Headline
CVE-2022-2108: Changeset 2742109 – WordPress Plugin Repository
The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site. Changeset 2742109 (released as version 2.8.4) adds nonce verification, an `is_user_logged_in()` guard on the front-end review handlers and a capability check on the admin settings handlers.
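--- a/review-buddypress-groups/trunk/assets/js/bgr-front.js
+++ b/review-buddypress-groups/trunk/assets/js/bgr-front.js
@@ -133,4 +133,5 @@
 {
 action: "bgr_submit_review",
+nonce: bgr_front_js_object.wbcom_nonce,
 data: jQuery(this).serialize(),
 },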
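Review bot: Only the `bgr_submit_review` payload gains `nonce: bgr_front_js_object.wbcom_nonce` here, while the PHP side of this changeset now rejects a missing nonce in bgr_accept_review, bgr_deny_review and bgr_remove_review as well (an empty `$nonce` fails `wp_verify_nonce`, and `wp_send_json_error` ends the request), so the AJAX calls for those actions in this file must carry the same field or they will start failing for legitimate members; whether they already do is outside this hunk. The enclosing jQuery.ajax call starts before the hunk. A one-line comment on the new line would save the next person a search, e.g. `// required: every bgr_* handler in bgr-ajax.php verifies the 'ajax-nonce' action`.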
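--- a/review-buddypress-groups/trunk/includes/bgr-ajax.php
+++ b/review-buddypress-groups/trunk/includes/bgr-ajax.php
@@ -334,8 +334,10 @@
 */
 public function bgr_admin_approve_review() {
-if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'ajax-nonce' ) ) {
-exit();
-}
-if ( isset( $_POST['action'] ) && $_POST['action'] == 'bgr_admin_approve_review' ) {
+$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
+if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'ajax-nonce' ) ) {
+$error = new WP_Error( '001', 'Nonce not verified!', 'Some information' );
+wp_send_json_error( $error );
+}
+if ( isset( $_POST['action'] ) && 'bgr_admin_approve_review' === $_POST['action'] && current_user_can( 'administrator' ) ) {
 $rid = isset( $_POST['review_id'] ) ? sanitize_text_field( wp_unslash( $_POST['review_id'] ) ) : '';
 $args = array(
@@ -357,8 +359,10 @@
 */
 public function bgr_save_admin_criteria_settings() {
-if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'ajax-nonce' ) ) {
-exit();
-}
-if ( isset( $_POST['action'] ) && $_POST['action'] === 'bgr_save_admin_criteria_settings' ) {
+$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
+if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'ajax-nonce' ) ) {
+$error = new WP_Error( '001', 'Nonce not verified!', 'Some information' );
+wp_send_json_error( $error );
+}
+if ( isset( $_POST['action'] ) && 'bgr_save_admin_criteria_settings' === $_POST['action'] && current_user_can( 'administrator' ) ) {
 
 $rating_fields = isset( $_POST['field_values'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['field_values'] ) ) : '';
@@ -385,9 +389,10 @@
 */
 public function bgr_save_admin_general_settings() {
-
-if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'ajax-nonce' ) ) {
-exit();
-}
-if ( isset( $_POST['action'] ) && $_POST['action'] === 'bgr_save_admin_general_settings' ) {
+$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
+if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'ajax-nonce' ) ) {
+$error = new WP_Error( '001', 'Nonce not verified!', 'Some information' );
+wp_send_json_error( $error );
+}
+if ( isset( $_POST['action'] ) && 'bgr_save_admin_general_settings' === $_POST['action'] && current_user_can( 'administrator' ) ) {
 $multi_reviews = isset( $_POST['multi_reviews'] ) ? sanitize_text_field( wp_unslash( $_POST['multi_reviews'] ) ) : '';
 $auto_approve_reviews = isset( $_POST['bgr_auto_approve_reviews'] ) ? sanitize_text_field( wp_unslash( $_POST['bgr_auto_approve_reviews'] ) ) : '';
@@ -426,8 +431,10 @@
 */
 public function bgr_save_admin_display_settings() {
-if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'ajax-nonce' ) ) {
-exit();
-}
-if ( isset( $_POST['action'] ) && $_POST['action'] === 'bgr_save_admin_display_settings' ) {
+$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
+if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'ajax-nonce' ) ) {
+$error = new WP_Error( '001', 'Nonce not verified!', 'Some information' );
+wp_send_json_error( $error );
+}
+if ( isset( $_POST['action'] ) && 'bgr_save_admin_display_settings' === $_POST['action'] && current_user_can( 'administrator' ) ) {
 
 $manage_review_label = isset( $_POST['manage_review_label'] ) ? sanitize_text_field( wp_unslash( $_POST['manage_review_label'] ) ) : '';
@@ -453,6 +460,11 @@
 */
 public function bgr_submit_review() {
-if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'ajax-nonce' ) ) {
-exit();
+$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
+if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'ajax-nonce' ) ) {
+$error = new WP_Error( '001', 'Nonce not verified!', 'Some information' );
+wp_send_json_error( $error );
+}
+if ( ! is_user_logged_in() ) {
+return false;
 }
 global $bp;
@@ -586,6 +598,11 @@
 */
 public function bgr_accept_review() {
-if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'ajax-nonce' ) ) {
-exit();
+$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
+if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'ajax-nonce' ) ) {
+$error = new WP_Error( '001', 'Nonce not verified!', 'Some information' );
+wp_send_json_error( $error );
+}
+if ( ! is_user_logged_in() ) {
+return false;
 }
 global $bgr;
@@ -625,6 +642,11 @@
 */
 public function bgr_deny_review() {
-if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'ajax-nonce' ) ) {
-exit();
+$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
+if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'ajax-nonce' ) ) {
+$error = new WP_Error( '001', 'Nonce not verified!', 'Some information' );
+wp_send_json_error( $error );
+}
+if ( ! is_user_logged_in() ) {
+return false;
 }
 global $bgr;
@@ -664,6 +686,11 @@
 */
 public function bgr_remove_review() {
-if ( isset( $_POST['nonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'ajax-nonce' ) ) {
-exit();
+$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
+if ( isset( $nonce ) && ! wp_verify_nonce( $nonce, 'ajax-nonce' ) ) {
+$error = new WP_Error( '001', 'Nonce not verified!', 'Some information' );
+wp_send_json_error( $error );
+}
+if ( ! is_user_logged_in() ) {
+return false;
 }
 $post_id = isset( $_POST['remove_review_id'] ) ? sanitize_text_field( wp_unslash( $_POST['remove_review_id'] ) ) : '';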
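--- a/review-buddypress-groups/trunk/includes/bgr-filters.php
+++ b/review-buddypress-groups/trunk/includes/bgr-filters.php
@@ -52,4 +52,7 @@
 */
 public function bgr_group_header_review_btn() {
+if ( ! is_user_logged_in() ) {
+return false;
+}
 global $bgr;
 $review_div = 'form';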
review-buddypress-groups/trunk/includes/bgr-grp-extn.php
r2729445
r2742109
38
38
\*/
39
39
public function init( $args = array() ) {
40
40
if ( ! is\_user\_logged\_in() ) {
41
return false;
42
}
41
43
global $bp;
42
44
global $bgr;
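Review bot: The guard at the top of init() bails before any of the group-extension setup that follows (the body continues past the hunk), which matches changelog item #120, but nothing at the guard says so and the method now returns `false` on one path and whatever the rest of init() returns on the other. Suggest a comment on the guard, e.g. `// No review tab for logged-out users (#120); authorization is enforced server-side in bgr-ajax.php.`, and a bare `return;` if the caller ignores the value.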
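--- a/review-buddypress-groups/trunk/includes/bgr-scripts.php
+++ b/review-buddypress-groups/trunk/includes/bgr-scripts.php
@@ -60,4 +60,5 @@
 'view_more_text' => esc_html__( 'View More..', 'bp-group-reviews' ),
 'view_less_text' => esc_html__( 'View Less..', 'bp-group-reviews' ),
+'wbcom_nonce' => wp_create_nonce( 'ajax-nonce' ),
 )
 );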
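Review bot: The nonce action `'ajax-nonce'` is generic: a nonce is valid for any handler that verifies the same action string, so this one token satisfies every bgr_* AJAX endpoint in bgr-ajax.php (the admin ones are additionally gated by the capability check) and would equally satisfy any other plugin on the site that happens to verify `'ajax-nonce'`. A plugin-specific action such as `'bgr-ajax-nonce'`, changed in lock-step in the wp_verify_nonce calls in bgr-ajax.php, removes that overlap. Note also that wp_create_nonce() returns a nonce for logged-out visitors as well (user ID 0), so localizing it here does not by itself limit the endpoints to members; the `is_user_logged_in()` checks in bgr-ajax.php are what do that, and a comment on this line saying so would stop someone from relying on the nonce for authorization later.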
review-buddypress-groups/trunk/readme.txt
r2709110
r2742109
4
4
Tags: buddypress, groups
5
5
Requires at least: 4.0
6
Tested up to: 5.9.3
7
Stable tag: 2.8.3
6
Tested up to: 6.0.0
7
Stable tag: 2.8.4
8
8
License: GPLv2 or later
9
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
105
105
106
106
== Changelog ==
107
= 2.8.4 =
108
* Fix: Fixed security issue and added capability checks
109
* Fix: (#120) Hide add review tab for the logged-out user
110
107
111
= 2.8.3 =
108
112
* Fix: Fixed double activity is generating when auto approval is disabled
review-buddypress-groups/trunk/review-bp-grps.php
r2712351
r2742109
16
16
* Plugin URI: https://wbcomdesigns.com/contact/
17
17
* Description: This plugin allows the BuddyPress Members to give reviews to the BuddyPress groups on the site. The review form allows the users to give text review, even rate the group on the basis of multiple criterias.
18
* Version: 2.8.3
18
* Version: 2.8.4
19
19
* Author: Wbcom Designs
20
20
* Author URI: http://wbcomdesigns.com