Skip to content

Release#1334

Merged
vytisbulkevicius merged 4 commits into
masterfrom
development
Jul 10, 2026
Merged

Release#1334
vytisbulkevicius merged 4 commits into
masterfrom
development

Conversation

@vytisbulkevicius

Copy link
Copy Markdown
Contributor
  • Enhanced security

pirate-bot and others added 4 commits June 30, 2026 13:29
The `getJsonRoots()` and `getJsonData()` AJAX handlers verified only a
nonce before fetching a user-supplied URL server-side, and the fetch used
the unsafe `wp_remote_request()`. A Contributor (edit_posts) could read the
nonce from the chart editor and make WordPress fetch arbitrary internal
URLs, with the response reflected back (non-blind SSRF).

- Add a `current_user_can( 'edit_posts' )` guard to both handlers, matching
  the sibling AJAX handlers in the file.
- Switch `Visualizer_Source_Json::connect()` to `wp_safe_remote_request()`,
  matching the SSRF-safe transport already used by the CSV/remote path.
- Add regression tests covering the capability guard and safe transport.

Fixes Codeinwp/visualizer-pro#591

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
fix: prevent SSRF via JSON import handlers
@pirate-bot

Copy link
Copy Markdown
Contributor

Plugin build for 5c3946e is ready 🛎️!

@vytisbulkevicius vytisbulkevicius merged commit 73770b6 into master Jul 10, 2026
8 of 9 checks passed
@pirate-bot

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 4.0.5 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@pirate-bot pirate-bot added the released Indicate that an issue has been resolved and released in a particular version of the product. label Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

compatibility-reviewed released Indicate that an issue has been resolved and released in a particular version of the product.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants