Headline
CVE-2023-5433: message-ticker.php in message-ticker/trunk – WordPress Plugin Repository
The Message ticker plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
1<?php2/*3Plugin Name: Message ticker4Plugin URI: http://www.gopiplus.com/work/2010/07/18/message-ticker/5Description: This plugin will display the announcement or message with simple horizontal scroller or horizontal ticker.6Version: 9.27Author: Gopi Ramasamy8Author URI: http://www.gopiplus.com/work/2010/07/18/message-ticker/9Donate link: http://www.gopiplus.com/work/2010/07/18/message-ticker/10License: GPLv2 or later11License URI: http://www.gnu.org/licenses/gpl-2.0.html12Text Domain: message-ticker13Domain Path: /languages14*/1516if(preg_match(‘#’ . basename(__FILE__) . '#’, $_SERVER[‘PHP_SELF’])) { die(‘You are not allowed to call this page directly.’); }1718global $wpdb, $wp_version;19define("WP_mt_TABLE", $wpdb->prefix . “mt_plugin”);20define('WP_mt_FAV’, ‘http://www.gopiplus.com/work/2010/07/18/message-ticker/’);2122if ( ! defined( ‘WP_mt_PLUGIN_BASENAME’ ) )23 define( 'WP_mt_PLUGIN_BASENAME’, plugin_basename( __FILE__ ) );2425if ( ! defined( ‘WP_mt_PLUGIN_NAME’ ) )26 define( 'WP_mt_PLUGIN_NAME’, trim( dirname( WP_mt_PLUGIN_BASENAME ), ‘/’ ) );2728if ( ! defined( ‘WP_mt_PLUGIN_DIR’ ) )29 define( 'WP_mt_PLUGIN_DIR’, WP_PLUGIN_DIR . ‘/’ . WP_mt_PLUGIN_NAME );3031if ( ! defined( ‘WP_mt_PLUGIN_URL’ ) )32 define( 'WP_mt_PLUGIN_URL’, plugins_url() . ‘/’ . WP_mt_PLUGIN_NAME );33 34if ( ! defined( ‘WP_mt_ADMIN_URL’ ) )35 define( 'WP_mt_ADMIN_URL’, admin_url() . ‘options-general.php?page=message-ticker’ );3637function mt_show()38{39 global $wpdb;40 $mt = "";41 42 $sSql = "select mt_text from “.WP_mt_TABLE.” where mt_status=’YES’";43 $sSql = $sSql . " and ( mt_date >= NOW() or mt_date = ‘0000-00-00 00:00:00’ )";44 $sSql = $sSql . " Order by mt_order";45 46 $data = $wpdb->get_results($sSql);47 if ( ! empty($data) ) 48 {49 $count = 0; 50 foreach ( $data as $data ) 51 {52 $content = $data->mt_text;53 $mt = $mt . "mt_contents[$count]=’$content’;";54 $count++;55 }56 $mt_width = get_option(‘mt_width’);57 $mt_height = get_option(‘mt_height’);58 $mt_delay = get_option(‘mt_delay’);59 $mt_speed = get_option(‘mt_speed’);60 $siteurl = get_option(‘siteurl’);61 62 if(!is_numeric($mt_delay)){ $mt_delay = 3000;} 63 if(!is_numeric($mt_speed)){ $mt_speed = 5;} 64 65 if(!is_numeric($mt_width))66 { 67 $mt_width = "";68 }69 else 70 {71 $mt_width = "width:".$mt_width."px;";72 }73 74 if(!is_numeric($mt_height))75 { 76 $mt_height = "";77 }78 else 79 {80 $mt_height = “height:".$mt_height."px;";81 }82 83 ?>84 <div style="padding-top:5px;width:100%"> 85 <span id="mt_spancontant” style="position:absolute;<?php echo $mt_width.$mt_height; ?>"></span> 86 </div>87 <script type="text/javascript">88 var mt_contents=new Array()89 <?php echo $mt; ?>90 var mt_delay=<?php echo $mt_delay; ?> 91 var mt_speed=<?php echo $mt_speed; ?> 92 mt_start();93 </script>94 <?php95 }96 else97 {98 $mt_mt = get_option(‘mt_defaulttext’);99 echo $mt_mt;100 }101}102103function mt_deactivate() 104{105 // No action required.106}107108function mt_show_new( $group = "GROUP1", $width = “300", $height = “150” ) 109{110 $arr = array();111 $arr[“group”]=$group;112 $arr[“width”]=$width;113 $arr[“height”]=$height;114 echo mt_shortcode($arr);115}116117add_shortcode( 'message-ticker’, ‘mt_shortcode’ );118119function mt_shortcode( $atts ) 120{121 global $wpdb;122 $mt = “";123 $mt_mt = “";124 125 //[message-ticker group="group1” width="300” height="150”]126 if (! is_array( $atts ) )127 {128 return 'Please check your short code’;129 }130 $group = $atts[‘group’];131 $width = $atts[‘width’];132 $height = $atts[‘height’];133 134 $sSql = "select mt_text from “.WP_mt_TABLE.” where mt_status=’YES’";135 if($group <> “”)136 {137 $sSql = $sSql . " and mt_group=’$group’";138 }139 $sSql = $sSql . " and ( mt_date >= NOW() or mt_date = ‘0000-00-00 00:00:00’ )";140 $sSql = $sSql . " ORDER BY mt_order";141 142 $data = $wpdb->get_results($sSql);143 if ( ! empty($data) ) 144 {145 $count = 0; 146 foreach ( $data as $data ) 147 {148 $content = $data->mt_text;149 $mt = $mt . "mt_contents[$count]=’$content’;";150 $count++;151 }152 153 $mt_width = $width;154 $mt_height = $height;155 $mt_delay = get_option(‘mt_delay’);156 $mt_speed = get_option(‘mt_speed’);157 $siteurl = get_option(‘siteurl’);158 159 if(!is_numeric($mt_delay)){ $mt_delay = 3000;} 160 if(!is_numeric($mt_speed)){ $mt_speed = 5;} 161 162 if(!is_numeric($mt_width))163 { 164 $mt_width = "";165 }166 else 167 {168 $mt_width = "width:".$mt_width."px;";169 //$mt_width = "width:100%;";170 }171 172 if(!is_numeric($mt_height))173 { 174 $mt_height = "";175 }176 else 177 {178 $mt_height = “height:".$mt_height."px;";179 }180 181 $mt_mt = $mt_mt .’<div style="padding-top:5px;">’;182 $mt_mt = $mt_mt .’<span id="mt_spancontant” style="position:absolute;’.$mt_width.$mt_height.’"></span> ‘;183 $mt_mt = $mt_mt .’</div>’;184 $mt_mt = $mt_mt .’<script type="text/javascript">’ ;185 $mt_mt = $mt_mt .’var mt_contents=new Array(); ';186 $mt_mt = $mt_mt . $mt ;187 $mt_mt = $mt_mt .’var mt_delay=’.$mt_delay.’; ';188 $mt_mt = $mt_mt .’var mt_speed=’.$mt_speed.’; ';189 $mt_mt = $mt_mt .’mt_start(); ';190 $mt_mt = $mt_mt .’</script>’;191 }192 else193 {194 $mt_mt = get_option(‘mt_defaulttext’);195 }196 197 return $mt_mt;198}199200function mt_activation() 201{202 global $wpdb;203 204 if($wpdb->get_var("show tables like '". WP_mt_TABLE . “’”) != WP_mt_TABLE) 205 {206 $wpdb->query("207 CREATE TABLE IF NOT EXISTS `". WP_mt_TABLE . "` (208 `mt_id` int(11) NOT NULL auto_increment,209 `mt_text` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,210 `mt_order` int(11) NOT NULL default '0’,211 `mt_status` char(3) NOT NULL default 'No’,212 `mt_group` VARCHAR( 100 ) NOT NULL default 'GROUP1’,213 `mt_date` datetime NOT NULL default '0000-00-00 00:00:00’,214 PRIMARY KEY (`mt_id`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8;215 ");216 $sSql = "INSERT INTO `". WP_mt_TABLE . "` (mt_text, mt_order, mt_status, mt_group, mt_date)"; 217 $sSql = $sSql . “VALUES ('This is sample text for message ticker. <br> Thanks & regards’, '1’, 'YES’, 'GROUP1’, ‘0000-00-00 00:00:00’);";218 $wpdb->query($sSql);219 }220 add_option('mt_title’, “Message”);221 add_option('mt_width’, “200”);222 add_option('mt_height’, “100”);223 add_option('mt_delay’, “3000”);224 add_option('mt_speed’, “5”);225 add_option('mt_defaulttext’, “No message available, Or messages are expired already.”);226}227228function mt_admin_options() 229{230 global $wpdb;231 $current_page = isset($_GET[‘ac’]) ? $_GET[‘ac’] : '’;232 switch($current_page)233 {234 case 'edit’:235 include(‘pages/content-management-edit.php’);236 break;237 case 'add’:238 include(‘pages/content-management-add.php’);239 break;240 case 'set’:241 include(‘pages/content-setting.php’);242 break;243 default:244 include(‘pages/content-management-show.php’);245 break;246 }247}248249function mt_add_to_menu() 250{251 add_options_page(__('Message ticker’, ‘message-ticker’), __('Message ticker’, ‘message-ticker’), 'manage_options’, 'message-ticker’, ‘mt_admin_options’ );252}253254if (is_admin()) 255{256 add_action('admin_menu’, ‘mt_add_to_menu’);257}258259function mt_widget($args) 260{261 extract($args);262 echo $before_widget . $before_title;263 echo get_option(‘mt_title’);264 echo $after_title;265 mt_show();266 echo $after_widget;267}268269function mt_control()270{271 echo '<p><b>’;272 _e('message ticker’, ‘message-ticker’);273 echo '.</b> ';274 _e('Check official website for more information’, ‘message-ticker’);275 ?> <a target="_blank” href="http://www.gopiplus.com/work/2010/07/18/message-ticker/"><?php _e('click here’, ‘message-ticker’); ?></a></p><?php276}277278function mt_widget_init() 279{280 if(function_exists(‘wp_register_sidebar_widget’)) 281 {282 wp_register_sidebar_widget('message-ticker’, __('message ticker’, ‘message-ticker’), ‘mt_widget’);283 }284 285 if(function_exists(‘wp_register_widget_control’)) 286 {287 wp_register_widget_control('message-ticker’, array( __('message ticker’, ‘message-ticker’), ‘widgets’), ‘mt_control’);288 } 289}290291function mt_add_javascript_files() 292{293 if (!is_admin())294 {295 wp_enqueue_script( ‘message-ticker’, WP_mt_PLUGIN_URL.’/message-ticker.js’);296 }297}298299function mt_textdomain() 300{301 load_plugin_textdomain( 'message-ticker’, false, dirname( plugin_basename( __FILE__ ) ) . ‘/languages/’ );302}303304function mt_adminscripts() 305{306 if( !empty( $_GET[‘page’] ) ) 307 {308 switch ( $_GET[‘page’] ) 309 {310 case 'message-ticker’:311 wp_register_script( 'mt-adminscripts’, plugins_url( 'pages/setting.js’, __FILE__ ), '’, '’, true );312 wp_enqueue_script( ‘mt-adminscripts’ );313 $mt_select_params = array(314 ‘mt_text’ => __( 'Please enter the text.’, 'mt-select’, ‘message-ticker’ ),315 ‘mt_status’ => __( 'Please select the display status.’, 'mt-select’, ‘message-ticker’ ),316 ‘mt_order’ => __( 'Please enter the display order, only number.’, 'mt-select’, ‘message-ticker’ ), 317 ‘mt_group’ => __( 'Please select the message group.’, 'mt-select’, ‘message-ticker’ ),318 ‘mt_date’ => __( 'Please enter the expiration date in this format YYYY-MM-DD’, 'mt-select’, ‘message-ticker’ ),319 ‘mt_delete’ => __( 'Do you want to delete this record?’, 'mt-select’, ‘message-ticker’ ),320 );321 wp_localize_script( 'mt-adminscripts’, 'mt_adminscripts’, $mt_select_params );322 break;323 }324 }325}326327add_action('plugins_loaded’, ‘mt_textdomain’);328add_action('init’, ‘mt_add_javascript_files’);329add_action("plugins_loaded", “mt_widget_init”);330register_activation_hook(__FILE__, ‘mt_activation’);331register_deactivation_hook( __FILE__, ‘mt_deactivate’ );332add_action( 'admin_enqueue_scripts’, ‘mt_adminscripts’ );333?>