Headline
CVE-2021-25062: Changeset 2643807 – WordPress Plugin Repository
The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
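--- a/woo-orders-tracking/trunk/CHANGELOG.txt
+++ b/woo-orders-tracking/trunk/CHANGELOG.txt
@@ -1,2 +1,5 @@
+/**v1.1.10 - 2021.12.14**/
+- Fixed: Patched XSS vulnerability
+
 /**v1.1.9 - 2021.11.17**/
 - Fixed: Tracking URL of Fedex and Portugal Post - CTT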
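--- a/woo-orders-tracking/trunk/assets/js/admin-custom-control.js
+++ b/woo-orders-tracking/trunk/assets/js/admin-custom-control.js
@@ -3,5 +3,5 @@
 //set icon
 $('.customize-control.customize-control-vi_wot_shipment_icon .vi_wot_radio_button_img').buttonset();
-$('.customize-control.customize-control-vi_wot_shipment_icon .vi_wot_radio_button_img input:radio').change(function () {
+$('.customize-control.customize-control-vi_wot_shipment_icon .vi_wot_radio_button_img input:radio').on('change',function () {
 var setting = $(this).attr('data-customize-setting-link');
 var image = $(this).val();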
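Review bot: Line 5 rebinds the handler as `.on('change',function () {` with no space after the comma, while every other rebinding in this changeset (admin-edit-order.js, admin-export.js, admin-setting.js) is written `.on('change', function () {`; `$('.customize-control.customize-control-vi_wot_shipment_icon .vi_wot_radio_button_img input:radio').on('change', function () {` keeps the files consistent. The handler body continues outside the hunk.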
woo-orders-tracking/trunk/assets/js/admin-edit-order.js
r2631178
r2643807
73
73
global\_tracking\_number = data\['tracking\_code'\];
74
74
if (data\['tracking\_url'\]) {
75
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').change();
75
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').trigger('change');
76
76
if (data\['carrier\_id'\]) {
77
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(data\['carrier\_id'\]).change();
77
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(data\['carrier\_id'\]).trigger('change');
78
78
} else {
79
79
if (vi\_wot\_edit\_order.shipping\_carrier\_default && data\['tracking\_url'\].indexOf(data\['tracking\_code'\]) !== -1) {
…
…
82
82
pattern = pattern.split('{tracking\_number}', 1)\[0\];
83
83
if (pattern === pattern\_url\_check) {
84
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(vi\_wot\_edit\_order.shipping\_carrier\_default).change();
84
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(vi\_wot\_edit\_order.shipping\_carrier\_default).trigger('change');
85
85
} else {
86
$('.woo-orders-tracking-edit-tracking-carrier').val('other').change();
86
$('.woo-orders-tracking-edit-tracking-carrier').val('other').trigger('change');
87
87
}
88
88
} else {
89
$('.woo-orders-tracking-edit-tracking-carrier').val('other').change();
90
$('.woo-orders-tracking-edit-tracking-other-carrier-name').val(data\['carrier\_name'\]).change();
89
$('.woo-orders-tracking-edit-tracking-carrier').val('other').trigger('change');
90
$('.woo-orders-tracking-edit-tracking-other-carrier-name').val(data\['carrier\_name'\]).trigger('change');
91
91
}
92
92
}
…
…
96
96
} else {
97
97
if (data\['tracking\_code'\]) {
98
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').change();
98
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').trigger('change');
99
99
if (data\['carrier\_id'\]) {
100
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(data\['carrier\_id'\]).change();
100
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(data\['carrier\_id'\]).trigger('change');
101
101
}
102
102
} else {
103
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').change();
103
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').trigger('change');
104
104
if (vi\_wot\_edit\_order.shipping\_carrier\_default) {
105
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(vi\_wot\_edit\_order.shipping\_carrier\_default).change();
105
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(vi\_wot\_edit\_order.shipping\_carrier\_default).trigger('change');
106
106
}
107
107
}
…
…
113
113
});
114
114
});
115
$('#woo-orders-tracking-edit-tracking-other-carrier-url').keyup(function () {
115
$('#woo-orders-tracking-edit-tracking-other-carrier-url').on('keyup', function () {
116
116
let carrier\_url = $(this).val();
117
117
if (carrier\_url.indexOf('{tracking\_number}') === -1) {
…
…
128
128
vi\_wotg\_edit\_tracking\_show();
129
129
130
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').change();
131
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(vi\_wot\_edit\_order.shipping\_carrier\_default).change();
130
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').trigger('change');
131
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(vi\_wot\_edit\_order.shipping\_carrier\_default).trigger('change');
132
132
let data = $(this).data();
133
133
$('.woo-orders-tracking-edit-tracking-save-all-item').attr({'data-order\_id': data\['order\_id'\]});
…
…
176
176
break;
177
177
default:
178
$(this).val('other').change();
178
$(this).val('other').trigger('change');
179
179
}
180
180
});
…
…
342
342
success: function (response) {
343
343
if (response.hasOwnProperty('change\_order\_status') && response.change\_order\_status) {
344
$('body').find('#order\_status').val(response.change\_order\_status).change();
344
$('body').find('#order\_status').val(response.change\_order\_status).trigger('change');
345
345
}
346
346
if (response.status === 'error') {
…
…
404
404
success: function (response) {
405
405
if (response.hasOwnProperty('change\_order\_status') && response.change\_order\_status) {
406
$('body').find('#order\_status').val(response.change\_order\_status).change();
406
$('body').find('#order\_status').val(response.change\_order\_status).trigger('change');
407
407
}
408
408
if (response.tracking\_service\_status === 'error') {
…
…
471
471
472
472
function vi\_wotg\_edit\_tracking\_hide() {
473
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').change();
473
$('.woo-orders-tracking-edit-tracking-carrier').val('shipping-carriers').trigger('change');
474
474
$('.woo-orders-tracking-button-edit').removeClass('woo-orders-tracking-button-editing');
475
475
$('.woo-orders-tracking-edit-tracking-button-save').removeAttr('class').attr('class', ' button button-primary woo-orders-tracking-edit-tracking-button-save');
…
…
511
511
512
512
$('.woo-orders-tracking-edit-tracking-shipping-carrier').html(html);
513
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(shipping\_carrier\_default).change();
513
$('.woo-orders-tracking-edit-tracking-shipping-carrier').val(shipping\_carrier\_default).trigger('change');
514
514
515
515
$('.woo-orders-tracking-edit-tracking-shipping-carrier').select2({
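Review bot: The handler rebound on line 115 as `$('#woo-orders-tracking-edit-tracking-other-carrier-url').on('keyup', function () {` still misses input that arrives without a key event — a paste from the context menu, drag-and-drop, or browser autofill — so the `{tracking_number}` check on line 117 can be skipped and whatever error state it maintains is left stale; binding `.on('input', function () {` covers all of those cases. The same applies to the `keyup` handlers in admin-export.js (line 170) and admin-setting.js (lines 246 and 257). The handler body continues outside the hunk. Elsewhere in this section the `.change()` → `.trigger('change')` migration is behaviour-preserving and needs no further change.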
woo-orders-tracking/trunk/assets/js/admin-export.js
r2631178
r2643807
8
8
placeholder: 'wot-place-holder',
9
9
});
10
$('.vi-ui.dropdown').dropdown({fullTextSearch: true,forceSelection:false});
10
$('.vi-ui.dropdown').dropdown({fullTextSearch: true, forceSelection: false});
11
11
$('.woo-orders-tracking-export-datepicker').datepicker({dateFormat: 'yy-mm-dd'});
12
12
$('#woo-orders-tracking-export-filename').on('change', function () {
…
…
19
19
$(document).on('click', '.woo-orders-tracking-export-order-button-reset-settings', function () {
20
20
$('#woo-orders-tracking-export-filename').val('orders-%y-%m-%d\_%h-%i-%s.csv');
21
$('#woo-orders-tracking-export-filter-order-date').val('date\_created').change();
21
$('#woo-orders-tracking-export-filter-order-date').val('date\_created').trigger('change');
22
22
$('#woo-orders-tracking-export-filter-order-date-range-from').val(null);
23
23
$('#woo-orders-tracking-export-filter-order-date-range-to').val(null);
24
$('#woo-orders-tracking-export-filter-order-status').val(null).change();
25
$('#woo-orders-tracking-export-filter-order-billing-address-data').val(null).change();
26
$('#woo-orders-tracking-export-filter-order-shipping-address-data').val(null).change();
27
$('#woo-orders-tracking-export-filter-order-payment-method').val(null).change();
28
$('#woo-orders-tracking-export-filter-order-shipping-method').val(null).change();
24
$('#woo-orders-tracking-export-filter-order-status').val(null).trigger('change');
25
$('#woo-orders-tracking-export-filter-order-billing-address-data').val(null).trigger('change');
26
$('#woo-orders-tracking-export-filter-order-shipping-address-data').val(null).trigger('change');
27
$('#woo-orders-tracking-export-filter-order-payment-method').val(null).trigger('change');
28
$('#woo-orders-tracking-export-filter-order-shipping-method').val(null).trigger('change');
29
29
});
30
30
…
…
40
40
$('.woo-orders-tracking-export-filter-order-billing-country-wrap').removeClass('woo-orders-tracking-export-show').addClass('woo-orders-tracking-export-hidden');
41
41
}
42
$('#woo-orders-tracking-export-filter-order-billing-address').change(function () {
42
$('#woo-orders-tracking-export-filter-order-billing-address').on('change', function () {
43
43
if ($('#woo-orders-tracking-export-filter-order-billing-address').val() === '\_billing\_country') {
44
44
…
…
59
59
$('.woo-orders-tracking-export-filter-order-billing-list').find('input.select2-search\_\_field').prop('readonly', 'readonly');
60
60
61
$('.woo-orders-tracking-export-filter-order-billing-addition').click(function () {
61
$('.woo-orders-tracking-export-filter-order-billing-addition').on('click', function () {
62
62
let billing\_address\_id = $('#woo-orders-tracking-export-filter-order-billing-address').val();
63
63
let $billing\_country\_id = $('#woo-orders-tracking-export-filter-order-billing-country');
…
…
90
90
billing\_address\_data.push(append\_id);
91
91
}
92
$('#woo-orders-tracking-export-filter-order-billing-address-data').val(billing\_address\_data).change();
92
$('#woo-orders-tracking-export-filter-order-billing-address-data').val(billing\_address\_data).trigger('change');
93
93
return false;
94
94
}
…
…
96
96
97
97
billing\_address\_data.push(append\_id);
98
$('#woo-orders-tracking-export-filter-order-billing-address-data').val(billing\_address\_data).change();
98
$('#woo-orders-tracking-export-filter-order-billing-address-data').val(billing\_address\_data).trigger('change');
99
99
});
100
100
…
…
110
110
$('.woo-orders-tracking-export-filter-order-shipping-country-wrap').removeClass('woo-orders-tracking-export-show').addClass('woo-orders-tracking-export-hidden');
111
111
}
112
$('#woo-orders-tracking-export-filter-order-shipping-address').change(function () {
112
$('#woo-orders-tracking-export-filter-order-shipping-address').on('change', function () {
113
113
if ($('#woo-orders-tracking-export-filter-order-shipping-address').val() === '\_shipping\_country') {
114
114
…
…
126
126
$('#woo-orders-tracking-export-filter-order-shipping-address-data').select2();
127
127
$('.woo-orders-tracking-export-filter-order-shipping-list').find('input.select2-search\_\_field').prop('readonly', 'readonly');
128
$('.woo-orders-tracking-export-filter-order-shipping-addition').click(function () {
128
$('.woo-orders-tracking-export-filter-order-shipping-addition').on('click', function () {
129
129
let shipping\_address\_id = $('#woo-orders-tracking-export-filter-order-shipping-address').val();
130
130
let $shipping\_country\_id = $('#woo-orders-tracking-export-filter-order-shipping-country');
…
…
158
158
shipping\_address\_data.push(append\_id);
159
159
}
160
$('#woo-orders-tracking-export-filter-order-shipping-address-data').val(shipping\_address\_data).change();
160
$('#woo-orders-tracking-export-filter-order-shipping-address-data').val(shipping\_address\_data).trigger('change');
161
161
return false;
162
162
}
…
…
164
164
165
165
shipping\_address\_data.push(append\_id);
166
$('#woo-orders-tracking-export-filter-order-shipping-address-data').val(shipping\_address\_data).change();
166
$('#woo-orders-tracking-export-filter-order-shipping-address-data').val(shipping\_address\_data).trigger('change');
167
167
});
168
168
169
169
//set file name
170
$('#woo-orders-tracking-export-filename').keyup(function () {
170
$('#woo-orders-tracking-export-filename').on('keyup', function () {
171
171
let text = $(this).val().replace(/(\\\\|\]|{|}|\\/|\\\*|\\<|\\>)/g, '');
172
172
setTimeout(function () {
…
…
175
175
});
176
176
//set date range to export
177
$('#woo-orders-tracking-export-filter-order-date-range-to').change(function () {
177
$('#woo-orders-tracking-export-filter-order-date-range-to').on('change', function () {
178
178
if ($('#woo-orders-tracking-export-filter-order-date-range-from').val()) {
179
179
let date\_from = new Date($('#woo-orders-tracking-export-filter-order-date-range-from').val());
…
…
185
185
}
186
186
});
187
$('#woo-orders-tracking-export-filter-order-date-range-from').change(function () {
187
$('#woo-orders-tracking-export-filter-order-date-range-from').on('change', function () {
188
188
let date\_from = new Date($(this).val());
189
189
let date\_now = new Date($.now());
…
…
202
202
export preview
203
203
\*/
204
$('.woo-orders-tracking-export-order-button-preview').click(function () {
204
$('.woo-orders-tracking-export-order-button-preview').on('click', function () {
205
205
let export\_settings = JSON.stringify($('#vi\_wot\_export').serializeJSON());
206
206
let data = {
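Review bot: The character stripping on line 171 (`$(this).val().replace(/(\\|]|{|}|\/|\*|<|>)/g, '')`) runs only in the browser and only from the `keyup` handler rebound on line 170, so a pasted, autofilled or scripted filename reaches the server unstripped; the server-side export code that consumes `#woo-orders-tracking-export-filename` is not in this changeset and presumably expands the `%y-%m-%d` placeholders seen on line 20 — confirm that it also passes the result through `sanitize_file_name()` or an equivalent before writing or serving the file. A comment on line 171 such as `// cosmetic only: the server must sanitise the filename independently` would make that contract explicit. The `setTimeout` body on line 172 continues outside the hunk.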
woo-orders-tracking/trunk/assets/js/admin-setting.js
r2631178
r2643807
1
'use strict';
2
1
jQuery(document).ready(function ($) {
3
console.log(vi\_wot\_admin\_settings)
2
'use strict';
4
3
let type\_carrier,
5
4
shipping\_country\_carrier;
6
5
/\*\*/
7
$('.woo-orders-tracking-setting-service-carrier-type').on('change',function () {
8
let $api\=$('.woo-orders-tracking-tracking-service-api');
9
if($(this).val()==='cainiao'){
6
$('.woo-orders-tracking-setting-service-carrier-type').on('change', function () {
7
let $api = $('.woo-orders-tracking-tracking-service-api');
8
if ($(this).val() === 'cainiao') {
10
9
$api.addClass('woo-orders-tracking-hidden');
11
}else{
10
} else {
12
11
$api.removeClass('woo-orders-tracking-hidden');
13
12
}
…
…
21
20
});
22
21
$('.vi-ui.vi-ui-shipment.menu .item').vi\_tab();
23
/\*Setup tab\*/
24
let tabs,
25
tabEvent = false,
26
initialTab = 'shipping\_carriers',
27
navSelector = '.vi-ui.vi-ui-main.menu',
28
panelSelector = '.vi-ui.vi-ui-main.tab',
29
navSelectorSecond = '.vi-ui.vi-ui-shipment.menu',
30
panelFilter = function () {
31
$(panelSelector + ' a').filter(function () {
32
return $(navSelector + ' a\[title=' + $(this).attr('title') + '\]').size() != 0;
33
});
34
};
35
// Initializes plugin features
36
$.address.strict(false).wrap(true);
37
38
if ($.address.value() == '') {
39
$.address.history(false).value(initialTab).history(true);
40
}
41
// Address handler
42
$.address.init(function (event) {
43
44
// Adds the ID in a lazy manner to prevent scrolling
45
$(panelSelector).attr('id', initialTab);
46
47
panelFilter();
48
49
// Tabs setup
50
tabs = $('.vi-ui.vi-ui-main.menu')
51
.vi\_tab({
52
history: true,
53
historyType: 'hash'
54
});
55
56
// Enables the plugin for all the tabs
57
$(navSelector + ' a').click(function (event) {
58
if ($(this).attr('data-tab') === 'design') {
59
window.open($(this).attr('data-href'), '\_blank');
60
}
61
tabEvent = true;
62
63
tabEvent = false;
64
return true;
65
});
66
$(navSelectorSecond + ' a').click(function (event) {
67
$(navSelectorSecond + ' a').removeClass('header');
68
$(this).addClass('header');
69
return true;
70
});
71
72
});
73
74
22
$('.vi-ui.dropdown').dropdown();
75
23
$('.vi-ui.checkbox').checkbox();
…
…
223
171
$(document).on('click', '.woo-orders-tracking-overlay , .add-new-shipping-carrier-html-content-close, .add-new-shipping-carrier-html-btn-cancel ,.edit-shipping-carrier-html-content-close, .edit-shipping-carrier-html-btn-cancel', function () {
224
172
if ($(this).closest('.woo-orders-tracking-footer-container').hasClass('add-new-shipping-carrier-html-container')) {
225
$('#woo-orders-tracking-setting-shipping-carriers-filter-type').val('all').change();
173
$('#woo-orders-tracking-setting-shipping-carriers-filter-type').val('all').trigger('change');
226
174
}
227
175
$('.woo-orders-tracking-footer-container').addClass('woo-orders-tracking-hidden');
…
…
239
187
shipping\_country: $('#add-new-shipping-carrier-html-content-body-country').val(),
240
188
tracking\_url: $('#add-new-shipping-carrier-html-content-body-carrier-url').val(),
241
digital\_delivery : $('.add-new-shipping-carrier-is-digital-delivery').prop('checked') ? 1 : 0
189
digital\_delivery: $('.add-new-shipping-carrier-is-digital-delivery').prop('checked') ? 1 : 0
242
190
};
243
191
$.ajax({
…
…
296
244
}
297
245
});
298
$('#edit-shipping-carrier-html-content-body-carrier-url').keyup(function () {
246
$('#edit-shipping-carrier-html-content-body-carrier-url').on('keyup', function () {
299
247
let carrier\_url = $(this).val();
300
248
let $digital\_delivery = $('.edit-shipping-carrier-is-digital-delivery');
…
…
307
255
}
308
256
});
309
$('#add-new-shipping-carrier-html-content-body-carrier-url').keyup(function () {
257
$('#add-new-shipping-carrier-html-content-body-carrier-url').on('keyup', function () {
310
258
let carrier\_url = $(this).val();
311
259
let $digital\_delivery = $('.add-new-shipping-carrier-is-digital-delivery');
…
…
330
278
digital\_delivery = shipping\_carrier\_data\['digital\_delivery'\];
331
279
$('#edit-shipping-carrier-html-content-body-carrier-name').val(carrier\_name);
332
$('#edit-shipping-carrier-html-content-body-country').val(shipping\_country).change();
280
$('#edit-shipping-carrier-html-content-body-country').val(shipping\_country).trigger('change');
333
281
$('#edit-shipping-carrier-html-content-body-carrier-url').val(carrier\_url);
334
282
$('.edit-shipping-carrier-is-digital-delivery').prop('checked', digital\_delivery == 1);
…
…
341
289
});
342
290
$(this).closest('.woo-orders-tracking-setting-shipping-carriers-wrap').addClass('woo-orders-tracking-setting-shipping-carriers-wrap-editing');
343
if (carrier\_url.indexOf('{tracking\_number}') === -1&&digital\_delivery!=1) {
291
if (carrier\_url.indexOf('{tracking\_number}') === -1 && digital\_delivery != 1) {
344
292
$('.edit-shipping-carrier-html-container .wotv-error-tracking-url').removeClass('woo-orders-tracking-hidden');
345
293
} else {
…
…
487
435
$(this).closest('.wot-paypal-app-content').find('.woo-orders-tracking-setting-paypal-sandbox-wrap').addClass('woo-orders-tracking-hidden');
488
436
}
489
$(this).change(function () {
437
$(this).on('change', function () {
490
438
if ($(this).prop('checked')) {
491
439
$(this).parent().parent().find('.woo-orders-tracking-setting-paypal-sandbox-enable').val('1');
…
…
501
449
502
450
503
$('.wot-paypal-app-content-action-test-api').click(function () {
451
$('.wot-paypal-app-content-action-test-api').on('click', function () {
504
452
let data, div, parent, btnt\_test;
505
453
btnt\_test = $(this);
…
…
562
510
});
563
511
564
$('#woo-orders-tracking-setting-paypal-guide').click(function () {
512
$('#woo-orders-tracking-setting-paypal-guide').on('click', function () {
565
513
$('.woo-orders-tracking-setting-paypal-guide').click();
566
514
});
…
…
600
548
if (custom\_carrier === 'yes') {
601
549
let digital\_delivery = 0;
602
if (data.hasOwnProperty('digital\_delivery') && data.digital\_delivery\==1) {
550
if (data.hasOwnProperty('digital\_delivery') && data.digital\_delivery == 1) {
603
551
digital\_delivery = 1;
604
552
}
…
…
634
582
custom\_carriers\_list,
635
583
carrier;
636
shipping\_carriers\_define\_list = $.parseJSON(vi\_wot\_admin\_settings.shipping\_carriers\_define\_list);
637
custom\_carriers\_list = $.parseJSON(vi\_wot\_admin\_settings.custom\_carriers\_list);
584
shipping\_carriers\_define\_list = JSON.parse(vi\_wot\_admin\_settings.shipping\_carriers\_define\_list);
585
custom\_carriers\_list = JSON.parse(vi\_wot\_admin\_settings.custom\_carriers\_list);
638
586
carrier = shipping\_carriers\_define\_list.concat(custom\_carriers\_list);
639
587
let html = '';
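Review bot: The switch from `$.parseJSON` to `JSON.parse` on lines 584–585 means an empty or malformed `vi_wot_admin_settings.shipping_carriers_define_list` or `custom_carriers_list` now throws a SyntaxError inside the handler and aborts it (jQuery 1.x/2.x returned `null` for an empty string, jQuery 3 already throws, so whether this changes behaviour depends on the bundled jQuery — confirm). Because line 586 immediately calls `.concat` on the result, a guard such as `custom_carriers_list = vi_wot_admin_settings.custom_carriers_list ? JSON.parse(vi_wot_admin_settings.custom_carriers_list) : [];` (and the same for the define list) keeps the carrier list rendering when one localized value is absent. The enclosing function starts and ends outside the hunk. Separately, moving `'use strict'` from file scope (old line 1) to line 2 inside the `ready` callback is only equivalent if no code sits outside that callback — verify the file's tail.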
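--- a/woo-orders-tracking/trunk/assets/js/carrier-functions.js
+++ b/woo-orders-tracking/trunk/assets/js/carrier-functions.js
@@ -1,4 +1,4 @@
-'use strict';
 function wot_sort_carriers(data) {
+'use strict';
 let n = data.length;
 for (let i = 0; i < n - 1; i++) {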
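Review bot: Moving `'use strict'` from file scope (old line 1) into the body of `wot_sort_carriers` (line 2) narrows strict mode to that one function; any other function defined later in this file now runs in sloppy mode, where an assignment to an undeclared variable silently creates a global instead of throwing. If the move was meant to keep a concatenated admin bundle out of global strict mode, the usual fix is to wrap the whole file in an IIFE that carries the directive, `(function () { 'use strict'; … })();`, rather than repeating it per function. `wot_sort_carriers` continues outside the hunk.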
woo-orders-tracking/trunk/includes/admin/import_csv.php
r2631178
r2643807
50
50
wp\_die( esc\_html\_\_( 'No log file selected.', 'woo-orders-tracking' ) );
51
51
}
52
$file = urldecode( wp\_unslash( $\_GET\['vi\_wot\_file'\] ) );
52
$file = wp\_unslash( wc\_clean( urldecode( $\_GET\['vi\_wot\_file'\] ) ) );
53
53
if ( ! is\_file( $file ) ) {
54
54
wp\_die( esc\_html\_\_( 'Log file not found.', 'woo-orders-tracking' ) );
…
…
103
103
if ( $pagenow === 'admin.php' && $page === 'woo-orders-tracking-import-csv' ) {
104
104
$this->step = isset( $\_REQUEST\['step'\] ) ? sanitize\_text\_field( $\_REQUEST\['step'\] ) : '';
105
$this->file\_url = isset( $\_REQUEST\['file\_url'\] ) ? urldecode\_deep( wp\_unslash( $\_REQUEST\['file\_url'\] ) ) : '';
105
$this->file\_url = isset( $\_REQUEST\['file\_url'\] ) ? urldecode( wc\_clean( wp\_unslash( $\_REQUEST\['file\_url'\] ) ) ) : '';
106
106
if ( $this->step == 'mapping' ) {
107
107
if ( is\_file( $this->file\_url ) ) {
…
…
1453
1453
<div class="vi-ui segment">
1454
1454
<div class="vi-ui steps fluid">
1455
<div class="step <?php esc\_attr\_e( $steps\_state\['start'\] ) ?>">
1455
<div class="step <?php echo esc\_attr( $steps\_state\['start'\] ) ?>">
1456
1456
<i class="upload icon"></i>
1457
1457
<div class="content">
…
…
1459
1459
</div>
1460
1460
</div>
1461
<div class="step <?php esc\_attr\_e( $steps\_state\['mapping'\] ) ?>">
1461
<div class="step <?php echo esc\_attr( $steps\_state\['mapping'\] ) ?>">
1462
1462
<i class="exchange icon"></i>
1463
1463
<div class="content">
…
…
1465
1465
</div>
1466
1466
</div>
1467
<div class="step <?php esc\_attr\_e( $steps\_state\['import'\] ) ?>">
1468
<i class="refresh icon <?php esc\_attr\_e( self::set( 'import-icon' ) ) ?>"></i>
1467
<div class="step <?php echo esc\_attr( $steps\_state\['import'\] ) ?>">
1468
<i class="refresh icon <?php echo esc\_attr( self::set( 'import-icon' ) ) ?>"></i>
1469
1469
<div class="content">
1470
1470
<div class="title"><?php esc\_html\_e( 'Import', 'woo-orders-tracking' ); ?></div>
…
…
1474
1474
<?php
1475
1475
if ( isset( $\_REQUEST\['vi\_wot\_error'\] ) ) {
1476
$file\_url = isset( $\_REQUEST\['file\_url'\] ) ? urldecode( $\_REQUEST\['file\_url'\] ) : '';
1476
$file\_url = isset( $\_REQUEST\['file\_url'\] ) ? urldecode( wp\_unslash( wc\_clean( $\_REQUEST\['file\_url'\] ) ) ) : '';
1477
1477
?>
1478
1478
<div class="vi-ui negative message">
…
…
1485
1485
case 2:
1486
1486
if ( $file\_url ) {
1487
\_e( "Can not open file: <strong>{$file\_url}</strong>", 'woo-orders-tracking' );
1487
wp\_kses\_post( \_\_( "Can not open file: <strong>{$file\_url}</strong>", 'woo-orders-tracking' ) );
1488
1488
} else {
1489
1489
esc\_html\_e( 'Can not open file', 'woo-orders-tracking' );
…
…
1492
1492
default:
1493
1493
if ( $file\_url ) {
1494
\_e( "File not exists: <strong>{$file\_url}</strong>", 'woo-orders-tracking' );
1494
wp\_kses\_post( \_\_( "File not exists: <strong>{$file\_url}</strong>", 'woo-orders-tracking' ) );
1495
1495
} else {
1496
1496
esc\_html\_e( 'File not exists', 'woo-orders-tracking' );
…
…
1514
1514
case 'mapping':
1515
1515
?>
1516
<form class="<?php esc\_attr\_e( self::set( 'import-container-form' ) ) ?> vi-ui form"
1516
<form class="<?php echo esc\_attr( self::set( 'import-container-form' ) ) ?> vi-ui form"
1517
1517
method="post"
1518
1518
enctype="multipart/form-data"
…
…
1532
1532
<tr>
1533
1533
<th>
1534
<label for="<?php esc\_attr\_e( self::set( 'orders\_per\_request' ) ) ?>"><?php esc\_html\_e( 'Orders per step', 'woo-orders-tracking' ); ?></label>
1534
<label for="<?php echo esc\_attr( self::set( 'orders\_per\_request' ) ) ?>"><?php esc\_html\_e( 'Orders per step', 'woo-orders-tracking' ); ?></label>
1535
1535
</th>
1536
1536
<td>
1537
1537
<input type="number"
1538
class="<?php esc\_attr\_e( self::set( 'orders\_per\_request' ) ) ?>"
1539
id="<?php esc\_attr\_e( self::set( 'orders\_per\_request' ) ) ?>"
1540
name="<?php esc\_attr\_e( self::set( 'orders\_per\_request', true ) ) ?>"
1538
class="<?php echo esc\_attr( self::set( 'orders\_per\_request' ) ) ?>"
1539
id="<?php echo esc\_attr( self::set( 'orders\_per\_request' ) ) ?>"
1540
name="<?php echo esc\_attr( self::set( 'orders\_per\_request', true ) ) ?>"
1541
1541
min="1"
1542
value="<?php esc\_attr\_e( $this->settings->get\_params( 'orders\_per\_request' ) ) ?>">
1542
value="<?php echo esc\_attr( $this->settings->get\_params( 'orders\_per\_request' ) ) ?>">
1543
1543
</td>
1544
1544
</tr>
1545
1545
<tr>
1546
1546
<th>
1547
<label for="<?php esc\_attr\_e( self::set( 'custom\_start' ) ) ?>"><?php esc\_html\_e( 'Start line', 'woo-orders-tracking' ); ?></label>
1547
<label for="<?php echo esc\_attr( self::set( 'custom\_start' ) ) ?>"><?php esc\_html\_e( 'Start line', 'woo-orders-tracking' ); ?></label>
1548
1548
</th>
1549
1549
<td>
1550
1550
<input type="number"
1551
class="<?php esc\_attr\_e( self::set( 'custom\_start' ) ) ?>"
1552
id="<?php esc\_attr\_e( self::set( 'custom\_start' ) ) ?>"
1553
name="<?php esc\_attr\_e( self::set( 'custom\_start', true ) ) ?>"
1551
class="<?php echo esc\_attr( self::set( 'custom\_start' ) ) ?>"
1552
id="<?php echo esc\_attr( self::set( 'custom\_start' ) ) ?>"
1553
name="<?php echo esc\_attr( self::set( 'custom\_start', true ) ) ?>"
1554
1554
min="2"
1555
1555
value="2">
…
…
1559
1559
<tr>
1560
1560
<th>
1561
<label for="<?php esc\_attr\_e( self::set( 'setting-email-enable' ) ) ?>">
1561
<label for="<?php echo esc\_attr( self::set( 'setting-email-enable' ) ) ?>">
1562
1562
<?php
1563
1563
esc\_html\_e( 'Send email', 'woo-orders-tracking' );
…
…
1568
1568
<div class="vi-ui toggle checkbox">
1569
1569
<input type="checkbox"
1570
class="<?php esc\_attr\_e( self::set( 'email\_enable' ) ) ?>"
1571
id="<?php esc\_attr\_e( self::set( 'email\_enable' ) ) ?>"
1572
name="<?php esc\_attr\_e( self::set( 'email\_enable', true ) ) ?>"
1570
class="<?php echo esc\_attr( self::set( 'email\_enable' ) ) ?>"
1571
id="<?php echo esc\_attr( self::set( 'email\_enable' ) ) ?>"
1572
name="<?php echo esc\_attr( self::set( 'email\_enable', true ) ) ?>"
1573
1573
value="1" <?php checked( $this->settings->get\_params( 'email\_enable' ), '1' ) ?>>
1574
1574
<label></label>
…
…
1612
1612
<tr>
1613
1613
<th>
1614
<label for="<?php esc\_attr\_e( self::set( 'paypal\_enable' ) ) ?>">
1614
<label for="<?php echo esc\_attr( self::set( 'paypal\_enable' ) ) ?>">
1615
1615
<?php
1616
1616
esc\_html\_e( 'Add to PayPal', 'woo-orders-tracking' );
…
…
1635
1635
<tr>
1636
1636
<th>
1637
<label for="<?php esc\_attr\_e( self::set( 'paypal\_enable' ) ) ?>">
1637
<label for="<?php echo esc\_attr( self::set( 'paypal\_enable' ) ) ?>">
1638
1638
<?php
1639
1639
esc\_html\_e( 'Add to PayPal', 'woo-orders-tracking' );
…
…
1644
1644
<div class="vi-ui toggle checkbox">
1645
1645
<input type="checkbox"
1646
class="<?php esc\_attr\_e( self::set( 'paypal\_enable' ) ) ?>"
1647
id="<?php esc\_attr\_e( self::set( 'paypal\_enable' ) ) ?>"
1648
name="<?php esc\_attr\_e( self::set( 'paypal\_enable', true ) ) ?>"
1646
class="<?php echo esc\_attr( self::set( 'paypal\_enable' ) ) ?>"
1647
id="<?php echo esc\_attr( self::set( 'paypal\_enable' ) ) ?>"
1648
name="<?php echo esc\_attr( self::set( 'paypal\_enable', true ) ) ?>"
1649
1649
value="1" <?php checked( $this->settings->get\_params( 'paypal\_enable' ), '1' ) ?>>
1650
1650
<label></label>
…
…
1663
1663
<tr>
1664
1664
<th>
1665
<label for="<?php esc\_attr\_e( self::set( 'order\_status' ) ) ?>"><?php esc\_html\_e( 'Change order status', 'woo-orders-tracking' ) ?></label>
1665
<label for="<?php echo esc\_attr( self::set( 'order\_status' ) ) ?>"><?php esc\_html\_e( 'Change order status', 'woo-orders-tracking' ) ?></label>
1666
1666
</th>
1667
1667
<td>
1668
<select name="<?php esc\_attr\_e( self::set( 'order\_status', true ) ) ?>"
1669
id="<?php esc\_attr\_e( self::set( 'order\_status' ) ) ?>"
1668
<select name="<?php echo esc\_attr( self::set( 'order\_status', true ) ) ?>"
1669
id="<?php echo esc\_attr( self::set( 'order\_status' ) ) ?>"
1670
1670
class="vi-ui fluid dropdown">
1671
1671
<option value=""><?php esc\_html\_e( 'Not Change', 'woo-orders-tracking' ) ?></option>
…
…
1674
1674
foreach ( $all\_order\_statuses as $status\_id => $status\_name ) {
1675
1675
?>
1676
<option value="<?php esc\_attr\_e( $status\_id ) ?>" <?php selected( $this->settings->get\_params( 'order\_status' ), $status\_id ) ?> ><?php echo $status\_name ?></option>
1676
<option value="<?php echo esc\_attr( $status\_id ) ?>" <?php selected( $this->settings->get\_params( 'order\_status' ), $status\_id ) ?> ><?php echo $status\_name ?></option>
1677
1677
<?php
1678
1678
}
…
…
1716
1716
<tr>
1717
1717
<td>
1718
<select id="<?php esc\_attr\_e( self::set( $header\_k ) ) ?>"
1718
<select id="<?php echo esc\_attr( self::set( $header\_k ) ) ?>"
1719
1719
class="vi-ui fluid dropdown"
1720
1720
name="<?php echo self::set( 'map\_to', true ) ?>\[<?php echo $header\_k ?>\]">
…
…
1727
1727
}
1728
1728
?>
1729
<option value="<?php echo urlencode( $file\_header ) ?>"<?php esc\_attr\_e( $selected ) ?>><?php echo $file\_header ?></option>
1729
<option value="<?php echo urlencode( $file\_header ) ?>"<?php echo esc\_attr( $selected ) ?>><?php echo $file\_header ?></option>
1730
1730
<?php
1731
1731
}
…
…
1740
1740
}
1741
1741
?>
1742
<label for="<?php esc\_attr\_e( self::set( $header\_k ) ) ?>"><?php echo $label; ?></label>
1742
<label for="<?php echo esc\_attr( self::set( $header\_k ) ) ?>"><?php echo $label; ?></label>
1743
1743
</td>
1744
1744
</tr>
…
…
1761
1761
</div>
1762
1762
<input type="hidden" name="woo\_orders\_tracking\_file\_url"
1763
value="<?php esc\_attr\_e( $this->file\_url ) ?>">
1763
value="<?php echo esc\_attr( $this->file\_url ) ?>">
1764
1764
<p>
1765
1765
<input type="submit" name="woo\_orders\_tracking\_import"
1766
class="vi-ui primary button <?php esc\_attr\_e( self::set( 'import-continue' ) ) ?>"
1766
class="vi-ui primary button <?php echo esc\_attr( self::set( 'import-continue' ) ) ?>"
1767
1767
value="<?php esc\_attr\_e( 'Import', 'woo-orders-tracking' ); ?>">
1768
1768
</p>
…
…
1773
1773
?>
1774
1774
<div>
1775
<div class="vi-ui indicating progress standard <?php esc\_attr\_e( self::set( 'import-progress' ) ) ?>">
1775
<div class="vi-ui indicating progress standard <?php echo esc\_attr( self::set( 'import-progress' ) ) ?>">
1776
1776
<div class="label"><?php esc\_html\_e( 'Import tracking numbers', 'woo-orders-tracking' ) ?></div>
1777
1777
<div class="bar">
…
…
1780
1780
</div>
1781
1781
<div style="display: none;"
1782
class="vi-ui indicating progress standard <?php esc\_attr\_e( self::set( 'paypal-progress' ) ) ?>">
1782
class="vi-ui indicating progress standard <?php echo esc\_attr( self::set( 'paypal-progress' ) ) ?>">
1783
1783
<div class="label"><?php esc\_html\_e( 'Add tracking numbers to PayPal(for orders paid with PayPal Standard)', 'woo-orders-tracking' ) ?></div>
1784
1784
<div class="bar">
…
…
1787
1787
</div>
1788
1788
<div style="display: none;"
1789
class="vi-ui indicating progress standard <?php esc\_attr\_e( self::set( 'ppec\_paypal-progress' ) ) ?>">
1789
class="vi-ui indicating progress standard <?php echo esc\_attr( self::set( 'ppec\_paypal-progress' ) ) ?>">
1790
1790
<div class="label"><?php esc\_html\_e( 'Add tracking numbers to PayPal(for orders paid with PayPal Checkout)', 'woo-orders-tracking' ) ?></div>
1791
1791
<div class="bar">
…
…
1794
1794
</div>
1795
1795
<div style="display: none"
1796
class="vi-ui indicating progress standard <?php esc\_attr\_e( self::set( 'send-email-progress' ) ) ?>">
1796
class="vi-ui indicating progress standard <?php echo esc\_attr( self::set( 'send-email-progress' ) ) ?>">
1797
1797
<div class="label"><?php esc\_html\_e( 'Schedule to send emails', 'woo-orders-tracking' ) ?></div>
1798
1798
<div class="bar">
…
…
1805
1805
default:
1806
1806
?>
1807
<form class="<?php esc\_attr\_e( self::set( 'import-container-form' ) ) ?> vi-ui form"
1807
<form class="<?php echo esc\_attr( self::set( 'import-container-form' ) ) ?> vi-ui form"
1808
1808
method="post"
1809
1809
enctype="multipart/form-data">
…
…
1811
1811
wp\_nonce\_field( 'woo\_orders\_tracking\_import\_action\_nonce', '\_woo\_orders\_tracking\_import\_nonce' );
1812
1812
?>
1813
<div class="vi-ui positive message <?php esc\_attr\_e( self::set( 'import-container' ) ) ?>">
1813
<div class="vi-ui positive message <?php echo esc\_attr( self::set( 'import-container' ) ) ?>">
1814
1814
<div class="header">
1815
<label for="<?php esc\_attr\_e( self::set( 'import-file' ) ) ?>"><?php \_e( 'Select csv file to import', 'woo-orders-tracking' ); ?></label>
1815
<label for="<?php echo esc\_attr( self::set( 'import-file' ) ) ?>"><?php \_e( 'Select csv file to import', 'woo-orders-tracking' ); ?></label>
1816
1816
</div>
1817
1817
<ul class="list">
…
…
1834
1834
</ul>
1835
1835
</div>
1836
<table class="vi-ui celled table center aligned <?php esc\_attr\_e( self::set( 'order-statuses' ) ) ?>">
1836
<table class="vi-ui celled table center aligned <?php echo esc\_attr( self::set( 'order-statuses' ) ) ?>">
1837
1837
<thead>
1838
1838
<tr>
…
…
1859
1859
1860
1860
</form>
1861
<form class="<?php esc\_attr\_e( self::set( 'import-container-form' ) ) ?> vi-ui form"
1861
<form class="<?php echo esc\_attr( self::set( 'import-container-form' ) ) ?> vi-ui form"
1862
1862
method="post"
1863
1863
enctype="multipart/form-data">
…
…
1866
1866
1867
1867
?>
1868
<div class="<?php esc\_attr\_e( self::set( 'import-container' ) ) ?>">
1868
<div class="<?php echo esc\_attr( self::set( 'import-container' ) ) ?>">
1869
1869
<div>
1870
1870
<input type="file" name="woo\_orders\_tracking\_file"
1871
id="<?php esc\_attr\_e( self::set( 'import-file' ) ) ?>"
1872
class="<?php esc\_attr\_e( self::set( 'import-file' ) ) ?>"
1871
id="<?php echo esc\_attr( self::set( 'import-file' ) ) ?>"
1872
class="<?php echo esc\_attr( self::set( 'import-file' ) ) ?>"
1873
1873
accept=".csv"
1874
1874
required>
…
…
1876
1876
</div>
1877
1877
<p><input type="submit" name="woo\_orders\_tracking\_select\_file"
1878
class="vi-ui primary button <?php esc\_attr\_e( self::set( 'import-continue' ) ) ?>"
1878
class="vi-ui primary button <?php echo esc\_attr( self::set( 'import-continue' ) ) ?>"
1879
1879
value="<?php esc\_attr\_e( 'Continue', 'woo-orders-tracking' ); ?>">
1880
1880
</p>
woo-orders-tracking/trunk/readme.txt
r2631178
r2643807
5
5
Requires at least: 4.4
6
6
Tested up to: 5.8
7
Stable tag: 1.1.9
7
Stable tag: 1.1.10
8
8
License: GPLv2 or later
9
9
…
…
66
66
\- \*\*Lifetime update\*\*
67
67
68
\- \*\*Support More PayPal plugins\*\*: While the free version only supports PayPal standard and PayPal Express checkout, the pro version supports the new WooCommerce PayPal payments plugin and a lot of other PayPal plugin from other authors
69
70
\- \*\*Default track info\*\*: No more "tracking info not available" message by adding default track info when ever a new order is placed. This helps reduce a lot of support emails from your customers asking about their packets.
71
68
72
\- \*\*Input fields\*\*: You can track with email and/or order ID and/or tracking number
69
73
…
…
95
99
96
100
\### MAY BE YOU NEED
101
102
\[EXMAGE - WordPress Image Links\](https://bit.ly/exmage): Save storage by using external image URLs
103
104
\[REDIS - WooCommerce Dynamic Pricing and Discounts\](https://bit.ly/redis-woo-dynamic-pricing-and-discounts): Create flexible pricing rules for products
97
105
98
106
\[Pofily – WooCommerce Product Filters\](https://bit.ly/pofily-woo-product-filters): Advanced filters for WooCommerce
…
…
171
179
172
180
\== Changelog ==
181
/\*\*v1.1.10 - 2021.12.14\*\*/
182
\- Fixed: Patched XSS vulnerability
183
173
184
/\*\*v1.1.9 - 2021.11.17\*\*/
174
185
\- Fixed: Tracking URL of Fedex and Portugal Post - CTT
woo-orders-tracking/trunk/woo-orders-tracking.php
r2631178
r2643807
4
4
\* Plugin URI: https://villatheme.com/extensions/woo-orders-tracking
5
5
\* Description: Import orders tracking number and send tracking info to customers
6
\* Version: 1.1.9
6
\* Version: 1.1.10
7
7
\* Author: VillaTheme
8
8
\* Author URI: https://villatheme.com
…
…
17
17
exit;
18
18
}
19
define( 'VI\_WOO\_ORDERS\_TRACKING\_VERSION', '1.1.9' );
19
define( 'VI\_WOO\_ORDERS\_TRACKING\_VERSION', '1.1.10' );
20
20
define( 'VI\_WOO\_ORDERS\_TRACKING\_PATH\_FILE', \_\_FILE\_\_ );
21
21
include\_once( ABSPATH . 'wp-admin/includes/plugin.php' );