Headline
CVE-2021-25032: Changeset 2640161 – WordPress Plugin Repository
The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin’s settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.
Timestamp:
12/06/2021 04:40:59 PM (5 weeks ago)
kevinB
Message:
- Fixed : Security issue
- Fixed : PHP Notice on Capabilities screen
Release 2.3.1
Location:
capability-manager-enhanced/trunk
Files:
- capsman-enhanced.php (4 diffs)
- includes/admin.php (1 diff)
- includes/settings-handler.php (1 diff)
- readme.txt (8 diffs)
Legend:
Unmodified
Added
Removed
capability-manager-enhanced/trunk/capsman-enhanced.php
r2621618
r2640161
4
4
\* Plugin URI: https://publishpress.com/capability-manager/
5
5
\* Description: Manage WordPress role definitions, per-site or network-wide. Organizes post capabilities by post type and operation.
6
\* Version: 2.3
6
\* Version: 2.3.1
7
7
\* Author: PublishPress
8
8
\* Author URI: https://publishpress.com/
…
…
26
26
\* @license GNU General Public License version 3
27
27
\* @link https://publishpress.com/
28
\* @version 2.3
28
\* @version 2.3.1
29
29
\*/
30
30
31
31
if (!defined('CAPSMAN\_VERSION')) {
32
define('CAPSMAN\_VERSION', '2.3');
33
define('CAPSMAN\_ENH\_VERSION', '2.3');
34
define('PUBLISHPRESS\_CAPS\_VERSION', '2.3');
32
define('CAPSMAN\_VERSION', '2.3.1');
33
define('CAPSMAN\_ENH\_VERSION', '2.3.1');
34
define('PUBLISHPRESS\_CAPS\_VERSION', '2.3.1');
35
35
}
36
36
…
…
146
146
if (
147
147
((defined('WP\_DEBUG') && defined('CAPSMAN\_INSTALL\_PERMISSIONS')) || (!cme\_is\_plugin\_active('press-permit-core.php') && !cme\_is\_plugin\_active('presspermit-pro.php')))
148
&& !isset($\_GET\['pp-after-click'\])
148
&& !isset( $\_GET\['pp-after-click'\])
149
149
&& !defined('CAPSMAN\_DISABLE\_PERMISSIONS\_PROMO')
150
150
) {
…
…
157
157
) {
158
158
require\_once ( dirname(\_\_FILE\_\_) . '/includes-core/pp-capabilities-permissions.php' );
159
}
159
}
160
160
});
161
161
}
capability-manager-enhanced/trunk/includes/admin.php
r2621618
r2640161
694
694
}
695
695
696
if (empty($caps\_manager\_postcaps\_section)) {
697
$caps\_manager\_postcaps\_section = '';
698
}
699
696
700
do\_action('publishpress-caps\_manager\_postcaps\_section', compact('current', 'rcaps', 'pp\_metagroup\_caps', 'is\_administrator', 'default\_caps', 'custom\_types', 'defined', 'unfiltered', 'pp\_metagroup\_caps','caps\_manager\_postcaps\_section', 'active\_tab\_id'));
697
701
capability-manager-enhanced/trunk/includes/settings-handler.php
r2589382
r2640161
8
8
9
9
add\_action('init', function() {
10
11
if (!empty($\_POST\['all\_options'\])) {
12
foreach(explode(',', $\_POST\['all\_options'\]) as $option\_name) {
13
$value = isset($\_POST\[$option\_name\]) ? $\_POST\[$option\_name\] : '';
14
15
if (!is\_array($value)) {
16
$value = trim($value);
17
}
18
19
update\_option($option\_name, stripslashes\_deep($value));
20
}
10
if (wp\_verify\_nonce($\_REQUEST\['\_wpnonce'\], 'pp-capabilities-settings') && current\_user\_can('manage\_capabilities')) {
11
if (!empty($\_POST\['all\_options'\])) {
12
foreach(explode(',', $\_POST\['all\_options'\]) as $option\_name) {
13
foreach (\['cme\_', 'capsman', 'pp\_capabilities'\] as $prefix) {
14
if (0 === strpos($option\_name, $prefix)) {
15
$value = isset($\_POST\[$option\_name\]) ? $\_POST\[$option\_name\] : '';
16
17
if (!is\_array($value)) {
18
$value = trim($value);
19
}
20
21
update\_option($option\_name, stripslashes\_deep($value));
22
}
23
}
24
}
25
}
26
27
do\_action('pp-capabilities-update-settings');
21
28
}
22
23
do\_action('pp-capabilities-update-settings');
24
29
});
capability-manager-enhanced/trunk/readme.txt
r2621618
r2640161
8
8
Tested up to: 5.8
9
9
Requires PHP: 5.6.20
10
Stable tag: 2.3
10
Stable tag: 2.3.1
11
11
License: GPLv3
12
12
License URI: https://www.gnu.org/licenses/gpl-3.0.html
…
…
48
48
49
49
Many WordPress users have sites with custom post types. This can be done using custom code, a theme, or with a plugin. No matter how your post type is created, PublishPress Capabilities lets you enforce and assign distinct capabilities for your post type.
50
50
51
\[Click here to see how to control post type permissions\](https://publishpress.com/knowledge-base/custom-post-types-capability/).
51
52
…
…
66
67
67
68
Every time you change your permissions, the PublishPress Capabilities plugin will now automatically create a backup. If you make a mistake, go to the "Backup" menu link and you'll be able to roll back to a previous version.
69
68
70
\[Click here to see how to backup permissions\](https://publishpress.com/knowledge-base/backup-restore-permissions/).
69
71
…
…
71
73
72
74
With PublishPress Capabilities you can create or copy any existing WordPress user role. These roles can be customized in exactly the same way as the default WordPress roles. These new roles can be added to single sites or to an entire multisite network.
75
73
76
\[Click here to see how to create or copy user roles\](https://publishpress.com/knowledge-base/create-or-copy-user-roles/).
74
77
…
…
88
91
89
92
PublishPress Capabilities enables you to decide who can upload, edit and delete files from your site's Media Library. By default, only Administrators are able to delete files in your Media Library. Subscribers and Contributors are not even allowed to upload files. You can customize these permissions for the Media Library and also the Featured Image box.
93
90
94
\[Click here to learn about Media Library permissions\](https://publishpress.com/knowledge-base/control-media-library-access/).
91
95
…
…
93
97
94
98
We mentioned earlier that PublishPress Capabilities has special support for WooCommerce taxonomies. This is true for the rest of WooCommerce also. With PublishPress Capabilities you can control permissions for WooCommerce products, orders and coupons.
99
95
100
\[Click here to learn about WooCommerce permissions\](https://publishpress.com/knowledge-base/woocommerce-permissons/).
96
101
…
…
98
103
99
104
PublishPress Capabilities allows you to control permissions on a single site or across your whole network. Every time you update permissions in PublishPress Capabilities, you can choose to sync those changes across your multisite network.
105
100
106
\[Click here to learn about multisite permissions\](https://publishpress.com/knowledge-base/multisite-network/).
101
107
…
…
150
156
Fixed : Non-administrators with user editing capabilities could add new Administrators
151
157
158
\= 2.3.1 =
159
Fixed : Security issue. Please update.
160
152
161
\== Changelog ==
162
163
\= 2.3.1 - 6 Dec 2021 =
164
\* Fixed : Security issue
165
\* Fixed : PHP Notice on Capabilities screen
153
166
154
167
\= 2.3 - 28 Oct 2021 =
Note: See TracChangeset for help on using the changeset viewer.