

vulnerable to Cross Site Scripting (XSS) #1626
ritakikani committed Feb 16, 2024
1 parent 7803410 commit 6fc9c9c
Showing 8 changed files with 30 additions and 26 deletions.
2 changes: 1 addition & 1 deletion admin/wp-event-manager-cpt.php
Expand Up @@ -279,7 +279,7 @@ public function post_updated_messages($messages) {
2 => __('Custom field updated.', 'wp-event-manager'),
3 => __('Custom field deleted.', 'wp-event-manager'),
4 => sprintf(wp_kses('%s updated.', 'wp-event-manager'), $wp_post_types['event_listing']->labels->singular_name),
5 => isset($_GET['revision']) ? sprintf(wp_kses('%1$s restored to revision from %2$s', 'wp-event-manager'), $wp_post_types['event_listing']->labels->singular_name, wp_post_revision_title((int) $_GET['revision'], false)) : false,
5 => isset($_GET['revision']) ? sprintf(wp_kses('%1$s restored to revision from %2$s', 'wp-event-manager'), $wp_post_types['event_listing']->labels->singular_name, wp_post_revision_title((int) esc_attr($_GET['revision']), false)) : false,
6 => sprintf(wp_kses('%1$s published. <a href="%2$s">View</a>', 'wp-event-manager'), $wp_post_types['event_listing']->labels->singular_name, esc_url(get_permalink($post_ID))),
7 => sprintf('%s saved.', 'wp-event-manager'), $wp_post_types['event_listing']->labels->singular_name,
8 => sprintf(wp_kses('%1$s submitted. <a target="_blank" href="%2$s">Preview</a>', 'wp-event-manager'), $wp_post_types['event_listing']->labels->singular_name, esc_url(add_query_arg('preview', 'true', get_permalink($post_ID)))),
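Review bot: `(int) esc_attr($_GET['revision'])` gains nothing from esc_attr(): the `(int)` cast already reduces the value to an integer, and esc_attr() is an HTML output escaper rather than an input sanitizer, so its presence here only suggests the cast was insufficient. `wp_post_revision_title(absint($_GET['revision']), false)` states the intent directly. The same int-cast-plus-esc_attr() pattern is added in admin/wp-event-manager-setup.php (`absint(esc_attr($_GET['step']))`), the three forms `__construct` hunks, includes/wp-event-manager-post-types.php (`posts_per_page`) and templates/event-dashboard.php (`event_id`). On the unchanged context line for message 7, the closing parenthesis after `'wp-event-manager'` ends the sprintf() early, so `$wp_post_types['event_listing']->labels->singular_name` becomes a separate array element and the message never receives the label; that predates this commit. post_updated_messages() continues outside the hunk.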
8 changes: 4 additions & 4 deletions admin/wp-event-manager-setup.php
Expand Up @@ -22,7 +22,7 @@ public function __construct() {
add_action('admin_menu', array($this, 'admin_menu'), 12);
add_action('admin_head', array($this, 'admin_head'));
add_action('admin_init', array($this, 'redirect'));
if(isset($_GET['page']) && 'event-manager-setup' === $_GET['page']) {
if(isset($_GET['page']) && 'event-manager-setup' === esc_attr($_GET['page'])) {
add_action('admin_enqueue_scripts', array($this, 'admin_enqueue_scripts'), 12);
}
}
Expand Down Expand Up @@ -53,7 +53,7 @@ public function admin_head() {
public function redirect() {
global $pagenow;

if(isset($_GET['page']) && $_GET['page'] === 'event-manager-setup') {
if(isset($_GET['page']) && esc_attr($_GET['page']) === 'event-manager-setup') {
if(get_option('wpem_installation', false)) {
wp_redirect(admin_url('index.php'));
exit;
Expand All @@ -72,7 +72,7 @@ public function redirect() {
if(is_network_admin() || isset($_GET['activate-multi']) || defined('IFRAME_REQUEST')) {
return;
}
if((isset($_GET['action']) && 'upgrade-plugin' == $_GET['action']) && (isset($_GET['plugin']) && strstr($_GET['plugin'], 'wp-event-manager.php'))) {
if((isset($_GET['action']) && 'upgrade-plugin' == esc_attr($_GET['action'])) && (isset($_GET['plugin']) && strstr(esc_attr($_GET['plugin']), 'wp-event-manager.php'))) {
return;
}
wp_redirect(admin_url('index.php?page=event-manager-setup'));
Expand Down Expand Up @@ -114,7 +114,7 @@ public function create_page($title, $content, $option) {
* Output addons page.
*/
public function output() {
$step = !empty($_GET['step']) ? absint($_GET['step']) : 1;
$step = !empty($_GET['step']) ? absint(esc_attr($_GET['step'])) : 1;
if(isset($_GET['skip-event-manager-setup']) === 1) {
update_option('wpem_installation', 0);
update_option('wpem_installation_skip', 1);
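Review bot: The esc_attr() calls added around `$_GET['page']`, `$_GET['action']` and `$_GET['plugin']` do not change the security posture of these lines: the values are only compared against fixed strings or passed to strstr(), never rendered, so there was no output sink to escape, and esc_attr() is not an input sanitizer. If the aim is to sanitize the request value before use, `sanitize_key(wp_unslash($_GET['page']))` matches a page slug, and the `==` on the `upgrade-plugin` line should become `===` while the line is being touched. The unchanged context line `isset($_GET['skip-event-manager-setup']) === 1` is always false because isset() returns a bool, so that branch never runs; that predates this commit. redirect() and output() both continue outside their hunks.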
2 changes: 1 addition & 1 deletion forms/wp-event-manager-form-submit-event.php
Expand Up @@ -51,7 +51,7 @@ public function __construct() {
if( isset( $_POST['step'] ) ) {
$this->step = is_numeric( $_POST['step'] ) ? max( absint( $_POST['step'] ), 0 ) : array_search( $_POST['step'], array_keys( $this->steps ) );
} elseif ( !empty( $_GET['step'] ) ) {
$this->step = is_numeric( $_GET['step'] ) ? max( absint( $_GET['step'] ), 0 ) : array_search( $_GET['step'], array_keys( $this->steps ) );
$this->step = is_numeric( $_GET['step'] ) ? max( absint( esc_attr($_GET['step'] )), 0 ) : array_search( esc_attr($_GET['step']), array_keys( $this->steps ) );
}

$this->event_id = !empty( $_REQUEST['event_id'] ) ? absint( $_REQUEST[ 'event_id' ] ) : 0;
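Review bot: The fix escapes only the `$_GET['step']` branch; the `$_POST['step']` branch one line above is the same code path and still feeds the raw value to absint()/array_search(), so the two branches now disagree (the same asymmetry is in forms/wp-event-manager-form-submit-organizer.php and forms/wp-event-manager-form-submit-venue.php). esc_attr() also does not help here, because `$this->step` is derived either through absint() or by matching against the keys of `$this->steps`, so the input-side call is `sanitize_text_field(wp_unslash($_GET['step']))` applied to both branches, with `array_search(..., true)` so a non-matching value cannot be loosely matched to a key. array_search() still returns false when nothing matches and that is stored in `$this->step` as before. The constructor continues outside the hunk.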
2 changes: 1 addition & 1 deletion forms/wp-event-manager-form-submit-organizer.php
Expand Up @@ -45,7 +45,7 @@ public function __construct() {
if(isset($_POST['step'])) {
$this->step = is_numeric($_POST['step']) ? max(absint($_POST['step']), 0) : array_search($_POST['step'], array_keys($this->steps));
} elseif(!empty($_GET['step'])) {
$this->step = is_numeric($_GET['step']) ? max(absint($_GET['step']), 0) : array_search($_GET['step'], array_keys($this->steps));
$this->step = is_numeric($_GET['step']) ? max(absint(esc_attr($_GET['step'])), 0) : array_search(esc_attr($_GET['step']), array_keys($this->steps));
}

$this->organizer_id =!empty($_REQUEST['organizer_id']) ? absint($_REQUEST[ 'organizer_id' ]) : 0;
2 changes: 1 addition & 1 deletion forms/wp-event-manager-form-submit-venue.php
Expand Up @@ -45,7 +45,7 @@ public function __construct() {
if(isset($_POST['step'])) {
$this->step = is_numeric($_POST['step']) ? max(absint($_POST['step']), 0) : array_search($_POST['step'], array_keys($this->steps));
} elseif(!empty($_GET['step'])) {
$this->step = is_numeric($_GET['step']) ? max(absint($_GET['step']), 0) : array_search($_GET['step'], array_keys($this->steps));
$this->step = is_numeric(esc_attr($_GET['step'])) ? max(absint(esc_attr($_GET['step'])), 0) : array_search(esc_attr($_GET['step']), array_keys($this->steps));
}
$this->venue_id = !empty($_REQUEST['venue_id']) ? absint($_REQUEST[ 'venue_id' ]) : 0;
if(!event_manager_user_can_edit_event($this->venue_id)) {
30 changes: 17 additions & 13 deletions includes/wp-event-manager-post-types.php
Expand Up @@ -458,23 +458,24 @@ public function event_feed() {
'post_type' => 'event_listing',
'post_status' => $post_status,
'ignore_sticky_posts' => 1,
'posts_per_page' => isset($_GET['posts_per_page']) ? absint($_GET['posts_per_page']) : -1,
'posts_per_page' => isset($_GET['posts_per_page']) ? absint(esc_attr($_GET['posts_per_page'])) : -1,
'tax_query' => array(),
'meta_query' => array()
);
if(!empty($_GET['search_location'])) {
$search_location = esc_html($_GET['search_location']);
$location_meta_keys = array('geolocation_formatted_address', '_event_location', 'geolocation_state_long');
$location_search = array('relation' => 'OR');
foreach($location_meta_keys as $meta_key) {
$location_search[] = array(
'key' => $meta_key,
'value' => $_GET['search_location'],
'value' => $search_location,
'compare' => 'like',
'type' => 'char',
);
$location_search[] = array(
'key' => $meta_key,
'value' => trim(preg_replace("/[^a-zA-Z,\s]/", "", $_GET['search_location']), ','),
'value' => trim(preg_replace("/[^a-zA-Z,\s]/", "", $search_location), ','),
'compare' => 'like',
'type' => 'char',
);
Expand Down Expand Up @@ -515,11 +516,11 @@ public function event_feed() {
}

if(!empty($_GET['search_ticket_prices'])) {

if($_GET['search_ticket_prices'] =='ticket_price_paid') {
$ticket_price_value='paid';
} else if($_GET['search_ticket_prices'] =='ticket_price_free') {
$ticket_price_value='free';
$search_ticket_prices = esc_attr($_GET['search_ticket_prices']);
if($search_ticket_prices =='ticket_price_paid') {
$ticket_price_value='paid';
} else if($search_ticket_prices =='ticket_price_free') {
$ticket_price_value='free';
}
$ticket_search[] = array(
'key' => '_event_ticket_options',
Expand All @@ -530,9 +531,10 @@ public function event_feed() {
}

if(!empty($_GET['search_event_types'])) {
$cats = explode(',', esc_attr($_GET['search_event_types'])) + array(0);
$search_event_types = esc_attr($_GET['search_event_types']);
$cats = explode(',', $search_event_types) + array(0);
$field = is_numeric($cats) ? 'term_id' : 'slug';
$operator = 'all' === get_option('event_manager_event_type_filter_type', 'all') && sizeof($args['search_event_types']) > 1 ? 'AND' : 'IN';
$operator = 'all' === get_option('event_manager_event_type_filter_type', 'all') && sizeof($search_event_types) > 1 ? 'AND' : 'IN';
$query_args['tax_query'][] = array(
'taxonomy' => 'event_listing_type',
'field' => $field,
Expand All @@ -543,9 +545,10 @@ public function event_feed() {
}

if(!empty($_GET['search_categories'])) {
$cats = explode(',', esc_attr($_GET['search_categories'])) + array(0);
$search_categories = esc_attr($_GET['search_categories']);
$cats = explode(',', $search_categories) + array(0);
$field = is_numeric($cats) ? 'term_id' : 'slug';
$operator = 'all' === get_option('event_manager_category_filter_type', 'all') && sizeof($args['search_categories']) > 1 ? 'AND' : 'IN';
$operator = 'all' === get_option('event_manager_category_filter_type', 'all') && sizeof($search_categories) > 1 ? 'AND' : 'IN';
$query_args['tax_query'][] = array(
'taxonomy' => 'event_listing_category',
'field' => $field,
Expand All @@ -554,7 +557,8 @@ public function event_feed() {
'operator' => $operator
);
}
if($event_manager_keyword = esc_attr($_GET['search_keywords'])) {
if(!empty($_GET['search_keywords'])) {
$event_manager_keyword = esc_attr($_GET['search_keywords']);
$query_args['s'] = $event_manager_keyword;
add_filter('posts_search', 'get_event_listings_keyword_search');
}
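Review bot: `sizeof($search_event_types) > 1` and `sizeof($search_categories) > 1` call count() on a string, which throws a TypeError on PHP 8, so the feed fails as soon as an event type or category filter is present; the quantity being compared is the split list, i.e. `count($cats) > 1` in both places. `is_numeric($cats)` on those same arrays is always false, so `$field` is always 'slug'; that predates this commit. Replacing the raw value with `esc_html($_GET['search_location'])` in the meta_query value changes matching rather than security: WP_Query parameterizes meta values, while esc_html() turns `'` and `&` into entities so a location containing an apostrophe no longer matches the stored meta, and `sanitize_text_field(wp_unslash(...))` is the input-side call. event_feed() starts and ends outside the hunks.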
4 changes: 2 additions & 2 deletions shortcodes/wp-event-manager-shortcodes.php
Expand Up @@ -663,11 +663,11 @@ public function output_events($atts){
}

if(!empty($_GET['search_location'])) {
$location = esc_attr($_GET['search_location']);
$location = esc_html($_GET['search_location']);
}

if(!empty($_GET['search_datetime'])) {
$selected_datetime = esc_attr($_GET['search_datetime']);
$selected_datetime = esc_html($_GET['search_datetime']);
}

if(!empty($_GET['search_category'])) {
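Review bot: Swapping esc_attr() for esc_html() on `$location` and `$selected_datetime` moves between two output escapers without changing what the code does with the values; both calls sit at the input boundary, and if these variables are later used as query or date-parsing inputs (not visible in the hunk) esc_html() will already have converted `&`, `'` and `<` into entities. The input-side call is `sanitize_text_field(wp_unslash($_GET['search_location']))`, with esc_attr() or esc_html() applied at the point where the value is echoed. output_events() continues outside the hunk.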
6 changes: 3 additions & 3 deletions templates/event-dashboard.php
Expand Up @@ -4,8 +4,8 @@
<div class="wpem-main-vmenu-dashboard-nav" id="wpem-main-vmenu-dashboard-nav">
<ul class="wpem-main-vmenu-dashboard-ul">
<?php
$current_action = isset($_GET['action']) ? sanitize_title( $_GET['action'] ): 'event_dashboard';
$event_id = isset($_GET['event_id']) ? absint($_GET['event_id']) : '';
$current_action = isset($_GET['action']) ? esc_attr( $_GET['action'] ): 'event_dashboard';
$event_id = isset($_GET['event_id']) ? absint(esc_attr($_GET['event_id'])) : '';
$menus = [
'event_dashboard' => [
'title' => __('Events', 'wp-event-manager'),
Expand Down Expand Up @@ -124,7 +124,7 @@
<div class="wpem-events-filter">
<?php do_action('event_manager_event_dashboard_event_filter_start'); ?>
<div class="wpem-events-filter-block">
<?php $search_keywords = isset($_GET['search_keywords']) ? $_GET['search_keywords'] : ''; ?>
<?php $search_keywords = isset($_GET['search_keywords']) ? esc_attr($_GET['search_keywords']) : ''; ?>
<div class="wpem-form-group"><input name="search_keywords" id="search_keywords" type="text" value="<?php echo esc_attr($search_keywords); ?>" placeholder="<?php _e('Keywords', 'wp-event-manager'); ?>"></div>
</div>
<div class="wpem-events-filter-block">
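Review bot: Replacing `sanitize_title($_GET['action'])` with `esc_attr($_GET['action'])` is a regression: sanitize_title() reduced the value to a slug, which is presumably what `$current_action` is matched against the `$menus` keys as, whereas esc_attr() only HTML-encodes and leaves every other character in place. Keep `$current_action = isset($_GET['action']) ? sanitize_title( $_GET['action'] ): 'event_dashboard';` (sanitize_key() would also fit). In the second hunk `$search_keywords` is now escaped on read and again with esc_attr() on echo one line below; the echo is the right place, so the read should be `sanitize_text_field(wp_unslash($_GET['search_keywords']))` so the variable also stays usable as a plain search term. Both hunks are inside template code that starts and ends outside the view.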
