CVE-2023-5433: message-ticker.php in message-ticker/trunk – WordPress Plugin Repository

1<?php2/*3Plugin Name: Message ticker4Plugin URI: http://www.gopiplus.com/work/2010/07/18/message-ticker/5Description: This plugin will display the announcement or message with simple horizontal scroller or horizontal ticker.6Version: 9.27Author: Gopi Ramasamy8Author URI: http://www.gopiplus.com/work/2010/07/18/message-ticker/9Donate link: http://www.gopiplus.com/work/2010/07/18/message-ticker/10License: GPLv2 or later11License URI: http://www.gnu.org/licenses/gpl-2.0.html12Text Domain: message-ticker13Domain Path: /languages14*/1516if(preg_match(‘#’ . basename(__FILE__) . '#’, $_SERVER[‘PHP_SELF’])) { die(‘You are not allowed to call this page directly.’); }1718global $wpdb, $wp_version;19define("WP_mt_TABLE", $wpdb->prefix . “mt_plugin”);20define('WP_mt_FAV’, ‘http://www.gopiplus.com/work/2010/07/18/message-ticker/’);2122if ( ! defined( ‘WP_mt_PLUGIN_BASENAME’ ) )23 define( 'WP_mt_PLUGIN_BASENAME’, plugin_basename( __FILE__ ) );2425if ( ! defined( ‘WP_mt_PLUGIN_NAME’ ) )26 define( 'WP_mt_PLUGIN_NAME’, trim( dirname( WP_mt_PLUGIN_BASENAME ), ‘/’ ) );2728if ( ! defined( ‘WP_mt_PLUGIN_DIR’ ) )29 define( 'WP_mt_PLUGIN_DIR’, WP_PLUGIN_DIR . ‘/’ . WP_mt_PLUGIN_NAME );3031if ( ! defined( ‘WP_mt_PLUGIN_URL’ ) )32 define( 'WP_mt_PLUGIN_URL’, plugins_url() . ‘/’ . WP_mt_PLUGIN_NAME );33 34if ( ! defined( ‘WP_mt_ADMIN_URL’ ) )35 define( 'WP_mt_ADMIN_URL’, admin_url() . ‘options-general.php?page=message-ticker’ );3637function mt_show()38{39 global $wpdb;40 $mt = "";41 42 $sSql = "select mt_text from “.WP_mt_TABLE.” where mt_status=’YES’";43 $sSql = $sSql . " and ( mt_date >= NOW() or mt_date = ‘0000-00-00 00:00:00’ )";44 $sSql = $sSql . " Order by mt_order";45 46 $data = $wpdb->get_results($sSql);47 if ( ! empty($data) ) 48 {49 $count = 0; 50 foreach ( $data as $data ) 51 {52 $content = $data->mt_text;53 $mt = $mt . "mt_contents[$count]=’$content’;";54 $count++;55 }56 $mt_width = get_option(‘mt_width’);57 $mt_height = get_option(‘mt_height’);58 $mt_delay = get_option(‘mt_delay’);59 $mt_speed = get_option(‘mt_speed’);60 $siteurl = get_option(‘siteurl’);61 62 if(!is_numeric($mt_delay)){ $mt_delay = 3000;} 63 if(!is_numeric($mt_speed)){ $mt_speed = 5;} 64 65 if(!is_numeric($mt_width))66 { 67 $mt_width = "";68 }69 else 70 {71 $mt_width = "width:".$mt_width."px;";72 }73 74 if(!is_numeric($mt_height))75 { 76 $mt_height = "";77 }78 else 79 {80 $mt_height = “height:".$mt_height."px;";81 }82 83 ?>84 <div style="padding-top:5px;width:100%"> 85 <span id="mt_spancontant” style="position:absolute;<?php echo $mt_width.$mt_height; ?>"></span> 86 </div>87 <script type="text/javascript">88 var mt_contents=new Array()89 <?php echo $mt; ?>90 var mt_delay=<?php echo $mt_delay; ?> 91 var mt_speed=<?php echo $mt_speed; ?