Changeset 3465101

Timestamp:

02/19/2026 12:56:55 PM (3 months ago)

Author:

PierreLannoy

Message:

MailArchiver 4.5.0 released from GitHub

Location:

mailarchiver

Files:

• tags/4.5.0 (copied) (copied from mailarchiver/trunk)
• tags/4.5.0/CHANGELOG.md (modified) (1 diff)
• tags/4.5.0/admin/class-mailarchiver-admin.php (modified) (4 diffs)
• tags/4.5.0/includes/system/class-form.php (modified) (2 diffs)
• tags/4.5.0/init.php (modified) (1 diff)
• tags/4.5.0/mailarchiver.php (modified) (1 diff)
• tags/4.5.0/readme.txt (modified) (1 diff)
• trunk/CHANGELOG.md (modified) (1 diff)
• trunk/admin/class-mailarchiver-admin.php (modified) (4 diffs)
• trunk/includes/system/class-form.php (modified) (2 diffs)
• trunk/init.php (modified) (1 diff)
• trunk/mailarchiver.php (modified) (1 diff)
• trunk/readme.txt (modified) (1 diff)

mailarchiver/tags/4.5.0/CHANGELOG.md

@@ -3 +3 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and **MailArchiver** adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [4.5.0] - 2026-02-19
+
+### Changed
+- Once an encryption key has been defined for an archiver, it can no longer be modified.
+
+### Fixed
+- [SEC006] Authenticated (Administrator+) Stored XSS vulnerability in the key encryption field / [CVE-2026-2721](https://www.cve.org/CVERecord?id=CVE-2026-2721) (thanks to Ronnachai Chaipha (rxnr) via [Wordfence](https://www.wordfence.com)).
 
 ## [4.4.0] - 2026-01-14

mailarchiver/tags/4.5.0/admin/class-mailarchiver-admin.php

@@ -70 +70 @@
      */
     protected $current_view = null;
+
+    /**
+     * Password already set "flag".
+     *
+     * @since  4.5.0
+     * @var    string    $password_set    The "flag".
+     */
+    private $password_set = 'password already set';
 
     /**
@@ -576 +584 @@
                     $this->current_archiver['privacy']['mailanonymization'] = ( array_key_exists( 'mailarchiver_archiver_privacy_mail', $_POST ) ? true : false );
                     $this->current_archiver['security']['xss']              = ( array_key_exists( 'mailarchiver_archiver_security_xss', $_POST ) ? true : false );
-                    $this->current_archiver['privacy']['encryption']        = ( array_key_exists( 'mailarchiver_archiver_privacy_encryption', $_POST ) ? Secret::set( filter_input( INPUT_POST, 'mailarchiver_archiver_privacy_encryption', FILTER_UNSAFE_RAW ) ) : '' );
-                    $this->current_archiver['processors']                   = [];
+                    if ( array_key_exists( 'mailarchiver_archiver_privacy_encryption', $_POST ) ) {
+                        $key = filter_input( INPUT_POST, 'mailarchiver_archiver_privacy_encryption', FILTER_UNSAFE_RAW );
+                        if ( $key !== $this->password_set) {
+                            $this->current_archiver['privacy']['encryption'] = Secret::set( $key );
+                        }
+                    } else {
+                        $this->current_archiver['privacy']['encryption'] = '';
+                    }
+                    $this->current_archiver['processors'] = [];
                     $proc = new ProcessorTypes();
                     foreach ( array_reverse( $proc->get_all() ) as $processor ) {
@@ -1104 +1119 @@
         );
         register_setting( 'mailarchiver_archiver_privacy_section', 'mailarchiver_archiver_privacy_mail' );
-        if ( PwdProtect::is_available() ) {
-            $description  = esc_html__( 'Note: this is NOT a strong security feature; it\'s just a simple way to protect privacy in case of data leaks from external services. Think about it as a simple "password protection", with the password stored in plain text in your WordPress database.', 'mailarchiver' );
-            $description .= '<br/>' . esc_html__( 'Encryption used:', 'mailarchiver' ) . ' ' . PwdProtect::get_encryption_details();
+
+
+        if ( '' === $this->current_archiver['privacy']['encryption'] ) {
+            if ( PwdProtect::is_available() ) {
+                $description  = esc_html__( 'Note: this is NOT a strong security feature; it\'s just a simple way to protect privacy in case of data leaks from external services. Think about it as a simple "password protection", with the password stored in plain text in your WordPress database.', 'mailarchiver' );
+                $description .= '<br/>' . esc_html__( 'Encryption used:', 'mailarchiver' ) . ' ' . PwdProtect::get_encryption_details();
+            } else {
+                $description = esc_html__( 'Your server does not have OpenSSL installed. Mail body encryption is unavailable.', 'mailarchiver' );
+            }
+            $description = esc_html__( 'Key used to encrypt mail body: once set, you can\'t change it. Let blank to not encrypt it.', 'mailarchiver' ) . '<br/>' . $description;
+            $enabled = PwdProtect::is_available();
+            $value = PwdProtect::is_available() ? Secret::get( $this->current_archiver['privacy']['encryption'] ) : '';
+            $readonly = false;
         } else {
-            $description = esc_html__( 'Your server does not have OpenSSL installed. Mail body encryption is unavailable.', 'mailarchiver' );
+            $description = esc_html__( 'The key is already set. You can\'t change it.', 'mailarchiver' );
+            $enabled = true;
+            $readonly = true;
+            $value = $this->password_set;
         }
         add_settings_field(
@@ -1118 +1146 @@
             [
                 'id'          => 'mailarchiver_archiver_privacy_encryption',
-                'value'       => PwdProtect::is_available() ? Secret::get( $this->current_archiver['privacy']['encryption'] ) : '',
-                'description' => esc_html__( 'Key used to encrypt mail body. Let blank to not encrypt it.', 'mailarchiver' ) . '<br/>' . $description,
-                'full_width'  => false,
-                'enabled'     => PwdProtect::is_available(),
+                'value'       => $value,
+                'description' => $description,
+                'full_width'  => false,
+                'enabled'     => $enabled,
+                'readonly'    => $readonly,
             ]
         );

