================================================================================
SENDPRESS SECURITY TODO LIST
================================================================================
Created: January 2026
Status:  Patchstack fixes READY FOR RELEASE

================================================================================
PHASE 1: IMMEDIATE RELEASE (Patchstack Fixes) - COMPLETED ✅
================================================================================

[x] CSRF in subscribe_to_list() - Fixed with nonce verification
    Caveat: for logged-out visitors wp_create_nonce() runs with user ID 0 and
            no session token, so every anonymous visitor gets the same nonce
            for the action, and a full-page cache can serve one that has
            already expired. The nonce still blocks blind cross-site posts;
            treat it as a form token, not as a per-user secret.
[x] Broken Access Control (bounce/cron API) - Fixed with webhook secret
[x] XSS in form attributes - Fixed with esc_attr() escaping
[x] Nonce added to non-AJAX forms
[x] Documentation created (PATCHSTACK-FIXES.txt)
[x] All PHP syntax validated
[x] Committed to branch: security/fix-xss-sqli-vulnerabilities

RELEASE STEPS:
[ ] Final testing on staging environment
[ ] Merge branch to main/master
[ ] Update plugin version number
[ ] Create changelog entry
[ ] Deploy to production / WordPress.org

================================================================================
PHASE 2: FUTURE SECURITY IMPROVEMENTS (Post-Release)
================================================================================

CRITICAL:
[ ] Fix dynamic function call vulnerability
    File:  classes/public-views/class-sendpress-public-view-post.php
    Lines: 21-23
    Issue: call_user_func() with user-controlled class name
    Fix:   resolve the request value through a fixed allowlist (a map from
           request key to class name) and fail closed on anything else;
           request input must never reach call_user_func(), new $class or
           $obj->$method() directly.

HIGH:
[ ] Sanitize $_POST data in handle_unsubscribes()
    File:  classes/sc/class-sendpress-sc-forms.php
    Lines: 580-600
    Issue: Unsanitized data passed to database functions
    Fix:   wp_unslash() each field, sanitize it by type (sanitize_email(),
           absint(), sanitize_text_field()), validate (is_email()), and bind
           the values with $wpdb->prepare() instead of concatenating them
           into SQL.

[ ] Replace deprecated create_function() calls
    File:  sendpress.php
    Lines: 145, 148
    Issue: Deprecated in PHP 7.2, removed in PHP 8.0 (the call is a fatal
           "undefined function" error on PHP 8). It also compiles code from
           a string, so any value spliced into that string runs as PHP.
    Fix:   closures, capturing values with use ( $var ).

MEDIUM:
[ ] Refactor admin URL building to use add_query_arg() + esc_url()
    Files: 20+ instances across codebase
    Issue: URLs built by string concatenation instead of proper WP functions
    Example files:
    - classes/views/class-sendpress-view-emails-send-confirm.php
    - classes/class-sendpress-emails-table.php
    - classes/class-sendpress-queue-table.php
    - classes/class-sendpress-lists-table.php
    - sendpress.php
    Current:
      href="?page=' . esc_attr($page) . '&view=send&emailID=' . intval($id)
    Should be:
      esc_url(add_query_arg(['page'=>$page, 'view'=>'send', 'emailID'=>$id], admin_url('admin.php')))
    Notes: add_query_arg() does not URL-encode values, so rawurlencode()
           anything that can contain '&', '+' or spaces, and keep
           intval()/absint() on IDs. Links that trigger an action (send,
           delete) should be wrapped in wp_nonce_url() so the handler can
           check_admin_referer() with the same action.

[ ] Add esc_html() to form labels
    File:  classes/sc/class-sendpress-sc-forms.php
    Lines: 444, 446, 453, 455, 462, 464, 471, 473

[ ] Review unserialize() usage for object injection
    File:  classes/class-sendpress-option.php
    Lines: 235-241
    Check: pass array('allowed_classes' => false) (PHP 7.0+) so a serialized
           object comes back as __PHP_Incomplete_Class with no __wakeup() or
           __destruct() executed, and reject the result if any object is
           present. maybe_unserialize() does not restrict classes, so it is
           no protection on its own.

LOW:
[ ] Standardize direct access protection (ABSPATH checks)
[ ] Separate public/private nonce values
[ ] Add HMAC signing to sensitive URLs
    (hash_hmac('sha256', ...) over the parameters plus an expiry, keyed with
    a per-site secret and verified with hash_equals(); needed for links that
    must work for logged-out recipients, where nonces do not fit)

================================================================================
NOTES
================================================================================

Branch with all fixes: security/fix-xss-sqli-vulnerabilities
Files modified: 46 total (Patchstack + earlier WPScan fixes)

Documentation files:
- PATCHSTACK-FIXES.txt          - Details on Patchstack vulnerability fixes
- SECURITY-FIXES.md             - Comprehensive security audit documentation
- SECURITY-AUDIT-ADDITIONAL.txt - Additional issues found for Phase 2

Webhook Secret Configuration:
After release, document how admins should set the 'webhook_secret' option to
secure the bounce/cron API endpoints. The endpoints must refuse requests while
the option is empty, compare the presented secret with hash_equals(), and
answer 403 on mismatch. Prefer passing the secret in a request header or the
POST body rather than the query string, so it stays out of access logs.

================================================================================
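Worked example for the Phase 1 CSRF fix and the HIGH handle_unsubscribes() item, added to this TODO list; it is not SendPress code. It shows the shape a hardened shortcode form and its handler take: nonce field and verification, wp_unslash() plus a type-specific sanitizer on every $_POST field, validation, and $wpdb->prepare() for the update. The table name sp_subscribers, the field and nonce names, and the 'unsubscribed' status value are assumptions made for illustration.

```php
<?php
// Added example, not SendPress code. Table name sp_subscribers, the field and
// nonce names, and the status value 'unsubscribed' are assumptions.

// Render the unsubscribe form. Attributes go through esc_attr(), visible text
// through esc_html(), and wp_nonce_field() emits the token the handler checks.
function example_render_unsubscribe_form( $list_id, $label ) {
    $list_id = absint( $list_id );
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( home_url( '/' ) ); ?>">
        <?php wp_nonce_field( 'sendpress_unsubscribe_' . $list_id, 'sendpress_unsub_nonce' ); ?>
        <input type="hidden" name="sendpress_action" value="unsubscribe">
        <input type="hidden" name="list_id" value="<?php echo esc_attr( $list_id ); ?>">
        <label>
            <?php echo esc_html( $label ); ?>
            <input type="email" name="email" required>
        </label>
        <button type="submit"><?php esc_html_e( 'Unsubscribe', 'sendpress' ); ?></button>
    </form>
    <?php
    return ob_get_clean();
}

// Handle the POST. Order matters: identify the action, verify the nonce,
// sanitize every field by type, validate, and only then touch the database.
function example_handle_unsubscribe() {
    global $wpdb;

    if ( ! isset( $_POST['sendpress_action'] ) || 'unsubscribe' !== $_POST['sendpress_action'] ) {
        return;
    }

    // wp_unslash() removes the slashes WordPress adds to request data; each
    // field then gets a sanitizer that matches its expected type.
    $list_id = isset( $_POST['list_id'] ) ? absint( wp_unslash( $_POST['list_id'] ) ) : 0;
    $email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $nonce   = isset( $_POST['sendpress_unsub_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['sendpress_unsub_nonce'] ) ) : '';

    // CSRF check. The nonce action includes the list ID, so a token issued for
    // one list cannot be replayed against another.
    if ( 0 === $list_id || ! wp_verify_nonce( $nonce, 'sendpress_unsubscribe_' . $list_id ) ) {
        wp_die( esc_html__( 'Invalid request.', 'sendpress' ), '', array( 'response' => 403 ) );
    }
    if ( ! is_email( $email ) ) {
        wp_die( esc_html__( 'Invalid email address.', 'sendpress' ), '', array( 'response' => 400 ) );
    }

    // Parameterized query: user values are bound by $wpdb->prepare(), never
    // concatenated into the SQL string. The table prefix is not user input.
    $table = $wpdb->prefix . 'sp_subscribers';
    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET status = %s WHERE email = %s AND list_id = %d",
            'unsubscribed',
            $email,
            $list_id
        )
    );

    // Same response whether or not a row matched, so the form cannot be used
    // to enumerate which addresses are subscribed.
    wp_safe_redirect( add_query_arg( 'sendpress_unsubscribed', '1', home_url( '/' ) ) );
    exit;
}
add_action( 'init', 'example_handle_unsubscribe' );
```

The redirect at the end is deliberate: returning a different page for "not subscribed" would turn the form into an address oracle.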
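Worked example for the CRITICAL call_user_func() item, added here and not taken from class-sendpress-public-view-post.php. The "before" function reconstructs the pattern the item describes; the "after" resolves the request value through a fixed map and fails closed. The class names in the map and the 'view' query parameter are assumptions.

```php
<?php
// Added example, not SendPress code. The class names in the map and the
// 'view' query parameter are assumptions.

// BEFORE (the pattern the CRITICAL item describes, reconstructed here, not the
// actual lines 21-23): the class name comes straight from the request, so
// ?view=<AnyClass> invokes AnyClass::render for any class the autoloader can
// reach, whether or not it was ever meant to be exposed.
function example_render_view_unsafe() {
    $class = isset( $_GET['view'] ) ? $_GET['view'] : 'SendPress_Public_View_Post';
    return call_user_func( array( $class, 'render' ) );
}

// AFTER: the request value is only a key into a fixed map. The class name
// itself never comes from the request, unknown keys fail closed, and the
// callable is checked before it is invoked. The same rule applies to
// new $class and $obj->$method(): the request may pick a key, never a name.
function example_render_view_safe() {
    $views = array(
        'post'        => 'SendPress_Public_View_Post',
        'unsubscribe' => 'SendPress_Public_View_Unsubscribe',
    );

    // sanitize_key() reduces the value to [a-z0-9_-], which is all a map key needs.
    $key = isset( $_GET['view'] ) ? sanitize_key( wp_unslash( $_GET['view'] ) ) : 'post';
    if ( ! array_key_exists( $key, $views ) ) {
        status_header( 404 );
        return '';
    }

    $class = $views[ $key ];
    if ( ! class_exists( $class ) || ! is_callable( array( $class, 'render' ) ) ) {
        status_header( 500 ); // misconfiguration, not a request error
        return '';
    }
    return call_user_func( array( $class, 'render' ) );
}
```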
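Worked example for the create_function() item, added here and not taken from sendpress.php. It contrasts the string-compiled callback with a closure that captures its value through use(), and shows how to keep the closure so it can still be removed with remove_filter(). The filter name and the 'sendpress_prefix' option are assumptions.

```php
<?php
// Added example, not SendPress code. The filter name and the option
// 'sendpress_prefix' are assumptions.

// BEFORE (pattern only, not the lines in sendpress.php): create_function()
// compiles a string into a function. It is gone in PHP 8.0, where the call is
// a fatal "undefined function" error, and any value spliced into the string is
// compiled as PHP, so a stored value is treated as code rather than data.
//
//   $prefix = get_option( 'sendpress_prefix' );
//   add_filter( 'the_title', create_function( '$title', 'return "' . $prefix . '" . $title;' ) );

// AFTER: a closure captures the value with use(). Nothing is compiled from a
// string, and $prefix stays data no matter what it contains.
function example_register_title_prefix( $prefix ) {
    $prefix = (string) $prefix;

    $prefix_title = function ( $title ) use ( $prefix ) {
        return $prefix . $title;
    };
    add_filter( 'the_title', $prefix_title, 10, 1 );

    // remove_filter() needs the same callable instance, so the closure is
    // returned to the caller instead of being created inline and lost.
    return $prefix_title;
}

// Usage: the option value is captured once, at registration time.
$sendpress_example_title_filter = example_register_title_prefix( get_option( 'sendpress_prefix', '' ) );

// Later, when the filter must be detached:
// remove_filter( 'the_title', $sendpress_example_title_filter, 10 );
```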
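Worked example for the MEDIUM URL-building item and the LOW HMAC-signing item, added here and not SendPress code. The first two functions build and check an admin link the way the "Should be" line above describes, with a nonce attached because the link triggers an action; the rest signs a public unsubscribe link with HMAC-SHA256 and an expiry, which is what the HMAC item calls for on links that must work for logged-out recipients. The option name sendpress_url_secret, the nonce action names and the query parameter names are assumptions.

```php
<?php
// Added example, not SendPress code. The option 'sendpress_url_secret', the
// nonce actions and the query parameter names are assumptions.

// Admin link: parameters are added by add_query_arg(), a nonce is attached
// because following the link triggers an action, and esc_url() escapes the
// result for the href attribute. add_query_arg() does not URL-encode values,
// so anything that may contain '&', '+' or spaces is rawurlencode()d first.
function example_send_confirm_link( $page, $email_id ) {
    $email_id = absint( $email_id );
    $url      = add_query_arg(
        array( 'page' => rawurlencode( $page ), 'view' => 'send', 'emailID' => $email_id ),
        admin_url( 'admin.php' )
    );
    return esc_url( wp_nonce_url( $url, 'sendpress_send_' . $email_id ) );
}

// The handler for that link checks the same nonce action before doing
// anything; check_admin_referer() dies with a 403 page on failure.
function example_check_send_confirm( $email_id ) {
    check_admin_referer( 'sendpress_send_' . absint( $email_id ) );
}

// Public links (an unsubscribe link inside an email) cannot use nonces: they
// must work for logged-out recipients and outlive a nonce tick. Instead the
// parameters are signed with HMAC-SHA256 under a per-site secret, carry an
// expiry, and are verified with hash_equals().
function example_url_secret() {
    $secret = get_option( 'sendpress_url_secret', '' );
    if ( ! is_string( $secret ) || '' === $secret ) {
        $secret = wp_generate_password( 64, true, true );
        update_option( 'sendpress_url_secret', $secret, false );
    }
    return $secret;
}

// Canonical string: fixed field order, newline-separated, built from the raw
// (unencoded, sanitized) values on both the signing and the verifying side.
function example_unsubscribe_canonical( $email, $list_id, $expires ) {
    return implode( "\n", array( 'unsubscribe', $email, (string) absint( $list_id ), (string) (int) $expires ) );
}

function example_signed_unsubscribe_url( $email, $list_id, $ttl = 30 * DAY_IN_SECONDS ) {
    $email   = sanitize_email( $email ); // same normalization the verifier applies
    $expires = time() + (int) $ttl;
    $sig     = hash_hmac( 'sha256', example_unsubscribe_canonical( $email, $list_id, $expires ), example_url_secret() );

    $url = add_query_arg(
        array(
            'sendpress_action' => 'unsubscribe',
            'email'            => rawurlencode( $email ), // '+' in addresses must survive
            'list_id'          => absint( $list_id ),
            'expires'          => $expires,
            'sig'              => $sig,
        ),
        home_url( '/' )
    );
    return esc_url( $url );
}

// Verify the query parameters of an incoming request ($_GET or equivalent).
// Returns the validated fields, or false on a missing field, expiry or bad MAC.
function example_verify_signed_unsubscribe( array $query ) {
    foreach ( array( 'email', 'list_id', 'expires', 'sig' ) as $key ) {
        if ( ! isset( $query[ $key ] ) ) {
            return false;
        }
    }
    $email   = sanitize_email( wp_unslash( $query['email'] ) );
    $list_id = absint( $query['list_id'] );
    $expires = (int) $query['expires'];
    $sig     = (string) wp_unslash( $query['sig'] );

    if ( $expires < time() ) {
        return false; // link has expired
    }
    $expected = hash_hmac( 'sha256', example_unsubscribe_canonical( $email, $list_id, $expires ), example_url_secret() );
    if ( ! hash_equals( $expected, $sig ) ) {
        return false; // parameters were altered, or signed under another key
    }
    return array( 'email' => $email, 'list_id' => $list_id );
}
```

The expiry is part of the signed string, so it cannot be extended by editing the URL; the secret is stored with autoload off because it is only needed on these two code paths.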
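Worked example for the unserialize() review item, added here and not the code in class-sendpress-option.php. It shows the allowed_classes guard next to the unsafe call and a fail-closed check on the result. Where the serialized string comes from is left abstract: the function takes the raw string as its argument.

```php
<?php
// Added example, not SendPress code. The caller supplies the raw serialized
// string (for example a value read from a custom table).

// Unsafe pattern: plain unserialize() on data an attacker may have written
// instantiates whatever class the payload names and runs its __wakeup() and,
// later, __destruct(), which is the entry point for PHP object injection.
function example_unserialize_unsafe( $raw ) {
    return unserialize( $raw );
}

// Hardened: allowed_classes => false (PHP 7.0+) turns every serialized object
// into __PHP_Incomplete_Class without calling any magic method, and the result
// is rejected if an object survives anywhere in it, so only scalars and
// arrays come back.
function example_unserialize_safe( $raw, $default = array() ) {
    if ( ! is_string( $raw ) ) {
        return $default;
    }
    $raw = trim( $raw );

    // unserialize() returns false both for the serialized boolean false and
    // for malformed input; only the former is a legitimate value.
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( false === $data && 'b:0;' !== $raw ) {
        return $default;
    }
    if ( example_contains_object( $data ) ) {
        return $default; // fail closed: an object was present in the payload
    }
    return $data;
}

function example_contains_object( $value ) {
    if ( is_object( $value ) ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( example_contains_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}

// Usage on constructed inputs: an array payload is returned as-is, while
// 'O:8:"stdClass":0:{}' and a truncated string both yield $default.
$example_ok  = example_unserialize_safe( 'a:1:{s:4:"from";s:16:"news@example.org";}' );
$example_obj = example_unserialize_safe( 'O:8:"stdClass":0:{}' );
$example_bad = example_unserialize_safe( 'O:8:"stdClass":0:{' );
```

If the values being stored never need objects, the longer-term fix is to store JSON (wp_json_encode()/json_decode()) instead of PHP serialization, which removes the class-instantiation path entirely.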
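Worked example for the Phase 1 webhook-secret fix and the Webhook Secret Configuration note, added here and not SendPress code. Only the 'webhook_secret' option name comes from this document; the X-SendPress-Secret header, the 'secret' and 'sendpress_webhook' query parameters, the hook name and the JSON payload shape are assumptions.

```php
<?php
// Added example, not SendPress code. The 'webhook_secret' option name comes
// from the NOTES section; the header X-SendPress-Secret, the 'secret' and
// 'sendpress_webhook' query parameters, the hook name and the JSON payload
// shape are assumptions.

// The configured secret, or '' when the admin has not set one yet.
function example_webhook_secret() {
    $secret = get_option( 'webhook_secret', '' );
    return is_string( $secret ) ? $secret : '';
}

// Authorize a webhook/cron call. Fails closed when no secret is configured
// (otherwise an unconfigured site would accept every request), accepts the
// secret from a header or, for cron tools that cannot set headers, from a
// query parameter, and compares with hash_equals() so the check is
// constant-time.
function example_webhook_authorized( array $server, array $query ) {
    $secret = example_webhook_secret();
    if ( '' === $secret ) {
        return false;
    }

    $presented = '';
    if ( isset( $server['HTTP_X_SENDPRESS_SECRET'] ) ) {
        $presented = (string) $server['HTTP_X_SENDPRESS_SECRET'];
    } elseif ( isset( $query['secret'] ) ) {
        // Query-string secrets end up in access logs and referrers; prefer the header.
        $presented = (string) wp_unslash( $query['secret'] );
    }

    return '' !== $presented && hash_equals( $secret, $presented );
}

// Bounce endpoint: ?sendpress_webhook=bounce with a JSON body {"email": ...}.
function example_maybe_handle_bounce_webhook() {
    if ( ! isset( $_GET['sendpress_webhook'] ) || 'bounce' !== $_GET['sendpress_webhook'] ) {
        return;
    }
    nocache_headers();

    if ( ! example_webhook_authorized( $_SERVER, $_GET ) ) {
        status_header( 403 ); // not 200 or 404: the caller should see the auth failure
        exit;
    }

    $payload = json_decode( (string) file_get_contents( 'php://input' ), true );
    if ( ! is_array( $payload ) || empty( $payload['email'] ) || ! is_email( $payload['email'] ) ) {
        status_header( 400 );
        exit;
    }

    // Hand the validated bounce to whatever records it (assumed hook name).
    do_action( 'sendpress_example_bounce', sanitize_email( $payload['email'] ), $payload );
    status_header( 200 );
    exit;
}
add_action( 'init', 'example_maybe_handle_bounce_webhook' );

// Admin configuration: generate a random secret once and store it without
// autoload. The resulting value is what the bounce provider or cron job is
// configured with.
function example_ensure_webhook_secret() {
    if ( '' === example_webhook_secret() ) {
        update_option( 'webhook_secret', wp_generate_password( 48, false ), false );
    }
    return example_webhook_secret();
}
```

Returning 403 rather than silently succeeding matters for the release note: an admin who forgets to set the option will see the provider's delivery failures immediately instead of discovering an open endpoint later.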