CVE-2022-2117: Changeset 2743833 for give/tags/2.21.0/includes/api/class-give-api-v2.php – WordPress Plugin Repository
The GiveWP plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 2.20.2 via the /donor-wall REST-API endpoint which provides unauthenticated users with donor information even when the donor wall is not enabled. This functionality has been completely removed in version 2.20.2.
Timestamp: 06/17/2022 12:03:35 AM (5 weeks ago)
Author: jason_the_adams
Message: Update to version 2.21.0 from GitHub
Location:
give/tags/2.21.0
Files:
- . (copied from give/trunk)
- includes/api/class-give-api-v2.php (2 diffs)
give/tags/2.21.0/includes/api/class-give-api-v2.php
r2373345
r2743833
115
115
\]
116
116
);
117
118
register\_rest\_route(
119
$this->rest\_base,
120
'/donor-wall',
121
\[
122
'methods' => 'GET',
123
'callback' => \[ $this, 'get\_donor\_wall' \],
124
'permission\_callback' => '\_\_return\_true',
125
\]
126
);
127
117
}
128
118
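Review bot: the route removed at old lines 118-126 was registered with 'permission_callback' => '__return_true' on a GET method, so it was reachable without authentication, yet the commit message ("Update to version 2.21.0 from GitHub") does not record that an API endpoint is being dropped. Suggest a changelog entry naming '/donor-wall' so integrators see the removal, and a regression test asserting that the route is no longer registered under $this->rest_base, so it cannot come back in a later merge from trunk.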
…
…
180
170
181
171
/\*\*
182
\* Rest fetch form data callback
183
\*
184
\* @param WP\_REST\_Request $request
185
\*
186
\* @access public
187
\* @return array|mixed|object
188
\*/
189
public function get\_donor\_wall( $request ) {
190
$parameters = $request->get\_params();
191
192
return Give\_Donor\_Wall::get\_instance()->render\_shortcode( $parameters );
193
}
194
195
/\*\*
196
172
\* Get api reset url
197
173
\*
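Review bot: the removed get_donor_wall() callback (old lines 181-193) passed $request->get_params() straight into Give_Donor_Wall::get_instance()->render_shortcode( $parameters ), with no allow-list of attributes and no check that the donor wall is enabled, and this hunk deletes only the REST wrapper, not render_shortcode() itself. Please confirm that no other request-driven caller reaches render_shortcode() with caller-supplied attributes; if one remains, it should validate the parameters and gate on the feature setting before rendering.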