Fixes a CSRF vulnerability / [CVE-2023-27444](https://www.cve.org/CVE…

…Record?id=CVE-2023-27444) discovered by [Mika](https://patchstack.com/database/researcher/5ade6efe-f495-4836-906d-3de30c24edad) from [Patchstack](https://patchstack.com)

CHANGELOG.md

@@ -3,6 +3,11 @@ All notable changes to **oEmbed Manager** are documented in this *changelog*.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and **oEmbed Manager** adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.10.1] - 2023-03-02
+
+### Fixed
+- [SEC002] CSRF vulnerability / [CVE-2023-27444](https://www.cve.org/CVERecord?id=CVE-2023-27444) (thanks to [Mika](https://patchstack.com/database/researcher/5ade6efe-f495-4836-906d-3de30c24edad) from [Patchstack](https://patchstack.com)).
+
 ## [2.10.0] - 2023-02-24
 
 The developments of PerfOps One suite, of which this plugin is a part, is now sponsored by [Hosterra](https://hosterra.eu).

admin/class-oembed-manager-admin.php

@@ -309,6 +309,7 @@ public function get_settings_page() {
 		if ( ! ( $action = filter_input( INPUT_GET, 'action' ) ) ) {
 			$action = filter_input( INPUT_POST, 'action' );
 		}
+		$nonce = filter_input( INPUT_GET, 'nonce' );
 		if ( $action && $tab ) {
 			switch ( $tab ) {
 				case 'misc':
@@ -323,7 +324,7 @@ public function get_settings_page() {
 							}
 							break;
 						case 'install-decalog':
-							if ( class_exists( 'PerfOpsOne\Installer' ) ) {
+							if ( class_exists( 'PerfOpsOne\Installer' ) && $nonce && wp_verify_nonce( $nonce, $action ) ) {
 								$result = \PerfOpsOne\Installer::do( 'decalog', true );
 								if ( '' === $result ) {
 									add_settings_error( 'oemm_no_error', '', esc_html__( 'Plugin successfully installed and activated with default settings.', 'oembed-manager' ), 'info' );
@@ -482,7 +483,7 @@ public function plugin_options_section_callback() {
 			$help  = '<img style="width:16px;vertical-align:text-bottom;" src="' . \Feather\Icons::get_base64( 'alert-triangle', 'none', '#FF8C00' ) . '" />&nbsp;';
 			$help .= sprintf( esc_html__( 'Your site does not use any logging plugin. To log all events triggered in oEmbed Manager, I recommend you to install the excellent (and free) %s. But it is not mandatory.', 'oembed-manager' ), '<a href="https://wordpress.org/plugins/decalog/">DecaLog</a>' );
 			if ( class_exists( 'PerfOpsOne\Installer' ) && ! Environment::is_wordpress_multisite() ) {
-				$help .= '<br/><a href="' . esc_url( admin_url( 'admin.php?page=oemm-settings&tab=misc&action=install-decalog' ) ) . '" class="poo-button-install"><img style="width:16px;vertical-align:text-bottom;" src="' . \Feather\Icons::get_base64( 'download-cloud', 'none', '#FFFFFF', 3 ) . '" />&nbsp;&nbsp;' . esc_html__('Install It Now', 'oembed-manager' ) . '</a>';
+				$help .= '<br/><a href="' . wp_nonce_url( admin_url( 'admin.php?page=oemm-settings&tab=misc&action=install-decalog' ), 'install-decalog', 'nonce' ) . '" class="poo-button-install"><img style="width:16px;vertical-align:text-bottom;" src="' . \Feather\Icons::get_base64( 'download-cloud', 'none', '#FFFFFF', 3 ) . '" />&nbsp;&nbsp;' . esc_html__('Install It Now', 'oembed-manager' ) . '</a>';
 			}
 		}
 		add_settings_field(

init.php

@@ -12,7 +12,7 @@
 define( 'OEMM_PRODUCT_SHORTNAME', 'oEmbed Manager' );
 define( 'OEMM_PRODUCT_ABBREVIATION', 'oemm' );
 define( 'OEMM_SLUG', 'oembed-manager' );
-define( 'OEMM_VERSION', '2.10.0' );
+define( 'OEMM_VERSION', '2.10.1' );
 define( 'OEMM_CODENAME', '"-"' );
 
 define( 'OEMM_CDN_AVAILABLE', true );

oembed-manager.php

@@ -10,7 +10,7 @@
  * Plugin Name:       oEmbed Manager
  * Plugin URI:        https://perfops.one/oembed-manager
  * Description:       Manage oEmbed capabilities of your website and take a new step in the GDPR compliance of your embedded content.
- * Version:           2.10.0
+ * Version:           2.10.1
  * Requires at least: 5.2
  * Requires PHP:      7.2
  * Author:            Pierre Lannoy / PerfOps One

readme.txt

@@ -4,7 +4,7 @@ Tags: oembed, embed, privacy, gdpr, manager
 Requires at least: 5.2
 Tested up to: 6.2
 Requires PHP: 7.2
-Stable tag: 2.10.0
+Stable tag: 2.10.1
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html