Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-5435: up-down-image-slideshow-gallery.php in up-down-image-slideshow-gallery/trunk – WordPress Plugin Repository

The Up down image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE
#sql#web#js#java#wordpress#php#auth

1<?php2/*3Plugin Name: Up down image slideshow gallery4Plugin URI: http://www.gopiplus.com/work/2011/04/25/wordpress-plugin-up-down-image-slideshow-script/5Description: Up down image slideshow gallery lets showcase images in a vertical move style. Single image at a time and pull one by one continually. This slideshow will pause on mouse over. The speed of the plugin gallery is customizable. Persistence of last viewed image supported, so when the user reloads the page, the slideshow continues from the last image.6Author: Gopi Ramasamy7Version: 12.08Author URI: http://www.gopiplus.com/work/9Donate link: http://www.gopiplus.com/work/2011/04/25/wordpress-plugin-up-down-image-slideshow-script/10Tags: slidshow, gallery11License: GPLv2 or later12License URI: http://www.gnu.org/licenses/gpl-2.0.html13Text Domain: up-down-image-slideshow-gallery14Domain Path: /languages15*/1617if(preg_match(‘#’ . basename(__FILE__) . '#’, $_SERVER[‘PHP_SELF’])) { die(‘You are not allowed to call this page directly.’); }1819global $wpdb, $wp_version;20define("WP_udisg_TABLE", $wpdb->prefix . “udisg_plugin”);21define('WP_UDISG_FAV’, ‘http://www.gopiplus.com/work/2011/04/25/wordpress-plugin-up-down-image-slideshow-script/’);2223if ( ! defined( ‘WP_UDISG_BASENAME’ ) )24 define( 'WP_UDISG_BASENAME’, plugin_basename( __FILE__ ) );25 26if ( ! defined( ‘WP_UDISG_PLUGIN_NAME’ ) )27 define( 'WP_UDISG_PLUGIN_NAME’, trim( dirname( WP_UDISG_BASENAME ), ‘/’ ) );28 29if ( ! defined( ‘WP_UDISG_PLUGIN_URL’ ) )30 define( 'WP_UDISG_PLUGIN_URL’, WP_PLUGIN_URL . ‘/’ . WP_UDISG_PLUGIN_NAME );31 32if ( ! defined( ‘WP_UDISG_ADMIN_URL’ ) )33 define( ‘WP_UDISG_ADMIN_URL’, get_option(‘siteurl’) . ‘/wp-admin/options-general.php?page=up-down-image-slideshow-gallery’ );3435function udisg() 36{37 global $wpdb;38 $udisg_package = "";39 $udisg_title = get_option(‘udisg_title’);40 $udisg_width = get_option(‘udisg_width’);41 $udisg_height = get_option(‘udisg_height’);42 $udisg_pause = get_option(‘udisg_pause’);43 $udisg_cycles = get_option(‘udisg_cycles’);44 $udisg_persist = get_option(‘udisg_persist’);45 $udisg_slideduration = get_option(‘udisg_slideduration’);46 $udisg_random = get_option(‘udisg_random’);47 $udisg_type = get_option(‘udisg_type’);48 49 if(!is_numeric($udisg_width)) { @$udisg_width = 250 ;}50 if(!is_numeric($udisg_height)) { @$udisg_height = 200; }51 if(!is_numeric($udisg_pause)) { @$udisg_pause = 2000; }52 if(!is_numeric($udisg_cycles)) { @$udisg_cycles = 5; }53 if(!is_numeric($udisg_slideduration)) { @$udisg_slideduration = 300; }54 55 $sSql = "select udisg_path,udisg_link,udisg_target,udisg_title from “.WP_udisg_TABLE.” where 1=1";56 if($udisg_type <> “”){ $sSql = $sSql . " and udisg_type=’".$udisg_type."’"; }57 if($udisg_random == “YES”){ $sSql = $sSql . " ORDER BY RAND()"; }else{ $sSql = $sSql . " ORDER BY udisg_order"; }58 59 $data = $wpdb->get_results($sSql);60 61 if ( ! empty($data) ) 62 {63 foreach ( $data as $data ) 64 {65 $udisg_package = $udisg_package .’