Merge pull request #122 from TycheSoftwares/Fix-#security

Fixed Cross Site Request Forgery (CSRF) vulnerability.
TycheSoftwares · Mar 13, 2024 · 9479f61 · 9479f61
2 parents 446d4ab + 544b60f
commit 9479f61
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 5 deletions.
diff --git a/includes/component/tracking-data/assets/js/dismiss-notice.js b/includes/component/tracking-data/assets/js/dismiss-notice.js
@@ -28,7 +28,8 @@ jQuery(document).ready( function() {
 				jQuery(this).slideUp( 100, function() {
 					jQuery(this).remove();
 					var data = {
-						action: ts_dismiss_notice.ts_prefix_of_plugin + "_admin_notices"
+						action: ts_dismiss_notice.ts_prefix_of_plugin + "_admin_notices",
+						tracking_notice : ts_dismiss_notice.tracking_notice
 					};
 					var admin_url = ts_dismiss_notice.ts_admin_url;
 

diff --git a/includes/component/tracking-data/ts-tracking.php b/includes/component/tracking-data/ts-tracking.php
@@ -277,7 +277,7 @@ public static function ts_schedule_cron_job () {
 	 * @access public
 	 */
 	public static function ts_admin_notices_scripts() {
-
+		$nonce = wp_create_nonce( 'tracking_notice' );
         wp_enqueue_script(
             'ts_dismiss_notice',
 			self::$ts_file_path . '/assets/js/dismiss-notice.js',
@@ -300,6 +300,10 @@ public static function ts_admin_notices_scripts() {
 	 */
 
     public static function ts_admin_notices() {
+		$nonce = $_POST['tracking_notice'];//phpcs:ignore
+		if ( ! wp_verify_nonce( $nonce, 'tracking_notice' ) ) {
+			return;
+		}
         update_option( self::$plugin_prefix . '_allow_tracking', 'dismissed' );
         FAQ_TS_Tracker::ts_send_tracking_data( false );
         die();

diff --git a/plugin.php b/plugin.php
@@ -4,7 +4,7 @@
  * Plugin URI: https://www.tychesoftwares.com/
  * Description: Plugin to handle the display of FAQs
  *
- * Version: 1.9.2
+ * Version: 1.9.3
  *
  * Author: Tyche Softwares
  * Author URI: https://www.tychesoftwares.com/
@@ -44,7 +44,7 @@ class Arconix_FAQ {
 	 * @since   1.6.0
 	 */
 	public function __construct() {
-		$this->version = '1.9.2';
+		$this->version = '1.9.3';
 		$this->inc     = trailingslashit( plugin_dir_path( __FILE__ ) . '/includes' );
 		$this->load_dependencies();
 		$this->load_admin();

diff --git a/readme.txt b/readme.txt
@@ -2,7 +2,7 @@
 Contributors: jgardner03, tychesoftwares, shasvat
 Tags: arconix, faq, toggle, accordion, faq plugin, frequently asked questions
 Requires at least: 3.8
-Tested up to: 5.7
+Tested up to: 6.4.3
 Stable tag: trunk
 
 Arconix FAQ provides an easy way to add FAQ items to your website.
@@ -101,6 +101,9 @@ That's fantastic! Feel free to open an issue or submit a pull request over at [G
 
 == Changelog ==
 
+= 1.9.3 =
+* Fix - Cross Site Request Forgery (CSRF) vulnerability.
+
 = 1.9.2 =
 * Compatibility with WordPress 5.5