ -6,7 +6,7 @@ Tags: listings, property, real-estate, rental, realtor
 Requires at least: 6.2
 Requires PHP: 7.2
 Tested up to: 6.8
-Stable tag: 1.4.1
+Stable tag: 1.4.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -231,6 +231,12 @@ Andrea Manzato
 [Simon Rimkus](https://github.com/simonrimkus)
 
 == Changelog ==
+= 1.4.2 =
+* FIX: Vulnerable to cross site scripting (XSS) with shortcodes 'wpsight_listings_map' reported by Muhammad Yudha - DJ on Patchstack - Thank you for that!
+* FIX: Vulnerable to API code injection reported by mikemyers from Wordfence - Thank you for that!
+* FIX: Deprecated message "Creation of dynamic property"
+* FIX: "Trying to access array offset on false" on settings page
+
 = 1.4.1 =
 * FIX: The license page may show an error under certain circumstances
 

includes/admin/class-wpsight-admin-page-about.php

@@ -110,14 +110,35 @@ public function output() : void {
                             </style>
 
                             <ul class="tabs" data-tabgroup="first-tab-group">
-                                <li class="tab"><a href="#version-1-4-1" class="active">v1.4.1</a></li>
+                                <li class="tab"><a href="#version-1-4-2" class="active">v1.4.2</a></li>
+                                <li class="tab"><a href="#version-1-4-1">v1.4.1</a></li>
                                 <li class="tab"><a href="#version-1-4-0">v1.4.0</a></li>
                                 <li class="tab"><a href="#version-1-3-1">v1.3.1</a></li>
-                                <li class="tab"><a href="#version-1-3-0" >v1.3.0</a></li>
                                 <li><a href="https://wordpress.org/plugins/wpcasa/#developers" target="_blank"><?php echo esc_html__( 'More', 'wpcasa' ); ?></a></li>
                             </ul>
 
                             <section id="first-tab-group" class="tabgroup">
+                                <div id="version-1-4-2">
+                                    <p>Version: 1.4.2</p>
+                                    <table>
+                                        <tr>
+                                            <td><span class="changelog-entry-fix">Hotfix</span></td>
+                                            <td>Vulnerable to cross site scripting (XSS) with shortcodes 'wpsight_listings_map' reported by Muhammad Yudha - DJ at Patchstack</td>
+                                        </tr>
+                                        <tr>
+                                            <td><span class="changelog-entry-fix">Hotfix</span></td>
+                                            <td>Vulnerable to API code injection reported by mikemyers from Wordfence</td>
+                                        </tr>
+                                        <tr>
+                                            <td><span class="changelog-entry-fix">Fix</span></td>
+                                            <td>Deprecated message "Creation of dynamic property"</td>
+                                        </tr>
+                                        <tr>
+                                            <td><span class="changelog-entry-fix">Fix</span></td>
+                                            <td>"Trying to access array offset on false" on settings page</td>
+                                        </tr>
+                                    </table>
+                                </div>
                                 <div id="version-1-4-1">
                                     <p>Version: 1.4.1</p>
                                     <table>
@@ -186,6 +207,29 @@ public function output() : void {
                                     </table>
                                 </div>
 
+                            </section>
+
+                            <script type="text/javascript">
+                            jQuery(document).ready(function($) {                      
+                                $('.tabgroup > div').hide();
+                                $('.tabgroup > div:first-of-type').show();
+                                $('.tabs .tab a').click(function(e){
+                                    e.preventDefault();
+                                    var $this = $(this),
+                                    tabgroup = '#'+$this.parents('.tabs').data('tabgroup'),
+                                    others = $this.closest('.tab').siblings().children('a'),
+                                    target = $this.attr('href');
+                                    others.removeClass('active');
+                                    $this.addClass('active');
+                                    $(tabgroup).children('div').hide();
+                                    $(target).show();
+                                })
+                            });
+                            </script>
+
+                        </div>
+
+                        <?php /*?>
                                 <div id="version-1-3-0">
                                     <p>Version: 1.3.0</p>
                                     <table>
@@ -224,29 +268,6 @@ public function output() : void {
                                     </table>
                                 </div>
 
