Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-2436: blog-in-blog.php in blog-in-blog/tags/1.1.1 – WordPress Plugin Repository

The Blog-in-Blog plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘blog_in_blog’ shortcode in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE
#xss#web#redis#wordpress#php#perl#auth

1<?php23/*4 Plugin Name: Blog in Blog5 Plugin URI: http://informationtakesover.co.uk/blog-in-blog-wordpress-plugin/6 Description: Create a blog within a blog using a category, post_type or tag. This plugin basically shows selected posts on a page using shortcodes.7 Version: 1.1.18 Author: Tim Hodson9 Author URI: http://timhodson.com10 Text Domain: blog-in-blog11 */12/* Copyright 2009 Tim Hodson (email : [email protected])1314 This program is free software; you can redistribute it and/or modify15 it under the terms of the GNU General Public License as published by16 the Free Software Foundation; either version 2 of the License, or17 (at your option) any later version.1819 This program is distributed in the hope that it will be useful,20 but WITHOUT ANY WARRANTY; without even the implied warranty of21 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the22 GNU General Public License for more details.2324 You should have received a copy of the GNU General Public License25 along with this program; if not, write to the Free Software26 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA27 */2829/*30 * [blog_in_blog category_id= num= template=’’]31 * Assume most recent first (it’s supposed to be a mini blog)32 */3334if (!defined(‘BIB_VERSION’))35 define('BIB_VERSION’, ‘1.1.1’);3637// Pre-2.6 compatibility38if (!defined(‘WP_CONTENT_URL’))39 define('WP_CONTENT_URL’, get_option(‘siteurl’) . ‘/wp-content’);40if (!defined(‘WP_CONTENT_DIR’))41 define('WP_CONTENT_DIR’, ABSPATH . ‘wp-content’);42if (!defined(‘WP_PLUGIN_URL’))43 define('WP_PLUGIN_URL’, WP_CONTENT_URL . ‘/plugins’);44if (!defined(‘WP_PLUGIN_DIR’))45 define('WP_PLUGIN_DIR’, WP_CONTENT_DIR . ‘/plugins’);464748if (!defined(‘BIB_WP_UPLOADS_DIR’)) {49 $uploads = wp_upload_dir();50 define('BIB_WP_UPLOADS_DIR’, $uploads[‘basedir’]);51}5253include_once( WP_PLUGIN_DIR . “/blog-in-blog/options.php” );5455$plugin_dir = basename(dirname(__FILE__));56load_plugin_textdomain('blog-in-blog’, WP_PLUGIN_DIR . $plugin_dir, $plugin_dir . ‘/languages’);5758global $blog_in_blog_opts;5960function blog_in_blog_func($atts) {61 global $blog_in_blog_opts;62 global $wp_query;6364 bib_write_debug(__FUNCTION__, “Shortcode parameters”);65 bib_write_debug(__FUNCTION__, print_r($atts, TRUE));6667 if(! is_page()){68 return wpautop(wptexturize(“<strong>ERROR:</strong> Blog-in-Blog shortcodes can only be used in pages, not posts.”));69 exit;70 }7172 extract(shortcode_atts(array(73 ‘category_id’ => '’,74 ‘category_slug’ => '’,75 ‘tag_slug’ => '’,76 ‘custom_post_type’ => '’,77 ‘author’ => '’,78 ‘author_name’ => '’,79// ‘taxonomy’ => '’,80// ‘tax_field’ => '’,81// ‘tax_terms’ => '’,82// ‘tax_operator’ => '’,83 ‘num’ => '10’,84 ‘order_by’ => 'date’,85 ‘template’ => '’,86 ‘pagination’ => 'on’,87 ‘sort’ => 'newest’,88 ‘post_id’ => '’,89 ‘custom_order_by’ => '’,90 ‘thumbnail_size’ => 'thumbnail’,91 ‘hidefirst’ => 092 ), $atts));9394 // set some values from the shortcode95 $blog_in_blog_opts[‘cat’] = $category_id;96 $blog_in_blog_opts[‘cat_slug’] = $category_slug;97 $blog_in_blog_opts[‘tag_slug’] = $tag_slug;98 $blog_in_blog_opts[‘custom_post_type’] = $custom_post_type;99// $blog_in_blog_opts[‘taxonomy’] = $taxonomy;100// $blog_in_blog_opts[‘tax_field’] = $tax_field;101// $blog_in_blog_opts[‘tax_terms’] = $tax_terms;102// $blog_in_blog_opts[‘tax_operator’] = $tax_operator;103 $blog_in_blog_opts[‘num’] = $num;104 $blog_in_blog_opts[‘post_order’] = bib_set_post_order($sort);105 $blog_in_blog_opts[‘order_by’] = $order_by;106 $blog_in_blog_opts[‘custom_order_by’] = $custom_order_by;107 $blog_in_blog_opts[‘post_id’] = $post_id;108 $blog_in_blog_opts[‘pagination’] = $pagination;109 $blog_in_blog_opts[‘template’] = $template ;110 $blog_in_blog_opts[‘author’] = $author ;111 $blog_in_blog_opts[‘author_name’] = $author_name ;112 $blog_in_blog_opts[‘hidefirst’] = $hidefirst ;113114 if(isset ($wp_query->post->ID)){115 $blog_in_blog_opts[‘host_page’] = $wp_query->post->ID;116 bib_write_debug(__FUNCTION__, “Host page => {$wp_query->post->ID}”);117 } else {118 bib_write_debug(__FUNCTION__,"Host page => (Cannot Set Host page ID)");119 }120121122 if (strstr($thumbnail_size, ‘x’)) {123 $blog_in_blog_opts[‘thumbnail_size’] = split(‘x’, $thumbnail_size);124 } else {125 $blog_in_blog_opts[‘thumbnail_size’] = $thumbnail_size;126 }127128 // set the template if set in shortcode, look in uploads, then plugin dir, then use default.129 if ($template != ‘’) {130 bib_write_debug(__FUNCTION__, “deciding on a template to use: $template”);131 // get template string from options132 if (is_array($blog_in_blog_opts[‘bib_templates’])) {133 foreach($blog_in_blog_opts[‘bib_templates’] as $k => $v){134 if ($v[‘template_name’] == $blog_in_blog_opts[‘template’]){135 bib_write_debug(__FUNCTION__, "using template from database: “.