Headline
CVE-2020-36739: Changeset 2369818 for feed-them-social – WordPress Plugin Repository
The Feed Them Social – Page, Post, Video, and Photo Galleries plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation in the my_fts_fb_load_more() function: the nonce was only verified when the `fts_security` and `fts_time` parameters happened to be present, so a request that simply omitted them bypassed the check. This makes it possible for unauthenticated attackers to trigger feed loading via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Timestamp:
08/26/2020 10:08:30 PM (3 years ago)
slickremix
Message:
Release 2.8.7, see readme.txt for the changelog.
Location:
feed-them-social
Files:
- tags/2.8.7 (copied from feed-them-social/trunk)
- tags/2.8.7/feed-them.php (3 diffs)
- tags/2.8.7/includes/feed-them-functions.php (3 diffs)
- tags/2.8.7/readme.txt (2 diffs)
- trunk/feed-them.php (3 diffs)
- trunk/includes/feed-them-functions.php (3 diffs)
- trunk/readme.txt (2 diffs)
feed-them-social/tags/2.8.7/feed-them.php
r2345756
r2369818
8
8
\* Plugin URI: https://feedthemsocial.com/
9
9
\* Description: Display a Custom Facebook feed, Instagram feed, Twitter feed, Pinterest feed & YouTube feed on pages, posts or widgets.
10
\* Version: 2.8.6
10
\* Version: 2.8.7
11
11
\* Author: SlickRemix
12
12
\* Author URI: https://www.slickremix.com/
…
…
14
14
\* Domain Path: /languages
15
15
\* Requires at least: WordPress 4.0.0
16
\* Tested up to: WordPress 5.4.2
17
\* Stable tag: 2.8.6
16
\* Tested up to: WordPress 5.5.0
17
\* Stable tag: 2.8.7
18
18
\* License: GPLv2 or later
19
19
\* License URI: https://www.gnu.org/licenses/gpl-3.0.html
20
20
\*
21
\* @version 2.8.6
21
\* @version 2.8.7
22
22
\* @package FeedThemSocial/Core
23
23
\* @copyright Copyright (c) 2012-2020 SlickRemix
…
…
32
32
\* Makes sure any js or css changes are reloaded properly. Added to enqued css and js files throughout!
33
33
\*/
34
define( 'FTS\_CURRENT\_VERSION', '2.8.6' );
34
define( 'FTS\_CURRENT\_VERSION', '2.8.7' );
35
35
36
36
define( 'FEED\_THEM\_SOCIAL\_NOTICE\_STATUS', get\_option( 'rating\_fts\_slick\_notice', false ) );
feed-them-social/tags/2.8.7/includes/feed-them-functions.php
r2345756
r2369818
812
812
\*/
813
813
public function my\_fts\_fb\_load\_more() {
814
if ( isset( $\_REQUEST\['fts\_security'\], $\_REQUEST\['fts\_time'\] ) && ! wp\_verify\_nonce( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_security'\] ) ), sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_time'\] ) ) . 'load-more-nonce' ) ) {
814
815
// Check security token is set.
816
if ( ! isset( $\_REQUEST\['fts\_security'\], $\_REQUEST\['fts\_time'\] ) ) {
815
817
exit( 'Sorry, You can\\'t do that!' );
816
} else {
817
818
if ( isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_fb\_page\_token' === $\_REQUEST\['feed\_name'\] ) {
819
if ( isset( $\_REQUEST\['next\_url'\] ) && false === strpos( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ), 'https://graph.facebook.com/' ) ||
820
isset( $\_REQUEST\['next\_location\_url'\] ) && false === strpos( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ), 'https://graph.facebook.com/' ) ||
821
isset( $\_REQUEST\['next\_url'\] ) && sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ) !== sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ) ||
822
isset( $\_REQUEST\['next\_location\_url'\] ) && sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ) !== sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ) ) {
823
824
exit( 'That is not an FTS shortcode!' );
825
}
826
}
827
828
if ( isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_fb\_page\_token' === $\_REQUEST\['feed\_name'\] ||
818
}
819
820
// Verify Nonce Security.
821
if ( ! wp\_verify\_nonce( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_security'\] ) ) , sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_time'\] ) ) . 'load-more-nonce' ) ) {
822
exit( 'Sorry, You can\\'t do that!' );
823
}
824
825
if ( isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_fb\_page\_token' === $\_REQUEST\['feed\_name'\] ) {
826
if ( isset( $\_REQUEST\['next\_url'\] ) && false === strpos( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ), 'https://graph.facebook.com/' ) ||
827
isset( $\_REQUEST\['next\_location\_url'\] ) && false === strpos( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ), 'https://graph.facebook.com/' ) ||
828
isset( $\_REQUEST\['next\_url'\] ) && sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ) !== sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ) ||
829
isset( $\_REQUEST\['next\_location\_url'\] ) && sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ) !== sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ) ) {
830
831
exit( 'That is not an FTS shortcode!' );
832
}
833
}
834
835
if ( isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_fb\_page\_token' === $\_REQUEST\['feed\_name'\] ||
829
836
isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_twitter' === $\_REQUEST\['feed\_name'\] ||
830
837
isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_youtube' === $\_REQUEST\['feed\_name'\] ||
…
…
833
840
isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_instagram' === $\_REQUEST\['feed\_name'\] ) {
834
841
835
$feed\_atts = isset( $\_REQUEST\['feed\_attributes'\] ) ? array\_map( 'sanitize\_text\_field', wp\_unslash( $\_REQUEST\['feed\_attributes'\] ) ) : '';
836
837
$build\_shortcode = '\[' . sanitize\_text\_field( wp\_unslash( $\_REQUEST\['feed\_name'\] ) ) . '';
838
foreach ( $feed\_atts as $attribute => $value ) {
839
$build\_shortcode .= ' ' . $attribute . '=' . $value;
840
}
841
842
if ( 'fts\_twitter' === $\_REQUEST\['feed\_name'\] ) {
843
$loadmore\_count = isset( $\_REQUEST\['loadmore\_count'\] ) ? sanitize\_text\_field( wp\_unslash( $\_REQUEST\['loadmore\_count'\] ) ) : '';
844
$build\_shortcode .= ' ' . $loadmore\_count . '\]';
845
} elseif ( 'fts\_youtube' === $\_REQUEST\['feed\_name'\] ) {
846
$loadmore\_count = isset( $\_REQUEST\['loadmore\_count'\] ) ? sanitize\_text\_field( wp\_unslash( $\_REQUEST\['loadmore\_count'\] ) ) : '';
847
$build\_shortcode .= ' ' . $loadmore\_count . '\]';
848
} else {
849
$build\_shortcode .= ' \]';
850
}
851
852
echo do\_shortcode( $build\_shortcode );
853
842
$feed\_atts = isset( $\_REQUEST\['feed\_attributes'\] ) ? array\_map( 'sanitize\_text\_field', wp\_unslash( $\_REQUEST\['feed\_attributes'\] ) ) : '';
843
844
$build\_shortcode = '\[' . sanitize\_text\_field( wp\_unslash( $\_REQUEST\['feed\_name'\] ) ) . '';
845
foreach ( $feed\_atts as $attribute => $value ) {
846
$build\_shortcode .= ' ' . $attribute . '=' . $value;
847
}
848
849
if ( 'fts\_twitter' === $\_REQUEST\['feed\_name'\] ) {
850
$loadmore\_count = isset( $\_REQUEST\['loadmore\_count'\] ) ? sanitize\_text\_field( wp\_unslash( $\_REQUEST\['loadmore\_count'\] ) ) : '';
851
$build\_shortcode .= ' ' . $loadmore\_count . '\]';
852
} elseif ( 'fts\_youtube' === $\_REQUEST\['feed\_name'\] ) {
853
$loadmore\_count = isset( $\_REQUEST\['loadmore\_count'\] ) ? sanitize\_text\_field( wp\_unslash( $\_REQUEST\['loadmore\_count'\] ) ) : '';
854
$build\_shortcode .= ' ' . $loadmore\_count . '\]';
854
855
} else {
855
exit( esc\_html( 'That is not an FTS shortcode!' ) );
856
}
856
$build\_shortcode .= ' \]';
857
}
858
859
echo do\_shortcode( $build\_shortcode );
860
861
} else {
862
exit( esc\_html( 'That is not an FTS shortcode!' ) );
857
863
}
858
864
die();
…
…
1090
1096
'fb\_events\_map\_link\_color',
1091
1097
'fb\_hide\_shared\_by\_etc\_text',
1092
'fb\_title\_htag',
1098
'fb\_title\_htag',
1093
1099
'fb\_title\_htag\_size',
1094
1100
'fts\_facebook\_custom\_api\_token\_biz',
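Review bot: The nonce gate now added at the top of my_fts_fb_load_more() closes the "parameters absent" bypass, but the shortcode string is still assembled from the request without escaping: `$build_shortcode .= ' ' . $attribute . '=' . $value;` concatenates the raw `feed_attributes` array key and a value that only passed sanitize_text_field(), which strips tags and line breaks but not `[`, `]`, quotes or spaces, so a value such as `x] [some_other_shortcode]` closes the FTS shortcode and the following `echo do_shortcode( $build_shortcode );` would evaluate whatever was injected. Because the nonce is, per the page's own description, obtainable by unauthenticated visitors, it is a CSRF token rather than an authorization check, so the payload itself needs constraining: reject any `$attribute` not matching `preg_match( '/^[a-z0-9_-]+$/i', $attribute )` (better, a whitelist of known FTS attribute names) and emit the value as `'="' . esc_attr( $value ) . '"'`. The `next_url` guard `false === strpos( ..., 'https://graph.facebook.com/' )` only requires the Graph host to appear somewhere in the string, so a URL like `https://attacker.example/?u=https://graph.facebook.com/` passes; if that URL is fetched server-side later (not visible here) a prefix test, `0 !== strpos( ..., 'https://graph.facebook.com/' )`, is what is wanted, and the two `!==` comparisons that compare `sanitize_text_field( wp_unslash( $_REQUEST['next_url'] ) )` with an identical expression are always false and check nothing. The function body continues past the end of this hunk.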
feed-them-social/tags/2.8.7/readme.txt
r2345756
r2369818
3
3
Tags: Facebook, Instagram, Twitter, YouTube, Feed
4
4
Requires at least: 3.6.0
5
Tested up to: 5.4.2
6
Stable tag: 2.8.6
5
Tested up to: 5.5
6
Stable tag: 2.8.7
7
7
License: GPLv2 or later
8
8
…
…
76
76
77
77
\== Changelog ==
78
\= Version 2.8.7 Tuesday, August 25th, 2020 =
79
\* TESTED: Tested plugin with WordPress version 5.5.0.
80
\* FIX: Security Fixes.
81
78
82
\= Version 2.8.6 Thursday, July 23rd, 2020 =
79
83
\* NEW: Facebook Feed: All target="\_blank" a tag elements now have rel="noreferrer" for better SEO results.
feed-them-social/trunk/feed-them.php
r2345756
r2369818
8
8
\* Plugin URI: https://feedthemsocial.com/
9
9
\* Description: Display a Custom Facebook feed, Instagram feed, Twitter feed, Pinterest feed & YouTube feed on pages, posts or widgets.
10
\* Version: 2.8.6
10
\* Version: 2.8.7
11
11
\* Author: SlickRemix
12
12
\* Author URI: https://www.slickremix.com/
…
…
14
14
\* Domain Path: /languages
15
15
\* Requires at least: WordPress 4.0.0
16
\* Tested up to: WordPress 5.4.2
17
\* Stable tag: 2.8.6
16
\* Tested up to: WordPress 5.5.0
17
\* Stable tag: 2.8.7
18
18
\* License: GPLv2 or later
19
19
\* License URI: https://www.gnu.org/licenses/gpl-3.0.html
20
20
\*
21
\* @version 2.8.6
21
\* @version 2.8.7
22
22
\* @package FeedThemSocial/Core
23
23
\* @copyright Copyright (c) 2012-2020 SlickRemix
…
…
32
32
\* Makes sure any js or css changes are reloaded properly. Added to enqued css and js files throughout!
33
33
\*/
34
define( 'FTS\_CURRENT\_VERSION', '2.8.6' );
34
define( 'FTS\_CURRENT\_VERSION', '2.8.7' );
35
35
36
36
define( 'FEED\_THEM\_SOCIAL\_NOTICE\_STATUS', get\_option( 'rating\_fts\_slick\_notice', false ) );
feed-them-social/trunk/includes/feed-them-functions.php
r2345756
r2369818
812
812
\*/
813
813
public function my\_fts\_fb\_load\_more() {
814
if ( isset( $\_REQUEST\['fts\_security'\], $\_REQUEST\['fts\_time'\] ) && ! wp\_verify\_nonce( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_security'\] ) ), sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_time'\] ) ) . 'load-more-nonce' ) ) {
814
815
// Check security token is set.
816
if ( ! isset( $\_REQUEST\['fts\_security'\], $\_REQUEST\['fts\_time'\] ) ) {
815
817
exit( 'Sorry, You can\\'t do that!' );
816
} else {
817
818
if ( isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_fb\_page\_token' === $\_REQUEST\['feed\_name'\] ) {
819
if ( isset( $\_REQUEST\['next\_url'\] ) && false === strpos( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ), 'https://graph.facebook.com/' ) ||
820
isset( $\_REQUEST\['next\_location\_url'\] ) && false === strpos( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ), 'https://graph.facebook.com/' ) ||
821
isset( $\_REQUEST\['next\_url'\] ) && sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ) !== sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ) ||
822
isset( $\_REQUEST\['next\_location\_url'\] ) && sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ) !== sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ) ) {
823
824
exit( 'That is not an FTS shortcode!' );
825
}
826
}
827
828
if ( isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_fb\_page\_token' === $\_REQUEST\['feed\_name'\] ||
818
}
819
820
// Verify Nonce Security.
821
if ( ! wp\_verify\_nonce( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_security'\] ) ) , sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_time'\] ) ) . 'load-more-nonce' ) ) {
822
exit( 'Sorry, You can\\'t do that!' );
823
}
824
825
if ( isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_fb\_page\_token' === $\_REQUEST\['feed\_name'\] ) {
826
if ( isset( $\_REQUEST\['next\_url'\] ) && false === strpos( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ), 'https://graph.facebook.com/' ) ||
827
isset( $\_REQUEST\['next\_location\_url'\] ) && false === strpos( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ), 'https://graph.facebook.com/' ) ||
828
isset( $\_REQUEST\['next\_url'\] ) && sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ) !== sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_url'\] ) ) ||
829
isset( $\_REQUEST\['next\_location\_url'\] ) && sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ) !== sanitize\_text\_field( wp\_unslash( $\_REQUEST\['next\_location\_url'\] ) ) ) {
830
831
exit( 'That is not an FTS shortcode!' );
832
}
833
}
834
835
if ( isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_fb\_page\_token' === $\_REQUEST\['feed\_name'\] ||
829
836
isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_twitter' === $\_REQUEST\['feed\_name'\] ||
830
837
isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_youtube' === $\_REQUEST\['feed\_name'\] ||
…
…
833
840
isset( $\_REQUEST\['feed\_name'\] ) && 'fts\_instagram' === $\_REQUEST\['feed\_name'\] ) {
834
841
835
$feed\_atts = isset( $\_REQUEST\['feed\_attributes'\] ) ? array\_map( 'sanitize\_text\_field', wp\_unslash( $\_REQUEST\['feed\_attributes'\] ) ) : '';
836
837
$build\_shortcode = '\[' . sanitize\_text\_field( wp\_unslash( $\_REQUEST\['feed\_name'\] ) ) . '';
838
foreach ( $feed\_atts as $attribute => $value ) {
839
$build\_shortcode .= ' ' . $attribute . '=' . $value;
840
}
841
842
if ( 'fts\_twitter' === $\_REQUEST\['feed\_name'\] ) {
843
$loadmore\_count = isset( $\_REQUEST\['loadmore\_count'\] ) ? sanitize\_text\_field( wp\_unslash( $\_REQUEST\['loadmore\_count'\] ) ) : '';
844
$build\_shortcode .= ' ' . $loadmore\_count . '\]';
845
} elseif ( 'fts\_youtube' === $\_REQUEST\['feed\_name'\] ) {
846
$loadmore\_count = isset( $\_REQUEST\['loadmore\_count'\] ) ? sanitize\_text\_field( wp\_unslash( $\_REQUEST\['loadmore\_count'\] ) ) : '';
847
$build\_shortcode .= ' ' . $loadmore\_count . '\]';
848
} else {
849
$build\_shortcode .= ' \]';
850
}
851
852
echo do\_shortcode( $build\_shortcode );
853
842
$feed\_atts = isset( $\_REQUEST\['feed\_attributes'\] ) ? array\_map( 'sanitize\_text\_field', wp\_unslash( $\_REQUEST\['feed\_attributes'\] ) ) : '';
843
844
$build\_shortcode = '\[' . sanitize\_text\_field( wp\_unslash( $\_REQUEST\['feed\_name'\] ) ) . '';
845
foreach ( $feed\_atts as $attribute => $value ) {
846
$build\_shortcode .= ' ' . $attribute . '=' . $value;
847
}
848
849
if ( 'fts\_twitter' === $\_REQUEST\['feed\_name'\] ) {
850
$loadmore\_count = isset( $\_REQUEST\['loadmore\_count'\] ) ? sanitize\_text\_field( wp\_unslash( $\_REQUEST\['loadmore\_count'\] ) ) : '';
851
$build\_shortcode .= ' ' . $loadmore\_count . '\]';
852
} elseif ( 'fts\_youtube' === $\_REQUEST\['feed\_name'\] ) {
853
$loadmore\_count = isset( $\_REQUEST\['loadmore\_count'\] ) ? sanitize\_text\_field( wp\_unslash( $\_REQUEST\['loadmore\_count'\] ) ) : '';
854
$build\_shortcode .= ' ' . $loadmore\_count . '\]';
854
855
} else {
855
exit( esc\_html( 'That is not an FTS shortcode!' ) );
856
}
856
$build\_shortcode .= ' \]';
857
}
858
859
echo do\_shortcode( $build\_shortcode );
860
861
} else {
862
exit( esc\_html( 'That is not an FTS shortcode!' ) );
857
863
}
858
864
die();
…
…
1090
1096
'fb\_events\_map\_link\_color',
1091
1097
'fb\_hide\_shared\_by\_etc\_text',
1092
'fb\_title\_htag',
1098
'fb\_title\_htag',
1093
1099
'fb\_title\_htag\_size',
1094
1100
'fts\_facebook\_custom\_api\_token\_biz',
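Review bot: Moving the nonce verification out of the `isset(...) &&` condition fixes the bypass, but the request still controls the text handed to do_shortcode(): in `$build_shortcode .= ' ' . $attribute . '=' . $value;` the `feed_attributes` key is used unsanitized and the value, after sanitize_text_field(), may still contain `]`, `[`, `"` and whitespace, so a crafted value can terminate the FTS shortcode and append another registered shortcode that `echo do_shortcode( $build_shortcode );` will then run. Since the nonce here protects against cross-site forgery and not against a visitor who can read it from the page, the attribute names should be validated (`if ( ! preg_match( '/^[a-z0-9_-]+$/i', $attribute ) ) { continue; }`) and the value quoted and escaped (`'="' . esc_attr( $value ) . '"'`). Two smaller defects in the same hunk: `$feed_atts` defaults to `''` when `feed_attributes` is absent, so the `foreach` then raises a PHP warning — default to `array()` instead — and the `strpos( ... ) === false` test on `next_url`/`next_location_url` accepts any string that merely contains `https://graph.facebook.com/`, where a prefix check (`0 !== strpos( ... )`) appears to be the intent. The enclosing function ends outside this hunk.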
feed-them-social/trunk/readme.txt
r2345756
r2369818
3
3
Tags: Facebook, Instagram, Twitter, YouTube, Feed
4
4
Requires at least: 3.6.0
5
Tested up to: 5.4.2
6
Stable tag: 2.8.6
5
Tested up to: 5.5
6
Stable tag: 2.8.7
7
7
License: GPLv2 or later
8
8
…
…
76
76
77
77
\== Changelog ==
78
\= Version 2.8.7 Tuesday, August 25th, 2020 =
79
\* TESTED: Tested plugin with WordPress version 5.5.0.
80
\* FIX: Security Fixes.
81
78
82
\= Version 2.8.6 Thursday, July 23rd, 2020 =
79
83
\* NEW: Facebook Feed: All target="\_blank" a tag elements now have rel="noreferrer" for better SEO results.