Fix exclusion term handling in search queries: strip prefix before sanitizing, separate negative clauses, and wrap positive expressions to prevent FULLTEXT bypass

ajaydsouza · ajaydsouza · commit d55fe059ed0a · 2026-05-01T00:34:17.000+04:00
- Check exclusion prefix BEFORE stripping operators so the prefix is still present
- Strip prefix before sanitizing term with preg_replace
- Skip empty terms after sanitization
- Collect negative clauses separately and append with AND to prevent FULLTEXT branch from bypassing exclusions
- Wrap positive expression before appending negations
diff --git a/includes/class-better-search-core-query.php b/includes/class-better-search-core-query.php
@@ -850,14 +850,21 @@ public function posts_search( $where, $query ) {
 			}
 
 			foreach ( (array) $search_terms as $term ) {
-				$term = preg_replace( '/[+\-*"~<>()@\']/', '', $term );
-
 				// If there is an $exclusion_prefix, terms prefixed with it should be excluded.
+				// Check BEFORE stripping operators so the prefix is still present.
 				$exclude = $exclusion_prefix && ( substr( $term, 0, 1 ) === $exclusion_prefix );
+				if ( $exclude ) {
+					$term = substr( $term, strlen( $exclusion_prefix ) );
+				}
+				$term = preg_replace( '/[+\-*"~<>()@\']/', '', $term );
+
+				if ( '' === $term ) {
+					continue;
+				}
+
 				if ( $exclude ) {
 					$like_op  = 'NOT LIKE';
 					$andor_op = 'AND';
-					$term     = substr( $term, 1 );
 				} else {
 					$like_op  = 'LIKE';
 					$andor_op = 'OR';
@@ -886,17 +893,25 @@ public function posts_search( $where, $query ) {
 		}
 
 		// Let's do a LIKE search for all other fields.
-		$searchand = '';
+		$searchand        = '';
+		$negative_clauses = array();
 		foreach ( (array) $search_terms as $term ) {
-			$term   = preg_replace( '/[+\-*"~<>()@\']/', '', $term );
+			// Check exclusion BEFORE stripping operators so the prefix is still present.
+			$exclude = $exclusion_prefix && ( substr( $term, 0, 1 ) === $exclusion_prefix );
+			if ( $exclude ) {
+				$term = substr( $term, strlen( $exclusion_prefix ) );
+			}
+			$term = preg_replace( '/[+\-*"~<>()@\']/', '', $term );
+
+			if ( '' === $term ) {
+				continue;
+			}
+
 			$clause = array();
 
-			// If there is an $exclusion_prefix, terms prefixed with it should be excluded.
-			$exclude = $exclusion_prefix && ( substr( $term, 0, 1 ) === $exclusion_prefix );
 			if ( $exclude ) {
 				$like_op  = 'NOT LIKE';
 				$andor_op = ' AND ';
-				$term     = substr( $term, 1 );
 			} else {
 				$like_op  = 'LIKE';
 				$andor_op = ' OR ';
@@ -963,15 +978,28 @@ public function posts_search( $where, $query ) {
 			$clause = apply_filters_ref_array( 'better_search_query_posts_search_clauses', array( $clause, $term, $like_op, $andor_op, $query, &$this ) );
 
 			if ( ! empty( $clause ) ) {
-				$search_clause .= " {$searchand} (" . implode( $andor_op, (array) $clause ) . ') ';
-				$searchand      = ' AND ';
+				if ( $exclude ) {
+					$negative_clauses[] = '(' . implode( $andor_op, (array) $clause ) . ')';
+				} else {
+					$search_clause .= " {$searchand} (" . implode( $andor_op, (array) $clause ) . ') ';
+					$searchand      = ' AND ';
+				}
 			}
 		}
 
 		if ( ! empty( $search_clause ) ) {
 			$search .= " OR ({$search_clause}) ";
 		}
 