$v[‘template_name’]);136 $blog_in_blog_opts[‘bib_post_template’] = ‘’; // this will force using bib_html from database.137 }else{138 bib_write_debug(__FUNCTION__, "$template != ".$v[‘template_name’]);139 }140 }141 // currently no default applied here…142 } 143 if (file_exists(BIB_WP_UPLOADS_DIR . “/” . $template)) {144 $blog_in_blog_opts[‘bib_post_template’] = BIB_WP_UPLOADS_DIR . “/” . $template;145 echo “<!-- BIB: using template: “.$blog_in_blog_opts[‘bib_post_template’].” -->” ;146 bib_write_debug(__FUNCTION__, "using template ".$blog_in_blog_opts[‘bib_post_template’]);147 148 } else if (file_exists(WP_CONTENT_DIR . ‘/uploads/’ . $template)) {149 $blog_in_blog_opts[‘bib_post_template’] = WP_CONTENT_DIR . ‘/uploads/’ . $template;150 echo “<!-- BIB: using template: “.$blog_in_blog_opts[‘bib_post_template’].” -->” ;151 bib_write_debug(__FUNCTION__, "using template ".$blog_in_blog_opts[‘bib_post_template’]);152 153 } else if (file_exists(WP_PLUGIN_DIR . “/blog-in-blog/” . $template)) {154 $blog_in_blog_opts[‘bib_post_template’] = WP_PLUGIN_DIR . “/blog-in-blog/” . $template;155 echo “<!-- BIB: using template: “.$blog_in_blog_opts[‘bib_post_template’].” -->” ;156 bib_write_debug(__FUNCTION__, "using template “.$blog_in_blog_opts[‘bib_post_template’]);157 158 }else{159 $blog_in_blog_opts[‘bib_post_template’] = ‘’; // this will force using of bib_html option160 //echo “Cannot find template file <b>$template</b> in either <code>".BIB_WP_UPLOADS_DIR."/</code> or <code>".WP_PLUGIN_DIR."/blog-in-blog/</code>” ;161 bib_write_debug(__FUNCTION__, "template not found “.$blog_in_blog_opts[‘bib_post_template’]);162 }163 } else {164 $blog_in_blog_opts[‘bib_post_template’] = '’; // this will force using bib_html from database.165 echo “<!-- BIB: using default template from database -->” ;166 bib_write_debug(__FUNCTION__, “defaulting to database template.”);167 }168169 // get some posts for that category170171 $out = “"; // reset output172173 // validate selections and give useful responses174 // TODO expand this properly into a separate function…175 if($blog_in_blog_opts[‘author’] != ‘’ && !is_object(get_user_by(‘id’,$blog_in_blog_opts[‘author’]))){176 $out = “Error: Author with id ‘{$blog_in_blog_opts[‘author’]}’ is not an author in this site.";177 return $out;178 }179 if($blog_in_blog_opts[‘author_name’] != ‘’ && !is_object(get_user_by(‘slug’,$blog_in_blog_opts[‘author_name’]))){180 $out = "Error: Author with slug ‘{$blog_in_blog_opts[‘author_name’]}’ is not an author in this site.";181 return $out;182 }183184 if (isset($wp_query->query[‘bib_page_offset’])) {185 $blog_in_blog_opts[‘offset’] = $wp_query->query[‘bib_page_offset’]; //TODO, fix homepage offset issues186 //var_dump($wp_query->query);187 //echo "offset : $nextoffset";188 } else {189 $blog_in_blog_opts[‘offset’] = 0;190 }191192 // get the posts193 $postslist = bib_get_posts();194 // now for each post, populate the data195 if (is_array($postslist)){196197 if(count($postslist) <= 0){198 $out = “<strong>Blog in Blog:</strong> There are no posts that match the selection criteria.";199 return $out;200 }201202 foreach ($postslist as $post) {203204 //var_dump($post);205206 setup_postdata($post);207 208 $data[‘post_object’] = $post ;209210 $data[‘post_id’] = $post->ID;211 // Because some filters are not working in the same context as our individual posts, 212 // we need to track the current post id in a global variable!213 $blog_in_blog_opts[‘current_post_id’] = $post->ID;214215 $data[‘post_date’] = date_i18n($blog_in_blog_opts[‘date_format’], strtotime($post->post_date));216 $data[‘post_time’] = date_i18n($blog_in_blog_opts[‘time_format’], strtotime($post->post_date));217 $data[‘post_day’] = date_i18n('j’, strtotime($post->post_date));218 $data[‘post_dw’] = date_i18n('D’, strtotime($post->post_date));219 $data[‘post_dow’] = date_i18n('l’, strtotime($post->post_date));220 $data[‘post_mon’] = date_i18n('M’, strtotime($post->post_date));221 $data[‘post_month’] = date_i18n('F’, strtotime($post->post_date));222 $data[‘post_m’] = date_i18n('m’, strtotime($post->post_date));223 $data[‘post_n’] = date_i18n('n’, strtotime($post->post_date));224 $data[‘post_year’] = date_i18n('Y’, strtotime($post->post_date));225 $data[‘post_yr’] = date_i18n('y’, strtotime($post->post_date));226227 $data[‘post_title’] = apply_filters('the_title’, $post->post_title);228229 $user = get_userdata($post->post_author);230 $data[‘post_author’] = apply_filters(‘the_author’, $user->display_name);231 $data[‘post_author_avatar’] = get_avatar($post->post_author, $blog_in_blog_opts[‘bib_avatar_size’]);232233 $data[‘post_content’] = wpautop(wptexturize($post->post_content));234 $data[‘post_content’] = bib_process_gallery($data[‘post_content’], $post->ID);235 236 $data[‘post_excerpt’] = bib_check_password_protected($post,’post_excerpt’);237 238 // this should probably get removed, as we do this in bib_process_moretag()239 //$data[‘post_excerpt’] = wpautop(wptexturize(get_the_excerpt()));240 241 $data[‘post_permalink’] = get_permalink($post);242 $data[‘post_comments’] = bib_process_comments($post->comment_status, $post->comment_count, $data[‘post_permalink’]);243 $data[‘post_tags’] = bib_get_the_tags($post->ID);244245 if (function_exists(‘get_the_post_thumbnail’)) {246 $data[‘post_thumbnail’] = get_the_post_thumbnail($post->ID, $blog_in_blog_opts[‘thumbnail_size’]);247 } else {248 $data[‘post_thumbnail’] = ‘’;249 }250251 // get categories for this post252 $cats = get_the_category($post->ID);253 $catstr = "";254 if (is_array($cats)){255 foreach ($cats as $v) {256 $cat_link = get_category_link($v->cat_ID);257 $catstr .