CVE-2023-2416: vcita-ajax-function.php in meeting-scheduler-by-vcita/trunk – WordPress Plugin Repository

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for unauthenticated attackers to log out a vcita connected account, which causes a denial of service on the appointment scheduler, via a forged request, provided they can trick a site user into performing an action such as clicking on a link.


```php
<?php

// AJAX hooks registered by the plugin. Note that none of the callbacks below
// validates a nonce (check_ajax_referer / wp_verify_nonce), which is the root
// cause of the CSRF described in CVE-2023-2416.
add_action('wp_ajax_vcita_dismiss', 'vcita_dismiss');
add_action('wp_ajax_vcita_logout', 'vcita_logout_callback');
add_action('wp_ajax_vcita_check_auth', 'vcita_check_auth');
add_action('wp_ajax_vcita_save_settings', 'vcita_save_settings_callback');
add_action('wp_ajax_vcita_save_data', 'vcita_save_user_data_callback');
add_action('wp_ajax_vcita_deactivate_others', 'vcita_vcita_deactivate_others_callback');

function vcita_dismiss()
{
    if (isset($_GET['dismiss'])) {
        $wpshd_vcita_widget = (array)get_option(WPSHD_VCITA_WIDGET_KEY);
        $wpshd_vcita_widget['dismiss'] = true;
        $wpshd_vcita_widget['dismiss_time'] = microtime(true);
        update_option(WPSHD_VCITA_WIDGET_KEY, $wpshd_vcita_widget);
        echo 'dismissed';
        wp_die();
    } else if (isset($_GET['dismiss_switch'])) {
        $wpshd_vcita_widget = (array)get_option(WPSHD_VCITA_WIDGET_KEY);
        $wpshd_vcita_widget['dismiss_switch'] = true;
        $wpshd_vcita_widget['dismiss_switch_time'] = microtime(true);
        update_option(WPSHD_VCITA_WIDGET_KEY, $wpshd_vcita_widget);
        echo 'dismissed';
        wp_die();
    } else if (isset($_GET['switch_on'])) {
        $wpshd_vcita_widget = (array)get_option(WPSHD_VCITA_WIDGET_KEY);
        $wpshd_vcita_widget['dismiss_switch'] = false;
        unset($wpshd_vcita_widget['dismiss_switch_time']);
        $wpshd_vcita_widget['show_on_site'] = 1;
        update_option(WPSHD_VCITA_WIDGET_KEY, $wpshd_vcita_widget);
        echo 'dismissed';
        wp_die();
    }
}

function vcita_check_auth()
{
    $wpshd_vcita_widget = (array)get_option(WPSHD_VCITA_WIDGET_KEY);
    echo json_encode($wpshd_vcita_widget);
    wp_die();
}

function vcita_vcita_deactivate_others_callback()
{
    $av_plugin_list = wp_cache_get('WPSHD_VCITA_ANOTHER_PLUGIN_LIST');
    $found = array();
    foreach ($av_plugin_list as $av_plugin) $found[] = $av_plugin['file'];
    deactivate_plugins($found);

    echo 'success';
    wp_die();
}

// The handler named in the advisory: it clears the connected account and calls
// the remote logout endpoint on any request, with no nonce or capability check.
function vcita_logout_callback()
{
    $wpshd_vcita_widget = wpshd_vcita_clean_expert_data();
    $wpshd_vcita_widget['dismiss'] = false;
    unset($wpshd_vcita_widget['dismiss_time']);

    if (isset($wpshd_vcita_widget['wp_id']) && $wpshd_vcita_widget['wp_id']) {
        vcita_send_get('https://us-central1-scheduler-272415.cloudfunctions.net/scheduler-proxy/logout/' . $wpshd_vcita_widget['wp_id']);
    }

    update_option(WPSHD_VCITA_WIDGET_KEY, $wpshd_vcita_widget);
    echo 'logged out';
    wp_die();
}

function vcita_save_user_data_callback()
{
    header('Content-Type: application/json');
    $response = array();

    if (isset($_REQUEST['data_name']) && isset($_REQUEST['data_val'])) {
        $wpshd_vcita_widget = (array)get_option(WPSHD_VCITA_WIDGET_KEY);
        $wpshd_vcita_widget[$_REQUEST['data_name']] = $_REQUEST['data_val'];
        update_option(WPSHD_VCITA_WIDGET_KEY, $wpshd_vcita_widget);
        $response['success'] = true;
    } else {
        $response['error'] = 'Request invalid';
    }

    echo json_encode($response);
    wp_die();
}

function vcita_save_settings_callback()
{
    header('Content-Type: application/json');
    $response = array();

    if (isset($_POST['btn_text']) || isset($_POST['btn_color']) || isset($_POST['txt_color']) ||
        isset($_POST['show_on_site']) || isset($_POST['widget_title']) || isset($_POST['widget_title']) ||
        isset($_POST['txt_color']) || isset($_POST['widget_show']) || isset($_POST['widget_text']) ||
        isset($_FILES['widget_img']) || isset($_POST['calendar_page_active']) || isset($_POST['contact_page_active']) ||
        isset($_POST['hover_color']) || isset($_POST['vcita_design'])
    ) {
        $wpshd_vcita_widget = (array)get_option(WPSHD_VCITA_WIDGET_KEY);

        if (isset($_POST['show_on_site'])) {
            $wpshd_vcita_widget['show_on_site'] = $_POST['show_on_site'];

            if ($_POST['show_on_site']) {
                $wpshd_vcita_widget['dismiss_switch'] = false;
                unset($wpshd_vcita_widget['dismiss_switch_time']);
            }
        }

        if (isset($_POST['vcita_design'])) {
            $wpshd_vcita_widget['vcita_design'] = $_POST['vcita_design'];
        }

        if (isset($_POST['btn_text'])) {
            $wpshd_vcita_widget['btn_text'] = htmlentities($_POST['btn_text']);
        }

        if (isset($_POST['btn_color'])) {
            $wpshd_vcita_widget['btn_color'] = $_POST['btn_color'];
        }

        if (isset($_POST['txt_color'])) {
            $wpshd_vcita_widget['txt_color'] = $_POST['txt_color'];
        }

        if (isset($_POST['hover_color'])) {
            $wpshd_vcita_widget['hover_color'] = $_POST['hover_color'];
        }

        if (isset($_POST['widget_title'])) {
            $wpshd_vcita_widget['widget_title'] = htmlentities($_POST['widget_title']);
        }

        if (isset($_POST['txt_color'])) {
            $wpshd_vcita_widget['txt_color'] = $_POST['txt_color'];
        }

        if (isset($_POST['widget_show'])) {
            $wpshd_vcita_widget['widget_show'] = $_POST['widget_show'];
        }

        if (isset($_POST['widget_text'])) {
            $wpshd_vcita_widget['widget_text'] = htmlentities($_POST['widget_text']);
        }

        if (isset($_POST['widget_img_clear']) && $_POST['widget_img_clear']) {
            if (!empty($wpshd_vcita_widget['widget_img'])) {
                wp_delete_attachment($wpshd_vcita_widget['widget_img'], true);
                $wpshd_vcita_widget['widget_img'] = '';
            }
        }

        if (isset($_POST['calendar_page_active'])) {
            if ($_POST['calendar_page_active'] && $wpshd_vcita_widget['uid']) {
                wpshd_vcita_make_sure_calendar_page_published($wpshd_vcita_widget, true);
                $wpshd_vcita_widget['calendar_page_active'] = 1;
            } else {
                wpshd_vcita_trash_current_calendar_page($wpshd_vcita_widget);
                $wpshd_vcita_widget['calendar_page_active'] = 0;
            }
        }

        if (isset($_POST['contact_page_active'])) {
            if ($_POST['contact_page_active'] && $wpshd_vcita_widget['uid']) {
                wpshd_vcita_make_sure_page_published($wpshd_vcita_widget, true);
                $wpshd_vcita_widget['contact_page_active'] = 1;
            } else {
                wpshd_vcita_trash_contact_page($wpshd_vcita_widget);
                $wpshd_vcita_widget['contact_page_active'] = 0;
            }
        }

        if (isset($_FILES['widget_img']) && $_FILES['widget_img']['error'] == UPLOAD_ERR_OK) {
            require_once($_SERVER['DOCUMENT_ROOT'] . '/wp-load.php');

            $wordpress_upload_dir = wp_upload_dir();
            $i = 1;

            $widget_img = $_FILES['widget_img'];
            $new_file_path = $wordpress_upload_dir['path'] . '/' . $widget_img['name'];
            $new_file_mime = mime_content_type($widget_img['tmp_name']);
            $_error = false;

            if (empty($widget_img)) $_error = true;
            if ($widget_img['error']) $_error = true;
            if ($widget_img['size'] > wp_max_upload_size()) $_error = true;
            if (!in_array($new_file_mime, get_allowed_mime_types())) $_error = true;

            while (file_exists($new_file_path)) {
                $i++;
                $new_file_path = $wordpress_upload_dir['path'] . '/' . $i . '_' . $widget_img['name'];
            }

            if ($_error) {
                file_put_contents(dirname(__FILE__) . '/debug.log', print_r($_FILES['widget_img'], TRUE), FILE_APPEND);
                file_put_contents(dirname(__FILE__) . '/debug.log', 'error occured', FILE_APPEND);
            }

            if (move_uploaded_file($widget_img['tmp_name'], $new_file_path) && $_error === false) {
                $upload_id = wp_insert_attachment(array(
                    'guid' => $new_file_path,
                    'post_mime_type' => $new_file_mime,
                    'post_title' => preg_replace('/\.[^.]+$/', '', $widget_img['name']),
                    'post_content' => '',
                    'post_status' => 'inherit'
                ), $new_file_path);

                require_once(ABSPATH . 'wp-admin/includes/image.php');

                wp_update_attachment_metadata($upload_id, wp_generate_attachment_metadata($upload_id, $new_file_path));
                $wpshd_vcita_widget['widget_img'] = $upload_id;
                $response['widget_img'] = wp_get_attachment_image($upload_id);
            }
        }

        if (!isset($response['error']) || !$response['error']) {
            $response['success'] = true;
        }

        update_option(WPSHD_VCITA_WIDGET_KEY, $wpshd_vcita_widget);
    } else {
        $response['error'] = 'Nothing to change';
    }

    echo json_encode($response);
    wp_die();
}

// Outbound HTTP helpers. Both disable TLS certificate and hostname verification.
function vcita_send_get($url, $options = array())
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    if (isset($options['auth_token'])) {
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'Authorization: Bearer ' . $options['auth_token']));
    }

    $output = curl_exec($ch);
    $error = curl_error($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if (empty($error) && $httpcode === 200) {
        return json_decode($output, true);
    } else if (empty($error)) {
        return array(
            'error' => $output,
            'description' => 'Request was not successful',
            'http_code' => $httpcode
        );
    } else {
        return array(
            'error' => $error,
            'description' => 'request was not successful'
        );
    }
}

function vcita_send_post($url, $options = array())
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    if ($options['post_data']) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, $options['post_data']);
    }

    if (isset($options['auth_token'])) {
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'Content-Type: application/json',
            'Authorization: Bearer ' . $options['auth_token']));
    }

    $output = curl_exec($ch);
    $error = curl_error($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if (empty($error) && $httpcode === 200) {
        return json_decode($output, true);
    } else if (empty($error)) {
        return array(
            'error' => $output,
            'description' => 'Request was not successful',
            'status' => $httpcode
        );
    } else {
        return array(
            'error' => $error,
            'description' => 'request was not successful',
            'status' => $httpcode
        );
    }
}

?>
```
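The following is an added example, not the plugin's code, showing how the logout handler above would be protected against the CSRF the advisory describes: the request is tied to a per-user nonce and to a capability before any state is changed. The nonce action name `vcita_logout_nonce`, the capability `manage_options`, and the script handle `vcita-admin` are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's own fix). Hardened counterpart of
// vcita_logout_callback(): the original runs on any request to
// admin-ajax.php?action=vcita_logout, so a logged-in user who follows a
// crafted link triggers the logout. Names marked "assumed" are illustrative.

add_action('wp_ajax_vcita_logout', 'vcita_logout_callback_hardened');

function vcita_logout_callback_hardened()
{
    // 1. CSRF protection: the nonce is bound to the logged-in user and expires.
    //    check_ajax_referer() sends a -1 response and dies when it does not match.
    //    'vcita_logout_nonce' (action) and 'nonce' (POST field) are assumed names.
    check_ajax_referer('vcita_logout_nonce', 'nonce');

    // 2. Authorization: a nonce proves intent, not privilege; still check capability.
    //    'manage_options' is an assumed choice; use the plugin's intended role.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    // 3. Only now perform the state change (same logic as the original handler).
    $wpshd_vcita_widget = wpshd_vcita_clean_expert_data();
    $wpshd_vcita_widget['dismiss'] = false;
    unset($wpshd_vcita_widget['dismiss_time']);

    if (!empty($wpshd_vcita_widget['wp_id'])) {
        vcita_send_get('https://us-central1-scheduler-272415.cloudfunctions.net/scheduler-proxy/logout/'
            . $wpshd_vcita_widget['wp_id']);
    }

    update_option(WPSHD_VCITA_WIDGET_KEY, $wpshd_vcita_widget);
    wp_send_json_success('logged out');
}

// Issue the nonce to the plugin's admin script so the legitimate UI can send it
// as the 'nonce' POST field. 'vcita-admin' is an assumed script handle.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('vcita-admin', 'vcitaAjax', array(
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('vcita_logout_nonce'),
    ));
});
```

A forged cross-site request cannot carry a valid nonce, so it stops at step 1 before the connected account is cleared; the capability check at step 2 additionally prevents low-privilege accounts from reaching the logout logic at all.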

Related news

CVE-2023-2407: Security Vulnerabilities in WordPress Plugins by vcita – Jonas' Blog

The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