+		if ( ! empty( $negative_clauses ) ) {
+			// Wrap the entire positive expression before appending negations, so that
+			// SQL AND-before-OR precedence does not let the FULLTEXT branch bypass the
+			// exclusion clauses (e.g. "-tiger" failing to exclude posts that pass FULLTEXT).
+			// When there are no positive terms, use 1=1 as a neutral base to avoid malformed SQL.
+			$search  = ! empty( $search ) ? '(' . $search . ')' : '1=1';
+			$search .= ' AND ' . implode( ' AND ', $negative_clauses );
+		}
+
 		if ( ! empty( $search ) ) {
 			$where = " AND ({$search}) ";
 
diff --git a/load-freemius.php b/load-freemius.php
@@ -23,22 +23,23 @@ function bsearch_freemius() {
 		require_once __DIR__ . '/vendor/freemius/start.php';
 		$bsearch_freemius = \fs_dynamic_init(
 			array(
-				'id'             => '17020',
-				'slug'           => 'better-search',
-				'premium_slug'   => 'better-search-pro',
-				'type'           => 'plugin',
-				'public_key'     => 'pk_40525301bca835d9836ec4d946693',
-				'is_premium'     => false,
-				'premium_suffix' => 'Pro',
-				'has_addons'     => false,
-				'has_paid_plans' => true,
-				'menu'           => array(
+				'id'               => '17020',
+				'slug'             => 'better-search',
+				'premium_slug'     => 'better-search-pro',
+				'type'             => 'plugin',
+				'public_key'       => 'pk_40525301bca835d9836ec4d946693',
+				'is_premium'       => false,
+				'premium_suffix'   => 'Pro',
+				'has_addons'       => false,
+				'has_paid_plans'   => true,
+				'menu'             => array(
 					'slug'    => 'bsearch_dashboard',
 					'contact' => false,
 					'support' => false,
 					'network' => true,
 				),
-				'is_live'        => true,
+				'is_live'          => true,
+				'is_org_compliant' => true,
 			)
 		);
 	}
diff --git a/readme.txt b/readme.txt
@@ -128,34 +128,50 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro
 = 4.3.0 =
 
 * Features:
+	* [Pro] New: WP-CLI support with comprehensive command-line interface (search, cache, db, stats, settings, tables, status, stopwords commands).
+	* [Pro] Dashboard chart drill-down: click any bar in the daily searches chart to view the popular searches for that day.
 	* [Pro] New InnoDB conversion tool: convert the custom table engine with automatic FULLTEXT index recreation.
 	* [Pro] Scheduled reconciliation cron: a twicedaily job automatically syncs any published posts missing from the custom search index table.
+	* [Pro] New exclusion options: Exclude Front page and Exclude Posts page settings to optionally remove these pages from search results.
+	* [Pro] Network dashboard with popular searches chart and statistics table for multisite networks, accessible from the network admin menu.
 
 * Enhancements:
+	* [Pro] Multisite admin select-all checkboxes and post-copy URL cleanup are now handled by an external JavaScript file (via `wp_enqueue_script`) instead of inline `<script>` blocks — improves compatibility with strict Content Security Policies.
+	* [Pro] Copy-to-clipboard buttons on the tools and custom tables pages are now initialized automatically; no per-block inline script needed.
 	* [Pro] Improved short-term (≤3 character) LIKE searches to score full-word matches higher and order results by relevance.
 	* [Pro] Refactored fuzzy query shaping so `Query_Modifier` owns score construction and request shaping, with `Fuzzy_Search` acting as the fuzzy scoring service.
 	* [Pro] Rewrote soundex function, removed multisite LIMIT cap, and added content scoring for fuzzy search.
 	* [Pro] Added filters for fuzzy search truncation parameters.
 	* [Pro] Centralized exclusion term parsing logic in Helpers class.
+	* [Pro] Custom tables search now supports a FULLTEXT toggle, with improved LIKE-only relevance scoring when FULLTEXT is disabled.
+	* [Pro] Improved multisite search query composition: correctly unwraps fuzzy subqueries before UNION assembly and strips only top-level ORDER BY clauses, preventing malformed SQL.
+	* [Pro] LIKE term matching in custom tables search now uses an EXISTS subquery to avoid unbounded JOINs when the terms table is not already in scope.
+	* [Pro] Database check results are now cached within a request, reducing redundant `SHOW TABLES` queries on pages that check table status multiple times.
+	* [Pro] Dashboard popular searches query result is now cached within a request to avoid repeated database hits.
+	* Refactored Media Handler with a strategy-based thumbnail resolution chain; now also supports ACF Image fields (Image Array, Image ID, Image URL) and plain text URL fields.
 	* Hardened search sanitization and boolean mode validation for more consistent results.
 	* Escaped output in settings forms for improved security.
 
