<?php

/**
 * This mu-plugin contains Virtual Patches for the Atomic platform.
 *
 * The file's source of truth is the wpcloud-virtual-patches repository.
 *
 * @author Bastion Team
 */

// Protection from accidental double loading.
//
// phpcs:disable Generic.CodeAnalysis.RequireExplicitBooleanOperatorPrecedence.MissingParentheses
// phpcs:disable WordPress.PHP.YodaConditions.NotYoda
// phpcs:disable WordPress.PHP.DevelopmentFunctions.error_log_print_r
// phpcs:disable WordPress.PHP.DevelopmentFunctions.error_log_error_log
if ( ! class_exists( 'Atomic_Platform_Virtual_Patches' ) ) {
	class Atomic_Platform_Virtual_Patches {
		/**
		 * Adds a log entry with the vuln UUID as the file (to be able to filter by it) and -403 as
		 * the line number, so those logs can be filtered in Logstash
		 */
		public static function add_log( string $vuln_uuid, string $message = 'Blocked by vPatch', mixed $data = null ) {
			// Logging is gated on the constant being defined AND strictly true; anything else is a no-op.
			$logging_enabled = defined( 'ENABLE_VPATCH_LOGGING' ) && ENABLE_VPATCH_LOGGING === true;
			if ( ! $logging_enabled ) {
				return;
			}

			// $data is usually request input forwarded by a patch. It is written verbatim, and print_r()
			// renders arrays over several lines, so consumers should key on the -403 marker rather than
			// assume one entry per line.
			$payload = null === $data ? '' : ': ' . print_r( $data, true );

			// The vuln UUID occupies the "file" slot and -403 the "line" slot of the usual PHP error format.
			error_log( sprintf( '%s%s in %s on line -403', $message, $payload, $vuln_uuid ) );
		}

		/**
		 * Determine the code that triggered the generic vPatch by inspecting the stack trace
		 */
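		public static function determine_caller() {
			// phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_debug_backtrace
			$trace             = debug_backtrace();
			// Frames belonging to the hook machinery and to this logging helper itself are never the culprit.
			$exclude_functions = [ 'apply_filters', 'determine_caller', 'add_exploratory_log' ];

			foreach ( $trace as $caller ) {
				if ( in_array( $caller['function'], $exclude_functions, true ) ) {
					continue;
				}

				// Frames entered through an internal call (e.g. call_user_func_array) carry no 'file'/'line'.
				// They cannot identify the triggering code, so skip them instead of tripping an
				// "undefined array key" warning (and a null-to-string deprecation) on PHP 8.
				$file = $caller['file'] ?? null;
				if ( ! is_string( $file ) ) {
					continue;
				}

				// TODO: better check here, to avoid skipping files in /<slug>/**wp-includes/** (quite rare but could happen)
				if ( str_contains( $file, '/wp-includes/' ) || str_contains( $file, '/wp-admin/includes/' ) ) {
					continue;
				}

				return $caller;
			}

			// Nothing outside core/hook plumbing was found: fall back to the innermost frame so callers
			// always receive a frame array.
			return $trace[0];
		}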

		/**
		 * Adds an exploratory log entry with -418 as the line number, so those logs can be filtered in Logstash
		 */
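		public static function add_exploratory_log( string $message, mixed $data = null ) {
			if ( defined( 'ENABLE_VPATCH_LOGGING' ) && ENABLE_VPATCH_LOGGING === true ) {
				$caller = self::determine_caller();

				// Default payload is the raw request. It can carry credentials or other secrets, so this
				// log is sensitive and should only be enabled while investigating.
				if ( is_null( $data ) ) {
					$data = [
						'get'     => $_GET,
						'post'    => $_POST,
						'referer' => $_SERVER['HTTP_REFERER'] ?? 'n/a',
					];
				}

				$message .= ': ' . print_r( $data, true );

				// A frame entered through an internal call has no 'file'/'line'; fall back instead of
				// emitting undefined-key warnings from inside the logger.
				$file = $caller['file'] ?? 'unknown';
				$line = $caller['line'] ?? 0;

				error_log( "{$message} in {$file}:{$line} on line -418" );
			}
		}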

		/**
		 * Adds an exploratory error log entry with -4181 as the line number, so those logs can be filtered in Logstash.
		 * Those logs contain exceptions raised by generic patches, for us to investigate and fix
		 */
		public static function add_exploratory_error_log( $exception ) {
			// Same opt-in gate as the other loggers: defined AND strictly true, otherwise do nothing.
			$logging_enabled = defined( 'ENABLE_VPATCH_LOGGING' ) && ENABLE_VPATCH_LOGGING === true;
			if ( ! $logging_enabled ) {
				return;
			}

			// Assumes $exception is a Throwable: its string form (message, class, trace) leads the entry,
			// the throw site fills the "file:line" slot and -4181 is the filter marker.
			$throw_site = $exception->getFile() . ':' . $exception->getLine();
			error_log( sprintf( '%s in %s on line -4181', $exception, $throw_site ) );
		}

		public function __construct() {
			if ( ! defined( 'ENABLE_VPATCH_LOGGING' ) ) {
				define( 'ENABLE_VPATCH_LOGGING', true );
			}

			self::register_generic_vpatch();

			// Security: Monkeypatch for Elementor Pro.
			add_action(
				'wp_ajax_elementor_ajax',
				function () {
					if ( ! isset( $_REQUEST['actions'] ) ) {
						return;
					}

					// https://wpscan.com/vulnerability/c2a7ac08-460e-4485-a1c6-d2066ee94920/ - Elementor Pro < 2.9.4 - Subscriber+ Arbitrary File Upload
					if ( false !== strpos( $_REQUEST['actions'], 'pro_assets_manager_custom_icon_upload' ) ) {
						// Icons_Manager::CAPABILITY
						if ( ! current_user_can( 'manage_options' ) ) {
							Atomic_Platform_Virtual_Patches::add_log( 'c2a7ac08-460e-4485-a1c6-d2066ee94920' );

							wp_die( 'Access denied', 403 );
						}
					}

					// https://wpscan.com/vulnerability/73e8e030-8e8b-43de-a602-c699ab2eafaf/ - Elementor Pro < 3.11.7 - Subscriber+ Arbitrary Options Update
					if ( false !== strpos( $_REQUEST['actions'], 'pro_woocommerce_update_page_option' ) ) {
						if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'manage_woocommerce' ) ) {
							Atomic_Platform_Virtual_Patches::add_log( '73e8e030-8e8b-43de-a602-c699ab2eafaf' );

							wp_die( 'Access denied', 403 );
						}
					}
				},
				-1
			);

			// https://wpscan.com/vulnerability/1a075d62-b5d2-4b58-a74f-73a0166aee12/
			if ( isset( $_POST['bbp-forums-role'] ) ) {
				add_action(
					'init',
					function () {
						if ( ! is_super_admin() ) {
							$_POST['bbp-forums-role'] = function_exists( 'bbp_get_default_role' ) ? bbp_get_default_role() : null;
						}
					}
				);
			}

			// https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89/
			if ( isset( $_POST['tp_user_reg_role'] ) ) {
				if ( 'administrator' === $_POST['tp_user_reg_role'] ) {
					add_action(
						'init',
						function () {
							Atomic_Platform_Virtual_Patches::add_log( 'c311feef-7041-4c21-9525-132b9bd32f89' );

							wp_die( 'Access denied.' );
						}
					);
				}
				$_POST['tp_user_reg_role'] = 'subscriber';
			}

			if ( isset( $_POST['email'] ) ) {
				add_action(
					'plugins_loaded',
					function () {
						remove_action( 'wp_ajax_nopriv_theplus_ajax_login', 'theplus_ajax_login', 10 );
					},
					11
				);
			}

			// https://wpscan.com/vulnerability/10528cb2-12a1-43f7-9b7d-d75d18fdf5bb/
			// See https://wp.me/pbuNQi-1bO
			if ( isset( $_POST['action'] ) && 'iva_bh_ajax_action' === $_POST['action'] ) {
				add_action(
					'init',
					function () {
						remove_action( 'wp_ajax_nopriv_iva_bh_ajax_action', 'iva_bh_update_plugin', 10 );
						if ( ! current_user_can( 'manage_options' ) ) {
							remove_action( 'wp_ajax_iva_bh_ajax_action', 'iva_bh_update_plugin', 10 );
						}
					}
				);
			}

			// Security: Monkeypatch for kaswara
			// See https://wp.me/paWMBk-iA
			// See https://nvd.nist.gov/vuln/detail/CVE-2021-24284
			if ( isset( $_POST['action'] ) && 'uploadFontIcon' === $_POST['action'] ) {
				add_action(
					'init',
					function () {
						remove_action( 'wp_ajax_uploadFontIcon', 'kaswara_uploadfonticon_handler_callback', 10 );
						remove_action( 'wp_ajax_nopriv_uploadFontIcon', 'kaswara_uploadfonticon_handler_callback', 10 );
					}
				);
			}

			// Security: Monkeypatch for wp_die handler
			// See: https://wp.me/p3btAN-1o6
			add_filter(
				'wp_die_jsonp_handler',
				function ( $wp_die_handler ) {
					if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
						return $wp_die_handler;
					}

					if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
						return apply_filters( 'wp_die_xmlrpc_handler', '_xmlrpc_wp_die_handler' );
					}

					global $wp_query;
					if ( wp_is_xml_request()
					|| isset( $wp_query ) &&
					( function_exists( 'is_feed' ) && is_feed()
					|| function_exists( 'is_comment_feed' ) && is_comment_feed()
					|| function_exists( 'is_trackback' ) && is_trackback() ) ) {
						return apply_filters( 'wp_die_xml_handler', '_xml_wp_die_handler' );
					}

					return apply_filters( 'wp_die_handler', '_default_wp_die_handler' );
				},
				99
			);

			// See: https://wp.me/p3btAN-1ve
			// See: https://wp.me/pbfA90-16T (PHP 8.1 compat)
			add_filter(
				'sanitize_taxonomy_name',
				function ( $sanitized, $taxonomy ) {
					$str = preg_replace( '/\x00|<[^>]*>?/', '', $sanitized );
					return str_replace( [ "'", '"' ], [ '&#39;', '&#34;' ], $str );
				},
				11,
				2
			);

			// See: https://wp.me/p3btAN-1AQ
			add_action(
				'init',
				function () {
					if ( class_exists( 'AIOSEO\Plugin\AIOSEO', false ) ) {
						// https://wpscan.com/vulnerability/6de4a7de-6b71-4349-8e52-04c89c5e6d6c/
						add_filter(
							'rest_request_before_callbacks',
							function ( $response, $handler, $request ) {
								$route      = $request->get_route();
								$lowercased = strtolower( $route );
								if ( strpos( $lowercased, '/aioseo/v1' ) === 0 && $lowercased !== $route ) {
									$request->set_route( $lowercased );
								}
								return $response;
							},
							1,
							3
						);

						// https://wpscan.com/vulnerability/4cd2a57b-3e1a-4acf-aecb-201ed9f4ee6d/
						add_filter(
							'rest_dispatch_request',
							function ( $result, $request, $route ) {
								$lowercased = strtolower( $route );
								if ( strpos( $lowercased, '/aioseo/v1' ) === 0 ) {
									switch ( untrailingslashit( $lowercased ) ) {
										case '/aioseo/v1/objects':
											global $wpdb;
											$body = $request->get_json_params();
											if ( ! empty( $body['query'] ) && ! empty( $body['type'] ) ) {
												$query   = $body['query'];
												$raw     = $wpdb->esc_like( $query );
												$escaped = $wpdb->_real_escape( $raw );
												if ( $raw !== $escaped ) {
													Atomic_Platform_Virtual_Patches::add_log( '4cd2a57b-3e1a-4acf-aecb-201ed9f4ee6d', 'SQLi Blocked', $raw );

													return new WP_Error(
														'rest_forbidden',
														'Sorry, you are not allowed to do that.',
														[ 'status' => rest_authorization_required_code() ]
													);
												}
											}
											break;
										default:
											break;
									}
								}
								return $result;
							},
							1,
							3
						);
					}
				}
			);

			// https://wpscan.com/vulnerability/2f0f1a32-0c7a-48e6-8617-e0b2dcf62727/
			// See: https://wp.me/p3btAN-1Bi
			add_action(
				'init',
				function () {
					if ( ! empty( $_POST['all_options'] ) && ! current_user_can( 'manage_options' ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '2f0f1a32-0c7a-48e6-8617-e0b2dcf62727', 'Option Blocked', $_POST['all_options'] );
						die;
					}
				},
				1
			);

			// https://wpscan.com/vulnerability/e387f08d-7c9c-4e54-9e2f-222def11216c/
			// See: https://wp.me/p3btAN-1Bi
			if ( isset( $_POST['action'] ) && 'kiwi_social_share_get_option' === $_POST['action'] ) {
				add_action(
					'init',
					function () {
						if ( ! current_user_can( 'edit_posts' ) ) {
							remove_action( 'wp_ajax_kiwi_social_share_get_option', 'kiwi_social_share_get_option', 10 );
							remove_action( 'wp_ajax_nopriv_kiwi_social_share_get_option', 'kiwi_social_share_get_option', 10 );
						}
						if ( isset( $_POST['args']['group'] ) && 'kiwi_social_identities' !== $_POST['args']['group'] ) {
							Atomic_Platform_Virtual_Patches::add_log( 'e387f08d-7c9c-4e54-9e2f-222def11216c', 'Option Blocked', $_POST['args']['group'] );

							wp_die( 'Forbidden' );
						}
					}
				);
			}
			// https://wpscan.com/vulnerability/5c65ba36-b6cb-4982-977a-0fbce8812ad3/
			if ( isset( $_POST['action'] ) && 'kiwi_social_share_set_option' === $_POST['action'] ) {
				add_action(
					'init',
					function () {
						if ( ! current_user_can( 'manage_options' ) ) {
							remove_action( 'wp_ajax_kiwi_social_share_set_option', 'kiwi_social_share_set_option', 10 );
							remove_action( 'wp_ajax_nopriv_kiwi_social_share_set_option', 'kiwi_social_share_set_option', 10 );
						}
						if ( isset( $_POST['args']['group'] ) && 'kiwi_registration' !== $_POST['args']['group'] ) {
							Atomic_Platform_Virtual_Patches::add_log( '5c65ba36-b6cb-4982-977a-0fbce8812ad3', 'Option Blocked', $_POST['args']['group'] );

							wp_die( 'Forbidden' );
						}
					}
				);
			}

			// https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1/
			// See: https://wp.me/p3btAN-1Cb
			if ( isset( $_POST['action'] ) && 'upload_ugc' === $_POST['action'] ) {
				add_filter(
					'fu_allowed_mime_types',
					function ( $types ) {
						unset( $types['htm|html'] );
						unset( $types['js'] );
						unset( $types['svg'] );

						return $types;
					}
				);
			}

			// https://wpscan.com/vulnerability/8f72a636-52c0-4a63-b1b2-4af7e6825801/
			// See: https://wp.me/p3btAN-2gW
			add_action(
				'wp',
				function () {
					// Check if WooCommerce is active.
					if ( ! class_exists( 'WooCommerce' ) ) {
						return;
					}

					// Check if WCPay is active.
					if ( ! class_exists( 'WC_Payments' ) ) {
						return;
					}

					if ( ! ( function_exists( 'is_order_received_page' ) && is_order_received_page() ) ) {
						return;
					}

					if ( ! isset( $_GET['wc_payment_method'] ) ) {
						return;
					}

					if ( ! isset( $_REQUEST['_wpnonce'] ) ) {
						return;
					}

					$is_nonce_valid = check_admin_referer( 'wcpay_process_redirect_order_nonce' );
					if ( ! $is_nonce_valid || empty( $_GET['wc_payment_method'] ) ) {
						return;
					}

					if ( ! empty( $_GET['payment_intent_client_secret'] ) ) {
						$intent_id_received = isset( $_GET['payment_intent'] ) ? wc_clean( wp_unslash( $_GET['payment_intent'] ) ) : '';
					} elseif ( ! empty( $_GET['setup_intent_client_secret'] ) ) {
						$intent_id_received = isset( $_GET['setup_intent'] ) ? wc_clean( wp_unslash( $_GET['setup_intent'] ) ) : '';
					} else {
						return;
					}

					$order_id = isset( $_GET['order_id'] ) ? wc_clean( wp_unslash( $_GET['order_id'] ) ) : '';
					if ( empty( $order_id ) ) {
						return;
					}

					$order = wc_get_order( $order_id );

					if ( ! is_object( $order ) ) {
						return;
					}

					$intent_id_order_meta = $order->get_meta( '_intent_id', true );
					if ( ! hash_equals( $intent_id_order_meta, $intent_id_received ) ) {
						$message = __( "We're not able to process this payment. Please try again later.", 'woocommerce-payments' );
						wc_add_notice( $message, 'error' );

						Atomic_Platform_Virtual_Patches::add_log( '8f72a636-52c0-4a63-b1b2-4af7e6825801' );

						do_action( 'wcpay_possible_pending_payment_exploit_attempt' );
						wp_safe_redirect( wc_get_cart_url() );
						exit;
					}
				},
				9
			);

			// https://wpscan.com/vulnerability/0d02b222-e672-4ac0-a1d4-d34e1ecf4a95/
			// See: https://wp.me/p3btAN-1DL
			if ( isset( $_REQUEST['action'] ) && 'load_more' === $_REQUEST['action'] ) {
				add_action(
					'plugins_loaded',
					function () {
						if ( ! defined( 'EAEL_PLUGIN_PATH' ) && ! defined( 'EAEL_PRO_PLUGIN_PATH' ) ) {
							return;
						}

						if ( ! isset( $_REQUEST['template_info']['file_name'] ) ) {
							return;
						}

						$plugin_path  = isset( $_REQUEST['template_info']['dir'] ) && 'pro' === $_REQUEST['template_info']['dir'] ? EAEL_PRO_PLUGIN_PATH : EAEL_PLUGIN_PATH;
						$plugin_path .= 'includes';
						if ( isset( $_REQUEST['template_info']['dir'] ) && 'theme' === $_REQUEST['template_info']['dir'] ) {
							$theme       = wp_get_theme();
							$plugin_path = sprintf( '%s/%s', $theme->theme_root, $theme->stylesheet );
						}

						$name     = isset( $_REQUEST['template_info']['name'] ) ? $_REQUEST['template_info']['name'] : '';
						$template = realpath(
							sprintf( '%s/Template/%s/%s', $plugin_path, $name, $_REQUEST['template_info']['file_name'] )
						);

						if ( ! $template || 0 !== strpos( $template, $plugin_path ) ) {
							Atomic_Platform_Virtual_Patches::add_log( '0d02b222-e672-4ac0-a1d4-d34e1ecf4a95', 'Tpl Blocked', $_REQUEST['template_info'] );

							wp_die( 'Invalid template', 'invalid_template', 400 );
						}
					}
				);
			}

			// https://wpscan.com/vulnerability/d1480717-726d-4be2-95cb-1007a3f010bb/
			// See: https://wp.me/p3btAN-1Gf
			if ( isset( $_REQUEST['api_key'] ) && isset( $_REQUEST['id'] ) ) {
				add_action(
					'rest_api_init',
					function () {
						if ( defined( 'NOTIFICATIONX_FILE' ) ) {
							if ( isset( $_GET['id'] ) ) {
								$_GET['id'] = (int) $_GET['id'];
							}
							if ( isset( $_POST['id'] ) ) {
								$_POST['id'] = (int) $_POST['id'];
							}
						}
					},
					0
				);
			}

			// https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd/
			// See: https://wp.me/p3btAN-1HI
			if ( isset( $_REQUEST['action'] ) && 'add_custom_font' === $_REQUEST['action'] ) {
				add_action(
					'init',
					function () {
						if ( defined( 'TYPEHUB_VERSION' ) ) {
							remove_all_actions( 'wp_ajax_nopriv_add_custom_font' );
						}
					},
					10
				);
			}

			// https://wpscan.com/vulnerability/df62d170-c7d1-43a4-b6dc-20512934c33e/
			// See: https://wp.me/p3btAN-1Jo
			$p3btan1jo = array(
				'elementor_update_site_name',
				'elementor_update_site_logo',
				'elementor_upload_site_logo',
				'elementor_update_data_sharing',
				'elementor_activate_hello_theme',
				'elementor_upload_and_install_pro',
				'elementor_update_onboarding_option',
			);
			if ( isset( $_POST['action'] ) && in_array( $_POST['action'], $p3btan1jo, true ) ) {
				add_action(
					'admin_init',
					function () {
						if ( ! current_user_can( 'manage_options' ) ) {
							Atomic_Platform_Virtual_Patches::add_log( 'df62d170-c7d1-43a4-b6dc-20512934c33e', 'Blocked Action', $_POST['action'] );

							unset( $_POST['action'] );
						}
					},
					9
				);
			}

			// https://wpscan.com/vulnerability/8843d66b-e895-4336-afda-00b99442cdc1/
			// See: https://wp.me/p3btAN-1Mi
			if ( isset( $_REQUEST['action'] ) && 'nf_ajax_submit' === $_REQUEST['action'] ) {
				add_action(
					'init',
					function () {
						// phpcs:ignore WordPress.WP.AlternativeFunctions.parse_url_parse_url
						$url_query = parse_url( wp_get_referer(), PHP_URL_QUERY );

						if ( empty( $url_query ) ) {
							return;
						}

						parse_str( $url_query, $query_args );

						foreach ( $query_args as $key => $value ) {
							if ( false !== strpos( $key, '::' ) ) {
								Atomic_Platform_Virtual_Patches::add_log( '8843d66b-e895-4336-afda-00b99442cdc1', 'Object Blocked', $key );

								wp_die( '0', 400 );
							}
						}
					},
					1
				);
			}

			// See: https://wpscan.com/vulnerability/574f7607-96d8-4ef8-b96c-0425ad7e7690
			add_filter(
				'shortcode_atts_yarpp',
				function ( $atts ) {
					$attributes = (array) $atts;

					$sanitized_attributes = [];
					foreach ( $attributes as $att_name => $att_value ) {
						$normalized_name = trim( strtolower( $att_name ) );

						if ( 'recent' === $normalized_name ) {
							$regex_result = preg_match( '/\d+\s{1,}(month|week|day)+$/i', trim( $att_value ), $matches );
							if ( 1 === $regex_result && ! empty( $matches[0] ) ) {
								$sanitized_attributes[ $att_name ] = $matches[0];
							}
						} elseif ( 'limit' === $normalized_name ) {
							$sanitized_attributes[ $att_name ] = (string) intval( $att_value );
						} elseif ( 'template' === $normalized_name ) {
							if ( 0 === validate_file( $att_value ) ) {
								$sanitized_attributes[ $att_name ] = $att_value;
							}
						} else {
							$sanitized_attributes[ $att_name ] = $att_value;
						}
					}
					return $sanitized_attributes;
				},
				1
			);

			// https://wpscan.com/vulnerability/4855dbf0-d40c-46be-840b-aed1168e2191/
			// See: https://wp.me/p3btAN-2c8
			add_action(
				'eael/login-register/before-processing-login-register',
				function () {
					if ( defined( 'EAEL_PLUGIN_VERSION' ) && isset( $_POST['eael-pass1'] ) && version_compare( EAEL_PLUGIN_VERSION, '5.7.2', '<' ) ) {
						wp_die();
					}
				}
			);

			// https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7/
			// See: https://wp.me/p3btAN-2km
			add_action(
				'muplugins_loaded',
				function () {
					if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['um_request'] ) && isset( $_REQUEST['_wpnonce'] ) && isset( $_REQUEST['form_id'] ) ) {
						$found = false;
						foreach ( $_POST as $p ) {
							if ( ! is_array( $p ) ) {
								continue;
							}
							$post = implode( '', array_keys( $p ) );
							foreach ( array( 'administrator', 'editor', 'author', 'contributor' ) as $s ) {
								if ( false !== strpos( $post, $s ) ) {
									$found = true;
									break;
								}
							}
						}
						if ( $found ) {
							Atomic_Platform_Virtual_Patches::add_log( '694235c7-4469-4ffd-a722-9225b19e98d7' );

							wp_die( 'Access denied.', 403 );
						}
					}
				}
			);

			// https://wpscan.com/vulnerability/e6d8216d-ace4-48ba-afca-74da0dc5abb5/
			// See: https://wp.me/p3btAN-2rw
			add_filter(
				'rest_dispatch_request',
				function ( $dispatch_result, $request, $route ) {
					if ( '/tdw/save_css' === $route ) {
						if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
							Atomic_Platform_Virtual_Patches::add_log( 'e6d8216d-ace4-48ba-afca-74da0dc5abb5' );

							return new WP_REST_Response( null, 403 );
						}
					}
					return $dispatch_result;
				},
				10,
				3
			);

			// See: https://wp.me/p9o2xV-47I
			if ( isset( $_REQUEST ) && array_key_exists( 'wpcode_snippet_code', $_REQUEST ) && is_string( $_REQUEST['wpcode_snippet_code'] ) ) {
				add_action(
					'init',
					function () {
						if ( preg_match_all( '/(base64_decode|error_reporting|ini_set|eval)\s*\(/i', $_REQUEST['wpcode_snippet_code'], $matches ) ) {
							if ( count( $matches[0] ) > 10 ) {
								wp_die( esc_html__( 'You do not have permission to access this page.', 'insert-headers-and-footers' ) );
							}
						}
					}
				);
			}

			// https://wpscan.com/vulnerability/7835c8f9-701a-4eaa-924b-a27569a58124/
			// See: https://wp.me/p3btAN-2QV
			add_action(
				'wpmuadminedit',
				function () {
					if ( ! function_exists( 'wp_stream_get_instance' ) ) {
						return;
					}

					$instance = wp_stream_get_instance();
					if ( ! is_object( $instance ) || ! method_exists( $instance, 'get_version' ) ) {
						return;
					}

					if ( version_compare( $instance->get_version(), '4.0.1', '>' ) ) {
						return;
					}

					$allowed_referrers = [ 'wp_stream_network_settings', 'wp_stream_default_settings' ];
					if ( ! isset( $_GET['action'] ) || ! in_array( $_GET['action'], $allowed_referrers, true ) ) {
						return;
					}

					if ( ! current_user_can( 'manage_options' ) ) {
						wp_die( 'Access denied.' );
					}

					$options = isset( $_POST['option_page'] ) ? explode( ',', stripslashes( $_POST['option_page'] ) ) : [];
					if ( count( $options ) !== 1 || $options[0] !== 'wp_stream_network' ) {
						Atomic_Platform_Virtual_Patches::add_log( '7835c8f9-701a-4eaa-924b-a27569a58124', 'Option Blocked', $options );

						wp_die( 'Access deined.' );
					}
				},
				1
			);

			// https://wpscan.com/vulnerability/505aa04b-3969-4fea-a296-a6af7ef71409/
			// See: https://wp.me/p3btAN-2Wh
			add_action(
				'admin_init',
				function () {
					if ( ! defined( 'WC_VERSION' ) || version_compare( WC_VERSION, '9.4.3', '>=' ) ) {
						return;
					}

					global $pagenow;
					if ( $pagenow !== 'admin.php' ) {
						return;
					}

					$page = $_GET['page'] ?? '';
					$path = $_GET['path'] ?? '';

					if ( 'wc-admin' === $page && str_starts_with( $path, '/customize-store' ) ) {
						add_action(
							'admin_enqueue_scripts',
							function () {
								?><script type="text/javascript">
			window.addEventListener( 'message', function( event ) {
			if ( event.data.type === 'navigate' ) {
				const allowedOrigins = [ '<?php echo esc_js( home_url() ); ?>' ];
			if ( ! allowedOrigins.includes( event.origin ) ) {
			event.stopPropagation();
			event.stopImmediatePropagation();
			return;
			}
			}
			}, true );
			</script>
								<?php
							},
							-1
						);
					}
				}
			);

			// https://wpscan.com/vulnerability/efdb562c-8015-496c-905a-db2ca802ffa1/
			// See: https://wp.me/p3btAN-2Zo
			add_filter(
				'gform_get_field_value',
				function ( $value, $entry, $field ) {
					if ( ! class_exists( 'GFCommon' ) ) {
						return $value;
					}

					if ( ! property_exists( 'GFCommon', 'version' ) ) {
						return $value;
					}

					if ( version_compare( GFCommon::$version, '2.9.1', '>' ) ) {
						return $value;
					}

					if ( $field && isset( $field->type ) && $field->type === 'post_image' ) {
						$value = esc_attr( $value );
					}

					return $value;
				},
				10,
				3
			);

			// https://wpscan.com/vulnerability/0339fd81-3f5a-4e05-bbd0-206f0e9cace1/
			// See: https://wp.me/p3btAN-3eN
			add_action(
				'init',
				function () {
					if ( ! class_exists( 'GFForms' ) || ! isset( $_POST['gform_submit'] ) ) {
						return;
					}

					if ( version_compare( GFForms::$version, '2.9.18', '<' ) || version_compare( GFForms::$version, '2.9.20', '>' ) ) {
						return;
					}

					if ( isset( $_POST['gform_uploaded_files'] ) ) {
						$uploaded_files = json_decode( stripslashes( $_POST['gform_uploaded_files'] ), true );
					}

					if ( empty( $uploaded_files ) ) {
						return;
					}

					if ( is_array( $uploaded_files ) ) {
						array_walk_recursive(
							$uploaded_files,
							function ( $value, $key ) {
								if ( $key === 'url' && ! str_starts_with( $value, get_site_url() ) ) {
									Atomic_Platform_Virtual_Patches::add_log( '0339fd81-3f5a-4e05-bbd0-206f0e9cace1', 'File Blocked', $value );

									wp_die( 'Access denied', 403 );
								}
							}
						);
					}
				}
			);

			// https://wpscan.com/vulnerability/2e513930-ec01-4dc6-8991-645c5267e14c/
			// See https://wp.me/p3btAN-358
			add_action(
				'plugins_loaded',
				function () {
					if ( ! ( class_exists( 'order_delivery_date' ) && isset( $_FILES ) && isset( $_FILES['orddd-import-file'] ) ) ) {
						return;
					}

					global $orddd_version;

					if ( $orddd_version === null
						|| ! version_compare( $orddd_version, '2.0', '>=' )
						|| ! version_compare( $orddd_version, '12.3.1', '<' ) ) {
						return;
					}

					if ( ! ( current_user_can( 'manage_options' ) || current_user_can( 'manage_woocommerce' ) ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '2e513930-ec01-4dc6-8991-645c5267e14c', 'File Blocked', $_FILES['orddd-import-file'] );

						unset( $_FILES['orddd-import-file'] );
					}
				},
				10
			);

			// https://wpscan.com/vulnerability/31effe45-fe29-4e71-bcd4-c65f22a0dc81/
			add_filter(
				'rest_pre_dispatch',
				function ( $result, $server, $request ) {
					if ( ! defined( 'POST_SMTP_VER' ) || ! version_compare( POST_SMTP_VER, '3.3.0', '<' ) ) {
						return $result;
					}

					$route = strtolower( $request->get_route() );

					if ( str_contains( $route, '/psd/v1/' ) && ! current_user_can( 'manage_options' ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '31effe45-fe29-4e71-bcd4-c65f22a0dc81' );

						return new WP_Error(
							'rest_forbidden',
							'Access to this endpoint is restricted to administrators.',
							array( 'status' => 403 )
						);
					}

					return $result;
				},
				10,
				3
			);

			// https://wpscan.com/vulnerability/46854e0d-b84e-4cd2-a435-60184bd3a6e1/
			// See https://wp.me/p3btAN-3cD
			add_action(
				'plugins_loaded',
				function () {
					if ( class_exists( Tribe__Events__Main::class ) ) {
						$reflection = new ReflectionClass( Tribe__Events__Main::class );
						if ( $reflection->hasConstant( 'VERSION' ) ) {
							$version = $reflection->getConstant( 'VERSION' );
							if ( version_compare( $version, '6.15.1.1', '<' ) ) {
								add_action(
									'tec_events_custom_tables_v1_custom_tables_query_pre_get_posts',
									function ( $q ) {
										remove_filter( 'posts_orderby', [ $q, 'redirect_posts_orderby' ], 200 );
									},
									100
								);
							}
						}
					}
				}
			);

			// https://wpscan.com/vulnerability/c99bd60f-63b7-4373-a935-3d2da70169ab/
			add_filter(
				'posts_orderby',
				function ( $posts_orderby, $query ) {
					if ( ! class_exists( 'Tribe__Events__Main' ) ) {
						return $posts_orderby;
					}

					// Affected version: 6.15.1.1 - 6.15.9
					if ( ! ( version_compare( \Tribe__Events__Main::VERSION, '6.15.1.1', '>=' ) &&
					version_compare( \Tribe__Events__Main::VERSION, '6.15.9', '<=' ) ) ) {
						return $posts_orderby;
					}

					if ( ! isset( $_GET['view_data']['tribe-bar-search'] ) &&
					! isset( $_GET['tribe-events-views']['tribe-bar-search'] ) &&
					! isset( $_GET['tribe-bar-search'] ) &&
					! isset( $_GET['s'] ) ) {
						return $posts_orderby;
					}

					if ( ! is_string( $posts_orderby ) || trim( $posts_orderby ) === '' ) {
						return $posts_orderby;
					}

					$cleaned_orderbys = [];
					$orderbys         = explode( ',', $posts_orderby );
					foreach ( $orderbys as $orderby_frag ) {
						$trimmed_frag = trim( $orderby_frag );
						if ( stripos( $trimmed_frag, 'rand' ) === 0 ) {
							// Only allow the exact RAND() function to prevent SQL injection
							if ( preg_match( '/^rand\s*\(\s*\)$/i', $trimmed_frag ) ) {
								$cleaned_orderbys[] = 'RAND()';
							}
						} else {
							$cleaned_orderbys[] = $trimmed_frag;
						}
					}

					return implode( ', ', $cleaned_orderbys );
				},
				199,
				2
			);

			// https://wpscan.com/vulnerability/476dae92-b86b-4acc-909d-28992438e404/
			// See https://wp.me/p3btAN-3eL
			add_filter(
				'block_type_metadata_settings',
				function ( $settings ) {
					if ( defined( 'GUTENBERG_VERSION' ) && version_compare( GUTENBERG_VERSION, '21.9.0', '<' ) ) {
						if ( ! empty( $settings['render_callback'] ) && $settings['render_callback'] === 'gutenberg_render_block_core_terms_query' ) {
							$settings['render_callback'] = function ( $attributes, $content, $block ) {
								return wp_kses_post( gutenberg_render_block_core_terms_query( $attributes, $content, $block ) );
							};
						}
					}

					return $settings;
				}
			);

			add_filter(
				'rest_endpoints',
				function ( $endpoints ) {
					// https://wpscan.com/vulnerability/036554f5-253a-45b5-8c2c-4e34094f5859/
					if ( defined( 'SURE_TRIGGERS_REST_NAMESPACE' ) && defined( 'SURE_TRIGGERS_VER' ) ) {
						$affected_endpoint = '/' . SURE_TRIGGERS_REST_NAMESPACE . '/connection/create-wp-connection';

						if ( isset( $endpoints[ $affected_endpoint ] ) && version_compare( SURE_TRIGGERS_VER, '1.0.83', '<' ) ) {
							unset( $endpoints[ $affected_endpoint ] );
						}
					}

					// https://wpscan.com/vulnerability/c815babc-2a9d-4d2a-901e-13b4825526f1/
					if ( defined( 'WP_STATISTICS_VERSION' ) && version_compare( WP_STATISTICS_VERSION, '14.15.5', '<' ) ) {
						unset( $endpoints['/wp-statistics/v2/hit'] );
						unset( $endpoints['/wp-statistics/v2/online'] );
					}

					// https://wpscan.com/vulnerability/f6e6b774-94a8-4571-9c40-cc6a454b442c/
					// below 5.3.2, the version is set by define( 'FMA_VERSION', '5.3.1' . time() );, hence the substr below
					if ( defined( 'FMA_VERSION' ) && version_compare( substr( FMA_VERSION, 0, 5 ), '5.3.2', '<' ) ) {
						foreach ( $endpoints as $route => $handlers ) {
							if ( $route === '/file-manager-advanced/v1/hide-banner' || $route === '/file-manager-advanced/v1/minimize-maximize-banner' ) {
								foreach ( $handlers as $key => $handler ) {
									if ( is_numeric( $key ) && is_array( $handler ) ) {
										$handlers[ $key ]['permission_callback'] = function () {
											return current_user_can( 'manage_options' );
										};
									}
								}

								$endpoints[ $route ] = $handlers;
							}
						}
					}

					return $endpoints;
				}
			);

			// https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/
			add_action(
				'admin_init',
				function () {
					if ( defined( 'WPGMZA_FILE' ) ) {
						$all_plugins = get_plugins();

						if ( isset( $all_plugins['wp-google-maps/wpGoogleMaps.php'] ) ) {
							if ( version_compare( $all_plugins['wp-google-maps/wpGoogleMaps.php']['Version'], '9.0.48', '<' ) ) {
								remove_action( 'wp_ajax_wpgmza_store_nominatim_cache', 'WPGMZA\\store_nominatim_cache' );
								remove_action( 'wp_ajax_nopriv_wpgmza_store_nominatim_cache', 'WPGMZA\\store_nominatim_cache' );
							}
						}
					}
				}
			);

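			// https://wpscan.com/vulnerability/e654ece1-120e-4fe4-9923-180df20671bf/
			// Login And Logout Redirect: open redirect on logout. Hooked on login_init at priority 1 so it runs
			// before the plugin's own hooks; when the requested redirect_to differs from the configured logout
			// URL, we redirect ourselves through wp_safe_redirect() (which falls back to the admin URL for hosts
			// not in allowed_redirect_hosts) and exit before the plugin can issue its unsafe redirect.
			add_action(
				'login_init',
				function () {
					// Ensure the plugin exists
					if ( ! class_exists( Login_And_Logout_Redirect::class ) ) {
						return;
					}

					// Ensure the plugin would actually be in a vulnerable state
					if ( empty( $_REQUEST['action'] ) || empty( $_REQUEST['redirect_to'] ) || $_REQUEST['action'] !== 'logout' ) {
						return;
					}

					// The plugin is only vulnerable when a non-logged-in user visits a trapped URL
					// So, if they are logged in, we don't need to do anything here.
					if ( is_user_logged_in() ) {
						return;
					}

					$redirect = '';

					// is_plugin_active_for_network() is defined in wp-admin/includes/plugin.php, which is not
					// guaranteed to be loaded on wp-login.php: load it on demand so a multisite login page cannot fatal here.
					if ( is_multisite() ) {
						if ( ! function_exists( 'is_plugin_active_for_network' ) ) {
							require_once ABSPATH . 'wp-admin/includes/plugin.php';
						}

						if ( is_plugin_active_for_network( 'login-and-logout-redirect/login-and-logout-redirect.php' ) ) {
							$redirect = get_site_option( 'logout_redirect_url' );
						}
					}

					if ( ! $redirect ) {
						$redirect = get_option( 'logout_redirect_url' );
					}

					// If the redirect is not the one the plugin expects,
					// rely on wp_safe_redirect() to make things safer.
					// NOTE(review): when no logout_redirect_url option is configured nothing is done here; this
					// assumes the plugin does not redirect at all in that case — confirm against the plugin.
					if ( $redirect && $redirect !== $_REQUEST['redirect_to'] ) {
						Atomic_Platform_Virtual_Patches::add_log( 'e654ece1-120e-4fe4-9923-180df20671bf', 'Redirect Blocked', $_REQUEST['redirect_to'] );

						wp_safe_redirect( $_REQUEST['redirect_to'] );
						exit;
					}
				},
				1 // Hook at priority one, before the plugin hooks
			);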

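			// Elegant Themes (et_core) portability / theme-builder import hardening: these AJAX handlers only ever
			// consume a .json export, so anything else uploaded under `file` is rejected before the handler runs.
			// Applied regardless of the installed version (no version constant is checked here).
			// TODO: no WPScan UUID is attached to this hardening, hence no add_log() call; add one when available.
			$et_sp6_harden_json_import = function () {
				if ( empty( $_FILES['file'] ) ) {
					return;
				}

				$upload_name = $_FILES['file']['name'] ?? null;

				// A multi-file upload (file[]) yields an array here; treat it like a bad extension rather than
				// letting sanitize_file_name() choke on it.
				if ( ! is_string( $upload_name ) || ! str_ends_with( sanitize_file_name( $upload_name ), '.json' ) ) {
					// 403 instead of a bare die() so the block is visible as such in access logs and to monitoring,
					// consistent with the other vPatches in this file.
					wp_die( 'Denied', 403 );
				}
			};
			add_action( 'wp_ajax_et_core_portability_import', $et_sp6_harden_json_import, 0 );
			add_action( 'wp_ajax_et_theme_builder_api_import_theme_builder', $et_sp6_harden_json_import, 0 );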

			// See https://wp.me/p3btAN-3gm / https://wpscan.com/vulnerability/21bc9b41-a967-42dc-9916-bb993b05709c/
			// wpDiscuz < 7.6.40: refuse the `disqus` provider on the wpd_login_callback admin action.
			add_action(
				'admin_init',
				function () {
					if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'wpd_login_callback' ) {
						return;
					}

					// The plugin does not have its version in a constant or attribute, only in their main file header/readme
					$installed = get_plugins();
					$main_file = 'wpdiscuz/class.WpdiscuzCore.php';
					$ver       = $installed[ $main_file ]['Version'] ?? null;

					if ( null === $ver || ! version_compare( $ver, '7.6.40', '<' ) ) {
						return;
					}

					// Inspect $_GET and $_POST separately rather than $_REQUEST: WordPress rebuilds $_REQUEST as
					// GET+POST with POST winning, so a harmless value in one source could mask a malicious one in the other.
					foreach ( [ $_GET, $_POST ] as $bag ) {
						if ( isset( $bag['provider'] ) && sanitize_text_field( $bag['provider'] ) === 'disqus' ) {
							Atomic_Platform_Virtual_Patches::add_log( '21bc9b41-a967-42dc-9916-bb993b05709c' );

							wp_die( 'Disqus Provider Disabled', 403 );
						}
					}
				}
			);

			// https://wpscan.com/vulnerability/4b19a333-eb19-4903-aa96-1fe871dd0f9f/
			// Ninja Forms 3.13.1 - 3.13.3: the /ninja-forms-views/token/refresh REST route is the vector (see the
			// advisory). Before dispatch, tie the request to the page the caller claims to come from (Referer):
			// that post must exist, embed the submissions-table block for every requested formId, and be readable
			// by the caller. A spoofed Referer does not help an attacker: they would need a post that already
			// contains the block for the target form, which only someone able to edit content can create.
			add_filter(
				'rest_pre_dispatch',
				function ( $val, $rest_server, $request ) {
					if ( ! class_exists( 'Ninja_Forms' ) ) {
						return $val;
					}

					if ( empty( Ninja_Forms::VERSION ) ) {
						return $val;
					}

					// Exact match on the three affected releases rather than a version range.
					if ( ! in_array( Ninja_Forms::VERSION, [ '3.13.1', '3.13.2', '3.13.3' ], true ) ) {
						return $val;
					}

					if ( ! preg_match( '#^/ninja-forms-views/token/refresh#i', $request->get_route(), $matches ) ) {
						return $val;
					}

					// wp_get_referer() returns false when the header is absent (or points at the current request).
					$referer = wp_get_referer();

					if ( ! $referer ) {
						return new WP_Error( 403, 'Invalid Referer.', [ 'status' => 403 ] );
					}

					// Collect the requested ids from both the plural (array) and the singular parameter.
					$formIds = [];

					if ( isset( $request['formIds'] ) && is_array( $request['formIds'] ) ) {
						$formIds = $request['formIds'];
					}

					if ( ! empty( $request['formId'] ) ) {
						$formIds[] = $request['formId'];
					}

					$formIds = array_map( 'absint', $formIds );

					// Sanity check that this won't DOS the server
					if ( count( $formIds ) > 5 ) {
						return new WP_Error( 403, 'Too many formIds.', [ 'status' => 403 ] );
					}

					// Resolve the Referer to a post; url_to_postid() yields 0 (and get_post() null) when it cannot.
					$post = get_post( url_to_postid( $referer ) );

					if ( ! $post ) {
						return new WP_Error( 403, 'Invalid Post.', [ 'status' => 403 ] );
					}

					if ( ! has_block( 'ninja-forms/submissions-table', $post ) ) {
						return new WP_Error( 403, 'Invalid Post.', [ 'status' => 403 ] );
					}

					// Every requested id must appear as the formID attribute of a submissions-table block on that post.
					// NOTE(review): this assumes the block serializes formID as a quoted string; a numeric
					// serialization ({"formID":5}) would not match — confirm against the block's attribute schema.
					foreach ( $formIds as $formId ) {
						if ( ! str_contains( $post->post_content, 'ninja-forms/submissions-table {"formID":"' . $formId . '"' ) ) {
							return new WP_Error( 403, 'Invalid Post.', [ 'status' => 403 ] );
						}
					}

					// If post is public _and_ password-protected, but user hasn't provided a valid password
					$is_public = is_post_publicly_viewable( $post );
					if ( $is_public && post_password_required( $post ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '4b19a333-eb19-4903-aa96-1fe871dd0f9f' );

						return new WP_Error( 403, 'Invalid Post.', [ 'status' => 403 ] );
					}

					// If post is private or just generally not public, and logged-in user cannot read it
					if ( ! $is_public && ! current_user_can( 'read_post', $post ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '4b19a333-eb19-4903-aa96-1fe871dd0f9f' );

						return new WP_Error( 403, 'Invalid Post.', [ 'status' => 403 ] );
					}

					return $val;
				},
				0,
				3
			);

			// See: https://wpscan.com/vulnerability/11bb6d7a-38e5-4d4d-9f4b-04ad05b13425/
			// SureRank < 1.4.0: the raw search query ends up in the search title; swap it for the escaped form
			// WordPress produces (get_search_query() is esc_attr()'d by default).
			// NOTE(review): this only helps when $search_query is the raw query WordPress knows about
			// (get_query_var('s')); if the plugin passes an already-transformed value, str_replace() won't match.
			add_filter(
				'surerank_search_title',
				function ( $title, $search_query ) {
					$is_vulnerable = defined( 'SURERANK_VERSION' ) && version_compare( SURERANK_VERSION, '1.4.0', '<' );

					if ( ! $is_vulnerable ) {
						return $title;
					}

					return str_replace( $search_query, get_search_query(), $title );
				},
				100,
				2
			);

			// https://wpscan.com/vulnerability/8fef9fe6-dee2-4f98-8cfe-8445622eb53b/
			// WooLentor <= 3.2.5 (inclusive): fully unhook the load-more-products AJAX handlers, auth and nopriv.
			add_action(
				'admin_init',
				function () {
					$is_vulnerable = defined( 'WOOLENTOR_VERSION' ) && version_compare( WOOLENTOR_VERSION, '3.2.5', '<=' );

					if ( ! $is_vulnerable ) {
						return;
					}

					foreach ( [ 'wp_ajax_woolentor_load_more_products', 'wp_ajax_nopriv_woolentor_load_more_products' ] as $ajax_hook ) {
						remove_all_actions( $ajax_hook );
					}
				}
			);

			// https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-sneeit-framework-plugin/
			// https://wpscan.com/vulnerability/8e67c9fa-4b3e-4485-9535-916dfb794f07/
			// Sneeit Framework < 8.4: the only legitimate `callback` for sneeit_articles_pagination is
			// fn_block_pagination; any other value is denied. $_GET and $_POST are inspected separately because
			// WordPress rebuilds $_REQUEST as GET+POST (POST winning), which a single-source check could be fooled by.
			add_action(
				'admin_init',
				function () {
					$is_vulnerable = defined( 'SNEEIT_PLUGIN_VERSION' ) && version_compare( SNEEIT_PLUGIN_VERSION, '8.4', '<' );

					if ( ! $is_vulnerable ) {
						return;
					}

					if ( ( $_REQUEST['action'] ?? null ) !== 'sneeit_articles_pagination' ) {
						return;
					}

					foreach ( [ $_GET, $_POST ] as $bag ) {
						if ( ! isset( $bag['callback'] ) ) {
							continue;
						}

						// Strict comparison: a non-string (e.g. callback[]=...) is also treated as unexpected.
						if ( $bag['callback'] !== 'fn_block_pagination' ) {
							Atomic_Platform_Virtual_Patches::add_log( '8e67c9fa-4b3e-4485-9535-916dfb794f07', 'Callback Blocked', $bag['callback'] );

							wp_die( 'Denied', 403 );
						}
					}
				}
			);

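			// https://wpscan.com/vulnerability/f55fd7d3-7fbe-474f-9406-f47f8aee5e57/
			// https://wp.me/p3btAN-3hn-p2
			// WooCommerce 8.1.0 <= v < 10.4.3: Store API GET /wc/store(/v1)/order/{id}. Re-implement the ownership
			// check before the route's own callbacks run:
			//   - orders tied to a customer account are only served to that account;
			//   - guest orders additionally require the order key and (when the order has one) the billing email.
			add_filter(
				'rest_pre_dispatch',
				function ( $result, $server, $request ) {
					if ( ! ( defined( 'WC_VERSION' ) && version_compare( WC_VERSION, '8.1.0', '>=' ) && version_compare( WC_VERSION, '10.4.3', '<' ) ) ) {
						return $result;
					}

					$route = $request->get_route();

					// Only target the order endpoint.
					if ( ! preg_match( '#^/wc/store(/v1)?/order/(\d+)$#i', $route, $matches ) ) {
						return $result;
					}

					$order_id = absint( $matches[2] );
					$order    = wc_get_order( $order_id );

					// wc_get_order() returns false for unknown ids but can also hand back a refund object for a
					// refund id; anything that is not a WC_Order lacks get_customer_id()/get_order_key(), so treat
					// it as "no such order" instead of risking a fatal.
					if ( ! $order instanceof WC_Order ) {
						return new WP_Error( 'woocommerce_rest_invalid_order', 'Invalid order ID.', array( 'status' => 404 ) );
					}

					$order_customer_id = (int) $order->get_customer_id();
					$current_user_id   = (int) get_current_user_id();

					// Customer order: only the owner can access. This intentionally applies to staff accounts too;
					// the Store API is a customer-facing surface.
					if ( $order_customer_id > 0 ) {
						if ( $current_user_id !== $order_customer_id ) {
							return new WP_Error( 'woocommerce_rest_invalid_user', 'This order belongs to a different customer.', array( 'status' => 403 ) );
						}
						return $result; // Owner - allow.
					}

					// Guest order: require key + email.
					$order_key     = sanitize_text_field( wp_unslash( $request->get_param( 'key' ) ) );
					$billing_email = sanitize_text_field( wp_unslash( $request->get_param( 'billing_email' ) ) );

					// The order key is a bearer secret: compare it in constant time.
					if ( ! $order_key || ! hash_equals( (string) $order->get_order_key(), (string) $order_key ) ) {
						return new WP_Error( 'woocommerce_rest_invalid_order_key', 'Invalid order key.', array( 'status' => 401 ) );
					}

					$order_email = $order->get_billing_email();

					// An order without a billing email cannot require one; otherwise the caller must supply it.
					if ( ! $billing_email && ! empty( $order_email ) ) {
						return new WP_Error( 'woocommerce_rest_invalid_billing_email', 'Billing email required.', array( 'status' => 401 ) );
					}

					// Email addresses are compared case-insensitively.
					if ( 0 !== strcasecmp( (string) $order_email, (string) $billing_email ) ) {
						return new WP_Error( 'woocommerce_rest_invalid_billing_email', 'Invalid billing email.', array( 'status' => 401 ) );
					}

					return $result;
				},
				10,
				3
			);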

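			// https://wpscan.com/vulnerability/344cb1b1-342e-44b2-ae4a-3bb31be56b22/
			// https://wp.me/p3btAN-3hC-p2
			// https://wpscan.com/vulnerability/a1403186-51aa-4eae-a3fe-0c559570eb93/
			// https://wp.me/p3btAN-3hr-p2
			// Profile Builder 1.1.27 .. 3.15.1 and Login Customizer 2.1.0 .. 2.5.3: whenever WordPress generates a
			// random password while a `user_pass` is present in $_POST, the submitted value is dropped so only the
			// generated one can be used downstream (see the advisories for the flows this protects).
			add_action(
				'init',
				function () {
					$vuln_uuid = null;

					if ( defined( 'PROFILE_BUILDER_VERSION' ) && version_compare( PROFILE_BUILDER_VERSION, '1.1.27', '>=' ) && version_compare( PROFILE_BUILDER_VERSION, '3.15.2', '<' ) ) {
						$vuln_uuid = '344cb1b1-342e-44b2-ae4a-3bb31be56b22';
					} elseif ( defined( 'LOGINCUST_FREE_VERSION' ) && version_compare( LOGINCUST_FREE_VERSION, '2.1.0', '>=' ) && version_compare( LOGINCUST_FREE_VERSION, '2.5.4', '<' ) ) {
						// LOGINCUST_FREE_VERSION is at https://plugins.trac.wordpress.org/browser/login-customizer/trunk/src/Essentials.php?marks=29.53#L29
						// The login-customizer issue was introduced in 2.1.1 however the plugin forgot to update the constant and it stayed at 2.1.0 for quite some time
						// See https://plugins.trac.wordpress.org/browser/login-customizer/tags/2.1.1/src/Essentials.php
						$vuln_uuid = 'a1403186-51aa-4eae-a3fe-0c559570eb93';
					}

					if ( null === $vuln_uuid ) {
						return;
					}

					// The UUID is tied to the plugin whose vulnerable version range actually matched, rather than
					// to "Profile Builder, if installed at all" — that mis-attributed the log entry whenever a
					// patched Profile Builder coexisted with a vulnerable Login Customizer.
					add_filter(
						'random_password',
						function ( $password ) use ( $vuln_uuid ) {
							if ( isset( $_POST['user_pass'] ) ) {
								Atomic_Platform_Virtual_Patches::add_log( $vuln_uuid );

								unset( $_POST['user_pass'] );
							}
							return $password;
						},
						1
					);
				}
			);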

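			// https://wpscan.com/vulnerability/e28e37b0-b11d-489c-bc77-12410cc91e24/
			// LayerSlider 7.9.11 .. 7.10.1 (inclusive): ls_get_popup_markup must receive a scalar `id`; a
			// structured (array) id is denied. Both $_GET and $_POST are inspected: WordPress' $_REQUEST is GET+POST
			// with POST winning, so a single-source check could be masked.
			// NOTE(review): the original patch only looked at $_GET['id']; $_POST is included fail-closed in case
			// the plugin reads the id through $_REQUEST — confirm against the plugin.
			add_action(
				'admin_init',
				function () {
					if ( ! defined( 'LS_PLUGIN_VERSION' ) ) {
						return;
					}

					if ( version_compare( LS_PLUGIN_VERSION, '7.9.11', '<' ) || version_compare( LS_PLUGIN_VERSION, '7.10.1', '>' ) ) {
						return;
					}

					if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'ls_get_popup_markup' ) {
						return;
					}

					foreach ( [ $_GET, $_POST ] as $bag ) {
						if ( isset( $bag['id'] ) && ! is_scalar( $bag['id'] ) ) {
							Atomic_Platform_Virtual_Patches::add_log( 'e28e37b0-b11d-489c-bc77-12410cc91e24' );

							wp_die( 'Denied', 403 );
						}
					}
				}
			);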

			// https://wpscan.com/vulnerability/b0d583a2-14e1-40bc-b875-3b48e992b803/
			// MWAI < 3.1.4: hide the per-token MCP routes (/mcp/v1/<segment>/sse and /messages) from the REST index
			// (show_in_index = false). The handlers themselves stay registered and callable.
			// Priority 999 so this runs after the plugin has added its routes.
			add_filter(
				'rest_endpoints',
				function ( $endpoints ) {
					$is_vulnerable = defined( 'MWAI_VERSION' ) && version_compare( MWAI_VERSION, '3.1.4', '<' );

					if ( ! $is_vulnerable ) {
						return $endpoints;
					}

					$mcp_route_pattern = '#^/mcp/v1/[^/]+/(?:sse|messages)$#';

					foreach ( $endpoints as $route => $handlers ) {
						if ( ! preg_match( $mcp_route_pattern, $route ) ) {
							continue;
						}

						// Numeric keys are the individual handler definitions; string keys are route metadata.
						foreach ( $handlers as $idx => $handler ) {
							if ( is_numeric( $idx ) && is_array( $handler ) ) {
								$handlers[ $idx ]['show_in_index'] = false;
							}
						}

						$endpoints[ $route ] = $handlers;
					}

					return $endpoints;
				},
				999
			);

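			// https://wpscan.com/vulnerability/3ccaa0fd-b11c-4f9f-bab5-644a53b11035/
			// Modular Connector 1.5.0 .. 2.5.1 (inclusive): requests under /api/modular-connector/ that carry a
			// `type` parameter together with origin=mo or a ModularConnector user agent are the exploit
			// pre-conditions; such requests are denied.
			add_action(
				'init',
				function () {
					if ( ! defined( 'MODULAR_CONNECTOR_VERSION' ) ) {
						return;
					}

					if ( version_compare( MODULAR_CONNECTOR_VERSION, '1.5.0', '<' ) || version_compare( MODULAR_CONNECTOR_VERSION, '2.5.1', '>' ) ) {
						return;
					}

					$request_uri = $_SERVER['REQUEST_URI'] ?? '';

					// Routes are case sensitive. REQUEST_URI includes the query string, so a matching substring in
					// the query also triggers this — that only makes the check fire more often, never less.
					if ( ! isset( $_GET['type'] ) || ! str_contains( $request_uri, '/api/modular-connector/' ) ) {
						return;
					}

					// To exploit the issue, the GET['type'] must be set (any value, checked above), then the origin
					// must === 'mo' OR the User-Agent must contain "ModularConnector" (case sensitive; the plugin's
					// own agent looks like "ModularConnector/* (Linux)").
					$origin_is_mo = isset( $_GET['origin'] ) && $_GET['origin'] === 'mo';
					$ua_is_mc     = isset( $_SERVER['HTTP_USER_AGENT'] ) && str_contains( $_SERVER['HTTP_USER_AGENT'], 'ModularConnector' );

					if ( $origin_is_mo || $ua_is_mc ) {
						// REQUEST_URI already carries the query string; appending $_SERVER['QUERY_STRING'] duplicated
						// it and raised an undefined-index warning when QUERY_STRING was not populated.
						Atomic_Platform_Virtual_Patches::add_log( '3ccaa0fd-b11c-4f9f-bab5-644a53b11035', 'Route Blocked', $request_uri );

						wp_die( 'Denied', 403 );
					}
				}
			);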

			// https://wpscan.com/vulnerability/691b01af-a6cc-47bc-b473-cfbde662d461/
			// ACF Extended 0.9 .. 0.9.2.1: a form's user action whose `role` comes from a user-facing field
			// (a value starting with '{', i.e. a template placeholder) is only allowed for users with promote_users.
			add_action(
				'acfe/form/validate_user',
				function ( $form, $action ) {
					$is_vulnerable = defined( 'ACFE_VERSION' )
						&& version_compare( ACFE_VERSION, '0.9', '>=' )
						&& version_compare( ACFE_VERSION, '0.9.2.2', '<' );

					if ( ! $is_vulnerable ) {
						return;
					}

					if ( ( $action['action'] ?? null ) !== 'user' ) {
						return;
					}

					$user_action_types = [ 'insert_user', 'update_user' ];

					if ( ! in_array( $action['type'] ?? null, $user_action_types, true ) ) {
						return;
					}

					$role = $action['save']['role'] ?? null;

					if ( empty( $role ) ) {
						return;
					}

					// A literal role name is fine; only a role tied to a user-facing field (leading '{') is gated.
					if ( ! is_string( $role ) || ! str_starts_with( $role, '{' ) ) {
						return;
					}

					if ( current_user_can( 'promote_users' ) ) {
						return;
					}

					Atomic_Platform_Virtual_Patches::add_log( '691b01af-a6cc-47bc-b473-cfbde662d461', 'Blocked Role', $role );

					// Hard stop: this is not an ACF validation error, the request is terminated here.
					wp_die( 'Access denied', 403 );
				},
				0, // priority
				2 // accepted_args
			);

			// https://wpscan.com/vulnerability/501a3352-7597-409a-aa30-0a2dd6e1592f/
			// WooCommerce Multilingual < 5.3.9: the icl_custom_tax_sync_options AJAX action is only let through
			// for users with manage_options; everyone else is denied.
			add_action(
				'init',
				function () {
					if ( ! defined( 'WCML_VERSION' ) || ! version_compare( WCML_VERSION, '5.3.9', '<' ) ) {
						return;
					}

					if ( current_user_can( 'manage_options' ) ) {
						return;
					}

					$ajax_action = $_POST['icl_ajx_action'] ?? null;

					if ( 'icl_custom_tax_sync_options' !== $ajax_action ) {
						return;
					}

					Atomic_Platform_Virtual_Patches::add_log( '501a3352-7597-409a-aa30-0a2dd6e1592f' );

					wp_die( 'Access Denied', 403 );
				}
			);

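			/**
			 * The logging and protection are separated because:
			 * - if both were hooked to get_comment_text, we would have log everytime a malicious comment is displayed
			 * - if both were hooked to preprocess_comment, existing payloads would not be processed, and we would modify comments before they are saved,
			 *   which could cause some issue (ie the original comment data is lost and replaced with a sanitized one).
			 *   Furthermore, the plugin actually modifies the comment before it is displayed, and then it becomes injected.
			 *   When saved, the comment is not actually malicious.
			 *
			 * That way, we log when a comment is added/updated and protect it via sanitization when the comment is displayed
			 *
			 * Logging for
			 * https://wpscan.com/vulnerability/a45c74b7-b174-479f-9681-464601b082df/
			 * https://wpscan.com/vulnerability/fa3a84b6-6d5d-4e10-8587-ae49c127483b/
			 *
			 * Responsive Lightbox 1.7.0 .. 2.6.0: a comment carrying `data-rel` is logged here when wp_kses_post()
			 * would alter it (i.e. it contains markup the display-time sanitizer will strip). Nothing is modified.
			 */
			add_filter(
				'preprocess_comment',
				function ( $comment_data ) {
					if ( ! defined( 'RESPONSIVE_LIGHTBOX_URL' ) ) {
						return $comment_data;
					}

					$content = $comment_data['comment_content'] ?? null;

					if ( ! is_string( $content ) || stripos( $content, 'data-rel' ) === false ) {
						return $comment_data;
					}

					// preprocess_comment runs on wp-comments-post.php (front end), where wp-admin/includes/plugin.php
					// — and with it get_plugins() — is not loaded; pull it in rather than fatal on the first such comment.
					if ( ! function_exists( 'get_plugins' ) ) {
						require_once ABSPATH . 'wp-admin/includes/plugin.php';
					}

					$all_plugins = get_plugins();
					$slug        = 'responsive-lightbox/responsive-lightbox.php';

					$is_vulnerable = isset( $all_plugins[ $slug ] )
						&& version_compare( $all_plugins[ $slug ]['Version'], '1.7.0', '>=' )
						&& version_compare( $all_plugins[ $slug ]['Version'], '2.6.1', '<' );

					if ( $is_vulnerable && $content !== wp_kses_post( $content ) ) {
						Atomic_Platform_Virtual_Patches::add_log( 'fa3a84b6-6d5d-4e10-8587-ae49c127483b', 'Sanitized Comment', $comment_data );
					}

					return $comment_data;
				},
				999
			);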
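			/** vPatch Sanitization for
			 * https://wpscan.com/vulnerability/a45c74b7-b174-479f-9681-464601b082df/
			 * https://wpscan.com/vulnerability/fa3a84b6-6d5d-4e10-8587-ae49c127483b/
			 *
			 * Responsive Lightbox 1.7.0 .. 2.6.0: comments containing `data-rel` are passed through wp_kses_post()
			 * at display time. This runs for every rendered comment, so the (disk-reading) version lookup is done
			 * at most once per request.
			 */
			add_filter(
				'get_comment_text',
				function ( $comment_content ) {
					static $is_vulnerable = null;

					if ( ! defined( 'RESPONSIVE_LIGHTBOX_URL' ) || ! is_string( $comment_content ) || stripos( $comment_content, 'data-rel' ) === false ) {
						return $comment_content;
					}

					if ( null === $is_vulnerable ) {
						// get_plugins() lives in wp-admin/includes/plugin.php, which is not loaded on front-end
						// requests (where comments are rendered); load it rather than fatal.
						if ( ! function_exists( 'get_plugins' ) ) {
							require_once ABSPATH . 'wp-admin/includes/plugin.php';
						}

						$all_plugins   = get_plugins();
						$slug          = 'responsive-lightbox/responsive-lightbox.php';
						$is_vulnerable = isset( $all_plugins[ $slug ] )
							&& version_compare( $all_plugins[ $slug ]['Version'], '1.7.0', '>=' )
							&& version_compare( $all_plugins[ $slug ]['Version'], '2.6.1', '<' );
					}

					return $is_vulnerable ? wp_kses_post( $comment_content ) : $comment_content;
				},
				999
			);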

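			// https://wpscan.com/vulnerability/78b2042a-683f-4a80-8b7a-c4c06aadca01
			// Plugin behind SCCP_NAME_VERSION, < 4.4.5: stored XSS through ays_sb_name_field_* POST fields.
			// Any '<' in those fields — including inside nested array values such as ays_sb_name_field_x[]=... — is denied.
			add_action(
				'init',
				function () {
					if ( ! defined( 'SCCP_NAME_VERSION' ) || ! version_compare( SCCP_NAME_VERSION, '4.4.5', '<' ) || empty( $_POST ) ) {
						return;
					}

					foreach ( $_POST as $post_key => $post_value ) {
						if ( stripos( (string) $post_key, 'ays_sb_name_field_' ) !== 0 ) {
							continue;
						}

						// Walk nested values: str_contains() on an array is a TypeError in PHP 8, which would turn
						// a crafted array field into a 500 instead of a clean 403 (and skip the check entirely).
						$has_tag = false;
						if ( is_array( $post_value ) ) {
							array_walk_recursive(
								$post_value,
								function ( $leaf ) use ( &$has_tag ) {
									if ( is_string( $leaf ) && str_contains( $leaf, '<' ) ) {
										$has_tag = true;
									}
								}
							);
						} else {
							$has_tag = str_contains( (string) $post_value, '<' );
						}

						if ( $has_tag ) {
							Atomic_Platform_Virtual_Patches::add_log( '78b2042a-683f-4a80-8b7a-c4c06aadca01', 'Blocked XSS', $post_value );

							wp_die( 'Denied', 403 );
						}
					}
				}
			);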

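			// https://wpscan.com/vulnerability/26d5963e-63bf-468c-877e-fd376e491773/
			// Plugin behind BDP_VERSION, < 4.0.1: the `design` value inside the JSON `shrt_param` of the
			// bdp_load_more_posts AJAX action is reported as a local file inclusion vector; traversal-looking
			// values are rejected before the handler runs.
			add_action(
				'admin_init',
				function () {
					if ( ! defined( 'BDP_VERSION' ) || ! version_compare( BDP_VERSION, '4.0.1', '<' ) ) {
						return;
					}

					if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'bdp_load_more_posts' || ! isset( $_POST['shrt_param'] ) ) {
						return;
					}

					// json_decode() needs a string; a structured value (shrt_param[]=...) is never a valid JSON
					// payload, so refuse it instead of letting it become a TypeError / 500.
					if ( ! is_string( $_POST['shrt_param'] ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '26d5963e-63bf-468c-877e-fd376e491773', 'LFI Blocked', $_POST['shrt_param'] );

						wp_die( 'Access Denied', 403 );
					}

					$params = json_decode( wp_unslash( $_POST['shrt_param'] ), true );

					if ( ! is_array( $params ) || ! isset( $params['design'] ) ) {
						return;
					}

					$design = $params['design'];

					// A non-scalar design cannot be a valid template name; a NUL byte or '..' never is either.
					$is_traversal = ! is_scalar( $design )
						|| str_contains( (string) $design, '..' )
						|| str_contains( (string) $design, "\0" );

					if ( $is_traversal ) {
						Atomic_Platform_Virtual_Patches::add_log( '26d5963e-63bf-468c-877e-fd376e491773', 'LFI Blocked', $design );

						wp_die( 'Access Denied', 403 );
					}
				}
			);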

			// https://wpscan.com/vulnerability/42f7ac2a-7b2a-4b03-a84b-058f254cf15a/
			// Stocktend (PRFI_VERSION): the /stocktend/v1/stocktend_object REST routes are administrator-only.
			// PRFI_VERSION is only used as a "plugin present" marker because its value is not kept up to date.
			add_filter(
				'rest_request_before_callbacks',
				function ( $response, $handler, $request ) {
					if ( ! defined( 'PRFI_VERSION' ) ) {
						return $response;
					}

					$route = strtolower( $request->get_route() );

					if ( ! str_starts_with( $route, '/stocktend/v1/stocktend_object' ) ) {
						return $response;
					}

					// phpcs:ignore WordPress.WP.Capabilities.RoleFound
					if ( current_user_can( 'administrator' ) ) {
						return $response;
					}

					// The raw request body is logged for triage; it is attacker-controlled data.
					Atomic_Platform_Virtual_Patches::add_log( '42f7ac2a-7b2a-4b03-a84b-058f254cf15a', 'REST Blocked', $request->get_body() );

					return new WP_Error(
						'rest_forbidden',
						'Sorry, you are not allowed to do that.',
						[ 'status' => 401 ]
					);
				},
				1,
				3
			);

			// https://wpscan.com/vulnerability/3f9147f7-9aec-4dd8-be6e-cd7448dbe6dc
			// Excel-like price change (class below): any request carrying `scemail` is reserved for users with
			// edit_users; everyone else is denied. No version gate is applied here.
			add_action(
				'init',
				function () {
					if ( ! class_exists( 'excellikepricechangeforwoocommerceandwpecommercelight' ) ) {
						return;
					}

					if ( ! isset( $_REQUEST['scemail'] ) ) {
						return;
					}

					if ( current_user_can( 'edit_users' ) ) {
						return;
					}

					// The whole request is logged for triage; it is attacker-controlled data.
					Atomic_Platform_Virtual_Patches::add_log( '3f9147f7-9aec-4dd8-be6e-cd7448dbe6dc', 'PRIVESC Blocked', $_REQUEST );

					wp_die( 'Denied', 403 );
				}
			);

			// https://wpscan.com/vulnerability/bfcb8c41-1ccd-4f21-bf13-c2398e1948fc
			// EasyStripe < 1.2: easystripe_load_function takes a function name from POST. Require manage_options
			// AND restrict `function` to the two report callbacks, so even an admin cannot name anything else.
			add_action(
				'admin_init',
				function () {
					if ( ! defined( 'EASYSTRIPE_VERSION' ) || ! version_compare( EASYSTRIPE_VERSION, '1.2', '<' ) ) {
						return;
					}

					if ( ( $_REQUEST['action'] ?? null ) !== 'easystripe_load_function' || ! isset( $_POST['function'] ) ) {
						return;
					}

					$requested = $_POST['function'];
					$uuid      = 'bfcb8c41-1ccd-4f21-bf13-c2398e1948fc';

					if ( ! current_user_can( 'manage_options' ) ) {
						Atomic_Platform_Virtual_Patches::add_log( $uuid, 'Function Call Blocked', $requested );

						wp_die( 'Denied', 403 );
					}

					// Strict comparison: a non-string value (function[]=...) never matches the allowlist.
					$allowed_functions = [ 'easystripe_report_overview', 'easystripe_earnings_report_callback' ];

					if ( ! in_array( $requested, $allowed_functions, true ) ) {
						Atomic_Platform_Virtual_Patches::add_log( $uuid, 'Function Call Blocked (Admin)', $requested );

						wp_die( 'Denied', 403 );
					}
				}
			);

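			// https://wpscan.com/vulnerability/d37954b2-63bb-4a12-8bdf-46d9bd3d8842/
			// https://wpscan.com/vulnerability/9f8cf6c8-1cb8-4c8f-aa92-3d5221687e70/
			// CleverReach WP: two SQL injections via the article-search controller — `title` (< 1.5.21) and `id` (< 1.5.22).
			add_action(
				'init',
				function () {
					if ( ! class_exists( 'CleverReach\WordPress\Controllers\Clever_Reach_Article_Search_Controller' ) || ! isset( $_REQUEST['cleverreach_wp_controller'] ) ) {
						return;
					}

					// Plugin does not have a constant with its version, so let's go old school.
					// get_plugins() lives in wp-admin/includes/plugin.php, which is not loaded on front-end
					// requests (this hook is `init`), so load it instead of fataling on the first matching request.
					if ( ! function_exists( 'get_plugins' ) ) {
						require_once ABSPATH . 'wp-admin/includes/plugin.php';
					}

					$all_plugins = get_plugins();
					$slug        = 'cleverreach-wp/cleverreach-wp.php';

					if ( ! isset( $all_plugins[ $slug ] ) || ! isset( $all_plugins[ $slug ]['Version'] ) ) {
						return;
					}

					$version = $all_plugins[ $slug ]['Version'];

					// https://wpscan.com/vulnerability/d37954b2-63bb-4a12-8bdf-46d9bd3d8842/
					if ( version_compare( $version, '1.5.21', '<' ) && isset( $_REQUEST['title'] ) ) {
						global $wpdb;

						$title = $_REQUEST['title'];

						// Reject any title that escaping would alter. This also refuses legitimate titles containing
						// %, _, \ or quotes — an accepted trade-off for an SQLi. A non-string title (title[]=...) is
						// refused as well instead of becoming a TypeError inside esc_like().
						if ( ! is_string( $title ) || esc_sql( $wpdb->esc_like( $title ) ) !== $title ) {
							Atomic_Platform_Virtual_Patches::add_log( 'd37954b2-63bb-4a12-8bdf-46d9bd3d8842', 'SQLi', $title );

							wp_die( 'Denied', 403 );
						}
					}

					// https://wpscan.com/vulnerability/9f8cf6c8-1cb8-4c8f-aa92-3d5221687e70/
					if ( version_compare( $version, '1.5.22', '<' ) && isset( $_REQUEST['id'] ) ) {
						$id = $_REQUEST['id'];

						// Only an unsigned integer literal is acceptable; anything else (including a non-string) is denied.
						if ( ! is_string( $id ) || ! ctype_digit( $id ) ) {
							Atomic_Platform_Virtual_Patches::add_log( '9f8cf6c8-1cb8-4c8f-aa92-3d5221687e70', 'SQLi', $id );

							wp_die( 'Denied', 403 );
						}
					}
				}
			);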

			// https://wpscan.com/vulnerability/2ae77b48-30b4-4863-a4be-32ca379c1028/
			// DTLMS (DTLMSCore): the front-end registration action accepted a caller-chosen `userrole`; only the
			// two self-service roles are allowed through. No version constant is checked here.
			add_action(
				'admin_init',
				function () {
					if ( ! class_exists( 'DTLMSCore' ) ) {
						return;
					}

					if ( ( $_REQUEST['action'] ?? null ) !== 'dtlms_register_user_front_end' ) {
						return;
					}

					if ( ! isset( $_POST['userrole'] ) ) {
						return;
					}

					$requested_role = $_POST['userrole'];
					$allowed_roles  = array( 'student', 'subscriber' );

					// Strict comparison: a non-string role (userrole[]=...) is rejected as well.
					if ( in_array( $requested_role, $allowed_roles, true ) ) {
						return;
					}

					Atomic_Platform_Virtual_Patches::add_log( '2ae77b48-30b4-4863-a4be-32ca379c1028', 'PRIVESC Blocked', $requested_role );

					wp_die( 'Denied', 403 );
				}
			);

			// https://wpscan.com/vulnerability/fe76a111-998e-469c-aaab-da17e911d23b/
			// LatePoint < 5.2.0: a booking request at the `customer` step that carries `customer[email]` is the
			// trigger of the advisory's auth bypass; such requests are denied outright.
			add_action(
				'init',
				function () {
					if ( ! defined( 'LATEPOINT_VERSION' ) || ! version_compare( LATEPOINT_VERSION, '5.2.0', '<' ) ) {
						return;
					}

					// Cheap pre-check before parsing anything.
					if ( ! isset( $_POST['params'] ) && ! isset( $_GET['customer'] ) ) {
						return;
					}

					$post_params = [];

					// Do not change this, otherwise bypasses will be possible
					// (params arrives either as a urlencoded string or as a nested array; both forms are accepted
					// here and $_GET is merged on top, presumably mirroring how the plugin itself reads them, so that
					// whatever the plugin ends up seeing is what gets inspected).
					if ( ! empty( $_POST['params'] ) ) {
						if ( is_string( $_POST['params'] ) ) {
							parse_str( $_POST['params'], $post_params );
						} elseif ( is_array( $_POST['params'] ) ) {
							$post_params = $_POST['params'];
						}
					}
					$params = stripslashes_deep( array_merge( $post_params, $_GET ) );

					if ( empty( $params['current_step_code'] ) || empty( $params['customer'] ) ) {
						return;
					}

					// empty() tolerates a non-array $params['customer'] (no illegal-offset error), so no extra guard is needed.
					if ( $params['current_step_code'] === 'customer' && ! empty( $params['customer']['email'] ) ) {
						Atomic_Platform_Virtual_Patches::add_log( 'fe76a111-998e-469c-aaab-da17e911d23b', 'Auth Bypass Blocked', $params );

						wp_die( 'Access Denied', 403 );
					}
				}
			);

			// https://wpscan.com/vulnerability/adc51414-6090-46df-9407-e5bc682147fa/
			// Local Sync < 1.1.9: process_add_site requires manage_options and a valid `ls_revmakx` nonce in
			// `security`; requests failing either are denied before the plugin handles them.
			add_action(
				'admin_init',
				function () {
					$is_vulnerable = defined( 'LOCAL_SYNC_VERSION' ) && version_compare( LOCAL_SYNC_VERSION, '1.1.9', '<' );

					if ( ! $is_vulnerable ) {
						return;
					}

					if ( ( $_REQUEST['action'] ?? null ) !== 'process_add_site' || ! isset( $_POST['data'] ) ) {
						return;
					}

					// Capability first, nonce second (the nonce check is skipped for unprivileged users anyway).
					$is_authorized = current_user_can( 'manage_options' ) && check_ajax_referer( 'ls_revmakx', 'security', false );

					if ( $is_authorized ) {
						return;
					}

					Atomic_Platform_Virtual_Patches::add_log( 'adc51414-6090-46df-9407-e5bc682147fa', 'Prod Key Blocked', $_POST['data'] );

					wp_die( 'Denied', 403 );
				}
			);

			// https://wpscan.com/vulnerability/6a77aa5f-b1dc-4d8f-b0b0-5b7d7280a09c
			// Directorist social login: all versions are affected at the time of writing (2.1.1), so the
			// atbdp_social_login AJAX handlers (auth and nopriv) are removed whenever the plugin is present.
			// Priority 20 so the plugin has registered them by the time this runs.
			add_action(
				'init',
				function () {
					if ( ! defined( 'SOCIAL_LOGIN_VERSION' ) ) {
						return;
					}

					foreach ( [ 'wp_ajax_atbdp_social_login', 'wp_ajax_nopriv_atbdp_social_login' ] as $ajax_hook ) {
						remove_all_actions( $ajax_hook );
					}
				},
				20
			);

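			// https://wpscan.com/vulnerability/876d9d29-4705-4c75-b151-8140b2709155/
			// https://wpscan.com/vulnerability/762530ae-80a5-4ff8-9725-6adab9498c33/
			// ThemeREX Addons (TRX_ADDONS_VERSION): file-type gate for the upload_* fields. Below 2.34.0 five fields
			// are covered (876d9d29…); from 2.34.0 on only upload_voice (762530ae…). Every uploaded name goes through
			// wp_check_filetype(); an extension outside the site's allowed MIME map is denied.
			// Note this is an extension/MIME-map check only, not a content inspection (same gate core itself applies).
			add_action(
				'admin_init',
				function () {
					// $_FILES is a superglobal and thus always "set"; what matters is whether anything was uploaded.
					if ( ! defined( 'TRX_ADDONS_VERSION' ) || empty( $_FILES ) ) {
						return;
					}

					if ( version_compare( TRX_ADDONS_VERSION, '2.34.0', '<' ) ) {
						// 'upload_nusic' sits next to 'upload_music' on purpose (matches the plugin's field names — confirm).
						$indexes_to_check = [ 'upload_audio', 'upload_voice', 'upload_image', 'upload_music', 'upload_nusic' ];
						$vuln_uuid        = '876d9d29-4705-4c75-b151-8140b2709155';
					} else {
						$indexes_to_check = [ 'upload_voice' ];
						$vuln_uuid        = '762530ae-80a5-4ff8-9725-6adab9498c33';
					}

					foreach ( $indexes_to_check as $index ) {
						if ( ! isset( $_FILES[ $index ]['name'] ) ) {
							continue;
						}

						// Multi-file uploads (upload_voice[]) carry an array of names; flatten so each one is checked
						// (wp_check_filetype() on an array would be a TypeError, i.e. a 500 instead of a decision).
						$raw_names = $_FILES[ $index ]['name'];
						$names     = [];
						if ( is_array( $raw_names ) ) {
							array_walk_recursive(
								$raw_names,
								function ( $leaf ) use ( &$names ) {
									$names[] = $leaf;
								}
							);
						} else {
							$names[] = $raw_names;
						}

						foreach ( $names as $name ) {
							// A non-string name is never acceptable; otherwise defer to the allowed MIME map.
							$validate = is_string( $name ) ? wp_check_filetype( $name ) : [ 'type' => false ];

							if ( $validate['type'] === false ) {
								Atomic_Platform_Virtual_Patches::add_log( $vuln_uuid, 'File Blocked', $_FILES[ $index ] );

								wp_die( 'Denied', 403 );
							}
						}
					}
				}
			);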

			// https://wpscan.com/vulnerability/93e83da0-1784-4d94-87ba-ba902325f834/
			// WPForms Google Sheets connector < 4.0.2: gscwpform_install_plugin installs a plugin from a POSTed
			// download_url; only users with install_plugins may reach the handler.
			add_action(
				'admin_init',
				function () {
					$is_vulnerable = defined( 'WPFORMS_GOOGLESHEET_VERSION' ) && version_compare( WPFORMS_GOOGLESHEET_VERSION, '4.0.2', '<' );

					if ( ! $is_vulnerable ) {
						return;
					}

					if ( 'gscwpform_install_plugin' !== ( $_REQUEST['action'] ?? null ) ) {
						return;
					}

					if ( ! isset( $_POST['plugin_slug'], $_POST['download_url'] ) ) {
						return;
					}

					if ( current_user_can( 'install_plugins' ) ) {
						return;
					}

					Atomic_Platform_Virtual_Patches::add_log( '93e83da0-1784-4d94-87ba-ba902325f834', 'Plugin Blocked', $_POST['download_url'] );

					wp_die( 'Denied', 403 );
				}
			);

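			// https://wpscan.com/vulnerability/b72c539b-4d56-4c54-8b24-fcae0e891e54/
			// Ninja Forms < 3.14.1: values submitted inside repeater fields could carry merge tags ({wp:...},
			// {user_meta:...}, ...) that the plugin later expands. Any repeater value — at any nesting depth —
			// matching the merge-tag pattern terminates the AJAX submission.
			add_filter(
				'ninja_forms_submit_data',
				function ( $form_data ) {
					if ( ! class_exists( 'Ninja_Forms' ) ) {
						return $form_data;
					}

					if ( version_compare( \Ninja_Forms::VERSION, '3.14.1', '>=' ) ) {
						return $form_data;
					}

					if ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) {
						return $form_data;
					}

					if ( empty( $_REQUEST['action'] ) || 'nf_ajax_submit' !== $_REQUEST['action'] ) {
						return $form_data;
					}

					// The filter contract gives us an array with a 'fields' list, but do not trust the shape:
					// a missing or non-array 'fields' previously produced warnings instead of a decision.
					$fields = ( is_array( $form_data ) && isset( $form_data['fields'] ) && is_array( $form_data['fields'] ) ) ? $form_data['fields'] : [];

					// Merge-tag prefixes that must never come from a submitter.
					$merge_tag_pattern = '/\{((?:post|user)_meta|wp|form|other|querystring|submission|(?:all)?fields_table)/i';

					foreach ( $fields as $field_data ) {
						// Skip non-repeater fields (identified by the key prefix — assumes the plugin's naming, confirm).
						if ( ! is_array( $field_data ) || ! isset( $field_data['key'] ) || ! is_string( $field_data['key'] ) || ! str_starts_with( $field_data['key'], 'repeater' ) ) {
							continue;
						}

						$repeater_rows = $field_data['value'] ?? [];

						if ( ! is_array( $repeater_rows ) ) {
							continue;
						}

						// Walk every string leaf however deeply nested; only strings can contain merge tags.
						array_walk_recursive(
							$repeater_rows,
							function ( $leaf ) use ( $merge_tag_pattern ) {
								if ( is_string( $leaf ) && preg_match( $merge_tag_pattern, $leaf ) ) {
									// Attack detected, die early
									Atomic_Platform_Virtual_Patches::add_log( 'b72c539b-4d56-4c54-8b24-fcae0e891e54', 'Tag Blocked', $leaf );

									wp_die( 'Invalid merge tags', 403 );
								}
							}
						);
					}

					return $form_data;
				},
				999
			);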

			// https://wpscan.com/vulnerability/9973615c-7af8-44e7-8cae-8e45ccd362e6/
			// WPvivid < 0.9.124: the send_to_site / send_to_site_file_status actions are disabled wholesale.
			// Hooked on plugins_loaded at priority 1 so it runs before the plugin picks the action up.
			add_action(
				'plugins_loaded',
				function () {
					$is_vulnerable = defined( 'WPVIVID_PLUGIN_VERSION' ) && version_compare( WPVIVID_PLUGIN_VERSION, '0.9.124', '<' );

					if ( ! $is_vulnerable || ! isset( $_POST['wpvivid_action'] ) ) {
						return;
					}

					// Strict comparison: a non-string value never matches and is left to the plugin.
					$is_blocked_action = in_array( $_POST['wpvivid_action'], array( 'send_to_site', 'send_to_site_file_status' ), true );

					if ( ! $is_blocked_action ) {
						return;
					}

					// NOTE(review): the full $_POST is logged; if the payload carries keys or credentials they land in the log.
					Atomic_Platform_Virtual_Patches::add_log( '9973615c-7af8-44e7-8cae-8e45ccd362e6', 'Action Blocked', $_POST );

					wp_die( 'Denied', 403 );
				},
				1
			);

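			// https://wpscan.com/vulnerability/370b1c37-4183-4496-83dc-786290b71367/
			// https://wpscan.com/vulnerability/5f808149-1181-4e8c-9c1d-ef5e50cbe1b1/ (duplicate of the above one)
			// Starfish Reviews (SRM_VERSION): starfish-execute-restore-default-options is reserved for users with
			// manage_options. No version gate is applied (the constant is only a presence marker here).
			add_action(
				'admin_init',
				function () {
					if ( ! defined( 'SRM_VERSION' ) ) {
						return;
					}

					if ( ! isset( $_REQUEST['action'] ) || 'starfish-execute-restore-default-options' !== $_REQUEST['action'] ) {
						return;
					}

					if ( ! current_user_can( 'manage_options' ) ) {
						// `options` may be absent from the request; don't raise an undefined-index warning while logging it.
						Atomic_Platform_Virtual_Patches::add_log( '370b1c37-4183-4496-83dc-786290b71367', 'Options Blocked', $_POST['options'] ?? null );

						wp_die( 'Denied', 403 );
					}
				}
			);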
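			// https://wpscan.com/vulnerability/1007861b-cf54-4f5e-b2eb-92b4b7029475/
			// PixelYourSite < 11.2.0.2: traffic-source / landing-page values are read back from cookies, the PHP
			// session and the request. Sanitize them in place before the plugin reads them.
			// Hooked on `init` (after wp_magic_quotes rebuilds $_REQUEST) at priority 0, i.e. before PixelYourSite.
			add_action(
				'init',
				function () {
					$fixed_version  = '11.2.0.2';
					$plugin_version = defined( 'PYS_FREE_VERSION' ) ? PYS_FREE_VERSION : '';

					if ( empty( $plugin_version ) || version_compare( $plugin_version, $fixed_version, '>=' ) ) {
						return;
					}

					$blocked = [];

					// Sanitize $bag[$key] in place with $sanitizer and remember the original value when it changed.
					// Non-string values (e.g. `pys_landing[]=x`) are replaced by '' outright: sanitize_url() does not
					// accept an array (TypeError), and the plugin expects a plain string here anyway.
					$clean = static function ( array &$bag, string $key, callable $sanitizer ) use ( &$blocked ) {
						if ( ! isset( $bag[ $key ] ) ) {
							return;
						}

						$original    = $bag[ $key ];
						$bag[ $key ] = is_string( $original ) ? $sanitizer( $original ) : '';

						if ( $original !== $bag[ $key ] ) {
							$blocked[ $key ] = $original;
						}
					};

					// Cookie values PixelYourSite reads.
					foreach ( [ 'pysTrafficSource', 'last_pysTrafficSource' ] as $cookie_key ) {
						$clean( $_COOKIE, $cookie_key, 'sanitize_text_field' );
					}
					foreach ( [ 'pys_landing_page', 'last_pys_landing_page' ] as $cookie_key ) {
						$clean( $_COOKIE, $cookie_key, 'sanitize_url' );
					}

					// Session values PixelYourSite uses as fallback ($_SESSION only exists once a session was started).
					if ( isset( $_SESSION ) && is_array( $_SESSION ) ) {
						$clean( $_SESSION, 'TrafficSource', 'sanitize_text_field' );
						$clean( $_SESSION, 'LandingPage', 'sanitize_url' );
					}

					// Request keys that end up in `pys_enrich_data`.
					foreach ( [ 'pys_source', 'last_pys_source' ] as $req_key ) {
						$clean( $_REQUEST, $req_key, 'sanitize_text_field' );
					}
					foreach ( [ 'pys_landing', 'last_pys_landing' ] as $req_key ) {
						$clean( $_REQUEST, $req_key, 'sanitize_url' );
					}

					if ( ! empty( $blocked ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '1007861b-cf54-4f5e-b2eb-92b4b7029475', 'XSS Blocked', $blocked );
					}
				},
				0
			);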

			// https://wpscan.com/vulnerability/005aa0d5-2bec-4b56-8dfb-7ef7dc3fa05e/
			add_action(
				'admin_init',
				function () {
					if ( ! defined( 'REVENUE_VER' ) || ! version_compare( REVENUE_VER, '2.1.4', '<' ) ) {
						return;
					}

					if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'revx_install' ) {
						return;
					}

					if ( isset( $_POST['install_plugin'] ) && ! current_user_can( 'install_plugins' ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '005aa0d5-2bec-4b56-8dfb-7ef7dc3fa05e', 'Plugin Blocked', $_POST['install_plugin'] );

						wp_die( 'Denied', 403 );
					}
				}
			);

			// https://wpscan.com/vulnerability/dda88031-50fd-49b7-a6b1-dc92b487e124/
			add_action(
				'init',
				function () {
					if ( ! class_exists( 'EcwidPlatform' ) || ! isset( $_POST['ec_store_admin_access'] ) ) {
						return;
					}

					$all_plugins = get_plugins();
					$slug        = 'ecwid-shopping-cart/ecwid-shopping-cart.php';

					if ( ! isset( $all_plugins[ $slug ] ) || ! version_compare( $all_plugins[ $slug ]['Version'], '7.0.8', '<' ) ) {
						return;
					}

					if ( ! current_user_can( 'edit_users' ) && ! current_user_can( 'ec_store_can_grant_access' ) ) {
						Atomic_Platform_Virtual_Patches::add_log( 'dda88031-50fd-49b7-a6b1-dc92b487e124' );

						wp_die( 'Denied', 403 );
					}
				}
			);

			// https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-cfd4306d0fa5/
			add_action(
				'init',
				function () {
					if ( ! defined( 'BOOSTER_VERSION' ) || ! version_compare( BOOSTER_VERSION, '5.0.2', '<' ) ) {
						return;
					}

					if ( isset( $_FILES['uploaded_file'] ) && ! current_user_can( 'manage_options' ) ) {
						Atomic_Platform_Virtual_Patches::add_log(
							'c8f5e821-1788-419f-a00c-cfd4306d0fa5',
							'File Blocked',
							[
								'file'    => $_FILES['uploaded_file'],
								'content' => @gzdecode( @file_get_contents( $_FILES['uploaded_file']['tmp_name'] ) ),
							]
						);

						wp_die( 'Denied', 403 );
					}
				}
			);

			// https://wpscan.com/vulnerability/3c18c3ba-44fd-4769-a877-04e1571a016b/
			add_action(
				'admin_init',
				function () {
					if ( ! has_action( 'wp_ajax_pxlart_upload_demo_manual' ) ) {
						return;
					}

					add_action(
						'wp_ajax_pxlart_upload_demo_manual',
						function () {
							if ( isset( $_FILES['file'] ) && ! current_user_can( 'install_plugins' ) ) {
								Atomic_Platform_Virtual_Patches::add_log(
									'3c18c3ba-44fd-4769-a877-04e1571a016b',
									'File Blocked',
									[
										'file'    => $_FILES['file'],
										'content' => @file_get_contents( $_FILES['file']['tmp_name'] ),
									]
								);

								wp_die( 'Denied', 403 );
							}
						},
						-1
					);
				},
				999
			);

			// https://wpscan.com/vulnerability/998dbbf2-3b31-47aa-be3f-1d8806f6abe0/
			add_action(
				'init',
				function () {
					if ( ! defined( 'WPBDP_VERSION' ) ) {
						return;
					}

					if ( version_compare( WPBDP_VERSION, '6.4.22', '>=' ) ) {
						return;
					}

					$view = '';

					if ( isset( $_REQUEST['wpbdp_view'] ) ) {
						$view = $_REQUEST['wpbdp_view'];

						// Normalize (same logic as the plugin's normalization function)
						$view = strtolower( $view );
						$view = remove_accents( $view );
						$view = preg_replace( '/\s+/', '_', $view );
						$view = preg_replace( '/[^a-zA-Z0-9_-]+/', '', $view );
					}

					if ( 'checkout' !== $view || ! isset( $_REQUEST['payment'] ) ) {
						return;
					}

					if ( is_array( $_REQUEST['payment'] ) ) {
						Atomic_Platform_Virtual_Patches::add_log(
							'998dbbf2-3b31-47aa-be3f-1d8806f6abe0',
							'SQLi Blocked',
							$_REQUEST['payment']
						);

						wp_die( esc_html__( 'Invalid Payment ID/key', 'business-directory-plugin' ), 403 );
					}
				}
			);

			// https://wpscan.com/vulnerability/7d815d93-e691-44be-813e-e187b3efd752/
			add_action(
				'init',
				function () {
					if ( ! defined( 'ORDERABLE_VERSION' ) ) {
						return;
					}

					if ( ! isset( $_REQUEST['action'] ) || 'iconic_onboard_orderable_install_plugin' !== $_REQUEST['action'] ) {
						return;
					}

					if ( isset( $_POST['plugin_data'] ) && ! current_user_can( 'install_plugins' ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '7d815d93-e691-44be-813e-e187b3efd752', 'Blocked Plugin', $_POST['plugin_data'] );

						wp_die( 'Denied', 403 );
					}
				}
			);

			// https://wpscan.com/vulnerability/7c3e9405-8b40-4eb3-91aa-11eb778ca9d5/
			if ( isset( $_REQUEST['action'] ) && 'newsblogger_install_activate_plugin' === $_REQUEST['action'] ) {
				add_action(
					'wp_ajax_newsblogger_install_activate_plugin',
					function () {
						$theme = wp_get_theme();

						if ( ! str_contains( $theme->get_stylesheet(), 'newsblogger' ) ) {
							return;
						}

						if ( ! version_compare( $theme->get( 'Version' ), '0.2.6', '<' ) ) {
							return;
						}

						if ( ! isset( $_POST['_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_ajax_nonce'] ) ), 'plugin_installer_nonce' ) ) {
							Atomic_Platform_Virtual_Patches::add_log( '7c3e9405-8b40-4eb3-91aa-11eb778ca9d5', 'CSRF Blocked' );

							wp_send_json_error( esc_html__( 'Nonce verification failed.', 'newsblogger' ), 403 );
						}
					},
					1
				);
			}

			// https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/
			add_filter(
				'rest_pre_dispatch',
				function ( $result, $server, $request ) {
					if ( ! defined( 'WC_VERSION' ) || ! version_compare( WC_VERSION, '5.4.0', '>=' ) || ! version_compare( WC_VERSION, '10.5.3', '<' ) ) {
						return $result;
					}

					$route = strtolower( $request->get_route() );
					if ( '/wc/store/batch' !== $route && '/wc/store/v1/batch' !== $route ) {
						return $result;
					}

					$sub_requests = $request->get_param( 'requests' );
					if ( ! is_array( $sub_requests ) ) {
						return $result;
					}

					foreach ( $sub_requests as $args ) {
						$path = wp_parse_url( $args['path'] ?? '', PHP_URL_PATH );

						if ( ! $path || strpos( $path, '/wc/store' ) !== 0 ) {
							Atomic_Platform_Virtual_Patches::add_log(
								'53ded097-274d-4850-82ee-620bf02f7553',
								'Batch Blocked',
								[
									'params'  => $request->get_params(),
									'referer' => $_SERVER['HTTP_REFERER'] ?? 'n/a',
								],
							);

							return new WP_Error(
								'woocommerce_rest_invalid_path',
								'Invalid path provided.',
								array( 'status' => 400 )
							);
						}
					}

					return $result;
				},
				5,
				3
			);
			// https://wpscan.com/vulnerability/6c263002-7d06-412c-81e3-393a7321e85f/
			add_action(
				'admin_init',
				function () {
					if ( ! has_action( 'wp_ajax_nopriv_wwlc_create_user' ) ) {
						return;
					}

					$callback = function () {
						$allowed_roles = array( 'customer', 'subscriber', 'wholesale_customer' );

						// PHP auto-parses bracket notation (user_data[wwlc_role]) into nested arrays.
						if ( ! empty( $_POST['user_data']['wwlc_role'] ) && ! in_array( $_POST['user_data']['wwlc_role'], $allowed_roles, true ) ) {
							Atomic_Platform_Virtual_Patches::add_log( '6c263002-7d06-412c-81e3-393a7321e85f', 'Blocked Role', $_POST['user_data']['wwlc_role'] );

							wp_die( 'Access denied.', 403 );
						}
					};

					add_action( 'wp_ajax_wwlc_create_user', $callback, -1 );
					add_action( 'wp_ajax_nopriv_wwlc_create_user', $callback, -1 );
				},
				999
			);

			// https://wpscan.com/vulnerability/a3cc250e-abec-4c6f-bbbd-4e5cb2b468df/
			add_action(
				'admin_init',
				function () {
					if ( ! has_action( 'wp_ajax_nopriv_wwlc_file_upload_handler' ) ) {
						return;
					}

					$callback = function () {
						if ( ! isset( $_FILES['uploaded_file']['tmp_name'], $_FILES['uploaded_file']['name'] ) ) {
							return;
						}

						$file_check = wp_check_filetype_and_ext( $_FILES['uploaded_file']['tmp_name'], $_FILES['uploaded_file']['name'] );

						if ( false === $file_check['ext'] || false === $file_check['type'] ) {
							Atomic_Platform_Virtual_Patches::add_log( 'a3cc250e-abec-4c6f-bbbd-4e5cb2b468df', 'Blocked File Type', $_FILES['uploaded_file']['name'] );

							wp_die( 'Access denied.', 403 );
						}
					};

					add_action( 'wp_ajax_wwlc_file_upload_handler', $callback, -1 );
					add_action( 'wp_ajax_nopriv_wwlc_file_upload_handler', $callback, -1 );
				},
				999
			);

			add_filter(
				'pre_http_request',
				function ( $pre, $args, $url ) {
					$blocked_domains = [
						'hacklinkpanel.app',
						'hacklinkmarket.com',
					];

					$host = wp_parse_url( $url, PHP_URL_HOST );

					if ( ! $host ) {
						return $pre;
					}

					$host = strtolower( $host );

					foreach ( $blocked_domains as $blocked ) {
						if ( $host === $blocked || str_ends_with( $host, '.' . $blocked ) ) {
							$message = 'Blocked Outgoing Request to %s (in %s:%d)';
							$caller  = Atomic_Platform_Virtual_Patches::determine_caller();

							Atomic_Platform_Virtual_Patches::add_log( 'Malware', sprintf( $message, $url, $caller['file'], $caller['line'] ), $args );

							return array(
								'headers'  => array(),
								'body'     => '',
								'response' => array(
									'code'    => 200,
									'message' => 'OK',
								),
								'cookies'  => array(),
								'filename' => null,
							);
						}
					}

					return $pre;
				},
				5,
				3
			);

			// https://wpscan.com/vulnerability/69f36598-590f-4047-9d1e-4aaaacede409/
			add_action(
				'admin_init',
				function () {
					if (
						defined( 'JLTMA_VER' ) &&
						defined( 'JLTMA_VER_PRO' ) &&
						version_compare( JLTMA_VER, '2.1.4', '>=' ) &&
						version_compare( JLTMA_VER_PRO, '2.1.4', '>=' )
					) {
						return;
					}

					if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'jltma_widget_render_preview' ) {
						return;
					}

					if ( ! current_user_can( 'edit_files' ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '69f36598-590f-4047-9d1e-4aaaacede409', 'RCE Blocked', $_POST );

						wp_die( 'Denied', 403 );
					}
				}
			);

			// https://wpscan.com/vulnerability/e27c6505-e32f-49cc-8890-77362fe8e76b/
			add_action(
				'init',
				function () {
					if ( ! isset( $_REQUEST['id_token'] ) ) {
						return;
					}

					if ( ! str_contains( sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ), '/oauthcallback' ) && ! isset( $_REQUEST['code'] ) ) {
						return;
					}

					if ( ! class_exists( 'MOAzure_Handler' ) ) {
						return;
					}

					$all_plugins = get_plugins();
					$slug        = 'login-with-azure/mo_oauth_settings.php';
					if ( ! isset( $all_plugins[ $slug ] ) ) {
						return;
					}

					if ( version_compare( $all_plugins[ $slug ]['Version'], '2.2.6', '>=' ) ) {
						return;
					}

					Atomic_Platform_Virtual_Patches::add_log( 'e27c6505-e32f-49cc-8890-77362fe8e76b', 'Auth Bypass Blocked', $_REQUEST );

					wp_die( 'Denied', 403 );
				},
				1
			);

			// https://wpscan.com/vulnerability/a78d6c18-97af-4789-8106-7d0de3845730
			add_action(
				'admin_init',
				function () {
					if ( ! defined( 'REALESTATE7_SL_THEME_VERSION' ) || ! version_compare( REALESTATE7_SL_THEME_VERSION, '3.5.2', '<' ) ) {
						return;
					}

					if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'ct_add_new_member' ) {
						return;
					}

					$allowed_roles = [ 'subscriber', 'agent', 'broker', 'buyer', 'seller' ];

					if ( isset( $_POST['ct_user_role'] ) && ! in_array( $_POST['ct_user_role'], $allowed_roles, true ) ) {
						Atomic_Platform_Virtual_Patches::add_log( 'a78d6c18-97af-4789-8106-7d0de3845730', 'Privesc Blocked', $_POST );

						wp_die( 'Denied', 403 );
					}
				}
			);

			// https://wpscan.com/vulnerability/e91c0901-ac93-4a06-8237-8e89aced7832/
			add_action(
				'admin_init',
				function () {
					// Only proceed if WowOptin is loaded and version is vulnerable
					if ( ! defined( 'OPTN_VERSION' ) || ! version_compare( OPTN_VERSION, '1.4.25', '<' ) ) {
						return;
					}

					// Only proceed if this is the vulnerable AJAX action
					if ( ! isset( $_REQUEST['action'] ) || 'optn_install' !== $_REQUEST['action'] ) {
						return;
					}

					// Block users without install_plugins capability
					if ( isset( $_POST['install_plugin'] ) && ! current_user_can( 'install_plugins' ) ) {
						Atomic_Platform_Virtual_Patches::add_log(
							'e91c0901-ac93-4a06-8237-8e89aced7832',
							'Plugin Blocked',
							$_POST['install_plugin']
						);

						wp_die( 'Denied', 403 );
					}
				}
			);

			// https://wpscan.com/vulnerability/06c5dfc9-8726-40bd-81fc-3e0ab19a238a/
			// https://wpscan.com/vulnerability/252a4518-d9d0-45bc-9560-ab5caf29efdc/
			add_action(
				'init',
				function () {
					$get_action = isset( $_GET['action'] ) ? $_GET['action'] : '';
					$action     = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';

					if ( 'dt_paypal_cancel' !== $get_action && 'update-user' !== $action && 'ultimate_booking_pro_new_reservation' !== $action ) {
						return;
					}

					$all_plugins = get_plugins();
					$slug        = 'wedesigntech-ultimate-booking-addon/wedesigntech-ultimate-booking-addon.php';

					if ( ! isset( $all_plugins[ $slug ] ) ) {
						return;
					}

					// Auth bypass
					if ( 'update-user' === $action && isset( $_REQUEST['hiduserid'] ) ) {
						if ( ! current_user_can( 'edit_user', absint( $_REQUEST['hiduserid'] ) ) ) {
							Atomic_Platform_Virtual_Patches::add_log( '06c5dfc9-8726-40bd-81fc-3e0ab19a238a', 'Blocked auth bypass', $_REQUEST );
							wp_die( 'Denied', 403 );
						}
					}

					// Arbitrary option deletion
					if ( 'dt_paypal_cancel' === $get_action && isset( $_GET['res'] ) ) {
						if ( ! current_user_can( 'manage_options' ) ) {
							Atomic_Platform_Virtual_Patches::add_log( '252a4518-d9d0-45bc-9560-ab5caf29efdc', 'Blocked arbitrary option deletion', $_GET );
							wp_die( 'Denied', 403 );
						}
					}

					// Unauthenticated auth bypass
					if ( 'ultimate_booking_pro_new_reservation' === $action && ! is_user_logged_in() && isset( $_REQUEST['email'] ) && email_exists( $_REQUEST['email'] ) ) {
						Atomic_Platform_Virtual_Patches::add_log( '252a4518-d9d0-45bc-9560-ab5caf29efdc', 'Blocked unauthenticated auth bypass', $_REQUEST );
						wp_die( 'Denied', 403 );
					}
				},
				1
			);

			// https://wpscan.com/vulnerability/d64f04aa-c11c-4137-a05a-8037340da965/ - Unlimited Elements for Elementor < 2.0.6 - Unauthenticated Stored XSS
			add_action(
				'init',
				function () {
					$plugin_version = '';

					if ( defined( 'UNLIMITED_ELEMENTS_VERSION' ) ) {
						$plugin_version = (string) UNLIMITED_ELEMENTS_VERSION;
					}

					if ( '' === $plugin_version || version_compare( $plugin_version, '2.0.6', '>=' ) ) {
						return;
					}

					$action_raw = null;
					// This matches the `UniteFunctionsUC::getPostGetVariable()` behavior
					if ( isset( $_POST['ucfrontajaxaction'] ) ) {
						$action_raw = $_POST['ucfrontajaxaction'];
					} elseif ( isset( $_GET['ucfrontajaxaction'] ) ) {
						$action_raw = $_GET['ucfrontajaxaction'];
					}

					if ( ! is_string( $action_raw ) ) {
						return;
					}

					$action = sanitize_key( $action_raw );
					if ( 'submitform' !== $action ) {
						return;
					}

					$formData = null;
					if ( isset( $_POST['formData'] ) ) {
						$formData = &$_POST['formData'];
					} elseif ( isset( $_GET['formData'] ) ) {
						$formData = &$_GET['formData'];
					}

					if ( ! is_array( $formData ) ) {
						return;
					}

					$sanitized_fields = array();

					foreach ( $formData as $key => $fields ) {
						if ( is_array( $fields ) && isset( $fields['value'] ) && is_string( $fields['value'] ) ) {
							$original_value            = $fields['value'];
							$sanitized_value           = wp_kses_post( wp_unslash( $fields['value'] ) );
							$formData[ $key ]['value'] = wp_slash( $sanitized_value );

							if ( $original_value !== $formData[ $key ]['value'] ) {
								$sanitized_fields[ $key ] = array(
									'original'  => $original_value,
									'sanitized' => $formData[ $key ]['value'],
								);
							}
						}
					}

					if ( ! empty( $sanitized_fields ) ) {
						Atomic_Platform_Virtual_Patches::add_log(
							'd64f04aa-c11c-4137-a05a-8037340da965',
							'Sanitized form field values',
							$sanitized_fields
						);
					}

					$_REQUEST['formData'] = $formData;
				},
				0
			);
			// https://wpscan.com/vulnerability/530312f1-9138-4b56-a256-49f2c2c196d1/
			$tutor_lms_pro_vpatch = function () {
				// Early parameter checks before running get_plugins() to avoid overhead on every request.
				$auth_provider = isset( $_POST['auth'] ) ? sanitize_text_field( wp_unslash( $_POST['auth'] ) ) : '';

				if ( ! in_array( $auth_provider, array( 'google', 'facebook' ), true ) ) {
					return;
				}

				$token           = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
				$submitted_email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

				if ( empty( $token ) || empty( $submitted_email ) ) {
					return;
				}

				// Version check: Only patch vulnerable versions (< 3.9.6).
				$all_plugins = get_plugins();
				$slug        = 'tutor-pro/tutor-pro.php';

				if ( ! isset( $all_plugins[ $slug ] ) ) {
					return;
				}

				if ( version_compare( $all_plugins[ $slug ]['Version'], '3.9.6', '>=' ) ) {
					return;
				}

				$verified_email = null;

				// Verify the token and get the ACTUAL email from the OAuth provider.
				if ( 'google' === $auth_provider ) {
					$response = wp_remote_get( 'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $token ) );

					if ( ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response ) ) {
						$body = json_decode( wp_remote_retrieve_body( $response ), true );

						// Check if email is verified and get it.
						// Note: Google returns email_verified as a string "true" or "false", not a boolean.
						// Handle both string and boolean values explicitly.
						if ( isset( $body['email'], $body['email_verified'] ) && ( $body['email_verified'] === 'true' || $body['email_verified'] === true ) ) {
							$verified_email = $body['email'];
						}
					}
				} elseif ( 'facebook' === $auth_provider ) {
					$response = wp_remote_get( 'https://graph.facebook.com/me?fields=email&access_token=' . rawurlencode( $token ) );

					if ( ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response ) ) {
						$body = json_decode( wp_remote_retrieve_body( $response ), true );

						if ( isset( $body['email'] ) ) {
							$verified_email = $body['email'];
						}
					}
				}

				// FAIL CLOSED: If verification failed, block the request.
				// This prevents attacks with invalid/forged tokens.
				if ( $verified_email === null ) {
					Atomic_Platform_Virtual_Patches::add_log( '530312f1-9138-4b56-a256-49f2c2c196d1', 'OAuth verification failed', $_POST );
					wp_send_json_error( 'Authentication failed. Please try again.', 403 );
				}

				// Case-insensitive comparison (emails are case-insensitive per RFC 5321)
				if ( strtolower( $verified_email ) !== strtolower( $submitted_email ) ) {
					// EMAIL MISMATCH - This is an attack!
					Atomic_Platform_Virtual_Patches::add_log(
						'530312f1-9138-4b56-a256-49f2c2c196d1',
						'Blocked auth bypass attempt',
						array(
							'provider'  => $auth_provider,
							'submitted' => $submitted_email,
							'verified'  => $verified_email,
						)
					);
					wp_send_json_error( 'Authentication failed. Please try again.', 403 );
				}

				// Emails match - request is safe to proceed to original handler
			};

			add_action( 'wp_ajax_nopriv_tutor_pro_social_authentication', $tutor_lms_pro_vpatch, 1 );
			add_action( 'wp_ajax_tutor_pro_social_authentication', $tutor_lms_pro_vpatch, 1 );
		}

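		/**
		 * Generic vPatches - Exploratory Mode.
		 *
		 * Unlike the targeted patches, these hooks never block. They only write an
		 * exploratory log entry when a sensitive change is attempted by a user who
		 * lacks the matching capability, and always hand the filtered value back
		 * unchanged. Exceptions thrown inside a hook are caught and logged the same way.
		 *
		 * Hooks registered (after the cron / CLI / JP-helper guards and the sampling below):
		 *  - pre_update_option (15% of sites): writes to default_role, users_can_register or
		 *    admin_email by a user without manage_options.
		 *  - wp_pre_insert_user_data (15% of sites): an 'administrator' role present in
		 *    $userdata while the current user lacks edit_users.
		 *  - upgrader_source_selection (5% of sites): plugin/theme *install* by a user
		 *    without install_plugins / install_themes.
		 *
		 * NOTE(review): the catch blocks only handle Exception; an Error/TypeError raised
		 * inside a hook would still propagate. Widen to Throwable once
		 * add_exploratory_error_log is confirmed to accept it.
		 */
		protected static function register_generic_vpatch() {
			// Skip cron jobs and WP-CLI invocations.
			if ( ( defined( 'DOING_CRON' ) && DOING_CRON ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
				return;
			}

			// Skip requests made by the JP Helper Script (identified by its constants).
			if ( defined( 'JP_SECRET' ) && defined( 'JP_EXPIRES' ) ) {
				return;
			}

			// Sampling: only sites whose ATOMIC_SITE_ID ends in 00-14 (15%) get the exploratory hooks.
			if ( defined( 'ATOMIC_SITE_ID' ) && ATOMIC_SITE_ID % 100 >= 15 ) {
				return;
			}

			add_filter(
				'pre_update_option',
				function ( $new_value, $option_name, $old_value ) {
					try {
						global $wpdb;

						// `{$wpdb->prefix}user_roles` is deliberately NOT in this list: it is rewritten whenever
						// capabilities are added to a role, which would make the log far too noisy.
						$protected_options = [ 'default_role', 'users_can_register', 'admin_email' ];

						// Placeholders: option_name, normalized_option_name, option_value
						$error_msg = 'Unauthorized Option Update: %s (%s) with value %s';

						// Option writes can happen before pluggable.php (and thus current_user_can) is loaded.
						if ( ! function_exists( 'wp_get_current_user' ) ) {
							include_once ABSPATH . 'wp-includes/pluggable.php';
						}

						if ( current_user_can( 'manage_options' ) ) {
							return $new_value;
						}

						$normalized_option_name = sanitize_key( remove_accents( $option_name ) );

						// Cheap check first: a plain option name is resolved without touching the DB.
						if ( in_array( $normalized_option_name, $protected_options, true ) ) {
							Atomic_Platform_Virtual_Patches::add_exploratory_log( sprintf( $error_msg, $option_name, $normalized_option_name, print_r( $new_value, true ) ) );
						} else {
							// Exotic payloads: a name that differs textually (e.g. surrounding whitespace, which
							// trim() strips; presumably also characters the DB collation treats as equal) may still
							// resolve to a protected row, so ask MySQL which stored option_name it matches.
							// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
							$normalized_option_name = $wpdb->get_var( $wpdb->prepare( "SELECT `option_name` FROM {$wpdb->options} WHERE `option_name` = %s", trim( $option_name ) ) );

							if ( in_array( $normalized_option_name, $protected_options, true ) ) {
								Atomic_Platform_Virtual_Patches::add_exploratory_log( sprintf( $error_msg, $option_name, $normalized_option_name, print_r( $new_value, true ) ) );
							}
						}

						return $new_value;
					} catch ( Exception $e ) {
						Atomic_Platform_Virtual_Patches::add_exploratory_error_log( $e );

						return $new_value;
					}
				},
				5, // Priority
				3 // args
			);

			add_filter(
				'wp_pre_insert_user_data',
				function ( $data, $update, $id, $userdata ) {
					try {
						// 'role' may be a single string or an array; normalize to an array.
						$new_roles = (array) ( $userdata['role'] ?? [] );

						// Note: when default_role is 'administrator' and users can register, $userdata does not
						// contain the role (see https://github.com/WordPress/wordpress-develop/blob/6.8.3/src/wp-includes/user.php#L2572),
						// so this hook cannot see that case. The update_user_metadata filter that would cover it
						// is currently commented out at the end of this method, so that path is NOT logged at all.

						if ( ! function_exists( 'wp_get_current_user' ) ) {
							include_once ABSPATH . 'wp-includes/pluggable.php';
						}

						if ( in_array( 'administrator', $new_roles, true ) && ! current_user_can( 'edit_users' ) ) {
							Atomic_Platform_Virtual_Patches::add_exploratory_log(
								sprintf(
									'Unauthorized Admin Creation (%s / %d), by user ID %d (%s)',
									$data['user_login'] ?? $userdata['user_login'] ?? 'n/a',
									$id,
									get_current_user_id(),
									wp_get_current_user()->user_login
								)
							);
						}

						return $data;
					} catch ( Exception $e ) {
						Atomic_Platform_Virtual_Patches::add_exploratory_error_log( $e );

						return $data;
					}
				},
				5, // Priority
				4 // args
			);

			// Narrower sample: the upgrader hook runs only for sites whose ATOMIC_SITE_ID ends in 00-04 (5%).
			if ( defined( 'ATOMIC_SITE_ID' ) && ATOMIC_SITE_ID % 100 >= 5 ) {
				return;
			}

			add_filter(
				'upgrader_source_selection',
				function ( $source, $remote_source, $upgrader, $hook_extra ) {
					try {
						if ( empty( $hook_extra['type'] ) || empty( $hook_extra['action'] ) ) {
							return $source;
						}

						$type   = $hook_extra['type']; // plugin | theme
						$action = $hook_extra['action']; // install | update

						// Only plugin/theme installs are of interest; updates are left alone.
						if ( ! in_array( $type, [ 'plugin', 'theme' ], true ) || $action !== 'install' ) {
							return $source;
						}

						// Resolves to install_plugins / install_themes.
						if ( ! current_user_can( "{$action}_{$type}s" ) ) {
							Atomic_Platform_Virtual_Patches::add_exploratory_log( "Unauthorized {$type} {$action} - " . basename( $source ) );
						}

						return $source;
					} catch ( Exception $e ) {
						Atomic_Platform_Virtual_Patches::add_exploratory_error_log( $e );
						return $source;
					}
				},
				5, // Priority
				4 // args
			);

			/*
			 * DISABLED: update_user_metadata hook. Kept for reference only; while it is commented out the
			 * "registration with default_role = administrator" case noted in the wp_pre_insert_user_data
			 * filter above is not covered by any exploratory log.
			 */
			/*
			add_filter(
				'update_user_metadata',
				function ( $check, $object_id, $meta_key, $meta_value, $prev_value ) {
					try {
						global $wpdb;

						if ( ! function_exists( 'wp_get_current_user' ) ) {
							include_once ABSPATH . 'wp-includes/pluggable.php';
						}

						if ( current_user_can( 'edit_users' ) ) {
							return $check;
						}

						// MS handled as well
						$protected_meta_key = $wpdb->get_blog_prefix() . 'capabilities';

						$normalized_meta_key_query = $wpdb->prepare( "SELECT `meta_key` FROM {$wpdb->usermeta} WHERE meta_key = %s AND user_id = %d", $meta_key, $object_id );

						// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared
						if ( sanitize_key( remove_accents( $meta_key ) ) === $protected_meta_key || $wpdb->get_var( $normalized_meta_key_query ) === $protected_meta_key ) {

							$old_caps = is_array( $prev_value ) ? $prev_value : [];
							$new_caps = is_array( $meta_value ) ? $meta_value : [];

							// $prev_value does not always contains the previous values ... because reason.
							if ( empty( $old_caps ) ) {
								$old_caps = get_user_meta( $object_id, $protected_meta_key, true );
							}

							$had_admin  = ! empty( $old_caps['administrator'] );
							$gets_admin = ! empty( $new_caps['administrator'] );

							if ( ! $had_admin && $gets_admin ) {
								Atomic_Platform_Virtual_Patches::add_exploratory_log(
									sprintf(
										'Unauthorized Metadata Update (%s set to administrator) by User ID %d (%s) on User ID %d',
										$protected_meta_key,
										get_current_user_id(),
										wp_get_current_user()->user_login,
										$object_id
									)
								);
							}
						}

						return $check;
					} catch ( Exception $e ) {
						Atomic_Platform_Virtual_Patches::add_exploratory_error_log( $e );

						return $check;
					}
				},
				5, // Priority
				5 // args
			);
			*/
		}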
	}

	// Side-effect instantiation: constructing the class is what installs the virtual patches
	// (presumably its constructor calls the register_* methods — the constructor is outside this chunk, confirm).
	new Atomic_Platform_Virtual_Patches();
}