Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question: Wordpress Plugins page? #6

Open
Mixerboy24 opened this issue Aug 3, 2024 · 0 comments
Open

Question: Wordpress Plugins page? #6

Mixerboy24 opened this issue Aug 3, 2024 · 0 comments

Comments

@Mixerboy24
Copy link

Mixerboy24 commented Aug 3, 2024
edited
Loading

Hey.

Is the plugin in this GitHub repository the same as the one on the WordPress plugin page?

At a quick glance, I noticed that the source code and the code within the plugin are different. When downloading the plugin from the WordPress plugin page, it causes an SQL Injection Attack detection by OWASP.

Error:
Message: Detected 200 (phase 2). Test 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/*' against '@detectSQLi' is true. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "66"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [logdata "Matched Data: sos found within sos: sos"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [MatchedString "sos"]
Source: /wp-content/plugins/trustpilot-reviews/review/assets/js/headerScript.min.js?ver=1.0'='async

Code differences

In Plugin page "trustpilot-reviews/review/Plugin.php":

	/**
	 * Handle WP actions and filters.
	 */
	private function do_hooks() {
		add_filter( 'clean_url', array( $this, 'trustpilot_async_scripts' ), 11, 1 );
		add_action( 'wp_enqueue_scripts', array( $this, 'trustpilot_load_js' ) );
		require_once( plugin_dir_path( __FILE__ ) . 'TrustBox.php' );
	}

	// Async load
	public function trustpilot_async_scripts( $url ) {
		if ( strpos( $url, '#trustpilot_async' ) === false ) {
			return $url;
		} elseif ( is_admin() ) {
			return str_replace( '#trustpilot_async', '', $url );
		} else {
			return str_replace( '#trustpilot_async', '', $url ) . "' async='async";
		}
	}

	public function trustpilot_load_js( $hook ) {
		wp_register_script( 'tp-js', plugins_url( 'assets/js/headerScript.min.js#trustpilot_async', __FILE__ ), [], '1.0' );
		$key = trustpilot_get_settings( TRUSTPILOT_GENERAL_CONFIGURATION )->key;
		$trustbox = trustpilot_get_settings( TRUSTPILOT_TRUSTBOX_CONFIGURATION );
		wp_localize_script(
			'tp-js',
			'trustpilot_settings',
			array(
				TRUSTPILOT_INTEGRATION_KEY => $key,
				TRUSTPILOT_SCRIPT          => TRUSTPILOT_SCRIPT_URL,
				TRUSTPILOT_INTEGRATION_APP => TRUSTPILOT_INTEGRATION_APP_URL,
				TRUSTPILOT_PREVIEW_SCRIPT  => TRUSTPILOT_PREVIEW_SCRIPT_URL,
				TRUSTPILOT_PREVIEW_CSS     => TRUSTPILOT_PREVIEW_CSS_URL,
				TRUSTPILOT_WP_PREVIEW_CSS  => TRUSTPILOT_WP_PREVIEW_CSS_URL,
				TRUSTPILOT_WIDGET_SCRIPT   => TRUSTPILOT_WIDGET_SCRIPT_URL,
			)
		);
		wp_enqueue_script( 'tp-js' );
		if (isset($trustbox->trustboxes) && count($trustbox->trustboxes) > 0) {
			wp_enqueue_script( 'widget-bootstrap', TRUSTPILOT_WIDGET_SCRIPT_URL . '#trustpilot_async', [], '1.0' );
		}
	}
}

Same point in this repository line:

plugin-woocommerce/Trustpilot/review/Plugin.php

Lines 133 to 156 in 908130b

/**
* Handle WP actions and filters.
*/
private function do_hooks() {
add_action( 'wp_enqueue_scripts', array( $this, 'trustpilot_load_js' ));
require_once(plugin_dir_path(__FILE__) . 'TrustBox.php');
}
public function trustpilot_load_js($hook){
wp_register_script('tp-js', plugins_url('assets/js/headerScript.min.js', __FILE__));
$key = trustpilot_get_settings(TRUSTPILOT_GENERAL_CONFIGURATION)->key;
wp_localize_script('tp-js', 'trustpilot_settings', array(
TRUSTPILOT_INTEGRATION_KEY => $key,
TRUSTPILOT_SCRIPT => TRUSTPILOT_SCRIPT_URL,
TRUSTPILOT_INTEGRATION_APP => TRUSTPILOT_INTEGRATION_APP_URL,
TRUSTPILOT_PREVIEW_SCRIPT => TRUSTPILOT_PREVIEW_SCRIPT_URL,
TRUSTPILOT_PREVIEW_CSS => TRUSTPILOT_PREVIEW_CSS_URL,
TRUSTPILOT_WP_PREVIEW_CSS => TRUSTPILOT_WP_PREVIEW_CSS_URL,
TRUSTPILOT_WIDGET_SCRIPT => TRUSTPILOT_WIDGET_SCRIPT_URL,
));
wp_enqueue_script('tp-js');
wp_enqueue_script('widget-bootstrap', TRUSTPILOT_WIDGET_SCRIPT_URL, null, null);
}
}

This repo last update is 4 years ago. Plugin in Wordpress page last update 1 years ago.

What do you recommend to use?
Is the Woocommerce plugin in the Dashboard up to date and compatible with the latest WP installations?

--
Atte Oksanen // Mixerboy24
Jr Developer, ICT Tecnician
LocalghostFI
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Mixerboy24