Headline
CVE-2020-36746: Changeset 2368729 for menu-swapper – WordPress Plugin Repository
The Menu Swapper plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.0.2. This is due to missing or incorrect nonce validation on the mswp_save_meta() function. This makes it possible for unauthenticated attackers to save meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
menu-swapper/trunk/includes/meta-box.php
r1241808
r2368729
1
1
<?php
2
2
3
function mswp_add_swap_meta_box() {
3
function mswp_add_swap_meta_box() {
4
4
$post\_types = array(
5
5
'post',
…
…
11
11
foreach( $post\_types as $post\_type ){
12
12
13
add\_meta\_box(
14
'mswp\_meta\_box', // $id
15
'Menu Swapper', // $title
16
'mswp\_show\_swap\_meta\_box', // $callback
17
$post\_type, // $page
18
'side', // $context
19
'default' // $priority
20
);
13
add\_meta\_box(
14
'mswp\_meta\_box', // $id
15
'Menu Swapper', // $title
16
'mswp\_show\_swap\_meta\_box', // $callback
17
$post\_type, // $page
18
'side', // $context
19
'default' // $priority
20
);
21
21
}
22
}
23
add_action( 'add_meta_boxes’, ‘mswp_add_swap_meta_box’ );
22
}
23
add_action( 'add_meta_boxes’, ‘mswp_add_swap_meta_box’ );
24
24
25
25
26
function mswp_show_swap_meta_box() {
27
global $post;
26
function mswp_show_swap_meta_box() {
27
global $post;
28
28
$target\_loc = get\_post\_meta( $post->ID, MSWP\_TARGET\_POST\_META, true );
29
29
$current\_loc = get\_post\_meta( $post->ID, MSWP\_LOC\_POST\_META, true );
…
…
34
34
?>
35
35
<input type="hidden" name="swap\_meta\_box\_nonce" value="<?php echo wp\_create\_nonce(basename(\_\_FILE\_\_)); ?>" />
36
36
37
37
<h4>Replace this Theme Location</h4>
38
38
<select name="mswp-target-theme-loc">
39
<option value="none">None (Swapper will not affect menu)</option>
39
<option value="none">None (Swapper disabled)</option>
40
40
<option value="all" <?php if( $target\_loc == 'all' ): ?>selected="selected"<?php endif;?> >Any/All (will affect all menus)</option>
41
41
<?php foreach( $theme\_locations as $slug => $name ): ?>
42
42
<option value="<?php echo $slug;?>" <?php if( $target\_loc == $slug ): ?>selected="selected"<?php endif; ?> ><?php echo $name; ?></option>
43
<?php endforeach; ?>
43
<?php endforeach; ?>
44
44
</select>
45
45
<p><small><em>(The one set in wp\_nav\_menu in your template)</em></small></p>
…
…
49
49
<?php foreach( $theme\_locations as $slug => $name ): ?>
50
50
<option value="<?php echo $slug;?>" <?php if( $current\_loc == $slug ): ?>selected="selected"<?php endif; ?> ><?php echo $name; ?></option>
51
<?php endforeach; ?>
51
<?php endforeach; ?>
52
52
</select>
53
53
<p><small><em>(The one that you want to display on the page)</em></small></p>
…
…
57
57
58
58
59
function mswp_save_meta( $post_id ) {
59
function mswp_save_meta( $post_id ) {
60
60
61
if( !isset( $\_POST\[ 'mswp-swap-theme-loc' \] ) )
61
if( !isset( $\_POST\[ 'mswp-swap-theme-loc' \] ) )
62
62
return $post\_id;
63
63
64
// verify nonce
65
if( isset( $\_POST\['swap\_meta\_box\_nonce'\] ) && !wp\_verify\_nonce( $\_POST\['swap\_meta\_box\_nonce'\], basename(\_\_FILE\_\_) ) )
66
return $post\_id;
67
// check autosave
64
// verify nonce
65
if( !isset( $\_POST\['swap\_meta\_box\_nonce'\] ) || !wp\_verify\_nonce( $\_POST\['swap\_meta\_box\_nonce'\], basename(\_\_FILE\_\_) ) )
66
return $post\_id;
67
// check autosave
68
68
if( defined( 'DOING\_AUTOSAVE' ) && DOING\_AUTOSAVE )
69
return $post\_id;
70
// check permissions
71
if( isset( $\_POST\['post\_type'\] ) && 'page' == $\_POST\['post\_type'\]) {
72
if( !current\_user\_can( 'edit\_page', $post\_id ) )
73
return $post\_id;
74
}
75
elseif( !current\_user\_can('edit\_post', $post\_id ) ) {
76
return $post\_id;
69
return $post\_id;
70
// check permissions
71
if( isset( $\_POST\['post\_type'\] ) && 'page' == $\_POST\['post\_type'\]) {
72
if( !current\_user\_can( 'edit\_page', $post\_id ) )
73
return $post\_id;
77
74
}
78
75
elseif( !current\_user\_can('edit\_post', $post\_id ) ) {
76
return $post\_id;
77
}
78
79
79
80
80
//SWAP
81
$old = get\_post\_meta( $post\_id, MSWP\_LOC\_POST\_META, true );
82
$new = $\_POST\[ 'mswp-swap-theme-loc' \];
83
if( $new && $new != $old) {
84
update\_post\_meta( $post\_id, MSWP\_LOC\_POST\_META, $new );
85
}
86
elseif( '' == $new && $old ) {
87
delete\_post\_meta( $post\_id, MSWP\_LOC\_POST\_META, $old );
88
}
81
$old = get\_post\_meta( $post\_id, MSWP\_LOC\_POST\_META, true );
82
$new = $\_POST\[ 'mswp-swap-theme-loc' \];
83
if( $new && $new != $old) {
84
update\_post\_meta( $post\_id, MSWP\_LOC\_POST\_META, $new );
85
}
86
elseif( '' == $new && $old ) {
87
delete\_post\_meta( $post\_id, MSWP\_LOC\_POST\_META, $old );
88
}
89
89
90
90
//TARGET
91
$old = get\_post\_meta( $post\_id, MSWP\_TARGET\_POST\_META, true );
92
$new = $\_POST\[ 'mswp-target-theme-loc' \];
93
if( $new && $new != $old) {
94
update\_post\_meta( $post\_id, MSWP\_TARGET\_POST\_META, $new );
95
}
96
elseif( '' == $new && $old ) {
97
delete\_post\_meta( $post\_id, MSWP\_TARGET\_POST\_META, $old );
91
$old = get\_post\_meta( $post\_id, MSWP\_TARGET\_POST\_META, true );
92
$new = $\_POST\[ 'mswp-target-theme-loc' \];
93
if( $new && $new != $old) {
94
update\_post\_meta( $post\_id, MSWP\_TARGET\_POST\_META, $new );
98
95
}
99
}
100
add_action( 'save_post’, ‘mswp_save_meta’ );
96
elseif( '' == $new && $old ) {
97
delete\_post\_meta( $post\_id, MSWP\_TARGET\_POST\_META, $old );
98
}
99
}
100
add_action( 'save_post’, ‘mswp_save_meta’ );
menu-swapper/trunk/menu-swapper.php
r1241808
r2368729
2
2
/*
3
3
Plugin Name: Menu Swapper
4
Plugin URI: http://sevenspark.com
4
Plugin URI: https://sevenspark.com
5
5
Description: Register custom theme locations and swap menus on each Post or Page
6
6
Author: Chris Mavricos, SevenSpark
7
Author URI: http://sevenspark.com
8
Version: 1.1.0.2
7
Author URI: https://sevenspark.com
8
Version: 1.1.1
9
9
Text Domain: menuswap
10
10
*/
…
…
39
39
40
40
if( ! defined( 'MSWP\_VERSION' ) )
41
define( 'MSWP\_VERSION', '1.1.0.2' );
41
define( 'MSWP\_VERSION', '1.1.1' );
42
42
43
43
// Plugin Folder URL
…
…
53
53
define( 'MSWP\_PLUGIN\_FILE', \_\_FILE\_\_ );
54
54
55
define( 'MSWP\_LOC\_POST\_META' , 'mswp-swap-loc' );
56
define( 'MSWP\_TARGET\_POST\_META' , 'mswp-target-loc' );
55
define( 'MSWP\_LOC\_POST\_META' , 'mswp-swap-loc' );
56
define( 'MSWP\_TARGET\_POST\_META' , 'mswp-target-loc' );
57
57
define( 'MSWP\_THEME\_LOC\_OPTION' , 'mswp\_theme\_locations' );
58
58
}
…
…
74
74
require\_once MSWP\_PLUGIN\_DIR . 'includes/admin-page.php';
75
75
require\_once MSWP\_PLUGIN\_DIR . 'includes/meta-box.php';
76
76
77
77
} else {
78
78
//require\_once KB\_PLUGIN\_DIR . 'includes/process-download.php';
…
…
100
100
101
101
MSWP();
102
menu-swapper/trunk/readme.txt
r1241808
r2368729
4
4
Tags: menu, switch, swap, change
5
5
Requires at least: 4.0
6
Tested up to: 4.3
7
Stable tag: 1.1.0.2
6
Tested up to: 5.5
7
Stable tag: 1.1.1
8
8
License: GPLv2 or later
9
9
License URI: http://www.gnu.org/licenses/gpl-2.0.html
…
…
43
43
== Changelog ==
44
44
45
= 1.1.1 =
46
47
* Security fix: make sure nonce is always checked
48
45
49
= 1.1.0.2 =
46
50
…
…
64
68
= 1.0 =
65
69
* Initial submission
66
67