Headline
CVE-2021-39310: real-wysiwyg.php in real-wysiwyg/tags/0.0.2 – WordPress Plugin Repository
The Real WYSIWYG WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of PHP_SELF in the ~/real-wysiwyg.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2.
1<?php2/*3Plugin Name: Real WYSIWYG4Plugin URI: http://windyroad.org/software/wordpress/real-wysiwyg-plugin/5Description: Turn the TinyMCE Visual Editor in to a real WYSIWYG editor.6Version: 0.0.27Author: Windy Road8Author URI: http://windyroad.org910Copyright ©2007 Windy Road1112This program is free software; you can redistribute it and/or13modify it under the terms of the GNU General Public License14as published by the Free Software Foundation; either version 215of the License, or (at your option) any later version.1617This program is distributed in the hope that it will be useful,18but WITHOUT ANY WARRANTY; without even the implied warranty of19MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the20GNU General Public License for more details.2122You should have received a copy of the GNU General Public License23along with this program; if not, write to the Free Software24Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.This work is licensed under a Creative Commons Attribution 2.5 Australia License http://creativecommons.org/licenses/by/2.5/au/2526*/ 2728function real_wysiwyg_get_theme_styles() {29 $styles = array();30 $styles[] = get_stylesheet_uri();31 $styles = array_merge($styles, real_wysiwyg_extra_styles() );32 return apply_filters( 'real_wysiwyg_style_sheets’, $styles );33}3435function real_wysiwyg_get_theme_styles_ie() {36 $styles = array();37 $styles = array_merge($styles, real_wysiwyg_extra_styles_ie() );38 return apply_filters( ‘real_wysiwyg_style_sheets_ie’, $styles );39}404142function real_wysiwyg_init_options() {43 $css = real_wysiwyg_extra_css();44 $style_sheets = real_wysiwyg_get_theme_styles();45 $style_sheets_ie = real_wysiwyg_get_theme_styles_ie();46?>47var before_real_wysiwyg = null;48if( initArray.init_instance_callback == undefined ) {49 initArray.init_instance_callback = “on_mce_init_real_wysiwyg";50}51else {52 before_real_wysiwyg = initArray.init_instance_callback;53 initArray.init_instance_callback = “on_mce_init_real_wysiwyg";54}5556function on_mce_init_real_wysiwyg(inst) {57 if( before_real_wysiwyg != null ) {58 tinyMCE.settings[ ‘init_instance_callback’ ] = before_real_wysiwyg;59 tinyMCE.dispatchCallback(inst, 'init_instance_callback’, 'initInstance’, inst);60 tinyMCE.settings[ ‘init_instance_callback’ ] = “on_mce_init_real_wysiwyg";61 }62 <?php63 foreach( $style_sheets as $style ) {64 $style = trim( $style );65 if( !empty( $style ) ) {66 ?>67 tinyMCE.importCSS(inst.getDoc(),68 ‘<?php echo $style ?>’);69 70 <?php71 }72 } ?>73 if( navigator.userAgent.indexOf(‘MSIE 6’) != -1 ) {74 <?php foreach( $style_sheets_ie as $style ) {75 $style = trim( $style );76 if( !empty( $style ) ) {77 ?>78 tinyMCE.importCSS(inst.getDoc(),79 ‘<?php echo $style ?>’);80 <?php 81 }82 } ?>83 }84 tinyMCE.importCSS(inst.getDoc(),85 ‘…/wp-content/plugins/real-wysiwyg/extra-style.css.php?style=<?php echo urlencode( $css ) ?>’);86 87}8889<?php90}9192if ( !function_exists(‘wp_nonce_field’) ) {93 define('REAL_WYSIWYG_NONCE’, -1);94 function real_wysiwyg_nonce_field() { return; } 95} 96else {97 define('REAL_WYSIWYG_NONCE’, ‘real-wysiwyg-update-key’);98 function real_wysiwyg_nonce_field() { return wp_nonce_field(REAL_WYSIWYG_NONCE); }99}100101102add_action('tinymce_before_init’, ‘real_wysiwyg_init_options’);103104function real_wysiwyg_save_options( $curr_options ) {105 // create array106 $mfg_options = $curr_options;107 $mfg_options[ get_stylesheet() ] = array();108 $mfg_options[ get_stylesheet() ][‘extra_css’] = stripslashes( $_POST[‘real_wysiwyg_extra_css’] );109 $mfg_options[ get_stylesheet() ][‘extra_styles’] = explode( “\n", stripslashes( $_POST[‘real_wysiwyg_extra_styles’] ) );110 $mfg_options[ get_stylesheet() ][‘extra_styles_ie’] = explode( “\n", stripslashes( $_POST[‘real_wysiwyg_extra_styles_ie’] ) );111 if( $curr_options != $mfg_options )112 update_option('real_wysiwyg_options’, $mfg_options);113 return $mfg_options;114}115function real_wysiwyg_extra_css() {116 $real_wysiwyg = get_option(‘real_wysiwyg_options’);117 $extra_css = “";118 if( isset( $real_wysiwyg[ get_stylesheet() ][ “extra_css” ] )119 && !empty( $real_wysiwyg[ get_stylesheet() ][ “extra_css” ] ) ) {120 $extra_css = $real_wysiwyg[ get_stylesheet() ][ “extra_css” ];121 }122 else if( get_stylesheet() == ‘default’ ) {123 $extra_css = <<<REAL_WYSIWYG_DATA124.mceContentBody {125 line-height:1.4em;126 text-align:justify;127 font-size:75%;128 margin:2.5ex auto;129 padding: 0pt;130 