Merge pull request #1023 from WPChill/gallery-export-security

2.9.2
WPChill · Aug 29, 2024 · bb54461 · bb54461
2 parents 71a1784 + 09000e9
commit bb54461
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 4 deletions.
diff --git a/Modula.php b/Modula.php
@@ -4,7 +4,7 @@
 * Plugin URI:               https://wp-modula.com/
 * Description:              Modula is the most powerful, user-friendly WordPress gallery plugin. Add galleries, masonry grids and more in a few clicks.
 * Author:                   WPChill
-* Version:                  2.9.1
+* Version:                  2.9.2
 * Author URI:               https://www.wpchill.com/
 * License:                  GPLv3 or later
 * License URI:              http://www.gnu.org/licenses/gpl-3.0.html
@@ -47,7 +47,7 @@
  * @since    2.0.2
  */
 
-define( 'MODULA_LITE_VERSION', '2.9.1' );
+define( 'MODULA_LITE_VERSION', '2.9.2' );
 define( 'MODULA_PATH', plugin_dir_path( __FILE__ ) );
 define( 'MODULA_URL', plugin_dir_url( __FILE__ ) );
 defined( 'MODULA_PRO_STORE_URL' ) || define( 'MODULA_PRO_STORE_URL', 'https://wp-modula.com' );

diff --git a/changelog.txt b/changelog.txt
@@ -1,3 +1,6 @@
+= 2.9.2 - 29.08.2024 =
+Fixed: Security fix for Gallery CPT export
+
 = 2.9.1 - 14.08.2024 =
 Fixed: PHP warning: undefined key. ( [#1018]( https://github.com/WPChill/modula-lite/issues/1018) )
 Added: RTL elements orientation option added to isotope script. ( [#987]( https://github.com/WPChill/modula-lite/issues/987) )

diff --git a/includes/admin/class-modula-debug.php b/includes/admin/class-modula-debug.php
@@ -142,6 +142,18 @@ public function modula_debug_information( $info ) {
 	 * @since 2.5.0
 	 */
 	public function modula_export_gallery() {
+		// Check if nonce is set.
+		if ( ! isset( $_GET['nonce'] ) ) {
+			return;
+		}
+		// Check if nonce is valid.
+		if ( ! wp_verify_nonce( $_GET['nonce'], 'download_single_gallery' ) ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
+			return;
+		}
+		// Check if user has edit permissions.
+		if ( ! current_user_can( 'edit_posts' ) ) {
+			return;
+		}
 
 		if ( isset( $_GET['modula_single_download'] ) ) {
 
@@ -347,6 +359,7 @@ public function output_debug_meta() {
 							add_query_arg(
 								array(
 									'modula_single_download' => absint( get_the_ID() ),
+									'nonce'                  => wp_create_nonce( 'download_single_gallery' ),
 								)
 							)
 						);

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "modula-best-grid-gallery",
-	"version": "2.9.1",
+	"version": "2.9.2",
 	"description": "Modula Image Gallery build tools",
 	"author": "WPChill",
 	"license": "GPL-2.0-or-later",

diff --git a/readme.txt b/readme.txt
@@ -4,7 +4,7 @@ Tags: best gallery plugin, image gallery, video gallery, free gallery, wordpress
 Requires at least: 5.3
 Tested up to: 6.6
 Requires PHP: 5.6
-Stable tag: 2.9.1
+Stable tag: 2.9.2
 
 License: GNU General Public License v3.0 or later
 The WordPress gallery plugin that's highly customizable & you can use to impress your clients. Create beautiful image galleries in minutes.
@@ -154,6 +154,9 @@ Free support is included only with a PRO license: [Buy Modula PRO](https://wp-mo
 4. Responsive galleries created with Modula
 
 == Changelog ==
+= 2.9.2 - 29.08.2024 =
+Fixed: Security fix for Gallery CPT export
+
 = 2.9.1 - 14.08.2024 =
 Fixed: PHP warning: undefined key. ( [#1018]( https://github.com/WPChill/modula-lite/issues/1018) )
 Added: RTL elements orientation option added to isotope script. ( [#987]( https://github.com/WPChill/modula-lite/issues/987) )