 * Bug fixes:
+	* [Pro] Fixed localized admin script data keys: removed erroneous `.strings.` nesting that caused the cache-clear confirmation and error dialogs to display `undefined`.
+	* Fixed spinner alignment inside action buttons (now displays inline rather than floating).
 	* [Pro] Fixed fuzzy LIKE query SQL issues that could generate duplicate `ID` fields in wrapped sub-queries.
 	* [Pro] Fixed fuzzy search bypassing FULLTEXT exclusions.
 	* [Pro] Fixed inconsistent indentation and table alias qualification in multisite query composition.
 	* [Pro] Disabled fuzzy search when boolean operators are present to prevent conflicts.
+	* Fixed duplicate search query being executed on every non-seamless search page load.
+	* Fixed relevance percentages on paginated search results by stabilizing topscore handling across pages, while reducing unnecessary topscore queries when minimum relevance filtering is not in use.
 	* Fixed placeholder attribute escaping in text field rendering.
 
 
 = 4.2.4 =
 
 * Features:
-	* Better Search form: The "any" post type option label can now be customised when the post type dropdown is enabled.
+	* Better Search form: The “any” post type option label can now be customised when the post type dropdown is enabled.
 	* Media Handler now detects featured images provided by the Featured Image from URL (FIFU) plugin.
 
 * Fixed:
-	* Fixed an issue where selecting "any" post type would search through all post types instead of respecting the configured post types from settings.
+	* Fixed an issue where selecting “any” post type would search through all post types instead of respecting the configured post types from settings.
 	* [Pro] Custom table searches now include post slug matching when “Search post slug” is enabled.
     * [Pro] Fixed SQL syntax error in multisite search queries when custom tables are disabled, caused by malformed GROUP BY clause stripping.
     * Fixed improper stripping of boolean mode operators in LIKE clauses, ensuring consistent behavior between FULLTEXT and LIKE searches.
@@ -232,5 +248,5 @@ For previous changelog entries, please refer to the separate changelog.txt file
 
 == Upgrade Notice ==
 
- = 4.3.0 =
-Fixes post type selection to respect configured settings when "any" is selected.
+= 4.3.0 =
+Adds WP-CLI support, dashboard chart drill-down, an InnoDB conversion tool, scheduled index reconciliation, and a network admin dashboard for multisite. Includes a fuzzy search refactor and a long list of stability fixes.
diff --git a/vendor/freemius/assets/js/pricing/freemius-pricing.js b/vendor/freemius/assets/js/pricing/freemius-pricing.js
diff --git a/vendor/freemius/includes/class-freemius.php b/vendor/freemius/includes/class-freemius.php
@@ -6558,10 +6558,7 @@ private function maybe_schedule_sync_cron() {
             $next_schedule = $this->next_sync_cron();
 
             // The event is properly scheduled, so no need to reschedule it.
-            if (
-                is_numeric( $next_schedule ) &&
-                $next_schedule > time()
-            ) {
+            if ( is_numeric( $next_schedule ) ) {
                 return;
             }
 
