Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-4384: admin-page-galleries.php in photo-contest/tags/1.0.6/includes/admin – WordPress Plugin Repository

The WordPress Photo Gallery – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the load_images_thumbnail() and edit_gallery() functions. This makes it possible for unauthenticated attackers to edit galleries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE
Open in Source
#sql#wordpress#php#auth#ssl

1<?php2if (!defined(‘ABSPATH’)) {3 exit; // Exit if accessed directly4}56class OriginCode_Photo_Gallery_WP_Galleries7{89 /**10 * Load Gallerys admin page11 */12 public function load_gallery_page()13 {14 global $wpdb;15 if (isset($_GET[‘page’]) && $_GET[‘page’] == ‘origincode_photo_gallery_wp_gallery’) {16 $task = origincode_photo_gallery_wp_get_gallery_task();17 $id = origincode_photo_gallery_wp_get_gallery_id();18 }19 do_action(‘origincode_photo_gallery_wp_before_galleries’);20 switch ($task) {21 case 'edit_cat’:22 if (!isset($_REQUEST[‘origin_code_gallery_nonce’]) || !wp_verify_nonce($_REQUEST[‘origin_code_gallery_nonce’], ‘origin_code_gallery_nonce’)) {23 wp_die(‘Security check fail’);24 }25 if ($id) {26 $this->edit_gallery($id);27 } else {28 $id = $wpdb->get_var(“SELECT MAX( id ) FROM " . $wpdb->prefix . “origincode_photo_gallery_wp_gallerys”);29 $this->edit_gallery($id);30 }31 break;32 case 'save’:33 if ($id) {34 $this->save_gallery_data($id);35 }36 break;37 case 'apply’:3839 if ($id) {40 $this->save_gallery_data($id);41 $this->edit_gallery($id);42 }43 break;44 default:45 $this->show_galleries_page();46 break;47 }48 }4950 /**51 * Shows Gallery Main Page52 */53 public function show_galleries_page()54 {55 if (isset($_COOKIE[‘gallery_deleted’])) {56 if ($_COOKIE[‘gallery_deleted’] == ‘success’) {57 ?>58 <div class="updated"><p><strong><?php _e(‘Item Deleted.’,’origincode-photo-gallery-wp’); ?></strong></p></div>59 <?php60 } elseif ($_COOKIE[“gallery_deleted”] == ‘fail’) {61 ?>62 <div id="message” class="error"><p>Gallery Not Deleted</p></div>63 <?php }64 }6566 $offset = 0;67 $limit = 10;68 $where = "";69 $params = array();70 if (isset($_GET[‘search_keyword’]) && sanitize_text_field($_GET[‘search_keyword’]) != “”) {71 $where = "WHERE galleries.name LIKE %s";72 array_unshift($params, “%” . trim(sanitize_text_field($_GET[‘search_keyword’])) . “%”);73 $pagination = $this->add_gallery_pagination(trim(sanitize_text_field($_GET[‘search_keyword’])), $limit);74 } else {75 $pagination = $this->add_gallery_pagination(null, $limit);76 }77 if (!isset($_GET[‘paged’])) {78 $offset = 0;79 } else {80 if ((int)$_GET[‘paged’] == 0) wp_die(‘Pagination Error’);81 if ($pagination[‘pagination_links_count’] >= (int)$_GET[‘paged’]) {82 $offset = (int)$_GET[‘paged’] * $limit - $limit;83 $pagination[‘current’] = (int)$_GET[‘paged’];84 }85 }86 array_push($params, $limit, $offset);8788 global $wpdb;89 $query = "SELECT galleries.*, COUNT(images.id) as images_count FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_gallerys AS galleries LEFT JOIN " . $wpdb->prefix . "origincode_photo_gallery_wp_images AS images ON galleries.id = images.gallery_id " . $where . " GROUP BY galleries.id LIMIT %d OFFSET %d";90 $galleries = $wpdb->get_results($wpdb->prepare($query, $params));91 require_once(PHOTO_GALLERY_WP_TEMPLATES_PATH . DIRECTORY_SEPARATOR . ‘admin’ . DIRECTORY_SEPARATOR . ‘galleries-list-function.php’);9293 }9495 /**96 * Prints Gallery images after edit data97 *98 * @param $id99 *100 * @return string101 */102 public function edit_gallery($id)103 {104 if (isset($_GET[“removeslide”])) {105 $idfordelete = absint($_GET[“removeslide”]);106 }107 if (isset($_REQUEST[‘gallery_nonce_remove_image’]) && !wp_verify_nonce($_REQUEST[‘gallery_nonce_remove_image’], ‘gallery_nonce_remove_image’ . $idfordelete)) {108 wp_die(‘Security check fail edit’);109 }110 global $wpdb;111 if (isset($_POST[“origincode_photo_gallery_wp_sl_effects”])) {112 if (isset($_GET[“removeslide”])) {113 if ($_GET[“removeslide”] != ‘’) {114 $wpdb->query($wpdb->prepare("DELETE FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_images WHERE id = %d ", $idfordelete));115 }116 }117 }118 $query = $wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_gallerys WHERE id= %d", $id);119 $row = $wpdb->get_row($query);120 if (!isset($row->gallery_list_effects_s)) {121 return 'id not found’;122 }123 $images = explode(";;;", $row->gallery_list_effects_s);124 $par = explode(' ', $row->param);125 $count_ord = count($images);126 $query = $wpdb->prepare("SELECT name,ordering FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_gallerys WHERE sl_width=%d ORDER BY `ordering` ", $row->sl_width);127 $ord_elem = $wpdb->get_results($query);128 $query = $wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_images where gallery_id = %d order by ordering ASC ", $row->id);129 $rowim = $wpdb->get_results($query);130 if (isset($_GET[“addslide”])) {131 if ($_GET[“addslide”] == 1) {132 $table_name = $wpdb->prefix . "origincode_photo_gallery_wp_images";133 $sql_2 = “INSERT INTO 134`” . $table_name . “` ( `name`, `gallery_id`, `description`, `image_url`, `sl_url`, `ordering`, `published`, `published_in_sl_width`) VALUES135( '’, '” . $row->id . "’, '’, '’, '’, 'par_TV’, 2, ‘1’ )";136 $wpdb->query($sql_2);137 }138 }139 $query = "SELECT * FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_gallerys order by id ASC";140 $rowsld = $wpdb->get_results($query);141 $paramssld = origincode_photo_gallery_wp_get_general_options();142143 $query = "SELECT * FROM " . $wpdb->prefix . "posts where post_type = ‘post’ and post_status = ‘publish’ order by id ASC";144 $rowsposts = $wpdb->get_results($query);145 $rowsposts8 = '’;146 $postsbycat = '’;147 if (isset($_POST[“iframecatid”])) {148 $query = $wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "term_relationships where term_taxonomy_id = %d order by object_id ASC", sanitize_text_field($_POST[“iframecatid”]));149 $rowsposts8 = $wpdb->get_results($query);150 foreach ($rowsposts8 as $rowsposts13) {151 $query = $wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "posts where post_type = ‘post’ and post_status = ‘publish’ and ID = %d order by ID ASC", $rowsposts13->object_id);152 $rowsposts1 = $wpdb->get_results($query);153 $postsbycat = $rowsposts1;154 }155 }156 require_once(PHOTO_GALLERY_WP_TEMPLATES_PATH . DIRECTORY_SEPARATOR . ‘admin’ . DIRECTORY_SEPARATOR . ‘galleries-list-view.php’);157 }158159 /**160 * Edit Gallery images and data161 *162 * @param $id163 *164 * @return bool165 */166 function save_gallery_data($id)167 {168 global $wpdb;169 if (!is_numeric($id)) {170 echo 'insert numeric id’;171172 return false;173 }174 if (!(isset($_POST[‘sl_width’]) && isset($_POST[“name”]))) {175 echo '’;176 }177 if (isset($_POST[‘origincode_photo_gallery_wp_admin_image_hover_preview’])) {178 $img_hover_preview = sanitize_text_field($_POST[‘origincode_photo_gallery_wp_admin_image_hover_preview’]);179 update_option('origincode_photo_gallery_wp_admin_image_hover_preview’, $img_hover_preview);180 }181 182 if (isset($_POST[“name”])) {183 if ($_POST[“name”] != ‘’) {184 $data = array(185 “name” => sanitize_text_field($_POST[“name”]),186 “sl_width” => sanitize_text_field($_POST[“sl_width”]),187 “sl_height” => sanitize_text_field($_POST[“sl_height”]),188 “pause_on_hover” => sanitize_text_field($_POST[“pause_on_hover”]),189 “gallery_list_effects_s” => sanitize_text_field($_POST[“gallery_list_effects_s”]),190 “description” => sanitize_text_field($_POST[“sl_pausetime”]),191 “param” => sanitize_text_field($_POST[“sl_changespeed”]),192 “sl_position” => sanitize_text_field($_POST[“sl_position”]),193 “origincode_photo_gallery_wp_sl_effects” => sanitize_text_field($_POST[“origincode_photo_gallery_wp_sl_effects”]),194 “ordering” => '1’,195 “rating” => sanitize_text_field($_POST[“rating”]),196 “autoslide” => sanitize_text_field($_POST[“autoslide”]),197 “hover_effect” => sanitize_text_field($_POST[“hovers”])198 );199 $format = array("%s", "%s", "%s", "%s", "%s", "%s", "%s", "%s", "%s", '%s’, "%s", '%s’, ‘%s’);200 $where = array(‘id’ => $id);201 $where_format = array(‘%d’);202 if (isset($_POST[“display_type”]) && isset($_POST[“content_per_page”])) {203 $data[‘content_per_page’] = sanitize_text_field($_POST[“content_per_page”]);204 $data[‘display_type’] = sanitize_text_field($_POST[“display_type”]);205 array_push($format, '%s’, ‘%s’);206 }207 $data[‘gallery_loader_type’] = 0;208 array_push($format, ‘%s’);209 if (isset($_POST[‘show-hide-loading’]) && $_POST[‘show-hide-loading’] == 1) {210 if (isset($_POST[‘gallery_loader_type’]) && in_array($_POST[‘gallery_loader_type’], range(1,16))) {211 $data[‘gallery_loader_type’] = sanitize_text_field($_POST[“gallery_loader_type”]);212 }213 }214215 $wpdb->update($wpdb->prefix . "origincode_photo_gallery_wp_gallerys", $data, $where, $format, $where_format);216 }217 }218 219 $query = $wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_gallerys WHERE id = %d", $id);220 $row = $wpdb->get_row($query);221222 if (isset($_POST[‘changedvalues’]) && $_POST[‘changedvalues’] != ‘’) {223224 $changedValues = preg_replace('#[^0-9,]+#’, '’, $_POST[‘changedvalues’]);225 $query = $wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_images where gallery_id = %d AND id in (" . $changedValues . ") order by id ASC", $row->id);226 $rowim = $wpdb->get_results($query);227 foreach ($rowim as $key => $rowimages) {228 $orderBy = sanitize_text_field($_POST[“order_by_” . $rowimages->id]);229 $linkTaret = sanitize_text_field($_POST[“sl_link_target” . $rowimages->id]);230 $slUrl = sanitize_text_field(str_replace('%’, '__5_5_5__’, $_POST[“sl_url” . $rowimages->id]));231 $name = str_replace('%’, '__5_5_5__’, sanitize_text_field($_POST[“titleimage” . $rowimages->id]));232 $desc = str_replace('%’, '__5_5_5__’, wp_kses_post($_POST[“im_description” . $rowimages->id]));233 $imageUrl = sanitize_text_field($_POST[“imagess” . $rowimages->id]);234 $like = sanitize_text_field($_POST[“like_” . $rowimages->id]);235 $dislike = sanitize_text_field($_POST[“dislike_” . $rowimages->id]);236237 if (isset($_POST[“order_by_” . $rowimages->id . “”]) && isset($_POST[“like_” . $rowimages->id . “”])) {238 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET ordering = ‘%s’ WHERE ID = %d ", $orderBy, $rowimages->id));239 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET link_target = ‘%s’ WHERE ID = %d ", $linkTaret, $rowimages->id));240 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET sl_url = ‘%s’ WHERE ID = %d ", $slUrl, $rowimages->id));241 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET name = ‘%s’ WHERE ID = %d ", $name, $rowimages->id));242 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET description = ‘%s’ WHERE ID = %d ", $desc, $rowimages->id));243 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET image_url = ‘%s’ WHERE ID = %d ", $imageUrl, $rowimages->id));244 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET `like` = %d WHERE ID = %d ", $like, $rowimages->id));245 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET dislike = %d WHERE ID = %d ", $dislike, $rowimages->id));246 }247 if (isset($_POST[“order_by_” . $rowimages->id . “”]) && isset($_POST[“heart_” . $rowimages->id . “”])) {248 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET ordering = ‘%s’ WHERE ID = %d ", $orderBy, $rowimages->id));249 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET link_target = ‘%s’ WHERE ID = %d ", $linkTaret, $rowimages->id));250 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET sl_url = ‘%s’ WHERE ID = %d ", $slUrl, $rowimages->id));251 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET name = ‘%s’ WHERE ID = %d ", $name, $rowimages->id));252 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET description = ‘%s’ WHERE ID = %d ", $desc, $rowimages->id));253 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET image_url = ‘%s’ WHERE ID = %d ", $imageUrl, $rowimages->id));254 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET `like` = %d WHERE ID = %d ", $like, $rowimages->id));255 }256 }257 }258 if (isset($_POST[“imagess”])) {259 if ($_POST[“imagess”] != ‘’) {260 $query = $wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_images where gallery_id = %d order by id ASC", $row->id);261 $rowim = $wpdb->get_results($query);262 foreach ($rowim as $key => $rowimages) {263 $orderingplus = $rowimages->ordering + 1;264 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_images SET ordering = %d WHERE ID = %d ", $orderingplus, $rowimages->id));265 }266 $table_name = $wpdb->prefix . "origincode_photo_gallery_wp_images";267 $imagesnewuploader = explode(“;;;", sanitize_text_field($_POST[“imagess”]));268 array_pop($imagesnewuploader);269 foreach ($imagesnewuploader as $imagesnewupload) {270 $sql_2 = " INSERT INTO `” . $table_name . “` ( `name`, `gallery_id`, `description`, `image_url`, `sl_url`, `sl_type`, `link_target`, `ordering`, 271 `published`, `published_in_sl_width`) VALUES ( '’, '” . $row->id . “’, '’, '” . esc_html(wp_kses_post($imagesnewupload)) . "’, '’, 'image’, 'on’, 'par_TV’, 2, ‘1’ )";272 $wpdb->query($sql_2);273 }274 }275 }276 if (isset($_POST[“postorigin-code-description-length”])) {277 $wpdb->query($wpdb->prepare("UPDATE " . $wpdb->prefix . "origincode_photo_gallery_wp_gallerys SET published = %d WHERE id = %d ", sanitize_text_field($_POST[“postorigin-code-description-length”]), absint($_GET[‘id’])));278 }279 ?>280 <div class="updated"><p><strong><?php _e(‘Item Saved’,’origincode-photo-gallery-wp’); ?></strong></p></div>281 <?php282 return true;283284 }285286287 /**288 * Get Galleries with keyword289 */290 protected function search_gallery($keyword)291 {292 $galleries = array();293 return $galleries;294 }295296297 /**298 * @param $condition string default null299 * @return int300 */301 protected function add_gallery_pagination($condition = null, $limit)302 {303 $pagination = array(304 ‘total’ => 0,305 ‘enable’ => false,306 ‘current’ => 1,307 ‘pagination_links_count’ => 0,308 ‘links’ => 'admin.php?page=origincode_photo_gallery_wp_gallery’309 );310 $parts = parse_url($_SERVER[‘REQUEST_URI’]);311 global $wpdb;312 if ($condition) {313 $query = $wpdb->prepare(“SELECT COUNT(`id`) FROM `” . $wpdb->prefix . "origincode_photo_gallery_wp_gallerys` WHERE `name` LIKE %s", ‘%’ . $condition . ‘%’);314 $pagination[‘links’] .= “&search_keyword=” . $condition;315 } else {316 $query = "SELECT COUNT(id) FROM " . $wpdb->prefix . "origincode_photo_gallery_wp_gallerys";317 }318 $pagination[‘total’] = $wpdb->get_var($query);319 if ($pagination[‘total’] > $limit) {320 $pagination[‘enable’] = true;321 $pagination[‘pagination_links_count’] = ceil($pagination[‘total’] / $limit);322 }323 return $pagination;324 }325}326327

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE