From e66f0f078e987a6cffd9954d94a06d961589ff8b Mon Sep 17 00:00:00 2001
From: Kunal Nagar <2741371+kunalnagar@users.noreply.github.com>
Date: Tue, 17 Jan 2023 18:40:54 -0500
Subject: [PATCH] fix: CSRF in Logs form (#61)

---
 admin/AdminClass.php | 4 ++--
 admin/views/logs.php | 1 +
 custom-404-pro.php   | 2 +-
 readme.txt           | 5 ++++-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/admin/AdminClass.php b/admin/AdminClass.php
index 491a277..391f94e 100755
--- a/admin/AdminClass.php
+++ b/admin/AdminClass.php
@@ -113,12 +113,12 @@ public function form_settings_general() {
 
     public function custom_404_pro_admin_init() {
         global $wpdb;
-        if(current_user_can('administrator')) {
+        if( current_user_can( 'administrator' ) && wp_verify_nonce( $_REQUEST['form-logs-options'], 'form-logs-options' ) ) {
             if ( array_key_exists( 'action', $_REQUEST ) ) {
                 $action = sanitize_text_field($_REQUEST['action']);
                 if ( $action === 'c4p-logs--delete' ) {
                     if ( array_key_exists( 'path', $_REQUEST ) ) {
-                        $this->helpers->delete_logs( sanitize_url($_REQUEST['path']) );
+                        $this->helpers->delete_logs( $_REQUEST['path'] );
                         $message = urlencode( 'Log(s) successfully deleted!' );
                         wp_redirect( admin_url( 'admin.php?page=c4p-main&c4pmessage=' . $message . '&c4pmessageType=success' ) );
                     } else {
diff --git a/admin/views/logs.php b/admin/views/logs.php
index 16d01c2..1c507f4 100755
--- a/admin/views/logs.php
+++ b/admin/views/logs.php
@@ -12,6 +12,7 @@
 	<form id="form_logs" method="GET">
 		<!-- For plugins, we also need to ensure that the form posts back to our current page -->
 		<input type="hidden" name="page" value="<?php echo sanitize_text_field($_REQUEST['page']); ?>" />
+        <?php wp_nonce_field("form-logs-options", "form-logs-options"); ?>
 		<!-- Now we can render the completed list table -->
 		<p class="search-box">
 			<label class="screen-reader-text" for="search_id-search-input">Search</label>
diff --git a/custom-404-pro.php b/custom-404-pro.php
index a133600..3799be3 100755
--- a/custom-404-pro.php
+++ b/custom-404-pro.php
@@ -4,7 +4,7 @@
 Plugin Name: Custom 404 Pro
 Plugin URI: https://wordpress.org/plugins/custom-404-pro/
 Description: Override the default 404 page with any page or a custom URL from the Admin Panel.
-Version: 3.7.1
+Version: 3.7.2
 Author: Kunal Nagar
 Author URI: https://www.kunalnagar.in
 License: GPL-2.0+
diff --git a/readme.txt b/readme.txt
index 219bbea..a60bebf 100755
--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://www.paypal.me/kunalnagar88/10
 Tags: wordpress, 404, 404 error page, 404 link, 404 page, broken link, custom 404, custom 404 error, custom 404 error page, custom 404 page, customize 404, customize 404 error page, customize 404 page, error, error page, missing, page, page not found, page not found error
 Requires at least: 3.0.1
 Tested up to: 6.1
-Stable tag: 3.7.1
+Stable tag: 3.7.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -55,6 +55,9 @@ Uninstall the plugin from the Plugins page (important!) and reinstall it. Never
 
 == Changelog ==
 
+= 3.7.2 =
+* Fix CSRF vulnerability in Logs table
+
 = 3.7.1 =
 * Fix path vulnerability