CVE-2023-1404: atw-showposts-sc.php in show-posts/tags/1.6/includes – WordPress Plugin Repository

The Weaver Show Posts Plugin for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 1.6. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Category: CVE
Tags: xss, web, wordpress, php, auth

```php
<?php
// ====================================== >>> atw_show_posts_shortcode <<< ======================================

function atw_show_posts_shortcode( $args = '' ) {
    /* implement [weaver_show_posts] */

    /* DOC NOTES:
       CSS styling: The group of posts will be wrapped with a <div> with a class called
       .wvr-show-posts. You can add an additional class to that by providing a 'class=classname' option
       (without the leading '.' used in the actual CSS definition). You can also provide inline styling
       by providing a 'style=value' option where value is whatever styling you need, each terminated
       with a semi-colon (;).

       The optional header is in a <div> called .wvr_show_posts_header. You can add an additional class
       name with 'header_class=classname'. You can provide inline styling with 'header_style=value'.

       .wvr-show-posts .hentry {margin-top: 0px; margin-right: 0px; margin-bottom: 40px; margin-left: 0px;}
       .widget-area .wvr-show-posts .hentry {margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;}
    */

    $opts = array(
        /* formatting options */
        'cols'                => '1',   // display posts in 1 to 3 columns
        'excerpt_length'      => '',    // excerpt length
        'hide_bottom_info'    => '',    // hide bottom info line
        'hide_featured_image' => '',    // hide featured image - FI is displayed by default
        'hide_title'          => '',    // hide the title?
        'hide_top_info'       => '',    // hide the top info line
        'show'                => '',    // show: title | excerpt | full | titlelist | title_featured
        'show_avatar'         => false, // show the author avatar
        'more_msg'            => '',    // replacement for Continue Reading excerpt message
        'use_paging'          => false, // Use paging when displaying multiple posts
        'no_top_clear'        => false  // prevent emitting clear:both
    );

    $slider = '';
    $filter = '';
    if ( isset( $args['slider'] ) ) {
        $slider = $args['slider'];
        unset( $args['slider'] );

        if ( ! function_exists( 'atw_slider_installed' ) ) {
            return '<strong>ERROR with [show_posts slider="' . $slider . '"]: Weaver Slider Plugin not installed.</strong>';
        }

        if ( $slider == '' || atw_posts_get_slider_opt( 'name', $slider ) == '' ) {
            return '<strong>ERROR with [show_posts slider="' . $slider . '"]: You must specify a valid slider name.</strong>';
        }

        $filter = atw_posts_get_slider_opt( 'selected_slider_filter', $slider );
        if ( $filter == '' ) {
            $filter = 'default';
        }

        if ( atw_posts_get_filter_opt( 'slug', $filter ) != $filter ) {
            return '<strong>ERROR with [show_posts slider="' . $slider . '"]: Filter (' . $filter . ') is not a defined filter.</strong>';
        }
        $params = atw_posts_get_filter_params( $filter );
        if ( $params != '' ) { // they specified a $filter via slider, so wipe out everything else
            unset( $args );
            $args               = shortcode_parse_atts( $params );
            $args['use_paging'] = false; // use_paging breaks sliders
        } else {
            $filter = '';
        }
    } elseif ( isset( $args['filter'] ) ) {
        $filter = $args['filter'];
        $params = atw_posts_get_filter_params( $filter );
        if ( $params != '' ) { // they specified a $filter arg, so use it and wipe out anything else...
            unset( $args );
            $args = shortcode_parse_atts( $params );
        } else {
            $filter = '';
        }
    }

    $qargs = atw_posts_get_qargs( $args, $opts );

    extract( shortcode_atts( $opts, $args ) ); // setup local vars

    if ( $show == 'titlelist' && $slider ) {
        $show = 'title';
    } // cheap fix...

    // set transient opts for these options

    atw_trans_set( 'showposts', true ); // global to see if we are in this function

    atw_trans_set( 'show', $show ); // this will always be set - but '' (blank) implies 'full' for built-in, but not Weaver/Aspen settings for them

    if ( $hide_title != '' ) {
        atw_trans_set( 'hide_title', true );
    }
    if ( $hide_top_info != '' ) {
        atw_trans_set( 'hide_top_info', true );
    }
    if ( $hide_bottom_info != '' ) {
        atw_trans_set( 'hide_bottom_info', true );
    }
    if ( $hide_featured_image != '' ) {
        atw_trans_set( 'hide_featured_image', true );
    }
    if ( isset( $args['show_avatar'] ) ) { // need this weirdness for Aspen/Weaver compatibility (not set means use global setting)
        if ( $show_avatar ) {
            atw_trans_set( 'show_avatar', true );
        } else {
            atw_trans_set( 'show_avatar', 'no' );
        }
    }
    if ( $more_msg != '' ) {
        atw_trans_set( 'more_msg', $more_msg );
    }

    $ourposts = new WP_Query( apply_filters( 'atw_show_posts_wp_query', $qargs, $args ) );

    /* now start the content */
    $class = '';
    if ( $filter != '' ) {
        $class = ' atw-show-posts-filter-' . $filter;
    }

    $content = '';
    $tail    = '';

    if ( $slider == '' ) {
        $content = '';
        if ( ! $no_top_clear ) {
            $content = '<div style="clear:both;"></div>';
        }
        $content .= '<div class="atw-show-posts' . $class . '">';
        $tail    = "</div><!-- show_posts -->\n";
    }

    ob_start();

    if ( $slider && function_exists( 'atw_slider_installed' ) && atw_posts_get_slider_opt( 'content_type', $slider ) == 'images' ) {
        atw_slider_do_gallery( $ourposts, $slider );
        // reset stuff
        wp_reset_query();
        wp_reset_postdata();
        atw_trans_clear_all();
        $content .= ob_get_clean(); // get the output

        return $content;
    }

    $slide_li_begin = '';
    $slide_li_end   = '';

    if ( $slider ) {
        $style = '';

        $slide_li_begin = '<div class="atwk-slide"><div class="slide-content slide-post"' . $style . '>' . "\n";
        $slide_li_end   = "\n</div></div><!-- slide-content slide-post -->\n";
    }

    // add excerpt filter here
    if ( $excerpt_length != '' ) {
        $GLOBALS['atw_show_posts_excerpt_length'] = $excerpt_length;
        add_filter( 'excerpt_length', 'atw_posts_excerpt_length_filter', 20 ); // use our excerpt filter early to override others
    }

    if ( $show == 'titlelist' ) {
        echo '<ul>';
    }

    $posts_out = 0;
    $col       = 0;
    if ( ! $ourposts->have_posts() ) {
        echo apply_filters( 'wvr_show_posts_no_posts', __( 'No posts found.', 'atw_showposts' ) );
    }

    if ( WEAVER_SHOWPOSTS_TEMPLATE && atw_posts_get_filter_opt( 'post_template', $filter ) ) {
        require_once( dirname( __FILE__ ) . '/atw-posts-template.php' );
    } // NOW - load the template code

    while ( $ourposts->have_posts() ) {
        $ourposts->the_post();
        $posts_out ++;

        echo $slide_li_begin;

        // aspen_per_post_style();
        if ( $show == 'titlelist' ) {
            ?>
            <li><a href="<?php the_permalink(); ?>" title="<?php printf( esc_attr( __( 'Permalink to %s', 'show-posts' ) ),
                the_title_attribute( 'echo=0' ) ); ?>" rel="bookmark"><?php the_title(); ?></a></li>
            <?php
        } else {
            switch ( $cols ) {
                case 2:
                    $col ++;
                    $style = '';
                    if ( ( $col % 2 ) == 1 ) { // force stuff to be even
                        $style = ' style="clear:left;"';
                    }
                    echo( '<div class="atw-content-2-col atw-cf"' . $style . '>' . "\n" );
                    atw_show_content( $slider, $filter );
                    echo( "</div> <!-- atw-content-2-col -->\n" );

                    break;
                case 3:
                    $col ++;
                    $style = '';
                    if ( ( $col % 3 ) == 1 ) { // force stuff to be even
                        $style = ' style="clear:left;"';
                    }
                    echo( '<div class="atw-content-3-col atw-cf"' . $style . '>' . "\n" );
                    atw_show_content( $slider, $filter );
                    echo( "</div> <!-- atw-content-3-col -->\n" );

                    break;
                case 1:
                default:
                    atw_show_content( $slider, $filter );
                    break;
            } // end switch $cols
        }

        echo $slide_li_end;

    } // end loop
    if ( $show == 'titlelist' ) {
        echo "</ul>\n";
    }

    // unhook excerpt filter here
    if ( $excerpt_length != '' ) {
        unset( $GLOBALS['atw_show_posts_excerpt_length'] );
        remove_filter( 'excerpt_length', 'atw_posts_excerpt_length_filter', 20 ); // remove the excerpt filter added above
    }

    if ( $use_paging ) {
        if ( ! $no_top_clear ) {
            echo '<div style="clear:both;"></div>';
        }

        ?>
        <div id="atw-show-posts-navigation" class="atw-post-nav">
            <?php
            $big = 999999;
            echo paginate_links( array(
                'base'    => str_replace( $big, '%#%', esc_url( get_pagenum_link( $big ) ) ),
                'format'  => '?paged=%#%',
                'current' => max( 1, $qargs['paged'] ),
                'total'   => $ourposts->max_num_pages,
            ) );
            ?>
        </div>
        <?php
    }
    $content .= ob_get_clean(); // get the output

    // get posts

    $content .= $tail;

    // reset stuff
    wp_reset_query();
    wp_reset_postdata();
    atw_trans_clear_all();

    return $content;
}

// =================================== >>> atw_posts_excerpt_length_filter <<< =========================

function atw_posts_excerpt_length_filter( $length ) {
    $val = $GLOBALS['atw_show_posts_excerpt_length'];
    if ( $val > 0 || $val === '0' ) {
        return $val;
    }
    if ( $length != 0 ) {
        return $length;
    } else {
        return 40;
    }
}

// ====================================== >>> atw_show_content <<< ======================================

function atw_show_content( $slider, $filter = '' ) {

    $cur_post_id = get_the_ID();

    /* We have to do our own sticky processing because WP is_sticky() will not work because we are in our own WP_Query,
     * and will thus never be on the home page which is one of the tests in the core is_sticky()
     */

    $sticky = is_sticky( $cur_post_id );

    do_action( 'atw_show_sliders_post_pager', $slider );

    $saved_the_content_filter_key = atw_save_the_content_filters();

    if ( ( ! atw_posts_getopt( 'ignore_aspen_weaver' ) && ( atw_posts_is_wvrx() || atw_posts_is_wii() ) )
         || ( atw_posts_getopt( 'use_native_theme_templates' ) && atw_posts_theme_has_templates() )
    ) {

        if ( $sticky ) {
            echo '<div class="sticky">';
        }

        if ( atw_posts_is_wvrx() ) {
            get_template_part( 'templates/content', get_post_format() );
        } elseif ( function_exists( 'twentysixteen_setup' ) ) { // custom support for twentysixteen
            get_template_part( 'template-parts/content', get_post_format() );
        } else {
            get_template_part( 'content', get_post_format() );
        }

        if ( $sticky ) {
            echo '</div>';
        }
        echo "<div style='clear:both;'></div>\n";
        atw_restore_the_content_filters( $saved_the_content_filter_key );

        return;
    }

    if ( WEAVER_SHOWPOSTS_TEMPLATE ) {
        $template = atw_posts_get_filter_opt( 'post_template', $filter );

        if ( $template != '' ) {
            atw_posts_do_template( $slider, $template );
            atw_restore_the_content_filters( $saved_the_content_filter_key );

            return;
        }
    }

    $add_class = 'atw-post';
    if ( $sticky ) {
        $add_class .= ' sticky';
    }
    ?>
    <article id="post-<?php the_ID(); ?>" <?php post_class( $add_class ); ?>>
        <header class="atw-entry-header">
            <?php
            if ( ! atw_trans_get( 'hide_title' ) ) { // ========== TITLE
                ?>
                <hgroup class="atw-entry-hdr"><h2 class="atw-entry-title">
                    <a href="<?php the_permalink(); ?>" title="<?php printf( esc_attr( __( 'Permalink to %s', 'show-posts' ) ),
                        the_title_attribute( 'echo=0' ) ); ?>" rel="bookmark"><?php the_title(); ?></a>
                </h2></hgroup>

                <?php
            }

            if ( ! atw_trans_get( 'hide_top_info' ) ) { // ============ TOP META
                ?>
                <div class="atw-entry-meta">
                    <div class="atw-entry-meta-icons">
                        <?php

                        printf( __( '<span class="entry-date"><a href="%1$s" title="%2$s" rel="bookmark"><time datetime="%3$s" pubdate>%4$s</time></a></span> <span class="by-author"><span class="author vcard"><a class="url fn n" href="%5$s" title="%6$s" rel="author">%7$s</a></span></span>', 'show-posts' ),
                            esc_url( get_permalink() ),
                            esc_attr( get_the_time() ),
                            esc_attr( get_the_date( 'c' ) ),
                            esc_html( get_the_date() ),
                            esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
                            // esc_attr() here is applied to the translatable format string only; the author
                            // display name is substituted afterwards, unescaped, into the title attribute
                            sprintf( esc_attr( __( 'View all posts by %s', 'show-posts' ) ), get_the_author() ),
                            esc_html( get_the_author() )
                        );

                        if ( atw_trans_get( 'show_avatar' ) != '' && atw_trans_get( 'show_avatar' ) != 'no' ) {
                            echo '  ' . get_avatar( get_the_author_meta( 'user_email' ), 22, null, 'avatar' );
                        }
                        ?>
                    </div><!-- .atw-entry-meta-icons -->
                </div><!-- .atw-entry-meta -->
                <?php
            }
            ?>
        </header><!-- .atw-entry-header -->
        <?php
        if ( atw_trans_get( 'show' ) == 'title' ) {
            echo '</article><!-- #post-' . get_the_ID() . '-->';
            atw_restore_the_content_filters( $saved_the_content_filter_key );

            return;
        }

        if ( atw_trans_get( 'show' ) == 'title_featured' ) {

            if ( get_post_thumbnail_id() ) {
                //$image = wp_get_attachment_image_src( get_post_thumbnail_id( ), 'thumbnail' ); // (url, width, height)
                //$href = $image[0];
                $href = get_permalink();
                ?>
                <p class='atw-featured-image'><a href="<?php echo $href; ?>"><?php esc_url( the_post_thumbnail( 'thumbnail' ) ); ?></a></p>
                <?php
            }
            echo '</article><!-- #post-' . get_the_ID() . '-->';
            atw_restore_the_content_filters( $saved_the_content_filter_key );

            return;
        }

        if ( atw_trans_get( 'show' ) == 'excerpt' ) { // =================== EXCERPT
            ?>
            <div class="atw-entry-summary atw-cf">
                <?php
                atw_show_post_content( $slider );
                ?>
            </div><!-- .atw-entry-summary -->
            <?php
        } else { // ================== FULL CONTENT
            ?>
            <div class="atw-entry-content atw-cf">
                <?php
                atw_show_post_content( $slider );
                ?>
            </div><!-- .atw-entry-content -->
            <?php
        }

        if ( ! atw_trans_get( 'hide_bottom_info' ) ) { // ================= BOTTOM META
            ?>

            <footer class="atw-entry-utility">
                <div class="atw-entry-meta-icons">
                    <?php
                    $categories_list = get_the_category_list( __( ', ', 'show-posts' ) );
                    if ( $categories_list ) { ?>
                        <span class="cat-links">
                            <?php
                            echo $categories_list;
                            ?>
                        </span>
                        <?php
                    } // End if categories
                    $tags_list = get_the_tag_list( '', __( ', ', 'show-posts' ) );
                    if ( $tags_list ) {
                        ?>
                        <span class="tag-links">
                            <?php
                            echo $tags_list;
                            ?>
                        </span>
                        <?php
                    } // End if $tags_list
                    if ( comments_open() ) {
                        ?>
                        <span class="comments-link">
                            <?php
                            comments_popup_link( __( 'Leave a reply', 'show-posts' ),
                                __( '<b>1</b> Reply', 'show-posts' ),
                                __( '<b>%</b> Replies', 'show-posts' ),
                                'leave-reply' );
                            ?>

                        </span>
                        <div style="clear:both;"></div>
                        <?php
                    } // End if comments_open()
                    ?>
                </div><!-- .entry-meta-icons -->
            </footer><!-- .atw-entry-utility -->
            <?php
        }
        edit_post_link( __( 'Edit', 'show-posts' ), '<span class="atw-edit-link">', '</span>' );
        ?>
    </article><!-- #post-<?php the_ID(); ?> -->

    <?php
    atw_restore_the_content_filters( $saved_the_content_filter_key );
}

function atw_save_the_content_filters() {
    global $wp_filter, $wp_current_filter;

    $tag = 'the_content';
    if ( empty( $wp_filter ) || empty( $wp_current_filter ) || ! in_array( $tag, $wp_current_filter ) ) {
        return false;
    }

    return key( $wp_filter[ $tag ] );
}

function atw_restore_the_content_filters( $key = false ) {
    global $wp_filter;
    $tag = 'the_content';
    if ( $key !== false ) {
        reset( $wp_filter[ $tag ] );
        while ( key( $wp_filter[ $tag ] ) !== $key ) {
            if ( next( $wp_filter[ $tag ] ) === false ) {
                break;
            }
        }
    }
}

// ====================================== >>> atw_show_post_content <<< ======================================

function atw_show_post_content( $slider ) {
    // display a post - show thumbnail, link to full size image
    if ( ! atw_trans_get( 'hide_featured_image' ) && get_post_thumbnail_id() ) {
        //$image = wp_get_attachment_image_src( get_post_thumbnail_id( ), 'full' ); // (url, width, height)
        //$href = $image[0];
        $href = get_permalink();
        ?>
        <span class='atw-featured-image'><a href="<?php echo $href; ?>"><?php the_post_thumbnail( 'thumbnail' ); ?></a></span>
        <?php
    }

    // resolve the "continue reading" text first: both branches below use $more
    $more = atw_trans_get( 'more_msg' );
    if ( $more == '' ) {
        $more = 'Continue Reading...';
    } // we always want to show continue reading even if theme sets it to ''

    $content = '';

    if ( $slider && function_exists( 'atw_slider_set_pager_image' ) ) {
        $image = wp_get_attachment_image_src( get_post_thumbnail_id(), 'full' ); // (url, width, height)
        $href  = $image[0];
        if ( ! $href ) {
            $content = get_the_content( $more );
        }

    }

    if ( atw_trans_get( 'show' ) == 'excerpt' ) {
        the_excerpt( $more );
    } elseif ( $content != '' ) {
        echo $content;
    } else {
        // atw_show_post_the_content( $more );
        atw_show_post_the_content( $more );

    }
}

// ====================================== >>> atw_show_post_the_content <<< ======================================
function atw_show_post_the_content( $more ) {
    // use this to support nested the_content filters - slight modification of the WP the_content()

    $content = get_the_content( $more, false );

    $content = do_shortcode( $content ); // try applying shortcodes before the_content filter

    $content = apply_filters( 'the_content', $content );
    //$content = str_replace( ']]>', ']]&gt;', $content );
    echo $content;
}
```
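To make the reported defect concrete, the following is an added stand-alone example, not code from the plugin or from the page. It renders only the author link from the top-meta block above, stubs `esc_attr`, `esc_html` and `__` with `htmlspecialchars`-based stand-ins (an assumption so it runs without WordPress; the real helpers do more), and contrasts the plugin's ordering, which escapes only the translatable format string, with a hardened ordering that escapes the display name itself.

```php
<?php
// Stand-ins for the WordPress helpers (assumption: htmlspecialchars is a
// sufficient model of esc_attr()/esc_html() for this demo).
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( '__' ) ) {
    function __( $text, $domain = 'default' ) { return $text; } // no translation
}

// Plugin ordering: esc_attr() wraps the format string, so the %s placeholder is
// filled with the raw display name AFTER escaping has already happened.
function render_author_link_original( $author_url, $display_name ) {
    $title = sprintf( esc_attr( __( 'View all posts by %s', 'show-posts' ) ), $display_name );
    return sprintf(
        '<a class="url fn n" href="%1$s" title="%2$s" rel="author">%3$s</a>',
        esc_attr( $author_url ), // the plugin uses esc_url() here; esc_attr() stands in
        $title,
        esc_html( $display_name )
    );
}

// Hardened ordering: substitute first, then escape the whole attribute value, so
// a quote or angle bracket in the name is emitted as an entity.
function render_author_link_fixed( $author_url, $display_name ) {
    $title = esc_attr( sprintf( __( 'View all posts by %s', 'show-posts' ), $display_name ) );
    return sprintf(
        '<a class="url fn n" href="%1$s" title="%2$s" rel="author">%3$s</a>',
        esc_attr( $author_url ),
        $title,
        esc_html( $display_name )
    );
}

// Constructed display name with a double quote and a tag, the kind of value a
// contributor can save in their own profile.
$display_name = 'Jane "Q" <b>Doe</b>';
$author_url   = 'https://example.invalid/author/jane/';

// In the first line the raw quote in the name ends the title attribute early;
// in the second the same characters appear as entities inside the attribute.
echo render_author_link_original( $author_url, $display_name ), "\n";
echo render_author_link_fixed( $author_url, $display_name ), "\n";
```

Running the file with the PHP CLI prints both anchors; diffing the two title attributes shows exactly where the original escaping falls short.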

Related news

WordPress Weaver Xtreme 5.0.7 / Weaver Show Posts 1.6 Cross Site Scripting

WordPress Weaver Xtreme theme versions 5.0.7 and below and Weaver Show Posts plugin versions 1.6 and below suffer from a persistent cross site scripting vulnerability.
