Simple Custom Post Order ≥ 2.5.8 flushing all caches

A non-profit community organization I work with has had seemingly random problems serving pages with empty content for roughly the past half-year. We’ve finally managed to trace it down to Simple Custom Post Order 2.5.8.

Some content on our site is very expensive to generate. A batch job needs to run for a couple of minutes. It however only needs to be regenerated once every 24 hours and when relying on a Persistent Object Cache plugin it has not before been a problem. Our understanding is that no well behaved plugin should ever empty the object cache without a very good reason. As we use our own cache group, our data should even survive requests to clear-out the entire default cache group.

Release 2.5.8 breaks our site, and likely others’ too. As far as I can find, the release is only described with two words:

Security update

The full change between 2.5.7 and 2.5.8 is a relatively short patch:
Common subdirectories: 2.5.7/assets and 2.5.8/assets
Common subdirectories: 2.5.7/languages and 2.5.8/languages
--- 2.5.7/readme.txt
+++ 2.5.8/readme.txt
@@ -3,8 +3,8 @@
 Tags: custom post order, post order, js post order, page order, posts order, category order, sort posts, sort pages, sort custom posts
 Requires at least: 6.2
 Requires PHP: 7.2.5 or higher
-Tested up to: 6.5
-Stable tag: 2.5.7
+Tested up to: 6.6
+Stable tag: 2.5.8
 License: GPLv3 or later
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 
@@ -35,6 +35,9 @@
 3. Settings
 
 == Changelog ==
+
+= Version 2.5.8 - 10.10.2024 =
+* Security update
 
 = Version 2.5.7 - 20.09.2023 =
 * Security update fixing multiple issues
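Review bot: The 2.5.8 changelog entry says only "Security update", yet the simple-custom-post-order.php hunks in this same patch also add two wp_cache_flush() calls, a runtime behaviour change for every site running a persistent object cache; the entry should name that change (and the nonce/capability checks) so operators can tell what they are upgrading into.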
--- 2.5.7/simple-custom-post-order.php
+++ 2.5.8/simple-custom-post-order.php
@@ -3,7 +3,7 @@
  * Plugin Name: Simple Custom Post Order
  * Plugin URI: https://wordpress.org/plugins-wp/simple-custom-post-order/
  * Description: Order Items (Posts, Pages, and Custom Post Types) using a Drag and Drop Sortable JavaScript.
- * Version: 2.5.7
+ * Version: 2.5.8
  * Author: Colorlib
  * Author URI: https://colorlib.com/
  * Tested up to: 6.3.1
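Review bot: The plugin header's `* Tested up to: 6.3.1` is left unchanged while readme.txt in this patch bumps `Tested up to: 6.6`; the two should be kept in agreement.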
@@ -36,7 +36,7 @@
 
 define( 'SCPORDER_URL', plugins_url( '', __FILE__ ) );
 define( 'SCPORDER_DIR', plugin_dir_path( __FILE__ ) );
-define( 'SCPORDER_VERSION', '2.5.7' );
+define( 'SCPORDER_VERSION', '2.5.8' );
 
 $scporder = new SCPO_Engine();
 
@@ -233,6 +233,10 @@
 			wp_enqueue_script( 'jquery' );
 			wp_enqueue_script( 'jquery-ui-sortable' );
 			wp_enqueue_script( 'scporderjs', SCPORDER_URL . '/assets/scporder.min.js', array( 'jquery' ), SCPORDER_VERSION, true );
+			wp_localize_script( 'scporderjs', 'scporder_vars', array(
+				'ajax_url' => admin_url( 'admin-ajax.php' ),
+				'nonce'    => wp_create_nonce( 'scporder_nonce_action' ),
+			) );
 			add_action( 'admin_print_styles', array( $this, 'print_scpo_style' ) );
 
 		}
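Review bot: The nonce action string `'scporder_nonce_action'` is now repeated here and in both AJAX handlers; defining it once (a class constant next to SCPORDER_VERSION, for instance) avoids the three copies drifting apart on a later rename.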
@@ -323,6 +327,12 @@
 	public function update_menu_order() {
 		global $wpdb;
 
+		check_ajax_referer( 'scporder_nonce_action', 'nonce' );
+	
+		if ( ! current_user_can( 'manage_options' ) ) {
+			return;
+		}
+
 		parse_str( $_POST['order'], $data );
 
 		if ( ! is_array( $data ) ) {
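Review bot: The failed `current_user_can( 'manage_options' )` check just does `return;`, so the AJAX caller gets an empty 200 response and cannot distinguish a denied request from a successful one; respond with an error status instead, e.g. `wp_send_json_error( null, 403 );`, mirroring how `check_ajax_referer()` terminates the request on a bad nonce. The inserted blank line `+\t` also carries trailing whitespace. Separately, `parse_str( $_POST['order'], $data )` still reads the index without an `isset()` guard, so a request lacking `order` raises a PHP warning before the `is_array()` check below catches it.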
@@ -361,6 +371,8 @@
 			}
 		}
 
+		wp_cache_flush();
+
 		do_action( 'scp_update_menu_order' );
 	}
 
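Review bot: `wp_cache_flush()` empties the entire object cache, not just this plugin's entries; with a persistent object cache drop-in (Redis, Memcached) that wipes every cache group of every plugin on the site on each reorder, and nothing in the surrounding code needs that. Invalidate only what changed: `clean_post_cache( $post_id )` for each post the loop above reordered drops that post's cached row and meta and bumps the posts group's last_changed key, so cached queries refresh without discarding unrelated groups.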
@@ -368,6 +380,12 @@
 	public function update_menu_order_tags() {
 		global $wpdb;
 
+		check_ajax_referer( 'scporder_nonce_action', 'nonce' );
+	
+		if ( ! current_user_can( 'manage_options' ) ) {
+			return;
+		}
+
 		parse_str( $_POST['order'], $data );
 
 		if ( ! is_array( $data ) ) {
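Review bot: Same points as in `update_menu_order()`: the capability check returns silently with no error status for the AJAX caller (use `wp_send_json_error( null, 403 );` or equivalent), the inserted blank line carries a trailing tab, and `$_POST['order']` is read without an `isset()` guard.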
@@ -403,6 +421,8 @@
 				); // Passage en requette préparée
 			}
 		}
+
+		wp_cache_flush();
 
 		do_action( 'scp_update_menu_order_tags' );
 
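Review bot: As in the posts handler, this `wp_cache_flush()` flushes the whole object cache on every term reorder; the targeted invalidation here is `clean_term_cache( $term_ids, $taxonomy )` for the terms actually touched. The added `+` blank line directly before an existing blank context line also leaves two consecutive empty lines.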

As can be seen, the diff does contain the addition of a nonce and added access control. Two things which seem like great security features. No objection there. Yet the diff also contains two added calls to wp_cache_flush() which, to the best of my understanding, seem to be an accidental leftover which was likely only used by the developer to validate the changes.

Could you please release an updated version with these two flush calls reverted? Alternatively, elaborate on what their purpose is, in the unlikely event they were for some reason actually added to the release intentionally?

Edit: After looking closer, I understand this was indeed an intentional change and that the Security update bundled this unrelated breakage. The bug is still just as real. (This discourse won’t allow me to link to msgh#130 and msgh#150)
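An added illustration, not code from the Simple Custom Post Order plugin or from the poster, of the narrower invalidation the thread is asking for: clearing only the posts and terms a reorder touched, so unrelated cache groups (such as a site's own expensive batch results) survive. The function names are hypothetical, and the ID arrays are assumed to hold whatever the plugin's handlers parsed from the submitted order.

```php
<?php
// Added example, not the plugin's code. Targeted invalidation after a reorder:
// touch only the cache entries of the objects whose order changed, instead of
// wp_cache_flush(), which empties every group of the site's object cache.

/**
 * Invalidate cached data for the posts that were reordered.
 * Returns the number of posts whose cache entries were cleared.
 */
function scpo_example_clean_reordered_posts( array $post_ids ): int {
    $cleaned = 0;
    foreach ( array_unique( array_map( 'intval', $post_ids ) ) as $post_id ) {
        if ( $post_id <= 0 ) {
            continue; // ignore malformed ids from the submitted order
        }
        // Drops this post's 'posts' and 'post_meta' entries and bumps the
        // posts group's last_changed key, so cached WP_Query results refresh
        // while every other cache group is left intact.
        clean_post_cache( $post_id );
        $cleaned++;
    }
    return $cleaned;
}

/**
 * Invalidate cached data for the terms reordered within one taxonomy.
 * Returns the number of valid term ids handed to clean_term_cache().
 */
function scpo_example_clean_reordered_terms( array $term_ids, string $taxonomy ): int {
    $term_ids = array_filter(
        array_map( 'intval', $term_ids ),
        static fn( int $id ): bool => $id > 0
    );
    if ( $term_ids === array() ) {
        return 0;
    }
    // Clears only the 'terms' entries and the taxonomy relationship caches.
    clean_term_cache( array_values( $term_ids ), $taxonomy );
    return count( $term_ids );
}
```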