Fix nonce bypass issue and tested plugin with WordPress version 6.4.4 (…

…#133) * WIP * WIP * Fix nonce bypass issue & Tested with WordPress version 6.4.4 * Fix Style CI
glowlogix · Mar 9, 2024 · d8eb353 · d8eb353
1 parent 5ad2662
commit d8eb353
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 41 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,10 +4,14 @@ All notable changes to this project will be documented in this file, per [the Ke
 
 ## [Unreleased]
 
-## [1.3.3] - 2023-01-29
+## [1.3.4] - 2024-02-23
+- Tested with WordPress version 6.4.4 #132
+- Fix nonce bypass issue
+
+## [1.3.3] - 2024-01-29
 - Fix WP nonce verification issue   #130
 
-## [1.3.2] - 2023-01-06
+## [1.3.2] - 2024-01-06
 - Tested with WordPress version 6.4.2
 - fix logout issue from frontend #123
 - Fix vulnerable to privilege escalation #124

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 > WP Frontend Profile allows users to edit/view their profile and register/login without going into the dashboard to do so.
 
-[![Release Version](https://img.shields.io/github/release/glowlogix/wp-frontend-profile.svg)](https://github.com/glowlogix/wp-frontend-profile/releases/latest) [![GitHub Issues](https://img.shields.io/github/issues/glowlogix/wp-frontend-profile)](#github-issues) ![WordPress tested up to version](https://img.shields.io/badge/WordPress-v5.9%20tested-success.svg) [![GPLv2 License](https://img.shields.io/github/license/glowlogix/wp-frontend-profile.svg)](https://github.com/glowlogix/wp-frontend-profile/blob/master/LICENSE.md) [![Build Status](https://travis-ci.com/glowlogix/wp-frontend-profile.svg?branch=master)](https://travis-ci.com/glowlogix/wp-frontend-profile)
+[![Release Version](https://img.shields.io/github/release/glowlogix/wp-frontend-profile.svg)](https://github.com/glowlogix/wp-frontend-profile/releases/latest) [![GitHub Issues](https://img.shields.io/github/issues/glowlogix/wp-frontend-profile)](#github-issues) ![WordPress tested up to version](https://img.shields.io/badge/WordPress-v6.4%20tested-success.svg) [![GPLv2 License](https://img.shields.io/github/license/glowlogix/wp-frontend-profile.svg)](https://github.com/glowlogix/wp-frontend-profile/blob/master/LICENSE.md) [![Build Status](https://travis-ci.com/glowlogix/wp-frontend-profile.svg?branch=master)](https://travis-ci.com/glowlogix/wp-frontend-profile)
 
 WP Frontend Profile gives you the ability to add a extensible user profile section to the frontend of your WordPress website. By default the plugin adds two tabs to the frontend profile. One of these tabs, titled profile, allows a user to edit their user data including email, first and last names, URL and bio (description). The password tab allows a user to change their password for the site.
 

diff --git a/functions/wpfep-functions.php b/functions/wpfep-functions.php
@@ -567,17 +567,20 @@ function wpfep_decryption($id)
  */
 function wpfep_hide_review_ask()
 {
-    if (isset($_POST['_wpnonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'wpfep_feedback_action')) {
-        $ask_review_date = isset($_POST['Ask_Review_Date']) ? sanitize_text_field(wp_unslash($_POST['Ask_Review_Date'])) : '';
+    if (isset($_POST['_wpnonce'])) {
+        if (wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'wpfep_feedback_action')) {
+            $ask_review_date = isset($_POST['Ask_Review_Date']) ? sanitize_text_field(wp_unslash($_POST['Ask_Review_Date'])) : '';
 
-        if (get_option('wpfep_Ask_Review_Date') < time() + 3600 * 24 * $ask_review_date) {
-            update_option('wpfep_Ask_Review_Date', time() + 3600 * 24 * $ask_review_date);
+            if (get_option('wpfep_Ask_Review_Date') < time() + 3600 * 24 * $ask_review_date) {
+                update_option('wpfep_Ask_Review_Date', time() + 3600 * 24 * $ask_review_date);
+            }
+        } else {
+            wp_die('Nonce verification failed.');
         }
     } else {
-        wp_die();
+        wp_die('Nonce value not set.');
     }
 
-    die();
 }
 add_action('wp_ajax_wpfep_hide_review_ask', 'wpfep_hide_review_ask');
 
@@ -586,16 +589,20 @@ function wpfep_hide_review_ask()
  */
 function wpfep_send_feedback()
 {
-    if (isset($_POST['_wpnonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'wpfep_feedback_action')) {
-        $headers   = 'Content-type: text/html;charset=utf-8' . "\r\n";
-        $feedback  = 'Feedback: <br>';
-        $feedback .= isset($_POST['Feedback']) ? sanitize_text_field(wp_unslash($_POST['Feedback'])) : '';
-        $feedback .= '<br /><br /> site url: <a href=' . site_url() . '>' . site_url() . '</a>';
-        $feedback .= '<br />Email Address: ';
-        $feedback .= isset($_POST['EmailAddress']) ? sanitize_text_field(wp_unslash($_POST['EmailAddress'])) : '';
-        wp_mail('[email protected]', 'WP Frontend Profile Plugin Feedback', $feedback, $headers);
+    if (isset($_POST['_wpnonce'])) {
+        if (wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'wpfep_feedback_action')) {
+            $headers   = 'Content-type: text/html;charset=utf-8' . "\r\n";
+            $feedback  = 'Feedback: <br>';
+            $feedback .= isset($_POST['Feedback']) ? sanitize_text_field(wp_unslash($_POST['Feedback'])) : '';
+            $feedback .= '<br /><br /> site url: <a href=' . site_url() . '>' . site_url() . '</a>';
+            $feedback .= '<br />Email Address: ';
+            $feedback .= isset($_POST['EmailAddress']) ? sanitize_text_field(wp_unslash($_POST['EmailAddress'])) : '';
+            wp_mail('[email protected]', 'WP Frontend Profile Plugin Feedback', $feedback, $headers);
+        } else {
+            wp_die('Nonce verification failed.');
+        }
     } else {
-        wp_die();
+        wp_die('Nonce value not set.');
     }
 }
 add_action('wp_ajax_wpfep_send_feedback', 'wpfep_send_feedback');

