Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3048298

Timestamp:

03/09/2024 04:09:47 PM (5 months ago)

Author:

sajjad67

Message:

Fixed Plugin settings XSS vulnerability.

Location:

wp-edit-username

Files:

: 11 edited

tags/1.0.5/admin/ajax-handler.php (modified) (1 diff)
tags/1.0.5/admin/js/script.js (modified) (6 diffs)
tags/1.0.5/admin/modal.php (modified) (1 diff)
tags/1.0.5/includes/settings.php (modified) (12 diffs)
tags/1.0.6/assets/js/script.js (modified) (2 diffs)
tags/1.0.6/wp-edit-username.php (modified) (4 diffs)
trunk/admin/ajax-handler.php (modified) (1 diff)
trunk/admin/js/script.js (modified) (2 diffs)
trunk/admin/modal.php (modified) (1 diff)
trunk/includes/settings.php (modified) (3 diffs)
trunk/readme.txt (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

wp-edit-username/tags/1.0.5/admin/ajax-handler.php

-                      r3047088
+                      r3048298
 function wpeu_update_user_name()
+{
+    // ---------------------------------------------------------
+    // Check if current_user_can() functions exists in this scope
+    // ---------------------------------------------------------
+    if( ! function_exists( 'wp_get_current_user' ) )
+    {
+        include( ABSPATH . "wp-includes/pluggable.php" );
+    }
+    if( ! current_user_can( 'edit_users' ) ) die();
+    if( ! current_user_can( 'edit_users' ) )
+    {
+        return;
+    }
+    if ( isset( $_POST['wp_edit_username_nonce'] ) && wp_verify_nonce( $_POST['wp_edit_username_nonce'], 'wp_edit_username_action' ) )
+    {
+        $new_username       = sanitize_user( $_POST['new_username'] );
+        $current_username   = sanitize_user( $_POST['current_username'] );
     $_POST = array_map( 'trim', array_map( 'strip_tags', $_POST ) );
+);
     extract( $_POST );
+);
+    $response = array();
+        // ---------------------------------------------------------
+        // check if new_username is empty
+        // ---------------------------------------------------------
+        if( empty( $new_username ) || empty( $current_username ) )
+        {
+            $response['alert_message'] = __( 'Username Can Not be Empty!', 'wp-edit-username' );
+            wp_send_json( $response ); die();
+        }
     // ---------------------------------------------------------
+    // check if new_username is empty
     // ---------------------------------------------------------
     if( empty( $new_username ) || empty( $current_username ) )
+    {
         $response['alert_message'] = __( 'Username Can Not be Empty!' );
         wp_send_json( $response ); die();
+    }
+// ---------------------------------------------------------
+        // Check if username consists invalid illegal character
+// ---------------------------------------------------------
+_username ) )
+{
+' );
+wp_send_json( $response ); die();
+}
+    // ---------------------------------------------------------
+    // Check if username consists invalid illegal character
+    // ---------------------------------------------------------
+    if( ! validate_username( $new_username ) )
+    {
+        $response['alert_message'] = __( 'Username can not have illegal characters' );
+        wp_send_json( $response ); die();
+    }
+        // ---------------------------------------------------------
+        // Filters the list of blacklisted usernames.
+        //
+        // @https://developer.wordpress.org/reference/hooks/illegal_user_logins/
+        // ---------------------------------------------------------
+        $illegal_user_logins = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );
+    // ---------------------------------------------------------
+    // Filters the list of blacklisted usernames.
+    //
+    // @https://developer.wordpress.org/reference/hooks/illegal_user_logins/
+    // ---------------------------------------------------------
+    $illegal_user_logins = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );
+        if ( in_array( $new_username, $illegal_user_logins ) )
+        {
+            $response['alert_message'] =  __( 'Sorry, that username is not allowed.', 'wp-edit-username' );
+            wp_send_json( $response ); die();
+        }
+    if ( in_array( $new_username, $illegal_user_logins ) )
+    {
+        $response['alert_message'] =  __( 'Sorry, that username is not allowed.' );
+        wp_send_json( $response ); die();
+    }
+        // ---------------------------------------------------------
+        // If $new_username already registered
+        // ---------------------------------------------------------
+        if( username_exists( $new_username ) )
+        {
+            $response['alert_message'] =  __( 'Sorry, that username already exists and not available.', 'wp-edit-username' );
+            wp_send_json( $response ); die();
+        }
+    // ---------------------------------------------------------
+    // If $new_username already registered
+    // ---------------------------------------------------------
+    if( username_exists( $new_username ) )
+    {
+        $response['alert_message'] =  __( 'Sorry, that username already exists and not available.' );
+        wp_send_json( $response ); die();
+    }
+        global $wpdb;
+    global $wpdb;
+        // ---------------------------------------------------------
+        // Change / Update Username With old one
+        // ---------------------------------------------------------
+        $query  = $wpdb->prepare( "UPDATE $wpdb->users SET user_login = %s WHERE user_login = %s", $new_username, $current_username );
+        $result = $wpdb->query( $query );
+    // ---------------------------------------------------------
+    // Change / Update Username With old one
+    // ---------------------------------------------------------
+    $query  = $wpdb->prepare( "UPDATE $wpdb->users SET user_login = %s WHERE user_login = %s", $new_username, $current_username );
+    $result = $wpdb->query( $query );
+        $options = get_option( 'wpeu_register_settings_fields' );
     if ( $result > 0 )
+    {
         $response['success_message'] =  sprintf( 'Username Updated from <code>%s</code> to <code>%s</code>.', $current_username, $new_username );
+if ( $result > 0 )
+{
+$response['success_message'] =  sprintf( 'Username Updated from <code>%s</code> to <code>%s</code>.', $current_username, $new_username );
+        $options = get_option( 'wpeu_register_settings_fields' );
+            if ( isset( $options['wpeu_send_email_field'] ) && $options['wpeu_send_email_field'] == 'on' )
+            {
+                $user_email = $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM $wpdb->users WHERE user_login = %s", $new_username ) );
+        if ( $options['wpeu_send_email_field'] == 'on' )
