A client of mine really enjoys this plugin but the security issues must be addressed. I am posting the patches I made to this plugin to address the two major security issues: the Broken Access Control and CSRF issues.

    ==============================================
    WORDPRESS PLUGIN SECURITY FIXES
    Mega Addons For WPBakery Page Builder Version 4.3.0 -> 4.3.1

    ==============================================

    FILE 1: main.php

    Line 87-99 – SECURITY FIX: Added nonce verification AND capability check

    BEFORE:

    function vc_saving_data() {
        if (isset($_REQUEST)) {

            // Sanitizing $_REQUEST before saving
            $vc_save_data = array_map( 'sanitize_text_field', $_REQUEST );
            update_option( 'vc_save_data', $vc_save_data );

        }
    }

    AFTER:

    function vc_saving_data() {
        // The nonce action must match the first argument given to
        // wp_nonce_field() in includes/settings.php ('vc_mega_addons_save'),
        // otherwise every request fails verification. The token itself is
        // sent by lib/admin.js as the 'nonce' request parameter.
        check_ajax_referer( 'vc_mega_addons_save', 'nonce' );

        // Only administrators may change plugin settings
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( __( 'Unauthorized', 'mega-addons' ) );
        }

        if (isset($_REQUEST)) {
            $vc_save_data = array_map( 'sanitize_text_field', $_REQUEST );
            update_option( 'vc_save_data', $vc_save_data );
        }
    }

    CHANGES MADE:

    • Line 88: Added check_ajax_referer( 'vc_mega_addons_save', 'nonce' );
    • Lines 90-92: Added capability check for manage_options

    Line 117 – VERSION UPDATE
    BEFORE:

    <p>Version 4.3.0</p>

    AFTER:

    <p>Version 4.3.1</p>

    ==============================================

    FILE 2: includes/settings.php

    Line 13-15 – SECURITY FIX: Added nonce field

    BEFORE:

    <form id="addonsdata">
    <table class="form-table">


    AFTER:

    <form id="addonsdata">
    <?php wp_nonce_field( 'vc_mega_addons_save', 'vc_mega_addons_nonce' ); ?>
    <table class="form-table">

    CHANGES MADE:

    • Line 14: Added <?php wp_nonce_field( 'vc_mega_addons_save', 'vc_mega_addons_nonce' ); ?>

    ==============================================

    FILE 3: lib/admin.js

    Line 7 – SECURITY FIX: Added nonce to AJAX call

    BEFORE:

    data = data + '&action=vc_save_data';

    AFTER:

    data = data + '&action=vc_save_data&nonce=' + jQuery('#vc_mega_addons_nonce').val();

    CHANGES MADE:

    • Line 7: Added nonce parameter to AJAX data

    ==============================================

    FILE 4: index.php

    Line 8 – VERSION UPDATE

    BEFORE:

    Version: 4.3.0

    AFTER:

    Version: 4.3.1

    ==============================================

    SECURITY ISSUES FIXED:

    1. CSRF (Cross-Site Request Forgery)
       • The AJAX action vc_save_data had no nonce verification
       • Attackers could trick authenticated admins into submitting forms

       FIX: Added check_ajax_referer() and wp_nonce_field()

    2. Broken Access Control (Subscriber+ Settings Update)
       • No capability check – any logged-in user could update settings
       • Should require 'manage_options' capability (admin only)

       FIX: Added current_user_can( 'manage_options' ) check

    ==============================================

    SUMMARY OF CHANGES:

    main.php – 3 changes (nonce check, capability check, version)
    includes/settings.php – 1 change (nonce field)
    lib/admin.js – 1 change (nonce in ajax)
    index.php – 1 change (version)

    Total files modified: 4
    Total changes: 6

    I hope this helps others. User Note: I have not independently verified that this closes or fixes the two currently known security issues with this plugin. This is my best personal attempt at solving them in the short term until an official patch is released. Please use this information and patch details at your own risk.

    • This topic was modified 1 week, 1 day ago by webmasteral.
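As an added example (not part of webmasteral's patch or the plugin's own code), here is the same vc_save_data AJAX handler written so that the nonce action string is the one wp_nonce_field() uses in settings.php, the capability check runs before anything is saved, and only a fixed list of setting names is written to the option instead of the whole $_REQUEST array. The key names in VC_MEGA_ADDONS_ALLOWED_KEYS and the function names vc_saving_data_hardened / vc_mega_addons_filter_settings are placeholders, not names from the plugin.

```php
<?php
// Added example, not the plugin's code. Registers a hardened handler for the
// 'vc_save_data' AJAX action (WordPress maps it to the wp_ajax_vc_save_data hook).

// Hypothetical setting names; replace with the plugin's real form field names.
const VC_MEGA_ADDONS_ALLOWED_KEYS = array( 'setting_one', 'setting_two' );

add_action( 'wp_ajax_vc_save_data', 'vc_saving_data_hardened' );

function vc_saving_data_hardened() {
    // Nonce action 'vc_mega_addons_save' must equal the first argument passed to
    // wp_nonce_field() in settings.php; admin.js posts the token as 'nonce'.
    // Passing false as the third argument returns false instead of dying, so the
    // client gets a structured JSON error rather than a bare "-1" response.
    if ( ! check_ajax_referer( 'vc_mega_addons_save', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }

    // Changing plugin settings is an administrator action: subscribers and
    // other low-privilege roles are rejected here even with a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $clean = vc_mega_addons_filter_settings( wp_unslash( $_REQUEST ) );
    update_option( 'vc_save_data', $clean );
    wp_send_json_success( array( 'saved' => array_keys( $clean ) ) );
}

/**
 * Keep only known scalar settings. Unknown keys (including 'action', 'nonce'
 * and '_wp_http_referer', which the original array_map() over $_REQUEST would
 * have stored in the option) are dropped, and array values are skipped rather
 * than handed to sanitize_text_field(), which expects a string.
 */
function vc_mega_addons_filter_settings( array $input ) {
    $clean = array();
    foreach ( VC_MEGA_ADDONS_ALLOWED_KEYS as $key ) {
        if ( isset( $input[ $key ] ) && is_scalar( $input[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $input[ $key ] );
        }
    }
    return $clean;
}
```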
