ADD: jet-form-builder/form-record/export/get-blocks-by-post filter

.github/workflows/ai-pr-review.yml

@@ -10,7 +10,7 @@ jobs:
 
     # Job-level environment
     env:
-      AI_REVIEW_MODEL: gpt-4.1-mini
+      AI_REVIEW_MODEL: gpt-5-mini
 
     permissions:
       contents: read           # to read the repo

README.md

@@ -8,6 +8,14 @@ You can report security bugs through the Patchstack Vulnerability Disclosure Pro
 
 ## ChangeLog
 
+## 3.5.6.3
+* ADD: Support preview for AVIF files in Media Field
+* ADD: `jet-form-builder/form-record/general-values-columns` filter for Form Record General Values Columns
+* FIX: LFI vulnerability
+
+## 3.5.6.2
+* FIX: RCE vulnerability
+
 ## 3.5.6.1
 * FIX: Compatibility with jetBooking 4.0.0
 

assets/build/frontend/advanced.reporting.asset.php

@@ -1 +1 @@
-<?php return array('dependencies' => array('wp-api-fetch'), 'version' => '8ff3219219229b3acd2f');
+<?php return array('dependencies' => array('wp-api-fetch'), 'version' => 'cd9019dc6f52cd8ab6d0');

assets/src/frontend/advanced.reporting/restrictions/ServerSideCallback.js

@@ -98,6 +98,11 @@ function ServerSideCallback() {
 			formData.append( '_jfb_validation_path[]', pathElement );
 		}
 
+		// Security: Include signature for SSR validation
+		if ( this.attrs._sig ) {
+			formData.set( '_jfb_validation_sig', this.attrs._sig );
+		}
+
 		return formData;
 	};
 

includes/blocks/render/media-field-render.php

@@ -75,7 +75,7 @@ protected function render_previews(): string {
 			// preset field
 			$updated = str_replace( '<!-- field -->', $this->get_field_preset( $file ), $updated );
 
-			$image_ext    = array( 'jpg', 'jpeg', 'jpe', 'gif', 'png', 'svg', 'webp' );
+			$image_ext    = array( 'jpg', 'jpeg', 'jpe', 'gif', 'png', 'svg', 'webp', 'avif' );
 			$img_ext_preg = '!\.(' . join( '|', $image_ext ) . ')$!i';
 
 			if ( preg_match( $img_ext_preg, $file['url'] ) ) {

includes/classes/resources/file-tools.php

@@ -30,7 +30,13 @@ public static function get_uploaded( File $file, $preset ) {
 	}
 
 	protected static function is_same_file( File $file, Uploaded_File $uploaded_file ): bool {
-		$info = pathinfo( $uploaded_file->get_url() );
+		$preset_path = $uploaded_file->get_attachment_file();
+
+		if ( ! $preset_path ) {
+			return false;
+		}
+
+		$info = pathinfo( $preset_path );
 
 		return $file->get_name() === ( $info['basename'] ?? '' );
 	}

includes/classes/resources/uploaded-file.php

@@ -96,17 +96,17 @@ public function add_attachment() {
 
 	public function set_from_array( array $upload ): Uploaded_File {
 		if ( isset( $upload['file'] ) ) {
-			$this->file = $upload['file'];
+			$this->file = self::normalize_allowed_upload_file_path( (string) $upload['file'] );
 		}
 		if ( isset( $upload['url'] ) ) {
-			$this->url = $upload['url'];
+			$this->url = esc_url_raw( (string) $upload['url'] );
 		}
 		if ( isset( $upload['type'] ) ) {
-			$this->type = $upload['type'];
+			$this->type = sanitize_mime_type( (string) $upload['type'] );
 		}
 		if ( isset( $upload['id'] ) ) {
 
-			$this->set_attachment_id( (string) $upload['id'] );
+			$this->set_attachment_id( (string) absint( $upload['id'] ) );
 		}
 
 		return $this;
@@ -185,7 +185,10 @@ public function get_attachment_file(): string {
 		$file = $this->get_file();
 
 		if ( $file ) {
-			return $file;
+			$file = self::normalize_allowed_upload_file_path( $file );
+			if ( $file ) {
+				return $file;
+			}
 		}
 
 		$id  = $this->get_attachment_id();
@@ -197,13 +200,59 @@ public function get_attachment_file(): string {
 
 		$file = get_attached_file( $id );
 
-		return is_string( $file ) ? $file : '';
+		if ( ! is_string( $file ) ) {
+			return '';
+		}
+
+		return self::normalize_allowed_upload_file_path( $file );
 	}
 
