CVE-2023-1844: send-email.php in subscribe2/trunk/admin – WordPress Plugin Repository

The Subscribe2 plugin for WordPress is vulnerable to unauthorized use of its email-sending functionality because of a missing capability check on the "send test email" action in versions up to and including 10.40. An authenticated attacker with author-level access or higher can use it to send emails with arbitrary subject, body and attachments to site users and subscribers. The trunk copy of admin/send-email.php reproduced below gates the mail action behind current_user_can( 'manage_options' ) and a version-bound nonce before any recipient list, body or attachment is built from the request; the preview path mails only the current user's own address, while send mails the selected subscriber or user list.

```php
<?php
if ( ! function_exists( 'add_action' ) ) {
	exit();
}

global $current_user;

$s2_admin = ! empty( $_POST['s2_admin'] ) ? sanitize_key( $_POST['s2_admin'] ) : '';

// was anything POSTed?
if ( 'mail' === $s2_admin ) {
	// Authorization: only users holding manage_options may reach the mail path at all.
	if ( ! current_user_can( 'manage_options' ) ) {
		die( '<p>' . esc_html__( 'Security error! You are not able to send email.', 'subscribe2' ) . '</p>' );
	}

	// CSRF: the nonce is bound to this form and to the plugin version.
	if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( $_REQUEST['_wpnonce'] ), 'subscribe2-write_subscribers' . S2VERSION ) ) {
		die( '<p>' . esc_html__( 'Security error! Your request cannot be completed.', 'subscribe2' ) . '</p>' );
	}

	$subject = html_entity_decode( stripslashes( wp_kses( $this->substitute( $_POST['subject'] ), '' ) ), ENT_QUOTES );
	$body    = wpautop( $this->substitute( stripslashes( $_POST['content'] ) ), true );
	if ( '' !== $current_user->display_name || '' !== $current_user->user_email ) {
		$this->myname  = html_entity_decode( $current_user->display_name, ENT_QUOTES );
		$this->myemail = $current_user->user_email;
	}
	// Recipient selection: "send" picks a list from the dropdown value, "preview" goes only to the current user.
	if ( isset( $_POST['send'] ) ) {
		if ( 'confirmed' === $_POST['what'] ) {
			$recipients = $this->get_public();
		} elseif ( 'unconfirmed' === $_POST['what'] ) {
			$recipients = $this->get_public( 0 );
		} elseif ( 'public' === $_POST['what'] ) {
			$confirmed   = $this->get_public();
			$unconfirmed = $this->get_public( 0 );
			$recipients  = array_merge( (array) $confirmed, (array) $unconfirmed );
		} elseif ( is_numeric( $_POST['what'] ) ) {
			$category   = intval( $_POST['what'] );
			$recipients = $this->get_registered( "cats=$category" );
		} elseif ( 'all_users' === $_POST['what'] ) {
			$recipients = $this->get_all_registered();
		} elseif ( 'all' === $_POST['what'] ) {
			$confirmed   = $this->get_public();
			$unconfirmed = $this->get_public( 0 );
			$registered  = $this->get_all_registered();
			$recipients  = array_merge( (array) $confirmed, (array) $unconfirmed, (array) $registered );
		} else {
			$recipients = $this->get_registered();
		}
	} elseif ( isset( $_POST['preview'] ) ) {
		global $user_email;
		$recipients[] = $user_email;
	}

	// Attachments: every successfully uploaded file[] slot is moved into the uploads directory.
