File: //wordpress/mu-plugins/atomic-platform-virtual-patches.php
<?php
/**
* This mu-plugin contains Virtual Patches for the Atomic platform.
*
* The file's source of truth is the wpcloud-virtual-patches repository.
*
* @author Bastion Team
*/
// Protection from accidental double loading.
//
// phpcs:disable Generic.CodeAnalysis.RequireExplicitBooleanOperatorPrecedence.MissingParentheses
// phpcs:disable WordPress.PHP.YodaConditions.NotYoda
// phpcs:disable WordPress.PHP.DevelopmentFunctions.error_log_print_r
// phpcs:disable WordPress.PHP.DevelopmentFunctions.error_log_error_log
// phpcs:disable WordPress.PHP.DevelopmentFunctions.error_log_debug_backtrace
if ( ! class_exists( 'Atomic_Platform_Virtual_Patches' ) ) {
class Atomic_Platform_Virtual_Patches {
/**
* Adds a log entry with the vuln UUID as the file (to be able to filter by it) and -403 as
* line number to filter those logs in Logstach
*/
public static function add_log( string $vuln_uuid, string $message = 'Blocked by vPatch', mixed $data = null ) {
if ( defined( 'ENABLE_VPATCH_LOGGING' ) && ENABLE_VPATCH_LOGGING === true ) {
if ( ! is_null( $data ) ) {
$message .= ': ' . print_r( $data, true );
}
error_log( "{$message} in {$vuln_uuid} on line -403" );
}
}
/**
* Determine the code triggering the generic vPatch by checking the stacktrace
*/
public static function determine_caller() {
$trace = debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS );
$exclude_functions = [ 'apply_filters', 'determine_caller', 'add_exploratory_log' ];
foreach ( $trace as $caller ) {
if ( in_array( $caller['function'], $exclude_functions, true ) ) {
continue;
}
// TODO: better check here, to avoid skipping files in /<slug>/**wp-includes/** (quite rare but could happen)
if ( str_contains( $caller['file'], '/wp-includes/' ) || str_contains( $caller['file'], '/wp-admin/includes/' ) ) {
continue;
}
return $caller;
}
return $trace[0];
}
/**
* Adds an exploratory log entry and -418 as line number to filter those logs in Logstach
*/
public static function add_exploratory_log( $message, $data = null ) {
if ( defined( 'ENABLE_VPATCH_LOGGING' ) && ENABLE_VPATCH_LOGGING === true ) {
$caller = self::determine_caller();
if ( is_null( $data ) ) {
$data = [
'get' => $_GET,
'post' => $_POST,
'raw' => file_get_contents( 'php://input' ),
'files' => $_FILES,
'referer' => $_SERVER['HTTP_REFERER'] ?? 'n/a',
'uri' => $_SERVER['REQUEST_URI'],
'backtrace' => debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS, 15 ),
];
}
$message .= ': ' . print_r( $data, true );
error_log( "{$message} in {$caller['file']}:{$caller['line']} on line -418" );
}
}
/**
* Checks if the backtrace contains a caller with the $func and $file provided
*/
public static function backtrace_includes( $func, $file, $backtrace = null ) {
if ( is_null( $backtrace ) ) {
$backtrace = debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS );
}
foreach ( $backtrace as $caller ) {
if ( $caller['function'] === $func && str_ends_with( $caller['file'], $file ) ) {
return true;
}
}
return false;
}
/**
* Adds an exploratory error log entry and -4181 as line number to filter those logs in Logstach
* Those logs will contain exceptions raised by generic patches for us to investigate and fix
*/
public static function add_exploratory_error_log( $exception ) {
if ( defined( 'ENABLE_VPATCH_LOGGING' ) && ENABLE_VPATCH_LOGGING === true ) {
error_log( "{$exception} in {$exception->getFile()}:{$exception->getLine()} on line -4181" );
}
}
public static function request_has_user_input() {
if ( empty( $_GET ) && empty( $_POST ) && empty( $_SERVER['CONTENT_LENGTH'] ) && empty( $_SERVER['HTTP_TRANSFER_ENCODING'] ) ) {
return false;
}
return true;
}
public static function onelogin_saml_response_is_verified( $b64_response, $idp_cert_text ) {
$raw = base64_decode( (string) $b64_response, true );
if ( false === $raw || '' === $raw ) {
return false;
}
$cert = trim( (string) $idp_cert_text );
if ( '' === $cert ) {
return false;
}
if ( false === strpos( $cert, '-----BEGIN' ) ) {
$cert = "-----BEGIN CERTIFICATE-----\n" . chunk_split( preg_replace( '/\s+/', '', $cert ), 64, "\n" ) . "-----END CERTIFICATE-----\n";
}
$pubkey = @openssl_pkey_get_public( $cert );
if ( ! $pubkey ) {
return false;
}
$sig_algos = array(
'http://www.w3.org/2000/09/xmldsig#rsa-sha1' => OPENSSL_ALGO_SHA1,
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => OPENSSL_ALGO_SHA256,
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' => OPENSSL_ALGO_SHA384,
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' => OPENSSL_ALGO_SHA512,
);
$digest_algos = array(
'http://www.w3.org/2000/09/xmldsig#sha1' => 'sha1',
'http://www.w3.org/2001/04/xmlenc#sha256' => 'sha256',
'http://www.w3.org/2001/04/xmldsig-more#sha384' => 'sha384',
'http://www.w3.org/2001/04/xmlenc#sha512' => 'sha512',
);
$is_exclusive = static function ( $algo ) {
return false !== strpos( (string) $algo, 'xml-exc-c14n' );
};
$prefix_list = static function ( $context, $xp ) {
$nodes = $xp->query( './/*[local-name()="InclusiveNamespaces"]/@PrefixList', $context );
if ( $nodes && $nodes->length ) {
$pfx = array_values( array_filter( explode( ' ', $nodes->item( 0 )->nodeValue ) ) );
return $pfx ? $pfx : null;
}
return null;
};
$doc = new DOMDocument();
$prev = libxml_use_internal_errors( true );
$ok = $doc->loadXML( $raw, LIBXML_NONET | LIBXML_NOENT );
libxml_use_internal_errors( $prev );
if ( ! $ok || ! $doc->documentElement ) {
return false;
}
$xp = new DOMXPath( $doc );
$xp->registerNamespace( 'ds', 'http://www.w3.org/2000/09/xmldsig#' );
$xp->registerNamespace( 'saml', 'urn:oasis:names:tc:SAML:2.0:assertion' );
$sigs = $xp->query( '//ds:Signature' );
if ( ! $sigs || 0 === $sigs->length ) {
return false;
}
$signed_nodes = array();
foreach ( $sigs as $sig ) {
$si_nodes = $xp->query( './ds:SignedInfo', $sig );
if ( ! $si_nodes->length ) {
return false;
}
$si = $si_nodes->item( 0 );
$cm_nodes = $xp->query( './ds:CanonicalizationMethod/@Algorithm', $si );
$cm = $cm_nodes->length ? $cm_nodes->item( 0 )->nodeValue : '';
$si_c14n = $si->C14N( $is_exclusive( $cm ), false, null, $prefix_list( $si, $xp ) );
$sm_nodes = $xp->query( './ds:SignatureMethod/@Algorithm', $si );
$sm = $sm_nodes->length ? $sm_nodes->item( 0 )->nodeValue : '';
if ( ! isset( $sig_algos[ $sm ] ) ) {
return false;
}
$sv_nodes = $xp->query( './ds:SignatureValue', $sig );
if ( ! $sv_nodes->length ) {
return false;
}
$sigval = base64_decode( preg_replace( '/\s+/', '', $sv_nodes->item( 0 )->textContent ), true );
if ( false === $sigval ) {
return false;
}
if ( 1 !== openssl_verify( $si_c14n, $sigval, $pubkey, $sig_algos[ $sm ] ) ) {
return false;
}
$refs = $xp->query( './ds:SignedInfo/ds:Reference', $sig );
if ( ! $refs->length ) {
return false;
}
foreach ( $refs as $ref ) {
$uri = $ref->getAttribute( 'URI' );
if ( '' === $uri || '#' !== $uri[0] ) {
return false;
}
$id = substr( $uri, 1 );
$target = null;
foreach ( array( 'ID', 'Id', 'id' ) as $id_attr ) {
$found = $xp->query( '//*[@' . $id_attr . '="' . $id . '"]' );
if ( $found->length ) {
$target = $found->item( 0 );
break;
}
}
if ( null === $target ) {
return false;
}
$tmp = new DOMDocument();
$imported = $tmp->importNode( $target->cloneNode( true ), true );
$tmp->appendChild( $imported );
$txp = new DOMXPath( $tmp );
$txp->registerNamespace( 'ds', 'http://www.w3.org/2000/09/xmldsig#' );
foreach ( iterator_to_array( $txp->query( '//ds:Signature' ) ) as $inner_sig ) {
$inner_sig->parentNode->removeChild( $inner_sig );
}
$excl = false;
$t_algos = $xp->query( './ds:Transforms/ds:Transform/@Algorithm', $ref );
foreach ( $t_algos as $ta ) {
if ( $is_exclusive( $ta->nodeValue ) ) {
$excl = true;
}
}
$c14n = $imported->C14N( $excl, false, null, $prefix_list( $ref, $xp ) );
$dm_nodes = $xp->query( './ds:DigestMethod/@Algorithm', $ref );
$dm = $dm_nodes->length ? $dm_nodes->item( 0 )->nodeValue : '';
if ( ! isset( $digest_algos[ $dm ] ) ) {
return false;
}
$dv_nodes = $xp->query( './ds:DigestValue', $ref );
if ( ! $dv_nodes->length ) {
return false;
}
$expected = base64_decode( preg_replace( '/\s+/', '', $dv_nodes->item( 0 )->textContent ), true );
$actual = hash( $digest_algos[ $dm ], $c14n, true );
if ( ! hash_equals( (string) $expected, (string) $actual ) ) {
return false;
}
$signed_nodes[] = $target;
}
}
$assertions = $xp->query( '//saml:Assertion | //saml:EncryptedAssertion' );
if ( ! $assertions->length ) {
return false;
}
foreach ( $assertions as $assertion ) {
$covered = false;
foreach ( $signed_nodes as $signed_node ) {
$ancestor = $assertion;
while ( null !== $ancestor ) {
if ( $signed_node->isSameNode( $ancestor ) ) {
$covered = true;
break;
}
$ancestor = $ancestor->parentNode;
}
if ( $covered ) {
break;
}
}
if ( ! $covered ) {
return false;
}
}
return true;
}
public function __construct() {
if ( ! defined( 'ENABLE_VPATCH_LOGGING' ) ) {
define( 'ENABLE_VPATCH_LOGGING', true );
}
self::register_generic_vpatch();
// https://wpscan.com/vulnerability/cbde48bb-5aa4-4f69-8101-095132239923/
add_action(
'woocommerce_api_paymob_callback',
function () {
if ( ! defined( 'PAYMOB_VERSION' ) ) {
return;
}
if ( ( $_SERVER['REQUEST_METHOD'] ?? '' ) !== 'POST' ) {
return;
}
$raw = file_get_contents( 'php://input' );
if ( ! is_string( $raw ) || '' === $raw ) {
return;
}
$json = json_decode( $raw, true );
if ( ! is_array( $json ) ) {
return;
}
$candidates = array(
$json['obj']['order']['merchant_order_id'] ?? null,
$json['intention']['extras']['creation_extras']['merchant_intention_id'] ?? null,
);
foreach ( $candidates as $value ) {
if ( is_string( $value ) && ( strpos( $value, "'" ) !== false || strpos( $value, '\\' ) !== false ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'cbde48bb-5aa4-4f69-8101-095132239923', 'SQLi (paymob callback pixel lookup)', $value );
wp_die( 'Access denied.', 403 );
}
}
},
1
);
// https://wpscan.com/vulnerability/6dea8543-72e8-4524-8071-70ed17dc66bf/
if ( isset( $_FILES['wcj_add_new_product_image']['name'] ) ) {
add_action(
'init',
function () {
if ( ! class_exists( 'WC_Jetpack', false ) ) {
return;
}
$booster = WC_Jetpack::instance();
if ( ! is_object( $booster ) || empty( $booster->version ) || version_compare( $booster->version, '8.0.2', '>=' ) ) {
return;
}
$allowed_extensions = array( 'jpg', 'jpeg', 'jpe', 'gif', 'png', 'webp', 'heic', 'heif' );
$names = (array) $_FILES['wcj_add_new_product_image']['name'];
array_walk_recursive(
$names,
function ( $name ) use ( $allowed_extensions ) {
if ( ! is_string( $name ) || '' === $name ) {
return;
}
$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
if ( ! in_array( $ext, $allowed_extensions, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6dea8543-72e8-4524-8071-70ed17dc66bf', 'Arbitrary File Upload', $name );
wp_die( 'Access denied.', 403 );
}
}
);
},
0
);
}
// https://wpscan.com/vulnerability/6df2d073-f3ee-4d02-be5d-c78b38a786b7/
if ( isset( $_POST['quform_form_id'] ) && ! empty( $_FILES ) ) {
add_action(
'init',
function () {
if ( ! defined( 'QUFORM_VERSION' ) || version_compare( QUFORM_VERSION, '2.23.1', '>=' ) ) {
return;
}
foreach ( $_FILES as $file_data ) {
if ( ! is_array( $file_data ) || ! isset( $file_data['name'] ) ) {
continue;
}
$names = (array) $file_data['name'];
array_walk_recursive(
$names,
function ( $name ) {
if ( ! is_string( $name ) || '' === $name ) {
return;
}
$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6df2d073-f3ee-4d02-be5d-c78b38a786b7', 'Arbitrary File Upload', $name );
wp_die( 'Access denied.', 403 );
}
}
);
}
},
0
);
}
// https://wpscan.com/vulnerability/0b045091-4f30-4630-8f1a-01b71e17660c/
if ( isset( $_POST['pt-paytium-user-data'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'PT_VERSION' ) || version_compare( PT_VERSION, '5.0.3', '>=' ) ) {
return;
}
$raw = $_POST['pt-paytium-user-data'];
if ( ! is_string( $raw ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0b045091-4f30-4630-8f1a-01b71e17660c', 'Privilege Escalation', $raw );
unset( $_POST['pt-paytium-user-data'] );
return;
}
$dangerous_caps = array(
'manage_options',
'edit_users',
'promote_users',
'create_users',
'delete_users',
'remove_users',
'install_plugins',
'activate_plugins',
'edit_plugins',
'install_themes',
'switch_themes',
'edit_themes',
'update_core',
'edit_files',
'unfiltered_html',
'manage_woocommerce',
'edit_others_posts',
'edit_pages',
'manage_network',
);
foreach ( explode( ',', str_replace( ' ', '', $raw ) ) as $slug ) {
if ( '' === $slug ) {
continue;
}
$role = get_role( $slug );
if ( ! $role ) {
continue;
}
foreach ( $dangerous_caps as $cap ) {
if ( ! empty( $role->capabilities[ $cap ] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0b045091-4f30-4630-8f1a-01b71e17660c', 'Privilege Escalation', $raw );
unset( $_POST['pt-paytium-user-data'] );
return;
}
}
}
},
1
);
}
// https://wpscan.com/vulnerability/9c2d9b95-ad00-44a9-98c1-37d25b3f1c1a/
$divi_form_builder_upload_vpatch = function () {
if ( ! defined( 'DE_FB_VERSION' ) || version_compare( DE_FB_VERSION, '5.1.9', '>=' ) ) {
return;
}
if ( empty( $_FILES ) || ! is_array( $_FILES ) ) {
return;
}
$allowed_extensions = array();
foreach ( array_keys( wp_get_mime_types() ) as $ext_group ) {
foreach ( explode( '|', $ext_group ) as $ext ) {
$allowed_extensions[ strtolower( $ext ) ] = true;
}
}
foreach ( $_FILES as $file_data ) {
if ( ! is_array( $file_data ) || ! isset( $file_data['name'] ) ) {
continue;
}
$names = is_array( $file_data['name'] ) ? $file_data['name'] : array( $file_data['name'] );
foreach ( $names as $name ) {
if ( ! is_string( $name ) || '' === $name ) {
continue;
}
$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
$is_dangerous = str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' );
if ( '' === $ext || $is_dangerous || ! isset( $allowed_extensions[ $ext ] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '9c2d9b95-ad00-44a9-98c1-37d25b3f1c1a', 'Arbitrary File Upload', $name );
wp_die( 'Access denied.', 403 );
}
}
}
};
add_action( 'wp_ajax_de_fb_image_upload', $divi_form_builder_upload_vpatch, -1 );
add_action( 'wp_ajax_nopriv_de_fb_image_upload', $divi_form_builder_upload_vpatch, -1 );
// https://wpscan.com/vulnerability/24e5afd6-5463-4c7f-9096-638c27b01949/
if ( isset( $_POST['form_type'] ) && is_scalar( $_POST['form_type'] ) && 'register' === sanitize_text_field( wp_unslash( $_POST['form_type'] ) ) ) {
add_action(
'init',
function () {
if ( ! defined( 'DE_FB_VERSION' ) || version_compare( DE_FB_VERSION, '5.1.9', '>=' ) ) {
return;
}
foreach ( array( 'ID', 'de_fb_ID' ) as $de_fb_id_key ) {
if ( ! isset( $_POST[ $de_fb_id_key ] ) || ! is_scalar( $_POST[ $de_fb_id_key ] ) ) {
continue;
}
$target_user_id = absint( $_POST[ $de_fb_id_key ] );
if ( $target_user_id > 0 && ! current_user_can( 'edit_user', $target_user_id ) ) {
Atomic_Platform_Virtual_Patches::add_log( '24e5afd6-5463-4c7f-9096-638c27b01949', 'IDOR privesc', $_POST );
wp_die( 'Access denied.', 403 );
}
}
},
1
);
}
// https://wpscan.com/vulnerability/d9f1b40f-526a-44ed-a3ec-a3c1ce0f1ece/
add_action(
'init',
function () {
if ( empty( $_POST['SAMLResponse'] ) ) {
return;
}
$saml_script = isset( $_SERVER['SCRIPT_FILENAME'] ) ? (string) $_SERVER['SCRIPT_FILENAME'] : '';
$is_onelogin_acs = ( function_exists( 'saml_acs' ) && defined( 'SAML_NAMEID_SP_NAME_QUALIFIER_COOKIE' ) )
|| false !== strpos( $saml_script, 'onelogin-saml-sso/alternative_acs.php' );
if ( ! $is_onelogin_acs ) {
return;
}
$version_file = WP_PLUGIN_DIR . '/onelogin-saml-sso/version.json';
if ( is_readable( $version_file ) ) {
$version_data = json_decode( (string) file_get_contents( $version_file ), true );
if ( ! empty( $version_data['plugin']['version'] )
&& version_compare( (string) $version_data['plugin']['version'], '3.6.0', '>=' ) ) {
return;
}
}
$idp_cert = get_option( 'onelogin_saml_idp_x509cert' );
if ( empty( $idp_cert ) && is_multisite() ) {
$idp_cert = get_site_option( 'onelogin_saml_idp_x509cert' );
}
if ( Atomic_Platform_Virtual_Patches::onelogin_saml_response_is_verified( wp_unslash( $_POST['SAMLResponse'] ), $idp_cert ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( 'd9f1b40f-526a-44ed-a3ec-a3c1ce0f1ece', 'SAML signature bypass', $_POST['SAMLResponse'] );
wp_die( 'Access denied.', 403 );
},
0
);
// https://wpscan.com/vulnerability/9f40b56c-6162-4d79-9ed8-01c8ed5c2c08/
// https://wpscan.com/vulnerability/2ef5169d-d7ad-4269-8232-c38b39bb13d2/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'WP_USERSWITCH_PATH' ) ) {
return;
}
if ( empty( $_REQUEST['wpus_username'] ) || empty( $_REQUEST['wpus_userid'] ) ) {
return;
}
$switcher = null;
if ( defined( 'WP_USERSWITCH_LOGGED_IN_COOKIE' ) && isset( $_COOKIE[ WP_USERSWITCH_LOGGED_IN_COOKIE ] ) ) {
$switcher_id = wp_validate_auth_cookie( wp_unslash( $_COOKIE[ WP_USERSWITCH_LOGGED_IN_COOKIE ] ), 'logged_in' );
if ( $switcher_id ) {
$switcher = get_userdata( $switcher_id );
}
}
if ( ! $switcher || ! $switcher->exists() ) {
$switcher = wp_get_current_user();
}
if ( $switcher && $switcher->exists() && user_can( $switcher, 'manage_options' ) ) {
return;
}
$target = get_user_by( 'login', sanitize_user( wp_unslash( $_REQUEST['wpus_username'] ) ) );
if ( ! $target ) {
return;
}
$switcher_caps = ( $switcher && $switcher->exists() ) ? array_filter( (array) $switcher->allcaps ) : array();
$target_caps = array_filter( (array) $target->allcaps );
foreach ( $target_caps as $cap => $granted ) {
if ( empty( $switcher_caps[ $cap ] ) ) {
$uuid = defined( 'WP_USERSWITCH_VERSION' ) ? '9f40b56c-6162-4d79-9ed8-01c8ed5c2c08' : '2ef5169d-d7ad-4269-8232-c38b39bb13d2';
Atomic_Platform_Virtual_Patches::add_log( $uuid, 'WP User Switch privilege escalation blocked', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
}
},
9
);
// https://wpscan.com/vulnerability/26d46d58-39a4-41c7-8916-3be724723007/
add_action(
'wp_ajax_wpcaptcha_run_tool',
function () {
if ( ! class_exists( 'WPCaptcha' ) || version_compare( (string) WPCaptcha::$version, '5.39', '>=' ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '26d46d58-39a4-41c7-8916-3be724723007', 'Auth Bypass', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
-1
);
// https://wpscan.com/vulnerability/a2598b87-45aa-4a12-98da-5d73a784ccd5/
add_action(
'wp_ajax_wf_licensing_wpcaptcha_save',
function () {
if ( ! class_exists( 'WPCaptcha' ) || version_compare( (string) WPCaptcha::$version, '5.39', '>=' ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'a2598b87-45aa-4a12-98da-5d73a784ccd5', 'Upload', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
-1
);
// Security: Monkeypatch for Elementor Pro.
add_action(
'wp_ajax_elementor_ajax',
function () {
if ( ! defined( 'ELEMENTOR_PRO_VERSION' ) || version_compare( ELEMENTOR_PRO_VERSION, '3.11.7', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['actions'] ) || is_array( $_REQUEST['actions'] ) ) {
return;
}
// https://wpscan.com/vulnerability/c2a7ac08-460e-4485-a1c6-d2066ee94920/ - Elementor Pro < 2.9.4 - Subscriber+ Arbitrary File Upload
if ( false !== strpos( $_REQUEST['actions'], 'pro_assets_manager_custom_icon_upload' ) ) {
// Icons_Manager::CAPABILITY
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'c2a7ac08-460e-4485-a1c6-d2066ee94920' );
wp_die( 'Access denied', 403 );
}
}
// https://wpscan.com/vulnerability/73e8e030-8e8b-43de-a602-c699ab2eafaf/ - Elementor Pro < 3.11.7 - Subscriber+ Arbitrary Options Update
if ( false !== strpos( $_REQUEST['actions'], 'pro_woocommerce_update_page_option' ) ) {
if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'manage_woocommerce' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '73e8e030-8e8b-43de-a602-c699ab2eafaf' );
wp_die( 'Access denied', 403 );
}
}
},
-1
);
// https://wpscan.com/vulnerability/1a075d62-b5d2-4b58-a74f-73a0166aee12/
if ( isset( $_POST['bbp-forums-role'] ) ) {
add_action(
'init',
function () {
if ( ! is_super_admin() ) {
$_POST['bbp-forums-role'] = function_exists( 'bbp_get_default_role' ) ? bbp_get_default_role() : null;
}
}
);
}
// https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89/
if ( isset( $_POST['tp_user_reg_role'] ) ) {
if ( 'administrator' === $_POST['tp_user_reg_role'] ) {
add_action(
'init',
function () {
Atomic_Platform_Virtual_Patches::add_log( 'c311feef-7041-4c21-9525-132b9bd32f89' );
wp_die( 'Access denied.' );
}
);
}
$_POST['tp_user_reg_role'] = 'subscriber';
}
if ( isset( $_POST['email'] ) ) {
add_action(
'plugins_loaded',
function () {
remove_action( 'wp_ajax_nopriv_theplus_ajax_login', 'theplus_ajax_login', 10 );
},
11
);
}
// https://wpscan.com/vulnerability/909e34d5-710f-49fd-8188-ee0ecd1522ac/
if ( isset( $_POST['_mc4wp_action'] ) && 'unsubscribe' === trim( wp_strip_all_tags( $_POST['_mc4wp_action'] ) ) ) {
add_action(
'init',
function () {
if ( ! defined( 'MC4WP_VERSION' ) || version_compare( MC4WP_VERSION, '4.12.0', '>=' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '909e34d5-710f-49fd-8188-ee0ecd1522ac', 'Blocked unsubscribe action', $_POST['_mc4wp_action'] );
wp_die( 'Denied', 403 );
},
1
);
}
// https://wpscan.com/vulnerability/10528cb2-12a1-43f7-9b7d-d75d18fdf5bb/
// See https://wp.me/pbuNQi-1bO
if ( isset( $_POST['action'] ) && 'iva_bh_ajax_action' === $_POST['action'] ) {
add_action(
'init',
function () {
remove_action( 'wp_ajax_nopriv_iva_bh_ajax_action', 'iva_bh_update_plugin', 10 );
if ( ! current_user_can( 'manage_options' ) ) {
remove_action( 'wp_ajax_iva_bh_ajax_action', 'iva_bh_update_plugin', 10 );
}
}
);
}
// Security: Monkeypatch for kaswara
// See https://wp.me/paWMBk-iA
// See https://nvd.nist.gov/vuln/detail/CVE-2021-24284
if ( isset( $_POST['action'] ) && 'uploadFontIcon' === $_POST['action'] ) {
add_action(
'init',
function () {
remove_action( 'wp_ajax_uploadFontIcon', 'kaswara_uploadfonticon_handler_callback', 10 );
remove_action( 'wp_ajax_nopriv_uploadFontIcon', 'kaswara_uploadfonticon_handler_callback', 10 );
}
);
}
// Security: Monkeypatch for wp_die handler
// See: https://wp.me/p3btAN-1o6
add_filter(
'wp_die_jsonp_handler',
function ( $wp_die_handler ) {
if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
return $wp_die_handler;
}
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
return apply_filters( 'wp_die_xmlrpc_handler', '_xmlrpc_wp_die_handler' );
}
global $wp_query;
if ( wp_is_xml_request()
|| isset( $wp_query ) &&
( function_exists( 'is_feed' ) && is_feed()
|| function_exists( 'is_comment_feed' ) && is_comment_feed()
|| function_exists( 'is_trackback' ) && is_trackback() ) ) {
return apply_filters( 'wp_die_xml_handler', '_xml_wp_die_handler' );
}
return apply_filters( 'wp_die_handler', '_default_wp_die_handler' );
},
99
);
// See: https://wp.me/p3btAN-1ve
// See: https://wp.me/pbfA90-16T (PHP 8.1 compat)
add_filter(
'sanitize_taxonomy_name',
function ( $sanitized, $taxonomy ) {
$str = preg_replace( '/\x00|<[^>]*>?/', '', $sanitized );
return str_replace( [ "'", '"' ], [ ''', '"' ], $str );
},
11,
2
);
// See: https://wp.me/p3btAN-1AQ
add_action(
'init',
function () {
if ( class_exists( 'AIOSEO\Plugin\AIOSEO', false ) ) {
if ( ! defined( 'AIOSEO_VERSION' ) || version_compare( AIOSEO_VERSION, '4.1.5.3', '>=' ) ) {
return;
}
// https://wpscan.com/vulnerability/6de4a7de-6b71-4349-8e52-04c89c5e6d6c/
add_filter(
'rest_request_before_callbacks',
function ( $response, $handler, $request ) {
$route = $request->get_route();
$lowercased = strtolower( $route );
if ( strpos( $lowercased, '/aioseo/v1' ) === 0 && $lowercased !== $route ) {
$request->set_route( $lowercased );
}
return $response;
},
1,
3
);
// https://wpscan.com/vulnerability/4cd2a57b-3e1a-4acf-aecb-201ed9f4ee6d/
add_filter(
'rest_dispatch_request',
function ( $result, $request, $route ) {
$lowercased = strtolower( $route );
if ( strpos( $lowercased, '/aioseo/v1' ) === 0 ) {
switch ( untrailingslashit( $lowercased ) ) {
case '/aioseo/v1/objects':
global $wpdb;
$body = $request->get_json_params();
if ( ! empty( $body['query'] ) && ! empty( $body['type'] ) ) {
$query = $body['query'];
$raw = $wpdb->esc_like( $query );
$escaped = $wpdb->_real_escape( $raw );
if ( $raw !== $escaped ) {
Atomic_Platform_Virtual_Patches::add_log( '4cd2a57b-3e1a-4acf-aecb-201ed9f4ee6d', 'SQLi', $raw );
wp_die( 'Sorry, you are not allowed to do that.', 401 );
}
}
break;
default:
break;
}
}
return $result;
},
1,
3
);
}
}
);
// https://wpscan.com/vulnerability/2f0f1a32-0c7a-48e6-8617-e0b2dcf62727/
// See: https://wp.me/p3btAN-1Bi
add_action(
'init',
function () {
if ( ! defined( 'CAPSMAN_VERSION' ) || version_compare( CAPSMAN_VERSION, '2.3.1', '>=' ) ) {
return;
}
if ( ! empty( $_POST['all_options'] ) && ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '2f0f1a32-0c7a-48e6-8617-e0b2dcf62727', 'Option', $_POST );
die();
}
},
1
);
// https://wpscan.com/vulnerability/e387f08d-7c9c-4e54-9e2f-222def11216c/
// See: https://wp.me/p3btAN-1Bi
if ( isset( $_POST['action'] ) && 'kiwi_social_share_get_option' === $_POST['action'] ) {
add_action(
'init',
function () {
if ( ! current_user_can( 'edit_posts' ) ) {
remove_action( 'wp_ajax_kiwi_social_share_get_option', 'kiwi_social_share_get_option', 10 );
remove_action( 'wp_ajax_nopriv_kiwi_social_share_get_option', 'kiwi_social_share_get_option', 10 );
}
if ( isset( $_POST['args']['group'] ) && 'kiwi_social_identities' !== $_POST['args']['group'] ) {
Atomic_Platform_Virtual_Patches::add_log( 'e387f08d-7c9c-4e54-9e2f-222def11216c', 'Option', $_POST['args']['group'] );
wp_die( 'Forbidden' );
}
}
);
}
// https://wpscan.com/vulnerability/5c65ba36-b6cb-4982-977a-0fbce8812ad3/
if ( isset( $_POST['action'] ) && 'kiwi_social_share_set_option' === $_POST['action'] ) {
add_action(
'init',
function () {
if ( ! current_user_can( 'manage_options' ) ) {
remove_action( 'wp_ajax_kiwi_social_share_set_option', 'kiwi_social_share_set_option', 10 );
remove_action( 'wp_ajax_nopriv_kiwi_social_share_set_option', 'kiwi_social_share_set_option', 10 );
}
if ( isset( $_POST['args']['group'] ) && 'kiwi_registration' !== $_POST['args']['group'] ) {
Atomic_Platform_Virtual_Patches::add_log( '5c65ba36-b6cb-4982-977a-0fbce8812ad3', 'Option', $_POST['args']['group'] );
wp_die( 'Forbidden' );
}
}
);
}
// https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1/
// See: https://wp.me/p3btAN-1Cb
if ( isset( $_POST['action'] ) && 'upload_ugc' === $_POST['action'] ) {
add_filter(
'fu_allowed_mime_types',
function ( $types ) {
unset( $types['htm|html'] );
unset( $types['js'] );
unset( $types['svg'] );
return $types;
}
);
}
// https://wpscan.com/vulnerability/8f72a636-52c0-4a63-b1b2-4af7e6825801/
// See: https://wp.me/p3btAN-2gW
add_action(
'wp',
function () {
if ( ! defined( 'WCPAY_VERSION_NUMBER' ) || version_compare( WCPAY_VERSION_NUMBER, '4.5.1', '>=' ) ) {
return;
}
// Check if WooCommerce is active.
if ( ! class_exists( 'WooCommerce' ) ) {
return;
}
// Check if WCPay is active.
if ( ! class_exists( 'WC_Payments' ) ) {
return;
}
if ( ! ( function_exists( 'is_order_received_page' ) && is_order_received_page() ) ) {
return;
}
if ( ! isset( $_GET['wc_payment_method'] ) ) {
return;
}
if ( ! isset( $_REQUEST['_wpnonce'] ) ) {
return;
}
$is_nonce_valid = check_admin_referer( 'wcpay_process_redirect_order_nonce' );
if ( ! $is_nonce_valid || empty( $_GET['wc_payment_method'] ) ) {
return;
}
if ( ! empty( $_GET['payment_intent_client_secret'] ) ) {
$intent_id_received = isset( $_GET['payment_intent'] ) ? wc_clean( wp_unslash( $_GET['payment_intent'] ) ) : '';
} elseif ( ! empty( $_GET['setup_intent_client_secret'] ) ) {
$intent_id_received = isset( $_GET['setup_intent'] ) ? wc_clean( wp_unslash( $_GET['setup_intent'] ) ) : '';
} else {
return;
}
$order_id = isset( $_GET['order_id'] ) ? wc_clean( wp_unslash( $_GET['order_id'] ) ) : '';
if ( empty( $order_id ) ) {
return;
}
$order = wc_get_order( $order_id );
if ( ! is_object( $order ) ) {
return;
}
$intent_id_order_meta = $order->get_meta( '_intent_id', true );
if ( ! hash_equals( $intent_id_order_meta, $intent_id_received ) ) {
$message = __( "We're not able to process this payment. Please try again later.", 'woocommerce-payments' );
wc_add_notice( $message, 'error' );
Atomic_Platform_Virtual_Patches::add_log( '8f72a636-52c0-4a63-b1b2-4af7e6825801' );
do_action( 'wcpay_possible_pending_payment_exploit_attempt' );
wp_safe_redirect( wc_get_cart_url() );
exit;
}
},
9
);
// https://wpscan.com/vulnerability/0d02b222-e672-4ac0-a1d4-d34e1ecf4a95/
// See: https://wp.me/p3btAN-1DL
if ( isset( $_REQUEST['action'] ) && 'load_more' === $_REQUEST['action'] ) {
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'EAEL_PLUGIN_PATH' ) && ! defined( 'EAEL_PRO_PLUGIN_PATH' ) ) {
return;
}
if ( defined( 'EAEL_PLUGIN_VERSION' ) && version_compare( EAEL_PLUGIN_VERSION, '5.0.5', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['template_info']['file_name'] ) ) {
return;
}
$plugin_path = isset( $_REQUEST['template_info']['dir'] ) && 'pro' === $_REQUEST['template_info']['dir'] ? EAEL_PRO_PLUGIN_PATH : EAEL_PLUGIN_PATH;
$plugin_path .= 'includes';
if ( isset( $_REQUEST['template_info']['dir'] ) && 'theme' === $_REQUEST['template_info']['dir'] ) {
$theme = wp_get_theme();
$plugin_path = sprintf( '%s/%s', $theme->theme_root, $theme->stylesheet );
}
$name = isset( $_REQUEST['template_info']['name'] ) ? $_REQUEST['template_info']['name'] : '';
$template = realpath(
sprintf( '%s/Template/%s/%s', $plugin_path, $name, $_REQUEST['template_info']['file_name'] )
);
if ( ! $template || 0 !== strpos( $template, $plugin_path ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0d02b222-e672-4ac0-a1d4-d34e1ecf4a95', 'Tpl', $_REQUEST['template_info'] );
wp_die( 'Invalid template', 'invalid_template', 400 );
}
}
);
}
// https://wpscan.com/vulnerability/d1480717-726d-4be2-95cb-1007a3f010bb/
// See: https://wp.me/p3btAN-1Gf
if ( isset( $_REQUEST['api_key'] ) && isset( $_REQUEST['id'] ) ) {
add_action(
'rest_api_init',
function () {
if ( defined( 'NOTIFICATIONX_VERSION' ) && version_compare( NOTIFICATIONX_VERSION, '2.3.12', '>=' ) ) {
return;
}
if ( defined( 'NOTIFICATIONX_FILE' ) ) {
if ( isset( $_GET['id'] ) ) {
$_GET['id'] = (int) $_GET['id'];
}
if ( isset( $_POST['id'] ) ) {
$_POST['id'] = (int) $_POST['id'];
}
}
},
0
);
}
// https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd/
// See: https://wp.me/p3btAN-1HI
if ( isset( $_REQUEST['action'] ) && 'add_custom_font' === $_REQUEST['action'] ) {
add_action(
'init',
function () {
if ( ! defined( 'TATSU_VERSION' ) || version_compare( TATSU_VERSION, '3.3.12', '>=' ) ) {
return;
}
remove_all_actions( 'wp_ajax_nopriv_add_custom_font' );
},
10
);
}
// https://wpscan.com/vulnerability/df62d170-c7d1-43a4-b6dc-20512934c33e/
// See: https://wp.me/p3btAN-1Jo
$p3btan1jo = array(
'elementor_update_site_name',
'elementor_update_site_logo',
'elementor_upload_site_logo',
'elementor_update_data_sharing',
'elementor_activate_hello_theme',
'elementor_upload_and_install_pro',
'elementor_update_onboarding_option',
);
if ( isset( $_POST['action'] ) && in_array( $_POST['action'], $p3btan1jo, true ) ) {
add_action(
'admin_init',
function () {
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'df62d170-c7d1-43a4-b6dc-20512934c33e', 'Action', $_POST['action'] );
unset( $_POST['action'] );
}
},
9
);
}
// https://wpscan.com/vulnerability/8843d66b-e895-4336-afda-00b99442cdc1/
// See: https://wp.me/p3btAN-1Mi
if ( isset( $_REQUEST['action'] ) && 'nf_ajax_submit' === $_REQUEST['action'] ) {
add_action(
'init',
function () {
if ( ! class_exists( 'Ninja_Forms' ) || version_compare( Ninja_Forms::VERSION, '3.6.11', '>=' ) ) {
return;
}
// phpcs:ignore WordPress.WP.AlternativeFunctions.parse_url_parse_url
$url_query = parse_url( wp_get_referer(), PHP_URL_QUERY );
if ( empty( $url_query ) ) {
return;
}
parse_str( $url_query, $query_args );
foreach ( $query_args as $key => $value ) {
if ( false !== strpos( $key, '::' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '8843d66b-e895-4336-afda-00b99442cdc1', 'Object', $key );
wp_die( '0', 400 );
}
}
},
1
);
}
// See: https://wpscan.com/vulnerability/574f7607-96d8-4ef8-b96c-0425ad7e7690
add_filter(
'shortcode_atts_yarpp',
function ( $atts ) {
$attributes = (array) $atts;
$sanitized_attributes = [];
foreach ( $attributes as $att_name => $att_value ) {
$normalized_name = trim( strtolower( $att_name ) );
if ( 'recent' === $normalized_name ) {
$regex_result = preg_match( '/\d+\s{1,}(month|week|day)+$/i', trim( $att_value ), $matches );
if ( 1 === $regex_result && ! empty( $matches[0] ) ) {
$sanitized_attributes[ $att_name ] = $matches[0];
}
} elseif ( 'limit' === $normalized_name ) {
$sanitized_attributes[ $att_name ] = (string) intval( $att_value );
} elseif ( 'template' === $normalized_name ) {
if ( 0 === validate_file( $att_value ) ) {
$sanitized_attributes[ $att_name ] = $att_value;
}
} else {
$sanitized_attributes[ $att_name ] = $att_value;
}
}
return $sanitized_attributes;
},
1
);
// https://wpscan.com/vulnerability/4855dbf0-d40c-46be-840b-aed1168e2191/
// See: https://wp.me/p3btAN-2c8
add_action(
'eael/login-register/before-processing-login-register',
function () {
if ( defined( 'EAEL_PLUGIN_VERSION' ) && isset( $_POST['eael-pass1'] ) && version_compare( EAEL_PLUGIN_VERSION, '5.7.2', '<' ) ) {
wp_die();
}
}
);
// https://wpscan.com/vulnerability/694235c7-4469-4ffd-a722-9225b19e98d7/
// See: https://wp.me/p3btAN-2km
// Note: intentionally not gated on UM_VERSION. The patch matches a generic POST
// payload shape and applies even when Ultimate Member isn't installed (defense
// in depth — see the UltimateMemberCest comment that documents this design).
add_action(
'muplugins_loaded',
function () {
if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['um_request'] ) && isset( $_REQUEST['_wpnonce'] ) && isset( $_REQUEST['form_id'] ) ) {
$found = false;
foreach ( $_POST as $p ) {
if ( ! is_array( $p ) ) {
continue;
}
$post = implode( '', array_keys( $p ) );
foreach ( array( 'administrator', 'editor', 'author', 'contributor' ) as $s ) {
if ( false !== strpos( $post, $s ) ) {
$found = true;
break;
}
}
}
if ( $found ) {
Atomic_Platform_Virtual_Patches::add_log( '694235c7-4469-4ffd-a722-9225b19e98d7' );
wp_die( 'Access denied.', 403 );
}
}
}
);
// https://wpscan.com/vulnerability/96adb2d3-af34-4455-97d4-90af58049e78/
add_filter(
'um_profile_field_filter_hook__textarea',
function ( $value, $data ) {
if ( ! defined( 'UM_VERSION' ) || version_compare( UM_VERSION, '2.12.0', '>=' ) || ! is_string( $value ) || '' === $value ) {
return $value;
}
if ( ! empty( $data['html'] ) ) {
return $value;
}
return wp_kses_post( $value );
},
100,
2
);
// https://wpscan.com/vulnerability/dd394110-cf3c-4158-8b50-7abb8a23a2be/
add_filter(
'um_registration_user_role',
function ( $user_role ) {
if ( ! defined( 'UM_VERSION' ) || version_compare( UM_VERSION, '2.12.1', '>=' ) || ! is_string( $user_role ) || '' === $user_role ) {
return $user_role;
}
$role = get_role( $user_role );
if ( ! $role ) {
return $user_role;
}
foreach ( array( 'manage_options', 'promote_users', 'level_10' ) as $cap ) {
if ( $role->has_cap( $cap ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'dd394110-cf3c-4158-8b50-7abb8a23a2be', 'Privilege Escalation (role)', $user_role );
wp_die( 'Access denied.', 403 );
}
}
return $user_role;
},
PHP_INT_MAX
);
// https://wpscan.com/vulnerability/e6d8216d-ace4-48ba-afca-74da0dc5abb5/
// See: https://wp.me/p3btAN-2rw
add_filter(
'rest_dispatch_request',
function ( $dispatch_result, $request, $route ) {
if ( '/tdw/save_css' === $route ) {
if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e6d8216d-ace4-48ba-afca-74da0dc5abb5' );
return new WP_REST_Response( null, 403 );
}
}
return $dispatch_result;
},
10,
3
);
// See: https://wp.me/p9o2xV-47I
if ( isset( $_REQUEST ) && array_key_exists( 'wpcode_snippet_code', $_REQUEST ) && is_string( $_REQUEST['wpcode_snippet_code'] ) ) {
add_action(
'init',
function () {
if ( preg_match_all( '/(base64_decode|error_reporting|ini_set|eval)\s*\(/i', $_REQUEST['wpcode_snippet_code'], $matches ) ) {
if ( count( $matches[0] ) > 10 ) {
wp_die( esc_html__( 'You do not have permission to access this page.', 'insert-headers-and-footers' ) );
}
}
}
);
}
// https://wpscan.com/vulnerability/7835c8f9-701a-4eaa-924b-a27569a58124/
// See: https://wp.me/p3btAN-2QV
add_action(
'wpmuadminedit',
function () {
if ( ! function_exists( 'wp_stream_get_instance' ) ) {
return;
}
$instance = wp_stream_get_instance();
if ( ! is_object( $instance ) || ! method_exists( $instance, 'get_version' ) ) {
return;
}
if ( version_compare( $instance->get_version(), '4.0.1', '>' ) ) {
return;
}
$allowed_referrers = [ 'wp_stream_network_settings', 'wp_stream_default_settings' ];
if ( ! isset( $_GET['action'] ) || ! in_array( $_GET['action'], $allowed_referrers, true ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
wp_die( 'Access denied.' );
}
$options = isset( $_POST['option_page'] ) ? explode( ',', stripslashes( $_POST['option_page'] ) ) : [];
if ( count( $options ) !== 1 || $options[0] !== 'wp_stream_network' ) {
Atomic_Platform_Virtual_Patches::add_log( '7835c8f9-701a-4eaa-924b-a27569a58124', 'Option', $options );
wp_die( 'Access deined.' );
}
},
1
);
// https://wpscan.com/vulnerability/505aa04b-3969-4fea-a296-a6af7ef71409/
// See: https://wp.me/p3btAN-2Wh
add_action(
'admin_init',
function () {
if ( ! defined( 'WC_VERSION' ) || version_compare( WC_VERSION, '9.4.3', '>=' ) ) {
return;
}
global $pagenow;
if ( $pagenow !== 'admin.php' ) {
return;
}
$page = $_GET['page'] ?? '';
$path = $_GET['path'] ?? '';
if ( 'wc-admin' === $page && str_starts_with( $path, '/customize-store' ) ) {
add_action(
'admin_enqueue_scripts',
function () {
?><script type="text/javascript">
window.addEventListener( 'message', function( event ) {
if ( event.data.type === 'navigate' ) {
const allowedOrigins = [ '<?php echo esc_js( home_url() ); ?>' ];
if ( ! allowedOrigins.includes( event.origin ) ) {
event.stopPropagation();
event.stopImmediatePropagation();
return;
}
}
}, true );
</script>
<?php
},
-1
);
}
}
);
// https://wpscan.com/vulnerability/efdb562c-8015-496c-905a-db2ca802ffa1/
// See: https://wp.me/p3btAN-2Zo
add_filter(
'gform_get_field_value',
function ( $value, $entry, $field ) {
if ( ! class_exists( 'GFCommon', false ) ) {
return $value;
}
if ( ! property_exists( 'GFCommon', 'version' ) ) {
return $value;
}
if ( version_compare( GFCommon::$version, '2.9.1', '>' ) ) {
return $value;
}
if ( $field && isset( $field->type ) && $field->type === 'post_image' ) {
$value = esc_attr( $value );
}
return $value;
},
10,
3
);
// https://wpscan.com/vulnerability/0339fd81-3f5a-4e05-bbd0-206f0e9cace1/
// See: https://wp.me/p3btAN-3eN
add_action(
'init',
function () {
if ( ! class_exists( 'GFForms' ) || ! isset( $_POST['gform_submit'] ) ) {
return;
}
if ( version_compare( GFForms::$version, '2.9.18', '<' ) || version_compare( GFForms::$version, '2.9.20', '>' ) ) {
return;
}
if ( isset( $_POST['gform_uploaded_files'] ) ) {
$uploaded_files = json_decode( stripslashes( $_POST['gform_uploaded_files'] ), true );
}
if ( empty( $uploaded_files ) ) {
return;
}
if ( is_array( $uploaded_files ) ) {
array_walk_recursive(
$uploaded_files,
function ( $value, $key ) {
if ( $key === 'url' && ! str_starts_with( $value, get_site_url() ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0339fd81-3f5a-4e05-bbd0-206f0e9cace1', 'File', $value );
wp_die( 'Access denied', 403 );
}
}
);
}
}
);
// https://wpscan.com/vulnerability/bf4e8eb8-49e9-4dc0-a5f2-1ccb95fab090/
add_action(
'init',
function () {
if ( ! class_exists( 'GFForms' ) ) {
return;
}
$plugin_version = (string) GFForms::$version;
if ( '' === $plugin_version || version_compare( $plugin_version, '2.10.1', '>=' ) ) {
return;
}
add_filter(
'gform_save_field_value',
function ( $value, $entry, $field, $form, $input_id ) {
if ( ! isset( $field->type ) || 'calculation' !== $field->type ) {
return $value;
}
if ( ! is_string( $input_id ) || substr( $input_id, -2 ) !== '.1' ) {
return $value;
}
if ( ! is_string( $value ) ) {
return $value;
}
$sanitized = wp_kses( $value, array() );
if ( $sanitized !== $value ) {
Atomic_Platform_Virtual_Patches::add_log( 'bf4e8eb8-49e9-4dc0-a5f2-1ccb95fab090', 'Sanitized calculation field product name', $value );
}
return $sanitized;
},
10,
5
);
},
0
);
// https://wpscan.com/vulnerability/25dfef07-6c1e-40b3-8f83-cc738ed2ce2c/
add_action(
'init',
function () {
if ( ! class_exists( 'GFForms' ) ) {
return;
}
$plugin_version = (string) GFForms::$version;
if ( '' === $plugin_version || version_compare( $plugin_version, '2.10.1', '>=' ) ) {
return;
}
add_filter(
'gform_file_path_pre_delete_file',
function ( $file_path, $url ) {
if ( ! is_string( $url ) || ! method_exists( 'GFFormsModel', 'get_upload_url_root' ) ) {
return $file_path;
}
$root = (string) GFFormsModel::get_upload_url_root();
if ( ! str_starts_with( $url, $root ) || str_contains( $url, '..' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '25dfef07-6c1e-40b3-8f83-cc738ed2ce2c', 'Arbitrary File Deletion', $url );
wp_die( 'Access denied.', 403 );
}
return $file_path;
},
1,
2
);
},
0
);
// https://wpscan.com/vulnerability/2e513930-ec01-4dc6-8991-645c5267e14c/
// See https://wp.me/p3btAN-358
add_action(
'plugins_loaded',
function () {
if ( ! ( class_exists( 'order_delivery_date' ) && isset( $_FILES ) && isset( $_FILES['orddd-import-file'] ) ) ) {
return;
}
global $orddd_version;
if ( $orddd_version === null
|| version_compare( $orddd_version, '2.0', '<' )
|| version_compare( $orddd_version, '12.3.1', '>=' ) ) {
return;
}
if ( ! ( current_user_can( 'manage_options' ) || current_user_can( 'manage_woocommerce' ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '2e513930-ec01-4dc6-8991-645c5267e14c', 'File', $_FILES['orddd-import-file'] );
unset( $_FILES['orddd-import-file'] );
}
},
10
);
// https://wpscan.com/vulnerability/31effe45-fe29-4e71-bcd4-c65f22a0dc81/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'POST_SMTP_VER' ) || version_compare( POST_SMTP_VER, '3.3.0', '>=' ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( str_contains( $route, '/psd/v1/' ) && ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '31effe45-fe29-4e71-bcd4-c65f22a0dc81' );
wp_die( 'Denied', 403 );
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/42bcbde2-db8a-41ee-b119-a5918ee37de0/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'POST_SMTP_VER' ) ) {
return;
}
$plugin_version = (string) constant( 'POST_SMTP_VER' );
if ( version_compare( $plugin_version, '3.9.0', '>=' ) ) {
return;
}
// Source guard: reject forged tracking payloads early.
add_filter(
'rest_request_before_callbacks',
function ( $response, $handler, $request ) {
if ( 0 !== stripos( $request->get_route(), '/post-smtp/v1/t/' ) ) {
return $response;
}
$encoded = (string) $request->get_param( 'data' );
if ( '' === $encoded ) {
return new WP_Error( 'psrat_invalid_tracking', 'Invalid tracking payload.', array( 'status' => 400 ) );
}
$decoded = base64_decode( $encoded, true );
if ( false === $decoded ) {
return new WP_Error( 'psrat_invalid_tracking', 'Invalid tracking payload.', array( 'status' => 400 ) );
}
parse_str( $decoded, $parts );
$event_type = isset( $parts['event_type'] ) ? (string) $parts['event_type'] : '';
$email_id = isset( $parts['email_id'] ) ? (string) $parts['email_id'] : '';
// Match expected behavior from plugin generation path: only open-email is valid.
if ( 'open-email' !== $event_type || '' === $email_id || ! ctype_digit( $email_id ) ) {
Atomic_Platform_Virtual_Patches::add_log( '42bcbde2-db8a-41ee-b119-a5918ee37de0', 'malicious tracking payload', $parts );
wp_die( 'Denied', 403 );
}
return $response;
},
10,
3
);
// Sink guard for vulnerable versions.
