SECURITY FIX / prevent XSS vulnerability on admin interface page with…
… a cooked visibility=... parameter. Disclosed via CVE-2021-25055 through WPScan and the WordPress Plugin Review Team.
radgeek committed Jan 23, 2022
1 parent 5afc20f commit 7ff765a
Showing 1 changed file with 11 additions and 8 deletions.
19 changes: 11 additions & 8 deletions feedwordpresssyndicationpage.class.php
Expand Up @@ -57,13 +57,14 @@ function visibility_toggle () {
$defaultVisibility = 'N';
endif;

// this may be output into HTML, and it should really only ever be Y or N...
$visibility = (
isset($_REQUEST['visibility'])
? $_REQUEST['visibility']
? preg_replace('/[^YyNn]+/', '', strip_tags($_REQUEST['visibility']))
: $defaultVisibility
);

return $visibility;
return (strlen($visibility) > 0 ? $visibility : $defaultVisibility);
} /* FeedWordPressSyndicationPage::visibility_toggle() */

function show_inactive () {
Expand Down Expand Up @@ -475,6 +476,7 @@ function dashboard_box ($page, $box = NULL) {
endif;

// Hey ho, let's go...
$syndicatedLinks_formAction = esc_url( sprintf('%s&visibility=%s', $hrefPrefix, urlencode($visibility)) );
?>
<div style="float: left; background: #F5F5F5; padding-top: 5px; padding-right: 5px;"><a href="<?php print $this->form_action(); ?>"><img src="<?php print esc_url(plugins_url( "feedwordpress.png", __FILE__ ) ); ?>" alt="" /></a></div>

Expand Down Expand Up @@ -527,7 +529,7 @@ function dashboard_box ($page, $box = NULL) {
</form>
<?php endif; ?>

<form id="syndicated-links" action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
<form id="syndicated-links" action="<?php print $syndicatedLinks_formAction; ?>" method="post">
<div class="container"><?php FeedWordPressCompatibility::stamp_nonce('feedwordpress_feeds'); ?>
<label for="add-uri">Add:
<input type="text" name="lookup" id="add-uri" placeholder="Source URL"
Expand All @@ -551,14 +553,15 @@ function syndicated_sources_box ($page, $box = NULL) {

$visibility = $this->visibility_toggle();
$showInactive = $this->show_inactive();

$hrefPrefix = $this->form_action();
$formHref = esc_url( sprintf( '%s&amp;visibility=%s', $hrefPrefix, urlencode($visibility) ) );
?>
<div><?php FeedWordPressCompatibility::stamp_nonce('feedwordpress_feeds'); ?></div>
<div class="tablenav">

<div id="add-multiple-uri" class="hide-if-js">
<form action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
<form action="<?php print $formHref; ?>" method="post">
<div><?php FeedWordPressCompatibility::stamp_nonce('feedwordpress_feeds'); ?></div>
<h4>Add Multiple Sources</h4>
<div>Enter one feed or website URL per line. If a URL links to a website which provides multiple feeds, FeedWordPress will use the first one listed.</div>
Expand All @@ -577,7 +580,7 @@ function syndicated_sources_box ($page, $box = NULL) {
a URL for the OPML document, or by uploading a copy from your
computer.</p>

<form enctype="multipart/form-data" action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
<form enctype="multipart/form-data" action="<?php print $formHref; ?>" method="post">
<div><?php FeedWordPressCompatibility::stamp_nonce('feedwordpress_feeds'); ?><input type="hidden" name="MAX_FILE_SIZE" value="100000" /></div>
<div style="clear: both"><label for="opml-lookup" style="float: left; width: 8.0em; margin-top: 5px;">From URL:</label> <input type="text" id="opml-lookup" name="opml_lookup" value="OPML document" /></div>
<div style="clear: both"><label for="opml-upload" style="float: left; width: 8.0em; margin-top: 5px;">From file:</label> <input type="file" id="opml-upload" name="opml_upload" /></div>
Expand All @@ -590,7 +593,7 @@ function syndicated_sources_box ($page, $box = NULL) {
</div> <!-- id="upload-opml" -->

<div id="add-single-uri" class="alignright">
<form id="syndicated-links" action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
<form id="syndicated-links" action="<?php print $formHref; ?>" method="post">
<div><?php FeedWordPressCompatibility::stamp_nonce('feedwordpress_feeds'); ?></div>
<ul class="subsubsub">
<li><label for="add-uri">New source:</label>
Expand Down Expand Up @@ -618,7 +621,7 @@ function syndicated_sources_box ($page, $box = NULL) {

</div> <!-- class="tablenav" -->

<form id="syndicated-links" action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
<form id="syndicated-links" action="<?php print $formHref; ?>" method="post">
<div><?php FeedWordPressCompatibility::stamp_nonce('feedwordpress_feeds'); ?></div>

<?php if ($showInactive) : ?>
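Review bot: The new `preg_replace('/[^YyNn]+/', ...)` filter in visibility_toggle still admits multi-character strings such as `YN` or `yyy`, even though the comment added above it says the value should only ever be Y or N, and the `strlen` check on the new return line only guards the empty case. An exact allowlist (`in_array($candidate, ['Y', 'y', 'N', 'n'], true)`) makes the value a single known character, and an `is_string()` guard keeps an array-valued `visibility[]=` parameter out of `strip_tags()`, which is a TypeError on PHP 8. Whether downstream code treats lowercase y/n the same as Y/N is not visible here, so the allowlist below keeps the same four characters the new filter accepts. The body of visibility_toggle begins before the hunk. In the later hunks the `sprintf` formats differ (`&` in dashboard_box, `&amp;` in syndicated_sources_box); esc_url() should normalise both, so that is a consistency point rather than a defect.
```php
// this may be output into HTML, and it should really only ever be Y or N...
$visibility = $defaultVisibility;
if (isset($_REQUEST['visibility']) && is_string($_REQUEST['visibility'])) {
    $candidate = strip_tags($_REQUEST['visibility']);
    // exact allowlist: a character filter alone still lets through "YN", "yyy", etc.
    if (in_array($candidate, ['Y', 'y', 'N', 'n'], true)) {
        $visibility = $candidate;
    }
}

return $visibility;
```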
