Merge pull request #707 from Melapress/20250304-sync

Sync from 2025-03-04

classes/Controllers/class-cron-jobs.php

@@ -91,6 +91,15 @@ class Cron_Jobs {
 		 */
 		public const CRON_JOBS_SETTINGS_NAME = 'cron_jobs_options';
 
+		/**
+		 * Class cache for initialization
+		 *
+		 * @var boolean
+		 *
+		 * @since 5.3.2
+		 */
+		private static $initialized = false;
+
 		/**
 		 * Inits the class and its hooks.
 		 *
@@ -101,18 +110,15 @@ class Cron_Jobs {
 		public static function init() {
 			\add_filter( 'doing_it_wrong_trigger_error', array( __CLASS__, 'maybe_prevent_error' ), -1 );
 			// Add custom schedules for WSAL early otherwise they won't work.
-			\add_filter( 'cron_schedules', array( __CLASS__, 'recurring_schedules' ) );
+			\add_filter( 'cron_schedules', array( __CLASS__, 'recurring_schedules' ), PHP_INT_MAX );
 			\add_filter( 'wsal_cron_hooks', array( __CLASS__, 'settings_hooks' ) );
+			\add_filter( 'after_setup_theme', array( __CLASS__, 'initialize_hooks' ) );
 
 			if ( Settings_Helper::get_boolean_option_value( 'pruning-date-e', false ) ) {
 				\add_action( 'wsal_cleanup', array( Occurrences_Entity::class, 'prune_records' ) );
 			}
 
-			\wp_get_schedules();
-
 			\remove_filter( 'doing_it_wrong_trigger_error', array( __CLASS__, 'maybe_prevent_error' ) );
-
-			self::initialize_hooks();
 		}
 
 		/**
@@ -404,7 +410,7 @@ public static function maybe_prevent_error( $trigger ) {
 		 *
 		 * @since 5.0.0
 		 */
-		private static function initialize_hooks() {
+		public static function initialize_hooks() {
 			$hooks_array = self::CRON_JOBS_NAMES;
 
 			if ( WP_Helper::is_multisite() || 'free' === \WpSecurityAuditLog::get_plugin_version() ) {
@@ -428,7 +434,7 @@ private static function initialize_hooks() {
 				}
 			}
 
-			if ( WP_Helper::is_multisite() || 'free' !== \WpSecurityAuditLog::get_plugin_version() ) {
+			if ( WP_Helper::is_multisite() ) {
 				if ( ! \is_main_site() || 'free' !== \WpSecurityAuditLog::get_plugin_version() ) {
 					$per_site_report = ( isset( Notifications::get_global_notifications_setting()['notification_summary_multisite_individual_site'] ) ? Notifications::get_global_notifications_setting()['notification_summary_multisite_individual_site'] : true );
 

classes/Entities/class-abstract-entity.php

@@ -1211,7 +1211,7 @@ public static function build_query(
 					$logic_join = $clause;
 				}
 				$string_clause = \rtrim( $string_clause, $logic_join . ' ' );
-				if ( ! \is_int( $sub_clause ) ) {
+				if ( isset( $sub_clause ) && ! \is_int( $sub_clause ) ) {
 					$sub_join_clause = $sub_clause;
 					$string_clause  .= ' ) ';
 				}

classes/Migration/class-migration.php

@@ -1077,6 +1077,21 @@ public static function migrate_up_to_5320() {
 				Settings_Helper::set_option_value( Notifications::BUILT_IN_NOTIFICATIONS_SETTINGS_NAME, $options );
 			}
 		}
+		/**
+		 * Migration for version upto 5.3.3
+		 *
+		 * Migrates notification settings
+		 *
+		 * Note: The migration methods need to be in line with the @see WSAL\Utils\Abstract_Migration::$pad_length
+		 *
+		 * @return void
+		 *
+		 * @since 5.3.3
+		 */
+		public static function migrate_up_to_5330() {
+
+			Cron_Jobs::remove_cron_option( 'wsal_daily_summary_report' );
+		}
 