= ' <a href="’ . $cat_link . '” title="’ . $v->cat_name . '” >’ . $v->cat_name . ‘</a>’ . $blog_in_blog_opts[‘bib_text_delim’];258 }259 }260 $catstr = substr($catstr, 0, strlen($catstr) - strlen($blog_in_blog_opts[‘bib_text_delim’]));261 $data[‘post_categories’] = $catstr;262263 $data = bib_process_moretag($data);264265 $out .= bib_parse_template($data); // finally output the data in the template266267 wp_reset_postdata();268 }269 }270 if ($blog_in_blog_opts[‘pagination’] == ‘on’) {271272 $out .= blog_in_blog_page_navi();273 // func - get page navi274 }275276 // return the posts data.277 return bib_do_shortcode($out);278}279280add_shortcode('blog_in_blog’, ‘blog_in_blog_func’);281add_shortcode(‘bib’, ‘blog_in_blog_func’);282283/**284 * Template tag for blog_in_blog. echos the generated content directly.285 * @param assoc_array $atts attributes that you want to pass to the BIB plugin.286 */287function blog_in_blog($atts){288 echo blog_in_blog_func($atts);289}290291/**292 *293 * @global string $blog_in_blog_opts294 * @return array of posts295 */296function bib_get_posts() {297 global $blog_in_blog_opts;298299 $params = array();300 if ($blog_in_blog_opts[‘post_id’] == ‘’) { // for multiposts301 302 if ($blog_in_blog_opts[‘tag_slug’] != ‘’){303 $params[‘tag_slug__in’] = explode(",", $blog_in_blog_opts[‘tag_slug’]);304 }305 if ($blog_in_blog_opts[‘cat’] != ‘’){306 $params[‘category__in’] = explode(“,", $blog_in_blog_opts[‘cat’]);307 }308 if ($blog_in_blog_opts[‘cat_slug’] != ‘’) {309 $params[‘category_name’] = $blog_in_blog_opts[‘cat_slug’];310 }311 if($blog_in_blog_opts[‘custom_post_type’] != ‘’) {312 $params[‘post_type’] = $blog_in_blog_opts[‘custom_post_type’];313 }314 if($blog_in_blog_opts[‘author’] != ‘’) {315 $params[‘author’] = $blog_in_blog_opts[‘author’];316 }317 if($blog_in_blog_opts[‘author_name’] != ‘’) {318 $params[‘author_name’] =$blog_in_blog_opts[‘author_name’];319 }320 if ($blog_in_blog_opts[‘custom_order_by’] != ‘’) {321 $params[‘orderby’] = 'meta_value’;322 $params[‘order’] = $blog_in_blog_opts[‘post_order’];323 $params[‘meta_key’] = $blog_in_blog_opts[‘custom_order_by’];324 }else{325 $params[‘orderby’] = $blog_in_blog_opts[‘order_by’];326 $params[‘order’] = $blog_in_blog_opts[‘post_order’];327 }328// if ($blog_in_blog_opts[‘taxonomy’] != ‘’){329//330// if($blog_in_blog_opts[‘tax_operator’] != ‘’){331// $operator = $blog_in_blog_opts[‘tax_operator’];332// }333// else334// {335// $operator = 'IN’;336// }337//338// $params[‘tax_query’] = array(339// ‘taxonomy’ => $blog_in_blog_opts[‘taxonomy’],340// ‘field’ => $blog_in_blog_opts[‘tax_field’],341// ‘terms’ => explode(',’,$blog_in_blog_opts[‘tax_terms’]),342// ‘operator’ => $operator343// );344// }345346 // apply whatever the case:347 $params[‘suppress_filters’] = false;348349 // adjust the offsett350 if($blog_in_blog_opts[‘hidefirst’] != ‘’ ){351 if($blog_in_blog_opts[‘offset’] != ‘’){352 $params[‘offset’] = intval($blog_in_blog_opts[‘hidefirst’]) + intval($blog_in_blog_opts[‘offset’]);353 } else {354 $params[‘offset’] = intval($blog_in_blog_opts[‘hidefirst’]);355 }356 }else{357 $params[‘offset’] = $blog_in_blog_opts[‘offset’];358 }359360 $params[‘numberposts’] = $blog_in_blog_opts[‘num’];361362 // get the posts.363 $postslist = get_posts($params);364365 }else{ // for single posts366 $postslist[0] = wp_get_single_post($blog_in_blog_opts[‘post_id’]);367 $blog_in_blog_opts[‘pagination’] = 'off’;368 }369370 if ($blog_in_blog_opts[‘bib_debug’]) {371 bib_write_debug( __FUNCTION__ , “Params passed to get_posts()");372 bib_write_debug( __FUNCTION__ , print_r($params, true));373374 bib_write_debug(__FUNCTION__,"Response from get_posts()");375 bib_write_debug( __FUNCTION__ , print_r($postslist, true));376 }377378 return $postslist;379}380381/**382 * Think this is actually deprecated. remove in next version.383 * @global string $blog_in_blog_opts384 * @return <type>385 */386function bib_parse_filter(){387 global $blog_in_blog_opts ;388389 if($blog_in_blog_opts[‘custom_post_type’] != ‘’ ){390 return array('post_type’=> $blog_in_blog_opts[‘custom_post_type’] );391 }392393 if($blog_in_blog_opts[‘category_slug’] != ‘’ ){394 return array(‘category__in’=> $blog_in_blog_opts[‘category_slug’] );395 }396397 if($blog_in_blog_opts[‘custom_post_type’] != ‘’ ){398 return array(‘post_type’=> $blog_in_blog_opts[‘custom_post_type’] );399 }400401}402403/**404 * Filter to remove the shortcode to prevent display after other functions have applied the_content filter405 * TODO = probably no longer actually need this function here. it’s not called anywhere.406 */407function bib_remove_shortcode($content=’’) {408 $content = preg_replace("/\[blog_in_blog.