# Inbound Rocket - WordPress Marketing Automation Plugin

Version: 2.0.0

## Description

Marketing automation and lead generation plugin for WordPress. Track visitors, capture leads, and convert them with powerful conversion tools.

## Requirements

- WordPress 5.6 or higher
- PHP 7.4 or higher (NEW in v2.0)
- MySQL 5.6 or higher
- Composer (for development)

## What's New in v2.0

### Major Security Improvements

- **Fixed critical SQL injection vulnerabilities** - All 162 database queries now use `$wpdb->prepare()`
- **Fixed object injection vulnerabilities** - Replaced 11 unsafe `unserialize()` calls with safe JSON handling
- **Fixed Remote Code Execution (RCE)** - Evercookie ZIP download now validates hash, file types, and prevents path traversal attacks
- **Fixed CSRF vulnerabilities** - Added nonce verification to all state-changing operations (3 instances)
- **Fixed XSS vulnerabilities** - Enhanced output escaping with `wp_kses_post()` and proper sanitization
- **Fixed authorization bypass** - Added capability checks to admin AJAX endpoints
- **Secured cookie handling** - Added httponly, secure, and samesite flags
- **Enhanced cryptographic security** - Using `random_bytes()` instead of weak random generation
- **Improved JSON validation** - Added structure validation, depth/count limits, and field sanitization
- **Removed error suppression** - Eliminated all `@` operators, added proper error handling and logging
- **Enhanced input sanitization** - All `$_SERVER` variables properly sanitized via IR_Input_Sanitizer
- **Secure database access** - New safe query helper classes with prepared statements
- **Fixed control flow bugs** - Critical bug fixes in plugin deactivation logic
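
The list above names the individual checks; the following is an added example, not code from the plugin, of one admin AJAX handler that applies them in the order a request should meet them: nonce verification, capability check, input sanitization, a prepared query, and explicit error handling instead of the `@` operator. The hook name `ir_example_search_leads`, the nonce action, the request fields and the `ir_leads` table and columns are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not plugin code: an admin AJAX endpoint hardened the way the
 * v2.0 list describes. Hook name, nonce action, request fields and the
 * `ir_leads` table/columns are assumptions chosen for illustration.
 */
add_action( 'wp_ajax_ir_example_search_leads', 'ir_example_search_leads' );

function ir_example_search_leads(): void {
    global $wpdb;

    // CSRF: the admin page created the token with wp_create_nonce( 'ir_example_search' ).
    // Passing false as the third argument makes check_ajax_referer() return false
    // instead of dying, so the endpoint can answer with a structured JSON error.
    if ( ! check_ajax_referer( 'ir_example_search', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }

    // Authorization: a wp_ajax_* hook only proves the caller is logged in, and a
    // nonce is not an authorization check either, so test a capability explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input sanitization: unslash, then coerce each field to the type expected.
    $term   = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    $limit  = min( 100, max( 1, absint( $_POST['limit'] ?? 20 ) ) );
    $offset = absint( $_POST['offset'] ?? 0 );

    if ( '' === $term ) {
        wp_send_json_error( array( 'message' => 'A search term is required.' ), 400 );
    }

    // SQL injection: every user-derived value goes through a %s/%d placeholder.
    // LIKE wildcards typed by the user are escaped with esc_like() so that
    // "%" or "_" match literally.
    $table = $wpdb->prefix . 'ir_leads'; // fixed string, never user input
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, email, created_at FROM {$table}
         WHERE email LIKE %s AND deleted_at IS NULL
         ORDER BY created_at DESC
         LIMIT %d OFFSET %d",
        $like,
        $limit,
        $offset
    );
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    // No error suppression: wpdb resets last_error before each query, so a
    // non-empty value here means this query failed. Log it and report it.
    if ( '' !== $wpdb->last_error ) {
        error_log( 'InboundRocket example: lead search failed: ' . $wpdb->last_error );
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }

    // wp_send_json_success() encodes the payload as JSON; any template that
    // later echoes these values into HTML must still use esc_html()/esc_attr().
    wp_send_json_success( array( 'leads' => $rows ) );
}
```

The order matters: the nonce and capability checks run before any input is read or any query is built, so a forged or unauthorized request never reaches the database. A nonce only shows that the request originated from a page the user loaded; the capability check is what enforces authorization, which is why the v2.0 list treats CSRF and authorization bypass as separate fixes.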

### Modern Architecture

- **PHP 7.4+ with typed properties** - Full type safety throughout codebase
- **PSR-4 namespaced architecture** - Clean `InboundRocket\` namespace structure
- **Composer autoloading** - Modern dependency management
- **Repository pattern** - Clean separation of database operations
- **Dependency injection container** - Proper dependency management
- **SOLID principles** - Clean, maintainable, testable code

### WordPress Standards Compliance

- Function naming conflicts resolved
- All global functions properly prefixed
- Script/style versioning for cache busting
- Correct hook usage (add_action vs add_filter)
- Internationalization support enhanced

### Backward Compatibility

- Seamless upgrade from v1.6.0
- Automatic data migration from serialized to JSON format
- Legacy function support via compatibility layer
- No data loss during upgrade
- User-controlled data deletion on uninstall (defaults to keeping data for safety)
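
The serialized-to-JSON migration is also where the object injection fix lives: legacy data must be read once more with `unserialize()`, and that read is the dangerous step. The following is an added example, not the plugin's migration code, of converting a serialized value without instantiating any object and of reading JSON back with the depth, count and field validation the release notes mention. The `ir_leads` table, its `meta` column, the limits and the field names `source` and `pages` are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not plugin code: converting a legacy PHP-serialized value to
 * JSON without instantiating objects, and reading JSON back with depth, count
 * and field validation. Table, column, limits and field names are assumptions.
 */
const IR_EXAMPLE_MAX_DEPTH = 8;   // nesting levels accepted
const IR_EXAMPLE_MAX_ITEMS = 500; // leaf values accepted

/** Convert a serialized blob to JSON; returns null when the data is not acceptable. */
function ir_example_serialized_to_json( string $raw ): ?string {
    // allowed_classes => false (PHP 7.0+) turns every O:/C: token into
    // __PHP_Incomplete_Class, so no class's __wakeup() or __destruct() can run.
    $data = unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( false === $data && 'b:0;' !== $raw ) {
        return null; // not valid serialized data
    }
    if ( ! ir_example_is_plain_data( $data, IR_EXAMPLE_MAX_DEPTH ) ) {
        return null; // contained an object or nested too deeply
    }
    $json = json_encode( $data, JSON_UNESCAPED_SLASHES );
    return false === $json ? null : $json;
}

/** Accept only scalars, null and arrays of those, down to a bounded depth. */
function ir_example_is_plain_data( $value, int $depth_left ): bool {
    if ( is_object( $value ) ) { // true for __PHP_Incomplete_Class on PHP 7.2+
        return false;
    }
    if ( ! is_array( $value ) ) {
        return true;
    }
    if ( $depth_left <= 0 ) {
        return false;
    }
    foreach ( $value as $item ) {
        if ( ! ir_example_is_plain_data( $item, $depth_left - 1 ) ) {
            return false;
        }
    }
    return true;
}

/** Decode stored JSON with the same limits, then keep only known fields. */
function ir_example_decode_lead_meta( string $json ): ?array {
    try {
        $data = json_decode( $json, true, IR_EXAMPLE_MAX_DEPTH, JSON_THROW_ON_ERROR );
    } catch ( JsonException $e ) {
        error_log( 'InboundRocket example: invalid lead meta JSON: ' . $e->getMessage() );
        return null;
    }
    if ( ! is_array( $data ) ) {
        return null; // structure check: the top level must be an object/array
    }
    $count = 0;
    array_walk_recursive( $data, static function () use ( &$count ) { $count++; } );
    if ( $count > IR_EXAMPLE_MAX_ITEMS ) {
        return null;
    }
    // Field sanitization: unknown keys are dropped, known ones coerced to their type.
    $pages = array_filter( (array) ( $data['pages'] ?? array() ), 'is_string' );
    return array(
        'source' => sanitize_text_field( (string) ( $data['source'] ?? '' ) ),
        'pages'  => array_values( array_map( 'esc_url_raw', $pages ) ),
    );
}

/** Migrate one row in place; returns true only when the row was rewritten. */
function ir_example_migrate_lead_meta( wpdb $wpdb, int $lead_id ): bool {
    $table = $wpdb->prefix . 'ir_leads';
    $raw   = $wpdb->get_var( $wpdb->prepare( "SELECT meta FROM {$table} WHERE id = %d", $lead_id ) );
    if ( null === $raw || null !== json_decode( (string) $raw, true ) ) {
        return false; // missing row, or already migrated to JSON
    }
    $json = ir_example_serialized_to_json( (string) $raw );
    if ( null === $json ) {
        return false; // leave the row untouched for manual review
    }
    return 1 === $wpdb->update( $table, array( 'meta' => $json ), array( 'id' => $lead_id ), array( '%s' ), array( '%d' ) );
}
```

Rows whose serialized payload contains an object are deliberately left unmigrated rather than partially converted, so the migration can report them and an administrator can inspect them; the "no data loss" guarantee above depends on never silently discarding such rows.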

## Installation

### Fresh Installation

1. Upload plugin files to `/wp-content/plugins/inbound-rocket/`
2. Run `composer install --no-dev` in plugin directory (or upload with vendor/ included)
3. Activate through WordPress admin

### Upgrading from v1.6.0

**IMPORTANT: Back up your database before upgrading!**

1. Deactivate plugin
2. Back up your database
3. Replace plugin files with v2.0.0
4. Run `composer install --no-dev` in plugin directory (if not already included)
5. Reactivate plugin
6. Plugin will automatically run migrations

## Developer Information

### Architecture

```
InboundRocket\
├── Core\                    - Plugin bootstrap, DI container
│   ├── Container.php        - Dependency injection container
│   └── ServiceProvider.php  - Service registration
├── Database\
│   ├── Models\              - Data models with typed properties
│   │   └── Lead.php         - Lead/contact model
│   └── Repository\          - Database operations
│       └── LeadRepository.php - Lead data access
├── Admin\                   - Admin interface controllers (planned)
├── PowerUps\                - Modular feature system (planned)
├── Services\                - Business logic services (planned)
├── Ajax\                    - AJAX request handlers (planned)
└── Helpers\                 - Utility classes

Legacy (inc/ directory):
├── services\                - Security helpers
│   └── class-input-sanitizer.php
├── helpers\                 - Data migration
│   └── class-data-migration.php
└── database\                - Safe queries
    └── class-safe-queries.php
```

### Composer Commands

```bash
# Install dependencies for production
composer install --no-dev

# Install all dependencies (including dev)
composer install

# Run tests (when implemented)
composer test

# Check coding standards
composer phpcs

# Fix coding standards automatically
composer phpcbf

# Lint PHP files
composer lint
```

### Running Tests

```bash
composer test
```

### Coding Standards

This plugin follows WordPress Coding Standards with PHP 7.4+ features including:
- Typed properties
- Arrow functions
- Null coalescing assignment
- Strict type declarations

## Using the New Architecture

### Example: Using the Lead Repository

```php
use InboundRocket\Database\Repository\LeadRepository;
use InboundRocket\Database\Models\Lead;

// Resolve the repository from the plugin's DI container. How you obtain
// $container depends on where your code runs; it must already be bootstrapped.
$leadRepo = $container->make(LeadRepository::class);

// Find a lead by ID
$lead = $leadRepo->find(123);

// Find by hashkey
$lead = $leadRepo->findByHashkey('abc123');

// Search leads
$leads = $leadRepo->search('john@example.com');

// Get all leads with pagination. Positional arguments are used because
// named arguments require PHP 8.0 and the plugin targets PHP 7.4+.
$leads = $leadRepo->getAll(20, 0); // limit 20, offset 0

// Save a lead
$leadId = $leadRepo->save($lead);

// Delete a lead (soft delete)
$leadRepo->delete($leadId);
```

## Security

### Reporting Security Issues

Please report security vulnerabilities responsibly. Do not create public GitHub issues for security problems. Contact the maintainers directly.

### Security Features

- All 162 database queries use prepared statements (`$wpdb->prepare()`)
- Input sanitization on all user inputs (dedicated IR_Input_Sanitizer class)
- Output escaping in all templates (`esc_html()`, `esc_attr()`, `wp_kses_post()`)
- Nonce verification on all forms and AJAX requests
- Capability checks on admin functions and AJAX endpoints
- Safe `unserialize()` with `allowed_classes` restricted, used only while migrating legacy serialized data to JSON
- Secure cookie handling (httponly, secure, samesite flags)
- Cryptographically secure random generation (`random_bytes()`)
- Path traversal protection on file operations
- Hash verification on remote file downloads
- File type whitelisting on ZIP extraction
- JSON input validation with depth and count limits
- Proper error handling without suppression
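
The three download-related items (hash verification, file type whitelisting, path traversal protection) form one pipeline around the evercookie ZIP. The following is an added example of that pipeline, not the plugin's own installer code: the extension whitelist, the size cap, the helper names and the directory layout are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not plugin code: the checks applied to a downloaded archive
 * before extraction (pinned hash, extension whitelist, ZipSlip guard).
 * Extension list, size cap and helper names are assumptions.
 */
const IR_EXAMPLE_ALLOWED_EXT   = array( 'js', 'css', 'html' ); // placeholder whitelist
const IR_EXAMPLE_MAX_ZIP_BYTES = 10 * 1024 * 1024;

/** Compare the file's SHA-256 with a pinned value in constant time. */
function ir_example_verify_download( string $zip_path, string $expected_sha256 ): bool {
    if ( ! is_file( $zip_path ) || filesize( $zip_path ) > IR_EXAMPLE_MAX_ZIP_BYTES ) {
        return false; // missing, or implausibly large for the expected package
    }
    $actual = hash_file( 'sha256', $zip_path );
    return false !== $actual && hash_equals( strtolower( $expected_sha256 ), $actual );
}

/**
 * ZipSlip guard: an entry name is acceptable only if it is a relative POSIX
 * path with no "..", NUL bytes, backslashes or drive-letter prefix.
 */
function ir_example_is_safe_relative_path( string $name ): bool {
    if ( '' === $name || false !== strpos( $name, "\0" ) || false !== strpos( $name, '\\' ) ) {
        return false;
    }
    if ( '/' === $name[0] || 1 === preg_match( '/^[A-Za-z]:/', $name ) ) {
        return false; // absolute path
    }
    foreach ( explode( '/', $name ) as $segment ) {
        if ( '..' === $segment ) {
            return false;
        }
    }
    return true;
}

/**
 * Return the file entries that may be extracted, or null if any entry fails a
 * check (the archive is then rejected as a whole, not partially extracted).
 */
function ir_example_safe_entries( ZipArchive $zip, array $allowed_ext ): ?array {
    $names = array();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        if ( false === $name || ! ir_example_is_safe_relative_path( $name ) ) {
            return null;
        }
        if ( '/' === substr( $name, -1 ) ) {
            continue; // directory entry: created implicitly, nothing to whitelist
        }
        $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, $allowed_ext, true ) ) {
            return null; // unexpected file type inside the archive
        }
        $names[] = $name;
    }
    return $names;
}

/** Verify, extract only the vetted entries, then confirm every path landed under $dest. */
function ir_example_extract_checked( string $zip_path, string $dest, string $expected_sha256 ): bool {
    if ( ! ir_example_verify_download( $zip_path, $expected_sha256 ) ) {
        return false;
    }
    $zip = new ZipArchive();
    if ( true !== $zip->open( $zip_path ) ) {
        return false;
    }
    $entries = ir_example_safe_entries( $zip, IR_EXAMPLE_ALLOWED_EXT );
    if ( null === $entries || array() === $entries ) {
        $zip->close();
        return false;
    }
    $ok = $zip->extractTo( $dest, $entries );
    $zip->close();
    if ( ! $ok ) {
        return false;
    }
    // Post-check on the real filesystem: every resolved path must sit under $dest.
    $root = realpath( $dest );
    foreach ( $entries as $name ) {
        $real = realpath( $dest . '/' . $name );
        if ( false === $root || false === $real || 0 !== strpos( $real, $root . DIRECTORY_SEPARATOR ) ) {
            return false;
        }
    }
    return true;
}
```

The hash comparison runs before the archive is opened, so a tampered download is rejected before any parser touches it. The entry check rejects the whole archive rather than skipping bad entries, because a partially extracted package is harder to reason about than none, and the `realpath()` pass after extraction confirms on the real filesystem what the name-based filter predicted.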

## Support

- GitHub Issues: Report bugs and feature requests
- Documentation: See this README and inline code documentation

## Changelog

### 2.0.0 (2024)

**MAJOR UPDATE: Complete plugin modernization with critical security fixes**

**Security Fixes (CRITICAL):**
- Fixed critical SQL injection vulnerabilities (162 instances) - all queries now use `$wpdb->prepare()`
- Fixed object injection vulnerabilities (11 instances) - replaced `unserialize()` with safe JSON handling
- Fixed Remote Code Execution (RCE) - evercookie ZIP download now has hash verification and path traversal protection
- Fixed CSRF vulnerabilities (3 instances) - added nonce verification to all state-changing operations
- Fixed XSS vulnerabilities (2 instances) - enhanced output escaping with `wp_kses_post()`
- Fixed authorization bypass (2 instances) - added capability checks to admin AJAX endpoints
- Fixed insecure cookie handling - added httponly, secure, and samesite flags
- Fixed weak cryptographic randomness - using `random_bytes()` instead of `wp_generate_password()`
- Fixed path traversal vulnerability (ZipSlip) - ZIP extraction now validates all file paths
- Added comprehensive input sanitization via IR_Input_Sanitizer class
- Added JSON input validation with depth/count limits
- Removed all error suppression (@) with proper error handling

**New Features:**
- Modern PHP 7.4+ OOP architecture with namespaces (InboundRocket\)
- PSR-4 autoloading via Composer
- Repository pattern for clean database operations (LeadRepository, PageviewRepository, SubmissionRepository)
- Model classes with PHP 7.4 typed properties (Lead, Pageview, Submission)
- Dependency injection container for proper service management
- User-controlled data deletion on uninstall (defaults to keeping data)
- Automatic data migration system for seamless upgrades

**Improvements:**
- WordPress coding standards compliance throughout
- Script/style cache busting with version numbers (35+ instances)
- Correct hook usage - fixed add_filter to add_action where needed (4 instances)
- Enhanced internationalization with proper text domains
- Full backward compatibility maintained via compatibility layer
- All deprecated functions have proper deprecation notices

**Bug Fixes:**
- Critical control flow bug in deactivation hook (missing braces)
- Function naming conflicts with WordPress core (plugins_loaded → inboundrocket_init)
- Global function prefixes added (in_multiarray → inboundrocket_in_multiarray, etc.)
- Deprecated get_currentuserinfo() replaced with wp_get_current_user() (2 instances)
- File download validation added to evercookie installer

**Breaking Changes:**
- Requires PHP 7.4+ (up from PHP 5.2+)
- Requires WordPress 5.6+ (up from WordPress 2.5+)
- Requires Composer for development (vendor/ included in distribution)

**Deprecations:**
- Several procedural functions replaced with namespaced OOP equivalents
- Backward compatible aliases provided for all deprecated functions
- `inboundrocket_get_ip()` → `IR_Input_Sanitizer::get_client_ip()`
- `get_total_contacts()` → `LeadRepository::getTotalContacts()`
- `in_multiarray()` → `inboundrocket_in_multiarray()`
- `recurseRmdir()` → `inboundrocket_recurse_rmdir()`
- `recurseChmod()` → `inboundrocket_recurse_chmod()`

### 1.6.0 (Previous)

Legacy release

## License

GPL-2.0-or-later

## Credits

Developed by Inbound Rocket team and contributors.

Special thanks to all contributors who helped modernize this plugin to meet current WordPress and PHP standards.
