CVE-2023-5295: user-file.php in facebook-comment-by-vivacity/tags/1.4 – WordPress Plugin Repository

1<?php2if ( ! defined( ‘ABSPATH’ ) ) exit;3add_action('wp_head’, ‘vi_fbopengraph’);4add_action('wp_footer’, ‘vi_fbmlsetting’);5add_filter ('the_content’, ‘vi_commentscode’);6add_filter('language_attributes’, ‘vi_fbcomment_schema’);7add_shortcode('vivafbcomment’, ‘vi_commentshortcode’);89global $fboptn;101112function vi_fbmlsetting() {13 $fboptn = get_option(‘fbcomment’);14 15if (!isset($fboptn[‘fbml’])) {$fboptn[‘fbml’] = “";}16if ($fboptn[‘fbml’] == ‘on’) {17 ?>18<div id="fb-root"></div>19<script>(function(d, s, id) {20 var js, fjs = d.getElementsByTagName(s)[0];21 if (d.getElementById(id)) return;22 js = d.createElement(s); js.id = id;23 js.src = “//connect.facebook.net/<?php echo $fboptn[‘lang’]; ?>/sdk.js#xfbml=1&appId=<?php echo $fboptn[‘appID’]; ?>&version=v2.0";24 fjs.parentNode.insertBefore(js, fjs);25}(document, 'script’, ‘facebook-jssdk’));</script>26<?php }27} 282930function vi_fbcomment_schema($attr) {31 $fboptn = get_option(‘fbcomment’);32if (!isset($fboptn[‘fbns’])) {$fboptn[‘fbns’] = “";}33if (!isset($fboptn[‘opengraph’])) {$fboptn[‘opengraph’] = “";}34 if ($fboptn[‘opengraph’] == ‘on’) {$attr .= “\n xmlns:og=\"http://opengraphprotocol.org/schema/\"";}35 if ($fboptn[‘fbns’] == ‘on’) {$attr .= “\n xmlns:fb=\"http://www.facebook.com/2008/fbml\"";}36 return $attr;37}3839 40// ----Code for Adding Open Graph meta41 function vi_fbopengraph() {42 $fboptn = get_option(‘fbcomment’); ?>43<meta property="fb:app_id” content="<?php echo $fboptn[‘appID’]; ?>"/>44<meta property="fb:admins” content="<?php echo $fboptn[‘mods’]; ?>"/>45<meta property="og:locale” content="<?php echo $fboptn[‘lang’]; ?>” />46<meta property="og:locale:alternate” content="<?php echo $fboptn[‘lang’]; ?>” />47<?php48}4950// ----Code for hideWpComments51$fboptn = get_option(‘fbcomment’);5253if (!isset($fboptn[‘postshideWpComments’])) {$fboptn[‘postshideWpComments’] = "off";}54if (!isset($fboptn[‘pageshideWpComments’])) {$fboptn[‘pageshideWpComments’] = "off";}5556if ($fboptn[‘postshideWpComments’] == ‘on’ ) {57 function vi_posts_enqueueHideWpCommentsCss() 58 {59 wp_register_style('posts-front-css’, plugins_url('css/fb-comments-hidewpcomments-posts.css’,__FILE__));60 wp_enqueue_style(‘posts-front-css’);61 } 62 add_action('init’, ‘vi_posts_enqueueHideWpCommentsCss’);63 }646566if ( $fboptn[‘pageshideWpComments’] == ‘on’ ) {6768function vi_pages_enqueueHideWpCommentsCss() 69{70 wp_register_style('pages-front-css’, plugins_url('css/fb-comments-hidewpcomments-pages.css’,__FILE__));71 wp_enqueue_style(‘pages-front-css’);72} 73add_action('init’, ‘vi_pages_enqueueHideWpCommentsCss’);74}757677if (!isset($fboptn[‘hideWpComments’])) {$fboptn[‘hideWpComments’] = "";}7879 if ($fboptn[‘hideWpComments’] == “on” ) {80 function vi_fbComments_enqueueHideWpCommentsCss() {81 82 wp_register_style('front-css’, plugins_url('css/fb-comments-hidewpcomments.css’,__FILE__));83 wp_enqueue_style(‘front-css’);84 }85 add_action('init’, ‘vi_fbComments_enqueueHideWpCommentsCss’);86}878889function vi_commentscode($content) {90$fboptn = get_option(‘fbcomment’);91$pages = $fboptn[‘pagesid’];92$totalpages = explode(“,",$pages);93 $allpage=get_all_page_ids();9495 $allpage=array_diff($allpage,$totalpages);9697if (!isset($fboptn[‘html5’])) {$fboptn[‘html5’] = “off";}98if (!isset($fboptn[‘pluginsite’])) {$fboptn[‘pluginsite’] = “off";}99if (!isset($fboptn[‘posts’])) {$fboptn[‘posts’] = “off";}100if (!isset($fboptn[‘pages’])) {$fboptn[‘pages’] = “off";}101if (!isset($fboptn[‘homepage’])) {$fboptn[‘homepage’] = “off";}102if (!isset($fboptn[‘count’])) {$fboptn[‘count’] = “off";}103if (!isset($fboptn[‘countmsg’])) {$fboptn[‘countmsg’] = “0";}104 if ((is_single() && $fboptn[‘posts’] == ‘on’) ||105 (is_page($allpage) && $fboptn[‘pages’] == ‘on’) ||106 ((is_home() || is_front_page()) && $fboptn[‘homepage’] == ‘on’)) {107if($fboptn[‘appID’] != “”) {108 if ($fboptn[‘count’] == ‘on’) {109 110 $commentcount = “<p class=’commentcount’>";111 $commentcount .