Fixes a CSRF vulnerability / [CVE-2023-27444](https://www.cve.org/CVE…

…Record?id=CVE-2023-27444) discovered by [Mika](https://patchstack.com/database/researcher/5ade6efe-f495-4836-906d-3de30c24edad) from [Patchstack](https://patchstack.com)

CHANGELOG.md

@@ -3,6 +3,11 @@ All notable changes to **DecaLog** are documented in this *changelog*.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and **DecaLog** adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.7.1] - 2023-03-02
+
+### Fixed
+- [SEC003] CSRF vulnerability / [CVE-2023-27444](https://www.cve.org/CVERecord?id=CVE-2023-27444) (thanks to [Mika](https://patchstack.com/database/researcher/5ade6efe-f495-4836-906d-3de30c24edad) from [Patchstack](https://patchstack.com)).
+
 ## [3.7.0] - 2023-02-24
 
 The developments of PerfOps One suite, of which this plugin is a part, is now sponsored by [Hosterra](https://hosterra.eu).

admin/class-decalog-admin.php

@@ -653,7 +653,7 @@ public function get_settings_page() {
 							}
 							break;
 						case 'install-podd':
-							if ( class_exists( 'PerfOpsOne\Installer' ) ) {
+							if ( class_exists( 'PerfOpsOne\Installer' ) && $nonce && wp_verify_nonce( $nonce, $action ) ) {
 								$result = \PerfOpsOne\Installer::do( 'device-detector', true );
 								if ( '' === $result ) {
 									add_settings_error( 'decalog_no_error', '', esc_html__( 'Plugin successfully installed and activated with default settings.', 'decalog' ), 'info' );
@@ -663,7 +663,7 @@ public function get_settings_page() {
 							}
 							break;
 						case 'install-iplocator':
-							if ( class_exists( 'PerfOpsOne\Installer' ) ) {
+							if ( class_exists( 'PerfOpsOne\Installer' ) && $nonce && wp_verify_nonce( $nonce, $action ) ) {
 								$result = \PerfOpsOne\Installer::do( 'ip-locator', true );
 								if ( '' === $result ) {
 									add_settings_error( 'decalog_no_error', '', esc_html__( 'Plugin successfully installed and activated with default settings.', 'decalog' ), 'info' );
@@ -1181,7 +1181,7 @@ public function plugin_options_section_callback() {
 			$help  = '<img style="width:16px;vertical-align:text-bottom;" src="' . \Feather\Icons::get_base64( 'alert-triangle', 'none', '#FF8C00' ) . '" />&nbsp;';
 			$help .= sprintf( esc_html__('Your site does not use any device detection mechanism. To handle user-agents and callers reporting in DecaLog, I recommend you to install the excellent (and free) %s. But it is not mandatory.', 'decalog' ), '<a href="https://wordpress.org/plugins/device-detector/">Device Detector</a>' );
 			if ( class_exists( 'PerfOpsOne\Installer' ) && ! Environment::is_wordpress_multisite() ) {
-				$help .= '<br/><a href="' . esc_url( admin_url( 'admin.php?page=decalog-settings&tab=misc&action=install-podd' ) ) . '" class="poo-button-install"><img style="width:16px;vertical-align:text-bottom;" src="' . \Feather\Icons::get_base64( 'download-cloud', 'none', '#FFFFFF', 3 ) . '" />&nbsp;&nbsp;' . esc_html__('Install It Now', 'decalog' ) . '</a>';
+				$help .= '<br/><a href="' . wp_nonce_url( admin_url( 'admin.php?page=decalog-settings&tab=misc&action=install-podd' ), 'install-podd', 'nonce' ) . '" class="poo-button-install"><img style="width:16px;vertical-align:text-bottom;" src="' . \Feather\Icons::get_base64( 'download-cloud', 'none', '#FFFFFF', 3 ) . '" />&nbsp;&nbsp;' . esc_html__('Install It Now', 'decalog' ) . '</a>';
 			}
 		}
 		add_settings_field(
@@ -1203,7 +1203,7 @@ public function plugin_options_section_callback() {
 			$help  = '<img style="width:16px;vertical-align:text-bottom;" src="' . \Feather\Icons::get_base64( 'alert-triangle', 'none', '#FF8C00' ) . '" />&nbsp;';
 			$help .= sprintf( esc_html__('Your site does not use any IP geographic information plugin. To display callers geographical details in DecaLog, I recommend you to install the excellent (and free) %s. But it is not mandatory.', 'decalog' ), '<a href="https://wordpress.org/plugins/ip-locator/">IP Locator</a>' );
 			if ( class_exists( 'PerfOpsOne\Installer' ) && ! Environment::is_wordpress_multisite() ) {
-				$help .= '<br/><a href="' . esc_url( admin_url( 'admin.php?page=decalog-settings&tab=misc&action=install-iplocator' ) ) . '" class="poo-button-install"><img style="width:16px;vertical-align:text-bottom;" src="' . \Feather\Icons::get_base64( 'download-cloud', 'none', '#FFFFFF', 3 ) . '" />&nbsp;&nbsp;' . esc_html__('Install It Now', 'decalog' ) . '</a>';
+				$help .= '<br/><a href="' . wp_nonce_url( admin_url( 'admin.php?page=decalog-settings&tab=misc&action=install-iplocator' ), 'install-iplocator', 'nonce' ) . '" class="poo-button-install"><img style="width:16px;vertical-align:text-bottom;" src="' . \Feather\Icons::get_base64( 'download-cloud', 'none', '#FFFFFF', 3 ) . '" />&nbsp;&nbsp;' . esc_html__('Install It Now', 'decalog' ) . '</a>';
 			}
 		}
 		add_settings_field(

decalog.php

@@ -10,7 +10,7 @@
  * Plugin Name:       DecaLog
  * Plugin URI:        https://perfops.one/decalog
  * Description:       Capture and log events, metrics and traces on your site. Make WordPress observable – finally!
- * Version:           3.7.0
+ * Version:           3.7.1
  * Requires at least: 5.2
  * Requires PHP:      7.2
  * Author:            Pierre Lannoy / PerfOps One

init.php

@@ -12,7 +12,7 @@
 define( 'DECALOG_PRODUCT_SHORTNAME', 'DecaLog' );
 define( 'DECALOG_PRODUCT_ABBREVIATION', 'decalog' );
 define( 'DECALOG_SLUG', 'decalog' );
-define( 'DECALOG_VERSION', '3.7.0' );
+define( 'DECALOG_VERSION', '3.7.1' );
 define( 'DECALOG_API_VERSION', '3' );
 define( 'DECALOG_MONOLOG_VERSION', '2.9.1' );
 define( 'DECALOG_CODENAME', '"-"' );

readme.txt

@@ -4,7 +4,7 @@ Tags: logs, error reporting, monitoring, tracing, logging
 Requires at least: 5.2
 Requires PHP: 7.2
 Tested up to: 6.2
-Stable tag: 3.7.0
+Stable tag: 3.7.1
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html