Headline
CVE-2023-3369: aboutme3000.php in about-me-3000/trunk – WordPress Plugin Repository
The About Me 3000 widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
1<?php2/*3Plugin Name: About Me 30004Plugin URI: http://www.wpmaniax.com/about-me-3000/5Description: Add an “About Me” widget to your sidebar.6Author: Csaba Kissi7Version: 2.2.68Author URI: http://www.wpmaniax.com9*/101112require_once(ABSPATH . ‘/wp-admin/includes/image.php’);1314$arr_am_titles = array(“Facebook", “Friendfeed", “Feedburner", “Flickr", “Delicious", “GitHub", “Google Plus", “Instagram", “MySpace", “LinkedIn", “Pinterest", “Posterous", “Skype", “StumbleUpon", “Technorati", “Twitter", “YouTube", “Tumblr", “Xing”);15$arr_am_urls = array(“http://www.facebook.com/profile.php?id=", “http://friendfeed.com/", “http://feeds2.feedburner.com/", “http://www.flickr.com/photos/", “http://delicious.com/", “http://www.myspace.com/", “http://www.linkedin.com/in/", “http://posterous.com/people/", “http://YourID.stumbleupon.com", “http://technorati.com/people/technorati/", “http://twitter.com/", “http://www.youtube.com/user/", “http://YourID.tumblr.com", “http://www.xing.com/profile/", ‘http://www.pinterest.com/’);1617// Shows widget18function widget_aboutme($args)19{20 global $arr_am_titles, $arr_am_urls;21 extract($args);22 $options = get_option(“widget_aboutme”);23 if (empty($options[‘title’])) $options[‘title’] = 'About Me’;24 echo $before_widget;25 echo $before_title;26 echo $options[‘title’];27 echo $after_title;28?>29 <style>30 .aboutme {31 clear: both32 }3334 .aboutme * {35 border: 0px solid;36 }3738 .aboutme img {39 padding: 0px;40 }41 </style>42 <?php43 echo “<div class=’aboutme’>";44 if (!empty($options[‘grav_x’])) $x = $options[‘grav_x’];45 else $x = 80;46 if (!empty($options[‘grav_y’])) $y = $options[‘grav_y’];47 else $y = 80;48 if (!empty($options[‘email’]) && $options[‘grav_on’] == 1) echo “<img width=\"” . $x . “\” height=\"” . $y . “\” style=’float:” . (($options[“alignright_on”] == ‘1’) ? ‘right’ : ‘left’) . “;” . (($options[“frame_on”] == ‘1’) ? ‘border:1px solid #999;’ : ‘’) . " margin:5px;’ src=’http://www.gravatar.com/avatar/” . md5($options[‘email’]) . “?s=80’>";49 if (@$options[‘grav_on’] == 2) echo “<img width=\"80\” height=\"80\” style=’float:” . ((@$options[“alignright_on”] == ‘1’) ? ‘right’ : ‘left’) . “;” . ((@$options[“frame_on”] == ‘1’) ? ‘border:1px solid #999;’ : ‘’) . " margin:5px;’ src=’” . $options[‘image_url’] . “’>";50 echo @$options[‘text’];51 echo “<div style=’clear:both’></div>";52 echo “<div style=’border-top: 1px solid #eee; padding-top:5px; position:relative; height:25px’>";53 echo “<div style=’left:0; position: absolute’>";54 for ($i = 0; $i < count($arr_am_titles); $i++) {55 $tag_id = str_replace(' ‘, ‘’, strtolower($arr_am_titles[$i]));56 /*if ($i == 0 && @$options[‘vanityurl_on’]) echo "<a style=’padding:2px’ target=’_blank’ href=’http://www.facebook.com/” . @$options[$tag_id] . “’><img src=’” . get_bloginfo(‘wpurl’) . “/wp-content/plugins/about-me-3000/” . $tag_id . “.png’ border=’0’></a>";57 else58 if ($i == 8 && @$options[$tag_id . ‘_on’]) echo “<a style=’padding:2px’ target=’_blank’ href=’http://” . @$options[$tag_id] . “.stumbleupon.com/’><img src=’” . get_bloginfo(‘wpurl’) . “/wp-content/plugins/about-me-3000/” . $tag_id . “.png’ border=’0’></a>";59 else60 if ($i == 12 && @$options[$tag_id . ‘_on’]) echo “<a style=’padding:2px’ target=’_blank’ href=’http://” . @$options[$tag_id] . “.tumblr.com/’><img src=’” . get_bloginfo(‘wpurl’) . “/wp-content/plugins/about-me-3000/” . $tag_id . “.png’ border=’0’></a>";61 else*/62 if (@$options[$tag_id . ‘_on’]) echo “<a style=’padding:2px’ target=’_blank’ href=’” . @$options[$tag_id] . “’><img src=’” . get_bloginfo(‘wpurl’) . “/wp-content/plugins/about-me-3000/” . $tag_id . “.png’ border=’0’></a>";63 }64 if (!empty($options[‘email’]) && $options[‘email_on’]) {65 $arr_email = explode(‘@’, strtolower($options[‘email’]));66 /* ?>67 <script type="text/javascript">68 <!–69 var string1 = "<?php echo $arr_email[0]?>";70 var string2 = "@";71 var string3 = "<?php echo $arr_email[1]?>";72 var string4 = string1 + string2 + string3;73 document.write("<a style=’padding:2px’ href=’” + “mail” + “to:” + string1 + string2 + string3 + “’ target=’_blank’>”);74 document.write(“<img src=’<?php echo get_bloginfo(‘url’)?>/wp-content/plugins/about-me-3000/email.png’ border=’0’>”);75 document.write(“</a>”);76 //–>77 </script>78 <?php */79 //echo “<a style=’padding:2px’ href=’mailto:".$options[‘email’]."’><img src=’".get_bloginfo(‘url’)."/wp-content/plugins/about-me-3000/email.png’ border=’0’></a>";80 $label = “<img src=’” . get_bloginfo(‘url’) . “/wp-content/plugins/about-me-3000/email.png’ border=’0’>";81 echo encode_mailto($options[‘email’], $label);82 }83 echo “</div>";84 if (@$options[‘counter_on’]) echo “<div style=’right:0; position: absolute;’><img src=’http://feeds.feedburner.com/~fc/” . @$options[‘feedburner’] . “’></div>";85 if (@$options[‘promote_on’] && 1 == 2) echo “<div style=’left:0; position: absolute; margin-top:18px; padding-left:10px;’><small><a href=\"http://www.webdev3000.com\">Wordpress plugins</a></small></div>";86 echo “</div></div>";87 echo $after_widget;88}8990function encode_mailto($mail, $label, $subject = “", $body = “”)91{92 $chars = preg_split(“//", $mail, -1, PREG_SPLIT_NO_EMPTY);93 $new_mail = “<a style=’padding:2px’ href=\"mailto:";94 foreach ($chars as $val) {95 $new_mail .= “&#” . ord($val) . “;";96 }97 $new_mail .= ($subject != “” && $body != “”) ? “?subject=” . $subject . “&body=” . $body : “";98 $new_mail .= “\">” . $label . “</a>";99 return $new_mail;100}101102// Widget options103function control_aboutme()104{105 global $arr_am_titles, $arr_am_urls;106 $options = get_option(“widget_aboutme”);107 if (!is_array($options)) {108 $options = array(109 ‘title’ => ‘About Me’110 );111 }112 if (@$_POST[‘sent’] == ‘Y’) {113 $options[‘title’] = strip_tags(stripslashes($_POST[‘aboutme-title’]));114 //$options[‘text’] = strip_tags(stripslashes($_POST[‘aboutme-text’]),’<p><a><b><strong><i><u><br>’);115 $options[‘text’] = stripslashes($_POST[‘aboutme-text’]);116 $options[‘email’] = strip_tags(stripslashes(strtolower($_POST[‘aboutme-email’])));117 $options[‘promote_on’] = @$_POST[“aboutme-promote_on”];118 $options[‘frame_on’] = @$_POST[“aboutme-frame_on”];119 $options[‘alignright_on’] = @$_POST[“aboutme-alignright_on”];120 $options[‘email_on’] = @$_POST[“aboutme-email_on”];121 $options[‘grav_on’] = @$_POST[“aboutme-grav_on”];122 $options[‘grav_x’] = @$_POST[“aboutme-grav_x”];123 $options[‘grav_y’] = @$_POST[“aboutme-grav_y”];124 $options[‘counter_on’] = @$_POST[“aboutme-counter_on”];125 $options[‘vanityurl_on’] = @$_POST[“aboutme-vanityurl_on”];126 for ($i = 0; $i < count($arr_am_titles); $i++) {127 $tag_id = str_replace(' ', '’, strtolower($arr_am_titles[$i]));128 $options[$tag_id] = $_POST[“aboutme-" . $tag_id];129 $options[$tag_id . “_on”] = @$_POST[“aboutme-" . $tag_id . “_on”];130 }131 if (!empty($_FILES[‘wp_custom_attachment’][‘name’])) {132 // Setup the array of supported file