Merge pull request #865 from wpdev10/master

Fix security issue in register form builder reorder fields

Author: wpdev10

admin/assets/js/uwp-form-builder.js

@@ -206,9 +206,10 @@
          */
         updateFieldOrder: function ($sortable) {
             const manageFieldType = $sortable.closest('#uwp-selected-fields').find(".manage_field_type").val();
+            const nonce = $sortable.closest('#uwp-selected-fields').find(".uwp_create_field_nonce").val();
             const order = $sortable.sortable("serialize") + '&update=update&manage_field_type=' + manageFieldType;
             const formId = $('[name="manage_field_form_id"]').val();
-            const formIdParam = '&form_id=' + formId;
+            const formIdParam = '&form_id=' + formId + '&_wpnonce=' + nonce;
             const actionType = UWP.Form_Builder.getActionType(manageFieldType);
             const action = actionType.action;
 

admin/assets/js/uwp-form-builder.min.js

@@ -1107,6 +1107,7 @@ public function custom_selected_fields( $form_type ) {
 		?>
         <input type="hidden" name="form_type" id="form_type" value="<?php echo esc_attr( $form_type ); ?>"/>
         <input type="hidden" name="manage_field_type" class="manage_field_type" value="custom_fields">
+        <input type="hidden" name="uwp_create_field_nonce" class="uwp_create_field_nonce" value="<?php echo wp_create_nonce( 'uwp_create_field_nonce' ); ?>"/>
         <ul class="core uwp-tabs-selected uwp_form_extras ps-0 list-group">
 			<?php
 			// Retrieve fields saved with form id 0.
@@ -1852,6 +1853,7 @@ public function register_selected_fields( $form_type ) {
 		$form_id           = self::get_form_id()
 		?>
         <input type="hidden" name="manage_field_type" class="manage_field_type" value="register">
+        <input type="hidden" name="uwp_create_field_nonce" class="uwp_create_field_nonce" value="<?php echo wp_create_nonce( 'uwp_create_field_nonce' ); ?>"/>
         <ul class="core uwp_form_extras uwp-tabs-selected  ps-0 list-group ">
         <?php
 
@@ -2522,7 +2524,10 @@ public function create_field() {
 
 		/* ------- check nonce field ------- */
 		if ( isset( $_REQUEST['update'] ) && $_REQUEST['update'] == 'update' && isset( $_REQUEST['create_field'] ) && isset( $_REQUEST['manage_field_type'] ) && $_REQUEST['manage_field_type'] == 'custom_fields' ) {
-			echo $this->set_field_order( $field_ids, $form_id ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
+            if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'uwp_create_field_nonce' ) ) {
+                return;
+            }
+            echo $this->set_field_order( $field_ids, $form_id ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped
 		}
 
 		/* ---- Show field form in admin ---- */
@@ -3211,8 +3216,12 @@ public function register_ajax_handler() {
 			$field_id     = isset( $_REQUEST['field_id'] ) ? trim( sanitize_text_field( $_REQUEST['field_id'] ), '_' ) : '';
 			$field_action = isset( $_REQUEST['field_ins_upd'] ) ? sanitize_text_field( $_REQUEST['field_ins_upd'] ) : '';
 
-			/* ------- check nonce field ------- */
-			if ( isset( $_REQUEST['update'] ) && $_REQUEST['update'] == 'update' ) {
+			/* ------- update order of fields ------- */
+			if ( isset( $_REQUEST['update'] ) && $_REQUEST['update'] == 'update' && isset( $_REQUEST['_wpnonce'] )) {
+                if ( ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'uwp_create_field_nonce' ) ) {
+                    return;
+                }
+
 				$field_ids = array();
 				if ( ! empty( $_REQUEST['licontainer'] ) && is_array( $_REQUEST['licontainer'] ) ) {
 					foreach ( $_REQUEST['licontainer'] as $lic_id ) {

admin/settings/class-formbuilder.php

@@ -15,7 +15,7 @@
 if ( ! class_exists( 'UsersWP_Settings_User_Sorting', false ) ) {
 
 	/**
-	 * UsersWP_Settings_Email.
+	 * UsersWP_Settings_User_Sorting.
 	 */
 	class UsersWP_Settings_User_Sorting {