From 06259aa0c64c035218162c16a4e78dd6cab768b1 Mon Sep 17 00:00:00 2001
From: Oleksandr Mykhailenko <mihaskep@gmail.com>
Date: Wed, 18 Jan 2023 23:20:20 +0200
Subject: [PATCH] De 933 check possible security issues for wordpress mailgun
 plugin (#156)

* Changed `Tested Up` version of WP

* Changed `Tested Up` version of WP

* Fix bug with wp_mail filter. release new version

* Fix possible security issues. In progress

* Sanitizing and escaping vars. Possible security issues

Fix possible security issues. In progress
---
 includes/admin.php        |  6 +++---
 includes/lists-page.php   | 10 +++++-----
 includes/mg-filter.php    |  2 +-
 includes/options-page.php | 24 ++++++++++++------------
 includes/widget.php       | 10 +++++-----
 mailgun.php               | 28 ++++++++++++++--------------
 readme.md                 |  5 ++++-
 readme.txt                |  5 ++++-
 8 files changed, 48 insertions(+), 42 deletions(-)

diff --git a/includes/admin.php b/includes/admin.php
index c0499f6..8519a91 100755
--- a/includes/admin.php
+++ b/includes/admin.php
@@ -67,7 +67,7 @@ public function __construct()
      */
     public function init()
     {
-        $sitename = strtolower($_SERVER['SERVER_NAME']);
+        $sitename = sanitize_text_field(strtolower($_SERVER['SERVER_NAME']));
         if (substr($sitename, 0, 4) === 'www.') {
             $sitename = substr($sitename, 4);
         }
@@ -166,7 +166,7 @@ public function admin_footer_js()
                         ajaxurl,
                         {
                             action: 'mailgun-test',
-                            _wpnonce: '<?php echo wp_create_nonce(); ?>'
+                            _wpnonce: '<?php echo esc_attr(wp_create_nonce()); ?>'
                         }
                     )
                         .complete(function () {
@@ -386,7 +386,7 @@ public function ajax_send_test()
         nocache_headers();
         header('Content-Type: application/json');
 
-        if (!current_user_can('manage_options') || !wp_verify_nonce($_GET['_wpnonce'])):
+        if (!current_user_can('manage_options') || !wp_verify_nonce(sanitize_text_field($_GET['_wpnonce']))):
             die(
             json_encode(array(
                 'message' => __('Unauthorized', 'mailgun'),
diff --git a/includes/lists-page.php b/includes/lists-page.php
index 1ca4dea..1719f79 100644
--- a/includes/lists-page.php
+++ b/includes/lists-page.php
@@ -46,7 +46,7 @@
 
     <span class="alignright">
         <a target="_blank" href="http://www.mailgun.com/">
-            <img src="<?php echo $icon?>" alt="Mailgun" style="width: 50px;"/>
+            <img src="<?php echo esc_attr($icon)?>" alt="Mailgun" style="width: 50px;"/>
         </a>
     </span>
 
@@ -54,7 +54,7 @@
 
     <?php settings_fields('mailgun'); ?>
 
-    <h3><?php _e('Available Mailing Lists', 'mailgun'); ?> | <a href="<?php echo admin_url('options-general.php?page=mailgun'); ?>">Back to settings</a></h3>
+    <h3><?php _e('Available Mailing Lists', 'mailgun'); ?> | <a href="<?php echo esc_attr(admin_url('options-general.php?page=mailgun')); ?>">Back to settings</a></h3>
 
     <p><?php _e("{$missing_error}You must use a valid Mailgun domain name and API key to access lists", 'mailgun'); ?></p>
 
@@ -73,10 +73,10 @@
                 <?php foreach ($lists_arr as $list) : ?>
 
                     <tr>
-                        <td><?php echo $list['address']; ?></td>
-                        <td><?php echo $list['description']; ?></td>
+                        <td><?php echo esc_textarea($list['address']); ?></td>
+                        <td><?php echo esc_textarea($list['description']); ?></td>
                         <td>
-                            [mailgun id="<?php echo $list['address']; ?>"]
+                            [mailgun id="<?php echo esc_textarea($list['address']); ?>"]
                         </td>
                     </tr>
 