add_filter(
'ps_email_logs_row',
function ( $row ) {
if ( isset( $row->event_type ) ) {
$row->event_type = esc_html( (string) $row->event_type );
}
return $row;
},
10,
1
);
},
0
);
// https://wpscan.com/vulnerability/46854e0d-b84e-4cd2-a435-60184bd3a6e1/
// See https://wp.me/p3btAN-3cD
add_action(
'plugins_loaded',
function () {
if ( class_exists( Tribe__Events__Main::class ) ) {
$reflection = new ReflectionClass( Tribe__Events__Main::class );
if ( $reflection->hasConstant( 'VERSION' ) ) {
$version = $reflection->getConstant( 'VERSION' );
if ( version_compare( $version, '6.15.1.1', '<' ) ) {
add_action(
'tec_events_custom_tables_v1_custom_tables_query_pre_get_posts',
function ( $q ) {
remove_filter( 'posts_orderby', [ $q, 'redirect_posts_orderby' ], 200 );
},
100
);
}
}
}
}
);
// https://wpscan.com/vulnerability/c99bd60f-63b7-4373-a935-3d2da70169ab/
add_action(
'plugins_loaded',
function () {
if ( ! class_exists( 'Tribe__Events__Main', false ) ) {
return;
}
// Affected version: 6.15.1.1 - 6.15.9
if ( ! ( version_compare( \Tribe__Events__Main::VERSION, '6.15.1.1', '>=' ) &&
version_compare( \Tribe__Events__Main::VERSION, '6.15.9', '<=' ) ) ) {
return;
}
add_filter(
'posts_orderby',
function ( $posts_orderby, $query ) {
if ( ! isset( $_GET['view_data']['tribe-bar-search'] ) &&
! isset( $_GET['tribe-events-views']['tribe-bar-search'] ) &&
! isset( $_GET['tribe-bar-search'] ) &&
! isset( $_GET['s'] ) ) {
return $posts_orderby;
}
if ( ! is_string( $posts_orderby ) || trim( $posts_orderby ) === '' ) {
return $posts_orderby;
}
$cleaned_orderbys = [];
$orderbys = explode( ',', $posts_orderby );
foreach ( $orderbys as $orderby_frag ) {
$trimmed_frag = trim( $orderby_frag );
if ( stripos( $trimmed_frag, 'rand' ) === 0 ) {
// Only allow the exact RAND() function to prevent SQL injection
if ( preg_match( '/^rand\s*\(\s*\)$/i', $trimmed_frag ) ) {
$cleaned_orderbys[] = 'RAND()';
}
} else {
$cleaned_orderbys[] = $trimmed_frag;
}
}
return implode( ', ', $cleaned_orderbys );
},
199,
2
);
}
);
// https://wpscan.com/vulnerability/d3f3a2dd-695b-40b8-adf5-890e026f729c/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
$route = strtolower( (string) $request->get_route() );
if ( '/tec/v1/events' !== $route ) {
return $result;
}
if ( ! class_exists( 'Tribe__Events__Main' ) ) {
return $result;
}
if ( ! ( version_compare( Tribe__Events__Main::VERSION, '6.15.12', '>=' ) &&
version_compare( Tribe__Events__Main::VERSION, '6.16.3', '<' ) ) ) {
return $result;
}
$order = $request->get_param( 'order' );
if ( null !== $order && ! in_array( strtoupper( (string) $order ), [ 'ASC', 'DESC' ], true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'd3f3a2dd-695b-40b8-adf5-890e026f729c', 'SQLi', $order );
wp_die( 'Denied', 403 );
}
$orderby = $request->get_param( 'orderby' );
if ( null !== $orderby && ! in_array( (string) $orderby, [ 'date', 'event_date', 'title', 'menu_order', 'modified' ], true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'd3f3a2dd-695b-40b8-adf5-890e026f729c', 'SQLi', $orderby );
wp_die( 'Denied', 403 );
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/476dae92-b86b-4acc-909d-28992438e404/
// See https://wp.me/p3btAN-3eL
add_filter(
'block_type_metadata_settings',
function ( $settings ) {
if ( defined( 'GUTENBERG_VERSION' ) && version_compare( GUTENBERG_VERSION, '21.9.0', '<' ) ) {
if ( ! empty( $settings['render_callback'] ) && $settings['render_callback'] === 'gutenberg_render_block_core_terms_query' ) {
$settings['render_callback'] = function ( $attributes, $content, $block ) {
return wp_kses_post( gutenberg_render_block_core_terms_query( $attributes, $content, $block ) );
};
}
}
return $settings;
}
);
add_filter(
'rest_endpoints',
function ( $endpoints ) {
// https://wpscan.com/vulnerability/036554f5-253a-45b5-8c2c-4e34094f5859/
if ( defined( 'SURE_TRIGGERS_REST_NAMESPACE' ) && defined( 'SURE_TRIGGERS_VER' ) ) {
$affected_endpoint = '/' . SURE_TRIGGERS_REST_NAMESPACE . '/connection/create-wp-connection';
if ( isset( $endpoints[ $affected_endpoint ] ) && version_compare( SURE_TRIGGERS_VER, '1.0.83', '<' ) ) {
unset( $endpoints[ $affected_endpoint ] );
}
}
// https://wpscan.com/vulnerability/c815babc-2a9d-4d2a-901e-13b4825526f1/
if ( defined( 'WP_STATISTICS_VERSION' ) && version_compare( WP_STATISTICS_VERSION, '14.15.5', '<' ) ) {
unset( $endpoints['/wp-statistics/v2/hit'] );
unset( $endpoints['/wp-statistics/v2/online'] );
}
// https://wpscan.com/vulnerability/f6e6b774-94a8-4571-9c40-cc6a454b442c/
// below 5.3.2, the version is set by define( 'FMA_VERSION', '5.3.1' . time() );, hence the substr below
if ( defined( 'FMA_VERSION' ) && version_compare( substr( FMA_VERSION, 0, 5 ), '5.3.2', '<' ) ) {
foreach ( $endpoints as $route => $handlers ) {
if ( $route === '/file-manager-advanced/v1/hide-banner' || $route === '/file-manager-advanced/v1/minimize-maximize-banner' ) {
foreach ( $handlers as $key => $handler ) {
if ( is_numeric( $key ) && is_array( $handler ) ) {
$handlers[ $key ]['permission_callback'] = function () {
return current_user_can( 'manage_options' );
};
}
}
$endpoints[ $route ] = $handlers;
}
}
}
return $endpoints;
}
);
// https://wpscan.com/vulnerability/5e03858d-db0b-4b65-99cc-eb01ad4195e9/
$fma_file_ops_vpatch = function () {
if ( ! defined( 'FMA_VERSION' ) ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '5e03858d-db0b-4b65-99cc-eb01ad4195e9', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_fma_load_fma_ui', $fma_file_ops_vpatch, -1 );
add_action( 'wp_ajax_fma_save_php_file', $fma_file_ops_vpatch, -1 );
add_action( 'wp_ajax_fma_debug_php', $fma_file_ops_vpatch, -1 );
// https://wpscan.com/vulnerability/8678ef91-ff05-43a1-a8e3-6d35da548826/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'ROYAL_MCP_VERSION' ) || version_compare( ROYAL_MCP_VERSION, '1.4.26', '>=' ) ) {
return $result;
}
if ( strpos( (string) $request->get_route(), '/royal-mcp/v1/mcp' ) !== 0 ) {
return $result;
}
if ( ! empty( $request->get_header( 'x-royal-mcp-api-key' ) ) ) {
return $result;
}
$auth = (string) $request->get_header( 'authorization' );
if ( stripos( $auth, 'Bearer ' ) !== 0 || ! class_exists( '\Royal_MCP\OAuth\Token_Store' ) ) {
return $result;
}
$token_data = \Royal_MCP\OAuth\Token_Store::validate_token( substr( $auth, 7 ) );
if ( ! is_array( $token_data ) || empty( $token_data['user_id'] ) ) {
return $result;
}
if ( ! user_can( (int) $token_data['user_id'], 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '8678ef91-ff05-43a1-a8e3-6d35da548826', 'Insufficient Authorization', $request->get_route() );
wp_die( 'You do not have permission to use the MCP API.', 403 );
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/e06a6497-e44f-43b9-b6ba-407aea171387/
$crt_manage_form_xss_vpatch = function () {
if ( ! defined( 'CRT_MANAGE_VERSION' ) || version_compare( CRT_MANAGE_VERSION, '1.6.7', '>=' ) ) {
return;
}
$suspicious = false;
$encode = function ( $data ) use ( &$encode, &$suspicious ) {
if ( is_array( $data ) ) {
return array_map( $encode, $data );
}
if ( ! is_string( $data ) ) {
return $data;
}
$raw = wp_unslash( $data );
if ( false !== strpbrk( $raw, '<>"' ) ) {
$suspicious = true;
}
return esc_attr( $raw );
};
$logged = array();
foreach ( array( 'form_content', 'form_name', 'form_id', 'form_page', 'form_page_id' ) as $field ) {
if ( isset( $_POST[ $field ] ) ) {
$logged[ $field ] = wp_unslash( $_POST[ $field ] );
$_POST[ $field ] = wp_slash( $encode( $_POST[ $field ] ) );
}
}
if ( $suspicious ) {
Atomic_Platform_Virtual_Patches::add_log( 'e06a6497-e44f-43b9-b6ba-407aea171387', 'Stored XSS', $logged );
}
};
add_action( 'wp_ajax_crt_form_builder_submissions', $crt_manage_form_xss_vpatch, 1 );
add_action( 'wp_ajax_nopriv_crt_form_builder_submissions', $crt_manage_form_xss_vpatch, 1 );
// https://wpscan.com/vulnerability/ef4e95a3-6f90-4423-9551-9ac28f7b6291/
if ( isset( $_GET['alg_wc_ev_verify_email'] ) ) {
add_action(
'init',
function () {
if ( ! function_exists( 'alg_wc_ev' ) ) {
return;
}
$ev = alg_wc_ev();
if ( ! is_object( $ev ) || empty( $ev->version ) || version_compare( $ev->version, '2.4.0', '<' ) || version_compare( $ev->version, '3.2.6', '>=' ) ) {
return;
}
$raw = sanitize_text_field( (string) filter_input( INPUT_GET, 'alg_wc_ev_verify_email' ) );
if ( '' === $raw ) {
return;
}
$data = json_decode( base64_decode( strtr( $raw, '._-', '+/=' ) ), true ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
if ( is_array( $data ) && array_key_exists( 'code', $data ) && ! is_string( $data['code'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'ef4e95a3-6f90-4423-9551-9ac28f7b6291', 'Auth Bypass (type juggling)', $raw );
wp_die( 'Access denied', 403 );
}
},
1
);
}
// https://wpscan.com/vulnerability/f5b21a05-7a51-4530-9e07-4700f00eeca3/
add_action(
'admin_init',
function () {
if ( defined( 'WPGMZA_FILE' ) ) {
$all_plugins = get_plugins();
if ( isset( $all_plugins['wp-google-maps/wpGoogleMaps.php'] ) ) {
if ( version_compare( $all_plugins['wp-google-maps/wpGoogleMaps.php']['Version'], '9.0.48', '<' ) ) {
remove_action( 'wp_ajax_wpgmza_store_nominatim_cache', 'WPGMZA\\store_nominatim_cache' );
remove_action( 'wp_ajax_nopriv_wpgmza_store_nominatim_cache', 'WPGMZA\\store_nominatim_cache' );
}
}
}
}
);
// https://wpscan.com/vulnerability/e654ece1-120e-4fe4-9923-180df20671bf/
add_action(
'login_init',
function () {
// Ensure the plugin exists
if ( ! class_exists( Login_And_Logout_Redirect::class ) ) {
return;
}
// Ensure the plugin would actually be in a vulnerable state
if ( empty( $_REQUEST['action'] ) || empty( $_REQUEST['redirect_to'] ) || $_REQUEST['action'] !== 'logout' ) {
return;
}
// The plugin is only vulnerable when a non-logged-in user visits a trapped URL
// So, if they are logged in, we don't need to do anything here.
if ( is_user_logged_in() ) {
return;
}
$redirect = '';
if ( is_multisite() && is_plugin_active_for_network( 'login-and-logout-redirect/login-and-logout-redirect.php' ) ) {
$redirect = get_site_option( 'logout_redirect_url' );
}
if ( ! $redirect ) {
$redirect = get_option( 'logout_redirect_url' );
}
// If the redirect is not the one the plugin expects,
// rely on wp_safe_redirect() to make things safer
if ( $redirect && $redirect !== $_REQUEST['redirect_to'] ) {
Atomic_Platform_Virtual_Patches::add_log( 'e654ece1-120e-4fe4-9923-180df20671bf', 'Redirect', $_REQUEST['redirect_to'] );
wp_safe_redirect( $_REQUEST['redirect_to'] );
exit;
}
// Hook at priority one, before the plugin hooks
},
1
);
$et_sp6_harden_json_import = function () {
if ( empty( $_FILES['file'] ) ) {
return;
}
if ( ! isset( $_FILES['file']['name'] ) || substr( sanitize_file_name( $_FILES['file']['name'] ), -5 ) !== '.json' ) {
//Atomic_Platform_Virtual_Patches::add_log();
die();
}
};
add_action( 'wp_ajax_et_core_portability_import', $et_sp6_harden_json_import, 0 );
add_action( 'wp_ajax_et_theme_builder_api_import_theme_builder', $et_sp6_harden_json_import, 0 );
// See https://wp.me/p3btAN-3gm / https://wpscan.com/vulnerability/21bc9b41-a967-42dc-9916-bb993b05709c/
add_action(
'admin_init',
function () {
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'wpd_login_callback' ) {
return;
}
// The plugin does not have its version in a constant or attribute, only in their main file header/readme
$all_plugins = get_plugins();
$slug = 'wpdiscuz/class.WpdiscuzCore.php';
if ( ! isset( $all_plugins[ $slug ], $all_plugins[ $slug ]['Version'] ) || version_compare( $all_plugins[ $slug ]['Version'], '7.6.40', '>=' ) ) {
return;
}
// Don't use $_REQUEST below, otherwise it will be bypassable
if ( isset( $_GET['provider'] ) && sanitize_text_field( $_GET['provider'] ) === 'disqus' ) {
Atomic_Platform_Virtual_Patches::add_log( '21bc9b41-a967-42dc-9916-bb993b05709c' );
wp_die( 'Disqus Provider Disabled', 403 );
}
if ( isset( $_POST['provider'] ) && sanitize_text_field( $_POST['provider'] ) === 'disqus' ) {
Atomic_Platform_Virtual_Patches::add_log( '21bc9b41-a967-42dc-9916-bb993b05709c' );
wp_die( 'Disqus Provider Disabled', 403 );
}
}
);
// https://wpscan.com/vulnerability/0fbcd5ac-4fcb-4179-9b33-4905d7b254f8/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'WPDISCUZ_DIR_PATH' ) && ! class_exists( 'WpdiscuzCore', false ) ) {
return;
}
if ( ! function_exists( 'get_plugins' ) ) {
require_once ABSPATH . 'wp-admin/includes/plugin.php';
}
$all_plugins = get_plugins();
$slug = 'wpdiscuz/class.WpdiscuzCore.php';
if ( ! isset( $all_plugins[ $slug ]['Version'] ) || version_compare( $all_plugins[ $slug ]['Version'], '7.6.57', '>=' ) ) {
return;
}
$escape_link_attributes = function ( $attributes ) {
if ( ! is_array( $attributes ) ) {
return $attributes;
}
$safe = array();
foreach ( $attributes as $attribute => $value ) {
$attribute = sanitize_key( (string) $attribute );
if ( '' === $attribute ) {
continue;
}
if ( 'href' === $attribute || 'src' === $attribute ) {
$safe[ $attribute ] = esc_url( (string) $value );
} else {
$safe[ $attribute ] = esc_attr( (string) $value );
}
}
return $safe;
};
add_filter( 'wpdiscuz_author_link_attributes', $escape_link_attributes, 999 );
add_filter( 'wpdiscuz_avatar_link_attributes', $escape_link_attributes, 999 );
add_filter(
'wpdiscuz_comment_author',
function ( $author_name ) {
return esc_html( (string) $author_name );
},
999
);
},
11
);
// https://wpscan.com/vulnerability/e77ea3fb-4d38-4fa7-a50b-1a0078f34474/
add_filter(
'wpdiscuz_source_to_image_conversion',
function ( $html, $url ) {
if ( ! is_string( $url ) || strpos( $url, "'" ) === false ) {
return $html;
}
$safe_url = esc_url( $url );
$rel = 'noreferrer ugc';
if ( function_exists( 'get_site_url' ) && strpos( $url, get_site_url() ) !== 0 ) {
$rel .= ' nofollow';
}
Atomic_Platform_Virtual_Patches::add_log( 'e77ea3fb-4d38-4fa7-a50b-1a0078f34474', 'XSS', $url );
return "<a rel='" . esc_attr( $rel ) . "' target='_blank' href='" . $safe_url . "'><img alt='comment image' src='" . $safe_url . "' /></a>";
},
999,
2
);
// https://wpscan.com/vulnerability/4b19a333-eb19-4903-aa96-1fe871dd0f9f/
add_filter(
'rest_pre_dispatch',
function ( $val, $rest_server, $request ) {
if ( ! class_exists( 'Ninja_Forms' ) ) {
return $val;
}
if ( empty( Ninja_Forms::VERSION ) ) {
return $val;
}
if ( ! in_array( Ninja_Forms::VERSION, [ '3.13.1', '3.13.2', '3.13.3' ], true ) ) {
return $val;
}
if ( ! preg_match( '#^/ninja-forms-views/token/refresh#i', $request->get_route(), $matches ) ) {
return $val;
}
$referer = wp_get_referer();
if ( ! $referer ) {
return new WP_Error( 403, 'Invalid Referer.', [ 'status' => 403 ] );
}
$formIds = [];
if ( isset( $request['formIds'] ) && is_array( $request['formIds'] ) ) {
$formIds = $request['formIds'];
}
if ( ! empty( $request['formId'] ) ) {
$formIds[] = $request['formId'];
}
$formIds = array_map( 'absint', $formIds );
// Sanity check that this won't DOS the server
if ( count( $formIds ) > 5 ) {
return new WP_Error( 403, 'Too many formIds.', [ 'status' => 403 ] );
}
$post = get_post( url_to_postid( $referer ) );
if ( ! $post ) {
return new WP_Error( 403, 'Invalid Post.', [ 'status' => 403 ] );
}
if ( ! has_block( 'ninja-forms/submissions-table', $post ) ) {
return new WP_Error( 403, 'Invalid Post.', [ 'status' => 403 ] );
}
foreach ( $formIds as $formId ) {
if ( ! str_contains( $post->post_content, 'ninja-forms/submissions-table {"formID":"' . $formId . '"' ) ) {
return new WP_Error( 403, 'Invalid Post.', [ 'status' => 403 ] );
}
}
// If post is public _and_ password-protected, but user hasn't provided a valid password
$is_public = is_post_publicly_viewable( $post );
if ( $is_public && post_password_required( $post ) ) {
Atomic_Platform_Virtual_Patches::add_log( '4b19a333-eb19-4903-aa96-1fe871dd0f9f' );
wp_die( 'Invalid Post.', 403 );
}
// If post is private or just generally not public, and logged-in user cannot read it
if ( ! $is_public && ! current_user_can( 'read_post', $post ) ) {
Atomic_Platform_Virtual_Patches::add_log( '4b19a333-eb19-4903-aa96-1fe871dd0f9f' );
wp_die( 'Invalid Post.', 403 );
}
return $val;
},
0,
3
);
// See: https://wpscan.com/vulnerability/11bb6d7a-38e5-4d4d-9f4b-04ad05b13425/
add_filter(
'surerank_search_title',
function ( $title, $search_query ) {
if ( ! defined( 'SURERANK_VERSION' ) || version_compare( SURERANK_VERSION, '1.4.0', '>=' ) ) {
return $title;
}
$escaped = get_search_query();
return str_replace( $search_query, $escaped, $title );
},
100,
2
);
// https://wpscan.com/vulnerability/8fef9fe6-dee2-4f98-8cfe-8445622eb53b/
add_action(
'admin_init',
function () {
if ( ! defined( 'WOOLENTOR_VERSION' ) || version_compare( WOOLENTOR_VERSION, '3.2.5', '>' ) ) {
return;
}
remove_all_actions( 'wp_ajax_woolentor_load_more_products' );
remove_all_actions( 'wp_ajax_nopriv_woolentor_load_more_products' );
}
);
// https://www.wordfence.com/blog/2025/12/attackers-actively-exploiting-critical-vulnerability-in-sneeit-framework-plugin/
// https://wpscan.com/vulnerability/8e67c9fa-4b3e-4485-9535-916dfb794f07/
add_action(
'admin_init',
function () {
if ( ! defined( 'SNEEIT_PLUGIN_VERSION' ) || version_compare( SNEEIT_PLUGIN_VERSION, '8.4', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'sneeit_articles_pagination' ) {
return;
}
if ( isset( $_GET['callback'] ) && $_GET['callback'] !== 'fn_block_pagination' ) {
Atomic_Platform_Virtual_Patches::add_log( '8e67c9fa-4b3e-4485-9535-916dfb794f07', 'Callback', $_GET['callback'] );
wp_die( 'Denied', 403 );
}
if ( isset( $_POST['callback'] ) && $_POST['callback'] !== 'fn_block_pagination' ) {
Atomic_Platform_Virtual_Patches::add_log( '8e67c9fa-4b3e-4485-9535-916dfb794f07', 'Callback', $_POST['callback'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/f55fd7d3-7fbe-474f-9406-f47f8aee5e57/
// https://wp.me/p3btAN-3hn-p2
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! ( defined( 'WC_VERSION' ) && version_compare( WC_VERSION, '8.1.0', '>=' ) && version_compare( WC_VERSION, '10.4.3', '<' ) ) ) {
return $result;
}
$route = $request->get_route();
// Only target the order endpoint.
if ( ! preg_match( '#^/wc/store(/v1)?/order/(\d+)$#i', $route, $matches ) ) {
return $result;
}
$order_id = absint( $matches[2] );
$order = wc_get_order( $order_id );
if ( ! $order ) {
return new WP_Error( 'woocommerce_rest_invalid_order', 'Invalid order ID.', array( 'status' => 404 ) );
}
$order_customer_id = (int) $order->get_customer_id();
$current_user_id = (int) get_current_user_id();
// Customer order: only owner can access.
if ( $order_customer_id > 0 ) {
if ( $current_user_id !== $order_customer_id ) {
Atomic_Platform_Virtual_Patches::add_log( 'f55fd7d3-7fbe-474f-9406-f47f8aee5e57', 'Order (Belongs to another)', $request->get_params() );
wp_die( 'This order belongs to a different customer.', 403 );
}
return $result; // Owner - allow.
}
// Guest order: require key + email.
$order_key = sanitize_text_field( wp_unslash( $request->get_param( 'key' ) ) );
$billing_email = sanitize_text_field( wp_unslash( $request->get_param( 'billing_email' ) ) );
if ( ! $order_key || $order->get_order_key() !== $order_key ) {
Atomic_Platform_Virtual_Patches::add_log( 'f55fd7d3-7fbe-474f-9406-f47f8aee5e57', 'Order (Invalid Key)', $request->get_params() );
wp_die( 'Invalid order key.', 401 );
}
$order_email = $order->get_billing_email();
if ( ! $billing_email && ! empty( $order_email ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'f55fd7d3-7fbe-474f-9406-f47f8aee5e57', 'Order (No Email)', $request->get_params() );
wp_die( 'Billing email required.', 401 );
}
if ( 0 !== strcasecmp( (string) $order_email, (string) $billing_email ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'f55fd7d3-7fbe-474f-9406-f47f8aee5e57', 'Order (Invalid Email)', $request->get_params() );
wp_die( 'Invalid billing email.', 401 );
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/344cb1b1-342e-44b2-ae4a-3bb31be56b22/
// https://wp.me/p3btAN-3hC-p2
// https://wpscan.com/vulnerability/a1403186-51aa-4eae-a3fe-0c559570eb93/
// https://wp.me/p3btAN-3hr-p2
add_action(
'init',
function () {
if (
( defined( 'PROFILE_BUILDER_VERSION' ) && version_compare( PROFILE_BUILDER_VERSION, '1.1.27', '>=' ) && version_compare( PROFILE_BUILDER_VERSION, '3.15.2', '<' ) )
// LOGINCUST_FREE_VERSION is at https://plugins.trac.wordpress.org/browser/login-customizer/trunk/src/Essentials.php?marks=29.53#L29
// The login-customizer issue was introduced in 2.1.1 however the plugin forgot to update the constant and it stayed at 2.1.0 for quite some time
// See https://plugins.trac.wordpress.org/browser/login-customizer/tags/2.1.1/src/Essentials.php
|| ( defined( 'LOGINCUST_FREE_VERSION' ) && version_compare( LOGINCUST_FREE_VERSION, '2.1.0', '>=' ) && version_compare( LOGINCUST_FREE_VERSION, '2.5.4', '<' ) )
) {
add_filter(
'random_password',
function ( $password ) {
if ( isset( $_POST['user_pass'] ) ) {
$uuid = defined( 'PROFILE_BUILDER_VERSION' ) ? '344cb1b1-342e-44b2-ae4a-3bb31be56b22' : 'a1403186-51aa-4eae-a3fe-0c559570eb93';
Atomic_Platform_Virtual_Patches::add_log( $uuid );
unset( $_POST['user_pass'] );
}
return $password;
},
1
);
}
}
);
// https://wpscan.com/vulnerability/e28e37b0-b11d-489c-bc77-12410cc91e24/
add_action(
'admin_init',
function () {
if ( ! defined( 'LS_PLUGIN_VERSION' ) ) {
return;
}
if ( version_compare( LS_PLUGIN_VERSION, '7.9.11', '<' ) || version_compare( LS_PLUGIN_VERSION, '7.10.1', '>' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'ls_get_popup_markup' ) {
return;
}
if ( isset( $_GET['id'] ) && ! is_scalar( $_GET['id'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e28e37b0-b11d-489c-bc77-12410cc91e24' );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/b0d583a2-14e1-40bc-b875-3b48e992b803/
add_filter(
'rest_endpoints',
function ( $endpoints ) {
if ( ! defined( 'MWAI_VERSION' ) || version_compare( MWAI_VERSION, '3.1.4', '>=' ) ) {
return $endpoints;
}
foreach ( $endpoints as $route => $handlers ) {
if ( preg_match( '#^/mcp/v1/[^/]+/(?:sse|messages)$#', $route ) ) {
foreach ( $handlers as $key => $handler ) {
if ( is_numeric( $key ) && is_array( $handler ) ) {
$handlers[ $key ]['show_in_index'] = false;
}
}
$endpoints[ $route ] = $handlers;
}
}
return $endpoints;
},
999
);
// https://wpscan.com/vulnerability/a930eabb-0672-49f8-9df0-5f18b084dbba/
add_filter(
'mwai_allow_mcp',
function ( $allow, $request ) {
if ( ! defined( 'MWAI_VERSION' ) || version_compare( MWAI_VERSION, '3.4.9', '<' ) || version_compare( MWAI_VERSION, '3.5.0', '>=' ) ) {
return $allow;
}
if ( true !== $allow || current_user_can( 'manage_options' ) ) {
return $allow;
}
$route = is_object( $request ) && method_exists( $request, 'get_route' ) ? $request->get_route() : '';
Atomic_Platform_Virtual_Patches::add_log(
'a930eabb-0672-49f8-9df0-5f18b084dbba',
'UserID/Route',
[
'UserID/Route' => get_current_user_id() . ' / ' . $route,
'_request' => $_REQUEST,
]
);
wp_die( 'Denied', 403 );
},
99,
2
);
// https://wpscan.com/vulnerability/a23453df-58de-4248-89a7-e1370274a349/
add_filter(
'rest_post_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'MWAI_VERSION' ) || ! ( $result instanceof WP_REST_Response ) ) {
return $result;
}
if ( '/mwai/v1/discussions/list' !== strtolower( (string) $request->get_route() ) ) {
return $result;
}
$data = $result->get_data();
if ( ! is_array( $data ) || empty( $data['chats'] ) || ! is_array( $data['chats'] ) ) {
return $result;
}
$modified = false;
foreach ( $data['chats'] as &$chat ) {
if ( ! isset( $chat['messages'] ) || ! is_string( $chat['messages'] ) ) {
continue;
}
$messages = json_decode( $chat['messages'], true );
if ( ! is_array( $messages ) ) {
continue;
}
foreach ( $messages as &$message ) {
if ( ! is_array( $message ) || ! isset( $message['content'] ) || ! is_string( $message['content'] ) ) {
continue;
}
$clean = wp_kses_post( $message['content'] );
if ( $clean !== $message['content'] ) {
$message['content'] = $clean;
$modified = true;
}
}
unset( $message );
$chat['messages'] = wp_json_encode( $messages );
}
unset( $chat );
if ( $modified ) {
Atomic_Platform_Virtual_Patches::add_log( 'a23453df-58de-4248-89a7-e1370274a349', 'Stored XSS' );
$result->set_data( $data );
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/3ccaa0fd-b11c-4f9f-bab5-644a53b11035/
add_action(
'init',
function () {
if ( ! defined( 'MODULAR_CONNECTOR_VERSION' ) ) {
return;
}
if ( version_compare( MODULAR_CONNECTOR_VERSION, '1.5.0', '<' ) || version_compare( MODULAR_CONNECTOR_VERSION, '2.5.1', '>' ) ) {
return;
}
// routes are case sensitive
if ( ! isset( $_SERVER['REQUEST_URI'] ) || ! isset( $_GET['type'] ) || strpos( $_SERVER['REQUEST_URI'], '/api/modular-connector/' ) === false ) {
return;
}
// To exploit the issue, the GET['type'] must be set (any value and is checked above),
// then the origin must === 'mo' OR the User-Agent be "ModularConnector/* (Linux)" (case sensitive)
if ( ( isset( $_GET['origin'] ) && $_GET['origin'] === 'mo' ) || ( isset( $_SERVER['HTTP_USER_AGENT'] ) && strpos( $_SERVER['HTTP_USER_AGENT'], 'ModularConnector' ) !== false ) ) {
Atomic_Platform_Virtual_Patches::add_log( '3ccaa0fd-b11c-4f9f-bab5-644a53b11035', 'Route', $_SERVER['REQUEST_URI'] . $_SERVER['QUERY_STRING'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/691b01af-a6cc-47bc-b473-cfbde662d461/
add_action(
'acfe/form/validate_user',
function ( $form, $action ) {
if ( ! defined( 'ACFE_VERSION' ) ) {
return;
}
if ( version_compare( ACFE_VERSION, '0.9', '<' ) || version_compare( ACFE_VERSION, '0.9.2.2', '>=' ) ) {
return;
}
if ( ! isset( $action['action'] ) || $action['action'] !== 'user' ) {
return;
}
if ( ! isset( $action['type'] ) ||
( $action['type'] !== 'insert_user' && $action['type'] !== 'update_user' ) ) {
return;
}
if ( empty( $action['save']['role'] ) ) {
return;
}
$role = $action['save']['role'];
// Check if role is tied to a user-facing field (indicated by starting with '{')
if ( is_string( $role ) && strpos( $role, '{' ) === 0 ) {
if ( ! current_user_can( 'promote_users' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '691b01af-a6cc-47bc-b473-cfbde662d461', 'Role', $role );
// Return validation error
wp_die( 'Access denied', 403 );
}
}
},
0, // priority
2 // accepted_args
);
// https://wpscan.com/vulnerability/37581baa-b6c2-4584-95af-aba986fd8053/
add_filter(
'acfe/form/submit_user_args',
function ( $args, $form, $action ) {
if ( ! defined( 'ACFE_VERSION' ) || version_compare( ACFE_VERSION, '0.9.2.6', '>=' ) ) {
return $args;
}
if ( ! is_array( $action ) ) {
return $args;
}
$type = $action['type'] ?? '';
if ( 'insert_user' !== $type && 'update_user' !== $type ) {
return $args;
}
if ( current_user_can( 'promote_users' ) ) {
return $args;
}
$roles = is_array( $args ) ? ( $args['role'] ?? null ) : null;
if ( ! is_array( $roles ) ) {
$roles = array( $roles );
}
foreach ( $roles as $role ) {
if ( ! is_string( $role ) || '' === $role ) {
continue;
}
$normalized = strtolower( $role );
$elevated = ( 'administrator' === $normalized || 'super_admin' === $normalized );
if ( ! $elevated ) {
$role_object = get_role( $normalized );
$elevated = $role_object && $role_object->has_cap( 'edit_posts' );
}
if ( $elevated ) {
Atomic_Platform_Virtual_Patches::add_log( '37581baa-b6c2-4584-95af-aba986fd8053', 'Elevated Role', $action );
wp_die( 'Access denied.', 403 );
}
}
return $args;
},
0,
3
);
// https://wpscan.com/vulnerability/a4a9eab6-3c10-402c-a635-3ae275b12c1d/
add_filter(
'acfe/form/submit_user_args',
function ( $args, $form, $action ) {
if ( ! defined( 'ACFE_VERSION' ) || ! is_array( $action ) ) {
return $args;
}
if ( ( $action['type'] ?? '' ) !== 'update_user' ) {
return $args;
}
$target_id = is_array( $args ) ? (int) ( $args['ID'] ?? 0 ) : 0;
if ( $target_id <= 0 ) {
return $args;
}
if ( current_user_can( 'edit_user', $target_id ) ) {
return $args;
}
Atomic_Platform_Virtual_Patches::add_log( 'a4a9eab6-3c10-402c-a635-3ae275b12c1d', 'Account Takeover (update_user)', $action );
wp_die( 'Access denied.', 403 );
},
0,
3
);
// https://wpscan.com/vulnerability/501a3352-7597-409a-aa30-0a2dd6e1592f/
add_action(
'init',
function () {
if ( ! defined( 'WCML_VERSION' ) || version_compare( WCML_VERSION, '5.3.9', '>=' ) || current_user_can( 'manage_options' ) ) {
return;
}
if ( isset( $_POST['icl_ajx_action'] ) && 'icl_custom_tax_sync_options' === $_POST['icl_ajx_action'] ) {
Atomic_Platform_Virtual_Patches::add_log( '501a3352-7597-409a-aa30-0a2dd6e1592f' );
wp_die( 'Access Denied', 403 );
}
}
);
/**
* The logging and protection are separated because:
* - if both were hooked to get_comment_text, we would have log everytime a malicious comment is displayed
* - if both were hooked to preprocess_comment, existing payloads would not be processed, and we would modify comments before they are saved,
* which could cause some issue (ie the original comment data is lost and replaced with a sanitized one).
* Furthermore, the plugin actually modifies the comment before it is displayed, and then it becomes injected.
* When saved, the comment is not actually malicious.
*
* That way, we log when a comment is added/updated and protect it via sanitization when the comment is displayed
*
* Logging for
* https://wpscan.com/vulnerability/a45c74b7-b174-479f-9681-464601b082df/
* https://wpscan.com/vulnerability/fa3a84b6-6d5d-4e10-8587-ae49c127483b/
*/
add_filter(
'preprocess_comment',
function ( $comment_data ) {
if ( defined( 'RESPONSIVE_LIGHTBOX_URL' ) ) {
if ( ! isset( $comment_data['comment_content'] ) || stripos( $comment_data['comment_content'], 'data-rel' ) === false ) {
return $comment_data;
}
$all_plugins = get_plugins();
$slug = 'responsive-lightbox/responsive-lightbox.php';
if (
isset( $all_plugins[ $slug ] ) &&
version_compare( $all_plugins[ $slug ]['Version'], '1.7.0', '>=' ) &&
version_compare( $all_plugins[ $slug ]['Version'], '2.6.1', '<' )
) {
if ( $comment_data['comment_content'] !== wp_kses_post( $comment_data['comment_content'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'fa3a84b6-6d5d-4e10-8587-ae49c127483b', 'Sanitized Comment', $comment_data );
}
}
}
return $comment_data;
},
999
);
/** vPatch Sanitization for
* https://wpscan.com/vulnerability/a45c74b7-b174-479f-9681-464601b082df/
* https://wpscan.com/vulnerability/fa3a84b6-6d5d-4e10-8587-ae49c127483b/
*/
add_filter(
'get_comment_text',
function ( $comment_content ) {
if ( defined( 'RESPONSIVE_LIGHTBOX_URL' ) && stripos( $comment_content, 'data-rel' ) !== false ) {
$all_plugins = get_plugins();
$slug = 'responsive-lightbox/responsive-lightbox.php';
if (
isset( $all_plugins[ $slug ] ) &&
version_compare( $all_plugins[ $slug ]['Version'], '1.7.0', '>=' ) &&
version_compare( $all_plugins[ $slug ]['Version'], '2.6.1', '<' )
) {
return wp_kses_post( $comment_content );
}
}
return $comment_content;
},
999
);
// https://wpscan.com/vulnerability/78b2042a-683f-4a80-8b7a-c4c06aadca01
add_action(
'init',
function () {
if ( ! defined( 'SCCP_NAME_VERSION' ) || version_compare( SCCP_NAME_VERSION, '4.4.5', '>=' ) || empty( $_POST ) ) {
return;
}
foreach ( $_POST as $post_key => $post_value ) {
if ( stripos( $post_key, 'ays_sb_name_field_' ) === 0 && str_contains( $post_value, '<' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '78b2042a-683f-4a80-8b7a-c4c06aadca01', 'XSS', $post_value );
wp_die( 'Denied', 403 );
}
}
}
);
// https://wpscan.com/vulnerability/26d5963e-63bf-468c-877e-fd376e491773/
add_action(
'admin_init',
function () {
if ( ! defined( 'BDP_VERSION' ) || version_compare( BDP_VERSION, '4.0.1', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'bdp_load_more_posts' || ! isset( $_POST['shrt_param'] ) ) {
return;
}
$params = json_decode( wp_unslash( $_POST['shrt_param'] ), true );
if ( isset( $params['design'] ) && str_contains( $params['design'], '..' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '26d5963e-63bf-468c-877e-fd376e491773', 'LFI', $params['design'] );
wp_die( 'Access Denied', 403 );
}
}
);
add_filter(
'rest_request_before_callbacks',
function ( $response, $handler, $request ) {
$route = strtolower( (string) $request->get_route() );
// https://wpscan.com/vulnerability/42f7ac2a-7b2a-4b03-a84b-058f254cf15a/
if ( defined( 'PRFI_VERSION' ) ) { // don't rely on its value as it's not updated
// phpcs:ignore WordPress.WP.Capabilities.RoleFound
if ( strpos( $route, '/stocktend/v1/stocktend_object' ) === 0 && ! current_user_can( 'administrator' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '42f7ac2a-7b2a-4b03-a84b-058f254cf15a', 'REST', $request->get_body() );
wp_die( 'Sorry, you are not allowed to do that.', 401 );
}
}
// https://wpscan.com/vulnerability/e5e4ca9f-f823-409d-96ba-f7b3b0855371/
if ( defined( 'OPTML_VERSION' ) && version_compare( OPTML_VERSION, '4.2.3', '<' ) ) {
if ( strpos( $route, '/optml/v1/optimizations' ) === 0 && ! current_user_can( 'manage_options' ) ) {
$descriptors = $request->get_param( 's' );
if ( ! $descriptors || empty( $descriptors ) || ! is_array( $descriptors ) ) {
return $response;
}
foreach ( $descriptors as $descriptor ) {
foreach ( $descriptor as $config ) {
if ( ! empty( $config['s'] ) && ! preg_match( '/\A[\dw]+\z/', $config['s'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e5e4ca9f-f823-409d-96ba-f7b3b0855371', 'XSS', $request->get_params() );
wp_send_json_error( 'Denied', 403 );
}
}
}
}
}
return $response;
},
1,
3
);
// https://wpscan.com/vulnerability/3f9147f7-9aec-4dd8-be6e-cd7448dbe6dc
add_action(
'init',
function () {
if ( ! class_exists( 'excellikepricechangeforwoocommerceandwpecommercelight' ) ) {
return;
}
if ( isset( $_REQUEST['scemail'] ) && ! current_user_can( 'edit_users' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '3f9147f7-9aec-4dd8-be6e-cd7448dbe6dc', 'Privesc', $_REQUEST );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/bfcb8c41-1ccd-4f21-bf13-c2398e1948fc
add_action(
'admin_init',
function () {
if ( ! defined( 'EASYSTRIPE_VERSION' ) || version_compare( EASYSTRIPE_VERSION, '1.2', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'], $_POST['function'] ) || $_REQUEST['action'] !== 'easystripe_load_function' ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'bfcb8c41-1ccd-4f21-bf13-c2398e1948fc', 'Function Call', $_POST['function'] );
wp_die( 'Denied', 403 );
}
// User is an admin so we need to check if the function called is in the whitelist below
$allowed_functions = [ 'easystripe_report_overview', 'easystripe_earnings_report_callback' ];
if ( ! in_array( $_POST['function'], $allowed_functions, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'bfcb8c41-1ccd-4f21-bf13-c2398e1948fc', 'Function Call (Admin)', $_POST['function'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/d37954b2-63bb-4a12-8bdf-46d9bd3d8842/
// https://wpscan.com/vulnerability/9f8cf6c8-1cb8-4c8f-aa92-3d5221687e70/
add_action(
'init',
function () {
if ( ! class_exists( 'CleverReach\WordPress\Controllers\Clever_Reach_Article_Search_Controller' ) || ! isset( $_REQUEST['cleverreach_wp_controller'] ) ) {
return;
}
// Plugin does not have a constant with its version, so let's go old school
$all_plugins = get_plugins();
$slug = 'cleverreach-wp/cleverreach-wp.php';
if ( ! isset( $all_plugins[ $slug ] ) || ! isset( $all_plugins[ $slug ]['Version'] ) ) {
return;
}
$version = $all_plugins[ $slug ]['Version'];
// https://wpscan.com/vulnerability/d37954b2-63bb-4a12-8bdf-46d9bd3d8842/
if ( version_compare( $version, '1.5.21', '<' ) ) {
if ( isset( $_REQUEST['title'] ) ) {
global $wpdb;
$escaped = esc_sql( $wpdb->esc_like( $_REQUEST['title'] ) );
if ( $escaped !== $_REQUEST['title'] ) {
Atomic_Platform_Virtual_Patches::add_log( 'd37954b2-63bb-4a12-8bdf-46d9bd3d8842', 'SQLi', $_REQUEST['title'] );
wp_die( 'Denied', 403 );
}
}
}
// https://wpscan.com/vulnerability/9f8cf6c8-1cb8-4c8f-aa92-3d5221687e70/
if ( version_compare( $version, '1.5.22', '<' ) ) {
if ( isset( $_REQUEST['id'] ) && ! ctype_digit( $_REQUEST['id'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '9f8cf6c8-1cb8-4c8f-aa92-3d5221687e70', 'SQLi', $_REQUEST['id'] );
wp_die( 'Denied', 403 );
}
}
}
);
// https://wpscan.com/vulnerability/2ae77b48-30b4-4863-a4be-32ca379c1028/
add_action(
'admin_init',
function () {
if ( ! class_exists( 'DTLMSCore' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'dtlms_register_user_front_end' ) {
return;
}
if ( isset( $_POST['userrole'] ) && ! in_array( $_POST['userrole'], array( 'student', 'subscriber' ), true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '2ae77b48-30b4-4863-a4be-32ca379c1028', 'Privesc', $_POST['userrole'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/fe76a111-998e-469c-aaab-da17e911d23b/
add_action(
'init',
function () {
if ( ! defined( 'LATEPOINT_VERSION' ) || version_compare( LATEPOINT_VERSION, '5.2.0', '>=' ) ) {
return;
}
if ( ! isset( $_POST['params'] ) && ! isset( $_GET['customer'] ) ) {
return;
}
$post_params = [];
// Do not change this, otherwise bypasses will be possible
if ( ! empty( $_POST['params'] ) ) {
if ( is_string( $_POST['params'] ) ) {
parse_str( $_POST['params'], $post_params );
} elseif ( is_array( $_POST['params'] ) ) {
$post_params = $_POST['params'];
}
}
$params = stripslashes_deep( array_merge( $post_params, $_GET ) );
if ( empty( $params['current_step_code'] ) || empty( $params['customer'] ) ) {
return;
}
if ( $params['current_step_code'] === 'customer' && ! empty( $params['customer']['email'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'fe76a111-998e-469c-aaab-da17e911d23b', 'Auth Bypass', $params );
wp_die( 'Access Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/adc51414-6090-46df-9407-e5bc682147fa/
add_action(
'admin_init',
function () {
if ( ! defined( 'LOCAL_SYNC_VERSION' ) || version_compare( LOCAL_SYNC_VERSION, '1.1.9', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'process_add_site' || ! isset( $_POST['data'] ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) || ! check_ajax_referer( 'ls_revmakx', 'security', false ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'adc51414-6090-46df-9407-e5bc682147fa', 'Prod Key', $_POST['data'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/6a77aa5f-b1dc-4d8f-b0b0-5b7d7280a09c
add_action(
'init',
function () {
// All versions are affected at the time of writing (2.1.1)
if ( defined( 'SOCIAL_LOGIN_VERSION' ) ) {
remove_all_actions( 'wp_ajax_atbdp_social_login' );
remove_all_actions( 'wp_ajax_nopriv_atbdp_social_login' );
}
},
20
);
// https://wpscan.com/vulnerability/876d9d29-4705-4c75-b151-8140b2709155/
// https://wpscan.com/vulnerability/762530ae-80a5-4ff8-9725-6adab9498c33/
add_action(
'admin_init',
function () {
if ( ! defined( 'TRX_ADDONS_VERSION' ) || ! isset( $_FILES ) ) {
return;
}
if ( version_compare( TRX_ADDONS_VERSION, '2.34.0', '<' ) ) {
$indexes_to_check = [ 'upload_audio', 'upload_voice', 'upload_image', 'upload_music', 'upload_nusic' ];
$vuln_uuid = '876d9d29-4705-4c75-b151-8140b2709155';
} else {
$indexes_to_check = [ 'upload_voice' ];
$vuln_uuid = '762530ae-80a5-4ff8-9725-6adab9498c33';
}
foreach ( $indexes_to_check as $index ) {
if ( isset( $_FILES[ $index ] ) ) {
$validate = wp_check_filetype( $_FILES[ $index ]['name'] );
if ( $validate['type'] === false ) {
Atomic_Platform_Virtual_Patches::add_log( $vuln_uuid, 'File', $_FILES[ $index ] );
wp_die( 'Denied', 403 );
}
}
}
}
);
// https://wpscan.com/vulnerability/93e83da0-1784-4d94-87ba-ba902325f834/
add_action(
'admin_init',
function () {
if ( ! defined( 'WPFORMS_GOOGLESHEET_VERSION' ) || version_compare( WPFORMS_GOOGLESHEET_VERSION, '4.0.2', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || 'gscwpform_install_plugin' !== $_REQUEST['action'] ) {
return;
}
if ( ! isset( $_POST['plugin_slug'], $_POST['download_url'] ) ) {
return;
}
if ( ! current_user_can( 'install_plugins' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '93e83da0-1784-4d94-87ba-ba902325f834', 'Plugin Install', $_POST['download_url'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/b72c539b-4d56-4c54-8b24-fcae0e891e54/
add_filter(
'ninja_forms_submit_data',
function ( $form_data ) {
if ( ! class_exists( 'Ninja_Forms' ) ) {
return $form_data;
}
if ( version_compare( \Ninja_Forms::VERSION, '3.14.1', '>=' ) ) {
return $form_data;
}
if ( ! defined( 'DOING_AJAX' ) || ! DOING_AJAX ) {
return $form_data;
}
if ( empty( $_REQUEST['action'] ) || 'nf_ajax_submit' !== $_REQUEST['action'] ) {
return $form_data;
}
$fields = $form_data['fields'];
// Iterate over all fields in the form.
foreach ( $fields as $field_data ) {
// Skip non‑repeater fields.
if ( ! isset( $field_data['key'] ) || ! preg_match( '/^repeater/', $field_data['key'] ) ) {
continue;
}
$repeater_rows = isset( $field_data['value'] ) ? $field_data['value'] : [];
if ( ! is_array( $repeater_rows ) ) {
continue;
}
// Scan each row for merge tags.
foreach ( $repeater_rows as $row ) {
foreach ( $row as $sub_val ) {
// Only strings can contain merge tags.
if ( ! is_string( $sub_val ) ) {
continue;
}
// Basic merge‑tag pattern: {something}
if ( preg_match( '/\{((?:post|user)_meta|wp|form|other|querystring|submission|(?:all)?fields_table)/i', $sub_val ) ) {
// Attack detected, die early
Atomic_Platform_Virtual_Patches::add_log( 'b72c539b-4d56-4c54-8b24-fcae0e891e54', 'Tag', $sub_val );
wp_die( 'Invalid merge tags', 403 );
}
}
}
}
return $form_data;
},
999,
);
// https://wpscan.com/vulnerability/9973615c-7af8-44e7-8cae-8e45ccd362e6/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'WPVIVID_PLUGIN_VERSION' ) || version_compare( WPVIVID_PLUGIN_VERSION, '0.9.124', '>=' ) ) {
return;
}
if ( ! isset( $_POST['wpvivid_action'] ) ) {
return;
}
$vulnerable_actions = array( 'send_to_site', 'send_to_site_file_status' );
if ( in_array( $_POST['wpvivid_action'], $vulnerable_actions, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '9973615c-7af8-44e7-8cae-8e45ccd362e6', 'Action', $_POST );
wp_die( 'Denied', 403 );
}
},
1
);
// https://wpscan.com/vulnerability/370b1c37-4183-4496-83dc-786290b71367/
// https://wpscan.com/vulnerability/5f808149-1181-4e8c-9c1d-ef5e50cbe1b1/ (duplicate of the above one)
add_action(
'admin_init',
function () {
if ( ! defined( 'SRM_VERSION' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || 'starfish-execute-restore-default-options' !== $_REQUEST['action'] ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '370b1c37-4183-4496-83dc-786290b71367', 'Options', $_POST['options'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/1007861b-cf54-4f5e-b2eb-92b4b7029475/
// Hooked on `init` (after wp_magic_quotes rebuilds $_REQUEST) and before PixelYourSite reads these values.
add_action(
'init',
function () {
$fixed_version = '11.2.0.2';
$plugin_version = defined( 'PYS_FREE_VERSION' ) ? PYS_FREE_VERSION : '';
if ( empty( $plugin_version ) || version_compare( $plugin_version, $fixed_version, '>=' ) ) {
return;
}
$blocked = [];
// Sanitize cookie values PixelYourSite reads.
foreach ( array( 'pysTrafficSource', 'last_pysTrafficSource' ) as $cookie_key ) {
if ( isset( $_COOKIE[ $cookie_key ] ) ) {
$original = $_COOKIE[ $cookie_key ];
$_COOKIE[ $cookie_key ] = sanitize_text_field( $original );
if ( $original !== $_COOKIE[ $cookie_key ] ) {
$blocked[ $cookie_key ] = $original;
}
}
}
foreach ( array( 'pys_landing_page', 'last_pys_landing_page' ) as $cookie_key ) {
if ( isset( $_COOKIE[ $cookie_key ] ) ) {
$original = $_COOKIE[ $cookie_key ];
$_COOKIE[ $cookie_key ] = sanitize_url( $original );
if ( $original !== $_COOKIE[ $cookie_key ] ) {
$blocked[ $cookie_key ] = $original;
}
}
}
// Sanitize session values PixelYourSite uses as fallback.
if ( isset( $_SESSION['TrafficSource'] ) ) {
$original = $_SESSION['TrafficSource'];
$_SESSION['TrafficSource'] = sanitize_text_field( $original );
if ( $original !== $_SESSION['TrafficSource'] ) {
$blocked['TrafficSource'] = $original;
}
}
if ( isset( $_SESSION['LandingPage'] ) ) {
$original = $_SESSION['LandingPage'];
$_SESSION['LandingPage'] = sanitize_url( $original );
if ( $original !== $_SESSION['LandingPage'] ) {
$blocked['LandingPage'] = $original;
}
}
// Sanitize request keys that end up in `pys_enrich_data`.
