Merge pull request #8 from HelloAsso/sec/broken-access-control

fix broken access control

Author: rockynox

README.txt

@@ -5,7 +5,7 @@ Tags: helloasso, paiement, association, crowdfunding, don
 Requires at least: 4.0
 Tested up to: 6.4.3
 Requires PHP: 7.2.34
-Stable tag: 1.1.10
+Stable tag: 1.1.11
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -81,6 +81,9 @@ https://www.youtube.com/watch?v=Bjaqc_Yun8g
 
 == Changelog ==
 
+= 1.1.11 =
+* Correction d'une faille Broken Access Control
+
 = 1.1.10 =
 * Correction d'une faille XSS possible sur l'insertion de l'iframe
 

admin/class-hello-asso-admin.php

@@ -456,6 +456,10 @@ function sanitizeArray($data = array()) {
 
 		function ha_ajax() {
 			check_ajax_referer('helloassosecuritytoken11', 'security');
+		
+			if ( ! is_user_logged_in() || ! current_user_can('manage_options') ) {
+				wp_die('Vous n’avez pas les droits nécessaires pour exécuter cette action.');
+			}
 
 			if (!isset($_POST['campaign']) or $_POST['campaign'] == '') {
 				$campaign = array();

hello-asso.php

@@ -16,7 +16,7 @@
  * Plugin Name:       HelloAsso
  * Plugin URI:        https://centredaide.helloasso.com/s/article/paiement-en-ligne-wordpress-integrer-vos-campagnes-helloasso
  * Description:       HelloAsso est la solution gratuite des associations pour collecter des paiements et des dons sur internet.
- * Version:           1.1.10
+ * Version:           1.1.11
  * Author:            HelloAsso
  * Author URI:        https://helloasso.com
  * License:           GPL-2.0+
@@ -36,7 +36,7 @@
  * Start at version 1.0.0 and use SemVer - https://semver.org
  * Rename this for your plugin and update it as you release new versions.
  */
-define('HELLO_ASSO_VERSION', '1.1.10');
+define('HELLO_ASSO_VERSION', '1.1.11');
 
 /**
  * The code that runs during plugin activation.