v2.12.13

wpcodefactory · Sep 23, 2024 · 39d2f27 · 39d2f27
1 parent a509784
commit 39d2f27
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 37 deletions.
diff --git a/eu-vat-for-woocommerce.php b/eu-vat-for-woocommerce.php
@@ -3,7 +3,7 @@
 Plugin Name: EU/UK VAT for WooCommerce
 Plugin URI: https://wpfactory.com/item/eu-vat-for-woocommerce/
 Description: Manage EU VAT in WooCommerce. Beautifully.
-Version: 2.12.12
+Version: 2.12.13
 Author: WPFactory
 Author URI: https://wpfactory.com/
 Text Domain: eu-vat-for-woocommerce
@@ -22,7 +22,7 @@
  * Main Alg_WC_EU_VAT Class
  *
  * @class   Alg_WC_EU_VAT
- * @version 2.12.8
+ * @version 2.12.13
  * @since   1.0.0
  */
 final class Alg_WC_EU_VAT {
@@ -33,7 +33,7 @@ final class Alg_WC_EU_VAT {
 	 * @var   string
 	 * @since 1.0.0
 	 */
-	public $version = '2.12.12';
+	public $version = '2.12.13';
 
 	/**
 	 * core object.

diff --git a/includes/admin/class-alg-wc-eu-vat-country-rates.php b/includes/admin/class-alg-wc-eu-vat-country-rates.php
@@ -2,7 +2,7 @@
 /**
  * EU VAT for WooCommerce - Tool - EU country VAT Rates
  *
- * @version 1.7.0
+ * @version 2.12.13
  * @since   1.0.0
  * @author  WPFactory
  */
@@ -101,7 +101,7 @@ function get_european_union_countries_with_vat() {
 	/**
 	 * add_eu_countries_vat_rates.
 	 *
-	 * @version 1.7.0
+	 * @version 2.12.13
 	 * @since   1.0.0
 	 */
 	function add_eu_countries_vat_rates() {
@@ -120,7 +120,7 @@ function add_eu_countries_vat_rates() {
 				'tax_rate_country'  => $country,
 				'tax_rate'          => $rate,
 
-				'tax_rate_name'     => isset( $_POST['alg_wc_eu_vat_tax_name'] ) ? $_POST['alg_wc_eu_vat_tax_name'] : __( 'VAT', 'woocommerce' ),
+				'tax_rate_name'     => isset( $_POST['alg_wc_eu_vat_tax_name'] ) ? esc_attr($_POST['alg_wc_eu_vat_tax_name']) : __( 'VAT', 'woocommerce' ),
 				'tax_rate_priority' => 1,
 				'tax_rate_compound' => 0,
 				'tax_rate_shipping' => 1,
@@ -167,7 +167,7 @@ function add_eu_countries_vat_rates_tool() {
 	/**
 	 * create_eu_countries_vat_rates_tool.
 	 *
-	 * @version 1.5.0
+	 * @version 2.12.13
 	 * @since   1.0.0
 	 */
 	function create_eu_countries_vat_rates_tool() {
@@ -181,7 +181,7 @@ function create_eu_countries_vat_rates_tool() {
 		$the_tool_html .= $header_html;
 
 		$data = array();
-		$the_name = ( isset( $_POST['alg_wc_eu_vat_tax_name'] ) ? $_POST['alg_wc_eu_vat_tax_name'] : __( 'VAT', 'woocommerce' ) );
+		$the_name = ( isset( $_POST['alg_wc_eu_vat_tax_name'] ) ? esc_attr($_POST['alg_wc_eu_vat_tax_name']) : __( 'VAT', 'woocommerce' ) );
 		$data[] = array(
 			__( 'Name', 'eu-vat-for-woocommerce' ) . '<br>' .
 				'<input class="input-text" type="text" name="alg_wc_eu_vat_tax_name" value="' . $the_name . '">',

diff --git a/includes/class-alg-wc-eu-vat-ajax.php b/includes/class-alg-wc-eu-vat-ajax.php
@@ -2,7 +2,7 @@
 /**
  * EU VAT for WooCommerce - AJAX Class
  *
- * @version 2.12.6
+ * @version 2.12.13
  * @since   1.0.0
  * @author  WPFactory
  */
@@ -66,6 +66,13 @@ function enqueue_scripts() {
 		}
 	}
 
+	/**
+	 * get_preserve_countrues.
+	 *
+	 * @version 2.12.13
+	 * @since   2.12.13
+	 */
+
 	function get_preserve_countrues(){
 		$return = array();
 		$preservecountries = get_option( 'alg_wc_eu_vat_preserve_in_base_country', 'no' );
@@ -82,6 +89,12 @@ function get_preserve_countrues(){
 		return $return;
 	}
 
