Enhanced security issue

pluginever · Jul 30, 2024 · 49f527b · 49f527b
1 parent 08eec4c
commit 49f527b
Show file tree

Hide file tree

Showing 8 changed files with 371 additions and 496 deletions.
diff --git a/composer.lock b/composer.lock
diff --git a/src/Admin/ListTables/ActivationsTable.php b/src/Admin/ListTables/ActivationsTable.php
@@ -123,7 +123,7 @@ protected function extra_tablenav( $which ) {
 	 * @since 1.4.6
 	 */
 	public function process_bulk_actions( $doaction ) {
-		if ( $doaction && check_ajax_referer( 'bulk-activations' ) ) {
+		if ( $doaction && check_ajax_referer( 'bulk-activations' ) && current_user_can( wcsn_get_manager_role() ) ) {
 			if ( isset( $_REQUEST['id'] ) ) {
 				$ids = wp_parse_id_list( wp_unslash( $_REQUEST['id'] ) );
 			} elseif ( isset( $_REQUEST['ids'] ) ) {

diff --git a/src/Admin/ListTables/KeysTable.php b/src/Admin/ListTables/KeysTable.php
@@ -210,7 +210,8 @@ public function no_items() {
 	 * @return array $views All the views sellable
 	 */
 	public function get_views() {
-		$current         = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		wp_verify_nonce( '_nonce' );
+		$current         = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : '';
 		$available_count = '&nbsp;<span class="count">(' . $this->available_count . ')</span>';
 		$pending_count   = '&nbsp;<span class="count">(' . $this->pending_count . ')</span>';
 		$sold_count      = '&nbsp;<span class="count">(' . $this->sold_count . ')</span>';
@@ -291,7 +292,7 @@ protected function extra_tablenav( $which ) {
 	 * @since 1.4.6
 	 */
 	public function process_bulk_actions( $doaction ) {
-		if ( $doaction && check_ajax_referer( 'bulk-' . $this->_args['plural'] ) ) {
+		if ( $doaction && check_ajax_referer( 'bulk-' . $this->_args['plural'] ) && current_user_can( wcsn_get_manager_role() ) ) {
 			if ( wp_unslash( isset( $_REQUEST['id'] ) ) ) {
 				$ids = wp_parse_id_list( wp_unslash( $_REQUEST['id'] ) );
 			} elseif ( isset( $_REQUEST['ids'] ) ) {

diff --git a/src/Admin/ListTables/ListTable.php b/src/Admin/ListTables/ListTable.php
@@ -36,7 +36,8 @@ class ListTable extends \WP_List_Table {
 	 * @return mixed Un-sanitized request var
 	 */
 	protected function get_request_var( $param = '', $fallback = false ) {
-		return isset( $_REQUEST[ $param ] ) ? sanitize_text_field( wp_unslash( $_REQUEST[ $param ] ) ) : $fallback; // phpcs:ignore WordPress.Security.NonceVerification
+		wp_verify_nonce( '_nonce' );
+		return isset( $_REQUEST[ $param ] ) ? sanitize_text_field( wp_unslash( $_REQUEST[ $param ] ) ) : $fallback;
 	}
 
 	/**

diff --git a/src/Admin/Menus.php b/src/Admin/Menus.php
@@ -44,7 +44,9 @@ public function __construct() {
 	 * @since 1.4.6
 	 */
 	public function setup_screen() {
-		if ( isset( $_GET['edit'] ) || isset( $_GET['delete'] ) || isset( $_GET['add'] ) || isset( $_GET['generate'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		wp_verify_nonce( '_nonce' );
+
+		if ( isset( $_GET['edit'] ) || isset( $_GET['delete'] ) || isset( $_GET['add'] ) || isset( $_GET['generate'] ) ) {
 			return;
 		}
 
@@ -201,8 +203,9 @@ public function promo_menu() {
 	 * @return void
 	 */
 	public function output_main_page() {
-		$add  = isset( $_GET['add'] ) ? true : false;  // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-		$edit = isset( $_GET['edit'] ) ? absint( $_GET['edit'] ) : 0; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		wp_verify_nonce( '_nonce' );
+		$add  = isset( $_GET['add'] ) ? true : false;
+		$edit = isset( $_GET['edit'] ) ? absint( $_GET['edit'] ) : 0;
 		if ( $edit ) {
 			$key = new Key( $edit );
 			if ( ! $key->exists() ) {
@@ -239,6 +242,7 @@ public function output_activations_page() {
 	 * @return void
 	 */
 	public function output_tools_page() {
+		wp_verify_nonce( '_nonce' );
 		$tabs = array(
 			'generators' => __( 'Generators', 'wc-serial-numbers' ),
 			'api'        => __( 'API Toolkit', 'wc-serial-numbers' ),
@@ -253,8 +257,8 @@ public function output_tools_page() {
 
 		$tabs        = apply_filters( 'wc_serial_numbers_tools_tabs', $tabs );
 		$tab_ids     = array_keys( $tabs );
-		$current_tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : reset( $tab_ids ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-		$page        = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$current_tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : reset( $tab_ids );
+		$page        = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
 
 		Admin::view(
 			'html-tools.php',
@@ -273,14 +277,15 @@ public function output_tools_page() {
 	 * @return void
 	 */
 	public function output_reports_page() {
+		wp_verify_nonce( '_nonce' );
 		$tabs = array(
 			'stock' => __( 'Stock', 'wc-serial-numbers' ),
 		);
 
 		$tabs        = apply_filters( 'wc_serial_numbers_reports_tabs', $tabs );
 		$tab_ids     = array_keys( $tabs );
-		$current_tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : reset( $tab_ids ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-		$page        = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		$current_tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : reset( $tab_ids );
+		$page        = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
 
 		Admin::view(
 			'html-reports.php',
@@ -299,8 +304,9 @@ public function output_reports_page() {
 	 * @return void
 	 */
 	public function go_pro_redirect() {
-		if ( isset( $_GET['page'] ) && 'go_wcsn_pro' === $_GET['page'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
-			wp_redirect( 'https://pluginever.com/plugins/woocommerce-serial-numbers-pro/?utm_source=admin-menu&utm_medium=link&utm_campaign=upgrade&utm_id=wc-serial-numbers' ); // phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect
+		wp_verify_nonce( '_nonce' );
+		if ( isset( $_GET['page'] ) && 'go_wcsn_pro' === $_GET['page'] ) {
+			wp_safe_redirect( 'https://pluginever.com/plugins/woocommerce-serial-numbers-pro/?utm_source=admin-menu&utm_medium=link&utm_campaign=upgrade&utm_id=wc-serial-numbers' );
 			die;
 		}
 	}

diff --git a/src/Admin/Metaboxes.php b/src/Admin/Metaboxes.php
@@ -168,6 +168,12 @@ public static function product_save_data() {
 		if ( ! isset( $_POST['woocommerce_meta_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['woocommerce_meta_nonce'] ) ), 'woocommerce_save_data' ) ) {
 			return;
 		}
+
+		// Must have WC Serial Numbers manager role to access this endpoint.
+		if ( ! current_user_can( wcsn_get_manager_role() ) ) {
+			return;
+		}
+
 		$status = isset( $_POST['_is_serial_number'] ) ? 'yes' : 'no';
 		$source = isset( $_POST['_serial_key_source'] ) ? sanitize_text_field( wp_unslash( $_POST['_serial_key_source'] ) ) : 'custom_source';
 		update_post_meta( $post->ID, '_is_serial_number', $status );

diff --git a/src/Admin/Notices.php b/src/Admin/Notices.php
@@ -112,6 +112,12 @@ public function output_notices() {
 	 */
 	public function dismiss_notice() {
 		check_ajax_referer( 'wc_serial_numbers_dismiss_notice', 'nonce' );
+
+		// Must have WC Serial Numbers manager role to access this endpoint.
+		if ( ! current_user_can( wcsn_get_manager_role() ) ) {
+			wp_die();
+		}
+
 		$notice_id = isset( $_POST['notice_id'] ) ? sanitize_text_field( wp_unslash( $_POST['notice_id'] ) ) : '';
 		if ( $notice_id ) {
 			update_option( 'wc_serial_numbers_dismissed_notices', array_merge( get_option( 'wc_serial_numbers_dismissed_notices', array() ), array( $notice_id ) ) );

diff --git a/src/Admin/views/html-list-keys.php b/src/Admin/views/html-list-keys.php
@@ -37,7 +37,8 @@
 
 	<form id="wcsn-keys-table" method="get">
 		<?php
-		$status = isset( $_GET['status'] ) ? sanitize_text_field( wp_unslash( $_GET['status'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		wp_verify_nonce( '_nonce' );
+		$status = isset( $_GET['status'] ) ? sanitize_text_field( wp_unslash( $_GET['status'] ) ) : '';
 		$list_table->prepare_items();
 		$list_table->views();
 		$list_table->search_box( __( 'Search key', 'wc-serial-numbers' ), 'key' );