Skip to content

fix: security hardening from 2026-07 audit#1

Closed
arifulhoque7 wants to merge 2 commits into
developfrom
fix/security-audit-2026-07
Closed

fix: security hardening from 2026-07 audit#1
arifulhoque7 wants to merge 2 commits into
developfrom
fix/security-audit-2026-07

Conversation

@arifulhoque7

Copy link
Copy Markdown
Owner

Security hardening — 2026-07 audit (free plugin)

Free-plugin fixes from the 2026-07 WPUF security audit. Findings are tracked alongside the pro set on weDevsOfficial/wpuf-pro#1622.

Security-only, feature-preserving. php -l clean on all changed files.

  • weDevsOfficial/wpuf-pro#1608 URL custom-field output stored XSS → esc_url / esc_attr / esc_html.
  • weDevsOfficial/wpuf-pro#1609 wpuf_clear_schedule_lock missing authorization → current_user_can( 'edit_others_posts' ) + absint.
  • weDevsOfficial/wpuf-pro#1610 custom-field label escaping, embed URL esc_url_raw, transaction query strict in_array + absint, deprecated create_function → closure.
  • weDevsOfficial/wpuf-pro#1620 repeat-field submissions sanitized per-element on storage.
  • weDevsOfficial/wpuf-pro#1621 JSON form import: allowlist post_type / post_status (mass-assignment).

No behaviour change for legitimate flows (rich text / shortcodes still render; storage-layer sanitization preserves multi-value data).

🤖 Generated with Claude Code

arifulhoque7 and others added 2 commits July 5, 2026 11:56
Security-only, feature-preserving fixes for the free-plugin findings from the
2026-07 audit (tracked with the pro findings on weDevsOfficial/wpuf-pro#1622).

- URL custom-field output: esc_url/esc_attr/esc_html (stored XSS) (weDevsOfficial/wpuf-pro#1608)
- wpuf_clear_schedule_lock: require edit_others_posts + absint (missing authz) (weDevsOfficial/wpuf-pro#1609)
- custom-field labels esc_html, embed URL esc_url_raw, transaction query
  strict in_array + absint (weDevsOfficial/wpuf-pro#1610)
- repeat-field submissions: per-element sanitize on storage (weDevsOfficial/wpuf-pro#1620)
- JSON import: allowlist post_type/post_status (mass-assignment) (weDevsOfficial/wpuf-pro#1621)
- Settings API: replace deprecated create_function with a closure

No functional behaviour change for legitimate flows.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Reformat repeat-field sanitizer closures to WPCS style and restore the
original single-line // phpcs:ignore on the settings-desc callback, so the
security-fix changes introduce zero new PHPCS errors vs develop.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@arifulhoque7

Copy link
Copy Markdown
Owner Author

Recreated against weDevsOfficial: weDevsOfficial#1903

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant