Merge commit from fork

Fix: CSRF Vulnerability on `save_default_avatar_file_id` function
10up · Jul 18, 2024 · 91c21a0 · 91c21a0
2 parents 469865d + 4620c19
commit 91c21a0
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/includes/class-simple-local-avatars.php b/includes/class-simple-local-avatars.php
@@ -1476,6 +1476,7 @@ public function add_avatar_default_field( $defaults ) {
 		?>
 		<input type="hidden" name="simple-local-avatar-file-id" id="simple-local-avatar-file-id" value="<?php echo ! empty( $default_avatar_file_id ) ? esc_attr( $default_avatar_file_id ) : ''; ?>"/>
 		<input type="hidden" name="simple-local-avatar-file-url" id="simple-local-avatar-file-url" value="<?php echo ! empty( $default_avatar_file_url ) ? esc_url( $default_avatar_file_url ) : ''; ?>"/>
+		<?php wp_nonce_field( 'simple_local_avatar_default', 'simple-local-avatar-file-wpnonce' ); ?>
 		<input type="button" name="simple-local-avatar" id="simple-local-avatar-default" class="button-secondary" value="<?php esc_attr_e( 'Choose Default Avatar', 'simple-local-avatar' ); ?>"/>
 		<p class="description" style="margin-left: 23px;"><?php esc_html_e( 'Note that this avatar needs to be publicly available or a broken image will be shown.', 'simple-local-avatar' ); ?></p>
 		<?php
@@ -1490,6 +1491,11 @@ public function add_avatar_default_field( $defaults ) {
 	private function save_default_avatar_file_id() {
 		global $pagenow;
 
+		// Check if nonce is set.
+		if ( ! isset( $_POST['simple-local-avatar-file-wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['simple-local-avatar-file-wpnonce'] ) ), 'simple_local_avatar_default' ) ) {
+			return;
+		}
+
 		$file_id = filter_input( INPUT_POST, 'simple-local-avatar-file-id', FILTER_SANITIZE_NUMBER_INT );
 
 		// check for uploaded files