mailarchiver/tags/4.5.0/includes/system/class-form.php

@@ -114 +114 @@
      * @param   string  $description    Optional. A description to display.
      * @param   boolean $full_width     Optional. Is the control full width?
-     * @param   boolean $enabled     Optional. Is the control enabled?
+     * @param   boolean $enabled        Optional. Is the control enabled?
+     * @param   boolean $readonly       Optional. Is the control readonly?
      * @return  string The HTML string ready to print.
      * @since   1.0.0
      */
-    public function field_input_password( $id, $value = '', $description = null, $full_width = true, $enabled = true ) {
-        if ( $full_width ) {
-            $width = ' style="width:100%;"';
-        } else {
-            $width = '';
-        }
-        $html = '<input' . ( $enabled ? '' : ' disabled' ) . ' name="' . $id . '" type="password" id="' . $id . '" value="' . $value . '"' . $width . '/>';
+    public function field_input_password( $id, $value = '', $description = null, $full_width = true, $enabled = true, $readonly = false ) {
+        if ( $full_width ) {
+            $width = ' style="width:100%;"';
+        } else {
+            $width = '';
+        }
+        $html = '<input' . ( $enabled ? '' : ' disabled' ) . ' name="' . $id . '" type="password" id="' . $id . '" value="' . $value . '"' . $width . ' ' . ( $readonly ? 'readonly' : '' ) . '/>';
         if ( isset( $description ) ) {
             $html .= '<p class="description">' . $description . '</p>';
@@ -138 +139 @@
      */
     public function echo_field_input_password( $args ) {
-        echo $this->field_input_password( $args['id'], $args['value'], $args['description'], $args['full_width'], $args['enabled'] );
+        echo $this->field_input_password( $args['id'], $args['value'], $args['description'], $args['full_width'], $args['enabled'], $args['readonly'] ?? false );
     }
 

mailarchiver/tags/4.5.0/init.php

@@ -13 +13 @@
 define( 'MAILARCHIVER_PRODUCT_ABBREVIATION', 'mailarchiver' );
 define( 'MAILARCHIVER_SLUG', 'mailarchiver' );
-define( 'MAILARCHIVER_VERSION', '4.4.0' );
+define( 'MAILARCHIVER_VERSION', '4.5.0' );
 define( 'MAILARCHIVER_MONOLOG_VERSION', '2.9.3' );
 define( 'MAILARCHIVER_CODENAME', '"-"' );

