Headline
CVE-2020-36726: Changeset 2409141 – WordPress Plugin Repository
The Ultimate Reviews plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.32 via deserialization of untrusted input in several vulnerable functions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin.
Timestamp:
10/29/2020 02:50:27 PM (3 years ago)
Rustaurius
Message:
v2.1.33 and tagging
Location:
ultimate-reviews
Files:
- tags/2.1.33 (copied from ultimate-reviews/trunk)
- tags/2.1.33/Functions/EWD_URP_Submit_Review.php (2 diffs)
- tags/2.1.33/Functions/Process_Ajax.php (1 diff)
- tags/2.1.33/Main.php (1 diff)
- tags/2.1.33/Shortcodes/SelectReview.php (1 diff)
- tags/2.1.33/css/ewd-urp-styles.css (1 diff)
- tags/2.1.33/js/ewd-urp-dashboard-review-ask.js (1 diff)
- tags/2.1.33/readme.txt (1 diff)
- trunk/Functions/EWD_URP_Submit_Review.php (2 diffs)
- trunk/Functions/Process_Ajax.php (1 diff)
- trunk/Main.php (1 diff)
- trunk/Shortcodes/SelectReview.php (1 diff)
- trunk/css/ewd-urp-styles.css (1 diff)
- trunk/js/ewd-urp-dashboard-review-ask.js (1 diff)
- trunk/readme.txt (1 diff)
Legend:
Unmodified
Added
Removed
ultimate-reviews/tags/2.1.33/Functions/EWD_URP_Submit_Review.php
r2336954
r2409141
90
90
91
91
if ($One\_Review\_Per\_Product\_Person == "Yes") {
92
$Reviewed\_Products = (isset($\_COOKIE\['EWD\_URP\_Reviewed\_Products'\]) ? unserialize(stripslashes($\_COOKIE\['EWD\_URP\_Reviewed\_Products'\])) : array());
92
93
$Reviewed\_Products = isset($\_COOKIE\['EWD\_URP\_Reviewed\_Products'\]) ? json\_decode($\_COOKIE\['EWD\_URP\_Reviewed\_Products'\]) : array();
94
$Reviewed\_Products = is\_array( $Reviewed\_Products ) ? array\_map( 'sanitize\_text\_field', $Reviewed\_Products ) : array();
93
95
94
if (in\_array($Product\_Name, $Reviewed\_Products)) {
96
if ( in\_array($Product\_Name, $Reviewed\_Products) ) {
95
97
$user\_message = \_\_("You have already submitted a review for a product with that product name. Please select a different product to review.", 'ultimate-reviews');
96
98
return $user\_message;
…
…
99
101
$Reviewed\_Products\[\] = $Product\_Name;
100
102
101
setcookie('EWD\_URP\_Reviewed\_Products', serialize($Reviewed\_Products), time() + 365\*24\*3600, '/');
103
setcookie('EWD\_URP\_Reviewed\_Products', json\_encode($Reviewed\_Products), time() + 365\*24\*3600, '/');
102
104
}
103
105
ultimate-reviews/tags/2.1.33/Functions/Process_Ajax.php
r2336954
r2409141
69
69
else {update\_post\_meta( $Review\_ID, 'EWD\_URP\_Review\_Karma', $Karma + 1 );}
70
70
71
$EWD\_URP\_Karma\_IDs = unserialize(stripslashes($\_COOKIE\['EWD\_URP\_Karma\_IDs'\]));
71
$EWD\_URP\_Karma\_IDs = isset( $\_COOKIE\['EWD\_URP\_Karma\_IDs'\] ) ? json\_decode( $\_COOKIE\['EWD\_URP\_Karma\_IDs'\] ) : array();
72
$EWD\_URP\_Karma\_IDs = is\_array( $EWD\_URP\_Karma\_IDs ) ? array\_map( 'intval', $EWD\_URP\_Karma\_IDs ) : array();
72
73
$EWD\_URP\_Karma\_IDs\[\] = $Review\_ID;
73
74
74
setcookie('EWD\_URP\_Karma\_IDs', serialize($EWD\_URP\_Karma\_IDs), time()+3600\*24\*365, '/');
75
setcookie('EWD\_URP\_Karma\_IDs', json\_encode( $EWD\_URP\_Karma\_IDs ), time()+3600\*24\*365, '/');
75
76
}
76
77
add\_action('wp\_ajax\_urp\_update\_karma', 'EWD\_URP\_Update\_Karama');
