Version: 2.175.

2.175

Author: Glomberg

changelog.txt

@@ -1,5 +1,37 @@
 == Changelog ==
 
+= 2.162 Aug 18 2025
+* New. PassCheck. Users passwords checking for information leaks functionality implemented
+* Fix. CSS. Editing the logo position on the authorization page
+* Fix. Scan. Fixed cure behavior on view when file deleted.
+
+= 2.161 Aug 04 2025
+* Fix. Code. Code direct call preventing.
+* Fix. CSS. Login notification.
+* Fix. SecurityLog. Fixed getting role capabilities.
+* Fix. UploadChecker. Skip binary files check.
+* Mod. Scanner. HeuristicAnalyser. Compatibility of classes for using entropy with php 5.6
+* New. DoingItWrongHandler class. Collect all SPBC errors, suppress remote calls translation errors.
+* New. Scanner. OSCron. Signature analysis of cron tasks. Minor visual updates.
+* Revert "Upd. CSS. Add const SPBC_OVERRIDE_LOGIN_BODY_DISPLAY to override custom body.login display to "block"."
+* Upd. File Editor Disabler. Show last tried config path. Config file getting improved.
+* Upd. FireWall. Blocking screen updates.
+* Upd. REST. Block REST route "/users". Do not check logged in users.
+* Upd. Scanner. Important files listing. Check content of files if response code is 200.
+
+= 2.160 July 14 2025
+* Mod. SettingsDesc. Description of suspicious vulnerabilities.
+* Mod. RemoteCalls. Updated test calls error formatting.
+* Code. Unit Test. Disable admin bar exclaim test.
+* Fix. AjaxActions. Added nonce verification.
+* Fix. Code. Code direct call prevention.
+* Fix. FileEditorDisabler. Do not write error_log. Messages refactored.
+* Fix. Admin bar. Hide exclaim sign if no SPBC banners need user attention.
+* Fix. VulnerabilityAlarm. Set autoload for option to 'off'.
+
+= 2.159.1 July 10 2025
+* Fix. Code. React. Return ErrorBlock component.
+
 = 2.159 June 30 2025
 * New. FileEditorDisabler. New functionality for disabling the file editor
 * New. FileEditorDisabler. Multisite setup mode, dashboard banners, and settings page

css/spbc-settings.min.css

@@ -221,14 +221,6 @@ div.pagination{
 					width: 500px;
 				}
 
-
-/* Show/hide key link */
-#showHideLink{
-	display: inline-block;
-	margin-top: 5px;
-	color: #777;
-}
-
 /* Log button */
 .spbc__wrapper--center{margin: 10px 0 10px 0; text-align: center;}
 
@@ -805,47 +797,6 @@ button#spbc_setting_get_key_auto:disabled {
 	flex-grow: 1;
 }
 
-.spbc-quicknav--bar_wrapper {
-	display: flex;
-	flex-direction: column;
-	flex-wrap: nowrap;
-	justify-content: flex-start;
-	height: fit-content;
-	position: sticky;
-	top: 5vh;
-}
-
-.spbc-quicknav--links_wrapper {
-	display: flex;
-	flex-direction: column;
-	flex-wrap: nowrap;
-	justify-content: center;
-	padding: 3px;
-	border: 1px solid #e5e5e5;
-	margin: 10px;
-}
-
-.spbc-quicknav--link{
-	margin: 3px;
-	width: -webkit-fill-available;
-	width: -moz-available;
-	text-align: left;
-	display: flex;
-	flex-direction: row;
-	justify-content: flex-start;
-}
-
-#spbc_quicknav--header {
-	color: #026E88;
-	text-align: center;
-	margin: 5px 0;
-}
-
-.spbc_quicknav--save_button {
-	margin: 10px 5px !important;
-	height: 40px;
-}
-
 .spbc_settings--save_button_custom {
 	position: sticky;
 	bottom: 0;

css/src/spbc-settings.css

@@ -6,6 +6,7 @@
 use CleantalkSP\SpbctWP\DTO\ReactDataDTO;
 use CleantalkSP\SpbctWP\Escape;
 use CleantalkSP\SpbctWP\Scanner\DBTrigger\DBTriggerService;
+use CleantalkSP\SpbctWP\Settings\SettingsGeneralReact;
 use CleantalkSP\SpbctWP\VulnerabilityAlarm\Dto\PluginReport;
 use CleantalkSP\SpbctWP\Firewall\View as FirewallView;
 use CleantalkSP\SpbctWP\VulnerabilityAlarm\Dto\ThemeReport;
@@ -137,7 +138,6 @@ function spbc_admin_init()
     add_action('wp_ajax_spbc_settings__get_description', 'spbc_settings__get_description');
     add_action('wp_ajax_spbc_settings__get_recommendation', 'spbc_settings__get_recommendation');
     add_action('wp_ajax_spbc_settings__check_renew_banner', 'spbc_settings__check_renew_banner');
-    add_action('wp_ajax_spbc_sync', 'spbc_sync');
     add_action('wp_ajax_spbc_get_key_auto', 'spbc_get_key_auto');
     add_action('wp_ajax_spbc_update_account_email', 'spbc_settings__update_account_email');
     add_action('wp_ajax_spbc_create_support_user', 'spbc_settings__spbc_create_support_user');
@@ -171,11 +171,13 @@ function spbc_admin_init()
 
     // Drop debug data
     if (Post::getString('spbc_debug__drop')) {
+        spbc_check_ajax_referer('spbc_secret_nonce', 'security');
         $spbc->deleteOption('debug', 'use_prefix');
     }
 
     // Drop debug data
     if (Post::getString('spbc_debug__check_connection')) {
+        spbc_check_ajax_referer('spbc_secret_nonce', 'security');
         $result = spbc_test_connection();
         spbc_log($result);
     }
@@ -227,6 +229,9 @@ function spbct_get_tab_data()
         case 'traffic_control':
             wp_send_json(FirewallView::getReactData($data));
             break;
+        case 'settings_general':
+            wp_send_json(SettingsGeneralReact::getReactData());
+            break;
         case 'spbct_settings_overview':
             wp_send_json(spbc_field_options_overview_traffic_light());
             break;

inc/spbc-admin.php

@@ -3,6 +3,7 @@
 use CleantalkSP\SpbctWP\Counters\SecurityCounter;
 use CleantalkSP\SpbctWP\Firewall\WafBlocker;
 use CleantalkSP\SpbctWP\G2FA\GoogleAuthenticator;
+use CleantalkSP\SpbctWP\UsersPassCheckModule\UsersPassCheckModel;
 use CleantalkSP\SpbctWP\Variables\Cookie;
 use CleantalkSP\SpbctWP\Helpers\IP;
 use CleantalkSP\Variables\Get;
@@ -636,6 +637,10 @@ function spbc_passleak_change_password_handler()
         wp_die(__('User not found', 'security-malware-firewall'));
     }
 
+    if ( ! UsersPassCheckModel::isUserPassLeaked($user->ID)) {
+        wp_safe_redirect(wp_login_url());
+    }
+
     if ($password_new !== $password_confirm) {
         wp_redirect(
             wp_login_url()
@@ -661,11 +666,15 @@ function spbc_passleak_change_password_handler()
     wp_set_password($password_new, $user->ID);
     UsersPassCheckHandler::removeUserPassOnPasswordChange($user->ID);
 
-    // set user authenticated
-    wp_set_auth_cookie($user->ID);
+    wp_signon([
+        'user_login'    => $user_name,
+        'user_password' => $password_new
+    ]);
 
-    // redirect to dashboard
-    wp_redirect(admin_url());
+    $redirect_to = Post::getString('redirect_to') ?: admin_url();
+    wp_safe_redirect(
+        wp_sanitize_redirect($redirect_to)
+    );
 
     exit;
 }
@@ -961,7 +970,8 @@ function spbc_2fa__success(\WP_User $user)
     }
 
     $redirect_to = remove_query_arg(array('wc_error', 'password-reset', 'spbc_2fa_user'), $redirect_to);
-    wp_redirect($redirect_to);
+    $redirect_to = wp_validate_redirect($redirect_to, admin_url());
+    wp_safe_redirect($redirect_to);
     die();
 }
 

inc/spbc-auth.php

@@ -56,12 +56,17 @@ function spbc_firewall__check()
         $login_url = RenameLoginPage::getURL($spbc->settings['login_page_rename__name']);
     }
 
