[auto] Plugin: wordpress-popular-posts 3.3.3

wp-content/plugins/wordpress-popular-posts/readme.txt

@@ -3,8 +3,8 @@ Contributors: hcabrera
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=hcabrerab%40gmail%2ecom&lc=GB&item_name=WordPress%20Popular%20Posts%20Plugin&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donateCC_LG_global%2egif%3aNonHosted
 Tags: popular, posts, widget, popularity, top
 Requires at least: 3.8
-Tested up to: 4.3.1
-Stable tag: 3.3.2
+Tested up to: 4.4
+Stable tag: 3.3.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -67,6 +67,11 @@ The [FAQ section](https://github.com/cabrerahector/wordpress-popular-posts/wiki/
 4. WordPress Popular Posts Stats panel.
 
 == Changelog ==
+= 3.3.3 =
+- Fixes potential XSS exploit in WPP's admin dashboard.
+- Adds filter to set which post types should be tracked by WPP ([details](https://github.com/cabrerahector/wordpress-popular-posts/wiki/3.-Filters#wpp_trackable_post_types)).
+- Adds ability to select first attached image as thumbnail source (thanks, [@serglopatin](https://github.com/serglopatin)!)
+
 = 3.3.2 =
 - Fixes warning message: 'stream does not support seeking in...'
 - Removes excerpt HTML encoding.
@@ -119,29 +124,6 @@ The [FAQ section](https://github.com/cabrerahector/wordpress-popular-posts/wiki/
 * Fixes missing HTML decoding for custom HTML in widget.
 * Puts LIMIT clause back to the outer query.
 
-= 3.2.0 =
-* Adds check for jQuery.
-* Fixes invalid parameter in htmlspecialchars().
-* Switches AJAX update to POST method.
-* Removes href attribute from link when popular post is viewed.
-* Removes unnecesary ORDER BY clause in views/comments subquery.
-* Fixes Javascript console not working under IE8 (thanks, @[raphaelsaunier](https://github.com/raphaelsaunier)!)
-* Fixes WPML compatibility bug storing post IDs as 0.
-* Removes wpp-upload.js since it was no longer in use.
-* Fixes undefined default thumbnail image (thanks, Lea Cohen!)
-* Fixes rating parameter returning false value.
-* Adds Data Sampling (thanks, @[kurtpayne](https://github.com/kurtpayne)!)
-* Minor query optimizations.
-* Adds {date} (thanks, @[matsuoshi](https://github.com/matsuoshi)!) and {thumb_img} tags to custom html.
-* Adds minute time option for caching.
-* Adds wpp_data_sampling filter.
-* Removes jQuery's DOM ready hook for AJAX views update.
-* Adds back missing GROUP BY clause.
-* Removes unnecesary HTML decoding for custom HTML (thanks, Lea Cohen!)
-* Translates category name when WPML is detected.
-* Adds list of available thumbnail sizes to the widget.
-* Other minor bugfixes and improvements.
-
 See [full changelog](https://github.com/cabrerahector/wordpress-popular-posts/blob/master/changelog.md).
 
 == Language support ==
@@ -157,3 +139,5 @@ All translations are community made: people who are nice enough to share their t
 * Flame graphic by freevector/Vecteezy.com.
 
 == Upgrade Notice ==
+= 3.3.3 =
+This version fixes a potential security issue. You should upgrade as soon as possible.
\ No newline at end of file

wp-content/plugins/wordpress-popular-posts/views/admin.php

@@ -14,69 +14,91 @@ else
 if ( isset($_POST['section']) ) {
 	
 	if ( "stats" == $_POST['section'] ) {		
+		
 		$current = 'stats';
 		