+        {
+            $user_email = $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM $wpdb->users WHERE user_login = %s", $new_username ) );
+                if ( isset( $options['wpeu_email_receiver_field'] ) )
+                {
+                    if ( $options['wpeu_email_receiver_field'] == 'user_only' )
+                    {
+                        $to         = array( sanitize_email( $user_email ) );
+                    }
+                    elseif ( $options['wpeu_email_receiver_field'] == 'admin_only' )
+                    {
+                        $to         = array();
+                        $admins     = get_users( 'role=Administrator' );
+                        foreach ( $admins as $admin )
+                        {
+                            $to[]   = sanitize_email( $admin->user_email );
+                        }
+                    }
+                    elseif ( $options['wpeu_email_receiver_field'] == 'admin_user' )
+                    {
+                        $to         = array( sanitize_email( $user_email ) );
+                        $admins     = get_users( 'role=Administrator' );
+                        foreach ( $admins as $admin )
+                        {
+                            $to[]   = sanitize_email( $admin->user_email );
+                        }
+                    }
+                }
+            if ( $options['wpeu_email_receiver_field'] == 'user_only' )
+            {
+                $to = array( $user_email );
+            }
+            elseif ( $options['wpeu_email_receiver_field'] == 'admin_only' )
+            {
+                $to = array();
+                $admins = get_users( 'role=Administrator' );
+                foreach ( $admins as $admin )
+                {
+                    $to[] = $admin->user_email;
+                }
+            }
+            elseif ( $options['wpeu_email_receiver_field'] == 'admin_user' )
+            {
+                $to = array( $user_email );
+                $admins = get_users( 'role=Administrator' );
+                foreach ( $admins as $admin )
+                {
+                    $to[] = $admin->user_email;
+                }
+            }
+                $subject = apply_filters( 'wp_username_changed_email_subject', $subject = $options['wpeu_email_subject_field'], $old_username, $new_username );
             $subject = apply_filters( "wp_username_changed_email_subject", $subject = $options['wpeu_email_subject_field'], $old_username, $new_username );
+_field'], $old_username, $new_username );
+            $body    = apply_filters( "wp_username_changed_email_body", $body = $options['wpeu_email_body_field'], $old_username, $new_username );
+                $user    = get_user_by( 'login', $new_username );
+                if( $user )
+                {
+                    $body = str_replace( [ '{{first_name}}', '{{last_name}}', '{{display_name}}', '{{full_name}}', '{{old_username}}', '{{new_username}}' ], [ $user->first_name, $user->last_name, $user->display_name, $user->first_name . ' ' . $user->last_name, $current_username, $new_username ], $body );
+                }
+            $user    = get_user_by( 'login', $new_username );
+            if( $user )
+            {
+                $body = str_replace( [ '{{first_name}}', '{{last_name}}', '{{display_name}}', '{{full_name}}', '{{old_username}}', '{{new_username}}' ], [ $user->first_name, $user->last_name, $user->display_name, $user->first_name .' '. $user->last_name, $current_username, $new_username ], $body );
+            }
+                $headers = array( 'Content-Type: text/html; charset=UTF-8' );
+            $headers = array( 'Content-Type: text/html; charset=UTF-8' );
+                foreach ( $to as $email )
+                {
+                    wp_mail( $email, $subject, $body, $headers );
+                }
+            }
+        }
+            foreach ( $to as $email )
+            {
+                wp_mail( $email, $subject, $body, $headers );
+            }
+        }
+    }
+        // ---------------------------------------------------------
+        // Change / Update nicename if == username
+        // ---------------------------------------------------------
+        $query = $wpdb->prepare( "UPDATE $wpdb->users SET user_nicename = %s WHERE user_login = %s AND user_nicename = %s", $new_username, $new_username, $current_username );
+        $wpdb->query( $query );
     // ---------------------------------------------------------
     // Change / Update nicename if == username
     // ---------------------------------------------------------
     $query = $wpdb->prepare( "UPDATE $wpdb->users SET user_nicename = %s WHERE user_login = %s AND user_nicename = %s", $new_username, $new_username, $current_username );
     $wpdb->query( $query );
+// ---------------------------------------------------------
+name if == username
+// ---------------------------------------------------------
+name = %s", $new_username, $new_username, $current_username );
+$wpdb->query( $query );
+    // ---------------------------------------------------------
+    // Change / Update display name if == username
+    // ---------------------------------------------------------
+    $query  = $wpdb->prepare( "UPDATE $wpdb->users SET display_name = %s WHERE user_login = %s AND display_name = %s", $new_username, $new_username, $current_username );
+    $wpdb->query( $query );
+        // ---------------------------------------------------------
+        // Update Username on Multisite
+        // ---------------------------------------------------------
+        if( is_multisite() )
+        {
+            $super_admins = (array) get_site_option( 'site_admins', array( 'admin' ) );
+            $array_key = array_search( $current_username, $super_admins );
+    // ---------------------------------------------------------
+    // Update Username on Multisite
+    // ---------------------------------------------------------
+    if( is_multisite() )
+    {
+        $super_admins = (array) get_site_option( 'site_admins', array( 'admin' ) );
+        $array_key = array_search( $current_username, $super_admins );
+            if( $array_key )
+            {
+                $super_admins[ $array_key ] = $new_username;
+            }
+            update_site_option( 'site_admins' , $super_admins );
+        }
+    }
+    else
+    {
+        $response['alert_message'] =  __( 'Nonce verification failed.', 'wp-edit-username' );
+    }
+        if( $array_key )
+        {
+            $super_admins[ $array_key ] = $new_username;
+        }
+        update_site_option( 'site_admins' , $super_admins );
+    }
+    wp_send_json( $response ); die();
+    wp_send_json( $response ); die();
+}

