Merge pull request #497 from Codeinwp/bugfix/pro/605

Fixed broken access control vulnerability

Author: vytisbulkevicius

classes/plugin.class.php

@@ -927,7 +927,19 @@ public static function ppom_install_demo_meta() {
 
 	function ppom_attach_meta() {
 
-		$product_id = isset( $_GET['productid'] ) ? intval( $_GET['productid'] ) : '';
+		$product_id  = isset( $_GET['productid'] ) ? intval( $_GET['productid'] ) : '';
+		$product_url = get_permalink( $product_id );
+
+		if ( ! isset( $_GET['nonce'] ) || empty( $_GET['nonce'] ) || ! wp_verify_nonce( $_GET['nonce'], 'ppom_attach' ) ) {
+			wp_redirect( $product_url );
+			exit;
+		}
+
+		if ( ! current_user_can( 'edit_post', $product_id ) ) {
+			wp_redirect( $product_url );
+			exit;
+		}
+											
 		$meta_id    = isset( $_GET['metaid'] ) ? intval( $_GET['metaid'] ) : '';
 		$meta_title = isset( $_GET['metatitle'] ) ? sanitize_title( $_GET['metatitle'] ) : '';
 

inc/admin.php

@@ -808,6 +808,7 @@ function ppom_admin_bar_menu() {
 			'metaid'    => $meta->productmeta_id,
 			'metatitle' => $meta->productmeta_name,
 			'action'    => 'ppom_attach',
+			'nonce'     => wp_create_nonce( 'ppom_attach' ),
 		);
 		$apply_link = add_query_arg( $apply_arg, $apply_link );
 		$bar_title  = "Apply {$meta->productmeta_name}";