-		$this->user_settings['stats']['order_by'] = $_POST['stats_order'];
-		$this->user_settings['stats']['limit'] = (is_numeric($_POST['stats_limit']) && $_POST['stats_limit'] > 0) ? $_POST['stats_limit'] : 10;
-		$this->user_settings['stats']['post_type'] = empty($_POST['stats_type']) ? "post,page" : $_POST['stats_type'];
-		$this->user_settings['stats']['freshness'] = empty($_POST['stats_freshness']) ? false : $_POST['stats_freshness'];
+		if ( isset( $_POST['wpp-admin-token'] ) && wp_verify_nonce( $_POST['wpp-admin-token'], 'wpp-update-stats-options' ) ) {
+			
+			$this->user_settings['stats']['order_by'] = $_POST['stats_order'];
+			$this->user_settings['stats']['limit'] = (is_numeric($_POST['stats_limit']) && $_POST['stats_limit'] > 0) ? $_POST['stats_limit'] : 10;
+			$this->user_settings['stats']['post_type'] = empty($_POST['stats_type']) ? "post,page" : $_POST['stats_type'];
+			$this->user_settings['stats']['freshness'] = empty($_POST['stats_freshness']) ? false : $_POST['stats_freshness'];
+			
+			update_site_option('wpp_settings_config', $this->user_settings);
+			echo "<div class=\"updated\"><p><strong>" . __('Settings saved.', $this->plugin_slug ) . "</strong></p></div>";
+			
+		}
 		
-		update_site_option('wpp_settings_config', $this->user_settings);			
-		echo "<div class=\"updated\"><p><strong>" . __('Settings saved.', $this->plugin_slug ) . "</strong></p></div>";		
 	}
 	elseif ( "misc" == $_POST['section'] ) {		
-		$current = 'tools';
-			
-		$this->user_settings['tools']['link']['target'] = $_POST['link_target'];		
-		$this->user_settings['tools']['css'] = $_POST['css'];
 		
-		update_site_option('wpp_settings_config', $this->user_settings);
-		echo "<div class=\"updated\"><p><strong>" . __('Settings saved.', $this->plugin_slug ) . "</strong></p></div>";		
-	}	
-	elseif ( "thumb" == $_POST['section'] ) {		
 		$current = 'tools';
 		
-		if ($_POST['thumb_source'] == "custom_field" && (!isset($_POST['thumb_field']) || empty($_POST['thumb_field']))) {
-			echo '<div id="wpp-message" class="error fade"><p>'.__('Please provide the name of your custom field.', $this->plugin_slug).'</p></div>';
-		} else {				
-			$this->user_settings['tools']['thumbnail']['source'] = $_POST['thumb_source'];
-			$this->user_settings['tools']['thumbnail']['field'] = ( !empty( $_POST['thumb_field']) ) ? $_POST['thumb_field'] : "wpp_thumbnail";
-			$this->user_settings['tools']['thumbnail']['default'] = ( !empty( $_POST['upload_thumb_src']) ) ? $_POST['upload_thumb_src'] : "";
-			$this->user_settings['tools']['thumbnail']['resize'] = $_POST['thumb_field_resize'];
-			$this->user_settings['tools']['thumbnail']['responsive'] = $_POST['thumb_responsive'];
+		if ( isset( $_POST['wpp-admin-token'] ) && wp_verify_nonce( $_POST['wpp-admin-token'], 'wpp-update-misc-options' ) ) {
+			
+			$this->user_settings['tools']['link']['target'] = $_POST['link_target'];
+			$this->user_settings['tools']['css'] = $_POST['css'];
 			
-			update_site_option('wpp_settings_config', $this->user_settings);				
+			update_site_option('wpp_settings_config', $this->user_settings);
 			echo "<div class=\"updated\"><p><strong>" . __('Settings saved.', $this->plugin_slug ) . "</strong></p></div>";
+		
 		}
-	}
-	elseif ( "data" == $_POST['section'] ) {		
+	}	
+	elseif ( "thumb" == $_POST['section'] ) {		
+	
 		$current = 'tools';
 		