 		/**
 		 * Previous version of the plugin do not store username or user_id consistently, that method fixed that (in the best way possible) - if there is no user with that username 0 is stored as user_id, if user with that id does not exist anymore 'Deleted' is stored as username (check update_user_name_and_user_id method)

classes/WPSensors/class-wp-system-sensor.php

@@ -754,7 +754,7 @@ public static function event_admin_init() {
 			$is_permalink_page   = 'options-permalink' === $actype;
 
 			// WordPress URL changed.
-			if ( $is_option_page
+			if ( $is_option_page && isset( $post_array['_wpnonce'] )
 			&& \wp_verify_nonce( $post_array['_wpnonce'], 'general-options' )
 			&& ! empty( $post_array['siteurl'] ) ) {
 				$old_siteurl = \get_option( 'siteurl' );
@@ -772,7 +772,7 @@ public static function event_admin_init() {
 			}
 
 			// Site URL changed.
-			if ( $is_option_page
+			if ( $is_option_page && isset( $post_array['_wpnonce'] )
 			&& \wp_verify_nonce( $post_array['_wpnonce'], 'general-options' )
 			&& ! empty( $post_array['home'] ) ) {
 				$old_url = \get_option( 'home' );
@@ -789,7 +789,7 @@ public static function event_admin_init() {
 				}
 			}
 
-			if ( isset( $post_array['option_page'] ) && 'reading' === $post_array['option_page'] && isset( $post_array['show_on_front'] )
+			if ( isset( $post_array['option_page'] ) && 'reading' === $post_array['option_page'] && isset( $post_array['show_on_front'] ) && isset( $post_array['_wpnonce'] )
 			&& wp_verify_nonce( $post_array['_wpnonce'], 'reading-options' ) ) {
 				$old_homepage = ( 'posts' === get_site_option( 'show_on_front' ) ) ? __( 'latest posts', 'wp-security-audit-log' ) : __( 'static page', 'wp-security-audit-log' );
 				$new_homepage = ( 'posts' === $post_array['show_on_front'] ) ? __( 'latest posts', 'wp-security-audit-log' ) : __( 'static page', 'wp-security-audit-log' );
@@ -804,7 +804,7 @@ public static function event_admin_init() {
 				}
 			}
 
-			if ( isset( $post_array['option_page'] ) && 'reading' === $post_array['option_page'] && isset( $post_array['page_on_front'] )
+			if ( isset( $post_array['option_page'] ) && 'reading' === $post_array['option_page'] && isset( $post_array['page_on_front'] ) && isset( $post_array['_wpnonce'] )
 			&& wp_verify_nonce( $post_array['_wpnonce'], 'reading-options' ) ) {
 				$old_frontpage = get_the_title( get_site_option( 'page_on_front' ) );
 				$new_frontpage = get_the_title( $post_array['page_on_front'] );
@@ -819,7 +819,7 @@ public static function event_admin_init() {
 				}
 			}
 
-			if ( isset( $post_array['option_page'] ) && 'reading' === $post_array['option_page'] && isset( $post_array['page_for_posts'] )
+			if ( isset( $post_array['option_page'] ) && 'reading' === $post_array['option_page'] && isset( $post_array['page_for_posts'] ) && isset( $post_array['_wpnonce'] )
 			&& wp_verify_nonce( $post_array['_wpnonce'], 'reading-options' ) ) {
 				$old_postspage = get_the_title( get_site_option( 'page_for_posts' ) );
 				$new_postspage = get_the_title( $post_array['page_for_posts'] );
@@ -835,12 +835,12 @@ public static function event_admin_init() {
 			}
 
 			// Check timezone change.
-			if ( $is_option_page && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['timezone_string'] ) ) {
+			if ( $is_option_page && isset( $post_array['_wpnonce'] ) && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['timezone_string'] ) ) {
 				self::check_timezone_change( $post_array );
 			}
 