foreach ( array( 'pys_source', 'last_pys_source' ) as $req_key ) {
if ( isset( $_REQUEST[ $req_key ] ) ) {
$original = $_REQUEST[ $req_key ];
$_REQUEST[ $req_key ] = sanitize_text_field( $original );
if ( $original !== $_REQUEST[ $req_key ] ) {
$blocked[ $req_key ] = $original;
}
}
}
foreach ( array( 'pys_landing', 'last_pys_landing' ) as $req_key ) {
if ( isset( $_REQUEST[ $req_key ] ) ) {
$original = $_REQUEST[ $req_key ];
$_REQUEST[ $req_key ] = sanitize_url( $original );
if ( $original !== $_REQUEST[ $req_key ] ) {
$blocked[ $req_key ] = $original;
}
}
}
if ( ! empty( $blocked ) ) {
Atomic_Platform_Virtual_Patches::add_log( '1007861b-cf54-4f5e-b2eb-92b4b7029475', 'XSS', $blocked );
}
},
0
);
// https://wpscan.com/vulnerability/005aa0d5-2bec-4b56-8dfb-7ef7dc3fa05e/
add_action(
'admin_init',
function () {
if ( ! defined( 'REVENUE_VER' ) || version_compare( REVENUE_VER, '2.1.4', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'revx_install' ) {
return;
}
if ( isset( $_POST['install_plugin'] ) && ! current_user_can( 'install_plugins' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '005aa0d5-2bec-4b56-8dfb-7ef7dc3fa05e', 'Plugin Install', $_POST['install_plugin'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/dda88031-50fd-49b7-a6b1-dc92b487e124/
add_action(
'init',
function () {
if ( ! class_exists( 'EcwidPlatform' ) || ! isset( $_POST['ec_store_admin_access'] ) ) {
return;
}
$all_plugins = get_plugins();
$slug = 'ecwid-shopping-cart/ecwid-shopping-cart.php';
if ( ! isset( $all_plugins[ $slug ] ) || version_compare( $all_plugins[ $slug ]['Version'], '7.0.8', '>=' ) ) {
return;
}
if ( ! current_user_can( 'edit_users' ) && ! current_user_can( 'ec_store_can_grant_access' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'dda88031-50fd-49b7-a6b1-dc92b487e124' );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/c8f5e821-1788-419f-a00c-cfd4306d0fa5/
add_action(
'init',
function () {
if ( ! defined( 'BOOSTER_VERSION' ) || version_compare( BOOSTER_VERSION, '5.0.2', '>=' ) ) {
return;
}
if ( isset( $_FILES['uploaded_file'] ) && ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'c8f5e821-1788-419f-a00c-cfd4306d0fa5',
'File',
[
'file' => $_FILES['uploaded_file'],
'content' => @gzdecode( @file_get_contents( $_FILES['uploaded_file']['tmp_name'] ) ),
]
);
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/3c18c3ba-44fd-4769-a877-04e1571a016b/
add_action(
'admin_init',
function () {
if ( ! has_action( 'wp_ajax_pxlart_upload_demo_manual' ) ) {
return;
}
add_action(
'wp_ajax_pxlart_upload_demo_manual',
function () {
if ( isset( $_FILES['file'] ) && ! current_user_can( 'install_plugins' ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'3c18c3ba-44fd-4769-a877-04e1571a016b',
'File',
[
'file' => $_FILES['file'],
'content' => @file_get_contents( $_FILES['file']['tmp_name'] ),
]
);
wp_die( 'Denied', 403 );
}
},
-1
);
},
999
);
// https://wpscan.com/vulnerability/998dbbf2-3b31-47aa-be3f-1d8806f6abe0/
add_action(
'init',
function () {
if ( ! defined( 'WPBDP_VERSION' ) ) {
return;
}
if ( version_compare( WPBDP_VERSION, '6.4.22', '>=' ) ) {
return;
}
$view = '';
if ( isset( $_REQUEST['wpbdp_view'] ) ) {
$view = $_REQUEST['wpbdp_view'];
// Normalize (same logic as the plugin's normalization function)
$view = strtolower( $view );
$view = remove_accents( $view );
$view = preg_replace( '/\s+/', '_', $view );
$view = preg_replace( '/[^a-zA-Z0-9_-]+/', '', $view );
}
if ( 'checkout' !== $view || ! isset( $_REQUEST['payment'] ) ) {
return;
}
if ( is_array( $_REQUEST['payment'] ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'998dbbf2-3b31-47aa-be3f-1d8806f6abe0',
'SQLi',
$_REQUEST['payment']
);
wp_die( esc_html__( 'Invalid Payment ID/key', 'business-directory-plugin' ), 403 );
}
}
);
// https://wpscan.com/vulnerability/7d815d93-e691-44be-813e-e187b3efd752/
add_action(
'init',
function () {
if ( ! defined( 'ORDERABLE_VERSION' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || 'iconic_onboard_orderable_install_plugin' !== $_REQUEST['action'] ) {
return;
}
if ( isset( $_POST['plugin_data'] ) && ! current_user_can( 'install_plugins' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '7d815d93-e691-44be-813e-e187b3efd752', 'Plugin Install', $_POST['plugin_data'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/7c3e9405-8b40-4eb3-91aa-11eb778ca9d5/
if ( isset( $_REQUEST['action'] ) && 'newsblogger_install_activate_plugin' === $_REQUEST['action'] ) {
add_action(
'wp_ajax_newsblogger_install_activate_plugin',
function () {
$theme = wp_get_theme();
if ( ! str_contains( $theme->get_stylesheet(), 'newsblogger' ) ) {
return;
}
if ( version_compare( $theme->get( 'Version' ), '0.2.6', '>=' ) ) {
return;
}
if ( ! isset( $_POST['_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_ajax_nonce'] ) ), 'plugin_installer_nonce' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '7c3e9405-8b40-4eb3-91aa-11eb778ca9d5', 'CSRF' );
wp_send_json_error( esc_html__( 'Nonce verification failed.', 'newsblogger' ), 403 );
}
},
1
);
}
// https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'WC_VERSION' ) || version_compare( WC_VERSION, '5.4.0', '<' ) || version_compare( WC_VERSION, '10.5.3', '>=' ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( '/wc/store/batch' !== $route && '/wc/store/v1/batch' !== $route ) {
return $result;
}
$sub_requests = $request->get_param( 'requests' );
if ( ! is_array( $sub_requests ) ) {
return $result;
}
foreach ( $sub_requests as $args ) {
$path = wp_parse_url( $args['path'] ?? '', PHP_URL_PATH );
if ( ! $path || strpos( $path, '/wc/store' ) !== 0 ) {
Atomic_Platform_Virtual_Patches::add_log(
'53ded097-274d-4850-82ee-620bf02f7553',
'Batch',
[
'params' => $request->get_params(),
'referer' => $_SERVER['HTTP_REFERER'] ?? 'n/a',
],
);
wp_die( 'Invalid path provided.', 400 );
}
}
return $result;
},
5,
3
);
// https://wpscan.com/vulnerability/6c263002-7d06-412c-81e3-393a7321e85f/
add_action(
'admin_init',
function () {
if ( ! has_action( 'wp_ajax_nopriv_wwlc_create_user' ) ) {
return;
}
$callback = function () {
$allowed_roles = array( 'customer', 'subscriber', 'wholesale_customer' );
// PHP auto-parses bracket notation (user_data[wwlc_role]) into nested arrays.
if ( ! empty( $_POST['user_data']['wwlc_role'] ) && ! in_array( $_POST['user_data']['wwlc_role'], $allowed_roles, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6c263002-7d06-412c-81e3-393a7321e85f', 'Privesc', $_POST['user_data']['wwlc_role'] );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_wwlc_create_user', $callback, -1 );
add_action( 'wp_ajax_nopriv_wwlc_create_user', $callback, -1 );
},
999
);
// https://wpscan.com/vulnerability/a3cc250e-abec-4c6f-bbbd-4e5cb2b468df/
add_action(
'admin_init',
function () {
if ( ! has_action( 'wp_ajax_nopriv_wwlc_file_upload_handler' ) ) {
return;
}
$callback = function () {
if ( ! isset( $_FILES['uploaded_file']['tmp_name'], $_FILES['uploaded_file']['name'] ) ) {
return;
}
$file_check = wp_check_filetype_and_ext( $_FILES['uploaded_file']['tmp_name'], $_FILES['uploaded_file']['name'] );
if ( false === $file_check['ext'] || false === $file_check['type'] ) {
Atomic_Platform_Virtual_Patches::add_log( 'a3cc250e-abec-4c6f-bbbd-4e5cb2b468df', 'File Upload', $_FILES['uploaded_file']['name'] );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_wwlc_file_upload_handler', $callback, -1 );
add_action( 'wp_ajax_nopriv_wwlc_file_upload_handler', $callback, -1 );
},
999
);
add_filter(
'pre_http_request',
function ( $pre, $args, $url ) {
$blocked_domains = [
'hacklinkpanel.app',
'hacklinkmarket.com',
'wpjs1.com',
'pixel-cdn.com',
'tidio.cc',
// https://wpscan.com/vulnerability/ddc83705-3df6-427c-957b-935135330f73/
'84.201.6.54',
// https://wpscan.com/vulnerability/0e5f5730-167d-4853-a764-bb9e3d62fdc4/
'escortwp.com',
// https://wpscan.com/vulnerability/0115a640-7139-4ef9-81be-6ee5c755a601/
'imagehosting.space',
];
$host = wp_parse_url( $url, PHP_URL_HOST );
if ( ! $host ) {
return $pre;
}
$host = strtolower( $host );
foreach ( $blocked_domains as $blocked ) {
if ( $host === $blocked || str_ends_with( $host, '.' . $blocked ) ) {
$message = 'Outgoing Request to %s (in %s:%d)';
$caller = Atomic_Platform_Virtual_Patches::determine_caller();
Atomic_Platform_Virtual_Patches::add_log( 'Malware', sprintf( $message, $url, $caller['file'], $caller['line'] ), $args );
return array(
'headers' => array(),
'body' => '',
'response' => array(
'code' => 200,
'message' => 'OK',
),
'cookies' => array(),
'filename' => null,
);
}
}
return $pre;
},
-1, // Priority
3 // Args
);
// https://wpscan.com/vulnerability/0e5f5730-167d-4853-a764-bb9e3d62fdc4/
$escortwp_block_content_wipe = function () {
if ( isset( $_POST['ajax_transient_time_check'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0e5f5730-167d-4853-a764-bb9e3d62fdc4', 'Backdoor (content deletion)', $_REQUEST );
}
wp_die( 'done' );
};
add_action( 'wp_ajax_ajax_check_mobile_detect_legacy', $escortwp_block_content_wipe, -1 );
add_action( 'wp_ajax_nopriv_ajax_check_mobile_detect_legacy', $escortwp_block_content_wipe, -1 );
// https://wpscan.com/vulnerability/0115a640-7139-4ef9-81be-6ee5c755a601/
add_action(
'plugins_loaded',
function () {
if ( ! function_exists( 'seo_automation_listen' ) ) {
return;
}
if ( ( isset( $_GET['Action'] ) && in_array( strtolower( (string) $_GET['Action'] ), [ 'checkfiles', 'checkwpfiles', 'buildfiles', 'update', 'updatecss', 'version', 'pr' ], true ) ) || isset( $_GET['phpconfirm'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0115a640-7139-4ef9-81be-6ee5c755a601', 'Premium SEO backdoor', $_REQUEST );
}
remove_action( 'init', 'seo_automation_listen', 1 );
remove_action( 'wp', 'seo_automation_schedule_cron' );
remove_action( 'wp', 'seo_custom' );
remove_action( 'wp_head', 'seo_automation_head_scripts' );
remove_action( 'wp_footer', 'seo_automation_copyright_footer', 1 );
remove_action( 'seo_automation_cron', 'seo_automation_cron_function' );
},
0
);
// https://wpscan.com/vulnerability/0115a640-7139-4ef9-81be-6ee5c755a601/
add_filter(
'wp_pre_insert_user_data',
function ( $data ) {
if ( is_array( $data ) && isset( $data['user_email'] ) && 'wppremiumseoplugin@gmail.com' === strtolower( trim( (string) $data['user_email'] ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0115a640-7139-4ef9-81be-6ee5c755a601', 'Premium SEO backdoor admin', $data );
wp_die( 'Access denied.', 403 );
}
return $data;
},
-1
);
// https://wpscan.com/vulnerability/0115a640-7139-4ef9-81be-6ee5c755a601/
add_filter(
'authenticate',
function ( $user ) {
if ( $user instanceof WP_User && 'wppremiumseoplugin@gmail.com' === strtolower( trim( (string) $user->user_email ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0115a640-7139-4ef9-81be-6ee5c755a601', 'Premium SEO backdoor admin login', $user->user_login );
return new WP_Error( 'authentication_failed', 'Access denied.' );
}
return $user;
},
99
);
if ( isset( $_POST['guvenlik_sifresi'] ) || isset( $_GET['guvenlik_sifresi'] ) ) {
add_action(
'init',
function () {
Atomic_Platform_Virtual_Patches::add_log( 'Malware', 'Backdoor (guvenlik_sifresi)', $_REQUEST );
wp_die( 'Access denied.', 403 );
},
0
);
}
// https://wpscan.com/vulnerability/e754ef68-40ae-4420-a0b8-6c23a83bc450/
add_action(
'template_redirect',
function () {
if ( ! defined( 'PROGRID_PLUGIN_VERSION' ) || version_compare( PROGRID_PLUGIN_VERSION, '5.9.9.8', '>=' ) ) {
return;
}
if ( ( ! isset( $_POST['reg_form_submit'] ) && ! isset( $_POST['pm_payment_method'] ) ) || current_user_can( 'promote_users' ) ) {
return;
}
$gid = absint( filter_input( INPUT_GET, 'gid', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
if ( $gid <= 0 ) {
return;
}
global $wpdb;
$table = $wpdb->prefix . 'promag_groups';
$associate_role = $wpdb->get_var( $wpdb->prepare( "SELECT associate_role FROM `{$table}` WHERE id = %d", $gid ) ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery, WordPress.DB.PreparedSQL.InterpolatedNotPrepared
if ( ! is_string( $associate_role ) || '' === $associate_role ) {
return;
}
$role = get_role( $associate_role );
if ( ! $role instanceof WP_Role ) {
return;
}
$privileged_caps = array( 'edit_posts', 'publish_posts', 'edit_others_posts', 'manage_categories', 'moderate_comments', 'manage_options', 'promote_users', 'edit_users', 'install_plugins', 'edit_theme_options' );
foreach ( $privileged_caps as $cap ) {
if ( ! empty( $role->capabilities[ $cap ] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e754ef68-40ae-4420-a0b8-6c23a83bc450', 'Privesc', $_REQUEST );
wp_die( 'Denied', 403 );
}
}
},
0
);
// https://wpscan.com/vulnerability/949e422c-fa0e-4848-b0ec-864d07fafaa1/
add_action(
'template_redirect',
function () {
if ( ! defined( 'PROGRID_PLUGIN_VERSION' ) || version_compare( PROGRID_PLUGIN_VERSION, '5.9.9.6', '>=' ) ) {
return;
}
if ( ! isset( $_POST['reg_form_submit'] ) && ! isset( $_POST['pm_payment_method'] ) ) {
return;
}
if ( is_user_logged_in() && ! has_action( 'profilegrid_group_register_onlogin' ) ) {
return;
}
$raw_login = isset( $_POST['user_login'] ) ? $_POST['user_login'] : ( $_POST['user_email'] ?? '' );
$user_name = is_string( $raw_login ) ? sanitize_user( $raw_login, true ) : '';
$raw_email = $_POST['user_email'] ?? '';
$user_email = is_string( $raw_email ) ? sanitize_email( trim( $raw_email ) ) : '';
if ( '' === $user_name
|| username_exists( $user_name )
|| ( ! is_multisite() && '' !== $user_email && email_exists( $user_email ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '949e422c-fa0e-4848-b0ec-864d07fafaa1', 'Account Takeover', $_REQUEST );
wp_die( 'Denied', 403 );
}
},
0
);
// https://wpscan.com/vulnerability/eb2f34bd-c626-4831-a886-c82882073bcd/
add_action(
'admin_init',
function () {
if ( ! defined( 'CE4WP_PLUGIN_VERSION' ) || version_compare( CE4WP_PLUGIN_VERSION, '1.6.5', '<' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'ce4wp_abandoned_checkouts_capture_guest_checkout' ) {
return;
}
if ( ! isset( $_GET['ce4wp-recover'] ) ) {
return;
}
if ( sanitize_key( $_GET['ce4wp-recover'] ) !== $_GET['ce4wp-recover'] ) {
Atomic_Platform_Virtual_Patches::add_log( 'eb2f34bd-c626-4831-a886-c82882073bcd', 'SQLi', $_GET['ce4wp-recover'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/69f36598-590f-4047-9d1e-4aaaacede409/
add_action(
'admin_init',
function () {
if (
defined( 'JLTMA_VER' ) &&
defined( 'JLTMA_VER_PRO' ) &&
version_compare( JLTMA_VER, '2.1.4', '>=' ) &&
version_compare( JLTMA_VER_PRO, '2.1.4', '>=' )
) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'jltma_widget_render_preview' ) {
return;
}
if ( ! current_user_can( 'edit_files' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '69f36598-590f-4047-9d1e-4aaaacede409', 'RCE', $_POST );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/
// https://wpscan.com/vulnerability/381fb82f-2fdc-49cb-bb0d-8d70ead61d86/
add_filter(
'get_comment_text',
function ( $comment_content ) {
if ( ! defined( 'SiteGround_Optimizer\VERSION' ) && ! defined( 'AUTOPTIMIZE_PLUGIN_VERSION' ) && ! defined( 'WCL_PLUGIN_VERSION' ) && ! defined( 'BREEZE_VERSION' ) ) {
return $comment_content;
}
if ( defined( 'AUTOPTIMIZE_PLUGIN_VERSION' ) && version_compare( AUTOPTIMIZE_PLUGIN_VERSION, '3.1.15', '>=' ) ) {
return $comment_content;
}
if ( defined( 'WCL_PLUGIN_VERSION' ) && version_compare( WCL_PLUGIN_VERSION, '2.4.2', '>=' ) ) {
return $comment_content;
}
if ( defined( 'SiteGround_Optimizer\VERSION' ) && version_compare( SiteGround_Optimizer\VERSION, '7.7.9', '>=' ) ) {
return $comment_content;
}
if ( defined( 'BREEZE_VERSION' ) && version_compare( BREEZE_VERSION, '2.5.6', '>=' ) ) {
return $comment_content;
}
if ( stripos( $comment_content, '%MINIFYHTML' ) !== false ) {
return 'Malicious Content Removed';
}
return $comment_content;
},
5
);
// https://wpscan.com/vulnerability/e27c6505-e32f-49cc-8890-77362fe8e76b/
add_action(
'init',
function () {
if ( ! isset( $_REQUEST['id_token'] ) ) {
return;
}
if ( ! str_contains( sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ), '/oauthcallback' ) && ! isset( $_REQUEST['code'] ) ) {
return;
}
if ( ! class_exists( 'MOAzure_Handler' ) ) {
return;
}
$all_plugins = get_plugins();
$slug = 'login-with-azure/mo_oauth_settings.php';
if ( ! isset( $all_plugins[ $slug ] ) ) {
return;
}
if ( version_compare( $all_plugins[ $slug ]['Version'], '2.2.6', '>=' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( 'e27c6505-e32f-49cc-8890-77362fe8e76b', 'Auth Bypass', $_REQUEST );
wp_die( 'Denied', 403 );
},
1
);
// https://wpscan.com/vulnerability/a78d6c18-97af-4789-8106-7d0de3845730
add_action(
'admin_init',
function () {
if ( ! defined( 'REALESTATE7_SL_THEME_VERSION' ) || version_compare( REALESTATE7_SL_THEME_VERSION, '3.5.2', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'ct_add_new_member' ) {
return;
}
$allowed_roles = [ 'subscriber', 'agent', 'broker', 'buyer', 'seller' ];
if ( isset( $_POST['ct_user_role'] ) && ! in_array( $_POST['ct_user_role'], $allowed_roles, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'a78d6c18-97af-4789-8106-7d0de3845730', 'Privesc', $_POST );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/e91c0901-ac93-4a06-8237-8e89aced7832/
add_action(
'admin_init',
function () {
// Only proceed if WowOptin is loaded and version is vulnerable
if ( ! defined( 'OPTN_VERSION' ) || version_compare( OPTN_VERSION, '1.4.25', '>=' ) ) {
return;
}
// Only proceed if this is the vulnerable AJAX action
if ( ! isset( $_REQUEST['action'] ) || 'optn_install' !== $_REQUEST['action'] ) {
return;
}
// Block users without install_plugins capability
if ( isset( $_POST['install_plugin'] ) && ! current_user_can( 'install_plugins' ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'e91c0901-ac93-4a06-8237-8e89aced7832',
'Plugin Install',
$_POST['install_plugin']
);
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/06c5dfc9-8726-40bd-81fc-3e0ab19a238a/
// https://wpscan.com/vulnerability/252a4518-d9d0-45bc-9560-ab5caf29efdc/
add_action(
'init',
function () {
$get_action = isset( $_GET['action'] ) ? $_GET['action'] : '';
$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
if ( 'dt_paypal_cancel' !== $get_action && 'update-user' !== $action && 'ultimate_booking_pro_new_reservation' !== $action ) {
return;
}
$all_plugins = get_plugins();
$slug = 'wedesigntech-ultimate-booking-addon/wedesigntech-ultimate-booking-addon.php';
if ( ! isset( $all_plugins[ $slug ] ) ) {
return;
}
// Auth bypass
if ( 'update-user' === $action && isset( $_REQUEST['hiduserid'] ) ) {
if ( ! current_user_can( 'edit_user', absint( $_REQUEST['hiduserid'] ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '06c5dfc9-8726-40bd-81fc-3e0ab19a238a', 'Auth bypass', $_REQUEST );
wp_die( 'Denied', 403 );
}
}
// Arbitrary option deletion
if ( 'dt_paypal_cancel' === $get_action && isset( $_GET['res'] ) ) {
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '252a4518-d9d0-45bc-9560-ab5caf29efdc', 'Arbitrary option deletion', $_GET );
wp_die( 'Denied', 403 );
}
}
// Unauthenticated auth bypass
if ( 'ultimate_booking_pro_new_reservation' === $action && ! is_user_logged_in() && isset( $_REQUEST['email'] ) && email_exists( $_REQUEST['email'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '252a4518-d9d0-45bc-9560-ab5caf29efdc', 'Unauthenticated auth bypass', $_REQUEST );
wp_die( 'Denied', 403 );
}
},
1
);
// https://wpscan.com/vulnerability/768014fd-0403-4182-b19e-3d46c92d8755/
add_action(
'admin_init',
function () {
if ( ! defined( 'WPF_VERSION' ) || version_compare( WPF_VERSION, '3.1.3', '>=' ) ) {
return;
}
$post_to_check = $_POST['settings']['filters']['order'] ?? $_POST['generalSettings'] ?? null;
if ( is_null( $post_to_check ) ) {
return;
}
$decoded = json_decode( stripslashes( $post_to_check ), true );
if ( is_null( $decoded ) ) {
return;
}
foreach ( $decoded as $filter ) {
if ( ! isset( $filter['settings'] ) ) {
continue;
}
if ( isset( $filter['settings']['f_list'] ) ) {
if ( esc_sql( $filter['settings']['f_list'] ) !== $filter['settings']['f_list'] ) {
Atomic_Platform_Virtual_Patches::add_log( '768014fd-0403-4182-b19e-3d46c92d8755', 'SQLi', $filter );
wp_die( 'Denied', 403 );
}
}
}
}
);
// https://wpscan.com/vulnerability/d64f04aa-c11c-4137-a05a-8037340da965/ - Unlimited Elements for Elementor < 2.0.6 - Unauthenticated Stored XSS
add_action(
'init',
function () {
$plugin_version = '';
if ( defined( 'UNLIMITED_ELEMENTS_VERSION' ) ) {
$plugin_version = (string) UNLIMITED_ELEMENTS_VERSION;
}
if ( '' === $plugin_version || version_compare( $plugin_version, '2.0.6', '>=' ) ) {
return;
}
$action_raw = null;
// This matches the `UniteFunctionsUC::getPostGetVariable()` behavior
if ( isset( $_POST['ucfrontajaxaction'] ) ) {
$action_raw = $_POST['ucfrontajaxaction'];
} elseif ( isset( $_GET['ucfrontajaxaction'] ) ) {
$action_raw = $_GET['ucfrontajaxaction'];
}
if ( ! is_string( $action_raw ) ) {
return;
}
$action = sanitize_key( $action_raw );
if ( 'submitform' !== $action ) {
return;
}
$formData = null;
if ( isset( $_POST['formData'] ) ) {
$formData = &$_POST['formData'];
} elseif ( isset( $_GET['formData'] ) ) {
$formData = &$_GET['formData'];
}
if ( ! is_array( $formData ) ) {
return;
}
$sanitized_fields = array();
foreach ( $formData as $key => $fields ) {
if ( is_array( $fields ) && isset( $fields['value'] ) && is_string( $fields['value'] ) ) {
$original_value = $fields['value'];
$sanitized_value = wp_kses_post( wp_unslash( $fields['value'] ) );
$formData[ $key ]['value'] = wp_slash( $sanitized_value );
if ( $original_value !== $formData[ $key ]['value'] ) {
$sanitized_fields[ $key ] = array(
'original' => $original_value,
'sanitized' => $formData[ $key ]['value'],
);
}
}
}
if ( ! empty( $sanitized_fields ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'd64f04aa-c11c-4137-a05a-8037340da965',
'Sanitized form field values',
$sanitized_fields
);
}
$_REQUEST['formData'] = $formData;
},
0
);
// https://wpscan.com/vulnerability/e5cde405-5b34-4d3d-bfda-325402b0a5bc/
add_filter(
'http_response',
function ( $response, $args, $url ) {
if ( ! defined( 'UNLIMITED_ELEMENTS_VERSION' ) || version_compare( UNLIMITED_ELEMENTS_VERSION, '2.0.11', '>=' ) || ! is_string( $url ) ) {
return $response;
}
if ( 'serpapi.com' !== strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) ) ) {
return $response;
}
$body = wp_remote_retrieve_body( $response );
if ( ! is_string( $body ) || false === strpos( $body, '<' ) ) {
return $response;
}
$data = json_decode( $body, true );
if ( empty( $data['reviews'] ) || ! is_array( $data['reviews'] ) ) {
return $response;
}
$changed = false;
foreach ( $data['reviews'] as $i => $review ) {
if ( ! isset( $review['snippet'] ) || ! is_string( $review['snippet'] ) ) {
continue;
}
$clean = wp_strip_all_tags( $review['snippet'] );
if ( $clean !== trim( $review['snippet'] ) ) {
$data['reviews'][ $i ]['snippet'] = $clean;
$changed = true;
}
}
if ( false === $changed ) {
return $response;
}
Atomic_Platform_Virtual_Patches::add_log( 'e5cde405-5b34-4d3d-bfda-325402b0a5bc', 'XSS', $url );
$response['body'] = wp_json_encode( $data );
return $response;
},
PHP_INT_MAX,
3
);
// https://wpscan.com/vulnerability/6680cc6a-9758-4040-bb39-7b9545041dc3/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! ( $request instanceof WP_REST_Request ) || strpos( strtolower( (string) $request->get_route() ), '/vitepos/v1/user/create' ) !== 0 ) {
return $result;
}
$role = $request->get_param( 'role' );
if ( ! is_string( $role ) || '' === $role ) {
return $result;
}
if ( current_user_can( 'promote_users' ) ) {
return $result;
}
if ( ! function_exists( 'get_plugins' ) ) {
require_once ABSPATH . 'wp-admin/includes/plugin.php';
}
$plugins = get_plugins();
$version = $plugins['vitepos-lite/vitepos-lite.php']['Version'] ?? '';
if ( '' === $version || version_compare( $version, '3.4.2', '>=' ) ) {
return $result;
}
$wp_role = get_role( strtolower( $role ) );
if ( ! $wp_role ) {
return $result;
}
$privileged_caps = array( 'manage_options', 'promote_users', 'edit_users', 'delete_users', 'manage_network', 'activate_plugins', 'install_plugins', 'edit_plugins' );
foreach ( $privileged_caps as $cap ) {
if ( ! empty( $wp_role->capabilities[ $cap ] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6680cc6a-9758-4040-bb39-7b9545041dc3', 'PrivEsc', $request->get_params() );
wp_die( 'Access denied.', 403 );
}
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/530312f1-9138-4b56-a256-49f2c2c196d1/
$tutor_lms_pro_vpatch = function () {
// Early parameter checks before running get_plugins() to avoid overhead on every request.
$auth_provider = isset( $_POST['auth'] ) ? sanitize_text_field( wp_unslash( $_POST['auth'] ) ) : '';
if ( ! in_array( $auth_provider, array( 'google', 'facebook' ), true ) ) {
return;
}
$token = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
$submitted_email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
if ( empty( $token ) || empty( $submitted_email ) ) {
return;
}
// Version check: Only patch vulnerable versions (< 3.9.6).
$all_plugins = get_plugins();
$slug = 'tutor-pro/tutor-pro.php';
if ( ! isset( $all_plugins[ $slug ] ) ) {
return;
}
if ( version_compare( $all_plugins[ $slug ]['Version'], '3.9.6', '>=' ) ) {
return;
}
$verified_email = null;
// Verify the token and get the ACTUAL email from the OAuth provider.
if ( 'google' === $auth_provider ) {
$response = wp_remote_get( 'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $token ) );
if ( ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response ) ) {
$body = json_decode( wp_remote_retrieve_body( $response ), true );
// Check if email is verified and get it.
// Note: Google returns email_verified as a string "true" or "false", not a boolean.
// Handle both string and boolean values explicitly.
if ( isset( $body['email'], $body['email_verified'] ) && ( $body['email_verified'] === 'true' || $body['email_verified'] === true ) ) {
$verified_email = $body['email'];
}
}
} elseif ( 'facebook' === $auth_provider ) {
$response = wp_remote_get( 'https://graph.facebook.com/me?fields=email&access_token=' . rawurlencode( $token ) );
if ( ! is_wp_error( $response ) && 200 === wp_remote_retrieve_response_code( $response ) ) {
$body = json_decode( wp_remote_retrieve_body( $response ), true );
if ( isset( $body['email'] ) ) {
$verified_email = $body['email'];
}
}
}
// FAIL CLOSED: If verification failed, block the request.
// This prevents attacks with invalid/forged tokens.
if ( $verified_email === null ) {
Atomic_Platform_Virtual_Patches::add_log( '530312f1-9138-4b56-a256-49f2c2c196d1', 'OAuth verification failed', $_POST );
wp_send_json_error( 'Authentication failed. Please try again.', 403 );
}
// Case-insensitive comparison (emails are case-insensitive per RFC 5321)
if ( strtolower( $verified_email ) !== strtolower( $submitted_email ) ) {
// EMAIL MISMATCH - This is an attack!
Atomic_Platform_Virtual_Patches::add_log(
'530312f1-9138-4b56-a256-49f2c2c196d1',
'Auth Bypass',
array(
'provider' => $auth_provider,
'submitted' => $submitted_email,
'verified' => $verified_email,
)
);
wp_send_json_error( 'Authentication failed. Please try again.', 403 );
}
// Emails match - request is safe to proceed to original handler
};
add_action( 'wp_ajax_nopriv_tutor_pro_social_authentication', $tutor_lms_pro_vpatch, 1 );
add_action( 'wp_ajax_tutor_pro_social_authentication', $tutor_lms_pro_vpatch, 1 );
// https://wpscan.com/vulnerability/064c39b8-5aba-489a-94ad-be562af4325a/
add_filter(
'rest_dispatch_request',
function ( $result, $request, $route ) {
if ( ! class_exists( 'FormGent' ) ) {
return $result;
}
if ( '/formgent/responses/attachments' !== strtolower( $route ) || 'DELETE' !== $request->get_method() ) {
return $result;
}
$file_token = $request->get_param( 'file_token' );
if ( ! $file_token ) {
return $result;
}
$decoded = base64_decode( $file_token, true );
if ( $decoded === false ) {
return $result;
}
if ( str_contains( $decoded, '..' ) || str_contains( $decoded, '/' ) || str_contains( $decoded, '\\' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '064c39b8-5aba-489a-94ad-be562af4325a', 'Path traversal', $decoded );
wp_die( 'Denied', 403 );
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/9e4870eb-cbcb-4a2a-bf4f-d4610f2afeca/
add_action(
'init',
function () {
if ( ! defined( 'APBCT_VERSION' ) || version_compare( APBCT_VERSION, '6.45', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['spbc_remote_call_token'] ) ) {
return;
}
$token = sanitize_textarea_field( $_REQUEST['spbc_remote_call_token'] );
if ( $token === 'd41d8cd98f00b204e9800998ecf8427e' || $token === 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' ) {
Atomic_Platform_Virtual_Patches::add_log( '9e4870eb-cbcb-4a2a-bf4f-d4610f2afeca', 'Plugin Install', $_REQUEST );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/b405bf0e-b253-445e-9c4d-67b7b871cb79/
$formidable_payment_vpatch = function () {
if ( ! class_exists( 'FrmAppHelper' ) || ! method_exists( 'FrmAppHelper', 'plugin_version' ) ) {
return;
}
$plugin_version = FrmAppHelper::plugin_version();
if ( '' === $plugin_version || version_compare( $plugin_version, '6.29', '>=' ) ) {
return;
}
$intent_id = sanitize_text_field( wp_unslash( (string) ( $_GET['payment_intent'] ?? '' ) ) );
if ( '' === $intent_id ) {
return;
}
if ( ! class_exists( 'FrmTransLitePayment' ) || ! class_exists( 'FrmStrpLiteAppHelper' ) || ! class_exists( 'FrmTransLiteAppHelper' ) || ! class_exists( 'FrmCurrencyHelper' ) ) {
return;
}
$frm_payment = new FrmTransLitePayment();
$payment = $frm_payment->get_one_by( $intent_id, 'receipt_id' );
if ( ! $payment || ! isset( $payment->amount ) ) {
return;
}
$intent = FrmStrpLiteAppHelper::call_stripe_helper_class( 'get_intent', $intent_id );
if ( ! is_object( $intent ) || ! isset( $intent->amount ) ) {
return;
}
$currency = FrmTransLiteAppHelper::get_action_setting( 'currency', array( 'payment' => $payment ) );
$currency = FrmCurrencyHelper::get_currency( $currency );
$actual_amount = intval( $intent->amount );
$expected_amount = round( floatval( $payment->amount ), 2 );
if ( isset( $currency['decimals'] ) && 0 !== (int) $currency['decimals'] ) {
$expected_amount *= 100;
}
$expected_amount = intval( round( $expected_amount ) );
if ( $expected_amount !== $actual_amount ) {
Atomic_Platform_Virtual_Patches::add_log(
'b405bf0e-b253-445e-9c4d-67b7b871cb79',
'PaymentIntent spoofing',
[
'expected' => $expected_amount,
'actual' => $actual_amount,
]
);
wp_die( 'Blocked by temporary mitigation.', 403 );
}
};
add_action( 'wp_ajax_nopriv_frmstrplinkreturn', $formidable_payment_vpatch, -1 );
add_action( 'wp_ajax_frmstrplinkreturn', $formidable_payment_vpatch, -1 );
// https://wpscan.com/vulnerability/e90b8027-14c1-415b-b94b-202020590d64/
// https://wpscan.com/vulnerability/5fa8a9d9-80a4-477e-849f-1e929762ef73/
add_action(
'init',
function () {
if ( ! defined( 'APBCT_VERSION' ) || version_compare( APBCT_VERSION, '6.72', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['plugin_name'], $_REQUEST['spbc_remote_call_action'] ) || isset( $_REQUEST['spbc_remote_call_token'] ) ) {
return;
}
if ( $_REQUEST['spbc_remote_call_action'] === 'get_fresh_wpnonce' ) {
return;
}
$ip = $_SERVER['REMOTE_ADDR'];
$allowed_ips = array_merge( gethostbynamel( 'netserv3.cleantalk.org' ), gethostbynamel( 'netserv4.cleantalk.org' ) );
if ( ! in_array( $ip, $allowed_ips, true ) ) {
$vuln_uuid = 'e90b8027-14c1-415b-b94b-202020590d64';
if ( version_compare( APBCT_VERSION, '6.44', '<' ) ) {
$vuln_uuid = '5fa8a9d9-80a4-477e-849f-1e929762ef73';
}
Atomic_Platform_Virtual_Patches::add_log(
$vuln_uuid,
'Action',
array(
'request' => $_REQUEST,
'ip' => $ip,
)
);
wp_die( 'Denied', 403 );
}
},
-1 // Priority
);
// https://wpscan.com/vulnerability/0d4635b5-2d79-4337-a1ad-6b8d02cfd64b/
$cleantalk_apbct_encode_data_xss = function ( $content ) {
if ( ! defined( 'APBCT_VERSION' ) || version_compare( APBCT_VERSION, '6.79', '>=' ) ) {
return $content;
}
if ( ! is_string( $content ) || false === stripos( $content, '[apbct_encode_data]' ) ) {
return $content;
}
return preg_replace_callback(
'/\[apbct_encode_data\](.*?)\[\/apbct_encode_data\]/is',
function ( $matches ) {
if ( false === strpos( $matches[1], '<' ) ) {
return $matches[0];
}
Atomic_Platform_Virtual_Patches::add_log( '0d4635b5-2d79-4337-a1ad-6b8d02cfd64b', 'XSS (apbct_encode_data)', $matches[0] );
return '';
},
$content
);
};
add_filter( 'comment_text', $cleantalk_apbct_encode_data_xss, 1 );
add_filter( 'comment_excerpt', $cleantalk_apbct_encode_data_xss, 1 );
// https://wpscan.com/vulnerability/e19c0bd9-8a80-4bed-a541-463069662d48/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'KIVI_CARE_VERSION' ) ) {
return $result;
}
if ( version_compare( KIVI_CARE_VERSION, '4.1.3', '>=' ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/kivicare/v1/auth/patient/social-login' ) === 0 ) {
Atomic_Platform_Virtual_Patches::add_log(
'e19c0bd9-8a80-4bed-a541-463069662d48',
'Auth Bypass',
[
'route' => $route,
'email' => $request->get_param( 'email' ),
]
);
wp_die( 'Denied', 403 );
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/24951a75-46e7-44f9-947b-070ca2f2b244/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'KIVI_CARE_VERSION' ) || ! is_object( $request ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/kivicare/v1/auth/register' ) !== false ) {
$user_role = $request->get_param( 'user_role' );
if ( is_string( $user_role ) && '' !== trim( $user_role )
&& ! in_array( strtolower( trim( $user_role ) ), array( 'kivicare_patient', 'patient' ), true )
&& ! current_user_can( 'kiviCare_clinic_admin' )
&& ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '24951a75-46e7-44f9-947b-070ca2f2b244', 'Privesc (registration role)', $user_role );
wp_die( 'Access denied.', 403 );
}
}
if ( strpos( $route, '/kivicare/v1/clinics/' ) !== false && strpos( $route, '/change-admin' ) !== false ) {
if ( ! current_user_can( 'kiviCare_clinic_admin' ) && ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '24951a75-46e7-44f9-947b-070ca2f2b244', 'Privesc (change-admin)', $route );
wp_die( 'Access denied.', 403 );
}
}
return $result;
},
11,
3
);
// https://wpscan.com/vulnerability/7c550b0e-7884-4231-a26c-b59dee0437e6/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'FUSION_BUILDER_VERSION' ) || version_compare( FUSION_BUILDER_VERSION, '3.11.14', '>=' ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( '/awb/rendered_content' === $route && ! current_user_can( 'edit_others_posts' ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'7c550b0e-7884-4231-a26c-b59dee0437e6',
'fusion-builder-awb-rendered-content-unauthorized',
[
'route' => $route,
'content' => $request->get_param( 'content' ),
]
);
wp_die( 'Denied', 403 );
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/bf7034ab-24c4-461f-a709-3f73988b536b/
$fusion_builder_block_ssrf_sink = function () {
if ( ! defined( 'FUSION_BUILDER_VERSION' ) || version_compare( FUSION_BUILDER_VERSION, '3.6.2', '>=' ) ) {
return;
}
if ( isset( $_POST['fusionAction'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'bf7034ab-24c4-461f-a709-3f73988b536b', 'SSRF', $_REQUEST );
wp_die( 'Denied', 403 );
}
};
add_action( 'wp_ajax_fusion_form_submit_form_to_url', $fusion_builder_block_ssrf_sink, 1 );
add_action( 'wp_ajax_nopriv_fusion_form_submit_form_to_url', $fusion_builder_block_ssrf_sink, 1 );
// https://wpscan.com/vulnerability/34df3d2e-006d-4cee-87f3-cb4d535ec667/
$fusion_builder_block_widget_markup = function () {
if ( ! defined( 'FUSION_BUILDER_VERSION' ) || version_compare( FUSION_BUILDER_VERSION, '3.15.3', '>=' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '34df3d2e-006d-4cee-87f3-cb4d535ec667', 'RCE', $_REQUEST );
wp_die( 'Denied', 403 );
};
add_action( 'wp_ajax_fusion_get_widget_markup', $fusion_builder_block_widget_markup, 1 );
add_action( 'wp_ajax_nopriv_fusion_get_widget_markup', $fusion_builder_block_widget_markup, 1 );
// https://wpscan.com/vulnerability/3f01ce7c-5098-41f2-82dd-191f6df43d35/
$fusion_builder_strip_privacy_expiration = function () {
if ( ! defined( 'FUSION_BUILDER_VERSION' ) || version_compare( FUSION_BUILDER_VERSION, '3.15.4', '>=' ) ) {
return;
}
if ( ! isset( $_POST['formData'] ) || ! is_string( $_POST['formData'] ) ) {
return;
}
parse_str( wp_unslash( $_POST['formData'] ), $form_data );
if ( ! isset( $form_data['privacy_expiration_action'] ) || 'delete' !== $form_data['privacy_expiration_action'] ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '3f01ce7c-5098-41f2-82dd-191f6df43d35', 'Arbitrary File Deletion', $form_data );
unset( $form_data['fusion_privacy_expiration_interval'], $form_data['privacy_expiration_action'] );
$_POST['formData'] = wp_slash( http_build_query( $form_data ) );
};
add_action( 'wp_ajax_fusion_form_submit_ajax', $fusion_builder_strip_privacy_expiration, 1 );
add_action( 'wp_ajax_nopriv_fusion_form_submit_ajax', $fusion_builder_strip_privacy_expiration, 1 );
// https://wpscan.com/vulnerability/fa3692d8-95ab-41fb-b9e5-ea86ef24f0d9/
if ( isset( $_GET['loginpress_code'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'LOGINPRESS_PRO_VERSION' ) || version_compare( LOGINPRESS_PRO_VERSION, '6.2.3', '>=' ) ) {
return;
}
$loginpress_code = preg_replace( '/[^a-zA-Z0-9]+/', '', sanitize_text_field( wp_unslash( $_GET['loginpress_code'] ) ) );
if ( is_string( $loginpress_code ) && strlen( $loginpress_code ) >= 20 ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( 'fa3692d8-95ab-41fb-b9e5-ea86ef24f0d9', 'Privilege Escalation', $_GET['loginpress_code'] );
wp_die( 'Access denied.', 403 );
},
10
);
}
// https://wpscan.com/vulnerability/0cbcb12f-9b80-4233-863d-7262313e6c4a/
$remove_xagio_api_key = function () {
if ( ! defined( 'XAGIO_CURRENT_VERSION' ) || version_compare( XAGIO_CURRENT_VERSION, '7.1.0.31', '>=' ) ) {
return;
}
global $wp_scripts;
if ( ! ( $wp_scripts instanceof WP_Scripts ) ) {
return;
}
foreach ( [ 'xagio_main', 'xagio_user', 'xagio_global' ] as $script_handle ) {
if ( ! isset( $wp_scripts->registered[ $script_handle ] ) ) {
continue;
}
$current_data = $wp_scripts->get_data( $script_handle, 'data' );
if ( ! $current_data ) {
continue;
}
// Remove api_key field using two-pattern approach for clean JSON
// First: Handle api_key in the middle (with trailing comma)
$modified_data = preg_replace(
'/"api_key"\s*:\s*"[^"]*"\s*,\s*/',
'',
$current_data
);
// Second: Handle api_key at the end (with leading comma)
$modified_data = preg_replace(
'/,\s*"api_key"\s*:\s*"[^"]*"/',
'',
$modified_data
);
$wp_scripts->registered[ $script_handle ]->extra['data'] = $modified_data;
}
};
add_action( 'wp_footer', $remove_xagio_api_key, 1 );
add_action( 'admin_footer', $remove_xagio_api_key, 1 );
// https://wpscan.com/vulnerability/df32569a-e4fe-430b-8310-df7be80d7249/
add_action(
'admin_init',
function () {
if ( ! defined( 'KALIFORMS_VERSION' ) || version_compare( KALIFORMS_VERSION, '2.4.10', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'kaliforms_form_process' ) {
return;
}
if ( empty( $_POST['data'] ) ) {
return;
}
$protected_keys = [ 'entryCounter', 'thisPermalink', 'submission_link' ];
foreach ( $_POST['data'] as $key => $value ) {
if ( in_array( $key, $protected_keys, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'df32569a-e4fe-430b-8310-df7be80d7249', 'RCE', $_POST );
wp_die( 'Denied', 403 );
}
}
}
);
// https://wpscan.com/vulnerability/66d7dc3a-bfc4-4878-938f-9745217e79a7/
add_action(
'admin_init',
function () {
if ( ! defined( 'RM_PLUGIN_VERSION' ) || version_compare( RM_PLUGIN_VERSION, '6.0.7.2', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'] ) || $_REQUEST['action'] !== 'rm_login_social_user' ) {
return;
}
if ( isset( $_POST['type'] ) && sanitize_text_field( $_POST['type'] ) === 'instagram' ) {
Atomic_Platform_Virtual_Patches::add_log( '66d7dc3a-bfc4-4878-938f-9745217e79a7', 'Privesc', $_POST );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/624c7617-e9ac-4c81-8953-ca8bb498537e/
add_filter(
'woocommerce_add_to_cart_validation',
function ( $is_valid, $product_id, $quantity ) {
if ( ! defined( 'WCPA_VERSION' ) ) {
return $is_valid;
}
if ( version_compare( WCPA_VERSION, '5.4.2', '>=' ) ) {
return $is_valid;
}
if ( ! class_exists( 'Acowebs\WCPA\Product' ) ) {
return $is_valid;
}
$wcpaProduct = new Acowebs\WCPA\Product();
$fields = $wcpaProduct->get_fields( $product_id );
if ( empty( $fields['fields'] ) || ! is_object( $fields['fields'] ) ) {
return $is_valid;
}
// Recursively look for fields included in price-calculation formulas
$formula_fields = [];
$find_formula_fields = function ( $v, $callback ) use ( &$formula_fields ) {
// Both {this.value} and {value} work.
if ( isset( $v['name'] ) && isset( $v['price'] ) && str_contains( $v['price'], 'value}' ) ) {
$formula_fields[] = $v;
}
foreach ( $v as $potential_field ) {
if ( is_object( $potential_field ) && $potential_field instanceof StdClass ) {
$callback( (array) $potential_field, $callback );
} elseif ( is_array( $potential_field ) ) {
$callback( (array) $potential_field, $callback );
}
}
};
$find_formula_fields( $fields, $find_formula_fields );
if ( empty( $formula_fields ) ) {
return $is_valid;
}
foreach ( $formula_fields as $field ) {
if ( ! empty( $_POST[ $field['name'] ] ) && is_string( $_POST[ $field['name'] ] ) ) {
if ( str_contains( $_POST[ $field['name'] ], "'" ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'624c7617-e9ac-4c81-8953-ca8bb498537e',
'Potential RCE payload escaped',
$_POST
);
$_POST[ $field['name'] ] = addslashes( $_POST[ $field['name'] ] );
}
}
}
return $is_valid;
},
1,
3
);
// https://wpscan.com/vulnerability/eea4999f-5f86-46fa-aab5-f6840d481967/
add_action(
'personal_options_update',
function () {
if ( ! defined( 'EXPIRE_USERS_VERSION' ) ) {
return;
}
if ( isset( $_POST['expire_user_role'] ) && ! current_user_can( 'edit_users' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'eea4999f-5f86-46fa-aab5-f6840d481967', 'Privesc', $_POST );
wp_die( 'Denied', 403 );
}
},
5 // Priority
);
// https://wpscan.com/vulnerability/679318f4-759c-4017-b3e1-4d809daa3f6b/
// https://wpscan.com/vulnerability/3a9ef6f7-3ea5-4329-b23d-71f5de8eac1e/
add_filter(
'rest_request_before_callbacks',
function ( $response, $handler, $request ) {
if ( ! defined( 'MASTERIYO_VERSION' ) || version_compare( MASTERIYO_VERSION, '2.1.7', '>=' ) ) {
return $response;
}
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/masteriyo/v1/users/' ) === 0 ) {
if ( ! isset( $request['id'], $request['roles'] ) || ! is_user_logged_in() ) {
return $response;
}
if ( ! current_user_can( 'edit_users' ) ) {
$vuln_uuid = version_compare( MASTERIYO_VERSION, '1.13.4', '<' ) ? '3a9ef6f7-3ea5-4329-b23d-71f5de8eac1e' : '679318f4-759c-4017-b3e1-4d809daa3f6b';
Atomic_Platform_Virtual_Patches::add_log( $vuln_uuid, 'Privesc', $request->get_params() );
wp_die( 'Denied', 403 );
}
}
return $response;
},
1, // Priority
3 // Args
);
// https://wpscan.com/vulnerability/0ee3abf4-1566-4a14-a548-865932b2125b/
add_filter(
'rest_request_before_callbacks',
function ( $response, $handler, $request ) {
if ( ! defined( 'MASTERIYO_VERSION' ) || version_compare( MASTERIYO_VERSION, '2.2.1', '>=' ) ) {
return $response;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/masteriyo/v1/users' ) !== 0 ) {
return $response;
}
$meta_data = $request['meta_data'];
if ( ! is_array( $meta_data ) || current_user_can( 'manage_options' ) ) {
return $response;
}
global $wpdb;
$prefix = $wpdb->get_blog_prefix();
$privileged_keys = array(
'roles',
'role',
'capabilities',
'user_level',
'session_tokens',
'wp_capabilities',
'wp_user_level',
$prefix . 'capabilities',
$prefix . 'user_level',
);
foreach ( $meta_data as $meta ) {
if ( ! is_array( $meta ) || ! isset( $meta['key'] ) ) {
continue;
}
if ( in_array( sanitize_key( $meta['key'] ), $privileged_keys, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0ee3abf4-1566-4a14-a548-865932b2125b', 'Privesc', $request->get_params() );
wp_die( 'Denied', 403 );
}
}
return $response;
},
1, // Priority
3 // Args
);
// https://wpscan.com/vulnerability/46004b6c-65b0-4d27-93cf-5680f1bd2199/
add_action(
'init',
function () {
if ( ! defined( 'ACPT_PLUGIN_VERSION' ) || version_compare( ACPT_PLUGIN_VERSION, '2.0.54', '>=' ) ) {
return;
}
if ( 'evaluateCodeAction' !== ( $_REQUEST['action'] ?? '' ) ) {
return;
}
if ( isset( $_POST['data'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '46004b6c-65b0-4d27-93cf-5680f1bd2199', 'RCE', $_POST );
wp_die( 'Access denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/576e3999-47f8-48c5-ad1f-d3b53d025d51/
add_action(
'admin_init',
function () {
if ( ! function_exists( 'loco_plugin_version' ) ) {
return;
}
if ( 'loco-config' !== ( $_GET['page'] ?? '' ) ) {
return;
}
if ( 'version' !== ( $_GET['action'] ?? '' ) ) {
return;
}
if ( version_compare( loco_plugin_version(), '2.8.3', '>=' ) ) {
return;
}
if ( isset( $_GET['update_href'] ) && ! preg_match( '#^https?://#i', $_GET['update_href'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '576e3999-47f8-48c5-ad1f-d3b53d025d51', 'XSS', $_GET['update_href'] );
}
unset( $_GET['update'], $_GET['update_href'], $_REQUEST['update'], $_REQUEST['update_href'] );
},
0
);
// https://wpscan.com/vulnerability/5aa50a99-b5df-4b6e-b855-74072e9f0751/
add_action(
'rest_api_init',
function () {
if ( ! defined( 'GF_GRAVITY_SMTP_VERSION' ) || version_compare( (string) GF_GRAVITY_SMTP_VERSION, '2.1.5', '>=' ) ) {
return;
}
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( 0 !== strcasecmp( '/gravitysmtp/v1/tests/mock-data', (string) $request->get_route() ) ) {
return $result;
}
Atomic_Platform_Virtual_Patches::add_log( '5aa50a99-b5df-4b6e-b855-74072e9f0751' );
wp_die( 'Denied', 403 );
},
10,
3
);
}
);
// https://wpscan.com/vulnerability/78a48081-1de2-4d16-9076-7f0e2c918abc/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'GF_GRAVITY_SMTP_VERSION' ) || version_compare( GF_GRAVITY_SMTP_VERSION, '2.1.4', '>' ) ) {
return;
}
add_action(
'wp_ajax_gravitysmtp_uninstall_plugin',
function () {
if ( ! current_user_can( 'activate_plugins' ) || ! wp_verify_nonce( 'gravitysmtp_uninstall_plugin', 'security' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '78a48081-1de2-4d16-9076-7f0e2c918abc' );
wp_die( ' Denied', 403 );
}
},
1
);
}
);
// Input side: https://wp.me/p3btAN-3vh
add_action(
'admin_init',
function () {
// phpcs:ignore WordPress.Security.NonceVerification.Missing
if ( ! isset( $_POST['action'] ) || $_POST['action'] !== 'rocket_beacon' || ! isset( $_POST['results'] ) ) {
return;
}
// phpcs:ignore WordPress.Security.NonceVerification.Missing
$results = json_decode( wp_unslash( $_POST['results'] ) );
if ( ! is_object( $results ) || empty( $results->lcp ) || ! is_array( $results->lcp ) ) {
return;
}
$modified = false;
foreach ( $results->lcp as $image ) {
if ( empty( $image->type ) ) {
continue;
}
// Sanitize picture source fields that are rendered unescaped.
if ( $image->type === 'picture' && ! empty( $image->sources ) && is_array( $image->sources ) ) {
foreach ( $image->sources as $source ) {
if ( ! is_object( $source ) ) {
continue;
}
foreach ( [ 'srcset', 'media', 'sizes', 'type' ] as $field ) {
if ( isset( $source->$field ) && is_string( $source->$field ) ) {
if ( strpbrk( $source->$field, "\"'\\<>" ) !== false ) {
$source->$field = esc_attr( $source->$field );
$modified = true;
}
}
}
}
}
// Sanitize img-srcset fields (srcset is stored unescaped in create_object).
if ( $image->type === 'img-srcset' ) {
foreach ( [ 'srcset', 'sizes' ] as $field ) {
if ( isset( $image->$field ) && is_string( $image->$field ) ) {
if ( strpbrk( $image->$field, "\"'\\<>" ) !== false ) {
$image->$field = esc_attr( $image->$field );
$modified = true;
}
}
}
}
}
if ( $modified ) {
Atomic_Platform_Virtual_Patches::add_log( 'wp-rocket-beacon-xss', 'Sanitized LCP data', $results );
// phpcs:ignore WordPress.Security.NonceVerification.Missing
$_POST['results'] = wp_slash( wp_json_encode( $results ) );
}
},
1
);
// Output-side: https://wp.me/p3btAN-3vh
add_filter(
'rocket_buffer',
function ( $html ) {
if ( ! is_string( $html ) || strpos( $html, 'data-rocket-preload' ) === false ) {
return $html;
}
// Match from <link...data-rocket-preload to the closing fetchpriority="high">.