ultimate-reviews/tags/2.1.33/Main.php
r2379758
r2409141
8
8
Terms and Conditions: http://www.etoilewebdesign.com/plugin-terms-and-conditions/
9
9
Text Domain: ultimate-reviews
10
Version: 2.1.32
10
Version: 2.1.33
11
11
\*/
12
12
ultimate-reviews/tags/2.1.33/Shortcodes/SelectReview.php
r2263410
r2409141
125
125
126
126
if ($Karma == "") {$Karma = 0;}
127
if(isset($\_COOKIE\['EWD\_URP\_Karma\_IDs'\])) {$EWD\_URP\_Karma\_IDs = unserialize(stripslashes($\_COOKIE\['EWD\_URP\_Karma\_IDs'\]));}
128
else {$EWD\_URP\_Karma\_IDs = array();}
129
if (!is\_array($EWD\_URP\_Karma\_IDs)) {$EWD\_URP\_Karma\_IDs = array();}
127
128
$EWD\_URP\_Karma\_IDs = isset( $\_COOKIE\['EWD\_URP\_Karma\_IDs'\] ) ? json\_decode( $\_COOKIE\['EWD\_URP\_Karma\_IDs'\] ) : array();
129
$EWD\_URP\_Karma\_IDs = is\_array( $EWD\_URP\_Karma\_IDs ) ? array\_map( 'intval', $EWD\_URP\_Karma\_IDs ) : array();
130
130
131
if (in\_array($Review->ID, $EWD\_URP\_Karma\_IDs)) {$Karma\_ID = "0";}
131
132
else {$Karma\_ID = $Review->ID;}
ultimate-reviews/tags/2.1.33/css/ewd-urp-styles.css
r2263410
r2409141
519
519
margin-top: 8px;
520
520
margin-bottom: 32px;
521
clear: both;
521
522
}
522
523
.ewd-urp-filtering-toggle {
ultimate-reviews/tags/2.1.33/js/ewd-urp-dashboard-review-ask.js
r2379758
r2409141
2
2
jQuery('.ewd-urp-main-dashboard-review-ask').css('display', 'block');
3
3
4
jQuery('.ewd-urp-main-dashboard-review-ask .notice-dismiss').on('click', function(event) {
5
var data = 'Ask\_Review\_Date=7&action=ewd\_urp\_hide\_review\_ask';
6
jQuery.post(ajaxurl, data, function() {});
7
});
4
jQuery(document).on('click', '.ewd-urp-main-dashboard-review-ask .notice-dismiss', function(event) {
5
var data = 'Ask\_Review\_Date=7&action=ewd\_urp\_hide\_review\_ask';
6
jQuery.post(ajaxurl, data, function() {});
7
});
8
8
9
9
jQuery('.ewd-urp-review-ask-yes').on('click', function() {
ultimate-reviews/tags/2.1.33/readme.txt
r2379758
r2409141
272
272
\== Changelog ==
273
273
274
\= 2.1.33 =
275
\- Updating cookie security
276
274
277
\= 2.1.32 =
275
278
\- Corrects recent issue causing the feedback notice to not dismiss correctly
ultimate-reviews/trunk/Functions/EWD_URP_Submit_Review.php
r2336954
r2409141
90
90
91
91
if ($One\_Review\_Per\_Product\_Person == "Yes") {
92
$Reviewed\_Products = (isset($\_COOKIE\['EWD\_URP\_Reviewed\_Products'\]) ? unserialize(stripslashes($\_COOKIE\['EWD\_URP\_Reviewed\_Products'\])) : array());
92
93
$Reviewed\_Products = isset($\_COOKIE\['EWD\_URP\_Reviewed\_Products'\]) ? json\_decode($\_COOKIE\['EWD\_URP\_Reviewed\_Products'\]) : array();
94
$Reviewed\_Products = is\_array( $Reviewed\_Products ) ? array\_map( 'sanitize\_text\_field', $Reviewed\_Products ) : array();
93
95
94
if (in\_array($Product\_Name, $Reviewed\_Products)) {
96
if ( in\_array($Product\_Name, $Reviewed\_Products) ) {
95
97
$user\_message = \_\_("You have already submitted a review for a product with that product name. Please select a different product to review.", 'ultimate-reviews');
96
98
return $user\_message;
…
…
99
101
$Reviewed\_Products\[\] = $Product\_Name;
100
102
101
setcookie('EWD\_URP\_Reviewed\_Products', serialize($Reviewed\_Products), time() + 365\*24\*3600, '/');
