CVE-2022-2864: Changeset 2772352 for demon-image-annotation – WordPress Plugin Repository
The demon image annotation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7. The settings handler in ~/includes/settings.php writes every posted field straight into the plugin's options without validating a nonce. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link while logged in.
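To make the fix concrete, here is a settings-save handler and matching form written the way a CSRF-safe WordPress options page should be. This is an added example, not the plugin's own code and not the code in the changeset below. The POST field names, option keys and the nonce action string `diaupdateoptions` are the ones visible in the patch; the `Y`/`N` radio values, the `manage_options` capability and the `dia_example_*` helper names are assumptions. It runs only inside WordPress, since it calls `check_admin_referer()`, `update_option()` and the `esc_*` family.

```php
<?php
// Added example (not the plugin's code). Allow-list of writable settings:
// POST field => array( option key, validator ). A validator is either an
// array of permitted values or a callable returning the cleaned value.
// Fields not in this table are ignored, so even a valid nonce cannot be
// used to write arbitrary options.
function dia_example_option_schema() {
    $yes_no = array( 'Y', 'N' ); // assumed radio values; adjust to the real form
    return array(
        'dia_display'         => array( 'demon_image_annotation_display',         $yes_no ),
        'dia_admin'           => array( 'demon_image_annotation_admin',           $yes_no ),
        'dia_autoresize'      => array( 'demon_image_annotation_autoresize',      $yes_no ),
        'dia_autoapprove'     => array( 'demon_image_annotation_autoapprove',     $yes_no ),
        'dia_csscontainer'    => array( 'demon_image_annotation_postcontainer',   'sanitize_text_field' ),
        'dia_mouseoverdesc'   => array( 'demon_image_annotation_mouseoverdesc',   'sanitize_text_field' ),
        'dia_linkdesc'        => array( 'demon_image_annotation_linkdesc',        'sanitize_text_field' ),
        // Option key spelled as in the patch ('deafult') so stored data keeps working.
        'dia_gravatardefault' => array( 'demon_image_annotation_gravatar_deafult', 'dia_example_clean_path' ),
        // The form says max="300"; the browser does not enforce that, the server must.
        'dia_maxlength'       => array( 'demon_image_annotation_maxlength',       'dia_example_clean_maxlength' ),
    );
}

function dia_example_clean_maxlength( $v ) {
    return min( 300, max( 1, absint( $v ) ) );
}

// The default-gravatar value is appended to the theme URL, so keep it a
// relative path with a conservative character set (no scheme, no '//host').
function dia_example_clean_path( $v ) {
    $v = ltrim( sanitize_text_field( $v ), '/' );
    $v = preg_replace( '#[^A-Za-z0-9_./-]#', '', $v );
    return '' === $v ? '' : '/' . $v;
}

function dia_example_validate( $value, $validator ) {
    if ( is_array( $validator ) ) {
        return in_array( $value, $validator, true ) ? $value : null; // null = reject
    }
    return call_user_func( $validator, $value );
}

function dia_example_save_options() {
    if ( ! isset( $_POST['update_dia_options'] ) ) {
        return false;
    }
    // Two separate checks. The capability check says this user may change
    // settings at all. The nonce check says the request was built by a form
    // WordPress rendered for this user, which is what a forged cross-site
    // POST cannot supply. check_admin_referer() wraps wp_verify_nonce() on
    // $_POST['_wpnonce'] and dies with HTTP 403 if it is missing or invalid.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demon-image-annotation' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'diaupdateoptions' );

    foreach ( dia_example_option_schema() as $field => $spec ) {
        list( $option, $validator ) = $spec;
        if ( ! isset( $_POST[ $field ] ) ) {
            continue;
        }
        $clean = dia_example_validate( wp_unslash( $_POST[ $field ] ), $validator );
        if ( null === $clean ) {
            continue; // unexpected value: leave the stored option untouched
        }
        update_option( $option, $clean );
    }
    return true;
}

// Rendering side. The nonce field must use the same action string as the
// handler, and stored values go back into attributes through esc_attr(),
// the escaper for that context (esc_textarea() is for <textarea> bodies).
function dia_example_render_text_field( $name, $option, $hint ) {
    printf(
        '<input type="text" name="%s" value="%s" size="20"><em>%s</em><br>',
        esc_attr( $name ),
        esc_attr( get_option( $option, '' ) ),
        esc_html( $hint )
    );
}

function dia_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'diaupdateoptions' ); // emits _wpnonce and _wp_http_referer
    echo '<input type="hidden" name="update_dia_options" value="yes">';
    dia_example_render_text_field( 'dia_csscontainer', 'demon_image_annotation_postcontainer', 'eg: #entrybody, .entrybody' );
    dia_example_render_text_field( 'dia_mouseoverdesc', 'demon_image_annotation_mouseoverdesc', 'eg. Mouseover to load notes' );
    submit_button();
    echo '</form>';
}
```

The allow-list is the part that goes beyond the patch: the patched handler still writes whatever string arrives in each field after `sanitize_text_field()`, whereas here a radio option can only take one of its declared values and the numeric limit is clamped server side, so a forged or tampered request that passes the nonce check still cannot store unexpected data.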
6 if($_POST[‘dia_hidden’] == ‘Y’) { 7 //post content wrapper 8 $dia_csscontainer = $_POST[‘dia_csscontainer’]; 9 update_option('demon_image_annotation_postcontainer’, $dia_csscontainer); 10 11 //plugin status 12 $dia_display = $_POST[‘dia_display’]; 13 update_option('demon_image_annotation_display’, $dia_display); 14 15 //admin only 16 $dia_admin = $_POST[‘dia_admin’]; 17 update_option('demon_image_annotation_admin’, $dia_admin); 18 19 //auto resize image 20 $dia_autoresize = $_POST[‘dia_autoresize’]; 21 update_option('demon_image_annotation_autoresize’, $dia_autoresize); 22 23 //comments thumbnail 24 $dia_thumbnail = $_POST[‘dia_thumbnail’]; 25 update_option('demon_image_annotation_thumbnail’, $dia_thumbnail); 26 27 //image note gravatar 28 $dia_gravatar = $_POST[‘dia_gravatar’]; 29 update_option('demon_image_annotation_gravatar’, $dia_gravatar); 30 31 //image note gravatar 32 $dia_gravatardefault = $_POST[‘dia_gravatardefault’]; 33 update_option('demon_image_annotation_gravatar_deafult’, $dia_gravatardefault); 34 35 //auto approve comment 36 $dia_autoapprove = $_POST[‘dia_autoapprove’]; 37 update_option('demon_image_annotation_autoapprove’, $dia_autoapprove); 38 39 //wordpress comment 40 $dia_comments = $_POST[‘dia_comments’]; 41 update_option('demon_image_annotation_comments’, $dia_comments); 42 43 //auto insert image id attribute 44 $dia_autoimageid = $_POST[‘dia_autoimageid’]; 45 update_option('demon_image_annotation_autoimageid’, $dia_autoimageid); 46 47 //numbering 48 $dia_numbering = $_POST[‘dia_numbering’]; 49 update_option('demon_image_annotation_numbering’, $dia_numbering); 50 51 //mouse over desc 52 $dia_mouseoverdesc = $_POST[‘dia_mouseoverdesc’]; 53 update_option('demon_image_annotation_mouseoverdesc’, $dia_mouseoverdesc); 54 55 //link 56 $dia_linkoption = $_POST[‘dia_linkoption’]; 57 update_option('demon_image_annotation_linkoption’, $dia_linkoption); 58 59 //link desc 60 $dia_linkdesc = $_POST[‘dia_linkdesc’]; 61 
update_option('demon_image_annotation_linkdesc’, $dia_linkdesc); 62 63 //mouseover text 64 $dia_clickable_text = $_POST[‘dia_clickable_text’]; 65 update_option('demon_image_annotation_clickable_text’, $dia_clickable_text); 66 67 //note maxlength 68 $dia_maxlength = $_POST[‘dia_maxlength’]; 69 update_option('demon_image_annotation_maxlength’, $dia_maxlength); 70 71 ?> 72 <div class="updated"><p><strong><?php _e(‘Options saved.’ ); ?></strong></p></div> 6if (isset($_POST[“update_dia_options”])) { 7 if ( 8 !wp_verify_nonce( 9 $_POST[“_wpnonce”], 10 “diaupdateoptions” 11 ) 12 ) { 13 die(esc_html__( 'Update security violated’, ‘demon-image-annotation’ )); 14 } 15 if (sanitize_text_field($_POST[“update_dia_options”]) == “yes”) { 16 //post content wrapper 17 $dia_csscontainer = sanitize_text_field($_POST[‘dia_csscontainer’]); 18 update_option('demon_image_annotation_postcontainer’, $dia_csscontainer); 19 20 //plugin status 21 $dia_display = sanitize_text_field($_POST[‘dia_display’]); 22 update_option('demon_image_annotation_display’, $dia_display); 23 24 //admin only 25 $dia_admin = sanitize_text_field($_POST[‘dia_admin’]); 26 update_option('demon_image_annotation_admin’, $dia_admin); 27 28 //auto resize image 29 $dia_autoresize = sanitize_text_field($_POST[‘dia_autoresize’]); 30 update_option('demon_image_annotation_autoresize’, $dia_autoresize); 31 32 //comments thumbnail 33 $dia_thumbnail = sanitize_text_field($_POST[‘dia_thumbnail’]); 34 update_option('demon_image_annotation_thumbnail’, $dia_thumbnail); 35 36 //image note gravatar 37 $dia_gravatar = sanitize_text_field($_POST[‘dia_gravatar’]); 38 update_option('demon_image_annotation_gravatar’, $dia_gravatar); 39 40 //image note gravatar 41 $dia_gravatardefault = sanitize_text_field($_POST[‘dia_gravatardefault’]); 42 update_option('demon_image_annotation_gravatar_deafult’, $dia_gravatardefault); 43 44 //auto approve comment 45 $dia_autoapprove = sanitize_text_field($_POST[‘dia_autoapprove’]); 46 
update_option('demon_image_annotation_autoapprove’, $dia_autoapprove); 47 48 //wordpress comment 49 $dia_comments = sanitize_text_field($_POST[‘dia_comments’]); 50 update_option('demon_image_annotation_comments’, $dia_comments); 51 52 //auto insert image id attribute 53 $dia_autoimageid = sanitize_text_field($_POST[‘dia_autoimageid’]); 54 update_option('demon_image_annotation_autoimageid’, $dia_autoimageid); 55 56 //numbering 57 $dia_numbering = sanitize_text_field($_POST[‘dia_numbering’]); 58 update_option('demon_image_annotation_numbering’, $dia_numbering); 59 60 //mouse over desc 61 $dia_mouseoverdesc = sanitize_text_field($_POST[‘dia_mouseoverdesc’]); 62 update_option('demon_image_annotation_mouseoverdesc’, $dia_mouseoverdesc); 63 64 //link 65 $dia_linkoption = sanitize_text_field($_POST[‘dia_linkoption’]); 66 update_option('demon_image_annotation_linkoption’, $dia_linkoption); 67 68 //link desc 69 $dia_linkdesc = sanitize_text_field($_POST[‘dia_linkdesc’]); 70 update_option('demon_image_annotation_linkdesc’, $dia_linkdesc); 71 72 //mouseover text 73 $dia_clickable_text = sanitize_text_field($_POST[‘dia_clickable_text’]); 74 update_option('demon_image_annotation_clickable_text’, $dia_clickable_text); 75 76 //note maxlength 77 $dia_maxlength = sanitize_text_field($_POST[‘dia_maxlength’]); 78 update_option('demon_image_annotation_maxlength’, $dia_maxlength); 79 ?> 80 <div class="updated"><p><strong><?php _e(‘Options saved.’ ); ?></strong></p></div>
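Review bot: the new handler verifies the nonce but contains no capability check, and a nonce is not an authorization check; add `current_user_can( 'manage_options' )` (or whichever capability the page is registered with) before writing options so the handler does not rely on the menu registration alone. Lines 8 to 11 also read `$_POST["_wpnonce"]` without `isset()`, which raises a PHP notice on a request that omits it; `check_admin_referer( 'diaupdateoptions' )` does the lookup, the verification and the 403 in one call. Line 77 runs `sanitize_text_field()` over `dia_maxlength`, which still stores non-numeric text and ignores the form's `max="300"`; `absint()` with a clamp is the right cleaner for a numeric limit. The misspelled option key `demon_image_annotation_gravatar_deafult` at line 42 is carried over from the old code, which is correct for compatibility with stored data but worth a comment so nobody "fixes" it later.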
101 <input type="hidden" name="dia_hidden" value="Y"> 110 <input type="hidden" name="update_dia_options" value="yes"> 111 <?php wp_nonce_field(“diaupdateoptions”); ?> 112
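Review bot: the action string in `wp_nonce_field( "diaupdateoptions" )` at line 111 matches the one passed to `wp_verify_nonce()` in the handler, which is the one thing that has to agree; since the trigger field changes from `dia_hidden` (removed at line 101) to `update_dia_options` (line 110), confirm no other code path still branches on `dia_hidden`, or it becomes an unguarded write. The form should also be rendered only for users who would pass the handler's capability check, otherwise a lower-privileged user who can load the page is handed a valid nonce.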
111 $selected = $dia_display == $key ? ‘checked="checked"’ : '’; 122 $selected = esc_textarea($dia_display) == $key ? ‘checked="checked"’ : '’;
124 <input type="text" name="dia_csscontainer" value="<?php echo ($dia_csscontainer == ‘’) ? ‘’ : $dia_csscontainer; ?>" size="20"><em> eg: #entrybody, .entrybody</em><br> 135 <input type="text" name="dia_csscontainer" value="<?php echo (esc_textarea($dia_csscontainer) == ‘’) ? ‘’ : esc_textarea($dia_csscontainer); ?>" size="20"><em><?php esc_html_e( ' eg: #entrybody, .entrybody’ , ‘demon-image-annotation’) ?></em><br>
126 <strong><?php esc_html_e( ‘Example’ , ‘demon-image-annotation’); ?> (.entrybody)</strong><br> 137 <strong><?php esc_html_e( 'Example (.entrybody)' , ‘demon-image-annotation’); ?></strong><br>
143 $selected = $dia_autoimageid == $key ? ‘checked="checked"’ : '’; 154 $selected = esc_textarea($dia_autoimageid) == $key ? ‘checked="checked"’ : '’;
149 <strong><?php esc_html_e( ‘Example’ , ‘demon-image-annotation’); ?> (img-postid-4774005463)</strong><br> 150 <code><img id="img-12-4774005463" src="http://farm5.static.flickr.com/4121/4774005463_3837b6de44_o.jpg" /></code><br><br> 160 <strong><?php esc_html_e( 'Example (img-postid-4774005463)' , ‘demon-image-annotation’); ?></strong><br> 161 <code><?php esc_html_e( ‘<img id="img-12-4774005463" src="http://farm5.static.flickr.com/4121/4774005463_3837b6de44_o.jpg" />’ , ‘demon-image-annotation’); ?></code><br><br>
164 $selected = $dia_admin == $key ? ‘checked="checked"’ : '’; 175 $selected = esc_textarea($dia_admin) == $key ? ‘checked="checked"’ : '’;
180 $selected = $dia_autoresize == $key ? ‘checked="checked"’ : '’; 191 $selected = esc_textarea($dia_autoresize) == $key ? ‘checked="checked"’ : '’;
196 $selected = $dia_numbering == $key ? ‘checked="checked"’ : '’; 207 $selected = esc_textarea($dia_numbering) == $key ? ‘checked="checked"’ : '’;
202 <code><strong>03</strong> | Mouseover to load notes | Image Note by Flickr</code> 213 <code><?php printf( esc_html__( '%s03%s | Mouseover to load notes | Image Note by Flickr’, ‘demon-image-annotation’ ), '<strong>’, ‘</strong>’); ?></code>
211 <input type="text" name="dia_mouseoverdesc" size="30" value="<?php echo ($dia_mouseoverdesc == ‘’) ? ‘’ : $dia_mouseoverdesc; ?>" size="20"><em> eg. Mouseover to load notes</em> 222 <input type="text" name="dia_mouseoverdesc" size="30" value="<?php echo (esc_textarea($dia_mouseoverdesc) == ‘’) ? ‘’ : esc_textarea($dia_mouseoverdesc); ?>" size="20"><em><?php esc_html_e( ' eg. Mouseover to load notes’, ‘demon-image-annotation’ ); ?></em>
215 <code>03 | <strong>Mouseover to load notes</strong> | Image Note by Flickr</code> 226 <code><?php printf( esc_html__( '03 | %sMouseover to load notes%s | Image Note by Flickr’, ‘demon-image-annotation’ ), '<strong>’, ‘</strong>’); ?></code>
226 $selected = $dia_linkoption == $key ? ‘checked="checked"’ : '’; 237 $selected = esc_textarea($dia_linkoption) == $key ? ‘checked="checked"’ : '’;
232 <input type="text" name="dia_linkdesc" size="30" value="<?php echo ($dia_linkdesc == ‘’) ? ‘’ : $dia_linkdesc; ?>" size="20"><em>eg: Source, Link, Flickr</em> 243 <input type="text" name="dia_linkdesc" size="30" value="<?php echo (esc_textarea($dia_linkdesc) == ‘’) ? ‘’ : esc_textarea($dia_linkdesc); ?>" size="20"><em><?php esc_html_e( 'eg: Source, Link, Flickr’, ‘demon-image-annotation’ ); ?></em>
236 <code>03 | Mouseover to load notes | <strong>Image Note by Flickr</strong></code> 247 <code><?php printf( esc_html__( '03 | Mouseover to load notes | %sImage Note by Flickr%s’, ‘demon-image-annotation’ ), '<strong>’, ‘</strong>’); ?></code>
247 $selected = $dia_clickable_text == $key ? ‘checked="checked"’ : '’; 258 $selected = esc_textarea($dia_clickable_text) == $key ? ‘checked="checked"’ : '’;
267 $selected = $dia_comments == $key ? ‘checked="checked"’ : '’; 278 $selected = esc_textarea($dia_comments) == $key ? ‘checked="checked"’ : '’;
282 $selected = $dia_autoapprove == $key ? ‘checked="checked"’ : '’; 293 $selected = esc_textarea($dia_autoapprove) == $key ? ‘checked="checked"’ : '’;
297 $selected = $dia_thumbnail == $key ? ‘checked="checked"’ : '’; 308 $selected = esc_textarea($dia_thumbnail) == $key ? ‘checked="checked"’ : '’;
309 <input type="number" name="dia_maxlength" max="300" value="<?php echo ($dia_maxlength == ‘’) ? ‘140’ : $dia_maxlength; ?>" size="20"><em> eg: 140</em> 320 <input type="number" name="dia_maxlength" max="300" value="<?php echo (esc_textarea($dia_maxlength) == ‘’) ? ‘140’ : esc_textarea($dia_maxlength); ?>" size="20"><em><?php esc_html_e( ' eg: 140’, ‘demon-image-annotation’ ); ?></em>
322 $selected = $dia_gravatar == $key ? ‘checked="checked"’ : '’; 333 $selected = esc_textarea($dia_gravatar) == $key ? ‘checked="checked"’ : '’;
327 <em><?php esc_html_e( 'Default gravatar : ', ‘demon-image-annotation’ ); ?></em><br/><?php echo get_bloginfo(‘template_url’); ?><input type="text" name="dia_gravatardefault" value="<?php echo $dia_gravatardefault ?>" size="20"> eg: /images/default.png<br> 338 <em><?php esc_html_e( 'Default gravatar : ', ‘demon-image-annotation’ ); ?></em><br/><?php echo get_bloginfo(‘template_url’); ?><input type="text" name="dia_gravatardefault" value="<?php echo esc_textarea($dia_gravatardefault) ?>" size="20"><?php esc_html_e( ' eg: /images/default.png’, ‘demon-image-annotation’ ); ?><br>
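Review bot: `esc_textarea()` is applied inside the `== $key` comparisons (lines 122, 154, 175, 191, 207, 237, 258, 278, 293, 308, 333), where it escapes nothing that reaches the page and would stop a stored value containing `&`, `<` or quotes from matching its radio key; compare the raw option and escape only at output. For the `value="..."` attributes at lines 135, 222, 243, 320 and 338 the context-appropriate escaper is `esc_attr()`; `esc_textarea()` encodes the same characters today but is documented for `<textarea>` bodies. Line 338 still echoes `get_bloginfo('template_url')` unescaped; wrap it in `esc_url()`. Wrapping the `<img ...>` literal in `esc_html_e()` at line 161 is the right way to display markup inside `<code>`, though it puts HTML into the translation string.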
Related news
The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.
The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Cross-Site Scripting in versions up to, and including, 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.
A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. This issue affects versions 2.2.3 and prior.
A vulnerability in the getSelectedMimeTypesByRole function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to view custom extensions added by administrators. This issue affects versions 2.2.3 and prior.