*\]/", "", $content);409 //echo “The Content from bib_remove_shortcode:(“.$content.”)“;410 if ($blog_in_blog_opts[‘bib_debug’]) {411 bib_write_debug(__FUNCTION__ ,"Removed the bib shortcode from the_content()");412 }413414 return $content;415}416417function bib_do_shortcode($content) {418 return do_shortcode($content);419}420421/**422 * set the order clause of our query423 */424function bib_set_post_order($order) {425 global $blog_in_blog_opts;426427 if (isset($order)) {428 if ($order == “ascending” || $order == “oldest” || $order == “reverse” || $order == “ASC”) {429 return 'ASC’;430 } else if ($order == “desending” || $order == “newest” || $order == “forward” || $order == “DESC”) {431 return 'DESC’;432 } else {433 return 'DESC’;434 }435 } else {436 return ‘DESC’;437 }438}439440/**441 * parse template string442 */443function bib_parse_template($data) {444 global $blog_in_blog_opts;445446 $custom_values = bib_get_custom_fields($data[‘post_id’]);447448 // get template string from options449 if (is_array($blog_in_blog_opts[‘bib_templates’])) {450 foreach($blog_in_blog_opts[‘bib_templates’] as $k => $v){451 if ($v[‘template_name’] == $blog_in_blog_opts[‘template’]){452 bib_write_debug(__FUNCTION__, "using template ".$v[‘template_name’]);453 $template = html_entity_decode($v[‘template_html’]);454 }455 }456 }457458 if ($blog_in_blog_opts[‘bib_post_template’] != ‘’ && !isset ($template)) {459 460 bib_write_debug(__FUNCTION__, “have a template to deal with”);461 if (file_exists($blog_in_blog_opts[‘bib_post_template’])) {462 $template = file_get_contents($blog_in_blog_opts[‘bib_post_template’]);463 bib_write_debug(__FUNCTION__, "using template file: ".$blog_in_blog_opts[‘bib_post_template’]);464 } else {465 bib_write_debug(__FUNCTION__, "ERROR: cannot use template file: ".$blog_in_blog_opts[‘bib_post_template’]);466 $template = "<p>Can’t use template: {$blog_in_blog_opts[‘bib_post_template’]}<br /> Either it doesn’t exist in the database, or it doesn’t exist as a file. <a href=\"".get_site_url()."/wp-admin/options-general.php?page=blog_in_blog_options_identifier\">Blog in Blog Admin Page</a></p>";467 }468 } elseif ($blog_in_blog_opts[‘bib_html’] && !isset ($template)) {469 //echo “not using a template” ;470 bib_write_debug(__FUNCTION__, “using default database template”);471 $template = html_entity_decode($blog_in_blog_opts[‘bib_html’]);472 }473474 // bib version475 $template = str_replace("%bib_version%", BIB_VERSION, $template);476477 // post id478 $template = str_replace("%post_id%", $data[‘post_id’], $template);479480 // dates481 $template = str_replace("%post_date%", $data[‘post_date’], $template);482 $template = str_replace("%post_time%", $data[‘post_time’], $template);483 $template = str_replace("%post_day%", $data[‘post_day’], $template);484 $template = str_replace("%post_dw%", $data[‘post_dw’], $template);485 $template = str_replace("%post_dow%", $data[‘post_dow’], $template);486 $template = str_replace("%post_mon%", $data[‘post_mon’], $template);487 $template = str_replace("%post_month%", $data[‘post_month’], $template);488 $template = str_replace("%post_m%", $data[‘post_m’], $template);489 $template = str_replace("%post_n%", $data[‘post_n’], $template);490 $template = str_replace("%post_year%", $data[‘post_year’], $template);491 $template = str_replace("%post_yr%", $data[‘post_yr’], $template);492 $template = str_replace("%post_title%", $data[‘post_title’], $template);493494 // author495 $template = str_replace("%post_author%", $data[‘post_author’], $template);496 $template = str_replace("%post_author_avatar%", $data[‘post_author_avatar’], $template);497498 // content499 $template = str_replace("%post_content%", $data[‘post_content’], $template);500 $template = str_replace("%post_excerpt%", $data[‘post_excerpt’], $template);501 $template = str_replace("%post_thumbnail%", $data[‘post_thumbnail’], $template);502503 // post meta504 $template = str_replace("%post_permalink%", $data[‘post_permalink’], $template);505 $template = str_replace("%post_categories%", $data[‘post_categories’], $template);506 $template = str_replace(“%post_comments%", $data[‘post_comments’], $template);507 $template = str_replace(“%post_tags%", $data[‘post_tags’], $template);508509 if (is_array($custom_values)) {510 foreach ($custom_values as $key => $value) {511 if ($blog_in_blog_opts[‘bib_debug’]) {512 bib_write_debug(__FUNCTION__,"Custom Vars found”);513 }514 if (is_array($value)){515 foreach ($value as $val) {516517 # Check if key should have it’s value reformatted518 if (is_array($blog_in_blog_opts[‘bib_meta_keys’])) {519520 $key2 = substr(substr($key, 1, strlen($key) - 1), 0, -1);521522 if (in_array($key2, $blog_in_blog_opts[‘bib_meta_keys’])) {523524 $val = date_i18n($blog_in_blog_opts[‘date_format’], strtotime($val));525 if ($blog_in_blog_opts[‘bib_debug’]) {526 bib_write_debug(__FUNCTION__,"Reformated date”);527 }528 }529 }530531 $template = str_replace("$key", $val, $template);532 if ($blog_in_blog_opts[‘bib_debug’]) {533 bib_write_debug( __FUNCTION__ , “$key => $val”);534 }535 }536 }537 }538 }539 return $template;540}541542function bib_get_custom_fields($post) {543544 $out = array();545546 $custom_fields = get_post_custom($post);547548 if (is_array($custom_fields)){549 foreach ($custom_fields as $key => $value) {550 $key = “%” . $key . “%";551 $out[$key] = $value;552 }553 }554 return $out;555}556557/**558 * Process comment data and build a string559 */560function bib_process_comments($cStatus, $cCount, $permalink) {561562 $out = '’;563 if (( $cStatus == ‘open’ && $cCount > 0 ) || ( $cStatus == ‘closed’ && $cCount > 0 )) {564565 if(function_exists(‘_n’)){566 $out = ‘<a href="’ . $permalink . '#comments” title="’ . __('Comments’, ‘blog-in-blog’) . '” >’567 . sprintf(_n('%d Comment’, '%d Comments’, $cCount, ‘blog-in-blog’) . ' »’, $cCount) . '</a>’;568 }else{569 $out = ‘<a href="’ . $permalink . '#comments” title="’ . __('Comments’, ‘blog-in-blog’) . '” >’570 . sprintf(__ngettext('%d Comment’, '%d Comments’, $cCount, ‘blog-in-blog’) . ' »’, $cCount) . '</a>’;571 }572 } elseif ($cStatus == ‘open’) {573574 $out = ‘<a href="’ . $permalink . '#respond” title="’ . __('Respond’, ‘blog-in-blog’) . '” >’575 . __('Leave a response ', ‘blog-in-blog’) . '»</a>’;576 } elseif ($cStatus == ‘closed’) {577578 $out .= __('Comments are closed’, ‘blog-in-blog’);579 }580581582 return $out;583}584585/**586 * based on get_the_content() in wp-includes/post-template.php587 */588function bib_process_moretag($data) {589 global $blog_in_blog_opts;590 global $more, $multipage, $page;591 $more = 0;592593 $output = ‘’;594 $hasTeaser = false;595 $more_link_text = $blog_in_blog_opts[‘bib_more_link_text’];596597 $data[‘post_content’] = bib_check_password_protected($data[‘post_object’],’post_content’);598599 if (preg_match('/<!–more(.*?)?–>/’, $data[‘post_content’], $matches)) {600 $content = explode($matches[0], $data[‘post_content’], 2);601 if (!empty($matches[1]) && !empty($more_link_text))602 $more_link_text = strip_tags(wp_kses_no_null(trim($matches[1])));603604 $hasTeaser = true;605 //$more = 0;606 bib_write_debug(__FUNCTION__, “FOUND a ‘more’ tag.”);607 } else {608 $content = array(609 $data[‘post_content’]610 );611 bib_write_debug(__FUNCTION__, “NO more tag.”);612 // $more = 1;613 }614615 if ((false !== strpos($data[‘post_content’], ‘<!–noteaser–>’)) && ((!$multipage) || ($page == 1))) {616 $stripteaser = 1;617 bib_write_debug(__FUNCTION__, “stripteaser = 1”);618 }619 $teaser = $content[0];620621 if (($more) && ($stripteaser) && ($hasTeaser)) {622 // if ( ($more) && ($hasTeaser) )623 bib_write_debug(__FUNCTION__, “Not going to have any sort of teaser.”);624 $teaser = '’;625 }626627 $output .= $teaser;628629 if (count($content) > 1) {630 if ($more) {631 bib_write_debug(__FUNCTION__, “Content array is greater than 1 and more is true.”);632 $output .= ‘<span id="more-' . $data[‘post_id’] . ‘"></span>’ . $content[1];633 } else {634 bib_write_debug(__FUNCTION__, “Creating more link.”);635 if (!empty($more_link_text))636 $output .= apply_filters(‘the_content_more_link’, ' <a href="’ . $data[‘post_permalink’] . “#more-{$data[‘post_id’]}’\” class=\"more-link\">$more_link_text</a>", $more_link_text);637 $output = force_balance_tags($output);638 }639 }640641 $data[‘post_content’] = $output;642643 644 if($data[‘post_excerpt’] == ‘’){645 if(preg_match(“/{$more_link_text}/", $output)){646 $data[‘post_excerpt’] = $output ;647 }else{648 $data[‘post_excerpt’] = get_the_excerpt();649 }650 } else {651 $data[‘post_excerpt’] = apply_filters('excerpt_more’, ‘’, $data[‘post_excerpt’] );652 }653654 return $data;655}656657/**658 * We need to know the post id of the post we are dealing with and not659 * the post of the page containing the BIB shortcode, so have a global being660 * reset with the current post id each time.661 */662add_filter(‘excerpt_more’, ‘bib_filter_excerpt_more’ , 99 ,2);663function bib_filter_excerpt_more($more, $excerpt=’’){664 //$more isn’t actually used, because we want to dump whatever has been applied to more already, and use our own.665 global $post ;666 global $blog_in_blog_opts ;667 bib_write_debug(__FUNCTION__, “Using excerpt more filter”);668669 bib_write_debug(__FUNCTION__, "The permalink from wordpress is: ".get_permalink($blog_in_blog_opts[‘current_post_id’]));670 bib_write_debug(__FUNCTION__, "The post ID is: ".$blog_in_blog_opts[‘current_post_id’]);671672 $output = “$excerpt <a href=\"” . get_permalink($blog_in_blog_opts[‘current_post_id’]) . “#more-{$blog_in_blog_opts[‘current_post_id’]}’\” class=\"more-link\">".get_option(‘bib_more_link_text’)."