Fix an authenticated (Contributor) SQL Injection issue

Author: winkm89

core/class-db-helpers.php

@@ -220,7 +220,7 @@ public static function get_db_index ($db_name) {
      * @since 9.0.8
      */
     public static function validate_qualifier ($input, $default = '') {
-        if ( preg_match("#^[a-zA-Z0-9 \.,_\]]+$#", $input) ) {
+        if ( preg_match("#^[a-zA-Z0-9 \.,`_\]]+$#", $input) ) {
             return $input;
         } else {
             return $default;

core/class-db-options.php

@@ -99,7 +99,8 @@ function get_tp_option($var, $category = 'system') {
  */
 function get_tp_options($category, $order = "`setting_id` DESC", $output_type = OBJECT) {
     global $wpdb;
-    $order = esc_sql($order);
+    
+    $order = TP_DB_Helpers::validate_qualifier($order);
     $result = $wpdb->get_results( 
         $wpdb->prepare( "SELECT * FROM " . TEACHPRESS_SETTINGS . " WHERE `category` = %s ORDER BY " . $order,  $category ), $output_type
 

core/class-update.php

@@ -895,8 +895,8 @@ private static function rename_table($oldname, $newname) {
 
         global $wpdb;
         // Check if the old table exists
-        if( $wpdb->get_var("SHOW TABLES LIKE '" . esc_sql($oldname) . "'") == esc_sql($oldname) ) {
-            $wpdb->query('RENAME TABLE ' . esc_sql($oldname) . ' TO ' . esc_sql($newname) . '');
+        if( $wpdb->get_var("SHOW TABLES LIKE '" . TP_DB_Helpers::validate_qualifier($oldname) . "'") == TP_DB_Helpers::validate_qualifier($oldname) ) {
+            $wpdb->query('RENAME TABLE ' . TP_DB_Helpers::validate_qualifier($oldname) . ' TO ' . TP_DB_Helpers::validate_qualifier($newname) . '');
             return true;
         }
         return false;

readme.txt

@@ -6,7 +6,7 @@ License URI: https://www.gnu.org/licenses/gpl-2.0.html
 Requires at least: 3.9
 Tested up to: 6.7.2
 Requires PHP: 7.0
-Stable tag: 9.0.11
+Stable tag: 9.0.12
 
 Manage your publications with teachPress 
 
@@ -124,18 +124,21 @@ Please note the [teachPress 6.0 Upgrade Information](https://mtrv.wordpress.com/
 
 == Changelog ==
 
+= 9.0.12 =
+* Bugfix: Fix an authenticated (Contributor) SQL Injection issue
+
 = 9.0.11 (22.03.2025) =
 * Bugfix: Change used gettext functions
 
 = 9.0.10 (20.03.2025) =
-* Bugfix: Fixes another CSRF vulnerability in tp import dialog
+* Bugfix: Fixes another CSRF vulnerability in tp import dialog (CVE-2025-1320) (Thanks to Krzysztof Zając for reporting)
 
 = 9.0.9 (11.03.2025)
 * Bugfix: Fix space handling in bibtex keys within publication exists check (#267)
 * Bugfix: Unknown column 'r.name' in 'where clause' error in function TP:Authors::get_authors() (#262)
 
 = 9.0.8 (25.02.2025) =
-* Bugfix: Fix an authenticated (Contributor) SQL Injection issue (Thanks to truonghuuphuc for reporting)
+* Bugfix: Fix an authenticated (Contributor) SQL Injection issue (CVE-2025-1321	) (Thanks to Krzysztof Zając for reporting)
 
 = 9.0.7 (18.01.2025) =
 * New: Meta keys search to shortcodes added (Thanks to Juma7C9) (#259)

teachpress.php

@@ -5,7 +5,7 @@
  * Description:         Powerful publication management for WordPress
  * Author:              Michael Winkler
  * Author URI:          http://mtrv.wordpress.com/
- * Version:             9.0.11
+ * Version:             9.0.12
  * Requires at least:   3.9
  * Text Domain:         teachpress
  * Domain Path:         /languages
@@ -219,7 +219,7 @@ function tp_show_screen_options($current, $screen) {
  * @return string
  */
 function get_tp_version() {
-    return '9.0.11';
+    return '9.0.12';
 }
 
 /**