+	/**
+	 * alg_wc_eu_vat_validate_action_first_load.
+	 *
+	 * @version 2.12.13
+	 * @since   2.12.13
+	 */
 	function alg_wc_eu_vat_validate_action_first_load( $param ) {
 		$alg_wc_eu_vat_valid = alg_wc_eu_vat_session_get( 'alg_wc_eu_vat_valid' );
 
@@ -96,7 +109,7 @@ function alg_wc_eu_vat_validate_action_first_load( $param ) {
 	/**
 	 * alg_wc_eu_vat_validate_action.
 	 *
-	 * @version 2.12.6
+	 * @version 2.12.13
 	 * @since   1.0.0
 	 * @todo    [dev] (maybe) better codes (i.e. not 0, 1, 2, 3)
 	 * @todo    [dev] (maybe) `if ( ! isset( $_POST['alg_wc_eu_vat_validate_action'] ) ) return;`
@@ -105,7 +118,7 @@ function alg_wc_eu_vat_validate_action_first_load( $param ) {
 	function alg_wc_eu_vat_validate_action( $param ) {
 		$vat_number = '';
 		if ( isset( $_POST['alg_wc_eu_vat_to_check'] ) && '' != $_POST['alg_wc_eu_vat_to_check'] ) {
-			$vat_number = $_POST['alg_wc_eu_vat_to_check'];
+			$vat_number = esc_attr($_POST['alg_wc_eu_vat_to_check']);
 		}
 		if($vat_number == 'checkout_block_first_load') {
 			if ( version_compare( get_option( 'woocommerce_version', null ), '8.9.1', '>=' ) ) {
@@ -114,8 +127,8 @@ function alg_wc_eu_vat_validate_action( $param ) {
 		}
 
 		if ( isset( $_POST['alg_wc_eu_vat_to_check'] ) && '' != $_POST['alg_wc_eu_vat_to_check'] ) {
-			$eu_vat_number   = alg_wc_eu_vat_parse_vat( $vat_number, $_POST['billing_country'] );
-			$billing_company = ( isset( $_POST['billing_company'] ) ? $_POST['billing_company'] : '' );
+			$eu_vat_number   = alg_wc_eu_vat_parse_vat( $vat_number, esc_attr($_POST['billing_country']) );
+			$billing_company = ( isset( $_POST['billing_company'] ) ? esc_attr($_POST['billing_company']) : '' );
 			if ( 'yes' === apply_filters( 'alg_wc_eu_vat_check_ip_location_country', 'no' ) ) {
 				$country_by_ip   = alg_wc_eu_vat_get_customers_location_by_ip();
 				$is_county_valid = ( $country_by_ip === $eu_vat_number['country'] );
@@ -149,7 +162,7 @@ function alg_wc_eu_vat_validate_action( $param ) {
 
 		if ( $is_valid && 'no' != ( $preserve_option_value_base_country = get_option( 'alg_wc_eu_vat_preserve_in_base_country', 'no' ) ) ) {
 
-			$selected_country_at_checkout = $_POST['billing_country'];
+			$selected_country_at_checkout = esc_attr($_POST['billing_country']);
 
 			if ( 'yes' === $preserve_option_value_base_country ) {
 				$location = wc_get_base_location();
@@ -190,10 +203,10 @@ function alg_wc_eu_vat_validate_action( $param ) {
 		}else if ( true === $is_preserv ) {
 			alg_wc_eu_vat_session_set( 'alg_wc_eu_vat_to_check', null );
 		}else{
-			alg_wc_eu_vat_session_set( 'alg_wc_eu_vat_to_check', ( isset( $_POST['alg_wc_eu_vat_to_check'] ) ? $_POST['alg_wc_eu_vat_to_check'] : '' ) );
+			alg_wc_eu_vat_session_set( 'alg_wc_eu_vat_to_check', ( isset( $_POST['alg_wc_eu_vat_to_check'] ) ? esc_attr($_POST['alg_wc_eu_vat_to_check']) : '' ) );
 		}
 
-		$alg_wc_eu_vat_belgium_compatibility = ( isset( $_POST['alg_wc_eu_vat_belgium_compatibility'] ) ? $_POST['alg_wc_eu_vat_belgium_compatibility'] : '' );
+		$alg_wc_eu_vat_belgium_compatibility = ( isset( $_POST['alg_wc_eu_vat_belgium_compatibility'] ) ? esc_attr($_POST['alg_wc_eu_vat_belgium_compatibility']) : '' );
 
 		if( $alg_wc_eu_vat_belgium_compatibility == 'yes' ){
 			alg_wc_eu_vat_session_set( 'alg_wc_eu_vat_valid',    $is_valid );
@@ -263,9 +276,15 @@ function alg_wc_eu_vat_validate_action( $param ) {
 		die();
 	}
 
