CVE-2021-24920: Changeset 2664933 – WordPress Plugin Repository
The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
official-statcounter-plugin-for-wordpress/trunk/StatCounter-Wordpress-Plugin.php
r1808879
r2664933
2
2
/*
3
3
* Plugin Name: Official StatCounter Plugin
4
* Version: 2.0.6
4
* Version: 2.0.7
5
5
* Plugin URI: http://statcounter.com/
6
6
* Description: Adds the StatCounter tracking code to your blog. <br>To get setup: 1) Activate this plugin 2) Enter your StatCounter Project ID and Security Code in the <a href="options-general.php?page=StatCounter-Wordpress-Plugin.php"><strong>options page</strong></a>.
…
…
74
74
75
75
// Update the Project ID
76
$sc\_project = trim($\_POST\[key\_sc\_project\]);
77
if ($sc\_project == '') {
78
$sc\_project = sc\_project\_default;
79
}
80
update\_option(key\_sc\_project, $sc\_project);
76
$sc\_project = sanitize\_text\_field(trim($\_POST\[key\_sc\_project\]));
77
if (ctype\_digit($sc\_project) == 0) {
78
echo "<script>alert('Project ID should be numbers only')</script>";
79
} else {
80
if ($sc\_project == '') {
81
$sc\_project = sc\_project\_default;
82
}
83
if (strlen($sc\_project) > 16) {
84
echo "<script>alert('Project ID is invalid')</script>";
85
} else {
86
update\_option(key\_sc\_project, $sc\_project);
87
}
88
}
81
89
82
90
// Update the Security ID
83
$sc\_security = trim($\_POST\[key\_sc\_security\]);
84
if ($sc\_security =='') {
85
$sc\_security = sc\_security\_default;
86
}
87
update\_option(key\_sc\_security, $sc\_security);
91
$sc\_security = sanitize\_text\_field(trim($\_POST\[key\_sc\_security\]));
92
$sc\_security = str\_replace('"', '', $sc\_security);
93
$sc\_security = stripslashes($sc\_security);
94
if (ctype\_alnum(trim($sc\_security, '"')) == 0) {
95
echo "<script>alert('Security code should be numbers and letters only')</script>";
96
} else {
97
if ($sc\_security =='') {
98
$sc\_security = sc\_security\_default;
99
}
100
if (strlen($sc\_security) > 16) {
101
echo "<script>alert('Security code is invalid')</script>";
102
} else {
103
update\_option(key\_sc\_security, $sc\_security);
104
}
105
}
88
106
89
107
// Update the position
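Review bot: The empty-value fallbacks in both branches are now unreachable: `ctype_digit('')` and `ctype_alnum('')` both return false, so an empty Project ID or Security Code lands on the "numbers only" / "numbers and letters only" alert instead of on `sc_project_default` / `sc_security_default`; test for the empty string before calling `ctype_*`, or drop the dead `if ($sc_project == '')` and `if ($sc_security == '')` blocks. In the Security Code branch, `trim($sc_security, '"')` on line 94 is redundant once line 92 has already removed every `"`, and `stripslashes()` runs after `sanitize_text_field()` although WordPress slashes `$_POST`; unslash first (`wp_unslash()`), then sanitize. Neither ordering weakens the check, since any leftover backslash fails `ctype_alnum` and the update is skipped, but the rejected value stays in `$sc_project` / `$sc_security` for the rest of the request rather than being reloaded from the stored option.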
…
…
227
245
<script>
228
246
<!--
229
var sc\_project=<?php echo $sc\_project; ?>;
230
var sc\_security="<?php echo $sc\_security; ?>";
247
var sc\_project=<?php echo esc\_html($sc\_project); ?>;
248
var sc\_security="<?php echo esc\_html($sc\_security); ?>";
231
249
<?php
232
250
if($sc\_invisible==1) {
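Review bot: `esc_html()` is an HTML-context escaper used here inside a `<script>` block (lines 247 and 248); the context-appropriate choices are an integer cast for the unquoted numeric `sc_project` (`(int) $sc_project` or `absint()`) and `esc_js()` or `wp_json_encode()` for the quoted `sc_security` string. As written it does stop the reported break-out, because `"`, `<` and `>` become entities that the browser does not decode inside a script element, but that is a side effect of the wrong escaper rather than JavaScript escaping, and the output path does not benefit from the digit/alnum validation added on save unless the stored option was written by 2.0.7.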
…
…
259
277
}
260
278
}?>
261
<noscript><div class="statcounter"><a title="web analytics" href="<?php echo $protocol; ?>//statcounter.com/"><img class="statcounter" src="<?php echo $protocol; ?>//c.statcounter.com/<?php echo $sc\_project; ?>/0/<?php echo $sc\_security; ?>/<?php echo $sc\_invisible; ?>/" alt="web analytics" /></a></div></noscript>
279
<noscript><div class="statcounter"><a title="web analytics" href="<?php echo $protocol; ?>//statcounter.com/"><img class="statcounter" src="<?php echo $protocol; ?>//c.statcounter.com/<?php echo esc\_html($sc\_project); ?>/0/<?php echo $sc\_security; ?>/<?php echo $sc\_invisible; ?>/" alt="web analytics" /></a></div></noscript>
262
280
<!-- End of StatCounter Code -->
263
281
<?php
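Review bot: Line 279 escapes `$sc_project` but leaves `$sc_security` and `$sc_invisible` unescaped in the same `src` attribute; all three should be handled the same way, and for an attribute value the escaper is `esc_attr()` (or assemble the URL and pass it through `esc_url()`), not `esc_html()`. The `href` and `src` prefixes built from `$protocol` on the same line are also emitted without escaping.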
official-statcounter-plugin-for-wordpress/trunk/readme.txt
r2545594
r2664933
4
4
Tags: web, statistics, stats, hit, counter, visitor, ip, tracker, analytics
5
5
Requires at least: 2.0.2
6
Tested up to: 5.7
7
Stable tag: 2.0.6
6
Tested up to: 5.8.3
7
Stable tag: 2.0.7
8
8
License: GPLv2 or later
9
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
70
70
71
71
== Changelog ==
72
= 2.0.7 =
73
Added additional sanitation to prevent XSS attacks
74
72
75
= 2.0.6 =
73
76
Readme fix
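Review bot: "sanitation" in the 2.0.7 changelog entry (line 73) should read "sanitization"; the same wording is repeated in the Upgrade Notice entry, so correct both together.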
…
…
142
145
== Upgrade Notice ==
143
146
147
= 2.0.7 =
148
Added additional sanitation to prevent XSS attacks
149
144
150
= 1.6.9 =
145
151
Fixed small bug with form