Merge pull request #151 from rchmura/release242

Ted sync code with version 242 from wordpress

lib/admin/controllers/gallery/edit.php

@@ -170,6 +170,7 @@ private static function _set_active_theme($theme_name)
    */
   public function vimeography_refresh_gallery_cache()
   {
+    $this->nonceSecurityCheck("nonce_refresh_gallery_cache");
     if ($this->_cache->exists()) {
       $this->_cache->delete();
     }
@@ -180,6 +181,27 @@ public function vimeography_refresh_gallery_cache()
       'message' => __('Your videos have been refreshed.', 'vimeography')
     );
   }
+
+  /**
+   * nonceSecurityCheck
+   * Check nonce value in the session.
+   *
+   * @param  mixed $nonceKey
+   * @return void
+   */
+  private function nonceSecurityCheck($nonceKey){
+        // Vérifier que le nonce existe dans la session
+        if (!isset($_SESSION[$nonceKey])) {
+          wp_die(__('Security check failed.', 'vimeography'));
+      }
+
+      // Vérifier le nonce avec wp_verify_nonce pour plus de sécurité
+      if (!wp_verify_nonce($_SESSION[$nonceKey], $nonceKey)) {
+          wp_die(__('Security check failed.', 'vimeography'));
+      }
+
+      unset($_SESSION[$nonceKey]);
+  }
 
   /**
    * Removes the custom CSS file associated with
@@ -189,6 +211,7 @@ public function vimeography_refresh_gallery_cache()
    */
   public function vimeography_refresh_gallery_appearance()
   {
+    $this->nonceSecurityCheck("nonce_refresh_gallery_appearance");
     if (
       file_exists(
         VIMEOGRAPHY_CUSTOMIZATIONS_PATH .
@@ -231,6 +254,7 @@ public function gallery()
    */
   public function vimeography_set_gallery_theme($input)
   {
+    $this->nonceSecurityCheck("nonce_set_gallery_theme");
     // if this fails, check_admin_referer() will automatically print a "failed" page and die.
     if (
       check_admin_referer(

lib/admin/menu.php

@@ -266,14 +266,31 @@ public function vimeography_render_template()
    */
   public static function vimeography_process_actions()
   {
+
     if (isset($_POST['vimeography-action'])) {
+      self::setActionNonce($_POST['vimeography-action']);
       do_action('vimeography_action_' . $_POST['vimeography-action'], $_POST);
     }
 
     if (isset($_GET['vimeography-action'])) {
+      self::setActionNonce($_GET['vimeography-action']);
       do_action('vimeography_action_' . $_GET['vimeography-action'], $_GET);
     }
   }
+
+  /**
+   * setActionNonce create and save nonce in the session
+   *
+   * @param  mixed $key
+   * @return void
+   */
+  private static function setActionNonce($key){
+    $key = "nonce_$key";
+    // Générer le nonce
+    $nonce = wp_create_nonce($key);
+    // Stocker le nonce dans la session
+    $_SESSION[$key] = $nonce;
+  }
 
   /**
    * Sets the galleries per page in the screen options on the gallery list page.

readme.txt

@@ -3,7 +3,7 @@ Contributors: iamdavekiss, videogallery
 Tags: video gallery, gallery, video, vimeo, vimeo gallery
 Requires at least: 4.7
 Tested up to: 6.4
-Stable tag: 2.4.1
+Stable tag: 2.4.2
 License: GPL-3.0
 
 The easiest way to create beautiful Vimeo video galleries on your WordPress site.
@@ -139,6 +139,10 @@ Vimeography will load your template for the defined module instead of the defaul
 
 == Changelog ==
 
+= 2.4.2
+* [Fix] Vulnerability issue: Fix vulnerability to Cross Site Request Forgery (CSRF). 
+* [Update] Adding Nonce Verification in vimeography_action_ Hooks
+
 = 2.4.1
 * [Fix] Vulnerability issue: Fix the vulnerability in lodash. 
 * [Update] Installation of Patched versions version ^4.17.21 and regeneration of directories located in vimeography-harvestone/.

vimeography.php

@@ -3,7 +3,7 @@
 Plugin Name: Vimeography
 Plugin URI: https://vimeography.com
 Description: Vimeography is the easiest way to set up a custom Vimeo gallery on your site.
-Version: 2.4.1
+Version: 2.4.2
 Requires PHP: 5.3
 Author: Dave Kiss
 Author URI: https://davekiss.com