security vulnerability fix (#638)

README.md

@@ -17,7 +17,7 @@ Official Download Link:
 
 **Requires at least:** 4.7
 
-**Tested up to:** 6.6
+**Tested up to:** 6.7
 
 **License:** GPLv2 or later
 

includes/class-boldgrid-editor-preview.php

@@ -178,7 +178,9 @@ public function set_dynamic_template( $template ) {
 	public function template_via_url( $template ) {
 		global $post;
 
-		$template_choice = ! empty( $_GET['template_choice'] ) ? $_GET['template_choice'] : false;
+		$template_choice = ! empty( $_GET['template_choice'] ) ?
+			$this->sanitize_template_choice( $_GET['template_choice'] ) :
+			false;
 
 		if ( $post && self::is_template_via_url() ) {
 			$template_choice = ( 'default' === $template_choice ) ? 'page.php' : $template_choice;
@@ -195,6 +197,38 @@ public function template_via_url( $template ) {
 		return $template;
 	}
 
+	/**
+	 * Sanitize the template choice.
+	 * 
+	 * This is used to prevent directory traversal attacks
+	 * by ensuring that the template choice is either in the
+	 * theme folder, parent theme folder, theme-compat or
+	 * plugin template folder.
+	 */
+	public static function sanitize_template_choice( $template_choice ) {
+		// Template is in current theme folder.
+		if ( 0 === strpos( realpath( $template_choice ), realpath( STYLESHEETPATH ) ) ) {
+			return true;
+		}
+
+		// Template is in current or parent theme folder.
+		if ( 0 === strpos( realpath( $template_choice ), realpath( TEMPLATEPATH ) ) ) {
+			return true;
+		}
+
+		// Template is in theme-compat folder.
+		if ( 0 === strpos( realpath( $template_choice ), realpath( ABSPATH . WPINC . '/theme-compat/' ) ) ) {
+			return true;
+		}
+
+		// Template is in plugin template folder.
+		if ( 0 === strpos( realpath( $template_choice ), realpath( BOLDGRID_EDITOR_PATH . '/includes/template/' ) ) ) {
+			return true;
+		}
+
+		return false;
+	}
+
 	/**
 	 * Check if the user has enabled template via url.
 	 *

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "boldgrid-editor",
-	"version": "1.27.6",
+	"version": "1.27.7",
 	"description": "Post and Page Builder is a standalone plugin which adds functionality to the existing TinyMCE Editor.",
 	"main": "assets/js/editor.js",
 	"scripts": {

post-and-page-builder.php

@@ -3,7 +3,7 @@
  * Plugin Name: Post and Page Builder
  * Plugin URI: https://www.boldgrid.com/boldgrid-editor/?utm_source=ppb-wp-repo&utm_medium=plugin-uri&utm_campaign=ppb
  * Description: Customized drag and drop editing for posts and pages. The Post and Page Builder adds functionality to the existing TinyMCE Editor to give you easier control over your content.
- * Version: 1.27.6
+ * Version: 1.27.7
  * Author: BoldGrid <[email protected]>
  * Author URI: https://www.boldgrid.com/?utm_source=ppb-wp-repo&utm_medium=author-uri&utm_campaign=ppb
  * Text Domain: boldgrid-editor

readme.txt

@@ -4,7 +4,7 @@ Tags: boldgrid, page builder, drag and drop, tinymce, editor, landing page
 Requires at least: 4.7
 Tested up to: 6.7
 Requires PHP: 5.4
-Stable tag: 1.27.6
+Stable tag: 1.27.7
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -134,6 +134,9 @@ WordPress Editor.
 
 == Changelog ==
 
+= 1.27.7 = 
+* Security Update: Resolved a security vulnerability reported by WordFence [#637](https://github.com/BoldGrid/post-and-page-builder/issues/637)
+
 = 1.27.6 =
 * Security Update: Resolved a security vulnerability reported by PatchStack [#635](https://github.com/BoldGrid/post-and-page-builder/issues/635)