Thanks to visit codestin.com
Credit goes to github.com

Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: Codeinwp/visualizer
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v4.0.4
Choose a base ref
...
head repository: Codeinwp/visualizer
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v4.0.5
Choose a head ref
  • 6 commits
  • 10 files changed
  • 5 contributors

Commits on Jun 30, 2026

  1. Sync branch [skip ci]

    pirate-bot authored Jun 30, 2026
    Configuration menu
    Copy the full SHA
    2b32603 View commit details
    Browse the repository at this point in the history
  2. Sync branch [skip ci]

    pirate-bot authored Jun 30, 2026
    Configuration menu
    Copy the full SHA
    aa36ff4 View commit details
    Browse the repository at this point in the history

Commits on Jul 8, 2026

  1. fix: prevent SSRF via JSON import handlers

    The `getJsonRoots()` and `getJsonData()` AJAX handlers verified only a
    nonce before fetching a user-supplied URL server-side, and the fetch used
    the unsafe `wp_remote_request()`. A Contributor (edit_posts) could read the
    nonce from the chart editor and make WordPress fetch arbitrary internal
    URLs, with the response reflected back (non-blind SSRF).
    
    - Add a `current_user_can( 'edit_posts' )` guard to both handlers, matching
      the sibling AJAX handlers in the file.
    - Switch `Visualizer_Source_Json::connect()` to `wp_safe_remote_request()`,
      matching the SSRF-safe transport already used by the CSV/remote path.
    - Add regression tests covering the capability guard and safe transport.
    
    Fixes Codeinwp/visualizer-pro#591
    
    Co-Authored-By: Claude Fable 5 <[email protected]>
    RaduCristianPopescu and claude committed Jul 8, 2026
    Configuration menu
    Copy the full SHA
    fa41530 View commit details
    Browse the repository at this point in the history

Commits on Jul 10, 2026

  1. Merge pull request #1331 from Codeinwp/fix/json-import

    fix: prevent SSRF via JSON import handlers
    vytisbulkevicius authored Jul 10, 2026
    Configuration menu
    Copy the full SHA
    5c3946e View commit details
    Browse the repository at this point in the history
  2. release: fixes

    - Enhanced security
    vytisbulkevicius authored Jul 10, 2026
    Configuration menu
    Copy the full SHA
    73770b6 View commit details
    Browse the repository at this point in the history
  3. chore(release): 4.0.5

    ##### [Version 4.0.5](v4.0.4...v4.0.5) (2026-07-10)
    
    - Enhanced security
    pirate-bot committed Jul 10, 2026
    Configuration menu
    Copy the full SHA
    72ebc74 View commit details
    Browse the repository at this point in the history
Loading