 			// Check date format change.
-			if ( $is_option_page && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['date_format'] ) ) {
+			if ( $is_option_page && isset( $post_array['_wpnonce'] ) && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['date_format'] ) ) {
 				$old_date_format = get_option( 'date_format' );
 				$new_date_format = ( '\c\u\s\t\o\m' === $post_array['date_format'] ) ? \sanitize_text_field( \wp_unslash( $post_array['date_format_custom'] ) ) : \sanitize_text_field( \wp_unslash( $post_array['date_format'] ) );
 				if ( $old_date_format !== $new_date_format ) {
@@ -856,7 +856,7 @@ public static function event_admin_init() {
 			}
 
 			// Check time format change.
-			if ( $is_option_page && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['time_format'] ) ) {
+			if ( $is_option_page && isset( $post_array['_wpnonce'] ) && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['time_format'] ) ) {
 				$old_time_format = get_option( 'time_format' );
 				$new_time_format = ( '\c\u\s\t\o\m' === $post_array['time_format'] ) ? \sanitize_text_field( \wp_unslash( $post_array['time_format_custom'] ) ) : \sanitize_text_field( \wp_unslash( $post_array['time_format'] ) );
 				if ( $old_time_format !== $new_time_format ) {
@@ -872,7 +872,7 @@ public static function event_admin_init() {
 			}
 
 			// Registration Option.
-			if ( $is_option_page && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ( get_option( 'users_can_register' ) xor isset( $post_array['users_can_register'] ) ) ) {
+			if ( $is_option_page && isset( $post_array['_wpnonce'] ) && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ( get_option( 'users_can_register' ) xor isset( $post_array['users_can_register'] ) ) ) {
 				$old = get_option( 'users_can_register' ) ? 'enabled' : 'disabled';
 				$new = isset( $post_array['users_can_register'] ) ? 'enabled' : 'disabled';
 
@@ -888,7 +888,7 @@ public static function event_admin_init() {
 			}
 
 			// Default Role option.
-			if ( $is_option_page && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['default_role'] ) ) {
+			if ( $is_option_page && isset( $post_array['_wpnonce'] ) && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['default_role'] ) ) {
 				$old = get_option( 'default_role' );
 				$new = trim( \sanitize_text_field( \wp_unslash( $post_array['default_role'] ) ) );
 				if ( $old !== $new ) {
@@ -904,7 +904,7 @@ public static function event_admin_init() {
 			}
 
 			// Admin Email Option.
-			if ( $is_option_page && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['admin_email'] ) ) {
+			if ( $is_option_page && isset( $post_array['_wpnonce'] ) && wp_verify_nonce( $post_array['_wpnonce'], 'general-options' ) && ! empty( $post_array['admin_email'] ) ) {
 				$old = get_option( 'admin_email' );
 				$new = trim( \sanitize_text_field( \wp_unslash( $post_array['admin_email'] ) ) );
 				if ( $old !== $new ) {
@@ -920,7 +920,7 @@ public static function event_admin_init() {
 			}
 
 			// Admin Email of Network.
-			if ( $is_network_settings && ! empty( $post_array['new_admin_email'] ) && wp_verify_nonce( $post_array['_wpnonce'], 'siteoptions' ) ) {
+			if ( $is_network_settings && isset( $post_array['_wpnonce'] ) && ! empty( $post_array['new_admin_email'] ) && wp_verify_nonce( $post_array['_wpnonce'], 'siteoptions' ) ) {
 				$old = get_site_option( 'admin_email' );
 				$new = trim( \sanitize_text_field( \wp_unslash( $post_array['new_admin_email'] ) ) );
 				if ( $old !== $new ) {
@@ -936,7 +936,7 @@ public static function event_admin_init() {
 			}
 
 			// Permalinks changed.
-			if ( $is_permalink_page && ! empty( $post_array['permalink_structure'] )
+			if ( $is_permalink_page && ! empty( $post_array['permalink_structure'] ) && isset( $post_array['_wpnonce'] )
 			&& wp_verify_nonce( $post_array['_wpnonce'], 'update-permalink' ) ) {
 				$old = get_option( 'permalink_structure' );
 				$new = trim( \sanitize_text_field( \wp_unslash( $post_array['permalink_structure'] ) ));
@@ -953,7 +953,7 @@ public static function event_admin_init() {
 			}
 