types. In this case, it’s just PDF.133 $supported_types = array('image/jpeg’, 'image/png’, ‘image/gif’);134135 // Get the file type of the upload136 $arr_file_type = wp_check_filetype(basename($_FILES[‘wp_custom_attachment’][‘name’]));137 $uploaded_type = $arr_file_type[‘type’];138139 // Check if the type is supported. If not, throw an error.140 if (in_array($uploaded_type, $supported_types)) {141142 // Use the WordPress API to upload the file143 $upload = wp_upload_bits($_FILES[‘wp_custom_attachment’][‘name’], null, file_get_contents($_FILES[‘wp_custom_attachment’][‘tmp_name’]));144145 if (isset($upload[‘error’]) && $upload[‘error’] != 0) {146 echo “<div id=\"err_message\” class=\"error\"><p>There was an error uploading your file. The error is: " . $upload[‘error’] . “</p></div>";147 } else {148 //echo “<pre>"; print_r($upload); echo “</pre>";149 if (file_exists($options[‘image’])) @unlink($options[‘image’]);150 if (file_exists(str_replace('-avat’, '’, $options[‘image’]))) @unlink(str_replace('-avat’, '’, $options[‘image’]));151 $thumb = @image_resize($upload[‘file’], 80, 80, true, ‘avat’);152 if (is_object($thumb)) {153 echo “<div id=\"err_message\” class=\"error\"><p>There was an error resize the image</p></div>";154 $options[‘image’] = $upload[‘file’];155 $options[‘image_url’] = content_url() . str_replace(WP_CONTENT_DIR, '’, $upload[‘file’]);156 } else157 if (!file_exists($thumb)) echo “<div id=\"err_message\” class=\"error\"><p>There was an error resize the image</p></div>";158 else {159 $options[‘image’] = $thumb;160 $options[‘image_url’] = content_url() . str_replace(WP_CONTENT_DIR, '’, $options[‘image’]);161 }162 //echo “<pre>"; print_r($thumb); echo “</pre>";163164 } // end if/else165166 } else {167 echo “<div id=\"err_message\” class=\"error\"><p>The file type that you’ve uploaded is not an image</p></div>";168 }169 }170 update_option(“widget_aboutme", $options);171 }172 ?>173 <div class="wrap">174 <?php /*<div id="message” class="updated"><p>Help us to improve our plugin. Your feedback will be appreciated. Feel free to post your <a href="http://www.webdev3000.com/about-me-3000-ver-1-6-released/#comment” target="_blank">comment</a></p></div>*/ ?>175 <?php echo “<h2>” . __('About Me 3000’, ‘’) . “</h2>"; ?>176 <div id="message” class="updated fade">177 <h3>Please leave comment…</h3>178 <p>179 Help us to improve our plugin. Your feedback will be appreciated. Feel free to post your <a href="http://www.wpspeedster.com/blog/about-me-3000-widget/#comment” target="_blank"><strong>comment</strong></a>180181 </p>182 </div>183 <div style="clear:both;"></div>184 <?php echo “<h4>” . __('Settings’, ‘settings_h4’) . “</h4>"; ?>185 <form name="aboutme3000_form” method="post” action="<?php echo str_replace('%7E’, '~’, $_SERVER[‘REQUEST_URI’]); ?>” enctype="multipart/form-data">186 <input type="hidden” name="sent” value="Y">187 <table class="form-table">188 <tr>189 <th><label for="aboutme-title">Title: </label></th>190 <td>191 <input type="text” id="aboutme-title” name="aboutme-title” value="<?php echo $options[‘title’]; ?>” />192 <?php /*<br/><input class="checkbox” type="checkbox” id="aboutme-promote_on” name="aboutme-promote_on"193 value="1” <?php echo((@$options[“promote_on”] == ‘1’) ? ' checked=1’ : ‘’); ?> />194 <label for="aboutme-promote_on">Help us to promote this widget</label><br/>*/ ?>195 </td>196 </tr>197 <tr>198 <th><label for="aboutme-email">Email:199 <small><em>(used for gravatar)</em></small>200 </label></th>201 <td><input type="text” id="aboutme-email” name="aboutme-email” value="<?php echo @$options[‘email’]; ?>” /><br />202 <input class="checkbox” type="checkbox” id="aboutme-email_on” name="aboutme-email_on” value="1” <?php echo ((@$options[“email_on”] == ‘1’) ? ' checked=1’ : ‘’); ?> />203 <label for="aboutme-email_on">Show email contact</label>204 </td>205 </tr>206 <tr>207 <th><label for="aboutme-email">Gravatar:</label></th>208 <td><input type="text” id="aboutme-gvaratar_x” name="aboutme-grav_x” value="<?php echo @$options[‘grav_x’]; ?>” size="2” maxlength="2” /> x209 <input type="text” id="aboutme-gvaratar_y” name="aboutme-grav_y” value="<?php echo @$options[‘grav_y’]; ?>” size="2” maxlength="2” />210 <br />211 <?php /*<input class="checkbox” type="checkbox” id="aboutme-grav_on” name="aboutme-grav_on” value="1” <?php echo (($options[“grav_on”]==’1’)?’ checked=1’:’’); ?> />212 <label for="aboutme-grav_on">Show gravatar</label><br />*/ ?>213 <input class="checkbox” type="checkbox” id="aboutme-frame_on” name="aboutme-frame_on” value="1” <?php echo ((@$options[“frame_on”] == ‘1’) ? ' checked=1’ : ‘’); ?> />214 <label for="aboutme-frame_on">Show frame for gravatar</label><br />215 <input class="checkbox” type="checkbox” id="aboutme-alignright_on” name="aboutme-alignright_on” value="1” <?php echo ((@$options[“alignright_on”] == ‘1’) ? ' checked=1’ : ‘’); ?> />216 <label for="aboutme-alignright_on">Align gravatar to right</label><br />217 </td>218 </tr>219 <tr valign="top">220 <th scope="row">Upload Image<br />221 <small><em>(will be resized to 80x80px)</em></small>222 </th>223 <td>224 <input type="file” id="wp_custom_attachment” name="wp_custom_attachment” value="" size="25"><br />225 <?php226 //echo $options[‘image_url’]."<br/>";227 echo ‘<img src="’ . @$options[‘image_url’] . ‘" alt="image" />’;228 ?>229 </td>230 </tr>231 <tr>232 <th scope="row">Image/Gravatar:</th>233 <td>234 <input type="radio" name="aboutme-grav_on" value="0" <?php echo ((@$options[“grav_on”] == ‘0’ || @$options[“grav_on”] == ‘’) ? ' checked=true’ : ‘’); ?>>235 Show nothing<br />236 <input type="radio" name="aboutme-grav_on" value="1" <?php echo ((@$options[“grav_on”] == ‘1’) ? ' checked=true’ : ‘’); ?>> Show237 Gravatar<br />238 <input type="radio" name="aboutme-grav_on" value="2" <?php echo ((@$options[“grav_on”] == ‘2’) ? ' checked=true’ : ‘’); ?>> Show239 uploaded image240 </td>241 </tr>242 <tr>243 <th><label for="aboutme-text">About you: </label></th>244 <td>245 <div class="postbox">246 <!–!<textarea name="aboutme-text" class="aboutme-text" id="aboutme-text" style="width:inherit; height:150px;"><?php echo trim(@$options[‘text’]); ?></textarea>–>247 <?php wp_editor(trim(@$options[‘text’]), ‘aboutme-text’, $settings = array(‘textarea_name’ => ‘aboutme-text’)); ?>248 </div>249 </td>250 </tr>251 <?php252 for ($i = 0; $i < count($arr_am_titles); $i++) {253 $tag_id = str_replace(' ‘, ‘’, strtolower($arr_am_titles[$i]));254 ?>255 <tr>256 <th><label for="aboutme-<?php echo $tag_id ?>"><?php echo $arr_am_titles[$i] ?> URL:</label></th>257 <td><input type="text" id="aboutme-<?php echo $tag_id ?>" name="aboutme-<?php echo $tag_id ?>" value="<?php echo @$options[$tag_id]; ?>" /> <img src="<?php echo get_bloginfo(‘wpurl’) ?>/wp-content/plugins/about-me-3000/<?php echo $tag_id ?>.png" border="0"><br />258 <?php /*259 if ($i == 0) { ?>260 <?php if (@$options[‘vanityurl_on’]) $url = “http://www.facebook.com/";261 else $url = $arr_am_urls[$i];262 ?>263 <small>(<?php echo $url ?