From ee671ed6b00a79459862217e5a6f6b59141f9236 Mon Sep 17 00:00:00 2001
From: girishpanchal30
Date: Mon, 2 Mar 2026 14:01:32 +0530
Subject: [PATCH 1/3] fix: add WooCommerce request verification token

---
 classes/Visualizer/Source/Json.php | 36 ++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/classes/Visualizer/Source/Json.php b/classes/Visualizer/Source/Json.php
index e4068f64b..1a4b03a4e 100644
--- a/classes/Visualizer/Source/Json.php
+++ b/classes/Visualizer/Source/Json.php
@@ -457,6 +457,17 @@ function( $headers ) {
 }
 }
 
+ // Check if this is a WooCommerce endpoint request and add verification token.
+ if ( $this->is_woocommerce_request( $url ) ) {
+ // Generate a unique token for this specific request.
+ $token = wp_generate_password( 32, false );
+ set_transient( 'visualizer_wc_token_' . $token, time(), 60 );
+ if ( ! isset( $args['headers'] ) ) {
+ $args['headers'] = array();
+ }
+ $args['headers']['X-Visualizer-Token'] = $token;
+ }
+
 do_action( 'themeisle_log_event', Visualizer_Plugin::NAME, sprintf( 'Connecting to %s with args = %s ', $url, print_r( $args, true ) ), 'debug', __FILE__, __LINE__ );
 return wp_remote_request( $url, $args );
 }
@@ -488,6 +499,31 @@ public function refresh( $series ) {
 return true;
 }
 
+ /**
+ * Check if the URL is a WooCommerce endpoint request.
+ *
+ * @access private
+ * @param string $url The URL to check.
+ * @return bool True if it's a WooCommerce request, false otherwise.
+ */
+ private function is_woocommerce_request( $url ) {
+ // Check if the URL contains WooCommerce API patterns.
+ $wc_patterns = array(
+ '/wp-json/wc/',
+ '/wc-analytics/',
+ '/wc/v',
+ '/reports/',
+ );
+
+ foreach ( $wc_patterns as $pattern ) {
+ if ( strpos( $url, $pattern ) !== false ) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
 /**
 * Returns source name.
 *
From 6b3357d87d92d75f922dfb4f4d57feac7fcd6fdd Mon Sep 17 00:00:00 2001
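Review bot: The transient created before `wp_remote_request()` is never removed in this hunk, so unless the validating endpoint deletes `visualizer_wc_token_<token>` on first use (not visible here), the token remains accepted for the whole 60-second window rather than for the single request the comment describes; capture the response and delete the transient as soon as the request returns. The unchanged `do_action( 'themeisle_log_event', ... print_r( $args, true ) ... )` line now also writes the `X-Visualizer-Token` header into the debug log, so depending on where that logger stores output it is worth masking that header before logging. The enclosing method begins before this hunk.
```php
		$response = wp_remote_request( $url, $args );
		if ( isset( $token ) ) {
			// One request, one token: do not leave it valid for the rest of the 60s window.
			delete_transient( 'visualizer_wc_token_' . $token );
		}
		return $response;
```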
From: girishpanchal30
Date: Mon, 2 Mar 2026 15:01:32 +0530
Subject: [PATCH 2/3] fix: enhance wc request validation

---
 classes/Visualizer/Source/Json.php | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/classes/Visualizer/Source/Json.php b/classes/Visualizer/Source/Json.php
index 1a4b03a4e..2bd79d9ee 100644
--- a/classes/Visualizer/Source/Json.php
+++ b/classes/Visualizer/Source/Json.php
@@ -507,16 +507,36 @@ public function refresh( $series ) {
 * @return bool True if it's a WooCommerce request, false otherwise.
 */
 private function is_woocommerce_request( $url ) {
- // Check if the URL contains WooCommerce API patterns.
+ if ( empty( $url ) || ! is_string( $url ) ) {
+ return false;
+ }
+
+ $parsed_url = function_exists( 'wp_parse_url' ) ? wp_parse_url( $url ) : parse_url( $url );
+ if ( empty( $parsed_url ) || empty( $parsed_url['host'] ) || empty( $parsed_url['path'] ) ) {
+ return false;
+ }
+
+ $site_url = function_exists( 'home_url' ) ? home_url() : ( function_exists( 'site_url' ) ? site_url() : '' );
+ $site_parts = $site_url ? ( function_exists( 'wp_parse_url' ) ? wp_parse_url( $site_url ) : parse_url( $site_url ) ) : array();
+ if ( empty( $site_parts['host'] ) ) {
+ return false;
+ }
+
+ $target_host = strtolower( $parsed_url['host'] );
+ $site_host = strtolower( $site_parts['host'] );
+ if ( $target_host !== $site_host ) {
+ return false;
+ }
+
+ $path = '/' . ltrim( $parsed_url['path'], '/' );
 $wc_patterns = array(
 '/wp-json/wc/',
+ '/wp-json/wc-analytics/',
 '/wc-analytics/',
- '/wc/v',
- '/reports/',
 );
 
 foreach ( $wc_patterns as $pattern ) {
- if ( strpos( $url, $pattern ) !== false ) {
+ if ( strpos( $path, $pattern ) !== false ) {
 return true;
 }
 }
From 59e2aef137ec6ee6508bc421dcbf29b06968520e Mon Sep 17 00:00:00 2001
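Review bot: The new path-based check cannot recognise a WooCommerce REST URL built without pretty permalinks, where WordPress's `get_rest_url()` yields `https://<host>/?rest_route=/wc/v3/...`: there `$parsed_url['path']` is `/` or absent, the `empty( $parsed_url['path'] )` guard returns `false`, and no token header is attached to a same-host request that the validating side presumably expects it on. Relaxing the guard to require only the host and normalising a `rest_route` query value into the `/wp-json/...` form before the pattern loop would cover both permalink modes. The host-only comparison also ignores scheme and port, which is probably acceptable for a token scoped to the local site but deserves a one-line comment. The method's closing lines lie outside the hunk.
```php
		$parsed_url = function_exists( 'wp_parse_url' ) ? wp_parse_url( $url ) : parse_url( $url );
		// A ?rest_route= URL (plain permalinks) may carry no path at all, so only the host is required here.
		if ( empty( $parsed_url ) || empty( $parsed_url['host'] ) ) {
			return false;
		}
		// … unchanged: host comparison against home_url() …
		$path = isset( $parsed_url['path'] ) ? '/' . ltrim( $parsed_url['path'], '/' ) : '/';
		if ( ! empty( $parsed_url['query'] ) ) {
			parse_str( $parsed_url['query'], $query );
			if ( ! empty( $query['rest_route'] ) && is_string( $query['rest_route'] ) ) {
				// Normalise to the pretty-permalink form so the same patterns apply.
				$path = '/wp-json/' . ltrim( $query['rest_route'], '/' );
			}
		}
		// … unchanged: $wc_patterns and the strpos loop …
```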
From: vytisbulkevicius <36594177+vytisbulkevicius@users.noreply.github.com>
Date: Tue, 3 Mar 2026 17:23:43 +0200
Subject: [PATCH 3/3] Refactor is_woocommerce_request function condition

---
 classes/Visualizer/Source/Json.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/Visualizer/Source/Json.php b/classes/Visualizer/Source/Json.php
index 2bd79d9ee..2961cd3ba 100644
--- a/classes/Visualizer/Source/Json.php
+++ b/classes/Visualizer/Source/Json.php
@@ -507,7 +507,7 @@ public function refresh( $series ) {
 * @return bool True if it's a WooCommerce request, false otherwise.
 */
 private function is_woocommerce_request( $url ) {
- if ( empty( $url ) || ! is_string( $url ) ) {
+ if ( empty( $url ) ) {
 return false;
 }
 
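Review bot: Dropping `! is_string( $url )` means a non-string value now reaches `wp_parse_url()`/`parse_url()` further down, which on PHP 8 raises a `TypeError` for an array argument where the guard previously returned `false` quietly; whether that matters depends on the caller, which is outside this hunk and not verifiable here. If the guard was removed because the docblock's `@param string $url` already promises a string, a short comment such as `// $url is a string by contract (see @param); empty() handles null and ''.` would keep the next reader from re-adding the check. The rest of the method body lies beyond the hunk.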