wp-edit-username/tags/1.0.5/admin/js/script.js

-                      r2976213
+                      r3048298
     var $wpeu_new_username = $( "#wpeu_new_username" );
     var $wpeu_message = $( "#wpeu_message" );
 …
         $update_user_name_tigger.removeAttr( 'disabled' );
     } );
+    });
     $( "#cancel_button" ).click( function( event )
 …
         $wpeu_message.empty().hide();
     } );
+    });
     $wpeu_new_username.keyup( function( event )
 …
             $update_user_name_tigger.removeAttr( 'disabled' );
+        }
     } );
+    });
     $( document ).on( 'click', "#update_user_name_tigger", function( e )
 …
+        {
             action : 'wpeu_update_user_name',
             current_username : $input.val(),
 …
                 $wpeu_message.addClass( 'alert-success' ).html( msg.success_message ).show();
+            }
         } );
     } );
 } );
+        });
+    });
+});

wp-edit-username/tags/1.0.5/admin/modal.php

r2976213	r3048298
20	20	</div>
21	21	<input type="text" class="form-control" id="wpeu_new_username" placeholder="<?php echo __( 'New Username' ); ?>" aria-label="Username" aria-describedby="basic-addon1">
	22
	23
22	24	</div>
23	25	</div>

wp-edit-username/tags/1.0.5/includes/settings.php

-                      r2976213
+                      r3048298
     <div class="wrap">
         <h2 style="background-image: <?php echo $icon; ?>;background-repeat:  no-repeat;background-position: left 12px;background-size: 25px;padding-left: 30px;">
             Edit Username Settings
+    <h2 style="background-image: <?php echo $icon; ?>;background-repeat:  no-repeat;background-position: left 12px;background-size: 25px;padding-left: 30px;">
+        Edit Username Settings
         </h2>
         <form action="options.php" method="post"><?php
+    <form action="options.php" method="post"><?php
             settings_fields( 'wpeu_settings_group' );
 …
             do_settings_sections( 'wpeu_settings_section' );
             submit_button( 'Save Changes' ); ?>
+            submit_button(); ?>
         </form>
+    </form>
     </div>
  <?php }
 …
     add_settings_section(
         'wpeu_main_settings_section',
         'Notifications Settings',
+        ' Settings',
         'wpeu_main_settings_description',
         'wpeu_settings_section'
 …
     add_settings_field(
         'wpeu_send_email_field_setting',
         'Send Email',
+        'Send Email',
         'wpeu_send_email_field_setting',
         'wpeu_settings_section',
 …
     add_settings_field(
         'wpeu_email_receiver_field',
         'Send Emails To',
+        'Send Emails To',
         'wpeu_email_receiver_field_setting',
         'wpeu_settings_section',
 …
     add_settings_field(
         'wpeu_email_subject_field',
         'Email Subject',
+        'Email Subject',
         'wpeu_email_subject_field_setting',
         'wpeu_settings_section',
 …
     add_settings_field(
         'wpeu_email_body_field',
         'Email Body Text',
+        'Email Body Text',
         'wpeu_email_body_field_setting',
         'wpeu_settings_section',
 …
     $options = get_option( 'wpeu_register_settings_fields' );
     $options['wpeu_send_email_field'] = trim( $arr_input['wpeu_send_email_field'] );
+    $options['wpeu_send_email_field'] = ( $arr_input['wpeu_send_email_field'] );
     $options['wpeu_email_receiver_field'] = trim( $arr_input['wpeu_email_receiver_field'] );
+    $options['wpeu_email_receiver_field'] = ( $arr_input['wpeu_email_receiver_field'] );
     $options['wpeu_email_subject_field'] = trim( $arr_input['wpeu_email_subject_field'] );
+    $options['wpeu_email_subject_field'] = ( $arr_input['wpeu_email_subject_field'] );
     $options['wpeu_email_body_field'] = trim( $arr_input['wpeu_email_body_field'] );
+    $options['wpeu_email_body_field'] = ( $arr_input['wpeu_email_body_field'] );
     return $options;
 …
     $options = get_option( 'wpeu_register_settings_fields' ); ?>
     <input type="checkbox" name="wpeu_register_settings_fields[wpeu_send_email_field]" <?php checked( 'on', $options['wpeu_send_email_field'],true); ?> />
+<input type="checkbox" name="wpeu_register_settings_fields[wpeu_send_email_field]" <?php checked( 'on', $options['wpeu_send_email_field'],true); ?> />
 <?php }
 …
     $options = get_option( 'wpeu_register_settings_fields' ); ?>
+    <input type="radio" name="wpeu_register_settings_fields[wpeu_email_receiver_field]" value="admin_only" <?php checked( 'admin_only' == $options['wpeu_email_receiver_field'] ); ?> /> Admins Only
+    <input type="radio" name="wpeu_register_settings_fields[wpeu_email_receiver_field]" value="user_only" <?php checked( 'user_only' == $options['wpeu_email_receiver_field'] ); ?> /> User Only
+    <input type="radio" name="wpeu_register_settings_fields[wpeu_email_receiver_field]" value="admin_user" <?php checked( 'admin_user' == $options['wpeu_email_receiver_field'] ); ?> /> Admins & User
+    <input type="radio" name="wpeu_register_settings_fields[wpeu_email_receiver_field]" value="admin_only" <?php checked( 'admin_only' == $options['wpeu_email_receiver_field'] ); ?> /> Admin Only
+    <input type="radio" name="wpeu_register_settings_fields[wpeu_email_receiver_field]" value="admin_user" <?php checked( 'admin_user' == $options['wpeu_email_receiver_field'] ); ?> /> Admin & User
 <?php }
 …
     $options = get_option( 'wpeu_register_settings_fields' ); ?>
     <input type="text" class="widefat" name="wpeu_register_settings_fields[wpeu_email_subject_field]" value="<?php if ( isset( $options['wpeu_email_subject_field'] ) ){ echo $options['wpeu_email_subject_field']; } else { echo 'Username Changed!'; } ?>" />
+'; } ?>" />
 <?php }
 …
     $options = get_option( 'wpeu_register_settings_fields' ); ?>
+    <textarea class="widefat" style="min-height: 150px;" name="wpeu_register_settings_fields[wpeu_email_body_field]" ><?php if ( isset( $options['wpeu_email_body_field'] ) ){ echo $options['wpeu_email_body_field']; } else { echo 'Your Username has been changed'; } ?></textarea>
+    <p>Available shortcodes are : <code>{{first_name}}</code> <code>{{last_name}}</code> <code>{{display_name}} <code>{{full_name}}</code> <code>{{old_username}}</code> <code>{{new_username}}</code></p>
+    <textarea class="widefat" style="min-height: 150px;" name="wpeu_register_settings_fields[wpeu_email_body_field]" ><?php if ( isset( $options['wpeu_email_body_field'] ) ){ echo esc_textarea( $options['wpeu_email_body_field'] ); } else { echo 'Your Username has been changed'; } ?></textarea>
 <?php }

