Headline
CVE-2023-4283: Changeset 2950211 for embedpress – WordPress Plugin Repository
The EmbedPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘embedpress_calendar’ shortcode in versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
embedpress/tags/3.8.3/EmbedPress/Ends/Back/Settings/templates/google-calendar.php
r2814852
r2950211
71
71
<br>
72
72
<form style="display:inline" method="post" action="<?php echo admin\_url('admin-post.php'); ?>">
73
<?php wp\_nonce\_field( 'epgc\_authorize', 'epgc\_authorize\_data' ); ?>
73
74
<input type="hidden" name="action" value="epgc\_authorize">
74
75
<?php submit\_button(\_\_('Authorize', 'embedpress'), 'primary', 'epgc\_authorize', false); ?>
…
…
76
77
77
78
<form style="display:inline" method="post" action="<?php echo admin\_url('admin-post.php'); ?>">
79
<?php wp\_nonce\_field( 'epgc\_remove\_private', 'epgc\_remove\_private\_data' ); ?>
78
80
<input type="hidden" name="action" value="epgc\_remove\_private">
79
81
<?php submit\_button(\_\_('Stop', 'embedpress'), '', 'epgc\_remove\_private', false); ?>
…
…
82
84
83
85
86
84
87
</div>
85
88
</div>
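Review bot: Only the Authorize and Stop forms in this template gain a `wp_nonce_field()`, yet the same changeset makes `admin_post_deletecache()` in Embedpress_Google_Helper.php reject any request that lacks a valid `epgc_deletecache_data` nonce. No template hunk on this page adds that field, so unless the cache-delete form already emits it somewhere outside this diff, that action will now always stop at "Sorry, your nonce did not verify."; its form needs `<?php wp_nonce_field( 'epgc_deletecache', 'epgc_deletecache_data' ); ?>`. While these forms are being touched, the `action` attribute is better written as `<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>`. The trunk copy of this template carries the same change.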
embedpress/tags/3.8.3/EmbedPress/Includes/Classes/EmbedPress_Plugin_Usage_Tracker.php
r2889048
r2950211
50
50
\*/
51
51
private static $\_instance = null;
52
53
private $disabled\_wp\_cron;
54
private $enable\_self\_cron;
55
private $require\_optin;
56
private $include\_goodbye\_form;
57
private $marketing;
58
private $options;
59
private $item\_id;
60
private $notice\_options;
61
52
62
/\*\*
53
63
\* Get Instance of EmbedPress\_Plugin\_Usage\_Tracker
embedpress/tags/3.8.3/EmbedPress/Includes/Classes/Helper.php
r2930523
r2950211
233
233
$client\_id = isset($\_POST\['client\_id'\]) ? $\_POST\['client\_id'\] : '';
234
234
$password = isset($\_POST\['password'\]) ? $\_POST\['password'\] : '';
235
$epbase64 = isset($\_POST\['epbase'\]) ? $\_POST\['epbase'\] : '';
236
$hash\_key = isset($\_POST\['hash\_key'\]) ? $\_POST\['hash\_key'\] : '';
235
$post\_id = isset($\_POST\['post\_id'\]) ? $\_POST\['post\_id'\] : 'sdfds';
236
237
// $epbase64 = isset($\_POST\['epbase'\]) ? $\_POST\['epbase'\] : '';
238
// $hash\_key = isset($\_POST\['hash\_key'\]) ? $\_POST\['hash\_key'\] : '';
239
240
$epbase64 = get\_post\_meta($post\_id, 'ep\_base\_' .$client\_id, false );
241
$hash\_key = get\_post\_meta( $post\_id, 'hash\_key\_' .$client\_id, false );
237
242
238
243
// Set the decryption key and initialization vector (IV)
…
…
263
268
'success' => true,
264
269
'password' => $password,
265
'embedHtml' => $embed
270
'embedHtml' => $embed,
266
271
);
267
272
…
…
295
300
// Base64 encode the encrypted cipher
296
301
$encrypted\_data = base64\_encode($cipher);
302
303
update\_post\_meta( get\_the\_ID( ), 'ep\_base\_' .$client\_id, $encrypted\_data );
304
update\_post\_meta( get\_the\_ID( ), 'hash\_key\_' .$client\_id, $wp\_hash\_key );
297
305
298
306
$lock\_icon = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64"><g fill="#6354a5" class="color134563 svgShape"><path d="M46.3 28.7h-3v-6.4C43.3 16.1 38.2 11 32 11c-6.2 0-11.3 5.1-11.3 11.3v6.4h-3v-6.4C17.7 14.4 24.1 8 32 8s14.3 6.4 14.3 14.3v6.4" fill="#6354a5" class="color000000 svgShape"></path><path d="M44.8 55.9H19.2c-2.6 0-4.8-2.2-4.8-4.8V31.9c0-2.6 2.2-4.8 4.8-4.8h25.6c2.6 0 4.8 2.2 4.8 4.8v19.2c0 2.7-2.2 4.8-4.8 4.8zM19.2 30.3c-.9 0-1.6.7-1.6 1.6v19.2c0 .9.7 1.6 1.6 1.6h25.6c.9 0 1.6-.7 1.6-1.6V31.9c0-.9-.7-1.6-1.6-1.6H19.2z" fill="#6354a5" class="color000000 svgShape"></path><path d="M35.2 36.7c0 1.8-1.4 3.2-3.2 3.2s-3.2-1.4-3.2-3.2 1.4-3.2 3.2-3.2 3.2 1.5 3.2 3.2" fill="#6354a5" class="color000000 svgShape"></path><path d="M32.8 36.7h-1.6l-1.6 9.6h4.8l-1.6-9.6" fill="#6354a5" class="color000000 svgShape"></path></g></svg>';
…
…
309
317
</div>
310
318
<input type="hidden" name="ep\_client\_id" value="' . esc\_attr($client\_id) . '">
311
<input type="hidden" name="ep\_base\_' . esc\_attr($client\_id) . '" value="' . esc\_attr($encrypted\_data) . '">
312
<input type="hidden" name="hash\_key\_' . esc\_attr($client\_id) . '" value="' . esc\_attr($wp\_hash\_key ) . '">
319
<input type="hidden" name="post\_id" value="' . esc\_attr(get\_the\_ID( ) ) . '">
320
313
321
<input type="submit" name="password\_submit" value="'.esc\_attr( $button\_text ).'">
314
322
<div class="error-message hidden">'.esc\_html( $lock\_error\_message ).'</div>
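Review bot: The new `$post_id` lookup takes `$_POST['post_id']` unvalidated, falls back to the leftover string `'sdfds'`, and then calls `get_post_meta()` with `$single` set to `false`, which returns an array where the removed lines supplied strings. Gutenberg/block-backend/block-embedpress.php makes the same two lookups with `true`, so the two handlers now disagree; here I would use `$post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;` and pass `true` as the third argument of both `get_post_meta()` calls. `$client_id` also comes straight from the request and is concatenated into the meta key, so it is worth restricting to the character set the plugin itself generates. The decryption code that consumes `$epbase64` and `$hash_key` lies outside the hunk, so the effect of the array return there should be confirmed; the trunk copy has the same lines.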
embedpress/tags/3.8.3/EmbedPress/ThirdParty/Googlecalendar/Embedpress_Google_Helper.php
r2678221
r2950211
677
677
$filterHTML = '<div class="epgc-calendar-filter" ' . $dataUnchekedCalendarIds . '></div>';
678
678
679
return '<div class="epgc-calendar-wrapper epgc-calendar-page">' . ($userFilter === 'top' ? $filterHTML : '') . '<div '
680
. $dataCalendarIds . ' data-filter=\\'' . $userFilter . '\\' data-eventpopup=\\'' . $userEventPopup . '\\' data-eventlink=\\''
681
. $userEventLink . '\\' data-eventdescription=\\'' . $userEventDescription . '\\' data-eventlocation=\\''
682
. $userEventLocation . '\\' data-eventattachments=\\'' . $userEventAttachments . '\\' data-eventattendees=\\''
683
. $userEventAttendees . '\\' data-eventcreator=\\'' . $userEventCreator . '\\' data-eventcalendarname=\\''
684
. $userEventCalendarname . '\\' data-hidefuture=\\'' . $userHideFuture . '\\' data-hidepassed=\\''
685
. $userHidePassed . '\\' data-config=\\'' . json\_encode($userConfig) . '\\' data-locale="'
686
. get\_locale() . '" class="epgc-calendar"></div>' . ($userFilter === 'bottom' ? $filterHTML : '') . '</div>';
679
return '<div class="epgc-calendar-wrapper epgc-calendar-page">' . ($userFilter === 'top' ? wp\_kses\_post($filterHTML) : '') . '<div '
680
. esc\_attr($dataCalendarIds) . ' data-filter=\\''
681
. esc\_attr($userFilter) . '\\' data-eventpopup=\\''
682
. esc\_attr($userEventPopup) . '\\' data-eventlink=\\''
683
. esc\_attr($userEventLink) . '\\' data-eventdescription=\\''
684
. esc\_attr($userEventDescription) . '\\' data-eventlocation=\\''
685
. esc\_attr($userEventLocation) . '\\' data-eventattachments=\\''
686
. esc\_attr($userEventAttachments) . '\\' data-eventattendees=\\''
687
. esc\_attr($userEventAttendees) . '\\' data-eventcreator=\\''
688
. esc\_attr($userEventCreator) . '\\' data-eventcalendarname=\\''
689
. esc\_attr($userEventCalendarname) . '\\' data-hidefuture=\\''
690
. esc\_attr($userHideFuture) . '\\' data-hidepassed=\\''
691
. esc\_attr($userHidePassed) . '\\' data-config=\\''
692
. json\_encode($userConfig) . '\\' data-locale="'
693
. esc\_attr(get\_locale())
694
. '" class="epgc-calendar"></div>'
695
. ($userFilter === 'bottom' ? wp\_kses\_post($filterHTML) : '')
696
. '</div>';
687
697
}
688
698
…
…
727
737
}
728
738
public static function admin\_post\_deletecache() {
729
self::delete\_calendar\_cache();
730
self::add\_notice(PGC\_NOTICES\_CACHE\_DELETED, 'success', true);
731
exit;
739
if ( ! isset( $\_POST\['epgc\_deletecache\_data'\] ) || ! wp\_verify\_nonce( $\_POST\['epgc\_deletecache\_data'\], 'epgc\_deletecache' ) || !current\_user\_can('manage\_options')) {
740
print 'Sorry, your nonce did not verify.';
741
exit;
742
} else {
743
self::delete\_calendar\_cache();
744
self::add\_notice(PGC\_NOTICES\_CACHE\_DELETED, 'success', true);
745
exit;
746
}
732
747
}
733
748
public static function admin\_post\_verify() {
…
…
800
815
801
816
public static function remove\_private\_data() {
802
self::delete\_plugin\_data('private');
803
self::add\_notice(EPGC\_NOTICES\_REMOVE\_SUCCESS, 'success', true);
804
exit;
817
if ( ! isset( $\_POST\['epgc\_remove\_private\_data'\] ) || ! wp\_verify\_nonce( $\_POST\['epgc\_remove\_private\_data'\], 'epgc\_remove\_private' ) || !current\_user\_can('manage\_options')) {
818
print 'Sorry, your nonce did not verify.';
819
exit;
820
} else {
821
self::delete\_plugin\_data('private');
822
self::add\_notice(EPGC\_NOTICES\_REMOVE\_SUCCESS, 'success', true);
823
exit;
824
}
805
825
}
806
826
807
827
public static function admin\_post\_remove() {
808
self::delete\_plugin\_data();
809
self::add\_notice(EPGC\_NOTICES\_REMOVE\_SUCCESS, 'success', true);
810
exit;
828
829
if ( ! isset( $\_POST\['epgc\_remove\_private\_data'\] ) || ! wp\_verify\_nonce( $\_POST\['epgc\_remove\_private\_data'\], 'epgc\_remove\_private' ) || !current\_user\_can('manage\_options')) {
830
print 'Sorry, your nonce did not verify.';
831
exit;
832
} else {
833
834
self::delete\_plugin\_data();
835
self::add\_notice(EPGC\_NOTICES\_REMOVE\_SUCCESS, 'success', true);
836
exit;
837
}
838
811
839
}
812
840
public static function admin\_post\_revoke() {
…
…
834
862
}
835
863
public static function admin\_post\_authorize() {
836
try {
837
$client = self::getGoogleClient();
838
$client->authorize();
839
exit;
840
} catch (Exception $ex) {
841
self::embedpress\_die($ex);
842
}
864
if ( ! isset( $\_POST\['epgc\_authorize\_data'\] ) || ! wp\_verify\_nonce( $\_POST\['epgc\_authorize\_data'\], 'epgc\_authorize' ) || !current\_user\_can('manage\_options')) {
865
print 'Sorry, your nonce did not verify.';
866
exit;
867
} else {
868
try {
869
$client = self::getGoogleClient();
870
$client->authorize();
871
exit;
872
} catch (Exception $ex) {
873
self::embedpress\_die($ex);
874
}
875
}
876
843
877
}
844
878
…
…
877
911
878
912
if (empty($clientSecret) || !empty($clientSecretError)) {
879
update\_option('epgc\_client\_secret', '', false);
880
913
update\_option('epgc\_selected\_calendar\_ids', \[\], false);
881
914
}
…
…
922
955
add\_action('admin\_post\_epgc\_colorlist', \[Embedpress\_Google\_Helper::class, 'admin\_post\_colorlist'\]);
923
956
add\_action('admin\_post\_epgc\_deletecache', \[Embedpress\_Google\_Helper::class, 'admin\_post\_deletecache'\]);
957
958
924
959
/\*\*
925
960
\* Admin post action to verify if we have valid access and refresh token.
…
…
931
966
932
967
add\_action('admin\_post\_epgc\_remove\_private', \[Embedpress\_Google\_Helper::class, 'remove\_private\_data'\]);
933
/\*\*
934
\* Admin post action to delete all plugin data.
935
\*/
936
add\_action('admin\_post\_epgc\_remove', \[Embedpress\_Google\_Helper::class,'admin\_post\_remove'\]);
937
938
968
939
969
/\*\*
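Review bot: `json_encode($userConfig)` is still written unescaped into the single-quoted `data-config` attribute (new line 692, same in the trunk copy), although every other value in the rewritten `return` now goes through `esc_attr()`. `json_encode()` does not escape `'` by default, so if `$userConfig` carries shortcode-supplied values (it is built outside the hunk) this attribute remains open to the injection the changeset targets; `. esc_attr( wp_json_encode( $userConfig ) ) . '\' data-locale="'` closes it, and the browser decodes the entities before any script reads the attribute. In the same statement `esc_attr($dataCalendarIds)` is applied to what looks like a complete `name='value'` attribute pair, which would entity-encode its own quotes; escaping the value where that string is assembled would be safer, to be confirmed against the code above the hunk. Separately, `admin_post_remove()` verifies the `epgc_remove_private` nonce rather than one of its own and its `admin_post_epgc_remove` registration is deleted in the last hunk, so the method appears to be dead code that should be removed or given its own nonce.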
embedpress/tags/3.8.3/Gutenberg/block-backend/block-embedpress.php
r2930523
r2950211
21
21
$client\_id = isset($\_POST\['client\_id'\]) ? $\_POST\['client\_id'\] : '';
22
22
$password = isset($\_POST\['password'\]) ? $\_POST\['password'\] : '';
23
$epbase64 = isset($\_POST\['epbase'\]) ? $\_POST\['epbase'\] : '';
24
$hash\_key = isset($\_POST\['hash\_key'\]) ? $\_POST\['hash\_key'\] : '';
25
26
// echo $client\_id;
27
23
$post\_id = isset($\_POST\['post\_id'\]) ? $\_POST\['post\_id'\] : '';
24
25
$epbase64 = get\_post\_meta( $post\_id, 'ep\_base\_' .$client\_id, true );
26
$hash\_key = get\_post\_meta( $post\_id, 'hash\_key\_' .$client\_id, true );
28
27
29
28
// Set the decryption key and initialization vector (IV)
…
…
57
56
'success' => true,
58
57
'password' => $password,
59
'embedHtml' => $embed
58
'embedHtml' => $embed,
59
'post\_id' => $post\_id
60
60
);
61
61
…
…
65
65
}
66
66
}
67
67
68
68
69
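Review bot: The response array now echoes `'post_id' => $post_id` back to the caller exactly as it arrived in `$_POST`, and nothing in the front.js hunks of this changeset reads that field. Either drop the key or return a validated integer, for example by starting the handler with `$post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;`. Because the ciphertext and key are now read from whichever post the request names, it is also worth confirming, in the part of the function outside these hunks, that the post is published or otherwise viewable by the requester before any content is unlocked. The trunk copy is identical.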
embedpress/tags/3.8.3/assets/js/front.js
r2930523
r2950211
325
325
var ep\_client\_id = jQuery(that).closest('form').find('input\[name="ep\_client\_id"\]').val();
326
326
var password = jQuery(\`input\[name="pass\_${ep\_client\_id}"\]\`).val();
327
var epbase = jQuery(\`input\[name="ep\_base\_${ep\_client\_id}"\]\`).val();
328
var hash\_key = jQuery(\`input\[name="hash\_key\_${ep\_client\_id}"\]\`).val();
327
var post\_id = jQuery(\`input\[name="post\_id"\]\`).val();
329
328
const buttonText = jQuery(that).closest('.password-form-container').find('input\[type="submit"\]').val();
330
329
const unlokingText = jQuery(that).data('unlocking-text');
…
…
335
334
'client\_id': ep\_client\_id,
336
335
'password': password,
337
'hash\_key': hash\_key,
338
'epbase': epbase
336
'post\_id': post\_id,
339
337
};
340
338
…
…
443
441
var ep\_client\_id = jQuery(that).closest('form').find('input\[name="ep\_client\_id"\]').val();
444
442
var password = jQuery(\`input\[name="pass\_${ep\_client\_id}"\]\`).val();
445
var epbase = jQuery(\`input\[name="ep\_base\_${ep\_client\_id}"\]\`).val();
446
var hash\_key = jQuery(\`input\[name="hash\_key\_${ep\_client\_id}"\]\`).val();
443
var post\_id = jQuery(\`input\[name="post\_id"\]\`).val();
447
444
const buttonText = jQuery(that).closest('.password-form-container').find('input\[type="submit"\]').val();
448
445
const unlokingText = jQuery(that).data('unlocking-text');
…
…
452
449
'client\_id': ep\_client\_id,
453
450
'password': password,
454
'hash\_key': hash\_key,
455
'epbase': epbase
451
'post\_id': post\_id,
456
452
};
457
453
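Review bot: The new `post_id` lookup uses the bare selector `input[name="post_id"]`, which searches the whole document, so on a page that renders protected embeds from more than one post (an archive or query loop) every form sends the first `post_id` it finds. `ep_client_id` two lines above is already scoped to the submitting form; do the same here with `var post_id = jQuery(that).closest('form').find('input[name="post_id"]').val();`. The same line appears in both hunks (new lines 327 and 443) and in the trunk copy. The handlers that contain these lines start outside the hunks.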
embedpress/tags/3.8.3/embedpress.php
r2943389
r2950211
7
7
\* Author: WPDeveloper
8
8
\* Author URI: https://wpdeveloper.com
9
\* Version: 3.8.2
9
\* Version: 3.8.3
10
10
\* Text Domain: embedpress
11
11
\* Domain Path: /languages
…
…
39
39
40
40
if (!defined('EMBEDPRESS\_PLUGIN\_VERSION')) {
41
define('EMBEDPRESS\_PLUGIN\_VERSION', '3.8.2');
41
define('EMBEDPRESS\_PLUGIN\_VERSION', '3.8.3');
42
42
}
43
43
embedpress/tags/3.8.3/includes.php
r2943389
r2950211
23
23
24
24
if ( ! defined('EMBEDPRESS\_VERSION')) {
25
define('EMBEDPRESS\_VERSION', "3.8.2");
25
define('EMBEDPRESS\_VERSION', "3.8.3");
26
26
/\*\*
27
27
\* @deprecated 2.2.0
embedpress/tags/3.8.3/providers.php
r2934984
r2950211
16
16
17
17
$host\_url = parse\_url(site\_url());
18
19
18
20
$additionalServiceProviders = \[
19
21
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\GoogleMaps" => \["google.com", "google.com.\*", "maps.google.com", "goo.gl", "google.co.\*"\],
…
…
27
29
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\NRKRadio" => \["radio.nrk.no", "nrk.no"\],
28
30
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\GitHub" => \["gist.github.com", "github.com"\],
29
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\SelfHosted" => \[$host\_url\['host'\]\], // This is provider also uses for Wrapper
30
31
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\SelfHosted" => \[$host\_url\['host'\], "\*.com", "\*.net", "\*.org", "\*.edu", "\*.gov", "\*.mil", "\*.int", "\*.biz", "\*.info", "\*.jobs", "\*.mobi", "\*.name", "\*.aero", "\*.coop", "\*.travel", "\*.museum", "\*.cat", "\*.pro", "\*.tel", "\*.asia", "\*.xxx", "\*.post", "\*.geo", "\*.nato"\],
32
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\Gumroad" => \["\*.gumroad.com","gumroad.com"\],
31
33
\];
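Review bot: The SelfHosted entry on the new side matches the site's own host plus two dozen TLD wildcards (`*.com`, `*.net`, `*.org`, …), which turns a same-site provider into one that accepts almost any public URL, and the comment that explained its role as the Wrapper provider is gone. If that is the intent behind the changelog's "Wrapper with any public page embedding support", it deserves a comment saying so and preferably a filter or setting that lets site owners narrow the list, since anyone allowed to insert an embed could then presumably frame arbitrary third-party pages through the plugin. The list is also an arbitrary definition of "public": country-code and newer generic TLDs are not covered, so behaviour will differ by domain for no documented reason. The trunk copy carries the same entry.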
embedpress/tags/3.8.3/readme.txt
r2943389
r2950211
7
7
Tested up to: 6.2
8
8
Requires PHP: 5.6
9
Stable tag: 3.8.2
9
Stable tag: 3.8.3
10
10
License: GPLv3 or later
11
11
License URI: https://opensource.org/licenses/GPL-3.0
…
…
382
382
The format is based on \[Keep a Changelog\](http://keepachangelog.com/)
383
383
and this project adheres to \[Semantic Versioning\](http://semver.org/).
384
385
\= \[3.8.3\] - 2023-08-09 =
386
\- Added: Gumroad Embedding support.
387
\- Improved: Wrapper with any public page embedding support.
388
\- Improved: Updated security patch for better performance.
389
\- Fixed: PHP8.2 deprecated issues.
390
\- Few minor bug fixes & improvements.
384
391
385
392
\= \[3.8.2\] - 2023-07-26 =
embedpress/tags/3.8.3/vendor/priyomukul/wp-notice/src/Dismiss.php
r2751250
r2950211
14
14
private $app = null;
15
15
private $hook = null;
16
private $classes;
17
private $recurrence;
18
private $screens;
19
private $type;
20
private $start;
21
private $dismissible;
22
private $refresh;
23
private $do\_action;
24
private $display\_if;
25
private $capability;
26
27
16
28
17
29
public function \_\_construct( $id, $options, $app ){
embedpress/tags/3.8.3/vendor/priyomukul/wp-notice/src/Notices.php
r2750342
r2950211
22
22
23
23
private $scripts = null;
24
25
private $dev\_mode;
26
24
27
25
28
public function \_\_get( $name ){
embedpress/trunk/EmbedPress/Ends/Back/Settings/templates/google-calendar.php
r2814852
r2950211
71
71
<br>
72
72
<form style="display:inline" method="post" action="<?php echo admin\_url('admin-post.php'); ?>">
73
<?php wp\_nonce\_field( 'epgc\_authorize', 'epgc\_authorize\_data' ); ?>
73
74
<input type="hidden" name="action" value="epgc\_authorize">
74
75
<?php submit\_button(\_\_('Authorize', 'embedpress'), 'primary', 'epgc\_authorize', false); ?>
…
…
76
77
77
78
<form style="display:inline" method="post" action="<?php echo admin\_url('admin-post.php'); ?>">
79
<?php wp\_nonce\_field( 'epgc\_remove\_private', 'epgc\_remove\_private\_data' ); ?>
78
80
<input type="hidden" name="action" value="epgc\_remove\_private">
79
81
<?php submit\_button(\_\_('Stop', 'embedpress'), '', 'epgc\_remove\_private', false); ?>
…
…
82
84
83
85
86
84
87
</div>
85
88
</div>
embedpress/trunk/EmbedPress/Includes/Classes/EmbedPress_Plugin_Usage_Tracker.php
r2889048
r2950211
50
50
\*/
51
51
private static $\_instance = null;
52
53
private $disabled\_wp\_cron;
54
private $enable\_self\_cron;
55
private $require\_optin;
56
private $include\_goodbye\_form;
57
private $marketing;
58
private $options;
59
private $item\_id;
60
private $notice\_options;
61
52
62
/\*\*
53
63
\* Get Instance of EmbedPress\_Plugin\_Usage\_Tracker
embedpress/trunk/EmbedPress/Includes/Classes/Helper.php
r2930523
r2950211
233
233
$client\_id = isset($\_POST\['client\_id'\]) ? $\_POST\['client\_id'\] : '';
234
234
$password = isset($\_POST\['password'\]) ? $\_POST\['password'\] : '';
235
$epbase64 = isset($\_POST\['epbase'\]) ? $\_POST\['epbase'\] : '';
236
$hash\_key = isset($\_POST\['hash\_key'\]) ? $\_POST\['hash\_key'\] : '';
235
$post\_id = isset($\_POST\['post\_id'\]) ? $\_POST\['post\_id'\] : 'sdfds';
236
237
// $epbase64 = isset($\_POST\['epbase'\]) ? $\_POST\['epbase'\] : '';
238
// $hash\_key = isset($\_POST\['hash\_key'\]) ? $\_POST\['hash\_key'\] : '';
239
240
$epbase64 = get\_post\_meta($post\_id, 'ep\_base\_' .$client\_id, false );
241
$hash\_key = get\_post\_meta( $post\_id, 'hash\_key\_' .$client\_id, false );
237
242
238
243
// Set the decryption key and initialization vector (IV)
…
…
263
268
'success' => true,
264
269
'password' => $password,
265
'embedHtml' => $embed
270
'embedHtml' => $embed,
266
271
);
267
272
…
…
295
300
// Base64 encode the encrypted cipher
296
301
$encrypted\_data = base64\_encode($cipher);
302
303
update\_post\_meta( get\_the\_ID( ), 'ep\_base\_' .$client\_id, $encrypted\_data );
304
update\_post\_meta( get\_the\_ID( ), 'hash\_key\_' .$client\_id, $wp\_hash\_key );
297
305
298
306
$lock\_icon = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64"><g fill="#6354a5" class="color134563 svgShape"><path d="M46.3 28.7h-3v-6.4C43.3 16.1 38.2 11 32 11c-6.2 0-11.3 5.1-11.3 11.3v6.4h-3v-6.4C17.7 14.4 24.1 8 32 8s14.3 6.4 14.3 14.3v6.4" fill="#6354a5" class="color000000 svgShape"></path><path d="M44.8 55.9H19.2c-2.6 0-4.8-2.2-4.8-4.8V31.9c0-2.6 2.2-4.8 4.8-4.8h25.6c2.6 0 4.8 2.2 4.8 4.8v19.2c0 2.7-2.2 4.8-4.8 4.8zM19.2 30.3c-.9 0-1.6.7-1.6 1.6v19.2c0 .9.7 1.6 1.6 1.6h25.6c.9 0 1.6-.7 1.6-1.6V31.9c0-.9-.7-1.6-1.6-1.6H19.2z" fill="#6354a5" class="color000000 svgShape"></path><path d="M35.2 36.7c0 1.8-1.4 3.2-3.2 3.2s-3.2-1.4-3.2-3.2 1.4-3.2 3.2-3.2 3.2 1.5 3.2 3.2" fill="#6354a5" class="color000000 svgShape"></path><path d="M32.8 36.7h-1.6l-1.6 9.6h4.8l-1.6-9.6" fill="#6354a5" class="color000000 svgShape"></path></g></svg>';
…
…
309
317
</div>
310
318
<input type="hidden" name="ep\_client\_id" value="' . esc\_attr($client\_id) . '">
311
<input type="hidden" name="ep\_base\_' . esc\_attr($client\_id) . '" value="' . esc\_attr($encrypted\_data) . '">
312
<input type="hidden" name="hash\_key\_' . esc\_attr($client\_id) . '" value="' . esc\_attr($wp\_hash\_key ) . '">
319
<input type="hidden" name="post\_id" value="' . esc\_attr(get\_the\_ID( ) ) . '">
320
313
321
<input type="submit" name="password\_submit" value="'.esc\_attr( $button\_text ).'">
314
322
<div class="error-message hidden">'.esc\_html( $lock\_error\_message ).'</div>
embedpress/trunk/EmbedPress/ThirdParty/Googlecalendar/Embedpress_Google_Helper.php
r2678221
r2950211
677
677
$filterHTML = '<div class="epgc-calendar-filter" ' . $dataUnchekedCalendarIds . '></div>';
678
678
679
return '<div class="epgc-calendar-wrapper epgc-calendar-page">' . ($userFilter === 'top' ? $filterHTML : '') . '<div '
680
. $dataCalendarIds . ' data-filter=\\'' . $userFilter . '\\' data-eventpopup=\\'' . $userEventPopup . '\\' data-eventlink=\\''
681
. $userEventLink . '\\' data-eventdescription=\\'' . $userEventDescription . '\\' data-eventlocation=\\''
682
. $userEventLocation . '\\' data-eventattachments=\\'' . $userEventAttachments . '\\' data-eventattendees=\\''
683
. $userEventAttendees . '\\' data-eventcreator=\\'' . $userEventCreator . '\\' data-eventcalendarname=\\''
684
. $userEventCalendarname . '\\' data-hidefuture=\\'' . $userHideFuture . '\\' data-hidepassed=\\''
685
. $userHidePassed . '\\' data-config=\\'' . json\_encode($userConfig) . '\\' data-locale="'
686
. get\_locale() . '" class="epgc-calendar"></div>' . ($userFilter === 'bottom' ? $filterHTML : '') . '</div>';
679
return '<div class="epgc-calendar-wrapper epgc-calendar-page">' . ($userFilter === 'top' ? wp\_kses\_post($filterHTML) : '') . '<div '
680
. esc\_attr($dataCalendarIds) . ' data-filter=\\''
681
. esc\_attr($userFilter) . '\\' data-eventpopup=\\''
682
. esc\_attr($userEventPopup) . '\\' data-eventlink=\\''
683
. esc\_attr($userEventLink) . '\\' data-eventdescription=\\''
684
. esc\_attr($userEventDescription) . '\\' data-eventlocation=\\''
685
. esc\_attr($userEventLocation) . '\\' data-eventattachments=\\''
686
. esc\_attr($userEventAttachments) . '\\' data-eventattendees=\\''
687
. esc\_attr($userEventAttendees) . '\\' data-eventcreator=\\''
688
. esc\_attr($userEventCreator) . '\\' data-eventcalendarname=\\''
689
. esc\_attr($userEventCalendarname) . '\\' data-hidefuture=\\''
690
. esc\_attr($userHideFuture) . '\\' data-hidepassed=\\''
691
. esc\_attr($userHidePassed) . '\\' data-config=\\''
692
. json\_encode($userConfig) . '\\' data-locale="'
693
. esc\_attr(get\_locale())
694
. '" class="epgc-calendar"></div>'
695
. ($userFilter === 'bottom' ? wp\_kses\_post($filterHTML) : '')
696
. '</div>';
687
697
}
688
698
…
…
727
737
}
728
738
public static function admin\_post\_deletecache() {
729
self::delete\_calendar\_cache();
730
self::add\_notice(PGC\_NOTICES\_CACHE\_DELETED, 'success', true);
731
exit;
739
if ( ! isset( $\_POST\['epgc\_deletecache\_data'\] ) || ! wp\_verify\_nonce( $\_POST\['epgc\_deletecache\_data'\], 'epgc\_deletecache' ) || !current\_user\_can('manage\_options')) {
740
print 'Sorry, your nonce did not verify.';
741
exit;
742
} else {
743
self::delete\_calendar\_cache();
744
self::add\_notice(PGC\_NOTICES\_CACHE\_DELETED, 'success', true);
745
exit;
746
}
732
747
}
733
748
public static function admin\_post\_verify() {
…
…
800
815
801
816
public static function remove\_private\_data() {
802
self::delete\_plugin\_data('private');
803
self::add\_notice(EPGC\_NOTICES\_REMOVE\_SUCCESS, 'success', true);
804
exit;
817
if ( ! isset( $\_POST\['epgc\_remove\_private\_data'\] ) || ! wp\_verify\_nonce( $\_POST\['epgc\_remove\_private\_data'\], 'epgc\_remove\_private' ) || !current\_user\_can('manage\_options')) {
818
print 'Sorry, your nonce did not verify.';
819
exit;
820
} else {
821
self::delete\_plugin\_data('private');
822
self::add\_notice(EPGC\_NOTICES\_REMOVE\_SUCCESS, 'success', true);
823
exit;
824
}
805
825
}
806
826
807
827
public static function admin\_post\_remove() {
808
self::delete\_plugin\_data();
809
self::add\_notice(EPGC\_NOTICES\_REMOVE\_SUCCESS, 'success', true);
810
exit;
828
829
if ( ! isset( $\_POST\['epgc\_remove\_private\_data'\] ) || ! wp\_verify\_nonce( $\_POST\['epgc\_remove\_private\_data'\], 'epgc\_remove\_private' ) || !current\_user\_can('manage\_options')) {
830
print 'Sorry, your nonce did not verify.';
831
exit;
832
} else {
833
834
self::delete\_plugin\_data();
835
self::add\_notice(EPGC\_NOTICES\_REMOVE\_SUCCESS, 'success', true);
836
exit;
837
}
838
811
839
}
812
840
public static function admin\_post\_revoke() {
…
…
834
862
}
835
863
public static function admin\_post\_authorize() {
836
try {
837
$client = self::getGoogleClient();
838
$client->authorize();
839
exit;
840
} catch (Exception $ex) {
841
self::embedpress\_die($ex);
842
}
864
if ( ! isset( $\_POST\['epgc\_authorize\_data'\] ) || ! wp\_verify\_nonce( $\_POST\['epgc\_authorize\_data'\], 'epgc\_authorize' ) || !current\_user\_can('manage\_options')) {
865
print 'Sorry, your nonce did not verify.';
866
exit;
867
} else {
868
try {
869
$client = self::getGoogleClient();
870
$client->authorize();
871
exit;
872
} catch (Exception $ex) {
873
self::embedpress\_die($ex);
874
}
875
}
876
843
877
}
844
878
…
…
877
911
878
912
if (empty($clientSecret) || !empty($clientSecretError)) {
879
update\_option('epgc\_client\_secret', '', false);
880
913
update\_option('epgc\_selected\_calendar\_ids', \[\], false);
881
914
}
…
…
922
955
add\_action('admin\_post\_epgc\_colorlist', \[Embedpress\_Google\_Helper::class, 'admin\_post\_colorlist'\]);
923
956
add\_action('admin\_post\_epgc\_deletecache', \[Embedpress\_Google\_Helper::class, 'admin\_post\_deletecache'\]);
957
958
924
959
/\*\*
925
960
\* Admin post action to verify if we have valid access and refresh token.
…
…
931
966
932
967
add\_action('admin\_post\_epgc\_remove\_private', \[Embedpress\_Google\_Helper::class, 'remove\_private\_data'\]);
933
/\*\*
934
\* Admin post action to delete all plugin data.
935
\*/
936
add\_action('admin\_post\_epgc\_remove', \[Embedpress\_Google\_Helper::class,'admin\_post\_remove'\]);
937
938
968
939
969
/\*\*
embedpress/trunk/Gutenberg/block-backend/block-embedpress.php
r2930523
r2950211
21
21
$client\_id = isset($\_POST\['client\_id'\]) ? $\_POST\['client\_id'\] : '';
22
22
$password = isset($\_POST\['password'\]) ? $\_POST\['password'\] : '';
23
$epbase64 = isset($\_POST\['epbase'\]) ? $\_POST\['epbase'\] : '';
24
$hash\_key = isset($\_POST\['hash\_key'\]) ? $\_POST\['hash\_key'\] : '';
25
26
// echo $client\_id;
27
23
$post\_id = isset($\_POST\['post\_id'\]) ? $\_POST\['post\_id'\] : '';
24
25
$epbase64 = get\_post\_meta( $post\_id, 'ep\_base\_' .$client\_id, true );
26
$hash\_key = get\_post\_meta( $post\_id, 'hash\_key\_' .$client\_id, true );
28
27
29
28
// Set the decryption key and initialization vector (IV)
…
…
57
56
'success' => true,
58
57
'password' => $password,
59
'embedHtml' => $embed
58
'embedHtml' => $embed,
59
'post\_id' => $post\_id
60
60
);
61
61
…
…
65
65
}
66
66
}
67
67
68
68
69
embedpress/trunk/assets/js/front.js
r2930523
r2950211
325
325
var ep\_client\_id = jQuery(that).closest('form').find('input\[name="ep\_client\_id"\]').val();
326
326
var password = jQuery(\`input\[name="pass\_${ep\_client\_id}"\]\`).val();
327
var epbase = jQuery(\`input\[name="ep\_base\_${ep\_client\_id}"\]\`).val();
328
var hash\_key = jQuery(\`input\[name="hash\_key\_${ep\_client\_id}"\]\`).val();
327
var post\_id = jQuery(\`input\[name="post\_id"\]\`).val();
329
328
const buttonText = jQuery(that).closest('.password-form-container').find('input\[type="submit"\]').val();
330
329
const unlokingText = jQuery(that).data('unlocking-text');
…
…
335
334
'client\_id': ep\_client\_id,
336
335
'password': password,
337
'hash\_key': hash\_key,
338
'epbase': epbase
336
'post\_id': post\_id,
339
337
};
340
338
…
…
443
441
var ep\_client\_id = jQuery(that).closest('form').find('input\[name="ep\_client\_id"\]').val();
444
442
var password = jQuery(\`input\[name="pass\_${ep\_client\_id}"\]\`).val();
445
var epbase = jQuery(\`input\[name="ep\_base\_${ep\_client\_id}"\]\`).val();
446
var hash\_key = jQuery(\`input\[name="hash\_key\_${ep\_client\_id}"\]\`).val();
443
var post\_id = jQuery(\`input\[name="post\_id"\]\`).val();
447
444
const buttonText = jQuery(that).closest('.password-form-container').find('input\[type="submit"\]').val();
448
445
const unlokingText = jQuery(that).data('unlocking-text');
…
…
452
449
'client\_id': ep\_client\_id,
453
450
'password': password,
454
'hash\_key': hash\_key,
455
'epbase': epbase
451
'post\_id': post\_id,
456
452
};
457
453
embedpress/trunk/embedpress.php
r2943389
r2950211
7
7
\* Author: WPDeveloper
8
8
\* Author URI: https://wpdeveloper.com
9
\* Version: 3.8.2
9
\* Version: 3.8.3
10
10
\* Text Domain: embedpress
11
11
\* Domain Path: /languages
…
…
39
39
40
40
if (!defined('EMBEDPRESS\_PLUGIN\_VERSION')) {
41
define('EMBEDPRESS\_PLUGIN\_VERSION', '3.8.2');
41
define('EMBEDPRESS\_PLUGIN\_VERSION', '3.8.3');
42
42
}
43
43
embedpress/trunk/includes.php
r2943389
r2950211
23
23
24
24
if ( ! defined('EMBEDPRESS\_VERSION')) {
25
define('EMBEDPRESS\_VERSION', "3.8.2");
25
define('EMBEDPRESS\_VERSION', "3.8.3");
26
26
/\*\*
27
27
\* @deprecated 2.2.0
embedpress/trunk/providers.php
r2934984
r2950211
16
16
17
17
$host\_url = parse\_url(site\_url());
18
19
18
20
$additionalServiceProviders = \[
19
21
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\GoogleMaps" => \["google.com", "google.com.\*", "maps.google.com", "goo.gl", "google.co.\*"\],
…
…
27
29
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\NRKRadio" => \["radio.nrk.no", "nrk.no"\],
28
30
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\GitHub" => \["gist.github.com", "github.com"\],
29
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\SelfHosted" => \[$host\_url\['host'\]\], // This is provider also uses for Wrapper
30
31
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\SelfHosted" => \[$host\_url\['host'\], "\*.com", "\*.net", "\*.org", "\*.edu", "\*.gov", "\*.mil", "\*.int", "\*.biz", "\*.info", "\*.jobs", "\*.mobi", "\*.name", "\*.aero", "\*.coop", "\*.travel", "\*.museum", "\*.cat", "\*.pro", "\*.tel", "\*.asia", "\*.xxx", "\*.post", "\*.geo", "\*.nato"\],
32
EMBEDPRESS\_NAMESPACE . "\\\\Providers\\\\Gumroad" => \["\*.gumroad.com","gumroad.com"\],
31
33
\];
embedpress/trunk/readme.txt
r2943389
r2950211
7
7
Tested up to: 6.2
8
8
Requires PHP: 5.6
9
Stable tag: 3.8.2
9
Stable tag: 3.8.3
10
10
License: GPLv3 or later
11
11
License URI: https://opensource.org/licenses/GPL-3.0
…
…
382
382
The format is based on \[Keep a Changelog\](http://keepachangelog.com/)
383
383
and this project adheres to \[Semantic Versioning\](http://semver.org/).
384
385
\= \[3.8.3\] - 2023-08-09 =
386
\- Added: Gumroad Embedding support.
387
\- Improved: Wrapper with any public page embedding support.
388
\- Improved: Updated security patch for better performance.
389
\- Fixed: PHP8.2 deprecated issues.
390
\- Few minor bug fixes & improvements.
384
391
385
392
\= \[3.8.2\] - 2023-07-26 =
embedpress/trunk/vendor/priyomukul/wp-notice/src/Dismiss.php
r2751250
r2950211
14
14
private $app = null;
15
15
private $hook = null;
16
private $classes;
17
private $recurrence;
18
private $screens;
19
private $type;
20
private $start;
21
private $dismissible;
22
private $refresh;
23
private $do\_action;
24
private $display\_if;
25
private $capability;
26
27
16
28
17
29
public function \_\_construct( $id, $options, $app ){
embedpress/trunk/vendor/priyomukul/wp-notice/src/Notices.php
r2750342
r2950211
22
22
23
23
private $scripts = null;
24
25
private $dev\_mode;
26
24
27
25
28
public function \_\_get( $name ){