> 92 mt_start();93 </script>94 <?php95 }96 else97 {98 $mt_mt = get_option(‘mt_defaulttext’);99 echo $mt_mt;100 }101}102103function mt_deactivate() 104{105 // No action required.106}107108function mt_show_new( $group = "GROUP1", $width = “300", $height = “150” ) 109{110 $arr = array();111 $arr[“group”]=$group;112 $arr[“width”]=$width;113 $arr[“height”]=$height;114 echo mt_shortcode($arr);115}116117add_shortcode( 'message-ticker’, ‘mt_shortcode’ );118119function mt_shortcode( $atts ) 120{121 global $wpdb;122 $mt = “";123 $mt_mt = “";124 125 //[message-ticker group="group1” width="300” height="150”]126 if (! is_array( $atts ) )127 {128 return 'Please check your short code’;129 }130 $group = $atts[‘group’];131 $width = $atts[‘width’];132 $height = $atts[‘height’];133 134 $sSql = "select mt_text from “.WP_mt_TABLE.” where mt_status=’YES’";135 if($group <> “”)136 {137 $sSql = $sSql . " and mt_group=’$group’";138 }139 $sSql = $sSql . " and ( mt_date >= NOW() or mt_date = ‘0000-00-00 00:00:00’ )";140 $sSql = $sSql . " ORDER BY mt_order";141 142 $data = $wpdb->get_results($sSql);143 if ( ! empty($data) ) 144 {145 $count = 0; 146 foreach ( $data as $data ) 147 {148 $content = $data->mt_text;149 $mt = $mt . "mt_contents[$count]=’$content’;";150 $count++;151 }152 153 $mt_width = $width;154 $mt_height = $height;155 $mt_delay = get_option(‘mt_delay’);156 $mt_speed = get_option(‘mt_speed’);157 $siteurl = get_option(‘siteurl’);158 159 if(!is_numeric($mt_delay)){ $mt_delay = 3000;} 160 if(!is_numeric($mt_speed)){ $mt_speed = 5;} 161 162 if(!is_numeric($mt_width))163 { 164 $mt_width = "";165 }166 else 167 {168 $mt_width = "width:".$mt_width."px;";169 //$mt_width = "width:100%;";170 }171 172 if(!is_numeric($mt_height))173 { 174 $mt_height = "";175 }176 else 177 {178 $mt_height = “height:".$mt_height."px;";179 }180 181 $mt_mt = $mt_mt .’<div style="padding-top:5px;">’;182 $mt_mt = $mt_mt .’<span id="mt_spancontant” style="position:absolute;’.$mt_width.$mt_height.’"></span> ‘;183 $mt_mt = $mt_mt .’</div>’;184 $mt_mt = $mt_mt .’<script type="text/javascript">’ ;185 $mt_mt = $mt_mt .’var mt_contents=new Array(); ';186 $mt_mt = $mt_mt . $mt ;187 $mt_mt = $mt_mt .’var mt_delay=’.$mt_delay.’; ';188 $mt_mt = $mt_mt .’var mt_speed=’.$mt_speed.’; ';189 $mt_mt = $mt_mt .’mt_start(); ';190 $mt_mt = $mt_mt .’</script>’;191 }192 else193 {194 $mt_mt = get_option(‘mt_defaulttext’);195 }196 197 return $mt_mt;198}199200function mt_activation() 201{202 global $wpdb;203 204 if($wpdb->get_var("show tables like '". WP_mt_TABLE . “’”) != WP_mt_TABLE) 205 {206 $wpdb->query("207 CREATE TABLE IF NOT EXISTS `". WP_mt_TABLE . "` (208 `mt_id` int(11) NOT NULL auto_increment,209 `mt_text` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,210 `mt_order` int(11) NOT NULL default '0’,211 `mt_status` char(3) NOT NULL default 'No’,212 `mt_group` VARCHAR( 100 ) NOT NULL default 'GROUP1’,213 `mt_date` datetime NOT NULL default '0000-00-00 00:00:00’,214 PRIMARY KEY (`mt_id`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8;215 ");216 $sSql = "INSERT INTO `". WP_mt_TABLE . "` (mt_text, mt_order, mt_status, mt_group, mt_date)"; 217 $sSql = $sSql . “VALUES ('This is sample text for message ticker. <br> Thanks & regards’, '1’, 'YES’, 'GROUP1’, ‘0000-00-00 00:00:00’);";218 $wpdb->query($sSql);219 }220 add_option('mt_title’, “Message”);221 add_option('mt_width’, “200”);222 add_option('mt_height’, “100”);223 add_option('mt_delay’, “3000”);224 add_option('mt_speed’, “5”);225 add_option('mt_defaulttext’, “No message available, Or messages are expired already.”);226}227228function mt_admin_options() 229{230 