wp-edit-username/tags/1.0.6/assets/js/script.js

-                      r3047088
+                      r3048298
     var $wpeu_new_username          = $( "#wpeu_new_username" );
     var $wpeu_message               = $( "#wpeu_message" );
 …
         var data =
+        {
             action              : 'wpeu_update_user_name',
+            action              : 'wpeu_update_user_name',
             current_username    : $input.val(),
+            .val(),
+            new_username        : $wpeu_new_username.val()
+            current_username        : $input.val(),
+            new_username            : $wpeu_new_username.val()
         };

wp-edit-username/tags/1.0.6/wp-edit-username.php

-                      r3047088
+                      r3048298
         public function email_subject_field_setting()
+        {
             ?><input type="text" class="widefat" name="wpeu_register_settings_fields[wpeu_email_subject_field]" value="<?php if ( isset( $this->options['wpeu_email_subject_field'] ) ){ echo esc_html__( $this->options['wpeu_email_subject_field'] ); } else { _e( 'Username Changed!', 'wp-edit-username' ); } ?>" /><?php
+            ?><input type="text" class="widefat" name="wpeu_register_settings_fields[wpeu_email_subject_field]" value="<?php if ( isset( $this->options['wpeu_email_subject_field'] ) ){ echo esc_( $this->options['wpeu_email_subject_field'] ); } else { _e( 'Username Changed!', 'wp-edit-username' ); } ?>" /><?php
+        }
 …
+        {
             ?>
                 <textarea class="widefat" style="min-height: 150px;" name="wpeu_register_settings_fields[wpeu_email_body_field]" ><?php if ( isset( $this->options['wpeu_email_body_field'] ) ){ echo esc_html( $this->options['wpeu_email_body_field'] ); } else { _e( 'Your Username has been changed', 'wp-edit-username' ); } ?></textarea>
+                <textarea class="widefat" style="min-height: 150px;" name="wpeu_register_settings_fields[wpeu_email_body_field]" ><?php if ( isset( $this->options['wpeu_email_body_field'] ) ){ echo esc_( $this->options['wpeu_email_body_field'] ); } else { _e( 'Your Username has been changed', 'wp-edit-username' ); } ?></textarea>
                 <p><?php _e( 'Available shortcodes are', 'wp-edit-username' ); ?> : <code>{{first_name}}</code> <code>{{last_name}}</code> <code>{{display_name}}</code> <code>{{full_name}}</code> <code>{{old_username}}</code> <code>{{new_username}}</code></p>
 …
                                     </div>
                                     <input type="text" class="form-control" id="wpeu_new_username" placeholder="<?php echo __( 'New Username', 'wp-edit-username' ); ?>" aria-label="Username" aria-describedby="basic-addon1">
                                 </div>
                             </div>
 …
         public function update_user_name()
+        {
             if( ! current_user_can( 'edit_users' ) ) die();
+            $_POST              = array_map( 'trim', array_map( 'strip_tags', $_POST ) );
+            extract( $_POST );
+            $response           = array();
+            $to                 = array();
+            $new_username       = sanitize_user( $new_username );
+            $current_username   = sanitize_user( $current_username );
+            // ---------------------------------------------------------
+            // check if new_username is empty
+            // ---------------------------------------------------------
+            if( empty( $new_username ) || empty( $current_username ) )
+            if ( ! isset( $_POST['new_username'] ) && ! isset( $_POST['current_username'] ) )
+            {
+                $response['alert_message'] = __( 'Username Can Not be Empty!', 'wp-edit-username' );
+                $response['alert_message'] = __( 'Invalid fields!', 'wp-edit-username' );
+                wp_send_json( $response ); die();
+            }
+            if ( isset( $_POST['wp_edit_username_nonce'] ) && wp_verify_nonce( $_POST['wp_edit_username_nonce'], 'wp_edit_username_action' ) )
+            {
+                $new_username       = sanitize_user( $_POST['new_username'] );
+                wp_send_json( $response ); die();
+            }
+            // ---------------------------------------------------------
+            // Check if username consists invalid illegal character
+            // ---------------------------------------------------------
+            if( ! validate_username( $new_username ) )
+            {
+                $response['alert_message'] = __( 'Username can not have illegal characters', 'wp-edit-username' );
+                $current_username   = sanitize_user( $_POST['current_username'] );
+                // ---------------------------------------------------------
+                // check if new_username is empty
+                // ---------------------------------------------------------
+                if( empty( $new_username ) || empty( $current_username ) )
+                {
+                    $response['alert_message'] = __( 'Username Can Not be Empty!', 'wp-edit-username' );
+                    wp_send_json( $response ); die();
+                }
+                // ---------------------------------------------------------
+                // Check if username consists invalid illegal character
+                // ---------------------------------------------------------
+                if( ! validate_username( $new_username ) )
+                {
+                    $response['alert_message'] = __( 'Username can not have illegal characters', 'wp-edit-username' );
+                    wp_send_json( $response ); die();
+                }
+                // ---------------------------------------------------------
+                // Filters the list of blacklisted usernames.
+                //
+                // @https://developer.wordpress.org/reference/hooks/illegal_user_logins/
+                // ---------------------------------------------------------
+                $illegal_user_logins = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );
+                if ( in_array( $new_username, $illegal_user_logins ) )
+                {
+                    $response['alert_message'] =  __( 'Sorry, that username is not allowed.', 'wp-edit-username' );
+                    wp_send_json( $response ); die();
+                }
+                // ---------------------------------------------------------
+                // If $new_username already registered
+                // ---------------------------------------------------------
+                if( username_exists( $new_username ) )
+                {
+                    $response['alert_message'] =  __( 'Sorry, that username already exists and not available.', 'wp-edit-username' );
+                    wp_send_json( $response ); die();
+                }
+                global $wpdb;
+                // ---------------------------------------------------------
+                // Change / Update Username With old one
+                // ---------------------------------------------------------
+                $query  = $wpdb->prepare( "UPDATE $wpdb->users SET user_login = %s WHERE user_login = %s", $new_username, $current_username );
+                wp_send_json( $response ); die();
+            }
+            // ---------------------------------------------------------
+            // Filters the list of blacklisted usernames.
+            //
+            // @https://developer.wordpress.org/reference/hooks/illegal_user_logins/
+            // ---------------------------------------------------------
+            $illegal_user_logins = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );
+            if ( in_array( $new_username, $illegal_user_logins ) )
+            {
+                $response['alert_message'] =  __( 'Sorry, that username is not allowed.', 'wp-edit-username' );
+                wp_send_json( $response ); die();
+            }
+            // ---------------------------------------------------------
+            // If $new_username already registered
+            // ---------------------------------------------------------
+            if( username_exists( $new_username ) )
+            {
+                $response['alert_message'] =  __( 'Sorry, that username already exists and not available.', 'wp-edit-username' );
+                wp_send_json( $response ); die();
+            }
+            global $wpdb;
+            // ---------------------------------------------------------
+            // Change / Update Username With old one
+            // ---------------------------------------------------------
+            $query  = $wpdb->prepare( "UPDATE $wpdb->users SET user_login = %s WHERE user_login = %s", $new_username, $current_username );
+            $result = $wpdb->query( $query );
+            if ( $result > 0 )
+            {
+                $response['success_message'] =  sprintf( 'Username Updated from <code>%s</code> to <code>%s</code>.', $current_username, $new_username );
+                if ( isset( $this->options['wpeu_send_email_field'] ) && $this->options['wpeu_send_email_field'] == 'on' )
+                {
+                    $user_email = $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM $wpdb->users WHERE user_login = %s", $new_username ) );
+                    if ( isset( $this->options['wpeu_email_receiver_field'] ) )
+                    {
+                        if ( $this->options['wpeu_email_receiver_field'] == 'user_only' )
+                        {
+                            $to         = array( sanitize_email( $user_email ) );
+                        }
+                        elseif ( $this->options['wpeu_email_receiver_field'] == 'admin_only' )
+                        {
+                            $to         = array();
+                            $admins     = get_users( 'role=Administrator' );
+                            foreach ( $admins as $admin )
+                $result = $wpdb->query( $query );
+                if ( $result > 0 )
+                {
+                    $response['success_message'] =  sprintf( 'Username Updated from <code>%s</code> to <code>%s</code>.', $current_username, $new_username );
+                    if ( isset( $this->options['wpeu_send_email_field'] ) && $this->options['wpeu_send_email_field'] == 'on' )
+                    {
+                        $user_email = $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM $wpdb->users WHERE user_login = %s", $new_username ) );
+                        if ( isset( $this->options['wpeu_email_receiver_field'] ) )
+                        {
+                            if ( $this->options['wpeu_email_receiver_field'] == 'user_only' )
+                            {
+                                $to         = array( sanitize_email( $user_email ) );
+                            }
+                            elseif ( $this->options['wpeu_email_receiver_field'] == 'admin_only' )
+                            {
+                                $to         = array();
+                                $admins     = get_users( 'role=Administrator' );
+                                foreach ( $admins as $admin )
+                                {
+                                    $to[]   = sanitize_email( $admin->user_email );
+                                }
+                            }
+                            elseif ( $this->options['wpeu_email_receiver_field'] == 'admin_user' )
+                            {
+                                $to[]   = sanitize_email( $admin->user_email );
+                                $to         = array( sanitize_email( $user_email ) );
+                                $admins     = get_users( 'role=Administrator' );
+                                foreach ( $admins as $admin )
+                                {
+                                    $to[]   = sanitize_email( $admin->user_email );
+                                }
+                            }
+                        }
+                        elseif ( $this->options['wpeu_email_receiver_field'] == 'admin_user' )
+                        $subject = apply_filters( 'wp_username_changed_email_subject', $subject = $this->options['wpeu_email_subject_field'], $old_username, $new_username );
+                        $body    = apply_filters( 'wp_username_changed_email_body', $body = $this->options['wpeu_email_body_field'], $old_username, $new_username );
+                        $user    = get_user_by( 'login', $new_username );
+                        if( $user )
+                        {
                             $to         = array( sanitize_email( $user_email ) );
+                            $admins     = get_users( 'role=Administrator' );
+                            foreach ( $admins as $admin )
+                            {
                                 $to[]   = sanitize_email( $admin->user_email );
+                            }
+                            $ );
+                        }
+                    }
+                    $subject = apply_filters( 'wp_username_changed_email_subject', $subject = $this->options['wpeu_email_subject_field'], $old_username, $new_username );
+                    $body    = apply_filters( 'wp_username_changed_email_body', $body = $this->options['wpeu_email_body_field'], $old_username, $new_username );
+                    $user    = get_user_by( 'login', $new_username );
+                    if( $user )
+                }
+                // ---------------------------------------------------------
+                // Change / Update nicename if == username
+                // ---------------------------------------------------------
+                $query = $wpdb->prepare( "UPDATE $wpdb->users SET user_nicename = %s WHERE user_login = %s AND user_nicename = %s", $new_username, $new_username, $current_username );
+                $wpdb->query( $query );
+                // ---------------------------------------------------------
+                // Change / Update display name if == username
+                // ---------------------------------------------------------
+                $query  = $wpdb->prepare( "UPDATE $wpdb->users SET display_name = %s WHERE user_login = %s AND display_name = %s", $new_username, $new_username, $current_username );
+                $wpdb->query( $query );
+                // ---------------------------------------------------------
+                // Update Username on Multisite
+                // ---------------------------------------------------------
+                if( is_multisite() )
+                {
+                    $super_admins = (array) get_site_option( 'site_admins', array( 'admin' ) );
+                    $array_key = array_search( $current_username, $super_admins );
+                    if( $array_key )
+                    {
                         $body = str_replace( [ '{{first_name}}', '{{last_name}}', '{{display_name}}', '{{full_name}}', '{{old_username}}', '{{new_username}}' ], [ $user->first_name, $user->last_name, $user->display_name, $user->first_name . ' ' . $user->last_name, $current_username, $new_username ], $body );
+                        $;
+                    }
+                    $headers = array( 'Content-Type: text/html; charset=UTF-8' );
+                    foreach ( $to as $email )
+                    {
+                        wp_mail( $email, $subject, $body, $headers );
+                    }
+                }
+            }
+            // ---------------------------------------------------------
+            // Change / Update nicename if == username
+            // ---------------------------------------------------------
+            $query = $wpdb->prepare( "UPDATE $wpdb->users SET user_nicename = %s WHERE user_login = %s AND user_nicename = %s", $new_username, $new_username, $current_username );
+            $wpdb->query( $query );
+            // ---------------------------------------------------------
+            // Change / Update display name if == username
+            // ---------------------------------------------------------
+            $query  = $wpdb->prepare( "UPDATE $wpdb->users SET display_name = %s WHERE user_login = %s AND display_name = %s", $new_username, $new_username, $current_username );
+            $wpdb->query( $query );
+            // ---------------------------------------------------------
+            // Update Username on Multisite
+            // ---------------------------------------------------------
+            if( is_multisite() )
+                    update_site_option( 'site_admins' , $super_admins );
+                }
+            }
+            else
+            {
+                $super_admins = (array) get_site_option( 'site_admins', array( 'admin' ) );
+                $array_key = array_search( $current_username, $super_admins );
+                if( $array_key )
+                {
+                    $super_admins[ $array_key ] = $new_username;
+                }
+                update_site_option( 'site_admins' , $super_admins );
+                $response['alert_message'] =  __( 'Nonce verification failed.', 'wp-edit-username' );
+            }

