From 516bdc173a81c12e5ed3025fbb9424bbf1ab40d8 Mon Sep 17 00:00:00 2001
From: azett
Date: Fri, 30 Dec 2022 12:46:35 +0100
Subject: [PATCH 1/3] check for correct admin referer on delete entry (see #64)

---
 admin/panels/entry/admin.entry.delete.php | 3 +++
 fp-includes/core/core.wp-pluggable-funcs.php | 19 +++++++++++++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/admin/panels/entry/admin.entry.delete.php b/admin/panels/entry/admin.entry.delete.php
index 752170d..256cc24 100755
--- a/admin/panels/entry/admin.entry.delete.php
+++ b/admin/panels/entry/admin.entry.delete.php
@@ -45,6 +45,9 @@ class admin_entry_delete extends AdminPanelAction {
 }
 
 function ondelete() {
+ // at first: check if nonce was given correctly
+ check_admin_referer('admin_entry_delete');
+
 $id = $_REQUEST ['entry'];
 $ok = draft_delete($id) || entry_delete($id);
 
diff --git a/fp-includes/core/core.wp-pluggable-funcs.php b/fp-includes/core/core.wp-pluggable-funcs.php
index 9849c27..3f00016 100755
--- a/fp-includes/core/core.wp-pluggable-funcs.php
+++ b/fp-includes/core/core.wp-pluggable-funcs.php
@@ -327,6 +327,15 @@ endif;
 
 if (!function_exists('wp_verify_nonce')) :
 
+ /**
+ * Verifies the given nonce for the given action string.
+ *
+ * @param string $nonce
+ the nonce to verify
+ * @param string $action
+ the action
+ * @return boolean true if the nonce is valid; false otherwise
+ */
 function wp_verify_nonce($nonce, $action = -1) {
 $user = user_get();
 $uid = $user ['userid'];
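Review bot: The result of the added `check_admin_referer('admin_entry_delete');` is discarded, so the draft_delete()/entry_delete() calls on the following context lines are only protected if FlatPress's pluggable check_admin_referer() terminates the request on a bad nonce the way the WordPress original does; its definition is not part of this patch, so that behaviour should be confirmed before relying on it. If it only returns false, the guard must be explicit, e.g. `if (!check_admin_referer('admin_entry_delete')) { return; }`, adapted to whatever ondelete() is expected to return — its body continues past the hunk. The same question applies to the identical calls added to dodisable() and doenable() in admin/panels/plugin/admin.plugin.php in the second patch of this series.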
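Review bot: The new docblock on wp_verify_nonce declares `@param string $action` although the signature on the next line defaults it to `-1`, so the documented type does not cover the default value; `@param string|int $action` with a sentence saying that -1 means "no specific action" would match the code. `@return boolean` should be the short form `@return bool` per PHPDoc convention, and "the action" is more useful as `the action string the nonce was generated for` so a reader knows it must match the value used when the nonce was created.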
@@ -334,11 +343,13 @@ if (!function_exists('wp_verify_nonce')) :
 // new nonce each 12 hours
 $i = ceil(time() / (60 * 60 * 12));
 
- // Allow for expanding range, but only do one check if we can
+ // The nonce we expect for the given action at the current time
 $expectedNonce = substr(wp_hash($i . $action . $uid), -12, 10);
- if ($expectedNonce == $nonce || substr(wp_hash(($i - 1) . $action . $uid), -12, 10) == $nonce)
- return true;
- return false;
+ // The nonce we expect for the given action in the previous time period
+ $expectedPreviousNonce = substr(wp_hash(($i - 1) . $action . $uid), -12, 10);
+
+ // given nonce must match the current or the previous nonce
+ return $nonce == $expectedNonce || $nonce == $expectedPreviousNonce;
 }
 
 endif;

From 37597afee848c118c2ae5bfaa00d19e8278ce2fb Mon Sep 17 00:00:00 2001
From: azett
Date: Fri, 30 Dec 2022 12:52:03 +0100
Subject: [PATCH 2/3] check for correct admin referer on enable/disable plugin (see #64)

---
 admin/panels/plugin/admin.plugin.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/admin/panels/plugin/admin.plugin.php b/admin/panels/plugin/admin.plugin.php
index dded24f..e29d4df 100644
--- a/admin/panels/plugin/admin.plugin.php
+++ b/admin/panels/plugin/admin.plugin.php
@@ -53,6 +53,9 @@ class admin_plugin_default extends AdminPanelAction {
 }
 
 function dodisable($id) {
+ // at first: check if nonce was given correctly
+ check_admin_referer('admin_plugin_default_disable_' . $id);
+
 $fp_plugins = $this->fp_plugins;
 $success = -1;
 
@@ -78,6 +81,9 @@ class admin_plugin_default extends AdminPanelAction {
 }
 
 function doenable($id) {
+ // at first: check if nonce was given correctly
+ check_admin_referer('admin_plugin_default_enable_' . $id);
+
 $success = -1;
 $fp_plugins = $this->fp_plugins;
 

From 8c79821e9e8366c732b63cb0c38341a017bd7203 Mon Sep 17 00:00:00 2001
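Review bot: The rewritten return on the last added line of the wp_verify_nonce hunk still compares the request-supplied `$nonce` with `==`; PHP compares two numeric strings numerically, so a 10-character hash fragment that happens to consist only of digits (including the `0e…` form) can compare equal to a differently spelled value, and the comparison is not constant-time either. Both problems go away with `return hash_equals($expectedNonce, (string) $nonce) || hash_equals($expectedPreviousNonce, (string) $nonce);` — the cast is needed because `$nonce` comes from the request and hash_equals() throws a TypeError for non-string arguments on PHP 8. The hunk leaves the 12-hour window and the hash input untouched, and the function's opening lines are outside it.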
From: Arvid Zimmermann
Date: Fri, 30 Dec 2022 12:56:23 +0100
Subject: [PATCH 3/3] Update CHANGELOG.md

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b82e392..911c123 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -45,7 +45,6 @@
 
 ## Security
 - Possible XSS prevented: Session cookie missed the "secure" and "httponly" flags
-- Possible path traversal in Media Manager plugin prevented
 - Proper check of uploaded files ([#152](https://github.com/flatpressblog/flatpress/issues/152), [#170](https://github.com/flatpressblog/flatpress/issues/170))
 - Possible XSS prevented: Admin Area URL ([#153](https://github.com/flatpressblog/flatpress/issues/153))
 - Possible XSS prevented: SVG/XML/MD upload ([#172](https://github.com/flatpressblog/flatpress/issues/172), [#178](https://github.com/flatpressblog/flatpress/issues/178))
@@ -54,6 +53,7 @@
 - Possible XSS in Media Manager plugin prevented ([#177](https://github.com/flatpressblog/flatpress/issues/177))
 - Possible path traversal in Media Manager plugin prevented ([#179](https://github.com/flatpressblog/flatpress/issues/179))
 - Possible XSSs in Admin Area prevented ([#180](https://github.com/flatpressblog/flatpress/issues/180), [#183](https://github.com/flatpressblog/flatpress/issues/183))
+- Possible CSRFs in Admin Area prevented ([#64](https://github.com/flatpressblog/flatpress/issues/64))
 
 # 2021-06-19: [FlatPress 1.2.1](https://github.com/flatpressblog/flatpress/releases/tag/1.2.1)
 ## Bugfixes