diff --git a/includes/mg-filter.php b/includes/mg-filter.php
index b9272ef..95e7ba4 100755
--- a/includes/mg-filter.php
+++ b/includes/mg-filter.php
@@ -152,7 +152,7 @@ function mg_detect_from_address($from_addr_header = null): string
             if (function_exists('get_current_site')) {
                 $sitedomain = get_current_site()->domain;
             } else {
-                $sitedomain = strtolower($_SERVER['SERVER_NAME']);
+                $sitedomain = strtolower(sanitize_text_field($_SERVER['SERVER_NAME']));
                 if (substr($sitedomain, 0, 4) === 'www.') {
                     $sitedomain = substr($sitedomain, 4);
                 }
diff --git a/includes/options-page.php b/includes/options-page.php
index bdfe998..502b3fb 100755
--- a/includes/options-page.php
+++ b/includes/options-page.php
@@ -57,7 +57,7 @@
     <div id="icon-options-general" class="icon32"><br/></div>
     <span class="alignright">
 				<a target="_blank" href="http://www.mailgun.com/">
-					<img src="<?php echo $icon ?>" alt="Mailgun" style="width:50px;"/>
+					<img src="<?php echo esc_attr($icon) ?>" alt="Mailgun" style="width:50px;"/>
 				</a>
 			</span>
     <h2><?php _e('Mailgun', 'mailgun'); ?></h2>
@@ -75,7 +75,7 @@
                 )
             ), esc_url($url), '_blank'
         );
-        echo $link;
+        echo wp_kses_data($link);
         ?>
     </p>
 
@@ -92,7 +92,7 @@
                 )
             ), esc_url($url), '_blank'
         );
-        echo $link;
+        echo wp_kses_data($link);
         ?>
     </p>
 
@@ -107,11 +107,11 @@
                 </th>
                 <td>
                     <?php if ($mailgun_region_const): ?>
-                        <input type="hidden" name="mailgun[region]" value="<?php echo $mailgun_region ?>">
+                        <input type="hidden" name="mailgun[region]" value="<?php echo esc_attr($mailgun_region) ?>">
                     <?php endif ?>
 
                     <select id="mailgun-region"
-                            name="mailgun[region]" <?php echo $mailgun_region_const ? 'disabled="disabled"' : '' ?>>
+                            name="mailgun[region]" <?php echo esc_attr($mailgun_region_const) ? 'disabled="disabled"' : '' ?>>
                         <option value="us"<?php selected('us', $mailgun_region); ?>><?php _e('U.S./North America', 'mailgun') ?></option>
                         <option value="eu"<?php selected('eu', $mailgun_region); ?>><?php _e('Europe', 'mailgun') ?></option>
                     </select>
@@ -128,7 +128,7 @@
                 </th>
                 <td>
                     <?php if (!is_null($mailgun_use_api_const)): ?>
-                        <input type="hidden" name="mailgun[useAPI]" value="<?php echo $mailgun_use_api ?>">
+                        <input type="hidden" name="mailgun[useAPI]" value="<?php echo esc_attr($mailgun_use_api) ?>">
                     <?php endif ?>
 
                     <select id="mailgun-api"
@@ -218,7 +218,7 @@
                 </th>
                 <td>
                     <?php if (!is_null($mailgun_secure_const)): ?>
-                        <input type="hidden" name="mailgun[secure]" value="<?php echo $mailgun_secure ?>">
+                        <input type="hidden" name="mailgun[secure]" value="<?php echo esc_attr($mailgun_secure) ?>">
                     <?php endif ?>
 
                     <select name="mailgun[secure]" <?php echo !is_null($mailgun_secure_const) ? 'disabled="disabled"' : '' ?>>
@@ -238,7 +238,7 @@
                 </th>
                 <td>
                     <?php if ($mailgun_sectype_const): ?>
-                        <input type="hidden" name="mailgun[sectype]" value="<?php echo $mailgun_sectype ?>">
+                        <input type="hidden" name="mailgun[sectype]" value="<?php echo esc_attr($mailgun_sectype) ?>">
                     <?php endif ?>
 