</a>";673 bib_write_debug(__FUNCTION__, “Generated this link:{$output}”);674675 return $output;676}677678679// this function makes sure that the excerpt is set to a suitable phrase if the post is password protected680function bib_check_password_protected($post,$what=’post_excerpt’) {681682 //var_dump($post);683 $output = $post->$what;684 if (post_password_required($post)) {685 $output = __(‘This is a protected post.’);686 return wpautop(wptexturize($output));687 }688689 return wpautop(wptexturize($output));690}691692693694function bib_process_gallery($content, $postid) {695 // if the content contains a gallery shortcode696 // add post_id to attributes697 $content = preg_replace(‘/(\[gallery.*)\]/’, "\\1 id=$postid ]", $content);698699 return $content;700}701702/**703 * Func to get permalink and make sure there is a ? ready for params.704 * @param $flag boolean flag if we expect to add a param or not?705 */706function bib_get_permalink($flag = true) {707 global $blog_in_blog_opts;708 //global $wp_query;709 //global $wpdb;710711// don’t know which post is calling the shortcode.712 // This especially problematic when bib is included in a page which is then included in another page!713 // however big problem is identifying if this is the home page. if it is then we need to do something clever.714 bib_write_debug( __FUNCTION__,"Host Page ID: “.$blog_in_blog_opts[‘host_page’]);715716 //if ($wp_query->is_home()){717 // bib_write_debug(__FUNCTION__,"HOME PAGE!!!”);718 //}719720721722// $post_detail = $wpdb->get_row("723// select post_name, post_date724// from $wpdb->posts725// where $wpdb->posts.ID = ‘{$blog_in_blog_opts[‘host_page’]}’726// and $wpdb->posts.post_type=’page’727// “,728// ARRAY_A729// );730// bib_write_debug( __FUNCTION__,"post_name=".print_r($post_detail, true));731//732// $permalink_structure = get_option(‘permalink_structure’);733//734// $permalink_structure = str_replace('%year%’, date_i18n('Y’, strtotime($post_detail[‘post_date’])), $permalink_structure);735// $permalink_structure = str_replace('%monthnum%’, date_i18n('m’, strtotime($post_detail[‘post_date’])), $permalink_structure);736// $permalink_structure = str_replace(‘%postname%’, $post_detail[‘post_name’], $permalink_structure);737738 //$perma_link = get_permalink($blog_in_blog_opts[‘host_page’], true);739 //$perma_link = get_site_url().$permalink_structure;740 //bib_write_debug(__FUNCTION__,$perma_link);741742 // get the REQUEST_URI743 $perma_link = $_SERVER[‘REQUEST_URI’];744 bib_write_debug(__FUNCTION__,$perma_link);745746747 // if we have previously had an offset, we strip it from the params.748 $perma_link = preg_replace(“/[\&]*bib_page_offset\=\d+/", '’, $perma_link);749 bib_write_debug(__FUNCTION__,$perma_link);750751752 // check for existing params /?.*=.*/753 //if not found add ? to end of url754 if (preg_match('/\?.*\=.*/’, $perma_link)) {755 if ($blog_in_blog_opts[‘bib_debug’]) {756 bib_write_debug(__FUNCTION__,$perma_link);757 }758 return $perma_link;759 } elseif (preg_match('/\?$/’, $perma_link)) {760 if ($flag === FALSE) {761 $perma_link = preg_replace('/\?$/’, ‘’, $perma_link);762 }763 if ($blog_in_blog_opts[‘bib_debug’]) {764 bib_write_debug( __FUNCTION__,$perma_link);765 }766 return $perma_link;767 } else {768 $perma_link = $perma_link . “?";769 if ($blog_in_blog_opts[‘bib_debug’]) {770 bib_write_debug( __FUNCTION__,$perma_link);771 }772 return $perma_link;773 }774}775776function bib_get_the_tags($postid) {777 global $blog_in_blog_opts;778779 $out = '’;780 $tags = get_the_tags($postid);781782 if (is_array($tags)) {783 foreach ($tags as $tag) {784 //Get the tag name785 $tag_name = $tag->name;786 //Get the tag url787 $tag_url = $tag->slug;788 if (get_option(‘tag_base’)) {789 $the_url = get_bloginfo(‘url’) . ‘/’ . get_option(‘tag_base’);790 } else {791 $the_url = get_bloginfo(‘url’) . '/tag’;792 }793794 //Start adding all the linked tags into a single string for the next step795 $out = $out . ‘<a href="’ . $the_url . ‘/’ . $tag_url . ‘/">’ . $tag_name . ‘</a>’ . $blog_in_blog_opts[‘bib_text_delim’] . ' ';796 }797798 //strip trailing delim and space.799 $out = substr($out, 0, strlen($out) - (strlen($blog_in_blog_opts[‘bib_text_delim’]) + 1));800 }801802 return $out;803}804805/**806 * Page navi807 */808function blog_in_blog_page_navi() {809 global $blog_in_blog_opts;810811 // count pages in chosen category812 $catposts = bib_get_post_count();813 $num = $blog_in_blog_opts[‘num’];814815 $dlimit = $blog_in_blog_opts[‘bib_show_dots_after’];816 $elipsis = " …";817 $page = 0;818 $pages = '’;819 $maxpages = floor($catposts / $num);820 $nextoffset = 0;821 $thisloop = 0;822 $match = false;823 $first = false;824 $lastpage = false;825 $precurr = '’;826 $prevlink = '’;827 $nextlink = '’;828829 $out = '<div class="bib_page_nav">’;830831 if ($catposts >= 1) {832 // show page jumps for every $n posts833 for ($i = 0; $i < $catposts; $i++) {834835 if ($i % $num == 0) {836 // start a new page, so837 $nextpage = $page++;838 $nextoffset = $thisloop;839 $thisloop++;840 if ($i + 1 == $catposts) {841 $lastpage = true;842 }843844 // check if this is the current page (based on offset, if offset not set is first page selected845 if ($match == false && (!isset($blog_in_blog_opts[‘offset’]) || $thisloop - 1 == $blog_in_blog_opts[‘offset’])) {846847 $selected = ' bib_selected” style="’ . $blog_in_blog_opts[‘bib_style_selected’] . '"’;848849 $poffset = ($nextoffset - $num);850 $noffset = ($nextoffset + $num);851 $prevlink = ($nextoffset > 0) ? '<a class="bib_prev_link” href="’ . bib_get_permalink() . ‘&bib_page_offset=’ . $poffset . ‘">’ . $blog_in_blog_opts[‘bib_text_previous’] . '</a> ' : ‘<span class="bib_prev_link_inactive">’ . $blog_in_blog_opts[‘bib_text_previous’] . '</span> ';852 $nextlink = ($noffset < $catposts) ? ' <a class="bib_next_link” href="’ . bib_get_permalink() . ‘&bib_page_offset=’ . $noffset . ‘">’ . $blog_in_blog_opts[‘bib_text_next’] . ‘</a>’ : ' <span class="bib_next_link_inactive">’ .