@@ -7098,7 +7095,6 @@ private function add_sticky_optin_admin_notice() {
          */
         function _enqueue_connect_essentials() {
             wp_enqueue_script( 'jquery' );
-            wp_enqueue_script( 'json2' );
 
             fs_enqueue_local_script( 'postmessage', 'nojquery.ba-postmessage.js' );
             fs_enqueue_local_script( 'fs-postmessage', 'postmessage.js' );
@@ -17436,7 +17432,7 @@ function setup_network_account(
                 FS_User_Lock::instance()->unlock();
             }
 
-            if ( 1 < count( $installs ) ) {
+            if ( 1 < count( $installs ) || fs_is_network_admin() ) {
                 // Only network level opt-in can have more than one install.
                 $is_network_level_opt_in = true;
             }
diff --git a/vendor/freemius/includes/class-fs-plugin-updater.php b/vendor/freemius/includes/class-fs-plugin-updater.php
@@ -540,9 +540,32 @@ function pre_set_site_transient_update_plugins_filter( $transient_data ) {
                 return $transient_data;
             }
 
+            // Alias.
+            $basename = $this->_fs->premium_plugin_basename();
+
             global $wp_current_filter;
 
-            if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+            /**
+             * During bulk updates, avoid re-injecting update data for the plugin itself once it has already been updated.
+             *
+             * If the custom package is re-added to the transient after the plugin update, WordPress may detect the package again and incorrectly report "The plugin is at the latest version" for a pending update, since the custom package version matches the currently installed version.
+             *
+             * Behavior differs depending on how the bulk update is triggered. Please refer to the inline comments for each flow below for details.
+             */
+            if (
+                ! empty( $wp_current_filter ) && (
+                    /**
+                     * update-core.php and other upgrader pages:
+                     * The `upgrader_process_complete` action fires only once after all updates have finished. In this case, it is the current action (`$wp_current_filter[0]`), while `self::$_upgrade_basename` may contain any plugin basename.
+                     */
+                    'upgrader_process_complete' === $wp_current_filter[0] ||
+                    /**
+                     * AJAX bulk updates (e.g., from the Plugins page):
+                     * The `upgrader_process_complete` action fires multiple times — once for each plugin after it finishes updating. In this flow, it is not the current action (`$wp_current_filter[0]`) because it is triggered from another action. Instead, we compare `self::$_upgrade_basename` with the basename of the plugin currently being updated, since the `upgrader_process_complete` action runs separately for each plugin.
+                     */
+                    ( in_array( 'upgrader_process_complete', $wp_current_filter ) && self::$_upgrade_basename === $basename )
+                )
+            ) {
                 return $transient_data;
             }
 
@@ -566,9 +589,6 @@ function pre_set_site_transient_update_plugins_filter( $transient_data ) {
                 }
             }
 
-            // Alias.
-            $basename = $this->_fs->premium_plugin_basename();
-
             if ( is_object( $this->_update_details ) ) {
                 if ( isset( $transient_data->no_update ) ) {
                     unset( $transient_data->no_update[ $basename ] );
diff --git a/vendor/freemius/includes/fs-essential-functions.php b/vendor/freemius/includes/fs-essential-functions.php
@@ -10,6 +10,9 @@
 	 * @license     https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
 	 * @since       1.1.5
 	 */
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
 
 	if ( ! function_exists( 'fs_normalize_path' ) ) {
 		if ( function_exists( 'wp_normalize_path' ) ) {
diff --git a/vendor/freemius/includes/managers/class-fs-contact-form-manager.php b/vendor/freemius/includes/managers/class-fs-contact-form-manager.php
@@ -77,7 +77,7 @@ public function get_standalone_link( Freemius $fs ) {
 			$query_params = $this->get_query_params( $fs );
 