-		$this->user_settings['tools']['log']['level'] = $_POST['log_option'];
-		$this->user_settings['tools']['log']['limit'] = $_POST['log_limit'];
-		$this->user_settings['tools']['log']['expires_after'] = ( $this->__is_numeric($_POST['log_expire_time']) && $_POST['log_expire_time'] > 0 ) 
-		  ? $_POST['log_expire_time'] 
-		  : $this->default_user_settings['tools']['log']['expires_after'];
-		$this->user_settings['tools']['ajax'] = $_POST['ajax'];
+		if ( isset( $_POST['wpp-admin-token'] ) && wp_verify_nonce( $_POST['wpp-admin-token'], 'wpp-update-thumbnail-options' ) ) {
+		
+			if ($_POST['thumb_source'] == "custom_field" && (!isset($_POST['thumb_field']) || empty($_POST['thumb_field']))) {
+				echo '<div id="wpp-message" class="error fade"><p>'.__('Please provide the name of your custom field.', $this->plugin_slug).'</p></div>';
+			} else {				
+				$this->user_settings['tools']['thumbnail']['source'] = $_POST['thumb_source'];
+				$this->user_settings['tools']['thumbnail']['field'] = ( !empty( $_POST['thumb_field']) ) ? $_POST['thumb_field'] : "wpp_thumbnail";
+				$this->user_settings['tools']['thumbnail']['default'] = ( !empty( $_POST['upload_thumb_src']) ) ? $_POST['upload_thumb_src'] : "";
+				$this->user_settings['tools']['thumbnail']['resize'] = $_POST['thumb_field_resize'];
+				$this->user_settings['tools']['thumbnail']['responsive'] = $_POST['thumb_responsive'];
+				
+				update_site_option('wpp_settings_config', $this->user_settings);				
+				echo "<div class=\"updated\"><p><strong>" . __('Settings saved.', $this->plugin_slug ) . "</strong></p></div>";
+			}
 		
-		// if any of the caching settings was updated, destroy all transients created by the plugin
-		if ( $this->user_settings['tools']['cache']['active'] != $_POST['cache'] || $this->user_settings['tools']['cache']['interval']['time'] != $_POST['cache_interval_time'] || $this->user_settings['tools']['cache']['interval']['value'] != $_POST['cache_interval_value'] ) {
-			$this->__flush_transients();
 		}
 		
-		$this->user_settings['tools']['cache']['active'] = $_POST['cache'];			
-		$this->user_settings['tools']['cache']['interval']['time'] = $_POST['cache_interval_time'];
-		$this->user_settings['tools']['cache']['interval']['value'] = ( isset($_POST['cache_interval_value']) && is_numeric($_POST['cache_interval_value']) && $_POST['cache_interval_value'] > 0 ) 
-		  ? $_POST['cache_interval_value']
-		  : 1;
+	}
+	elseif ( "data" == $_POST['section'] ) {	
+		
+		$current = 'tools';
+		
+		if ( isset( $_POST['wpp-admin-token'] ) && wp_verify_nonce( $_POST['wpp-admin-token'], 'wpp-update-data-options' ) ) {
 		
