From 68099b2294d9b335a86aa3ca561a46912603f531 Mon Sep 17 00:00:00 2001
From: Davide Giunchi - Diennea
Date: Fri, 20 May 2016 18:02:51 +0200
Subject: [PATCH 1/3] updated and simplified wp-security-stop-users-enumeration.php for bug/bypass https://wpvulndb.com/vulnerabilities/8436
---
 .../wp-security-stop-users-enumeration.php | 24 +++----------------
 1 file changed, 3 insertions(+), 21 deletions(-)
diff --git a/all-in-one-wp-security/other-includes/wp-security-stop-users-enumeration.php b/all-in-one-wp-security/other-includes/wp-security-stop-users-enumeration.php
index 2ea0a89..b1c6b13 100644
--- a/all-in-one-wp-security/other-includes/wp-security-stop-users-enumeration.php
+++ b/all-in-one-wp-security/other-includes/wp-security-stop-users-enumeration.php
@@ -19,26 +19,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 */
-if ( ! is_admin()){
- if ( ! is_admin()){
- if(preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0 ) {
- if (!empty($_POST['author'])) {
- wp_die('forbidden');
- }
+if ( ! is_admin() && isset($_SERVER['REQUEST_URI'])){
+ if(preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0 && !empty($_REQUEST['author']) ) {
+ wp_die('forbidden');
 }
-
- if(preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING']) === 1)
- wp_die('forbidden');
-
- add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
- }
-}
-
-add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
-function ll_detect_enumeration ($redirect_url, $requested_url) {
-if (preg_match('/\?author(%00[0%]*)?=([0-9]*)(\/*)/', $requested_url)===1 | isset($_POST['author']) ) {
- wp_die('forbidden');
- } else {
- return $redirect_url;
- }
 }
From 4c913acbb7a3dcf27ed416dd3e081e57eea81768 Mon Sep 17 00:00:00 2001
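Review bot: The comment-endpoint exemption on the new `preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI'])` line looks for that substring anywhere in the full request URI, query string included, so it exempts more requests than the comment-post script itself; match the path component instead, e.g. `preg_match('#/wp-comments-post\.php$#', (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)) === 0`. Switching from `$_POST['author']` to `!empty($_REQUEST['author'])` also pulls in `$_COOKIE` (what `$_REQUEST` contains follows PHP's `request_order` setting), so a visitor carrying a cookie named `author` would be refused on every non-admin page; `(!empty($_GET['author']) || !empty($_POST['author']))` keeps the intent without that availability side effect. `wp_die('forbidden')` with no status argument answers with the default handler's error status rather than a 403, which makes these refusals harder to tell apart in logs; `wp_die('forbidden', '', array('response' => 403))` is explicit. Dropping the `redirect_canonical` filter also drops the `%00` variant the old `ll_detect_enumeration` pattern covered on the requested URL; whether the `$_REQUEST` lookup still catches those encodings should be verified before relying on it.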
From: Davide Giunchi - Diennea
Date: Mon, 28 Nov 2016 14:41:08 +0100
Subject: [PATCH 2/3] fix error on block_ip_if_locked, doesn 't exit with an wp_user. Other plugins that create the $user (aka ldap auth plugins), will not work
---
 .../classes/wp-security-user-login.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/all-in-one-wp-security/classes/wp-security-user-login.php b/all-in-one-wp-security/classes/wp-security-user-login.php
index 05b5d8e..60e85aa 100644
--- a/all-in-one-wp-security/classes/wp-security-user-login.php
+++ b/all-in-one-wp-security/classes/wp-security-user-login.php
@@ -10,7 +10,7 @@ function __construct()
 {
 $this->key_login_msg = 'aiowps_login_msg_id';
 // As a first authentication step, check if user's IP is locked.
- add_filter('authenticate', array($this, 'block_ip_if_locked'), 1, 0);
+ add_filter('authenticate', array($this, 'block_ip_if_locked'), 1, 1);
 // Check whether user needs to be manually approved after default WordPress authenticate hooks (with priority 20).
 add_filter('authenticate', array($this, 'check_manual_registration_approval'), 30, 1);
 // Check login captcha
@@ -27,7 +27,7 @@ function __construct()
 *
 * @global AIO_WP_Security $aio_wp_security
 */
- function block_ip_if_locked()
+ function block_ip_if_locked($user)
 {
 global $aio_wp_security;
 $user_locked = $this->check_locked_user();
@@ -41,7 +41,9 @@ function block_ip_if_locked()
 $error_msg .= $this->get_unlock_request_form();
 }
 wp_die($error_msg, __('Service Temporarily Unavailable', 'all-in-one-wp-security-and-firewall'), 503);
- }
+ } else {
+ return $user;
+ }
 }
 /**
 * Check login captcha (if enabled).
@@ -560,4 +562,4 @@ function get_unlock_request_form()
 $unlock_request_form .= '';
 return $unlock_request_form;
 }
-}
\ No newline at end of file
+}
From 29977b691db07f01fe2eb219d0449b9d6a6ec4c1 Mon Sep 17 00:00:00 2001
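Review bot: In the third hunk (`@@ -41,7 +41,9 @@`) the new `else { return $user; }` is only ever reached when `wp_die()` was not called, and `wp_die()` ends the request, so the `else` adds a nesting level for nothing; a plain `return $user;` after the closing brace of the `if` block reads the same and makes the pass-through obvious. The `if` condition and the start of `block_ip_if_locked` lie outside the hunk. With the hook now declared with one accepted argument (first hunk), `$user` is whatever an earlier `authenticate` callback produced, presumably `null` for a normal login unless a plugin hooks before priority 1; returning it unchanged is the correct pass-through, and a short comment such as `// Not locked: hand the filter value on untouched so a WP_User set by an earlier plugin survives.` would record why that return matters.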
From: Davide Giunchi - Diennea
Date: Mon, 28 Nov 2016 14:44:39 +0100
Subject: [PATCH 3/3] fix error on block_ip_if_locked, doesn 't exit with an wp_user. Other plugins that create the $user (aka ldap auth plugins), will not work
---
 all-in-one-wp-security/classes/wp-security-user-login.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/all-in-one-wp-security/classes/wp-security-user-login.php b/all-in-one-wp-security/classes/wp-security-user-login.php
index 60e85aa..0d287d4 100644
--- a/all-in-one-wp-security/classes/wp-security-user-login.php
+++ b/all-in-one-wp-security/classes/wp-security-user-login.php
@@ -26,6 +26,8 @@ function __construct()
 * user's IP is currently locked.
 *
 * @global AIO_WP_Security $aio_wp_security
+ * @param WP_Error|WP_User $user
+ * @return WP_User
 */
 function block_ip_if_locked($user)
 {
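Review bot: The added `@return WP_User` does not match what `block_ip_if_locked` does: its non-locked path returns `$user` unchanged, which the new `@param` line itself types as `WP_Error|WP_User`, and since the hook is registered at priority 1 the incoming value is presumably `null` for a normal login unless another plugin has run before it. Change the two added lines to `@param null|WP_User|WP_Error $user` and `@return null|WP_User|WP_Error`, and it is worth noting in the docblock that the locked path never returns because `wp_die()` ends the request. The function body lies outside this hunk.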