width:450px;131 background:transparent url(‘…/…/themes/default/images/kubrickbg-ltr.jpg’) repeat-y scroll center top;132 background-color:#e7e7e7;133}134135.mceContentBody p {136 font-size:1.05em;137 line-height:1.34em;138}139140.mceContentBody ul li:before {141 content: “\\00BB \\0020";142}143144html>body.mceContentBody ul {145 list-style-image:none;146 list-style-position:outside;147 list-style-type:none;148 margin-left:0px;149 padding:0pt 0pt 0pt 10px;150 text-indent:-10px;151}152153html>body.mceContentBody li {154 margin:7px 0pt 8px 10px;155}156157158159.mceContentBody ol {160 padding: 0 0 0 35px;161 margin: 0;162}163164.mceContentBody ol li {165 margin: 0;166 padding: 0;167}168169.mceContentBody pre {170 font-family:’Courier New’,Courier,Fixed;171 font-size:85%;172 line-height:1.65em;173}174175REAL_WYSIWYG_DATA;176 }177 else if( get_stylesheet() == ‘classic’ ) {178 $extra_css = <<<REAL_WYSIWYG_DATA179.mceContentBody {180 border: none;181}182REAL_WYSIWYG_DATA;183 }184 return apply_filters( 'real_wysiwyg_extra_css’, $extra_css );185}186187function real_wysiwyg_extra_styles() {188 $real_wysiwyg = get_option(‘real_wysiwyg_options’);189 $extra_styles = array();190 if( isset( $real_wysiwyg[ get_stylesheet() ][ “extra_styles” ] ) ) {191 $extra_styles = $real_wysiwyg[ get_stylesheet() ][ “extra_styles” ];192 }193 return $extra_styles;194}195196function real_wysiwyg_extra_styles_ie() {197 $real_wysiwyg = get_option(‘real_wysiwyg_options’);198 $extra_styles_ie = array();199 if( isset( $real_wysiwyg[ get_stylesheet() ][ “extra_styles_ie” ] ) ) {200 $extra_styles_ie = $real_wysiwyg[ get_stylesheet() ][ “extra_styles_ie” ];201 }202 return $extra_styles_ie;203 204}205206function real_wysiwyg_options_page() { 207 $options = get_option(‘real_wysiwyg_options’);208 if( isset( $_GET[ ‘activated’ ] ) && $_GET[ ‘activated’ ] == “true” ){209 ?><div class="updated"><p><strong>Options saved.</strong></p></div><?php210 }211 ?><div class="wrap” id="real_wysiwyg-options"><?php212 ?><h2>Real WYSIWYG Options</h2><?php213 ?><form method="post” action="<?php echo $_SERVER[‘PHP_SELF’]."?".$_SERVER[‘QUERY_STRING’]; ?>"><?php214 ?><fieldset><?php215 ?><input type="hidden” name="action” value="real_wysiwyg_save_options” /><?php216 217 ?><p><label for="real_wysiwyg_extra_css” style="font-weight: bold;"><?php _e( 'Extra CSS:’, REAL_WYSIWYG_DOMAIN ); ?></label><br/><?php218 ?><textarea name="real_wysiwyg_extra_css” rows=’15’ style="width: 100%"/><?php echo real_wysiwyg_extra_css(); ?></textarea><br/><?php219 ?>Add any css here for your current them, so it will display propery within a body element with a class of <code>.mceContentBody</code>.</p><?php220221 ?><p><label for="real_wysiwyg_extra_styles" style="font-weight: bold;"><?php _e( ‘Extra StyleSheets:’, REAL_WYSIWYG_DOMAIN ); ?></label><br/><?php222 ?><textarea name="real_wysiwyg_extra_styles" rows=’15’ style="width: 100%"/><?php echo implode(“\n", real_wysiwyg_extra_styles() ); ?></textarea><br/><?php223 ?>If the theme you are using has more than one stylesheet, then you may need to add it here, seperated by a new line.</p><?php224225 ?><p><label for="real_wysiwyg_extra_styles_ie” style="font-weight: bold;"><?php _e( ‘Extra StyleSheets for IE 6:’, REAL_WYSIWYG_DOMAIN ); ?></label><br/><?php226 ?><textarea name="real_wysiwyg_extra_styles_ie" rows=’15’ style="width: 100%"/><?php echo implode(“\n", real_wysiwyg_extra_styles_ie() ); ?></textarea><br/><?php227 ?>If the theme you are using has stylesheets just for IE 6, then add them here, seperated by a new line.</p><?php228229 real_wysiwyg_nonce_field();230 ?></fieldset><?php231 ?><p class="submit"><?php232 ?><input type="submit” name="submit" value="Update Options »" /><?php233 ?></p><?php234 ?></form><?php235 ?></div><?php236}237238239function real_wysiwyg_add_admin() {240 // Add a new menu under Options:241 add_options_page('Real WYSIWYG’, 'Real WYSIWYG’, 8, basename(__FILE__), ‘real_wysiwyg_options_page’);242}243244add_action('admin_menu’, ‘real_wysiwyg_add_admin’); // Insert the Admin panel.245246function real_wysiwyg_process_options() {247 $curr_options = get_option(‘real_wysiwyg_options’);248 if ( isset($_POST[‘submit’]) 249 && isset($_POST[‘action’]) 250 && $_POST[‘action’] == ‘real_wysiwyg_save_options’ ) {251252 if ( function_exists(‘current_user_can’) && !current_user_can(‘manage_options’) )253 die(__(‘Cheatin uh?’));254 255 check_admin_referer(REAL_WYSIWYG_NONCE);256 257 real_wysiwyg_save_options( $curr_options );258 $url = add_query_arg( 'activated’, 'true’, $_SERVER[ ‘HTTP_REFERER’ ] );259 wp_redirect( $url );260 } 261}262263add_action('init’, ‘real_wysiwyg_process_options’); //Process the post options for the admin page.264265?>