-                            </section>
-
-                            <script type="text/javascript">
-                            jQuery(document).ready(function($) {                      
-                                $('.tabgroup > div').hide();
-                                $('.tabgroup > div:first-of-type').show();
-                                $('.tabs .tab a').click(function(e){
-                                    e.preventDefault();
-                                    var $this = $(this),
-                                    tabgroup = '#'+$this.parents('.tabs').data('tabgroup'),
-                                    others = $this.closest('.tab').siblings().children('a'),
-                                    target = $this.attr('href');
-                                    others.removeClass('active');
-                                    $this.addClass('active');
-                                    $(tabgroup).children('div').hide();
-                                    $(target).show();
-                                })
-                            });
-                            </script>
-
-                        </div>
-
-                        <?php /*?>
                                  <div id="version-1-2-13">
                                     <p>Version: 1.2.13</p>
                                     <table>

includes/admin/views/option-measurement.php

@@ -16,12 +16,18 @@
     $value = wpsight_get_option( $option['id'] );
     if( !isset( $value ) && isset( $option['default'] ) ) $value = $option['default'];
     $measurement = $value;
-
+	if( ! isset( $measurement['label'] ) ) {
+	  $measurement['label'] = '';
+	}
+    if( ! isset( $measurement['unit'] ) ) {
+		$measurement['label'] = '';
+	  $measurement['unit'] = '';
+    }
     $placeholder = isset( $option['placeholder'] ) ? 'placeholder="' . $option['placeholder'] . '"'	: '';
 ?>
 
   <div class="wpsight-settings-field wpsight-settings-field-text">
-    <input id="setting-<?php echo esc_attr( $option_css ); ?>_label" class="regular-text" type="text" name="<?php echo esc_attr( $option_id ) . '[label]'; ?>" value="<?php echo esc_attr( $measurement['label'] ); ?>" <?php echo esc_attr( implode( ' ', $attributes ) ); ?> <?php echo esc_attr( $placeholder ); ?> />
+    <input id="setting-<?php echo esc_attr( $option_css ); ?>_label" class="regular-text" type="text" name="<?php echo esc_attr( $option_id ) . '[label]'; ?>" value="<?php echo esc_attr($measurement['label'] ); ?>" <?php echo esc_attr(implode(' ', $attributes ) ); ?> <?php echo esc_attr($placeholder ); ?> />
   </div>
 
   <div class="wpsight-settings-field wpsight-settings-field-radio">
@@ -30,7 +36,6 @@
 
     foreach ( wpsight_measurements() as $key => $unit ) {
       $id = $option_css .'-'. $key;
-
       ?>
 
       <input id="setting-<?php echo esc_attr( $id ); ?>" name="<?php echo esc_attr( $option_id ); ?>[unit]" type="radio" value="<?php echo esc_attr( $key ); ?>" <?php echo esc_html( implode( ' ', $attributes ) ); ?> <?php checked( esc_attr( $measurement['unit'] ), esc_attr( $key ) ); ?> />

includes/class-wpsight-api.php

@@ -1,75 +1,134 @@
 <?php
+/**
+ * Secure WPSight API Handler.
+ *
+ * Hardened version of the original WPSight_API class.
+ *
+ * @package WPCasa
+ * @since 1.0.0
+ * @updated 1.4.2
+ */
+
 // Exit if accessed directly
 if ( ! defined( 'ABSPATH' ) ) exit;
 
-/**
- * WPSight_API class
- */
 class WPSight_API {
 
 	/**
-	 * Constructor
+	 * Constructor.
 	 */
 	public function __construct() {
-		add_filter( 'query_vars', array( $this, 'add_query_vars'), 0 );
-		add_action( 'parse_request', array( $this, 'api_requests'), 0 );
+		// Ensure query var is registered early.
+		add_filter( 'query_vars', array( $this, 'add_query_vars' ), 0 );
+
+		// Register API request handler.
+		add_action( 'parse_request', array( $this, 'api_requests' ), 0 );
 	}
 
