CVE-2023-5707: shortcode.php in seo-slider/trunk/includes – WordPress Plugin Repository
The SEO Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘slider’ shortcode and post meta in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
1<?php2/**3 * This file registers the [slider] shortcode.4 *5 * @package SEOSlider6 */78add_shortcode( 'slider’, ‘seo_slider_shortcode’ );9/**10 * Add shortcode.11 *12 * @param array $atts Shortcode attributes.13 *14 * @return string15 */16function seo_slider_shortcode( $atts ) {17 $atts = shortcode_atts(18 [19 ‘id’ => '1’,20 ],21 $atts22 );2324 $output = '’;2526 $schema = apply_filters( 'seo_slider_schema’, [27 ‘gallery’ => ' itemscope itemtype="http://schema.org/ImageGallery"’,28 ‘object’ => ' itemprop="associatedMedia" itemscope itemtype="http://schema.org/ImageObject"’,29 ‘content’ => ' itemprop="description"’,30 ‘image’ => [31 ‘class’ => 'slick-image’,32 ‘itemprop’ => 'image’,33 ],34 ] );3536 if ( defined( ‘WPSEO_VERSION’ ) ) {37 $schema = [38 ‘gallery’ => '’,39 ‘object’ => '’,40 ‘content’ => '’,41 ‘image’ => [42 ‘class’ => 'slick-image’,43 ],44 ];45 }4647 $id = $atts[‘id’];48 $prefix = 'seo_slider_’;49 $breakpoint = apply_filters( 'seo_slider_breakpoint’, 640 );50 $dots = ( get_post_meta( $id, $prefix . 'dots’, true ) ? ‘true’ : ‘false’ );51 $arrows = ( get_post_meta( $id, $prefix . 'arrows’, true ) ? ‘true’ : ‘false’ );52 $loop = ( get_post_meta( $id, $prefix . 'loop’, true ) ? ‘true’ : ‘false’ );53 $autoplay = ( get_post_meta( $id, $prefix . 'autoplay’, true ) ? ‘true’ : ‘false’ );54 $effect = ( get_post_meta( $id, $prefix . 'effect’, true ) === ‘true’ ? ‘true’ : ‘false’ );55 $duration = get_post_meta( $id, $prefix . 'duration’, true );56 $transition = get_post_meta( $id, $prefix . 'transition’, true );57 $mobile = get_post_meta( $id, $prefix . 'mobile’, true );58 $desktop = get_post_meta( $id, $prefix . 'desktop’, true );59 $overlay = get_post_meta( $id, $prefix . 'overlay’, true );60 $text = get_post_meta( $id, $prefix . 'text’, true );61 $slides = get_post_meta( $id, $prefix . 
'slides’, true );6263 $js = "64 jQuery( document ).ready( function($) {65 $( ‘.slick-slider-$id’ ).slick( {66 dots: $dots,67 infinite: $loop,68 speed: $transition,69 arrows: $arrows,70 autoplay: $autoplay,71 autoplaySpeed: $duration,72 fade: $effect,73 slidesToShow: 1 ,74 slidesToScroll: 1,75 lazyLoad: 'ondemand’,76 mobileFirst: true77 } ); 78 } );79 ";8081 $css = "82 .slick-slider-$id {83 height: ${mobile}px;84 }85 .slick-slider-$id,86 .slick-slider-$id p,87 .slick-slider-$id h1,88 .slick-slider-$id h2,89 .slick-slider-$id h3,90 .slick-slider-$id h4,91 .slick-slider-$id h5,92 .slick-slider-$id h6,93 .slick-slider-$id li {94 color: $text;95 }96 .slick-slider-$id .slick-overlay {97 background-color: $overlay;98 }99 @media (min-width: ${breakpoint}px) {100 .slick-slider-$id {101 height: ${desktop}px;102 }103 }104 “;105106 if ( apply_filters( 'seo_slider_output_inline_js’, false ) ) {107 $output .= sprintf( '<script>%s</script>’, $js );108 } else {109 wp_add_inline_script( seo_slider_get_slug(), $js );110 }111112 if ( apply_filters( 'seo_slider_output_inline_css’, false ) ) {113 $output .= sprintf( '<style>%s</style>’, seo_slider_minify_css( $css ) );114 } else {115 wp_add_inline_style( seo_slider_get_slug(), seo_slider_minify_css( $css ) );116 }117118 ob_start();119120 do_action( 'seo_slider_before_slider’, $id );121 ?>122123 <section class="slick-slider slick-slider-<?php echo esc_attr( $id ); ?>” role="banner"<?php echo $schema[‘gallery’]; ?>>124125 <?php $slide_id = 1; ?>126127 <?php foreach ( $slides as $slide ) : ?>128129 <?php do_action( 'seo_slider_before_slide’, $slide ); ?>130131 <figure class="slick-slide slick-slide-<?php esc_attr_e( $slide_id++ ); ?>"<?php echo $schema[‘object’]; ?>>132133 <?php134 $img_id = isset( $slide[‘seo_slider_image_id’] ) ? 
$slide[‘seo_slider_image_id’] : false;135 $img_size = apply_filters( 'seo_slider_image_size’, ‘slider’ );136 $img_atts = apply_filters( 'seo_slider_image_args’, $schema[‘image’] );137 $img_html = wp_get_attachment_image( $img_id, $img_size, false, $img_atts );138 ?>139140 <?php if ( isset( $slide[‘seo_slider_image_id’] ) ) :141 echo apply_filters( 'seo_slider_image_output’, $img_html, $img_id, $img_size, $img_atts );142 endif; ?>143144 <div class="slick-overlay"></div>145146 <?php do_action( 'seo_slider_before_wrap’, $slide ); ?>147148 <div class="slick-wrap">149150 <?php do_action( 'seo_slider_before_content’, $slide ); ?>151152 <div class="slick-content"<?php echo $schema[‘content’]; ?>>153154 <?php if ( isset( $slide[‘seo_slider_content’] ) ) :155 printf( apply_filters(156 'seo_slider_content_output’,157 do_shortcode( wp_kses_post( wpautop( $slide[‘seo_slider_content’] ) ) ),158 $slide[‘seo_slider_content’]159 ) );160 endif; ?>161162 </div>163164 <?php do_action( 'seo_slider_after_content’, $slide ); ?>165166 </div>167168 <?php do_action( 'seo_slider_after_wrap’, $slide ); ?>169170 </figure>171172 <?php do_action( 'seo_slider_after_slide’, $slide ); ?>173174 <?php endforeach; ?>175176 </section>177178 <?php179180 do_action( 'seo_slider_after_slider’, $id );181182 $output .= ob_get_clean();183184 return apply_filters( 'seo_slider_output’, $output );185}