-		$this->user_settings['tools']['sampling']['active'] = $_POST['sampling'];			
-		$this->user_settings['tools']['sampling']['rate'] = ( isset($_POST['sample_rate']) && is_numeric($_POST['sample_rate']) && $_POST['sample_rate'] > 0 ) 
-		  ? $_POST['sample_rate']
-		  : 100;
+			$this->user_settings['tools']['log']['level'] = $_POST['log_option'];
+			$this->user_settings['tools']['log']['limit'] = $_POST['log_limit'];
+			$this->user_settings['tools']['log']['expires_after'] = ( $this->__is_numeric($_POST['log_expire_time']) && $_POST['log_expire_time'] > 0 ) 
+			  ? $_POST['log_expire_time'] 
+			  : $this->default_user_settings['tools']['log']['expires_after'];
+			$this->user_settings['tools']['ajax'] = $_POST['ajax'];
+			
+			// if any of the caching settings was updated, destroy all transients created by the plugin
+			if ( $this->user_settings['tools']['cache']['active'] != $_POST['cache'] || $this->user_settings['tools']['cache']['interval']['time'] != $_POST['cache_interval_time'] || $this->user_settings['tools']['cache']['interval']['value'] != $_POST['cache_interval_value'] ) {
+				$this->__flush_transients();
+			}
+			
+			$this->user_settings['tools']['cache']['active'] = $_POST['cache'];			
+			$this->user_settings['tools']['cache']['interval']['time'] = $_POST['cache_interval_time'];
+			$this->user_settings['tools']['cache']['interval']['value'] = ( isset($_POST['cache_interval_value']) && is_numeric($_POST['cache_interval_value']) && $_POST['cache_interval_value'] > 0 ) 
+			  ? $_POST['cache_interval_value']
+			  : 1;
+			
+			$this->user_settings['tools']['sampling']['active'] = $_POST['sampling'];			
+			$this->user_settings['tools']['sampling']['rate'] = ( isset($_POST['sample_rate']) && is_numeric($_POST['sample_rate']) && $_POST['sample_rate'] > 0 ) 
+			  ? $_POST['sample_rate']
+			  : 100;
+			
+			update_site_option('wpp_settings_config', $this->user_settings);
+			echo "<div class=\"updated\"><p><strong>" . __('Settings saved.', $this->plugin_slug ) . "</strong></p></div>";
 		
-		update_site_option('wpp_settings_config', $this->user_settings);
-		echo "<div class=\"updated\"><p><strong>" . __('Settings saved.', $this->plugin_slug ) . "</strong></p></div>";		
+		}
 	}
 		
 }
@@ -172,13 +194,15 @@ if (empty($wpp_rand)) {
                         <option <?php if ($this->user_settings['stats']['order_by'] == "views") {?>selected="selected"<?php } ?> value="views"><?php _e("Order by views", $this->plugin_slug); ?></option>
                         <option <?php if ($this->user_settings['stats']['order_by'] == "avg") {?>selected="selected"<?php } ?> value="avg"><?php _e("Order by avg. daily views", $this->plugin_slug); ?></option>
                     </select>
-                    <label for="stats_type"><?php _e("Post type", $this->plugin_slug); ?>:</label> <input type="text" name="stats_type" value="<?php echo $this->user_settings['stats']['post_type']; ?>" size="15" />
+                    <label for="stats_type"><?php _e("Post type", $this->plugin_slug); ?>:</label> <input type="text" name="stats_type" value="<?php echo esc_attr( $this->user_settings['stats']['post_type'] ); ?>" size="15" />
                     <label for="stats_limits"><?php _e("Limit", $this->plugin_slug); ?>:</label> <input type="text" name="stats_limit" value="<?php echo $this->user_settings['stats']['limit']; ?>" size="5" />
                     <input type="hidden" name="section" value="stats" />
                     <input type="submit" class="button-secondary action" value="<?php _e("Apply", $this->plugin_slug); ?>" name="" />
                     
                     <div class="clear"></div>
                     <label for="stats_freshness"><input type="checkbox" class="checkbox" <?php echo ($this->user_settings['stats']['freshness']) ? 'checked="checked"' : ''; ?> id="stats_freshness" name="stats_freshness" /> <?php _e('Display only posts published within the selected Time Range', $this->plugin_slug); ?></label>
+                    
+                    <?php wp_nonce_field( 'wpp-update-stats-options', 'wpp-admin-token' ); ?>
                 </form>
             </div>
         </div>
@@ -231,6 +255,7 @@ if (empty($wpp_rand)) {
                             <select name="thumb_source" id="thumb_source">
                                 <option <?php if ($this->user_settings['tools']['thumbnail']['source'] == "featured") {?>selected="selected"<?php } ?> value="featured"><?php _e("Featured image", $this->plugin_slug); ?></option>
                                 <option <?php if ($this->user_settings['tools']['thumbnail']['source'] == "first_image") {?>selected="selected"<?php } ?> value="first_image"><?php _e("First image on post", $this->plugin_slug); ?></option>
+                                <option <?php if ($this->user_settings['tools']['thumbnail']['source'] == "first_attachment") {?>selected="selected"<?php } ?> value="first_attachment"><?php _e("First attachment", $this->plugin_slug); ?></option>
                                 <option <?php if ($this->user_settings['tools']['thumbnail']['source'] == "custom_field") {?>selected="selected"<?php } ?> value="custom_field"><?php _e("Custom field", $this->plugin_slug); ?></option>
                             </select>
                             <br />
@@ -240,7 +265,7 @@ if (empty($wpp_rand)) {
                     <tr valign="top" <?php if ($this->user_settings['tools']['thumbnail']['source'] != "custom_field") {?>style="display:none;"<?php } ?> id="row_custom_field">
                         <th scope="row"><label for="thumb_field"><?php _e("Custom field name", $this->plugin_slug); ?>:</label></th>
                         <td>
-                            <input type="text" id="thumb_field" name="thumb_field" value="<?php echo $this->user_settings['tools']['thumbnail']['field']; ?>" size="10" <?php if ($this->user_settings['tools']['thumbnail']['source'] != "custom_field") {?>style="display:none;"<?php } ?> />
+                            <input type="text" id="thumb_field" name="thumb_field" value="<?php echo esc_attr( $this->user_settings['tools']['thumbnail']['field'] ); ?>" size="10" <?php if ($this->user_settings['tools']['thumbnail']['source'] != "custom_field") {?>style="display:none;"<?php } ?> />
                         </td>
                     </tr>
                     <tr valign="top" <?php if ($this->user_settings['tools']['thumbnail']['source'] != "custom_field") {?>style="display:none;"<?php } ?> id="row_custom_field_resize">
@@ -285,6 +310,8 @@ if (empty($wpp_rand)) {
                     </tr>
                 </tbody>
             </table>
+            
+            <?php wp_nonce_field( 'wpp-update-thumbnail-options', 'wpp-admin-token' ); ?>
         </form>
         <br />
         <p style="display:block; float:none; clear:both">&nbsp;</p>
@@ -312,7 +339,7 @@ if (empty($wpp_rand)) {
                                 <option <?php if ($this->user_settings['tools']['log']['limit'] == 1) {?>selected="selected"<?php } ?> value="1"><?php _e("Keep data for", $this->plugin_slug); ?></option>
                             </select>
                             
-                            <label for="log_expire_time"<?php echo ($this->user_settings['tools']['log']['limit'] == 0) ? ' style="display:none;"' : ''; ?>><input type="text" id="log_expire_time" name="log_expire_time" value="<?php echo $this->user_settings['tools']['log']['expires_after']; ?>" size="3" /> <?php _e("day(s)", $this->plugin_slug); ?></label>
+                            <label for="log_expire_time"<?php echo ($this->user_settings['tools']['log']['limit'] == 0) ? ' style="display:none;"' : ''; ?>><input type="text" id="log_expire_time" name="log_expire_time" value="<?php echo esc_attr( $this->user_settings['tools']['log']['expires_after'] ); ?>" size="3" /> <?php _e("day(s)", $this->plugin_slug); ?></label>
                             
                             <p class="description"<?php echo ($this->user_settings['tools']['log']['limit'] == 0) ? ' style="display:none;"' : ''; ?>><?php _e("Data from entries that haven't been viewed within the specified time frame will be automatically discarded", $this->plugin_slug); ?>.</p>
                             
