CVE-2022-1567: wp-js.php in wp-js/trunk – WordPress Plugin Repository

The WP-JS plugin for WordPress contains a script called wp-js.php whose function wp_js_admin accepts unvalidated user input and echoes it back to the user. This can be used for reflected Cross-Site Scripting in versions up to, and including, 2.0.6.

Source of wp-js.php as shipped in version 2.0.6 (line numbers stripped and quoting repaired; the unescaped echo of the request parameter is marked):

```php
<?php
/*
Plugin Name: WP JS
Plugin URI: http://www.halmatferello.com/lab/wp-js/
Description: Automatically GZIP your JS files and applies jsmin algorithm. Also add JavaScript files to specific posts/pages.
Author: Halmat Ferello
Author URI: http://www.halmatferello.com
Version: 2.0.6

Copyright © 2008 Halmat Ferello

Released under the GPL v.2, http://www.gnu.org/copyleft/gpl.html

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
*/

include_once('wp-js-functions.php');

define('WP_JS_VERSION', '2.0.6');
define('WP_JS_URL', get_option('siteurl').'/'.PLUGINDIR.'/wp-js');
define('WP_JS_PATH', ABSPATH.PLUGINDIR.'/wp-js');
define('WP_JS_CACHE_PATH', WP_JS_PATH.'/cache/');

define('TEMPLATEURL', get_theme_root_uri().'/'.get_stylesheet());

if ( !is_dir(WP_JS_CACHE_PATH) ) @mkdir(WP_JS_CACHE_PATH);

if (!defined('WP_ADMIN')) {
    wp_js_setting(array(
        'u' => TEMPLATEURL,
        'p' => get_theme_root().'/'.get_stylesheet(),
        'c' => wp_js_cache_time()
    ));
}

function wp_js($file, $echo = true)
{
    if (!file_exists(WP_JS_CACHE_PATH.'wp-js-settings.txt')) {
        $url_array = array(
            'c' => wp_js_cache_time(),
            'u' => TEMPLATEURL,
            'p' => TEMPLATEPATH
        );
    }

    $wp_js_attributes = wp_js_url($url_array);

    if (wp_js_activation() == 'on') {
        $string = get_settings('siteurl') . '/wp-content/plugins/wp-js/wp-js-compress.php?f=' . $file. $wp_js_attributes . '&t='.wp_js_modified_time();
    } else if (wp_js_activation() == 'off') {
        $string = TEMPLATEURL.'/' . $file;
    }

    if ($echo == true) {
        echo $string;
    } else {
        return $string;
    }
}

function wp_js_url($array)
{
    if (count($array) > 0) {
        $string = '';
        foreach ($array as $key => $value) {
            $string .= "&".$key."=".wp_js_encode_string($value);
        }
        return $string;
    } else {
        return FALSE;
    }
}

function wp_js_file_structure()
{
    $js_files = wp_js_directory_map(WP_JS_CACHE_PATH);
    if (count($js_files) > 0 && !empty($js_files)) {
?>
<p>JavaScript files cached (/wp-content/themes/<?php echo get_stylesheet(); ?>):</p>
<ul>
    <?php foreach ($js_files as $file): ?>
    <?php
        $files_within_array = unserialize(file_get_contents(WP_JS_CACHE_PATH.$file));
    ?>
    <li>
        <?php if (count($files_within_array) > 1): ?><strong>(Grouped)</strong>
        <ul>
            <?php foreach ($files_within_array as $js_file):?><li><?php echo $js_file; ?></li><?php endforeach ?>
        </ul>
        <?php else: ?>
        <?php foreach ($files_within_array as $js_file): echo $js_file;?><?php endforeach ?>
        <?php endif ?>
    </li>
    <?php endforeach ?>
</ul>
<?php
    } else {
        echo "<p><strong>No JavaScript files are cached.</strong></p>";
    }
}

function wp_js_admin()
{
    // Settings are changed on any request carrying these parameters; the
    // nonce emitted by wp_nonce_field() below is never verified here.
    if ($_REQUEST['wp_js_clear_cache']) {
        if (wp_js_is_directory_writable(WP_JS_CACHE_PATH)) {
            wp_js_delete();
        } else {
            $_REQUEST['wp_js_message'] = 'Unable to clear cache.';
        }
    }

    if ($_REQUEST['wp_js_edit_expiry']) {
        wp_js_modified_time(TRUE);
        update_option('wp_js_cache_time', $_REQUEST['wp_js_cache_time']);
    }
    if ($_REQUEST['wp_js_activation']) {
        wp_js_activation(true);
    }
    if ($_REQUEST['wp_js_within_posts_activation']) {
        wp_js_within_posts_activation(true);
    }

    $cache_time = wp_js_cache_time();

    ?>

    <style type="text/css" media="screen">
        fieldset {
            border: 1px solid #aaa;
            padding: 12px;
        }
        fieldset#activate-within-posts, fieldset#expiry-time, fieldset#clear-cache {
            margin-top: 12px;
        }
    </style>

    <?php // Reflected XSS (CVE-2022-1567): the request parameter is echoed without escaping. ?>
    <?php if ($_REQUEST['wp_js_message']) : ?>
        <div id="message" class="updated fade"><p><?php echo $_REQUEST['wp_js_message']; ?></p></div>
    <?php endif; ?>

    <div id="wp-js" class="wrap">
        <h2 style="margin: 8px 0; padding-top: 0">WP JS <?php echo WP_JS_VERSION; ?></h2>

        <p style="color:#1CCD00;">URLs must be relative to your current theme.<br />For example: <code>wp_js('file.js')</code> = <?php echo TEMPLATEURL; ?>/file.js</p>

        <fieldset id="activate">
            <legend>Activate</legend>
