Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-3277: flutter-user.php in mstore-api/trunk/controllers – WordPress Plugin Repository

The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user’s email address. We are disclosing this issue as the developer has not yet released a patch, but continues to release updates and we escalated this issue to the plugin’s team 30 days ago.

CVE
#sql#csrf#apple#google#js#git#wordpress#php#oauth#auth#sap#ssl

1<?php2require_once(__DIR__ . ‘/flutter-base.php’);3require_once(__DIR__ . ‘/helpers/apple-sign-in-helper.php’);45class FlutterUserController extends FlutterBaseController6{78 public function __construct()9 {10 $this->namespace = 'api/flutter_user’;11 }1213 public function register_routes()14 {15 register_rest_route($this->namespace, '/reset-password’, array(16 array(17 ‘methods’ => 'POST’,18 ‘callback’ => array($this, ‘reset_password’),19 ‘permission_callback’ => function () {20 return parent::checkApiPermission();21 }22 ),23 ));2425 register_rest_route($this->namespace, '/notification’, array(26 array(27 ‘methods’ => 'POST’,28 ‘callback’ => array($this, ‘chat_notification’),29 ‘permission_callback’ => function () {30 return parent::checkApiPermission();31 }32 ),33 ));3435 register_rest_route($this->namespace, '/sign_up’, array(36 array(37 ‘methods’ => 'POST’,38 ‘callback’ => array($this, ‘register’),39 ‘permission_callback’ => function () {40 return parent::checkApiPermission();41 }42 ),43 ));44 register_rest_route($this->namespace, '/sign_up_2’, array(45 array(46 ‘methods’ => 'POST’,47 ‘callback’ => array($this, ‘register’),48 ‘permission_callback’ => function () {49 return parent::checkApiPermission();50 }51 ),52 ));5354 register_rest_route($this->namespace, '/register’, array(55 array(56 ‘methods’ => 'POST’,57 ‘callback’ => array($this, ‘register’),58 ‘permission_callback’ => function () {59 return parent::checkApiPermission();60 }61 ),62 ));6364 register_rest_route($this->namespace, '/generate_auth_cookie’, array(65 array(66 ‘methods’ => 'POST’,67 ‘callback’ => array($this, ‘generate_auth_cookie’),68 ‘permission_callback’ => function () {69 return parent::checkApiPermission();70 }71 ),72 ));7374 register_rest_route($this->namespace, '/fb_connect’, array(75 array(76 ‘methods’ => 'GET’,77 ‘callback’ => array($this, ‘fb_connect’),78 ‘permission_callback’ => function () {79 return parent::checkApiPermission();80 }81 ),82 ));8384 register_rest_route($this->namespace, '/sms_login’, array(85 array(86 ‘methods’ => 'GET’,87 ‘callback’ => array($this, ‘sms_login’),88 ‘permission_callback’ => function () {89 return parent::checkApiPermission();90 }91 ),92 ));9394 register_rest_route($this->namespace, '/firebase_sms_login’, array(95 array(96 ‘methods’ => 'GET’,97 ‘callback’ => array($this, ‘firebase_sms_login’),98 ‘permission_callback’ => function () {99 return parent::checkApiPermission();100 }101 ),102 ));103104 register_rest_route($this->namespace, '/firebase_sms_login_v2’, array(105 array(106 ‘methods’ => 'GET’,107 ‘callback’ => array($this, ‘firebase_sms_login_v2’),108 ‘permission_callback’ => function () {109 return parent::checkApiPermission();110 }111 ),112 ));113114 register_rest_route($this->namespace, '/apple_login’, array(115 array(116 ‘methods’ => 'POST’,117 ‘callback’ => array($this, ‘apple_login’),118 ‘permission_callback’ => function () {119 return parent::checkApiPermission();120 }121 ),122 ));123124 register_rest_route($this->namespace, '/apple_login_2’, array(125 array(126 ‘methods’ => 'POST’,127 ‘callback’ => array($this, ‘apple_login_2’),128 ‘permission_callback’ => function () {129 return parent::checkApiPermission();130 }131 ),132 ));133134 register_rest_route($this->namespace, '/google_login’, array(135 array(136 ‘methods’ => 'GET’,137 ‘callback’ => array($this, ‘google_login’),138 ‘permission_callback’ => function () {139 return parent::checkApiPermission();140 }141 ),142 ));143144 register_rest_route($this->namespace, '/post_comment’, array(145 array(146 ‘methods’ => 'GET’,147 ‘callback’ => array($this, ‘post_comment’),148 ‘permission_callback’ => function () {149 return parent::checkApiPermission();150 }151 ),152 ));153154 register_rest_route($this->namespace, '/get_currentuserinfo’, array(155 array(156 ‘methods’ => 'GET’,157 ‘callback’ => array($this, ‘get_currentuserinfo’),158 ‘permission_callback’ => function () {159 return parent::checkApiPermission();160 }161 ),162 ));163164 register_rest_route($this->namespace, '/get_points’, array(165 array(166 ‘methods’ => 'GET’,167 ‘callback’ => array($this, ‘get_points’),168 ‘permission_callback’ => function () {169 return parent::checkApiPermission();170 }171 ),172 ));173174 register_rest_route($this->namespace, '/update_user_profile’, array(175 array(176 ‘methods’ => 'POST’,177 ‘callback’ => array($this, ‘update_user_profile’),178 ‘permission_callback’ => function () {179 return parent::checkApiPermission();180 }181 ),182 ));183184 register_rest_route($this->namespace, '/checkout’, array(185 array(186 ‘methods’ => 'POST’,187 ‘callback’ => array($this, ‘prepare_checkout’),188 ‘permission_callback’ => function () {189 return parent::checkApiPermission();190 }191 ),192 ));193194 register_rest_route($this->namespace, '/get_currency_rates’, array(195 array(196 ‘methods’ => 'GET’,197 ‘callback’ => array($this, ‘get_currency_rates’),198 ‘permission_callback’ => function () {199 return parent::checkApiPermission();200 }201 ),202 ));203204 register_rest_route($this->namespace, '/get_countries’, array(205 array(206 ‘methods’ => 'GET’,207 ‘callback’ => array($this, ‘get_countries’),208 ‘permission_callback’ => function () {209 return parent::checkApiPermission();210 }211 ),212 ));213214 register_rest_route($this->namespace, '/get_states’, array(215 array(216 ‘methods’ => 'GET’,217 ‘callback’ => array($this, ‘get_states’),218 ‘permission_callback’ => function () {219 return parent::checkApiPermission();220 }221 ),222 ));223224 register_rest_route($this->namespace, '/check-user’, array(225 array(226 ‘methods’ => 'GET’,227 ‘callback’ => array($this, ‘check_user’),228 ‘permission_callback’ => function () {229 return parent::checkApiPermission();230 }231 ),232 ));233234 register_rest_route($this->namespace, '/digits/register/check’, array(235 array(236 ‘methods’ => 'POST’,237 ‘callback’ => array($this, ‘digits_register_check’),238 ‘permission_callback’ => function () {239 return parent::checkApiPermission();240 }241 ),242 ));243244 register_rest_route($this->namespace, '/digits/register’, array(245 array(246 ‘methods’ => 'POST’,247 ‘callback’ => array($this, ‘digits_register’),248 ‘permission_callback’ => function () {249 return parent::checkApiPermission();250 }251 ),252 ));253254 register_rest_route($this->namespace, '/digits/login/check’, array(255 array(256 ‘methods’ => 'POST’,257 ‘callback’ => array($this, ‘digits_login_check’),258 ‘permission_callback’ => function () {259 return parent::checkApiPermission();260 }261 ),262 ));263 264 register_rest_route($this->namespace, '/digits/login’, array(265 array(266 ‘methods’ => 'POST’,267 ‘callback’ => array($this, ‘digits_login’),268 ‘permission_callback’ => function () {269 return parent::checkApiPermission();270 }271 ),272 ));273274 register_rest_route($this->namespace, '/digits/send_otp’, array(275 array(276 ‘methods’ => 'POST’,277 ‘callback’ => array($this, ‘digits_send_otp’),278 ‘permission_callback’ => function () {279 return parent::checkApiPermission();280 }281 ),282 ));283284 register_rest_route($this->namespace, '/digits/resend_otp’, array(285 array(286 ‘methods’ => 'POST’,287 ‘callback’ => array($this, ‘digits_resend_otp’),288 ‘permission_callback’ => function () {289 return parent::checkApiPermission();290 }291 ),292 ));293294 register_rest_route($this->namespace, '/delete_account’, array(295 array(296 ‘methods’ => WP_REST_Server::DELETABLE,297 ‘callback’ => array($this, ‘delete_account’),298 ‘permission_callback’ => array($this, ‘custom_delete_item_permissions_check’),299 ),300 ));301 }302303304 public function check_user($request)305 {306 $phone = $request[‘phone’];307 $username = $request[‘username’];308 if (isset($phone)) {309 $args = array(‘meta_key’ => 'registered_phone_number’, ‘meta_value’ => $phone);310 $search_users = get_users($args);311 if (empty($search_users)) {312 return false;313 }314 }315 if (isset($username)) {316 if (strpos($username, ‘@’)) {317 $user_data = get_user_by('email’, trim(wp_unslash($username)));318 } else {319 $login = trim($username);320 $user_data = get_user_by('login’, $login);321 }322 if (empty($user_data)) {323 return false;324 }325 }326327 return true;328 }329330331 public function reset_password()332 {333 $json = file_get_contents(‘php://input’);334 $params = json_decode($json, TRUE);335 $usernameReq = $params[“user_login”];336337 $errors = new WP_Error();338 if (empty($usernameReq) || !is_string($usernameReq)) {339 return parent::sendError("empty_username", "Enter a username or email address.", 400);340 } elseif (strpos($usernameReq, ‘@’)) {341 $user_data = get_user_by('email’, trim(wp_unslash($usernameReq)));342 if (empty($user_data)) {343 return parent::sendError("invalid_email", "There is no account with that username or email address.", 404);344 }345 } else {346 $login = trim($usernameReq);347 $user_data = get_user_by(‘login’, $login);348 }349 if (!$user_data) {350 return parent::sendError("invalid_email", "There is no account with that username or email address.", 404);351 }352353 $user_login = $user_data->user_login;354 $user_email = $user_data->user_email;355 $key = get_password_reset_key($user_data);356357 if (is_wp_error($key)) {358 return $key;359 }360361 if (is_multisite()) {362 $site_name = get_network()->site_name;363 } else {364 $site_name = wp_specialchars_decode(get_option(‘blogname’), ENT_QUOTES);365 }366367 $message = __(‘Someone has requested a password reset for the following account:’) . "\r\n\r\n";368 $message .= sprintf(__(‘Site Name: %s’), $site_name) . "\r\n\r\n";369 $message .= sprintf(__(‘Username: %s’), $user_login) . "\r\n\r\n";370 $message .= __(‘If this was a mistake, just ignore this email and nothing will happen.’) . "\r\n\r\n";371 $message .= __(‘To reset your password, visit the following address:’) . "\r\n\r\n";372 $message .= network_site_url(“wp-login.php?action=rp&key=$key&login=” . rawurlencode($user_login), ‘login’) . "\r\n";373 $title = sprintf(__('[%s] Password Reset’), $site_name);374 $title = apply_filters('retrieve_password_title’, $title, $user_login, $user_data);375 $message = apply_filters('retrieve_password_message’, $message, $key, $user_login, $user_data);376377 wp_mail($user_email, wp_specialchars_decode($title), $message);378379 return new WP_REST_Response(array(380 ‘status’ => 'success’,381 ), 200);;382 }383384 public function register()385 {386 $json = file_get_contents(‘php://input’);387 $params = json_decode($json, TRUE);388 $usernameReq = $params[“username”];389 $emailReq = $params[“email”];390 $userPassReq = $params[“user_pass”];391 $userLoginReq = $params[“user_login”];392 $userEmailReq = $params[“user_email”];393394 if(array_key_exists('role’, $params)){395 $role = $params[“role”];396 }397 if (isset($role)) {398 if (!in_array($role, ['subscriber’, 'wcfm_vendor’, 'seller’, 'wcfm_delivery_boy’, ‘driver’,’owner’], true)) {399 return parent::sendError("invalid_role", "Role is invalid.", 400);400 }401 }402 if( isset($params[‘dokan_enable_selling’])){403 $dokan_enable_selling = $params[‘dokan_enable_selling’];404 }405 if(isset($params[‘wcfm_membership_application_status’])){406 $wcfm_membership_application_status = $params[‘wcfm_membership_application_status’];407 }408 409 $username = sanitize_user($usernameReq);410 $email = sanitize_email($emailReq);411412 if ($username == $userEmailReq && $username == $userLoginReq) {413 $is_email = is_email($username);414 if ($is_email) {415 $email = $username;416 $user_name = explode("@", $email)[0];417 $params[“user_email”] = $email;418 $params[“user_login”] = $user_name;419 } else {420 $user_name = $username;421 $params[“user_login”] = $user_name;422 $params[“user_email”] = '’;423 }424 }425426 if (isset($params[“seconds”])) {427 $seconds = (int)$params[“seconds”];428 } else {429 $seconds = 1209600;430 }431432 if (!validate_username($username)) {433 return parent::sendError("invalid_username", "Username is invalid.", 400);434 } elseif (username_exists($username)) {435 return parent::sendError("existed_username", "Username already exists.", 400);436 } else {437 if (!is_email($email)) {438 return parent::sendError("invalid_email", "E-mail address is invalid.", 400);439 } elseif (email_exists($email)) {440 return parent::sendError("existed_email", "E-mail address is already in use.", 400);441 } else {442 if (!