diff --git a/classes/Pods.php b/classes/Pods.php
index de0a799cc4..bae99e9268 100644
--- a/classes/Pods.php
+++ b/classes/Pods.php
@@ -3949,6 +3949,15 @@ public function form( $params = null, $label = null, $thank_you = null ) {
 $fields_only = $params['fields_only'];
 $output_type = $params['output_type'];
+ // Sanitize thank_you for security.
+ if ( ! empty( $thank_you ) ) {
+ // Additional sanitization.
+ $thank_you = sanitize_text_field( $thank_you );
+
+ // Fallback to '' so that the logic below can kick in if the thank you URL was not safe.
+ $thank_you = pods_enforce_safe_url( $thank_you, '' );
+ }
+
 if ( empty( $output_type ) ) {
 $output_type = 'div';
 }
diff --git a/includes/data.php b/includes/data.php
index 7fd2ec35ec..19c80787a5 100644
--- a/includes/data.php
+++ b/includes/data.php
@@ -2644,3 +2644,24 @@ function pods_clean_memory( $sleep_time = 0 ) {
 call_user_func( [ $wp_object_cache, '__remoteset' ] ); // important
 }
 }
+
+/**
+ * Enforce a URL as safe and fallback to another URL if it is not safe.
+ *
+ * @since 2.8.23.3
+ *
+ * @param string $url The URL to enforce as safe.
+ * @param string|null $fallback_url The fallback URL to use if the URL is not valid.
+ *
+ * @return string The safe URL or the fallback URL if that was not valid.
+ */
+function pods_enforce_safe_url( $url, $fallback_url = null ) {
+ $url = wp_sanitize_redirect( $url );
+
+ if ( null === $fallback_url ) {
+ $fallback_url = pods_current_url();
+ }
+
+ return wp_validate_redirect( $url, $fallback_url );
+}
+
diff --git a/init.php b/init.php
index b4a9e99843..6486f37d14 100644
--- a/init.php
+++ b/init.php
@@ -10,7 +10,7 @@
 * Plugin Name: Pods - Custom Content Types and Fields
 * Plugin URI: https://pods.io/
 * Description: Pods is a framework for creating, managing, and deploying customized content types and fields
- * Version: 2.8.23.1
+ * Version: 2.8.23.3
 * Author: Pods Framework Team
 * Author URI: https://pods.io/about/
 * Text Domain: pods
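Review bot: `sanitize_text_field()` is the wrong sanitizer for a URL in the added block of `form()`: WordPress's `_sanitize_text_fields()` removes every percent-encoded octet (`%20`, `%3D`, …) and collapses whitespace, so a legitimately encoded thank-you URL with a query string is silently mangled before `pods_enforce_safe_url()` ever sees it, and it adds no host validation beyond what the next line's `wp_sanitize_redirect()`/`wp_validate_redirect()` already perform. If a pre-filter is wanted, `esc_url_raw()` is the WordPress sanitizer intended for URLs, e.g. `$thank_you = esc_url_raw( $thank_you );`. The `''` fallback only hardens anything if the code after this hunk treats an empty `$thank_you` as "use the default confirmation page" — that logic is outside the hunk, so the comment should name where that default is applied rather than just "the logic below". Where `$thank_you` is populated (presumably from the merged `$params` above the hunk) is also not visible here; `form()` starts and ends outside the hunk.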
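Review bot: The docblock on `pods_enforce_safe_url()` overstates the guarantee: `wp_validate_redirect()` returns `$fallback_url` verbatim whenever `$url` is not on an allowed host, so the fallback itself is never sanitized or validated and callers must pass an already-trusted value (the `''` and `pods_current_url()` cases used here are fine, but the contract should say so). I would change the parameter line to `@param string|null $fallback_url Trusted fallback URL, returned as-is when $url is not allowed; null uses pods_current_url().` and add one sentence to the description stating that "safe" means the host matches the site's own host or one added through the `allowed_redirect_hosts` filter, which is exactly what `wp_validate_redirect()` checks. Both WordPress functions are pluggable (wp-includes/pluggable.php), so this helper is only callable once that file has loaded — presumably always true by the time a form renders, but worth a `@see`-style note for anyone tempted to call it at include time.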
@@ -43,7 +43,7 @@
 add_action( 'init', 'pods_deactivate_pods_ui' );
 } else {
 // Current version.
- define( 'PODS_VERSION', '2.8.23.1' );
+ define( 'PODS_VERSION', '2.8.23.3' );
 // Current database version, this is the last version we had a database migration added in the /sql/ directory.
 define( 'PODS_DB_VERSION', '2.3.5' );
diff --git a/package.json b/package.json
index c5c4a9ae57..5bac3323a2 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pods",
- "version": "2.8.23.1",
+ "version": "2.8.23.3",
 "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.",
 "author": "Pods Foundation, Inc",
 "homepage": "https://pods.io/",
diff --git a/readme.txt b/readme.txt
index 658b6b9f9e..b1fd723247 100644
--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields,
 Requires at least: 5.5
 Tested up to: 6.0
 Requires PHP: 5.6
-Stable tag: 2.8.23.1
+Stable tag: 2.8.23.3
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
@@ -156,6 +156,18 @@ Pods really wouldn't be where it is without all the contributions from our [dono
 == Changelog ==
+= 2.8.23.3 - May 8th, 2024 =
+
+*Security Release*
+
+* Security hardening: Enforce safe URLs for Pods form submission confirmation page URLs. Props to the wesley (wcraft) / Wordfence for responsibly reporting this. (@sc0ttkclark)
+
+= 2.8.23.2 - February 21st, 2024 =
+
+*Security Release*
+
+Resolved issue with release deployment, see previous version for more details about the release.
+
 = 2.8.23.1 - February 21st, 2024 =
 *Security Release*
diff --git a/ui/front/form.php b/ui/front/form.php
index 17ff505097..95fd10d36e 100644
--- a/ui/front/form.php
+++ b/ui/front/form.php
@@ -86,7 +86,7 @@
-