CVE-2023-2608: Diff [2905353:2910686] for multiple-pages-generator-by-porthas/trunk – WordPress Plugin Repository
The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projects_list function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries leading to resource exhaustion via a forged request granted they can trick an administrator into performing an action such as clicking on a link. Version 3.3.18 addresses the SQL Injection, which drastically reduced the severity.
Location:
multiple-pages-generator-by-porthas/trunk
Files:
- controllers/CoreController.php (4 diffs)
- controllers/ProjectsListManage.php (2 diffs)
- controllers/SearchController.php (1 diff)
- frontend/js/components/page-builder.js (2 diffs)
- frontend/js/components/spintax.js (2 diffs)
- porthas-multi-pages-generator.php (1 diff)
- readme.txt (1 diff)
- vendor/autoload.php (1 diff)
- vendor/composer/autoload_real.php (2 diffs)
- vendor/composer/autoload_static.php (2 diffs)
- vendor/composer/installed.php (2 diffs)
- views/project-builder/main/index.php (2 diffs)
- views/project-builder/spintax/index.php (1 diff)
- views/projects-list/projects.php (1 diff)
multiple-pages-generator-by-porthas/trunk/controllers/CoreController.php
r2905353
r2910686
248
248
$atts = array\_change\_key\_case((array) $atts, CASE\_LOWER);
249
249
250
if (isset($atts\['limit'\])) {
250
if ( isset( $atts\['limit'\] ) ) {
251
251
// фикс из-за того, что человек пишет лимит = 2, а получает 3 результата, ведь отсчет в массивах начинается с 0
252
252
$atts\['limit'\] = (int) $atts\['limit'\] - 1;
…
…
451
451
}
452
452
453
if ($limit && count($shortcode\_response\_data) > $limit) {
453
if ( ! is\_null( $limit ) && count( $shortcode\_response\_data ) > $limit ) {
454
454
break;
455
455
}
…
…
640
640
}
641
641
642
if (count($shortcode\_response\_data) > $limit) {
642
if ( ! is\_null( $limit ) && count( $shortcode\_response\_data ) > $limit ) {
643
643
break;
644
644
}
…
…
693
693
694
694
695
if (count($shortcode\_response\_data) > $limit) {
695
if ( ! is\_null( $limit ) && count( $shortcode\_response\_data ) > $limit ) {
696
696
break;
697
697
}
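Review bot: The limit is still decremented on line 252 (`$atts['limit'] = (int) $atts['limit'] - 1;`) before the four `count( ... ) > $limit` comparisons this change touches, and the only explanation of that offset is the Russian comment on line 251; an English comment next to it such as `// $limit is kept zero-based so that limit="2" yields two results in the count() > $limit checks below` would make the invariant visible where it is consumed. With `limit="0"` or a non-numeric value the adjusted limit becomes -1, and `count( ... ) > -1` is true on the first iteration, so the loop exits immediately; whether that produces zero or one item depends on where the break sits relative to the append, which is outside these hunks. The same `! is_null( $limit ) &&` guard was added at 453, 642 and 695, so the behaviour is at least uniform. The enclosing functions start and end outside the hunks.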
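--- a/multiple-pages-generator-by-porthas/trunk/controllers/ProjectsListManage.php
+++ b/multiple-pages-generator-by-porthas/trunk/controllers/ProjectsListManage.php
@@ -27,4 +27,5 @@
 $where = '';
 if ( ! empty( $search ) ) {
+$search = $wpdb::esc_like( $search );
 $where .= " WHERE name LIKE '%$search%'";
 }
@@ -32,11 +33,14 @@
 $orderby = 'ORDER BY name DESC';
 if ( ! empty( $_GET['orderby'] ) && ! empty( $_GET['order'] ) ) {
-$orderby = sanitize_text_field( wp_unslash( $_GET['orderby'] ) );
-$order = strtoupper( sanitize_text_field( wp_unslash( $_GET['order'] ) ) );
-$orderby = "ORDER by $orderby $order";
+$get_orderby = sanitize_text_field( wp_unslash( $_GET['orderby'] ) );
+$order = strtoupper( sanitize_text_field( wp_unslash( $_GET['order'] ) ) );
+if ( in_array( $get_orderby, array( 'name', 'created_at' ), true ) && in_array( $order, array( 'DESC', 'ASC' ), true ) ) {
+$orderby = "ORDER by $get_orderby $order";
+}
 }
-$where .= " $orderby LIMIT $per_page OFFSET $paged";
-$table_name = $wpdb->prefix . MPG_Constant::MPG_PROJECTS_TABLE;
-$retrieve_data = $wpdb->get_results( "SELECT * FROM $table_name" . $where ); // phpcs:ignore
+$where .= sprintf( ' %s LIMIT %d OFFSET %d', $orderby, $per_page, $paged );
+$table_name = $wpdb->prefix . MPG_Constant::MPG_PROJECTS_TABLE;
+// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.PreparedSQL.NotPrepared, WordPress.DB.DirectDatabaseQuery
+$retrieve_data = $wpdb->get_results( "SELECT * FROM $table_name" . $where );
 return $retrieve_data;
 }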
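Review bot: The new `$wpdb::esc_like( $search )` on line 29 only escapes the LIKE wildcards (`%`, `_`, `\`); it does not quote the value, so a `'` inside `$search` still terminates the string literal in `" WHERE name LIKE '%$search%'"` on line 30, and the phpcs:ignore added on line 43 suppresses exactly the warning that would have pointed at it. The WordPress idiom is to let prepare() do the quoting and esc_like() only the wildcard escaping: `$where .= $wpdb->prepare( ' WHERE name LIKE %s', '%' . $wpdb->esc_like( $search ) . '%' );` in place of lines 29–30. Separately, esc_like() is, as far as I know, a non-static method on wpdb, and `$wpdb::esc_like()` invokes it statically, which PHP 8 rejects at runtime with an Error — `$wpdb->esc_like( $search )` is the intended form. The strict allow-lists for orderby/order on line 37 and the `%d` placeholders on line 41 are the right pattern; the nonce-verification side of the advisory is not visible in this hunk, and the enclosing function begins outside it, so where `$search` originates and whether the caller is nonce-checked cannot be confirmed here.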
multiple-pages-generator-by-porthas/trunk/controllers/SearchController.php
r2905353
r2910686
154
154
$limit = isset($args\['limit'\]) ? (int) $args\['limit'\] : 10;
155
155
$base\_url = isset($atts\['base-url'\]) ? (string) $atts\['base-url'\] : MPG\_Helper::mpg\_get\_base\_url(true);
156
$case\_sensitive = isset($args\['case\_sensitive'\]) ?? $args\['case\_sensitive'\] === '1';
156
$case\_sensitive = isset( $args\['case\_sensitive'\] ) && $args\['case\_sensitive'\] === '1' ? true : false;
157
157
158
158
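Review bot: `? true : false` on the new line 156 is redundant, because `isset( ... ) && ... === '1'` already evaluates to a bool; `$case_sensitive = isset( $args['case_sensitive'] ) && $args['case_sensitive'] === '1';` expresses the same thing. The strict comparison with the string `'1'` also means a boolean `true` or integer `1` in `$args` is treated as case-insensitive, which is fine if `$args` always carries string shortcode attributes but deserves a one-line comment saying so. Line 155 reads `$atts['base-url']` while the neighbouring lines read `$args`; if `$atts` is not defined in this scope the default branch always wins — worth confirming against the enclosing function, which begins outside the hunk.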
multiple-pages-generator-by-porthas/trunk/frontend/js/components/page-builder.js
r2905353
r2910686
197
197
}
198
198
199
jQuery( this ).next('span.spinner').addClass( 'is-active' );
200
jQuery( this ).attr( 'disabled', true );
199
201
200
202
let dataObject = {
…
…
467
469
const templateId = jQuery('#mpg\_set\_template\_dropdown').val();
468
470
const applyCondition = jQuery('#mpg\_apply\_condition').val();
469
471
const submitButton = jQuery( this ).find( 'button' );
472
submitButton.next('span.spinner').addClass( 'is-active' );
473
submitButton.attr( 'disabled', true );
470
474
let response = await jQuery.post(ajaxurl, {
471
475
action: 'mpg\_upsert\_project\_main',
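Review bot: The new lines 199–200 and 472–473 disable the button and start the spinner before `await jQuery.post(...)`, but no matching `removeAttr( 'disabled' )` appears in either hunk; if the request rejects (network error, non-2xx), control leaves the handler at the `await` and the button stays disabled until the page is reloaded. Wrapping the post in `try { ... } finally { submitButton.removeAttr( 'disabled' ); submitButton.next( 'span.spinner' ).removeClass( 'is-active' ); }` restores the UI on every path. The same applies to spintax.js, where the reset on its lines 28–29 runs only on the success path. The enclosing handlers start and end outside the hunks, so a reset further down cannot be ruled out from here.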
multiple-pages-generator-by-porthas/trunk/frontend/js/components/spintax.js
r2905353
r2910686
9
9
10
10
const spintaxString = inputTextarea.val();
11
12
jQuery( this ).next('span.spinner').addClass( 'is-active' );
13
jQuery( this ).attr( 'disabled', true );
11
14
12
15
const spintaxRawResponse = await jQuery.post(ajaxurl, {
…
…
23
26
outputTextarea.html(spintaxResponse.data);
24
27
}
28
jQuery( this ).next('span.spinner').removeClass( 'is-active' );
29
jQuery( this ).removeAttr( 'disabled' );
25
30
});
26
31
multiple-pages-generator-by-porthas/trunk/porthas-multi-pages-generator.php
r2905353
r2910686
9
9
\* Author: Themeisle
10
10
\* Author URI: https://themeisle.com
11
\* Version: 3.3.17
11
\* Version: 3.3.18
12
12
\*/
13
13
if ( ! defined( 'ABSPATH' ) ) {
multiple-pages-generator-by-porthas/trunk/readme.txt
r2905353
r2910686
201
201
202
202
\== Changelog ==
203
204
##### Version 3.3.18 (2023-05-10)
205
206
\- Fixed project data-saving issue
207
\- Fixed shortcode limit attribute issue
208
\- PHP versions compatibility
209
\- Enhanced security
210
211
212
203
213
204
214
##### Version 3.3.17 (2023-04-20)
multiple-pages-generator-by-porthas/trunk/vendor/autoload.php
r2905353
r2910686
23
23
require\_once \_\_DIR\_\_ . '/composer/autoload\_real.php';
24
24
25
return ComposerAutoloaderInit82e69c55f23ccad60a724bc03493275d::getLoader();
25
return ComposerAutoloaderInit8243251c19e227487d0b043ae59a733a::getLoader();
multiple-pages-generator-by-porthas/trunk/vendor/composer/autoload_real.php
r2905353
r2910686
3
3
// autoload\_real.php @generated by Composer
4
4
5
class ComposerAutoloaderInit82e69c55f23ccad60a724bc03493275d
5
class ComposerAutoloaderInit8243251c19e227487d0b043ae59a733a
6
6
{
7
7
private static $loader;
…
…
23
23
}
24
24
25
spl\_autoload\_register(array('ComposerAutoloaderInit82e69c55f23ccad60a724bc03493275d', 'loadClassLoader'), true, true);
25
spl\_autoload\_register(array('ComposerAutoloaderInit8243251c19e227487d0b043ae59a733a', 'loadClassLoader'), true, true);
26
26
self::$loader = $loader = new \\Composer\\Autoload\\ClassLoader(\\dirname(\_\_DIR\_\_));
27
spl\_autoload\_unregister(array('ComposerAutoloaderInit82e69c55f23ccad60a724bc03493275d', 'loadClassLoader'));
27
spl\_autoload\_unregister(array('ComposerAutoloaderInit8243251c19e227487d0b043ae59a733a', 'loadClassLoader'));
28
28
29
29
require \_\_DIR\_\_ . '/autoload\_static.php';
30
call\_user\_func(\\Composer\\Autoload\\ComposerStaticInit82e69c55f23ccad60a724bc03493275d::getInitializer($loader));
30
call\_user\_func(\\Composer\\Autoload\\ComposerStaticInit8243251c19e227487d0b043ae59a733a::getInitializer($loader));
31
31
32
32
$loader->register(true);
33
33
34
$filesToLoad = \\Composer\\Autoload\\ComposerStaticInit82e69c55f23ccad60a724bc03493275d::$files;
34
$filesToLoad = \\Composer\\Autoload\\ComposerStaticInit8243251c19e227487d0b043ae59a733a::$files;
35
35
$requireFile = \\Closure::bind(static function ($fileIdentifier, $file) {
36
36
if (empty($GLOBALS\['\_\_composer\_autoload\_files'\]\[$fileIdentifier\])) {
multiple-pages-generator-by-porthas/trunk/vendor/composer/autoload_static.php
r2905353
r2910686
5
5
namespace Composer\\Autoload;
6
6
7
class ComposerStaticInit82e69c55f23ccad60a724bc03493275d
7
class ComposerStaticInit8243251c19e227487d0b043ae59a733a
8
8
{
9
9
public static $files = array (
…
…
18
18
{
19
19
return \\Closure::bind(function () use ($loader) {
20
$loader->classMap = ComposerStaticInit82e69c55f23ccad60a724bc03493275d::$classMap;
20
$loader->classMap = ComposerStaticInit8243251c19e227487d0b043ae59a733a::$classMap;
21
21
22
22
}, null, ClassLoader::class);
multiple-pages-generator-by-porthas/trunk/vendor/composer/installed.php
r2905353
r2910686
2
2
'root' => array(
3
3
'name' => 'codeinwp/multi-pages-plugin',
4
'pretty\_version' => 'v3.3.17',
5
'version' => '3.3.17.0',
6
'reference' => '158f7152ad369b234b6c74bb0690f54bbbe282ad',
4
'pretty\_version' => 'v3.3.18',
5
'version' => '3.3.18.0',
6
'reference' => 'c8e30e0cf51f6894d26a8b4730240887cf69753e',
7
7
'type' => 'wordpress-plugin',
8
8
'install\_path' => \_\_DIR\_\_ . '/../../',
…
…
12
12
'versions' => array(
13
13
'codeinwp/multi-pages-plugin' => array(
14
'pretty\_version' => 'v3.3.17',
15
'version' => '3.3.17.0',
16
'reference' => '158f7152ad369b234b6c74bb0690f54bbbe282ad',
14
'pretty\_version' => 'v3.3.18',
15
'version' => '3.3.18.0',
16
'reference' => 'c8e30e0cf51f6894d26a8b4730240887cf69753e',
17
17
'type' => 'wordpress-plugin',
18
18
'install\_path' => \_\_DIR\_\_ . '/../../',
multiple-pages-generator-by-porthas/trunk/views/project-builder/main/index.php
r2905353
r2910686
88
88
<div class="save-changes-block" style="border-bottom: 1px solid silver;">
89
89
<button type="submit" class=" blue-gradient-btn btn btn-primary"><?php \_e('Save changes', 'mpg'); ?></button>
90
<span class="spinner"></span>
90
91
</div>
91
92
…
…
362
363
<div class="save-changes-block">
363
364
<button class="save-changes btn btn-primary"><?php \_e('Save changes', 'mpg'); ?></button>
365
<span class="spinner"></span>
364
366
</div>
365
367
multiple-pages-generator-by-porthas/trunk/views/project-builder/spintax/index.php
r2905353
r2910686
13
13
</div>
14
14
<div class="save-changes-block">
15
<input type="button" id="mpg\_spin" class="btn btn-primary" value="<?php \_e('Spin!', 'mpg'); ?>" />
15
<div class="mpg-spin-btn">
16
<input type="button" id="mpg\_spin" class="btn btn-primary" value="<?php \_e('Spin!', 'mpg'); ?>" />
17
<span class="spinner"></span>
18
</div>
16
19
17
20
<input type="button" class="copy-spintax-output btn btn-outline-primary" value="<?php \_e('Copy expression', 'mpg'); ?>" />
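Review bot: The moved `<input ... value="<?php _e('Spin!', 'mpg'); ?>" />` on the new line 16 prints the translated string inside an HTML attribute without escaping; the WordPress convention for attribute context is `esc_attr_e( 'Spin!', 'mpg' )`, and the neighbouring `_e('Copy expression', 'mpg')` on line 20 would follow the same rule. Translation strings come from the site's own language files, so this is a coding-standards and hardening point rather than a live injection path.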
multiple-pages-generator-by-porthas/trunk/views/projects-list/projects.php
r2905353
r2910686
13
13
'page',
14
14
'mpg-dataset-library',
15
admin\_url( 'admin.php' ),
15
admin\_url( 'admin.php' )
16
16
);
17
17
?>