 	/**
-	 * add_query_vars()
-	 *
-	 * @access public
+	 * Register custom query vars.
 	 *
-	 * @since 1.0.0
+	 * @param array $vars List of public query vars.
+	 * @return array
 	 */
 	public function add_query_vars( $vars ) {
 		$vars[] = 'wpsight-api';
 		return $vars;
 	}
 
 	/**
-	 * add_endpoint()
-	 *
-	 * @access public
-	 *
-	 * @since 1.0.0
-	 */
-	public function add_endpoint() {
-		add_rewrite_endpoint( 'wpsight-api', EP_ALL );
-	}
-
-	/**
-	 * api_requests()
-	 *
-	 * @access public
+	 * Securely handle API requests.
 	 *
-	 * @since 1.0.0
+	 * @return void
 	 */
 	public function api_requests() {
 		global $wp;
 
-		if ( ! empty( $_GET['wpsight-api'] ) )
-			$wp->query_vars['wc-api'] = sanitize_text_field( $_GET['wpsight-api'] );
+		// 1) Preferred getter.
+		$raw = get_query_var( 'wpsight-api' );
 
-		if ( ! empty( $wp->query_vars['wc-api'] ) ) {
-			// Buffer, we won't want any output here
-			ob_start();
+		// 2) Fallback: directly from $wp->query_vars.
+		if ( empty( $raw ) && isset( $wp->query_vars['wpsight-api'] ) ) {
+			$raw = $wp->query_vars['wpsight-api'];
+		}
 
-			// Get API trigger
-			$api = strtolower( esc_attr( $wp->query_vars['wpsight-api'] ) );
+		// 3) Last resort: direct $_GET.
+		if ( empty( $raw ) && ! empty( $_GET['wpsight-api'] ) ) {
+			$raw = sanitize_text_field( wp_unslash( $_GET['wpsight-api'] ) );
+		}
 
-			// Load class if exists
-			if ( class_exists( $api ) )
-				$api_class = new $api();
+		// No request found → exit early.
+		if ( empty( $raw ) ) {
+			return;
+		}
 
-			// Trigger actions
-			do_action( 'wpsight_api_' . $api );
+		// Sanitize to a valid key.
+		$api = sanitize_key( $raw );
 
-			// Done, clear buffer and exit
+		if ( empty( $api ) ) {
+			return;
+		}
+
+		/**
+		 * Build allow-list of allowed API endpoints.
+		 *
+		 * IMPORTANT: Replace or extend this list in your theme or plugin
+		 * using the 'wpsight_api_allowed_endpoints' filter.
+		 *
+		 * Example:
+		 *
+		 * add_filter( 'wpsight_api_allowed_endpoints', function( $allowed ) {
+		 *     $allowed['ping'] = array( 'class' => null );
+		 *     return $allowed;
+		 * } );
+		 */
+		$allowed = apply_filters(
+			'wpsight_api_allowed_endpoints',
+			array()
+		);
+
+		// If API is not allowed, block access.
+		if ( ! isset( $allowed[ $api ] ) ) {
+			wp_die(
+				sprintf(
+				/* translators: %s: API endpoint slug */
+					esc_html__( 'Endpoint "%s" not allowed.', 'wpcasa' ),
+					$api
+				),
+				esc_html__( 'Forbidden', 'wpcasa' ),
+				array( 'response' => 403 )
+			);
+		}
+
+		// Start output buffering.
+		ob_start();
+
+		// Optional: safe class instantiation if explicitly allowed.
+		if ( ! empty( $allowed[ $api ]['class'] ) && class_exists( $allowed[ $api ]['class'] ) ) {
+			new $allowed[ $api ]['class']();
+		}
+
+		/**
+		 * Trigger API action hook.
+		 *
+		 * Example usage:
+		 * add_action( 'wpsight_api_ping', function() {
+		 *     echo 'pong';
+		 * } );
+		 */
+		do_action( 'wpsight_api_' . $api );
+
+		// In development mode, allow buffer output for easier testing.
+		if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
+			ob_end_flush();
+		} else {
 			ob_end_clean();
-			die('1');
 		}
+
+		// Maintain old behaviour for backward compatibility.
+		die( '1' );
 	}
 }
 
+// Instantiate the class.
 new WPSight_API();