CVE-2023-5337: formforall_common.php in formforall/trunk – WordPress Plugin Repository

1<?php2/*3FormForAll :: Common functions4*/56function formforall_install() { }78function formforall_remove() {9 delete_option(‘formforall’); 10}1112/*******************************************************/13/* GENERAL DISPLAY */14/*******************************************************/15/**16 * Displays the iframe with the form17 */18function formforall_front_display($formid, $timestamp) {19 $url = 'www.formforall.com’;20 $buffer = ‘<script src="https://’ . $url . '/assets/javascripts/ffa.js" type="text/javascript"></script>’;21 $buffer .= ‘<div id="formforall_container’ . $timestamp . ‘"></div>22 <script type="text/javascript">23 var ffa = new __FFA(24 document.getElementById("formforall_container’ . $timestamp . ‘"),25 "’ . $formid . ‘",26 "’ . $url . '"27 );28 </script>’;29 return $buffer;30}313233/*******************************************************/34/* WIDGET */35/*******************************************************/36add_action( 'widgets_init’, ‘formforall_add_widget’);3738/**39 * Adds the widget40 */41function formforall_add_widget() {42 register_widget(‘FormForAll_Widget’);43}4445/**46 * Class which manages the widget47 */48class FormForAll_Widget extends WP_Widget {49 /**50 * Register widget with WordPress.51 */52 function __construct() {53 parent::__construct(54 'formforall_widget’, // Base ID55 'FormForAll’, // Name56 array(‘description’ => __("Easily embedded forms", “formforall”)) // Args57 );58 }59 60 /**61 * Back-end widget form.62 * @param array $instance Previously saved values from database.63 */64 public function form( $instance ) {65 if (isset($instance[‘formid’])) {66 $formid = $instance[‘formid’];67 }68 69 $option = get_option(‘formforall’);70 if (!isset($option[‘user_id’])) $option[‘user_id’] = '’;71 if (!isset($option[‘api_key’])) $option[‘api_key’] = ‘’;72 73 $opts = array (74 ‘http’ => array (75 ‘method’ => "GET",76 ‘header’ => "Authorization: " . $option[‘api_key’]77 )78 );79 $context = stream_context_create($opts);80 81 $requestUrlPath = “https://www.formforall.com/api/users/” . $option[‘user_id’] . "/forms";82 $file = @file_get_contents($requestUrlPath, false, $context);83 if ($file === FALSE) {84 ?><p><a href="options-general.php?page=formforall-settings"><?php echo __("Parameters have not been set correctly", ‘formforall’); ?></a></span>85 <?php 86 } else {87 $result = json_decode($file);8889 ?>90 <p>91 <label for="<?php echo $this->get_field_name(‘formid’); ?>"><?php echo __(“Form", ‘formforall’); ?></label> 92 <select name="<?php echo $this->get_field_name(‘formid’); ?>” id="<?php echo $this->get_field_id(‘formid’); ?>">93 <?php 94 for ($i = 0; $i < count($result); $i++) echo ‘<option value="’ . $result[$i]->id .’"’. ($result[$i]->id == $formid ? ‘selected="selected"’ : ‘’) .’>’ . $result[$i]->title . '</option>’;95 ?>96 </select>97 </p>98 <?php99 }100 }101 102 /**103 * Sanitize widget form values as they are saved.104 * @param array $new_instance Values just sent to be saved.105 * @param array $old_instance Previously saved values from database.106 *107 * @return array Updated safe values to be saved.108 */109 public function update($new_instance, $old_instance) {110 $instance = array();111 $instance[‘formid’] = (!empty( $new_instance[‘formid’])) ? strip_tags($new_instance[‘formid’]) : '’;112 return $instance;113 }114 115 /**116 * Front-end display of widget.117 * @param array $args Widget arguments.118 * @param array $instance Saved values from database.119 */120 public function widget( $args, $instance ) {121 $formid = apply_filters( 'widget_title’, $instance[‘formid’] );122123 echo $args[‘before_widget’];124 125 echo formforall_front_display($formid, $this->get_field_id(‘formid’));126 127 echo $args[‘after_widget’];128 }129}130?>