2 plugins for CP

Hi Simone, If they’re specifically written for ClassicPress and do not contain extra code, references, and documentation for WordPress, they can usually go on the list.

However, I’ll be unable to add the cpvars plugin as it executes PHP code as a feature. Really bad idea – this greatly increases the chances of WSOD and hacked sites. To be clear, I’m not saying the plugin can’t be listed in the directory; I have no control over that. But, this list, which is just a random forum post that I’ve created, will be unable to list a plugin with such a glaring issue.

The other plugin can be added to the list. To maintain the readability of the list, the description is limited to 300 characters. Please feel free to message or post a description here and I’ll get it added.


1 Like

Can Cpvars also be used in php templates? Or only in the text editor / admin area?

You can always use shortcodes in PHP templates; it’s a feature of shortcodes, rather than something we have to support with extra code in our plugins. :wink: You just change the format and execute them this way:

<?php echo do_shortcode("[your-shorcode]"); ?>
1 Like

How would you turn [cpvars]name[/cpvars] into a working do_shortcode function?

<?php echo do_shortcode("[cpvars]whatever[/cpvars]"); ?>
1 Like

I’m just adding cpv_do( 'YOURPLACEHOLDER' ).
Thank you for the idea!
And thank you @anon71687268 for the “do_shortcode” solution!


Shows my inexperience I thought you could only perform a do_shortcode on a single blockquote element, not a blockquote open and shut.

1 Like

Happy to help!

And @klein, I’m sure we all learn new little intricacies of the system on a regular basis. :slight_smile:

1 Like


Yes, both plugins are just for ClassicPress.


Mark plugins not compatible with WP version 4.9.
Add a menu that displays top 200 plugins from wp.org and their compatibility
Fixes some compatibility issues with Classicpress: at the moment: wp-cli core check-update, SEO by Rank Math.
With cpvars you can define name-value associations from the admin.
Then, in your content you can insert [cpvars]name[/cpvars] and get value displayed.
There is also an option to display shortcodes everywhere.

about exec()

Completely agree with you.
But I use to do things like © <?php echo date("Y"); ?>.
I’m going to remove the exec section and using apply_filters to the output (this way a user can define a filter to uppercase the string or… exec php :sunglasses:)

What do you think about?

Edit: latest version now has the filter and the new function.


What do you think, should we incorporate something like this into a future version of ClassicPress itself? Some previous discussion on the forums and I have also opened an issue on GitHub for this specifically: https://github.com/ClassicPress/ClassicPress/issues/470

1 Like

I suppose this is ok for experienced users, but the main problem with allowing users to insert PHP directly is that less experienced users (clients or friends) may use it to insert dangerous things without understanding the problems with such an approach. Also, it is trivial to use this feature to escalate account privileges, so this is basically the same thing as immediately giving anyone that has “edit page or post” access a full administrator account, even if all they can do is edit a draft.

It may be a bit more work, but running PHP code in the context of a page should always be done via a shortcode or a widget that is specific to the purpose of what you’re trying to achieve (like inserting the current date).


Added CP Compatibility to the list of ClassicPress-specific plugins. The other plugin, cpvars, wasn’t included for the reasons indicated above.

Update: The cpvars plugin has been cleaned of the eval() function and how now been included in the list.


Same reply on GitHub

I’m a big fan of wp-cli, so I’d like to see a fix in the core. The code was written before CP 1.x, and as I can remember wp core update works correctly, just wp core check-update is buggy.
Just tested now, but not sure this is the right way, by changing values in version.php.
Sure the response could be processed better! This is the response:

    [0] => stdClass Object
            [response] => latest
            [download] => https://github.com/ClassicPress/ClassicPress-release/archive/1.0.1.zip
            [locale] => en_US
            [packages] => stdClass Object
                    [full] => https://github.com/ClassicPress/ClassicPress-release/archive/1.0.1.zip
                    [no_content] => 
                    [new_bundled] => 
                    [partial] => 
                    [rollback] => 

            [current] => 1.0.1
            [version] => 1.0.1
            [php_version] => 5.6.4
            [mysql_version] => 5.0
            [new_bundled] => 4.7
            [partial_version] => 
            [dismissed] => 
1 Like

Thank you for CP Compatibility.
But for cpvars I’ve removed PHP execution!


This is in your release.

	eval( "?>" . $testvars[$content] ."<?php" );
	$evalContent = ob_get_contents();
	return $evalContent;	

As James pointed out, there is a proper way to do this…

1 Like

I can’t understand why the link at the latest release in my first post is pointing at the previous release (1.0.1), but this one is to the current release(1.1.0)…
But the link is https://github.com/xxsimoxx/cpvars/releases/latest in both…

Sorry :man_facepalming:

1 Like

No worries, I’ll take another stab at it. :slight_smile:

1 Like

Quick follow-up: @Simone, I see you’ve removed the risky eval() code. Also wanted to point out (moreso for others) that you’ve also removed those relevant settings and even did a cleanup of the option in your deactivation function – this is good practice. …and good work!

Thanks for helping to keep the community safe – the plugin is now on the list of ClassicPress-specific plugins. :slight_smile:


Thank you very much :slight_smile:


The CP Compatibility plugin made it on the WP Plugins A to Z podcast today :).