From c32fcc40cf0e9fc24011bbcb63fd07028c9be76b Mon Sep 17 00:00:00 2001
From: Codebard
Date: Wed, 29 Nov 2023 01:06:18 +0000
Subject: [PATCH] Patched minor vulnerability. Added Patchstack program info.

---
 classes/patreon_wordpress.php | 12 +++++++++---
 patreon.php | 4 ++--
 readme.txt | 14 +++++++++++++-
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/classes/patreon_wordpress.php b/classes/patreon_wordpress.php
index 397aa92..1633bef 100644
--- a/classes/patreon_wordpress.php
+++ b/classes/patreon_wordpress.php
@@ -2016,7 +2016,7 @@ public static function setup_wizard() {
 echo '';
 $patreon_wordpress_nonce_save_post_sync_options = wp_create_nonce();
- echo '

How should posts be synced?

' . $api_version_warning . $setup_message . '
Sync posts to this category
'. PATREON_POST_SYNC_5 .'
Author for imported posts
'. PATREON_POST_SYNC_6 .'
Update local posts from the ones at Patreon
'. PATREON_POST_SYNC_2 .'
Delete local post when Patreon post is deleted
'. PATREON_POST_SYNC_3 .'

';
+ echo '

How should posts be synced?

' . $api_version_warning . $setup_message . '
Sync posts to this category
'. PATREON_POST_SYNC_5 .'
Author for imported posts
'. PATREON_POST_SYNC_6 .'
Update local posts from the ones at Patreon
'. PATREON_POST_SYNC_2 .'
Delete local post when Patreon post is deleted
'. PATREON_POST_SYNC_3 .'

';
 echo '
';
@@ -2025,7 +2025,13 @@ public static function setup_wizard() {
 $setup_message = PATREON_POST_SYNC_4;
- // Check if any post sync field
+ // Check if any post sync field
+
+
+ if ( !isset($_POST['patreon_wordpress_nonce_save_post_sync_options']) OR !wp_verify_nonce( $_POST['patreon_wordpress_nonce_save_post_sync_options']) ) {
+ echo '
Form security field expired - please refresh the page and try again
';
+ exit;
+ }
 if ( isset( $_REQUEST['patreon_message'] ) AND $_REQUEST['patreon_message'] != '' ) {
 $setup_message = Patreon_Frontend::$messages_map[$_REQUEST['patreon_message']];
@@ -2281,7 +2287,7 @@ public static function populate_patreon_level_select_from_ajax() {
 }
 if ( !isset($_POST['patreon_wordpress_nonce_populate_tier_dropdown']) OR !wp_verify_nonce( $_POST['patreon_wordpress_nonce_populate_tier_dropdown'], 'patreon_wordpress_nonce_populate_tier_dropdown') ) {
- 'Form security field expired - please refresh the page and try again';
+ echo 'Form security field expired - please refresh the page and try again';
 exit;
 }
diff --git a/patreon.php b/patreon.php
index a921178..9201280 100644
--- a/patreon.php
+++ b/patreon.php
@@ -4,7 +4,7 @@
 Plugin Name: Patreon Wordpress
 Plugin URI: https://www.patreon.com/apps/wordpress
 Description: Patron-only content, directly on your website.
-Version: 1.8.7
+Version: 1.8.8
 Author: Patreon
 Author URI: https://patreon.com */
@@ -68,7 +68,7 @@
 define( "PATREON_CREATOR_BYPASSES_FILTER_MESSAGE", 'This content is for Patrons only, it\'s not locked for you because you are logged in as the Patreon creator' );
 define( "PATREON_NO_LOCKING_LEVEL_SET_FOR_THIS_POST", 'Post is already public. If you would like to lock this post, please set a pledge level for it' );
 define( "PATREON_NO_POST_ID_TO_UNLOCK_POST", 'Sorry - could not get the post id for this locked post' );
-define( "PATREON_WORDPRESS_VERSION", '1.8.7' );
+define( "PATREON_WORDPRESS_VERSION", '1.8.8' );
 define( "PATREON_WORDPRESS_BETA_STRING", '' );
 define( "PATREON_WORDPRESS_PLUGIN_SLUG", plugin_basename( __FILE__ ) );
 define( "PATREON_PRIVACY_POLICY_ADDENDUM", '
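Review bot: The new check `wp_verify_nonce( $_POST['patreon_wordpress_nonce_save_post_sync_options'] )` passes no action, so it validates against WordPress's default action rather than a form-specific one; it does match the unchanged `wp_create_nonce()` context line in the 2016 hunk, but the tier-dropdown check in the 2287 hunk binds its nonce to a named action and this form should do the same. Change creation to `wp_create_nonce( 'patreon_wordpress_nonce_save_post_sync_options' )` and the check to `wp_verify_nonce( $_POST['patreon_wordpress_nonce_save_post_sync_options'], 'patreon_wordpress_nonce_save_post_sync_options' )`. The check is also placed ahead of the `patreon_message` branch rather than inside a submit-only path; if this stretch of setup_wizard also runs on the initial GET render (its control flow lies outside the hunk), the page would exit with the expiry message before the form is ever shown, so confirm it is reached only after a POST. setup_wizard starts before and ends after this hunk.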
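Review bot: The restored `echo` sends the expiry message with a normal 200 response before `exit`, so a caller of this handler (an AJAX endpoint, judging by the function name) can only detect the rejected nonce by matching the message text. Adding `status_header( 403 );` immediately before the `echo` lets the client treat it as an error without changing the message. populate_patreon_level_select_from_ajax starts before this hunk.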

Patreon features in this website

In order to enable you to use this website with Patreon services, we save certain functionally important Patreon information about you in this website if you log in with Patreon.
diff --git a/readme.txt b/readme.txt
index 89373a6..5366863 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: patreon, membership, members
 Requires at least: 4.0
 Requires PHP: 5.4
 Tested up to: 6.4.1
-Stable tag: 1.8.7
+Stable tag: 1.8.8
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -79,6 +79,10 @@ It is difficult to protect videos due the intensive bandwidth requirements of h
 == Upgrade Notice ==
+= 1.8.8 =
+
+* Minor CSRF vulnerability fixed
+
 = 1.8.7 =
 * Issue with not being able to save some options in the options page was fixed. (Post sync options etc)
@@ -482,8 +486,16 @@ Not at all - you can post different content totally independently at your site a
 Nothing will be changed at your site - the plugin will just connect your site to Patreon to allow communication in between your site and Patreon.
+How can I report security bugs?
+
+You can report security bugs through the Patchstack Vulnerability Disclosure Program. The Patchstack team help validate, triage and handle any security vulnerabilities. [Report a security vulnerability.](https://patchstack.com/database/vdp/patreon-connect)
+
 == Changelog ==
+= 1.8.8 =
+
+* Minor CSRF vulnerability fixed
+
 = 1.8.7 =
 * Issue with not being able to save some options in the options page was fixed. (Post sync options etc)