// Using .*? with the s flag to span broken HTML from attribute injection or tag breakout.
return preg_replace_callback(
'/<link\b[^>]*?data-rocket-preload.*?fetchpriority="high">/is',
function ( $matches ) {
$tag = $matches[0];
if ( preg_match( '/\bon\w+\s*=/i', $tag ) || preg_match( '/<script/i', $tag ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'wp-rocket-beacon-xss', 'Stripped preload tag from output', $tag );
return '';
}
return $tag;
},
$html
);
},
18
);
// https://wpscan.com/vulnerability/bf59610b-98ba-4c05-b2fc-85c163e9a389/
add_action(
'init',
function () {
if ( defined( 'EAE_FILTER_PRIORITY' ) && defined( 'EAE_REGEXP' ) && strpos( EAE_REGEXP, '".*?"' ) !== false ) {
add_filter(
'eae_regexp',
function () {
return '{
(?:mailto:)?(?:[-!#$%&*+/=?^_`.{|}~\w\x80-\xFF]+)\@(?:[-a-z0-9\x80-\xFF]+(\.[-a-z0-9\x80-\xFF]+)*\.[a-z]+|\[[\d.a-fA-F:]+\])}xi';
}
);
}
}
);
// https://wpscan.com/vulnerability/97908c15-6e7a-4242-8c6f-66c8b804364c/
add_action(
'init',
function () {
if ( defined( 'CK_MAIL_VERSION' ) && version_compare( CK_MAIL_VERSION, '2.0.13', '<' ) ) {
add_filter(
'check_email_e_regexp',
function () {
return '{
(?:mailto:)?(?:[-!#$%&*+/=?^_`.{|}~\w\x80-\xFF]+)\@(?:[-a-z0-9\x80-\xFF]+(\.[-a-z0-9\x80-\xFF]+)*\.[a-z]+|\[[\d.a-fA-F:]+\])}xi';
}
);
}
}
);
// https://wpscan.com/vulnerability/7883a893-306e-4b44-984d-556c786f487f/
if ( isset( $_POST['action'] ) && 'mailpoet' === $_POST['action']
&& isset( $_POST['data']['sort_by'] ) && is_string( $_POST['data']['sort_by'] )
) {
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'MAILPOET_VERSION' ) ) {
return;
}
if ( version_compare( MAILPOET_VERSION, '5.23.0', '>=' ) ) {
return;
}
$sort_by = trim( $_POST['data']['sort_by'] );
$allowed = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_';
if ( '' === $sort_by || strlen( $sort_by ) !== strspn( $sort_by, $allowed ) ) {
Atomic_Platform_Virtual_Patches::add_log( '7883a893-306e-4b44-984d-556c786f487f', 'sort_by sanitized', $_POST['data']['sort_by'] );
$_POST['data']['sort_by'] = 'id';
}
},
0
);
}
// https://wpscan.com/vulnerability/0530006c-81cf-4472-bf8b-a28eb728e103/
if ( isset( $_POST['everest_forms']['form_fields'] ) && is_array( $_POST['everest_forms']['form_fields'] ) ) {
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'EFP_VERSION' ) ) {
return;
}
if ( version_compare( EFP_VERSION, '1.9.13', '>=' ) ) {
return;
}
foreach ( $_POST['everest_forms']['form_fields'] as $field_id => $field_value ) {
if ( ! is_string( $field_value ) ) {
continue;
}
if ( ! str_contains( $field_value, "'" ) ) {
continue;
}
Atomic_Platform_Virtual_Patches::add_log(
'0530006c-81cf-4472-bf8b-a28eb728e103',
'Potential RCE payload sanitized',
$field_value
);
$_POST['everest_forms']['form_fields'][ $field_id ] = addslashes( $field_value );
}
},
0
);
}
// https://wpscan.com/vulnerability/6f7de128-b04e-42b1-8699-9dfbd8bfefe9/
$ona_vuln_actions = array( 'ona_activate_child_theme', 'ona_update_child_theme' );
if ( isset( $_REQUEST['action'] ) && in_array( $_REQUEST['action'], $ona_vuln_actions, true ) ) {
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'ONA_VERSION' ) || version_compare( ONA_VERSION, '1.24', '>=' ) ) {
return;
}
if ( ! current_user_can( 'install_themes' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6f7de128-b04e-42b1-8699-9dfbd8bfefe9', 'Action', $_REQUEST );
wp_die( 'Denied', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/e1db44ac-5ab9-4245-8f63-3878025c04e2/
if ( isset( $_SERVER['HTTP_X_CACHE_STATUS'] ) && $_SERVER['HTTP_X_CACHE_STATUS'] === 'nw9xQmK4' ) {
self::add_log( 'e1db44ac-5ab9-4245-8f63-3878025c04e2', 'RCE (headers)', $_SERVER['HTTP_X_CACHE_KEY'] ?? '' );
wp_die( 'Denied', 403 );
}
add_action(
'init',
function () {
if ( isset( $_GET['_chk'] ) && get_option( '_wpc_ak' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e1db44ac-5ab9-4245-8f63-3878025c04e2', 'RCE (init)', $_REQUEST );
wp_die( 'Denied', 403 );
}
},
-1 // Priority
);
add_filter(
'wp_pre_insert_user_data',
function ( $data, $update, $id, $userdata ) {
$new_roles = (array) ( $userdata['role'] ?? [] );
$email = $data['user_email'] ?? $userdata['user_email'];
if ( in_array( 'administrator', $new_roles, true ) && $email === 'kiziltxt2@gmail.com' ) {
Atomic_Platform_Virtual_Patches::add_log( 'e1db44ac-5ab9-4245-8f63-3878025c04e2', 'Admin Creation', $data );
return new WP_Error( 'unauthorized', 'Unauthorized.', [ 'status' => 403 ] );
}
return $data;
},
1, // Priority
4 // args
);
// https://wpscan.com/vulnerability/81374e2e-1748-4533-b6d2-da5528c320b6/
add_action(
'admin_init',
function () {
if ( ! class_exists( 'NF_FU_File_Uploads' ) || version_compare( NF_File_Uploads()->plugin_version, '3.3.27', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'], $_POST['field_id'] ) || $_REQUEST['action'] !== 'nf_fu_upload' || empty( $_FILES ) ) {
return;
}
// Checks for any malicious filename in POST data
foreach ( $_POST as $value ) {
if ( ! is_string( $value ) ) {
continue;
}
if ( preg_match( '/\A(?:ph|ht).*\z/i', pathinfo( $value, PATHINFO_EXTENSION ) ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'81374e2e-1748-4533-b6d2-da5528c320b6',
'Upload',
[
'_request' => $_REQUEST,
'_files' => $_FILES,
]
);
wp_die( 'Denied', 403 );
}
}
},
1
);
// https://wpscan.com/vulnerability/490b3569-6810-4ac7-92a5-b1fca4203cfc/
if (
isset( $_REQUEST['action'], $_POST['change_plan_sub_id'] )
&& $_REQUEST['action'] === 'ppress_process_checkout'
) {
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'PPRESS_VERSION_NUMBER' ) || version_compare( (string) PPRESS_VERSION_NUMBER, '4.16.12', '>=' ) ) {
return;
}
$raw = $_POST['change_plan_sub_id'];
if ( ! is_string( $raw ) && ! is_numeric( $raw ) ) {
return;
}
$change_plan_sub_id = intval( $raw );
if ( $change_plan_sub_id <= 0 ) {
return;
}
global $wpdb;
// phpcs:ignore WordPress.DB.DirectDatabaseQuery
$sub_customer_id = (int) $wpdb->get_var(
$wpdb->prepare( "SELECT customer_id FROM `{$wpdb->prefix}ppress_subscriptions` WHERE id = %d", $change_plan_sub_id )
);
if ( $sub_customer_id <= 0 ) {
return;
}
// phpcs:ignore WordPress.DB.DirectDatabaseQuery
$current_customer_id = (int) $wpdb->get_var(
$wpdb->prepare( "SELECT id FROM `{$wpdb->prefix}ppress_customers` WHERE user_id = %d", get_current_user_id() )
);
if ( $current_customer_id !== $sub_customer_id ) {
Atomic_Platform_Virtual_Patches::add_log( '490b3569-6810-4ac7-92a5-b1fca4203cfc', 'cross-user change_plan_sub_id', $_POST );
wp_send_json_error( array( 'message' => esc_html__( 'You are not allowed to switch from this plan.', 'wp-user-avatar' ) ) );
}
},
0
);
}
// https://wpscan.com/vulnerability/cb7ad514-e0d5-4ff3-803a-918cdc194f39/
if ( isset( $_GET['ppress_myac_sub_action'], $_GET['sub_id'] ) ) {
add_action(
'wp',
function () {
if ( ! defined( 'PPRESS_VERSION_NUMBER' ) || version_compare( (string) PPRESS_VERSION_NUMBER, '4.16.17', '>=' ) ) {
return;
}
$raw = $_GET['sub_id'];
$sub_id = is_array( $raw ) ? ( empty( $raw ) ? 0 : 1 ) : (int) $raw;
if ( $sub_id <= 0 ) {
return;
}
global $wpdb;
// phpcs:ignore WordPress.DB.DirectDatabaseQuery
$sub_customer_id = (int) $wpdb->get_var(
$wpdb->prepare( "SELECT customer_id FROM `{$wpdb->prefix}ppress_subscriptions` WHERE id = %d", $sub_id )
);
if ( $sub_customer_id <= 0 ) {
return;
}
// phpcs:ignore WordPress.DB.DirectDatabaseQuery
$current_customer_id = (int) $wpdb->get_var(
$wpdb->prepare( "SELECT id FROM `{$wpdb->prefix}ppress_customers` WHERE user_id = %d", get_current_user_id() )
);
if ( $current_customer_id !== $sub_customer_id ) {
Atomic_Platform_Virtual_Patches::add_log( 'cb7ad514-e0d5-4ff3-803a-918cdc194f39', 'cross-user subscription action', $_GET );
wp_die( 'Access denied.', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/bfb14acb-051c-4bcb-adfc-10a27a00dfe7/
add_filter(
'ppress_acceptable_user_role',
function ( $roles, $form_id ) {
if ( ! defined( 'PPRESS_VERSION_NUMBER' )
|| version_compare( (string) PPRESS_VERSION_NUMBER, '4.16.18', '>=' )
|| ! class_exists( 'ProfilePress\Core\Classes\FormRepository', false ) ) {
return $roles;
}
$form_repository = 'ProfilePress\Core\Classes\FormRepository';
if ( $form_repository::is_drag_drop( $form_id, $form_repository::REGISTRATION_TYPE ) ) {
return $roles;
}
$structure = (string) $form_repository::get_form_meta( $form_id, $form_repository::REGISTRATION_TYPE, $form_repository::FORM_STRUCTURE );
if ( ! preg_match( '/\[reg-select-role([^\]]*)\]/', $structure, $matches ) ) {
return $roles;
}
$atts = shortcode_parse_atts( $matches[1] );
if ( ! is_array( $atts ) || empty( $atts['options'] ) || ! is_string( $atts['options'] ) ) {
return $roles;
}
$offered = array_values( array_filter( array_map( 'trim', explode( ',', $atts['options'] ) ) ) );
$over_broad = array_diff( (array) $roles, $offered );
if ( ! empty( $over_broad ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'bfb14acb-051c-4bcb-adfc-10a27a00dfe7',
'Privilege Escalation',
array(
'form_id' => $form_id,
'blocked_roles' => array_values( $over_broad ),
)
);
}
return $offered;
},
99,
2
);
// https://wpscan.com/vulnerability/b55ebf9e-a05d-4ae4-b653-da7db63e76d2/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'YMC_SMART_FILTER_VERSION' ) || version_compare( (string) YMC_SMART_FILTER_VERSION, '3.11.3', '>=' ) ) {
return $result;
}
if ( '/ymc/v1/posts/filter' !== strtolower( (string) $request->get_route() ) ) {
return $result;
}
if ( current_user_can( 'read_private_posts' ) ) {
return $result;
}
$json_params = $request->get_json_params();
$params = is_array( $json_params ) ? ( $json_params['params'] ?? null ) : null;
if ( ! is_array( $params ) || ! isset( $params['post_status'] ) ) {
return $result;
}
foreach ( (array) $params['post_status'] as $status ) {
if ( ! is_string( $status ) || 'publish' !== strtolower( trim( $status ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'b55ebf9e-a05d-4ae4-b653-da7db63e76d2', 'Non-public post_status', $params['post_status'] );
wp_die( 'Access denied.', 403 );
}
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/5315f748-624f-4670-8946-290367125aa7/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'HIPPOO_VERSION' ) || version_compare( (string) HIPPOO_VERSION, '1.9.5', '>=' ) ) {
return $result;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/wc-hippoo/v1/ext/' ) !== 0 ) {
return $result;
}
$user = wp_get_current_user();
if ( ! is_user_logged_in() || ! $user || ! $user->exists() ) {
Atomic_Platform_Virtual_Patches::add_log( '5315f748-624f-4670-8946-290367125aa7', 'Auth Bypass', $request->get_route() );
wp_die( 'Access denied.', 403 );
}
if ( in_array( 'administrator', (array) $user->roles, true ) ) {
return $result;
}
$settings = get_option( 'hippoo_permissions_settings', array() );
$perms = false;
foreach ( (array) $user->roles as $role ) {
if ( isset( $settings[ $role ] ) ) {
$perms = $settings[ $role ];
break;
}
}
$allowed = is_array( $perms )
&& ! empty( $perms['general']['enable_access'] )
&& ! empty( $perms['app_features']['access_extensions'] );
if ( ! $allowed ) {
Atomic_Platform_Virtual_Patches::add_log( '5315f748-624f-4670-8946-290367125aa7', 'Auth Bypass', $request->get_route() );
wp_die( 'Access denied.', 403 );
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/572229cb-8a09-406d-8623-7d6b553bfdde/
if ( isset( $_REQUEST['action'] )
&& is_string( $_REQUEST['action'] )
&& strpos( $_REQUEST['action'], 'mec_' ) === 0 ) {
add_action(
'init',
function () {
if ( ! defined( 'MEC_VERSION' ) || version_compare( MEC_VERSION, '7.34.0', '>=' ) ) {
return;
}
$atts = ( isset( $_REQUEST['atts'] ) && is_array( $_REQUEST['atts'] ) ) ? $_REQUEST['atts'] : array();
$sf = ( isset( $_REQUEST['sf'] ) && is_array( $_REQUEST['sf'] ) ) ? $_REQUEST['sf'] : array();
foreach ( array( 'include', 'exclude' ) as $key ) {
if ( ! isset( $atts[ $key ] ) || ! is_array( $atts[ $key ] ) ) {
continue;
}
foreach ( $atts[ $key ] as $value ) {
if ( ! is_scalar( $value ) || ! ctype_digit( (string) $value ) ) {
Atomic_Platform_Virtual_Patches::add_log( '572229cb-8a09-406d-8623-7d6b553bfdde', 'SQLi (atts ' . $key . ')', $value );
wp_die( 'Access denied.', 403 );
}
}
}
foreach ( array( $atts['address'] ?? null, $sf['address'] ?? null ) as $address ) {
if ( null === $address ) {
continue;
}
if ( ! is_scalar( $address ) ) {
Atomic_Platform_Virtual_Patches::add_log( '572229cb-8a09-406d-8623-7d6b553bfdde', 'SQLi (address)', $address );
wp_die( 'Access denied.', 403 );
}
$value = wp_unslash( (string) $address );
if ( $value !== esc_sql( $value ) ) {
Atomic_Platform_Virtual_Patches::add_log( '572229cb-8a09-406d-8623-7d6b553bfdde', 'SQLi (address)', $address );
wp_die( 'Access denied.', 403 );
}
}
},
0
);
}
// https://wpscan.com/vulnerability/194e35d8-08ca-402d-a9bb-52383bc3dfab/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( '/allcoach/v1/auth/register-client' !== strtolower( (string) $request->get_route() ) ) {
return $result;
}
if ( ! class_exists( 'AllCoach\Core\Constants', false ) || version_compare( (string) \AllCoach\Core\Constants::VERSION, '1.0.2', '>=' ) ) {
return $result;
}
$email = $request->get_param( 'email' );
if ( ! is_string( $email ) ) {
return $result;
}
$email = sanitize_text_field( $email );
if ( '' === $email ) {
return $result;
}
if ( email_exists( $email ) ) {
Atomic_Platform_Virtual_Patches::add_log( '194e35d8-08ca-402d-a9bb-52383bc3dfab', 'Account takeover (existing email)', $email );
wp_die( 'Access denied.', 403 );
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/3c7b37ab-b069-4257-82b2-5b4c54f7e503/
$salesmanago_export_vpatch = function () {
if ( ! defined( 'SM_VERSION' ) || version_compare( (string) SM_VERSION, '3.11.3', '>=' ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '3c7b37ab-b069-4257-82b2-5b4c54f7e503', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
};
foreach (
array(
'salesmanago_export_count_contacts',
'salesmanago_export_contacts',
'salesmanago_export_count_events',
'salesmanago_export_events',
'salesmanago_export_products',
) as $salesmanago_export_action
) {
add_action( 'wp_ajax_' . $salesmanago_export_action, $salesmanago_export_vpatch, -1 );
}
// https://wpscan.com/vulnerability/00c0b9f7-c559-463e-80ae-97d99e0ef99f/
add_action(
'init',
function () {
if ( ! defined( 'EEB_VERSION' ) || version_compare( EEB_VERSION, '2.4.7', '>=' ) ) {
return;
}
add_filter(
'eeb_mailto',
function ( $callback, $display = '', $email = '', $attrs = [] ) {
if ( is_callable( $callback ) ) {
return call_user_func( $callback, $display, $email, $attrs );
}
return str_replace( 'href=";"', 'href="javascript:;"', wp_kses_post( $callback ) );
},
99999,
4
);
}
);
// https://wpscan.com/vulnerability/0dde2d89-267f-4aca-b2f0-d086b15adff0/
add_filter(
'wpforo_form_prepare_values',
function ( $f ) {
if ( ! defined( 'WPFORO_VERSION' ) || ! is_array( $f ) || ! isset( $f['value'] ) || ! is_string( $f['value'] ) ) {
return $f;
}
$name = isset( $f['name'] ) ? $f['name'] : '';
$type = isset( $f['type'] ) ? $f['type'] : '';
if ( ! in_array( $name, array( 'location', 'skype' ), true ) && ! in_array( $type, array( 'url', 'email', 'tel' ), true ) ) {
return $f;
}
$safe = wp_kses(
$f['value'],
array(
'a' => array(
'href' => true,
'target' => true,
'rel' => true,
'title' => true,
),
),
array_merge( wp_allowed_protocols(), array( 'skype' ) )
);
if ( $safe !== $f['value'] ) {
Atomic_Platform_Virtual_Patches::add_log( '0dde2d89-267f-4aca-b2f0-d086b15adff0', 'Stored XSS', $f['value'] );
$f['value'] = $safe;
}
return $f;
},
99
);
// https://wpscan.com/vulnerability/11ac9587-18cc-4385-b3f2-cc7fda0dc5c4/
if ( isset( $_REQUEST['action'] ) && 'wpforo_delete_ajax' === $_REQUEST['action'] ) {
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'WPFORO_VERSION' ) || version_compare( WPFORO_VERSION, '2.4.17', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['postid'] ) ) {
return;
}
add_action(
'init',
function () {
global $wpdb;
$postid = absint( $_REQUEST['postid'] );
$table = $wpdb->prefix . 'wpforo_posts';
// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
$post = $wpdb->get_row(
$wpdb->prepare(
'SELECT postid, body FROM %i WHERE postid = %d',
$table,
$postid
),
ARRAY_A
);
if ( ! $post || empty( $post['body'] ) ) {
return;
}
preg_match_all(
'|\/wpforo\/default_attachments\/([^\s\"\]]+)|i',
$post['body'],
$matches,
PREG_SET_ORDER
);
if ( empty( $matches ) ) {
return;
}
$body_modified = false;
$sanitized_body = $post['body'];
$malicious_filenames = [];
foreach ( $matches as $match ) {
if ( empty( $match[1] ) ) {
continue;
}
$filename = urldecode( trim( $match[1] ) );
if ( preg_match( '/\.\.\/|\.\.\\\\|\.\/|\.\\\\/', $filename ) ) {
$sanitized_filename = $filename;
do {
$prev = $sanitized_filename;
$sanitized_filename = str_replace( [ '../', './', '\\' ], '', $sanitized_filename );
} while ( $sanitized_filename !== $prev );
// Remove any remaining leading dots
$sanitized_filename = ltrim( $sanitized_filename, '.' );
$sanitized_body = str_replace( $match[0], '/wpforo/default_attachments/' . $sanitized_filename, $sanitized_body );
$body_modified = true;
$malicious_filenames[] = $filename;
}
}
if ( $body_modified ) {
// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
$wpdb->update(
$table,
[ 'body' => $sanitized_body ],
[ 'postid' => $postid ],
[ '%s' ],
[ '%d' ]
);
Atomic_Platform_Virtual_Patches::add_log(
'11ac9587-18cc-4385-b3f2-cc7fda0dc5c4',
'Path Traversal',
[
'postid' => $postid,
'filenames' => $malicious_filenames,
]
);
}
},
1
);
},
0
);
}
// https://wpscan.com/vulnerability/33f60e48-68b6-4fd6-99b2-dbad9a82c9a3/
add_action(
'admin_init',
function () {
if ( ! defined( 'FEA_VERSION' ) || version_compare( FEA_VERSION, '3.28.21', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'], $_POST['acff'] ) || $_REQUEST['action'] !== 'frontend_admin/form_submit' ) {
return;
}
if ( ! empty( $_POST['acff']['admin_options'] ) && ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '33f60e48-68b6-4fd6-99b2-dbad9a82c9a3', 'Option', $_POST['acff']['admin_options'] );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/3660e0be-db18-493e-b3f3-e63d70ddb160/
// https://wpscan.com/vulnerability/bb7aa799-6ee3-4323-a35c-b44dfe877e34/
$acf_frontend_form_injection_vpatch = function () {
if ( ! defined( 'FEA_VERSION' ) || version_compare( FEA_VERSION, '3.29.3', '>=' ) ) {
return;
}
if ( isset( $_POST['_acf_form'] ) && is_array( $_POST['_acf_form'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'bb7aa799-6ee3-4323-a35c-b44dfe877e34', 'Form Injection Blocked', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_frontend_admin/form_submit', $acf_frontend_form_injection_vpatch, -1 );
add_action( 'wp_ajax_nopriv_frontend_admin/form_submit', $acf_frontend_form_injection_vpatch, -1 );
// https://wpscan.com/vulnerability/836bc6cd-42f0-4cd9-bb4c-ce5b0ff0d84b/
add_filter(
'frontend_admin/forms/sanitize_input',
function ( $value ) {
if ( ! defined( 'FEA_VERSION' ) || ! is_string( $value ) || '' === $value ) {
return $value;
}
$decoded = $value;
do {
$prev = $decoded;
$decoded = html_entity_decode( $prev, ENT_QUOTES );
} while ( $decoded !== $prev );
$clean = wp_kses_post( $decoded );
if ( $clean !== $value ) {
Atomic_Platform_Virtual_Patches::add_log( '836bc6cd-42f0-4cd9-bb4c-ce5b0ff0d84b', 'Stored XSS', $value );
}
return $clean;
},
PHP_INT_MAX
);
// https://wpscan.com/vulnerability/5c46a8a1-d55c-4fd4-9049-68102462cf95/
add_filter(
'frontend_admin/form_data',
function ( $form ) {
if ( ! defined( 'FEA_VERSION' ) || version_compare( FEA_VERSION, '3.29.3', '>=' ) ) {
return $form;
}
if ( ! is_array( $form ) || ! isset( $form['user_id'] ) ) {
return $form;
}
$target_user_id = is_scalar( $form['user_id'] ) ? (int) $form['user_id'] : 0;
if ( $target_user_id > 0 && ! current_user_can( 'edit_user', $target_user_id ) ) {
Atomic_Platform_Virtual_Patches::add_log( '5c46a8a1-d55c-4fd4-9049-68102462cf95', 'Account Takeover', $form );
wp_die( 'Access denied.', 403 );
}
return $form;
},
1
);
// https://wpscan.com/vulnerability/1963a5b3-8032-4003-914c-94c8bf9c7193/
if ( isset( $_REQUEST['action'], $_POST['billing_details']['email'] ) && 'express_pay_for_order' === $_REQUEST['action'] ) {
add_action(
'admin_init',
function () {
if ( defined( 'VISA_ACCEPTANCE_PLUGIN_VERSION' ) && ! is_user_logged_in() && email_exists( $_POST['billing_details']['email'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '1963a5b3-8032-4003-914c-94c8bf9c7193', 'Privesc', $_POST );
wp_die( 'Access denied.', 403 );
}
}
);
}
// https://wpscan.com/vulnerability/e1155bc0-e0fc-4ec0-84b1-3a7b23d82bf6/
if ( isset( $_REQUEST['action'] ) && 'jet_engine_ajax' === $_REQUEST['action'] ) {
$jet_engine_fq_callback = function () {
$all_plugins = get_plugins();
$slug = 'jet-engine/jet-engine.php';
if ( ! isset( $all_plugins[ $slug ] ) || version_compare( $all_plugins[ $slug ]['Version'], '3.8.6.2', '>=' ) ) {
return;
}
if ( empty( $_REQUEST['query']['filtered_query']['meta_query'] ) || ! is_array( $_REQUEST['query']['filtered_query']['meta_query'] ) ) {
return;
}
$allowed_compare = array(
'=',
'!=',
'>',
'>=',
'<',
'<=',
'LIKE',
'NOT LIKE',
'IN',
'NOT IN',
'BETWEEN',
'NOT BETWEEN',
'EXISTS',
'NOT EXISTS',
'REGEXP',
'NOT REGEXP',
'RLIKE',
);
foreach ( $_REQUEST['query']['filtered_query']['meta_query'] as $row ) {
if ( ! empty( $row['compare'] ) && ! in_array( strtoupper( trim( $row['compare'] ) ), $allowed_compare, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e1155bc0-e0fc-4ec0-84b1-3a7b23d82bf6', 'SQLi (filtered_query compare)', $row['compare'] );
wp_die( 'Denied', 403 );
}
}
};
add_action( 'wp_ajax_jet_engine_ajax', $jet_engine_fq_callback, -1 );
add_action( 'wp_ajax_nopriv_jet_engine_ajax', $jet_engine_fq_callback, -1 );
}
// https://wpscan.com/vulnerability/989986ef-89f7-4198-ba73-4bc3956123a7/
if ( isset( $_REQUEST['action'] ) && 'jet_engine_calendar_get_month' === $_REQUEST['action'] ) {
$jet_engine_calendar_vpatch = function () {
$all_plugins = get_plugins();
$slug = 'jet-engine/jet-engine.php';
if ( ! isset( $all_plugins[ $slug ] ) || version_compare( $all_plugins[ $slug ]['Version'], '3.7.8', '>=' ) ) {
return;
}
if ( isset( $_REQUEST['settings']['cache_id'] ) && ! ctype_digit( (string) $_REQUEST['settings']['cache_id'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '989986ef-89f7-4198-ba73-4bc3956123a7', 'XSS (cache_id)', $_REQUEST['settings']['cache_id'] );
$_REQUEST['settings']['cache_id'] = absint( $_REQUEST['settings']['cache_id'] );
$_POST['settings']['cache_id'] = $_REQUEST['settings']['cache_id'];
$_GET['settings']['cache_id'] = $_REQUEST['settings']['cache_id'];
}
};
add_action( 'wp_ajax_jet_engine_calendar_get_month', $jet_engine_calendar_vpatch, -1 );
add_action( 'wp_ajax_nopriv_jet_engine_calendar_get_month', $jet_engine_calendar_vpatch, -1 );
}
// https://wpscan.com/vulnerability/6eb62386-df9b-4d6d-af0d-2cba963e8bd2/
add_action(
'wp_ajax_nopriv_ai1wm_import',
function () {
if ( ! defined( 'AI1WM_VERSION' ) || version_compare( AI1WM_VERSION, '7.90', '>=' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '6eb62386-df9b-4d6d-af0d-2cba963e8bd2', 'Unauthenticated ai1wm_import', $_REQUEST );
wp_die( 'Denied', 403 );
},
1
);
// https://wpscan.com/vulnerability/4a82a6d1-03b9-425c-9a0b-2eb616bbfd90/
if ( isset( $_REQUEST['action'] ) && 'td_ajax_search' === $_REQUEST['action'] ) {
add_action(
'wp_ajax_nopriv_td_ajax_search',
function () {
if ( ! isset( $_POST['module'] ) ) {
return;
}
$module = $_POST['module'];
if ( ! preg_match( '/^(td_module_|tdb_module_|td_woo_product_module)/', $module ) ) {
Atomic_Platform_Virtual_Patches::add_log( '4a82a6d1-03b9-425c-9a0b-2eb616bbfd90', 'Module', $module );
wp_die( 'Denied', 403 );
}
},
-1
);
}
// https://wpscan.com/vulnerability/b276d067-6605-404b-80de-1a5f2cfce816/
if ( isset( $_GET['action'], $_GET['token'] ) && 'barcodeScannerConfigs' === $_GET['action'] ) {
add_action(
'init',
function () {
if ( ! defined( 'USBS_PLUGIN_BASE_URL' ) ) {
return;
}
$all_plugins = get_plugins();
$slug = 'barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/barcode-scanner.php';
if ( ! isset( $all_plugins[ $slug ] ) || version_compare( $all_plugins[ $slug ]['Version'], '1.12.0', '>=' ) ) {
return;
}
if ( ! is_user_logged_in() ) {
Atomic_Platform_Virtual_Patches::add_log( 'b276d067-6605-404b-80de-1a5f2cfce816', 'Action', $_REQUEST );
wp_die( 'Denied', 403 );
}
}
);
}
// https://wpscan.com/vulnerability/37f689e4-16e7-4ab7-86e2-a9f0b1675ed0/
add_action(
'save_post_wpcf7r_leads',
function ( $post_id ) {
if ( ! defined( 'WPCF7_PRO_REDIRECT_PLUGIN_VERSION' ) || version_compare( WPCF7_PRO_REDIRECT_PLUGIN_VERSION, '3.2.8', '>=' ) ) {
return;
}
if ( ! isset( $_POST['wpcf7-redirect']['files'] ) || ! is_array( $_POST['wpcf7-redirect']['files'] ) ) {
return;
}
foreach ( $_POST['wpcf7-redirect']['files'] as $index => $file ) {
if ( ! isset( $file['path'] ) ) {
continue;
}
$file_path = $file['path'];
// Block protocol-scheme paths (http://, phar://, ftp://, etc.)
if ( preg_match( '#^[a-zA-Z0-9+.-]+://#', $file_path ) ) {
Atomic_Platform_Virtual_Patches::add_log( '37f689e4-16e7-4ab7-86e2-a9f0b1675ed0', 'Protocol scheme', $file_path );
unset( $_POST['wpcf7-redirect']['files'][ $index ] );
continue;
}
// Block disallowed file extensions
$validate = wp_check_filetype( $file_path );
if ( ! $validate['type'] ) {
Atomic_Platform_Virtual_Patches::add_log( '37f689e4-16e7-4ab7-86e2-a9f0b1675ed0', 'Disallowed file type', $file_path );
unset( $_POST['wpcf7-redirect']['files'][ $index ] );
}
}
},
1
);
// https://wpscan.com/vulnerability/9a673a25-3dd5-421a-b628-ed53cc5037de/
add_action(
'registered_post_type',
function ( $post_type ) {
if ( 'wpcf7r_leads' !== $post_type ) {
return;
}
if ( ! defined( 'WPCF7_PRO_REDIRECT_PLUGIN_VERSION' ) || version_compare( WPCF7_PRO_REDIRECT_PLUGIN_VERSION, '3.2.5', '>=' ) ) {
return;
}
add_filter(
'get_post_metadata',
function ( $value, $object_id, $meta_key, $single ) {
if ( 'files' !== $meta_key ) {
return $value;
}
if ( get_post_type( $object_id ) !== 'wpcf7r_leads' ) {
return $value;
}
$meta_cache = wp_cache_get( $object_id, 'post_meta' );
if ( false === $meta_cache ) {
update_meta_cache( 'post', [ $object_id ] );
$meta_cache = wp_cache_get( $object_id, 'post_meta' );
}
if ( ! isset( $meta_cache['files'] ) ) {
return $value;
}
$raw = $meta_cache['files'];
$files = $single ? maybe_unserialize( $raw[0] ) : array_map( 'maybe_unserialize', $raw );
if ( ! is_array( $files ) ) {
return $value;
}
$upload_dir = wp_upload_dir();
$uploads_basedir = trailingslashit( wp_normalize_path( $upload_dir['basedir'] ) );
$modified = false;
foreach ( $files as $field_key => $file_data ) {
if ( ! is_array( $file_data ) || ! isset( $file_data['path'] ) ) {
continue;
}
$original = $file_data['path'];
$safe_name = sanitize_file_name( basename( $original ) );
$safe_path = $uploads_basedir . $safe_name;
if ( wp_normalize_path( $original ) !== $safe_path ) {
Atomic_Platform_Virtual_Patches::add_log( '9a673a25-3dd5-421a-b628-ed53cc5037de', 'Path sanitized', $original );
$files[ $field_key ]['path'] = $safe_path;
$modified = true;
}
}
if ( ! $modified ) {
return $value;
}
return $single ? $files : [ $files ];
},
5,
4
);
}
);
// https://wpscan.com/vulnerability/e5359923-b8c2-48fe-8196-c82f41ce4088/
add_action(
'wp_ajax_wcmlim_create_user',
function () {
if ( ! defined( 'WCMLIM_DIR_PATH' ) ) {
return;
}
$all_plugins = get_plugins();
$slug = 'WooCommerce-Multi-Locations-Inventory-Management/wcmlim.php';
if ( ! isset( $all_plugins[ $slug ] ) || version_compare( $all_plugins[ $slug ]['Version'], '4.2.16', '>=' ) ) {
return;
}
if ( isset( $_POST['user_role'] ) && ! current_user_can( 'add_users' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e5359923-b8c2-48fe-8196-c82f41ce4088', 'User Creation', $_POST );
wp_die( 'Denied', 403 );
}
},
-1
);
// https://wpscan.com/vulnerability/c332177a-9582-49a9-8565-ab8bf1b5222c
if ( isset( $_REQUEST['action'] ) && 'wcmlim_settings_operations' === $_REQUEST['action'] ) {
add_action(
'admin_init',
function () {
if ( ! defined( 'WCMLIM_DIR_PATH' ) ) {
return;
}
$all_plugins = get_plugins();
$slug = 'WooCommerce-Multi-Locations-Inventory-Management/wcmlim.php';
if ( ! isset( $all_plugins[ $slug ] ) || version_compare( $all_plugins[ $slug ]['Version'], '4.2.9', '>=' ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'c332177a-9582-49a9-8565-ab8bf1b5222c', 'Options', $_POST );
wp_die( 'Denied', 403 );
}
}
);
}
// https://wpscan.com/vulnerability/a6624782-24f4-4157-9f7e-5b7e53c12195/
add_action(
'admin_init',
function () {
if ( ! defined( 'HOUZEZ_THEME_VERSION' ) || version_compare( HOUZEZ_THEME_VERSION, '2.7.2', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'], $_POST['user_role'] ) || $_REQUEST['action'] !== 'houzez_register_user_with_membership' ) {
return;
}
$allowed_roles = [ 'houzez_agency', 'houzez_agent', 'houzez_buyer', 'houzez_seller', 'houzez_owner', 'houzez_manager' ];
if ( ! in_array( $_POST['user_role'], $allowed_roles, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'a6624782-24f4-4157-9f7e-5b7e53c12195', 'Privesc', $_POST );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/6507af99-d6ad-44e3-bdbb-d60dff325ba7/
add_action(
'admin_init',
function () {
if ( ! defined( 'HOUZEZ_LOGIN_PLUGIN_URL' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'], $_POST['role'] ) || $_REQUEST['action'] !== 'houzez_register' ) {
return;
}
$all_plugins = get_plugins();
$slug = 'houzez-login-register/houzez-login-register.php';
if ( empty( $all_plugins[ $slug ]['Version'] ) || version_compare( $all_plugins[ $slug ]['Version'], '2.6.4', '>=' ) ) {
return;
}
$allowed_roles = [ 'houzez_agency', 'houzez_agent', 'houzez_buyer', 'houzez_seller', 'houzez_owner', 'houzez_manager' ];
if ( ! in_array( $_POST['role'], $allowed_roles, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6507af99-d6ad-44e3-bdbb-d60dff325ba7', 'Privesc', $_POST );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/2193bf29-1d37-41de-863b-fa4f9472d507/
if ( isset( $_REQUEST['geticwppluginurl'] ) ) {
add_action(
'init',
function () {
if ( ! class_exists( 'ICWP_Plugin' ) ) {
return;
}
$controller = ICWP_Plugin::getController();
if ( $controller && version_compare( $controller->getVersion(), '5.5.4', '<' ) && ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '2193bf29-1d37-41de-863b-fa4f9472d507', 'PrivEsc' );
wp_die( 'Denied', 403 );
}
},
-100001 // Priority (plugin has it at -100000)
);
}
// https://wpscan.com/vulnerability/5e335bfd-b788-4f8c-9362-4bc8bc3f3fbd/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! function_exists( 'jet_engine' ) ) {
return $result;
}
if ( version_compare( jet_engine()->get_version(), '3.8.6.2', '>=' ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/jet-cct/' ) !== 0 ) {
return $result;
}
$cct_search = $request->get_param( '_cct_search' );
if ( ! empty( $cct_search ) && preg_match( '/[\'\\\\";()]/', $cct_search ) ) {
Atomic_Platform_Virtual_Patches::add_log( '5e335bfd-b788-4f8c-9362-4bc8bc3f3fbd', 'SQLi (_cct_search)', $cct_search );
wp_die( 'Denied', 403 );
}
$cct_search_by = $request->get_param( '_cct_search_by' );
if ( ! empty( $cct_search_by ) ) {
$fields = explode( ',', str_replace( ' ', '', $cct_search_by ) );
foreach ( $fields as $field ) {
if ( ! preg_match( '/^[a-zA-Z0-9_]+$/', $field ) ) {
Atomic_Platform_Virtual_Patches::add_log( '5e335bfd-b788-4f8c-9362-4bc8bc3f3fbd', 'SQLi (_cct_search_by)', $cct_search_by );
wp_die( 'Denied', 403 );
}
}
}
return $result;
},
10,
3
);
// https://wpscan.com/vulnerability/c097fb2c-7805-48f6-9903-ebf22b7901b7
if ( isset( $_REQUEST['action'] ) && 'bsr_ajax' === $_REQUEST['action'] ) {
add_action(
'admin_init',
function () {
if ( ! defined( 'BSR_VERSION' ) || version_compare( BSR_VERSION, '1.4.5', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['bsr-ajax'] ) || 'process_search_replace' !== $_REQUEST['bsr-ajax'] ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log(
'c097fb2c-7805-48f6-9903-ebf22b7901b7',
'PHP Object Injection - Search/Replace Operation',
[
'action' => $_REQUEST['action'],
'bsr-ajax' => $_REQUEST['bsr-ajax'],
]
);
wp_die( 'Denied', 403 );
},
1
);
}
// https://wpscan.com/vulnerability/428c25fd-b21b-4ebd-9c15-c8b645c847c3/
if ( isset( $_REQUEST['action'], $_POST['find_replace_pairs'] ) && 'wpmdb_process_pull_request' === $_REQUEST['action'] ) {
add_action(
'wp_ajax_nopriv_wpmdb_process_pull_request',
function () {
$all_plugins = get_plugins();
$slug = 'wp-migrate-db-pro/wp-migrate-db-pro.php';
if ( ! isset( $all_plugins[ $slug ] ) ) {
return;
}
if ( version_compare( $all_plugins[ $slug ]['Version'], '2.6.11', '>=' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '428c25fd-b21b-4ebd-9c15-c8b645c847c3', 'Object Injection', $_POST['find_replace_pairs'] );
wp_die( 'Denied', 403 );
},
1
);
}
// https://wpscan.com/vulnerability/a0b1c059-e156-4402-ac8d-67f8ad7386cc/
$wcjp_actions = [ 'fc_ajax_call', 'wcjp_ajax_call', 'core_frontend_ajax_calls', 'core_backend_ajax_calls' ];
if ( isset( $_REQUEST['action'], $_POST['operation'], $_POST['id'] ) && in_array( $_REQUEST['action'], $wcjp_actions, true ) ) {
add_action(
'admin_init',
function () {
if ( ! defined( 'WCJP_SLUG' ) ) {
return;
}
$operation = sanitize_text_field( wp_unslash( $_POST['operation'] ) );
if ( $operation === 'wce_editor_inline_code' && ! is_numeric( $_POST['id'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'a0b1c059-e156-4402-ac8d-67f8ad7386cc', 'SQLi/RCE', $_REQUEST );
wp_die( 'Denied', 403 );
}
}
);
}
// https://wpscan.com/vulnerability/4014e2f7-1db9-4ca7-b396-d5e4f12d7a21/
// Astra Theme < 4.12.4 - Contributor+ Stored XSS via Post Meta
$astra_xss_meta_keys = array( 'ast-page-background-meta', 'ast-content-background-meta' );
foreach ( $astra_xss_meta_keys as $astra_meta_key ) {
add_filter(
"sanitize_post_meta_{$astra_meta_key}",
function ( $meta_value ) {
if ( ! defined( 'ASTRA_THEME_VERSION' ) || version_compare( ASTRA_THEME_VERSION, '4.12.4', '>=' ) ) {
return $meta_value;
}
if ( ! is_array( $meta_value ) ) {
return $meta_value;
}
$original = $meta_value;
$devices = array( 'desktop', 'tablet', 'mobile' );
foreach ( $devices as $device ) {
if ( ! isset( $meta_value[ $device ] ) || ! is_array( $meta_value[ $device ] ) ) {
continue;
}
foreach ( $meta_value[ $device ] as $key => $value ) {
if ( is_string( $value ) ) {
$meta_value[ $device ][ $key ] = sanitize_text_field( $value );
}
}
}
if ( $meta_value !== $original ) {
Atomic_Platform_Virtual_Patches::add_log( '4014e2f7-1db9-4ca7-b396-d5e4f12d7a21', 'Sanitized Astra background meta', $original );
}
return $meta_value;
}
);
}
// https://wpscan.com/vulnerability/3ae46284-1530-4196-ad5c-ef796f59c618/
if ( isset( $_GET['wpfb-form-ajax'], $_POST['role'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'FORM_BUILDER_WP_VERSION' ) ) {
return;
}
if ( 'subscriber' !== $_POST['role'] && ! current_user_can( 'create_users' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '3ae46284-1530-4196-ad5c-ef796f59c618/', 'Privesc', $_POST );
wp_die( 'Denied', 403 );
}
},
-1 // Priority
);
}
// https://wpscan.com/vulnerability/0e82d028-9422-48de-b168-90ba78a492cb/
if (
isset( $_GET['page'] ) && 'masterslider' === $_GET['page']
&& ( isset( $_REQUEST['slider_params'] ) || isset( $_REQUEST['preset_style'] ) || isset( $_REQUEST['preset_buttons'] ) )
) {
add_action(
'admin_init',
function () {
if ( ! defined( 'MSWP_AVERTA_VERSION' ) ) {
return;
}
if ( ! version_compare( MSWP_AVERTA_VERSION, '3.6.5', '<=' ) ) {
return;
}
$serialized_pattern = '/^(O|a|C|s|i|d|b|N):\+?\d+:/';
// All three parameters follow the same msp_maybe_base64_decode() →
// json_decode() → MSPanel.* → maybe_unserialize() chain in preview.php.
$params_to_check = array_filter(
[
'slider_params' => $_REQUEST['slider_params'] ?? null,
'preset_style' => $_REQUEST['preset_style'] ?? null,
'preset_buttons' => $_REQUEST['preset_buttons'] ?? null,
]
);
foreach ( $params_to_check as $raw ) {
// Block raw serialized strings (WAF rule 933170 handles this in
// production; the vpatch covers local/WAF-bypassed environments).
if ( preg_match( $serialized_pattern, $raw ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0e82d028-9422-48de-b168-90ba78a492cb', 'PHP Object Injection Blocked', $raw );
wp_die( 'Denied', 403 );
}
// Mirroring msp_maybe_base64_decode(): try base64 decode first,
// fall back to raw JSON.
$decoded = base64_decode( $raw, true );
$data = json_decode( false !== $decoded ? $decoded : $raw, true );
if ( ! is_array( $data ) ) {
continue;
}
foreach ( $data as $panel_key => $panel_value ) {
if ( ! str_starts_with( (string) $panel_key, 'MSPanel.' ) ) {
continue;
}
if ( ! is_array( $panel_value ) ) {
continue;
}
foreach ( $panel_value as $leaf ) {
if ( ! is_string( $leaf ) ) {
continue;
}
// The plugin's get_parsable_*() methods apply a second
// json_decode() on each element before passing it to
// parse_slide() / parse_each_style() → maybe_unserialize().
$inner = json_decode( $leaf );
$to_check = is_string( $inner ) ? $inner : $leaf;
if ( preg_match( $serialized_pattern, $to_check ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0e82d028-9422-48de-b168-90ba78a492cb', 'PHP Object Injection Blocked', $raw );
wp_die( 'Denied', 403 );
}
}
}
}
},
9
);
}
// https://wpscan.com/vulnerability/993a95d2-6fce-48de-ae17-06ce2db829ef/
add_action(
'admin_init',
function () {
if ( ! defined( 'TD_COMPOSER' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'], $_POST['user'] ) || 'td_ajax_fb_login_user' !== $_REQUEST['action'] ) {
return;
}
$slug = 'td-composer/td-composer.php';
$plugins = get_plugins();
if ( empty( $plugins[ $slug ]['Version'] ) || ! preg_match( '/^([\d.]+)/', $plugins[ $slug ]['Version'], $matches ) ) {
return;
}
if ( version_compare( $matches[1], '3.5', '<' ) && isset( $_POST['user']['email'] ) && email_exists( $_POST['user']['email'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '993a95d2-6fce-48de-ae17-06ce2db829ef', 'Privesc', $_POST );
wp_die( 'Denied', 403 );
}
}
);
// https://wpscan.com/vulnerability/fff2ca0c-30b9-4a0d-b15f-3b35dede583a/
if ( isset( $_GET['opid'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'WFFN_VERSION' ) || version_compare( WFFN_VERSION, '3.14.0.3', '>=' ) ) {
return;
}
if ( $_GET['opid'] !== sanitize_key( $_GET['opid'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'fff2ca0c-30b9-4a0d-b15f-3b35dede583a', 'SQLi', $_GET['opid'] );
wp_die( 'Denied', 403 );
}
}
);
}
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'WFFN_VERSION' ) || version_compare( WFFN_VERSION, '3.15.0.2', '>=' ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/wffn/front' ) !== 0 ) {
return $result;
}
$params = $request->get_params();
if ( empty( $params['data']['track_data'] ) || ! is_array( $params['data']['track_data'] ) ) {
return $result;
}
foreach ( $params['data']['track_data'] as $track_data ) {
if ( ! empty( $track_data['current_step']['id'] ) && ! is_numeric( $track_data['current_step']['id'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'funnel-builder', 'SQLi (rest)', $params );
wp_send_json_error( 'Denied', 403 );
}
}
return $result;
},
1,
3
);
add_action(
'admin_init',
function () {
if ( ! defined( 'WFFN_VERSION' ) || version_compare( WFFN_VERSION, '3.15.0.2', '>=' ) ) {
return;
}
if ( ! isset( $_REQUEST['action'], $_POST['data'] ) || ! in_array( $_REQUEST['action'], [ 'wffn_maybe_setup_funnel', 'wffn_frontend_analytics' ], true ) ) {
return;
}
$post_data = json_decode( stripslashes( wffn_clean( wp_unslash( $_POST['data'] ) ) ), true );
if ( empty( $post_data['track_data'] ) || ! is_array( $post_data['track_data'] ) ) {
return;
}
foreach ( $post_data['track_data'] as $track_data ) {
if ( ! empty( $track_data['current_step']['id'] ) && ! is_numeric( $track_data['current_step']['id'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'funnel-builder', 'SQLi (ajax)', $post_data );
wp_die( 'Denied', 403 );
}
}
}
);
// https://wpscan.com/vulnerability/81035d75-81a5-486a-a9fb-b0d1e0befe3c
$wc_gateway_transbank = function () {
if ( ! defined( 'TRANSBANK_WEBPAY_REST_UPLOADS' ) ) {
return;
}
$all_plugins = get_plugins();
$slug = 'transbank-webpay-plus-rest/webpay-rest.php';
if ( ! isset( $all_plugins[ $slug ] ) || version_compare( $all_plugins[ $slug ]['Version'], '1.14.0', '>=' ) ) {
return;
}
$data_to_check = $_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET;
$keys_to_check = [ 'token_ws', 'TBK_TOKEN', 'TBK_ORDEN_COMPRA', 'TBK_ID_SESION' ];
foreach ( $keys_to_check as $key ) {
if ( ! empty( $data_to_check[ $key ] ) && ! preg_match( '/\A[\w\-:]+\z/i', $data_to_check[ $key ] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '81035d75-81a5-486a-a9fb-b0d1e0befe3c', 'XSS', $data_to_check );
wp_die( 'Denied', 403 );
}
}
};
add_action( 'woocommerce_api_wc_gateway_transbank_webpay_plus_rest', $wc_gateway_transbank );
add_action( 'woocommerce_api_wc_gateway_transbank_oneclick_return_payments', $wc_gateway_transbank );
// https://wpscan.com/vulnerability/4acfefc2-88a2-4dc5-8102-f0f8e4913661/
add_filter(
'get_avatar',
function ( $gravatar ) {
if ( ! defined( 'BREEZE_VERSION' ) || version_compare( BREEZE_VERSION, '2.4.5', '>=' ) ) {
return $gravatar;
}
$settings = get_option( 'breeze_advanced_settings' );
if ( ! isset( $settings['breeze-store-gravatars-locally'] ) || ! $settings['breeze-store-gravatars-locally'] ) {
return $gravatar;
}
$urls = [];
preg_match_all( '/srcset=["\']?((?:.(?!["\']?\s+(?:\S+)=|\s*\/?[>"\']))+.)["\']?/', $gravatar, $srcset );
if ( isset( $srcset[1] ) && isset( $srcset[1][0] ) ) {
$urls[] = explode( ' ', $srcset[1][0] )[0];
}
preg_match_all( '/src=["\']?((?:.(?!["\']?\s+(?:\S+)=|\s*\/?[>"\']))+.)["\']?/', $gravatar, $src );
if ( isset( $src[1] ) && isset( $src[1][0] ) ) {
$urls[] = explode( ' ', $src[1][0] )[0];
}
$allowed_types = array( 'image/jpeg', 'image/png', 'image/gif' );
$allowed_exts = array( 'jpeg', 'jpg', 'png', 'gif' );
foreach ( $urls as $url ) {
$host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
if ( 'gravatar.com' !== $host && ! str_ends_with( $host, '.gravatar.com' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '4acfefc2-88a2-4dc5-8102-f0f8e4913661', 'Upload (Bad host)', $gravatar );
return '';
}
$gravatar_name = basename( wp_parse_url( $url, PHP_URL_PATH ) );
$filetype = wp_check_filetype( $gravatar_name );
if (
( ! empty( $filetype['type'] ) && ! in_array( $filetype['type'], $allowed_types, true ) ) ||
( ! empty( $filetype['ext'] ) && ! in_array( $filetype['ext'], $allowed_exts, true ) )
) {
Atomic_Platform_Virtual_Patches::add_log( '4acfefc2-88a2-4dc5-8102-f0f8e4913661', 'Upload (Not an image)', $gravatar );
return '';
}
}
return $gravatar;
},
1 // Priority
);
// https://wpscan.com/vulnerability/1841f5d9-2527-43f9-8b8c-cc345c881bb6/
if ( isset( $_GET['cfsPreFill'] ) ) {
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'CFS_VERSION' ) || version_compare( CFS_VERSION, '1.8.0', '>=' ) ) {
return;
}
$sanitized_params = array();
foreach ( $_GET as $key => $value ) {
if ( ! is_string( $value ) ) {
continue;
}
if ( ! str_contains( $value, '{' ) && ! str_contains( $value, '}' ) ) {
continue;
}
$sanitized_params[ $key ] = $value;
$_GET[ $key ] = str_replace( array( '{', '}' ), array( '{', '}' ), $value );
}
if ( ! empty( $sanitized_params ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'1841f5d9-2527-43f9-8b8c-cc345c881bb6',
'SSTI payload sanitized',
$sanitized_params
);
}
},
0
);
}
// https://wpscan.com/vulnerability/54e4f5f3-61fa-49e2-8c5b-f7c6a7a6d481/
add_action(
'init',
function () {
if ( ! defined( 'AVADA_VERSION' ) || version_compare( AVADA_VERSION, '7.11.14', '>=' ) ) {
return;
}
add_action(
'comment_form_after_fields',
function () {
foreach ( array( 'recaptcha_error', 'type' ) as $avada_param ) {
if ( ! isset( $_GET[ $avada_param ] ) || ! is_string( $_GET[ $avada_param ] ) ) {
continue;
}
$original = wp_unslash( $_GET[ $avada_param ] );
$stripped = strip_shortcodes( $original );
if ( $stripped === $original ) {
continue;
}
Atomic_Platform_Virtual_Patches::add_log( '54e4f5f3-61fa-49e2-8c5b-f7c6a7a6d481', 'Shortcode Injection Stripped', $original );
$_GET[ $avada_param ] = wp_slash( $stripped );
}
},
9
);
},
10
);
// https://wpscan.com/vulnerability/6d642d46-a2fe-4b07-a53d-1935126b7e6b/
$wpforms_xss_callback = function () {
if ( ! defined( 'WPFORMS_VERSION' ) || version_compare( WPFORMS_VERSION, '1.8.5.4', '>=' ) ) {
return;
}
if ( ! isset( $_POST['wpforms']['fields'] ) || ! is_array( $_POST['wpforms']['fields'] ) ) {
return;
}
$entity_pattern = '/�*60;|�*62;|�*3c;|�*3e;/i';
foreach ( $_POST['wpforms']['fields'] as $key => $value ) {
if ( ! is_string( $value ) ) {
continue;
}
if ( preg_match( $entity_pattern, $value ) ) {
$original = $value;
$sanitized = preg_replace( $entity_pattern, '', $value );
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$_POST['wpforms']['fields'][ $key ] = $sanitized;
$_REQUEST['wpforms']['fields'][ $key ] = $sanitized;
Atomic_Platform_Virtual_Patches::add_log( '6d642d46-a2fe-4b07-a53d-1935126b7e6b', 'Sanitized entity-encoded XSS in wpforms field', $original );
}
}
};
add_action( 'wp_ajax_nopriv_wpforms_submit', $wpforms_xss_callback, -1 );
add_action( 'wp_ajax_wpforms_submit', $wpforms_xss_callback, -1 );
// https://wpscan.com/vulnerability/f943f511-1720-4e67-bb94-6753287ca6a6/
// https://wpscan.com/vulnerability/eea6acf4-42d7-4644-8adf-5e5ba78c98b2/
if ( isset( $_REQUEST['action'], $_GET['in5'] ) && 'in5' === $_REQUEST['action'] && 'upload' === $_GET['in5'] ) {
add_action(
'admin_init',
function () {
if ( ! defined( 'IN5_PLUGIN_PATH' ) ) {
return;
}
if ( ! current_user_can( 'install_plugins' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'eea6acf4-42d7-4644-8adf-5e5ba78c98b2', 'Blocked File Upload', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/56b75c6d-4484-40a7-b9e0-38117162008c/
add_action(
'admin_init',
function () {
if ( ! defined( 'PMXE_VERSION' ) || version_compare( PMXE_VERSION, '1.9.2', '>=' ) ) {
return;
}
if ( ! isset( $_GET['page'], $_GET['action'] )
|| ! in_array( $_GET['page'], [ 'pmxe-admin-export', 'pmxe-admin-manage' ], true )
|| 'process' !== $_GET['action']
|| ! isset( $_GET['id'] ) ) {
return;
}
$export = new PMXE_Export_Record();
$export->getById( (int) $_GET['id'] );
if ( empty( $export->options['cc_php'] ) || ! array_filter( $export->options['cc_php'] ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log(
'56b75c6d-4484-40a7-b9e0-38117162008c',
'Export with cc_php denied',
$export->id
);
wp_die( 'Exports with PHP snippets require WP All Export Pro 1.9.2+.', 403 );
},
1
);
// https://wpscan.com/vulnerability/3e26c412-c1d4-4e9a-a820-356ea79c2747/
if ( isset( $_SERVER['HTTP_MWP_ACTION'] ) ) {
add_action(
'muplugins_loaded',
function () {
if ( version_compare( $GLOBALS['MMB_WORKER_VERSION'] ?? '0', '4.9.32', '>=' ) ) {
return;
}
$headers = array(
'MWP-Action' => array( $_SERVER['HTTP_MWP_ACTION'] ?? '', '/^[A-Za-z0-9_\-]{1,256}$/' ),
'MWP-Key-Name' => array( $_SERVER['HTTP_MWP_KEY_NAME'] ?? '', '/^[A-Za-z0-9._\-\/=]{1,256}$/' ),
'MWP-Signature-Algorithm' => array( $_SERVER['HTTP_MWP_SIGNATURE_ALGORITHM'] ?? '', '/^[A-Za-z0-9_\-]{1,256}$/' ),
);
foreach ( $headers as $header_name => $check ) {
list( $header_value, $regex ) = $check;
if ( '' === $header_value ) {
continue;
}
if ( ! is_string( $header_value ) || ! preg_match( $regex, $header_value ) ) {
Atomic_Platform_Virtual_Patches::add_log( '3e26c412-c1d4-4e9a-a820-356ea79c2747', 'XSS', $header_name . ': ' . $header_value );
wp_die( 'Denied', 403 );
}
}
},
1
);
}
// https://wpscan.com/vulnerability/8227444f-57ea-4f6b-bdc2-15d3494a6ef0/
$af2_vuln_actions = array( 'af2_import', 'af2_demoimport', 'af2_export' );
if ( isset( $_REQUEST['action'] ) && in_array( $_REQUEST['action'], $af2_vuln_actions, true ) ) {
add_action(
'admin_init',
function () {
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'8227444f-57ea-4f6b-bdc2-15d3494a6ef0',
'RCE',
[
'_request' => $_REQUEST,
'_files' => $_FILES,
],
);
wp_die( 'Denied', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/262b9a2e-1035-45f1-a67b-1bad114a4623/
if ( isset( $_REQUEST['action'] ) && 'save_upe_appearance' === $_REQUEST['action'] ) {
$wcpay_vpatch = function () {
if ( ! defined( 'WCPAY_VERSION_NUMBER' ) || version_compare( WCPAY_VERSION_NUMBER, '10.6.0', '>=' ) ) {
return;
}
if ( current_user_can( 'manage_woocommerce' ) ) {
return;
}
wp_die( 'Denied', 403 );
};
add_action( 'wp_ajax_nopriv_save_upe_appearance', $wcpay_vpatch, 1 );
add_action( 'wp_ajax_save_upe_appearance', $wcpay_vpatch, 1 );
}
// https://wpscan.com/vulnerability/60b4d7fc-5d23-4dcf-bd7f-e202cabc2625/
if ( isset( $_REQUEST['action'] ) && 'nf_ajax_submit' === $_REQUEST['action'] ) {
add_action(
'init',
function () {
if ( ! class_exists( 'Ninja_Forms' ) || version_compare( Ninja_Forms::VERSION, '3.11.1', '>=' ) ) {
return;
}
$form_data = isset( $_POST['formData'] ) ? $_POST['formData'] : '';
if ( empty( $form_data ) || ! is_string( $form_data ) ) {
return;
}
$decoded = json_decode( wp_unslash( $form_data ), true );
if ( ! is_array( $decoded ) || empty( $decoded['fields'] ) || ! is_array( $decoded['fields'] ) ) {
return;
}
foreach ( $decoded['fields'] as $field ) {
if ( ! isset( $field['value'] ) || ! is_string( $field['value'] ) ) {
continue;
}
if ( preg_match( '/O:\+?\d+:/i', urldecode( $field['value'] ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '60b4d7fc-5d23-4dcf-bd7f-e202cabc2625', 'PHP Object Injection in formData', $field['value'] );
wp_die( 'Access denied', 403 );
}
}
},
1
);
}
// https://wpscan.com/vulnerability/25dcc4f5-944e-453b-b684-d5416a0546f7/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/user-verification/v2/process_form_data' ) !== 0 ) {
return $result;
}
$all_plugins = get_plugins();
if ( ! isset( $all_plugins['user-verification/user-verification.php'] ) || version_compare( $all_plugins['user-verification/user-verification.php']['Version'], '2.0.47', '>=' ) ) {
return $result;
}
if ( (int) $request->get_param( 'steps' ) === 2 && $request->get_param( 'otp' ) === true ) {
Atomic_Platform_Virtual_Patches::add_log( '25dcc4f5-944e-453b-b684-d5416a0546f7', 'Auth Bypass', $request->get_params() );
wp_die( 'Access denied.', 403 );
}
},
10,
3
);
// https://wpscan.com/vulnerability/4dff3634-4b4f-48e2-a8c9-dda7e2b682fd/
if ( isset( $_REQUEST['user_verification_action'] ) && is_string( $_REQUEST['user_verification_action'] ) && 'resend_verification' === trim( wp_unslash( $_REQUEST['user_verification_action'] ) ) ) {
add_action(
'template_redirect',
function () {
if ( ! class_exists( 'class_user_verification_manage_verification', false ) ) {
return;
}
if ( ! isset( $_REQUEST['user_id'] ) || ! is_string( $_REQUEST['user_id'] ) ) {
return;
}
$user_id = sanitize_text_field( wp_unslash( $_REQUEST['user_id'] ) );
if ( '' === $user_id ) {
return;
}
$status = (string) get_user_meta( $user_id, 'user_activation_status', true );
$settings = get_option( 'user_verification_settings' );
$existing_user_verified = ( is_array( $settings ) && isset( $settings['unverified']['existing_user_verified'] ) ) ? $settings['unverified']['existing_user_verified'] : 'no';
$target_is_verified = ( '1' === $status ) || ( '' === $status && 'yes' === $existing_user_verified );
if ( ! $target_is_verified ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '4dff3634-4b4f-48e2-a8c9-dda7e2b682fd', 'IDOR Account Lockout', $_REQUEST );
wp_die( 'Access denied.', 403 );
},
0
);
}
// https://wpscan.com/vulnerability/08fd20e1-0d42-4bd6-bcb3-8a7bec536fba/
if ( isset( $_COOKIE['litespeed_hash'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'LSCWP_V' ) || version_compare( LSCWP_V, '6.5.2', '>=' ) ) {
return;
}
if ( is_user_logged_in() ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '08fd20e1-0d42-4bd6-bcb3-8a7bec536fba', 'litespeed-cache privilege escalation blocked', $_COOKIE['litespeed_hash'] );
unset( $_COOKIE['litespeed_hash'] );
wp_die( 'Denied', 403 );
},
4
);
}
// https://wpscan.com/vulnerability/b4ce2a06-b435-4b77-851f-4406f2a91ca6/
if ( isset( $_REQUEST['action'] ) && 'refund' === $_REQUEST['action'] ) {
$eupago_refund_vpatch = function () {
if ( ! class_exists( 'WC_Eupago' ) || version_compare( WC_Eupago::VERSION, '4.7.2', '>=' ) ) {
return;
}
if ( ! current_user_can( 'manage_woocommerce' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'b4ce2a06-b435-4b77-851f-4406f2a91ca6', 'Blocked refund', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_refund', $eupago_refund_vpatch, -1 );
add_action( 'wp_ajax_nopriv_refund', $eupago_refund_vpatch, -1 );
}
// https://wpscan.com/vulnerability/11576769-67cc-480c-8db8-bb614a86835a/
add_action(
'wp_ajax_user_registration_membership_fetch_upgrade_path',
function () {
if ( ! defined( 'UR_VERSION' ) || version_compare( UR_VERSION, '5.1.3', '>=' ) ) {
return;
}
if ( isset( $_POST['membership_ids'] ) && is_array( $_POST['membership_ids'] ) ) {
foreach ( $_POST['membership_ids'] as $id ) {
if ( ! ctype_digit( (string) $id ) ) {
Atomic_Platform_Virtual_Patches::add_log( '11576769-67cc-480c-8db8-bb614a86835a', 'SQLi', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
}
}
},
-1
);
// https://wpscan.com/vulnerability/420f4067-f828-40c1-8153-be2ec98767e5/
add_action(
'profile_update',
function ( $user_id ) {
if ( ! defined( 'ASENHA_VERSION' ) || version_compare( ASENHA_VERSION, '7.6.3', '>=' ) ) {
return;
}
$viewing_admin_as = get_user_meta( $user_id, '_asenha_viewing_admin_as', true );
if ( empty( $viewing_admin_as ) || 'administrator' === $viewing_admin_as ) {
return;
}
$user = get_user_by( 'id', $user_id );
if ( ! $user ) {
return;
}
$options = get_option( 'admin_site_enhancements', array() );
if ( ! is_array( $options ) || empty( $options['viewing_admin_as_role_are'] ) || ! is_array( $options['viewing_admin_as_role_are'] ) ) {
return;
}
$usernames = $options['viewing_admin_as_role_are'];
$found = false;
foreach ( $usernames as $key => $username ) {
if ( $user->user_login === $username ) {
unset( $usernames[ $key ] );
$found = true;
}
}
if ( ! $found ) {
return;
}
$options['viewing_admin_as_role_are'] = array_values( $usernames );
update_option( 'admin_site_enhancements', $options, true );
delete_user_meta( $user_id, '_asenha_viewing_admin_as' );
delete_user_meta( $user_id, '_asenha_view_admin_as_original_roles' );
Atomic_Platform_Virtual_Patches::add_log( '420f4067-f828-40c1-8153-be2ec98767e5', 'Cleared ASE viewing-as state', $user->user_login );
},
5
);
// https://wpscan.com/vulnerability/a0c94f7f-6314-4ff2-bb92-ec02146975ff/
if ( isset( $_REQUEST['reset-for'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'ASENHA_VERSION' ) || version_compare( ASENHA_VERSION, '7.6.3', '<' ) || version_compare( ASENHA_VERSION, '8.8.4', '>=' ) ) {
return;
}
$reset_for = sanitize_text_field( wp_unslash( $_REQUEST['reset-for'] ) );
if ( '' === $reset_for ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
if ( is_user_logged_in() && wp_get_current_user()->user_login === $reset_for ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( 'a0c94f7f-6314-4ff2-bb92-ec02146975ff', 'Unauthenticated role restoration', $reset_for );
wp_die( 'Access denied.', 403 );
},
1
);
}
// https://wpscan.com/vulnerability/21b31199-01d5-4c43-8699-eca4bc7e8389/
$bpost_sqli_vpatch = function () {
if ( ! defined( 'BPOST_VERSION' ) || version_compare( BPOST_VERSION, '3.2.3', '>=' ) ) {
return;
}
$params = array( 'shipping_pickup_id', 'shipping_pickup_label', 'Bpost_pickup_extended' );
foreach ( array( $_POST, $_GET ) as $request ) {
foreach ( $params as $param ) {
$value = $request[ $param ] ?? '';
if ( ! is_string( $value ) || strpbrk( $value, "\"'\\`" ) === false ) {
continue;
}
Atomic_Platform_Virtual_Patches::add_log( '21b31199-01d5-4c43-8699-eca4bc7e8389', 'SQLi (' . $param . ')', $value );
wp_die( 'Access denied.', 403 );
}
}
};
add_action( 'woocommerce_checkout_update_order_meta', $bpost_sqli_vpatch, 1 );
add_action( 'wp_ajax_Bpost_set_pickup_point', $bpost_sqli_vpatch, -1 );
add_action( 'wp_ajax_nopriv_Bpost_set_pickup_point', $bpost_sqli_vpatch, -1 );
// https://wpscan.com/vulnerability/0c8eaa56-9fa3-4394-86f4-3b15e7078c10/
$revslider_ajax_vpatch = function () {
if ( ! defined( 'RS_REVISION' ) || version_compare( RS_REVISION, '7.0.0', '<' ) || version_compare( RS_REVISION, '7.0.11', '>=' ) ) {
return;
}
if ( current_user_can( 'install_plugins' ) ) {
return;
}
$data = $_POST['data'] ?? $_GET['data'] ?? null;
if ( ! is_array( $data ) ) {
return;
}
foreach ( $data as $image ) {
$id = is_array( $image ) ? ( $image['id'] ?? '' ) : '';
if ( ! is_string( $id ) || '' === $id ) {
continue;
}
$path = wp_parse_url( $id, PHP_URL_PATH ) ?? $id;
$ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0c8eaa56-9fa3-4394-86f4-3b15e7078c10', 'Upload', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
}
};
add_action( 'wp_ajax_revslider_ajax_action', $revslider_ajax_vpatch, -1 );
add_action( 'wp_ajax_rs_ajax_action', $revslider_ajax_vpatch, -1 );
// https://wpscan.com/vulnerability/e471516a-6f43-4a89-8486-7a638845e197/
if ( isset( $_GET['page'] ) && 'control-data' === $_GET['page'] ) {
add_action(
'admin_init',
function () {
if ( ! defined( 'INFILITY_GLOBAL_VERSION' ) || version_compare( INFILITY_GLOBAL_VERSION, '2.15.19', '>=' ) ) {
return;
}
$params = array(
'type' => null,
'orderby' => '/^[a-zA-Z0-9_]+$/',
'order' => '/^(asc|desc)$/i',
);
foreach ( $params as $param => $whitelist ) {
$value = $_GET[ $param ] ?? '';
if ( ! is_string( $value ) || '' === $value ) {
continue;
}
if ( $value !== esc_sql( $value ) || ( null !== $whitelist && ! preg_match( $whitelist, $value ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e471516a-6f43-4a89-8486-7a638845e197', 'SQLi (' . $param . ')', $value );
wp_die( 'Access denied.', 403 );
}
}
},
0
);
}
// https://wpscan.com/vulnerability/0d8efa0d-68d2-4117-a2d6-f69818d27d02/
$ms_import_check_payload = static function ( $raw_value ) {
if ( ! is_string( $raw_value ) || '' === $raw_value ) {
return;
}
$slideshows = json_decode( stripslashes( urldecode( $raw_value ) ), true );
if ( ! is_array( $slideshows ) ) {
return;
}
foreach ( $slideshows as $slideshow ) {
if ( ! is_array( $slideshow ) || ! isset( $slideshow['meta']['metaslider_slideshow_theme'] ) ) {
continue;
}
$theme = $slideshow['meta']['metaslider_slideshow_theme'];
$folder = '';
$version = '';
if ( is_array( $theme ) ) {
$folder = isset( $theme['folder'] ) ? (string) $theme['folder'] : '';
$version = isset( $theme['version'] ) ? (string) $theme['version'] : '';
} elseif ( is_string( $theme ) ) {
if ( preg_match( '/s:6:"folder";s:\d+:"([^"]*)"/', $theme, $m ) ) {
$folder = (string) $m[1];
}
if ( preg_match( '/s:7:"version";s:\d+:"([^"]*)"/', $theme, $m ) ) {
$version = (string) $m[1];
}
if ( '' === $folder && '' === $version ) {
Atomic_Platform_Virtual_Patches::add_log( '0d8efa0d-68d2-4117-a2d6-f69818d27d02', 'Unparseable serialized theme in slideshow import', $theme );
wp_die( 'Denied', 403 );
}
} else {
Atomic_Platform_Virtual_Patches::add_log( '0d8efa0d-68d2-4117-a2d6-f69818d27d02', 'Unexpected theme type in slideshow import', wp_json_encode( $theme ) );
wp_die( 'Denied', 403 );
}
if ( '' !== $folder && sanitize_key( $folder ) !== $folder ) {
Atomic_Platform_Virtual_Patches::add_log( '0d8efa0d-68d2-4117-a2d6-f69818d27d02', 'Path traversal in theme.folder', $folder );
wp_die( 'Denied', 403 );
}
if ( '' !== $version && ! preg_match( '/^v\d+(?:\.\d+)*$/', trim( $version ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0d8efa0d-68d2-4117-a2d6-f69818d27d02', 'Path traversal in theme.version', $version );
wp_die( 'Denied', 403 );
}
}
};
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) use ( $ms_import_check_payload ) {
if ( '/metaslider/v1/slideshow/import' !== strtolower( (string) $request->get_route() ) ) {
return $result;
}
if ( ! defined( 'METASLIDER_VERSION' ) || version_compare( METASLIDER_VERSION, '3.107.0', '>=' ) ) {
return $result;
}
$slideshows = $request->get_param( 'slideshows' );
if ( is_array( $slideshows ) || is_object( $slideshows ) ) {
$slideshows = wp_json_encode( $slideshows );
}
$ms_import_check_payload( (string) $slideshows );
$ms_import_check_payload( (string) $request->get_body() );
return $result;
},
10,
3
);
add_action(
'admin_init',
function () use ( $ms_import_check_payload ) {
if ( ! isset( $_REQUEST['action'] ) || 'ms_import_slideshows' !== $_REQUEST['action'] ) {
return;
}
if ( ! defined( 'METASLIDER_VERSION' ) || version_compare( METASLIDER_VERSION, '3.107.0', '>=' ) ) {
return;
}
$slideshows = isset( $_REQUEST['slideshows'] ) ? $_REQUEST['slideshows'] : '';
if ( is_array( $slideshows ) || is_object( $slideshows ) ) {
$slideshows = wp_json_encode( $slideshows );
}
$ms_import_check_payload( (string) $slideshows );
$ms_import_check_payload( (string) file_get_contents( 'php://input' ) );
},
0
);
// https://wpscan.com/vulnerability/49484c0e-1637-400e-a7dc-7acef8a578ce/
$charity_zone_install_vpatch = function () {
$theme = wp_get_theme();
if (
! str_contains( $theme->get_stylesheet(), 'charity-zone' )
&& ! str_contains( $theme->get_template(), 'charity-zone' )
&& 'charity-zone' !== $theme->get( 'TextDomain' )
) {
return;
}
if ( version_compare( $theme->get( 'Version' ), '1.1.2', '>=' ) ) {
return;
}
if ( current_user_can( 'install_plugins' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '49484c0e-1637-400e-a7dc-7acef8a578ce', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_charity_zone_install_and_activate_plugin', $charity_zone_install_vpatch, -1 );
add_action( 'wp_ajax_tm_install_and_activate_plugin', $charity_zone_install_vpatch, -1 );
// https://wpscan.com/vulnerability/98e07a3d-5214-41fe-8293-c51f6b8c0335/
$restaurant_zone_install_vpatch = function () {
$theme = wp_get_theme();
if (
! str_contains( $theme->get_stylesheet(), 'restaurant-zone' )
&& ! str_contains( $theme->get_template(), 'restaurant-zone' )
&& 'restaurant-zone' !== $theme->get( 'TextDomain' )
) {
return;
}
if ( version_compare( $theme->get( 'Version' ), '0.7.9', '>=' ) ) {
return;
}
if ( current_user_can( 'install_plugins' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '98e07a3d-5214-41fe-8293-c51f6b8c0335', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_restaurant_zone_install_and_activate_plugin', $restaurant_zone_install_vpatch, -1 );
add_action( 'wp_ajax_tm_install_and_activate_plugin', $restaurant_zone_install_vpatch, -1 );
// https://wpscan.com/vulnerability/9361a3f8-6ca4-4d3b-95eb-baf9cf1c4e99/
$kids_online_store_install_vpatch = function () {
$theme = wp_get_theme();
if (
! str_contains( $theme->get_stylesheet(), 'kids-online-store' )
&& ! str_contains( $theme->get_template(), 'kids-online-store' )
&& 'kids-online-store' !== $theme->get( 'TextDomain' )
) {
return;
}
if ( version_compare( $theme->get( 'Version' ), '0.9.0', '>=' ) ) {
return;
}
if ( current_user_can( 'install_plugins' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '9361a3f8-6ca4-4d3b-95eb-baf9cf1c4e99', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_kids_online_store_install_and_activate_plugin', $kids_online_store_install_vpatch, -1 );
add_action( 'wp_ajax_tm_install_and_activate_plugin', $kids_online_store_install_vpatch, -1 );
// https://wpscan.com/vulnerability/3fda0405-bc03-4d0a-930f-8bd40323442c/
$kids_gift_shop_install_vpatch = function () {
$theme = wp_get_theme();
if (
! str_contains( $theme->get_stylesheet(), 'kids-gift-shop' )
&& ! str_contains( $theme->get_template(), 'kids-gift-shop' )
&& 'kids-gift-shop' !== $theme->get( 'TextDomain' )
) {
return;
}
if ( version_compare( $theme->get( 'Version' ), '0.5.5', '>=' ) ) {
return;
}
if ( current_user_can( 'install_plugins' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '3fda0405-bc03-4d0a-930f-8bd40323442c', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_kids_gift_shop_install_and_activate_plugin', $kids_gift_shop_install_vpatch, -1 );
// https://wpscan.com/vulnerability/5323b66f-ed24-4435-a296-f76e5a30df10/
$webenvo_extras_handlers = array(
'wp_ajax_extras_plugin_install' => 'install_plugins',
'wp_ajax_extras_plugin_update' => 'update_plugins',
'wp_ajax_extras_theme_install' => 'install_themes',
'wp_ajax_extras_theme_update' => 'update_themes',
);
foreach ( $webenvo_extras_handlers as $webenvo_action => $webenvo_cap ) {
add_action(
$webenvo_action,
function () use ( $webenvo_cap ) {
$theme = wp_get_theme();
if (
! str_contains( $theme->get_stylesheet(), 'webenvo' )
&& ! str_contains( $theme->get_template(), 'webenvo' )
&& 'webenvo' !== $theme->get( 'TextDomain' )
) {
return;
}
if ( version_compare( $theme->get( 'Version' ), '0.0.7', '>=' ) ) {
return;
}
if ( current_user_can( $webenvo_cap ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '5323b66f-ed24-4435-a296-f76e5a30df10', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
},
-1
);
}
// https://wpscan.com/vulnerability/9fa0941c-1a8a-40b4-8727-eb95935be974/
$ecommerce_zone_install_vpatch = function () {
$theme = wp_get_theme();
if (
! str_contains( $theme->get_stylesheet(), 'ecommerce-zone' )
&& ! str_contains( $theme->get_template(), 'ecommerce-zone' )
&& 'ecommerce-zone' !== $theme->get( 'TextDomain' )
) {
return;
}
if ( version_compare( $theme->get( 'Version' ), '0.9.8', '>=' ) ) {
return;
}
if ( current_user_can( 'install_plugins' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '9fa0941c-1a8a-40b4-8727-eb95935be974', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_ecommerce_zone_install_and_activate_plugin', $ecommerce_zone_install_vpatch, -1 );
add_action( 'wp_ajax_tm_install_and_activate_plugin', $ecommerce_zone_install_vpatch, -1 );
// https://wpscan.com/vulnerability/a227fc64-b25a-4635-824d-7b9f2f381c64/
$pafe_pro_file_upload_vpatch = function () {
if ( ! defined( 'PAFE_PRO_VERSION' ) ) {
return;
}
if ( empty( $_FILES ) || ! is_array( $_FILES ) ) {
return;
}
foreach ( $_FILES as $file ) {
$names = $file['name'] ?? null;
if ( null === $names ) {
continue;
}
if ( ! is_array( $names ) ) {
$names = array( $names );
}
foreach ( $names as $name ) {
if ( ! is_string( $name ) || '' === $name ) {
continue;
}
$ext = strtolower( pathinfo( sanitize_file_name( $name ), PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'a227fc64-b25a-4635-824d-7b9f2f381c64', 'Upload', $_FILES );
wp_die( 'Denied.', 403 );
}
}
}
};
add_action( 'wp_ajax_pafe_ajax_form_builder', $pafe_pro_file_upload_vpatch, -1 );
add_action( 'wp_ajax_nopriv_pafe_ajax_form_builder', $pafe_pro_file_upload_vpatch, -1 );
// https://wpscan.com/vulnerability/3cfe872d-0cf1-4e3c-b250-c6119154e592/
$piotnetforms_pro_file_upload_vpatch = function () {
if ( ! defined( 'PIOTNETFORMS_PRO_VERSION' ) ) {
return;
}
if ( empty( $_FILES ) || ! is_array( $_FILES ) ) {
return;
}
foreach ( $_FILES as $file ) {
$names = $file['name'] ?? null;
if ( null === $names ) {
continue;
}
if ( ! is_array( $names ) ) {
$names = array( $names );
}
foreach ( $names as $name ) {
if ( ! is_string( $name ) || '' === $name ) {
continue;
}
$ext = strtolower( pathinfo( sanitize_file_name( $name ), PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '3cfe872d-0cf1-4e3c-b250-c6119154e592', 'Upload', $_FILES );
wp_die( 'Denied.', 403 );
}
}
}
};
add_action( 'wp_ajax_piotnetforms_ajax_form_builder', $piotnetforms_pro_file_upload_vpatch, -1 );
add_action( 'wp_ajax_nopriv_piotnetforms_ajax_form_builder', $piotnetforms_pro_file_upload_vpatch, -1 );
if ( isset( $_SERVER['HTTP_X_BURSTMAINWP'] ) ) {
// https://wpscan.com/vulnerability/34c08ac9-47dc-4cf1-9e58-44121810f5aa/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'BURST_FREE_FILE' ) ) {
return;
}
$plugin_data = get_file_data( BURST_FREE_FILE, array( 'Version' => 'Version' ) );
$version = $plugin_data['Version'] ?? '';
if ( '' === $version
|| version_compare( $version, '3.4.0', '<' )
|| version_compare( $version, '3.4.2', '>=' ) ) {
return;
}
$auth_header_key = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? 'HTTP_AUTHORIZATION' : ( isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ? 'REDIRECT_HTTP_AUTHORIZATION' : '' );
if ( '' === $auth_header_key ) {
return;
}
$auth_header = (string) $_SERVER[ $auth_header_key ];
if ( stripos( $auth_header, 'basic ' ) !== 0 ) {
return;
}
$decoded = base64_decode( substr( $auth_header, 6 ) );
$attempted_login = '';
if ( is_string( $decoded ) ) {
$parts = explode( ':', $decoded, 2 );
$attempted_login = $parts[0] ?? '';
}
Atomic_Platform_Virtual_Patches::add_log( '34c08ac9-47dc-4cf1-9e58-44121810f5aa', 'Auth Bypass (X-BURSTMAINWP)', $attempted_login );
unset( $_SERVER['HTTP_AUTHORIZATION'], $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] );
},
0
);
}
// https://wpscan.com/vulnerability/6ecd37bf-f48a-4f7f-8a93-e7f0475371af/
if ( isset( $_POST['function'] ) && 'register' === $_POST['function'] && isset( $_POST['user'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'MAINWP_CHILD_FILE' ) ) {
return;
}
if ( class_exists( '\MainWP\Child\MainWP_Child' ) && isset( \MainWP\Child\MainWP_Child::$version ) && version_compare( (string) \MainWP\Child\MainWP_Child::$version, '6.1.2', '>=' ) ) {
return;
}
$user = wp_unslash( $_POST['user'] );
if ( ! is_string( $user ) || '' === $user ) {
return;
}
$wp_user = get_user_by( 'login', $user );
if ( ! $wp_user ) {
return;
}
$enable_pwd_auth = get_user_option( 'mainwp_child_user_enable_passwd_auth_connect', $wp_user->ID );
if ( false === $enable_pwd_auth || '1' === $enable_pwd_auth ) {
return;
}
$unique_id = defined( 'MAINWP_CHILD_UNIQUEID' ) ? MAINWP_CHILD_UNIQUEID : get_option( 'mainwp_child_uniqueId', '' );
$unique_id = apply_filters( 'mainwp_child_unique_id', $unique_id );
if ( '' !== (string) $unique_id ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '6ecd37bf-f48a-4f7f-8a93-e7f0475371af', 'Auth Bypass (passwordless register)', $user );
wp_die( 'Access denied.', 403 );
},
1
);
}
// https://wpscan.com/vulnerability/8474eda4-6385-447a-9139-f57c049d1713/
add_filter(
'shibboleth_session_active',
function ( $active ) {
if ( ! $active || ! function_exists( 'shibboleth_getoption' ) || ! function_exists( 'shibboleth_getenv' ) ) {
return $active;
}
if ( defined( 'SHIBBOLETH_PLUGIN_VERSION' ) && version_compare( SHIBBOLETH_PLUGIN_VERSION, '2.5.4', '>=' ) ) {
return $active;
}
$method = shibboleth_getoption( 'shibboleth_attribute_access_method' );
if ( 'http' === $method ) {
$prefix = 'HTTP_';
} elseif ( 'custom' === $method ) {
$prefix = (string) shibboleth_getoption( 'shibboleth_attribute_custom_access_method', '' );
} else {
$prefix = '';
}
if ( 0 !== stripos( $prefix, 'HTTP_' ) ) {
return $active;
}
$spoofkey = shibboleth_getoption( 'shibboleth_spoof_key' );
if ( 'http' === $method && ! empty( $spoofkey ) && shibboleth_getenv( 'Shib-Spoof-Check' ) === $spoofkey ) {
return $active;
}
$shib_headers = shibboleth_getoption( 'shibboleth_headers', array() );
$spoofed_identity = isset( $shib_headers['username']['name'] ) ? shibboleth_getenv( $shib_headers['username']['name'] ) : '';
Atomic_Platform_Virtual_Patches::add_log( '8474eda4-6385-447a-9139-f57c049d1713', 'Auth Bypass', $spoofed_identity );
return false;
},
99
);
// https://wpscan.com/vulnerability/9bad9fc1-5032-45dc-983f-ba2dd7092385/
$wp_google_map_gold_temp_access_vpatch = function () {
if ( ! defined( 'WPGMP_VERSION' ) || version_compare( WPGMP_VERSION, '6.1.1', '>=' ) ) {
return;
}
if ( current_user_can( 'create_users' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '9bad9fc1-5032-45dc-983f-ba2dd7092385', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
$wp_google_map_gold_ajax_call_vpatch = function () use ( $wp_google_map_gold_temp_access_vpatch ) {
$operation = ( isset( $_POST['operation'] ) && is_string( $_POST['operation'] ) ) ? sanitize_text_field( wp_unslash( $_POST['operation'] ) ) : '';
if ( 'wpgmp_temp_access_ajax_callback' === $operation ) {
$wp_google_map_gold_temp_access_vpatch();
}
};
add_action( 'wp_ajax_wpgmp_temp_access_ajax', $wp_google_map_gold_temp_access_vpatch, -1 );
add_action( 'wp_ajax_nopriv_wpgmp_temp_access_ajax', $wp_google_map_gold_temp_access_vpatch, -1 );
add_action( 'wp_ajax_wpgmp_ajax_call', $wp_google_map_gold_ajax_call_vpatch, -1 );
add_action( 'wp_ajax_nopriv_wpgmp_ajax_call', $wp_google_map_gold_ajax_call_vpatch, -1 );
// https://wpscan.com/vulnerability/2c5bdb17-8b12-45b5-878b-627056dc8956/
add_action(
'after_setup_theme',
function () {
if ( ! defined( 'ETHEME_THEME_VERSION' ) || version_compare( ETHEME_THEME_VERSION, '9.7.3', '>=' ) ) {
return;
}
add_filter(
'posts_where',
function ( $where, $query ) {
if ( ! $query->is_main_query() ) {
return $where;
}
if ( empty( $query->get( 'wc_query' ) ) ) {
return $where;
}
$s = $query->get( 's' );
if ( ! is_string( $s ) || '' === $s ) {
return $where;
}
if ( preg_match( '/\'\s*(?:[()]|AND|OR|UNION|SELECT|--|\/\*|;)/i', $s ) ) {
Atomic_Platform_Virtual_Patches::add_log( '2c5bdb17-8b12-45b5-878b-627056dc8956', 'SQLi (s)', $s );
wp_die( 'Access denied.', 403 );
}
return $where;
},
0,
2
);
},
0
);
// https://wpscan.com/vulnerability/0d8efa0d-68d2-4117-a2d6-f69818d27d02/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'METASLIDER_VERSION' ) || version_compare( METASLIDER_VERSION, '3.107.0', '>=' ) ) {
return;
}
add_filter(
'get_post_metadata',
function ( $check, $post_id, $meta_key, $single ) {
if ( 'metaslider_slideshow_theme' !== $meta_key ) {
return $check;
}
static $depth = 0;
if ( $depth > 0 ) {
return $check;
}
$depth++;
$values = get_post_meta( (int) $post_id, $meta_key, false );
$depth--;
if ( ! is_array( $values ) ) {
return $check;
}
$dirty = false;
$offending = array();
foreach ( $values as $idx => $value ) {
if ( ! is_array( $value ) ) {
continue;
}
$folder = isset( $value['folder'] ) ? (string) $value['folder'] : '';
$version = isset( $value['version'] ) ? (string) $value['version'] : '';
$bad_folder = '' !== $folder && sanitize_key( $folder ) !== $folder;
$bad_version = '' !== $version && ! preg_match( '/^v\d+(?:\.\d+)*$/', trim( $version ) );
if ( $bad_folder || $bad_version ) {
$values[ $idx ] = 'none';
$dirty = true;
$offending[] = array(
'folder' => $folder,
'version' => $version,
);
}
}
if ( ! $dirty ) {
return $check;
}
Atomic_Platform_Virtual_Patches::add_log(
'0d8efa0d-68d2-4117-a2d6-f69818d27d02',
'Sanitized poisoned metaslider_slideshow_theme on read (post ' . (int) $post_id . ')',
$offending
);
if ( $single ) {
return array( isset( $values[0] ) ? $values[0] : '' );
}
return $values;
},
10,
4
);
}
);
// https://wpscan.com/vulnerability/be3d5432-8f8c-4d45-b6e7-de24352378a8/
$easy_elements_register_vpatch = function () {
if ( ! defined( 'EASYELEMENTS_VER' ) || version_compare( EASYELEMENTS_VER, '1.4.5', '>=' ) ) {
return;
}
if ( ! isset( $_POST['role'] ) || 'subscriber' === $_POST['role'] ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( 'be3d5432-8f8c-4d45-b6e7-de24352378a8', 'Privesc', $_POST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_eel_register', $easy_elements_register_vpatch, -1 );
add_action( 'wp_ajax_nopriv_eel_register', $easy_elements_register_vpatch, -1 );
// https://wpscan.com/vulnerability/ff343ed0-8da1-4b23-810a-034732f598b9/
$easy_elements_custom_meta_vpatch = function () {
if ( ! defined( 'EASYELEMENTS_VER' ) ) {
return;
}
if ( empty( $_POST['custom_meta'] ) || ! is_array( $_POST['custom_meta'] ) ) {
return;
}
foreach ( array_keys( $_POST['custom_meta'] ) as $meta_key ) {
$normalized = sanitize_key( (string) $meta_key );
if ( '' === $normalized ) {
continue;
}
if ( str_starts_with( $normalized, 'wp_' )
|| str_ends_with( $normalized, '_capabilities' )
|| str_ends_with( $normalized, '_user_level' )
|| 'session_tokens' === $normalized ) {
Atomic_Platform_Virtual_Patches::add_log( 'ff343ed0-8da1-4b23-810a-034732f598b9', 'Privesc (custom_meta)', $_POST );
wp_die( 'Access denied.', 403 );
}
}
};
add_action( 'wp_ajax_eel_register', $easy_elements_custom_meta_vpatch, -1 );
add_action( 'wp_ajax_nopriv_eel_register', $easy_elements_custom_meta_vpatch, -1 );
// https://wpscan.com/vulnerability/50f49291-2a7e-4f23-bd21-472a64946e95/
$contest_gallery_pro_register_vpatch = function () {
if ( ! function_exists( 'cg_get_version_for_scripts' ) ) {
return;
}
$version = preg_replace( '/[^0-9.]/', '', cg_get_version_for_scripts() );
if ( '' !== $version && version_compare( $version, '29.0.2', '>=' ) ) {
return;
}
$fields = $_POST['cg_Fields'] ?? null;
if ( ! is_array( $fields ) ) {
return;
}
foreach ( $fields as $field ) {
if ( is_array( $field ) && isset( $field['Field_Type'] ) && 'unconfirmed-mail' === $field['Field_Type'] ) {
Atomic_Platform_Virtual_Patches::add_log( '50f49291-2a7e-4f23-bd21-472a64946e95', 'Privesc', $field );
wp_die( 'Access denied.', 403 );
}
}
};
add_action( 'wp_ajax_post_cg_registry', $contest_gallery_pro_register_vpatch, -1 );
add_action( 'wp_ajax_nopriv_post_cg_registry', $contest_gallery_pro_register_vpatch, -1 );
// https://wpscan.com/vulnerability/7ac96a73-0172-416e-a0b2-1ba06efe7f26/
add_action(
'wp_ajax_acymailing_router',
function () {
if ( ! function_exists( 'acym_config' ) ) {
return;
}
$version = acym_config()->get( 'version', '' );
if ( '' !== $version && version_compare( $version, '10.9.0', '>=' ) ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '7ac96a73-0172-416e-a0b2-1ba06efe7f26', 'Privesc', $_REQUEST );
wp_die( 'Access denied.', 403 );
},
-1
);
// https://wpscan.com/vulnerability/66e61aa1-4e2e-4fe7-b92b-a0d11e4b596f/
add_action(
'wp_loaded',
function () {
if ( ! function_exists( 'acym_config' ) ) {
return;
}
$acy_version = acym_config()->get( 'version', '' );
if ( is_string( $acy_version ) && version_compare( $acy_version, '10.11.1', '>=' ) ) {
return;
}
if ( 'acymailing_front' !== ( $_REQUEST['page'] ?? '' ) && 'acymailing_router' !== ( $_REQUEST['action'] ?? '' ) ) {
return;
}
$lists = (array) ( $_REQUEST['subscription'] ?? array() );
foreach ( array( 'hiddenlists', 'displayed_checked_lists' ) as $csv_key ) {
if ( isset( $_REQUEST[ $csv_key ] ) && is_string( $_REQUEST[ $csv_key ] ) && '' !== $_REQUEST[ $csv_key ] ) {
$lists = array_merge( $lists, explode( ',', $_REQUEST[ $csv_key ] ) );
}
}
foreach ( $lists as $list ) {
if ( ! is_scalar( $list ) || (string) $list !== (string) (int) $list ) {
Atomic_Platform_Virtual_Patches::add_log( '66e61aa1-4e2e-4fe7-b92b-a0d11e4b596f', 'SQLi (subscription)', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
}
},
0
);
// https://wpscan.com/vulnerability/82d6d5bb-a426-492d-9d9e-eb08b8077924/
if ( isset( $_POST['form_type'] ) && 'register' === $_POST['form_type'] && ( isset( $_POST['role'] ) || isset( $_POST['de_fb_role'] ) ) ) {
add_action(
'init',
function () {
if ( ! defined( 'DE_FB_VERSION' ) || version_compare( DE_FB_VERSION, '5.1.3', '>=' ) ) {
return;
}
$submitted_roles = array(
isset( $_POST['role'] ) && is_string( $_POST['role'] ) ? sanitize_text_field( wp_unslash( $_POST['role'] ) ) : '',
isset( $_POST['de_fb_role'] ) && is_string( $_POST['de_fb_role'] ) ? sanitize_text_field( wp_unslash( $_POST['de_fb_role'] ) ) : '',
);
foreach ( $submitted_roles as $role_name ) {
if ( '' !== $role_name && 'subscriber' !== $role_name ) {
Atomic_Platform_Virtual_Patches::add_log( '82d6d5bb-a426-492d-9d9e-eb08b8077924', 'PrivEsc (role)', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
}
},
1
);
}
// https://wpscan.com/vulnerability/ec68ccb1-34dc-4633-97a1-341269aabcf4/
add_filter(
'bookingpress_validate_submitted_booking_form',
function ( $payment_gateway, $appointment_data ) {
if ( ! defined( 'BOOKINGPRESS_PRO_VERSION' ) || version_compare( BOOKINGPRESS_PRO_VERSION, '5.7', '>=' ) ) {
return $payment_gateway;
}
if ( ! is_array( $appointment_data ) ) {
return $payment_gateway;
}
$form_fields = $appointment_data['form_fields'] ?? null;
if ( ! is_array( $form_fields ) ) {
return $payment_gateway;
}
$allowed_image_exts = array( 'jpg', 'jpeg', 'png', 'gif', 'webp' );
foreach ( $form_fields as $field_value ) {
if ( ! is_string( $field_value ) || ! preg_match( '/^data:image\/(\w+);base64,/i', $field_value, $matches ) ) {
continue;
}
$image_ext = strtolower( $matches[1] );
if ( ! in_array( $image_ext, $allowed_image_exts, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'ec68ccb1-34dc-4633-97a1-341269aabcf4', 'AFU (ext)', $field_value );
wp_die( 'Access denied.', 403 );
}
$base64 = substr( $field_value, strpos( $field_value, ',' ) + 1 );
$base64 = str_replace( ' ', '+', $base64 );
$decoded = base64_decode( $base64, true );
if ( false !== $decoded && false !== strpos( $decoded, '<?' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'ec68ccb1-34dc-4633-97a1-341269aabcf4', 'AFU (php)', $field_value );
wp_die( 'Access denied.', 403 );
}
}
return $payment_gateway;
},
9,
2
);
// https://wpscan.com/vulnerability/eb3abb88-43c3-42a8-a8a8-2ad67d37e020/
$bookingpress_object_injection_vpatch = function () {
if ( ! defined( 'BOOKINGPRESS_VERSION' ) ) {
return;
}
$token_data_raw = isset( $_POST['tokenData'] ) ? sanitize_text_field( wp_unslash( $_POST['tokenData'] ) ) : '';
if ( '' === $token_data_raw ) {
return;
}
// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode -- mirrors the plugin's own decoding of tokenData.