$userPassReq) {443 $params->user_pass = wp_generate_password();444 }445446 $allowed_params = array('user_login’, 'user_email’, 'user_pass’, 'display_name’, 'user_nicename’, 'user_url’, 'nickname’, 'first_name’,447 'last_name’, 'description’, 'rich_editing’, 'user_registered’, 'role’, 'jabber’, 'aim’, 'yim’,448 'comment_shortcuts’, 'admin_color’, 'use_ssl’, 'show_admin_bar_front’,449 );450451 $dataRequest = $params;452453 foreach ($dataRequest as $field => $value) {454 if (in_array($field, $allowed_params)) {455 $user[$field] = trim(sanitize_text_field($value));456 }457 }458459 $user[‘role’] = isset($params[“role”]) ? sanitize_text_field($params[“role”]) : get_option(‘default_role’);460 $_POST[‘user_role’] = $user[‘role’];//fix to register account with role in listeo461 $user_id = wp_insert_user($user);462463 if (is_wp_error($user_id)) {464 return parent::sendError($user_id->get_error_code(), $user_id->get_error_message(), 400);465 } elseif (isset($params[“phone”])) {466 update_user_meta($user_id, 'billing_phone’, $params[“phone”]);467 update_user_meta($user_id, 'registered_phone_number’, $params[“phone”]);468 }469 }470 }471 wp_new_user_notification($user_id, null, ‘both’);472 if(isset( $wcfm_membership_application_status) && $wcfm_membership_application_status == ‘pending’){473 update_user_meta($user_id,’store_name’, $user[‘display_name’]);474475 //fix crash when approve membership in WCFM476 $wcfmvm_static_infos = (array) get_user_meta( $member_id, 'wcfmvm_static_infos’, true );477 $wcfmvm_static_infos[‘phone’] = $params[“phone”] ?? '’;478 update_user_meta($user_id, 'wcfmvm_static_infos’, $wcfmvm_static_infos);479 update_user_meta($user_id, 'billing_phone’, $params[“phone”] ?? ‘’);480481 update_user_meta($user_id,’temp_wcfm_membership’, true);482 global $WCFMvm;483 $WCFMvm->send_approval_reminder_admin( $user_id );484 }485486 if(isset($dokan_enable_selling) && $dokan_enable_selling == false){487 update_user_meta($user_id,’dokan_enable_selling’,$dokan_enable_selling);488 }489 $cookie = generateCookieByUserId($user_id, $seconds);490491 return array(492 “cookie” => $cookie,493 “user_id” => $user_id,494 );495 }496497498 private function get_shipping_address($userId)499 {500 $shipping = [];501502 $shipping[“first_name”] = get_user_meta($userId, 'shipping_first_name’, true);503 $shipping[“last_name”] = get_user_meta($userId, 'shipping_last_name’, true);504 $shipping[“company”] = get_user_meta($userId, 'shipping_company’, true);505 $shipping[“address_1”] = get_user_meta($userId, 'shipping_address_1’, true);506 $shipping[“address_2”] = get_user_meta($userId, 'shipping_address_2’, true);507 $shipping[“city”] = get_user_meta($userId, 'shipping_city’, true);508 $shipping[“state”] = get_user_meta($userId, 'shipping_state’, true);509 $shipping[“postcode”] = get_user_meta($userId, 'shipping_postcode’, true);510 $shipping[“country”] = get_user_meta($userId, 'shipping_country’, true);511 $shipping[“email”] = get_user_meta($userId, 'shipping_email’, true);512 $shipping[“phone”] = get_user_meta($userId, 'shipping_phone’, true);513514 if (empty($shipping[“first_name”]) && empty($shipping[“last_name”]) && empty($shipping[“company”]) && empty($shipping[“address_1”]) && empty($shipping[“address_2”]) && empty($shipping[“city”]) && empty($shipping[“state”]) && empty($shipping[“postcode”]) && empty($shipping[“country”]) && empty($shipping[“email”]) && empty($shipping[“phone”])) {515 return null;516 }517 return $shipping;518 }519520 private function get_billing_address($userId)521 {522 $billing = [];523524 $billing[“first_name”] = get_user_meta($userId, 'billing_first_name’, true);525 $billing[“last_name”] = get_user_meta($userId, 'billing_last_name’, true);526 $billing[“company”] = get_user_meta($userId, 'billing_company’, true);527 $billing[“address_1”] = get_user_meta($userId, 'billing_address_1’, true);528 $billing[“address_2”] = get_user_meta($userId, 'billing_address_2’, true);529 $billing[“city”] = get_user_meta($userId, 'billing_city’, true);530 $billing[“state”] = get_user_meta($userId, 'billing_state’, true);531 $billing[“postcode”] = get_user_meta($userId, 'billing_postcode’, true);532 $billing[“country”] = get_user_meta($userId, 'billing_country’, true);533 $billing[“email”] = get_user_meta($userId, 'billing_email’, true);534 $billing[“phone”] = get_user_meta($userId, 'billing_phone’, true);535536 if (empty($billing[“first_name”]) && empty($billing[“last_name”]) && empty($billing[“company”]) && empty($billing[“address_1”]) && empty($billing[“address_2”]) && empty($billing[“city”]) && empty($billing[“state”]) && empty($billing[“postcode”]) && empty($billing[“country”]) && empty($billing[“email”]) && empty($billing[“phone”])) {537 return null;538 }539540 return $billing;541 }542543 function getResponseUserInfo($user)544 {545 $shipping = $this->get_shipping_address($user->ID);546 $billing = $this->get_billing_address($user->ID);547 $avatar = get_user_meta($user->ID, 'user_avatar’, true);548 if (!isset($avatar) || $avatar == “” || is_bool($avatar)) {549 $avatar = get_avatar_url($user->ID);550 } else {551 $avatar = $avatar[0];552 }553 $is_driver_available = false;554 if(is_plugin_active(‘delivery-drivers-for-woocommerce/delivery-drivers-for-woocommerce.php’)){555 $is_driver_available = get_user_meta( $user->ID, 'ddwc_driver_availability’, true );556 }else{557 $is_driver_available = in_array('administrator’,$user->roles) || in_array('wcfm_delivery_boy’,$user->roles);558 }559 return array(560 “id” => $user->ID,561 “username” => $user->user_login,562 “nicename” => $user->user_nicename,563 “email” => $user->user_email,564 “url” => $user->user_url,565 “registered” => $user->user_registered,566 “displayname” => $user->display_name,567 “firstname” => $user->user_firstname,568 “lastname” => $user->last_name,569 “nickname” => $user->nickname,570 “description” => $user->user_description,571 “capabilities” => $user->wp_capabilities,572 “role” => $user->roles,573 “shipping” => $shipping,574 “billing” => $billing,575 “avatar” => $avatar,576 “is_driver_available” => $is_driver_available,577 “dokan_enable_selling” => $user->dokan_enable_selling578 );579 }580581 public function generate_auth_cookie()582 {583 $json = file_get_contents(‘php://input’);584 $params = json_decode($json, TRUE);585 if (!isset($params[“username”]) || !isset($params[“password”])) {586 return parent::sendError("invalid_login", "Invalid params", 400);587 }588 $username = $params[“username”];589 $password = $params[“password”];590591592 if (isset($params[“seconds”])) {593 $seconds = (int)$params[“seconds”];594 } else {595 $seconds = 1209600;596 }597 $_POST[‘action’] = 'listeoajaxlogin’; //fix to return json if login error in listeo598 $user = wp_authenticate($username, $password);599600 if (is_wp_error($user)) {601 return parent::sendError($user->get_error_code(), "Invalid username/email and/or password.", 401);602 }603604 $cookie = generateCookieByUserId($user->ID, $seconds);605606 return array(607 “cookie” => $cookie,608 “cookie_name” => LOGGED_IN_COOKIE,609 “user” => $this->getResponseUserInfo($user),610 );611 }612613 function createSocialAccount($email, $name, $firstName, $lastName, $userName)614 {615 $email_exists = email_exists($email);616 if ($email_exists) {617 $user = get_user_by('email’, $email);618 $user_id = $user->ID;619 } else {620 $i = 0;621 while (username_exists($userName)) {622 $i++;623 $userName = strtolower($userName) . ‘.’ . $i;624 }625 $random_password = wp_generate_password($length = 12, $include_standard_special_chars = false);626 $userdata = array(627 ‘user_login’ => $userName,628 ‘user_email’ => $email,629 ‘user_pass’ => $random_password,630 ‘display_name’ => $name,631 ‘first_name’ => $firstName,632 ‘last_name’ => $lastName);633 $user_id = wp_insert_user($userdata);634 }635636 $cookie = generateCookieByUserId($user_id);637 $user = get_userdata($user_id);638639 $response[‘wp_user_id’] = $user_id;640 $response[‘cookie’] = $cookie;641 $response[‘user_login’] = $user->user_login;642 $response[‘user’] = $this->getResponseUserInfo($user);643 return $response;644 }645646 public function fb_connect($request)647 {648 $fields = 'id,name,first_name,last_name,email’;649 $enable_ssl = true;650 $access_token = $request[“access_token”];651 if (!isset($access_token)) {652 return parent::sendError("invalid_login", "You must include a ‘access_token’ variable. Get the valid access_token for this app from Facebook API.", 400);653 }654 $url = ‘https://graph.facebook.com/me/?fields=’ . $fields . ‘&access_token=’ . $access_token;655656 $result = wp_remote_retrieve_body(wp_remote_get($url));657658 $result = json_decode($result, true);659660 if (isset($result[“email”])) {661 $user_name = strtolower($result[‘first_name’] . ‘.’ . $result[‘last_name’]);662 return $this->createSocialAccount($result[“email”], $result[‘name’], $result[‘first_name’], $result[‘last_name’], $user_name);663 } else {664 return parent::sendError("invalid_login", "Your ‘access_token’ did not return email of the user. Without ‘email’ user can’t be logged in or registered. Get user email extended permission while joining the Facebook app.", 400);665 }666 }667668 public function sms_login($request)669 {670 $access_token = $request[“access_token”];671 if (!isset($access_token)) {672 return parent::sendError("invalid_login", "You must include a ‘access_token’ variable. Get the valid access_token for this app from Facebook API.", 400);673 }674 $url = ‘https://graph.accountkit.com/v1.3/me/?access_token=’ . $access_token;675676 $WP_Http_Curl = new WP_Http_Curl();677 $result = $WP_Http_Curl->request($url, array(678 ‘method’ => 'GET’,679 ‘timeout’ => 5,680 ‘redirection’ => 5,681 ‘httpversion’ => '1.0’,682 ‘blocking’ => true,683 ‘headers’ => array(),684 ‘body’ => null,685 ‘cookies’ => array(),686 ));687688 $result = json_decode($result, true);689690 if (isset($result[“phone”])) {691 $user_name = $result[“phone”][“number”];692 $user_email = $result[“phone”][“number”] . "@flutter.io";693 return $this->createSocialAccount($user_email, $user_name, $user_name, "", $user_name);694 } else {695 return parent::sendError("invalid_login", "Your ‘access_token’ did not return email of the user. Without ‘email’ user can’t be logged in or registered. Get user email extended permission while joining the Facebook app.", 400);696 }697 return $response;698699 }700701 public function firebase_sms_login($request)702 {703 $phone = $request[“phone”];704 if (!isset($phone)) {705 return parent::sendError("invalid_login", "You must include a ‘phone’ variable.", 400);706 }707 $domain = $_SERVER[‘SERVER_NAME’] == ‘default_server’ ? $_SERVER[‘HTTP_HOST’] : $_SERVER[‘SERVER_NAME’];708 if (count(explode(".", $domain)) == 1) {709 $domain = "flutter.io";710 }711 $user_name = $phone;712 $user_email = $phone . “@” . $domain;713 return $this->createSocialAccount($user_email, $user_name, $user_name, "", $user_name);714 }715716 public function firebase_sms_login_v2($request)717 {718 $phone = $request[“phone”];719 if (!isset($phone)) {720 return parent::sendError("invalid_login", "You must include a ‘phone’ variable.", 400);721 }722723 if (isset($phone)) {724 $args = array(‘meta_key’ => 'registered_phone_number’, ‘meta_value’ => $phone);725 $search_users = get_users($args);726 if (empty($search_users)) {727 $domain = $_SERVER[‘SERVER_NAME’] == ‘default_server’ ? $_SERVER[‘HTTP_HOST’] : $_SERVER[‘SERVER_NAME’];728 if (count(explode(".", $domain)) == 1) {729 $domain = "flutter.io";730 }731 $user_name = $phone;732 $user_email = $phone . “@” . $domain;733 $user = get_user_by(‘email’, $user_email);734 if (!