$blog_in_blog_opts[‘bib_text_next’]. '</span>’;853854 $pages[$page][‘current’] = true;855 $match = true;856 } else {857 $selected = ' bib_not_selected” style="’ . $blog_in_blog_opts[‘bib_style_not_selected’] . ‘"’;858 }859860 // if first page has been output861 if ($first == false) {862 $pout = $blog_in_blog_opts[‘bib_text_page’] . ' <a href="’ . bib_get_permalink(FALSE) . '” class="bib_page_number’ . $selected . '” > ' . $page . ‘</a>’ . $blog_in_blog_opts[‘bib_text_delim’];863 $pages[$page][‘html’] = $pout;864 $first = true;865 } else {866 // only output bib_text_delim and page numbers867 if ($lastpage) {868 $pout = ' <a href="’ . bib_get_permalink() . ‘&bib_page_offset=’ . $nextoffset . '” class="bib_page_number’ . $selected . ‘" >’ . $page . ‘</a>’;869 } else {870 $pout = ' <a href="’ . bib_get_permalink() . ‘&bib_page_offset=’ . $nextoffset . ‘" class="bib_page_number’ . $selected . ‘" >’ . $page . ‘</a>’ . $blog_in_blog_opts[‘bib_text_delim’];871 }872 $pages[$page][‘html’] = $pout;873 }874 } else {875 $nextpage = $page;876 $thisloop++;877 }878879 bib_write_debug(__FUNCTION__, “$i, nextpage: $nextpage, thisloop: $thisloop, page: $page, nextoffset: $nextoffset, URLoffset: {$blog_in_blog_opts[‘offset’]}”);880881 if ($thisloop == $nextpage) {882 // do what exactly?883 }884 }885 // var_dump($pages);886 }887888 if (count($pages) > $dlimit) {889 $max = count($pages);890891 $elipsisa = '’;892 $elipsisb = '’;893 $postcurr = '’;894 $current = '’;895 896897 $fp = $pages[1][‘html’];898 $lp = $pages[$max][‘html’];899900 if (is_array($pages)){901 foreach ($pages as $k => $page) {902 if (isset($page[‘current’])) {903904 if ($k == 1 || $k == 2 || $k == 3 ) {905 $fp = '’;906 $elipsisa = '’;907 } elseif ($k == 4 ) {908 // ??? not sure if this condition is actually needed?909 $elipsisa = '’;910 //$elipsisa = $blog_in_blog_opts[‘bib_text_delim’];911 } else {912913 $elipsisa = $elipsis;914 $fp = substr($fp, 0, $fp - strlen($blog_in_blog_opts[‘bib_text_delim’]));915 }916917 if (isset($pages[$k - 2][‘html’])) {918 $precurr = $pages[$k - 2][‘html’];919 }920 if (isset($pages[$k - 1][‘html’])) {921 $precurr .= $pages[$k - 1][‘html’];922 }923 if (isset ($pages[$k][‘html’])){924 $current = $pages[$k][‘html’];925 }926 if (isset ($pages[$k + 1][‘html’])){927 $postcurr = $pages[$k + 1][‘html’];928 }929 //trim bib_text_delim from end of string.930 if (isset ($pages[$k + 2][‘html’])){931 $postcurr .= substr($pages[$k + 2][‘html’], 0, strlen($pages[$k + 2][‘html’]) - strlen($blog_in_blog_opts[‘bib_text_delim’]));932 }933934 if ($k == $max || $k == ($max - 1) || $k == ($max - 2)) {935 $lp = '’;936 $elipsisb = '’;937 } elseif ($k == ($max - 3)) {938 $elipsisb = $blog_in_blog_opts[‘bib_text_delim’];939 } else {940941 $elipsisb = $elipsis;942 }943 }944 bib_write_debug(__FUNCTION__, “$prevlink | $fp | $elipsisa | $precurr | $current | $postcurr | $elipsisb | $lp | $nextlink”);945 }946 }947948 $out .= $prevlink . $fp . $elipsisa . $precurr . $current . $postcurr . $elipsisb . $lp . $nextlink;949950 } else {951 $pagesout = '’;952 if (is_array($pages)) {953 foreach ($pages as $page) {954 $pagesout .= $page[‘html’];955 }956 }957 // remove trailing bib_text_delim958 $pagesout = substr($pagesout, 0, strlen($pagesout) - strlen($blog_in_blog_opts[‘bib_text_delim’]));959960 $out .= $prevlink . $pagesout . $nextlink;961 }962963 $out .= '</div>’;964 // echo htmlspecialchars($out);965 // return HTML966 return $out;967}968969/**970 *971 * gets the post count to use in calculating the pagination.972 * @global object $wpdb973 * @global assoc $blog_in_blog_opts974 * @return int975 */976function bib_get_post_count() {977 global $wpdb;978 global $blog_in_blog_opts;979980 $post_count = 0;981982 $querystr = "983 SELECT count984 FROM $wpdb->term_taxonomy, $wpdb->posts, $wpdb->term_relationships, $wpdb->terms985 WHERE $wpdb->posts.ID = $wpdb->term_relationships.object_id986 AND $wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id";987988 /**989 * If there are categories990 */991 if ($blog_in_blog_opts[‘cat’] != ‘’) {992 if (stristr($blog_in_blog_opts[‘cat’], ‘,’)) {993 $querystr .= "994 AND $wpdb->term_taxonomy.term_id in ( {$blog_in_blog_opts[‘cat’]} )";995 } else {996 $querystr .= "997 AND $wpdb->term_taxonomy.term_id = {$blog_in_blog_opts[‘cat’]} ";998999 }1000 }1001 if ($blog_in_blog_opts[‘cat_slug’] != ‘’) {1002 $querystr .