security issue fixing

WPDevelopers · Feb 24, 2024 · d938194 · d938194
1 parent 929a4e7
commit d938194
Show file tree

Hide file tree

Showing 7 changed files with 63 additions and 3 deletions.
diff --git a/assets/gutenberg/social-share.js b/assets/gutenberg/social-share.js
@@ -129,6 +129,7 @@ const SocialShare = ( { is_pro_active } ) => {
             return;
           }
           profile.postid = postid;
+          profile.nonce = WPSchedulePostsFree?.nonce;
           let queryParams = profile;
           const apiUrl = '/wp-scheduled-posts/v1/instant-social-share';
           fetchSocialProfileData(apiUrl,queryParams).then( (res) => {

diff --git a/assets/js/wpsp-socialprofile.js b/assets/js/wpsp-socialprofile.js
@@ -63,9 +63,11 @@ jQuery(document).ready(function ($) {
                  */
                 $.each(response.profile, function (profile, profileKey) {
                     Object.keys(profileKey).forEach(function (key) {
+                        const nonce = wpscpSocialProfile?.nonce;
                         var data = {
                             action: 'wpscp_instant_social_single_profile_share',
                             platform: profile,
+                            nonce : nonce,
                             platformKey: key,
                             postid: postid,
                             pinterest_board_type: pinterestBoardType,

diff --git a/assets/js/wpspl-admin.min.js b/assets/js/wpspl-admin.min.js
diff --git a/includes/Admin/Settings/app/Settings/helper/helper.ts b/includes/Admin/Settings/app/Settings/helper/helper.ts
@@ -71,8 +71,11 @@ export const generateTabURL = () => {
 // Send API request for fetch url
 export const socialProfileRequestHandler = async (redirectURI, appID, appSecret, platform, openIDConnect = false) => {
     const account_type = localStorage.getItem('account_type');
+    // @ts-ignore 
+    const nonce = wpspSettingsGlobal?.api_nonce;
     const data = {
         action: 'wpsp_social_add_social_profile',
+        nonce: nonce,
         redirectURI: redirectURI,
         appId: appID,
         appSecret: appSecret,
@@ -102,8 +105,11 @@ export const socialProfileRequestHandler = async (redirectURI, appID, appSecret,
 };
 
 export const getProfileData = async (params) => {
+    // @ts-ignore 
+    const nonce = wpspSettingsGlobal?.api_nonce;
     const data = {
         action: "wpsp_social_profile_fetch_user_info_and_token",
+        nonce : nonce,
         type: params.get("type"),
         appId: params.get("appId"),
         appSecret: params.get("appSecret"),

diff --git a/includes/Assets.php b/includes/Assets.php
@@ -46,6 +46,7 @@ public function guten_scripts()
         wp_enqueue_style(WPSP_PLUGIN_SLUG.'-icon', WPSP_ADMIN_URL . 'Settings/assets/icon/style.css', array(), WPSP_VERSION );
         wp_enqueue_script('wps-publish-button', WPSP_ASSETS_URI . 'js/wpspl-admin.min.js', array('wp-components', 'wp-data', 'wp-edit-post', 'wp-editor', 'wp-element', 'wp-i18n', 'wp-plugins'), WPSP_VERSION, true);
         wp_localize_script('wps-publish-button', 'WPSchedulePostsFree', array(
+            'nonce'                               => wp_create_nonce('wpscp-pro-social-profile'),
             'publishImmediately'                  => __('Current Date', 'wp-scheduled-posts'),
             'publishFutureDate'                   => __('Future Date', 'wp-scheduled-posts'),
             'publish_button_off'                  => \WPSP\Helper::get_settings('show_publish_post_button'),

