Headline
CVE-2023-0583: class-vk-blocks-entrypoint.php in vk-blocks/trunk/inc/vk-blocks/App/RestAPI/BlockMeta – WordPress Plugin Repository
The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST ‘update_vk_blocks_options’ function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings including default icons.
Last change on this file was 2862433, checked in by , 4 months ago
Update to version 1.51.0.0 from GitHub
File size: 1.1 KB
Line
1
<?php
2
/**
3
* VK Blocks REST API Init Actions
4
*
5
* @package vk_blocks
6
*/
7
8
/**
9
* Vk_Blocks_EntryPoint
10
*/
11
class Vk_Blocks_EntryPoint {
12
/\*\*
13
\* Constructor
14
\*/
15
public function \_\_construct() {
16
add\_action( 'rest\_api\_init', array( $this, 'vk\_blocks\_rest\_api\_init' ) );
17
}
18
19
/\*\*
20
\* Vk Blocks Rest Api Init
21
\*
22
\* @return void
23
\*/
24
public function vk\_blocks\_rest\_api\_init() {
25
register\_rest\_route(
26
'vk-blocks/v1',
27
'/update\_vk\_blocks\_options',
28
array(
29
array(
30
'methods' \=> 'POST',
31
'callback' \=> array( $this, 'update\_vk\_blocks\_options' ),
32
'permission\_callback' \=> function () {
33
return current\_user\_can( 'edit\_posts' );
34
},
35
),
36
)
37
);
38
}
39
40
/\*\*
41
\* VK Blocks Rest Update Callback
42
\*
43
\* @param object $request — .
44
\* @return \\WP\_REST\_Response|\\WP\_Error
45
\*/
46
public function update\_vk\_blocks\_options( $request ) {
47
$json\_params \= $request\->get\_json\_params();
48
update\_option( 'vk\_blocks\_options', $json\_params\['vkBlocksOption'\] );
49
return rest\_ensure\_response(
50
array(
51
'success' \=> true,
52
)
53
);
54
}
55
56
}
Note: See TracBrowser for help on using the repository browser.