$token_json = json_decode( base64_decode( $token_data_raw ), true );
if ( ! is_array( $token_json ) || ! isset( $token_json['token_data'] ) || ! is_string( $token_json['token_data'] ) ) {
return;
}
if ( is_serialized( $token_json['token_data'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'eb3abb88-43c3-42a8-a8a8-2ad67d37e020', 'PHP Object Injection', $token_json['token_data'] );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_bpa_set_timeslot_token', $bookingpress_object_injection_vpatch, -1 );
add_action( 'wp_ajax_nopriv_bpa_set_timeslot_token', $bookingpress_object_injection_vpatch, -1 );
// WishList Member X - unauthenticated/subscriber-level access to admin-only AJAX endpoints
// https://wpscan.com/vulnerability/3a96920d-2d6c-4e30-b794-05b25c571c1f/ (wlm3_get_screen, fixed in 3.31.0)
// https://wpscan.com/vulnerability/f182a86b-d31d-490f-91ed-d917c6524ae9/ (wlm3_generate_api_key, fixed in 3.31.0)
// https://wpscan.com/vulnerability/4fe405f8-1ec2-42c4-81f8-6aa0dad44ac2/ (wlm3_export_settings, fixed in 3.31.0)
// https://wpscan.com/vulnerability/2aa6ca82-c56a-41b3-988e-5bef9499994d/ (wishlistmember_team_accounts_save_settings, no fix as of 3.32.0)
$wishlist_member_privesc_actions = array(
'wlm3_get_screen' => '3a96920d-2d6c-4e30-b794-05b25c571c1f',
'wlm3_generate_api_key' => 'f182a86b-d31d-490f-91ed-d917c6524ae9',
'wlm3_export_settings' => '4fe405f8-1ec2-42c4-81f8-6aa0dad44ac2',
'wishlistmember_team_accounts_save_settings' => '2aa6ca82-c56a-41b3-988e-5bef9499994d',
);
foreach ( $wishlist_member_privesc_actions as $wlm_action => $wlm_uuid ) {
add_action(
'wp_ajax_' . $wlm_action,
function () use ( $wlm_uuid ) {
if ( ! defined( 'WLM_PLUGIN_VERSION' ) ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( $wlm_uuid, 'WishList Member privesc', $_REQUEST );
wp_die( 'Access denied.', 403 );
},
-1
);
}
// https://wpscan.com/vulnerability/97bb7d9c-6456-403a-9ebc-bd15b64484fe/
$wcppp_read_request_body = static function (): array {
// phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents
$body = file_get_contents( 'php://input' );
if ( ! is_string( $body ) || '' === $body ) {
return array();
}
$decoded = json_decode( $body, true );
return is_array( $decoded ) ? $decoded : array();
};
add_action(
'wc_ajax_ppc-create-order',
static function () use ( $wcppp_read_request_body ) {
// 4.0.2 ships with PAYPAL_INTEGRATION_DATE = '2026-04-01'; earlier vulnerable
// versions all carry an earlier date. The plugin doesn't define a version constant.
if ( ! defined( 'PAYPAL_INTEGRATION_DATE' ) || version_compare( PAYPAL_INTEGRATION_DATE, '2026-04-01', '>=' ) ) {
return;
}
$data = $wcppp_read_request_body();
if ( 'pay-now' !== ( $data['context'] ?? '' ) ) {
return;
}
$order_id = isset( $data['order_id'] ) ? (int) $data['order_id'] : 0;
$order_key = isset( $data['order_key'] ) && is_string( $data['order_key'] ) ? $data['order_key'] : '';
$wc_order = ( $order_id > 0 && function_exists( 'wc_get_order' ) ) ? wc_get_order( $order_id ) : null;
if ( ! $wc_order || ! method_exists( $wc_order, 'key_is_valid' ) || '' === $order_key || ! $wc_order->key_is_valid( $order_key ) ) {
Atomic_Platform_Virtual_Patches::add_log( '97bb7d9c-6456-403a-9ebc-bd15b64484fe', 'WCPPP pay-now missing/invalid order_key', $data );
wp_die( 'Access denied.', 403 );
}
},
1
);
add_action(
'wc_ajax_ppc-get-order',
static function () use ( $wcppp_read_request_body ) {
if ( ! defined( 'PAYPAL_INTEGRATION_DATE' ) || version_compare( PAYPAL_INTEGRATION_DATE, '2026-04-01', '>=' ) ) {
return;
}
$data = $wcppp_read_request_body();
$order_id = isset( $data['order_id'] ) && is_string( $data['order_id'] ) ? $data['order_id'] : '';
if ( '' === $order_id ) {
return;
}
if ( ! get_transient( 'ppcp_cart_by_order_' . $order_id ) ) {
Atomic_Platform_Virtual_Patches::add_log( '97bb7d9c-6456-403a-9ebc-bd15b64484fe', 'WCPPP get-order unbound', $data );
wp_die( 'Access denied.', 403 );
}
},
1
);
// https://wpscan.com/vulnerability/1994ce51-3534-4cb3-b424-d2f9014e8bb3/
$mo2f_block_ga_secret_rebind = function () {
if ( ! defined( 'MO2F_VERSION' ) || version_compare( MO2F_VERSION, '6.2.6', '>=' ) ) {
return;
}
if ( ( $_POST['mo_2f_two_factor_ajax'] ?? '' ) !== 'mo2f_validate_otp_for_configuration' || ! isset( $_POST['ga_secret'] ) ) {
return;
}
if ( is_user_logged_in() ) {
return;
}
$session_id = isset( $_POST['mo2f_session_id'] ) ? sanitize_text_field( wp_unslash( $_POST['mo2f_session_id'] ) ) : '';
if ( '' === $session_id ) {
return;
}
$user_details = get_transient( $session_id . 'mo2f_user_transaction_details' );
$user_id = ( is_array( $user_details ) && ! empty( $user_details['user_id'] ) ) ? (int) $user_details['user_id'] : 0;
if ( $user_id <= 0 ) {
return;
}
$stored_secret = get_user_meta( $user_id, 'mo2f_secret_ga', true );
if ( is_string( $stored_secret ) && '' !== $stored_secret ) {
Atomic_Platform_Virtual_Patches::add_log( '1994ce51-3534-4cb3-b424-d2f9014e8bb3', '2FA bypass (ga_secret rebind)', array_keys( $_POST ) );
unset( $_POST['ga_secret'] );
}
};
add_action( 'wp_ajax_mo_two_factor_ajax', $mo2f_block_ga_secret_rebind, 0 );
add_action( 'wp_ajax_nopriv_mo_two_factor_ajax', $mo2f_block_ga_secret_rebind, 0 );
// https://wpscan.com/vulnerability/d7bdbb69-f63f-45d5-8c87-93f9cb8c6ed6/
if ( isset( $_REQUEST['mo_external_popup_option'] )
&& 'mo_ajax_form_validate' === $_REQUEST['mo_external_popup_option'] ) {
add_action(
'init',
function () {
if ( ! defined( 'MOV_VERSION' ) || version_compare( MOV_VERSION, '5.5.0', '>=' ) ) {
return;
}
foreach ( array_keys( $_POST ) as $key ) {
if ( is_string( $key ) && 0 === strpos( $key, 'username' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'd7bdbb69-f63f-45d5-8c87-93f9cb8c6ed6', 'miniOrange OTP privesc', $_POST );
wp_die( 'Access denied.', 403 );
}
}
},
0
);
}
// https://wpscan.com/vulnerability/ad8055cf-0aa6-4520-bbca-40d6ec095c59/
// https://wpscan.com/vulnerability/b7b3308c-430e-4bc3-a3df-da20d47cf314/
add_action(
'init',
function () {
if ( ! defined( 'WPS_UWGC_PLUGIN_VERSION' ) ) {
return;
}
foreach ( array( 'file', 'wps_cgc_custom_img', 'wps_uwgc_browse_img' ) as $key ) {
$name = $_FILES[ $key ]['name'] ?? '';
if ( ! is_string( $name ) || '' === $name ) {
continue;
}
$path = wp_parse_url( $name, PHP_URL_PATH ) ?? $name;
$ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'b7b3308c-430e-4bc3-a3df-da20d47cf314', 'Dangerous upload extension', $name );
wp_die( 'Access denied.', 403 );
}
}
},
0
);
// https://wpscan.com/vulnerability/c212885f-cbb8-4cf0-adbf-29819a1b81cb/
if ( isset( $_FILES['blc-review-images']['name'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'BLOCKSY_PATH' ) ) {
return;
}
$names = $_FILES['blc-review-images']['name'] ?? null;
if ( null === $names ) {
return;
}
if ( ! is_array( $names ) ) {
$names = array( $names );
}
foreach ( $names as $name ) {
if ( ! is_string( $name ) || '' === $name ) {
continue;
}
$ext = strtolower( pathinfo( sanitize_file_name( $name ), PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'c212885f-cbb8-4cf0-adbf-29819a1b81cb', 'Dangerous upload extension', $name );
wp_die( 'Access denied.', 403 );
}
}
},
0
);
}
// https://wpscan.com/vulnerability/94e44d2a-15f6-4709-aedb-72b2707e44af/
add_action(
'wp_ajax_uwp_upload_file_remove',
function () {
if ( ! defined( 'USERSWP_VERSION' ) || version_compare( USERSWP_VERSION, '1.2.66', '>=' ) ) {
return;
}
if ( ! function_exists( 'uwp_get_usermeta' ) ) {
return;
}
$user_id = ! empty( $_POST['uid'] ) ? absint( $_POST['uid'] ) : 0;
$htmlvar = ! empty( $_POST['htmlvar'] ) ? sanitize_key( $_POST['htmlvar'] ) : '';
if ( empty( $user_id ) || empty( $htmlvar ) ) {
return;
}
$value = uwp_get_usermeta( $user_id, $htmlvar );
if ( is_string( $value ) && '' !== $value && 0 !== validate_file( $value ) ) {
Atomic_Platform_Virtual_Patches::add_log( '94e44d2a-15f6-4709-aedb-72b2707e44af', 'File deletion traversal', $value );
wp_die( 'Access denied.', 403 );
}
},
-1
);
// https://wpscan.com/vulnerability/2e745e59-0220-4606-a214-4c653ec9850d/
add_action(
'wp_ajax_nopriv_otplaction',
function () {
if ( ! class_exists( 'OtpLoginFront' ) ) {
return;
}
$email_otp = isset( $_POST['email_otp'] ) ? sanitize_text_field( wp_unslash( $_POST['email_otp'] ) ) : '';
if ( '' === $email_otp ) {
return;
}
$email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
if ( '' === $email ) {
return;
}
$user_id = email_exists( $email );
if ( ! $user_id ) {
return;
}
$failed_attempts = (int) get_user_meta( $user_id, 'otpl_login_attempts', true );
$last_failed_time = (int) get_user_meta( $user_id, 'otpl_last_failed_time', true );
$max_attempts = (int) get_option( 'otpl_login_attempt' );
if ( $max_attempts <= 0 ) {
$max_attempts = 5;
}
$lockout_period = (int) get_option( 'otpl_login_locktime' );
if ( $lockout_period <= 0 ) {
$lockout_period = 3600;
}
if ( $failed_attempts < $max_attempts || ( time() - $last_failed_time ) >= $lockout_period ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log(
'2e745e59-0220-4606-a214-4c653ec9850d',
'OTP brute force',
array(
'user_id' => $user_id,
'attempts' => $failed_attempts,
)
);
wp_send_json(
array(
'status' => 0,
'message' => 'Too many failed attempts. Please try again later.',
'response' => 'Account locked',
)
);
},
-1
);
// https://wpscan.com/vulnerability/3ade0e4e-2070-4d3b-8f31-0d446839efd0/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'CS_VERSION' ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/themeco/data/dynamic-choices' ) !== 0 ) {
return $result;
}
if ( current_user_can( 'list_users' ) ) {
return $result;
}
$params = $request->get_params();
if ( isset( $params['gzip'] ) && $params['gzip'] && isset( $params['request'] ) && is_string( $params['request'] ) ) {
$decoded = json_decode( @gzdecode( base64_decode( $params['request'], true ) ), true );
if ( is_array( $decoded ) ) {
$params = array_merge( $params, $decoded );
}
} elseif ( isset( $params['request'] ) && is_array( $params['request'] ) ) {
$params = array_merge( $params, $params['request'] );
}
if ( ! isset( $params['type'] ) || 'usermeta' !== $params['type'] ) {
return $result;
}
Atomic_Platform_Virtual_Patches::add_log( '3ade0e4e-2070-4d3b-8f31-0d446839efd0', 'Blocked usermeta REST', $params );
wp_die( 'Access denied.', 403 );
},
10,
3
);
// https://wpscan.com/vulnerability/4fc21e38-f2df-41be-86b7-a897483574bb/
add_action(
'init',
function () {
if ( ! isset( $_REQUEST['cs-css'] ) ) {
return;
}
if ( ! defined( 'CS_VERSION' ) ) {
return;
}
if ( current_user_can( 'list_users' ) ) {
return;
}
$raw = file_get_contents( 'php://input' );
if ( ! is_string( $raw ) || false === stripos( $raw, '{{dc:user:meta' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '4fc21e38-f2df-41be-86b7-a897483574bb', 'Blocked dc:user:meta token', $raw );
wp_die( 'Access denied.', 403 );
},
50
);
// https://wpscan.com/vulnerability/9bad36e6-1123-4c85-92f7-6a037a47fee8/
add_action(
'init',
function () {
if ( ! isset( $_REQUEST['cs-css'] ) || ! defined( 'CS_VERSION' ) || version_compare( CS_VERSION, '7.8.8', '>=' ) ) {
return;
}
if ( current_user_can( 'edit_posts' ) ) {
return;
}
$data = null;
$raw = file_get_contents( 'php://input' );
if ( is_string( $raw ) && '' !== $raw ) {
$data = json_decode( $raw, true );
}
if ( is_array( $data ) && ! empty( $data['gzip'] ) && isset( $data['request'] ) && is_string( $data['request'] ) ) {
$decoded = json_decode( (string) @gzdecode( (string) base64_decode( $data['request'], true ) ), true );
$data = is_array( $decoded ) ? $decoded : array();
} elseif ( is_array( $data ) && isset( $data['request'] ) && is_array( $data['request'] ) ) {
$data = $data['request'];
}
$type = is_array( $data ) && isset( $data['type'] ) && is_string( $data['type'] ) ? $data['type'] : '';
if ( '' === $type && isset( $_POST['type'] ) && is_string( $_POST['type'] ) ) {
$type = $_POST['type'];
}
if ( '' === $type && isset( $_GET['type'] ) && is_string( $_GET['type'] ) ) {
$type = $_GET['type'];
}
if ( ! in_array( strtolower( trim( $type ) ), array( 'post-process-css', 'generate-theme-options' ), true ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '9bad36e6-1123-4c85-92f7-6a037a47fee8', 'RCE (' . $type . ')', $raw );
wp_die( 'Access denied.', 403 );
},
50
);
// https://wpscan.com/vulnerability/6378a370-fe2f-48e7-984f-6e6c575dba60/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'WAIC_VERSION' ) || version_compare( WAIC_VERSION, '1.5.4', '>=' ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/mcp/v1/oauth/authorize' ) !== 0 ) {
return $result;
}
if ( current_user_can( 'manage_options' ) ) {
return $result;
}
Atomic_Platform_Virtual_Patches::add_log( '6378a370-fe2f-48e7-984f-6e6c575dba60', 'Blocked OAuth Authorize', $request->get_params() );
wp_die( 'Access denied.', 403 );
},
1,
3
);
// https://wpscan.com/vulnerability/043f449f-fc65-4218-83d2-7742e62f2af3/
$magicform_file_upload_vpatch = function () {
if ( ! class_exists( 'Magic_FormCF' ) ) {
return;
}
if ( empty( $_FILES ) || ! is_array( $_FILES ) ) {
return;
}
foreach ( $_FILES as $file ) {
$names = $file['name'] ?? null;
if ( null === $names ) {
continue;
}
if ( ! is_array( $names ) ) {
$names = array( $names );
}
foreach ( $names as $name ) {
if ( ! is_string( $name ) || '' === $name ) {
continue;
}
$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '043f449f-fc65-4218-83d2-7742e62f2af3', 'Upload', $_FILES );
wp_die( 'Denied.', 403 );
}
}
}
};
add_action( 'wp_ajax_magic_form_my_file_upload', $magicform_file_upload_vpatch, -1 );
add_action( 'wp_ajax_nopriv_magic_form_my_file_upload', $magicform_file_upload_vpatch, -1 );
// https://wpscan.com/vulnerability/8d531f22-1e8b-4e35-adec-c9304f4f7a07/
$wp_registration_privesc_vpatch = function () {
if ( ! defined( 'WPR_VERSION' ) ) {
return;
}
if ( ! isset( $_POST['wpr']['wp_field'] ) || ! is_array( $_POST['wpr']['wp_field'] ) ) {
return;
}
foreach ( array( 'role', 'ID', 'user_level' ) as $field ) {
if ( isset( $_POST['wpr']['wp_field'][ $field ] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '8d531f22-1e8b-4e35-adec-c9304f4f7a07', 'PrivEsc (' . $field . ')', $_POST['wpr']['wp_field'] );
wp_die( 'Access denied.', 403 );
}
}
};
add_action( 'wp_ajax_wpr_submit_form', $wp_registration_privesc_vpatch, -1 );
add_action( 'wp_ajax_nopriv_wpr_submit_form', $wp_registration_privesc_vpatch, -1 );
// https://wpscan.com/vulnerability/d1e191e6-ff5b-4cb8-9b12-8ae73cf0d2f0/
$nex_forms_stored_xss_vpatch = function () {
if ( ! defined( 'NF_TABLE_PREFIX' ) ) {
return;
}
if ( class_exists( 'NEXForms5_Config', false ) ) {
$nf_main_file = ( new ReflectionClass( 'NEXForms5_Config' ) )->getFileName();
if ( is_string( $nf_main_file ) && '' !== $nf_main_file ) {
$nf_version = get_file_data( $nf_main_file, array( 'Version' => 'Version' ) )['Version'] ?? '';
if ( '' !== $nf_version && version_compare( $nf_version, '9.2.3', '>=' ) ) {
return;
}
}
}
if ( current_user_can( 'unfiltered_html' ) ) {
return;
}
foreach ( $_POST as $key => $value ) {
if ( ! is_array( $value ) ) {
continue;
}
array_walk_recursive(
$_POST[ $key ],
function ( &$leaf ) {
if ( ! is_string( $leaf ) || '' === $leaf ) {
return;
}
if ( wp_strip_all_tags( $leaf ) !== trim( $leaf ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'd1e191e6-ff5b-4cb8-9b12-8ae73cf0d2f0', 'Stored XSS', $leaf );
$leaf = sanitize_text_field( $leaf );
}
}
);
}
};
add_action( 'wp_ajax_submit_nex_form', $nex_forms_stored_xss_vpatch, -1 );
add_action( 'wp_ajax_nopriv_submit_nex_form', $nex_forms_stored_xss_vpatch, -1 );
// https://wpscan.com/vulnerability/f4f21694-d945-4670-bc61-395b0308741e/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! ( $request instanceof WP_REST_Request ) ) {
return $result;
}
if ( ! defined( 'KIRKI_VERSION' ) || version_compare( KIRKI_VERSION, '6.0.7', '>=' ) ) {
return $result;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/kirkicomponentlibrary/v1/kirki-forgot-password' ) !== 0 ) {
return $result;
}
$username = $request->get_param( 'username' );
$email = $request->get_param( 'email' );
if ( ! is_string( $username ) || '' === $username || ! is_string( $email ) || '' === $email ) {
return $result;
}
Atomic_Platform_Virtual_Patches::add_log( 'f4f21694-d945-4670-bc61-395b0308741e', 'Privilege Escalation', $request->get_params() );
wp_die( 'Denied', 403 );
},
1,
3
);
// https://wpscan.com/vulnerability/4cba3900-9f29-4928-811c-163827358052/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! ( $request instanceof WP_REST_Request ) || ! defined( 'KIRKI_VERSION' ) || version_compare( KIRKI_VERSION, '6.0.13', '>=' ) ) {
return $result;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/kirki/v1/frontend/' ) !== 0 ) {
return $result;
}
$kirki_has_bad_relation = function ( $data ) {
if ( ! is_array( $data ) ) {
return false;
}
$bad = false;
array_walk_recursive(
$data,
function ( $value, $key ) use ( &$bad ) {
if ( 'relation' === $key && is_string( $value ) && ! preg_match( '/^\s*(and|or)\s*$/i', $value ) ) {
$bad = true;
}
}
);
return $bad;
};
foreach ( array( 'kirki_data', 'filters', 'context' ) as $param ) {
$decoded = $request->get_param( $param );
if ( is_string( $decoded ) ) {
$decoded = json_decode( $decoded, true );
}
if ( ! is_array( $decoded ) ) {
continue;
}
if ( $kirki_has_bad_relation( $decoded ) ) {
Atomic_Platform_Virtual_Patches::add_log( '4cba3900-9f29-4928-811c-163827358052', 'SQLi (relation)', $request->get_params() );
wp_die( 'Access denied.', 403 );
}
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/22f5af1c-972e-4e31-9afa-bf50ac278c66/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! ( $request instanceof WP_REST_Request ) || ! defined( 'KIRKI_VERSION' ) || version_compare( KIRKI_VERSION, '6.0.13', '>=' ) ) {
return $result;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/kirki/v1/frontend/form' ) !== 0 ) {
return $result;
}
foreach ( $request->get_params() as $value ) {
if ( ! is_string( $value ) || '' === $value ) {
continue;
}
// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize -- safe (allowed_classes=false instantiates nothing); mirrors the plugin's own @unserialize() sink so any value it would deserialize (incl. C: and nested-object arrays) is caught. Form fields are never legitimately serialized strings (multi-value fields arrive as arrays).
if ( false !== @unserialize( $value, array( 'allowed_classes' => false ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '22f5af1c-972e-4e31-9afa-bf50ac278c66', 'Object Injection', $request->get_params() );
wp_die( 'Access denied.', 403 );
}
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/bb50eb33-7b8e-4fb9-889c-e43d5b3bc567/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'KIRKI_VERSION' ) ) {
return;
}
$kirki_strip_replace_content = function () {
if ( empty( $GLOBALS['wp_filter']['the_content']->callbacks[ PHP_INT_MAX ] ) ) {
return;
}
foreach ( $GLOBALS['wp_filter']['the_content']->callbacks[ PHP_INT_MAX ] as $callback ) {
$function = $callback['function'] ?? null;
if ( is_array( $function ) && isset( $function[0], $function[1] )
&& is_object( $function[0] )
&& 'replace_content' === $function[1]
&& $function[0] instanceof \Kirki\Frontend\TheFrontend ) {
remove_filter( 'the_content', $function, PHP_INT_MAX );
}
}
};
add_action(
'wp',
function () use ( $kirki_strip_replace_content ) {
if ( empty( $GLOBALS['kirki_assets_should_load_for_request'] ) ) {
$kirki_strip_replace_content();
}
},
11
);
add_action( 'rest_api_init', $kirki_strip_replace_content );
},
11
);
// https://wpscan.com/vulnerability/17a9670f-22f9-4545-b999-f07ae99a6ecb/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'MEMBERSHIP_VERSION' ) || version_compare( MEMBERSHIP_VERSION, '7.3.2', '>=' ) ) {
return;
}
$armember_reset_password_key_vpatch = function ( $check, $object_id, $meta_key ) {
if ( 'arm_reset_password_key' !== $meta_key ) {
return $check;
}
Atomic_Platform_Virtual_Patches::add_log( '17a9670f-22f9-4545-b999-f07ae99a6ecb', 'Insecure Password Reset', $object_id );
return true;
};
add_filter( 'add_user_metadata', $armember_reset_password_key_vpatch, 10, 3 );
add_filter( 'update_user_metadata', $armember_reset_password_key_vpatch, 10, 3 );
},
0
);
// https://wpscan.com/vulnerability/31381157-63d6-4c26-bd52-2039a2e1a804/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! ( $request instanceof WP_REST_Request ) ) {
return $result;
}
if ( ! defined( 'EONSR_AEO_AGENT_VERSION' ) ) {
return $result;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/eonsr-aeo-agent/v1/scheduled-post/create' ) !== 0 ) {
return $result;
}
if ( current_user_can( 'manage_options' ) ) {
return $result;
}
Atomic_Platform_Virtual_Patches::add_log( '31381157-63d6-4c26-bd52-2039a2e1a804', 'Stored XSS', $request->get_params() );
wp_die( 'Access denied.', 403 );
},
1,
3
);
// https://wpscan.com/vulnerability/c46479c2-4eef-485f-ae98-1f487efa4263/
$wpsp_upload_file_vpatch = function () {
if ( ! defined( 'WPSP_VERSION' ) ) {
return;
}
$name = $_FILES['file']['name'] ?? '';
if ( ! is_string( $name ) || '' === $name ) {
return;
}
$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' )
|| str_starts_with( $ext, 'ht' )
|| str_starts_with( $ext, 'sv' )
|| in_array( $ext, array( 'xhtml', 'xht', 'shtml', 'dhtml', 'xml', 'xsl', 'xslt', 'js', 'mjs', 'exe', 'swf' ), true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'c46479c2-4eef-485f-ae98-1f487efa4263', 'Stored XSS', $_FILES );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_wpsp_upload_file', $wpsp_upload_file_vpatch, -1 );
add_action( 'wp_ajax_nopriv_wpsp_upload_file', $wpsp_upload_file_vpatch, -1 );
// https://wpscan.com/vulnerability/117853ca-0fd3-4bfa-ad60-799eb5c77bdf/
$wpsp_get_tickets_vpatch = function () {
if ( ! defined( 'WPSP_VERSION' ) ) {
return;
}
$filter = $_POST['filter'] ?? null;
if ( ! is_array( $filter ) || ! isset( $filter['elements'] ) || ! is_array( $filter['elements'] ) ) {
return;
}
foreach ( array_keys( $filter['elements'] ) as $key ) {
$key = (string) $key;
if ( $key !== esc_sql( $key ) ) {
Atomic_Platform_Virtual_Patches::add_log( '117853ca-0fd3-4bfa-ad60-799eb5c77bdf', 'SQLi', $_POST );
wp_die( 'Access denied.', 403 );
}
}
};
add_action( 'wp_ajax_wpsp_get_tickets', $wpsp_get_tickets_vpatch, -1 );
add_action( 'wp_ajax_nopriv_wpsp_get_tickets', $wpsp_get_tickets_vpatch, -1 );
// https://wpscan.com/vulnerability/68addf8c-9ea6-4b62-9f85-e95350b3992e/
add_filter(
'udrpc_action',
function ( $response, $command, $data = null, $key_name_indicator = '', $ud_rpc = null ) {
if ( is_object( $ud_rpc ) && version_compare( (string) ( $ud_rpc->version ?? '0' ), '2.1', '>=' ) ) {
return $response;
}
$format = isset( $_POST['format'] ) ? (int) $_POST['format'] : 0;
if ( $format < 2 && ! in_array( $command, array( 'ping', 'get_file_status', 'send_chunk', 'upload_complete' ), true ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'68addf8c-9ea6-4b62-9f85-e95350b3992e',
'Blocked UDRPC',
[
'command' => $command,
'data' => $data,
],
);
wp_die( 'Not permitted.', 403 );
}
return $response;
},
0,
5
);
// https://wpscan.com/vulnerability/614b9517-d6d5-499f-8172-280280a312b2/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'ADVANCED_FORM_INTEGRATION_VERSION' ) || version_compare( ADVANCED_FORM_INTEGRATION_VERSION, '2.1.1', '>=' ) ) {
return;
}
$in_afi_sink = false;
$mark_sink = function () use ( &$in_afi_sink ) {
$in_afi_sink = true;
};
add_filter(
'adfoin_should_queue',
function ( $queue, $record ) use ( $mark_sink ) {
if ( in_array( $record['action_provider'] ?? '', array( 'woocommerce', 'fluentaffiliate' ), true ) ) {
$mark_sink();
}
return $queue;
},
10,
2
);
add_action( 'adfoin_woocommerce_job_queue', $mark_sink, 1 );
add_action( 'adfoin_fluentaffiliate_job_queue', $mark_sink, 1 );
add_filter(
'update_user_metadata',
function ( $check, $user_id, $meta_key, $meta_value ) use ( &$in_afi_sink ) {
if ( ! $in_afi_sink || ! is_array( $meta_value ) || $meta_key !== $GLOBALS['wpdb']->prefix . 'capabilities' ) {
return $check;
}
if ( ! array_intersect_key( $meta_value, array_flip( array( 'administrator', 'editor', 'author', 'shop_manager' ) ) ) ) {
return $check;
}
Atomic_Platform_Virtual_Patches::add_log( '614b9517-d6d5-499f-8172-280280a312b2', 'Privilege Escalation', array_keys( $meta_value ) );
update_user_meta( $user_id, $meta_key, array( 'subscriber' => true ) );
return false;
},
PHP_INT_MAX,
4
);
}
);
// https://wpscan.com/vulnerability/217cb606-a0f2-4427-9262-cfe1cc90474e/
add_filter(
'pre_update_option_swpm_stripe_received_api_old_version',
function ( $value ) {
if ( ! defined( 'SIMPLE_WP_MEMBERSHIP_VER' ) || version_compare( SIMPLE_WP_MEMBERSHIP_VER, '4.7.5', '>=' ) ) {
return $value;
}
if ( is_string( $value ) && $value !== esc_html( $value ) ) {
Atomic_Platform_Virtual_Patches::add_log( '217cb606-a0f2-4427-9262-cfe1cc90474e', 'Stored XSS', $value );
wp_die( 'Access denied.', 403 );
}
return $value;
}
);
// https://wpscan.com/vulnerability/88390679-80c5-439f-89d1-2f46aff8cfdb/
add_action(
'wp_ajax_fileorganizer_file_folder_manager',
function () {
if ( ! defined( 'FILEORGANIZER_VERSION' ) || version_compare( FILEORGANIZER_VERSION, '1.2.0', '>=' ) ) {
return;
}
if ( current_user_can( 'activate_plugins' ) ) {
return;
}
$src = ( 'POST' === ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) ? array_merge( $_GET, $_POST ) : $_GET;
$cmd = ( isset( $src['cmd'] ) && is_string( $src['cmd'] ) ) ? $src['cmd'] : '';
if ( 'extract' === $cmd ) {
Atomic_Platform_Virtual_Patches::add_log( '88390679-80c5-439f-89d1-2f46aff8cfdb', 'Upload (extract)', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
if ( ! in_array( $cmd, array( 'mkfile', 'put', 'rename', 'paste' ), true ) ) {
return;
}
$candidates = array();
if ( isset( $src['name'] ) && is_string( $src['name'] ) && '' !== $src['name'] ) {
$candidates[] = $src['name'];
}
$hashes = array();
foreach ( array( 'target', 'targets' ) as $key ) {
$value = $src[ $key ] ?? null;
if ( is_string( $value ) ) {
$hashes[] = $value;
} elseif ( is_array( $value ) ) {
foreach ( $value as $entry ) {
if ( is_string( $entry ) ) {
$hashes[] = $entry;
}
}
}
}
foreach ( $hashes as $hash ) {
$pos = strpos( $hash, '_' );
if ( false === $pos ) {
continue;
}
$encoded = strtr( substr( $hash, $pos + 1 ), '-_.', '+/=' );
$encoded .= str_repeat( '=', ( 4 - strlen( $encoded ) % 4 ) % 4 );
$decoded = base64_decode( $encoded, true );
if ( is_string( $decoded ) && '' !== $decoded ) {
$candidates[] = $decoded;
}
}
foreach ( $candidates as $candidate ) {
$path = wp_parse_url( $candidate, PHP_URL_PATH ) ?? $candidate;
$ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '88390679-80c5-439f-89d1-2f46aff8cfdb', 'Upload', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
}
},
-1
);
// https://wpscan.com/vulnerability/2ffab574-8626-472e-b6e4-09bcbaa62349/
$ur_membership_priv_esc_vpatch = function () {
if ( ! defined( 'UR_VERSION' ) || version_compare( UR_VERSION, '5.2.3', '>=' ) ) {
return;
}
if ( empty( $_POST['members_data'] ) || empty( $_POST['form_id'] ) ) {
return;
}
if ( ! function_exists( 'ur_check_module_activation' ) || ! ur_check_module_activation( 'membership' ) || ! function_exists( 'ur_get_form_fields' ) ) {
return;
}
$members_data = json_decode( wp_unslash( $_POST['members_data'] ), true );
if ( ! is_array( $members_data ) || empty( $members_data['membership'] ) ) {
return;
}
$chosen_id = absint( $members_data['membership'] );
if ( $chosen_id <= 0 ) {
return;
}
$membership_field = null;
foreach ( (array) ur_get_form_fields( absint( $_POST['form_id'] ) ) as $field ) {
if ( isset( $field->field_key ) && 'membership' === $field->field_key ) {
$membership_field = $field;
break;
}
}
if ( null === $membership_field ) {
return;
}
$allowed = array();
try {
$general = $membership_field->general_setting ?? null;
$listing = $general->membership_listing_option ?? 'all';
if ( 'selected' === $listing ) {
$selected = $general->membership_active_memberships ?? array();
$selected = is_array( $selected ) ? $selected : (array) maybe_unserialize( $selected );
$allowed = array_map( 'absint', $selected );
} elseif ( 'group' === $listing && class_exists( 'WPEverest\URMembership\Admin\Services\MembershipGroupService' ) ) {
$group_service = new \WPEverest\URMembership\Admin\Services\MembershipGroupService();
foreach ( (array) $group_service->get_group_memberships( absint( $general->membership_group ?? 0 ) ) as $m ) {
$allowed[] = absint( $m['ID'] ?? ( $m['id'] ?? 0 ) );
}
} elseif ( class_exists( 'WPEverest\URMembership\Admin\Services\MembershipService' ) ) {
$membership_service = new \WPEverest\URMembership\Admin\Services\MembershipService();
foreach ( (array) $membership_service->list_active_memberships() as $m ) {
$allowed[] = absint( $m['ID'] ?? ( $m['id'] ?? 0 ) );
}
}
} catch ( Throwable $e ) {
$allowed = array();
}
$allowed = array_filter( array_map( 'absint', $allowed ) );
if ( ! in_array( $chosen_id, $allowed, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '2ffab574-8626-472e-b6e4-09bcbaa62349', 'Privilege Escalation (members_data.membership)', $chosen_id );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_user_registration_user_form_submit', $ur_membership_priv_esc_vpatch, 1 );
add_action( 'wp_ajax_nopriv_user_registration_user_form_submit', $ur_membership_priv_esc_vpatch, 1 );
// https://wpscan.com/vulnerability/9bd610ea-2c45-4754-b729-ecf73d4853c6/
$wpmf_offload_get_content_vpatch = function () {
if ( ! defined( 'WPMFAD_VERSION' ) || version_compare( WPMFAD_VERSION, '4.0.2', '>=' ) ) {
return;
}
$url = $_REQUEST['url'] ?? '';
if ( ! is_string( $url ) || '' === $url ) {
return;
}
if ( ! wp_http_validate_url( $url ) ) {
Atomic_Platform_Virtual_Patches::add_log( '9bd610ea-2c45-4754-b729-ecf73d4853c6', 'Arbitrary File Download (url)', $url );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_wpmf_offload_get_content', $wpmf_offload_get_content_vpatch, -1 );
add_action( 'wp_ajax_nopriv_wpmf_offload_get_content', $wpmf_offload_get_content_vpatch, -1 );
// https://wpscan.com/vulnerability/7b6aea5d-2e2e-4920-9776-b15841ba1f26/
$wpmf_cloud_get_content_vpatch = function () {
if ( ! defined( 'WPMFAD_VERSION' ) ) {
return;
}
$url = $_REQUEST['url'] ?? '';
if ( ! is_string( $url ) || '' === $url ) {
return;
}
if ( ! wp_http_validate_url( $url ) ) {
Atomic_Platform_Virtual_Patches::add_log( '7b6aea5d-2e2e-4920-9776-b15841ba1f26', 'Arbitrary File Download (url)', $url );
wp_die( 'Access denied.', 403 );
}
};
foreach ( array( 'wpmf_nextcloud_get_content', 'wpmf_owncloud_get_content' ) as $wpmf_cloud_get_content_action ) {
add_action( 'wp_ajax_' . $wpmf_cloud_get_content_action, $wpmf_cloud_get_content_vpatch, -1 );
add_action( 'wp_ajax_nopriv_' . $wpmf_cloud_get_content_action, $wpmf_cloud_get_content_vpatch, -1 );
}
// https://wpscan.com/vulnerability/d1250410-b919-4a90-8cf2-04031f9e5e2b/
// https://wpscan.com/vulnerability/ddc83705-3df6-427c-957b-935135330f73/
if ( ! defined( '_WI_LOADED' ) ) {
define( '_WI_LOADED', 1 );
}
if ( ! defined( '_WI_KEY' ) ) {
define( '_WI_KEY', 'vpatch-neutralized' );
}
add_action(
'init',
function () {
$hits = array();
foreach ( array( '_wplogin', 'wph' ) as $login_param ) {
$raw = $_GET[ $login_param ] ?? null;
if ( is_string( $raw ) && 64 === strlen( preg_replace( '/[^a-f0-9]/', '', strtolower( $raw ) ) ) ) {
$hits[] = $login_param;
unset( $_GET[ $login_param ], $_REQUEST[ $login_param ] );
}
}
if ( ! empty( $_POST['_wp_health_data'] ) && ! empty( $_POST['_wp_health_token'] ) ) {
foreach ( array( '_wp_health_data', '_wp_health_token', '_wp_health_nonce' ) as $cmd_param ) {
if ( isset( $_POST[ $cmd_param ] ) ) {
$hits[] = $cmd_param;
unset( $_POST[ $cmd_param ], $_REQUEST[ $cmd_param ] );
}
}
}
if ( ! empty( $hits ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'd1250410-b919-4a90-8cf2-04031f9e5e2b', 'Backdoor command/login attempt', implode( ',', $hits ) );
}
},
0
);
// https://wpscan.com/vulnerability/19cce311-8311-4358-940d-8f0ab664136e/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'WP_TRAVEL_PRO_VERSION' ) ) {
return $result;
}
if ( 'DELETE' !== strtoupper( $request->get_method() ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/wp-travel/v1/travel-guide' ) !== 0 ) {
return $result;
}
if ( current_user_can( 'delete_users' ) ) {
return $result;
}
Atomic_Platform_Virtual_Patches::add_log( '19cce311-8311-4358-940d-8f0ab664136e', 'User Deletion', $request->get_params() );
wp_die( 'Access denied.', 403 );
},
10,
3
);
// https://wpscan.com/vulnerability/6c9bbd44-cd10-40e2-af6f-440e7ccabf9a/
if ( ! empty( $_POST ) || ! empty( $_FILES ) ) {
add_action(
'init',
function () {
if ( ! class_exists( 'jsonOptions', false ) ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
$writes_options = ! empty( $_FILES['json_options_upload'] )
|| isset( $_POST['json_options_action'] )
|| ( isset( $_POST['json_options_filter_add'] ) && '' !== $_POST['json_options_filter_add'] )
|| ( isset( $_POST['json_options_filter_remove'] ) && '' !== $_POST['json_options_filter_remove'] );
if ( ! $writes_options ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '6c9bbd44-cd10-40e2-af6f-440e7ccabf9a', 'Unauthorized Options Update', $_REQUEST );
wp_die( 'Access denied.', 403 );
},
1
);
}
// https://wpscan.com/vulnerability/b1009ce3-51a8-4923-be87-b5471c660be1/
$webinarignition_csv_import_vpatch = function () {
if ( ! defined( 'WEBINARIGNITION_VERSION' ) || version_compare( WEBINARIGNITION_VERSION, '4.08.253', '>=' ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'b1009ce3-51a8-4923-be87-b5471c660be1', 'Arbitrary File Deletion', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_reh_wi_handle_csv_upload_mapped', $webinarignition_csv_import_vpatch, -1 );
add_action( 'wp_ajax_reh_wi_handle_csv_preview', $webinarignition_csv_import_vpatch, -1 );
// https://wpscan.com/vulnerability/bb4dd73e-2f49-483c-a3c6-69dc4323a81f/
$webinarignition_register_support_vpatch = function () {
if ( ! defined( 'WEBINARIGNITION_VERSION' ) || version_compare( WEBINARIGNITION_VERSION, '4.08.253', '>=' ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'bb4dd73e-2f49-483c-a3c6-69dc4323a81f', 'Privilege Escalation', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_nopriv_webinarignition_register_support', $webinarignition_register_support_vpatch, -1 );
add_action( 'wp_ajax_webinarignition_register_support', $webinarignition_register_support_vpatch, -1 );
// https://wpscan.com/vulnerability/8e0f6af2-86e8-435f-9da2-617ccc3a9fa3/
add_action(
'init',
function () {
if ( ! defined( 'VIKBOOKING_SOFTWARE_VERSION' ) || version_compare( VIKBOOKING_SOFTWARE_VERSION, '1.8.11', '>=' ) ) {
return;
}
$task = $_REQUEST['task'] ?? '';
if ( ! is_string( $task ) || 'chat.remove_attachment' !== $task ) {
return;
}
foreach ( array( $_POST['attachment'] ?? null, $_GET['attachment'] ?? null ) as $attachment ) {
if ( ! is_array( $attachment ) ) {
continue;
}
foreach ( array( 'path', 'filename', 'name' ) as $key ) {
$value = $attachment[ $key ] ?? '';
if ( is_string( $value ) && str_contains( $value, '..' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '8e0f6af2-86e8-435f-9da2-617ccc3a9fa3', 'Arbitrary File Deletion', $attachment );
wp_die( 'Access denied.', 403 );
}
}
}
},
0
);
// https://wpscan.com/vulnerability/e591b3f3-6e21-44f7-b374-4753689532fe/
if ( is_admin() && isset( $_GET['page'] ) && 'apcm-tools' === $_GET['page'] ) {
add_action(
'current_screen',
function () {
if ( ! defined( 'APCM_VERSION' ) || version_compare( APCM_VERSION, '4.5.0', '>=' ) ) {
return;
}
if ( ! class_exists( '\APCuManager\System\APCu' ) ) {
return;
}
foreach ( (array) \APCuManager\System\APCu::get_all_objects() as $item ) {
$oid = isset( $item['oid'] ) && is_string( $item['oid'] ) ? $item['oid'] : '';
if ( '' !== $oid && $oid !== esc_attr( $oid ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e591b3f3-6e21-44f7-b374-4753689532fe', 'Stored XSS', $oid );
wp_die( 'This page was blocked: an APCu object key contains characters that could run as JavaScript when listed here (stored XSS, CVE-2026-10083). Update APCu Manager to 4.5.0 or later, which escapes these keys, to restore access.', 'APCu Manager', array( 'response' => 403 ) );
}
}
}
);
}
// https://wpscan.com/vulnerability/db41e3db-74c2-4b94-bbff-bd1493295241/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'BETTERDOCS_VERSION' ) || version_compare( BETTERDOCS_VERSION, '4.0.0', '<' ) || version_compare( BETTERDOCS_VERSION, '4.5.5', '>=' ) ) {
return;
}
add_filter(
'get_post_metadata',
function ( $value, $object_id, $meta_key ) {
static $reentry = false;
if ( $reentry || '_betterdocs_article_summary' !== $meta_key ) {
return $value;
}
$reentry = true;
$raw = get_post_meta( (int) $object_id, '_betterdocs_article_summary', true );
$reentry = false;
if ( ! is_string( $raw ) || '' === $raw ) {
return $value;
}
$safe = wp_kses_post( $raw );
if ( $safe !== $raw ) {
Atomic_Platform_Virtual_Patches::add_log( 'db41e3db-74c2-4b94-bbff-bd1493295241', 'Stored XSS', $raw );
return array( $safe );
}
return $value;
},
10,
3
);
},
20
);
// https://wpscan.com/vulnerability/9ff9506f-ff0d-4256-8d04-e0b47d8c9c23/
$betterdocs_pro_block_doc_style_lfi = function () {
if ( ! defined( 'BETTERDOCS_PRO_VERSION' ) || version_compare( BETTERDOCS_PRO_VERSION, '3.8.1', '>=' ) ) {
return;
}
if ( ! isset( $_POST['doc_style'] ) ) {
return;
}
$doc_style = $_POST['doc_style'];
if ( ! is_string( $doc_style ) || ! in_array( $doc_style, array( 'doc-grid', 'doc-list', 'doc-list-2' ), true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '9ff9506f-ff0d-4256-8d04-e0b47d8c9c23', 'LFI', $_POST );
wp_die( 'Denied', 403 );
}
};
add_action( 'wp_ajax_load_more_docs_section', $betterdocs_pro_block_doc_style_lfi, 1 );
add_action( 'wp_ajax_nopriv_load_more_docs_section', $betterdocs_pro_block_doc_style_lfi, 1 );
add_action( 'wp_ajax_load_more_docs', $betterdocs_pro_block_doc_style_lfi, 1 );
add_action( 'wp_ajax_nopriv_load_more_docs', $betterdocs_pro_block_doc_style_lfi, 1 );
// https://wpscan.com/vulnerability/b0b77e4d-4273-4043-916f-1965c36ee303/
add_action(
'rest_api_init',
function () {
if ( ! class_exists( 'AIOWPSecurity_Utility' )
|| ! method_exists( 'AIOWPSecurity_Utility', 'get_rest_route' )
|| ! defined( 'AIO_WP_SECURITY_VERSION' )
|| version_compare( AIO_WP_SECURITY_VERSION, '5.4.8', '>=' ) ) {
return;
}
$route = AIOWPSecurity_Utility::get_rest_route();
if ( ! is_string( $route ) || '' === $route ) {
return;
}
if ( esc_html( $route ) !== $route ) {
Atomic_Platform_Virtual_Patches::add_log( 'b0b77e4d-4273-4043-916f-1965c36ee303', 'Stored XSS', $route );
wp_die( 'Access denied.', 403 );
}
},
9
);
// https://wpscan.com/vulnerability/7f4b5f16-6c31-4dcc-94a4-120cb45631bb/
if ( isset( $_GET['page'], $_GET['act'] ) && 'social_shares_csv' === $_GET['page'] && 'delete' === $_GET['act'] ) {
add_action(
'admin_init',
function () {
if ( ! function_exists( 'social_shares_csv' ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '7f4b5f16-6c31-4dcc-94a4-120cb45631bb', 'Arbitrary File Deletion', $_GET );
wp_die( 'Access denied.', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/35c33c56-5b12-4be5-9d45-68f47cd854ec/
$user_submitted_posts_author_xss = function ( $author ) {
if ( ! defined( 'USP_VERSION' ) || version_compare( USP_VERSION, '20260608', '>=' ) || ! is_string( $author ) || '' === $author ) {
return $author;
}
if ( preg_match( '/[<>"]/', $author ) ) {
Atomic_Platform_Virtual_Patches::add_log( '35c33c56-5b12-4be5-9d45-68f47cd854ec', 'Stored XSS', $author );
}
return esc_attr( $author );
};
add_filter( 'usp_author_custom_field', $user_submitted_posts_author_xss, 1 );
add_filter( 'usp_author_custom_field_2', $user_submitted_posts_author_xss, 1 );
// https://wpscan.com/vulnerability/e35eb029-87c3-4837-87c1-4ad7f6f5817f/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'B2BPG_WOOCOMMERCE_PLUGIN_VERSION' ) || version_compare( B2BPG_WOOCOMMERCE_PLUGIN_VERSION, '3.1.0', '>=' ) || ! is_object( $request ) ) {
return $result;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/wp-phonepe/v1/callback' ) !== 0 ) {
return $result;
}
$settings = get_option( 'woocommerce_phonepe_settings' );
$salt_key = is_array( $settings ) ? ( $settings['saltKey'] ?? '' ) : '';
if ( ! is_string( $salt_key ) || '' === trim( $salt_key ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e35eb029-87c3-4837-87c1-4ad7f6f5817f', 'Payment Bypass (forged callback)', $request->get_params() );
wp_die( 'Access denied.', 403 );
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/bbaff9f3-d817-4bb6-9645-b5f0e8a6593a/
$geodir_events_ayi_privesc_vpatch = function () {
if ( ! defined( 'GEODIR_EVENT_VERSION' ) || version_compare( GEODIR_EVENT_VERSION, '2.3.29', '>=' ) ) {
return;
}
$type = isset( $_POST['type'] ) ? (string) $_POST['type'] : '';
$postid = isset( $_POST['postid'] ) ? (string) $_POST['postid'] : '';
$bad_type = '' !== $type && ! in_array( $type, array( 'event_rsvp_yes', 'event_rsvp_maybe' ), true );
$bad_postid = '' !== $postid && ! ctype_digit( $postid );
if ( $bad_type || $bad_postid ) {
Atomic_Platform_Virtual_Patches::add_log( 'bbaff9f3-d817-4bb6-9645-b5f0e8a6593a', 'Privilege Escalation', $_POST );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_geodir_ayi_action', $geodir_events_ayi_privesc_vpatch, -1 );
add_action( 'geodir_ajax_geodir_ayi_action', $geodir_events_ayi_privesc_vpatch, -1 );
// https://wpscan.com/vulnerability/b94ec475-2f1c-46c6-82c2-93123109d9d2/
// CVE-2026-49780 (role injection) + CVE-2026-8761 (object-level authorization)
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'DOKAN_PLUGIN_VERSION' ) || version_compare( DOKAN_PLUGIN_VERSION, '5.0.3', '>=' ) || ! is_object( $request ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( strpos( $route, '/dokan/v1/customers' ) !== 0 ) {
return $result;
}
if ( ! in_array( $request->get_method(), array( 'POST', 'PUT', 'PATCH', 'DELETE' ), true ) ) {
return $result;
}
$params = $request->get_params();
$has_role = static function ( $data ) {
return is_array( $data ) && ( array_key_exists( 'role', $data ) || array_key_exists( 'roles', $data ) );
};
$role_blocked = $has_role( $params );
if ( ! $role_blocked ) {
foreach ( array( 'create', 'update' ) as $batch_op ) {
if ( empty( $params[ $batch_op ] ) || ! is_array( $params[ $batch_op ] ) ) {
continue;
}
foreach ( $params[ $batch_op ] as $item ) {
if ( $has_role( $item ) ) {
$role_blocked = true;
break 2;
}
}
}
}
if ( $role_blocked ) {
Atomic_Platform_Virtual_Patches::add_log( 'b94ec475-2f1c-46c6-82c2-93123109d9d2', 'PrivEsc (role)', $params );
wp_die( 'Access denied.', 403 );
}
$target_ids = array();
if ( preg_match( '#^/dokan/v1/customers/(\d+)#', $route, $matches ) ) {
$target_ids[] = (int) $matches[1];
}
if ( ! empty( $params['update'] ) && is_array( $params['update'] ) ) {
foreach ( $params['update'] as $item ) {
if ( is_array( $item ) && isset( $item['id'] ) ) {
$target_ids[] = (int) $item['id'];
}
}
}
if ( ! empty( $params['delete'] ) && is_array( $params['delete'] ) ) {
foreach ( $params['delete'] as $delete_id ) {
$target_ids[] = (int) $delete_id;
}
}
$protected_caps = array( 'manage_options', 'manage_woocommerce', 'edit_users', 'delete_users', 'list_users', 'promote_users', 'create_users', 'remove_users' );
foreach ( $target_ids as $target_id ) {
if ( $target_id <= 0 ) {
continue;
}
$is_protected = function_exists( 'dokan_is_user_seller' ) && dokan_is_user_seller( $target_id );
if ( ! $is_protected ) {
foreach ( $protected_caps as $cap ) {
if ( user_can( $target_id, $cap ) ) {
$is_protected = true;
break;
}
}
}
if ( $is_protected ) {
Atomic_Platform_Virtual_Patches::add_log( 'b94ec475-2f1c-46c6-82c2-93123109d9d2', 'PrivEsc (protected target)', $params );
wp_die( 'Access denied.', 403 );
}
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/5c7796f9-16ec-446d-b165-60963eed65aa/
// https://wpscan.com/vulnerability/bee4acb2-876a-4085-9be5-0819972826cd/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'DOKAN_PRO_PLUGIN_VERSION' ) || version_compare( DOKAN_PRO_PLUGIN_VERSION, '5.0.5', '>=' ) || ! is_object( $request ) ) {
return $result;
}
if ( ! preg_match( '#^/dokan/v[0-9]+/vendor-staff/[0-9]+/capabilities$#', strtolower( $request->get_route() ) ) ) {
return $result;
}
$capabilities = $request->get_param( 'capabilities' );
if ( ! is_array( $capabilities ) ) {
return $result;
}
foreach ( $capabilities as $capability ) {
$cap = is_array( $capability ) ? ( $capability['capability'] ?? '' ) : $capability;
if ( is_string( $cap ) && '' !== $cap && ! str_starts_with( strtolower( $cap ), 'dokan_' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '5c7796f9-16ec-446d-b165-60963eed65aa', 'Privilege Escalation', $request->get_params() );
wp_die( 'Access denied.', 403 );
}
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/0df3b2df-4e71-4f9d-9620-38bb82bb68fd/
$ameliabooking_customer_type_vpatch = function () {
if ( ! defined( 'AMELIA_VERSION' ) || version_compare( AMELIA_VERSION, '2.4', '>=' ) ) {
return;
}
$call = '';
if ( isset( $_GET['call'] ) && is_string( $_GET['call'] ) ) {
$call = $_GET['call'];
} elseif ( isset( $_POST['call'] ) && is_string( $_POST['call'] ) ) {
$call = $_POST['call'];
}
if ( false === stripos( $call, '/bookings' ) ) {
return;
}
$payloads = array();
// phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents
$raw = file_get_contents( 'php://input' );
if ( is_string( $raw ) && '' !== $raw ) {
$decoded = json_decode( $raw, true );
if ( is_array( $decoded ) ) {
$payloads[] = $decoded;
}
}
if ( ! empty( $_POST ) && is_array( $_POST ) ) {
$payloads[] = wp_unslash( $_POST );
}
foreach ( $payloads as $data ) {
if ( empty( $data['bookings'] ) || ! is_array( $data['bookings'] ) ) {
continue;
}
foreach ( $data['bookings'] as $booking ) {
if ( ! is_array( $booking ) || empty( $booking['customer'] ) || ! is_array( $booking['customer'] ) ) {
continue;
}
$customer = $booking['customer'];
if ( isset( $customer['type'] ) && is_string( $customer['type'] ) ) {
$type = strtolower( trim( $customer['type'] ) );
if ( '' !== $type && 'customer' !== $type ) {
Atomic_Platform_Virtual_Patches::add_log( '0df3b2df-4e71-4f9d-9620-38bb82bb68fd', 'Amelia booking customer.type escalation', $type );
wp_die( 'Denied', 403 );
}
}
if ( isset( $customer['externalId'] ) && ! in_array( $customer['externalId'], array( null, '', 0, '0' ), true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0df3b2df-4e71-4f9d-9620-38bb82bb68fd', 'Amelia booking customer.externalId injection', $customer['externalId'] );
wp_die( 'Denied', 403 );
}
}
}
};
add_action( 'wp_ajax_wpamelia_api', $ameliabooking_customer_type_vpatch, 0 );
add_action( 'wp_ajax_nopriv_wpamelia_api', $ameliabooking_customer_type_vpatch, 0 );
// https://wpscan.com/vulnerability/c7d507e9-49a5-4b22-9425-15fabc64c415/
$supportboard_save_option_vpatch = function () {
if ( ! defined( 'SB_VERSION' ) || version_compare( SB_VERSION, '3.8.9', '>=' ) ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( 'c7d507e9-49a5-4b22-9425-15fabc64c415', 'Privilege Escalation', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_sb_ajax_save_option', $supportboard_save_option_vpatch, -1 );
add_action( 'wp_ajax_nopriv_sb_ajax_save_option', $supportboard_save_option_vpatch, -1 );
// https://wpscan.com/vulnerability/9e9af8ef-f872-4f28-84e8-23bb6ea7ebde/
$aiwu_options_privesc_vpatch = function () {
if ( ! defined( 'WAIC_VERSION' ) || version_compare( WAIC_VERSION, '1.4.19', '>=' ) ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '9e9af8ef-f872-4f28-84e8-23bb6ea7ebde', 'Privilege Escalation', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
foreach ( array( 'saveOptions', 'restoreOptions', 'saveApiKey', 'checkApiModels' ) as $aiwu_privesc_action ) {
add_action( 'wp_ajax_' . $aiwu_privesc_action, $aiwu_options_privesc_vpatch, -1 );
add_action( 'wp_ajax_nopriv_' . $aiwu_privesc_action, $aiwu_options_privesc_vpatch, -1 );
}
// https://wpscan.com/vulnerability/6b126a3e-30d5-4bed-ba47-33e589ec2852/
if ( isset( $_REQUEST['action'] ) && in_array( $_REQUEST['action'], array( 'memberglut_register', 'memberglut_ajax_register' ), true ) ) {
add_action(
'init',
function () {
if ( ! defined( 'MEMBERGLUT_VERSION' ) || version_compare( MEMBERGLUT_VERSION, '1.1.5', '>=' ) ) {
return;
}
if ( ! isset( $_POST['default_role'] ) || ! is_string( $_POST['default_role'] ) ) {
return;
}
$requested_role = sanitize_text_field( wp_unslash( $_POST['default_role'] ) );
if ( '' === $requested_role ) {
return;
}
$role_obj = get_role( $requested_role );
if ( ! $role_obj ) {
return;
}
$editor = get_role( 'editor' );
$editor_caps = $editor ? $editor->capabilities : array();
foreach ( $role_obj->capabilities as $cap => $granted ) {
if ( $granted && empty( $editor_caps[ $cap ] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6b126a3e-30d5-4bed-ba47-33e589ec2852', 'Privilege Escalation', $requested_role );
unset( $_POST['default_role'], $_REQUEST['default_role'] );
return;
}
}
},
1
);
}
// https://wpscan.com/vulnerability/0183c669-cb09-4d53-852f-a0a877691d1e/
$wpjobportal_lt = $_GET['wpjobportallt'] ?? $_POST['wpjobportallt'] ?? '';
if ( ( isset( $_GET['ta'] ) || isset( $_POST['ta'] ) )
&& is_string( $wpjobportal_lt )
&& in_array( strtolower( $wpjobportal_lt ), array( 'jobappliedresume', 'admin_jobappliedresume' ), true ) ) {
add_action(
'init',
function () {
if ( ! class_exists( 'wpjobportal', false ) || version_compare( wpjobportal::$_currentversion, '255', '>=' ) ) {
return;
}
$ta = $_GET['ta'] ?? $_POST['ta'] ?? null;
if ( ! $ta ) {
return;
}
if ( is_array( $ta ) || ! is_numeric( $ta ) ) {
Atomic_Platform_Virtual_Patches::add_log( '0183c669-cb09-4d53-852f-a0a877691d1e', 'SQLi (ta)', $ta );
wp_die( 'Access denied.', 403 );
}
},
1
);
}
// https://wpscan.com/vulnerability/56fdcba6-c7b1-443d-9f9d-b738ecaadabc/
$hcotp_auto_login_vpatch = function () {
if ( ! defined( 'HCOTP_VERSION' )
|| version_compare( HCOTP_VERSION, '1.5', '<' )
|| version_compare( HCOTP_VERSION, '2.8', '>=' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '56fdcba6-c7b1-443d-9f9d-b738ecaadabc', 'Account Takeover', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_hcotp_auto_login_user', $hcotp_auto_login_vpatch, -1 );
add_action( 'wp_ajax_nopriv_hcotp_auto_login_user', $hcotp_auto_login_vpatch, -1 );
// https://wpscan.com/vulnerability/39d038f6-f009-4274-a8a7-9d7c2597ec85/
$quotes_llama_sc_vpatch = function () {
if ( ! defined( 'QL_PLUGIN_VERSION' ) || version_compare( QL_PLUGIN_VERSION, '3.1.6', '>=' ) ) {
return;
}
if ( ! isset( $_POST['sc'] ) ) {
return;
}
$sc = $_POST['sc'];
$allowed = array( 'quote', 'quote_id', 'title_name', 'first_name', 'last_name', 'source', 'img_url', 'author_icon', 'source_icon', 'category' );
if ( ! is_string( $sc ) || ! in_array( $sc, $allowed, true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '39d038f6-f009-4274-a8a7-9d7c2597ec85', 'SQLi (sc)', $sc );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_select_search', $quotes_llama_sc_vpatch, -1 );
add_action( 'wp_ajax_nopriv_select_search', $quotes_llama_sc_vpatch, -1 );
add_action( 'wp_ajax_select_search_page', $quotes_llama_sc_vpatch, -1 );
add_action( 'wp_ajax_nopriv_select_search_page', $quotes_llama_sc_vpatch, -1 );
// https://wpscan.com/vulnerability/b9f3f6d8-b56f-4d0e-9102-c69e6756ab74/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'WOOCCI_PLUGIN_PATH' ) || ! function_exists( 'wc_get_order' ) ) {
return $result;
}
if ( defined( 'WOOCCI_VERSION' ) && version_compare( WOOCCI_VERSION, '1.3.6', '>=' ) ) {
return $result;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/woocci/v1/check_order' ) !== 0 ) {
return $result;
}
$body = json_decode( $request->get_body(), true );
if ( ! is_array( $body ) || ! isset( $body['order_id'], $body['woo_order_id'] ) ) {
return $result;
}
$clover_uuid = $body['order_id'];
$order = wc_get_order( $body['woo_order_id'] );
$stored_uuid = $order ? (string) $order->get_meta( '_clover_uuid' ) : '';
if ( ! is_string( $clover_uuid ) || '' === $stored_uuid || ! hash_equals( $stored_uuid, $clover_uuid ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'b9f3f6d8-b56f-4d0e-9102-c69e6756ab74', 'Payment Bypass (check_order)', $body );
wp_die( 'Access denied.', 403 );
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/2ac80164-03b7-4966-b022-833b4194de80/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! is_object( $request )
|| ! class_exists( 'FTF_Fediverse_Embeds\\Media_Proxy', false )
|| method_exists( 'FTF_Fediverse_Embeds\\Media_Proxy', 'is_safe_url' ) ) {
return $result;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/ftf/media-proxy' ) !== 0 ) {
return $result;
}
$raw = $request->get_param( 'url' );
if ( ! is_string( $raw ) || '' === $raw ) {
return $result;
}
$url = base64_decode( $raw ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode
$parsed = is_string( $url ) ? wp_parse_url( $url ) : false;
$scheme = is_array( $parsed ) ? strtolower( (string) ( $parsed['scheme'] ?? '' ) ) : '';
$host = is_array( $parsed ) ? (string) ( $parsed['host'] ?? '' ) : '';
$ip_flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
$is_safe = false;
if ( in_array( $scheme, array( 'http', 'https' ), true ) && '' !== $host ) {
$bare = trim( $host, '[]' );
if ( filter_var( $bare, FILTER_VALIDATE_IP ) ) {
$is_safe = (bool) filter_var( $bare, FILTER_VALIDATE_IP, $ip_flags );
} else {
$a_records = dns_get_record( $bare, DNS_A );
$aaaa_records = dns_get_record( $bare, DNS_AAAA );
$records = array_merge(
is_array( $a_records ) ? $a_records : array(),
is_array( $aaaa_records ) ? $aaaa_records : array()
);
if ( ! empty( $records ) ) {
$is_safe = true;
foreach ( $records as $record ) {
$ip = $record['ip'] ?? $record['ipv6'] ?? null;
if ( null === $ip || ! filter_var( $ip, FILTER_VALIDATE_IP, $ip_flags ) ) {
$is_safe = false;
break;
}
}
}
}
}
if ( ! $is_safe ) {
Atomic_Platform_Virtual_Patches::add_log( '2ac80164-03b7-4966-b022-833b4194de80', 'SSRF (media-proxy)', $url );
wp_die( 'Access denied.', 403 );
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/e50cd5ff-5c2a-4fd4-8cbf-4ee9a361e08f/
if ( isset( $_GET['page'], $_GET['action'] )
&& 'e2pdf-templates' === $_GET['page']
&& is_string( $_GET['action'] )
&& 0 === strcasecmp( $_GET['action'], 'screen' ) ) {
add_action(
'admin_init',
function () {
if ( ! defined( 'E2PDF_ROOT_FILE' ) ) {
return;
}
$e2pdf_data = get_file_data( E2PDF_ROOT_FILE, array( 'version' => 'Version' ) );
if ( version_compare( $e2pdf_data['version'], '1.32.31', '>=' ) ) {
return;
}
$option = $_POST['wp_screen_options'] ?? null;
if ( is_array( $option )
&& isset( $option['option'] )
&& 'e2pdf_templates_screen_per_page' !== $option['option'] ) {
Atomic_Platform_Virtual_Patches::add_log( 'e50cd5ff-5c2a-4fd4-8cbf-4ee9a361e08f', 'Arbitrary Option Update', $option );
wp_die( 'Access denied.', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/762dd8c3-8972-46ef-90c2-9f3f5dce4370/
$libmns_checkout_sqli_vpatch = function () {
if ( ! defined( 'LIBMNS_VERSION' )
|| version_compare( LIBMNS_VERSION, '3.5', '<' )
|| version_compare( LIBMNS_VERSION, '3.5.8', '>=' ) ) {
return;
}
$param = isset( $_REQUEST['param'] ) ? trim( (string) $_REQUEST['param'] ) : '';
if ( 'owt7_lms_do_user_checkout' !== $param || ! isset( $_REQUEST['book_id'] ) ) {
return;
}
$book_id = base64_decode( sanitize_text_field( wp_unslash( trim( (string) $_REQUEST['book_id'] ) ) ) );
if ( '' !== $book_id && ! ctype_digit( $book_id ) ) {
Atomic_Platform_Virtual_Patches::add_log( '762dd8c3-8972-46ef-90c2-9f3f5dce4370', 'SQLi (book_id)', $book_id );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_owt7_front_handler', $libmns_checkout_sqli_vpatch, -1 );
add_action( 'wp_ajax_nopriv_owt7_front_handler', $libmns_checkout_sqli_vpatch, -1 );
// https://wpscan.com/vulnerability/c94475c8-d129-4735-b599-5094efb20cb8/
$wcal_recovery_action = isset( $_GET['wcal_action'] ) ? sanitize_text_field( wp_unslash( $_GET['wcal_action'] ) ) : '';
if ( ( 'checkout_link' === $wcal_recovery_action || 'track_links' === $wcal_recovery_action )
&& isset( $_GET['user_email'] ) ) {
$wcal_recovery_binding_vpatch = function ( $send, $expire, $expiration, $user_id ) {
if ( ! defined( 'WCAL_PLUGIN_VERSION' ) || version_compare( WCAL_PLUGIN_VERSION, '6.8.2', '>=' ) ) {
return $send;
}
$sent_email = trim( str_replace( ' ', '+', sanitize_text_field( wp_unslash( $_GET['user_email'] ) ) ) );
$user = get_userdata( $user_id );
if ( ! $user || 0 !== strcasecmp( trim( (string) $user->user_email ), $sent_email ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'c94475c8-d129-4735-b599-5094efb20cb8', 'Account Takeover (recovery email/record mismatch)', $sent_email );
return false;
}
return $send;
};
add_filter( 'send_auth_cookies', $wcal_recovery_binding_vpatch, 10, 4 );
add_filter( 'send_auth_cookie', $wcal_recovery_binding_vpatch, 10, 4 );
}
// https://wpscan.com/vulnerability/1ff08062-8f2c-4542-b795-fe82bfa6040c/
add_action(
'woocommerce_api_wc_gateway_inespayredsys',
function () {
if ( ! defined( 'REDSYS_WOOCOMMERCE_VERSION' ) || version_compare( REDSYS_WOOCOMMERCE_VERSION, '7.0.2', '>=' ) ) {
return;
}
$raw_body = file_get_contents( 'php://input' ); // phpcs:ignore WordPress.WP.AlternativeFunctions.file_get_contents_file_get_contents
$data = json_decode( (string) $raw_body, true );
if ( empty( $data ) && '' !== (string) $raw_body ) {
$parsed = array();
parse_str( (string) $raw_body, $parsed );
if ( ! empty( $parsed ) ) {
$data = $parsed;
}
}
if ( empty( $data ) && ! empty( $_POST ) ) {
$data = wp_unslash( $_POST ); // phpcs:ignore WordPress.Security.NonceVerification.Missing
}
if ( ! is_array( $data ) ) {
$data = array();
}
$data_return = isset( $data['dataReturn'] ) ? str_replace( ' ', '+', (string) $data['dataReturn'] ) : '';
$signature = isset( $data['signatureDataReturn'] ) ? str_replace( ' ', '+', (string) $data['signatureDataReturn'] ) : '';
$top_payin = isset( $data['singlePayinId'] ) ? (string) $data['singlePayinId'] : '';
$settings = get_option( 'woocommerce_inespayredsys_settings' );
$api_key = is_array( $settings ) && isset( $settings['api_key'] ) ? (string) $settings['api_key'] : '';
$valid = false;
if ( '' !== $data_return && '' !== $signature && '' !== $api_key ) {
$expected = base64_encode( strtolower( bin2hex( hash_hmac( 'sha256', $data_return, $api_key, true ) ) ) );
if ( hash_equals( $expected, $signature ) ) {
$decoded = json_decode( (string) base64_decode( $data_return ), true );
$signed_payin = is_array( $decoded ) && isset( $decoded['singlePayinId'] ) ? (string) $decoded['singlePayinId'] : '';
$effective = '' !== $top_payin ? $top_payin : $signed_payin;
$valid = '' !== $signed_payin && $signed_payin === $effective;
}
}
if ( ! $valid ) {
Atomic_Platform_Virtual_Patches::add_log( '1ff08062-8f2c-4542-b795-fe82bfa6040c', 'Forged Payment Callback', $data['singlePayinId'] ?? '' );
wp_die( 'OK', '', array( 'response' => 200 ) );
}
},
0
);
// https://wpscan.com/vulnerability/a1aae05d-63d0-4cde-8a9c-996f58f58e48/
add_action(
'woocommerce_api_phonepe-payment-complete',
function () {
if ( ! defined( 'SGPPY_VERSION' ) || ! function_exists( 'wc_get_order_notes' ) ) {
return;
}
if ( empty( $_REQUEST['order_id'] ) || empty( $_REQUEST['transaction_id'] ) ) {
return;
}
$order_id = absint( $_REQUEST['order_id'] );
$transaction_id = sanitize_text_field( wp_unslash( $_REQUEST['transaction_id'] ) );
if ( $order_id < 1 || '' === $transaction_id ) {
return;
}
$needle = 'transaction id is ' . $transaction_id . ' and transaction status';
$bound = false;
foreach ( wc_get_order_notes( array( 'order_id' => $order_id ) ) as $note ) {
if ( isset( $note->content ) && str_contains( (string) $note->content, $needle ) ) {
$bound = true;
break;
}
}
if ( ! $bound ) {
Atomic_Platform_Virtual_Patches::add_log( 'a1aae05d-63d0-4cde-8a9c-996f58f58e48', 'PhonePe payment bypass (transaction not bound to order)', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
1
);
// https://wpscan.com/vulnerability/e4c44105-f43d-4dff-8487-7d8ae2691c4e/
$newsletters_block_object_injection = function () {
if ( ! defined( 'NEWSLETTERS_DIR' ) ) {
return;
}
$newsletters_version = isset( $GLOBALS['wpMail'] ) && isset( $GLOBALS['wpMail']->version ) ? $GLOBALS['wpMail']->version : '';
if ( '' !== $newsletters_version && version_compare( $newsletters_version, '4.15', '>=' ) ) {
return;
}
$newsletters_has_serialized_object = function ( $value ) use ( &$newsletters_has_serialized_object ) {
if ( is_array( $value ) ) {
foreach ( $value as $item ) {
if ( $newsletters_has_serialized_object( $item ) ) {
return true;
}
}
return false;
}
if ( ! is_string( $value ) ) {
return false;
}
return (bool) preg_match( '/(?:^|[;{])[OCE]:\\+?\\d+:"/', wp_unslash( $value ) );
};
foreach ( $_POST as $newsletters_field => $newsletters_value ) {
if ( $newsletters_has_serialized_object( $newsletters_value ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e4c44105-f43d-4dff-8487-7d8ae2691c4e', 'Object Injection', $newsletters_field );
wp_die( 'Access denied.', 403 );
}
}
};
$newsletters_optin_method = isset( $_GET['wpmlmethod'] ) ? $_GET['wpmlmethod'] : ( $_POST['wpmlmethod'] ?? '' );
if ( is_string( $newsletters_optin_method ) && 'optin' === $newsletters_optin_method ) {
add_action( 'init', $newsletters_block_object_injection, 0 );
}
add_action( 'wp_ajax_wpmlsubscribe', $newsletters_block_object_injection, -1 );
add_action( 'wp_ajax_nopriv_wpmlsubscribe', $newsletters_block_object_injection, -1 );
add_action( 'wp_ajax_managementsavefields', $newsletters_block_object_injection, -1 );
add_action( 'wp_ajax_nopriv_managementsavefields', $newsletters_block_object_injection, -1 );
// https://wpscan.com/vulnerability/b48134a6-db40-4220-ba59-e6370af41175/
$wp_review_slider_pro_chart_sqli_vpatch = function () {
if ( ! defined( 'WPREVPRO_PLUGIN_VERSION' ) || version_compare( WPREVPRO_PLUGIN_VERSION, '12.7.0', '>=' ) ) {
return;
}
foreach ( array( 'stypes', 'slocations' ) as $param ) {
if ( ! isset( $_POST[ $param ] ) || ! is_string( $_POST[ $param ] ) ) {
continue;
}
$decoded = json_decode( sanitize_text_field( wp_unslash( $_POST[ $param ] ) ), true );
if ( ! is_array( $decoded ) ) {
continue;
}
foreach ( $decoded as $value ) {
if ( ! is_scalar( $value ) ) {
continue;
}
$value = (string) $value;
if ( '' !== $value && $value !== esc_sql( $value ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'b48134a6-db40-4220-ba59-e6370af41175', 'SQLi (' . $param . ')', $value );
wp_die( 'Access denied.', 403 );
}
}
}
};
add_action( 'wp_ajax_wppro_get_overall_chart_data', $wp_review_slider_pro_chart_sqli_vpatch, -1 );
// https://wpscan.com/vulnerability/9afccda7-60bb-4dcc-b7e0-8f3d7ee79bc4/
$wp_review_slider_pro_reviews_sqli_vpatch = function () {
if ( ! defined( 'WPREVPRO_PLUGIN_VERSION' ) || version_compare( WPREVPRO_PLUGIN_VERSION, '12.7.0', '>=' ) ) {
return;
}
if ( ! isset( $_POST['curselrevs'] ) || ! is_array( $_POST['curselrevs'] ) ) {
return;
}
foreach ( wp_unslash( $_POST['curselrevs'] ) as $value ) {
if ( is_scalar( $value ) ) {
$value = (string) $value;
if ( '' === $value || ctype_digit( $value ) ) {
continue;
}
}
Atomic_Platform_Virtual_Patches::add_log( '9afccda7-60bb-4dcc-b7e0-8f3d7ee79bc4', 'SQLi (curselrevs)', $value );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_wpfb_find_reviews', $wp_review_slider_pro_reviews_sqli_vpatch, -1 );
// https://wpscan.com/vulnerability/dd40644f-ee1b-4c14-a587-b422a2a1ed00/
$wp_review_slider_pro_file_delete_vpatch = function () {
if ( ! defined( 'WPREVPRO_PLUGIN_VERSION' ) || version_compare( WPREVPRO_PLUGIN_VERSION, '12.7.0', '>=' ) ) {
return;
}
if ( current_user_can( 'edit_posts' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( 'dd40644f-ee1b-4c14-a587-b422a2a1ed00', 'Blocked Action', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_wpfb_hide_review', $wp_review_slider_pro_file_delete_vpatch, -1 );
add_action( 'wp_ajax_wprp_save_review_admin', $wp_review_slider_pro_file_delete_vpatch, -1 );
// https://wpscan.com/vulnerability/11d5d4c2-7ba9-4389-9050-28c90920e34b/
if ( isset( $_POST['redux_users_meta_nonce'] ) ) {
add_filter(
'update_user_metadata',
function ( $check, $object_id, $meta_key ) {
$mk = strtolower( (string) $meta_key );
if ( ! str_ends_with( $mk, 'capabilities' ) && ! str_ends_with( $mk, 'user_level' ) && 'session_tokens' !== $mk ) {
return $check;
}
if ( ! class_exists( 'Redux_Core' ) || version_compare( Redux_Core::$version, '4.5.13', '>=' ) ) {
return $check;
}
if ( current_user_can( 'promote_users' ) ) {
return $check;
}
Atomic_Platform_Virtual_Patches::add_log( '11d5d4c2-7ba9-4389-9050-28c90920e34b', 'Privesc (user meta)', $meta_key );
return false;
},
999,
3
);
}
// https://wpscan.com/vulnerability/84555dc3-b35e-478f-b681-ea0a0fe481d9/
if ( isset( $_POST['password'], $_POST['cpassword'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'LENXEL_THEME_URL' ) ) {
return;
}
$user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
$nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
if ( $user_id > 0 && wp_verify_nonce( $nonce, 'reset_nonce' . $user_id ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '84555dc3-b35e-478f-b681-ea0a0fe481d9', 'Account Takeover', $_REQUEST );
wp_die( 'Access denied.', 403 );
},
9
);
}
// https://wpscan.com/vulnerability/3658cae6-f6ae-4ecc-8d74-bb402e61f5d5/
add_filter(
'slimstat_filter_pageview_stat',
function ( $stat ) {
if ( defined( 'SLIMSTAT_ANALYTICS_VERSION' ) && version_compare( SLIMSTAT_ANALYTICS_VERSION, '5.5.0', '>=' ) ) {
return $stat;
}
if ( is_array( $stat ) && isset( $stat['country'] ) && is_string( $stat['country'] ) ) {
$clean = sanitize_key( $stat['country'] );
if ( $clean !== strtolower( $stat['country'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '3658cae6-f6ae-4ecc-8d74-bb402e61f5d5', 'Stored XSS (country)', $stat['country'] );
}
$stat['country'] = $clean;
}
return $stat;
},
99
);
// https://wpscan.com/vulnerability/4b6aad60-4cb2-4200-9ffa-a5c5a05df437/
$listdom_register_role_vpatch = function () {
if ( ! defined( 'LSD_VERSION' ) || version_compare( LSD_VERSION, '5.6.0', '>=' ) ) {
return;
}
if ( ! isset( $_POST['lsd_role'] ) || '' === $_POST['lsd_role'] ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '4b6aad60-4cb2-4200-9ffa-a5c5a05df437', 'Privesc (lsd_role)', $_POST );
unset( $_POST['lsd_role'] );
};
add_action( 'wp_ajax_lsd_register', $listdom_register_role_vpatch, -1 );
add_action( 'wp_ajax_nopriv_lsd_register', $listdom_register_role_vpatch, -1 );
// https://wpscan.com/vulnerability/5fecb389-c327-4084-a5c8-61e5098386d6/
add_filter(
'wpcargo_can_track_multiple_shipments',
function ( $shipment_numbers ) {
if ( ! defined( 'WPCARGO_VERSION' ) || ! is_array( $shipment_numbers ) ) {
return $shipment_numbers;
}
foreach ( $shipment_numbers as $i => $value ) {
if ( ! is_string( $value ) ) {
continue;
}
$escaped = esc_sql( $value );
if ( $escaped !== $value ) {
Atomic_Platform_Virtual_Patches::add_log( '5fecb389-c327-4084-a5c8-61e5098386d6', 'SQLi (wpcargo_tracking_number)', $value );
$shipment_numbers[ $i ] = $escaped;
}
}
return $shipment_numbers;
},
PHP_INT_MAX
);
// https://wpscan.com/vulnerability/0d3b366c-925e-47ef-92a1-a8e53a118603/
add_action(
'init',
function () {
global $ub_version;
if ( ! defined( 'WPMUDEV_BRANDA_DIR' ) ) {
return;
}
if ( is_string( $ub_version ) && version_compare( $ub_version, '3.4.31', '>=' ) ) {
return;
}
$branda_pre_insert_user_pass = null;
$branda_capture_user_pass = function ( $data, $update, $id ) use ( &$branda_pre_insert_user_pass ) {
if ( $update && is_array( $data ) ) {
$branda_pre_insert_user_pass = $data['user_pass'] ?? null;
}
return $data;
};
$branda_restore_user_pass = function ( $data, $update, $id ) use ( &$branda_pre_insert_user_pass ) {
if ( $update && is_array( $data )
&& null !== $branda_pre_insert_user_pass
&& isset( $data['user_pass'] )
&& $data['user_pass'] !== $branda_pre_insert_user_pass ) {
Atomic_Platform_Virtual_Patches::add_log( '0d3b366c-925e-47ef-92a1-a8e53a118603', 'Account takeover (password_1)', array_merge( array( 'target_user_id' => $id ), $data ) );
$data['user_pass'] = $branda_pre_insert_user_pass;
}
return $data;
};
add_filter( 'wp_pre_insert_user_data', $branda_capture_user_pass, 9, 3 );
add_filter( 'wp_pre_insert_user_data', $branda_restore_user_pass, 11, 3 );
},
11
);
// https://wpscan.com/vulnerability/40e78256-6a84-44fc-b35b-26c21317691e/
if ( isset( $_POST['test'] ) ) {
add_action(
'wp_loaded',
function () {
if ( ! class_exists( 'Webinfos_Plugin', false ) ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '40e78256-6a84-44fc-b35b-26c21317691e', 'Arbitrary File Upload', $_FILES );
wp_die( 'Access denied.', 403 );
},
0
);
}
// https://wpscan.com/vulnerability/40e78256-6a84-44fc-b35b-26c21317691e/
add_action(
'wp_ajax_webinfos_action',
function () {
if ( ! class_exists( 'Webinfos_Plugin', false ) ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '40e78256-6a84-44fc-b35b-26c21317691e', 'Arbitrary File Upload (dragfiles)', $_FILES );
wp_die( 'Access denied.', 403 );
},
-1
);
// https://wpscan.com/vulnerability/dac83702-298d-4422-b795-b7684cc3fb2b/
if ( isset( $_REQUEST['action'] )
&& is_string( $_REQUEST['action'] )
&& in_array( $_REQUEST['action'], array( 'booking_add', 'booking_add_one', 'booking_save', 'booking_modify_person' ), true ) ) {
add_action(
'init',
function () {
if ( ! defined( 'EM_VERSION' ) || version_compare( EM_VERSION, '7.3.7', '>=' ) ) {
return;
}
$em_booking_oi_detect = function ( $value ) use ( &$em_booking_oi_detect ) {
if ( is_array( $value ) ) {
foreach ( $value as $item ) {
if ( $em_booking_oi_detect( $item ) ) {
return true;
}
}
return false;
}
if ( ! is_string( $value ) || '' === $value ) {
return false;
}
// phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize
return false !== @unserialize( wp_unslash( $value ), array( 'allowed_classes' => false ) );
};
if ( $em_booking_oi_detect( $_POST ) || $em_booking_oi_detect( $_GET ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'dac83702-298d-4422-b795-b7684cc3fb2b', 'Object Injection', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
1
);
}
// https://wpscan.com/vulnerability/6294afde-d23a-4634-a49a-168ce463278c/
$nbdesigner_copy_image_vpatch = function () {
if ( ! defined( 'NBDESIGNER_VERSION' ) || version_compare( NBDESIGNER_VERSION, '2.5.3', '>=' ) ) {
return;
}
$url = ( isset( $_POST['url'] ) && is_string( $_POST['url'] ) ) ? trim( wp_unslash( $_POST['url'] ) ) : '';
if ( '' === $url ) {
return;
}
$scheme = strtolower( (string) wp_parse_url( $url, PHP_URL_SCHEME ) );
if ( 'http' !== $scheme && 'https' !== $scheme ) {
Atomic_Platform_Virtual_Patches::add_log( '6294afde-d23a-4634-a49a-168ce463278c', 'Arbitrary File Read / SSRF (scheme)', $url );
wp_die( 'Access denied.', 403 );
}
$host = trim( (string) wp_parse_url( $url, PHP_URL_HOST ), '[]' );
if ( '' === $host ) {
Atomic_Platform_Virtual_Patches::add_log( '6294afde-d23a-4634-a49a-168ce463278c', 'SSRF (host)', $url );
wp_die( 'Access denied.', 403 );
}
$ip = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
if ( filter_var( $ip, FILTER_VALIDATE_IP )
&& ! filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6294afde-d23a-4634-a49a-168ce463278c', 'SSRF (internal IP)', $url );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_nbdesigner_copy_image_from_url', $nbdesigner_copy_image_vpatch, 1 );
add_action( 'wp_ajax_nopriv_nbdesigner_copy_image_from_url', $nbdesigner_copy_image_vpatch, 1 );
// https://wpscan.com/vulnerability/96a1d133-6aa9-4dc0-944f-ea655f600ac4/
$nbdesigner_item_key_traversal_vpatch = function () {
if ( ! defined( 'NBDESIGNER_VERSION' ) || version_compare( NBDESIGNER_VERSION, '2.5.3', '>=' ) ) {
return;
}
foreach ( array( 'nbd_item_key', 'draft_folder' ) as $param ) {
if ( ! isset( $_POST[ $param ] ) ) {
continue;
}
$value = sanitize_text_field( wp_unslash( $_POST[ $param ] ) );
if ( '' !== $value && ! preg_match( '/^[A-Za-z0-9_\-]{1,128}$/', $value ) ) {
Atomic_Platform_Virtual_Patches::add_log( '96a1d133-6aa9-4dc0-944f-ea655f600ac4', 'Path Traversal (' . $param . ')', $value );
wp_die( 'Access denied.', 403 );
}
}
};
add_action( 'wp_ajax_nbd_save_customer_design', $nbdesigner_item_key_traversal_vpatch, 1 );
add_action( 'wp_ajax_nopriv_nbd_save_customer_design', $nbdesigner_item_key_traversal_vpatch, 1 );
add_action( 'wp_ajax_nbd_save_draft_design', $nbdesigner_item_key_traversal_vpatch, 1 );
add_action( 'wp_ajax_nopriv_nbd_save_draft_design', $nbdesigner_item_key_traversal_vpatch, 1 );
// https://wpscan.com/vulnerability/fd13bf8a-ce99-4e2b-ba36-e899df33cf98/
$ssf_tracking_sqli_vpatch = function () {
if ( ! defined( 'SSF_WP_VERSION' ) ) {
return;
}
foreach ( array_keys( $_POST ) as $key ) {
if ( ! is_string( $key ) || strpos( $key, 'ssf_wp_' ) === false ) {
continue;
}
if ( ! preg_match( '/^[a-zA-Z0-9_]+$/', $key ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'fd13bf8a-ce99-4e2b-ba36-e899df33cf98', 'SQLi (tracking key)', $key );
wp_die( 'Access denied.', 403 );
}
}
};
add_action( 'wp_ajax_ssf_tracking', $ssf_tracking_sqli_vpatch, -1 );
add_action( 'wp_ajax_nopriv_ssf_tracking', $ssf_tracking_sqli_vpatch, -1 );
// https://wpscan.com/vulnerability/8ae2ff84-a4a0-4fb1-842b-b3193e673d27/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'PRAD_VER' ) || version_compare( PRAD_VER, '1.6.15', '>=' ) ) {
return $result;
}
if ( strpos( strtolower( (string) $request->get_route() ), '/prad/upload-file' ) !== 0 ) {
return $result;
}
$names = $_FILES['prad_file']['name'] ?? '';
foreach ( (array) $names as $name ) {
if ( ! is_string( $name ) || '' === $name ) {
continue;
}
$ext = strtolower( pathinfo( sanitize_file_name( $name ), PATHINFO_EXTENSION ) );
if ( 'svg' === $ext || 'svgz' === $ext ) {
Atomic_Platform_Virtual_Patches::add_log( '8ae2ff84-a4a0-4fb1-842b-b3193e673d27', 'Stored XSS (SVG upload)', $name );
wp_die( 'Access denied.', 403 );
}
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/e22227c8-506e-4188-a7a1-1952b41c47f5/
if ( ( isset( $_POST['action'], $_POST['value'] ) && 'pdb_list_filter' === $_POST['action'] )
|| isset( $_GET['search_field'], $_GET['value'] ) ) {
add_action(
'init',
function () {
if ( ! class_exists( 'Participants_Db', false ) ) {
return;
}
$pdb_search_breakout = function ( $value ) use ( &$pdb_search_breakout ) {
if ( is_array( $value ) ) {
foreach ( $value as $item ) {
if ( $pdb_search_breakout( $item ) ) {
return true;
}
}
return false;
}
if ( ! is_string( $value ) ) {
return false;
}
$term = urldecode( wp_unslash( $value ) );
return strpos( $term, '"' ) !== false && 1 !== preg_match( '#^"[^"]*"$#', $term );
};
if ( $pdb_search_breakout( $_POST['value'] ?? null ) || $pdb_search_breakout( $_GET['value'] ?? null ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'e22227c8-506e-4188-a7a1-1952b41c47f5', 'SQLi (search value)', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/b2b7f90e-359f-4fb4-9b48-c87ecb229f76/
$digages_order_ownership_vpatch = function () {
if ( ! defined( 'DIGAGES_WOODP_PREFIX' ) || ! isset( $_POST['order_id'] ) || ! function_exists( 'wc_get_order' ) ) {
return;
}
$raw = wp_unslash( $_POST['order_id'] );
$order_id = 0;
if ( is_numeric( $raw ) ) {
$order_id = absint( $raw );
} elseif ( is_string( $raw ) && preg_match( '/\d+/', $raw, $m ) ) {
$order_id = absint( $m[0] );
}
if ( $order_id > 0 ) {
if ( function_exists( 'WC' ) && WC()->session && absint( WC()->session->get( 'order_awaiting_payment' ) ) === $order_id ) {
return;
}
$order = wc_get_order( $order_id );
if ( $order ) {
$uid = get_current_user_id();
if ( $uid > 0 && (int) $order->get_customer_id() === $uid ) {
return;
}
$submitted_key = '';
if ( isset( $_POST['order_key'] ) ) {
$submitted_key = sanitize_text_field( wp_unslash( $_POST['order_key'] ) );
} elseif ( isset( $_POST['key'] ) ) {
$submitted_key = sanitize_text_field( wp_unslash( $_POST['key'] ) );
}
if ( '' !== $submitted_key && hash_equals( (string) $order->get_order_key(), $submitted_key ) ) {
return;
}
}
}
Atomic_Platform_Virtual_Patches::add_log( 'b2b7f90e-359f-4fb4-9b48-c87ecb229f76', 'Order Tampering (IDOR)', $order_id );
wp_die( 'Access denied.', 403 );
};
foreach ( array( 'digages_update_order_status', 'digages_upload_screenshot', 'digages_upload_screenshot_skip', 'digages_resend_order_email', 'digages_send_p2p_confirmation', 'digages_send_p2p_confirmation_skip', 'digages_add_order_to_cart' ) as $digages_action ) {
add_action( 'wp_ajax_' . $digages_action, $digages_order_ownership_vpatch, -1 );
add_action( 'wp_ajax_nopriv_' . $digages_action, $digages_order_ownership_vpatch, -1 );
}
// https://wpscan.com/vulnerability/79fa8b91-f88e-4249-9f17-9e98e879f6fa/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'CafehausAPIPlugin_DIR' ) ) {
return $result;
}
$route = strtolower( (string) $request->get_route() );
if ( '/cafe/v1/user/password/update' !== $route && '/cafe/v1/user/info/update' !== $route ) {
return $result;
}
$user_id = absint( $request['userId'] );
if ( $user_id <= 0 || ! current_user_can( 'edit_user', $user_id ) ) {
Atomic_Platform_Virtual_Patches::add_log( '79fa8b91-f88e-4249-9f17-9e98e879f6fa', 'Account Takeover (unauth user update)', $route );
wp_die( 'Access denied.', 403 );
}
return $result;
},
1,
3
);
// https://wpscan.com/vulnerability/1369f95a-4ad3-4b0e-a87f-da88d200685e/
$dinatur_guardar_idiomas_vpatch = function () {
if ( ! function_exists( 'GuardarIdiomas' ) ) {
return;
}
if ( current_user_can( 'manage_options' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '1369f95a-4ad3-4b0e-a87f-da88d200685e', 'SQLi / unauth TRUNCATE (GuardarIdiomas)', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_GuardarIdiomas', $dinatur_guardar_idiomas_vpatch, -1 );
add_action( 'wp_ajax_nopriv_GuardarIdiomas', $dinatur_guardar_idiomas_vpatch, -1 );
// https://wpscan.com/vulnerability/fa7b1f42-b950-419a-a356-ad9a56c8052e/
add_filter(
'xmlrpc_methods',
function ( $methods ) {
if ( ! is_array( $methods ) || ! isset( $methods['nc.setOption'] ) ) {
return $methods;
}
$methods['nc.setOption'] = array(
new class() {
public function handle( $args ) {
global $wp_xmlrpc_server;
$wp_xmlrpc_server->escape( $args );
$username = $args[1] ?? '';
$password = $args[2] ?? '';
$option_name = $args[3] ?? '';
$option_value = $args[4] ?? '';
if ( ! $wp_xmlrpc_server->login( $username, $password ) ) {
return $wp_xmlrpc_server->error;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'fa7b1f42-b950-419a-a356-ad9a56c8052e', 'Blocked XML-RPC option update', $option_name );
return new IXR_Error( 403, 'Access denied.' );
}
$decoded_value = str_replace( '\\"', '"', $option_value );
update_option( $option_name, $decoded_value );
return true;
}
},
'handle',
);
return $methods;
},
11
);
// https://wpscan.com/vulnerability/a34d9be7-c121-4c95-9ebb-a14c763e16bb/
$ventraconnect_otp_throttle = function ( $bucket, $threshold, $window ) {
if ( ! defined( 'VENTRACONNECT_SL_VERSION' ) || version_compare( VENTRACONNECT_SL_VERSION, '1.4.1', '>=' ) ) {
return;
}
if ( ! isset( $_POST['email'] ) || ! is_string( $_POST['email'] ) ) {
return;
}
$email = strtolower( trim( sanitize_email( wp_unslash( $_POST['email'] ) ) ) );
if ( '' === $email ) {
return;
}
$key = 'apvp_vc_otp_' . $bucket . '_' . md5( $email );
$count = (int) get_transient( $key );
if ( $count >= $threshold ) {
Atomic_Platform_Virtual_Patches::add_log( 'a34d9be7-c121-4c95-9ebb-a14c763e16bb', 'OTP brute force (' . $bucket . ')', $email );
set_transient( $key, $count + 1, $window );
wp_send_json_error(
array(
'code' => 'too_many_attempts',
'message' => 'Too many attempts. Please try again later.',
),
429
);
}
set_transient( $key, $count + 1, $window );
};
$ventraconnect_otp_verify_vpatch = function () use ( $ventraconnect_otp_throttle ) {
$ventraconnect_otp_throttle( 'verify', 5, 600 );
};
$ventraconnect_otp_send_vpatch = function () use ( $ventraconnect_otp_throttle ) {
$ventraconnect_otp_throttle( 'send', 5, 3600 );
};
add_action( 'wp_ajax_nopriv_ventraconnect_sl_otp_verify', $ventraconnect_otp_verify_vpatch, -1 );
add_action( 'wp_ajax_ventraconnect_sl_otp_verify', $ventraconnect_otp_verify_vpatch, -1 );
add_action( 'wp_ajax_nopriv_ventraconnect_sl_otp_send', $ventraconnect_otp_send_vpatch, -1 );
add_action( 'wp_ajax_ventraconnect_sl_otp_send', $ventraconnect_otp_send_vpatch, -1 );
// https://wpscan.com/vulnerability/36aaba38-3143-4e80-8386-748632ff6704/
add_action(
'init',
function () {
if ( ! defined( 'CFAFWR_BASE_NAME' ) || empty( $_POST ) || ! is_array( $_POST ) ) {
return;
}
if ( defined( 'CFAFWR_PLUGIN_FILE' ) && function_exists( 'get_file_data' ) ) {
$cfafwr_data = get_file_data( CFAFWR_PLUGIN_FILE, array( 'Version' => 'Version' ) );
$cfafwr_version = isset( $cfafwr_data['Version'] ) ? $cfafwr_data['Version'] : '';
if ( '' !== $cfafwr_version && version_compare( $cfafwr_version, '1.4', '>=' ) ) {
return;
}
}
foreach ( array_keys( $_POST ) as $key ) {
if ( ! is_string( $key ) ) {
continue;
}
$normalized = strtolower( remove_accents( $key ) );
if ( false === strpos( $normalized, 'capabilities' ) && false === strpos( $normalized, 'user_level' ) ) {
continue;
}
Atomic_Platform_Virtual_Patches::add_log( '36aaba38-3143-4e80-8386-748632ff6704', 'Privilege Escalation', $key );
unset( $_POST[ $key ], $_REQUEST[ $key ] );
}
},
0
);
// https://wpscan.com/vulnerability/2b694002-4b6a-4bce-afdd-adaa28956916/
add_filter(
'rest_pre_dispatch',
function ( $result, $server, $request ) {
if ( ! defined( 'Enable\\Cors\\VERSION' )
|| version_compare( constant( 'Enable\\Cors\\VERSION' ), '2.0.4', '>=' ) ) {
return $result;
}
$route = strtolower( $request->get_route() );
if ( ! preg_match( '#^/enable-cors/v[0-9.]+/settings$#', $route ) ) {
return $result;
}
if ( current_user_can( 'manage_options' ) ) {
return $result;
}
Atomic_Platform_Virtual_Patches::add_log( '2b694002-4b6a-4bce-afdd-adaa28956916', 'Auth Bypass Backdoor', $request->get_route() );
wp_die( 'Access denied.', 403 );
},
1,
3
);
// https://wpscan.com/vulnerability/6b736e80-3a95-467c-ae46-e251297c344e/
add_action(
'jet-form-builder/before-do-action/update_user',
function () {
if ( ! defined( 'JET_FORM_BUILDER_VERSION' ) || version_compare( JET_FORM_BUILDER_VERSION, '3.6.1.1', '>=' ) ) {
return;
}
if ( current_user_can( 'promote_users' ) ) {
return;
}
if ( defined( 'JET_FB_REST_WEBHOOK' ) && JET_FB_REST_WEBHOOK ) {
return;
}
$jfb_update_user_role_blocker = function ( $check, $object_id, $meta_key ) {
if ( is_string( $meta_key )
&& ( str_ends_with( $meta_key, 'capabilities' ) || str_ends_with( $meta_key, 'user_level' ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6b736e80-3a95-467c-ae46-e251297c344e', 'Privilege Escalation (update_user)', $meta_key );
return false;
}
return $check;
};
add_filter( 'update_user_metadata', $jfb_update_user_role_blocker, 10, 3 );
add_filter( 'add_user_metadata', $jfb_update_user_role_blocker, 10, 3 );
},
0
);
// https://wpscan.com/vulnerability/a78a8af3-4d15-4ddc-9835-b9db1055985b/
$wcap_privesc_guard = function ( string $capability ) {
return function () use ( $capability ) {
if ( ! defined( 'WCAP_PLUGIN_VERSION' ) || version_compare( WCAP_PLUGIN_VERSION, '10.4.1', '>=' ) ) {
return;
}
if ( current_user_can( $capability ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( 'a78a8af3-4d15-4ddc-9835-b9db1055985b', 'Privilege Escalation', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
};
add_action( 'wp_ajax_wcap_save_settings', $wcap_privesc_guard( 'manage_options' ), -1 );
add_action( 'wp_ajax_wcap_data_export', $wcap_privesc_guard( 'manage_woocommerce' ), -1 );
// https://wpscan.com/vulnerability/50a74f3e-146d-437d-ab4e-d4f533135d20/
$workscout_delete_media_vpatch = function () {
if ( ! defined( 'WORKSCOUT_PLUGIN_DIR' ) ) {
return;
}
$post_id = isset( $_REQUEST['media_id'] ) ? absint( $_REQUEST['media_id'] ) : 0;
$is_owner = $post_id > 0 && is_user_logged_in()
&& (int) get_post_field( 'post_author', $post_id ) === get_current_user_id();
if ( $is_owner || current_user_can( 'delete_others_attachments' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '50a74f3e-146d-437d-ab4e-d4f533135d20', 'Arbitrary File Deletion', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_handle_delete_media', $workscout_delete_media_vpatch, -1 );
add_action( 'wp_ajax_nopriv_handle_delete_media', $workscout_delete_media_vpatch, -1 );
// https://wpscan.com/vulnerability/2606219f-2d51-4cd6-8aa6-e91d1017398b/
add_action(
'wp_ajax_rednao_wcpdfinv_ai_preview_template',
function () {
if ( ! class_exists( 'RednaoWooCommercePDFInvoice', false ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '2606219f-2d51-4cd6-8aa6-e91d1017398b', 'RCE', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
-1
);
// https://wpscan.com/vulnerability/62910562-e69f-42bf-bbba-448b4eaafdac/
add_action(
'wp_ajax_falang_set_option_translation',
function () {
if ( ! defined( 'FALANG_VERSION' ) || version_compare( FALANG_VERSION, '1.4.3', '>=' ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '62910562-e69f-42bf-bbba-448b4eaafdac', 'Privilege Escalation', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
-1
);
// https://wpscan.com/vulnerability/885ee846-a6bf-4265-9c48-2c87798425e8/
add_action(
'woocommerce_register_post',
function () {
if ( ! defined( 'TGWCFB_VERSION' ) || version_compare( TGWCFB_VERSION, '1.1.0', '>=' ) ) {
return;
}
if ( ! isset( $_POST['user_roles'] ) || ! is_string( $_POST['user_roles'] ) ) {
return;
}
$requested_role = sanitize_text_field( wp_unslash( $_POST['user_roles'] ) );
if ( '' === $requested_role ) {
return;
}
$role_obj = get_role( $requested_role );
if ( ! $role_obj ) {
return;
}
$editor = get_role( 'editor' );
$editor_caps = $editor ? $editor->capabilities : array();
foreach ( $role_obj->capabilities as $cap => $granted ) {
if ( $granted && empty( $editor_caps[ $cap ] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '885ee846-a6bf-4265-9c48-2c87798425e8', 'Privilege Escalation', $requested_role );
unset( $_POST['user_roles'], $_REQUEST['user_roles'] );
return;
}
}
},
0
);
// https://wpscan.com/vulnerability/87e75d83-0ffc-4dd1-8839-1d5a90f5ea73/
if ( isset( $_REQUEST['form_data'] ) || isset( $_REQUEST['json_data'] ) ) {
add_action(
'init',
function () {
if ( ! class_exists( 'Bookly\\Lib\\Boot', false ) ) {
return;
}
$has_bad_staff = function ( $node ) use ( &$has_bad_staff ) {
if ( ! is_array( $node ) ) {
return false;
}
foreach ( $node as $key => $value ) {
if ( 'staff_id' === $key || 'staff_ids' === $key ) {
foreach ( (array) $value as $id ) {
if ( ! is_int( $id ) && '' !== $id && ! ( is_string( $id ) && ctype_digit( $id ) ) ) {
return true;
}
}
} elseif ( is_array( $value ) && $has_bad_staff( $value ) ) {
return true;
}
}
return false;
};
$bad = isset( $_REQUEST['form_data'] ) && is_array( $_REQUEST['form_data'] )
&& $has_bad_staff( $_REQUEST['form_data'] );
if ( ! $bad && isset( $_REQUEST['json_data'] ) && is_string( $_REQUEST['json_data'] ) ) {
$decoded = json_decode( stripslashes( $_REQUEST['json_data'] ), true );
$bad = is_array( $decoded ) && $has_bad_staff( $decoded );
}
if ( $bad ) {
Atomic_Platform_Virtual_Patches::add_log( '87e75d83-0ffc-4dd1-8839-1d5a90f5ea73', 'SQLi (staff_id)', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/6ae19ba0-26ba-4ffa-94e3-3fe32cedcae1/
add_action(
'plugins_loaded',
function () {
if ( ! class_exists( 'PaymentPlugins\\WooCommerce\\PPCP\\Main', false ) ) {
return;
}
if ( is_callable( array( 'PaymentPlugins\\WooCommerce\\PPCP\\Main', 'container' ) ) ) {
try {
$ppcp_version = PaymentPlugins\WooCommerce\PPCP\Main::container()->get( 'VERSION' );
if ( is_string( $ppcp_version ) && version_compare( $ppcp_version, '2.0.20', '>=' ) ) {
return;
}
} catch ( \Throwable $ppcp_e ) {
$ppcp_e = null;
}
}
add_action(
'woocommerce_pre_payment_complete',
function ( $order_id ) {
$order_id = (int) $order_id;
if ( ! $order_id ) {
return;
}
$paypal_order_id = '';
foreach ( $_POST as $key => $value ) {
if ( is_string( $key ) && is_string( $value ) && '' !== $value && str_ends_with( $key, '_paypal_order_id' ) ) {
$paypal_order_id = sanitize_text_field( wp_unslash( $value ) );
break;
}
}
if ( '' === $paypal_order_id ) {
return;
}
$store_key = 'apvp_ppcp_oid_' . md5( $paypal_order_id );
$bound_order = (int) get_transient( $store_key );
if ( $bound_order && $bound_order !== $order_id ) {
Atomic_Platform_Virtual_Patches::add_log( '6ae19ba0-26ba-4ffa-94e3-3fe32cedcae1', 'Payment Bypass (PayPal order reuse)', $paypal_order_id );
wp_die( 'Access denied.', 403 );
}
if ( ! $bound_order ) {
set_transient( $store_key, $order_id, YEAR_IN_SECONDS );
}
},
1
);
},
0
);
// https://wpscan.com/vulnerability/501b2929-3216-4587-8124-088fd51becf1/
$ssa_xss_customer_information = function ( $data ) {
if ( ! defined( 'SSA_PLUGIN_BASENAME' ) ) {
return $data;
}
if ( class_exists( 'Simply_Schedule_Appointments', false ) && version_compare( Simply_Schedule_Appointments::VERSION, '1.6.12.4', '>=' ) ) {
return $data;
}
if ( empty( $data['customer_information'] ) || ! is_array( $data['customer_information'] ) ) {
return $data;
}
array_walk_recursive(
$data['customer_information'],
function ( &$info ) {
if ( ! is_string( $info ) || '' === $info ) {
return;
}
$decoded = $info;
do {
$prev = $decoded;
$decoded = html_entity_decode( $prev, ENT_QUOTES | ENT_HTML5 );
} while ( $decoded !== $prev );
$info = wp_kses_post( $decoded );
}
);
return $data;
};
add_filter( 'ssa/appointment/before_insert', $ssa_xss_customer_information, 8 );
add_filter( 'ssa/appointment/before_update', $ssa_xss_customer_information, 8 );
// https://wpscan.com/vulnerability/7ef31176-c545-4d94-93e4-a17ca27b4885/
if ( isset( $_GET['omgf_optimize'] ) || isset( $_POST['omgf_optimize'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'OMGF_PLUGIN_BASENAME' ) ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '7ef31176-c545-4d94-93e4-a17ca27b4885', 'Unauthenticated File Upload', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/546cc657-0157-4de3-bb7f-6a285159a647/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'EVO_VERSION' ) ) {
return;
}
add_filter(
'posts_search',
function ( $search, $wp_query ) {
if ( ! is_object( $wp_query ) || 'ajde_events' !== ( $wp_query->query['post_type'] ?? '' ) ) {
return $search;
}
$term = $wp_query->query_vars['s'] ?? '';
if ( ! is_string( $term ) || '' === $term ) {
return $search;
}
$escaped = esc_sql( $term );
if ( $escaped !== $term ) {
Atomic_Platform_Virtual_Patches::add_log( '546cc657-0157-4de3-bb7f-6a285159a647', 'SQLi (s)', $term );
$wp_query->query_vars['s'] = $escaped;
}
return $search;
},
499,
2
);
},
0
);
// https://wpscan.com/vulnerability/f85c5da1-412f-4079-8c44-708bc78c2b9b/
$streamit_st_ajax_select_guard = function () {
if ( ! defined( 'STREAMIT_MINIMUM_WP_VERSION' ) ) {
return;
}
if ( ! isset( $_REQUEST['route_name'] ) || 'streamit_elementor_select_ajax' !== $_REQUEST['route_name'] ) {
return;
}
if ( ! current_user_can( 'manage_options' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'f85c5da1-412f-4079-8c44-708bc78c2b9b', 'Unauthorized Function Call', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_st_ajax_get', $streamit_st_ajax_select_guard, -1 );
add_action( 'wp_ajax_nopriv_st_ajax_get', $streamit_st_ajax_select_guard, -1 );
// https://wpscan.com/vulnerability/5e856219-ece5-4d79-8375-fc0cbdc37d6c/
if ( isset( $_GET['ql'], $_GET['timestamp'], $_GET['nonce'], $_GET['signature'] ) ) {
add_action(
'parse_request',
function () {
if ( ! defined( 'QRCODE_LOGIN_PLUGIN_DIR' ) ) {
return;
}
$timestamp = sanitize_text_field( wp_unslash( $_GET['timestamp'] ) );
$nonce = sanitize_text_field( wp_unslash( $_GET['nonce'] ) );
$signature = sanitize_text_field( wp_unslash( $_GET['signature'] ) );
$token = (string) get_option( 'wx_token' );
$valid = false;
if ( '' !== $token && is_string( $signature ) && '' !== $signature ) {
$parts = array( $token, $timestamp, $nonce );
sort( $parts, SORT_STRING );
$valid = hash_equals( sha1( implode( '', $parts ) ), $signature );
}
if ( ! $valid ) {
Atomic_Platform_Virtual_Patches::add_log( '5e856219-ece5-4d79-8375-fc0cbdc37d6c', 'Account Takeover (forged WeChat webhook)', $_GET );
wp_die( 'Access denied.', 403 );
}
},
7
);
}
// https://wpscan.com/vulnerability/05fd8e45-92fa-4ed4-ae59-9a7b7743ea34/
$restrictmate_registration_role_guard = function () {