103
setcookie('EWD\_URP\_Reviewed\_Products', json\_encode($Reviewed\_Products), time() + 365\*24\*3600, '/');
102
104
}
103
105
ultimate-reviews/trunk/Functions/Process_Ajax.php
r2336954
r2409141
69
69
else {update\_post\_meta( $Review\_ID, 'EWD\_URP\_Review\_Karma', $Karma + 1 );}
70
70
71
$EWD\_URP\_Karma\_IDs = unserialize(stripslashes($\_COOKIE\['EWD\_URP\_Karma\_IDs'\]));
71
$EWD\_URP\_Karma\_IDs = isset( $\_COOKIE\['EWD\_URP\_Karma\_IDs'\] ) ? json\_decode( $\_COOKIE\['EWD\_URP\_Karma\_IDs'\] ) : array();
72
$EWD\_URP\_Karma\_IDs = is\_array( $EWD\_URP\_Karma\_IDs ) ? array\_map( 'intval', $EWD\_URP\_Karma\_IDs ) : array();
72
73
$EWD\_URP\_Karma\_IDs\[\] = $Review\_ID;
73
74
74
setcookie('EWD\_URP\_Karma\_IDs', serialize($EWD\_URP\_Karma\_IDs), time()+3600\*24\*365, '/');
75
setcookie('EWD\_URP\_Karma\_IDs', json\_encode( $EWD\_URP\_Karma\_IDs ), time()+3600\*24\*365, '/');
75
76
}
76
77
add\_action('wp\_ajax\_urp\_update\_karma', 'EWD\_URP\_Update\_Karama');
ultimate-reviews/trunk/Main.php
r2379758
r2409141
8
8
Terms and Conditions: http://www.etoilewebdesign.com/plugin-terms-and-conditions/
9
9
Text Domain: ultimate-reviews
10
Version: 2.1.32
10
Version: 2.1.33
11
11
\*/
12
12
ultimate-reviews/trunk/Shortcodes/SelectReview.php
r2263410
r2409141
125
125
126
126
if ($Karma == "") {$Karma = 0;}
127
if(isset($\_COOKIE\['EWD\_URP\_Karma\_IDs'\])) {$EWD\_URP\_Karma\_IDs = unserialize(stripslashes($\_COOKIE\['EWD\_URP\_Karma\_IDs'\]));}
128
else {$EWD\_URP\_Karma\_IDs = array();}
129
if (!is\_array($EWD\_URP\_Karma\_IDs)) {$EWD\_URP\_Karma\_IDs = array();}
127
128
$EWD\_URP\_Karma\_IDs = isset( $\_COOKIE\['EWD\_URP\_Karma\_IDs'\] ) ? json\_decode( $\_COOKIE\['EWD\_URP\_Karma\_IDs'\] ) : array();
129
$EWD\_URP\_Karma\_IDs = is\_array( $EWD\_URP\_Karma\_IDs ) ? array\_map( 'intval', $EWD\_URP\_Karma\_IDs ) : array();
130
130
131
if (in\_array($Review->ID, $EWD\_URP\_Karma\_IDs)) {$Karma\_ID = "0";}
131
132
else {$Karma\_ID = $Review->ID;}
ultimate-reviews/trunk/css/ewd-urp-styles.css
r2263410
r2409141
519
519
margin-top: 8px;
520
520
margin-bottom: 32px;
521
clear: both;
521
522
}
522
523
.ewd-urp-filtering-toggle {
ultimate-reviews/trunk/js/ewd-urp-dashboard-review-ask.js
r2379758
r2409141
2
2
jQuery('.ewd-urp-main-dashboard-review-ask').css('display', 'block');
3
3
4
jQuery('.ewd-urp-main-dashboard-review-ask .notice-dismiss').on('click', function(event) {
5
var data = 'Ask\_Review\_Date=7&action=ewd\_urp\_hide\_review\_ask';
6
jQuery.post(ajaxurl, data, function() {});
7
});
4
jQuery(document).on('click', '.ewd-urp-main-dashboard-review-ask .notice-dismiss', function(event) {
5
var data = 'Ask\_Review\_Date=7&action=ewd\_urp\_hide\_review\_ask';
6
jQuery.post(ajaxurl, data, function() {});
7
});
8
8
9
9
jQuery('.ewd-urp-review-ask-yes').on('click', function() {
ultimate-reviews/trunk/readme.txt
r2379758
r2409141
272
272
\== Changelog ==
273
273
274
\= 2.1.33 =
275
\- Updating cookie security
276
274
277
\= 2.1.32 =
275
278
\- Corrects recent issue causing the feedback notice to not dismiss correctly
Note: See TracChangeset for help on using the changeset viewer.