= "1003 AND $wpdb->terms.term_id = $wpdb->term_taxonomy.term_taxonomy_id1004 AND $wpdb->terms.slug = ‘{$blog_in_blog_opts[‘cat_slug’]}’ ";1005 }10061007 /**1008 * If there is a custom post_type involved.1009 */1010 if ($blog_in_blog_opts[‘custom_post_type’] != ‘’){1011 $querystr .= "1012 AND $wpdb->posts.post_type = '".$blog_in_blog_opts[‘custom_post_type’]."’";1013 }10141015 /**1016 * If there is a author involved. TODO CHECK THIS BIT1017 */1018 if ($blog_in_blog_opts[‘author’] != ‘’ || $blog_in_blog_opts[‘author_name’] != ‘’ ){1019 1020 // do something with the author_name1021 if($blog_in_blog_opts[‘author’] != ‘’){1022 $querystr .= "1023 AND $wpdb->posts.post_author = '".$blog_in_blog_opts[‘author’]."’";1024 }1025 if($blog_in_blog_opts[‘author_name’] != ‘’){1026 $author = get_user_by('slug’,$blog_in_blog_opts[‘author_name’]);1027 bib_write_debug(__FUNCTION__, print_r($author,true));1028 $querystr .= "1029 AND $wpdb->posts.post_author = '".$author->ID."’";1030 }1031 }10321033 /**1034 * If we are getting custom post types only we just count them (restarts query)1035 */1036 if ($blog_in_blog_opts[‘custom_post_type’] != ‘’ 1037 && $blog_in_blog_opts[‘cat’] == '’1038 && $blog_in_blog_opts[‘cat_slug’] == ‘’ ){1039 $querystr = "1040 SELECT count($wpdb->posts.ID)1041 FROM $wpdb->posts1042 WHERE $wpdb->posts.post_type = '".$blog_in_blog_opts[‘custom_post_type’]."’";1043 }10441045 /**1046 * Always limit to published posts only.1047 */1048 $querystr .= "1049 AND $wpdb->posts.post_status = 'publish’";105010511052 $result = $wpdb->get_var($querystr);10531054 if ($blog_in_blog_opts[‘bib_debug’]) {1055 bib_write_debug(__FUNCTION__, " Query string ");1056 bib_write_debug(__FUNCTION__, print_r($querystr, true));1057 bib_write_debug(__FUNCTION__, “Result”);1058 bib_write_debug(__FUNCTION__, print_r($result, true));1059 }10601061 return $result;1062}10631064/**1065 * Register our offset parameter1066 */1067add_filter('query_vars’, ‘bib_url_params’);1068function bib_url_params($qvars) {1069 $qvars[] = 'bib_page_offset’;1070 return $qvars;1071}10721073/**1074 * Hide the category(ies) chosen to be the blog1075 */1076function bib_hide_category($wp_query) {10771078 $c = '’;1079 $cat = get_option(‘bib_hide_category’);1080 $NONE_FLAG = 0;10811082 if (is_home ()) {1083 // hide the categories1084 if (is_array($cat)) {1085 foreach ($cat as $v) {1086 if ($v != “NONE”) {1087 $c .= '-' . $v . ',’;1088 }else{1089 $NONE_FLAG = 1;1090 }1091 }1092 if($NONE_FLAG == 0 ){1093 $c = trim($c, ‘,’);1094 $wp_query->set('cat’, $c);1095 $wp_query->set('category__not_in’, array_values($cat));1096 }1097 }1098 1099 }1100 bib_write_debug(__FUNCTION__, "Hide Category:".print_r($cat, true));1101 bib_write_debug(__FUNCTION__, "wp_query:".print_r($wp_query, true));1102 return $wp_query ;1103}11041105// This must be here.1106add_filter('pre_get_posts’, ‘bib_hide_category’);11071108function bib_hide_category_feed($query) {11091110 $c = '’;1111 $NONE_FLAG = 0;1112 $cat = get_option(‘bib_hide_category’);1113 1114 if (get_option(‘bib_hide_category_from_rss’)) {1115 if ($query->is_feed) {1116 1117 if (is_array($cat)) {1118 foreach ($cat as $v) {1119 if ($v != “NONE”) {1120 $c .= '-' . $v . ',’;1121 }else{1122 $NONE_FLAG = 1;1123 }1124 }1125 if($NONE_FLAG == 0 ){1126 $query->set('cat’, $c);1127 $query->set('category__not_in’, array_values($cat));1128 }1129 }1130 }1131 }1132 bib_write_debug(__FUNCTION__, "Hide Category:".print_r($cat, true));1133 bib_write_debug(__FUNCTION__, "query:".print_r($query, true));1134 return $query;1135}11361137add_filter(‘pre_get_posts’, ‘bib_hide_category_feed’);11381139function bib_write_debug($function, $msg) {1140 global $blog_in_blog_opts;11411142 $OPT = get_option(‘bib_debug’);1143 if($OPT){1144 $msg = "; " . $function . " :: “.$msg."\n” ;11451146 if(!isset ($blog_in_blog_opts[‘debug_output’])){1147 $blog_in_blog_opts[‘debug_output’] = "==================== Started Ouput ==================\n";1148 $blog_in_blog_opts[‘debug_output’] .= $msg."\n";1149 }1150 else {1151 $blog_in_blog_opts[‘debug_output’] .= $msg;1152 }1153 }1154}115511561157add_action(‘wp_footer’,’bib_show_debug’);1158function bib_show_debug() {1159 // output debug stuff1160 global $blog_in_blog_opts;11611162 foreach ($blog_in_blog_opts as $key => $value) {1163 if($key != ‘debug_output’){1164 bib_write_debug("OPTION $key", print_r($value,true));1165 }1166 }1167 1168 1169 $OPT = get_option(‘bib_debug’);1170 if ($OPT){1171 1172 $output = "<br /><h2>BLOG_IN_BLOG DEBUG INFO</h2><small>Turn this off in the ‘Misc’ section of the blog_in_blog admin page.</small><br /><textarea cols=’100’ rows=’20’>{$blog_in_blog_opts[‘debug_output’]}</textarea>";1173 unset ($blog_in_blog_opts[‘debug_output’]);1174 echo $output ; 1175 }1176}117711781179//add_action('all’, create_function('’, 'var_dump( current_filter() ) ; '));1180//add_action('shutdown’, create_function('’, ' global $wpdb; if(isset($wpdb)) var_dump( $wpdb->queries ); '));1181?>

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907