$user) {735 return parent::sendError("invalid_login", "User does not exist", 400);736 }737 $cookie = generateCookieByUserId($user->ID);738 $response[‘wp_user_id’] = $user->ID;739 $response[‘cookie’] = $cookie;740 $response[‘user_login’] = $user->user_login;741 $response[‘user’] = $this->getResponseUserInfo($user);742 return $response;743 }744 if (count($search_users) > 1) {745 return parent::sendError("invalid_login", "Too many users with the same phone number", 400);746 }747 $user = $search_users[0];748 $cookie = generateCookieByUserId($user->ID);749 $response[‘wp_user_id’] = $user->ID;750 $response[‘cookie’] = $cookie;751 $response[‘user_login’] = $user->user_login;752 $response[‘user’] = $this->getResponseUserInfo($user);753 return $response;754 }755 return parent::sendError("invalid_login", "Unknown Error", 400);756 }757758759 function jwtDecode($token)760 {761 $splitToken = explode(".", $token);762 $payloadBase64 = $splitToken[1]; // Payload is always the index 1763 $decodedPayload = json_decode(urldecode(base64_decode($payloadBase64)), true);764 return $decodedPayload;765 }766767 public function apple_login($request)768 {769 $json = file_get_contents(‘php://input’);770 $params = json_decode($json, TRUE);771 $token = $params[“token”];772 $firstName = $params[“first_name”];773 $lastName = $params[“last_name”];774 $decoded = $this->jwtDecode($token);775 $user_email = $decoded[“email”];776 if (!isset($user_email)) {777 return parent::sendError("invalid_login", "Can’t get the email to create account.", 400);778 }779 $display_name = explode("@", $user_email)[0];780 if(isset($firstName) && isset($lastName) && !empty($firstName)){781 $display_name = $firstName.’ ‘.$lastName;782 }else{783 $firstName = $display_name;784 $lastName = "";785 }786 $user_name = $display_name;787788 return $this->createSocialAccount($user_email, $display_name, $firstName, $lastName, $user_name);789 }790791 public function apple_login_2($request)792 {793 $json = file_get_contents(‘php://input’);794 $params = json_decode($json, TRUE);795 $authorization_code = $params[“authorization_code”];796 $firstName = $params[“first_name”];797 $lastName = $params[“last_name”];798 $teamId = $params[“team_id”];799 $bundleId = $params[“bundle_id”];800 if(!FlutterAppleSignInUtils::is_file_existed()){801 return parent::sendError("invalid_login", "You need to upload AuthKey_XXXX.p8 file to MStore Api plugin", 400);802 }803 $token = AppleSignInHelper::generate_token($bundleId,$teamId,$authorization_code);804 if($token == false || is_wp_error($token)){805 return is_wp_error($token) ? $token : parent::sendError("invalid_login", "Invalid authorization_code", 400);806 }807 $decoded = $this->jwtDecode($token);808 $user_email = $decoded[“email”];809 if (!isset($user_email)) {810 return parent::sendError("invalid_login", "Can’t get the email to create account.", 400);811 }812 $display_name = explode("@", $user_email)[0];813 if(isset($firstName) && isset($lastName) && !empty($firstName)){814 $display_name = $firstName.’ '.$lastName;815 }else{816 $firstName = $display_name;817 $lastName = "";818 }819 $user_name = $display_name;820821 return $this->createSocialAccount($user_email, $display_name, $firstName, $lastName, $user_name);822 }823824 public function google_login($request)825 {826 $access_token = $request[“access_token”];827 if (!isset($access_token)) {828 return parent::sendError("invalid_login", "You must include a ‘access_token’ variable. Get the valid access_token for this app from Google API.", 400);829 }830831 $url = ‘https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token=’ . $access_token;832833 $result = wp_remote_retrieve_body(wp_remote_get($url));834835 $result = json_decode($result, true);836 if (isset($result[“email”])) {837 $firstName = $result[“given_name”];838 $lastName = $result[“family_name”];839 $email = $result[“email”];840 $display_name = $firstName . " " . $lastName;841 $user_name = $firstName . “.” . $lastName;842 return $this->createSocialAccount($email, $display_name, $firstName, $lastName, $user_name);843 } else {844 return parent::sendError("invalid_login", "Your ‘token’ did not return email of the user. Without ‘email’ user can’t be logged in or registered. Get user email extended permission while joining the Google app.", 400);845 }846 }847848 /*849 * Post commment function850 */851 public function post_comment($request)852 {853 $cookie = $request[“cookie”];854 $user_id = validateCookieLogin($cookie);855 if (is_wp_error($user_id)) {856 return $user_id;857 }858 if (!$request[“post_id”]) {859 return parent::sendError("invalid_data", "No post specified. Include ‘post_id’ var in your request.", 400);860 } elseif (!$request[“content”]) {861 return parent::sendError("invalid_data", "Please include ‘content’ var in your request.", 400);862 }863864 $comment_approved = 0;865 $user_info = get_userdata($user_id);866 $time = current_time(‘mysql’);867 $agent = filter_has_var(INPUT_SERVER, ‘HTTP_USER_AGENT’) ? filter_input(INPUT_SERVER, ‘HTTP_USER_AGENT’) : 'Mozilla’;868 $ips = filter_has_var(INPUT_SERVER, ‘REMOTE_ADDR’) ? filter_input(INPUT_SERVER, ‘REMOTE_ADDR’) : '127.0.0.1’;869 $data = array(870 ‘comment_post_ID’ => $request[“post_id”],871 ‘comment_author’ => $user_info->user_login,872 ‘comment_author_email’ => $user_info->user_email,873 ‘comment_author_url’ => $user_info->user_url,874 ‘comment_content’ => $request[“content”],875 ‘comment_type’ => '’,876 ‘comment_parent’ => 0,877 ‘user_id’ => $user_info->ID,878 ‘comment_author_IP’ => $ips,879 ‘comment_agent’ => $agent,880 ‘comment_date’ => $time,881 ‘comment_approved’ => $comment_approved,882 );883 //print_r($data);884 $comment_id = wp_insert_comment($data);885 //add metafields886 $meta = json_decode(stripcslashes($request[“meta”]), true);887 //extra function888 add_comment_meta($comment_id, 'rating’, $meta[‘rating’]);889 add_comment_meta($comment_id, 'verified’, 0);890891 return array(892 “comment_id” => $comment_id,893 );894 }895896 public function get_currentuserinfo($request)897 {898 $cookie = $request[“cookie”];899 if (isset($request[“token”])) {900 $cookie = urldecode(base64_decode($request[“token”]));901 }902 $user_id = validateCookieLogin($cookie);903 if (is_wp_error($user_id)) {904 return $user_id;905 }906 $user = get_userdata($user_id);907 return array(908 “user” => $this->getResponseUserInfo($user)909 );910 }911912 /**913 * Get Point Reward by User ID914 *915 * @return void916 */917 function get_points($request)918 {919 global $wc_points_rewards;920 $user_id = (int)$request[‘user_id’];921 $current_page = (int)$request[‘page’];922923 $points_balance = WC_Points_Rewards_Manager::get_users_points($user_id);924 $points_label = $wc_points_rewards->get_points_label($points_balance);925 $count = apply_filters('wc_points_rewards_my_account_points_events’, 5, $user_id);926 $current_page = empty($current_page) ? 