= “<fb:comments-count href=\"".get_permalink()."\"></fb:comments-count>".” “.$fboptn[‘countmsg’]."</p>";112 ?>113 114 <?php115 }116 if ($fboptn[‘title’] != ‘’) {117 118 $commenttitle = “<h3 class=’coments-title’>";119 $commenttitle .= $fboptn[‘title’]."</h3>";120 }121 $content .= “<!-- FB Comments For WP: https://www.startbitsolutions.com -->".$commenttitle.$commentcount;122123 if ($fboptn[‘html5’] == ‘on’) {124 $content .= “<div class=\"fb-comments\” data-href=\"".get_permalink()."\” data-numposts=\"".$fboptn[‘num’]."\” data-width=\"".$fboptn[‘width’]."\” data-colorscheme=\"".$fboptn[‘scheme’]."\"></div>";125126 } else {127 128 $content .= “<fb:comments href=\"".get_permalink()."\” num_posts=\"".$fboptn[‘num’]."\” width=\"".$fboptn[‘width’]."\” colorscheme=\"".$fboptn[‘scheme’]."\"></fb:comments>";129 }130131 if (!empty($fboptn[‘pluginsite’])) {132 if($fboptn[‘pluginsite’] == ‘on’){133 $content .= '<p class="pluginsite">’.__( 'FB Comments Plugin Powered by’, ‘facebook-comment-by-vivacity’ ). '<a href="https://www.startbitsolutions.com” target="_blank” >Startbit IT Solutions Pvt. Ltd.</a></p>’;134 }}135 136 }137else {138 $fb_adminUrl = get_admin_url()."options-general.php?page=fbcomment";139 $content .= '<div class="error” style="color:#FF0000; font-weight:bold;">140 <p>’. __( 'Please Enter Your Facebook App ID. Required for FB Comments.’, ‘facebook-comment-by-vivacity’ ). ' <a href="’.$fb_adminUrl.’">’. __( 'Click here for FB Comments Settings page’, ‘facebook-comment-by-vivacity’ )141 .’</a></p>142 </div>’;143 }144 }145 return $content;146}147148149// -------Add facebook shortcode------150function vi_commentshortcode($fbsrt) {151 extract(shortcode_atts(array(152 “fbsrtcode” => get_option(‘fbcomment’),153 “url” => get_permalink(),154 ), $fbsrt));155 if (!empty($fbsrt)) {156 foreach ($fbsrt as $key => $option)157 $fbsrtcode[$key] = $option;158 }159 if($fbsrtcode[‘appID’] != “”) {160 if ($fbsrtcode[‘count’] == ‘on’) {161 162 $commentcount = “<p class=’commentcount’>";163 $commentcount .= “<fb:comments-count href=".$url."></fb:comments-count> “.$fbsrtcode[‘countmsg’]."</p>";164 }165 if ($fbsrtcode[‘title’] != ‘’) {166 $commenttitle = “<h3>";167 $commenttitle .= $fbcomment[‘title’]."</h3>";168 }169 $contentshortcode = $commenttitle.$commentcount;170171 if ($fbsrtcode[‘html5’] == ‘on’) {172 $contentshortcode .= “<div class=\"fb-comments\” data-href=\"".$url."\” data-num-posts=\"".$fbsrtcode[‘num’]."\” data-width=\"".$fbsrtcode[‘width’]."\” data-colorscheme=\"".$fbsrtcode[‘scheme’]."\"></div>";173174 } else {175 $contentshortcode .= “<fb:comments href=\"".$url."\” num_posts=\"".$fbsrtcode[‘num’]."\” width=\"".$fbsrtcode[‘width’]."\” colorscheme=\"".$fbsrtcode[‘scheme’]."\"></fb:comments>";176 }177178 if (!empty($fbsrtcode[‘pluginsite’])) {179 if($fbsrtcode[‘pluginsite’] == ‘on’){180 $contentshortcode .= '<p class="pluginsite">’.__( 'FB Comments Plugin Powered by’, ‘facebook-comment-by-vivacity’ ). '<a href="https://www.startbitsolutions.com” target="_blank” >Startbit IT Solutions Pvt. Ltd.</a></p>’;181 }}182 183 }184 else {185 $fb_adminUrl = get_admin_url()."options-general.php?page=fbcomment";186 $contentshortcode .= '<div class="error” style="color:red; font-weight:bold;">187 <p>’. __( 'Please Enter Your Facebook App ID. Required for FB Comments.’, ‘facebook-comment-by-vivacity’ ). ' <a href="’.$fb_adminUrl.’">’. __( 'Click here for FB Comments Settings page’, ‘facebook-comment-by-vivacity’ )188 .’</a></p>189 </div>’;190 }191 return $contentshortcode;192}193?>