+    // Compare only the path part of URLs to avoid scheme mismatch issues
+    $current_path = parse_url(Server::getURL(), PHP_URL_PATH) ?: Server::get('REQUEST_URI');
+    $login_path = parse_url($login_url, PHP_URL_PATH) ?: '/wp-login.php';
+    $is_login_page = strpos(trim($current_path, '/'), trim($login_path, '/')) === 0;
+
     $firewall->loadFwModule(
         new BFP(
             array(
             'api_key'       => $spbc->api_key,
             'state'         => $spbc,
-            'is_login_page' => strpos(trim(Server::getURL(), '/'), trim($login_url, '/')) === 0,
+            'is_login_page' => $is_login_page,
             'is_logged_in'  => Cookie::getString('spbc_is_logged_in') === md5($spbc->data['salt'] . get_option('home')),
             'bf_limit'      => $spbc->settings['bfp__allowed_wrong_auths'],
             'block_period'  => $spbc->settings['bfp__block_period__5_fails'],

inc/spbc-firewall.php

@@ -203,71 +203,6 @@ function spbc_settings__register()
                 'ajax'         => true,
                 'after'        => 'spbc_settings_draw_save_button_bottom_block',
                 'sections'     => array(
-                    'section_top_banner' => array(
-                        'type'   => 'section_banner',
-                        'fields' => array(
-                            'security_log' => array(
-                                'type'     => 'field',
-                            ),
-                        ),
-                    ),
-                    'apikey'          => array(
-                        'type'   => 'section',
-                        'title'  => __('Access Key', 'security-malware-firewall'),
-                        'anchor'      => 'apikey',
-                        'fields' => array(
-                            'apikey'                  => array(
-                                'type'     => 'field',
-                                'callback' => 'spbc_field_key'
-                            ),
-                            'ms__work_mode'           => array(
-                                'type'             => 'field',
-                                'input_type'       => 'select',
-                                'options'          => array(
-                                    array(
-                                        'val'             => 1,
-                                        'label'           => __('Mutual Account, Individual Access Keys', 'security-malware-firewall'),
-                                        'children_enable' => 1,
-                                    ),
-                                    array(
-                                        'val'             => 2,
-                                        'label'           => __('Mutual Account, Mutual Access Key', 'security-malware-firewall'),
-                                        'children_enable' => 0,
-                                    ),
-                                    array(
-                                        'val'             => 3,
-                                        'label'           => __('Individual accounts, individual Access keys', 'security-malware-firewall'),
-                                        'children_enable' => 0,
-                                    ),
-                                ),
-                                'title'            => __('WordPress Multisite Work Mode', 'security-malware-firewall'),
-                                'description'      => __('You can choose the work mode here for the child blogs and how they will operate with the CleanTalk Cloud. Press "?" for the detailed description.', 'security-malware-firewall'),
-                                'long_description' => true,
-                                'display'          => $spbc->is_network && $spbc->is_mainsite,
-                                'children'         => array('ms__hoster_api_key'),
-                                'value_source'     => 'network_settings',
-                            ),
-                            'ms__hoster_api_key'      => array(
-                                'type'                => 'field',
-                                'input_type'          => 'text',
-                                'title'               => __('Hoster access key', 'security-malware-firewall'),
-                                'description'         => __('Another API allowing you to hold multiple blogs on on account.', 'security-malware-firewall'),
-                                'class'               => 'spbc_middle_text_field',
-                                'title_first'         => true,
-                                'long_description'    => true,
-                                'display'             => $spbc->is_network && $spbc->is_mainsite,
-                                'disabled'            => ! isset($spbc->network_settings['ms__work_mode']) || $spbc->network_settings['ms__work_mode'] != 1,
-                                'value_source'        => 'network_settings',
-                                'parent_value_source' => 'network_settings',
-                                'parent'              => 'ms__work_mode',
-                            ),
-                            'ms__service_utilization' => array(
-                                'type'     => 'field',
-                                'callback' => 'spbc_field_service_utilization',
-                                'display'  => $spbc->is_network && $spbc->is_mainsite && $spbc->ms__work_mode == 1,
-                            ),
-                        ),
-                    ),
                     'auth'            => array(
                         'type'   => 'section',
                         'title'  => __('Authentication and Logging In', 'security-malware-firewall'),
@@ -1395,32 +1330,7 @@ function spbct_settings__the_settings_tab_draw($elem)
     $settings_content = ob_get_clean();
     // End buffer
 
