fix: close critical vulnerability CVE-2024-4411

mihdan · May 3, 2024 · 2ce3663 · 2ce3663
1 parent f1ce8ab
commit 2ce3663
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 10 deletions.
diff --git a/includes/class-shortcodes.php b/includes/class-shortcodes.php
@@ -21,12 +21,12 @@ public function button_callback( $atts ) {
 
 		return sprintf(
 			'<button formaction="%s" data-background-color="%s" data-color="%s" data-turbo="%s" data-primary="%s">%s</button>',
-			$atts['formaction'],
-			$atts['data-background-color'],
-			$atts['data-color'],
-			$atts['data-turbo'],
-			$atts['data-primary'],
-			$atts['value']
+			esc_attr( $atts['formaction'] ),
+			esc_attr( $atts['data-background-color'] ),
+			esc_attr( $atts['data-color'] ),
+			esc_attr( $atts['data-turbo'] ),
+			esc_attr( $atts['data-primary'] ),
+			esc_html( $atts['value'] )
 		);
 	}
 }
diff --git a/mihdan-yandex-turbo-feed.php b/mihdan-yandex-turbo-feed.php
@@ -17,7 +17,7 @@
  * Plugin Name: Yandex Turbo Feed
  * Plugin URI: https://www.kobzarev.com/projects/yandex-turbo-feed/
  * Description: Плагин создаёт настраиваемые ленты для сервиса Яндекс Турбо
- * Version: 1.6.5.1
+ * Version: 1.6.6
  * Author: Mikhail Kobzarev
  * Author URI: https://www.kobzarev.com/
  * License: GNU General Public License v2
@@ -35,7 +35,7 @@
 
 // Слаг плагина
 define( 'MIHDAN_YANDEX_TURBO_FEED_SLUG', 'mihdan_yandex_turbo_feed' );
-define( 'MIHDAN_YANDEX_TURBO_FEED_VERSION', '1.6.5.1' );
+define( 'MIHDAN_YANDEX_TURBO_FEED_VERSION', '1.6.6' );
 define( 'MIHDAN_YANDEX_TURBO_FEED_PATH', __DIR__ );
 define( 'MIHDAN_YANDEX_TURBO_FEED_URL', trailingslashit( plugin_dir_url( __FILE__ ) ) );
 define( 'MIHDAN_YANDEX_TURBO_FEED_FILE', __FILE__ );

diff --git a/readme.txt b/readme.txt
@@ -5,8 +5,8 @@ Donate link: https://www.kobzarev.com/donate/
 Tags: wordpress, feed, yandex, turbo, rss, yandex-turbo, yandex-turbo-pages, rss-feed, seo, seo-friendly, yoast, google, webmaster, schema, sitemap
 Requires at least: 5.6
 Requires PHP: 7.4
-Tested up to: 6.4
-Stable tag: 1.6.5.1
+Tested up to: 6.5
+Stable tag: 1.6.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -174,6 +174,9 @@ add_filter( 'mihdan_yandex_turbo_feed_taxonomy', function( $taxonomy ) {
 
 == Changelog ==
 
+= 1.6.6 (2024-05-03) =
+* Исправлена критическая уязвимость `CVE-2024-4411`
+
 = 1.6.5 (2023-12-05) =
 * Добавлена возможность вставки видео из плагина Lite Video Embed