
Security hardening and modernization for ACF Typography plugin #31

Draft
Copilot wants to merge 7 commits into 3.3.0 from copilot/modernize-codebase-compatibility

Conversation


Copilot AI commented Jan 23, 2026

WordPress plugin unmaintained for 3+ major versions with critical XSS vulnerabilities, insecure external requests, and deprecated code patterns. Addresses security issues while maintaining backward compatibility.

Security Fixes

XSS Vulnerabilities (10+ instances)

  • Field rendering in v4/v5 output unescaped user data
  • API template functions echo values without sanitization
  • Admin settings display unvalidated input

// Before
echo $value;
echo $f;
$options .= '<option val="'.$opt.'" '. ($field['value'][$f] == $opt? 'selected': '') .'>'.$opt.'</option>';

// After
echo esc_html($value);
echo esc_attr($f);
echo '<option value="' . esc_attr($opt) . '" ' . selected($current_value, $opt, false) . '>' . esc_html($opt) . '</option>';

Input Sanitization

  • Added sanitize_text_field() for Google Fonts API key
  • Added sanitization callback to settings registration
  • Improved array key validation

Insecure External Requests

  • Replaced file_get_contents() with wp_remote_get()
  • Added 15s timeout and error handling
  • Added JSON validation before file write

// Before
$json = file_get_contents('https://www.googleapis.com/webfonts/v1/webfonts?key=' . $API_KEY);

// After
$response = wp_remote_get($api_url, array('timeout' => 15));
if (is_wp_error($response)) return false;
$json = wp_remote_retrieve_body($response);

Access Control

  • Added current_user_can('manage_options') check in settings page

Code Quality

  • Added PHPDoc blocks for all functions, classes, and methods
  • Replaced deprecated extract() with shortcode_atts()
  • Fixed syntax error (missing semicolon in admin_settings.php)
  • Applied WordPress Coding Standards throughout

Compatibility

  • WordPress: 6.0 - 6.9 (was 3.5.0 - 6.0)
  • PHP: 7.4+ minimum requirement added

Backward Compatibility

All public functions, hooks, filters, database schema, and option names unchanged. ACF v4 and v5 support maintained.

Original prompt

Context:
This repository contains a WordPress plugin that is publicly available in the WordPress.org plugin repository. The plugin has not been maintained for several releases and is currently missing compatibility with at least the last 3 major WordPress versions.

Objective:
Modernize and secure the codebase without adding new features or breaking existing functionality.

Specific Tasks:

WordPress Compatibility
  • Update deprecated WordPress functions and hooks to their modern equivalents
  • Ensure compatibility with the latest WordPress version and the previous 2 major releases
  • Check and update minimum WordPress version requirements if needed
  • Verify all WordPress core APIs are being used correctly

Code Quality Improvements
  • Refactor code to follow WordPress Coding Standards (WPCS)
  • Improve code organization and structure
  • Add proper PHPDoc blocks for functions, classes, and methods
  • Remove any redundant or unused code
  • Ensure proper use of WordPress nonces, sanitization, and validation

Security Audit
  • Identify and fix SQL injection vulnerabilities (ensure proper use of $wpdb->prepare())
  • Check for XSS vulnerabilities (verify proper escaping with esc_html(), esc_attr(), esc_url(), etc.)
  • Validate and sanitize all user inputs
  • Review file upload handling if applicable
  • Check for CSRF protection using nonces
  • Audit capability checks for admin functions

Performance & Best Practices
  • Identify database queries that could be optimized
  • Check for proper enqueueing of scripts and styles
  • Ensure proper use of WordPress transients for caching where appropriate
  • Review and optimize autoloading settings

Backward Compatibility
  • DO NOT remove or modify existing public functions, hooks, or filters that users may depend on
  • DO NOT change database schema in a way that would cause data loss
  • Maintain existing option names and data structures
  • Document any deprecations clearly if absolutely necessary

Constraints:
  • No new features or functionality additions
  • Must maintain backward compatibility with existing installations
  • All changes should be incremental and testable
  • Follow WordPress.org plugin guidelines and review requirements

Output Format:
For each issue found, please provide:
  • Description of the problem
  • Severity level (Critical/High/Medium/Low)
  • Specific code location
  • Recommended fix with code example
  • Any potential impact on existing functionality

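The four fix categories in the PR description above (context-aware output escaping, a sanitize callback on the registered setting, wp_remote_get with a timeout and JSON validation, and a capability check on the settings page) put together in one hardened settings-page flow. This is an added example written for this page, not code from the PR or from the ACF Typography plugin. It assumes a WordPress runtime; the class name, option name, transient name and settings group are hypothetical. It also departs from the PR in two places, both labelled in the code: the fetched font list is cached in a transient instead of being written to a file, and the API key is checked against an allowed character set and the HTTP status code is verified before the body is parsed.

```php
<?php
/**
 * Added example (not the plugin's code): hardened settings flow for a
 * Google Fonts API key. Assumes a WordPress runtime. Class, option,
 * transient and settings-group names are hypothetical.
 */
class Acft_Hardening_Example {

	const OPTION_NAME    = 'acft_example_settings';  // hypothetical option name
	const TRANSIENT_NAME = 'acft_example_font_list'; // hypothetical transient name
	const SETTINGS_GROUP = 'acft_example_group';     // hypothetical settings group
	const FONTS_ENDPOINT = 'https://www.googleapis.com/webfonts/v1/webfonts';

	public function __construct() {
		add_action( 'admin_init', array( $this, 'register' ) );
	}

	/** Register the option with a sanitize callback so raw input never reaches the database. */
	public function register() {
		register_setting(
			self::SETTINGS_GROUP,
			self::OPTION_NAME,
			array(
				'type'              => 'array',
				'sanitize_callback' => array( $this, 'sanitize' ),
				'default'           => array( 'api_key' => '' ),
			)
		);
	}

	/** Sanitize callback: strip tags and whitespace, then reject keys outside the expected charset. */
	public function sanitize( $input ) {
		$api_key = isset( $input['api_key'] ) ? sanitize_text_field( $input['api_key'] ) : '';
		// Assumption: a Google API key is a short token of [A-Za-z0-9_-]; anything else is refused.
		if ( '' !== $api_key && ! preg_match( '/^[A-Za-z0-9_-]{20,64}$/', $api_key ) ) {
			add_settings_error( self::OPTION_NAME, 'bad_key', 'API key contains unexpected characters.' );
			$api_key = '';
		}
		return array( 'api_key' => $api_key );
	}

	/** Fetch the font list via the HTTP API with a timeout, status check and structural JSON validation. */
	public function fetch_fonts( $api_key ) {
		$cached = get_transient( self::TRANSIENT_NAME ); // cache in a transient instead of a file
		if ( is_array( $cached ) ) {
			return $cached;
		}
		$url      = add_query_arg( array( 'key' => $api_key ), self::FONTS_ENDPOINT );
		$response = wp_remote_get( esc_url_raw( $url ), array( 'timeout' => 15 ) );
		if ( is_wp_error( $response ) ) {
			return $response;
		}
		if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
			return new WP_Error( 'acft_http', 'Unexpected HTTP status from the fonts API.' );
		}
		$data = json_decode( wp_remote_retrieve_body( $response ), true );
		if ( ! is_array( $data ) || empty( $data['items'] ) || ! is_array( $data['items'] ) ) {
			return new WP_Error( 'acft_json', 'Fonts API returned unexpected JSON.' );
		}
		$fonts = array();
		foreach ( $data['items'] as $item ) {
			if ( isset( $item['family'] ) && is_string( $item['family'] ) ) {
				$fonts[] = $item['family'];
			}
		}
		set_transient( self::TRANSIENT_NAME, $fonts, DAY_IN_SECONDS );
		return $fonts;
	}

	/** Build the <option> list: attribute context gets esc_attr(), text context gets esc_html(). */
	public function font_options_html( array $fonts, $current ) {
		$html = '';
		foreach ( $fonts as $font ) {
			// selected() with $echo = false returns " selected='selected'" or "" (leading space included).
			$html .= '<option value="' . esc_attr( $font ) . '"' . selected( $current, $font, false ) . '>' . esc_html( $font ) . '</option>';
		}
		return $html;
	}

	/** Settings page: capability check before any work, escaped output only. */
	public function render_page() {
		if ( ! current_user_can( 'manage_options' ) ) {
			wp_die( 'You do not have permission to access this page.' );
		}
		$settings = get_option( self::OPTION_NAME, array( 'api_key' => '' ) );
		echo '<form method="post" action="options.php">';
		settings_fields( self::SETTINGS_GROUP ); // emits the nonce and hidden fields options.php verifies
		echo '<input type="text" name="' . esc_attr( self::OPTION_NAME ) . '[api_key]" value="' . esc_attr( $settings['api_key'] ) . '">';
		submit_button();
		echo '</form>';

		$fonts = $this->fetch_fonts( $settings['api_key'] );
		if ( is_wp_error( $fonts ) ) {
			echo '<p>' . esc_html( $fonts->get_error_message() ) . '</p>';
			return;
		}
		// Already escaped per element in font_options_html().
		echo '<select name="acft_example_font">' . $this->font_options_html( $fonts, 'Roboto' ) . '</select>';
	}
}

new Acft_Hardening_Example();
```

Two design points worth noting. The sanitize callback is attached at register_setting() time, so it runs on every save through options.php regardless of which form posted the value; escaping is deliberately left to the output side (esc_attr() for attribute values, esc_html() for element text) rather than being done once on input, because the same stored string is emitted in both contexts. On the request side, is_wp_error() only catches transport failures, so the HTTP status and the shape of the decoded JSON are checked separately before anything is cached or rendered.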


Copilot AI and others added 5 commits January 23, 2026 05:00
Co-authored-by: mujahidi <3979807+mujahidi@users.noreply.github.com>
Co-authored-by: mujahidi <3979807+mujahidi@users.noreply.github.com>
… code quality improvements

Co-authored-by: mujahidi <3979807+mujahidi@users.noreply.github.com>
…onstructor

Co-authored-by: mujahidi <3979807+mujahidi@users.noreply.github.com>
Co-authored-by: mujahidi <3979807+mujahidi@users.noreply.github.com>
Copilot AI changed the title [WIP] Update WordPress plugin for compatibility and security improvements Security hardening and modernization for ACF Typography plugin Jan 23, 2026
Copilot AI requested a review from mujahidi January 23, 2026 05:14
@mujahidi
Owner

@copilot IMPORTANT: WordPress Version Clarification
The current latest stable version of WordPress is 6.9 (released January 2025), not 6.7. Please use WordPress 6.9 as the target version for all compatibility checks and recommendations.

Updated Compatibility Requirements:
  • Target Version: WordPress 6.9.x
  • Minimum Supported Version: WordPress 6.0 or higher
  • PHP Version: Minimum PHP 7.4 (WordPress 6.9 recommendation)

When reviewing code:
  • Check the WordPress 6.9 Core Trac and Developer Notes for breaking changes
  • Reference the WordPress 6.9 changelog for deprecated functions
  • Verify compatibility with WordPress 6.9's updated APIs and hooks
  • Consider features introduced in 6.7, 6.8, and 6.9 that might affect this plugin

Please search for and review the official WordPress 6.9 release notes and developer documentation before making recommendations.

…6.0 and PHP 7.4

Co-authored-by: mujahidi <3979807+mujahidi@users.noreply.github.com>
Author

Copilot AI commented Jan 23, 2026

@copilot IMPORTANT: WordPress Version Clarification
The current latest stable version of WordPress is 6.9 (released January 2025), not 6.7. Please use WordPress 6.9 as the target version for all compa...

Updated compatibility requirements in commit 82c5fb9:

  • Tested up to: WordPress 6.9
  • Requires at least: WordPress 6.0
  • Requires PHP: 7.4

The changes are reflected in readme.txt and CHANGELOG.md.