            <p>Turn the plugin on / off. wp_js() will still work but no caching or compressing is applied.</p>
            <?php
            echo '<form name="wp_js_active" action="'. $_SERVER["REQUEST_URI"] . '" method="post">';
            if (wp_js_activation() == 'on') {
                echo '<label for="wp_js_activation_on"><input type="radio" id="wp_js_activation_on" name="wp_js_activation" value="on" checked="checked" /> On</label>';
            } else {
                echo '<label for="wp_js_activation_on"><input type="radio" id="wp_js_activation_on" name="wp_js_activation" value="on" /> On</label>';
            }
            if (wp_js_activation() == 'off') {
                echo ' <label for="wp_js_activation_off"><input type="radio" name="wp_js_activation" id="wp_js_activation_off" value="off" checked="checked" /> Off</label><br />';
            } else {
                echo ' <label for="wp_js_activation_off"><input type="radio" name="wp_js_activation" id="wp_js_activation_off" value="off" /> Off</label><br />';
            }
            echo '<div class="submit"><input type="submit" value="Change activation »" name="wp_js_active" /></div>';
            echo '<input type="hidden" name="wp_js_message" value="Plugin activation changed.">';
            wp_nonce_field('wp-cache');
            echo "</form>\n";
            ?></fieldset>


        <fieldset id="activate-within-posts">
            <legend>Activate within posts</legend>
            <p>Allows you to add JavaScript files to specific posts/pages.</p>
            <?php
            echo '<form name="wp_js_within_posts_activation" action="'. $_SERVER["REQUEST_URI"] . '" method="post">';
            if (wp_js_within_posts_activation() == 'on') {
                echo '<label for="wp_js_within_posts_activation_on"><input type="radio" id="wp_js_within_posts_activation_on" name="wp_js_within_posts_activation" value="on" checked="checked" /> On</label>';
            } else {
                echo '<label for="wp_js_within_posts_activation_on"><input type="radio" id="wp_js_within_posts_activation_on" name="wp_js_within_posts_activation" value="on" /> On</label>';
            }
            if (wp_js_within_posts_activation() == 'off') {
                echo ' <label for="wp_js_within_posts_activation_off"><input type="radio" name="wp_js_within_posts_activation" id="wp_js_within_posts_activation_off" value="off" checked="checked" /> Off</label><br />';
            } else {
                echo ' <label for="wp_js_within_posts_activation_off"><input type="radio" name="wp_js_within_posts_activation" id="wp_js_within_posts_activation_off" value="off" /> Off</label><br />';
            }
            echo '<div class="submit"><input type="submit" value="Change activation »" name="wp_js_active" /></div>';
            echo '<input type="hidden" name="wp_js_message" value="Plugin within posts activation changed.">';
            wp_nonce_field('wp-cache');
            echo "</form>\n";
            ?></fieldset>


        <fieldset id="expiry-time">
            <legend>Expiry Time</legend>
            <p>Set the time for when the browser downloads a fresh copy of your JavaScript files.</p>
            <?php
            echo '<form name="wp_js_edit_expiry" action="'. $_SERVER["REQUEST_URI"] . '" method="post">';
            echo '<label for="wp_expiry">Expire time:</label> ';
            echo '<input type="text" size="6" name="wp_js_cache_time" value="'.$cache_time.'" /> seconds<br />';
            echo '<div class="submit"><input type="submit" value="Change expiration »" name="wp_js_edit_expiry" /></div>';
            echo '<input type="hidden" name="wp_js_message" value="Cache expiry changed">';
            wp_nonce_field('wp-cache');
            echo "</form>\n";
            ?></fieldset>

        <fieldset id="clear-cache">
            <legend>Clear cache</legend>

            <?php if (!wp_js_is_directory_writable(WP_JS_CACHE_PATH)): ?>
            <p style="border: 1px solid #f00; padding: 2px; color: #f00;"><strong>Cache not available</strong><br/>The <code>wp-js</code> folder <strong>is not writable</strong>. Please change the plugin folder permissions to <code>777</code>.</p>
            <?php endif ?>

            <p>Clear your cache if you have updated your JavaScript files.</p>
            <?php wp_js_file_structure(); ?>
            <?php
            echo '<form name="wp_js_clear_cache" action="'. $_SERVER["REQUEST_URI"] . '" method="post">';
            echo '<div class="submit"><input type="submit" value="Clear Cache" name="wp_js_clear_cache" /></div>';
            echo '<input type="hidden" name="wp_js_message" value="Cached cleared">';
            wp_nonce_field('wp-cache');
            echo "</form>\n";
            ?></fieldset>
    </div><?php
}

// Admin Panel
function wp_js_add_pages()
{
    add_options_page('WP JS options', 'WP JS', 8, __FILE__, 'wp_js_admin');
}

// Add Options Page
add_action('admin_menu', 'wp_js_add_pages');

if (wp_js_within_posts_activation() == 'on') {
    include_once('wp-js-files-list.php');
}

?>
```