                     <select name="mailgun[sectype]" <?php echo $mailgun_sectype_const ? 'disabled="disabled"' : '' ?>>
@@ -275,7 +275,7 @@
                                 )
                             ), esc_url($url), '_blank'
                         );
-                        echo $link;
+                        echo wp_kses_data($link);
                         ?>
                     </p>
                 </td>
@@ -302,7 +302,7 @@
                                 )
                             ), esc_url($url), '_blank'
                         );
-                        echo $link;
+                        echo wp_kses_data($link);
                         ?>
                     </p>
                 </td>
@@ -387,7 +387,7 @@ class="regular-text"
                                 )
                             ), esc_url($url1), esc_url($url2), '_blank'
                         );
-                        echo $link;
+                        echo wp_kses_data($link);
                         ?>
                     </p>
                 </td>
@@ -429,7 +429,7 @@ class="regular-text"
                             )
                         ), esc_url($url)
                     );
-                    echo $link;
+                    echo wp_kses_data($link);
                     ?>
                 </td>
             </tr>
diff --git a/includes/widget.php b/includes/widget.php
index af56dfa..6d361ab 100644
--- a/includes/widget.php
+++ b/includes/widget.php
@@ -82,20 +82,20 @@ public function form($instance)
         ?>
         <div class="mailgun-list-widget-back">
             <p>
-                <label for="<?php echo $this->get_field_id('list_title'); ?>"><?php _e('Title (optional):'); ?></label> 
-                <input class="widefat" id="<?php echo $this->get_field_id('list_title'); ?>" name="<?php echo $this->get_field_name('list_title'); ?>" type="text" value="<?php echo esc_attr($list_title); ?>" />
+                <label for="<?php echo esc_attr($this->get_field_id('list_title')); ?>"><?php _e('Title (optional):'); ?></label>
+                <input class="widefat" id="<?php echo esc_attr($this->get_field_id('list_title')); ?>" name="<?php echo esc_attr($this->get_field_name('list_title')); ?>" type="text" value="<?php echo esc_attr($list_title); ?>" />
             </p>
             <p>
                 <label for="<?php echo $this->get_field_id('list_description'); ?>"><?php _e('Description (optional):'); ?></label> 
-                <input class="widefat" id="<?php echo $this->get_field_id('list_description'); ?>" name="<?php echo $this->get_field_name('list_description'); ?>" type="text" value="<?php echo esc_attr($list_description); ?>" />
+                <input class="widefat" id="<?php echo esc_attr($this->get_field_id('list_description')); ?>" name="<?php echo esc_attr($this->get_field_name('list_description')); ?>" type="text" value="<?php echo esc_attr($list_description); ?>" />
             </p>
             <p>
                 <label for="<?php echo $this->get_field_id('list_address'); ?>"><?php _e('List addresses (required):'); ?></label> 
-                <input class="widefat" id="<?php echo $this->get_field_id('list_address'); ?>" name="<?php echo $this->get_field_name('list_address'); ?>" type="text" value="<?php echo esc_attr($list_address); ?>" />
+                <input class="widefat" id="<?php echo esc_attr($this->get_field_id('list_address')); ?>" name="<?php echo esc_attr($this->get_field_name('list_address')); ?>" type="text" value="<?php echo esc_attr($list_address); ?>" />
             </p>
             <p>
                 <label for="<?php echo $this->get_field_id('collect_name'); ?>"><?php _e('Collect name:'); ?></label> 
-                <input class="widefat" id="<?php echo $this->get_field_id('collect_name'); ?>" name="<?php echo $this->get_field_name('collect_name'); ?>" type="checkbox" <?php echo esc_attr($collect_name); ?> />
+                <input class="widefat" id="<?php echo esc_attr($this->get_field_id('collect_name')); ?>" name="<?php echo esc_attr($this->get_field_name('collect_name')); ?>" type="checkbox" <?php echo esc_attr($collect_name); ?> />
             </p>
         </div>
         <?php 
diff --git a/mailgun.php b/mailgun.php
index 97bbb36..30b68db 100755
--- a/mailgun.php
+++ b/mailgun.php
@@ -3,7 +3,7 @@
  * Plugin Name:  Mailgun
  * Plugin URI:   http://wordpress.org/extend/plugins/mailgun/
  * Description:  Mailgun integration for WordPress
- * Version:      1.8.10
+ * Version:      1.9
  * Tested up to: 6.1
  * Author:       Mailgun
  * Author URI:   http://www.mailgun.com/
@@ -301,10 +301,10 @@ public function get_lists(): array
      */
     public function add_list()
     {
-        $name = $_POST['name'] ?? null;
-        $email = $_POST['email'] ?? null;
+        $name = sanitize_text_field($_POST['name'] ?? null);
+        $email = sanitize_text_field($_POST['email'] ?? null);
 
-        $list_addresses = $_POST['addresses'];
+        $list_addresses = sanitize_text_field($_POST['addresses']);
 
         if (!empty($list_addresses)) {
             $result = [];
@@ -360,20 +360,20 @@ public function list_form(string $list_address, array $args = [], array $instanc
         // All list info from the API; used for list info when more than one list is available to subscribe to
         $all_list_addresses = $this->get_lists();
     ?>
-        <div class="mailgun-list-widget-front <?php echo $widget_class_id; ?> widget">
-            <form class="list-form <?php echo $form_class_id; ?>">
+        <div class="mailgun-list-widget-front <?php echo esc_attr($widget_class_id); ?> widget">
+            <form class="list-form <?php echo esc_attr($form_class_id); ?>">
                 <div class="mailgun-list-widget-inputs">
                     <?php if (isset($args[ 'list_title' ])): ?>
                         <div class="mailgun-list-title">
                             <h4 class="widget-title">
-                                <span><?php echo $args[ 'list_title' ]; ?></span>
+                                <span><?php echo wp_kses_data($args[ 'list_title' ]); ?></span>
                             </h4>
                         </div>
                     <?php endif; ?>
                     <?php if (isset($args[ 'list_description' ])): ?>
                         <div class="mailgun-list-description">
                             <p class="widget-description">
-                                <span><?php echo $args[ 'list_description' ]; ?></span>
+                                <span><?php echo wp_kses_data($args[ 'list_description' ]); ?></span>
                             </p>
                         </div>
                     <?php endif; ?>
@@ -399,15 +399,15 @@ public function list_form(string $list_address, array $args = [], array $instanc
                         ?>
                                 <li>
                                     <input type="checkbox" class="mailgun-list-name"
-                                           name="addresses[<?php echo $la[ 'address' ]; ?>]"/> <?php echo ($la[ 'name' ] ?: $la[ 'address' ]); ?>
+                                           name="addresses[<?php echo esc_attr($la[ 'address' ]); ?>]"/> <?php echo esc_attr($la[ 'name' ] ?: $la[ 'address' ]); ?>
                                 </li>
                         <?php endforeach; ?>
                     </ul>
                 <?php else: ?>
-                    <input type="hidden" name="addresses[<?php echo $list_addresses[ 0 ]; ?>]" value="on"/>
+                    <input type="hidden" name="addresses[<?php echo esc_attr($list_addresses[ 0 ]); ?>]" value="on"/>
                 <?php endif; ?>
 
-                <input class="mailgun-list-submit-button" data-form-id="<?php echo $form_class_id; ?>" type="button"
+                <input class="mailgun-list-submit-button" data-form-id="<?php echo esc_attr($form_class_id); ?>" type="button"
                        value="Subscribe"/>
                 <input type="hidden" name="mailgun-submission" value="1"/>
 
@@ -454,9 +454,9 @@ public function list_form(string $list_address, array $args = [], array $instanc
 
                   // success
                   if ((data.status === 200)) {
-                    jQuery('.<?php echo $widget_class_id; ?> .widget-list-panel').css('display', 'none')
-                    jQuery('.<?php echo $widget_class_id; ?> .list-form').css('display', 'none')
-                    jQuery('.<?php echo $widget_class_id; ?> .result-panel').css('display', 'block')
+                    jQuery('.<?php echo esc_attr($widget_class_id); ?> .widget-list-panel').css('display', 'none')
+                    jQuery('.<?php echo esc_attr($widget_class_id); ?> .list-form').css('display', 'none')
+                    jQuery('.<?php echo esc_attr($widget_class_id); ?> .result-panel').css('display', 'block')
                     // error
                   } else {
                     alert(data_msg)
diff --git a/readme.md b/readme.md
index 6395407..53604b0 100755
--- a/readme.md
+++ b/readme.md
@@ -5,7 +5,7 @@ Contributors: mailgun, sivel, lookahead.io, m35dev
 Tags: mailgun, smtp, http, api, mail, email
 Requires at least: 3.3
 Tested up to: 6.1.1
-Stable tag: 1.8.10
+Stable tag: 1.9
 Requires PHP: 5.6
 License: GPLv2 or later
 
@@ -130,6 +130,9 @@ MAILGUN_FROM_ADDRESS Type: string
 
 
 == Changelog ==
+= 1.9 (2023-01-18): =
+- Sanitizing and escaping vars. Possible security issues
+
 = 1.8.10 (2022-12-26): =
 - Fixed bug with not overriding `from name` for Woocommerce
 
diff --git a/readme.txt b/readme.txt
index b4696e0..9f981d4 100755
--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Contributors: mailgun, sivel, lookahead.io, m35dev
 Tags: mailgun, smtp, http, api, mail, email
 Requires at least: 4.4
 Tested up to: 6.1.1
-Stable tag: 1.8.10
+Stable tag: 1.9
 Requires PHP: 5.6
 License: GPLv2 or later
 
@@ -128,6 +128,9 @@ MAILGUN_FROM_ADDRESS Type: string
 
 
 == Changelog ==
+= 1.9 (2023-01-18): =
+- Sanitizing and escaping vars. Possible security issues
+
 = 1.8.10 (2022-12-26): =
 - Fixed bug with not overriding `from name` for Woocommerce