 			// Core Update.
-			if ( isset( $get_array['action'] ) && 'do-core-upgrade' === $get_array['action'] && isset( $post_array['version'] )
+			if ( isset( $get_array['action'] ) && 'do-core-upgrade' === $get_array['action'] && isset( $post_array['version'] ) && isset( $post_array['_wpnonce'] )
 			&& wp_verify_nonce( $post_array['_wpnonce'], 'upgrade-core' ) ) {
 				$old_version = get_bloginfo( 'version' );
 				$new_version = \sanitize_text_field( \wp_unslash( $post_array['version'] ) );
@@ -981,7 +981,7 @@ public static function event_admin_init() {
 			}
 
 			// Site Language changed.
-			if ( $is_option_page
+			if ( $is_option_page && isset( $post_array['_wpnonce'] )
 			&& wp_verify_nonce( $post_array['_wpnonce'], 'general-options' )
 			&& isset( $post_array['WPLANG'] ) ) {
 				// Is there a better way to turn the language into a "nice name"?
@@ -1009,7 +1009,7 @@ public static function event_admin_init() {
 			}
 
 			// Site title.
-			if ( $is_option_page
+			if ( $is_option_page && isset( $post_array['_wpnonce'] )
 			&& wp_verify_nonce( $post_array['_wpnonce'], 'general-options' )
 			&& isset( $post_array['blogname'] ) ) {
 				$previous_value = get_option( 'blogname' );

classes/Writers/class-csv-writer.php

@@ -236,7 +236,15 @@ public static function write_csv_ajax() {
 				wp_send_json_error( esc_html_e( 'query is not provided or incorrect', 'wp-security-audit-log' ) );
 				die();
 			} else {
-				$query = unserialize( \base64_decode( \sanitize_text_field( \wp_unslash( $_POST['query'] ) ) ) );
+				$query = \unserialize( \base64_decode( \sanitize_text_field( \wp_unslash( $_POST['query'] ) ) ), array( 'allowed_classes' => false ) );
+
+				if ( ! \is_array( $query ) ) {
+					wp_send_json_error( esc_html_e( 'Unrecognized format', 'wp-security-audit-log' ) );
+					die();
+				}
+
+				array_walk_recursive( $query, 'wp_unslash' );
+				array_walk_recursive( $query, 'sanitize_text_field' );
 			}
 
 			if ( ! array_key_exists( 'order', $_POST ) ) {

classes/class-wp-security-audit-log.php

@@ -174,9 +174,6 @@ public function __construct() {
 			// phpcs:enable
 
 			MainWP_Addon::init();
-
-			Cron_Jobs::init();
-
 			// Hide all unrelated to the plugin notices on the plugin admin pages.
 			\add_action( 'admin_print_scripts', array( WP_Helper::class, 'hide_unrelated_notices' ) );
 
@@ -403,6 +400,8 @@ private static function init_hooks() {
 
 			self::init_freemius();
 
+			Cron_Jobs::init();
+
 			// Extensions which are only admin based.
 			if ( \is_admin() ) {
 				Plugin_Installer::init();
@@ -1347,7 +1346,7 @@ public static function get_plugin_admin_url_page() {
 		 * @since 5.1.1
 		 */
 		public static function get_plugin_version(): string {
-			if ( class_exists( 'WSAL_Freemius', false ) && ! method_exists( 'WSAL_Freemius', 'set_basename' ) && ! ( new WSAL_Freemius() )->is_free_plan() ) {
+			if ( defined( 'WSAL_NOFS_TOOL_PATH' ) ) {
 				return 'NOFS';
 			}
 			if ( function_exists( 'wsal_freemius' ) && wsal_freemius()->has_active_valid_license() ) {