CVE-2023-2279: Diff [2905046:2905795] for wpdirectorykit/trunk – WordPress Plugin Repository
The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the ‘admin_page_display’ function. This makes it possible for unauthenticated attackers to delete or change plugin settings, import demo data, and modify or delete Directory Kit related posts and terms via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Partial patches were made available in versions 1.2.0 and 1.2.1, but the issue was not fully patched until 1.2.2.
wpdirectorykit/trunk/README.txt
r2905046
r2905795
5
5
Requires at least: 5.2
6
6
Tested up to: 6.2
7
Stable tag: 1.2.1
7
Stable tag: 1.2.2
8
8
Requires PHP: 5.6
9
9
License: GPLv2 or later
…
…
153
153
154
154
\== Changelog ==
155
156
\= 1.2.2 =
157
\* Small security improvement
158
\* Category elementor widget improvement
159
\* Location elementor widget improvement
155
160
156
161
\= 1.2.1 =
wpdirectorykit/trunk/admin/js/wdk-dependfields-edit.js
r2905046
r2905795
68
68
data.push({ name: 'page', value: "wdk\_backendajax" });
69
69
data.push({ name: 'function', value: "update\_depend" });
70
data.push({ name: '\_wpnonce', value: this\_form.find('input\[name="\_wpnonce"\]').val() });
70
71
data.push({ name: 'main\_field', value: this\_form.find('input\[name="main\_field"\]').val() });
71
72
data.push({ name: 'field\_id', value: this\_form.find('input\[name="field\_id"\]').val() });
wpdirectorykit/trunk/application/controllers/Wdk_backendajax.php
r2905046
r2905795
30
30
$data\['rss'\] = array();
31
31
32
/\* protect \*/
33
if(current\_user\_can( 'read' ) && !wmvc\_user\_in\_role('administrator')) {
34
$this->output($data);
35
}
36
32
37
//https://wpdirectorykit.com/wp/last\_news.php?f=news.json
33
38
34
$request \= wp\_remote\_get('https://wpdirectorykit.com/wp/last\_news.php?f=news.json');
39
$request \= wp\_remote\_get('https://wpdirectorykit.com/wp/last\_news.php?f=news.json');
35
40
36
41
// request failed
…
…
70
75
$data\['success'\] = false;
71
76
77
/\* protect \*/
78
if(current\_user\_can( 'install\_plugins' ) && !wmvc\_user\_in\_role('administrator')) {
79
$data\['message'\] = \_\_('Disabled for current user', 'wpdirectorykit');
80
$this->output($data);
81
}
82
83
// Check \_wpnonce
84
check\_admin\_referer( 'wdk-plugin\_upgrader', '\_wpnonce' );
85
72
86
ob\_start();
73
87
…
…
120
134
$data\['success'\] = false;
121
135
136
137
/\* protect \*/
138
if(current\_user\_can( 'install\_plugins' ) && !wmvc\_user\_in\_role('administrator')) {
139
$data\['message'\] = \_\_('Disabled for current user', 'wpdirectorykit');
140
$this->output($data);
141
}
142
143
// Check \_wpnonce
144
check\_admin\_referer( 'wdk-install\_content', '\_wpnonce' );
145
122
146
ob\_start();
123
147
…
…
178
202
$data\['message'\] = \_\_('No message returned!', 'wpdirectorykit');
179
203
$data\['success'\] = false;
204
205
/\* protect \*/
206
if(current\_user\_can( 'install\_plugins' ) && !wmvc\_user\_in\_role('administrator')) {
207
$data\['message'\] = \_\_('Disabled for current user', 'wpdirectorykit');
208
$this->output($data);
209
}
210
211
// Check \_wpnonce
212
check\_admin\_referer( 'wdk-install\_listings', '\_wpnonce' );
180
213
181
214
ob\_start();
…
…
202
235
$data\['parameters'\] = $\_POST;
203
236
$data\['success'\] = false;
237
238
/\* protect \*/
239
if(!wmvc\_user\_in\_role('administrator')) {
240
$data\['message'\] = \_\_('Disabled for current user', 'wpdirectorykit');
241
$this->output($data);
242
}
243
244
// Check \_wpnonce
245
check\_admin\_referer( 'wdk-generated\_listings\_images\_path', '\_wpnonce' );
204
246
205
247
$this->load->load\_helper('listing');
…
…
280
322
$data\['success'\] = false;
281
323
324
/\* protect \*/
325
if(!wmvc\_user\_in\_role('administrator')) {
326
$data\['message'\] = \_\_('Disabled for current user', 'wpdirectorykit');
327
$this->output($data);
328
}
329
330
// Check \_wpnonce
331
check\_admin\_referer( 'wdk-optimization\_listingfields\_table', '\_wpnonce' );
332
282
333
$this->load->load\_helper('listing');
283
334
$this->load->model('listingfield\_m');
…
…
330
381
$data\['success'\] = false;
331
382
$data\['parameters'\] = $\_POST;
383
384
/\* protect \*/
385
if(!wmvc\_user\_in\_role('administrator')) {
386
$data\['message'\] = \_\_('Disabled for current user', 'wpdirectorykit');
387
$this->output($data);
388
}
389
390
// Check \_wpnonce
391
check\_admin\_referer( 'wdk-update\_depend', '\_wpnonce' );
332
392
333
393
$this->load->load\_helper('listing');
…
…
367
427
$data\['parameters'\] = $\_POST;
368
428
$data\['success'\] = false;
429
430
/\* protect \*/
431
if(!wmvc\_user\_in\_role('administrator')) {
432
$data\['message'\] = \_\_('Disabled for current user', 'wpdirectorykit');
433
$this->output($data);
434
}
435
436
// Check \_wpnonce
437
check\_admin\_referer( 'wdk-backendajax', '\_wpnonce' );
369
438
370
439
global $wp\_filesystem;
…
…
491
560
$data\['success'\] = false;
492
561
$data\['results'\] = array();
562
563
/\* protect \*/
564
if(!current\_user\_can('edit\_own\_listings') && !wmvc\_user\_in\_role('administrator')) {
565
$data\['message'\] = \_\_('Disabled for current user', 'wpdirectorykit');
566
$this->output($data);
567
}
568
569
// Check \_wpnonce
570
check\_admin\_referer( 'wdk-backendajax', '\_wpnonce' );
493
571
494
572
$listing\_id = intval(wmvc\_show\_data('listing\_id', $data\['parameters'\]));
…
…
544
622
$data\['results'\] = array();
545
623
624
/\* protect \*/
625
if(!current\_user\_can('edit\_own\_listings') && !wmvc\_user\_in\_role('administrator')) {
626
$data\['message'\] = \_\_('Disabled for current user', 'wpdirectorykit');
627
$this->output($data);
628
}
629
630
// Check \_wpnonce
631
check\_admin\_referer( 'wdk-backendajax', '\_wpnonce' );
632
546
633
$listing\_id = intval(wmvc\_show\_data('listing\_id', $data\['parameters'\]));
547
634
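Review bot: The capability guards added at new lines 33, 78, 138 and 206 are inverted: `if(current_user_can( 'install_plugins' ) && !wmvc_user_in_role('administrator'))` rejects a non-admin who has the capability and lets a caller who lacks it (a low-privilege user, or an unauthenticated request if this handler is reachable through a nopriv hook, which the hunk does not show) fall through to `check_admin_referer` and the privileged code, so the four should use the shape the later guards already have, `if(!wmvc_user_in_role('administrator')) {`. None of the guards is followed by a `return;` after `$this->output($data);`, so unless `output()` terminates the request (not visible here) the protected code still runs after the denial message is emitted. Since these handlers run under admin-ajax, `check_ajax_referer( 'wdk-plugin_upgrader', '_wpnonce' )` is the AJAX-aware variant (it dies with -1, or returns false when its third argument is false), which lets each handler return its own JSON error instead of whatever `wp_die` emits on nonce failure. The action string `wdk-backendajax` is shared by the handlers at new lines 437, 570 and 631 and by the nonces minted in views/wdk/index.php and views/wdk_settings/index.php (where the function name comes from `self.data('function')`), so one nonce is valid for every function dispatched through it; per-function action strings, as the other hunks use, keep a nonce bound to a single operation.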
wpdirectorykit/trunk/application/controllers/Wdk_demo_import.php
r2905046
r2905795
36
36
'slug' => 'elementor', // The plugin slug (typically the folder name).
37
37
'required' => false, // If false, the plugin is only 'recommended' instead of required.
38
'version' => '3.5.3', // E.g. 1.0.0. If set, the active plugin must be this version or higher. If the plugin version is higher than the plugin version installed, the user will be notified to update the plugin.
38
'version' => '3.12.2', // E.g. 1.0.0. If set, the active plugin must be this version or higher. If the plugin version is higher than the plugin version installed, the user will be notified to update the plugin.
39
39
'force\_activation' => false, // If true, plugin is activated upon theme activation and cannot be deactivated until theme switch.
40
40
'force\_deactivation' => false, // If true, plugin is deactivated upon theme switch, useful for theme-specific plugins.
wpdirectorykit/trunk/application/controllers/Wdk_listing.php
r2905046
r2905795
177
177
'field' => 'listing\_images',
178
178
'label' => \_\_('Listing images', 'wpdirectorykit'),
179
'rules' => ''
179
'rules' => (wdk\_get\_option('wdk\_listings\_images\_required\_enable')) ? 'required' : ''
180
180
),
181
181
array(
wpdirectorykit/trunk/application/controllers/Wdk_settings.php
r2905046
r2905795
216
216
if($this->searchform\_m->get() || $this->resultitem\_m->get()){
217
217
$this->data\['db\_data'\]\['import\_visual\_data'\] = 0;
218
$this->import\_settings();
219
218
}
220
219
…
…
287
286
// Check \_wpnonce
288
287
check\_admin\_referer( 'wdk-settings\_import', '\_wpnonce' );
289
288
290
289
// Save procedure for basic data
291
290
$data = $this->input->post();
292
291
292
$this->import\_settings();
293
293
294
if( !empty($data\['import\_locations'\])) {
294
295
$this->import\_locations();
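Review bot: The unconditional `$this->import_settings();` at new line 292 runs as soon as the nonce check at line 287 passes, and no capability check is visible between the two; a nonce shows the request came from the settings form, not that the user may change settings, so if the enclosing function (which starts outside the hunk) does not already gate on `current_user_can( 'manage_options' )`, add that check before the import block. Moving the call out of the `searchform_m`/`resultitem_m` condition in the first hunk also changes behaviour (settings are now imported even when no search forms or result items exist), which deserves a comment at the call site such as `// Settings are always imported; import_visual_data is cleared above when search forms or result items already exist.`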
wpdirectorykit/trunk/application/models/Category_m.php
r2905046
r2905795
51
51
$this->load->model('listing\_m');
52
52
53
$this->db->select($this->\_table\_name.'.\*, COUNT('.$this->listing\_m->\_table\_name.'.post\_id) AS listings\_counter');
54
$this->db->from($this->\_table\_name);
55
56
$this->db->join($this->listing\_m->\_table\_name.' ON '.$this->listing\_m->\_table\_name.'.category\_id = '.$this->\_table\_name.'.idcategory', TRUE, 'LEFT');
53
$this->db->select($this->\_table\_name.'.\*, COUNT(DISTINCT '.$this->listing\_m->\_table\_name.'.post\_id) AS listings\_counter, MAX('.$this->\_table\_name.'.level) as level');
54
55
$this->db->join($this->\_table\_name.' AS category\_table ON (CONCAT(",", category\_table.parent\_path, ",") LIKE CONCAT("%,", '.$this->\_table\_name.'.idcategory ,",%"))', TRUE, 'LEFT');
56
$this->db->join($this->listing\_m->\_table\_name.' ON (
57
('.$this->listing\_m->\_table\_name.'.is\_activated = 1 AND '.$this->listing\_m->\_table\_name.'.is\_approved = 1) AND
58
('.$this->listing\_m->\_table\_name.'.category\_id = '.$this->\_table\_name.'.idcategory
59
OR '.$this->listing\_m->\_table\_name.'.category\_id = category\_table.idcategory)
60
61
)', TRUE, 'LEFT');
62
63
$this->db->from($this->\_table\_name);
57
64
58
65
$this->db->where($where);
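Review bot: `MAX(...level) as level` at new line 53 adds a second result column named `level` beside the one already selected through `.*`; with associative row fetches the aggregate silently replaces the row's own value, so either rename the alias (e.g. `AS max_level`) or comment why the overwrite is intended. The new join condition at lines 57–61 also changes what `listings_counter` means — only listings with `is_activated = 1 AND is_approved = 1`, including those attached to descendant categories matched through `parent_path` — which is worth a comment above the select, e.g. `// listings_counter: distinct active+approved listings in this category or any descendant (matched via parent_path)`. The `LIKE CONCAT("%,", id, ",%")` self-join presumably cannot use an index on `parent_path`, so it grows with the square of the category count; acceptable for small trees but worth noting. Location_m.php carries the identical change and the same points apply there.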
wpdirectorykit/trunk/application/models/Location_m.php
r2905046
r2905795
51
51
$this->load->model('listing\_m');
52
52
53
$this->db->select($this->\_table\_name.'.\*, COUNT('.$this->listing\_m->\_table\_name.'.post\_id) AS listings\_counter');
54
$this->db->from($this->\_table\_name);
55
56
$this->db->join($this->listing\_m->\_table\_name.' ON '.$this->listing\_m->\_table\_name.'.location\_id = '.$this->\_table\_name.'.idlocation', TRUE, 'LEFT');
53
54
$this->db->select($this->\_table\_name.'.\*, COUNT(DISTINCT '.$this->listing\_m->\_table\_name.'.post\_id) AS listings\_counter, MAX('.$this->\_table\_name.'.level) as level');
55
56
$this->db->join($this->\_table\_name.' AS location\_table ON (CONCAT(",", location\_table.parent\_path, ",") LIKE CONCAT("%,", '.$this->\_table\_name.'.idlocation ,",%"))', TRUE, 'LEFT');
57
$this->db->join($this->listing\_m->\_table\_name.' ON (
58
('.$this->listing\_m->\_table\_name.'.is\_activated = 1 AND '.$this->listing\_m->\_table\_name.'.is\_approved = 1) AND
59
('.$this->listing\_m->\_table\_name.'.location\_id = '.$this->\_table\_name.'.idlocation
60
OR '.$this->listing\_m->\_table\_name.'.location\_id = location\_table.idlocation)
61
62
)', TRUE, 'LEFT');
57
63
58
64
$this->db->from($this->\_table\_name);
wpdirectorykit/trunk/application/models/Settings_m.php
r2905046
r2905795
203
203
'rules' => '',
204
204
),
205
array(
206
'field' => 'wdk\_listings\_images\_required\_enable',
207
'field\_label' => \_\_('Listing Images required', 'wpdirectorykit'),
208
'field\_type' => 'CHECKBOX',
209
'rules' => '',
210
),
205
211
);
206
212
wpdirectorykit/trunk/application/views/wdk/index.php
r2905046
r2905795
277
277
"action": 'wdk\_public\_action',
278
278
"listing\_id": listing\_id,
279
"\_wpnonce": '<?php echo esc\_js(wp\_create\_nonce( 'wdk-backendajax'));?>',
279
280
};
280
281
…
…
349
350
"action": 'wdk\_public\_action',
350
351
"listing\_id": listing\_id,
352
"\_wpnonce": '<?php echo esc\_js(wp\_create\_nonce( 'wdk-backendajax'));?>',
351
353
};
352
354
wpdirectorykit/trunk/application/views/wdk_demo_import/step_1.php
r2905046
r2905795
99
99
"slug": slug,
100
100
"source": source,
101
"\_wpnonce": '<?php echo esc\_js(wp\_create\_nonce( 'wdk-plugin\_upgrader'));?>',
101
102
};
102
103
wpdirectorykit/trunk/application/views/wdk_demo_import/step_2.php
r2905046
r2905795
69
69
"function": 'install\_content',
70
70
"action": 'wdk\_public\_action',
71
"\_wpnonce": '<?php echo esc\_js(wp\_create\_nonce( 'wdk-install\_content'));?>',
71
72
};
72
73
…
…
122
123
"function": 'install\_listings',
123
124
"action": 'wdk\_public\_action',
125
"\_wpnonce": '<?php echo esc\_js(wp\_create\_nonce( 'wdk-install\_listings'));?>',
124
126
};
125
127
wpdirectorykit/trunk/application/views/wdk_resultitem/resultitem_edit.php
r2905046
r2905795
35
35
<tr>
36
36
<th scope="row"><label for="resultitem\_name"><?php echo \_\_('Name','wpdirectorykit'); ?></label></th>
37
<td><input name="resultitem\_name" type="text" id="resultitem\_name" value="<?php echo wmvc\_show\_data('resultitem\_name', $db\_data, ''); ?>" class="regular-text"></td>
37
<td><input name="resultitem\_name" type="text" id="resultitem\_name" value="<?php echo esc\_attr(wmvc\_show\_data('resultitem\_name', $db\_data, '')); ?>" class="regular-text"></td>
38
38
</tr>
39
39
<tr>
wpdirectorykit/trunk/application/views/wdk_settings/index.php
r2905046
r2905795
90
90
"function": 'generated\_listings\_images\_path',
91
91
"action": 'wdk\_public\_action',
92
"\_wpnonce": '<?php echo esc\_js(wp\_create\_nonce( 'wdk-generated\_listings\_images\_path'));?>',
92
93
};
93
94
$.post("<?php echo admin\_url( 'admin-ajax.php' );?>", ajax\_param,
…
…
129
130
"function": 'optimization\_listingfields\_table',
130
131
"action": 'wdk\_public\_action',
132
"\_wpnonce": '<?php echo esc\_js(wp\_create\_nonce( 'wdk-optimization\_listingfields\_table'));?>',
131
133
};
132
134
$.post("<?php echo admin\_url( 'admin-ajax.php' );?>", ajax\_param,
…
…
168
170
"function": self.data('function'),
169
171
"action": 'wdk\_public\_action',
172
"\_wpnonce": '<?php echo esc\_js(wp\_create\_nonce( 'wdk-backendajax'));?>',
170
173
};
171
174
$.post("<?php echo admin\_url( 'admin-ajax.php' );?>", ajax\_param,
wpdirectorykit/trunk/demo-data/real-estate.xml
r2905046
r2905795
156
156
</section>
157
157
<field\_label>
158
Property Size
158
Size
159
159
</field\_label>
160
160
<field\_type>
wpdirectorykit/trunk/elementor-elements/elementor-init.php
r2905046
r2905795
142
142
require\_once plugin\_dir\_path( \_\_FILE\_\_ ) . 'classes/wdk-categories-grid.php';
143
143
require\_once plugin\_dir\_path( \_\_FILE\_\_ ) . 'classes/wdk-categories-list.php';
144
require\_once plugin\_dir\_path( \_\_FILE\_\_ ) . 'classes/wdk-categories-tree.php';
145
require\_once plugin\_dir\_path( \_\_FILE\_\_ ) . 'classes/wdk-locations-tree.php';
144
146
require\_once plugin\_dir\_path( \_\_FILE\_\_ ) . 'classes/wdk-locations-list.php';
145
147
require\_once plugin\_dir\_path( \_\_FILE\_\_ ) . 'classes/wdk-listings-results.php';
…
…
250
252
$this->add\_widget('Wdk\\Elementor\\Widgets\\WdkLocationsList');
251
253
$this->add\_widget('Wdk\\Elementor\\Widgets\\WdkCategoriesList');
254
$this->add\_widget('Wdk\\Elementor\\Widgets\\WdkCategoriesTree');
255
$this->add\_widget('Wdk\\Elementor\\Widgets\\WdkLocationsTree');
252
256
$this->add\_widget('Wdk\\Elementor\\Widgets\\WdkListingsResults');
253
257
$this->add\_widget('Wdk\\Elementor\\Widgets\\WdkListingsCarousel');
wpdirectorykit/trunk/extensions/wdk-dependfields.php
r2905046
r2905795
100
100
<div class="inside">
101
101
<form method="post" action="#" novalidate="novalidate" class="wdk-depend-fields" enctype="multipart/form-data">
102
<input name="\_wpnonce" type="hidden" value="<?php echo esc\_attr(wp\_create\_nonce( 'wdk-update\_depend'));?>" class="regular-text">
102
103
<input name="main\_field" type="hidden" value="categories" class="regular-text">
103
104
<input name="field\_id" type="hidden" value="<?php echo esc\_attr(wmvc\_show\_data('idcategory', $data));?>" class="regular-text">
wpdirectorykit/trunk/public/class-wpdirectorykit-public.php
r2905046
r2905795
105
105
wp\_register\_style( 'wdk-categories-grid', WPDIRECTORYKIT\_URL. 'elementor-elements/assets/css/widgets/wdk-categories-grid.css', array(), $this->version, 'all' );
106
106
wp\_register\_style( 'wdk-categories-list', WPDIRECTORYKIT\_URL. 'elementor-elements/assets/css/widgets/wdk-categories-list.css', array(), $this->version, 'all' );
107
wp\_register\_style( 'wdk-locations-tree', WPDIRECTORYKIT\_URL. 'elementor-elements/assets/css/widgets/wdk-locations-tree.css', array(), $this->version, 'all' );
108
wp\_register\_style( 'wdk-categories-tree', WPDIRECTORYKIT\_URL. 'elementor-elements/assets/css/widgets/wdk-categories-tree.css', array(), $this->version, 'all' );
107
109
wp\_register\_style( 'wdk-locations-list', WPDIRECTORYKIT\_URL. 'elementor-elements/assets/css/widgets/wdk-locations-list.css', array(), $this->version, 'all' );
108
110
wp\_register\_style( 'wdk-listings-map', WPDIRECTORYKIT\_URL. 'elementor-elements/assets/css/widgets/wdk-map.css', array(), $this->version, 'all' );
wpdirectorykit/trunk/wpdirectorykit.php
r2905046
r2905795
17
17
\* Plugin URI: https://wpdirectorykit.com/plugins/wpdirectorykit.html
18
18
\* Description: Build your Directory portal, demos for Real Estate Agency and Car Dealership included
19
\* Version: 1.2.1
19
\* Version: 1.2.2
20
20
\* Requires PHP: 5.6
21
21
\* Author: wpdirectorykit.com
…
…
41
41
\* Rename this for your plugin and update it as you release new versions.
42
42
\*/
43
define( 'WPDIRECTORYKIT\_VERSION', '1.2.0' );
43
define( 'WPDIRECTORYKIT\_VERSION', '1.2.2' );
44
44
define( 'WPDIRECTORYKIT\_NAME', 'wdk' );
45
45
define( 'WPDIRECTORYKIT\_PATH', plugin\_dir\_path( \_\_FILE\_\_ ) );