CVE-2023-2188: utils.php in colibri-page-builder/trunk/extend-builder – WordPress Plugin Repository

The Colibri Page Builder for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in versions up to, and including, 1.0.227 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


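<?php

namespace ExtendBuilder;

use ColibriWP\PageBuilder\PageBuilder;

/**
 * Build a plugin-scoped identifier by prepending the "extend_builder_" prefix.
 *
 * @param string $name Bare name (an empty name yields just the prefix).
 *
 * @return string
 */
function prefix($name = "")
{
    return "extend_builder_$name";
}

/**
 * Names of the public, non-builtin post types currently registered in WordPress.
 *
 * @return array Post type names, as returned by get_post_types() with output 'names'.
 */
function get_public_post_types()
{
    $args = array(
        'public'   => true,
        '_builtin' => false,
    );

    return get_post_types($args, 'names', 'and');
}

/**
 * Logging stub: intentionally a no-op, the syslog implementation is commented out.
 *
 * Because this defines ExtendBuilder\log(), an unqualified log() call anywhere in this
 * namespace resolves here and not to the global math function \log().
 *
 * @param string $msg
 */
function log($msg)
{
    // openlog("extend builder", LOG_PID | LOG_PERROR, LOG_USER);
    // $access = date("Y/m/d H:i:s");
    // syslog(LOG_WARNING, "$access : $msg");
    // closelog();
}

/**
 * Write $msg to the PHP error log, followed by a microsecond-precision timestamp.
 *
 * @param string $msg
 */
function log2($msg)
{
    $t = microtime(true);
    // fractional seconds, zero-padded to six digits so DateTime can parse them as "u"
    $micro = sprintf("%06d", ($t - floor($t)) * 1000000);
    // date() takes an integer timestamp; the sub-second part is carried by $micro
    $d = new \DateTime(date('Y-m-d H:i:s.' . $micro, (int) $t));
    error_log($msg . "->" . $d->format("Y-m-d H:i:s.u"));
}

// Values registered through load_file_value(), keyed by the caller-chosen key.
$colibri_loaded_files_values = array();

/**
 * Store a decoded value under $key and return it.
 *
 * @param string       $key
 * @param string|mixed $json_string JSON text (decoded to an associative array) or an
 *                                  already-decoded value stored as-is.
 *
 * @return mixed The stored value (null when the JSON text is invalid).
 */
function load_file_value($key, $json_string)
{
    global $colibri_loaded_files_values;

    if (is_string($json_string)) {
        $colibri_loaded_files_values[$key] = json_decode($json_string, true);
    } else {
        $colibri_loaded_files_values[$key] = $json_string;
    }

    return $colibri_loaded_files_values[$key];
}

/**
 * Read a value previously stored with load_file_value().
 *
 * @param string $key
 *
 * @return mixed|null Null when nothing was stored under $key.
 */
function get_file_value($key)
{
    global $colibri_loaded_files_values;

    return isset($colibri_loaded_files_values[$key]) ? $colibri_loaded_files_values[$key] : null;
}

/**
 * Thin alias of array_get_value() with a mandatory default.
 *
 * @param array        $array
 * @param array|string $key
 * @param mixed        $default
 *
 * @return mixed
 */
function get_key_value($array, $key, $default)
{
    return array_get_value($array, $key, $default);
}

/**
 * Read a nested value by path, e.g. array_get_value($a, 'x.y.z').
 *
 * @param array        $array
 * @param array|string $parents Path segments, or a string split on $glue.
 * @param mixed        $default Returned when any segment is missing.
 * @param string       $glue
 *
 * @return mixed
 */
function array_get_value(array &$array, $parents, $default = null, $glue = '.')
{
    if (!$array || !is_array($array)) {
        return $default;
    }

    if (!is_array($parents)) {
        $parents = explode($glue, $parents);
    }

    $ref = &$array;

    foreach ((array) $parents as $parent) {
        if (is_array($ref) && array_key_exists($parent, $ref)) {
            $ref = &$ref[$parent];
        } elseif (is_object($ref) && property_exists($ref, $parent)) {
            // walk inside object
            $ref = &$ref->$parent;
        } else {
            return $default;
        }
    }

    return $ref;
}

/**
 * HTML-escape $text after replacing spaces.
 *
 * NOTE(review): in this listing the replacement string appears as a plain space, which
 * would make the str_replace() a no-op; the original is most likely a non-breaking space
 * lost during extraction — confirm against the repository before relying on this.
 *
 * @param string $text
 *
 * @return string
 */
function colibri_esc_html_preserve_spaces($text)
{
    return esc_html(str_replace(" ", " ", $text));
}

/**
 * Write a nested value by path, creating intermediate arrays as needed.
 *
 * @param array        $array
 * @param array|string $parents
 * @param mixed        $value
 * @param string       $glue
 */
function array_set_value(array &$array, $parents, $value, $glue = '.')
{
    if (!is_array($parents)) {
        $parents = explode($glue, (string) $parents);
    }

    $ref = &$array;

    foreach ($parents as $parent) {
        // a scalar in the middle of the path is replaced by an array
        if (isset($ref) && !is_array($ref)) {
            $ref = array();
        }

        $ref = &$ref[$parent];
    }

    $ref = $value;
}

/**
 * Remove a nested key by path. Missing intermediate keys are left untouched
 * (the original auto-created them as null while descending).
 *
 * @param array        $array
 * @param array|string $parents
 * @param string       $glue
 */
function array_unset_value(&$array, $parents, $glue = '.')
{
    if (!is_array($parents)) {
        $parents = explode($glue, $parents);
    }

    $key = array_shift($parents);

    if (empty($parents)) {
        unset($array[$key]);
    } elseif (is_array($array) && isset($array[$key]) && is_array($array[$key])) {
        array_unset_value($array[$key], $parents);
    }
}

/**
 * Re-index a list of arrays by the value found at $key in each item.
 *
 * Items without that key (or that are not arrays) are dropped. The closure must capture
 * $result by reference; a by-value capture (the original code) left the result empty.
 *
 * @param array        $array
 * @param array|string $key   Path understood by array_get_value().
 *
 * @return array
 */
function array_map_by_key($array, $key)
{
    $result = [];
    array_walk($array, function ($partial) use (&$result, $key) {
        if (!is_array($partial)) {
            return;
        }
        $id = array_get_value($partial, $key, null);
        if ($id !== null) {
            $result[$id] = $partial;
        }
    });

    return $result;
}

/**
 * Placeholder paragraph shown only inside the customizer preview.
 *
 * @param string $text Filtered through wp_kses_post() before output.
 * @param bool   $echo When true the markup is echoed and nothing is returned.
 *
 * @return string|void
 */
function colibri_placeholder_p($text, $echo = false)
{
    $content = "";

    if (mesmerize_is_customize_preview()) {
        $content = '<p class="content-placeholder-p">' . wp_kses_post($text) . '</p>';
    }

    if ($echo) {
        echo $content;
    } else {
        return $content;
    }
}

/**
 * Read an entry from the per-request plugin cache ($GLOBALS['__colibri_plugin_cache__']).
 *
 * @param string $name
 * @param mixed  $default
 *
 * @return mixed
 */
function colibri_cache_get($name, $default = null)
{
    if (!colibri_cache_has($name)) {
        return $default;
    }

    $colibri_cache = $GLOBALS['__colibri_plugin_cache__'];

    return $colibri_cache[$name];
}

/**
 * Whether the per-request plugin cache holds $name (a stored null still counts).
 *
 * @param string $name
 *
 * @return bool
 */
function colibri_cache_has($name)
{
    $colibri_cache = isset($GLOBALS['__colibri_plugin_cache__']) ? $GLOBALS['__colibri_plugin_cache__'] : array();

    return array_key_exists($name, $colibri_cache);
}

/**
 * Store an entry in the per-request plugin cache.
 *
 * @param string $name
 * @param mixed  $value
 */
function colibri_cache_set($name, $value)
{
    $colibri_cache = isset($GLOBALS['__colibri_plugin_cache__']) ? $GLOBALS['__colibri_plugin_cache__'] : array();
    $colibri_cache[$name] = $value;

    $GLOBALS['__colibri_plugin_cache__'] = $colibri_cache;
}

/**
 * Drop the persistent (transient-backed) plugin cache.
 */
function _colibri_transient_cache_clear()
{
    delete_transient('colibri_page_builder_cache');
}

// Invalidate the transient cache whenever a customizer changeset other than an auto-draft is saved.
add_filter("customize_save_response", function ($value) {

    if (!isset($value['changeset_status']) || $value['changeset_status'] !== "auto-draft") {
        _colibri_transient_cache_clear();
    }

    return $value;
});

add_action('updated_postmeta', '\ExtendBuilder\_colibri_transient_cache_clear');
add_action('wp_insert_post', '\ExtendBuilder\_colibri_transient_cache_clear');

/**
 * Read a path from the transient-backed cache.
 *
 * @param array|string $name     Path understood by array_get_value().
 * @param mixed        $fallback
 *
 * @return mixed
 */
function colibri_transient_cache_get($name, $fallback = null)
{
    $transient = (array) get_transient('colibri_page_builder_cache');

    return array_get_value($transient, $name, $fallback);
}

/**
 * Write a path into the transient-backed cache (stored without expiration).
 *
 * @param array|string $name
 * @param mixed        $value
 */
function colibri_transient_cache_set($name, $value)
{
    $transient = (array) get_transient('colibri_page_builder_cache');
    array_set_value($transient, $name, $value);
    set_transient('colibri_page_builder_cache', $transient);
}

/**
 * Loose truthiness: true, any value with a non-zero intval(), or one of the
 * strings 1/true/on/yes/y (case-insensitive).
 *
 * @param mixed $var
 *
 * @return bool
 */
function is_true($var)
{
    if ($var === true || intval($var) !== 0) {
        return true;
    }

    // arrays, objects and null have no textual form to match on
    if (!is_scalar($var)) {
        return false;
    }

    switch (strtolower((string) $var)) {
        case '1':
        case 'true':
        case 'on':
        case 'yes':
        case 'y':
            return true;
        default:
            return false;
    }
}

/**
 * Loose falsiness: false, any value with a zero intval(), or one of the
 * strings 0/false/off/no/n (case-insensitive).
 *
 * @param mixed $var
 *
 * @return bool
 */
function is_false($var)
{
    if ($var === false || intval($var) === 0) {
        return true;
    }

    if (!is_scalar($var)) {
        return false;
    }

    switch (strtolower((string) $var)) {
        case '0':
        case 'false':
        case 'off':
        case 'no':
        case 'n':
            return true;
        default:
            return false;
    }
}

/**
 * Theme-first template loader: a theme template wins, otherwise the first matching
 * file under the plugin's /template-parts/ directory is loaded.
 *
 * @param string      $slug
 * @param string|null $name Optional variant, giving "{$slug}-{$name}.php" priority.
 */
function get_template_part($slug, $name = null)
{
    do_action("get_template_part_{$slug}", $slug, $name);

    $templates = array();
    $name = (string) $name;
    if ('' !== $name) {
        $templates[] = "{$slug}-{$name}.php";
    }

    $templates[] = "{$slug}.php";

    $located_in_theme = locate_template($templates, false, false);

    if ($located_in_theme) {
        locate_template($templates, true, false);
        return;
    }

    foreach ($templates as $template_name) {
        $path = "/template-parts/$template_name";
        if (PageBuilder::instance()->fileExists($path)) {
            PageBuilder::instance()->loadFile($path);
            break;
        }
    }
}

/**
 * Whitelist and sanitize the query fragment of the customizer preview context.
 *
 * Only the keys p, page_id, name, pagename, title and post_type survive; each is cast
 * or sanitized, post_type must be a registered post type, and null entries are dropped.
 *
 * @param mixed $query Raw request data.
 *
 * @return array Safe query_posts() arguments (possibly empty).
 */
function _sanitize_customizer_preview_context_query($query)
{
    if (!is_array($query)) {
        return array();
    }

    $keys = array('p', 'page_id', 'name', 'pagename', 'title', 'post_type');
    $query_args = array_fill_keys($keys, null);

    // pick only the needed variables in the query; strict so an integer key cannot match loosely
    foreach ($query as $key => $value) {
        if (in_array($key, $keys, true)) {
            $query_args[$key] = $value;
        }
    }

    $post_types = get_post_types();

    // sanitize parameters ('p' previously read 'page_id' by mistake)
    $query_args['p'] = is_scalar($query_args['p']) ? absint($query_args['p']) : null;
    $query_args['page_id'] = is_scalar($query_args['page_id']) ? absint($query_args['page_id']) : null;
    $query_args['pagename'] = is_string($query_args['pagename']) ? sanitize_title($query_args['pagename']) : null;
    $query_args['name'] = is_string($query_args['name']) ? sanitize_title($query_args['name']) : null;
    $query_args['title'] = is_string($query_args['title']) ? sanitize_title($query_args['title']) : null;
    // check if the post_type is an actually registered post type (a non-string key would make isset() throw)
    $query_args['post_type'] = is_string($query_args['post_type']) && isset($post_types[$query_args['post_type']])
        ? $query_args['post_type']
        : null;

    // cleanup null values
    foreach ($query_args as $key => $value) {
        if ($value === null) {
            unset($query_args[$key]);
        }
    }

    return $query_args;
}

/**
 * Inside the customizer preview, re-run the main query from the request's
 * "context[query]" after it has been whitelisted by the sanitizer above.
 */
function apply_customizer_preview_context()
{
    if (!is_customize_preview()) {
        return;
    }

    $context = isset($_REQUEST['context']) ? $_REQUEST['context'] : array();
    $query = is_array($context) && isset($context['query'])
        ? _sanitize_customizer_preview_context_query($context['query'])
        : array();

    if (count($query)) {
        query_posts($query);
    }
}

/**
 * Call $function with $params and return whatever it printed.
 *
 * @param callable $function
 * @param array    $params
 *
 * @return string
 */
function ob_wrap($function, $params = array())
{
    ob_start();
    call_user_func_array($function, $params);

    return ob_get_clean();
}

/**
 * Whether the current user has the given role (strict string comparison).
 *
 * @param string $role
 *
 * @return bool
 */
function colibri_current_user_has_role($role)
{
    $user = wp_get_current_user();

    return in_array($role, (array) $user->roles, true);
}

/**
 * Decode shortcode payload: base64 then URL-decode. No sanitisation happens here,
 * so the result must still be treated as untrusted by the caller.
 *
 * @param string $data
 *
 * @return string
 */
function colibri_shortcode_decode($data)
{
    return urldecode(base64_decode($data));
}

/**
 * Find the first post whose title contains $name.
 *
 * @param string $name
 *
 * @return array|null array('id' => int, 'url' => string) or null when nothing matches.
 */
function get_colibri_image($name)
{
    global $wpdb;
    // %s is left unquoted: $wpdb->prepare() adds the quotes itself; esc_like() neutralises
    // LIKE wildcards inside $name
    $posts = $wpdb->get_results($wpdb->prepare(
        "SELECT * FROM $wpdb->posts WHERE post_title LIKE %s",
        '%' . $wpdb->esc_like($name) . '%'
    ));
    if ($posts && count($posts)) {
        $id = $posts[0]->ID;

        return array("id" => $id, "url" => wp_get_attachment_url($id));
    }

    return null;
}

/**
 * Fetch an image by URL into the media library, reusing an attachment with the same
 * basename when one exists.
 *
 * @param string $url
 *
 * @return array|false Array with 'colibri-url', 'url' and (for new uploads) 'id';
 *                     false when the download or the upload fails.
 */
function import_colibri_image($url)
{
    $skip_import = apply_filters('colibri_api_import_image_skip', false);
    if ($skip_import) {
        return array(
            'colibri-url' => $url,
            'url'         => $url,
        );
    }
    include_once(ABSPATH . 'wp-admin/includes/image.php');
    $name = basename($url);
    $existing_image = get_colibri_image($name);
    if ($existing_image) {
        $existing_image['colibri-url'] = $url;
        return $existing_image;
    }

    $filename = $name;
    $response = null;

    // wp_safe_remote_get() validates the target URL and reports failures as WP_Error
    // rather than throwing, so the catch is only defensive. Inside this namespace the
    // class must be fully qualified: a bare "Exception" would name ExtendBuilder\Exception.
    try {
        $response = wp_safe_remote_get($url);
    } catch (\Exception $e) {
    }

    $file_content = wp_remote_retrieve_body($response);
    if (empty($file_content)) {
        return false;
    }

    $upload = wp_upload_bits(
        $filename,
        null,
        $file_content
    );
    // on failure wp_upload_bits() returns only an 'error' entry, so 'file'/'url' would be undefined
    if (!empty($upload['error'])) {
        return false;
    }

    $post = [
        'post_title' => $filename,
        'guid'       => $upload['url'],
    ];

    $info = wp_check_filetype($upload['file']);
    if (!empty($info['type'])) {
        $post['post_mime_type'] = $info['type'];
    }

    $post_id = wp_insert_attachment($post, $upload['file']);
    if (!$post_id || is_wp_error($post_id)) {
        return false;
    }
    wp_update_attachment_metadata(
        $post_id,
        wp_generate_attachment_metadata($post_id, $upload['file'])
    );

    return array(
        'colibri-url' => $url,
        'url'         => $upload['url'],
        'id'          => $post_id,
    );
}

/**
 * Replace spaces with the HTML non-breaking-space entity.
 *
 * NOTE(review): the listing shows '&nbsp' without the closing ';' — most browsers
 * tolerate it but it is not a well-formed entity; confirm whether '&nbsp;' was intended.
 *
 * @param string $str
 *
 * @return string
 */
function convertStrSpaceToHtml($str)
{
    return str_replace(' ', '&nbsp', $str);
}

/**
 * Join all arguments with '-' into a cache key.
 *
 * @param string $prefix
 * @param string ...$parts
 *
 * @return string
 */
function compose_cache_key($prefix, ...$parts)
{
    return implode('-', array_merge(array($prefix), $parts));
}

/**
 * URL of the current post's featured image in the 'single-post-thumbnail' size.
 *
 * @return string|null Null when there is no current post or no thumbnail.
 */
function colibri_get_post_featured_img()
{
    $post = get_post();
    if (!$post) {
        return null;
    }
    $background_img = wp_get_attachment_image_src(get_post_thumbnail_id($post->ID), 'single-post-thumbnail');
    if (!$background_img) {
        return null;
    }

    return $background_img[0];
}

/**
 * Shortcode for the first MC4WP form, creating a default form when the plugin is
 * active but has none.
 *
 * @return string Empty when the Mailchimp plugin is not installed or no form id is available.
 */
function get_mailchimp_form_shortcode()
{
    $form_id = "";

    //check for mailchimp plugin
    if (class_exists('\MC4WP_Forms_Admin')) {
        $forms = \mc4wp_get_forms();
        if (count($forms) > 0) {
            $form_id = $forms[0]->ID;
        } else {
            //code from MC4WP_Forms_Admin->process_add_form function
            $form_content = include MC4WP_PLUGIN_DIR . 'config/default-form-content.php';

            $form_id = wp_insert_post(
                array(
                    'post_type'    => 'mc4wp-form',
                    'post_status'  => 'publish',
                    'post_title'   => 'colibri-form',
                    'post_content' => $form_content,
                )
            );
        }
    }
    $shortcode = '';
    if ($form_id) {
        $shortcode = sprintf('[mc4wp_form id="%d"]', $form_id);
    }

    return $shortcode;
}

/**
 * Copy a post as a new draft owned by the current user, including its terms and meta.
 *
 * This helper performs no nonce or capability check itself (the original only carried a
 * "verify Nonce" comment), so the caller must authorise the request. The postmeta reads
 * and writes go through $wpdb->prepare(); whether this is the version that addressed the
 * post_id SQL injection reported against releases up to 1.0.227 cannot be told from this
 * listing alone.
 *
 * @param int         $post_id Id of the post to copy.
 * @param string|null $title   Title for the copy; defaults to the original title plus $suffix.
 *
 * @return int|\WP_Error The new post id (0 or WP_Error when wp_insert_post() fails).
 */
function colibri_duplicate_post_as_draft($post_id, $title = null)
{
    global $wpdb;
    // NOTE(review): the listing shows an en dash in this suffix — confirm against the repository
    $suffix = '–copy';
    $post_status = 'draft';

    $post = get_post($post_id);

    if (!$post) {
        // escaped: $post_id originates from the request in the calling handler
        wp_die(esc_html('Error! Post creation failed, could not find original post: ' . $post_id));
    }

    $new_post_title = $title === null ? $post->post_title . $suffix : $title;

    /*
     * if you don't want current user to be the new post author,
     * then change next couple of lines to this: $new_post_author = $post->post_author;
     */
    $current_user = wp_get_current_user();
    $new_post_author = $current_user->ID;

    $args = array(
        'comment_status' => $post->comment_status,
        'ping_status'    => $post->ping_status,
        'post_author'    => $new_post_author,
        'post_content'   => $post->post_content,
        'post_excerpt'   => $post->post_excerpt,
        //'post_name' => $post->post_name,
        'post_parent'    => $post->post_parent,
        'post_password'  => $post->post_password,
        'post_status'    => $post_status,
        'post_title'     => $new_post_title,
        'post_type'      => $post->post_type,
        'to_ping'        => $post->to_ping,
        'menu_order'     => $post->menu_order,
    );

    $new_post_id = wp_insert_post($args);
    // nothing to attach terms or meta to when the insert failed
    if (!$new_post_id || is_wp_error($new_post_id)) {
        return $new_post_id;
    }

    // copy all current post terms to the new draft
    $taxonomies = get_object_taxonomies($post->post_type);
    if (!empty($taxonomies) && is_array($taxonomies)) {
        foreach ($taxonomies as $taxonomy) {
            $post_terms = wp_get_object_terms($post_id, $taxonomy, array('fields' => 'slugs'));
            wp_set_object_terms($new_post_id, $post_terms, $taxonomy, false);
        }
    }

    // duplicate all post meta; every value is bound through prepare(), the rows are
    // combined into a single INSERT ... SELECT ... UNION ALL statement
    $post_meta_infos = $wpdb->get_results($wpdb->prepare(
        "SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id = %d",
        $post_id
    ));
    if (!empty($post_meta_infos)) {
        $sql_query_sel = array();
        foreach ($post_meta_infos as $meta_info) {
            $sql_query_sel[] = $wpdb->prepare(
                "SELECT %d, %s,%s ",
                $new_post_id,
                $meta_info->meta_key,
                $meta_info->meta_value
            );
        }

        $sql_query = "INSERT INTO $wpdb->postmeta (post_id, meta_key, meta_value) ";
        $sql_query .= implode(" UNION ALL ", $sql_query_sel);

        $wpdb->query($sql_query);
    }

    return $new_post_id;
}

/**
 * Whether the current request is the blog archive (post archive or the blog posts page).
 *
 * @return bool
 */
function colibri_is_blog_archive_page()
{
    $is_post_type_archive = get_post_type() === 'post';

    return (is_archive() && $is_post_type_archive) || is_blog_posts();
}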
