Headline
CVE-2021-25055: Changeset 2662665 – WordPress Plugin Repository
The FeedWordPress plugin before 2022.0123 is affected by a Reflected Cross-Site Scripting (XSS) within the “visibility” parameter.
Timestamp:
01/23/2022 09:56:47 PM
radgeek
Message:
Ver. 2022.0123 / small bug fixes and an IMPORTANT SECURITY FIX to a disclosed vulnerability based on malicious URLs in the admin interface; please upgrade ASAP.
Location:
feedwordpress/trunk
Files:
- feedwordpress.php (3 diffs)
- feedwordpresssyndicationpage.class.php (8 diffs)
- readme.txt (3 diffs)
- syndicatedpost.class.php (6 diffs)
feedwordpress/trunk/feedwordpress.php
r2563479
r2662665
4
4
Plugin URI: http://feedwordpress.radgeek.com/
5
5
Description: simple and flexible Atom/RSS syndication for WordPress
6
Version: 2021.0713
6
Version: 2022.0123
7
7
Author: C. Johnson
8
8
Author URI: https://feedwordpress.radgeek.com/contact/
…
…
12
12
/\*\*
13
13
\* @package FeedWordPress
14
\* @version 2021.0713
14
\* @version 2022.0123
15
15
\*/
16
16
…
…
31
31
####################################################################################
32
32
33
define ('FEEDWORDPRESS\_VERSION', '2021.0713');
33
define ('FEEDWORDPRESS\_VERSION', '2022.0123');
34
34
define ('FEEDWORDPRESS\_AUTHOR\_CONTACT', 'http://feedwordpress.radgeek.com/contact');
35
35
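Review bot: Style point on the FEEDWORDPRESS_AUTHOR_CONTACT define at line 34 of this hunk: it still points at http://feedwordpress.radgeek.com/contact while the Author URI in the plugin header hunk above already uses https://feedwordpress.radgeek.com/contact/; aligning the two so the contact link is served over TLS would be a one-line follow-up.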
feedwordpress/trunk/feedwordpresssyndicationpage.class.php
r2563479
r2662665
58
58
endif;
59
59
60
// this may be output into HTML, and it should really only ever be Y or N...
60
61
$visibility = (
61
62
isset($\_REQUEST\['visibility'\])
62
? $\_REQUEST\['visibility'\]
63
? preg\_replace('/\[^YyNn\]+/', '', strip\_tags($\_REQUEST\['visibility'\]))
63
64
: $defaultVisibility
64
65
);
65
66
66
return $visibility;
67
return (strlen($visibility) > 0 ? $visibility : $defaultVisibility);
67
68
} /\* FeedWordPressSyndicationPage::visibility\_toggle() \*/
68
69
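Review bot: The new allow-list at line 63, preg_replace('/[^YyNn]+/', '', strip_tags(...)), only strips characters outside Y/y/N/n, so values such as 'YN' or 'yyy' still pass through and are returned to the callers that print them into form actions; since the comment above says the value should only ever be Y or N, a stricter check would normalise to exactly one of the two, e.g. `$v = strtoupper(substr($visibility, 0, 1)); return in_array($v, array('Y', 'N'), true) ? $v : $defaultVisibility;`. The strlen() fallback to $defaultVisibility at line 67 is the right behaviour and also covers the case where the request value was nothing but tags or other stripped characters.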
…
…
476
477
477
478
// Hey ho, let's go...
479
$syndicatedLinks\_formAction = esc\_url( sprintf('%s&visibility=%s', $hrefPrefix, urlencode($visibility)) );
478
480
?>
479
481
<div style="float: left; background: #F5F5F5; padding-top: 5px; padding-right: 5px;"><a href="<?php print $this->form\_action(); ?>"><img src="<?php print esc\_url(plugins\_url( "feedwordpress.png", \_\_FILE\_\_ ) ); ?>" alt="" /></a></div>
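Review bot: $syndicatedLinks_formAction at line 479 correctly urlencode()s $visibility and passes the whole URL through esc_url(), but the anchor at line 481 in the same hunk still prints $this->form_action() into an href attribute without esc_url(); for consistency with the new form action, and because form_action() is the same $hrefPrefix that the escaped form action is built from, wrap that print in esc_url() as well.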
…
…
528
530
<?php endif; ?>
529
531
530
<form id="syndicated-links" action="<?php print $hrefPrefix; ?>&visibility=<?php print $visibility; ?>" method="post">
532
<form id="syndicated-links" action="<?php print $syndicatedLinks\_formAction; ?>" method="post">
531
533
<div class="container"><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?>
532
534
<label for="add-uri">Add:
…
…
552
554
$visibility = $this->visibility\_toggle();
553
555
$showInactive = $this->show\_inactive();
554
556
555
557
$hrefPrefix = $this->form\_action();
558
$formHref = esc\_url( sprintf( '%s&visibility=%s', $hrefPrefix, urlencode($visibility) ) );
556
559
?>
557
560
<div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?></div>
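Review bot: $formHref at line 558 rebuilds the same esc_url( sprintf( '%s&visibility=%s', $hrefPrefix, urlencode($visibility) ) ) expression that was introduced as $syndicatedLinks_formAction earlier in this file; factoring it into a single helper on the class would keep the two escaping paths from drifting apart in a future edit, since both exist only to fix this CVE.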
…
…
559
562
560
563
<div id="add-multiple-uri" class="hide-if-js">
561
<form action="<?php print $hrefPrefix; ?>&visibility=<?php print $visibility; ?>" method="post">
564
<form action="<?php print $formHref; ?>" method="post">
562
565
<div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?></div>
563
566
<h4>Add Multiple Sources</h4>
…
…
578
581
computer.</p>
579
582
580
<form enctype="multipart/form-data" action="<?php print $hrefPrefix; ?>&visibility=<?php print $visibility; ?>" method="post">
583
<form enctype="multipart/form-data" action="<?php print $formHref; ?>" method="post">
581
584
<div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?><input type="hidden" name="MAX\_FILE\_SIZE" value="100000" /></div>
582
585
<div style="clear: both"><label for="opml-lookup" style="float: left; width: 8.0em; margin-top: 5px;">From URL:</label> <input type="text" id="opml-lookup" name="opml\_lookup" value="OPML document" /></div>
…
…
591
594
592
595
<div id="add-single-uri" class="alignright">
593
<form id="syndicated-links" action="<?php print $hrefPrefix; ?>&visibility=<?php print $visibility; ?>" method="post">
596
<form id="syndicated-links" action="<?php print $formHref; ?>" method="post">
594
597
<div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?></div>
595
598
<ul class="subsubsub">
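Review bot: The form at line 596 keeps id="syndicated-links", which is also carried by the forms at line 532 and line 624 in the neighbouring hunks; three elements sharing one id on the same page make document.getElementById() lookups ambiguous. The duplicate ids predate this change, but while these lines are being touched a unique id per form would be cheap to add.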
…
…
619
622
</div> <!-- class="tablenav" -->
620
623
621
<form id="syndicated-links" action="<?php print $hrefPrefix; ?>&visibility=<?php print $visibility; ?>" method="post">
624
<form id="syndicated-links" action="<?php print $formHref; ?>" method="post">
622
625
<div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?></div>
623
626
feedwordpress/trunk/readme.txt
r2563479
r2662665
4
4
Tags: syndication, aggregation, feed, atom, rss
5
5
Requires at least: 4.5
6
Tested up to: 5.7.2
7
Stable tag: 2021.0713
6
Tested up to: 5.9
7
Stable tag: 2022.0123
8
8
License: GPLv2 or later
9
9
License URI: https://www.gnu.org/licenses/gpl-2.0.html
…
…
65
65
66
66
\== Changelog ==
67
68
\= 2022.0123 =
69
70
\* IMPORTANT SECURITY FIX: This version includes an important fix for a security vulnerability reported to me through WPScan and WordPress support channels.
71
72
Vulnerability CVE-2021-25055 allowed for an XSS (Cross-Site Scripting) attack using a specially crafted URL for a page within the FeedWordPress admin interface. (To be exploited, an existing user with login credentials that allow them to access the FeedWordPress dashboard would have to follow the malicious URL and log in.) This vulnerability has been corrected in the current version; to protect your site's security PLEASE BE SURE TO UPGRADE AS SOON AS POSSIBLE to version 2022.0123 or later, via the WordPress Plugin Repository or via Github.
73
74
\* BUG FIXES: Fixes a number of small possible bugs when creating new syndicated posts under unusual conditions -- a sanity check is built in to avoid infinite loops in case of certain unexpected error outcomes when creating new users; some more possible sources of PHP 8 "Countable" warnings are eliminated, etc.
67
75
68
76
\= 2021.0713 =
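Review bot: Missing documentation in the 2022.0123 changelog entry at lines 68-72: it names CVE-2021-25055 and says the attack used a crafted URL for an admin page, but does not say which parameter was affected or which versions are vulnerable. Stating that it is reflected XSS via the "visibility" parameter and that every version before 2022.0123 is affected would let site owners and vulnerability scanners match this entry to the advisory without reading the diff.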
…
…
166
174
The first is a common problem across several plugins due to an ambiguity in the WordPress documentation and a change in the behavior of WordPress's built-in add\_query\_arg() and remove\_query\_arg() functions which could, under certain low-probability conditions, allow for potential XSS attack vectors. This fixes issue # 39 reported at <https://github.com/radgeek/feedwordpress/issues/39> Thanks to github.com/quassy
167
175
168
The second is a security vulnerability fixes a security vulnerability that was reported to me privately (thanks to Adrián M. F.) which, under other low-probability conditions, could allow for SQL insertion attacks by a malicious user with access to login credentials, which would compromise data security.
176
The second fixes a security vulnerability that was reported to me privately (thanks to Adrián M. F.) which, under other low-probability conditions, could allow for SQL insertion attacks by a malicious user with access to login credentials, which would compromise data security.
169
177
170
178
It is \*IMPORTANT\* and worth your while to upgrade FeedWordPress as soon as possible in order to eliminate these vulnerabilities. If you have any questions or if there is something blocking you from making the upgrade which you need my help with, don't hesitate to get in touch.
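Review bot: The reworded line 176 fixes the duplicated "is a security vulnerability fixes a security vulnerability" phrase; while here, line 174 has a stray space in "issue # 39" and runs "Thanks to github.com/quassy" straight onto the preceding sentence without punctuation.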
feedwordpress/trunk/syndicatedpost.class.php
r2364449
r2662665
699
699
$link = $this->permalink();
700
700
if (is\_null($link)) : $link = $this->link->uri(); endif;
701
$guid .= '://'.md5($link.'/'.$this->item\['title'\]);
701
$guid .= '://'.md5($link.'/'.$this->title());
702
702
endif;
703
703
endif;
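Review bot: Changing the GUID input at line 701 from $this->item['title'] to $this->title() changes the md5() value for any item where title() returns something other than the raw $this->item['title'], so posts already stored under the old GUID could be re-imported as duplicates on the next poll; either document this as a one-time migration effect in the changelog or keep computing the legacy GUID for the existing-post lookup.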
…
…
1332
1332
$frozen = ('yes' == $this->link->setting('freeze updates', 'freeze\_updates', NULL));
1333
1333
if (!$frozen) :
1334
$frozen\_values = get\_post\_custom\_values('\_syndication\_freeze\_updates', $old\_post->ID);
1335
$frozen = (count($frozen\_values) > 0 and 'yes' == $frozen\_values\[0\]);
1334
$frozen\_value = get\_post\_meta($old\_post->ID, '\_syndication\_freeze\_updates', /\*single=\*/ true);
1335
$frozen = (!is\_null($frozen\_value) and ('yes' == $frozen\_value));
1336
1336
1337
1337
if ($frozen) :
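Review bot: get_post_meta() with $single = true (line 1334) returns an empty string, not null, when the key is absent, so the is_null() test at line 1335 never fires and 'yes' == $frozen_value is the effective check; simplify to that. The switch away from count() on get_post_custom_values() is still worthwhile, since the old call returned null for a missing key and count(null) is the PHP 8 "Countable" warning the changelog mentions.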
…
…
2340
2340
#-- loop. Keep trying to add the user until you get it
2341
2341
#-- right. Or until PHP crashes, I guess.
2342
$insanity = 0;
2342
2343
do {
2343
2344
$id = wp\_insert\_user($userdata);
…
…
2347
2348
case 'empty\_user\_login' :
2348
2349
case 'existing\_user\_login' :
2350
case 'invalid\_username' :
2349
2351
// Add a random disambiguator
2350
2352
$userdata\['user\_login'\] .= substr(md5(uniqid(microtime())), 0, 6);
2353
break;
2354
case 'user\_login\_too\_long' :
2355
// Limit length to 53 characters; if we end up needing a random disambiguator,
2356
// we should still have space to add it.
2357
$userdata\['user\_login'\] = mb\_substr( $userdata\['user\_login'\], 0, 53 );
2351
2358
break;
2352
2359
case 'user\_nicename\_too\_long' :
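Review bot: Logic issue in the new case 'invalid_username' at line 2350: it shares the branch that appends six random hex characters to user_login, but if the login was rejected for containing disallowed characters, the suffix does not remove them, so the next wp_insert_user() returns the same error and the loop keeps appending; pass the login through sanitize_user() before adding the disambiguator. The 53-character mb_substr() at line 2357 is sound: 53 plus the 6-character suffix stays under the 60-character user_login limit that produces 'user_login_too_long'.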
…
…
2364
2371
$userdata\['user\_email'\] = $parts\[0\].'@'.$parts\[1\];
2365
2372
break;
2373
default :
2374
if ( $insanity > 10 ) :
2375
// Try some settings that are unlikely to cause complaint...
2376
$url = parse\_url($hostUrl);
2377
2378
$userdata\['user\_login'\] = substr(md5(uniqid(microtime())), 0, 6);
2379
$userdata\['user\_nicename'\] = $userdata\['user\_login'\];
2380
$userdata\['user\_email'\] = 'noreply@' . $url\['host'\];
2381
elseif ( $insanity > 50 ) :
2382
// Stop doing the same thing and expecting a different result
2383
break;
2384
endif;
2366
2385
endswitch;
2367
2386
endif;
2387
$insanity = $insanity + 1;
2368
2388
} while (is\_wp\_error($id));
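Review bot: Two problems in the default branch at lines 2374-2384. First, `elseif ( $insanity > 50 )` is unreachable because `$insanity > 10` is tested first and is true for every value above 50. Second, the `break` at line 2383 only leaves the switch, not the do/while, so even if it ran the loop would continue for as long as is_wp_error($id) holds. Since the changelog describes this as a sanity check against infinite loops, put the bound in the loop condition itself, e.g. `} while (is_wp_error($id) and $insanity < 50);`, and test the larger threshold first. Also, $url['host'] at line 2380 raises a notice when parse_url() fails or the URL has no host component; guard it before use.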
2369
2389
…
…
2373
2393
// suggestion of @boonebgorges, in case we need to process,
2374
2394
// winnow, filter, or merge syndicated author accounts, &c.
2375
add\_user\_meta($id, 'feedwordpress\_generated', 1);
2376
2395
if (!is\_wp\_error($id)) :
2396
add\_user\_meta($id, 'feedwordpress\_generated', 1);
2397
else :
2398
$id = null;
2399
endif;
2400
2377
2401
elseif (is\_numeric($unfamiliar\_author) and get\_userdata((int) $unfamiliar\_author)) :
2378
2402
$id = (int) $unfamiliar\_author;
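Review bot: Setting $id = null at line 2398 discards the WP_Error without a trace; log $id->get_error_message() before nulling it so an operator can see why author creation kept failing, and confirm that the code after this block handles a null $id, since the elseif at line 2401 only covers the numeric $unfamiliar_author path.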