-    $template = '
-    <div id="spbc-settings-general-wrapper" class="spbc-settings-general-wrapper">
-        <div id="spbc-settings-general-wrapper-settings">
-            %s
-        </div>
-        <div id="spbc-quicknav--bar_wrapper" class="spbc-quicknav--bar_wrapper">
-            %s
-        </div>
-    </div>
-    ';
-
-    // Settings form elements here
-    echo '<form id="spbc_settings_form" method="post" action="options.php" style="margin-right: 12px; margin-top: -9px;">';
-
-    // Service fields
-    echo "<input type='hidden' name='option_page' value='" . esc_attr(SPBC_SETTINGS) . "' />";
-    echo '<input type="hidden" name="action" value="update" />';
-    wp_nonce_field(SPBC_SETTINGS . '-options', '_wpnonce', false);
-
-    echo sprintf(
-        $template,
-        $settings_content,
-        spbc_settings__get_quick_navbar_html($elem)
-    );
-
-    echo '</form>';
+    echo $settings_content;
 }
 
 /**
@@ -2349,12 +2259,12 @@ function spbc_settings__create_notice_on_tab()
         $button_text = __('Request Malware removal', 'security-malware-firewall');
         $landing_page_link = LinkConstructor::buildCleanTalkLink(
             'banner_link_for_treatment',
-            'website-malware-removal',
+            'wordpress-malware-removal',
             array(
                 'email' => esc_attr($email),
                 'website' => esc_attr($website),
             ),
-            $domain = 'https://l.cleantalk.org'
+            $domain = 'https://cleantalk.org'
         );
         $button_div = '<div style="align-content: center;margin: 0 30px;">';
         $button_div .= '
@@ -4312,9 +4222,11 @@ function spbc_field_debug()
 {
     global $spbc;
 
-    echo '<form id="debug_drop" method="POST"></form>'
-         . '<form id="debug_check_connection" method="POST"></form>'
-         . '<form id="debug__cron_set" method="POST"></form>';
+    $nonce_field = wp_nonce_field('spbc_secret_nonce');
+
+    echo '<form id="debug_drop" method="POST">' . $nonce_field . '</form>'
+         . '<form id="debug_check_connection" method="POST">' . $nonce_field . '</form>'
+         . '<form id="debug__cron_set" method="POST">' . $nonce_field . '</form>';
 
     if ($spbc->debug) {
         $debug  = get_option(SPBC_DEBUG);
@@ -4563,18 +4475,6 @@ function spbc_sanitize_settings($settings)
      */
     do_action('spbc_before_returning_settings', $settings);
 
-    // Sync disallow file edit setting with FileEditorDisabler
-    if (is_multisite()) {
-        if (is_network_admin()) {
-            // Do save for network admin
-            update_site_option('spbc_network_misc_disable_file_editor', $settings['misc_disable_file_editor']);
-        } else {
-            // Always get from site option
-            $settings['misc_disable_file_editor'] = get_site_option('spbc_network_misc_disable_file_editor', 0);
-        }
-    }
-    FileEditorDisabler::syncDisallowFileEditBySettings($settings);
-
     // Try to add|remove content to .htaccess file
     if ($settings['wp__upload_dir_prevent_php_execution'] !== $spbc->settings['wp__upload_dir_prevent_php_execution']) {
         SpbcCron::updateTask('upload_dir_prevent_php_execution', 'spbc_upload_dir_prevent_php_execution', 86400, time() + 60);
@@ -5774,12 +5674,12 @@ function spbc__get_accordion_tab_info_block_html($for)
     $website = get_home_url();
     $landing_page_link = LinkConstructor::buildCleanTalkLink(
         'banner_link_for_treatment',
-        'website-malware-removal',
+        'wordpress-malware-removal',
         array(
             'email' => esc_attr($email),
             'website' => esc_attr($website),
         ),
-        $domain = 'https://l.cleantalk.org'
+        $domain = 'https://cleantalk.org'
     );
 
     $company_name = $spbc->default_data['wl_company_name'];

inc/spbc-settings.php

@@ -115,7 +115,7 @@ public function create($args, $params)
 
         self::prompt(__('Running synchronization process and SFW update init..', 'security_malware_firewall'));
 
-        spbc_sync(true);
+        spbc_sync();
         if ( $spbc->isHaveErrors() ) {
             self::prompt(__("Error occurred while syncing: ", 'security_malware_firewall'));
             self::prompt($spbc->errors, true);