diff --git a/includes/Social/InstantShare.php b/includes/Social/InstantShare.php
@@ -268,7 +268,7 @@ public function instant_share_metabox_data_save($post_id, $post)
      */
     public function instant_share_fetch_profile()
     {
-        if( !current_user_can('edit_post') ) {
+        if( !current_user_can('manage_options') ) {
             wp_send_json_error( [ 'message' => __('You are unauthorized to access social profiles.', 'wp-scheduled-posts') ], 401 );
             wp_die();
         }
@@ -343,6 +343,19 @@ public function instant_share_fetch_profile()
 
     public function instant_social_single_profile_share($params)
     {
+        // Verify nonce
+        $nonce = sanitize_text_field($_GET['nonce']);
+        if (!wp_verify_nonce($nonce, 'wpscp-pro-social-profile')) {
+            wp_send_json_error(['message' => __('Invalid nonce.', 'wp-scheduled-posts')], 401);
+            die();
+        }
+
+        // Check user capability
+        if( !current_user_can('manage_options') ) {
+            wp_send_json_error( [ 'message' => __('You are unauthorized to access social profiles.', 'wp-scheduled-posts') ], 401 );
+            wp_die();
+        }
+
         $postid = intval($_GET['postid']);
         $platform = (isset($_GET['platform']) ? $_GET['platform'] : '');
         $profileID = (isset($_GET['id']) ? $_GET['id'] : '');

diff --git a/includes/Social/SocialProfile.php b/includes/Social/SocialProfile.php
@@ -139,8 +139,19 @@ public function facebookGetGroupDetails($access_token)
     public function social_profile_fetch_pinterest_section($params)
     {
        if( wp_doing_ajax() ) {
-        $params = $_POST;
+            $params = $_POST;
+            // Verify nonce
+            $nonce = sanitize_text_field($_POST['_wpnonce']);
+            if (!wp_verify_nonce($nonce, 'wp_rest')) {
+                wp_send_json_error(['message' => __('Invalid nonce.', 'wp-scheduled-posts')], 401);
+                die();
+            }
+            if( !current_user_can('manage_options') ) {
+                wp_send_json_error( [ 'message' => __('You are unauthorized to access social profiles.', 'wp-scheduled-posts') ], 401 );
+                wp_die();
+            }
        }
+
         $defaultBoard = (isset($params['defaultBoard']) ? $params['defaultBoard'] : '');
         $profile = (isset($params['profile']) ? $params['profile'] : '');
         if(!is_array($profile)){
@@ -166,6 +177,19 @@ public function social_profile_fetch_pinterest_section($params)
      */
     public function social_profile_fetch_user_info_and_token()
     {
+        // Verify nonce
+        $nonce = sanitize_text_field($_POST['nonce']);
+        if (!wp_verify_nonce($nonce, 'wp_rest')) {
+            wp_send_json_error(['message' => __('Invalid nonce.', 'wp-scheduled-posts')], 401);
+            die();
+        }
+
+        // Check user capability
+        if( !current_user_can('manage_options') ) {
+            wp_send_json_error( [ 'message' => __('You are unauthorized to access social profiles.', 'wp-scheduled-posts') ], 401 );
+            wp_die();
+        }
+
         $type          = (isset($_POST['type']) ? $_POST['type'] : '');
         $code          = (isset($_POST['code']) ? $_POST['code'] : '');
         $app_id        = (isset($_POST['appId']) ? $_POST['appId'] : '');
@@ -441,6 +465,19 @@ public function social_profile_fetch_user_info_and_token()
      */
     public function add_social_profile()
     {
+         // Verify nonce
+        $nonce = sanitize_text_field($_POST['nonce']);
+        if (!wp_verify_nonce($nonce, 'wp_rest')) {
+            wp_send_json_error(['message' => __('Invalid nonce.', 'wp-scheduled-posts')], 401);
+            die();
+        }
+
+        // Check user capability
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error(['message' => __('You are unauthorized to access social profiles.', 'wp-scheduled-posts')], 401);
+            die();
+        }
+
         $request = $_POST;
         $type = (isset($_POST['type']) ? $_POST['type'] : '');
         $app_id = (isset($_POST['appId']) ? $_POST['appId'] : '');