CVE-2023-2557: Changeset 2911049 for currency-switcher – WordPress Plugin Repository
The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit an arbitrary custom drop-down currency switcher.
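--- a/currency-switcher/trunk/classes/smart-designer.php
+++ b/currency-switcher/trunk/classes/smart-designer.php
@@ -11,15 +11,25 @@
 add_action('wp_ajax_wpcs_sd_create', array($this, 'create'));
 add_action('wp_ajax_wpcs_sd_delete', function () {
-$id = intval($_REQUEST['id']);
-delete_option('wpcs_sd_' . $id);
-$designs = $this->get_designs();
-if (($key = array_search($id, $designs, true)) !== false) {
-unset($designs[$key]);
-}
-update_option('wpcs_sd', $designs);
+if ( !current_user_can( 'manage_options' ) ) {
+die();
+}
+if (isset($_REQUEST['nonce']) && wp_verify_nonce( $_REQUEST['nonce'], 'wpcs_sd_nonce' )) {
+$id = intval($_REQUEST['id']);
+delete_option('wpcs_sd_' . $id);
+$designs = $this->get_designs();
+if (($key = array_search($id, $designs, true)) !== false) {
+unset($designs[$key]);
+}
+update_option('wpcs_sd', $designs);
+}
 });
 add_action('wp_ajax_wpcs_sd_save', array($this, 'save'));
 add_action('wp_ajax_wpcs_sd_get', function () {
-die(json_encode($this->get(intval($_REQUEST['id']))));
+if ( !current_user_can( 'manage_options' ) ) {
+die();
+}
+if (isset($_REQUEST['nonce']) && wp_verify_nonce( $_REQUEST['nonce'], 'wpcs_sd_nonce' )) {
+die(json_encode($this->get(intval($_REQUEST['id']))));
+}
 });
 
@@ -44,4 +54,5 @@
 
 wp_localize_script('wpcs-sd', 'wpcs_sd', [
+'nonce' => wp_create_nonce( 'wpcs_sd_nonce'),
 'lang' => [
 'loading' => esc_html__('Loading ...', 'currency-switcher'),
@@ -102,24 +113,34 @@
 //ajax
 public function create() {
-$designs = $this->get_designs();
+if ( !current_user_can( 'manage_options' ) ) {
+die();
+}
+if (isset($_REQUEST['nonce']) && wp_verify_nonce( $_REQUEST['nonce'], 'wpcs_sd_nonce' )) {
+$designs = $this->get_designs();
 
-if (empty($designs)) {
-$id = 1;
-} else {
-//$id = max($designs) + 1;
-$id = intval(get_option('wpcs_sd_max')) + 1;
-}
+if (empty($designs)) {
+$id = 1;
+} else {
+//$id = max($designs) + 1;
+$id = intval(get_option('wpcs_sd_max')) + 1;
+}
 
-add_option('wpcs_sd_' . $id, []);
-$designs[] = $id;
-update_option('wpcs_sd', $designs);
-update_option('wpcs_sd_max', $id);
-die("" . $id);
+add_option('wpcs_sd_' . $id, []);
+$designs[] = $id;
+update_option('wpcs_sd', $designs);
+update_option('wpcs_sd_max', $id);
+die("" . $id);
+}
 }
 
 //ajax
 public function save() {
-$data = json_decode(stripslashes($_REQUEST['options']), true);
-update_option('wpcs_sd_' . intval($_REQUEST['id']), $data);
+if ( !current_user_can( 'manage_options' ) ) {
+die();
+}
+if (isset($_REQUEST['nonce']) && wp_verify_nonce( $_REQUEST['nonce'], 'wpcs_sd_nonce' )) {
+$data = json_decode(stripslashes($_REQUEST['options']), true);
+update_option('wpcs_sd_' . intval($_REQUEST['id']), $data);
+}
 }
 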
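Review bot: `save()` (last hunk) now requires `manage_options` and a valid nonce, but it still writes whatever `json_decode()` returns — `null` on malformed input — into `wpcs_sd_<id>` for any integer `id`, without checking that the id is one of the designs tracked by `get_designs()`, and every rejection path is silent: the capability failure `die()`s with an empty 200 body, and a bad nonce falls through to the end of the function, where admin-ajax.php's default handler answers `0`, which the JS `success` callbacks presumably cannot tell from a real result. The `create`, `delete` and `get` handlers earlier in this section share both traits. I would use `check_ajax_referer( 'wpcs_sd_nonce', 'nonce' )` (which terminates with `-1` on failure), answer the capability check with a 403, and validate `id` and the decoded payload before `update_option()`, as below. `wp_send_json_error()` only accepts a status code since WP 4.7 while the plugin header says `Requires at least: WP 3.5.0`, so `wp_die( '', '', array( 'response' => 403 ) )` is the portable form; `get_designs()` is not visible here, hence the `(array)` cast.
```php
public function save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( '', '', array( 'response' => 403 ) );
    }
    // Terminates the request with -1 when the nonce is missing or invalid.
    check_ajax_referer( 'wpcs_sd_nonce', 'nonce' );
    $id = isset( $_REQUEST['id'] ) ? intval( $_REQUEST['id'] ) : 0;
    // Only ids created through create() may be written to.
    if ( ! in_array( $id, (array) $this->get_designs(), true ) ) {
        wp_die( '', '', array( 'response' => 400 ) );
    }
    $data = isset( $_REQUEST['options'] ) ? json_decode( stripslashes( $_REQUEST['options'] ), true ) : null;
    if ( ! is_array( $data ) ) {
        wp_die( '', '', array( 'response' => 400 ) );
    }
    update_option( 'wpcs_sd_' . $id, $data );
}
```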
currency-switcher/trunk/index.php
r2890285
r2911049
5
5
Description: Currency Switcher for WordPress - plugin that allows to switch currencies and get their rates converted in the real time on your site!
6
6
Author: realmag777
7
Version: 1.1.9
7
Version: 1.2.0
8
8
Requires at least: WP 3.5.0
9
9
Tested up to: WP 6.2
…
…
19
19
20
20
//***
21
define('WPCS_VERSION’, ‘1.1.9’);
21
define('WPCS_VERSION’, ‘1.2.0’);
22
22
//define('WPCS_VERSION’, uniqid('wpcs-')); //for dev
23
23
define('WPCS_PATH’, plugin_dir_path(__FILE__));
…
…
32
32
include_once WPCS_PATH . 'classes/world_currencies.php’;
33
33
34
//12-10-2022
34
//11-05-2023
35
35
final class WPCS {
36
36
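--- a/currency-switcher/trunk/js/sd/smart-designer.js
+++ b/currency-switcher/trunk/js/sd/smart-designer.js
@@ -13,5 +13,6 @@
 url: ajaxurl,
 data: {
-action: 'wpcs_sd_create'
+action: 'wpcs_sd_create',
+nonce: wpcs_sd.nonce
 },
 success: function (id) {
@@ -81,5 +82,6 @@
 data: {
 action: 'wpcs_sd_get',
-id: id
+id: id,
+nonce: wpcs_sd.nonce
 },
 success: function (options) {
@@ -121,5 +123,6 @@
 data: {
 action: 'wpcs_sd_delete',
-id: id
+id: id,
+nonce: wpcs_sd.nonce
 },
 success: function () {
@@ -168,5 +171,6 @@
 action: 'wpcs_sd_save',
 id: wpcs_sd_current_edit_id,
-options: JSON.stringify(wpcs_sd_dd.settings)
+options: JSON.stringify(wpcs_sd_dd.settings),
+nonce: wpcs_sd.nonce
 },
 success: function () {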
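Review bot: The save request in the last hunk now sends `nonce: wpcs_sd.nonce`, but its `success` callback takes no argument, so a request the server rejects (capability or nonce failure, which on the PHP side ends in an empty body or admin-ajax's default `0` rather than an HTTP error status) presumably completes the UI flow as if the design had been saved. The nonce is also minted once per page load in `wp_localize_script`, so a designer tab left open past the nonce lifetime will have every later save rejected without any visible sign. I would read the response and bail on the failure values, `success: function (resp) { if (resp === '0' || resp === '-1' || resp === '') { /* surface an error */ return; }`, and the same applies to the `get`, `delete` and `create` callbacks in the earlier hunks. The enclosing `$.ajax({...})` call starts before each hunk.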
currency-switcher/trunk/readme.txt
r2890285
r2911049
18
18
WordPress Currency Switcher is available as shortcode **[[wpcs]](https://wp-currency.com/shortcode/wpcs/)** so as the widget. Insert prices into your content by shortcode [[wpcs_price value=20]](https://wp-currency.com/shortcode/wpcs_price/)
19
19
20
List of supported currencies: [https://en.wikipedia.org/wiki/ISO_4217#Active_codes](https://en.wikipedia.org/wiki/ISO_4217#Active_codes)
21
22
20
Demo: [demo.wp-currency.com](https://demo.wp-currency.com/)
23
21
…
…
141
139
== Changelog ==
142
140
141
= 1.2.0 =
142
* security fix, thanks to Alex Thomas from Wordfence Security
143
143
144
= 1.1.9 =
144
145
* New currency aggregator “Currencyapi.com”
…
…
217
218
== License ==
218
219
219
This plugin is copyright pluginus.net © 2012-2022 with [GNU General Public License][] by realmag777.
220
This plugin is copyright pluginus.net © 2012-2023 with [GNU General Public License][] by realmag777.
220
221
221
222
This program is free software; you can redistribute it and/or modify it under the terms of the [GNU General Public License][] as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
currency-switcher/trunk/views/shortcodes/wpcs_current_currency.php
r1860394
r2911049
3
3
4
4
<?php if (!empty($text)): ?>
5
<strong class="wpcs\_current\_currency\_text"><?php echo $text ?></strong>
5
<strong class="wpcs\_current\_currency\_text"><?php echo esc\_html($text) ?></strong>
6
6
<?php endif; ?>
7
7
currency-switcher/trunk/views/shortcodes/wpcs_rates.php
r2753759
r2911049
23
23
<div class="wpcs_rates_shortcode">
24
24
25
<?php if (!empty($currencies)): ?>
25
<?php if (!empty($currencies)): ?>
26
26
<select class="wpcs\_rates\_current\_currency" data-precision="<?php echo $precision ?>" data-exclude="<?php echo $exclude\_string ?>">
27
<?php
28
if (!empty($currencies)) {
29
foreach ($currencies as $key => $c) {
30
if (in\_array($key, $exclude)) {
31
continue;
32
}
33
?>
27
<?php
28
if (!empty($currencies)) {
29
foreach ($currencies as $key => $c) {
30
if (in\_array($key, $exclude)) {
31
continue;
32
}
33
?>
34
34
<option <?php selected($current\_currency, $key) ?> value="<?php echo $key ?>"><?php printf(\_\_('1 %s is', 'currency-switcher'), $c\['name'\]) ?></option>
35
35
<?php
…
…
46
46
?>
47
47
<li>
48
<?php if (!empty($c\['flag'\])): ?>
48
<?php if (!empty($c\['flag'\])): ?>
49
49
<img src="<?php echo $c\['flag'\] ?>" width="30" alt="<?php echo $c\['name'\] ?>" />
50
<?php endif; ?>
50
<?php endif; ?>
51
51
<strong><?php echo $key ?></strong>: <?php
52
$v = 0;
53
if ($c\['rate'\] / $currencies\[$current\_currency\]\['rate'\] > 0) {
54
$v = $c\['rate'\] / $currencies\[$current\_currency\]\['rate'\];
55
}
56
echo number\_format($v, intval($precision), $this->decimal\_sep, '');
57
?><br />
52
$v = 0;
53
$crate = $currencies\[$current\_currency\]\['rate'\];
54
if ($crate && $c\['rate'\] / $crate > 0) {
55
$v = $c\['rate'\] / $crate;
56
}
57
echo number\_format($v, intval($precision), $this->decimal\_sep, '');
58
?><br />
58
59
</li>
59
<?php endforeach; ?>
60
<?php endforeach; ?>
60
61
</ul>
61
<?php endif; ?>
62
<?php endif; ?>
62
63
63
64
</div>
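Review bot: The guard `if ($crate && $c['rate'] / $crate > 0)` in the last hunk removes the division by zero, but `$currencies[$current_currency]` is still indexed without checking the key exists, so if `$current_currency` can be absent from `$currencies` (not visible here) `$crate` is `null` with a notice; `$crate = isset($currencies[$current_currency]['rate']) ? $currencies[$current_currency]['rate'] : 0;` would close that. Separately, while this same changeset wraps the sibling template's `$text` in `esc_html()`, this template's context lines still echo `$precision`, `$exclude_string`, `$key`, `$c['flag']` and `$c['name']` unescaped into attributes and element content; if any of those originate from shortcode attributes or editable currency settings, they need the matching escapes, e.g. `<img src="<?php echo esc_url($c['flag']) ?>" width="30" alt="<?php echo esc_attr($c['name']) ?>" />`. The enclosing template starts before the first hunk.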