["’.$data->udisg_path.’", "’.$data->udisg_link.’", “’.$data->udisg_target.’”],’;66 }67 $udisg_package = substr($udisg_package,0,(strlen($udisg_package)-1));68 ?>69 <script type="text/javascript">70 var udisg_SlideShow=new udisg_Show({71 udisg_Wrapperid: "udisg_widgetss", 72 udisg_WidthHeight: [<?php echo $udisg_width; ?>, <?php echo $udisg_height; ?>], 73 udisg_ImageArray: [ <?php echo $udisg_package; ?> ],74 udisg_Displaymode: {type:’auto’, pause:<?php echo $udisg_pause; ?>, cycles:<?php echo $udisg_cycles; ?>, pauseonmouseover:true},75 udisg_Orientation: “v", 76 udisg_Persist: <?php echo $udisg_persist; ?>, 77 udisg_Slideduration: <?php echo $udisg_slideduration; ?> 78 })79 </script>80 <div id="udisg_widgetss” style="max-width:100%"></div>81 <?php82 } 83 else84 {85 _e('Please check the widget setting gallery group’, ‘up-down-image-slideshow-gallery’);86 }87}8889function udisg_install() 90{91 global $wpdb;92 if($wpdb->get_var("show tables like '". WP_udisg_TABLE . “’”) != WP_udisg_TABLE) 93 {94 $sSql = "CREATE TABLE IF NOT EXISTS `". WP_udisg_TABLE . "` (";95 $sSql = $sSql . "udisg_id INT NOT NULL AUTO_INCREMENT ,";96 $sSql = $sSql . "udisg_path TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL ,";97 $sSql = $sSql . "udisg_link TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL ,";98 $sSql = $sSql . "udisg_target VARCHAR( 50 ) NOT NULL ,";99 $sSql = $sSql . "udisg_title VARCHAR( 500 ) NOT NULL ,";100 $sSql = $sSql . "udisg_order INT NOT NULL ,";101 $sSql = $sSql . "udisg_status VARCHAR( 10 ) NOT NULL ,";102 $sSql = $sSql . "udisg_type VARCHAR( 100 ) NOT NULL ,";103 $sSql = $sSql . "udisg_extra1 VARCHAR( 100 ) NOT NULL ,";104 $sSql = $sSql . "udisg_extra2 VARCHAR( 100 ) NOT NULL ,";105 $sSql = $sSql . “udisg_date datetime NOT NULL default ‘0000-00-00 00:00:00’ ,";106 $sSql = $sSql . “PRIMARY KEY ( `udisg_id` )“;107 $sSql = $sSql . ") ENGINE=MyISAM DEFAULT CHARSET=utf8;";108 $wpdb->query($sSql);109 $IsSql = “INSERT INTO `". WP_udisg_TABLE . “` (udisg_path, udisg_link, udisg_target, udisg_title, udisg_order, udisg_status, udisg_type, udisg_date)“; 110 $sSql = $IsSql . " VALUES ('".WP_UDISG_PLUGIN_URL."/images/250x167_1.jpg’, '#’, '_blank’, 'Image 1’, '1’, 'YES’, 'Widget’, ‘0000-00-00 00:00:00’);";111 $wpdb->query($sSql);112 $sSql = $IsSql . " VALUES (‘".WP_UDISG_PLUGIN_URL."/images/250x167_2.jpg’ ,’#’, '_blank’, 'Image 2’, '2’, 'YES’, 'Widget’, ‘0000-00-00 00:00:00’);";113 $wpdb->query($sSql); 114 $sSql = $IsSql . " VALUES ('".WP_UDISG_PLUGIN_URL."/images/250x167_3.jpg’, '#’, '_blank’, 'Image 3’, '1’, 'YES’, 'Sample’, ‘0000-00-00 00:00:00’);";115 $wpdb->query($sSql);116 $sSql = $IsSql . " VALUES ('".WP_UDISG_PLUGIN_URL."/images/250x167_4.jpg’, '#’, '_blank’, 'Image 4’, '2’, 'YES’, 'Sample’, ‘0000-00-00 00:00:00’);";117 $wpdb->query($sSql);118 }119 add_option('udisg_title’, “Up down slideshow”);120 add_option('udisg_width’, “250”);121 add_option('udisg_height’, “200”);122 add_option('udisg_pause’, “2000”);123 add_option('udisg_cycles’, “15”);124 add_option('udisg_persist’, “true”);125 add_option('udisg_slideduration’, “300”);126 add_option('udisg_random’, “YES”);127 add_option('udisg_type’, “Widget”);128}129130function udisg_control() 131{132 echo '<p><b>’;133 _e('Up down slideshow’, ‘up-down-image-slideshow-gallery’);134 echo '.