Headline
CVE-2023-1509: gmace.php in gmace/trunk – WordPress Plugin Repository
The GMAce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.2. This is due to missing nonce validation on the gmace_manager_server function called via the wp_ajax_gmace_manager AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
1<?php2/*3 Plugin Name: GMAce4 Plugin URI: http://wordpress.org/plugins/gmace/5 Description: Free PHP-editor code Wordpress. A variety of themes, syntax highlighting and a built file manager6 Version: 1.5.17 Author: German Mesky8 Author URI: http://vk.com/dr.gmes9*/10define('GMACE_DIR’, plugin_dir_path(__FILE__));11define('GMACE_URL’, plugin_dir_url(__FILE__));12define('GMACEPATH’, ABSPATH);13141516if($_GET[‘gm-download-file’])17{18 include(ABSPATH . “/wp-includes/pluggable.php”);19 include(GMACE_DIR . “inc/download-manager.php”);20}21222324function gmace_init()25{26 if(!$_POST)27 {28 include(GMACE_DIR . “inc/filemanager.php”);29 }3031 if(file_exists(GMACE_DIR . “/inc/tmpflag”)) unlink(GMACE_DIR . “/inc/tmpflag”);32}33add_action('plugins_loaded’, ‘gmace_init’);34353637function gmace_add_to_menu()38{39 if(!is_user_logged_in() || !current_user_can(‘administrator’))40 {41 return;42 }43 44 $page = add_menu_page("GMAce Editor", "GMAce", 8, "gmace-editor", "gmace_spread_page", “dashicons-editor-code”);45 add_action('admin_print_scripts-'.$page, ‘gmace_enqueue_script’);46 47}48add_action('admin_menu’, ‘gmace_add_to_menu’);49505152function gmace_enqueue_script()53{54 if(!is_user_logged_in() || !current_user_can(‘administrator’))55 {56 return;57 }58 59 wp_enqueue_script(“jquery-ui-core”);60 61 wp_enqueue_script("gmace-emmet-core", GMACE_URL . “/assets/js/emmet.js”);62 wp_enqueue_script("gmace-ace-js", GMACE_URL . “/assets/js/ace/ace.js”);63 wp_enqueue_script("gmace-ace-emmet", GMACE_URL . “/assets/js/ace/ext-emmet.js”);64 wp_enqueue_script("gmace-ace-statusbar", GMACE_URL . “/assets/js/ace/ext-statusbar.js”);65 wp_enqueue_script("gmace-ace-language_tools", GMACE_URL . “/assets/js/ace/ext-language_tools.js”);66 wp_enqueue_script("gmace-head-js", GMACE_URL . "/assets/js/scripts.js", array(‘jquery’));67 68 wp_enqueue_style("gmace-head-styles", GMACE_URL . “/assets/css/style.css”);69 wp_enqueue_style('gmace-fontawesome’, “http://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css", “1.0”);70}71727374function gmace_spread_page()75{76 global $wpdb, $_GMACE_CCS;7778 include(GMACE_DIR . “inc/code-completer-array.php”);79 include(GMACE_DIR."inc/editor.php”);80}81828384function gmace_manager_client()85{86 include_once(GMACE_DIR . “inc/filemanager.php”);8788 gmace_manager_server($_POST[‘_op’]);89}90add_action('wp_ajax_gmace_manager’, ‘gmace_manager_client’);91?>