CVE-2023-3957: acf_photo_gallery_save.php in navz-photo-gallery/tags/1.9/includes – WordPress Plugin Repository

The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the ‘apg_profile_update’ function in versions up to, and including, 1.9. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update the user metas arbitrarily. The meta value can only be a string.


```php
<?php

// exit if accessed directly
if( ! defined( 'ABSPATH' ) ) exit;

//Fires off when the WordPress update button is clicked
function acf_photo_gallery_save( $post_id ){

    // If this is a revision, get real post ID
    if ( $parent_id = wp_is_post_revision( $post_id ) )
        $post_id = $parent_id;
    // unhook this function so it doesn't loop infinitely
    remove_action( 'save_post', 'acf_photo_gallery_save' );

    $field = !empty($_POST['acf-photo-gallery-groups'])? $_POST['acf-photo-gallery-groups']: array();
    $field = array_map('sanitize_text_field', $field );

    if( !empty($field) ){
        $field_key = sanitize_text_field($_POST['acf-photo-gallery-field']);
        foreach($field as $k => $v ){
            $field_id = isset($_POST['acf-photo-gallery-groups'][$k])? sanitize_text_field($_POST['acf-photo-gallery-groups'][$k]): null;
            if (!empty($field_id)) {
                $ids = !empty($_POST[$field_id])? array_map('sanitize_text_field', $_POST[$field_id]): null;
                if (!empty($ids)) {
                    $ids = implode(',', $ids);
                    update_post_meta($post_id, $field_id, $ids);
                    acf_update_metadata($post_id, $field_id, $field_key, true);
                } else {
                    delete_post_meta($post_id, $v);
                    acf_delete_metadata($post_id, $field_id, true);
                }
            }
        }
    }

    // re-hook this function
    add_action( 'save_post', 'acf_photo_gallery_save' );
}
add_action( 'save_post', 'acf_photo_gallery_save' );

add_action( 'profile_update', 'apg_profile_update', 10, 2 );
function apg_profile_update( $user_id, $old_user_data ){
    $group = $_POST['acf-photo-gallery-groups'];
    if( is_array($group) && count($group) > 0 ){
        foreach($group as $item){
            $d = $_POST[$item];
            update_user_meta($user_id, $item, implode(',', $d));
        }
    }
}
```
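A hardened counterpart to `apg_profile_update`, added here as an example; it is not the plugin's code or its actual fix. The `apg_example_*` function, filter and nonce names and the `profile_gallery` key are hypothetical, and it assumes gallery values are numeric attachment IDs.

```php
<?php
// Added example (not the plugin's code). All apg_example_* names are hypothetical.

// Meta keys the gallery field is allowed to write. 'profile_gallery' is a
// constructed sample; a real site would list its registered gallery fields.
function apg_example_allowed_meta_keys() {
    return apply_filters( 'apg_example_allowed_meta_keys', array( 'profile_gallery' ) );
}

function apg_example_profile_update( $user_id, $old_user_data ) {
    // The caller must be allowed to edit this specific user.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }

    // Require a nonce that the gallery field emitted with wp_nonce_field().
    $nonce = isset( $_POST['apg_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['apg_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'apg_example_save_' . $user_id ) ) {
        return;
    }

    $groups = isset( $_POST['acf-photo-gallery-groups'] ) ? wp_unslash( $_POST['acf-photo-gallery-groups'] ) : array();
    if ( ! is_array( $groups ) ) {
        return;
    }

    $allowed = apg_example_allowed_meta_keys();
    foreach ( $groups as $item ) {
        // The request no longer chooses the meta key freely: anything
        // outside the allowlist (e.g. core user meta keys) is skipped.
        if ( ! is_string( $item ) || ! in_array( $item, $allowed, true ) ) {
            continue;
        }
        $raw = ( isset( $_POST[ $item ] ) && is_array( $_POST[ $item ] ) ) ? $_POST[ $item ] : array();
        // Keep scalar entries only, coerce to non-negative integers, drop zeros.
        $ids = array_filter( array_map( 'absint', array_filter( $raw, 'is_scalar' ) ) );
        update_user_meta( $user_id, $item, implode( ',', $ids ) );
    }
}
add_action( 'profile_update', 'apg_example_profile_update', 10, 2 );
```

The allowlist is the control that matters for this issue: a subscriber editing their own profile passes the `edit_user` check, so the capability and nonce checks alone would not stop them from naming an arbitrary meta key.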
