Merge pull request #42 from jakobbouchard/develop

Fix CSRF possibility

hestia-nginx-cache.php

@@ -11,7 +11,7 @@
  * Plugin Name:       Hestia Nginx Cache
  * Description:       Hestia Nginx Cache Integration for WordPress. Auto-purges the Nginx cache when needed.
  * Plugin URI:        https://github.com/jakobbouchard/hestia-nginx-cache
- * Version:           2.4.0
+ * Version:           2.4.1
  * Requires at least: 4.8
  * Requires PHP:      5.4
  * Author:            Jakob Bouchard
@@ -28,7 +28,7 @@
 class Hestia_Nginx_Cache
 {
 	public const NAME = 'hestia-nginx-cache';
-	public const VERSION = '2.4.0';
+	public const VERSION = '2.4.1';
 
 	private static $instance = null;
 	public static $plugin_basename = null;

includes/admin.php

@@ -263,6 +263,20 @@ public function embed_admin_notices()
 
 	public function purge()
 	{
+		if (!current_user_can('edit_posts')) {
+			wp_send_json_error([
+				'message' => esc_html__('The Hestia Nginx Cache could not be purged!', 'hestia-nginx-cache'),
+				'error'   => esc_html__('Not enough permissions.', 'hestia-nginx-cache')
+			]);
+		}
+
+		if (!wp_verify_nonce($_POST['wp_nonce'], 'hestia-nginx-cache-purge-wp-nonce')) {
+			wp_send_json_error([
+				'message' => esc_html__('The Hestia Nginx Cache could not be purged!', 'hestia-nginx-cache'),
+				'error'   => esc_html__('Invalid nonce.', 'hestia-nginx-cache')
+			]);
+		}
+
 		$result = $this->plugin->purge(true);
 		if ($result) {
 			$exit_code = wp_remote_retrieve_header($result, 'Hestia-Exit-Code');
@@ -280,10 +294,10 @@ public function purge()
 				$args['error'] = 'Unknown error';
 			}
 			wp_send_json_error($args);
-		} elseif (wp_verify_nonce($_POST['wp_nonce'], 'hestia-nginx-cache-purge-wp-nonce')) {
-			wp_send_json_success([
-				'message' => esc_html__('The Hestia Nginx Cache was purged successfully.', 'hestia-nginx-cache')
-			]);
 		}
+
+		wp_send_json_success([
+			'message' => esc_html__('The Hestia Nginx Cache was purged successfully.', 'hestia-nginx-cache')
+		]);
 	}
 }

languages/hestia-nginx-cache-fr_CA.po

@@ -1,6 +1,6 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Hestia Nginx Cache 2.4.0\n"
+"Project-Id-Version: Hestia Nginx Cache 2.4.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/hestia-nginx-cache\n"
 "Last-Translator: Jakob Bouchard <jakob@bchrd.ca>\n"
 "Language-Team: Unknown\n"

languages/hestia-nginx-cache-pt_BR.po

@@ -1,6 +1,6 @@
 msgid ""
 msgstr ""
-"Project-Id-Version: Hestia Nginx Cache 2.4.0\n"
+"Project-Id-Version: Hestia Nginx Cache 2.4.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/hestia-nginx-"
 "cache\n"
 "Last-Translator: Maison da Silva\n"

languages/hestia-nginx-cache.pot

@@ -2,7 +2,7 @@
 # This file is distributed under the GPL v3.
 msgid ""
 msgstr ""
-"Project-Id-Version: Hestia Nginx Cache 2.4.0\n"
+"Project-Id-Version: Hestia Nginx Cache 2.4.1\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/hestia-nginx-cache\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

readme.txt

@@ -5,7 +5,7 @@ Tags: cache, flush, purge, hestia, nginx
 Requires at least: 4.8
 Tested up to: 6.6
 Requires PHP: 5.4
-Stable tag: 2.4.0
+Stable tag: 2.4.1
 License: GPL v3
 License URI: http://www.gnu.org/licenses/gpl-3.0.txt
 
@@ -72,6 +72,9 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro
 
 == Changelog ==
 
+= 2.4.1 =
+* Fix CSRF possibility (thanks to Marek Mikita for reporting via PatchStack).
+
 = 2.4.0 =
 * Add WP CLI support.