 	/**
 	 * @param string $url
 	 */
 	public function set_url( string $url ) {
-		$this->url = $url;
+		$this->url = esc_url_raw( $url );
+	}
+
+	/**
+	 * Normalize path and allow only existing files inside wp-content uploads directory.
+	 *
+	 * @return string Normalized realpath to a file in uploads, or empty string.
+	 */
+	public static function normalize_allowed_upload_file_path( string $file ): string {
+		if ( '' === $file ) {
+			return '';
+		}
+
+		$path = wp_normalize_path( $file );
+		$real = realpath( $path );
+
+		if ( false === $real ) {
+			return '';
+		}
+
+		$real = wp_normalize_path( $real );
+		$real = untrailingslashit( $real );
+
+		$uploads = wp_get_upload_dir();
+		$base    = (string) ( $uploads['basedir'] ?? '' );
+
+		if ( '' === $base ) {
+			return '';
+		}
+
+		$base_real = realpath( $base );
+		if ( false === $base_real ) {
+			return '';
+		}
+
+		$base = wp_normalize_path( $base_real );
+		$base = untrailingslashit( $base );
+
+		if ( 0 === strpos( $real, $base . '/' ) && is_file( $real ) ) {
+			return $real;
+		}
+
+		return '';
 	}
 }

jet-form-builder.php

@@ -3,7 +3,7 @@
  * Plugin Name:         JetFormBuilder
  * Plugin URI:          https://jetformbuilder.com/
  * Description:         Advanced form builder plugin for WordPress block editor. Create forms from the ground up, customize the existing ones, and style them up – all in one editor.
- * Version:             3.5.6.1
+ * Version:             3.5.6.3
  * Author:              Crocoblock
  * Author URI:          https://crocoblock.com/
  * Text Domain:         jet-form-builder
@@ -18,7 +18,7 @@
 	die();
 }
 
-const JET_FORM_BUILDER_VERSION = '3.5.6.1';
+const JET_FORM_BUILDER_VERSION = '3.5.6.3';
 
 const JET_FORM_BUILDER__FILE__ = __FILE__;
 const JET_FORM_BUILDER_SITE    = 'https://jetformbuilder.com';

modules/actions-v2/send-email/send-email-action.php

@@ -5,6 +5,7 @@
 use Jet_Form_Builder\Actions\Action_Handler;
 use Jet_Form_Builder\Actions\Types\Base;
 use Jet_Form_Builder\Classes\Http\Http_Tools;
+use Jet_Form_Builder\Classes\Resources\Uploaded_File;
 use Jet_Form_Builder\Classes\Tools;
 use Jet_Form_Builder\Exceptions\Action_Exception;
 use Jet_Form_Builder\Request\Request_Tools;
@@ -397,7 +398,29 @@ public function get_default_attachments(): array {
 			);
 		}
 
-		return $attachments;
+		return $this->filter_safe_attachments( $attachments );
+	}
+
+	/**
+	 * Allow only readable files within the uploads directory.
+	 */
+	private function filter_safe_attachments( array $attachments ): array {
+		$safe = array();
+
+		foreach ( $attachments as $attachment ) {
+			if ( ! is_string( $attachment ) || '' === $attachment ) {
+				continue;
+			}
+
+			$allowed = Uploaded_File::normalize_allowed_upload_file_path( $attachment );
+			if ( '' === $allowed || ! is_file( $allowed ) || ! is_readable( $allowed ) ) {
+				continue;
+			}
+
+			$safe[] = $allowed;
+		}
+
+		return array_values( array_unique( $safe ) );
 	}
 
 	public function update_headers() {

modules/form-record/admin/meta-boxes/form-record-values-box.php

@@ -37,15 +37,19 @@ public function get_dependencies(): array {
 	}
 
 	public function get_columns(): array {
-		return array(
-			'form'       => new Form_Link_Column(),
-			'referrer'   => new Referrer_Link_Column(),
-			'status'     => new Status_Column(),
-			'user'       => new User_Login_Column(),
-			'ip_address' => new Ip_Address_Column(),
-			'user_agent' => new User_Agent_Column(),
-			'created_at' => new Created_At_Column(),
-			'updated_at' => new Updated_At_Column(),
+		return apply_filters(
+			'jet-form-builder/form-record/general-values-columns',
+			array(
+				'form'       => new Form_Link_Column(),
+				'referrer'   => new Referrer_Link_Column(),
+				'status'     => new Status_Column(),
+				'user'       => new User_Login_Column(),
+				'ip_address' => new Ip_Address_Column(),
+				'user_agent' => new User_Agent_Column(),
+				'created_at' => new Created_At_Column(),
+				'updated_at' => new Updated_At_Column(),
+			),
+			$this
 		);
 	}
 

modules/form-record/export/multiple-controller.php

@@ -27,9 +27,12 @@ public function do_export() {
 		$this->form_id = $this->get_form_id();
 
 		// set fields without request
-		jet_fb_context()->set_parsers(
-			Block_Helper::get_blocks_by_post( $this->form_id )
+		$blocks = apply_filters( 
+			'jet-form-builder/form-record/export/get-blocks-by-post', 
+			Block_Helper::get_blocks_by_post( $this->form_id ), 
+			$this->form_id 
 		);
+		jet_fb_context()->set_parsers( $blocks );
 
 		$this->fields_columns = $this->get_field_columns();
 		$this->modify_extra_columns();