+	/**
+	 * alg_wc_eu_vat_exempt_vat_from_admin.
+	 *
+	 * @version 2.12.13
+	 * @since   2.12.13
+	 */
 	function alg_wc_eu_vat_exempt_vat_from_admin( $param ){
 		if ( isset( $_POST['order_id'] ) && '' != $_POST['order_id'] ) {
-			$orderid = $_POST['order_id'];
+			$orderid = esc_attr($_POST['order_id']);
 			if(isset( $_POST['status'] ) && 'yes' == $_POST['status'] ){
 				update_post_meta($orderid, 'exempt_vat_from_admin', 'never');
 				echo "never";

diff --git a/includes/class-alg-wc-eu-vat-core.php b/includes/class-alg-wc-eu-vat-core.php
@@ -2,7 +2,7 @@
 /**
  * EU VAT for WooCommerce - Core Class
  *
- * @version 2.12.12
+ * @version 2.12.13
  * @since   1.0.0
  * @author  WPFactory
  */
@@ -1717,7 +1717,7 @@ function filter_available_payment_gateways_allowed( $available_gateways ) {
 	/**
 	 * checkout_validate_vat.
 	 *
-	 * @version 2.12.8
+	 * @version 2.12.13
 	 * @since   1.0.0
 	 * @todo    [dev] (important) simplify the code
 	 */
@@ -1748,7 +1748,7 @@ function checkout_validate_vat( $_posted ) {
 			$show_eu_vat_field_countries = array_map( 'strtoupper', array_map( 'trim', explode( ',', $this->show_in_countries ) ) );
 		}
 
-		$country_code = isset( $_posted['billing_country'] ) ? $_posted['billing_country'] : '';
+		$country_code = isset( $_posted['billing_country'] ) ? esc_attr( $_posted['billing_country'] ) : '';
 
 		if ( 'yes_for_company' === $eu_vat_required ) {
 			if(isset( $_posted['billing_company']) && !empty($_posted['billing_company'])){
@@ -1764,7 +1764,7 @@ function checkout_validate_vat( $_posted ) {
 
 					if( !$is_valid ) {
 						wc_add_notice(
-							str_replace( '%eu_vat_number%', $_posted[ alg_wc_eu_vat_get_field_id() ],
+							str_replace( '%eu_vat_number%', esc_attr($_posted[ alg_wc_eu_vat_get_field_id() ]),
 								do_shortcode( get_option( 'alg_wc_eu_vat_not_valid_message', __( '<strong>EU VAT Number</strong> is not valid.', 'eu-vat-for-woocommerce' ) ) ) ),
 							'error'
 						);
@@ -1791,14 +1791,14 @@ function checkout_validate_vat( $_posted ) {
 				) {
 					$is_valid = $this->check_and_save_eu_vat(
 						$_posted[ alg_wc_eu_vat_get_field_id() ],
-						( isset( $_posted['billing_country'] ) ? $_posted['billing_country'] : '' ),
-						( isset( $_posted['billing_company'] ) ? $_posted['billing_company'] : '' )
+						( isset( $_posted['billing_country'] ) ? esc_attr($_posted['billing_country']) : '' ),
+						( isset( $_posted['billing_company'] ) ? esc_attr($_posted['billing_company']) : '' )
 					);
 				} else {
 
-					$vat_number = $_posted[ alg_wc_eu_vat_get_field_id() ];
-					$billing_country = isset( $_posted['billing_country'] ) ? $_posted['billing_country'] : '';
-					$billing_company = isset( $_posted['billing_company'] ) ? $_posted['billing_company'] : '';
+					$vat_number = esc_attr($_posted[ alg_wc_eu_vat_get_field_id() ]);
+					$billing_country = isset( $_posted['billing_country'] ) ? esc_attr($_posted['billing_country']) : '';
+					$billing_company = isset( $_posted['billing_company'] ) ? esc_attr($_posted['billing_company']) : '';
 					$vat_number = preg_replace('/\s+/', '', $vat_number);
 					$eu_vat_number = alg_wc_eu_vat_parse_vat( $vat_number, $billing_country );
 