mailarchiver/tags/4.5.0/mailarchiver.php

@@ -11 +11 @@
  * Plugin URI:        https://perfops.one/mailarchiver
  * Description:       Automatically archive and store all emails sent from your site.
- * Version:           4.4.0
+ * Version:           4.5.0
  * Requires at least: 6.2
  * Requires PHP:      8.1

mailarchiver/tags/4.5.0/readme.txt

@@ -5 +5 @@
 Requires PHP: 8.1
 Tested up to: 6.9
-Stable tag: 4.4.0
+Stable tag: 4.5.0
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html

mailarchiver/trunk/CHANGELOG.md

@@ -3 +3 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and **MailArchiver** adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [4.5.0] - 2026-02-19
+
+### Changed
+- Once an encryption key has been defined for an archiver, it can no longer be modified.
+
+### Fixed
+- [SEC006] Authenticated (Administrator+) Stored XSS vulnerability in the key encryption field / [CVE-2026-2721](https://www.cve.org/CVERecord?id=CVE-2026-2721) (thanks to Ronnachai Chaipha (rxnr) via [Wordfence](https://www.wordfence.com)).
 
 ## [4.4.0] - 2026-01-14

mailarchiver/trunk/admin/class-mailarchiver-admin.php

@@ -70 +70 @@
      */
     protected $current_view = null;
+
+    /**
+     * Password already set "flag".
+     *
+     * @since  4.5.0
+     * @var    string    $password_set    The "flag".
+     */
+    private $password_set = 'password already set';
 
     /**
@@ -576 +584 @@
                     $this->current_archiver['privacy']['mailanonymization'] = ( array_key_exists( 'mailarchiver_archiver_privacy_mail', $_POST ) ? true : false );
                     $this->current_archiver['security']['xss']              = ( array_key_exists( 'mailarchiver_archiver_security_xss', $_POST ) ? true : false );
-                    $this->current_archiver['privacy']['encryption']        = ( array_key_exists( 'mailarchiver_archiver_privacy_encryption', $_POST ) ? Secret::set( filter_input( INPUT_POST, 'mailarchiver_archiver_privacy_encryption', FILTER_UNSAFE_RAW ) ) : '' );
-                    $this->current_archiver['processors']                   = [];
+                    if ( array_key_exists( 'mailarchiver_archiver_privacy_encryption', $_POST ) ) {
+                        $key = filter_input( INPUT_POST, 'mailarchiver_archiver_privacy_encryption', FILTER_UNSAFE_RAW );
+                        if ( $key !== $this->password_set) {
+                            $this->current_archiver['privacy']['encryption'] = Secret::set( $key );
+                        }
+                    } else {
+                        $this->current_archiver['privacy']['encryption'] = '';
+                    }
+                    $this->current_archiver['processors'] = [];
                     $proc = new ProcessorTypes();
                     foreach ( array_reverse( $proc->get_all() ) as $processor ) {
@@ -1104 +1119 @@
         );
         register_setting( 'mailarchiver_archiver_privacy_section', 'mailarchiver_archiver_privacy_mail' );
-        if ( PwdProtect::is_available() ) {
-            $description  = esc_html__( 'Note: this is NOT a strong security feature; it\'s just a simple way to protect privacy in case of data leaks from external services. Think about it as a simple "password protection", with the password stored in plain text in your WordPress database.', 'mailarchiver' );
-            $description .= '<br/>' . esc_html__( 'Encryption used:', 'mailarchiver' ) . ' ' . PwdProtect::get_encryption_details();
+
+
+        if ( '' === $this->current_archiver['privacy']['encryption'] ) {
+            if ( PwdProtect::is_available() ) {
+                $description  = esc_html__( 'Note: this is NOT a strong security feature; it\'s just a simple way to protect privacy in case of data leaks from external services. Think about it as a simple "password protection", with the password stored in plain text in your WordPress database.', 'mailarchiver' );
+                $description .= '<br/>' . esc_html__( 'Encryption used:', 'mailarchiver' ) . ' ' . PwdProtect::get_encryption_details();
+            } else {
+                $description = esc_html__( 'Your server does not have OpenSSL installed. Mail body encryption is unavailable.', 'mailarchiver' );
+            }
+            $description = esc_html__( 'Key used to encrypt mail body: once set, you can\'t change it. Let blank to not encrypt it.', 'mailarchiver' ) . '<br/>' . $description;
+            $enabled = PwdProtect::is_available();
+            $value = PwdProtect::is_available() ? Secret::get( $this->current_archiver['privacy']['encryption'] ) : '';
+            $readonly = false;
         } else {
-            $description = esc_html__( 'Your server does not have OpenSSL installed. Mail body encryption is unavailable.', 'mailarchiver' );
+            $description = esc_html__( 'The key is already set. You can\'t change it.', 'mailarchiver' );
+            $enabled = true;
+            $readonly = true;
+            $value = $this->password_set;
         }
         add_settings_field(
@@ -1118 +1146 @@
             [
                 'id'          => 'mailarchiver_archiver_privacy_encryption',
-                'value'       => PwdProtect::is_available() ? Secret::get( $this->current_archiver['privacy']['encryption'] ) : '',
-                'description' => esc_html__( 'Key used to encrypt mail body. Let blank to not encrypt it.', 'mailarchiver' ) . '<br/>' . $description,
-                'full_width'  => false,
-                'enabled'     => PwdProtect::is_available(),
+                'value'       => $value,
+                'description' => $description,
+                'full_width'  => false,
+                'enabled'     => $enabled,
+                'readonly'    => $readonly,
             ]
         );