 			$query_params['is_standalone'] = 'true';
-			$query_params['parent_url']    = admin_url( add_query_arg( null, null ) );
+			$query_params['parent_url']    = admin_url( add_query_arg( '', '' ) );
 
 			return WP_FS__ADDRESS . '/contact/?' . http_build_query( $query_params );
 		}
diff --git a/vendor/freemius/includes/managers/class-fs-debug-manager.php b/vendor/freemius/includes/managers/class-fs-debug-manager.php
@@ -6,6 +6,9 @@
      * @package   Freemius
      * @since     2.6.2
      */
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
 
     class FS_DebugManager {
 
diff --git a/vendor/freemius/start.php b/vendor/freemius/start.php
@@ -15,7 +15,7 @@
 	 *
 	 * @var string
 	 */
-	$this_sdk_version = '2.13.0';
+	$this_sdk_version = '2.13.1';
 
 	#region SDK Selection Logic --------------------------------------------------------------------
 
diff --git a/vendor/freemius/templates/account.php b/vendor/freemius/templates/account.php
@@ -252,6 +252,8 @@
     $available_license_paid_plan = is_object( $available_license ) ?
         $fs->_get_plan_by_id( $available_license->plan_id ) :
         null;
+
+    $is_dev_mode = ( defined( 'WP_FS__DEV_MODE' ) && WP_FS__DEV_MODE );
 ?>
 	<div class="wrap fs-section">
 		<?php if ( ! $has_tabs && ! $fs->apply_filters( 'hide_account_tabs', false ) ) : ?>
@@ -787,7 +789,7 @@ class="fs-tag fs-<?php echo $fs->can_use_premium_code() ? 'success' : 'warn' ?>"
 											<th><?php echo esc_html( $plan_text ) ?></th>
 											<th><?php fs_esc_html_echo_x_inline( 'License', 'as software license', 'license', $slug ) ?></th>
 											<th></th>
-											<?php if ( defined( 'WP_FS__DEV_MODE' ) && WP_FS__DEV_MODE ) : ?>
+											<?php if ( $is_dev_mode ) : ?>
 												<th></th>
 											<?php endif ?>
 										</tr>
@@ -853,10 +855,20 @@ class="fs-tag fs-<?php echo $fs->can_use_premium_code() ? 'success' : 'warn' ?>"
                                                     'is_whitelabeled'                => ( $is_whitelabeled && ! $is_data_debug_mode )
 												);
 
-												fs_require_template(
-													'account/partials/addon.php',
-													$addon_view_params
-												);
+												if ( ! empty($addon_view_params['addon_info'] ) ) {
+													fs_require_template(
+														'account/partials/addon.php',
+														$addon_view_params
+													);
+												} else {
+													// If we are here it means there is an activation of an unreleased add-on and yet the SDK is not in development mode.
+													echo '<tr>';
+													echo '<td style="text-align: right;">' . esc_html( $addon_id ) . '</td>';
+													echo '<td colspan="' . ( $is_dev_mode ? 6 : 5 ) . '" style="text-align: left;">';
+													echo 'The add-on you have activated is no longer <a href="https://freemius.com/help/documentation/wordpress/selling-add-ons-extensions/#preparing-the-add-on-for-sale" rel="noreferrer noopener" target="_blank">listed</a> by the product owner, or the SDK is not running in <a href="https://freemius.com/help/documentation/wordpress-sdk/testing/" rel="noreferrer noopener" target="_blank">test mode</a>. Please <a href="' . esc_url( $fs->contact_url() ) . '">contact support</a> if you need further assistance.';
+													echo '</td>';
+													echo '</tr>';
+												}
 
