From 2b966ad3f0fb06d6a76270ff2217cfd0c357d82d Mon Sep 17 00:00:00 2001 From: pjaudiomv Date: Mon, 4 May 2026 15:57:22 -0400 Subject: [PATCH] Fix CVE-2026-4792: require manage_options to export settings --- Dockerfile | 2 +- admin/class-bread-admin.php | 6 ++++++ bmlt-meeting-list.php | 4 ++-- readme.txt | 5 ++++- 4 files changed, 13 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 772c259..8dfe6a5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM wordpress:6.9.0-php8.2-apache +FROM wordpress:6.9.4-php8.2-apache RUN apt-get update && \ apt-get install -y --no-install-recommends ssl-cert && \ diff --git a/admin/class-bread-admin.php b/admin/class-bread-admin.php index 97e5730..fb0f942 100644 --- a/admin/class-bread-admin.php +++ b/admin/class-bread-admin.php @@ -269,12 +269,18 @@ function pwsix_process_settings_export() function download_settings() { if ($this->bread->exportingMeetingList()) { + if (!current_user_can('manage_options')) { + return; + } $this->download_settings_inner(); } } function download_mpdf_log() { if ($this->bread->exportingLogFile()) { + if (!current_user_can('manage_options')) { + return; + } $this->download_log_file(); } } diff --git a/bmlt-meeting-list.php b/bmlt-meeting-list.php index 1314b5d..d52e6fb 100644 --- a/bmlt-meeting-list.php +++ b/bmlt-meeting-list.php @@ -11,7 +11,7 @@ * Plugin Name: Bread * Plugin URI: https://bmlt.app * Description: Maintains and generates PDF Meeting Lists from BMLT. - * Version: 2.9.12 + * Version: 2.9.13 * Author: bmlt-enabled * Author URI: https://bmlt.app/ * License: GPL-2.0+ @@ -30,7 +30,7 @@ * Start at version 2.8.0 and use SemVer - https://semver.org * Rename this for your plugin and update it as you release new versions. */ -define('BREAD_VERSION', '2.9.12'); +define('BREAD_VERSION', '2.9.13'); /** * The code that runs during plugin activation. diff --git a/readme.txt b/readme.txt index afc7013..db752a8 100644 --- a/readme.txt +++ b/readme.txt 
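Review bot: The capability check guards only the two dispatchers, `download_settings()` and `download_mpdf_log()`, not `download_settings_inner()` and `download_log_file()`, which are the functions that actually emit the data, so any other caller of those two stays unguarded. Their bodies, and the body of `pwsix_process_settings_export()` named in the hunk header, lie outside this hunk, so confirm that every export path carries the same `current_user_can('manage_options')` test, or move the guard to the first line of the inner functions. The bare `return;` also lets an unauthorised request fall through to an ordinary page load with nothing to distinguish it; `wp_die('Insufficient permissions.', 403);` would make the denial explicit and leave a 403 in the access log for detection. Whether these handlers also verify a nonce is not visible here and is worth checking alongside the capability test.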
@@ -5,7 +5,7 @@ Tags: meeting list, bmlt, narcotics anonymous, na Requires PHP: 8.1 Requires at least: 6.2 Tested up to: 6.9 -Stable tag: 2.9.12 +Stable tag: 2.9.13 License: GPLv2 or later License URI: http://www.gnu.org/licenses/gpl-2.0.html @@ -55,6 +55,9 @@ Follow all these steps, keep in mind that once you start using bread, it's not g == Changelog == += 2.9.13 = +* Security: Require `manage_options` capability to export plugin settings and download mPDF log files (CVE-2026-4792) + = 2.9.12 = * Cleaned up commas after blank fields * Updated mPDF