Related news

CVE-2022-3026: Vulnerability Advisories - Wordfence

The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

CVE-2022-2542: Vulnerability Advisories - Wordfence

The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2716: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Text Editor' block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2695: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' parameter added to images via the media uploader in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor and the ability to upload media files to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2517: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Caption - On Hover' value associated with images in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2540: Vulnerability Advisories - Wordfence

The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2935: Vulnerability Advisories - Wordfence

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Media Image URL value that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2433: Vulnerability Advisories - Wordfence

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including 5.5.3. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CVE-2022-2434: Vulnerability Advisories - Wordfence

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CVE-2022-2518: Vulnerability Advisories - Wordfence

The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2541: Vulnerability Advisories - Wordfence

The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2001: Vulnerability Advisories - Wordfence

The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.

CVE-2022-2224: Vulnerability Advisories - Wordfence

The WordPress plugin Gallery for Social Photo is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.0.27 due to failure to properly check for the existence of a nonce in the function gifeed_duplicate_feed. This makes it possible for unauthenticated attackers to duplicate existing posts or pages granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2444: Vulnerability Advisories - Wordfence

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CVE-2022-1750: Vulnerability Advisories - Wordfence

The Sticky Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'popup_title' parameter in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin level capabilities and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue mostly affects sites where unfiltered_html has been disabled for administrators and on multi-site installations where unfiltered_html is disabled for administrators.

CVE-2022-1749: Vulnerability Advisories - Wordfence

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.

CVE-2022-0209: Vulnerability Advisories - Wordfence

The Mitsol Social Post Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.10 due to insufficient input sanitization and output escaping on the application id parameters. This makes it possible for authenticated (admin+) attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html is disabled.

CVE-2022-1900: Vulnerability Advisories - Wordfence

The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-1453: Vulnerability Advisories - Wordfence

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.5.

CVE-2022-1442: Vulnerability Advisories - Wordfence

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

CVE-2022-1505: Vulnerability Advisories - Wordfence

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.6.

CVE-2022-0210: Vulnerability Advisories - Wordfence

The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

CVE-2021-42367: Vulnerability Advisories - Wordfence

The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability.

CVE-2021-39348: Vulnerability Advisories - Wordfence

The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is separate from CVE-2021-24702.

CVE-2021-39327: Vulnerability Advisories - Wordfence

The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.

CVE-2021-34626: Vulnerability Advisories - Wordfence

A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. This issue affects versions 2.2.3 and prior.