mailarchiver/trunk/includes/system/class-form.php

@@ -114 +114 @@
      * @param   string  $description    Optional. A description to display.
      * @param   boolean $full_width     Optional. Is the control full width?
-     * @param   boolean $enabled     Optional. Is the control enabled?
+     * @param   boolean $enabled        Optional. Is the control enabled?
+     * @param   boolean $readonly       Optional. Is the control readonly?
      * @return  string The HTML string ready to print.
      * @since   1.0.0
      */
-    public function field_input_password( $id, $value = '', $description = null, $full_width = true, $enabled = true ) {
-        if ( $full_width ) {
-            $width = ' style="width:100%;"';
-        } else {
-            $width = '';
-        }
-        $html = '<input' . ( $enabled ? '' : ' disabled' ) . ' name="' . $id . '" type="password" id="' . $id . '" value="' . $value . '"' . $width . '/>';
+    public function field_input_password( $id, $value = '', $description = null, $full_width = true, $enabled = true, $readonly = false ) {
+        if ( $full_width ) {
+            $width = ' style="width:100%;"';
+        } else {
+            $width = '';
+        }
+        $html = '<input' . ( $enabled ? '' : ' disabled' ) . ' name="' . $id . '" type="password" id="' . $id . '" value="' . $value . '"' . $width . ' ' . ( $readonly ? 'readonly' : '' ) . '/>';
         if ( isset( $description ) ) {
             $html .= '<p class="description">' . $description . '</p>';
@@ -138 +139 @@
      */
     public function echo_field_input_password( $args ) {
-        echo $this->field_input_password( $args['id'], $args['value'], $args['description'], $args['full_width'], $args['enabled'] );
+        echo $this->field_input_password( $args['id'], $args['value'], $args['description'], $args['full_width'], $args['enabled'], $args['readonly'] ?? false );
     }
 

mailarchiver/trunk/init.php

@@ -13 +13 @@
 define( 'MAILARCHIVER_PRODUCT_ABBREVIATION', 'mailarchiver' );
 define( 'MAILARCHIVER_SLUG', 'mailarchiver' );
-define( 'MAILARCHIVER_VERSION', '4.4.0' );
+define( 'MAILARCHIVER_VERSION', '4.5.0' );
 define( 'MAILARCHIVER_MONOLOG_VERSION', '2.9.3' );
 define( 'MAILARCHIVER_CODENAME', '"-"' );

mailarchiver/trunk/mailarchiver.php

@@ -11 +11 @@
  * Plugin URI:        https://perfops.one/mailarchiver
  * Description:       Automatically archive and store all emails sent from your site.
- * Version:           4.4.0
+ * Version:           4.5.0
  * Requires at least: 6.2
  * Requires PHP:      8.1

mailarchiver/trunk/readme.txt

@@ -5 +5 @@
 Requires PHP: 8.1
 Tested up to: 6.9
-Stable tag: 4.4.0
+Stable tag: 4.5.0
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html