</b> ';135 _e('Check official website for more information’, ‘up-down-image-slideshow-gallery’);136 ?> <a target="_blank” href="<?php echo WP_UDISG_FAV; ?>"><?php _e('click here’, ‘up-down-image-slideshow-gallery’); ?></a></p><?php137}138139function udisg_widget($args) 140{141 extract($args);142 echo $before_widget . $before_title;143 echo get_option(‘udisg_Title’);144 echo $after_title;145 udisg();146 echo $after_widget;147}148149function udisg_admin_options() 150{151 global $wpdb;152 $current_page = isset($_GET[‘ac’]) ? $_GET[‘ac’] : '’;153 switch($current_page)154 {155 case 'edit’:156 include(‘pages/image-management-edit.php’);157 break;158 case 'add’:159 include(‘pages/image-management-add.php’);160 break;161 case 'set’:162 include(‘pages/image-setting.php’);163 break;164 default:165 include(‘pages/image-management-show.php’);166 break;167 }168}169170add_shortcode( 'up-slideshow’, ‘udisg_shortcode’ );171172function udisg_shortcode( $atts ) 173{174 global $wpdb;175 176 //[up-slideshow type="sample” width="250” height="170” pause="3000” random="YES”]177 if ( ! is_array( $atts ) ) { return ‘’; }178 $udisg_type = $atts[‘type’];179 $udisg_width = $atts[‘width’];180 $udisg_height = $atts[‘height’];181 $udisg_pause = $atts[‘pause’];182 $udisg_random = $atts[‘random’];183184 $udisg_persist = get_option(‘udisg_persist’);185 186 if($udisg_persist == “true”)187 {188 $udisg_persist = "true";189 }190 else191 {192 $udisg_persist = "false";193 }194 195 $udisg_cycles = get_option(‘udisg_cycles’);196 $udisg_slideduration = get_option(‘udisg_slideduration’);197 198 if(!is_numeric($udisg_width)) { @$udisg_width = 250 ;}199 if(!is_numeric($udisg_height)) { @$udisg_height = 200; }200 if(!is_numeric($udisg_cycles)) { @$udisg_cycles = 5; }201 if(!is_numeric($udisg_slideduration)) { @$udisg_slideduration = 300; }202 if(!is_numeric($udisg_pause)) { @$udisg_pause = 2000; }203 204 $sSql = "select udisg_path,udisg_link,udisg_target,udisg_title from “.WP_udisg_TABLE.” where 1=1";205 if($udisg_type <> “”){ $sSql = $sSql . " and udisg_type=’".$udisg_type."’"; }206 if($udisg_random == “YES”){ $sSql = $sSql . " ORDER BY RAND()"; }else{ $sSql = $sSql . " ORDER BY udisg_order"; }207 208 $data = $wpdb->get_results($sSql);209 $udisg_package = "";210 $Lr = "";211 if ( ! empty($data) ) 212 {213 foreach ( $data as $data ) 214 {215 $udisg_package = $udisg_package .’["’.$data->udisg_path.’", "’.$data->udisg_link.’", “’.$data->udisg_target.’”],’;216 }217 $udisg_package = substr($udisg_package,0,(strlen($udisg_package)-1));218 $type = "auto";219 $wrapperid = $udisg_type;220 $Lr = $Lr .’<script type="text/javascript">’;221 $Lr = $Lr .’var udisg_SlideShow=new udisg_Show({udisg_Wrapperid: "’.$wrapperid.’",udisg_WidthHeight: ['.$udisg_width.’, ‘.$udisg_height.’], udisg_ImageArray: [ ‘.$udisg_package.’ ],udisg_Displaymode: {type:"’.$type.’", pause:’.$udisg_pause.’, cycles:’.$udisg_cycles.’, pauseonmouseover:true},udisg_Orientation: "v",udisg_Persist: '.$udisg_persist.’,udisg_Slideduration: ‘.