1 : absint($current_page);927928 $args = array(929 ‘calc_found_rows’ => true,930 ‘orderby’ => array(931 ‘field’ => 'date’,932 ‘order’ => 'DESC’,933 ),934 ‘per_page’ => $count,935 ‘paged’ => $current_page,936 ‘user’ => $user_id,937 );938 $total_rows = WC_Points_Rewards_Points_Log::$found_rows;939 $events = WC_Points_Rewards_Points_Log::get_points_log_entries($args);940941 return array(942 ‘points_balance’ => $points_balance,943 ‘points_label’ => $points_label,944 ‘total_rows’ => $total_rows,945 ‘page’ => $current_page,946 ‘count’ => $count,947 ‘events’ => $events948 );949 }950951 function update_user_profile()952 {953 global $json_api;954 $json = file_get_contents(‘php://input’);955 $params = json_decode($json);956 $cookie = $params->cookie;957 $user_id = validateCookieLogin($cookie);958 if (is_wp_error($user_id)) {959 return $user_id;960 }961962 $user_update = array(‘ID’ => $user_id);963 if (isset($params->user_pass)) {964 $user_update[‘user_pass’] = $params->user_pass;965 }966 if (isset($params->user_nicename)) {967 $user_update[‘user_nicename’] = $params->user_nicename;968 }969 if (isset($params->user_email)) {970 $user_update[‘user_email’] = $params->user_email;971 }972 if (isset($params->user_url)) {973 $user_update[‘user_url’] = $params->user_url;974 }975 if (isset($params->display_name)) {976 $user_update[‘display_name’] = $params->display_name;977 }978 if (isset($params->first_name)) {979 $user_update[‘first_name’] = $params->first_name;980 update_user_meta($user_id, 'shipping_first_name’, $params->first_name, ‘’);981 update_user_meta($user_id, 'billing_first_name’, $params->first_name, ‘’);982 }983 if (isset($params->last_name)) {984 $user_update[‘last_name’] = $params->last_name;985 update_user_meta($user_id, 'shipping_last_name’, $params->last_name, ‘’);986 update_user_meta($user_id, 'billing_last_name’, $params->last_name, ‘’);987 }988 if (isset($params->shipping_company)) {989 update_user_meta($user_id, 'shipping_company’, $params->shipping_company, ‘’);990 update_user_meta($user_id, 'billing_company’, $params->shipping_company, ‘’);991 }992 if (isset($params->shipping_state)) {993 update_user_meta($user_id, 'shipping_state’, $params->shipping_state, ‘’);994 update_user_meta($user_id, 'billing_state’, $params->shipping_state, ‘’);995 }996 if (isset($params->shipping_address_1)) {997 update_user_meta($user_id, 'shipping_address_1’, $params->shipping_address_1, ‘’);998 update_user_meta($user_id, 'billing_address_1’, $params->shipping_address_1, ‘’);999 }1000 if (isset($params->shipping_address_2)) {1001 update_user_meta($user_id, 'shipping_address_2’, $params->shipping_address_2, ‘’);1002 update_user_meta($user_id, 'billing_address_2’, $params->shipping_address_2, ‘’);1003 }1004 if (isset($params->shipping_city)) {1005 update_user_meta($user_id, 'shipping_city’, $params->shipping_city, ‘’);1006 update_user_meta($user_id, 'billing_city’, $params->shipping_city, ‘’);1007 }1008 if (isset($params->shipping_country)) {1009 update_user_meta($user_id, 'shipping_country’, $params->shipping_country, ‘’);1010 update_user_meta($user_id, 'billing_country’, $params->shipping_country, ‘’);1011 }1012 if (isset($params->shipping_postcode)) {1013 update_user_meta($user_id, 'shipping_postcode’, $params->shipping_postcode, ‘’);1014 update_user_meta($user_id, 'billing_postcode’, $params->shipping_postcode, ‘’);1015 }1016 if (isset($params->meta_data) && is_array($params->meta_data)) {1017 foreach ($params->meta_data as $item) {1018 update_user_meta($user_id, $item->key, $item->value, ‘’);1019 }1020 }10211022 if (isset($params->avatar)) {1023 $count = 1;1024 require_once(ABSPATH . ‘wp-admin’ . ‘/includes/file.php’);1025 require_once(ABSPATH . ‘wp-admin’ . ‘/includes/image.php’);1026 $imgdata = $params->avatar;1027 $imgdata = trim($imgdata);1028 $imgdata = str_replace('data:image/png;base64,’, '’, $imgdata);1029 $imgdata = str_replace('data:image/jpg;base64,’, '’, $imgdata);1030 $imgdata = str_replace('data:image/jpeg;base64,’, '’, $imgdata);1031 $imgdata = str_replace('data:image/gif;base64,’, '’, $imgdata);1032 $imgdata = str_replace(' ', '+’, $imgdata);1033 $imgdata = base64_decode($imgdata);1034 $f = finfo_open();1035 $mime_type = finfo_buffer($f, $imgdata, FILEINFO_MIME_TYPE);1036 $type_file = explode('/’, $mime_type);1037 $avatar = time() . ‘_’ . $count . ‘.’ . $type_file[1];10381039 $uploaddir = wp_upload_dir();1040 $myDirPath = $uploaddir[“path”];1041 $myDirUrl = $uploaddir[“url”];10421043 file_put_contents($uploaddir[“path”] . ‘/’ . $avatar, $imgdata);10441045 $filename = $myDirUrl . ‘/’ . basename($avatar);1046 $wp_filetype = wp_check_filetype(basename($filename), null);1047 $uploadfile = $uploaddir[“path”] . ‘/’ . basename($filename);10481049 $attachment = array(1050 “post_mime_type” => $wp_filetype[“type”],1051 “post_title” => preg_replace("/\.[^.]+$/", "", basename($filename)),1052 “post_content” => "",1053 “post_author” => $user_id,1054 “post_status” => "inherit",1055 ‘guid’ => $myDirUrl . ‘/’ . basename($filename),1056 );10571058 $attachment_id = wp_insert_attachment($attachment, $uploadfile);1059 $attach_data = apply_filters('wp_generate_attachment_metadata’, $attachment, $attachment_id, ‘create’);1060 // $attach_data = wp_generate_attachment_metadata($attachment_id, $uploadfile);1061 wp_update_attachment_metadata($attachment_id, $attach_data);1062 $url = wp_get_attachment_image_src($attachment_id);1063 update_user_meta($user_id, 'user_avatar’, $url, ‘’);10641065 }106610671068 $user_data = wp_update_user($user_update);10691070 if (is_wp_error($user_data)) {1071 // There was an error; possibly this user doesn’t exist.1072 echo 'Error.’;1073 }1074 $user = get_userdata($user_id);10751076 if (isset($params->deviceToken)) {1077 if (isset($params->is_manager) && $params->is_manager) {1078 update_user_meta($user_id, "mstore_manager_device_token", $params->deviceToken);1079 } else if (isset($params->is_delivery) && $params->is_delivery) {1080 update_user_meta($user_id, "mstore_delivery_device_token", $params->deviceToken);1081 }1082 if (!isset($params->is_delivery) && !isset($params->is_manager)) {1083 update_user_meta($user_id, "mstore_device_token", $params->deviceToken);1084 }1085 if(in_array('wcfm_delivery_boy’, (array)$user->roles) || in_array('driver’,(array)$user->roles)){1086 update_user_meta($user_id, "mstore_delivery_device_token", $params->deviceToken);1087 }1088 }10891090 return $this->getResponseUserInfo($user);1091 }10921093 function prepare_checkout()1094 {1095 global $json_api;1096 $json = file_get_contents(‘php://input’);1097 $params = json_decode($json);1098 $order = $params->order;1099 if (!isset($order)) {1100 return parent::sendError("invalid_checkout", "You must include a ‘order’ var in your request", 400);1101 }1102 global $wpdb;1103 $table_name = $wpdb->prefix . "mstore_checkout";11041105 $code = md5(mt_rand() . strtotime(“now”));1106 $success = $wpdb->insert($table_name, array(1107 ‘code’ => $code,1108 ‘order’ => $order1109 )1110 );1111 if ($success) {1112 return $code;1113 } else {1114 return parent::sendError("error_insert_database", "Can’t insert to database", 400);1115 }1116 }11171118 public function get_currency_rates()1119 {1120 global $woocommerce_wpml;11211122 if (!empty($woocommerce_wpml->multi_currency) && !empty($woocommerce_wpml->settings[‘currencies_order’])) {1123 return $woocommerce_wpml->settings[‘currency_options’];1124 }1125 return parent::sendError("not_install_woocommerce_wpml", "WooCommerce WPML hasn’t been installed yet.", 404);1126 }11271128 public function get_countries()1129 {1130 $wc_countries = new WC_Countries();1131 $array = $wc_countries->get_countries();1132 $keys = array_keys($array);1133 $countries = array();1134 for ($i = 0; $i < count($keys); $i++) {1135 $countries[] = [“code” => $keys[$i], “name” => $array[$keys[$i]]];1136 }1137 return $countries;1138 }11391140 public function get_states($request)1141 {1142 $wc_countries = new WC_Countries();1143 $array = $wc_countries->get_states($request[“country_code”]);1144 if ($array) {1145 $keys = array_keys($array);1146 $states = array();1147 for ($i = 0; $i < count($keys); $i++) {1148 $states[] = [“code” => $keys[$i], “name” => $array[$keys[$i]]];1149 }1150 return $states;1151 } else {1152 return [];1153 }1154 }11551156 function chat_notification()1157 {1158 $json = file_get_contents(‘php://input’);1159 $params = json_decode($json, TRUE);1160 $token = $params[‘token’];1161 if (isset($token)) {1162 $cookie = urldecode(base64_decode($token));1163 } else {1164 return parent::sendError("unauthorized", "You are not allowed to do this", 401);1165 }1166 $user_id = validateCookieLogin($cookie);1167 if (is_wp_error($user_id)) {1168 return $user_id;1169 }1170 $receiver_email = $params[‘receiver’];1171 $sender_name = $params[‘sender’];1172 if (is_email($sender_name)) {1173 $sender = get_user_by('email’, $sender_name);1174 $sender_name = $sender->display_name;1175 }1176 $receiver = get_user_by('email’, $receiver_email);11771178 if (!$receiver) {1179 return parent::sendError("invalid_user", "User does not exist in this world. Please re-check user’s existence with the Creator :)", 401);1180 }11811182 $message = $params[‘message’];11831184 $deviceToken = get_user_meta($receiver->ID, 'mstore_device_token’, true);1185 $manager_device_token = get_user_meta($receiver->ID, 'mstore_manager_device_token’, true);1186 pushNotification($sender_name, $message, $deviceToken);1187 pushNotification($sender_name, $message, $manager_device_token);1188 }11891190 function mstore_digrest_set_variables()1191 {1192 $json = file_get_contents(‘php://input’);1193 $params = json_decode($json, TRUE);11941195 $_POST[‘digits’] = 1;11961197 if (dig_isWhatsAppEnabled() && $params[‘whatsapp’] == true) {1198 $_POST[‘whatsapp’] = 1;1199 }12001201 if (isset($params[‘type’])) {1202 $type = $params[‘type’];1203 if ($type == ‘login’) {1204 $_REQUEST[‘login’] = 1;1205 }1206 if ($type == ‘register’) {1207 $_REQUEST[‘login’] = 2;1208 } else if ($type == ‘resetpass’) {1209 $_REQUEST[‘login’] = 3;1210 } else if ($type == ‘update’) {1211 $_REQUEST[‘login’] = 11;1212 }1213 }else{1214 $_REQUEST[‘login’] = 2;1215 }12161217 if (isset($params[‘mobile’])) {1218 $_POST[‘digits_reg_mail’] = $params[‘mobile’];1219 }1220 if (isset($params[‘email’])) {1221 $_POST[‘dig_reg_mail’] = $params[‘email’];1222 }1223 if (isset($params[‘username’])) {1224 $_POST[‘digits_reg_username’] = $params[‘username’];1225 $_POST[‘digits_reg_name’] = $params[‘username’];1226 }1227 if (isset($params[‘name’])) {1228 $_POST[‘digits_reg_name’] = $params[‘name’];1229 }1230 if (isset($params[‘last_name’])) {1231 $_POST[‘digits_reg_lastname’] = $params[‘last_name’];1232 }1233 if (isset($params[‘country_code’])) {1234 $_POST[‘digregcode’] = $params[‘country_code’];1235 }1236 if (isset($params[‘otp’])) {1237 $_POST[‘dig_otp’] = $params[‘otp’];1238 }1239 $_POST[‘ftoken’] = $params[‘ftoken’];1240 $_REQUEST[‘ftoken’] = $params[‘ftoken’];12411242 $_REQUEST[‘csrf’] = wp_create_nonce(‘crsf-otp’);1243 $_POST[‘csrf’] = wp_create_nonce(‘crsf-otp’);12441245 $_POST[‘dig_nounce’] = wp_create_nonce(‘dig_form’);1246 $_POST[‘crsf-otp’] = wp_create_nonce(‘crsf-otp’);12471248 $_POST[‘digits_reg_password’] = wp_generate_password();1249 $_REQUEST[‘json’] = 1;1250 }12511252 function digits_register_check()1253 {1254 if(!function_exists(‘digits_create_user’)) { 1255 return parent::sendError("plugin_not_found", "Please install the DIGITS: Wordpress Mobile Number Signup and Login plugin", 400);1256 }12571258 $json = file_get_contents(‘php://input’);1259 $params = json_decode($json, TRUE);12601261 if(empty($params[‘email’])){1262 return parent::sendError("invalid_email", 'Email is required’, 400);1263 }1264 if (!empty($params[‘email’]) && email_exists($params[‘email’])) {1265 return parent::sendError("invalid_email", 'Email already in use!’, 400);1266 }12671268 if(empty($params[‘username’])){1269 return parent::sendError("invalid_username", 'Username is required’, 400);1270 }1271 if (!empty($params[‘username’]) && username_exists($params[‘username’])) {1272 return parent::sendError("invalid_username", 'Username already in use!’, 400);1273 }12741275 if(empty($params[‘country_code’])){1276 return parent::sendError("invalid_country_code", 'Country code is required’, 400);1277 }12781279 if(empty($params[‘mobile’])){1280 return parent::sendError("invalid_mobile", 'Mobile is required’, 400);1281 }12821283 $mob = $params[‘country_code’].$params[‘mobile’];1284 $mobuser = getUserFromPhone($mob);1285 if ($mobuser != null || username_exists($mob)) {1286 return parent::sendError("invalid_mobile", 'Mobile Number already in use!’, 400);1287 } 12881289 return true;1290 }12911292 function digits_register()1293 {1294 if(!function_exists(‘digits_create_user’)) { 1295 return parent::sendError("plugin_not_found", "Please install the DIGITS: Wordpress Mobile Number Signup and Login plugin", 400);1296 }12971298 define( 'REST_REQUEST’, true );1299 $this->mstore_digrest_set_variables();1300 $userId = null;1301 add_filter('digits_user_created_response’, function($data, $user_id){1302 $data[‘user_id’] = $user_id;1303 return $data;1304 },10, 2);1305 $data = digits_create_user();1306 define( 'REST_REQUEST’, false );1307 remove_filter('digits_user_created_response’,’__return_false’, 10);13081309 if ($data[‘success’] === false) {1310 return parent::sendError("invalid_data", explode("<br />", $data[‘data’][‘msg’])[0], 400);1311 } else {1312 $user_id = $data[‘user_id’];1313 $cookie = generateCookieByUserId($user_id);1314 $user = get_userdata($user_id);13151316 $response[‘wp_user_id’] = $user_id;1317 $response[‘cookie’] = $cookie;1318 $response[‘user_login’] = $user->user_login;1319 $response[‘user’] = $this->getResponseUserInfo($user);1320 return $response;1321 }1322 }13231324 function digits_login_check()1325 {1326 if(!function_exists(‘digits_create_user’)) { 1327 return parent::sendError("plugin_not_found", "Please install the DIGITS: Wordpress Mobile Number Signup and Login plugin", 400);1328 }13291330 $json = file_get_contents(‘php://input’);1331 $params = json_decode($json, TRUE);13321333 if(empty($params[‘country_code’])){1334 return parent::sendError("invalid_country_code", 'Country code is required’, 400);1335 }13361337 if(empty($params[‘mobile’])){1338 return parent::sendError("invalid_mobile", 'Mobile is required’, 400);1339 }13401341 $mob = $params[‘country_code’].$params[‘mobile’];1342 $mobuser = getUserFromPhone($mob);1343 if ($mobuser == null) {1344 return parent::sendError("invalid_mobile", 'Phone number is not registered!’, 400);1345 } 13461347 return true;1348 }13491350 function digits_login()1351 {1352 if(!function_exists(‘dig_validateMobileNumber’)) { 1353 return parent::sendError("plugin_not_found", "Please install the DIGITS: Wordpress Mobile Number Signup and Login plugin", 400);1354 }13551356 $this->mstore_digrest_set_variables();1357 1358 $otp = $_POST[‘dig_otp’];1359 $validateMob = dig_validateMobileNumber($_POST[‘digregcode’], $_POST[‘digits_reg_mail’], $otp, null, 1, null, false);1360 1361 if ($validateMob[‘success’] === false) {1362 return parent::sendError("invalid_data",$validateMob[‘msg’], 400);1363 }1364 1365 $user = getUserFromPhone($validateMob[‘countrycode’] . $validateMob[‘mobile’]);1366 $cookie = generateCookieByUserId($user->ID);1367 $response[‘wp_user_id’] = $user->ID;1368 $response[‘cookie’] = $cookie;1369 $response[‘user_login’] = $user->user_login;1370 $response[‘user’] = $this->getResponseUserInfo($user);1371 return $response;1372 }13731374 function digits_send_otp()1375 {1376 if(!function_exists(‘digits_create_user’)) { 1377 return parent::sendError("plugin_not_found", "Please install the DIGITS: Wordpress Mobile Number Signup and Login plugin", 400);1378 }13791380 $json = file_get_contents(‘php://input’);1381 $params = json_decode($json, TRUE);13821383 if(empty($params[‘country_code’])){1384 return parent::sendError("invalid_country_code", 'Country code is required’, 400);1385 }13861387 if(empty($params[‘mobile’])){1388 return parent::sendError("invalid_mobile", 'Mobile is required’, 400);1389 }13901391 $_REQUEST[‘countrycode’] = $params[‘country_code’];1392 $_REQUEST[‘mobileNo’] = $params[‘mobile’];1393 $_REQUEST[‘type’] = $params[‘type’];1394 1395 $this->mstore_digrest_set_variables();1396 1397 1398 $_REQUEST[‘csrf’] = wp_create_nonce(‘dig_form’);1399 $_POST[‘csrf’] = wp_create_nonce(‘dig_form’);1400 1401 do_action(‘wp_ajax_nopriv_digits_check_mob’);1402 }14031404 function digits_resend_otp()1405 {1406 if(!function_exists(‘digits_resendotp’)) { 1407 return parent::sendError("plugin_not_found", "Please install the DIGITS: Wordpress Mobile Number Signup and Login plugin", 400);1408 }14091410 $json = file_get_contents(‘php://input’);1411 $params = json_decode($json, TRUE);14121413 if(empty($params[‘country_code’])){1414 return parent::sendError("invalid_country_code", 'Country code is required’, 400);1415 }14161417 if(empty($params[‘mobile’])){1418 return parent::sendError("invalid_mobile", ‘Mobile is required’, 400);1419 }14201421 $_REQUEST[‘countrycode’] = $params[‘country_code’];1422 $_REQUEST[‘mobileNo’] = $params[‘mobile’];1423 $_REQUEST[‘type’] = $params[‘type’];1424 1425 $this->mstore_digrest_set_variables();1426 1427 1428 $_REQUEST[‘csrf’] = wp_create_nonce(‘dig_form’);1429 $_POST[‘csrf’] = wp_create_nonce(‘dig_form’);1430 1431 digits_resendotp();1432 }14331434 1435 function custom_delete_item_permissions_check($request)1436 {1437 $cookie = $request->get_header(“User-Cookie”);1438 if (isset($cookie) && $cookie != null && parent::checkApiPermission()) {1439 $user_id = validateCookieLogin($cookie);1440 if (is_wp_error($user_id)) {1441 return false;1442 }1443 $request[“id”] = $user_id;1444 return true;1445 } else {1446 return false;1447 }1448 }14491450 function delete_account($request)1451 {1452 if(checkWhiteListAccounts($request[“id”])){1453 return parent::sendError("invalid_account", "This account can’t delete", 400);1454 }else{1455 require_once(ABSPATH.’wp-admin/includes/user.php’);1456 return wp_delete_user($request[“id”]);1457 }1458 }1459}

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907