CVE-2023-0814: Changeset 2864329 for profile-builder – WordPress Plugin Repository
The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to sensitive information disclosure via the [user_meta] shortcode in versions up to, and including, 3.9.0. This is due to insufficient restriction on the sensitive user meta values that can be requested through that shortcode. This makes it possible for authenticated attackers with subscriber-level permissions and above to retrieve sensitive user meta that can be used to gain access to a highly privileged user account. Exploitation requires the Usermeta shortcode to be enabled.
profile-builder/tags/3.9.1/admin/advanced-settings/includes/shortcodes/usermeta.php
r2555038
r2864329
21
21
}
22
22
23
if( in\_array( $atts\['key'\], array( 'user\_pass', 'user\_activation\_key' ) ) )
24
return;
23
25
24
$user = new WP\_User($atts\['user\_id'\]);
26
$user = new WP\_User( $atts\['user\_id'\] );
25
27
26
28
if ( !$user->exists() ) return;
…
…
37
39
38
40
if ( $user->has\_prop( $atts\['key'\] ) ){
41
39
42
if ($atts\['wpautop'\] == 'on'){
40
43
$value = wpautop( $user->get( $atts\['key'\] ) );
…
…
42
45
$value = $user->get( $atts\['key'\] );
43
46
}
47
44
48
}
45
49
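Review bot: The new guard on new line 23 is a two-entry denylist, but the lookup it protects (`$user->has_prop()` / `$user->get()` on new lines 40–45) resolves not only user-table columns but, for any other key, falls through to user meta, so every other secret-bearing meta value that core or another plugin stores for the given `user_id` is still renderable to anyone who can place the shortcode. A safer shape is an allowlist of keys the shortcode may render (ideally filterable so site owners can extend it), with the denylist kept only as a backstop; at minimum make the comparison strict, `if( in_array( $atts['key'], array( 'user_pass', 'user_activation_key' ), true ) )`, and put a short comment above it saying why those keys are excluded. The enclosing shortcode callback starts before this hunk. The same hunk appears in the trunk copy of usermeta.php below.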
profile-builder/tags/3.9.1/features/email-customizer/email-customizer.php
r2862446
r2864329
169
169
function wppb\_email\_customizer\_password\_reset\_content\_filter\_handler( $default\_string, $user\_id, $user\_login, $user\_email ) {
170
170
$email\_customizer\_option = get\_option( 'wppb\_user\_emailc\_reset\_email\_content', 'not\_found' );
171
$key = wppb\_retrieve\_activation\_key( $user\_login );
172
$url = add\_query\_arg( array( 'key' => $key ), wppb\_curpageurl() );
171
$user = new WP\_User( $user\_id );
172
$key = get\_password\_reset\_key( $user );
173
$url = add\_query\_arg( array( 'key' => $key, 'login' => $user->user\_login ), wppb\_curpageurl() );
173
174
174
175
if( $email\_customizer\_option != 'not\_found' ) {
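Review bot: `get_password_reset_key()` on new line 172 can return a `WP_Error` (non-existent user, reset disallowed), and the result goes straight into `add_query_arg()` on new line 173 without an `is_wp_error()` check, so the customised email would carry a broken `key=` parameter instead of failing cleanly. Separately, each call to `get_password_reset_key()` stores a freshly generated key for the user, replacing the previous one; if this handler is attached to the `wppb_recover_password_message_content_sent_to_user1` filter that recover.php applies after embedding its own key in the default message (the hook registration is outside this hunk), then generating the key before the `'not_found'` test on new line 175 invalidates the key in `$default_string` precisely in the case where `$default_string` is what gets sent. Moving the key generation inside the branch that actually uses it, and bailing out on error, addresses both; whether returning `$default_string` is the right fallback depends on the rest of the function, which continues past the hunk. The trunk copy of email-customizer.php below has the identical hunk.
```php
function wppb_email_customizer_password_reset_content_filter_handler( $default_string, $user_id, $user_login, $user_email ) {
    $email_customizer_option = get_option( 'wppb_user_emailc_reset_email_content', 'not_found' );

    if( $email_customizer_option != 'not_found' ) {
        // Generate the reset key only when a custom message will use it: every call
        // replaces the stored key, so an earlier key in $default_string would be invalidated.
        $user = new WP_User( $user_id );
        $key  = get_password_reset_key( $user );
        if( is_wp_error( $key ) )
            return $default_string; // TODO confirm this is the intended fallback for the filter
        $url = add_query_arg( array( 'key' => $key, 'login' => $user->user_login ), wppb_curpageurl() );
        // … unchanged: custom message assembly …
```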
profile-builder/tags/3.9.1/front-end/recover.php
r2801035
r2864329
24
24
}
25
25
26
/\*\*
27
\* Function that retrieves the unique user key from the database. If we don't have one we generate one and add it to the database
28
\*
29
\* @param string $requested\_user\_login the user login
30
\*
31
\*/
32
function wppb\_retrieve\_activation\_key( $requested\_user\_login ){
33
global $wpdb;
34
35
$key = $wpdb->get\_var( $wpdb->prepare( "SELECT user\_activation\_key FROM $wpdb->users WHERE user\_login = %s", $requested\_user\_login ) );
36
37
if ( empty( $key ) ) {
38
39
// Generate something random for a key...
40
$key = wp\_generate\_password( 20, false );
41
do\_action('wppb\_retrieve\_password\_key', $requested\_user\_login, $key);
42
43
// Now insert the new md5 key into the db
44
$wpdb->update($wpdb->users, array('user\_activation\_key' => $key), array('user\_login' => $requested\_user\_login));
45
}
46
47
return $key;
48
}
49
26
50
27
/\*\*
…
…
95
72
<input name="action2" type="hidden" id="action2" value="recover\_password2" />
96
73
<input name="key" type="hidden" id="key" value="<?php echo esc\_attr( isset( $\_GET\['key'\] ) ? sanitize\_text\_field( $\_GET\['key'\] ) : '' ) ?>" />
74
<input name="login" type="hidden" id="login" value="<?php echo esc\_attr( isset( $\_GET\['login'\] ) ? sanitize\_text\_field( $\_GET\['login'\] ) : '' ) ?>" />
97
75
</p><!-- .form-submit -->
98
76
<?php wp\_nonce\_field( 'verify\_true\_password\_recovery2\_'.$user->ID, 'password\_recovery\_nonce\_field2' ); ?>
…
…
172
150
return false;
173
151
174
$requested\_user\_id = $user->ID;
175
$requested\_user\_login = $user->user\_login;
176
$requested\_user\_email = $user->user\_email;
152
$user\_object = new WP\_User( $user->ID );
153
154
if( empty( $user\_object->ID ) )
155
return false;
156
157
$requested\_user\_id = $user\_object->ID;
158
$requested\_user\_login = $user\_object->user\_login;
159
$requested\_user\_email = $user\_object->user\_email;
177
160
178
161
//search if there is already an activation key present, if not create one
179
$key = wppb\_retrieve\_activation\_key( $requested\_user\_login );
162
$key = get\_password\_reset\_key( $user\_object );
180
163
181
164
$display\_username\_email = wppb\_get\_email\_display\_username($user);
182
165
183
166
//send primary email message
184
$recovery\_email\_message = sprintf( \_\_('Someone requested that the password be reset for the following account: <b>%1$s</b><br/>If this was a mistake, just ignore this email and nothing will happen.<br/>To reset your password, visit the following link:%2$s', 'profile-builder'), $display\_username\_email, '<a href="'.esc\_url( add\_query\_arg( array( 'key' => $key ), wppb\_curpageurl() ) ).'">'.esc\_url( add\_query\_arg( array( 'key' => $key ), wppb\_curpageurl() ) ).'</a>' );
167
$recovery\_email\_message = sprintf( \_\_('Someone requested that the password be reset for the following account: <b>%1$s</b><br/>If this was a mistake, just ignore this email and nothing will happen.<br/>To reset your password, visit the following link:%2$s', 'profile-builder'), $display\_username\_email, '<a href="'.esc\_url( add\_query\_arg( array( 'key' => $key, 'login' => $requested\_user\_login ), wppb\_curpageurl() ) ).'">'.esc\_url( add\_query\_arg( array( 'key' => $key, 'login' => $requested\_user\_login ), wppb\_curpageurl() ) ).'</a>' );
185
168
$recovery\_email\_message = apply\_filters( 'wppb\_recover\_password\_message\_content\_sent\_to\_user1', $recovery\_email\_message, $requested\_user\_id, $requested\_user\_login, $requested\_user\_email );
186
169
…
…
367
350
}
368
351
369
$user\_object = $wpdb->get\_row( $wpdb->prepare( "SELECT \* FROM $wpdb->users WHERE user\_activation\_key = %s", $key ) );
370
if( empty( $user\_object ) || ( !empty( $user\_object ) && $user\_object->ID === absint( $\_POST\['userData'\] ) ) ){
352
if( isset( $\_POST\['login'\] ) )
353
$login = sanitize\_text\_field( $\_POST\['login'\] );
354
else
355
$login = '';
356
357
if( empty( $login ) ){
358
$password\_change\_message = \_\_('Login cannot be empty!', 'profile-builder');
359
$output .= wppb\_password\_recovery\_error( $password\_change\_message, 'wppb\_recover\_password\_password\_changed\_message2' );
360
}
361
362
$user = check\_password\_reset\_key( $key, $login );
363
364
if( is\_wp\_error( $user ) || empty( $user ) || ( !empty( $user ) && $user->ID != absint( $\_POST\['userData'\] ) ) ){
371
365
$password\_change\_message = \_\_('Invalid key!', 'profile-builder');
372
366
$output .= wppb\_password\_recovery\_error( $password\_change\_message, 'wppb\_recover\_password\_password\_changed\_message2' );
…
…
395
389
$password\_changed\_success = true;
396
390
397
398
399
$userID = absint( $\_POST\['userData'\] );
391
$userID = $user->ID;
400
392
$new\_pass = $\_POST\['passw1'\]; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
401
393
…
…
454
446
455
447
//this is the part that shows the forms
456
if( isset( $\_GET\['key'\] ) ){
457
458
$key = sanitize\_text\_field( $\_GET\['key'\] );
459
460
if( !empty( $key ) && !$password\_changed\_success ) {
461
462
//get the login name and key and verify if they match the ones in the database
463
$user = $wpdb->get\_row( $wpdb->prepare( "SELECT \* FROM $wpdb->users WHERE user\_activation\_key = %s", $key ) );
464
465
if( !empty( $user ) ) {
448
if( isset( $\_GET\['key'\] ) && isset( $\_GET\['login'\] ) ){
449
450
$key = sanitize\_text\_field( $\_GET\['key'\] );
451
$login = sanitize\_text\_field( $\_GET\['login'\] );
452
453
if( !empty( $key ) && !empty( $login ) && !$password\_changed\_success ) {
454
455
$user = check\_password\_reset\_key( $key, $login );
456
457
if( !is\_wp\_error( $user ) ){
458
466
459
ob\_start();
467
wppb\_create\_recover\_password\_form($user, $\_POST);
468
$output .= ob\_get\_contents();
460
wppb\_create\_recover\_password\_form( $user, $\_POST );
461
$output .= ob\_get\_contents();
469
462
ob\_end\_clean();
470
}
471
else {
463
464
} else {
472
465
$output .= wppb\_password\_recovery\_error('<b>' . \_\_('ERROR:', 'profile-builder') . '</b>' . \_\_('Invalid key!', 'profile-builder'), 'wppb\_recover\_password\_invalid\_key\_message');
473
466
}
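Review bot: In the hunk at old lines 172–186 the new `$key = get_password_reset_key( $user_object );` (new line 162) is used unchecked in the reset email on new line 167, although that function returns a `WP_Error` when the user cannot be found or password reset is disallowed; the surrounding code already returns `false` on failure (new lines 150 and 155), so the consistent fix is one line after it, `if( is_wp_error( $key ) ) return false;`. In the POST-handling hunk (new lines 352–366) an empty `$login` appends "Login cannot be empty!" and then still calls `check_password_reset_key( $key, $login )`, which fails and appends "Invalid key!" as well, so the user sees two messages for one problem; guarding the key check with the empty-login test would keep the output to one. The display hunk (new lines 448–466) checks `is_wp_error()` correctly, and the now-redundant `userData` cross-check on new line 364 is harmless. The enclosing functions of these hunks start and end outside them, and the trunk copy of recover.php below carries the same changes.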
profile-builder/tags/3.9.1/index.php
r2862446
r2864329
4
4
\* Plugin URI: https://www.cozmoslabs.com/wordpress-profile-builder/
5
5
\* Description: Login, registration and edit profile shortcodes for the front-end. Also you can choose what fields should be displayed or add new (custom) ones both in the front-end and in the dashboard.
6
\* Version: 3.9.0
6
\* Version: 3.9.1
7
7
\* Author: Cozmoslabs
8
8
\* Author URI: https://www.cozmoslabs.com/
…
…
10
10
\* Domain Path: /translation
11
11
\* License: GPL2
12
\* Elementor tested up to: 3.10.2
13
\* Elementor Pro tested up to: 3.10.2
12
\* Elementor tested up to: 3.11.0
13
\* Elementor Pro tested up to: 3.11.0
14
14
\*
15
15
\* == Copyright ==
…
…
397
397
\*
398
398
\*/
399
define('PROFILE\_BUILDER\_VERSION', '3.9.0' );
399
define('PROFILE\_BUILDER\_VERSION', '3.9.1' );
400
400
define('WPPB\_PLUGIN\_DIR', plugin\_dir\_path(\_\_FILE\_\_));
401
401
define('WPPB\_PLUGIN\_URL', plugin\_dir\_url(\_\_FILE\_\_));
profile-builder/tags/3.9.1/readme.txt
r2862446
r2864329
5
5
Requires at least: 3.1
6
6
Tested up to: 6.1
7
Stable tag: 3.9.0
7
Stable tag: 3.9.1
8
8
License: GPLv2 or later
9
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
178
178
179
179
\== Changelog ==
180
\= 3.9.1 =
181
\* Fix: Improve security for password reset functionality. Thanks to Istvan Marton (Lana Codes)
182
\* Fix: Disallow retrieval of certain user keys through the optional usermeta shortcode. Thanks to Istvan Marton (Lana Codes)
183
180
184
\= 3.9.0 =
181
185
\* Fix: Issue with the Email From filter
profile-builder/tags/3.9.1/translation/profile-builder.catalog.php
r2836042
r2864329
903
903
<?php \_\_("The password must not be empty!", "profile-builder"); ?>
904
904
<?php \_\_("The key cannot be empty!", "profile-builder"); ?>
905
<?php \_\_("Login cannot be empty!", "profile-builder"); ?>
905
906
<?php \_\_("Invalid key!", "profile-builder"); ?>
906
907
<?php \_\_("The entered passwords don't match!", "profile-builder"); ?>
profile-builder/tags/3.9.1/translation/profile-builder.pot
r2861357
r2864329
850
850
msgstr ""
851
851
852
#: admin/general-settings.php:314, front-end/login.php:540, front-end/recover.php:118, add-ons/email-customizer/email-customizer.php:29, add-ons/user-listing/userlisting.php:119, add-ons/user-listing/userlisting.php:891, add-ons/user-listing/userlisting.php:2568, features/admin-approval/class-admin-approval.php:177, features/email-confirmation/class-email-confirmation.php:169, features/email-customizer/email-customizer.php:29, add-ons-free/gdpr-communication-preferences/admin/manage-fields.php:24, add-ons-free/gdpr-communication-preferences/front-end/gdpr-communication-preferences.php:9, admin/advanced-settings/includes/shortcodes/resend-activation.php:9
852
#: admin/general-settings.php:314, front-end/login.php:540, front-end/recover.php:96, add-ons/email-customizer/email-customizer.php:29, add-ons/user-listing/userlisting.php:119, add-ons/user-listing/userlisting.php:891, add-ons/user-listing/userlisting.php:2568, features/admin-approval/class-admin-approval.php:177, features/email-confirmation/class-email-confirmation.php:169, features/email-customizer/email-customizer.php:29, add-ons-free/gdpr-communication-preferences/admin/manage-fields.php:24, add-ons-free/gdpr-communication-preferences/front-end/gdpr-communication-preferences.php:9, admin/advanced-settings/includes/shortcodes/resend-activation.php:9
853
853
msgid "Email"
854
854
msgstr ""
…
…
1442
1442
msgstr ""
1443
1443
1444
#: admin/manage-fields.php:398, front-end/login.php:121, front-end/recover.php:72, add-ons/email-customizer/email-customizer.php:30, features/email-customizer/email-customizer.php:30
1444
#: admin/manage-fields.php:398, front-end/login.php:121, front-end/recover.php:49, add-ons/email-customizer/email-customizer.php:30, features/email-customizer/email-customizer.php:30
1445
1445
msgid "Password"
1446
1446
msgstr ""
…
…
1450
1450
msgstr ""
1451
1451
1452
#: admin/manage-fields.php:399, front-end/recover.php:73
1452
#: admin/manage-fields.php:399, front-end/recover.php:50
1453
1453
msgid "Repeat Password"
1454
1454
msgstr ""
…
…
3366
3366
msgstr ""
3367
3367
3368
#: features/functions.php:821, front-end/recover.php:386, front-end/default-fields/password/password.php:59
3368
#: features/functions.php:821, front-end/recover.php:380, front-end/default-fields/password/password.php:59
3369
3369
msgid "The password must have a minimum strength of %s"
3370
3370
msgstr ""
…
…
3539
3539
msgstr ""
3540
3540
3541
#: front-end/login.php:322, front-end/login.php:414, front-end/login.php:452, front-end/recover.php:18, front-end/recover.php:326, features/two-factor-authentication/class-two-factor-authentication.php:577, front-end/default-fields/fields-functions.php:62, front-end/extra-fields/extra-fields.php:118
3541
#: front-end/login.php:322, front-end/login.php:414, front-end/login.php:452, front-end/recover.php:18, front-end/recover.php:309, features/two-factor-authentication/class-two-factor-authentication.php:577, front-end/default-fields/fields-functions.php:62, front-end/extra-fields/extra-fields.php:118
3542
3542
msgid "ERROR"
3543
3543
msgstr ""
…
…
3603
3603
msgstr ""
3604
3604
3605
#: front-end/login.php:550, front-end/recover.php:122
3605
#: front-end/login.php:550, front-end/recover.php:100
3606
3606
msgid "Username or Email"
3607
3607
msgstr ""
…
…
3615
3615
msgstr ""
3616
3616
3617
#: front-end/recover.php:93
3617
#: front-end/recover.php:70
3618
3618
msgid "Reset Password"
3619
3619
msgstr ""
3620
3620
3621
#: front-end/recover.php:121
3621
#: front-end/recover.php:99
3622
3622
msgid "Please enter your username or email address."
3623
3623
msgstr ""
3624
3624
3625
#: front-end/recover.php:117
3625
#: front-end/recover.php:95
3626
3626
msgid "Please enter your email address."
3627
3627
msgstr ""
3628
3628
3629
#: front-end/recover.php:125
3629
#: front-end/recover.php:103
3630
3630
msgid "You will receive a link to create a new password via email."
3631
3631
msgstr ""
3632
3632
3633
#: front-end/recover.php:138
3633
#: front-end/recover.php:116
3634
3634
msgid "Get New Password"
3635
3635
msgstr ""
3636
3636
3637
#: front-end/recover.php:184
3637
#: front-end/recover.php:167
3638
3638
msgid "Someone requested that the password be reset for the following account: <b>%1$s</b><br/>If this was a mistake, just ignore this email and nothing will happen.<br/>To reset your password, visit the following link:%2$s"
3639
3639
msgstr ""
3640
3640
3641
#: front-end/recover.php:187
3641
#: front-end/recover.php:170
3642
3642
msgid "Password Reset from %1$s"
3643
3643
msgstr ""
3644
3644
3645
#: front-end/recover.php:214
3645
#: front-end/recover.php:197
3646
3646
msgid "You have successfully reset your password."
3647
3647
msgstr ""
3648
3648
3649
#: front-end/recover.php:216
3649
#: front-end/recover.php:199
3650
3650
msgid "Password Successfully Reset for %1$s on %2$s"
3651
3651
msgstr ""
3652
3652
3653
#: front-end/recover.php:234
3653
#: front-end/recover.php:217
3654
3654
msgid "%1$s has requested a password change via the password reset feature.<br/>His/her new password is:%2$s"
3655
3655
msgstr ""
3656
3656
3657
#: front-end/recover.php:271
3657
#: front-end/recover.php:254
3658
3658
msgid "You are already logged in. You can change your password on the edit profile form."
3659
3659
msgstr ""
3660
3660
3661
#: front-end/recover.php:446
3661
#: front-end/recover.php:438
3662
3662
msgid "The password must not be empty!"
3663
3663
msgstr ""
3664
3664
3665
#: front-end/recover.php:365
3665
#: front-end/recover.php:348
3666
3666
msgid "The key cannot be empty!"
3667
3667
msgstr ""
3668
3668
3669
#: front-end/recover.php:371, front-end/recover.php:472
3669
#: front-end/recover.php:358
3670
msgid "Login cannot be empty!"
3671
msgstr ""
3672
3673
#: front-end/recover.php:365, front-end/recover.php:465
3670
3674
msgid "Invalid key!"
3671
3675
msgstr ""
3672
3676
3673
#: front-end/recover.php:376
3677
#: front-end/recover.php:370
3674
3678
msgid "The entered passwords don't match!"
3675
3679
msgstr ""
3676
3680
3677
#: front-end/recover.php:382, front-end/default-fields/password/password.php:55
3681
#: front-end/recover.php:376, front-end/default-fields/password/password.php:55
3678
3682
msgid "The password must have the minimum length of %s characters"
3679
3683
msgstr ""
3680
3684
3681
#: front-end/recover.php:393
3685
#: front-end/recover.php:387
3682
3686
msgid "Your password has been successfully changed!"
3683
3687
msgstr ""
3684
3688
3685
#: front-end/recover.php:299
3689
#: front-end/recover.php:282
3686
3690
msgid "The username entered wasn't found in the database!"
3687
3691
msgstr ""
3688
3692
3689
#: front-end/recover.php:299
3693
#: front-end/recover.php:282
3690
3694
msgid "Please check that you entered the correct username."
3691
3695
msgstr ""
3692
3696
3693
#: front-end/recover.php:342
3697
#: front-end/recover.php:325
3694
3698
msgid "The email address entered wasn't found in the database!"
3695
3699
msgstr ""
3696
3700
3697
#: front-end/recover.php:342
3701
#: front-end/recover.php:325
3698
3702
msgid "Please check that you entered the correct email address."
3699
3703
msgstr ""
3700
3704
3701
#: front-end/recover.php:312
3705
#: front-end/recover.php:295
3702
3706
msgid "Check your email for the confirmation link."
3703
3707
msgstr ""
3704
3708
3705
#: front-end/recover.php:326
3709
#: front-end/recover.php:309
3706
3710
msgid "There was an error while trying to send the activation link to %1$s!"
3707
3711
msgstr ""
3708
3712
3709
#: front-end/recover.php:472
3713
#: front-end/recover.php:465
3710
3714
msgid "ERROR:"
3711
3715
msgstr ""
…
…
4112
4116
msgstr ""
4113
4117
4114
#: add-ons/email-customizer/email-customizer.php:601, features/email-customizer/email-customizer.php:578
4118
#: add-ons/email-customizer/email-customizer.php:602, features/email-customizer/email-customizer.php:579
4115
4119
msgid "The users selected password at signup"
4116
4120
msgstr ""
4117
4121
4118
#: add-ons/email-customizer/email-customizer.php:609, add-ons/email-customizer/email-customizer.php:616, add-ons/email-customizer/email-customizer.php:630, features/email-confirmation/email-confirmation.php:618, features/email-customizer/email-customizer.php:586, features/email-customizer/email-customizer.php:593, features/email-customizer/email-customizer.php:607
4122
#: add-ons/email-customizer/email-customizer.php:610, add-ons/email-customizer/email-customizer.php:617, add-ons/email-customizer/email-customizer.php:631, features/email-confirmation/email-confirmation.php:618, features/email-customizer/email-customizer.php:587, features/email-customizer/email-customizer.php:594, features/email-customizer/email-customizer.php:608
4119
4123
msgid "Your selected password at signup"
4120
4124
msgstr ""
profile-builder/trunk/admin/advanced-settings/includes/shortcodes/usermeta.php
r2555038
r2864329
21
21
}
22
22
23
if( in\_array( $atts\['key'\], array( 'user\_pass', 'user\_activation\_key' ) ) )
24
return;
23
25
24
$user = new WP\_User($atts\['user\_id'\]);
26
$user = new WP\_User( $atts\['user\_id'\] );
25
27
26
28
if ( !$user->exists() ) return;
…
…
37
39
38
40
if ( $user->has\_prop( $atts\['key'\] ) ){
41
39
42
if ($atts\['wpautop'\] == 'on'){
40
43
$value = wpautop( $user->get( $atts\['key'\] ) );
…
…
42
45
$value = $user->get( $atts\['key'\] );
43
46
}
47
44
48
}
45
49
profile-builder/trunk/features/email-customizer/email-customizer.php
r2862446
r2864329
169
169
function wppb\_email\_customizer\_password\_reset\_content\_filter\_handler( $default\_string, $user\_id, $user\_login, $user\_email ) {
170
170
$email\_customizer\_option = get\_option( 'wppb\_user\_emailc\_reset\_email\_content', 'not\_found' );
171
$key = wppb\_retrieve\_activation\_key( $user\_login );
172
$url = add\_query\_arg( array( 'key' => $key ), wppb\_curpageurl() );
171
$user = new WP\_User( $user\_id );
172
$key = get\_password\_reset\_key( $user );
173
$url = add\_query\_arg( array( 'key' => $key, 'login' => $user->user\_login ), wppb\_curpageurl() );
173
174
174
175
if( $email\_customizer\_option != 'not\_found' ) {
profile-builder/trunk/front-end/recover.php
r2801035
r2864329
24
24
}
25
25
26
/\*\*
27
\* Function that retrieves the unique user key from the database. If we don't have one we generate one and add it to the database
28
\*
29
\* @param string $requested\_user\_login the user login
30
\*
31
\*/
32
function wppb\_retrieve\_activation\_key( $requested\_user\_login ){
33
global $wpdb;
34
35
$key = $wpdb->get\_var( $wpdb->prepare( "SELECT user\_activation\_key FROM $wpdb->users WHERE user\_login = %s", $requested\_user\_login ) );
36
37
if ( empty( $key ) ) {
38
39
// Generate something random for a key...
40
$key = wp\_generate\_password( 20, false );
41
do\_action('wppb\_retrieve\_password\_key', $requested\_user\_login, $key);
42
43
// Now insert the new md5 key into the db
44
$wpdb->update($wpdb->users, array('user\_activation\_key' => $key), array('user\_login' => $requested\_user\_login));
45
}
46
47
return $key;
48
}
49
26
50
27
/\*\*
…
…
95
72
<input name="action2" type="hidden" id="action2" value="recover\_password2" />
96
73
<input name="key" type="hidden" id="key" value="<?php echo esc\_attr( isset( $\_GET\['key'\] ) ? sanitize\_text\_field( $\_GET\['key'\] ) : '' ) ?>" />
74
<input name="login" type="hidden" id="login" value="<?php echo esc\_attr( isset( $\_GET\['login'\] ) ? sanitize\_text\_field( $\_GET\['login'\] ) : '' ) ?>" />
97
75
</p><!-- .form-submit -->
98
76
<?php wp\_nonce\_field( 'verify\_true\_password\_recovery2\_'.$user->ID, 'password\_recovery\_nonce\_field2' ); ?>
…
…
172
150
return false;
173
151
174
$requested\_user\_id = $user->ID;
175
$requested\_user\_login = $user->user\_login;
176
$requested\_user\_email = $user->user\_email;
152
$user\_object = new WP\_User( $user->ID );
153
154
if( empty( $user\_object->ID ) )
155
return false;
156
157
$requested\_user\_id = $user\_object->ID;
158
$requested\_user\_login = $user\_object->user\_login;
159
$requested\_user\_email = $user\_object->user\_email;
177
160
178
161
//search if there is already an activation key present, if not create one
179
$key = wppb\_retrieve\_activation\_key( $requested\_user\_login );
162
$key = get\_password\_reset\_key( $user\_object );
180
163
181
164
$display\_username\_email = wppb\_get\_email\_display\_username($user);
182
165
183
166
//send primary email message
184
$recovery\_email\_message = sprintf( \_\_('Someone requested that the password be reset for the following account: <b>%1$s</b><br/>If this was a mistake, just ignore this email and nothing will happen.<br/>To reset your password, visit the following link:%2$s', 'profile-builder'), $display\_username\_email, '<a href="'.esc\_url( add\_query\_arg( array( 'key' => $key ), wppb\_curpageurl() ) ).'">'.esc\_url( add\_query\_arg( array( 'key' => $key ), wppb\_curpageurl() ) ).'</a>' );
167
$recovery\_email\_message = sprintf( \_\_('Someone requested that the password be reset for the following account: <b>%1$s</b><br/>If this was a mistake, just ignore this email and nothing will happen.<br/>To reset your password, visit the following link:%2$s', 'profile-builder'), $display\_username\_email, '<a href="'.esc\_url( add\_query\_arg( array( 'key' => $key, 'login' => $requested\_user\_login ), wppb\_curpageurl() ) ).'">'.esc\_url( add\_query\_arg( array( 'key' => $key, 'login' => $requested\_user\_login ), wppb\_curpageurl() ) ).'</a>' );
185
168
$recovery\_email\_message = apply\_filters( 'wppb\_recover\_password\_message\_content\_sent\_to\_user1', $recovery\_email\_message, $requested\_user\_id, $requested\_user\_login, $requested\_user\_email );
186
169
…
…
367
350
}
368
351
369
$user\_object = $wpdb->get\_row( $wpdb->prepare( "SELECT \* FROM $wpdb->users WHERE user\_activation\_key = %s", $key ) );
370
if( empty( $user\_object ) || ( !empty( $user\_object ) && $user\_object->ID === absint( $\_POST\['userData'\] ) ) ){
352
if( isset( $\_POST\['login'\] ) )
353
$login = sanitize\_text\_field( $\_POST\['login'\] );
354
else
355
$login = '';
356
357
if( empty( $login ) ){
358
$password\_change\_message = \_\_('Login cannot be empty!', 'profile-builder');
359
$output .= wppb\_password\_recovery\_error( $password\_change\_message, 'wppb\_recover\_password\_password\_changed\_message2' );
360
}
361
362
$user = check\_password\_reset\_key( $key, $login );
363
364
if( is\_wp\_error( $user ) || empty( $user ) || ( !empty( $user ) && $user->ID != absint( $\_POST\['userData'\] ) ) ){
371
365
$password\_change\_message = \_\_('Invalid key!', 'profile-builder');
372
366
$output .= wppb\_password\_recovery\_error( $password\_change\_message, 'wppb\_recover\_password\_password\_changed\_message2' );
…
…
395
389
$password\_changed\_success = true;
396
390
397
398
399
$userID = absint( $\_POST\['userData'\] );
391
$userID = $user->ID;
400
392
$new\_pass = $\_POST\['passw1'\]; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
401
393
…
…
454
446
455
447
//this is the part that shows the forms
456
if( isset( $\_GET\['key'\] ) ){
457
458
$key = sanitize\_text\_field( $\_GET\['key'\] );
459
460
if( !empty( $key ) && !$password\_changed\_success ) {
461
462
//get the login name and key and verify if they match the ones in the database
463
$user = $wpdb->get\_row( $wpdb->prepare( "SELECT \* FROM $wpdb->users WHERE user\_activation\_key = %s", $key ) );
464
465
if( !empty( $user ) ) {
448
if( isset( $\_GET\['key'\] ) && isset( $\_GET\['login'\] ) ){
449
450
$key = sanitize\_text\_field( $\_GET\['key'\] );
451
$login = sanitize\_text\_field( $\_GET\['login'\] );
452
453
if( !empty( $key ) && !empty( $login ) && !$password\_changed\_success ) {
454
455
$user = check\_password\_reset\_key( $key, $login );
456
457
if( !is\_wp\_error( $user ) ){
458
466
459
ob\_start();
467
wppb\_create\_recover\_password\_form($user, $\_POST);
468
$output .= ob\_get\_contents();
460
wppb\_create\_recover\_password\_form( $user, $\_POST );
461
$output .= ob\_get\_contents();
469
462
ob\_end\_clean();
470
}
471
else {
463
464
} else {
472
465
$output .= wppb\_password\_recovery\_error('<b>' . \_\_('ERROR:', 'profile-builder') . '</b>' . \_\_('Invalid key!', 'profile-builder'), 'wppb\_recover\_password\_invalid\_key\_message');
473
466
}
profile-builder/trunk/index.php
r2862446
r2864329
4
4
\* Plugin URI: https://www.cozmoslabs.com/wordpress-profile-builder/
5
5
\* Description: Login, registration and edit profile shortcodes for the front-end. Also you can choose what fields should be displayed or add new (custom) ones both in the front-end and in the dashboard.
6
\* Version: 3.9.0
6
\* Version: 3.9.1
7
7
\* Author: Cozmoslabs
8
8
\* Author URI: https://www.cozmoslabs.com/
…
…
10
10
\* Domain Path: /translation
11
11
\* License: GPL2
12
\* Elementor tested up to: 3.10.2
13
\* Elementor Pro tested up to: 3.10.2
12
\* Elementor tested up to: 3.11.0
13
\* Elementor Pro tested up to: 3.11.0
14
14
\*
15
15
\* == Copyright ==
…
…
397
397
\*
398
398
\*/
399
define('PROFILE\_BUILDER\_VERSION', '3.9.0' );
399
define('PROFILE\_BUILDER\_VERSION', '3.9.1' );
400
400
define('WPPB\_PLUGIN\_DIR', plugin\_dir\_path(\_\_FILE\_\_));
401
401
define('WPPB\_PLUGIN\_URL', plugin\_dir\_url(\_\_FILE\_\_));
profile-builder/trunk/readme.txt
r2862446
r2864329
5
5
Requires at least: 3.1
6
6
Tested up to: 6.1
7
Stable tag: 3.9.0
7
Stable tag: 3.9.1
8
8
License: GPLv2 or later
9
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
178
178
179
179
\== Changelog ==
180
\= 3.9.1 =
181
\* Fix: Improve security for password reset functionality. Thanks to Istvan Marton (Lana Codes)
182
\* Fix: Disallow retrieval of certain user keys through the optional usermeta shortcode. Thanks to Istvan Marton (Lana Codes)
183
180
184
\= 3.9.0 =
181
185
\* Fix: Issue with the Email From filter
profile-builder/trunk/translation/profile-builder.catalog.php
r2836042
r2864329
903
903
<?php \_\_("The password must not be empty!", "profile-builder"); ?>
904
904
<?php \_\_("The key cannot be empty!", "profile-builder"); ?>
905
<?php \_\_("Login cannot be empty!", "profile-builder"); ?>
905
906
<?php \_\_("Invalid key!", "profile-builder"); ?>
906
907
<?php \_\_("The entered passwords don't match!", "profile-builder"); ?>
profile-builder/trunk/translation/profile-builder.pot
r2861357
r2864329
850
850
msgstr ""
851
851
852
#: admin/general-settings.php:314, front-end/login.php:540, front-end/recover.php:118, add-ons/email-customizer/email-customizer.php:29, add-ons/user-listing/userlisting.php:119, add-ons/user-listing/userlisting.php:891, add-ons/user-listing/userlisting.php:2568, features/admin-approval/class-admin-approval.php:177, features/email-confirmation/class-email-confirmation.php:169, features/email-customizer/email-customizer.php:29, add-ons-free/gdpr-communication-preferences/admin/manage-fields.php:24, add-ons-free/gdpr-communication-preferences/front-end/gdpr-communication-preferences.php:9, admin/advanced-settings/includes/shortcodes/resend-activation.php:9
852
#: admin/general-settings.php:314, front-end/login.php:540, front-end/recover.php:96, add-ons/email-customizer/email-customizer.php:29, add-ons/user-listing/userlisting.php:119, add-ons/user-listing/userlisting.php:891, add-ons/user-listing/userlisting.php:2568, features/admin-approval/class-admin-approval.php:177, features/email-confirmation/class-email-confirmation.php:169, features/email-customizer/email-customizer.php:29, add-ons-free/gdpr-communication-preferences/admin/manage-fields.php:24, add-ons-free/gdpr-communication-preferences/front-end/gdpr-communication-preferences.php:9, admin/advanced-settings/includes/shortcodes/resend-activation.php:9
853
853
msgid "Email"
854
854
msgstr ""
…
…
1442
1442
msgstr ""
1443
1443
1444
#: admin/manage-fields.php:398, front-end/login.php:121, front-end/recover.php:72, add-ons/email-customizer/email-customizer.php:30, features/email-customizer/email-customizer.php:30
1444
#: admin/manage-fields.php:398, front-end/login.php:121, front-end/recover.php:49, add-ons/email-customizer/email-customizer.php:30, features/email-customizer/email-customizer.php:30
1445
1445
msgid "Password"
1446
1446
msgstr ""
…
…
1450
1450
msgstr ""
1451
1451
1452
#: admin/manage-fields.php:399, front-end/recover.php:73
1452
#: admin/manage-fields.php:399, front-end/recover.php:50
1453
1453
msgid "Repeat Password"
1454
1454
msgstr ""
…
…
3366
3366
msgstr ""
3367
3367
3368
#: features/functions.php:821, front-end/recover.php:386, front-end/default-fields/password/password.php:59
3368
#: features/functions.php:821, front-end/recover.php:380, front-end/default-fields/password/password.php:59
3369
3369
msgid "The password must have a minimum strength of %s"
3370
3370
msgstr ""
…
…
3539
3539
msgstr ""
3540
3540
3541
#: front-end/login.php:322, front-end/login.php:414, front-end/login.php:452, front-end/recover.php:18, front-end/recover.php:326, features/two-factor-authentication/class-two-factor-authentication.php:577, front-end/default-fields/fields-functions.php:62, front-end/extra-fields/extra-fields.php:118
3541
#: front-end/login.php:322, front-end/login.php:414, front-end/login.php:452, front-end/recover.php:18, front-end/recover.php:309, features/two-factor-authentication/class-two-factor-authentication.php:577, front-end/default-fields/fields-functions.php:62, front-end/extra-fields/extra-fields.php:118
3542
3542
msgid "ERROR"
3543
3543
msgstr ""
…
…
3603
3603
msgstr ""
3604
3604
3605
#: front-end/login.php:550, front-end/recover.php:122
3605
#: front-end/login.php:550, front-end/recover.php:100
3606
3606
msgid "Username or Email"
3607
3607
msgstr ""
…
…
3615
3615
msgstr ""
3616
3616
3617
#: front-end/recover.php:93
3617
#: front-end/recover.php:70
3618
3618
msgid "Reset Password"
3619
3619
msgstr ""
3620
3620
3621
#: front-end/recover.php:121
3621
#: front-end/recover.php:99
3622
3622
msgid "Please enter your username or email address."
3623
3623
msgstr ""
3624
3624
3625
#: front-end/recover.php:117
3625
#: front-end/recover.php:95
3626
3626
msgid "Please enter your email address."
3627
3627
msgstr ""
3628
3628
3629
#: front-end/recover.php:125
3629
#: front-end/recover.php:103
3630
3630
msgid "You will receive a link to create a new password via email."
3631
3631
msgstr ""
3632
3632
3633
#: front-end/recover.php:138
3633
#: front-end/recover.php:116
3634
3634
msgid "Get New Password"
3635
3635
msgstr ""
3636
3636
3637
#: front-end/recover.php:184
3637
#: front-end/recover.php:167
3638
3638
msgid "Someone requested that the password be reset for the following account: <b>%1$s</b><br/>If this was a mistake, just ignore this email and nothing will happen.<br/>To reset your password, visit the following link:%2$s"
3639
3639
msgstr ""
3640
3640
3641
#: front-end/recover.php:187
3641
#: front-end/recover.php:170
3642
3642
msgid "Password Reset from %1$s"
3643
3643
msgstr ""
3644
3644
3645
#: front-end/recover.php:214
3645
#: front-end/recover.php:197
3646
3646
msgid "You have successfully reset your password."
3647
3647
msgstr ""
3648
3648
3649
#: front-end/recover.php:216
3649
#: front-end/recover.php:199
3650
3650
msgid "Password Successfully Reset for %1$s on %2$s"
3651
3651
msgstr ""
3652
3652
3653
#: front-end/recover.php:234
3653
#: front-end/recover.php:217
3654
3654
msgid "%1$s has requested a password change via the password reset feature.<br/>His/her new password is:%2$s"
3655
3655
msgstr ""
3656
3656
3657
#: front-end/recover.php:271
3657
#: front-end/recover.php:254
3658
3658
msgid "You are already logged in. You can change your password on the edit profile form."
3659
3659
msgstr ""
3660
3660
3661
#: front-end/recover.php:446
3661
#: front-end/recover.php:438
3662
3662
msgid "The password must not be empty!"
3663
3663
msgstr ""
3664
3664
3665
#: front-end/recover.php:365
3665
#: front-end/recover.php:348
3666
3666
msgid "The key cannot be empty!"
3667
3667
msgstr ""
3668
3668
3669
#: front-end/recover.php:371, front-end/recover.php:472
3669
#: front-end/recover.php:358
3670
msgid "Login cannot be empty!"
3671
msgstr ""
3672
3673
#: front-end/recover.php:365, front-end/recover.php:465
3670
3674
msgid "Invalid key!"
3671
3675
msgstr ""
3672
3676
3673
#: front-end/recover.php:376
3677
#: front-end/recover.php:370
3674
3678
msgid "The entered passwords don't match!"
3675
3679
msgstr ""
3676
3680
3677
#: front-end/recover.php:382, front-end/default-fields/password/password.php:55
3681
#: front-end/recover.php:376, front-end/default-fields/password/password.php:55
3678
3682
msgid "The password must have the minimum length of %s characters"
3679
3683
msgstr ""
3680
3684
3681
#: front-end/recover.php:393
3685
#: front-end/recover.php:387
3682
3686
msgid "Your password has been successfully changed!"
3683
3687
msgstr ""
3684
3688
3685
#: front-end/recover.php:299
3689
#: front-end/recover.php:282
3686
3690
msgid "The username entered wasn't found in the database!"
3687
3691
msgstr ""
3688
3692
3689
#: front-end/recover.php:299
3693
#: front-end/recover.php:282
3690
3694
msgid "Please check that you entered the correct username."
3691
3695
msgstr ""
3692
3696
3693
#: front-end/recover.php:342
3697
#: front-end/recover.php:325
3694
3698
msgid "The email address entered wasn't found in the database!"
3695
3699
msgstr ""
3696
3700
3697
#: front-end/recover.php:342
3701
#: front-end/recover.php:325
3698
3702
msgid "Please check that you entered the correct email address."
3699
3703
msgstr ""
3700
3704
3701
#: front-end/recover.php:312
3705
#: front-end/recover.php:295
3702
3706
msgid "Check your email for the confirmation link."
3703
3707
msgstr ""
3704
3708
3705
#: front-end/recover.php:326
3709
#: front-end/recover.php:309
3706
3710
msgid "There was an error while trying to send the activation link to %1$s!"
3707
3711
msgstr ""
3708
3712
3709
#: front-end/recover.php:472
3713
#: front-end/recover.php:465
3710
3714
msgid "ERROR:"
3711
3715
msgstr ""
…
…
4112
4116
msgstr ""
4113
4117
4114
#: add-ons/email-customizer/email-customizer.php:601, features/email-customizer/email-customizer.php:578
4118
#: add-ons/email-customizer/email-customizer.php:602, features/email-customizer/email-customizer.php:579
4115
4119
msgid "The users selected password at signup"
4116
4120
msgstr ""
4117
4121
4118
#: add-ons/email-customizer/email-customizer.php:609, add-ons/email-customizer/email-customizer.php:616, add-ons/email-customizer/email-customizer.php:630, features/email-confirmation/email-confirmation.php:618, features/email-customizer/email-customizer.php:586, features/email-customizer/email-customizer.php:593, features/email-customizer/email-customizer.php:607
4122
#: add-ons/email-customizer/email-customizer.php:610, add-ons/email-customizer/email-customizer.php:617, add-ons/email-customizer/email-customizer.php:631, features/email-confirmation/email-confirmation.php:618, features/email-customizer/email-customizer.php:587, features/email-customizer/email-customizer.php:594, features/email-customizer/email-customizer.php:608
4119
4123
msgid "Your selected password at signup"
4120
4124
msgstr ""