Demo slot Philippines.REGISTER NOW GET FREE 888 PESOS REWARDS!

Resolved Arashtad
(@arashtad)

9 months, 4 weeks ago
When user’s logged in and tries to view a license that doesn’t exist, an error is generated that is not handled by the plugin. For example is there’s no license with ID 123 and the user calls:

https://example.com/my-account/view-license-keys/123/

The plugin doesn’t handle the error properly and depending on the theme error handling logic, sensitive information about server directory structure, database, and tokens can be revealed.

The issue is cause by /wp-content/plugins/license-manager-for-woocommerce/includes/Integrations/WooCommerce/MyAccount.php at line 238 in viewLicenseKeys() and can be solved by a simple if statement like:
```
if($license != null) {

	$decrypted = $license->getDecryptedLicenseKey();

    if ( is_wp_error( $decrypted ) ) {
        echo sprintf( '<p>%s</p>', $decrypted->get_error_message() );

    	return;
	}
	echo wc_get_template_html(
        'myaccount/single.php',
        array(
        	'license'     => $license,
    	    'license_key' => $license->getDecryptedLicenseKey(),
	        'product'     => ! empty( $license->getProductId() ) ? wc_get_product( $license->getProductId() ) : null,
            'order'       => ! empty( $license->getOrderId() ) ? wc_get_order( $license->getOrderId() ) : null,
            'date_format' => get_option( 'date_format' ),
        ),
        '',
        LMFWC_TEMPLATES_DIR
	);
}
else {
	echo 'Invalid license key';
}
```
Please proceed as it can be misused and put websites in danger easily.
- This topic was modified 9 months, 4 weeks ago by Arashtad.
The page I need help with: [log in to see the link]

Viewing 9 replies - 1 through 9 (of 9 total)

Plugin Support Mirza Hamza
(@hamza1010)

9 months, 4 weeks ago

Hello @arashtad,

Thanks for contacting us,

Hope you are doing well, We’ve informed our technical team about your issue, and they will work on it promptly. When we receive their response, we will get back to you. Our team is here to assist you.

Thanks & Regards
WP Experts Support Team

Plugin Support Mirza Hamza
(@hamza1010)

9 months, 4 weeks ago

Hello @arashtad,

Thanks for reaching us,

Hope you are doing well, We have added the code and will fix it in the next release. Please use the updated plugin on your site and let me know if you still have any issues.

Here is the updated plugin: Download Plugin.

Thanks & Regards
WP Experts Support Team
Thread Starter Arashtad
(@arashtad)

9 months, 4 weeks ago
Thank you for the prompt action and great support. I checked the code and found the modification exactly as expected.
We’ve had a lot of customization done on this powerful plugin using the methods provided in your documentation, template override, etc. But, this one was an already defined function and there was no standard way to modify it unless you do it. Because, our changes would be erased by each update and I’m not a fan of copying and locking others’ plugins; and you did it way quicker and cleaner than what I was expecting.

Thank you and your technical team.
- This reply was modified 9 months, 4 weeks ago by Arashtad.
Plugin Support Mirza Hamza
(@hamza1010)

9 months, 3 weeks ago

Thanks for the feedback.

wpsupacc
(@wpsupacc)

9 months, 3 weeks ago

When is this update going to be pushed to all users ?

Plugin Support Mirza Hamza
(@hamza1010)

9 months, 3 weeks ago

Hello @wpsupacc,

We will add this in an upcoming release.

Thank you
Thread Starter Arashtad
(@arashtad)

6 months, 2 weeks ago
The bug is back.

Your update after my message solved the problem. But, it seems in the newer versions it’s forgotten to be implemented. It would be great if you add this fix to the main branch of your development version to make sure the future updates are equipped with it.

Just add:

if($license != null)

to /wp-content/plugins/license-manager-for-woocommerce/includes/Integrations/WooCommerce/MyAccount.php at line 238 like:
```
if($license != null) {
        	$decrypted = $license->getDecryptedLicenseKey();
        	if ( is_wp_error( $decrypted ) ) {
            	echo sprintf( '<p>%s</p>', $decrypted->get_error_message() );

            	return;
        	}
        	echo wc_get_template_html(
            	'myaccount/single.php',
            	array(
                	'license'     => $license,
                	'license_key' => $license->getDecryptedLicenseKey(),
                	'product'     => ! empty( $license->getProductId() ) ? wc_get_product( $license->getProductId() ) : null,
                	'order'       => ! empty( $license->getOrderId() ) ? wc_get_order( $license->getOrderId() ) : null,
                	'date_format' => get_option( 'date_format' ),
            	),
            	'',
            	LMFWC_TEMPLATES_DIR
        	);
        }
		else {
			echo sprintf( '<h3>%s</h3>', __( 'Not found', 'license-manager-for-woocommerce' ) );
            echo sprintf( '<p>%s</p>', __( 'The license you are looking for is not found.', 'license-manager-for-woocommerce' ) );
		}
```
And that’s it!

Thank you
Plugin Support Mirza Hamza
(@hamza1010)

6 months, 2 weeks ago

Hello @arashtad,

Sorry for the inconvenience, We will discuss this internally and then update you.

Thank you

Plugin Support Mirza Hamza
(@hamza1010)

6 months, 1 week ago

Hello @arashtad,

We would like to inform you that we are releasing a build with the fixes so kindly wait for it we have added code to stop invalid license key.

Thank you

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘Security issue’ is closed to new replies.