$udisg_slideduration.’ })';222 $Lr = $Lr .’</script>’;223 $Lr = $Lr .’<div id="’.$wrapperid.’"></div>’;224 } 225 else226 { 227 $Lr = " Please check the short code ";228 }229 230 return $Lr;231}232233function udisg_add_to_menu() 234{235 if (is_admin()) 236 {237 add_options_page( __('Up down image slideshow gallery’, ‘up-down-image-slideshow-gallery’), 238 __('Up down slideshow’, ‘up-down-image-slideshow-gallery’), 'manage_options’, 'up-down-image-slideshow-gallery’, ‘udisg_admin_options’ );239 }240}241242function udisg_init()243{244 if(function_exists(‘wp_register_sidebar_widget’)) 245 {246 wp_register_sidebar_widget('up-down-image-slideshow-gallery’, __('Up down image slideshow gallery’, ‘up-down-image-slideshow-gallery’), ‘udisg_widget’);247 }248 249 if(function_exists(‘wp_register_widget_control’)) 250 {251 wp_register_widget_control('up-down-image-slideshow-gallery’, array(__('Up down image slideshow gallery’, ‘up-down-image-slideshow-gallery’), ‘widgets’), ‘udisg_control’);252 } 253}254255function udisg_deactivation() 256{257 // No action required.258}259260function udisg_add_javascript_files() 261{262 if (!is_admin())263 {264 wp_enqueue_script(‘jquery’);265 wp_enqueue_script( ‘up-down-image-slideshow-gallery’, WP_UDISG_PLUGIN_URL.’/inc/up-down-image-slideshow-gallery.js’);266 }267}268269function udisg_textdomain() 270{271 load_plugin_textdomain( 'up-down-image-slideshow-gallery’, false, dirname( plugin_basename( __FILE__ ) ) . ‘/languages/’ );272}273274function udisg_adminscripts() 275{276 if( !empty( $_GET[‘page’] ) ) 277 {278 switch ( $_GET[‘page’] ) 279 {280 case 'up-down-image-slideshow-gallery’:281 wp_register_script( 'udisg-adminscripts’, plugins_url( 'pages/setting.js’, __FILE__ ), '’, '’, true );282 wp_enqueue_script( ‘udisg-adminscripts’ );283 $udisg_select_params = array(284 ‘udisg_path’ => __( 'Please enter the image path.’, 'udisg-select’, ‘up-down-image-slideshow-gallery’ ),285 ‘udisg_link’ => __( 'Please enter the target link.’, 'udisg-select’, ‘up-down-image-slideshow-gallery’ ),286 ‘udisg_target’ => __( 'Please enter the target option.’, 'udisg-select’, ‘up-down-image-slideshow-gallery’ ),287 ‘udisg_order’ => __( 'Please enter the display order, only number.’, 'udisg-select’, ‘up-down-image-slideshow-gallery’ ),288 ‘udisg_status’ => __( 'Please select the display status.’, 'udisg-select’, ‘up-down-image-slideshow-gallery’ ),289 ‘udisg_type’ => __( 'Please enter the gallery type.’, 'udisg-select’, ‘up-down-image-slideshow-gallery’ ),290 ‘udisg_delete’ => __( 'Do you want to delete this record?’, 'udisg-select’, ‘up-down-image-slideshow-gallery’ ),291 );292 wp_localize_script( 'udisg-adminscripts’, 'udisg_adminscripts’, $udisg_select_params );293 break;294 }295 }296}297298add_action('plugins_loaded’, ‘udisg_textdomain’);299add_action('wp_enqueue_scripts’, ‘udisg_add_javascript_files’);300add_action("plugins_loaded", “udisg_init”);301register_activation_hook(__FILE__, ‘udisg_install’);302register_deactivation_hook(__FILE__, ‘udisg_deactivation’);303add_action('admin_menu’, ‘udisg_add_to_menu’);304add_action( 'admin_enqueue_scripts’, ‘udisg_adminscripts’ );305?>

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907