diff --git a/inc/class-wpfep-login.php b/inc/class-wpfep-login.php
@@ -258,8 +258,8 @@ public function login_form()
          */
         public function process_login()
         {
-            if (! empty($_POST['wpfep_login']) && ! empty($_POST['_wpnonce'])) {
-                if (!wp_verify_nonce(sanitize_key($_POST['_wpnonce']), 'wpfep_login_action')) {
+            if (!empty($_POST['wpfep_login'])) {
+                if (empty($_POST['_wpnonce']) || !wp_verify_nonce(sanitize_key($_POST['_wpnonce']), 'wpfep_login_action')) {
                     wp_die();
                 }
                 $creds                 = array();
@@ -433,7 +433,9 @@ public function process_reset_password()
                     $args['key']   = $_POST['key'];
                     $args['login'] = sanitize_text_field(wp_unslash($_POST['login']));
 
-                    if (isset($_POST['_wpnonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'wpfep_reset_pass')) {
+                    if (!isset($_POST['_wpnonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'wpfep_reset_pass')) {
+                        wp_die();
+                    } else {
                         if (empty($_POST['pass1']) || empty($_POST['pass2'])) {
                             $this->login_errors[] = __('Please enter your password.', 'wpfep');
                             return;
@@ -491,10 +493,6 @@ public function process_reset_password()
                             wp_redirect(add_query_arg('reset', 'true', remove_query_arg(array('key', 'login'))));
                             exit;
                         }
-                    } else {
-                        // Nonce is not valid, handle the error or exit
-                        $this->login_errors[] = __('Invalid nonce.', 'wpfep');
-                        return;
                     }
                 }
             }
@@ -511,7 +509,9 @@ public function retrieve_password()
         {
             global $wpdb, $wp_hasher;
 
-            if (isset($_POST['_wpnonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'wpfep_lost_pass')) {
+            if (!isset($_POST['_wpnonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'wpfep_lost_pass')) {
+                wp_die();
+            } else {
                 if (empty($_POST['user_login'])) {
                     $this->login_errors[] = __('Enter a username or e-mail address.', 'wpfep');
                     return;
@@ -527,6 +527,9 @@ public function retrieve_password()
                 }
             }
 
+            do_action('lostpassword_post');
+
+
             do_action('lostpassword_post');
 
             if ($this->login_errors) {

diff --git a/inc/class-wpfep-registration.php b/inc/class-wpfep-registration.php
@@ -105,11 +105,10 @@ public function registration_form()
         public function process_registration()
         {
             if (! empty($_POST['wpfep_registration']) && ! empty($_POST['_wpnonce'])) {
-                if (isset($_POST['_wpnonce'])) {
-                    $nonce_action = 'wpfep_registration_action';
-                    if (!wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), $nonce_action)) {
-                        wp_die();
-                    }
+                $nonce_action = 'wpfep_registration_action';
+
+                if (!isset($_POST['_wpnonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), $nonce_action)) {
+                    wp_die();
                 }
 
                 $userdata = array();
@@ -430,15 +429,13 @@ public function show_errors()
         public function get_post_value($key)
         {
             // Check if the nonce is set in the POST request
-            if (isset($_POST['_wpnonce'])) {
-                // Verify the nonce
-                $nonce_verified = wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), 'wpfep_registration_action');
+            $nonce_action = 'wpfep_registration_action';
 
-                if (!$nonce_verified) {
-                    return '';
-                }
+            if (!isset($_POST['_wpnonce']) || !wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['_wpnonce'])), $nonce_action)) {
+                return '';
             }
 
+
             // Check if the key is set in the POST request
             if (isset($_POST[$key])) {
                 return esc_attr(sanitize_text_field(wp_unslash($_POST[$key])));

diff --git a/readme.txt b/readme.txt
@@ -4,8 +4,8 @@ Contributors: glowlogix, wpmarkuk
 Donate link: https://www.glowlogix.com
 Tags: profile, users, user meta, register, login
 Requires at least: 4.0.1
-Tested up to: 6.4.2
-Stable tag: 1.3.3
+Tested up to: 6.4.4
+Stable tag: 1.3.4
 Requires PHP: 5.2.17
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html

diff --git a/wp-frontend-profile.php b/wp-frontend-profile.php
@@ -3,7 +3,7 @@
  * Plugin Name: WP Frontend Profile
  * Plugin URI: https://wordpress.org/plugins/wp-front-end-profile/
  * Description: This plugin allows users to easily edit their profile information on the frontend rather than having to go into the dashboard to make changes to password, email address and other user meta data.
- * Version:     1.3.3
+ * Version:     1.3.4
  * @package wp-front-end-profile
  * Author:      Glowlogix
  * Author URI:  https://www.glowlogix.com
@@ -17,7 +17,7 @@
  * Main class for WP Frontend Profile.
  */
 if (! defined('WPFEP_VERSION')) {
-    define('WPFEP_VERSION', '1.3.3');
+    define('WPFEP_VERSION', '1.3.4');
 }
 if (! defined('WPFEP_PATH')) {
     define('WPFEP_PATH', plugin_dir_path(__FILE__));