CVE-2025-58806 #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

joshedney merged 4 commits into master from je/plat-14879-cve-2025-58806

Sep 15, 2025

CHANGELOG.md

-Original file line number
+Diff line change
@@ -1,6 +1,10 @@
     Changelog
     =========
+    ## v1.6.4 (2025-09-15)
+    * Patch CVE-2025-58806 [#66](https://github.com/bugsnag/bugsnag-wordpress/pull/66)
     ## v1.6.3 (2023-07-13)
     * Fix PHP 8.2 deprecation notice
@@ Expand Down @@

bugsnag.php

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -3,7 +3,7 @@
  
    Plugin Name: Bugsnag Error Monitoring

    Plugin URI: https://bugsnag.com

    Description: Bugsnag monitors for errors and crashes on your wordpress site, sends them to your bugsnag.com dashboard, and notifies you by email of each error.

    Version: 1.6.3

    Version: 1.6.4

    Author: Bugsnag Inc.

    Author URI: https://bugsnag.com

    License: GPLv2 or later

    @@ -17,7 +17,7 @@ class Bugsnag_Wordpress
  
        private static $NOTIFIER = array(

            'name' => 'Bugsnag Wordpress (Official)',

            'version' => '1.6.3',

            'version' => '1.6.4',

            'url' => 'https://github.com/bugsnag/bugsnag-wordpress',

        );

    @@ -280,6 +280,11 @@ public function pluginActionLinksFilter($links, $file)
  
        public function testBugsnag()

        {

            // Verify nonce for CSRF protection

            if (!wp_verify_nonce($_POST['_wpnonce'], 'test_bugsnag_nonce')) {

                wp_die('Security check failed.');

            }

            $this->apiKey = $_POST['bugsnag_api_key'];

            $this->notifySeverities = $_POST['bugsnag_notify_severities'];

            $this->filterFields = $_POST['bugsnag_filterfields'];

    @@ -301,6 +306,10 @@ public function testBugsnag()
  
        public function renderSettings()

        {

            if (!empty($_POST['action']) && $_POST['action'] == 'update') {

                // Verify nonce for CSRF protection

                if (!wp_verify_nonce($_POST['_wpnonce'], 'update-options')) {

                    wp_die('Security check failed. Please try again.');

                }

                $this->updateNetworkSettings($_POST);

            }

readme.txt

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -2,8 +2,8 @@
  
    Contributors: loopj

    Tags: bugsnag, error, monitoring, exception, logging

    Requires at least: 2.0

    Tested up to: 6.3

    Stable tag: 1.6.3

    Tested up to: 6.8.2

    Stable tag: 1.6.4

    License: GPLv2 or later

    Bugsnag is a WordPress plugin that automatically detects errors & crashes on your WordPress site, and notifies you by email, chat or issues system

    @@ -38,6 +38,9 @@ To manually install Bugsnag:
  
    == Changelog ==

    = 1.6.4 =

    * Patch CVE-2025-58806

    = 1.6.3 =

    * Fix PHP 8.2 deprecation notice

views/settings.php

-Original file line number
+Diff line change
@@ Expand Up / @@ -108,7 +108,8 @@ @@
                 action: 'test_bugsnag',
                 bugsnag_api_key: $('#bugsnag_api_key').val(),
                 bugsnag_notify_severities: $('#bugsnag_notify_severities').val(),
-                bugsnag_filterfields: $('#bugsnag_filterfields').val()
+                bugsnag_filterfields: $('#bugsnag_filterfields').val(),
+                _wpnonce: '<?php echo wp_create_nonce('test_bugsnag_nonce'); ?>'
             };
             // since 2.8 ajaxurl is always defined in the admin header and points to admin-ajax.php
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2025-58806 #66

Uh oh!

Diff view

Diff view

There are no files selected for viewing