Security Fix: Improved code security enforcement in theme/plugin file editor [ED-16139] (#220)

hooks/class-aal-hook-plugins.php

@@ -41,34 +41,6 @@ class AAL_Hook_Plugins extends AAL_Hook_Base {
 		$this->_add_log_plugin( 'deleted', $plugin_file );
 	}
 
-	public function hooks_plugin_modify( $location, $status ) {
-		if ( false !== strpos( $location, 'plugin-editor.php' ) ) {
-			if ( ( ! empty( $_POST ) && 'update' === $_REQUEST['action'] ) ) {
-				$aal_args = array(
-					'action'         => 'file_updated',
-					'object_type'    => 'Plugins',
-					'object_subtype' => 'plugin_unknown',
-					'object_id'      => 0,
-					'object_name'    => 'file_unknown',
-				);
-
-				if ( ! empty( $_REQUEST['file'] ) ) {
-					$aal_args['object_name'] = $_REQUEST['file'];
-					// Get plugin name
-					$plugin_dir  = explode( '/', $_REQUEST['file'] );
-					$plugin_data = array_values( get_plugins( '/' . $plugin_dir[0] ) );
-					$plugin_data = array_shift( $plugin_data );
-
-					$aal_args['object_subtype'] = $plugin_data['Name'];
-				}
-				aal_insert_log( $aal_args );
-			}
-		}
-
-		// We are need return the instance, for complete the filter.
-		return $location;
-	}
-
 	/**
 	 * @param Plugin_Upgrader $upgrader
 	 * @param array $extra
@@ -141,8 +113,6 @@ class AAL_Hook_Plugins extends AAL_Hook_Base {
 		
 		add_action( 'delete_plugin', array( $this, 'hooks_delete_plugin' ) );
 
-		add_filter( 'wp_redirect', array( $this, 'hooks_plugin_modify' ), 10, 2 );
-		
 		add_action( 'upgrader_process_complete', array( $this, 'hooks_plugin_install_or_update' ), 10, 2 );
 
 		add_action( 'update_site_option_auto_update_plugins', [ $this, 'hooks_auto_update_settings' ], 10, 3 );

hooks/class-aal-hook-themes.php

@@ -3,31 +3,6 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
 
 class AAL_Hook_Themes extends AAL_Hook_Base {
 
-	public function hooks_theme_modify( $location, $status ) {
-		if ( false !== strpos( $location, 'theme-editor.php?file=' ) ) {
-			if ( ! empty( $_POST ) && 'update' === $_POST['action'] ) {
-				$aal_args = array(
-					'action'         => 'file_updated',
-					'object_type'    => 'Themes',
-					'object_subtype' => 'theme_unknown',
-					'object_id'      => 0,
-					'object_name'    => 'file_unknown',
-				);
-
-				if ( ! empty( $_POST['file'] ) )
-					$aal_args['object_name'] = $_POST['file'];
-
-				if ( ! empty( $_POST['theme'] ) )
-					$aal_args['object_subtype'] = $_POST['theme'];
-
-				aal_insert_log( $aal_args );
-			}
-		}
-
-		// We are need return the instance, for complete the filter.
-		return $location;
-	}
-
 	public function hooks_switch_theme( $new_name, WP_Theme $new_theme ) {
 		aal_insert_log(
 			array(
@@ -165,7 +140,6 @@ class AAL_Hook_Themes extends AAL_Hook_Base {
 	}
 
 	public function __construct() {
-		add_filter( 'wp_redirect', array( &$this, 'hooks_theme_modify' ), 10, 2 );
 		add_action( 'switch_theme', array( &$this, 'hooks_switch_theme' ), 10, 2 );
 		add_action( 'delete_site_transient_update_themes', array( &$this, 'hooks_theme_deleted' ) );
 		add_action( 'upgrader_process_complete', array( &$this, 'hooks_theme_install_or_update' ), 10, 2 );

readme.txt

@@ -118,6 +118,9 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro
 
 == Changelog ==
 
+= 2.11.2 - 2024-11-12 =
+* Security Fix: Improved code security enforcement in theme/plugin file editor
+
 = 2.11.1 - 2024-11-05 =
 * Tweak: Added ability to search in context column