New version: 5.3.2

README.md

@@ -4,7 +4,7 @@
 - Tags: email, marketing, signup, newsletter, widget, smtp, woocommerce, contact form 7
 - Requires at least: 4.4
 - Tested up to: 6.1.1
-- Stable tag: 5.3.1
+- Stable tag: 5.3.2
 - Requires PHP: 5.6
 - License: GPLv2 or later
 - License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -205,6 +205,9 @@ find vendor/ -type d -name ".git" -exec rm -rf {} \;
 7. Configure abandoned cart notifications for WooCommerce
 
 ## Changelog
+##### 5.3.2
+* Fixed security issues according to plugin scanning. Sanitized some input args.
+
 ##### 5.3.1
 * Fixed security issues according to plugin scanning. Added escaping for shown strings.
 

readme.txt

@@ -4,7 +4,7 @@ Contributors: Mailjet
 Tags: email, marketing, signup, newsletter, widget, smtp, woocommerce, contact form 7
 Requires at least: 4.4
 Tested up to: 6.1.1
-Stable tag: 5.3.1
+Stable tag: 5.3.2
 Requires PHP: 5.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -196,6 +196,9 @@ find vendor/ -type d -name ".git" -exec rm -rf {} \;
 7. Configure abandoned cart notifications for WooCommerce
 
 == Upgrade notice ==
+= 5.3.2 =
+* Fixed security issues according to plugin scanning. Sanitized some input args.
+
 = 5.3.1 =
 * Fixed security issues according to plugin scanning. Added escaping for shown strings.
 

src/includes/MailjetSettings.php

@@ -308,7 +308,7 @@ public static function redirectJs($urlToRedirect)
         ?>';
         </script>
         <?php 
-        echo '<META HTTP-EQUIV="refresh" content="0;URL=' . $urlToRedirect . '">';
+        echo esc_attr('<META HTTP-EQUIV="refresh" content="0;URL=' . $urlToRedirect . '">');
         exit;
     }
     public static function getCryptoHash()

src/includes/SettingsPages/SubscriptionOptionsSettings.php

@@ -352,7 +352,7 @@ public function mailjet_subscribe_confirmation_from_widget($subscription_email,
         $test = sprintf(Mailjeti18n::getTranslationsFromFile($locale, 'To receive newsletters from %s please confirm your subscription by clicking the following button:'), $wpUrl);
         $email_main_text = !empty($instance[$locale]['email_content_main_text']) ? apply_filters('widget_email_content_main_text', \sprintf($instance[$locale]['email_content_main_text'], get_option('blogname'))) : $test;
         $email_content_after_button = !empty($instance[$locale]['email_content_after_button']) ? $instance[$locale]['email_content_after_button'] : Mailjeti18n::getTranslationsFromFile($locale, 'If you received this email by mistake or don\'t wish to subscribe anymore, simply ignore this message.');
-        $properties = isset($_POST['properties']) ? $_POST['properties'] : array();
+        $properties = array_map('sanitize_text_field', $_POST['properties'] ?? []);
         $preparedProperties = [];
         if (!empty($properties)) {
             foreach ($properties as $key => $val) {