>YourID)</small><br/>264 <input class="checkbox” type="checkbox" id="aboutme-vanityurl_on"265 name="aboutme-vanityurl_on"266 value="1" <?php echo((@$options[“vanityurl_on”] == ‘1’) ? ' checked=1’ : ‘’); ?>/>267 <label for="aboutme-vanityurl_on" title="http://www.facebook.com/YourID">Use Vanity268 URL</label><br/>269 <?php } else270 if ($i == 2) { ?>271 <small>(<?php echo $arr_am_urls[$i] ?>YourID)</small><br/>272 <input class="checkbox" type="checkbox" id="aboutme-counter_on"273 name="aboutme-counter_on"274 value="1" <?php echo((@$options[“counter_on”] == ‘1’) ? ' checked=1’ : ‘’); ?>/>275 <label for="aboutme-counter_on">Show subscribers</label><br/>276 <? } else277 if ($i == 8 || $i == 12) { ?>278 <small>(<?php echo $arr_am_urls[$i] ?>)</small><br/>279 <?280 } else { ?>281 <small>(<?php echo $arr_am_urls[$i] ?>YourID)</small><br/>282 <?php }*/ ?>283 <input class="checkbox" type="checkbox" id="aboutme-<?php echo $tag_id ?>_on" name="aboutme-<?php echo $tag_id ?>_on" value="1" <?php echo ((@$options[$tag_id . “_on”] == ‘1’) ? ' checked=1’ : ‘’); ?> />284 <label for="aboutme-<?php echo $tag_id ?>_on">Show <?php echo $arr_am_titles[$i] ?>285 icon</label>286 </td>287 </tr>288 <?php289 }290 ?>291 </table>292 <p class="submit">293 <input class="button-primary" type="submit" name="Submit" value="<?php _e('Update Options’, ‘oscimp_trdom’) ?>" />294 </p>295 </form>296 </div>297<?php298}299300function control_aboutme_()301{302?>303 <p>304 To configure this widget go to (Settings/About Me 3000) or click <a href=’<?php echo get_bloginfo(‘wpurl’) ?>/wp-admin/options-general.php?page=About-Me’>here</a>305 </p>306<?php307}308309function init_aboutme3000()310{311 wp_register_sidebar_widget('abput_me_3000’, 'About Me 3000’, ‘widget_aboutme’);312 wp_register_widget_control('abput_me_3000’, 'About Me 3000’, ‘control_aboutme_’);313}314315function aboutme3000_admin_actions()316{317 add_options_page("About Me 3000", "About Me", 'edit_plugins’, "About-Me", “control_aboutme”);318}319320function aboutme3000_remove_media_controls()321{322 if (isset($_GET[‘page’]) && $_GET[‘page’] == ‘About-Me’) remove_action('media_buttons’, ‘media_buttons’);323}324325function aboutme3000_show_message()326{327 $user_id = get_current_user_id();328 if (!get_user_meta($user_id, ‘aboutme3000_nag_ignore’)) {329 $msg = “You need to upgrade your database as soon as possible…";330 echo '<div id="message” class="updated fade"><p>’;331 echo (‘<b>About Me 3000 Plugin notice</b>: Structure of the Social links changed. Please check your links on the <a href="/wp-admin/options-general.php?page=About-Me">settings</a> page’);332 echo “</p>";333 echo “<p><strong><a class=\"dismiss-notice\” href=\"options-general.php?page=About-Me&aboutme3000_nag_ignore=0\” target=\"_parent\">Dismiss this notice</a></strong></p></div>";334 }335}336337function aboutme3000_init()338{339 if (isset($_GET[‘aboutme3000_nag_ignore’]) && ‘0’ == $_GET[‘aboutme3000_nag_ignore’]) {340 $user_id = get_current_user_id();341 add_user_meta($user_id, 'aboutme3000_nag_ignore’, 'true’, true);342 if (wp_get_referer()) {343 /* Redirects user to where they were before */344 wp_safe_redirect(wp_get_referer());345 } else {346 /* This will never happen, I can almost gurantee it, but we should still have it just in case*/347 wp_safe_redirect(home_url());348 }349 }350}351352add_action('plugins_loaded’, ‘init_aboutme3000’);353add_action('admin_menu’, ‘aboutme3000_admin_actions’);354add_action('admin_head’, ‘aboutme3000_remove_media_controls’);355add_action('admin_notices’, ‘aboutme3000_show_message’);356add_action('admin_init’, ‘aboutme3000_init’);357?>