CVE-2023-5086: Changeset 2969441 for copy-the-code – WordPress Plugin Repository

The Copy Anything to Clipboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘copy’ shortcode in versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Timestamp:

09/20/2023 08:42:22 PM (4 weeks ago)

surror

Message:

Update to version 2.6.5 from GitHub

Location:

copy-the-code

Files:

  • tags/2.6.5 (copied from copy-the-code/trunk)
  • tags/2.6.5/classes/class-copy-the-code-shortcode.php (1 diff)
  • tags/2.6.5/copy-the-code.php (2 diffs)
  • tags/2.6.5/readme.txt (3 diffs)
  • trunk/classes/class-copy-the-code-shortcode.php (1 diff)
  • trunk/copy-the-code.php (2 diffs)
  • trunk/readme.txt (3 diffs)

  • copy-the-code/tags/2.6.5/classes/class-copy-the-code-shortcode.php

    r2941778

    r2969441

81

81

                $icon\_color = ! empty( $atts\['icon-color'\] ) ? $atts\['icon-color'\] : '#b5b5b5';

82

82

83

 

                $display\_content = '<svg style="fill: ' . $icon\_color . '" viewBox="-21 0 512 512" xmlns="http://www.w3.org/2000/svg"><path d="m186.667969 416c-49.984375 0-90.667969-40.683594-90.667969-90.667969v-218.664062h-37.332031c-32.363281 0-58.667969 26.300781-58.667969 58.664062v288c0 32.363281 26.304688 58.667969 58.667969 58.667969h266.664062c32.363281 0 58.667969-26.304688 58.667969-58.667969v-37.332031zm0 0"></path><path d="m469.332031 58.667969c0-32.40625-26.261719-58.667969-58.664062-58.667969h-224c-32.40625 0-58.667969 26.261719-58.667969 58.667969v266.664062c0 32.40625 26.261719 58.667969 58.667969 58.667969h224c32.402343 0 58.664062-26.261719 58.664062-58.667969zm0 0"></path></svg>';

 

83

                $display\_content = '<svg style="fill: ' . esc\_attr( $icon\_color ) . '" viewBox="-21 0 512 512" xmlns="http://www.w3.org/2000/svg"><path d="m186.667969 416c-49.984375 0-90.667969-40.683594-90.667969-90.667969v-218.664062h-37.332031c-32.363281 0-58.667969 26.300781-58.667969 58.664062v288c0 32.363281 26.304688 58.667969 58.667969 58.667969h266.664062c32.363281 0 58.667969-26.304688 58.667969-58.667969v-37.332031zm0 0"></path><path d="m469.332031 58.667969c0-32.40625-26.261719-58.667969-58.664062-58.667969h-224c-32.40625 0-58.667969 26.261719-58.667969 58.667969v266.664062c0 32.40625 26.261719 58.667969 58.667969 58.667969h224c32.402343 0 58.664062-26.261719 58.664062-58.667969zm0 0"></path></svg>';

84

84

            }

85

85
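
Review bot: at new line 83, esc_attr( $icon_color ) keeps the value from closing the style attribute, but the value lands in a CSS context and is still accepted as free-form text, so anything that is valid CSS after `fill:` passes through unchanged. Line 81 shows the attribute is meant to be a colour (default '#b5b5b5'), so validate it as one where it is read, for example with sanitize_hex_color() if only hex colours are supported, fall back to the default when validation fails, and keep esc_attr() at output.
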
  • copy-the-code/tags/2.6.5/copy-the-code.php

    r2941778

    r2969441

4

4

 \* Plugin URI: https://github.com/maheshwaghmare/copy-the-code/

5

5

 \* Description: Copy the Text or HTML into the clipboard 📋 (clipboard). You can use it for Blockquote, Wishes, Messages, Shayari, Offer Codes, Special Symbols, Code Snippets, Hidden Content, Or anything which you want 🥳. Read more about <a href="https://wp.me/P4Ams0-9Sn/">Copy Anything to Clipboard</a>.

6

 

 \* Version: 2.6.4

 

6

 \* Version: 2.6.5

7

7

 \* Author: Mahesh M. Waghmare

8

8

 \* Author URI: https://maheshwaghmare.com/

…

…

 

15

15

// Set constants.

16

16

define( 'COPY\_THE\_CODE\_TITLE', esc\_html\_\_( 'Copy Anything to Clipboard', 'copy-the-code' ) );

17

 

define( 'COPY\_THE\_CODE\_VER', '2.6.4' );

 

17

define( 'COPY\_THE\_CODE\_VER', '2.6.5' );

18

18

define( 'COPY\_THE\_CODE\_FILE', \_\_FILE\_\_ );

19

19

define( 'COPY\_THE\_CODE\_BASE', plugin\_basename( COPY\_THE\_CODE\_FILE ) );
  • copy-the-code/tags/2.6.5/readme.txt

    r2941778

    r2969441

3

3

Donate link: https://www.paypal.me/mwaghmare7/

4

4

Tags: Copy, Paste, Copy to Clipboard, Clipboard, Copy Anything to Clipboard

5

 

Tested up to: 6.2.2

6

 

Stable tag: 2.6.4

 

5

Tested up to: 6.3.1

 

6

Stable tag: 2.6.5

7

7

Requires PHP: 5.6

8

8

Requires at least: 4.4

…

…

 

10

10

\== Description ==

11

11

12

 

\*\*Copy Anything to Clipboard\*\* is the #1 WordPress plugin with \*\*1,00,000+\*\* downloads 🚀

 

12

\*\*Copy Anything to Clipboard\*\* is the #1 WordPress plugin with \*\*1,15,813+\*\* downloads 🚀

13

13

14

14

You can use plugin to copy anything including:

…

…

 

127

127

\== Changelog ==

128

128

 

129

\= 2.6.5 =

 

130

 

131

\* Improvement: Compatibility to WordPress 6.3.1.

 

132

\* Improvement: Address a reflected Cross-Site Scripting vulnerability from \`icon-color\` shortcode parameter.

 

133

129

134

\= 2.6.4 =

130

135

131

136

\* Improvement: Avoided the HTML markup from the \`content\` shortcode parameter.

132

 

\* Improvement: Updated Freemius SDK version 2.5.10 to address a Reflected Cross-Site Scripting vulnerability via fs\_request\_get. Reported by @richardfromnz

 

137

\* Improvement: Updated Freemius SDK version 2.5.10 to address a Reflected Cross-Site Scripting vulnerability via fs\_request\_get.

133

138

134

139

\= 2.6.3 =
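
Review bot: the new 2.6.5 changelog entry at line 132 calls the issue a reflected Cross-Site Scripting vulnerability, but the value comes from a shortcode attribute saved in post content, which is the stored case the advisory for this changeset describes. Suggest wording the entry as stored XSS via the `icon-color` shortcode parameter, so site owners who allow contributor-level authors can judge their exposure correctly.
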
  • copy-the-code/trunk/classes/class-copy-the-code-shortcode.php

    r2941778

    r2969441

81

81

                $icon\_color = ! empty( $atts\['icon-color'\] ) ? $atts\['icon-color'\] : '#b5b5b5';

82

82

83

 

                $display\_content = '<svg style="fill: ' . $icon\_color . '" viewBox="-21 0 512 512" xmlns="http://www.w3.org/2000/svg"><path d="m186.667969 416c-49.984375 0-90.667969-40.683594-90.667969-90.667969v-218.664062h-37.332031c-32.363281 0-58.667969 26.300781-58.667969 58.664062v288c0 32.363281 26.304688 58.667969 58.667969 58.667969h266.664062c32.363281 0 58.667969-26.304688 58.667969-58.667969v-37.332031zm0 0"></path><path d="m469.332031 58.667969c0-32.40625-26.261719-58.667969-58.664062-58.667969h-224c-32.40625 0-58.667969 26.261719-58.667969 58.667969v266.664062c0 32.40625 26.261719 58.667969 58.667969 58.667969h224c32.402343 0 58.664062-26.261719 58.664062-58.667969zm0 0"></path></svg>';

 

83

                $display\_content = '<svg style="fill: ' . esc\_attr( $icon\_color ) . '" viewBox="-21 0 512 512" xmlns="http://www.w3.org/2000/svg"><path d="m186.667969 416c-49.984375 0-90.667969-40.683594-90.667969-90.667969v-218.664062h-37.332031c-32.363281 0-58.667969 26.300781-58.667969 58.664062v288c0 32.363281 26.304688 58.667969 58.667969 58.667969h266.664062c32.363281 0 58.667969-26.304688 58.667969-58.667969v-37.332031zm0 0"></path><path d="m469.332031 58.667969c0-32.40625-26.261719-58.667969-58.664062-58.667969h-224c-32.40625 0-58.667969 26.261719-58.667969 58.667969v266.664062c0 32.40625 26.261719 58.667969 58.667969 58.667969h224c32.402343 0 58.664062-26.261719 58.664062-58.667969zm0 0"></path></svg>';

84

84

            }

85

85
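
Review bot: only `icon-color` at line 83 is escaped in this file, while the advisory speaks of user-supplied attributes in the plural and the lines outside this hunk are not shown. Please confirm that every other `$atts` value reaching markup in this shortcode handler is escaped for its output context (esc_attr(), esc_html(), esc_url()), or extend the change to cover them.
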
  • copy-the-code/trunk/copy-the-code.php

    r2941778

    r2969441

4

4

 \* Plugin URI: https://github.com/maheshwaghmare/copy-the-code/

5

5

 \* Description: Copy the Text or HTML into the clipboard 📋 (clipboard). You can use it for Blockquote, Wishes, Messages, Shayari, Offer Codes, Special Symbols, Code Snippets, Hidden Content, Or anything which you want 🥳. Read more about <a href="https://wp.me/P4Ams0-9Sn/">Copy Anything to Clipboard</a>.

6

 

 \* Version: 2.6.4

 

6

 \* Version: 2.6.5

7

7

 \* Author: Mahesh M. Waghmare

8

8

 \* Author URI: https://maheshwaghmare.com/

…

…

 

15

15

// Set constants.

16

16

define( 'COPY\_THE\_CODE\_TITLE', esc\_html\_\_( 'Copy Anything to Clipboard', 'copy-the-code' ) );

17

 

define( 'COPY\_THE\_CODE\_VER', '2.6.4' );

 

17

define( 'COPY\_THE\_CODE\_VER', '2.6.5' );

18

18

define( 'COPY\_THE\_CODE\_FILE', \_\_FILE\_\_ );

19

19

define( 'COPY\_THE\_CODE\_BASE', plugin\_basename( COPY\_THE\_CODE\_FILE ) );
  • copy-the-code/trunk/readme.txt

    r2941778

    r2969441

3

3

Donate link: https://www.paypal.me/mwaghmare7/

4

4

Tags: Copy, Paste, Copy to Clipboard, Clipboard, Copy Anything to Clipboard

5

 

Tested up to: 6.2.2

6

 

Stable tag: 2.6.4

 

5

Tested up to: 6.3.1

 

6

Stable tag: 2.6.5

7

7

Requires PHP: 5.6

8

8

Requires at least: 4.4

…

…

 

10

10

\== Description ==

11

11

12

 

\*\*Copy Anything to Clipboard\*\* is the #1 WordPress plugin with \*\*1,00,000+\*\* downloads 🚀

 

12

\*\*Copy Anything to Clipboard\*\* is the #1 WordPress plugin with \*\*1,15,813+\*\* downloads 🚀

13

13

14

14

You can use plugin to copy anything including:

…

…

 

127

127

\== Changelog ==

128

128

 

129

\= 2.6.5 =

 

130

 

131

\* Improvement: Compatibility to WordPress 6.3.1.

 

132

\* Improvement: Address a reflected Cross-Site Scripting vulnerability from \`icon-color\` shortcode parameter.

 

133

129

134

\= 2.6.4 =

130

135

131

136

\* Improvement: Avoided the HTML markup from the \`content\` shortcode parameter.

132

 

\* Improvement: Updated Freemius SDK version 2.5.10 to address a Reflected Cross-Site Scripting vulnerability via fs\_request\_get. Reported by @richardfromnz

 

137

\* Improvement: Updated Freemius SDK version 2.5.10 to address a Reflected Cross-Site Scripting vulnerability via fs\_request\_get.

133

138

134

139

\= 2.6.3 =
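
Review bot: in the 2.6.4 entry (old line 132, new line 137) the credit "Reported by @richardfromnz" is dropped, and the commit message "Update to version 2.6.5 from GitHub" gives no reason for it. If the removal is intentional, say so in the message; otherwise restore the credit, and consider naming the reporter of the `icon-color` issue in the 2.6.5 entry, which currently credits no one.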
