CVE-2022-2437: Changeset 2754749 for feed-them-social – WordPress Plugin Repository
The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the ‘fts_url’ parameter in versions up to and including 2.9.8.5. This makes it possible for unauthenticated attackers to reference files through a PHAR wrapper, which deserializes the file's data and instantiates arbitrary PHP objects; these can be used to perform a variety of malicious actions, provided a POP chain is also present. Exploitation also requires that the attacker has succeeded in uploading a file containing the serialized payload.
feed-them-social/tags/2.9.8.6/feed-them.php
r2733194
r2754749
8
8
\* Plugin URI: https://feedthemsocial.com/
9
9
\* Description: Display a Custom Facebook feed, Instagram feed, Twitter feed and YouTube feed on pages, posts or widgets.
10
\* Version: 2.9.8.5
10
\* Version: 2.9.8.6
11
11
\* Author: SlickRemix
12
12
\* Author URI: https://www.slickremix.com/
…
…
15
15
\* Requires at least: WordPress 4.0.0
16
16
\* Tested up to: WordPress 6.0
17
\* Stable tag: 2.9.8.5
17
\* Stable tag: 2.9.8.6
18
18
\* License: GPLv2 or later
19
19
\* License URI: https://www.gnu.org/licenses/gpl-3.0.html
20
20
\*
21
\* @version 2.9.8.5
21
\* @version 2.9.8.6
22
22
\* @package FeedThemSocial/Core
23
23
\* @copyright Copyright (c) 2012-2022 SlickRemix
…
…
32
32
\* Makes sure any js or css changes are reloaded properly. Added to enqued css and js files throughout!
33
33
\*/
34
define( 'FTS\_CURRENT\_VERSION', '2.9.8.5' );
34
define( 'FTS\_CURRENT\_VERSION', '2.9.8.6' );
35
35
36
36
define( 'FEED\_THEM\_SOCIAL\_NOTICE\_STATUS', get\_option( 'rating\_fts\_slick\_notice', false ) );
feed-them-social/tags/2.9.8.6/feeds/twitter/class-fts-twitter-feed.php
r2710351
r2754749
248
248
}
249
249
250
$twitter\_external\_url = $\_REQUEST\['fts\_url'\];
251
$no\_video\_image\_check = $\_REQUEST\['fts\_no\_video\_image'\];
252
$fts\_popup \= $\_REQUEST\['fts\_popup'\];
250
$twitter\_external\_url = esc\_url\_raw( $\_REQUEST\['fts\_url'\] );
251
$no\_video\_image\_check = esc\_html( $\_REQUEST\['fts\_no\_video\_image'\] );
252
$fts\_popup = esc\_html( $\_REQUEST\['fts\_popup'\] );
253
253
254
254
// echo ' test ';
…
…
261
261
// If 1 or 2 are not found then we return nothing.
262
262
263
// FYI sometimes get\_meta\_tags will not work because a website will block it's usage.
264
$tags = get\_meta\_tags( $twitter\_external\_url );
263
// FYI sometimes get\_meta\_tags will not work because a website/server will block it's usage.
264
$tags = '' !== $twitter\_external\_url ? get\_meta\_tags( $twitter\_external\_url ) : '';
265
265
266
// First try and us the get\_meta\_tags php function because this is quicker
266
267
// Otherwise we use preg\_match to find what we need from the <meta properties"og:image" for example.
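Review bot: `get_meta_tags( $twitter_external_url )` at new line 264 still makes the server fetch whatever http or https address the request supplies, so the server-side request forgery exposure of this sink remains even though `esc_url_raw()` now empties a `phar://` value. `esc_url_raw()` is meant for URLs that will be stored or redirected to; it falls back on the default allowed-protocol list and does not look at the host, so I would pin the schemes and validate the target before fetching: `$twitter_external_url = esc_url_raw( wp_unslash( $_REQUEST['fts_url'] ), array( 'http', 'https' ) );` and `$tags = wp_http_validate_url( $twitter_external_url ) ? get_meta_tags( $twitter_external_url ) : '';`. The three `$_REQUEST` reads at new lines 250–252 are also not guarded with `isset()`. The enclosing function starts and ends outside this hunk, so whether a nonce or capability check precedes these lines cannot be seen here; the same change is repeated under feed-them-social/trunk/feeds/twitter/class-fts-twitter-feed.php.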
feed-them-social/tags/2.9.8.6/includes/feed-them-functions.php
r2713765
r2754749
1490
1490
if (d.getElementById(id)) return;
1491
1491
js = d.createElement(s); js.id = id;
1492
js.src = "//connect.facebook.net/' . esc\_html( $language\_option ) . '/sdk.js#xfbml=1&appId=&version=v3.1";
1492
js.src = "//connect.facebook.net/' . esc\_html( $language\_option ) . '/sdk.js#xfbml=1&appId=1123168491105924&version=v3.1";
1493
1493
fjs.parentNode.insertBefore(js, fjs);
1494
1494
}(document, "script", "facebook-jssd"));</script>';
…
…
3542
3542
public function fts\_refresh\_token\_ajax() {
3543
3543
3544
$fts\_refresh\_token\_nonce = wp\_create\_nonce( 'fts\_refresh\_token\_nonce' );
3545
3546
if ( wp\_verify\_nonce( $fts\_refresh\_token\_nonce, 'fts\_refresh\_token\_nonce' ) ) {
3547
3548
if ( isset( $\_REQUEST\['button\_pushed'\] ) && 'yes' === $\_REQUEST\['button\_pushed'\] ) {
3549
3550
if( 'youtube' === $\_REQUEST\['feed'\] && !empty( $\_REQUEST\['refresh\_token'\] ) ){
3551
update\_option( 'youtube\_custom\_refresh\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['refresh\_token'\] ) ) );
3552
3553
}
3554
if ( 'instagram' === $\_REQUEST\['feed'\] && !empty( $\_REQUEST\['access\_token'\] ) ){
3555
update\_option( 'fts\_instagram\_custom\_api\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3556
}
3557
}
3558
if ( !empty( $\_REQUEST\['access\_token'\] ) ) {
3559
3560
if( 'youtube' === $\_REQUEST\['feed'\] ){
3561
update\_option( 'youtube\_custom\_access\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3562
3563
}
3564
if ( 'instagram' === $\_REQUEST\['feed'\] ){
3565
update\_option( 'fts\_instagram\_custom\_api\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3566
}
3567
}
3544
// Check security token is set.
3545
if ( ! isset( $\_REQUEST\['fts\_security'\], $\_REQUEST\['fts\_time'\] ) ) {
3546
exit( 'Sorry, You can\\'t do that!' );
3547
}
3548
3549
// Verify Nonce Security.
3550
if ( ! wp\_verify\_nonce( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_security'\] ) ) , sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_time'\] ) ) . 'fts\_refresh\_token\_nonce' ) ) {
3551
exit( 'Sorry, You can\\'t do that!' );
3552
}
3553
3554
if ( isset( $\_REQUEST\['button\_pushed'\] ) && 'yes' === $\_REQUEST\['button\_pushed'\] ) {
3555
3556
if( 'youtube' === $\_REQUEST\['feed'\] && !empty( $\_REQUEST\['refresh\_token'\] ) ){
3557
update\_option( 'youtube\_custom\_refresh\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['refresh\_token'\] ) ) );
3558
3559
}
3560
if ( 'instagram' === $\_REQUEST\['feed'\] && !empty( $\_REQUEST\['access\_token'\] ) ){
3561
update\_option( 'fts\_instagram\_custom\_api\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3562
}
3563
}
3564
if ( !empty( $\_REQUEST\['access\_token'\] ) ) {
3568
3565
3569
3566
if( 'youtube' === $\_REQUEST\['feed'\] ){
3570
3571
$startoftime = isset( $\_REQUEST\['expires\_in'\] ) ? strtotime( '+' . $\_REQUEST\['expires\_in'\] . ' seconds' ) : '';
3572
$start\_of\_time\_final = false !== $startoftime ? sanitize\_key( $startoftime ) : '';
3573
update\_option( 'youtube\_custom\_token\_exp\_time', sanitize\_text\_field( wp\_unslash( $start\_of\_time\_final ) ) );
3567
update\_option( 'youtube\_custom\_access\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3568
3574
3569
}
3575
3576
if( 'instagram' === $\_REQUEST\['feed'\] ){
3577
3578
$startoftime = isset( $\_REQUEST\['expires\_in'\] ) ? $\_REQUEST\['expires\_in'\] : '';
3579
$start\_of\_time\_final = false !== $startoftime ? sanitize\_key( $startoftime ) : '';
3580
update\_option( 'fts\_instagram\_custom\_api\_token\_expires\_in', sanitize\_text\_field( wp\_unslash( $start\_of\_time\_final ) ) );
3581
3582
echo wp\_unslash( $\_REQUEST\['expires\_in'\] );
3583
echo '<br/>';
3570
if ( 'instagram' === $\_REQUEST\['feed'\] ){
3571
update\_option( 'fts\_instagram\_custom\_api\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3584
3572
}
3585
3586
3587
// This only happens if the token is expired on the YouTube Options page and you go to re-save or refresh the page for some reason. It will also run this function if the cache is emptied and the token is found to be expired.
3588
if ( 'no' === $\_REQUEST\['button\_pushed'\] ) {
3589
echo 'Token Refreshed: ';
3590
// $output .= do\_shortcode('\[fts \_youtube vid\_count=3 large\_vid=no large\_vid\_title=no large\_vid\_description=no thumbs\_play\_in\_iframe=popup vids\_in\_row=3 space\_between\_videos=1px force\_columns=yes maxres\_thumbnail\_images=yes thumbs\_wrap\_color=#000 wrap=none video\_wrap\_display=none comments\_count=12 channel\_id=UCqhnX4jA0A5paNd1v-zEysw loadmore=button loadmore\_count=5 loadmore\_btn\_maxwidth=300px loadmore\_btn\_margin=10px\]');
3591
}
3592
}
3573
}
3574
3575
if( 'youtube' === $\_REQUEST\['feed'\] ){
3576
3577
$startoftime = isset( $\_REQUEST\['expires\_in'\] ) ? strtotime( '+' . $\_REQUEST\['expires\_in'\] . ' seconds' ) : '';
3578
$start\_of\_time\_final = false !== $startoftime ? sanitize\_key( $startoftime ) : '';
3579
update\_option( 'youtube\_custom\_token\_exp\_time', sanitize\_text\_field( wp\_unslash( $start\_of\_time\_final ) ) );
3580
}
3581
3582
if( 'instagram' === $\_REQUEST\['feed'\] ){
3583
3584
$startoftime = isset( $\_REQUEST\['expires\_in'\] ) ? $\_REQUEST\['expires\_in'\] : '';
3585
$start\_of\_time\_final = false !== $startoftime ? sanitize\_key( $startoftime ) : '';
3586
update\_option( 'fts\_instagram\_custom\_api\_token\_expires\_in', sanitize\_text\_field( wp\_unslash( $start\_of\_time\_final ) ) );
3587
3588
echo wp\_unslash( $\_REQUEST\['expires\_in'\] );
3589
echo '<br/>';
3590
}
3591
3592
// This only happens if the token is expired on the YouTube Options page and you go to re-save or refresh the page for some reason. It will also run this function if the cache is emptied and the token is found to be expired.
3593
if ( 'no' === $\_REQUEST\['button\_pushed'\] ) {
3594
echo 'Token Refreshed: ';
3595
// $output .= do\_shortcode('\[fts \_youtube vid\_count=3 large\_vid=no large\_vid\_title=no large\_vid\_description=no thumbs\_play\_in\_iframe=popup vids\_in\_row=3 space\_between\_videos=1px force\_columns=yes maxres\_thumbnail\_images=yes thumbs\_wrap\_color=#000 wrap=none video\_wrap\_display=none comments\_count=12 channel\_id=UCqhnX4jA0A5paNd1v-zEysw loadmore=button loadmore\_count=5 loadmore\_btn\_maxwidth=300px loadmore\_btn\_margin=10px\]');
3596
}
3593
3597
3594
3598
echo wp\_unslash( $\_REQUEST\['access\_token'\] );
3595
3596
3599
3597
3600
wp\_die();
…
…
3656
3659
//console.log( '<?php print\_r($response\['body'\]) ? >' );
3657
3660
3661
$time = time();
3662
$nonce = wp\_create\_nonce( $time . 'fts\_refresh\_token\_nonce' );
3663
3658
3664
?>
3659
3665
<script>
3660
3666
jQuery(document).ready(function () {
3661
3667
3668
var fts\_time = "<?php echo esc\_js( $time ); ?>";
3669
var fts\_security = "<?php echo esc\_js( $nonce ); ?>";
3662
3670
3663
3671
jQuery.ajax({
…
…
3667
3675
expires\_in: '<?php echo esc\_js( $expires\_in ); ?>',
3668
3676
button\_pushed: '<?php echo esc\_js( $button\_pushed ); ?>',
3677
fts\_security: fts\_security,
3678
fts\_time: fts\_time,
3669
3679
feed: 'instagram'
3670
3680
},
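Review bot: `fts_refresh_token_ajax()` still prints request values unescaped, `echo wp_unslash( $_REQUEST['expires_in'] );` at new line 3588 and `echo wp_unslash( $_REQUEST['access_token'] );` at new line 3598, so the reflected-output sink named in the changelog is only gated by the new nonce rather than removed. I would escape at the point of output, `echo esc_html( sanitize_text_field( wp_unslash( $_REQUEST['expires_in'] ) ) );`, and do the same for `access_token`. A nonce is also not an authorisation check: nothing visible in this hunk calls `current_user_can()` before the `update_option()` writes of the stored API tokens, and `$_REQUEST['feed']` and `$_REQUEST['button_pushed']` (new lines 3575–3593) are read without `isset()`. Mixing the caller-supplied `fts_time` into the nonce action adds nothing that `wp_verify_nonce()` does not already bind, so a fixed action with `check_ajax_referer( 'fts_refresh_token_nonce', 'fts_security' );` would be simpler. The function's closing lines fall outside the hunk, and the same section is repeated under feed-them-social/trunk/includes/feed-them-functions.php.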
feed-them-social/tags/2.9.8.6/readme.txt
r2733194
r2754749
4
4
Requires at least: 3.6.0
5
5
Tested up to: 6.0
6
Stable tag: 2.9.8.5
6
Stable tag: 2.9.8.6
7
7
License: GPLv2 or later
8
8
…
…
73
73
74
74
\== Changelog ==
75
\= Version 2.9.8.6 Monday, July 11th, 2022 =
76
\* FIX: Facebook Feed: Share option was throwing invalid APP ID error.
77
\* FIX: XSS Vulnerability: Instagram Refresh Token.
78
\* FIX: Phar Vulnerability: Twitter Share url check.
79
75
80
\= Version 2.9.8.5 Saturday, May 28th, 2022 =
76
81
\* FIX: Combined Streams: Twitter User Name not linking properly.
feed-them-social/trunk/feed-them.php
r2733194
r2754749
8
8
\* Plugin URI: https://feedthemsocial.com/
9
9
\* Description: Display a Custom Facebook feed, Instagram feed, Twitter feed and YouTube feed on pages, posts or widgets.
10
\* Version: 2.9.8.5
10
\* Version: 2.9.8.6
11
11
\* Author: SlickRemix
12
12
\* Author URI: https://www.slickremix.com/
…
…
15
15
\* Requires at least: WordPress 4.0.0
16
16
\* Tested up to: WordPress 6.0
17
\* Stable tag: 2.9.8.5
17
\* Stable tag: 2.9.8.6
18
18
\* License: GPLv2 or later
19
19
\* License URI: https://www.gnu.org/licenses/gpl-3.0.html
20
20
\*
21
\* @version 2.9.8.5
21
\* @version 2.9.8.6
22
22
\* @package FeedThemSocial/Core
23
23
\* @copyright Copyright (c) 2012-2022 SlickRemix
…
…
32
32
\* Makes sure any js or css changes are reloaded properly. Added to enqued css and js files throughout!
33
33
\*/
34
define( 'FTS\_CURRENT\_VERSION', '2.9.8.5' );
34
define( 'FTS\_CURRENT\_VERSION', '2.9.8.6' );
35
35
36
36
define( 'FEED\_THEM\_SOCIAL\_NOTICE\_STATUS', get\_option( 'rating\_fts\_slick\_notice', false ) );
feed-them-social/trunk/feeds/twitter/class-fts-twitter-feed.php
r2710351
r2754749
248
248
}
249
249
250
$twitter\_external\_url = $\_REQUEST\['fts\_url'\];
251
$no\_video\_image\_check = $\_REQUEST\['fts\_no\_video\_image'\];
252
$fts\_popup \= $\_REQUEST\['fts\_popup'\];
250
$twitter\_external\_url = esc\_url\_raw( $\_REQUEST\['fts\_url'\] );
251
$no\_video\_image\_check = esc\_html( $\_REQUEST\['fts\_no\_video\_image'\] );
252
$fts\_popup = esc\_html( $\_REQUEST\['fts\_popup'\] );
253
253
254
254
// echo ' test ';
…
…
261
261
// If 1 or 2 are not found then we return nothing.
262
262
263
// FYI sometimes get\_meta\_tags will not work because a website will block it's usage.
264
$tags = get\_meta\_tags( $twitter\_external\_url );
263
// FYI sometimes get\_meta\_tags will not work because a website/server will block it's usage.
264
$tags = '' !== $twitter\_external\_url ? get\_meta\_tags( $twitter\_external\_url ) : '';
265
265
266
// First try and us the get\_meta\_tags php function because this is quicker
266
267
// Otherwise we use preg\_match to find what we need from the <meta properties"og:image" for example.
feed-them-social/trunk/includes/feed-them-functions.php
r2713765
r2754749
1490
1490
if (d.getElementById(id)) return;
1491
1491
js = d.createElement(s); js.id = id;
1492
js.src = "//connect.facebook.net/' . esc\_html( $language\_option ) . '/sdk.js#xfbml=1&appId=&version=v3.1";
1492
js.src = "//connect.facebook.net/' . esc\_html( $language\_option ) . '/sdk.js#xfbml=1&appId=1123168491105924&version=v3.1";
1493
1493
fjs.parentNode.insertBefore(js, fjs);
1494
1494
}(document, "script", "facebook-jssd"));</script>';
…
…
3542
3542
public function fts\_refresh\_token\_ajax() {
3543
3543
3544
$fts\_refresh\_token\_nonce = wp\_create\_nonce( 'fts\_refresh\_token\_nonce' );
3545
3546
if ( wp\_verify\_nonce( $fts\_refresh\_token\_nonce, 'fts\_refresh\_token\_nonce' ) ) {
3547
3548
if ( isset( $\_REQUEST\['button\_pushed'\] ) && 'yes' === $\_REQUEST\['button\_pushed'\] ) {
3549
3550
if( 'youtube' === $\_REQUEST\['feed'\] && !empty( $\_REQUEST\['refresh\_token'\] ) ){
3551
update\_option( 'youtube\_custom\_refresh\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['refresh\_token'\] ) ) );
3552
3553
}
3554
if ( 'instagram' === $\_REQUEST\['feed'\] && !empty( $\_REQUEST\['access\_token'\] ) ){
3555
update\_option( 'fts\_instagram\_custom\_api\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3556
}
3557
}
3558
if ( !empty( $\_REQUEST\['access\_token'\] ) ) {
3559
3560
if( 'youtube' === $\_REQUEST\['feed'\] ){
3561
update\_option( 'youtube\_custom\_access\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3562
3563
}
3564
if ( 'instagram' === $\_REQUEST\['feed'\] ){
3565
update\_option( 'fts\_instagram\_custom\_api\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3566
}
3567
}
3544
// Check security token is set.
3545
if ( ! isset( $\_REQUEST\['fts\_security'\], $\_REQUEST\['fts\_time'\] ) ) {
3546
exit( 'Sorry, You can\\'t do that!' );
3547
}
3548
3549
// Verify Nonce Security.
3550
if ( ! wp\_verify\_nonce( sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_security'\] ) ) , sanitize\_text\_field( wp\_unslash( $\_REQUEST\['fts\_time'\] ) ) . 'fts\_refresh\_token\_nonce' ) ) {
3551
exit( 'Sorry, You can\\'t do that!' );
3552
}
3553
3554
if ( isset( $\_REQUEST\['button\_pushed'\] ) && 'yes' === $\_REQUEST\['button\_pushed'\] ) {
3555
3556
if( 'youtube' === $\_REQUEST\['feed'\] && !empty( $\_REQUEST\['refresh\_token'\] ) ){
3557
update\_option( 'youtube\_custom\_refresh\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['refresh\_token'\] ) ) );
3558
3559
}
3560
if ( 'instagram' === $\_REQUEST\['feed'\] && !empty( $\_REQUEST\['access\_token'\] ) ){
3561
update\_option( 'fts\_instagram\_custom\_api\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3562
}
3563
}
3564
if ( !empty( $\_REQUEST\['access\_token'\] ) ) {
3568
3565
3569
3566
if( 'youtube' === $\_REQUEST\['feed'\] ){
3570
3571
$startoftime = isset( $\_REQUEST\['expires\_in'\] ) ? strtotime( '+' . $\_REQUEST\['expires\_in'\] . ' seconds' ) : '';
3572
$start\_of\_time\_final = false !== $startoftime ? sanitize\_key( $startoftime ) : '';
3573
update\_option( 'youtube\_custom\_token\_exp\_time', sanitize\_text\_field( wp\_unslash( $start\_of\_time\_final ) ) );
3567
update\_option( 'youtube\_custom\_access\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3568
3574
3569
}
3575
3576
if( 'instagram' === $\_REQUEST\['feed'\] ){
3577
3578
$startoftime = isset( $\_REQUEST\['expires\_in'\] ) ? $\_REQUEST\['expires\_in'\] : '';
3579
$start\_of\_time\_final = false !== $startoftime ? sanitize\_key( $startoftime ) : '';
3580
update\_option( 'fts\_instagram\_custom\_api\_token\_expires\_in', sanitize\_text\_field( wp\_unslash( $start\_of\_time\_final ) ) );
3581
3582
echo wp\_unslash( $\_REQUEST\['expires\_in'\] );
3583
echo '<br/>';
3570
if ( 'instagram' === $\_REQUEST\['feed'\] ){
3571
update\_option( 'fts\_instagram\_custom\_api\_token', sanitize\_text\_field( wp\_unslash( $\_REQUEST\['access\_token'\] ) ) );
3584
3572
}
3585
3586
3587
// This only happens if the token is expired on the YouTube Options page and you go to re-save or refresh the page for some reason. It will also run this function if the cache is emptied and the token is found to be expired.
3588
if ( 'no' === $\_REQUEST\['button\_pushed'\] ) {
3589
echo 'Token Refreshed: ';
3590
// $output .= do\_shortcode('\[fts \_youtube vid\_count=3 large\_vid=no large\_vid\_title=no large\_vid\_description=no thumbs\_play\_in\_iframe=popup vids\_in\_row=3 space\_between\_videos=1px force\_columns=yes maxres\_thumbnail\_images=yes thumbs\_wrap\_color=#000 wrap=none video\_wrap\_display=none comments\_count=12 channel\_id=UCqhnX4jA0A5paNd1v-zEysw loadmore=button loadmore\_count=5 loadmore\_btn\_maxwidth=300px loadmore\_btn\_margin=10px\]');
3591
}
3592
}
3573
}
3574
3575
if( 'youtube' === $\_REQUEST\['feed'\] ){
3576
3577
$startoftime = isset( $\_REQUEST\['expires\_in'\] ) ? strtotime( '+' . $\_REQUEST\['expires\_in'\] . ' seconds' ) : '';
3578
$start\_of\_time\_final = false !== $startoftime ? sanitize\_key( $startoftime ) : '';
3579
update\_option( 'youtube\_custom\_token\_exp\_time', sanitize\_text\_field( wp\_unslash( $start\_of\_time\_final ) ) );
3580
}
3581
3582
if( 'instagram' === $\_REQUEST\['feed'\] ){
3583
3584
$startoftime = isset( $\_REQUEST\['expires\_in'\] ) ? $\_REQUEST\['expires\_in'\] : '';
3585
$start\_of\_time\_final = false !== $startoftime ? sanitize\_key( $startoftime ) : '';
3586
update\_option( 'fts\_instagram\_custom\_api\_token\_expires\_in', sanitize\_text\_field( wp\_unslash( $start\_of\_time\_final ) ) );
3587
3588
echo wp\_unslash( $\_REQUEST\['expires\_in'\] );
3589
echo '<br/>';
3590
}
3591
3592
// This only happens if the token is expired on the YouTube Options page and you go to re-save or refresh the page for some reason. It will also run this function if the cache is emptied and the token is found to be expired.
3593
if ( 'no' === $\_REQUEST\['button\_pushed'\] ) {
3594
echo 'Token Refreshed: ';
3595
// $output .= do\_shortcode('\[fts \_youtube vid\_count=3 large\_vid=no large\_vid\_title=no large\_vid\_description=no thumbs\_play\_in\_iframe=popup vids\_in\_row=3 space\_between\_videos=1px force\_columns=yes maxres\_thumbnail\_images=yes thumbs\_wrap\_color=#000 wrap=none video\_wrap\_display=none comments\_count=12 channel\_id=UCqhnX4jA0A5paNd1v-zEysw loadmore=button loadmore\_count=5 loadmore\_btn\_maxwidth=300px loadmore\_btn\_margin=10px\]');
3596
}
3593
3597
3594
3598
echo wp\_unslash( $\_REQUEST\['access\_token'\] );
3595
3596
3599
3597
3600
wp\_die();
…
…
3656
3659
//console.log( '<?php print\_r($response\['body'\]) ? >' );
3657
3660
3661
$time = time();
3662
$nonce = wp\_create\_nonce( $time . 'fts\_refresh\_token\_nonce' );
3663
3658
3664
?>
3659
3665
<script>
3660
3666
jQuery(document).ready(function () {
3661
3667
3668
var fts\_time = "<?php echo esc\_js( $time ); ?>";
3669
var fts\_security = "<?php echo esc\_js( $nonce ); ?>";
3662
3670
3663
3671
jQuery.ajax({
…
…
3667
3675
expires\_in: '<?php echo esc\_js( $expires\_in ); ?>',
3668
3676
button\_pushed: '<?php echo esc\_js( $button\_pushed ); ?>',
3677
fts\_security: fts\_security,
3678
fts\_time: fts\_time,
3669
3679
feed: 'instagram'
3670
3680
},
feed-them-social/trunk/readme.txt
r2733194
r2754749
4
4
Requires at least: 3.6.0
5
5
Tested up to: 6.0
6
Stable tag: 2.9.8.5
6
Stable tag: 2.9.8.6
7
7
License: GPLv2 or later
8
8
…
…
73
73
74
74
\== Changelog ==
75
\= Version 2.9.8.6 Monday, July 11th, 2022 =
76
\* FIX: Facebook Feed: Share option was throwing invalid APP ID error.
77
\* FIX: XSS Vulnerability: Instagram Refresh Token.
78
\* FIX: Phar Vulnerability: Twitter Share url check.
79
75
80
\= Version 2.9.8.5 Saturday, May 28th, 2022 =
76
81
\* FIX: Combined Streams: Twitter User Name not linking properly.