Aaron Forgue

+1

/public_html (master)$ git add .
fatal: Not a git repository: wp-content/plugins/custom-sidebars/inc/external/wdev-frash/../../../.git/modules/inc/external/wdev-frash

Just a normal custom post type that I created in one of our own plugins. Wasn’t anything related to WooCommerce.

Just short-circuiting that condition that I listed above fixed the issue we were having in the admin area (although I don’t like having to modify core plugin code, which is why I started this discussion to begin with).

Essentially, the only issue we had was that the “Set permalink” hover link wasn’t showing up in the admin area because the JS was enqueued and loaded.

Let me know what specific details you’d like to know. I’m happy to help.

What specifically is not supported by the API? I’d like to look into to it to be sure.

Thanks for your help!

Actually, while I’ve got your attention, do you have any feature requests? How would you like to be able to do with this plugin?

It does nothing yet. Still under development.

Netcore,
We ran into a similar issue. Here’s an actual solution to your question, rather than a lecture on best practices.

global $wpdb;

$profile_id = $_POST['prof_id'];
$username = $_POST['log_name'];
$password = $_POST['wachtwoord'];
$md5password = wp_hash_password($password);

// You may want to use $wpdb->prepare() here. As it stands, malicous code could be passed in via $_POST['prof_id'] or $_POST['log_name']
$wpdb->query("UPDATE <code>wp_users</code> SET <code>user_login</code> = '".$username."', <code>user_pass</code> = '{$md5password}' WHERE <code>ID</code> = '" . $profile_id . "'");

// Here is the magic:
wp_cache_delete($profile_id, 'users');
wp_cache_delete($username, 'userlogins'); // This might be an issue for how you are doing it. Presumably you'd need to run this for the ORIGINAL user login name, not the new one.
wp_logout();
wp_signon(array('user_login' => $username, 'user_password' => $password));

Credits go to this plugin for the above trick: https://www.ads-software.com/extend/plugins/change-password-e-mail/

“template_url” is not something that should be replace, it is an actual variable name. So try changing:

get_bloginfo(‘themes/dark_splash’).’/style.css’;

To:

get_bloginfo(‘template_url’).’/style.css’;

When actually executed, this will be translated into “themes/dark_splash/style.css”

Confirmed, two sites in our network (so far) have been hit by this exploit. Both were version 2.7.1

Symptoms: Bogus permalink, unauthorized admin account with code in the “first name” field.

Has anyone been able to confirm that this is NOT an issue with 2.8.4?

Just remembered that I did document this at the top of the plugin (line 9):
Author Note: My AssociateID will be automatically inserted 10% of the time. Feel free to disable this.

So I’m not crazy… but I will remove the 10% referral anyway.

Justin,

You are exactly right and you explained the logic perfectly.

I originally developed this widget for my own personal blog because I was unsatisfied with other Amazon widgets. When I made it public, many people adopted it for their own blogs and started hounding me for support. That line was included simply to help pay for the additional hours I have spent updating this widget with user-requested features.

This is the first complaint I have received and will act accordingly. I thought I had mentioned this in the text file documentation, but I indeed have not and should have. I will upload version 1.4 tonight minus the 10% line.

Aaron