 												$odd = ! $odd;
 											} ?>
diff --git a/vendor/freemius/templates/checkout.php b/vendor/freemius/templates/checkout.php
@@ -5,7 +5,9 @@
 	 * @license     https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
 	 * @since       2.9.0
 	 */
-
+    if ( ! defined( 'ABSPATH' ) ) {
+        exit;
+    }
 	/**
 	 * @var array    $VARS
 	 * @var Freemius $fs
diff --git a/vendor/freemius/templates/checkout/frame.php b/vendor/freemius/templates/checkout/frame.php
@@ -35,7 +35,6 @@
 	}
 
 	wp_enqueue_script( 'jquery' );
-	wp_enqueue_script( 'json2' );
 	fs_enqueue_local_script( 'postmessage', 'nojquery.ba-postmessage.js' );
 	fs_enqueue_local_script( 'fs-postmessage', 'postmessage.js' );
 	fs_enqueue_local_script( 'fs-form', 'jquery.form.js', array( 'jquery' ) );
diff --git a/vendor/freemius/templates/checkout/process-redirect.php b/vendor/freemius/templates/checkout/process-redirect.php
@@ -25,7 +25,6 @@
 	$fs_checkout->verify_checkout_redirect_nonce( $fs );
 
 	wp_enqueue_script( 'jquery' );
-	wp_enqueue_script( 'json2' );
 	fs_enqueue_local_script( 'fs-form', 'jquery.form.js', array( 'jquery' ) );
 
 	$action = fs_request_get( '_fs_checkout_action' );
diff --git a/vendor/freemius/templates/contact.php b/vendor/freemius/templates/contact.php
@@ -44,7 +44,6 @@
 	}
 
 	wp_enqueue_script( 'jquery' );
-	wp_enqueue_script( 'json2' );
 	fs_enqueue_local_script( 'postmessage', 'nojquery.ba-postmessage.js' );
 	fs_enqueue_local_script( 'fs-postmessage', 'postmessage.js' );
 	fs_enqueue_local_style( 'fs_checkout', '/admin/common.css' );
diff --git a/vendor/freemius/templates/debug.php b/vendor/freemius/templates/debug.php
@@ -257,6 +257,10 @@ function stopCountdownManually() {
             'key' => 'WP_FS__DIR',
             'val' => WP_FS__DIR,
         ),
+        array(
+            'key' => 'DISABLE_WP_CRON',
+            'val' => defined( 'DISABLE_WP_CRON' ) ? ( DISABLE_WP_CRON ? 'true' : 'false' ) : 'Not defined',
+        ),
         array(
             'key' => 'wp_using_ext_object_cache()',
             'val' => wp_using_ext_object_cache() ? 'true' : 'false',
@@ -282,7 +286,11 @@ function stopCountdownManually() {
                 echo ' class="alternate"';
             } ?>>
                 <td><?php echo $p['key'] ?></td>
-                <td><?php echo $p['val'] ?></td>
+                <td><?php echo $p['val'] ?><?php
+                    if ( 'DISABLE_WP_CRON' === $p['key'] && 'true' === $p['val'] ) {
+                        echo '<p><small><strong>Freemius SDK’s sync cron jobs will not run unless an alternative server-side cron is set up.</strong></small></p>';
+                    }
+                ?></td>
             </tr>
             <?php $alternate = ! $alternate ?>
         <?php endforeach ?>
diff --git a/vendor/freemius/templates/pricing.php b/vendor/freemius/templates/pricing.php

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ public function get_standalone_link( Freemius $fs ) {`
`77`	`77`	`$query_params = $this->get_query_params( $fs );`
`78`	`78`
`79`	`79`	`$query_params['is_standalone'] = 'true';`
`80`		`- $query_params['parent_url'] = admin_url( add_query_arg( null, null ) );`
	`80`	`+ $query_params['parent_url'] = admin_url( add_query_arg( '', '' ) );`
`81`	`81`
`82`	`82`	`return WP_FS__ADDRESS . '/contact/?' . http_build_query( $query_params );`
`83`	`83`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@`
`15`	`15`	`*`
`16`	`16`	`* @var string`
`17`	`17`	`*/`
`18`		`- $this_sdk_version = '2.13.0';`
	`18`	`+ $this_sdk_version = '2.13.1';`
`19`	`19`
`20`	`20`	`#region SDK Selection Logic --------------------------------------------------------------------`
`21`	`21`