diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77ff632..74c6302 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,11 @@ All notable changes to **oEmbed Manager** are documented in this *changelog*.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and **oEmbed Manager** adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.10.1] - 2023-03-02
+
+### Fixed
+- [SEC002] CSRF vulnerability / [CVE-2023-27444](https://www.cve.org/CVERecord?id=CVE-2023-27444) (thanks to [Mika](https://patchstack.com/database/researcher/5ade6efe-f495-4836-906d-3de30c24edad) from [Patchstack](https://patchstack.com)).
+
## [2.10.0] - 2023-02-24
The developments of PerfOps One suite, of which this plugin is a part, is now sponsored by [Hosterra](https://hosterra.eu).
diff --git a/admin/class-oembed-manager-admin.php b/admin/class-oembed-manager-admin.php
index f2f0d67..66f861b 100644
--- a/admin/class-oembed-manager-admin.php
+++ b/admin/class-oembed-manager-admin.php
@@ -309,6 +309,7 @@ public function get_settings_page() {
if ( ! ( $action = filter_input( INPUT_GET, 'action' ) ) ) {
$action = filter_input( INPUT_POST, 'action' );
}
+ $nonce = filter_input( INPUT_GET, 'nonce' );
if ( $action && $tab ) {
switch ( $tab ) {
case 'misc':
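Review bot: `$nonce` on the added line is read from INPUT_GET only, while `$action` directly above falls back to INPUT_POST when it is absent from the query string, so an action submitted by POST reaches the later `wp_verify_nonce( $nonce, $action )` with `$nonce` null and is rejected no matter what token the form carried. Mirror the fallback so both values come from the same request source: `if ( ! ( $nonce = filter_input( INPUT_GET, 'nonce' ) ) ) { $nonce = filter_input( INPUT_POST, 'nonce' ); }`. Whether the `misc` case that follows also performs a state-changing action and therefore needs the same verification cannot be judged from this hunk; get_settings_page() begins and ends outside it.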
@@ -323,7 +324,7 @@ public function get_settings_page() {
}
break;
case 'install-decalog':
- if ( class_exists( 'PerfOpsOne\Installer' ) ) {
+ if ( class_exists( 'PerfOpsOne\Installer' ) && $nonce && wp_verify_nonce( $nonce, $action ) ) {
$result = \PerfOpsOne\Installer::do( 'decalog', true );
if ( '' === $result ) {
add_settings_error( 'oemm_no_error', '', esc_html__( 'Plugin successfully installed and activated with default settings.', 'oembed-manager' ), 'info' );
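Review bot: When the added nonce check on the `install-decalog` branch fails, the install is silently skipped, so a user whose nonce has merely expired sees the settings page as if nothing happened and has no reason to reload before retrying. Give the `if` an `else` that surfaces the rejection, e.g. `add_settings_error( 'oemm_nonce_error', '', esc_html__( 'Security check failed, please reload the page and try again.', 'oembed-manager' ), 'error' );` (the message text is a placeholder to align with the plugin's wording). Passing `$action` as the nonce action ties the token to this specific operation, which is the right shape; whether a capability check also guards this page is not visible here and is worth confirming. The `if` body and get_settings_page() continue past the end of the hunk, so the remainder of the branch is not reviewed.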
@@ -482,7 +483,7 @@ public function plugin_options_section_callback() {
$help = ' ';
$help .= sprintf( esc_html__( 'Your site does not use any logging plugin. To log all events triggered in oEmbed Manager, I recommend you to install the excellent (and free) %s. But it is not mandatory.', 'oembed-manager' ), 'DecaLog' );
if ( class_exists( 'PerfOpsOne\Installer' ) && ! Environment::is_wordpress_multisite() ) {
- $help .= '
' . esc_html__('Install It Now', 'oembed-manager' ) . '';
+ $help .= '
' . esc_html__('Install It Now', 'oembed-manager' ) . '';
}
}
add_settings_field(
diff --git a/init.php b/init.php
index 006f661..a172ed7 100644
--- a/init.php
+++ b/init.php
@@ -12,7 +12,7 @@
define( 'OEMM_PRODUCT_SHORTNAME', 'oEmbed Manager' );
define( 'OEMM_PRODUCT_ABBREVIATION', 'oemm' );
define( 'OEMM_SLUG', 'oembed-manager' );
-define( 'OEMM_VERSION', '2.10.0' );
+define( 'OEMM_VERSION', '2.10.1' );
define( 'OEMM_CODENAME', '"-"' );
define( 'OEMM_CDN_AVAILABLE', true );
\ No newline at end of file
diff --git a/oembed-manager.php b/oembed-manager.php
index 5b66e95..ea9d975 100644
--- a/oembed-manager.php
+++ b/oembed-manager.php
@@ -10,7 +10,7 @@
* Plugin Name: oEmbed Manager
* Plugin URI: https://perfops.one/oembed-manager
* Description: Manage oEmbed capabilities of your website and take a new step in the GDPR compliance of your embedded content.
- * Version: 2.10.0
+ * Version: 2.10.1
* Requires at least: 5.2
* Requires PHP: 7.2
* Author: Pierre Lannoy / PerfOps One
diff --git a/readme.txt b/readme.txt
index e24764f..be03c7e 100644
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Tags: oembed, embed, privacy, gdpr, manager
Requires at least: 5.2
Tested up to: 6.2
Requires PHP: 7.2
-Stable tag: 2.10.0
+Stable tag: 2.10.1
License: GPLv3
License URI: https://www.gnu.org/licenses/gpl-3.0.html