CVE-2023-5201: shortcodes.php in thesis-openhook/tags/4.3.1/inc – WordPress Plugin Repository
The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above to execute code on the server. This requires the [php] shortcode setting to be enabled on the vulnerable site.
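<?php
/**
 * Contains shortcode functions
 *
 * @since 4.0
 */

# Prevent direct access to this file: when this is the only included file,
# it was requested directly instead of being loaded by WordPress.
if ( 1 == count( get_included_files() ) ) {
	header( 'HTTP/1.1 403 Forbidden' );
	return;
}

/**
 * Shortcode handlers registered by OpenHook: [php], [email], [globals], [snap].
 *
 * Each method receives the raw shortcode attributes (an array, or an empty
 * string when the shortcode has none) and, where applicable, the enclosed
 * content; each returns the markup to substitute for the shortcode.
 */
class OpenHook_ShortCodes {
	/**
	 * PHP shortcode to process PHP in posts
	 *
	 * The shortcode body is passed to eval() verbatim, so any content that
	 * gets past the author_can() gate below runs as PHP on the server. Every
	 * code path into this method is therefore a code-execution path; keep the
	 * gate as it is and do not add new entry points.
	 *
	 * @global object $openhook Main OpenHook class object
	 *
	 * @param array|string $atts    Shortcode attributes (unused).
	 * @param string|null  $content Raw PHP/HTML between the shortcode tags.
	 * @return string|null Buffered output of the evaluated content, or null
	 *                     when the request is Ajax or the post author lacks
	 *                     the configured capability.
	 */
	public function php( $atts, $content = null ) {
		global $openhook;

		# Prevent access to the shortcode via Ajax.
		# NOTE(review): presumably because Ajax handlers can render shortcodes
		# without the normal post context the author check below relies on.
		if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
			return;
		}

		# Only process this shortcode if the author of the post has the authority.
		# author_can() checks the capability of the post's *author*, not of the
		# current user, so a post must be in context for this to pass.
		if ( ! author_can( get_the_ID(), $openhook->get_auth_level() ) ) {
			return;
		}

		# Buffer the output of the PHP as we don't want to echo anything here
		ob_start();

		# SECURITY: eval() of post content. This is the plugin's intended
		# feature and is gated only by the author_can() check above.
		# NOTE(review): on PHP 7+ a syntax error in $content throws ParseError,
		# which leaves this method with the output buffer still open — confirm
		# whether callers tolerate that.
		eval( "?>$content<?php " );

		return ob_get_clean();
	}

	/**
	 * Obfuscates a given email address to provide additional protection
	 * against email harvesters
	 *
	 * @param array|string $atts    Shortcode attributes (unused).
	 * @param string|null  $content Email address between the shortcode tags.
	 * @return string The address as returned by antispambot().
	 */
	public function email( $atts, $content = null ) {
		return antispambot( $content );
	}

	/**
	 * Global custom fields, adapted from
	 * http://digwp.com/2009/09/global-custom-fields/
	 *
	 * Reads a custom field from the post configured as the "global source"
	 * in the plugin's shortcode options.
	 *
	 * @param array|string $atts Shortcode attributes; only 'key' is used.
	 * @return mixed Value from get_post_meta(), or null when no key or no
	 *               source page is configured.
	 */
	public function globals( $atts ) {
		# Get the desired key. Read it explicitly instead of extract()-ing the
		# attribute array into local variables: shortcode_atts() already limits
		# the keys, but explicit access keeps the variable set visible.
		$parsed = shortcode_atts( array( 'key' => false ), $atts );
		$key    = $parsed['key'];

		# Determine the source of our global values
		$options = get_option( 'openhook_shortcodes' );
		$source  = ( isset( $options['global_source'] ) && $options['global_source'] ) ? $options['global_source'] : false;

		# Only attempt to pull a global if both a key & source page are set
		# ((string) false is '' and therefore falsy).
		if ( (string) $key && $source ) {
			return get_post_meta( $source, $key, true );
		}

		return;
	}

	/**
	 * [snap] - Website snapshot shortcode
	 *
	 * Builds an <img> tag that points at the s.wordpress.com mShots service for
	 * the given URL. Every attribute is validated or escaped before it is
	 * placed in the tag.
	 *
	 * @via https://www.rickbeckman.org/
	 * @inspiredby http://www.geekeries.fr/snippet/creer-automatiquement-miniatures-sites-wordpress/
	 *
	 * @param array|string $atts    Shortcode attributes: url, alt, w, h, class.
	 * @param string|null  $content Unused.
	 * @return string The <img> markup.
	 */
	public function snap( $atts, $content = null ) {
		# Default values
		$defaults = [
			'url'   => 'https://www.example.com/',                  # URL to be snapshotted
			'alt'   => __( 'Website Snapshot', 'thesis-openhook' ), # Alt text for snapshot image
			'w'     => 400,                                         # Width of snapshot
			'h'     => 300,                                         # Height of snapshot
			'class' => '',                                          # CSS class(es), space separated
		];

		# Parse attributes
		$atts = shortcode_atts( $defaults, $atts, 'snap' ); # @filter: shortcode_atts_snap

		# Sanity checks to ensure proper variables. A URL that fails
		# wp_http_validate_url() falls back to the default instead of being
		# passed through; width/height of 0 fall back to the defaults too.
		$url   = urlencode( wp_http_validate_url( $atts['url'] ) ?: $defaults['url'] );
		$alt   = esc_attr( $atts['alt'] );
		$w     = absint( $atts['w'] ) ?: $defaults['w'];
		$h     = absint( $atts['h'] ) ?: $defaults['h'];
		$class = ! empty( $atts['class'] ) ? esc_attr( $atts['class'] ) . ' website_snapshot' : 'website_snapshot';

		# Put together our IMG tag to be output, with final data sanitation
		$img = '<img src="https://s.wordpress.com/mshots/v1/' . $url . '?w=' . $w . '&h=' . $h . '" alt="' . $alt . '" class="' . $class . '">';

		return $img;
	}
}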