wp-edit-username/trunk/admin/ajax-handler.php

-                      r2721337
+                      r3048298
 function wpeu_update_user_name()
+{
+    // ---------------------------------------------------------
+    // Check if current_user_can() functions exists in this scope
+    // ---------------------------------------------------------
+    if( ! function_exists( 'wp_get_current_user' ) )
+    if( ! current_user_can( 'edit_users' ) ) die();
+    if ( isset( $_POST['wp_edit_username_nonce'] ) && wp_verify_nonce( $_POST['wp_edit_username_nonce'], 'wp_edit_username_action' ) )
+    {
+        include( ABSPATH . "wp-includes/pluggable.php" );
+    }
+        $new_username       = sanitize_user( $_POST['new_username'] );
+        $current_username   = sanitize_user( $_POST['current_username'] );
+    if( ! current_user_can( 'edit_users' ) )
+    {
+        return;
+    }
+        $response           = array();
     $_POST = array_map( 'trim', array_map( 'strip_tags', $_POST ) );
+);
+    extract( $_POST );
+        // ---------------------------------------------------------
+        // check if new_username is empty
+        // ---------------------------------------------------------
+        if( empty( $new_username ) || empty( $current_username ) )
+        {
+            $response['alert_message'] = __( 'Username Can Not be Empty!', 'wp-edit-username' );
+            wp_send_json( $response ); die();
+        }
+    $response = array();
+        // ---------------------------------------------------------
+        // Check if username consists invalid illegal character
+        // ---------------------------------------------------------
+        if( ! validate_username( $new_username ) )
+        {
+            $response['alert_message'] = __( 'Username can not have illegal characters', 'wp-edit-username' );
+            wp_send_json( $response ); die();
+        }
+    // ---------------------------------------------------------
+    // check if new_username is empty
+    // ---------------------------------------------------------
+    if( empty( $new_username ) || empty( $current_username ) )
+    {
+        $response['alert_message'] = __( 'Username Can Not be Empty!' );
+        // ---------------------------------------------------------
+        // Filters the list of blacklisted usernames.
+        //
+        // @https://developer.wordpress.org/reference/hooks/illegal_user_logins/
+        // ---------------------------------------------------------
+        $illegal_user_logins = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );
+        if ( in_array( $new_username, $illegal_user_logins ) )
+        {
+            $response['alert_message'] =  __( 'Sorry, that username is not allowed.', 'wp-edit-username' );
+            wp_send_json( $response ); die();
+        }
+        // ---------------------------------------------------------
+        // If $new_username already registered
+        // ---------------------------------------------------------
+        if( username_exists( $new_username ) )
+        {
+            $response['alert_message'] =  __( 'Sorry, that username already exists and not available.', 'wp-edit-username' );
+            wp_send_json( $response ); die();
+        }
+        global $wpdb;
+        // ---------------------------------------------------------
+        // Change / Update Username With old one
+        // ---------------------------------------------------------
+        $query  = $wpdb->prepare( "UPDATE $wpdb->users SET user_login = %s WHERE user_login = %s", $new_username, $current_username );
+        wp_send_json( $response ); die();
+    }
+    // ---------------------------------------------------------
+    // Check if username consists invalid illegal character
+    // ---------------------------------------------------------
+    if( ! validate_username( $new_username ) )
+    {
+        $response['alert_message'] = __( 'Username can not have illegal characters' );
+        wp_send_json( $response ); die();
+    }
+    // ---------------------------------------------------------
+    // Filters the list of blacklisted usernames.
+    //
+    // @https://developer.wordpress.org/reference/hooks/illegal_user_logins/
+    // ---------------------------------------------------------
+    $illegal_user_logins = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );
+    if ( in_array( $new_username, $illegal_user_logins ) )
+    {
+        $response['alert_message'] =  __( 'Sorry, that username is not allowed.' );
+        wp_send_json($response); die();
+    }
+    // ---------------------------------------------------------
+    // If $new_username already registered
+    // ---------------------------------------------------------
+    if( username_exists( $new_username ) )
+    {
+        $response['alert_message'] =  __( 'Sorry, that username already exists and not available.' );
+        wp_send_json( $response ); die();
+    }
+    global $wpdb;
+    // ---------------------------------------------------------
+    // Change / Update Username With old one
+    // ---------------------------------------------------------
+    $query  = $wpdb->prepare( "UPDATE $wpdb->users SET user_login = %s WHERE user_login = %s", $new_username, $current_username );
+    $result = $wpdb->query( $query );
+    if ( $result > 0 )
+    {
+        $response['success_message'] =  sprintf( 'Username Updated from <code>%s</code> to <code>%s</code>.', $current_username, $new_username );
+        $result = $wpdb->query( $query );
         $options = get_option( 'wpeu_register_settings_fields' );
         if ( $options['wpeu_send_email_field'] == 'on' )
+        if ( $ )
+        {
             $email = $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM $wpdb->users WHERE user_login = %s", $new_username ) );
+            $ );
+            if ( $options['wpeu_email_receiver_field'] == 'admin_only' )
+            {