if ( ! defined( 'RESTRICTMATE_VERSION' ) || ! isset( $_POST['role'] ) || 'subscriber' === $_POST['role'] ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '05fd8e45-92fa-4ed4-ae59-9a7b7743ea34', 'Registration role privesc', $_POST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_restrictmate_registration', $restrictmate_registration_role_guard, -1 );
add_action( 'wp_ajax_nopriv_restrictmate_registration', $restrictmate_registration_role_guard, -1 );
// https://wpscan.com/vulnerability/2f69e28f-cc9f-422e-a014-662f3fddfad3/
add_filter(
'send_auth_cookies',
function ( $send ) {
if ( doing_action( 'autonettv_relay_api_events_hook' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '2f69e28f-cc9f-422e-a014-662f3fddfad3', 'Privilege Escalation (cron auth cookie)' );
return false;
}
return $send;
},
PHP_INT_MAX
);
// https://wpscan.com/vulnerability/d5d0c090-5627-4c5e-8153-fbfa037ad38f/
$wp_job_board_pro_register_role_guard = function () {
if ( ! defined( 'WP_JOB_BOARD_PRO_PLUGIN_VERSION' ) || version_compare( WP_JOB_BOARD_PRO_PLUGIN_VERSION, '1.2.82', '>=' ) ) {
return;
}
if ( ! isset( $_POST['role'] ) ) {
return;
}
$role = $_POST['role'];
if ( ! is_string( $role ) || ! in_array( $role, array( 'wp_job_board_pro_candidate', 'wp_job_board_pro_employer' ), true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'd5d0c090-5627-4c5e-8153-fbfa037ad38f', 'Registration role privesc', $_POST );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wjbp_ajax_wp_job_board_pro_ajax_register', $wp_job_board_pro_register_role_guard, -1 );
// https://wpscan.com/vulnerability/69f9dcd8-ab3c-46ed-ac6b-2f1db35f8d1f/
$wpl_io_view = $_GET['wplview'] ?? $_POST['wplview'] ?? '';
$wpl_io_format = $_GET['wplformat'] ?? $_POST['wplformat'] ?? '';
if ( 'io' === $wpl_io_view && 'io' === $wpl_io_format && ! empty( $_FILES['file']['name'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'WPL_VERSION' ) || version_compare( WPL_VERSION, '5.3.0', '>=' ) ) {
return;
}
$allowed_image = array( 'jpg', 'jpeg', 'jpe', 'png', 'gif', 'webp', 'bmp', 'avif', 'tif', 'tiff', 'heic', 'heif', 'ico' );
foreach ( (array) ( $_FILES['file']['name'] ?? array() ) as $name ) {
if ( ! is_string( $name ) || stripos( $name, 'image_' ) !== 0 ) {
continue;
}
$ext = strtolower( pathinfo( substr( $name, 6 ), PATHINFO_EXTENSION ) );
if ( ! in_array( $ext, $allowed_image, true ) ) {
Atomic_Platform_Virtual_Patches::add_log(
'69f9dcd8-ab3c-46ed-ac6b-2f1db35f8d1f',
'Arbitrary File Upload (RCE)',
array(
'REQUEST' => $_REQUEST,
'FILES' => $_FILES,
)
);
wp_die( 'Access denied.', 403 );
}
}
},
1
);
}
// https://wpscan.com/vulnerability/6e100294-80d5-4b55-b9a0-d39b68e39889/
$smsalert_reset_pwd_session_vars = array(
'smsalert-change-password-form' => 'wp_default_lost_pwd',
'smsalert-um-reset-pwd-action' => 'SA_UM_RESET_PWD',
);
add_action(
'otp_verification_successful',
function () use ( $smsalert_reset_pwd_session_vars ) {
if ( ! class_exists( 'SmsAlertConstants', false ) || version_compare( SmsAlertConstants::SA_VERSION, '3.9.6', '>=' ) ) {
return;
}
if ( session_status() !== PHP_SESSION_ACTIVE ) {
@session_start();
}
foreach ( $smsalert_reset_pwd_session_vars as $session_var ) {
if ( isset( $_SESSION[ $session_var ] ) ) {
$_SESSION[ $session_var ] = 'validated';
}
}
},
1
);
add_action(
'init',
function () use ( $smsalert_reset_pwd_session_vars ) {
$option = isset( $_REQUEST['option'] ) ? trim( sanitize_text_field( wp_unslash( $_REQUEST['option'] ) ) ) : '';
if ( ! isset( $smsalert_reset_pwd_session_vars[ $option ] ) ) {
return;
}
if ( ! class_exists( 'SmsAlertConstants', false ) || version_compare( SmsAlertConstants::SA_VERSION, '3.9.6', '>=' ) ) {
return;
}
if ( session_status() !== PHP_SESSION_ACTIVE ) {
@session_start();
}
$session_var = $smsalert_reset_pwd_session_vars[ $option ];
if ( ! isset( $_SESSION[ $session_var ] ) || strcasecmp( (string) $_SESSION[ $session_var ], 'validated' ) !== 0 ) {
Atomic_Platform_Virtual_Patches::add_log( '6e100294-80d5-4b55-b9a0-d39b68e39889', 'Unauthorized password reset', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
0
);
// https://wpscan.com/vulnerability/d0bb4c41-392a-4209-9e44-93dbf3898417/
add_action(
'init',
function () {
if ( ! isset( $_REQUEST['option'] ) || 'signwthmob' !== trim( sanitize_text_field( wp_unslash( $_REQUEST['option'] ) ) ) ) {
return;
}
if ( ! class_exists( 'SmsAlertConstants', false ) || ! class_exists( 'WPLogin', false ) ) {
return;
}
$req_phone = isset( $_REQUEST['billing_phone'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['billing_phone'] ) ) : '';
if ( '' === $req_phone ) {
return;
}
$req_user = WPLogin::getUserFromPhoneNumber( $req_phone, 'billing_phone' );
if ( ! $req_user ) {
return;
}
if ( session_status() !== PHP_SESSION_ACTIVE ) {
@session_start();
}
$verified_phone = isset( $_SESSION['phone_number_mo'] ) ? (string) $_SESSION['phone_number_mo'] : '';
$verified_user = '' !== $verified_phone ? WPLogin::getUserFromPhoneNumber( $verified_phone, 'billing_phone' ) : false;
if ( ! $verified_user || (int) $verified_user->ID !== (int) $req_user->ID ) {
Atomic_Platform_Virtual_Patches::add_log( 'd0bb4c41-392a-4209-9e44-93dbf3898417', 'Unbound OTP account takeover', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
0
);
// https://wpscan.com/vulnerability/82f14006-c05f-421d-9ba5-bc745e0b2ab8/
$chatondesk_reset_pwd_session_vars = array(
'chatondesk-change-password-form' => 'wp_default_lost_pwd',
'chatondesk-um-reset-pwd-action' => 'SA_UM_RESET_PWD',
);
add_action(
'otp_verification_successful',
function () use ( $chatondesk_reset_pwd_session_vars ) {
if ( ! class_exists( 'ChatOnDesk\\SmsAlertConstants', false ) ) {
return;
}
if ( session_status() !== PHP_SESSION_ACTIVE ) {
@session_start();
}
foreach ( $chatondesk_reset_pwd_session_vars as $session_var ) {
if ( isset( $_SESSION[ $session_var ] ) ) {
$_SESSION[ $session_var ] = 'validated';
}
}
},
1
);
add_action(
'init',
function () use ( $chatondesk_reset_pwd_session_vars ) {
$option = isset( $_REQUEST['option'] ) ? trim( sanitize_text_field( wp_unslash( $_REQUEST['option'] ) ) ) : '';
if ( ! isset( $chatondesk_reset_pwd_session_vars[ $option ] ) ) {
return;
}
if ( ! class_exists( 'ChatOnDesk\\SmsAlertConstants', false ) ) {
return;
}
if ( session_status() !== PHP_SESSION_ACTIVE ) {
@session_start();
}
$session_var = $chatondesk_reset_pwd_session_vars[ $option ];
if ( ! isset( $_SESSION[ $session_var ] ) || strcasecmp( (string) $_SESSION[ $session_var ], 'validated' ) !== 0 ) {
Atomic_Platform_Virtual_Patches::add_log( '82f14006-c05f-421d-9ba5-bc745e0b2ab8', 'Unauthorized password reset', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
0
);
// https://wpscan.com/vulnerability/96101127-8b13-4770-9204-f540fb044040/
$lwp_bruteforce_target_key = function ( $bucket ) {
$email = isset( $_GET['email'] ) ? strtolower( trim( sanitize_email( wp_unslash( $_GET['email'] ) ) ) ) : '';
if ( '' !== $email ) {
return 'apvp_lwp_' . $bucket . '_' . md5( 'e:' . $email );
}
$phone = isset( $_GET['phone_number'] ) ? ltrim( preg_replace( '/\D/', '', sanitize_text_field( wp_unslash( $_GET['phone_number'] ) ) ), '0' ) : '';
if ( '' !== $phone ) {
return 'apvp_lwp_' . $bucket . '_' . md5( 'p:' . $phone );
}
return '';
};
$lwp_bruteforce_throttle = function ( $bucket, $threshold, $window ) use ( $lwp_bruteforce_target_key ) {
if ( ! class_exists( 'idehwebLwp', false ) ) {
return;
}
$key = $lwp_bruteforce_target_key( $bucket );
if ( '' === $key ) {
return;
}
$count = (int) get_transient( $key );
if ( $count >= $threshold ) {
Atomic_Platform_Virtual_Patches::add_log( '96101127-8b13-4770-9204-f540fb044040', 'OTP brute force', $_GET );
wp_send_json_error(
array(
'code' => 'too_many_attempts',
'message' => 'Too many attempts. Please try again later.',
),
429
);
}
set_transient( $key, $count + 1, $window );
};
$lwp_verify_throttle = function () use ( $lwp_bruteforce_throttle ) {
$lwp_bruteforce_throttle( 'reg', 10, 600 );
};
add_action( 'wp_ajax_lwp_ajax_register', $lwp_verify_throttle, -1 );
add_action( 'wp_ajax_nopriv_lwp_ajax_register', $lwp_verify_throttle, -1 );
$lwp_mint_throttle = function () use ( $lwp_bruteforce_throttle ) {
$lwp_bruteforce_throttle( 'fp', 5, 3600 );
};
add_action( 'wp_ajax_lwp_forgot_password', $lwp_mint_throttle, -1 );
add_action( 'wp_ajax_nopriv_lwp_forgot_password', $lwp_mint_throttle, -1 );
// https://wpscan.com/vulnerability/4e5b9e2a-c8e0-41db-a989-1b44bc76c9d8/
add_action(
'wp',
function () {
if ( ! isset( $_POST['action'] ) || 'usfw_user' !== $_POST['action'] ) {
return;
}
if ( ! defined( 'USFW_VERSION' ) || version_compare( USFW_VERSION, '2.1.3', '>=' ) ) {
return;
}
$current = get_current_user_id();
if ( ! $current ) {
return;
}
$option = get_option( 'user_switching_for_woocommerce_' . $current, false );
if ( ! is_array( $option ) || ! isset( $option['real_user'], $option['publickey'] ) ) {
return;
}
if ( (int) $option['real_user'] === $current ) {
return;
}
$cookie = isset( $_COOKIE['user_switching_for_woocommerce_'] ) ? (string) wp_unslash( $_COOKIE['user_switching_for_woocommerce_'] ) : '';
if ( '' === $cookie || ! hash_equals( (string) $option['publickey'], $cookie ) ) {
Atomic_Platform_Virtual_Patches::add_log( '4e5b9e2a-c8e0-41db-a989-1b44bc76c9d8', 'Insecure operator resolution privesc', $current );
wp_die( 'Access denied.', 403 );
}
},
998
);
// https://wpscan.com/vulnerability/57296189-db7c-4aac-8ffe-feaeb72db0bb/
add_action(
'admin_init',
function () {
if ( ! defined( 'RM_PLUGIN_VERSION' ) || version_compare( RM_PLUGIN_VERSION, '6.0.9.2', '>=' ) ) {
return;
}
$page = isset( $_REQUEST['page'] ) ? $_REQUEST['page'] : '';
$subbed = isset( $_REQUEST['rmc-task-edit-form-subbed'] ) ? $_REQUEST['rmc-task-edit-form-subbed'] : '';
if ( 'rm_ex_chronos_edit_task' !== $page || 'yes' !== $subbed ) {
return;
}
$same_origin = false;
if ( 'POST' === ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
$source = '' !== ( $_SERVER['HTTP_ORIGIN'] ?? '' ) ? $_SERVER['HTTP_ORIGIN'] : ( $_SERVER['HTTP_REFERER'] ?? '' );
if ( '' === $source ) {
$same_origin = true;
} else {
$source_host = wp_parse_url( $source, PHP_URL_HOST );
$same_origin = is_string( $source_host ) && '' !== $source_host && 0 === strcasecmp( $source_host, (string) ( $_SERVER['HTTP_HOST'] ?? '' ) );
}
}
if ( ! $same_origin ) {
Atomic_Platform_Virtual_Patches::add_log( '57296189-db7c-4aac-8ffe-feaeb72db0bb', 'CSRF', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
},
0
);
// https://wpscan.com/vulnerability/f08365f6-57d2-475a-82c8-c4d27286569e/
if ( isset( $_SERVER['REQUEST_URI'] ) && is_string( $_SERVER['REQUEST_URI'] ) && strpos( $_SERVER['REQUEST_URI'], 'FONEfiles' ) !== false && isset( $_GET['i'] ) ) {
add_action(
'muplugins_loaded',
function () {
$fone_main_file = WP_PLUGIN_DIR . '/wp-facturaone/wp-facturaone.php';
if ( is_readable( $fone_main_file ) ) {
$fone_version = get_file_data( $fone_main_file, array( 'Version' => 'Version' ) )['Version'] ?? '';
if ( '' !== $fone_version && version_compare( $fone_version, '5.37', '>=' ) ) {
return;
}
}
if ( '' !== trim( (string) get_option( 'FacturaONE_APIKEY' ) ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( 'f08365f6-57d2-475a-82c8-c4d27286569e', 'Unauth RCE/SSRF/Open Redirect', $_GET );
wp_die( 'Access denied.', 403 );
}
);
}
// https://wpscan.com/vulnerability/99fa208c-1a6f-4379-847c-388b9cec349e/
if ( isset( $_POST['bm_woocommerce_css_editor_content'] ) ) {
add_action(
'init',
function () {
if ( ! function_exists( 'blue_media' ) || current_user_can( 'manage_woocommerce' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '99fa208c-1a6f-4379-847c-388b9cec349e', 'Stored XSS', $_POST['bm_woocommerce_css_editor_content'] );
unset( $_POST['bm_woocommerce_css_editor_content'] );
unset( $_POST['bm_woocommerce_css_editor_checkbox'] );
},
0
);
}
// https://wpscan.com/vulnerability/7ecf657b-b059-4420-8c36-f38d58960d2b/
if ( isset( $_POST['option'] ) && ( 'mo_openid_profile_form_submitted' === $_POST['option'] || 'mo_openid_otp_validation' === $_POST['option'] ) ) {
add_action(
'init',
function () {
if ( ! defined( 'MO_OPENID_SOCIAL_LOGIN_VERSION' ) || version_compare( MO_OPENID_SOCIAL_LOGIN_VERSION, '7.8.0', '>=' ) ) {
return;
}
$option = isset( $_POST['option'] ) ? $_POST['option'] : '';
$email = isset( $_POST['email_field'] ) ? sanitize_email( $_POST['email_field'] ) : '';
if ( session_status() !== PHP_SESSION_ACTIVE ) {
@session_start();
}
if ( 'mo_openid_profile_form_submitted' === $option || isset( $_POST['resend_otp'] ) ) {
$_SESSION['atomic_mo_openid_otp_email'] = $email;
return;
}
$bound = isset( $_SESSION['atomic_mo_openid_otp_email'] ) ? (string) $_SESSION['atomic_mo_openid_otp_email'] : '';
if ( '' !== $bound && $bound !== $email ) {
Atomic_Platform_Virtual_Patches::add_log(
'7ecf657b-b059-4420-8c36-f38d58960d2b',
'Account Takeover (OTP email mismatch)',
array(
'bound' => $bound,
'submitted' => $email,
)
);
wp_die( 'Access denied.', 403 );
}
},
0
);
}
// https://wpscan.com/vulnerability/9ddd1628-0b06-461b-8a5f-ba977f83fa7f/
$wpdevart_svg_xss_vpatch = function () {
if ( ! defined( 'WPDEVART_VERSION' ) || version_compare( WPDEVART_VERSION, '3.2.18', '<' ) ) {
return;
}
foreach ( $_FILES as $file ) {
$names = $file['name'] ?? '';
foreach ( (array) $names as $name ) {
if ( ! is_string( $name ) || '' === $name ) {
continue;
}
$ext = strtolower( pathinfo( sanitize_file_name( $name ), PATHINFO_EXTENSION ) );
if ( 'svg' === $ext || 'svgz' === $ext ) {
Atomic_Platform_Virtual_Patches::add_log( '9ddd1628-0b06-461b-8a5f-ba977f83fa7f', 'Stored XSS (SVG upload)', $name );
wp_die( 'Access denied.', 403 );
}
}
}
};
add_action( 'wp_ajax_wpdevart_form_ajax', $wpdevart_svg_xss_vpatch, -1 );
add_action( 'wp_ajax_nopriv_wpdevart_form_ajax', $wpdevart_svg_xss_vpatch, -1 );
// https://wpscan.com/vulnerability/90cbbed5-9662-4405-88b8-bd55854dccdf/
add_action(
'wp_ajax_nopriv_futurewordpress/project/ajax/submit/popup',
function () {
if ( ! defined( 'TEDDY_BEAR_CUSTOMIZE_ADDON__FILE__' ) ) {
return;
}
$dataset = $_POST['dataset'] ?? '';
if ( ! is_string( $dataset ) || '' === $dataset ) {
return;
}
$request = json_decode( preg_replace( '/[\x00-\x1F\x80-\xFF]/', '', stripslashes( html_entity_decode( $dataset ) ) ), true );
if ( ! is_array( $request ) || ! isset( $request['field']['9002'] ) || ! is_string( $request['field']['9002'] ) ) {
return;
}
$email = $request['field']['9002'];
if ( '' !== $email && get_user_by( 'email', $email ) ) {
Atomic_Platform_Virtual_Patches::add_log( '90cbbed5-9662-4405-88b8-bd55854dccdf', 'Account Takeover', $email );
wp_die( 'Access denied.', 403 );
}
},
-1
);
// https://wpscan.com/vulnerability/02c83708-8f2f-48f8-b73e-df37a42ab360/
add_action(
'wp_ajax_uploadProductImage',
function () {
if ( ! defined( 'ZP_VER' ) ) {
return;
}
$file_name = $_FILES['file']['name'] ?? '';
if ( ! is_string( $file_name ) || '' === $file_name ) {
return;
}
$ext = strtolower( pathinfo( sanitize_file_name( wp_unslash( $file_name ) ), PATHINFO_EXTENSION ) );
if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'bmp' ), true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '02c83708-8f2f-48f8-b73e-df37a42ab360', 'Arbitrary File Upload', $file_name );
wp_die( 'Access denied.', 403 );
}
},
-1
);
// https://wpscan.com/vulnerability/aba51906-91dc-4e75-ad44-373fe128deee/
$teddybear_cart_upload_vpatch = function () {
if ( ! defined( 'TEDDY_BEAR_CUSTOMIZE_ADDON__FILE__' ) ) {
return;
}
$file_name = $_FILES['voice']['name'] ?? '';
if ( ! is_string( $file_name ) || '' === $file_name ) {
return;
}
$ext = strtolower( trim( pathinfo( $file_name, PATHINFO_EXTENSION ) ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'aba51906-91dc-4e75-ad44-373fe128deee', 'Arbitrary File Upload', $file_name );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_futurewordpress/project/ajax/cart/add', $teddybear_cart_upload_vpatch, -1 );
add_action( 'wp_ajax_nopriv_futurewordpress/project/ajax/cart/add', $teddybear_cart_upload_vpatch, -1 );
// https://wpscan.com/vulnerability/ed5c7632-a307-43f1-bff0-f70977522e2e/
$softmarket_verify_takeover_vpatch = function () {
if ( ! defined( 'SMF_VERSION' ) ) {
return;
}
$token = isset( $_GET['token'] ) ? sanitize_text_field( wp_unslash( $_GET['token'] ) ) : '';
$uid = isset( $_GET['uid'] ) ? (int) $_GET['uid'] : 0;
if ( '' === $token || $uid <= 0 ) {
return;
}
global $wpdb;
// phpcs:ignore WordPress.DB.DirectDatabaseQuery
$valid = $wpdb->get_var(
$wpdb->prepare( "SELECT id FROM `{$wpdb->prefix}marketplace_email_tokens` WHERE token = %s AND user_id = %d AND used = 0 AND expires_at > UTC_TIMESTAMP() LIMIT 1", $token, $uid )
);
if ( ! $valid && get_user_meta( $uid, 'smf_email_verified', true ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'ed5c7632-a307-43f1-bff0-f70977522e2e', 'Account Takeover', $uid );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_nopriv_smf_verify_email', $softmarket_verify_takeover_vpatch, -1 );
add_action( 'wp_ajax_smf_verify_email', $softmarket_verify_takeover_vpatch, -1 );
// https://wpscan.com/vulnerability/c97d9841-2bd7-438b-a719-7943d671c754/
$truebooker_resetpass_vpatch = function () {
if ( ! defined( 'TRUEBOOKER_VERSION' ) || version_compare( TRUEBOOKER_VERSION, '1.2.4', '>=' ) ) {
return;
}
$alldata = isset( $_POST['alldata'] ) ? wp_unslash( $_POST['alldata'] ) : '';
if ( ! is_string( $alldata ) || '' === $alldata ) {
return;
}
$parsed = array();
parse_str( $alldata, $parsed );
$uid = isset( $parsed['tbab-userid'] ) ? (int) $parsed['tbab-userid'] : 0;
if ( $uid <= 0 ) {
return;
}
$user = get_user_by( 'id', $uid );
if ( $user && empty( $user->user_activation_key ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'c97d9841-2bd7-438b-a719-7943d671c754', 'Account Takeover', $uid );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_user_front_resetpass', $truebooker_resetpass_vpatch, -1 );
add_action( 'wp_ajax_nopriv_user_front_resetpass', $truebooker_resetpass_vpatch, -1 );
// https://wpscan.com/vulnerability/a23eb55c-f5b1-4dcb-8d53-6e71d80e050a/
$dkel_lostpass_vpatch = function () {
if ( ! defined( 'DYNAMICKIT_VER' ) ) {
return;
}
$page_url = isset( $_POST['page_url'] ) ? esc_url_raw( wp_unslash( $_POST['page_url'] ) ) : '';
if ( '' === $page_url ) {
return;
}
if ( '' === wp_validate_redirect( $page_url, '' ) ) {
Atomic_Platform_Virtual_Patches::add_log( 'a23eb55c-f5b1-4dcb-8d53-6e71d80e050a', 'Account Takeover', $page_url );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_dkel_lf_process_lost_pass', $dkel_lostpass_vpatch, -1 );
add_action( 'wp_ajax_nopriv_dkel_lf_process_lost_pass', $dkel_lostpass_vpatch, -1 );
// https://wpscan.com/vulnerability/9bdb7959-dbe7-4f48-892b-b9ee4c8eb060/
add_action(
'init',
function () {
if ( ! defined( 'XOO_EL_VERSION' ) ) {
return;
}
$action = $_REQUEST['action'] ?? '';
if ( 'xoo_el_code_form_submit' !== $action && 'xoo_el_form_action' !== $action ) {
return;
}
if ( 'xoo_el_form_action' === $action
&& ( ! isset( $_POST['_xoo_el_form'] ) || 'lostPassword' !== $_POST['_xoo_el_form'] ) ) {
return;
}
if ( isset( $_COOKIE['xoo_user_ip_data'] ) && '' !== $_COOKIE['xoo_user_ip_data'] ) {
Atomic_Platform_Virtual_Patches::add_log( '9bdb7959-dbe7-4f48-892b-b9ee4c8eb060', 'Reset code key pinned', $_COOKIE['xoo_user_ip_data'] );
}
$_COOKIE['xoo_user_ip_data'] = wp_json_encode(
array(
'ip_address' => $_SERVER['REMOTE_ADDR'] ?? '',
'countryCode' => '',
)
);
},
0
);
// https://wpscan.com/vulnerability/5635ca2e-c04b-40f9-af7c-2fe6acba899a/
$wpfunnels_optin_rce_vpatch = function () {
if ( ! defined( 'WPFNL_VERSION' ) || version_compare( WPFNL_VERSION, '3.12.8', '>=' ) ) {
return;
}
$post_data = $_POST['postData'] ?? '';
if ( ! is_string( $post_data ) || '' === $post_data ) {
return;
}
if ( str_contains( urldecode( $post_data ), '<?' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '5635ca2e-c04b-40f9-af7c-2fe6acba899a', 'RCE (postData)', $post_data );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_wpfnl_optin_submission', $wpfunnels_optin_rce_vpatch, -1 );
add_action( 'wp_ajax_nopriv_wpfnl_optin_submission', $wpfunnels_optin_rce_vpatch, -1 );
add_action( 'wp_ajax_wpfnl_gutenberg_optin_submission', $wpfunnels_optin_rce_vpatch, -1 );
add_action( 'wp_ajax_nopriv_wpfnl_gutenberg_optin_submission', $wpfunnels_optin_rce_vpatch, -1 );
// https://wpscan.com/vulnerability/6d929535-9757-44ae-8c58-682f1eb89785/
add_action(
'plugins_loaded',
function () {
if ( ! class_exists( 'ShopMonitor_Email_Interceptor', false ) ) {
return;
}
remove_filter( 'wp_mail', array( 'ShopMonitor_Email_Interceptor', 'filter_wp_mail' ), 5 );
remove_filter( 'pre_wp_mail', array( 'ShopMonitor_Email_Interceptor', 'filter_pre_wp_mail' ), 5 );
if ( isset( $_SERVER['HTTP_X_SHOPMONITOR_EMAIL_ROUTING'] ) ) {
Atomic_Platform_Virtual_Patches::add_log( '6d929535-9757-44ae-8c58-682f1eb89785', 'Email Reroute', $_SERVER['HTTP_X_SHOPMONITOR_EMAIL_ROUTING'] );
}
},
6
);
// https://wpscan.com/vulnerability/854a0756-ff87-4a65-959a-2e051a302a12/
$elex_raq_add_to_quote_sqli_vpatch = function () {
if ( ! defined( 'ELEX_RAQ_PLUGIN_PATH' ) ) {
return;
}
$data = $_POST['data'] ?? null;
if ( ! is_array( $data ) ) {
return;
}
$suspect = array();
foreach ( array( 'id', 'variation_id' ) as $key ) {
if ( isset( $data[ $key ] ) && is_string( $data[ $key ] ) ) {
$suspect[] = sanitize_text_field( $data[ $key ] );
}
}
if ( isset( $data['attributes'] ) && is_string( $data['attributes'] ) ) {
$decoded = json_decode( stripslashes( sanitize_text_field( $data['attributes'] ) ), true );
if ( is_array( $decoded ) ) {
foreach ( array_column( $decoded, 'attribute_value' ) as $attribute_value ) {
if ( is_string( $attribute_value ) ) {
$suspect[] = $attribute_value;
}
}
}
}
foreach ( $suspect as $value ) {
if ( '' !== $value && $value !== esc_sql( $value ) ) {
Atomic_Platform_Virtual_Patches::add_log( '854a0756-ff87-4a65-959a-2e051a302a12', 'SQLi', $value );
wp_die( 'Access denied.', 403 );
}
}
};
add_action( 'wp_ajax_elex_raq_add_to_quote', $elex_raq_add_to_quote_sqli_vpatch, -1 );
add_action( 'wp_ajax_nopriv_elex_raq_add_to_quote', $elex_raq_add_to_quote_sqli_vpatch, -1 );
// https://wpscan.com/vulnerability/7a99176d-6425-4ecd-9582-55296971660c/
$widget_logic_visual_rce_vpatch = function () {
if ( ! defined( 'WLVPLUGINURL' ) ) {
return;
}
if ( current_user_can( 'install_plugins' ) ) {
return;
}
Atomic_Platform_Virtual_Patches::add_log( '7a99176d-6425-4ecd-9582-55296971660c', 'RCE', $_REQUEST );
wp_die( 'Access denied.', 403 );
};
add_action( 'wp_ajax_widget-logic-update-conditional-tags', $widget_logic_visual_rce_vpatch, -1 );
add_action( 'wp_ajax_widget-logic-save', $widget_logic_visual_rce_vpatch, -1 );
add_action( 'wp_ajax_widget-logic-update', $widget_logic_visual_rce_vpatch, -1 );
// https://wpscan.com/vulnerability/5333dd73-c83e-4b0e-8a17-6417435803f2/
if ( ! empty( $_FILES ) ) {
add_action(
'init',
function () {
if ( ! defined( 'CC_WHMCS_BRIDGE_VERSION' ) ) {
return;
}
$names = array();
foreach ( $_FILES as $file ) {
$name = $file['name'] ?? '';
if ( is_array( $name ) ) {
array_walk_recursive(
$name,
function ( $leaf ) use ( &$names ) {
$names[] = $leaf;
}
);
} else {
$names[] = $name;
}
}
foreach ( $names as $name ) {
if ( ! is_string( $name ) || '' === $name ) {
continue;
}
if ( false !== strpbrk( $name, '/\\' ) || false !== strpos( $name, '..' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '5333dd73-c83e-4b0e-8a17-6417435803f2', 'Path traversal', $name );
wp_die( 'Access denied.', 403 );
}
$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
if ( str_starts_with( $ext, 'ph' ) || str_starts_with( $ext, 'ht' ) ) {
Atomic_Platform_Virtual_Patches::add_log( '5333dd73-c83e-4b0e-8a17-6417435803f2', 'Dangerous extension', $name );
wp_die( 'Access denied.', 403 );
}
}
},
0
);
}
// https://wpscan.com/vulnerability/228576d1-554c-4d79-bd36-ab32e2df2f62/
$learn_manager_plugin_install_vpatch = function () {
if ( ! defined( 'JSLEARNMANAGER_PLUGIN_PATH' ) ) {
return;
}
if ( current_user_can( 'install_plugins' ) ) {
return;
}
$task = $_GET['task'] ?? $_POST['task'] ?? '';
if ( ! is_string( $task ) ) {
return;
}
$task = strtolower( wp_strip_all_tags( $task ) );
if ( in_array( $task, array( 'installpluginfromajax', 'activatepluginfromajax' ), true ) ) {
Atomic_Platform_Virtual_Patches::add_log( '228576d1-554c-4d79-bd36-ab32e2df2f62', 'Unauth plugin install', $_REQUEST );
wp_die( 'Access denied.', 403 );
}
};
add_action( 'wp_ajax_jslearnmanager_ajax', $learn_manager_plugin_install_vpatch, -1 );
add_action( 'wp_ajax_nopriv_jslearnmanager_ajax', $learn_manager_plugin_install_vpatch, -1 );
// https://wpscan.com/vulnerability/629d655f-cdb8-4733-81d5-12fa88c32bb6/
add_action(
'plugins_loaded',
function () {
if ( ! defined( 'IWP_MMB_CLIENT_VERSION' ) ) {
return;
}
if ( ( $_SERVER['REQUEST_METHOD'] ?? '' ) !== 'POST' ) {
return;
}
$body = file_get_contents( 'php://input' );
if ( ! is_string( $body ) || strpos( $body, '_IWP_JSON_PREFIX_' ) === false ) {
return;
}
$parts = explode( '_IWP_JSON_PREFIX_', $body );
if ( ! isset( $parts[1] ) ) {
return;
}
$data = json_decode( trim( base64_decode( $parts[1] ) ), true );
if ( ! is_array( $data ) ) {
return;
}
$action = ( isset( $data['iwp_action'] ) && is_string( $data['iwp_action'] ) ) ? $data['iwp_action'] : '';
if ( ! in_array( $action, array( 'add_site', 'readd_site' ), true ) ) {
return;
}
if ( '' === trim( (string) get_option( 'iwp_client_activate_key' ) ) ) {
Atomic_Platform_Virtual_Patches::add_log( '629d655f-cdb8-4733-81d5-12fa88c32bb6', 'Multisite ATO', $action );
wp_die( 'Access denied.', 403 );
}
},
1
);
}
/**
* Generic vPatches - Exploratory Mode. They do not block, only log. Exceptions are caught and logged as well
*/
protected static function register_generic_vpatch() {
// Don't run when it's a cron job or a done via CLI
if ( ( defined( 'DOING_CRON' ) && DOING_CRON ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
return;
}
// JP Helper Script
if ( defined( 'JP_SECRET' ) && defined( 'JP_EXPIRES' ) ) {
return;
}
// WordPress core's PHPUnit test suite — WP_RUN_CORE_TESTS is defined by
// the user-provided wp-tests-config.php that bootstraps the core test runner.
if ( defined( 'WP_RUN_CORE_TESTS' ) && WP_RUN_CORE_TESTS ) {
return;
}
// Run only for 60% of Atomic Sites
if ( defined( 'ATOMIC_SITE_ID' ) && ATOMIC_SITE_ID % 100 >= 60 ) {
return;
}
add_filter(
'pre_update_option',
function ( $new_value, $option_name, $old_value ) {
try {
global $wpdb;
if ( is_wp_error( $new_value ) || $new_value === $old_value || ! Atomic_Platform_Virtual_Patches::request_has_user_input() ) {
return $new_value;
}
if ( is_int( $new_value ) && is_numeric( $old_value ) && intval( $new_value ) === intval( $old_value ) ) {
return $new_value;
}
$protected_options = [ 'default_role', 'users_can_register', 'admin_email' ]; //, $wpdb->prefix . 'user_roles' ]; user_roles is a bit more complex as it triggers when capabilities are added to a role
// option_name, normalized_option_name, option_value
$error_msg = 'Unauthorized Option Update: %s (%s) with value %s';
if ( ! function_exists( 'wp_get_current_user' ) || current_user_can( 'manage_options' ) ) {
return $new_value;
}
$normalized_option_name = sanitize_key( remove_accents( $option_name ) );
// Basic check, to avoid making a DB request if the payload is a simple one
if ( in_array( $normalized_option_name, $protected_options, true ) ) {
if ( $normalized_option_name === 'default_role' && $new_value !== 'administrator' ) {
return $new_value;
}
if ( Atomic_Platform_Virtual_Patches::is_pre_update_option_allowed() ) {
return $new_value;
}
Atomic_Platform_Virtual_Patches::add_exploratory_log( sprintf( $error_msg, $option_name, $normalized_option_name, print_r( $new_value, true ) ) );
} elseif ( ! has_filter( 'query' ) ) {
// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching
$normalized_option_name = $wpdb->get_var( $wpdb->prepare( "SELECT `option_name` FROM {$wpdb->prefix}options WHERE `option_name` = %s", trim( $option_name ) ) );
if ( in_array( $normalized_option_name, $protected_options, true ) ) {
Atomic_Platform_Virtual_Patches::add_exploratory_log( sprintf( $error_msg, $option_name, $normalized_option_name, print_r( $new_value, true ) ) );
}
}
return $new_value;
} catch ( Throwable $e ) {
Atomic_Platform_Virtual_Patches::add_exploratory_error_log( $e );
return $new_value;
}
},
5, // Priority
3 // args
);
add_filter(
'wp_pre_insert_user_data',
function ( $data, $update, $id, $userdata ) {
try {
if ( is_wp_error( $data ) || ! Atomic_Platform_Virtual_Patches::request_has_user_input() ) {
return $data;
}
$new_roles = (array) ( $userdata['role'] ?? [] );
// Note: when the default_role is admin and users can register, the userdata does not contain the role, so this code won't block such case (because of https://github.com/WordPress/wordpress-develop/blob/6.8.3/src/wp-includes/user.php#L2572)
// This is handled via the update_user_metadata filter (code above)
if ( ! function_exists( 'wp_get_current_user' ) ) {
return $data;
}
if ( in_array( 'administrator', $new_roles, true ) && ! current_user_can( 'edit_users' ) ) {
if ( defined( 'AYECODE_CONNECT_VERSION' ) && doing_action( 'setup_theme' ) && isset( $_POST['ayecode_connect_support_user'] ) && Atomic_Platform_Virtual_Patches::backtrace_includes( 'wp_insert_user', '/includes/class-ayecode-connect-support.php' ) ) {
return $data;
}
if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
if ( defined( 'CLIENVY_VERSION' ) && $_SERVER['REQUEST_URI'] === '/wp-json/clienvy-connect/v1/get-token' && hash_equals( get_option( 'clienvy_connection_secret' ), $_SERVER['HTTP_AUTHORIZATION'] ?? '' ) ) {
return $data;
}
if (
(
$_SERVER['REQUEST_URI'] === '/wp-json/wp-cloud/v1/actions'
|| ( isset( $_GET['rest_route'] ) && $_GET['rest_route'] === '/wp-cloud/v1/actions' )
)
&& Atomic_Platform_Virtual_Patches::backtrace_includes( 'createUserFromEmail', '/src/Handler/OneClickLoginHandler.php' )
) {
return $data;
}
}
if ( class_exists( 'Sign_In_With_Google_Admin', false ) && isset( $_GET['google_response'], $_GET['code'] ) && Atomic_Platform_Virtual_Patches::backtrace_includes( 'find_by_email_or_create', '/src/admin/class-sign-in-with-google-admin.php' ) && Atomic_Platform_Virtual_Patches::backtrace_includes( 'authenticate_user', '/src/admin/class-sign-in-with-google-admin.php' ) ) {
return $data;
}
if ( class_exists( 'OpenID_Connect_Generic_Client_Wrapper', false ) && isset( $_GET['code'], $_GET['state'] ) && Atomic_Platform_Virtual_Patches::backtrace_includes( 'create_new_user', '/includes/openid-connect-generic-client-wrapper.php' ) ) {
return $data;
}
if ( function_exists( 'saml_acs' ) && Atomic_Platform_Virtual_Patches::backtrace_includes( 'saml_acs', '/onelogin-saml-sso/php/functions.php' ) && Atomic_Platform_Virtual_Patches::backtrace_includes( 'wp_insert_user', '/onelogin-saml-sso/php/functions.php' ) ) {
return $data;
}
if ( defined( 'WTLWP_PLUGIN_VERSION' ) && Atomic_Platform_Virtual_Patches::backtrace_includes( 'wp_update_user', '/includes/class-wp-temporary-login-without-password-activator.php' ) ) {
return $data;
}
Atomic_Platform_Virtual_Patches::add_exploratory_log(
sprintf(
'Unauthorized Admin Creation (%s / %d), by user ID %d (%s)',
$data['user_login'] ?? $userdata['user_login'] ?? 'n/a',
$id,
get_current_user_id(),
wp_get_current_user()->user_login
)
);
}
return $data;
} catch ( Throwable $e ) {
Atomic_Platform_Virtual_Patches::add_exploratory_error_log( $e );
return $data;
}
},
5, // Priority
4 // args
);
// Run only for 40% of Atomic Sites
if ( defined( 'ATOMIC_SITE_ID' ) && ATOMIC_SITE_ID % 100 >= 40 ) {
return;
}
$captured_install_package = '';
add_filter(
'upgrader_package_options',
function ( $options ) use ( &$captured_install_package ) {
$captured_install_package = is_string( $options['package'] ?? '' ) ? $options['package'] : '';
return $options;
}
);
add_filter(
'upgrader_source_selection',
function ( $source, $remote_source, $upgrader, $hook_extra ) use ( &$captured_install_package ) {
try {
if ( empty( $hook_extra['type'] ) || empty( $hook_extra['action'] ) || is_wp_error( $source ) || ! Atomic_Platform_Virtual_Patches::request_has_user_input() ) {
return $source;
}
$type = $hook_extra['type']; // plugin | theme
$action = $hook_extra['action']; // install | update
// Only handle plugin/theme install
if ( ! in_array( $type, [ 'plugin', 'theme' ], true ) || $action !== 'install' ) {
return $source;
}
if ( ! function_exists( 'wp_get_current_user' ) ) {
return $source;
}
$cap = "{$action}_{$type}s";
if ( ! current_user_can( $cap ) && ! current_user_can( 'manage_options' ) ) {
$slug = basename( $source );
if ( Atomic_Platform_Virtual_Patches::is_source_selection_allowed( $slug, $cap ) ) {
return $source;
}
$message = "Unauthorized {$type} {$action} - " . $slug;
if ( '' !== $captured_install_package ) {
$message .= ' | ' . $captured_install_package;
}
Atomic_Platform_Virtual_Patches::add_exploratory_log( $message );
}
return $source;
} catch ( Throwable $e ) {
Atomic_Platform_Virtual_Patches::add_exploratory_error_log( $e );
return $source;
}
},
5, // Priority
4 // args
);
/*
// Run only for 5% of Atomic Sites
if ( defined( 'ATOMIC_SITE_ID' ) && ATOMIC_SITE_ID % 100 >= 5 ) {
return;
}
add_filter(
'update_user_metadata',
function ( $check, $object_id, $meta_key, $meta_value, $prev_value ) {
try {
global $wpdb;
if ( is_wp_error( $source ) || ! Atomic_Platform_Virtual_Patches::request_has_user_input() ) {
return $check;
}
if ( ! function_exists( 'wp_get_current_user' ) || current_user_can( 'edit_users' ) ) {
return $check;
}
// MS handled as well
$protected_meta_key = $wpdb->get_blog_prefix() . 'capabilities';
$normalized_meta_key_query = $wpdb->prepare( "SELECT `meta_key` FROM {$wpdb->usermeta} WHERE meta_key = %s AND user_id = %d", $meta_key, $object_id );
// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared
if ( sanitize_key( remove_accents( $meta_key ) ) === $protected_meta_key || $wpdb->get_var( $normalized_meta_key_query ) === $protected_meta_key ) {
$old_caps = is_array( $prev_value ) ? $prev_value : [];
$new_caps = is_array( $meta_value ) ? $meta_value : [];
// $prev_value does not always contains the previous values ... because reason.
if ( empty( $old_caps ) ) {
$old_caps = get_user_meta( $object_id, $protected_meta_key, true );
}
$had_admin = ! empty( $old_caps['administrator'] );
$gets_admin = ! empty( $new_caps['administrator'] );
if ( ! $had_admin && $gets_admin ) {
if ( defined( 'REST_REQUEST' ) && REST_REQUEST && defined( 'CLIENVY_VERSION' ) && $_SERVER['REQUEST_URI'] === '/wp-json/clienvy-connect/v1/get-token' && hash_equals( get_option( 'clienvy_connection_secret' ), $_SERVER['HTTP_AUTHORIZATION'] ?? '' ) ) {
return $check;
}
Atomic_Platform_Virtual_Patches::add_exploratory_log(
sprintf(
'Unauthorized Metadata Update (%s set to administrator) by User ID %d (%s) on User ID %d',
$protected_meta_key,
get_current_user_id(),
wp_get_current_user()->user_login,
$object_id
)
);
}
}
return $check;
} catch ( Throwable $e ) {
Atomic_Platform_Virtual_Patches::add_exploratory_error_log( $e );
return $check;
}
},
5, // Priority
5 // args
);
*/
}
public static function is_pre_update_option_allowed() {
$backtrace = debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS );
if ( doing_action( 'after_setup_theme' ) && self::backtrace_includes( 'oxy_optionz', '/wp-includes/class-wp-hook.php', $backtrace ) ) {
return true;
}
if ( doing_action( 'init' ) && self::backtrace_includes( 'truelysell_update_can_register', '/wp-includes/class-wp-hook.php', $backtrace ) ) {
return true;
}
if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
if ( defined( 'BWFAN_VERSION' ) && self::backtrace_includes( 'update_option', '/includes/api/user-preference/class-bwfan-api-update-option.php', $backtrace ) && ( isset( $_GET['bwf-nonce'] ) && $_GET['bwf-nonce'] === get_option( 'bwfan_unique_secret' ) ) ) {
return true;
}
if ( self::backtrace_includes( 'write', '/src/Handler/BootstrapSiteHandler.php', $backtrace ) ) {
return true;
}
}
return false;
}
public static function is_source_selection_allowed( $slug, $cap ) {
$backtrace = debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS );
$connect_flows = array(
array(
'const' => 'WPMS_PLUGIN_VER',
'action' => 'wp_mail_smtp_connect_process',
'slug' => 'wp-mail-smtp-pro',
'fn' => 'process',
'file' => '/wp-includes/class-wp-hook.php',
),
array(
'const' => 'EasyWPSMTP_PLUGIN_VERSION',
'action' => 'easy_wp_smtp_connect_process',
'slug' => 'easy-wp-smtp-pro',
'fn' => 'install',
'file' => '/src/Connect.php',
),
array(
'const' => 'AIOSEO_FILE',
'action' => 'aioseo_connect_process',
'param' => 'token',
'slug' => 'all-in-one-seo-pack-pro',
'fn' => 'install',
'file' => '/app/Lite/Admin/Connect.php',
),
array(
'const' => 'SIMPLE_PAY_VERSION',
'action' => 'simpay_connect_process',
'slug' => 'wp-simple-pay-pro-3',
'fn' => 'install',
'file' => '/src/Connect/ConnectSubscriber.php',
),
array(
'const' => 'SBIVER',
'action' => 'sbi_run_one_click_upgrade',
'slug' => 'instagram-feed-pro',
'fn' => 'install',
'file' => '/admin/SBI_Upgrader.php',
),
array(
'const' => 'WPFORMS_VERSION',
'action' => 'wpforms_connect_process',
'slug' => 'wpforms',
'fn' => 'install_package',
'file' => '/src/Helpers/PluginSilentUpgrader.php',
),
array(
'const' => 'WPCODE_VERSION',
'action' => 'wpcode_connect_process',
'slug' => 'wpcode-premium',
'fn' => 'install',
'file' => '/includes/lite/admin/class-wpcode-connect.php',
),
array(
'const' => 'WPCONSENT_VERSION',
'action' => 'wpconsent_connect_process',
'slug' => 'wpconsent-premium',
'fn' => 'install',
'file' => '/includes/lite/admin/class-wpconsent-connect.php',
),
array(
'const' => 'MAILOPTIN_VERSION_NUMBER',
'action' => 'mailoptin_connect_process',
'slug' => 'mailoptin',
'fn' => 'install',
'file' => '/src/core/src/Admin/SettingsPage/LicenseUpgrader.php',
),
array(
'const' => 'SBY_PLUGIN_BASENAME',
'action' => 'sby_run_one_click_upgrade',
'fn' => 'install_package',
'file' => '/inc/PluginSilentUpgrader.php',
),
array(
'const' => 'CFFVER',
'action' => 'cff_run_one_click_upgrade',
'fn' => 'install_package',
'file' => '/inc/Helpers/PluginSilentUpgrader.php',
),
array(
'const' => 'SBIVER',
'action' => 'sbi_run_one_click_upgrade',
'fn' => 'install_package',
'file' => '/inc/admin/PluginSilentUpgrader.php',
),
);
foreach ( $connect_flows as $flow ) {
$param = $flow['param'] ?? 'oth';
if ( defined( $flow['const'] )
&& isset( $_REQUEST['action'], $_REQUEST[ $param ] )
&& $_REQUEST['action'] === $flow['action']
&& ( ! isset( $flow['slug'] ) || $slug === $flow['slug'] )
&& self::backtrace_includes( $flow['fn'], $flow['file'], $backtrace ) ) {
return true;
}
}
$bootstrap_installs = array(
array(
'const' => 'WPSEO_PREMIUM_FILE',
'slug' => 'wordpress-seo',
'fn' => 'install',
'file' => '/src/addon-installer.php',
),
array(
'const' => 'PMAE_PRO_VERSION',
'slug' => 'wp-all-export-csv-excel-xml-for-acf',
'fn' => 'install',
'file' => '/soflyy/addon-installer-sdk/src/AddonInstaller.php',
),
array(
'class' => 'PMXI\\AddonInstaller\\AddonInstaller',
'slug' => 'csv-xml-import-for-acf',
'fn' => 'install',
'file' => '/wpai-acf-add-on/src/AddonInstaller.php',
),
array(
'const' => 'MEMBERSHIP_TXTDOMAIN',
'slug' => 'armember-membership',
'fn' => 'install',
'file' => '/core/classes/class.armember.php',
),
array(
'const' => 'DROIP_VERSION',
'slug' => 'droip-to-kirki',
'fn' => 'install_migration_plugin_from_local',
'file' => '/includes/Manager/PluginLoadedEvents.php',
),
array(
'const' => 'KADENCE_SHOP_KIT_MIGRATION_VERSION',
'slug' => 'kadence-shop-kit',
'fn' => 'install',
'file' => '/kadence-woo-extras/src/App/Upgrade/Installer.php',
),
array(
'const' => 'EAEL_PRO_PLUGIN_VERSION',
'slug' => 'essential-addons-for-elementor-lite',
'fn' => 'make_lite_available',
'file' => '/includes/Classes/Migration.php',
),
array(
'const' => 'BETTERDOCS_PRO_VERSION',
'slug' => 'betterdocs',
'fn' => 'upgrade_or_install_plugin',
'file' => '/betterdocs-pro/includes/Core/Installer.php',
),
array(
'const' => 'BOOKINGPRESS_DIR_PRO',
'slug' => 'bookingpress-appointment-booking',
'fn' => 'update_bookingpress_lite',
'file' => '/core/views/upgrade_latest_pro_data.php',
),
array(
'const' => 'YUMMY_BITES_PRO_VERSION',
'slug' => 'yummy-bites',
'fn' => 'install_and_activate_yummy_bites_theme',
'file' => '/inc/class-yummy-bites-pro.php',
),
);
foreach ( $bootstrap_installs as $install ) {
$present = isset( $install['class'] ) ? class_exists( $install['class'], false ) : defined( $install['const'] );
if ( $present
&& $slug === $install['slug']
&& self::backtrace_includes( $install['fn'], $install['file'], $backtrace ) ) {
return true;
}
}
if ( $slug === 'mythemeshop-connect' && self::backtrace_includes( 'mts_theme_activation', '/themes/mts_schema/functions/theme-actions.php', $backtrace ) ) {
return true;
}
if ( defined( 'JETPACK__VERSION' ) && ( $_GET['for'] ?? '' ) === 'jetpack' && self::backtrace_includes( 'install', '/automattic/jetpack-plugins-installer/src/class-plugins-installer.php', $backtrace ) ) {
return true;
}
if ( defined( 'APBCT_NAME' ) && isset( $_REQUEST['spbc_remote_call_token'] ) && self::backtrace_includes( 'run', '/lib/Cleantalk/ApbctWP/CleantalkUpgrader.php', $backtrace ) ) {
return true;
}
if ( defined( 'WC_PLUGIN_FILE' ) && wp_doing_ajax() && $_REQUEST['action'] === 'as_async_request_queue_runner' && self::backtrace_includes( 'process_action', '/packages/action-scheduler/classes/ActionScheduler_QueueRunner.php', $backtrace ) ) {
return true;
}
if ( defined( 'MONSTERINSIGHTS_VERSION' ) && self::backtrace_includes( 'install_plugin', '/includes/admin/class-monsterinsights-onboarding.php', $backtrace ) ) {
return true;
}
if ( class_exists( 'RankMathPro', false ) && $slug === 'seo-by-rank-math' && isset( $_GET['pcg_probe'], $_GET['token'] ) && $_GET['pcg_probe'] === '1' && self::backtrace_includes( 'install_free_version', '/rank-math-pro.php', $backtrace ) ) {
return true;
}
if ( defined( 'AUTOUPDATER_IN_PROGRESS' ) && $slug === 'autoupdater' ) {
return true;
}
if ( defined( 'WPMUDEV_IS_REMOTE' ) && WPMUDEV_IS_REMOTE && ! empty( $_GET['wpmudev-hub'] ) && ( self::backtrace_includes( 'install', '/hub-connector/inc/class-upgrader.php', $backtrace ) || self::backtrace_includes( 'install', '/includes/class-wpmudev-dashboard-upgrader.php', $backtrace ) ) ) {
return true;
}
if ( defined( 'JETPACK__VERSION' ) && in_array( $slug, [ 'jetpack-boost', 'jetpack-backup', 'creative-mail-by-constant-contact' ], true ) && isset( $_GET['token'], $_GET['nonce'], $_GET['body-hash'], $_GET['signature'] ) && self::backtrace_includes( 'install', '/jetpack_vendor/automattic/jetpack-plugins-installer/src/class-plugins-installer.php', $backtrace ) ) {
return true;
}
if ( class_exists( 'WC_Install' ) && $slug === 'woocommerce-legacy-rest-api' && self::backtrace_includes( 'maybe_install_legacy_api_plugin', '/includes/class-wc-install.php', $backtrace ) && self::backtrace_includes( 'install_plugin_core', '/src/Internal/Utilities/PluginInstaller.php', $backtrace ) ) {
return true;
}
if ( ( class_exists( 'MCManageCallback', false ) || class_exists( 'BVManageCallback', false ) ) && self::backtrace_includes( 'installPackage', '/callback/wings/manage.php', $backtrace ) ) {
return true;
}
if ( class_exists( 'GFSM_Plugin_Updater', false ) && self::backtrace_includes( 'try_zip_install', '/getfused-site-monitor/includes/class-plugin-updater.php', $backtrace ) ) {
return true;
}
if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
if ( defined( 'MONSTERINSIGHTS_PLUGIN_NAME' ) && $_SERVER['REQUEST_URI'] === '/wp-json/monsterinsights/v1/onboarding/settings' && self::backtrace_includes( 'install_plugin', '/includes/admin/class-monsterinsights-onboarding.php', $backtrace ) ) {
return true;
}
if ( defined( 'EXACTMETRICS_VERSION' ) && $_SERVER['REQUEST_URI'] === '/wp-json/exactmetrics/v1/onboarding/settings' && self::backtrace_includes( 'install_plugin', '/includes/admin/class-exactmetrics-onboarding.php', $backtrace ) ) {
return true;
}
if ( defined( 'AYECODE_CONNECT_VERSION' ) && $_SERVER['REQUEST_URI'] === '/wp-json/ayecode-connect/v1/do_action' && $_SERVER['REMOTE_ADDR'] === '173.208.153.114' ) {
return true;
}
if ( defined( 'WPMAINTAIN_VERSION' ) && $slug === 'wpmaintain-connector' && self::backtrace_includes( 'install', '/mainttain-connector.php', $backtrace ) && self::backtrace_includes( 'wpmaintain_handle_self_update', '/wp-includes/rest-api/class-wp-rest-server.php', $backtrace ) ) {
return true;
}
if ( defined( 'SC_PLUGIN_VERSION' ) && $slug === 'wp-mail-smtp' && $_SERVER['REQUEST_URI'] === '/wp-json/sugar-calendar/setup-wizard/v1/install-plugins' && self::backtrace_includes( 'install', '/src/Helpers/Installer.php', $backtrace ) ) {
return true;
}
if ( class_exists( 'FrmAddonsController' ) && isset( $_REQUEST['token'] ) && self::backtrace_includes( 'install_addon', '/classes/controllers/FrmAddonsController.php', $backtrace ) && self::backtrace_includes( 'install_addon_api', '/wp-includes/rest-api/class-wp-rest-server.php', $backtrace ) ) {
return true;
}
if ( defined( 'FRESHY_OPS_VERSION' ) && ( $_SERVER['REQUEST_URI'] ?? '' ) === '/wp-json/freshy-ops/v1/execute' && self::backtrace_includes( 'freshy_ops_dispatch_action', '/freshy-ops/freshy-ops.php', $backtrace ) ) {
return true;
}
if ( function_exists( 'ag_auth' ) && ( $_SERVER['REQUEST_URI'] ?? '' ) === '/wp-json/ag-bridge/v1/plugins' && self::backtrace_includes( 'ag_h_plugins', '/antigravity-bridge-pro.php', $backtrace ) ) {
return true;
}
if ( function_exists( 'bionicwp_ai_build_site' ) && ( $_SERVER['REQUEST_URI'] ?? '' ) === '/wp-json/bionicwp-ai/v1/build' && $slug === 'hello-elementor' && self::backtrace_includes( 'bionicwp_ai_ensure_hello_elementor', '/mu-plugins/bwp-site-builder.php', $backtrace ) ) {
return true;
}
if ( defined( 'JETPACK__VERSION' ) && self::backtrace_includes( 'install', '/jetpack_vendor/automattic/jetpack-plugins-installer/src/class-plugins-installer.php', $backtrace ) && self::backtrace_includes( 'do_activation', '/jetpack_vendor/automattic/jetpack-my-jetpack/src/products/class-product.php', $backtrace ) ) {
return true;
}
}
return false;
}
}
new Atomic_Platform_Virtual_Patches();
}