v4.2.0 #237
Conversation
## Summary
- clarify PHP support expectations in the contributor instructions
- add security and coding-standard requirements to the agents guidelines
- extend the pre-submission checklist with security and localization reviews

## Testing
- not run (documentation-only change)

------
https://chatgpt.com/codex/tasks/task_b_68d77cbf21b88321a302f6b7124b54d5
## Summary
- add a helper that normalizes configured notification email addresses before wp_mail runs and fall back to the admin email when forced
- update the notification sender to use the sanitized recipient list instead of mutating stored settings
- cover the new helper and forced fallback logic with PHPUnit tests

## Testing
- `vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability-notifications.php tests` *(fails: existing project-level missing symbol issues)*
- `vendor/bin/phpunit` *(fails: WordPress test suite not installed in the container)*
- `vendor/bin/phpcs` *(fails: phpcs binary is not available in the workspace)*

------
https://chatgpt.com/codex/tasks/task_b_6901ef732ce88321903d94d36d5ddfe0
## Summary
- add the missing footer table row wrapper so the site URL renders correctly in notification emails
- keep the disable/manage notification links in their own row to restore the expected email layout

## Testing
- vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability-notifications.php *(fails: reports missing wpvulnerability_* helper functions already declared elsewhere)*
- vendor/bin/phpunit *(fails: WordPress test suite not installed in /tmp/wordpress-tests-lib)*
- vendor/bin/phpcs *(fails: PHPCompatibilityWP sniff not installed in the coding standards configuration)*

------
https://chatgpt.com/codex/tasks/task_b_690219a7116083218d67d17381dfda47
## Summary
- add coverage for admin cache, schedule, notification channel, and email sanitization helpers
- verify analyze settings respond to panel toggles and hide constants

## Testing
- vendor/bin/phpunit *(fails: WordPress test suite not installed)*
- vendor/bin/phpstan analyse --memory-limit=1G tests/test-admin-settings.php *(fails: WordPress testing classes/functions not autoloaded for PHPStan)*
- vendor/bin/phpcs *(fails: PHPCompatibilityWP sniff bundle unavailable in environment)*

------
https://chatgpt.com/codex/tasks/task_b_69021fab54708321be739a8303d1a1be
## Summary
- update AGENTS.md to document project structure, tooling, and compatibility expectations
- clarify required checks, coding standards, security requirements, and release checklist for the plugin

## Testing
- not run (documentation-only changes)

------
https://chatgpt.com/codex/tasks/task_b_69022340d4748321b051586fb14cadc7
## Summary
- add deterministic signatures for plugin and theme inventories so cache refreshes only when the installed list changes
- persist the running core version with cache metadata and clear new signature keys when caches are flushed

## Testing
- vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability-core.php wpvulnerability-plugins.php wpvulnerability-themes.php wpvulnerability-general.php *(fails: reports existing wpvulnerability_analyze_filter symbol issues and callback warnings)*
- vendor/bin/phpunit *(fails: missing /tmp/wordpress-tests-lib/includes/functions.php)*
- vendor/bin/phpcs wpvulnerability-core.php wpvulnerability-general.php wpvulnerability-plugins.php wpvulnerability-themes.php *(fails: PHPCompatibilityWP sniff not available in the environment)*

------
https://chatgpt.com/codex/tasks/task_b_6902277ab5a083219bcd7e6d419e8386
## Summary
- replace the two-column settings layout with WordPress nav tabs for Notifications, Analysis, Tools, and About
- mirror the tabbed layout in the multisite settings screen and keep existing forms intact
- add tab styling and JavaScript to manage panel visibility and URL hashes

## Testing
- vendor/bin/phpcs wpvulnerability-admin.php wpvulnerability-adminms.php *(fails: referenced sniff "PHPCompatibilityWP" does not exist)*

------
https://chatgpt.com/codex/tasks/task_b_690238f028688321bd296ed26a94add9
## Summary
- restructure the admin settings navigation to use query-based tabs that render one section at a time
- move each tab's markup into dedicated render helpers and ensure tools forms preserve their tab context
- drop the client-side tab toggling script that is no longer needed

## Testing
- `vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability-admin.php` *(fails: numerous plugin helpers are not autoloaded in this standalone run)*
- `vendor/bin/phpunit` *(fails: WordPress test library is not installed)*
- `vendor/bin/phpcs` *(fails: PHPCompatibilityWP sniff is not available in the tooling bundle)*

------
https://chatgpt.com/codex/tasks/task_b_6902412222d48321906aa635e743e972
## Summary
- guard against invalid statistics data before rendering the About tab content
- remove the project promotion block from the single-site About section
- fix the multisite About markup by dropping extra wrapper closures

## Testing
- `php -l wpvulnerability-admin.php`
- `php -l wpvulnerability-adminms.php`

------
https://chatgpt.com/codex/tasks/task_b_6902412222d48321906aa635e743e972
## Summary
- add a log retention selector to the new Logs tab for both single-site and multisite settings, honoring the WPVULNERABILITY_LOG_RETENTION_DAYS constant
- persist log retention through option sanitization and provide shared helpers to resolve defaults and forced values
- extend the WP-CLI config command set with `log-retention` to manage the new option from the command line

## Testing
- vendor/bin/phpstan analyse --memory-limit=1G *(fails: At least one path must be specified to analyse.)*
- vendor/bin/phpunit *(fails: Could not find /tmp/wordpress-tests-lib/includes/functions.php)*
- vendor/bin/phpcs *(fails: Referenced sniff "PHPCompatibilityWP" does not exist.)*

------
https://chatgpt.com/codex/tasks/task_b_690308626ecc8321a82c6beab7ca2b58
## Summary
- update all vulnerability notice images to reference the bundled SVG icon
- keep existing styling for icons so WordPress notices render consistently across contexts

## Testing
- `vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability-core.php wpvulnerability-plugins.php wpvulnerability-themes.php` *(fails: existing project configuration lacks symbol definitions, reporting missing wpvulnerability_* functions)*
- `vendor/bin/phpunit` *(fails: WordPress test library is not installed in the environment)*
- `vendor/bin/phpcs` *(fails: referenced PHPCompatibilityWP sniff is missing from the local ruleset)*

------
https://chatgpt.com/codex/tasks/task_b_690462e2475483218cb2b3f734f37622
## Summary
- convert remaining `@version` annotations to `@since` across general, process, multisite admin, and Site Health helpers
- add missing `@since` tags to the sanitization helpers and Site Health software checks so every function documents its introduction

## Testing
- vendor/bin/phpcs *(fails: Referenced sniff "PHPCompatibilityWP" does not exist.)*
- vendor/bin/phpstan analyse --memory-limit=1G *(fails: At least one path must be specified to analyse.)*
- vendor/bin/phpunit *(fails: Missing /tmp/wordpress-tests-lib setup)*

------
https://chatgpt.com/codex/tasks/task_b_6904628a05848321994e7e8b82310c1a
## Summary
- load the notifications module before handling URL-based opt-out requests and delegate to the shared handler
- add a PHPUnit test covering successful email opt-out requests updating the stored configuration

## Testing
- `vendor/bin/phpunit` *(fails: WordPress test library is not installed in the environment)*
- `vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability.php tests/test-notifications.php` *(fails: WordPress test classes and plugin functions are not autoloadable for PHPStan in this environment)*
- `vendor/bin/phpcs` *(fails: PHPCompatibilityWP sniff is unavailable in the toolchain)*

------
https://chatgpt.com/codex/tasks/task_b_69046cb259ac8321a6fc403d8416ac9f
## Summary
- adjust Memcached version detection to ignore empty or sentinel values returned by the Memcached extension and normalise the first valid version string
- align the Memcached detection unit test with the updated extraction logic

## Testing
- vendor/bin/phpstan analyse --memory-limit=1G
- vendor/bin/phpunit *(fails: missing WordPress test library in the test environment)*
- vendor/bin/phpcs *(fails: PHPCompatibilityWP sniff not available in the current PHPCS setup)*

------
https://chatgpt.com/codex/tasks/task_b_690450140924832185f70e05e56468d7
## Summary
- add a helper to generate the signed unsubscribe URL used by notification emails
- include an unsubscribe message in the HTML footer that also reminds admins they can set email frequency to "Never"
- add a regression test ensuring notification emails expose the unsubscribe mechanism

## Testing
- vendor/bin/phpunit *(fails: WordPress test library missing in environment)*
- vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability-notifications.php *(fails: existing symbols missing from analysis context)*
- vendor/bin/phpcs wpvulnerability-notifications.php tests/test-notifications.php *(fails: repository PHPCS configuration references unavailable sniff)*

------
https://chatgpt.com/codex/tasks/task_b_69046ebf23f88321b1b1f7b89b038524
## Summary
- add a helper to normalize version strings returned by Memcached and Memcache extensions
- rebuild the Memcached detection routine to avoid duplicate try/catch blocks that caused syntax errors and improve fallback handling

## Testing
- php -l wpvulnerability-general.php
- vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability-general.php
- vendor/bin/phpunit *(fails: WordPress test library not installed)*
- vendor/bin/phpcs *(fails: PHPCompatibilityWP sniff not available in the environment)*

------
https://chatgpt.com/codex/tasks/task_b_690474500b848321a40ad9c52e8c9c0e
## Summary
- require the general helper library before running the notification opt-out handler so normalization utilities are available during early loads

## Testing
- composer install --no-interaction
- vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability.php wpvulnerability-notifications.php wpvulnerability-general.php *(fails: existing missing function errors in notifications/general bootstrap)*
- vendor/bin/phpunit *(fails: WordPress test suite not installed)*
- vendor/bin/phpcs *(fails: missing PHPCompatibilityWP sniff in bundled ruleset)*

------
https://chatgpt.com/codex/tasks/task_b_69047c5bad8c8321b5dd78a2203afed4
## Summary
- replace the SVG logo in the notification email template with the bundled PNG icon so email clients can display it

## Testing
- vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability-notifications.php *(fails: Function wpvulnerability_normalize_notify_settings not found)*
- vendor/bin/phpunit *(fails: WordPress test library not installed)*
- vendor/bin/phpcs *(fails: Referenced sniff "PHPCompatibilityWP" does not exist)*

------
https://chatgpt.com/codex/tasks/task_b_69047c8f9020832196b4003b5aec5f32
## Summary
- ensure the WordPress cookie constants are loaded before handling the unsubscribe request
- keep the early opt-out handler compatible with multisite environments by bootstrapping default constants when needed

## Testing
- vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability.php *(fails: reports missing symbol definitions and DOING_CRON constant usage pre-existing in repository)*
- vendor/bin/phpunit *(fails: WordPress test suite not installed in container)*
- vendor/bin/phpcs *(fails: PHPCompatibilityWP sniff not available in container)*

------
https://chatgpt.com/codex/tasks/task_b_6904851c62ec83218eacb8682bec931d
## Summary
- update the changelog and readme to roll the 4.1.6/4.1.11 notes into a 4.2.0 release entry
- bump the plugin header metadata and version constant to 4.2.0
- align the uninstall test `@since` annotations with the 4.2.0 release

## Testing
- vendor/bin/phpunit *(fails: WordPress test library not installed)*
- vendor/bin/phpcs *(fails: missing PHPCompatibilityWP sniff)*
- vendor/bin/phpstan analyse --memory-limit=1G *(fails: no analysis paths configured)*

------
https://chatgpt.com/codex/tasks/task_b_690487782fd48321a6045b2d08c3e61d
## Summary
- guard detected software versions before sanitising them with wp_kses
- return null when detection helpers yield empty values to avoid PHP 8.1+ deprecation warnings

## Testing
- vendor/bin/phpunit *(fails: WordPress test library is not installed in the container)*
- vendor/bin/phpstan analyse --memory-limit=1G wpvulnerability-software.php *(fails: plugin helper functions are not autoloaded for standalone analysis)*
- vendor/bin/phpcs wpvulnerability-software.php *(fails: repository PHPCS configuration references a missing PHPCompatibilityWP sniff)*

------
https://chatgpt.com/codex/tasks/task_b_69048ff5fb60832180ca626377fa6725
id = id.replace(/row\/:/gi, '');
return /MSIE/.test(navigator.userAgent);

var re = new RegExp(/<\/?(\w+)((\s+\w+(\s*=\s*(?:".*?"|'.*?'|[^'">\s]+))?)+\s*|\s*)\/?>/gim);
Check failure: Code scanning / CodeQL: Inefficient regular expression (High, library)
Copilot Autofix (AI, 29 days ago)
To fix the inefficiency, the regex should be rewritten to avoid ambiguous matches within the alternation. Specifically, replace ".*?" and '.*?' with "[^"]*" and '[^']*', respectively. This way, quoted attribute values only match up to the next quote, eliminating the ambiguity that leads to exponential backtracking.
In the file vendor/squizlabs/php_codesniffer/src/Standards/Squiz/Tests/Formatting/OperatorBracketUnitTest.js, find line 76, which creates the problematic RegExp. Change the pattern:
- Replace `".*?"` with `"[^"]*"`
- Replace `'.*?'` with `'[^']*'`
No imports or extra library code are needed; just a replacement of the regex pattern string.
| @@ -73,7 +73,7 @@ | ||
| id = id.replace(/row\/:/gi, ''); | ||
| return /MSIE/.test(navigator.userAgent); | ||
|
|
||
| var re = new RegExp(/<\/?(\w+)((\s+\w+(\s*=\s*(?:".*?"|'.*?'|[^'">\s]+))?)+\s*|\s*)\/?>/gim); | ||
| var re = new RegExp(/<\/?(\w+)((\s+\w+(\s*=\s*(?:"[^"]*"|'[^']*'|[^'">\s]+))?)+\s*|\s*)\/?>/gim); | ||
|
|
||
| var options = { | ||
| minVal: -1, |
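Review bot: The file this hunk edits, vendor/squizlabs/php_codesniffer/src/Standards/Squiz/Tests/Formatting/OperatorBracketUnitTest.js, is a vendored dependency's test fixture (it lives under Tests/ and is input data for the Squiz OperatorBracket sniff's unit test, not code the plugin runs), so patching it locally is overwritten by the next composer install and may change what that sniff test expects. Prefer excluding vendor/ from code scanning (or not committing vendor/ at all) and reporting the pattern upstream instead of applying this substitution in the plugin repository. The substitution itself is sound: `"[^"]*"` and `'[^']*'` stop a quoted value from spanning its own quote character, which removes the overlap with the unquoted `[^'">\s]+` branch that lets the engine try every pairing of quotes on an unterminated tag.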
id = id.replace(/row\/:/gi, '');
return /MSIE/.test(navigator.userAgent);

var re = new RegExp(/<\/?(\w+)((\s+\w+(\s*=\s*(?:".*?"|'.*?'|[^'">\s]+))?)+\s*|\s*)\/?>/gim);
Check failure: Code scanning / CodeQL: Inefficient regular expression (High, library)
Copilot Autofix (AI, 29 days ago)
To fix this problem, the ambiguous .*? in the alternations for quoted attribute values should be replaced with a more precise expression that matches any character except for the quote character and does not allow for matching the closing quote, removing ambiguity between the alternatives. That is, replace ".*?" by "[^"]*", and similarly replace '.*?' by '[^']*'. This change eliminates the problematic overlapping alternatives and the possibility for exponential backtracking while preserving the intent ("match a quoted string, with inner content not containing the closing quote").
Edit only line 76 in vendor/squizlabs/php_codesniffer/src/Standards/Squiz/Tests/Formatting/OperatorBracketUnitTest.js and make this change. No new imports or definitions are required.
| @@ -73,7 +73,7 @@ | ||
| id = id.replace(/row\/:/gi, ''); | ||
| return /MSIE/.test(navigator.userAgent); | ||
|
|
||
| var re = new RegExp(/<\/?(\w+)((\s+\w+(\s*=\s*(?:".*?"|'.*?'|[^'">\s]+))?)+\s*|\s*)\/?>/gim); | ||
| var re = new RegExp(/<\/?(\w+)((\s+\w+(\s*=\s*(?:"[^"]*"|'[^']*'|[^'">\s]+))?)+\s*|\s*)\/?>/gim); | ||
|
|
||
| var options = { | ||
| minVal: -1, |
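Review bot: This suggestion is byte-for-byte the same change as the previous one (same hunk `@@ -73,7 +73,7 @@`, same replacement for line 76), so only one of the two autofixes should be applied; committing both would produce a conflicting duplicate. The same caveat applies: the target is a vendored PHP_CodeSniffer test fixture, so the change belongs upstream, or vendor/ should be excluded from scanning rather than edited here.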
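An added regression check for the fix described in the two Copilot Autofix explanations above (example code written for this page, not part of the PR or of the php_codesniffer fixture): it confirms the corrected pattern finds the same tags as the flagged one on ordinary markup, and shows that an unterminated tag with repeated quoted attributes, where the flagged pattern's cost doubles per attribute, stays cheap for the corrected pattern. Only the two regexes come from the page; the sample markup, helper names and the pathological input are the example's own.

```javascript
// Added example: regression checks for the CodeQL "inefficient regular expression"
// fix. The two patterns are copied from the autofix diff; everything else is constructed.

// Pattern as flagged on line 76: ".*?" and '.*?' may pair an opening quote with
// any later quote, which overlaps with the unquoted [^'">\s]+ alternative.
const TAG_RE_FLAGGED = /<\/?(\w+)((\s+\w+(\s*=\s*(?:".*?"|'.*?'|[^'">\s]+))?)+\s*|\s*)\/?>/gim;
// Pattern as suggested by the autofix: a quoted value cannot span its own quote.
const TAG_RE_FIXED = /<\/?(\w+)((\s+\w+(\s*=\s*(?:"[^"]*"|'[^']*'|[^'">\s]+))?)+\s*|\s*)\/?>/gim;

// Every tag a pattern finds in `html`, in document order.
function findTags(re, html) {
  return html.match(re) || [];
}

// Constructed sample of ordinary markup (double-, single- and unquoted attributes,
// a closing tag, a self-closing tag and an empty attribute value).
const SAMPLE_HTML = '<p class="x" id=\'y\' title=t>text</p><br/><img src="a.png" alt="">';

// The fix must not change what the fixture matches on well-formed input.
function fixPreservesMatches(html = SAMPLE_HTML) {
  const before = findTags(TAG_RE_FLAGGED, html);
  const after = findTags(TAG_RE_FIXED, html);
  return before.length === after.length && before.every((tag, i) => tag === after[i]);
}

// Constructed pathological input: an unterminated tag with n empty quoted attributes.
// With ".*?" each opening quote can be paired with any later quote, so the flagged
// pattern explores roughly 2^n partitions before it can report "no match".
function pathologicalTag(n) {
  return '<a' + ' x=""'.repeat(n);
}

// Run one search and report whether it matched and how long it took.
function timedSearch(re, input) {
  re.lastIndex = 0;
  const start = Date.now();
  const matched = re.exec(input) !== null;
  return { matched, ms: Date.now() - start };
}

// Demonstration: n = 10 is still cheap for both patterns; raising n for
// TAG_RE_FLAGGED (e.g. to 25) takes seconds, while TAG_RE_FIXED stays linear.
console.log('fix preserves matches:', fixPreservesMatches());
console.log('flagged, n=10:', timedSearch(TAG_RE_FLAGGED, pathologicalTag(10)));
console.log('fixed, n=2000:', timedSearch(TAG_RE_FIXED, pathologicalTag(2000)));
```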
if (pairs[i].search(/=/) !== -1) {
}

if (urlValue.search(/[a-zA-z]+:\/\//) !== 0) {
Check warning: Code scanning / CodeQL: Overly permissive regular expression range (Medium, library)
Copilot Autofix (AI, 29 days ago)
To fix this problem, replace all instances of [a-zA-z] in regular expressions with [A-Za-z]. This specifically and only matches the uppercase letters (A-Z) and lowercase letters (a-z), which is the actual intent.
In this file, vendor/squizlabs/php_codesniffer/src/Standards/Squiz/Tests/Formatting/OperatorBracketUnitTest.js, the problematic regex appears at least in line 98 and line 101, both in checking a URL value's scheme.
No additional imports or dependencies are needed because the fix is only about changing characters in the regexp pattern.
| @@ -95,10 +95,10 @@ | ||
| if (pairs[i].search(/=/) !== -1) { | ||
| } | ||
|
|
||
| if (urlValue.search(/[a-zA-z]+:\/\//) !== 0) { | ||
| if (urlValue.search(/[A-Za-z]+:\/\//) !== 0) { | ||
| } | ||
|
|
||
| if (urlValue.search(/[a-zA-z]+:\/\/*/) !== 0) { | ||
| if (urlValue.search(/[A-Za-z]+:\/\/*/) !== 0) { | ||
| } | ||
|
|
||
| if (!value || /^\s*$/.test(value)) { |
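Review bot: The second replacement in this hunk, `/[A-Za-z]+:\/\/*/` on R101, fixes the range but keeps a separate slip: the trailing `*` quantifies only the final `\/`, so the check accepts `scheme:/` followed by zero or more slashes (a single slash passes) instead of requiring `://` as R98 does. If both lines are meant to be the same scheme test, drop the `*` so R101 matches R98; if extra slashes are intended, `\/\/+` says so precisely. On the defect being fixed, `A-z` spans ASCII 0x41 to 0x7A and therefore also admits `[`, `\`, `]`, `^`, `_` and the backtick, so the original check treated a value built only from that punctuation and `://` as having a URL scheme. As with the other alerts, this is a vendored PHP_CodeSniffer test fixture, so the change belongs upstream or vendor/ should be excluded from scanning.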
if (urlValue.search(/[a-zA-z]+:\/\//) !== 0) {
}

if (urlValue.search(/[a-zA-z]+:\/\/*/) !== 0) {
Check warning: Code scanning / CodeQL: Overly permissive regular expression range (Medium, library)
Copilot Autofix (AI, 29 days ago)
To fix the issue, the regular expression character range [A-z] should be replaced with [A-Za-z], which precisely matches English alphabetic characters in both upper and lower case. This avoids unintended matches for symbols between Z and a in ASCII. The repair should be applied to all instances where [A-z] appears in a pattern intended for alphabetic characters. In this file, lines 98 and 101 both use [a-zA-z] and should be updated to [A-Za-z].
Required changes:
- On line 98: Change /[a-zA-z]+:\/\// → /[A-Za-z]+:\/\//
- On line 101: Change /[a-zA-z]+:\/\/*/ → /[A-Za-z]+:\/\/*/
No new methods or imports are required.
| @@ -95,10 +95,10 @@ | ||
| if (pairs[i].search(/=/) !== -1) { | ||
| } | ||
|
|
||
| if (urlValue.search(/[a-zA-z]+:\/\//) !== 0) { | ||
| if (urlValue.search(/[A-Za-z]+:\/\//) !== 0) { | ||
| } | ||
|
|
||
| if (urlValue.search(/[a-zA-z]+:\/\/*/) !== 0) { | ||
| if (urlValue.search(/[A-Za-z]+:\/\/*/) !== 0) { | ||
| } | ||
|
|
||
| if (!value || /^\s*$/.test(value)) { |
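Review bot: Duplicate of the suggestion above for lines 98 and 101 (identical hunk `@@ -95,10 +95,10 @@` and identical replacement lines), so only one of the two should be applied. The remaining issue is the same here: on R101 the trailing `*` in `\/\/*` quantifies only the last slash, so `scheme:/` with a single slash still passes the check; drop the `*` to match R98, or use `\/\/+` if additional slashes are intended.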
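An added check for the range defect described in the two autofix explanations above (example code for this page, not from the PR or the php_codesniffer fixture): it enumerates what `[a-zA-z]` accepts beyond letters, mirrors the fixture's scheme test with the flagged and corrected classes, and shows what the `\/\/*` suffix kept on line 101 lets through. The three regexes come from the diff; the sample values and helper names are the example's own.

```javascript
// Added example: what the overly permissive [a-zA-z] range admits, and how it
// affects the fixture's "does this value start with a URL scheme" check.

const SCHEME_RE_FLAGGED = /[a-zA-z]+:\/\//;  // line 98 before the fix
const SCHEME_RE_FIXED = /[A-Za-z]+:\/\//;    // line 98 after the fix
const SCHEME_RE_LINE101 = /[A-Za-z]+:\/\/*/; // line 101 after the fix: "*" applies to the last "/" only

// All ASCII characters that the flagged class accepts but the corrected one rejects.
// A-z spans 0x41..0x7A, so the six characters between 'Z' and 'a' slip in.
function extraCharsInRange() {
  const extra = [];
  for (let code = 0; code < 128; code++) {
    const ch = String.fromCharCode(code);
    if (/[a-zA-z]/.test(ch) && !/[A-Za-z]/.test(ch)) extra.push(ch);
  }
  return extra.join('');
}

// Mirrors the fixture's test: the value is treated as having a scheme when the
// pattern matches at offset 0 (search() === 0).
function hasScheme(re, value) {
  return value.search(re) === 0;
}

// Constructed values: a real scheme, a "scheme" built only from the leaked
// punctuation, and a scheme followed by a single slash.
const SAMPLES = ['https://example.test', '^_^://example.test', 'http:/example.test'];

// Which samples each pattern accepts, for side-by-side comparison.
function accepted(re) {
  return SAMPLES.filter((value) => hasScheme(re, value));
}

console.log('extra characters admitted by [a-zA-z]:', JSON.stringify(extraCharsInRange()));
console.log('flagged line 98 accepts:', accepted(SCHEME_RE_FLAGGED));
console.log('fixed line 98 accepts:  ', accepted(SCHEME_RE_FIXED));
console.log('fixed line 101 accepts: ', accepted(SCHEME_RE_LINE101));
```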
🔍 Amplify code check status: Issues (click on a CWE to view the vulnerability in Amplify)
[4.2.0] - 2025-10-31
Added
- `WPVULNERABILITY_LOG_RETENTION_DAYS` to enforce log rotation from `wp-config.php`.
Updated
Fixed
Compatibility
Tests