+                $to = array( $email );
+            }
+            elseif ( $options['wpeu_email_receiver_field'] == 'admin_user' )
+            if ( isset( $options['wpeu_send_email_field'] ) && $options['wpeu_send_email_field'] == 'on' )
+            {
+                $to = array( $email );
+                $admins = get_users( 'role=Administrator' );
+                foreach ( $admins as $admin )
+                $user_email = $wpdb->get_var( $wpdb->prepare( "SELECT user_email FROM $wpdb->users WHERE user_login = %s", $new_username ) );
+                if ( isset( $options['wpeu_email_receiver_field'] ) )
+                {
+                    if ( $options['wpeu_email_receiver_field'] == 'user_only' )
+                    {
+                        $to         = array( sanitize_email( $user_email ) );
+                    }
+                    elseif ( $options['wpeu_email_receiver_field'] == 'admin_only' )
+                    {
+                        $to         = array();
+                        $admins     = get_users( 'role=Administrator' );
+                        foreach ( $admins as $admin )
+                        {
+                            $to[]   = sanitize_email( $admin->user_email );
+                        }
+                    }
+                    elseif ( $options['wpeu_email_receiver_field'] == 'admin_user' )
+                    {
+                        $to         = array( sanitize_email( $user_email ) );
+                        $admins     = get_users( 'role=Administrator' );
+                        foreach ( $admins as $admin )
+                        {
+                            $to[]   = sanitize_email( $admin->user_email );
+                        }
+                    }
+                }
+                $subject = apply_filters( 'wp_username_changed_email_subject', $subject = $options['wpeu_email_subject_field'], $old_username, $new_username );
+                $body    = apply_filters( 'wp_username_changed_email_body', $body = $options['wpeu_email_body_field'], $old_username, $new_username );
+                $user    = get_user_by( 'login', $new_username );
+                if( $user )
+                {
+                    $to[] = $admin->user_email;
+                    $body = str_replace( [ '{{first_name}}', '{{last_name}}', '{{display_name}}', '{{full_name}}', '{{old_username}}', '{{new_username}}' ], [ $user->first_name, $user->last_name, $user->display_name, $user->first_name . ' ' . $user->last_name, $current_username, $new_username ], $body );
+                }
+                $headers = array( 'Content-Type: text/html; charset=UTF-8' );
+                foreach ( $to as $email )
+                {
+                    wp_mail( $email, $subject, $body, $headers );
+                }
+            }
+            $subject = apply_filters( "wp_username_changed_email_subject", $subject = $options['wpeu_email_subject_field'] );
+        // ---------------------------------------------------------
+        // Change / Update nicename if == username
+        // ---------------------------------------------------------
+        $query = $wpdb->prepare( "UPDATE $wpdb->users SET user_nicename = %s WHERE user_login = %s AND user_nicename = %s", $new_username, $new_username, $current_username );
+        $wpdb->query( $query );
+            $body = apply_filters( "wp_username_changed_email_body", $body = $options['wpeu_email_body_field'] );
+        // ---------------------------------------------------------
+        // Change / Update display name if == username
+        // ---------------------------------------------------------
+        $query  = $wpdb->prepare( "UPDATE $wpdb->users SET display_name = %s WHERE user_login = %s AND display_name = %s", $new_username, $new_username, $current_username );
+        $wpdb->query( $query );
+        // ---------------------------------------------------------
+        // Update Username on Multisite
+        // ---------------------------------------------------------
+        if( is_multisite() )
+        {
+            $super_admins = (array) get_site_option( 'site_admins', array( 'admin' ) );
             $body .= __( " Old Username was : $old_username .\nNew Username is : $new_username" );
+            $ );
+            $headers = array( 'Content-Type: text/html; charset=UTF-8' );
+            foreach ( $to as $email )
+            if( $array_key )
+            {
                 wp_mail( $email, $subject, $body, $headers );
+                ;
+            }
+        }
+    }
+    // ---------------------------------------------------------
+    // Change / Update nicename if == username
+    // ---------------------------------------------------------
+    $query = $wpdb->prepare( "UPDATE $wpdb->users SET user_nicename = %s WHERE user_login = %s AND user_nicename = %s", $new_username, $new_username, $current_username );
+    $wpdb->query( $query );
+    // ---------------------------------------------------------
+    // Change / Update display name if == username
+    // ---------------------------------------------------------
+    $query  = $wpdb->prepare( "UPDATE $wpdb->users SET display_name = %s WHERE user_login = %s AND display_name = %s", $new_username, $new_username, $current_username );
+    $wpdb->query( $query );
+    // ---------------------------------------------------------
+    // Update Username on Multisite
+    // ---------------------------------------------------------
+    if( is_multisite() )
+    else
+    {
+        $super_admins = (array) get_site_option( 'site_admins', array( 'admin' ) );
+        $array_key = array_search( $current_username, $super_admins );
+        if( $array_key )
+        {
+            $super_admins[ $array_key ] = $new_username;
+        }
+        update_site_option( 'site_admins' , $super_admins );
+        $response['alert_message'] =  __( 'Nonce verification failed.', 'wp-edit-username' );
+    }

