

CVE-2021-3133: Changeset 2454670 – WordPress Plugin Repository

The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.


r2187370 r2454670 66 * Description: A simple plugin to save contact form submissions in the database, designed for the Elementor Form Module 77 * Author: Sean Barton - Tortoise IT 8 * Version: 1.5 8 * Version: 1.6 99 * Author URI: http://www.sean-barton.co.uk 1010 * … … 3333 * - Vastly improved the speed of the exports. Better for databases of more than 1000 submissions. Tested on a DB of 37k 3434 * 35 * V1.6 (2021-01-12) 36 * - Added better handling of back end admin pages based on a report of a security exploit. Suggest update to a minimum of this plugin version asap 37 * 3538 */ 3639 37 if ( ! defined( ‘WPINC’ ) ) { 40if(!defined( ‘WPINC’ )) { 3841 die; 3942} 4043 4144define( 'SB_ELEM_CFD_DB_ITEM_NAME’, ‘Elementor Contact Form DB’ ); 42 define( 'SB_ELEM_CFD_DB_VERSION’, ‘1.5’ ); 45define( 'SB_ELEM_CFD_DB_VERSION’, ‘1.6’ ); 4346 4447add_action( 'plugins_loaded’, ‘sb_elem_cfd_init’ ); … … 6366 6467 $sb_elem_cfd = get_option( ‘sb_elem_cfd’ ); 65 $min_role = ( isset( $sb_elem_cfd[‘records_min_role’] ) ? $sb_elem_cfd[‘records_min_role’] : ‘administrator’ ); 66 67 add_submenu_page( 68 'edit.php?post_type=elementor_cf_db’, 69 'Export’, 70 'Export’, 71 $min_role, 72 'sb_elem_cfd’, 73 ‘sb_elem_cfd_submenu_cb’ ); 74 75 add_submenu_page( 76 'edit.php?post_type=elementor_cf_db’, 77 'Settings’, 78 'Settings’, 79 'manage_options’, 80 'sb_elem_cfd_settings’, 81 ‘sb_elem_cfd_settings_submenu_cb’ ); 68 $min_role = (isset( $sb_elem_cfd[‘records_min_role’] ) ? 
$sb_elem_cfd[‘records_min_role’] : ‘administrator’); 69 70 add_submenu_page( 'edit.php?post_type=elementor_cf_db’, 'Export’, 'Export’, $min_role, 'sb_elem_cfd’, ‘sb_elem_cfd_submenu_cb’ ); 71 add_submenu_page( 'edit.php?post_type=elementor_cf_db’, 'Settings’, 'Settings’, 'manage_options’, 'sb_elem_cfd_settings’, ‘sb_elem_cfd_settings_submenu_cb’ ); 8272 8373 sb_elem_cfd_disable_add_new(); 84 8574} 8675 … … 9281} 9382 94 function sb_elem_cfd_box_start( $title ) { 83function sb_elem_cfd_box_start($title) { 9584 return ‘<div class="postbox"> 9685 <h2 class="hndle">’ . $title . ‘</h2> … … 10089function sb_elem_cfd_download_csv() { 10190 102 if ( isset( $_REQUEST[‘download_csv’] ) ) { 103 if ( isset( $_REQUEST[‘form_name’] ) ) { 104 if ( $rows = sb_elem_cfd_get_export_rows( $_REQUEST[‘form_name’] ) ) { 105 106 header( ‘Content-Type: application/csv’ ); 107 header( ‘Content-Disposition: attachment; filename=’ . sanitize_title( $_REQUEST[‘form_name’] ) . ‘.csv’ ); 108 header( ‘Pragma: no-cache’ ); 109 echo implode( “\n", $rows ); 110 die; 111 } 112 } 113 114 if ( isset( $_REQUEST[‘form_id’] ) ) { 115 if ( $rows = sb_elem_cfd_get_export_rows_by_form_id( $_REQUEST[‘form_id’] ) ) { 116 117 header( ‘Content-Type: application/csv’ ); 118 header( ‘Content-Disposition: attachment; filename=’ . sanitize_title( $_REQUEST[‘form_id’] ) . ‘.csv’ ); 119 header( ‘Pragma: no-cache’ ); 120 echo implode( “\n", $rows ); 121 die; 91 if(isset( $_REQUEST[‘download_csv’] )) { 92 if(!empty( $_POST[‘sb_elem_cfd_export’] )) { 93 if(wp_verify_nonce( $_POST[‘sb_elem_cfd_export’], ‘sb_elem_cfd_export’ )) { 94 echo '<input name="sb_elem_cfd_export” type="hidden” value="’ . wp_create_nonce( ‘sb_elem_cfd_export’ ) . '" />’; 95 96 if(isset( $_REQUEST[‘form_name’] )) { 97 if($rows = sb_elem_cfd_get_export_rows( $_REQUEST[‘form_name’] )) { 98 99 header( ‘Content-Type: application/csv’ ); 100 header( ‘Content-Disposition: attachment; filename=’ . sanitize_title( $_REQUEST[‘form_name’] ) . 
‘.csv’ ); 101 header( ‘Pragma: no-cache’ ); 102 echo implode( “\n", $rows ); 103 die; 104 } 105 } 106 107 if(isset( $_REQUEST[‘form_id’] )) { 108 if($rows = sb_elem_cfd_get_export_rows_by_form_id( $_REQUEST[‘form_id’] )) { 109 110 header( ‘Content-Type: application/csv’ ); 111 header( ‘Content-Disposition: attachment; filename=’ . sanitize_title( $_REQUEST[‘form_id’] ) . ‘.csv’ ); 112 header( ‘Pragma: no-cache’ ); 113 echo implode( “\n", $rows ); 114 die; 115 } 116 } 122117 } 123118 } … … 170165 echo '<p>Use this simple form to export your contact data to CSV file. This is fairly crude but we don\’t have names for forms but we do have the page it was submitted from. Elementor has the facility to give a form an ID (in the additional tab of the builder). If set then you can also export by Form ID which is perhaps more useful!</p>’; 171166 172 if ( $form_names = $wpdb->get_results( $sql ) ) { 173 foreach ( $form_names as $form_name ) { 174 $forms2[ $form_name->form_name ] = $form_name->form_name; 175 } 176 } 177 178 if ( $submitted_ids = $wpdb->get_results( $sql2 ) ) { 179 foreach ( $submitted_ids as $submitted_id ) { 180 $forms[ $submitted_id->submitted_id ] = get_the_title( $submitted_id->submitted_id ); 181 } 182 } 183 184 if ( get_posts( ‘post_type=elementor_cf_db&posts_per_page=1’ ) ) { //get one record only. we don’t need it but just to show there is a single submission 167 if($form_names = $wpdb->get_results( $sql )) { 168 foreach($form_names as $form_name) { 169 $forms2[$form_name->form_name] = $form_name->form_name; 170 } 171 } 172 173 if($submitted_ids = $wpdb->get_results( $sql2 )) { 174 foreach($submitted_ids as $submitted_id) { 175 $forms[$submitted_id->submitted_id] = get_the_title( $submitted_id->submitted_id ); 176 } 177 } 178 179 if(get_posts( ‘post_type=elementor_cf_db&posts_per_page=1’ )) { //get one record only. 
we don’t need it but just to show there is a single submission 185180 186181 set_time_limit( 0 ); … … 188183 189184 //updating old data for a faster structure 190 if ( ! get_option( ‘sb_elem_cfd_record_update_v15’ ) ) { 191 if ( $posts = get_posts( ‘post_type=elementor_cf_db&posts_per_page=4000&meta_key=sb_elem_cfd_submitted_on_id&meta_compare=NOT EXISTS’ ) ) { 185 if(!get_option( ‘sb_elem_cfd_record_update_v15’ )) { 186 if($posts = get_posts( ‘post_type=elementor_cf_db&posts_per_page=4000&meta_key=sb_elem_cfd_submitted_on_id&meta_compare=NOT EXISTS’ )) { 192187 echo 'Found ' . count( $posts ) . ' Items to convert.<br />’; 193188 194 foreach ( $posts as $post ) { 195 if ( $data = sb_elem_cfd_get_meta( $post->ID ) ) { 196 $forms[ $data[‘extra’][‘submitted_on_id’] ] = $data[‘extra’][‘submitted_on’]; 189 foreach($posts as $post) { 190 if($data = sb_elem_cfd_get_meta( $post->ID )) { 191 $forms[$data[‘extra’][‘submitted_on_id’]] = $data[‘extra’][‘submitted_on’]; 197192 update_post_meta( $post->ID, 'sb_elem_cfd_submitted_on_id’, $data[‘extra’][‘submitted_on_id’] ); 198193 } … … 213208 214209 ksort( $forms ); 215 foreach ( $forms as $form => $label ) { 216 echo ‘<option ' . ( isset( $_REQUEST[‘form_name’] ) && $_REQUEST[‘form_name’] == $form ? ‘selected="selected"’ : ‘’ ) . ' value="’ . $form . ‘">’ . $label . '</option>’; 210 foreach($forms as $form => $label) { 211 echo ‘<option ' . (isset( $_REQUEST[‘form_name’] ) && $_REQUEST[‘form_name’] == $form ? ‘selected="selected"’ : ‘’) . ' value="’ . $form . ‘">’ . $label . '</option>’; 217212 } 218213 219214 echo '</select>’; 220215 echo '<input type="submit” name="” class="button-primary" value="Export Form" />’; 216 echo ‘<input name="sb_elem_cfd_export" type="hidden" value="’ . wp_create_nonce( ‘sb_elem_cfd_export’ ) . '" />’; 221217 echo '</form>’; 222218 … … 226222 227223 ksort( $forms2 ); 228 foreach ( $forms2 as $form ) { 229 echo ‘<option ' . ( isset( $_REQUEST[‘form_id’] ) && $_REQUEST[‘form_id’] == $form ? 
‘selected="selected"’ : ‘’ ) . ' value="’ . $form . ‘">’ . $form . '</option>’; 224 foreach($forms2 as $form) { 225 echo ‘<option ' . (isset( $_REQUEST[‘form_id’] ) && $_REQUEST[‘form_id’] == $form ? ‘selected="selected"’ : ‘’) . ' value="’ . $form . ‘">’ . $form . '</option>’; 230226 } 231227 232228 echo '</select>’; 233229 echo '<input type="submit" name="" class="button-primary" value="Export Form" />’; 230 echo ‘<input name="sb_elem_cfd_export" type="hidden" value="’ . wp_create_nonce( ‘sb_elem_cfd_export’ ) . '" />’; 234231 echo '</form>’; 235232 236233 echo '<div style="clear: both;"> </div>’; 237234 238 if ( isset( $_REQUEST[‘form_name’] ) ) { 235 if(isset( $_REQUEST[‘form_name’] )) { 239236 240237 $rows = sb_elem_cfd_get_export_rows( $_REQUEST[‘form_name’], 50 ); … … 247244 echo ‘<input type="hidden" name="form_name" value="’ . $_REQUEST[‘form_name’] . '" />’; 248245 echo '<input type="submit" name="download_csv" class="button-primary" value="Download CSV File" />’; 246 echo ‘<input name="sb_elem_cfd_export" type="hidden" value="’ . wp_create_nonce( ‘sb_elem_cfd_export’ ) . '" />’; 249247 echo '</form>’; 250 } else if ( isset( $_REQUEST[‘form_id’] ) ) { 248 } elseif(isset( $_REQUEST[‘form_id’] )) { 251249 252250 $rows = sb_elem_cfd_get_export_rows_by_form_id( $_REQUEST[‘form_id’], 50 ); … … 259257 echo ‘<input type="hidden" name="form_id" value="’ . $_REQUEST[‘form_id’] . '" />’; 260258 echo '<input type="submit" name="download_csv" class="button-primary" value="Download CSV File" />’; 259 echo ‘<input name="sb_elem_cfd_export" type="hidden" value="’ . wp_create_nonce( ‘sb_elem_cfd_export’ ) . 
'" />’; 261260 echo '</form>’; 262261 } … … 283282 echo '<div id="post-body" class="metabox-holder columns-2">’; 284283 285 if ( isset( $_POST[‘sb_elem_cfd_save’] ) ) { 286 //echo 'updating’; 287 288 update_option( 'sb_elem_cfd’, array_map( 'sanitize_text_field’, @$_POST[‘sb_elem_cfd’] ) ); 289 290 echo '<div id="message" class="updated fade"><p>Settings saved successfully</p></div>’; 284 if(isset( $_POST[‘sb_elem_cfd_save’] )) { 285 if(!empty( $_POST[‘sb_elem_cfd_save_settings’] )) { 286 if(wp_verify_nonce( $_POST[‘sb_elem_cfd_save_settings’], ‘sb_elem_cfd_save_settings’ )) { 287 update_option( 'sb_elem_cfd’, array_map( 'sanitize_text_field’, @$_POST[‘sb_elem_cfd’] ) ); 288 echo '<div id="message" class="updated fade"><p>Settings saved successfully</p></div>’; 289 } 290 } 291291 } 292292 … … 304304 <td>Disable Admin Nag?</td> 305305 <td> 306 <input type="checkbox" name="sb_elem_cfd[disable_admin_nag]" ' . checked( 1, ( isset( $sb_elem_cfd[‘disable_admin_nag’] ) ? 1 : 0 ), false ) . ' value="1" /> 306 <input type="checkbox" name="sb_elem_cfd[disable_admin_nag]" ' . checked( 1, (isset( $sb_elem_cfd[‘disable_admin_nag’] ) ? 1 : 0), false ) . ' value="1" /> 307307 </td> 308308 <td> … … 326326 327327 echo '<p>’; 328 echo ‘<input name="sb_elem_cfd_save_settings" type="hidden" value="’ . wp_create_nonce( ‘sb_elem_cfd_save_settings’ ) . '" />’; 328329 echo '<input type="submit" name="sb_elem_cfd_save" class="button-primary" value="Save Settings" />’; 329330 echo '</p>’; … … 339340} 340341 341 function sb_elem_cfd_get_export_rows( $submitted_id, $limit = - 1 ) { 342function sb_elem_cfd_get_export_rows($submitted_id, $limit = - 1) { 342343 $rows = array(); 343344 $args = ‘post_type=elementor_cf_db&meta_key=sb_elem_cfd_submitted_on_id&posts_per_page=’ . $limit . ‘&meta_value=’ . 
$submitted_id; 344345 345 if ( $posts = get_posts( $args ) ) { 346 if($posts = get_posts( $args )) { 346347 347348 $first_post = current( $posts ); … … 350351 $row .= '"Date","Submitted On","Form ID","Submitted By",’; 351352 352 if ( $data = sb_elem_cfd_get_meta( $first_post->ID ) ) { 353 foreach ( $data[‘data’] as $field ) { 353 if($data = sb_elem_cfd_get_meta( $first_post->ID )) { 354 foreach($data[‘data’] as $field) { 354355 $row .= ‘"’ . $field[‘label’] . '",’; 355356 } … … 358359 $rows[] = rtrim( $row, ‘,’ ); 359360 360 foreach ( $posts as $post ) { 361 if ( $data = sb_elem_cfd_get_meta( $post->ID ) ) { 361 foreach($posts as $post) { 362 if($data = sb_elem_cfd_get_meta( $post->ID )) { 362363 $row = '’; 363364 … … 365366 $row .= ‘"’ . $post->post_date . ‘","’ . $data[‘extra’][‘submitted_on’] . ‘","’ . $form_id . ‘","’ . $data[‘extra’][‘submitted_by’] . '",’; 366367 367 foreach ( $data[‘data’] as $field ) { 368 foreach($data[‘data’] as $field) { 368369 $row .= ‘"’ . addslashes( $field[‘value’] ) . '",’; 369370 } … … 377378} 378379 379 function sb_elem_cfd_get_meta( $sub_id ) { 380function sb_elem_cfd_get_meta($sub_id) { 380381 global $wpdb; 381382 … … 388389 AND post_id = ' . $sub_id; 389390 390 if ( $meta = $wpdb->get_var( $sql ) ) { 391 if($meta = $wpdb->get_var( $sql )) { 391392 $return = unserialize( $meta ); 392393 } … … 395396} 396397 397 function sb_elem_cfd_get_export_rows_by_form_id( $form_id, $limit = - 1 ) { 398 398function sb_elem_cfd_get_export_rows_by_form_id($form_id, $limit = - 1) { 399399 400400 $rows = array(); 401401 402 if ( $posts = get_posts( ‘post_type=elementor_cf_db&posts_per_page=’ . $limit . ‘&meta_key=sb_elem_cfd_form_id&meta_value=’ . $form_id ) ) { 402 if($posts = get_posts( ‘post_type=elementor_cf_db&posts_per_page=’ . $limit . ‘&meta_key=sb_elem_cfd_form_id&meta_value=’ . 
$form_id )) { 403403 $row = '’; 404404 $row .= '"Date","Submitted On","Form ID","Submitted By",’; … … 408408 $data = sb_elem_cfd_get_meta( $first_post->ID ); 409409 410 foreach ( $data[‘data’] as $field ) { 410 foreach($data[‘data’] as $field) { 411411 $row .= ‘"’ . $field[‘label’] . '",’; 412412 } … … 415415 416416 //fields 417 foreach ( $posts as $post ) { 417 foreach($posts as $post) { 418418 $data = sb_elem_cfd_get_meta( $post->ID ); 419419 … … 421421 $row .= ‘"’ . $post->post_date . ‘","’ . $data[‘extra’][‘submitted_on’] . ‘","’ . $form_id . ‘","’ . $data[‘extra’][‘submitted_by’] . '",’; 422422 423 foreach ( $data[‘data’] as $field ) { 423 foreach($data[‘data’] as $field) { 424424 $row .= ‘"’ . addslashes( $field[‘value’] ) . '",’; 425425 } … … 435435 global $current_screen; 436436 437 if ( $current_screen->id == ‘elementor_cf_db’ ) { 437 if($current_screen->id == ‘elementor_cf_db’) { 438438 wp_enqueue_script( 'sb_elem_cfd_js’, plugins_url( '/script.js’, __FILE__ ) ); 439439 } 440440} 441441 442 function sb_elem_cfd_columns_head( $defaults ) { 442function sb_elem_cfd_columns_head($defaults) { 443443 unset( $defaults[‘date’] ); 444444 //unset($defaults[‘cb’]); … … 457457 458458// SHOW THE FEATURED IMAGE 459 function sb_elem_cfd_columns_content( $column_name, $post_id ) { 459function sb_elem_cfd_columns_content($column_name, $post_id) { 460460 $contact = get_post( $post_id ); 461461 $data = get_post_meta( $post_id, 'sb_elem_cfd’, true ); 462462 463 if ( $column_name == ‘cf_elementor_title’ ) { 463 if($column_name == ‘cf_elementor_title’) { 464464 echo ‘<a href="’ . admin_url( ‘post.php?action=edit&post=’ . $post_id ) . '">View Submission</a>’; 465 } else if ( $column_name == ‘read’ ) { 466 if ( $read = get_post_meta( $post_id, 'sb_elem_cfd_read’, true ) ) { 465 } elseif($column_name == ‘read’) { 466 if($read = get_post_meta( $post_id, 'sb_elem_cfd_read’, true )) { 467467 echo ‘<span style="color: green;">’ . $read[‘by_name’] . ‘<br />’ . 
date( 'Y-m-d H:i’, $read[‘on’] ) . '</span>’; 468468 } else { 469469 echo '<span class="dashicons dashicons-email-alt"></span>’; 470470 } 471 } else if ( $column_name == ‘sub_on’ ) { 472 if ( $data[‘extra’][‘submitted_on’] ) { 471 } elseif($column_name == ‘sub_on’) { 472 if($data[‘extra’][‘submitted_on’]) { 473473 echo ‘<a href="’ . get_permalink( $data[‘extra’][‘submitted_on_id’] ) . ‘">’ . $data[‘extra’][‘submitted_on’] . '</a>’; 474474 } 475 } else if ( $column_name == ‘sub_date’ ) { 475 } elseif($column_name == ‘sub_date’) { 476476 echo $contact->post_date; 477 } else if ( $column_name == ‘cloned’ ) { 478 if ( $cloned = get_post_meta( $post_id, 'sb_elem_cfd_cloned’, true ) ) { 477 } elseif($column_name == ‘cloned’) { 478 if($cloned = get_post_meta( $post_id, 'sb_elem_cfd_cloned’, true )) { 479479 $cloned_count = count( $cloned ); 480480 … … 483483 echo '<span class="dashicons dashicons-no-alt"></span>’; 484484 } 485 } else if ( $column_name == ‘email’ ) { 486 if ( $email = get_post_meta( $post_id, 'sb_elem_cfd_email’, true ) ) { 485 } elseif($column_name == ‘email’) { 486 if($email = get_post_meta( $post_id, 'sb_elem_cfd_email’, true )) { 487487 $email = ‘<a href="mailto:’ . $email . ‘" target="_blank">’ . $email . '</a>’; 488488 } else { … … 490490 } 491491 echo $email; 492 } else if ( $column_name == ‘form_id’ ) { 493 if ( ! 
$form_id = get_post_meta( $post_id, 'sb_elem_cfd_form_id’, true ) ) { 492 } elseif($column_name == ‘form_id’) { 493 if(!$form_id = get_post_meta( $post_id, 'sb_elem_cfd_form_id’, true )) { 494494 $form_id = '-'; 495495 } … … 503503 504504 // Hide link on listing page 505 if ( ( isset( $_GET[‘post_type’] ) && $_GET[‘post_type’] == ‘elementor_cf_db’ ) || ( isset( $_GET[‘post’] ) && get_post_type( $_GET[‘post’] ) == ‘elementor_cf_db’ ) ) { 505 if((isset( $_GET[‘post_type’] ) && $_GET[‘post_type’] == ‘elementor_cf_db’) || (isset( $_GET[‘post’] ) && get_post_type( $_GET[‘post’] ) == ‘elementor_cf_db’)) { 506506 echo '<style type="text/css"> 507507 .page-title-action, #favorite-actions, .add-new-h2 { display:none; } … … 509509 } 510510 511 if ( isset( $_GET[‘sb-action’] ) ) { 511 if(isset( $_GET[‘sb-action’] )) { 512512 $action = $_GET[‘sb-action’]; 513513 514 if ( $action == ‘mark-all-read’ ) { 514 if($action == ‘mark-all-read’) { 515515 $args = array( 516516 ‘posts_per_page’ => - 1, … … 521521 ); 522522 523 if ( $other_contacts = get_posts( $args ) ) { 524 foreach ( $other_contacts as $other_contact ) { 523 if($other_contacts = get_posts( $args )) { 524 foreach($other_contacts as $other_contact) { 525525 $read = array( 526526 ‘by_name’ => $current_user->display_name, … … 536536 537537function sb_elem_cfd_admin_notice() { 538 if ( ! current_user_can( ‘administrator’ ) ) { 538 if(!current_user_can( ‘administrator’ )) { 539539 return; 540540 } … … 542542 $sb_elem_cfd = get_option( ‘sb_elem_cfd’ ); 543543 544 if ( isset( $sb_elem_cfd[‘disable_admin_nag’] ) && $sb_elem_cfd[‘disable_admin_nag’] ) { 544 if(isset( $sb_elem_cfd[‘disable_admin_nag’] ) && $sb_elem_cfd[‘disable_admin_nag’]) { 545545 return; 546546 } … … 554554 ); 555555 556 if ( $other_contacts = get_posts( $args ) ) { 556 if($other_contacts = get_posts( $args )) { 557557 //Use notice-warning for a yellow/orange, and notice-info for a blue left border. 
558558 $class = 'notice notice-error is-dismissible’; … … 578578 $submission = get_post( get_the_ID() ); 579579 580 if ( ! $read = get_post_meta( get_the_ID(), 'sb_elem_cfd_read’, true ) ) { 581 $read = array( ‘by_name’ => $current_user->display_name, ‘by’ => $current_user->ID, ‘on’ => time() ); 580 if(!$read = get_post_meta( get_the_ID(), 'sb_elem_cfd_read’, true )) { 581 $read = array(‘by_name’ => $current_user->display_name, ‘by’ => $current_user->ID, ‘on’ => time()); 582582 update_post_meta( get_the_ID(), 'sb_elem_cfd_read’, $read ); 583583 } … … 587587 printf( '<div class="%1$s"><p>%2$s</p></div>’, $class, $message ); 588588 589 if ( $data = get_post_meta( get_the_ID(), 'sb_elem_cfd’, true ) ) { 590 591 if ( $fields = $data[‘data’] ) { 589 if($data = get_post_meta( get_the_ID(), 'sb_elem_cfd’, true )) { 590 591 if($fields = $data[‘data’]) { 592592 echo '<table class="widefat"> 593593 <thead> … … 599599 <tbody>’; 600600 601 foreach ( $fields as $field ) { 601 foreach($fields as $field) { 602602 $value = $field[‘value’]; 603603 604 if ( is_email( $value ) ) { 604 if(is_email( $value )) { 605605 $value = ‘<a href="mailto:’ . $value . ‘" target="_blank">’ . $value . '</a>’; 606606 } … … 627627 $other_submissions = '’; 628628 629 if ( $data = get_post_meta( get_the_ID(), 'sb_elem_cfd’, true ) ) { 630 if ( $extra = $data[‘extra’] ) { 629 if($data = get_post_meta( get_the_ID(), 'sb_elem_cfd’, true )) { 630 if($extra = $data[‘extra’]) { 631631 echo '<table class="widefat"> 632632 <thead> … … 638638 <tbody>’; 639639 640 foreach ( $extra as $key => $value ) { 641 642 switch ( $key ) { 640 foreach($extra as $key => $value) { 641 642 switch($key) { 643643 case 'submitted_on_id’: 644644 case 'submitted_by_id’: 645 continue( 2 ); //we don’t really care about these ones 645 continue(2); //we don’t really care about these ones 646646 break; 647647 case ‘submitted_on’: 648 if ( $extra[‘submitted_on_id’] ) { 648 if($extra[‘submitted_on_id’]) { 649649 $value = $value . 
' (<a href="’ . get_permalink( $extra[‘submitted_on_id’] ) . ‘" target="_blank">View Page</a> | <a href="’ . admin_url( ‘post.php?action=edit&post=’ . $extra[‘submitted_on_id’] ) . '" target="_blank">Edit Page</a>)'; 650650 } else { … … 653653 break; 654654 case ‘submitted_by’: 655 if ( $extra[‘submitted_by_id’] ) { 655 if($extra[‘submitted_by_id’]) { 656656 $value = $value . ' (<a href="’ . admin_url( ‘user-edit.php?user_id=’ . $extra[‘submitted_by_id’] ) . ‘" target="_blank">View User Profiile</a>’; 657657 … … 664664 ); 665665 666 if ( $other_contacts = get_posts( $args ) ) { 666 if($other_contacts = get_posts( $args )) { 667667 $value .= ' | <a style="cursor: pointer;" onclick="jQuery(\’.other_submissions\’).slideToggle();">View ' . count( $other_contacts ) . ' more submissions by this user</a>’; 668668 $other_submissions .= '<div style="display: none;" class="other_submissions"> … … 670670 $other_submissions .= '<table class="widefat">’; 671671 672 foreach ( $other_contacts as $other_contact ) { 672 foreach($other_contacts as $other_contact) { 673673 $other_submissions .= ‘<tr><td><a href="’ . admin_url( ‘post.php?action=edit&post=’ . $other_contact->ID ) . ‘">’ . $other_contact->post_title . 
'</a></td></tr>’; 674674 } … … 707707 $data = get_post_meta( get_the_ID(), 'sb_elem_cfd’, true ); 708708 709 if ( isset( $_POST[‘sb_elem_cfd_map_to’] ) ) { 709 if(isset( $_POST[‘sb_elem_cfd_map_to’] )) { 710710 $map_to = $_POST[‘sb_elem_cfd_map_to’]; 711711 $map_to_other = $_POST[‘sb_elem_cfd_map_to_other’]; 712712 713 if ( $fields = $data[‘data’] ) { 713 if($fields = $data[‘data’]) { 714714 $mapped_fields = array(); 715715 $custom_fields = array(); 716716 717 foreach ( $fields as $field ) { 718 $mapped_fields[ $field[‘label’] ] = $field[‘value’]; 717 foreach($fields as $field) { 718 $mapped_fields[$field[‘label’]] = $field[‘value’]; 719719 } 720720 … … 726726 ); 727727 728 if ( isset( $_POST[‘sb_elem_cfd_date’] ) ) { 728 if(isset( $_POST[‘sb_elem_cfd_date’] )) { 729729 $db_ins[‘post_date’] = $_POST[‘sb_elem_cfd_date’]; 730730 } … … 732732 $found = 0; 733733 734 foreach ( $map_to as $key => $field ) { 735 if ( $field ) { 734 foreach($map_to as $key => $field) { 735 if($field) { 736736 $found ++; 737737 738 if ( $field == ‘custom_field’ ) { 739 if ( $map_to_other[ $key ] ) { 740 $custom_fields[ $map_to_other[ $key ] ] = $mapped_fields[ $key ]; 738 if($field == ‘custom_field’) { 739 if($map_to_other[$key]) { 740 $custom_fields[$map_to_other[$key]] = $mapped_fields[$key]; 741741 } 742742 } else { 743 $db_ins[ $field ] = $mapped_fields[ $key ]; 743 $db_ins[$field] = $mapped_fields[$key]; 744744 } 745745 } 746746 } 747747 748 if ( $found ) { 748 if($found) { 749749 // Insert the post into the database 750 if ( $post_id = wp_insert_post( $db_ins ) ) { 751 if ( ! is_wp_error( $post_id ) ) { 752 foreach ( $custom_fields as $key => $value ) { 750 if($post_id = wp_insert_post( $db_ins )) { 751 if(!is_wp_error( $post_id )) { 752 foreach($custom_fields as $key => $value) { 753753 update_post_meta( $post_id, $key, $value ); 754754 } … … 758758 </div>’; 759759 760 if ( ! 
$cloned = get_post_meta( $_GET[‘post’], 'sb_elem_cfd_cloned’, true ) ) { 760 if(!$cloned = get_post_meta( $_GET[‘post’], 'sb_elem_cfd_cloned’, true )) { 761761 $cloned = array(); 762762 } 763763 764 $cloned[ $post_id ] = time(); 764 $cloned[$post_id] = time(); 765765 766766 update_post_meta( $_GET[‘post’], 'sb_elem_cfd_cloned’, $cloned ); … … 789789 $map_to_options = array(); 790790 $maps = array( 791 ‘post_title’ => ‘Title’ 792 , 793 ‘post_content’ => ‘Content’ 794 , 791 ‘post_title’ => 'Title’, 792 ‘post_content’ => 'Content’, 795793 ‘custom_field’ => ‘Custom Field’ 796794 ); 797795 798 foreach ( $maps as $key => $value ) { 796 foreach($maps as $key => $value) { 799797 $map_to_options[] = ‘<option value="’ . $key . ‘">’ . $value . '</option>’; 800798 } … … 803801 $type_options = array(); 804802 805 foreach ( $types as $type2 ) { 803 foreach($types as $type2) { 806804 $type_obj2 = get_post_type_object( $type2 ); 807805 808 if ( ! $type_obj2->public ) { 806 if(!$type_obj2->public) { 809807 continue; 810808 } … … 815813 echo '<p>’; 816814 817 if ( $email = get_post_meta( get_the_ID(), 'sb_elem_cfd_email’, true ) ) { 815 if($email = get_post_meta( get_the_ID(), 'sb_elem_cfd_email’, true )) { 818816 echo ‘<a style="margin-right: 10px;" class="button-primary" target="_blank" href="mailto:’ . $email . '">Reply via Email</a>’; 819817 } … … 834832 echo '<table class="widefat">’; 835833 836 foreach ( $data[‘fields_original’][‘form_fields’] as $field ) { 834 foreach($data[‘fields_original’][‘form_fields’] as $field) { 837835 echo ‘<tr> 838836 <td>’ . $field[‘field_label’] . 
'</td> … … 855853 echo '</div>’; 856854 857 if ( $cloned = get_post_meta( $_GET[‘post’], 'sb_elem_cfd_cloned’, true ) ) { 855 if($cloned = get_post_meta( $_GET[‘post’], 'sb_elem_cfd_cloned’, true )) { 858856 echo '<h3>Clone History</h3>’; 859857 … … 868866 </thead>’; 869867 870 foreach ( $cloned as $cloned_id => $date ) { 871 if ( $cloned_post = get_post( $cloned_id ) ) { 868 foreach($cloned as $cloned_id => $date) { 869 if($cloned_post = get_post( $cloned_id )) { 872870 $type_obj = get_post_type_object( $cloned_post->post_type ); 873871 $type_name = $type_obj->labels->name; … … 889887function sb_elem_cfd_meta_box_callback_debug() { 890888 891 if ( $data = get_post_meta( get_the_ID(), 'sb_elem_cfd’, true ) ) { 889 if($data = get_post_meta( get_the_ID(), 'sb_elem_cfd’, true )) { 892890 echo '<div style="display: none; overflow: scroll;" class="sb_elem_cfd_debug">’; 893891 … … 935933 ‘menu_position’ => null, 936934 ‘menu_icon’ => 'dashicons-admin-comments’, 937 ‘supports’ => array( ‘title’ ) 935 ‘supports’ => array(‘title’) 938936 ); 939937 … … 941939} 942940 943 function sb_elem_cfd_new_record( $record, $form_class ) { 944 945 if ( $fields = $record->get_formatted_data() ) { 941function sb_elem_cfd_new_record($record, $form_class) { 942 943 if($fields = $record->get_formatted_data()) { 946944 $data = array(); 947945 $email = false; 948946 949 foreach ( $fields as $label => $value ) { 950 951 if ( stripos( $label, ‘email’ ) !== false ) { 947 foreach($fields as $label => $value) { 948 949 if(stripos( $label, ‘email’ ) !== false) { 952950 $email = $value; 953951 } 954952 955 $data[] = array( ‘label’ => $label, ‘value’ => sanitize_text_field( $value ) ); 953 $data[] = array(‘label’ => $label, ‘value’ => sanitize_text_field( $value )); 956954 } 957955 … … 960958 $current_user = get_current_user_id(); 961959 962 if ( $this_user_id = ( $current_user ? $current_user : 0 ) ) { 963 if ( $this_user = get_userdata( $this_user_id ) ) { 960 if($this_user_id = ($current_user ? 
$current_user : 0)) { 961 if($this_user = get_userdata( $this_user_id )) { 964962 $this_user = $this_user->display_name; 965963 } … … 980978 981979 // Insert the post into the database 982 if ( $post_id = wp_insert_post( $db_ins ) ) { 980 if($post_id = wp_insert_post( $db_ins )) { 983981 update_post_meta( $post_id, 'sb_elem_cfd’, array( 984982 ‘data’ => $data, 985983 ‘extra’ => $extra, 986 ‘fields_original’ => array( ‘form_fields’ => $record->get_form_settings( ‘form_fields’ ) ), 984 ‘fields_original’ => array(‘form_fields’ => $record->get_form_settings( ‘form_fields’ )), 987985 ‘record_original’ => $record, 988986 ‘post’ => array_map( 'sanitize_text_field’, $_POST ), … … 990988 ) ); 991989 992 if ( $this_user_id ) { 990 if($this_user_id) { 993991 update_post_meta( $post_id, 'sb_elem_cfd_submitted_by’, $this_user_id ); 994992 }
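Review bot: In the new sb_elem_cfd_download_csv() branch (new lines 93-94) the hidden nonce `<input>` is echoed before the `header('Content-Type: application/csv')` calls that follow, so depending on output buffering the download either trips a "headers already sent" warning or begins with a stray HTML tag; that markup already goes into the export forms (new lines 216, 230, 246, 259) and the handler line should simply be deleted: `echo '<input name="sb_elem_cfd_export" type="hidden" value="' . wp_create_nonce( 'sb_elem_cfd_export' ) . '" />';`. The nonce check also stands alone in that handler — there is no `current_user_can()` / `check_admin_referer()` guard — and since the hook that invokes sb_elem_cfd_download_csv() is outside this section, whether a capability check exists elsewhere cannot be confirmed from here. Two other state-changing paths visible in the file are left without a nonce by this commit: the `$_GET['sb-action'] == 'mark-all-read'` branch (new ~511-536) updates post meta from a plain GET, and the `$_POST['sb_elem_cfd_map_to']` clone handler (new ~709-766) calls wp_insert_post() with request-controlled fields (including `post_date` from `$_POST['sb_elem_cfd_date']`) apparently on meta-box render, so both warrant a `check_admin_referer()` of their own. Finally `$_REQUEST['form_name']` / `$_REQUEST['form_id']` are echoed unescaped into `value="…"` attributes (new ~244, ~257) and concatenated raw into the get_posts() argument string (new 343-344, 402), so `esc_attr()` on output and `sanitize_text_field()` before the query are warranted there as well.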