@@ -1822,8 +1822,8 @@ function checkout_validate_vat( $_posted ) {
 				}
 
 				if ( 'no' != ( $preserve_option_value = get_option( 'alg_wc_eu_vat_preserv_vat_for_different_shipping', 'no' ) ) ) {
-					$billing_country = isset( $_REQUEST['billing_country'] ) ? $_REQUEST['billing_country'] : '';
-					$shipping_country = isset( $_REQUEST['shipping_country'] ) ? $_REQUEST['shipping_country'] : '';
+					$billing_country = isset( $_REQUEST['billing_country'] ) ? esc_attr($_REQUEST['billing_country']) : '';
+					$shipping_country = isset( $_REQUEST['shipping_country'] ) ? esc_attr($_REQUEST['shipping_country']) : '';
 
 					$is_country_same = ( strtoupper( $billing_country ) !== strtoupper( $shipping_country) );
 					if(!$is_country_same && !$is_valid){
@@ -1834,14 +1834,14 @@ function checkout_validate_vat( $_posted ) {
 				$is_valid = apply_filters( 'alg_wc_eu_vat_is_valid_vat_at_checkout', $is_valid );
 				if ( ! $is_valid ) {
 					wc_add_notice(
-						str_replace( '%eu_vat_number%', $_posted[ alg_wc_eu_vat_get_field_id() ],
+						str_replace( '%eu_vat_number%', esc_attr($_posted[ alg_wc_eu_vat_get_field_id() ]),
 							do_shortcode( get_option( 'alg_wc_eu_vat_not_valid_message', __( '<strong>EU VAT Number</strong> is not valid.', 'eu-vat-for-woocommerce' ) ) ) ),
 						'error'
 					);
 					alg_wc_eu_vat_maybe_log(
-						( isset( $_posted['billing_country'] ) ? $_posted['billing_country'] : '' ),
-						$_posted[ alg_wc_eu_vat_get_field_id() ],
-						( isset( $_posted['billing_company'] ) ? $_posted['billing_company'] : '' ),
+						( isset( $_posted['billing_country'] ) ? esc_attr($_posted['billing_country']) : '' ),
+						esc_attr($_posted[ alg_wc_eu_vat_get_field_id() ]),
+						( isset( $_posted['billing_company'] ) ? esc_attr($_posted['billing_company']) : '' ),
 						'',
 						__( 'Error: VAT is not valid (checkout)', 'eu-vat-for-woocommerce' )
 					);
@@ -1875,7 +1875,7 @@ function add_eu_vat_registration_woocommerce(){
 	 */
 	function add_eu_vat_registration_woocommerce_validation( $username, $email, $errors ){
 		$field_id = alg_wc_eu_vat_get_field_id();
-		$eu_vat_to_check = $_POST[$field_id];
+		$eu_vat_to_check = esc_attr($_POST[$field_id]);
 
 		$form_company_name = isset($_POST['billing_company']) ? esc_attr($_POST['billing_company']) : '';
 		$form_country = isset($_POST['billing_country']) ? esc_attr($_POST['billing_country']) : '';

diff --git a/langs/eu-vat-for-woocommerce.pot b/langs/eu-vat-for-woocommerce.pot
@@ -2,14 +2,14 @@
 # This file is distributed under the GNU General Public License v3.0.
 msgid ""
 msgstr ""
-"Project-Id-Version: eu-vat-for-woocommerce 2.12.12\n"
+"Project-Id-Version: eu-vat-for-woocommerce 2.12.13\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/eu-vat-for-woocommerce\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2024-09-12T08:30:31+02:00\n"
+"POT-Creation-Date: 2024-09-23T15:20:59+02:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.9.0\n"
 "X-Domain: eu-vat-for-woocommerce\n"
@@ -200,7 +200,7 @@ msgstr ""
 msgid "(optional)"
 msgstr ""
 
-#: includes/class-alg-wc-eu-vat-ajax.php:125
+#: includes/class-alg-wc-eu-vat-ajax.php:138
 #: includes/class-alg-wc-eu-vat-core.php:1593
 msgid "Error: Country by IP does not match (%s)"
 msgstr ""

diff --git a/readme.txt b/readme.txt
@@ -3,7 +3,7 @@ Contributors: wpcodefactory, omardabbas, karzin, anbinder, algoritmika, kousikmu
 Tags: EU VAT, UK VAT, tax, vat validation, VAT
 Requires at least: 6.1
 Tested up to: 6.6
-Stable tag: 2.12.12
+Stable tag: 2.12.13
 License: GNU General Public License v3.0
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -290,6 +290,9 @@ Once activated, access the plugin's settings by navigating to “WooCommerce > S
 
 == Changelog ==
 
+= 2.12.13 - 23/09/2024 =
+* Fix - Cross-Site Scripting vulnerability.
+
 = 2.12.12 - 12/09/2024 =
 * Fix - HPOS error issue.