src/includes/SettingsPages/UserAccessSettings.php

@@ -49,12 +49,12 @@ public function mailjet_user_access_cb($args)
             $hasAccess = isset($role['capabilities'][self::ACCESS_CAP_NAME]) && $role['capabilities'][self::ACCESS_CAP_NAME];
             ?>
                 <label class="checkboxLabel" for="<?php 
-            echo self::PREFIX_ACCESS_INPUT_NAME . $roleKey;
+            echo esc_attr(self::PREFIX_ACCESS_INPUT_NAME . $roleKey);
             ?>">
                     <input name="<?php 
-            echo self::PREFIX_ACCESS_INPUT_NAME . $roleKey;
+            echo esc_attr(self::PREFIX_ACCESS_INPUT_NAME . $roleKey);
             ?>" type="checkbox" id="<?php 
-            echo self::PREFIX_ACCESS_INPUT_NAME . $roleKey;
+            echo esc_attr(self::PREFIX_ACCESS_INPUT_NAME . $roleKey);
             ?>" value="1" <?php 
             echo esc_attr($hasAccess) ? ' checked="checked"' : '';
             echo esc_attr($roleKey) === 'administrator' ? 'disabled' : '';
@@ -74,7 +74,7 @@ public function mailjet_user_access_cb($args)
     }
     public function user_access_post_handler()
     {
-        $postData = $_POST;
+        $postData = array_map('sanitize_text_field', $_POST);
         if (!isset($postData['custom_nonce']) || !wp_verify_nonce($postData['custom_nonce'], 'mailjet_user_access_page_html')) {
             add_settings_error('mailjet_messages', 'mailjet_message', __('Your permissions don\'t match! Please refresh your session and if the problem persists, contact our support team.', 'mailjet-for-wordpress'), 'error');
             settings_errors('mailjet_messages');

src/includes/SettingsPages/WooCommerceSettings.php

@@ -605,7 +605,7 @@ public function send_order_status_completed($orderId)
     }
     public function orders_automation_settings_post()
     {
-        $data = $_POST;
+        $data = array_map('sanitize_text_field', $_POST);
         if (!wp_verify_nonce($data['custom_nonce'], 'mailjet_order_notifications_settings_page_html')) {
             update_option('mailjet_post_update_message', ['success' => \false, 'message' => 'Invalid credentials!']);
             wp_redirect(add_query_arg(array('page' => 'mailjet_order_notifications_page'), admin_url('admin.php')));
@@ -643,7 +643,7 @@ private function prepareAutomationHooks($data)
     }
     public function abandoned_cart_settings_post()
     {
-        $data = $_POST;
+        $data = array_map('sanitize_text_field', $_POST);
         if (!wp_verify_nonce($data['custom_nonce'], 'mailjet_order_notifications_settings_page_html')) {
             update_option('mailjet_post_update_message', ['success' => \false, 'message' => 'Invalid credentials!']);
             wp_redirect(add_query_arg(array('page' => 'mailjet_abandoned_cart_page'), admin_url('admin.php')));
@@ -812,7 +812,7 @@ public function enqueueFrontScripts()
     }
     public function subscribeViaAjax()
     {
-        $post = $_POST;
+        $post = array_map('sanitize_text_field', $_POST);
         if (isset($post['orderId'])) {
             $orderId = sanitize_text_field($post['orderId']);
             $order = wc_get_order($orderId);

src/widget/WP_Mailjet_Subscribe_Widget.php

@@ -132,7 +132,7 @@ public function sendSubscriptionEmail(): void
             echo wp_json_encode(['prop_errors' => $errors]);
             wp_die();
         }
-        $properties = isset($_POST['properties']) ? $_POST['properties'] : array();
+        $properties = array_map('sanitize_text_field', $_POST['properties'] ?? []);
         $isValueTypeIncorrect = false;
         if (!empty($properties) && is_array($this->mailjetContactProperties) && !empty($this->mailjetContactProperties)) {
             foreach ($properties as $propertyId => $propertyValue) {

wp-mailjet.php

@@ -14,7 +14,7 @@
  * Plugin Name:       Mailjet for WordPress
  * Plugin URI:        https://www.mailjet.com/partners/wordpress/
  * Description:       The Best WordPress Plugin For Email Newsletters.
- * Version:           5.3.1
+ * Version:           5.3.2
  * Tested up to:      6.1.1
  * Author:            Mailjet SAS
  * Author URI:        http://mailjet.com
@@ -55,7 +55,7 @@
 /**
  * Mailjet plugin version.
  */
-define('MAILJET_VERSION', '5.3.1');
+define('MAILJET_VERSION', '5.3.2');
 
 /**
  * Mailjet Plugid dir.