	$uploads = array();
	if ( ! empty( $_FILES ) ) {
		foreach ( $_FILES['file']['name'] as $key => $value ) {
			if ( 0 === $_FILES['file']['error'][ $key ] ) {
				$file = array(
					'name'     => $_FILES['file']['name'][ $key ],
					'type'     => $_FILES['file']['type'][ $key ],
					'tmp_name' => $_FILES['file']['tmp_name'][ $key ],
					'error'    => $_FILES['file']['error'][ $key ],
					'size'     => $_FILES['file']['size'][ $key ],
				);

				$uploads[] = wp_handle_upload(
					$file,
					array(
						'test_form' => false,
					)
				);
			}
		}
	}
	$attachments = array();
	if ( ! empty( $uploads ) ) {
		foreach ( $uploads as $upload ) {
			if ( ! isset( $upload['error'] ) ) {
				$attachments[] = $upload['file'];
			} else {
				$upload_error = $upload['error'];
			}
		}
	}

	if ( empty( $body ) ) {
		$error_message = __( 'Your email was empty', 'subscribe2' );
		$success       = false;
	} elseif ( isset( $upload_error ) ) {
		$error_message = $upload_error;
		$success       = false;
	} else {
		$success       = $this->mail( $recipients, $subject, $body, 'html', $attachments );
		$error_message = __( 'Check your settings and check with your hosting provider', 'subscribe2' );
	}

	if ( $success ) {
		if ( isset( $_POST['preview'] ) ) {
			$message = '<p class="s2_message">' . __( 'Preview message sent!', 'subscribe2' ) . '</p>';
		} elseif ( isset( $_POST['send'] ) ) {
			$message = '<p class="s2_message">' . __( 'Message sent!', 'subscribe2' ) . '</p>';
		}
	} else {
		global $phpmailer;

		$mailer_error = ! empty( $phpmailer->ErrorInfo ) ? $phpmailer->ErrorInfo : '';
		$message      = '<p class="s2_error">' . __( 'Message failed!', 'subscribe2' ) . '</p>' . $error_message . $mailer_error;
	}

	echo '<div id="message" class="' . ( $success ? 'updated' : 'error' ) . '"><strong><p>' . wp_kses_post( $message ) . '</p></strong></div>' . "\r\n";
}

// show our form
echo '<div class="wrap">';
echo '<h1>' . esc_html__( 'Send an email to subscribers', 'subscribe2' ) . '</h1>' . "\r\n";
echo '<form method="post" enctype="multipart/form-data">' . "\r\n";

wp_nonce_field( 'subscribe2-write_subscribers' . S2VERSION );

$body = ! empty( $_POST['content'] ) ? esc_textarea( $_POST['content'] ) : '';
if ( isset( $_POST['subject'] ) ) {
	$subject = stripslashes( esc_html( $_POST['subject'] ) );
} else {
	$subject = __( 'A message from', 'subscribe2' ) . ' ' . html_entity_decode( get_option( 'blogname' ), ENT_QUOTES );
}

echo '<p>' . esc_html__( 'Subject', 'subscribe2' ) . ': <input type="text" size="69" name="subject" value="' . esc_attr( $subject ) . '" /> <br><br>';
echo '<textarea rows="12" cols="75" name="content">' . $body . '</textarea>';
echo "<br><div id=\"upload_files\"><input type=\"file\" name=\"file[]\" onChange=\"remove_selected_image()\"></div>\r\n";
echo '<input type="button" class="button-secondary" name="addmore" value="' . esc_attr( __( 'Add More Files', 'subscribe2' ) ) . "\" onClick=\"add_file_upload();\" />\r\n";
echo "<br><br>\r\n";
echo esc_html__( 'Recipients:', 'subscribe2' ) . ' ';
$this->display_subscriber_dropdown( apply_filters( 's2_subscriber_dropdown_default', 'registered' ), false );
echo '<input type="hidden" name="s2_admin" value="mail" />';
echo '<p class="submit"><input type="submit" class="button-secondary" name="preview" value="' . esc_attr( __( 'Preview', 'subscribe2' ) ) . '" /> <input type="submit" class="button-primary" name="send" value="' . esc_attr( __( 'Send', 'subscribe2' ) ) . '" /></p>';
echo '</form></div>' . "\r\n";
echo '<div style="clear: both;"><p> </p></div>';
?>
<script type="text/javascript">
	//<![CDATA[
	function add_file_upload() {
		const fileUploadContainer = document.getElementById('upload_files'),
			fileNode = document.createElement('input'),
			spanNode = document.createElement('span'),
			lineBreak = document.createElement('br');

		// Insert multiple file.
		if (!Boolean(fileNode.value)) {
			fileNode.type = 'file';
			fileNode.name = 'file[]';
			spanNode.classList.add('dashicons', 'dashicons-no-alt');
			spanNode.style.marginTop = '4px';

			fileUploadContainer.appendChild(lineBreak);
			fileUploadContainer.appendChild(fileNode);
			fileUploadContainer.appendChild(spanNode);
		}

		// Remove uploaded image if selected otherwise remove field.
		spanNode.addEventListener('click', function () {
			if (Boolean(fileNode.value)) {
				fileNode.value = '';
				return;
			}

			fileNode.remove();
			spanNode.remove();
			lineBreak.remove();
		});
	}

	// Handle first selected image.
	function remove_selected_image() {
		const fileUploadContainer = document.getElementById('upload_files'),
			firstFile = fileUploadContainer.getElementsByTagName('input')[0],
			spanNode = document.createElement('span');

		if (!Boolean(firstFile.nextSibling)) {
			spanNode.style.marginTop = '4px';
			spanNode.classList.add('dashicons', 'dashicons-no-alt');
			firstFile.after(spanNode);
		}

		spanNode.addEventListener('click', function () {
			firstFile.value = '';
			this.remove();
		});
	}
	//]]>
</script>
<?php
require ABSPATH . 'wp-admin/admin-footer.php';
// just to be sure
die;
```
