CVE-2020-36747: Changeset 2368387 for sidebar-manager – WordPress Plugin Repository

The Lightweight Sidebar Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation in the metabox_save() function: the nonce is only verified when the nonce field is present in the request, so a request that omits the field entirely is processed. This makes it possible for unauthenticated attackers to save metabox data via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
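To make the bypass concrete, here is an added example (not code from the plugin or from WordPress core) that reproduces the 1.1.4 and 1.1.5 predicates from metabox_save() as plain functions and runs three constructed requests through both. The `demo_create_nonce()`/`demo_verify_nonce()` helpers are a deliberately simplified HMAC stand-in for wp_create_nonce()/wp_verify_nonce() (real WordPress nonces also bind the user and a time tick), the `$post_type` argument replaces the call to get_post_type(), and the secret and request bodies are made up for the demo; everything else mirrors the changeset.

```php
<?php
// Added example: vulnerable (1.1.4) vs fixed (1.1.5) nonce checks from
// metabox_save(), exercised against constructed $_POST bodies.
// Not plugin or WordPress core code; nonce helpers below are stand-ins.

const BSF_SB_POST_TYPE = 'bsf-sidebar';
const NONCE_FIELD      = BSF_SB_POST_TYPE . '-nonce';

// Constructed secret; stands in for the WordPress salt/session material.
const DEMO_SECRET = 'constructed-secret-for-the-demo';

// Stand-in for wp_create_nonce(): HMAC over the action, truncated like WP does.
function demo_create_nonce(string $action): string
{
    return substr(hash_hmac('sha256', $action, DEMO_SECRET), 0, 10);
}

// Stand-in for wp_verify_nonce(): constant-time compare, false for non-strings.
function demo_verify_nonce($nonce, string $action): bool
{
    return is_string($nonce) && hash_equals(demo_create_nonce($action), $nonce);
}

// r2237571 (1.1.4) logic: the nonce is only verified when the field is set,
// so a request without the field falls through to the save.
function vulnerable_should_save(array $post, string $post_type): bool
{
    if ($post_type != BSF_SB_POST_TYPE
        || ( isset($post[NONCE_FIELD]) && ! demo_verify_nonce($post[NONCE_FIELD], BSF_SB_POST_TYPE) )
    ) {
        return false;
    }
    return true;
}

// r2368387 (1.1.5) logic: a missing nonce is rejected up front, and the
// remaining condition verifies it unconditionally.
function fixed_should_save(array $post, string $post_type): bool
{
    if ( ! isset($post[NONCE_FIELD]) ) {
        return false;
    }
    if ($post_type != BSF_SB_POST_TYPE
        || ! demo_verify_nonce($post[NONCE_FIELD], BSF_SB_POST_TYPE)
    ) {
        return false;
    }
    return true;
}

// Constructed request bodies: one legitimate, two forged.
$requests = [
    'legitimate (valid nonce)' => [NONCE_FIELD => demo_create_nonce(BSF_SB_POST_TYPE), 'title' => 'Footer sidebar'],
    'forged (nonce omitted)'   => ['title' => 'Attacker sidebar'],
    'forged (wrong nonce)'     => [NONCE_FIELD => 'deadbeef00', 'title' => 'Attacker sidebar'],
];

foreach ($requests as $label => $post) {
    printf(
        "%-26s 1.1.4 saves: %-4s 1.1.5 saves: %s\n",
        $label,
        vulnerable_should_save($post, BSF_SB_POST_TYPE) ? 'yes' : 'no',
        fixed_should_save($post, BSF_SB_POST_TYPE) ? 'yes' : 'no'
    );
}
```

Run it with `php csrf_demo.php`. The legitimate request is saved by both versions and the wrong-nonce request by neither; the request that omits the nonce field altogether is saved by the 1.1.4 logic and rejected by 1.1.5, and that omitted-field request is exactly the forged request the advisory describes, since a cross-site form can post whatever fields it likes but cannot obtain the administrator's nonce.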


Timestamp: 08/25/2020 07:21:48 AM
Author: brainstormworg
Message: Update to version 1.1.5 from GitHub
Location: sidebar-manager

Files:

  • tags/1.1.5 (copied from sidebar-manager/trunk)
  • tags/1.1.5/classes/class-bsf-sb-metabox.php (1 diff)
  • tags/1.1.5/readme.txt (2 diffs)
  • tags/1.1.5/sidebar-manager.php (2 diffs)
  • trunk/classes/class-bsf-sb-metabox.php (1 diff)
  • trunk/readme.txt (2 diffs)
  • trunk/sidebar-manager.php (2 diffs)


  • sidebar-manager/tags/1.1.5/classes/class-bsf-sb-metabox.php

    r2237571

    r2368387

82

82

        public function metabox\_save( $post\_id ) {

83

83

 

84

            if( ! isset( $\_POST\[ BSF\_SB\_POST\_TYPE . '-nonce' \] ) ) {

 

85

                return;

 

86

            }

 

87

84

88

            if ( get\_post\_type() != BSF\_SB\_POST\_TYPE

85

 

                || ( isset( $\_POST\[ BSF\_SB\_POST\_TYPE . '-nonce' \] ) && ! wp\_verify\_nonce( $\_POST\[ BSF\_SB\_POST\_TYPE . '-nonce' \], BSF\_SB\_POST\_TYPE ) )

 

89

                || ! wp\_verify\_nonce( $\_POST\[ BSF\_SB\_POST\_TYPE . '-nonce' \], BSF\_SB\_POST\_TYPE )

86

90

            ) {

87

91

                return $post\_id;
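Review bot: The r2237571 condition `( isset( $_POST[ BSF_SB_POST_TYPE . '-nonce' ] ) && ! wp_verify_nonce( ... ) )` only verified the nonce when the field happened to be present, so a forged request that simply omitted `bsf-sidebar-nonce` short-circuited the check and fell through to the save; the new early `return` on `! isset( ... )` closes that, and the remaining branch now calls `wp_verify_nonce()` unconditionally, which is the correct shape. Two things to tidy in the same hunk: the early exit uses `return;` while the existing guard uses `return $post_id;` (harmless on a save_post callback, but pick one), and no capability check such as `current_user_can( 'edit_post', $post_id )` is visible here; if none follows later in metabox_save(), a valid nonce should not be the only gate, since a nonce proves intent, not permission. This hunk is byte-identical to the trunk copy of the same file further down.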
  • sidebar-manager/tags/1.1.5/readme.txt

    r2363849

    r2368387

5

5

Requires at least: 4.0

6

6

Tested up to: 5.5

7

 

Stable tag: 1.1.4

 

7

Stable tag: 1.1.5

8

8

License: GPLv2 or later

9

9

License URI: https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

52

52

\== Changelog ==

53

53

 

54

\= 1.1.5 =

 

55

\- Fix: Security hardening.

 

56

54

57

\= 1.1.4 =

55

58

\- Fix: Fixed compatibility with other plugins with respect to the admin notice.
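Review bot: The new changelog entry `- Fix: Security hardening.` does not say what was hardened. Since this release closes a CSRF in metabox_save() (nonce not verified when the field was absent), say so, e.g. `- Fix: Verify nonce before saving sidebar metabox data (CSRF).`, so site owners reading the readme can tell that 1.1.5 is a security update worth applying promptly rather than a routine release. The Stable tag bump to 1.1.5 agrees with the Version header and BSF_SB_VER in sidebar-manager.php.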
  • sidebar-manager/tags/1.1.5/sidebar-manager.php

    r2363849

    r2368387

4

4

 \* Plugin URI:      http://www.brainstormforce.com

5

5

 \* Description:     This is the plugin to create custom siderbars to your site.

6

 

 \* Version:         1.1.4

 

6

 \* Version:         1.1.5

7

7

 \* Author:          Brainstorm Force

8

8

 \* Author URI:      https://www.brainstormforce.com/

…

…

 

26

26

define( 'BSF\_SB\_DIR', plugin\_dir\_path( BSF\_SB\_FILE ) );

27

27

define( 'BSF\_SB\_URL', plugins\_url( '/', BSF\_SB\_FILE ) );

28

 

define( 'BSF\_SB\_VER', '1.1.4' );

 

28

define( 'BSF\_SB\_VER', '1.1.5' );

29

29

define( 'BSF\_SB\_PREFIX', 'bsf-sb' );

30

30

define( 'BSF\_SB\_POST\_TYPE', 'bsf-sidebar' );
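Review bot: The unchanged context line `* Description:     This is the plugin to create custom siderbars to your site.` carries a typo (`siderbars`, should be `sidebars`) that is displayed in the plugins list; not part of this change, but cheap to fix alongside a version bump. The two bumps themselves (`* Version:         1.1.5` and `define( 'BSF_SB_VER', '1.1.5' );`) are consistent with each other and with the readme's Stable tag.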
  • sidebar-manager/trunk/classes/class-bsf-sb-metabox.php

    r2237571

    r2368387

82

82

        public function metabox\_save( $post\_id ) {

83

83

 

84

            if( ! isset( $\_POST\[ BSF\_SB\_POST\_TYPE . '-nonce' \] ) ) {

 

85

                return;

 

86

            }

 

87

84

88

            if ( get\_post\_type() != BSF\_SB\_POST\_TYPE

85

 

                || ( isset( $\_POST\[ BSF\_SB\_POST\_TYPE . '-nonce' \] ) && ! wp\_verify\_nonce( $\_POST\[ BSF\_SB\_POST\_TYPE . '-nonce' \], BSF\_SB\_POST\_TYPE ) )

 

89

                || ! wp\_verify\_nonce( $\_POST\[ BSF\_SB\_POST\_TYPE . '-nonce' \], BSF\_SB\_POST\_TYPE )

86

90

            ) {

87

91

                return $post\_id;
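Review bot: `$_POST[ BSF_SB_POST_TYPE . '-nonce' ]` is handed to `wp_verify_nonce()` raw; WordPress coding standards expect superglobal input to be unslashed and sanitized first (`wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ BSF_SB_POST_TYPE . '-nonce' ] ) ), BSF_SB_POST_TYPE )`), which also keeps PHPCS quiet on this line. Separately, `get_post_type()` is called with no argument and so relies on the global post; inside a save_post callback `get_post_type( $post_id )` is the more robust choice. Neither point changes the security outcome of this hunk, which is the same fix as in tags/1.1.5 above: reject a missing nonce first, then verify it unconditionally.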
  • sidebar-manager/trunk/readme.txt

    r2363849

    r2368387

5

5

Requires at least: 4.0

6

6

Tested up to: 5.5

7

 

Stable tag: 1.1.4

 

7

Stable tag: 1.1.5

8

8

License: GPLv2 or later

9

9

License URI: https://www.gnu.org/licenses/gpl-2.0.html

…

…

 

52

52

\== Changelog ==

53

53

 

54

\= 1.1.5 =

 

55

\- Fix: Security hardening.

 

56

54

57

\= 1.1.4 =

55

58

\- Fix: Fixed compatibility with other plugins with respect to the admin notice.
  • sidebar-manager/trunk/sidebar-manager.php

    r2363849

    r2368387

4

4

 \* Plugin URI:      http://www.brainstormforce.com

5

5

 \* Description:     This is the plugin to create custom siderbars to your site.

6

 

 \* Version:         1.1.4

 

6

 \* Version:         1.1.5

7

7

 \* Author:          Brainstorm Force

8

8

 \* Author URI:      https://www.brainstormforce.com/

…

…

 

26

26

define( 'BSF\_SB\_DIR', plugin\_dir\_path( BSF\_SB\_FILE ) );

27

27

define( 'BSF\_SB\_URL', plugins\_url( '/', BSF\_SB\_FILE ) );

28

 

define( 'BSF\_SB\_VER', '1.1.4' );

 

28

define( 'BSF\_SB\_VER', '1.1.5' );

29

29

define( 'BSF\_SB\_PREFIX', 'bsf-sb' );

30

30

define( 'BSF\_SB\_POST\_TYPE', 'bsf-sidebar' );