@@ -387,6 +414,8 @@ if (empty($wpp_rand)) {
                     </tr>
                 </tbody>
             </table>
+            
+            <?php wp_nonce_field( 'wpp-update-data-options', 'wpp-admin-token' ); ?>
         </form>
         <br />
         <p style="display:block; float:none; clear:both">&nbsp;</p>
@@ -424,6 +453,8 @@ if (empty($wpp_rand)) {
                     </tr>
                 </tbody>
             </table>
+            
+            <?php wp_nonce_field( 'wpp-update-misc-options', 'wpp-admin-token' ); ?>
         </form>
         <br />
         <p style="display:block; float:none; clear:both">&nbsp;</p>
@@ -703,12 +734,9 @@ if (empty($wpp_rand)) {
         <p><?php _e( 'This version includes the following changes', $this->plugin_slug ); ?>:</p>
         
         <ul>
-            <li>Fixes warning message: 'stream does not support seeking in...'</li>
-			<li>Removes excerpt HTML encoding.</li>
-			<li>Passes widget ID to the instance variable for customization.</li>
-			<li>Adds CSS class current.</li>
-			<li>Documentation cleanup.</li>
-			<li>Other minor bug fixes / improvements.</li>
+            <li>Fixes potential XSS exploit in WPP's admin dashboard.</li>
+            <li>Adds filter to set which post types should be tracked by WPP (details).</li>
+			<li>Adds ability to select first attached image as thumbnail source (thanks, <a href="https://github.com/serglopatin">@serglopatin</a>!)</li>
         </ul>
                 
     </div>

wp-content/plugins/wordpress-popular-posts/wordpress-popular-posts.php

@@ -3,7 +3,7 @@
 Plugin Name: WordPress Popular Posts
 Plugin URI: http://wordpress.org/extend/plugins/wordpress-popular-posts
 Description: WordPress Popular Posts is a highly customizable widget that displays the most popular posts on your blog
-Version: 3.3.2
+Version: 3.3.3
 Author: Hector Cabrera
 Author URI: http://cabrerahector.com
 Author Email: hcabrerab@gmail.com
@@ -61,7 +61,7 @@ if ( !class_exists('WordpressPopularPosts') ) {
 		 * @since	1.3.0
 		 * @var		string
 		 */
-		private $version = '3.3.2';
+		private $version = '3.3.3';
 
 		/**
 		 * Plugin identifier.
@@ -2525,6 +2525,21 @@ if ( !class_exists('WordpressPopularPosts') ) {
 				}
 
 			}
+			// get thumbnail path from first image attachment
+			elseif ($source == "first_attachment") {
+
+				$post_attachments = get_children(
+							array( 'numberposts' => 1,
+								'order' => 'ASC',
+								'post_parent' => $id,
+								'post_type' => 'attachment',
+								'post_mime_type' => 'image'
+								));
+				if ( !empty($post_attachments) ) {
+					$first_img = array_shift( $post_attachments );
+					return get_attached_file($first_img->ID);
+				}
+			}
 			// get thumbnail path from post content
 			elseif ($source == "first_image") {
 
@@ -3094,7 +3109,16 @@ if ( !class_exists('WordpressPopularPosts') ) {
 		 * @since	3.1.2
 		 */
 		public function is_single() {
-			if ( (is_single() || is_page()) && !is_front_page() && !is_preview() && !is_trackback() && !is_feed() && !is_robots() ) {
+			$trackable = array();
+			$registered_post_types = get_post_types( array('public' => true), 'names' );
+			
+			foreach ( $registered_post_types as $post_type ) {
+				$trackable[] = $post_type;
+			}
+			
+			$trackable = apply_filters( 'wpp_trackable_post_types', $trackable );
+			
+			if ( is_singular($trackable) && !is_front_page() && !is_preview() && !is_trackback() && !is_feed() && !is_robots() ) {
 				global $post;				
 				$this->current_post_id = ( is_object($post) ) ? $post->ID : 0;
 			} else {