global $wpdb;231 $current_page = isset($_GET[‘ac’]) ? $_GET[‘ac’] : '’;232 switch($current_page)233 {234 case 'edit’:235 include(‘pages/content-management-edit.php’);236 break;237 case 'add’:238 include(‘pages/content-management-add.php’);239 break;240 case 'set’:241 include(‘pages/content-setting.php’);242 break;243 default:244 include(‘pages/content-management-show.php’);245 break;246 }247}248249function mt_add_to_menu() 250{251 add_options_page(__('Message ticker’, ‘message-ticker’), __('Message ticker’, ‘message-ticker’), 'manage_options’, 'message-ticker’, ‘mt_admin_options’ );252}253254if (is_admin()) 255{256 add_action('admin_menu’, ‘mt_add_to_menu’);257}258259function mt_widget($args) 260{261 extract($args);262 echo $before_widget . $before_title;263 echo get_option(‘mt_title’);264 echo $after_title;265 mt_show();266 echo $after_widget;267}268269function mt_control()270{271 echo '<p><b>’;272 _e('message ticker’, ‘message-ticker’);273 echo '.</b> ';274 _e('Check official website for more information’, ‘message-ticker’);275 ?> <a target="_blank” href="http://www.gopiplus.com/work/2010/07/18/message-ticker/"><?php _e('click here’, ‘message-ticker’); ?></a></p><?php276}277278function mt_widget_init() 279{280 if(function_exists(‘wp_register_sidebar_widget’)) 281 {282 wp_register_sidebar_widget('message-ticker’, __('message ticker’, ‘message-ticker’), ‘mt_widget’);283 }284 285 if(function_exists(‘wp_register_widget_control’)) 286 {287 wp_register_widget_control('message-ticker’, array( __('message ticker’, ‘message-ticker’), ‘widgets’), ‘mt_control’);288 } 289}290291function mt_add_javascript_files() 292{293 if (!is_admin())294 {295 wp_enqueue_script( ‘message-ticker’, WP_mt_PLUGIN_URL.’/message-ticker.js’);296 }297}298299function mt_textdomain() 300{301 load_plugin_textdomain( 'message-ticker’, false, dirname( plugin_basename( __FILE__ ) ) . ‘/languages/’ );302}303304function mt_adminscripts() 305{306 if( !empty( $_GET[‘page’] ) ) 307 {308 switch ( $_GET[‘page’] ) 309 {310 case 'message-ticker’:311 wp_register_script( 'mt-adminscripts’, plugins_url( 'pages/setting.js’, __FILE__ ), '’, '’, true );312 wp_enqueue_script( ‘mt-adminscripts’ );313 $mt_select_params = array(314 ‘mt_text’ => __( 'Please enter the text.’, 'mt-select’, ‘message-ticker’ ),315 ‘mt_status’ => __( 'Please select the display status.’, 'mt-select’, ‘message-ticker’ ),316 ‘mt_order’ => __( 'Please enter the display order, only number.’, 'mt-select’, ‘message-ticker’ ), 317 ‘mt_group’ => __( 'Please select the message group.’, 'mt-select’, ‘message-ticker’ ),318 ‘mt_date’ => __( 'Please enter the expiration date in this format YYYY-MM-DD’, 'mt-select’, ‘message-ticker’ ),319 ‘mt_delete’ => __( 'Do you want to delete this record?’, 'mt-select’, ‘message-ticker’ ),320 );321 wp_localize_script( 'mt-adminscripts’, 'mt_adminscripts’, $mt_select_params );322 break;323 }324 }325}326327add_action('plugins_loaded’, ‘mt_textdomain’);328add_action('init’, ‘mt_add_javascript_files’);329add_action("plugins_loaded", “mt_widget_init”);330register_activation_hook(__FILE__, ‘mt_activation’);331register_deactivation_hook( __FILE__, ‘mt_deactivate’ );332add_action( 'admin_enqueue_scripts’, ‘mt_adminscripts’ );333?>