wp-edit-username/trunk/admin/js/script.js

-                      r2721335
+                      r3048298
     var $wpeu_new_username = $( "#wpeu_new_username" );
     var $wpeu_message = $( "#wpeu_message" );
 …
+        {
             action : 'wpeu_update_user_name',
             current_username : $input.val(),

wp-edit-username/trunk/admin/modal.php

r2735092	r3048298
20	20	</div>
21	21	<input type="text" class="form-control" id="wpeu_new_username" placeholder="<?php echo __( 'New Username' ); ?>" aria-label="Username" aria-describedby="basic-addon1">
	22
	23
22	24	</div>
23	25	</div>

wp-edit-username/trunk/includes/settings.php

-                      r2735092
+                      r3048298
     $options = get_option( 'wpeu_register_settings_fields' );
     $options['wpeu_send_email_field'] = trim( $arr_input['wpeu_send_email_field'] );
+    $options['wpeu_send_email_field'] = ( $arr_input['wpeu_send_email_field'] );
     $options['wpeu_email_receiver_field'] = trim( $arr_input['wpeu_email_receiver_field'] );
+    $options['wpeu_email_receiver_field'] = ( $arr_input['wpeu_email_receiver_field'] );
     $options['wpeu_email_subject_field'] = trim( $arr_input['wpeu_email_subject_field'] );
+    $options['wpeu_email_subject_field'] = ( $arr_input['wpeu_email_subject_field'] );
     $options['wpeu_email_body_field'] = trim( $arr_input['wpeu_email_body_field'] );
+    $options['wpeu_email_body_field'] = ( $arr_input['wpeu_email_body_field'] );
     return $options;
 …
     $options = get_option( 'wpeu_register_settings_fields' ); ?>
     <input type="text" class="widefat" name="wpeu_register_settings_fields[wpeu_email_subject_field]" value="<?php if ( isset( $options['wpeu_email_subject_field'] ) ){ echo $options['wpeu_email_subject_field']; } else { echo 'subject'; } ?>" />
+    <input type="text" class="widefat" name="wpeu_register_settings_fields[wpeu_email_subject_field]" value="<?php if ( isset( $options['wpeu_email_subject_field'] ) ){ echo ; } else { echo 'subject'; } ?>" />
 <?php }
 …
     $options = get_option( 'wpeu_register_settings_fields' ); ?>
     <textarea class="widefat" style="min-height: 150px;" name="wpeu_register_settings_fields[wpeu_email_body_field]" ><?php if ( isset( $options['wpeu_email_body_field'] ) ){ echo $options['wpeu_email_body_field']; } else { echo 'Your Username has been changed'; } ?></textarea>
+    <textarea class="widefat" style="min-height: 150px;" name="wpeu_register_settings_fields[wpeu_email_body_field]" ><?php if ( isset( $options['wpeu_email_body_field'] ) ){ echo ; } else { echo 'Your Username has been changed'; } ?></textarea>
 <?php }

wp-edit-username/trunk/readme.txt

r3047088	r3048298
3	3	Tags: user,user-profile,profile-edit,edit,ajax,update,change-username,username
4	4	Requires at least: 5.6
5		Tested up to: 6.3
	5	Tested up to: 6.
6	6	Stable tag: 1.0.6
7	7	License: GPLv2

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Download in other formats: