CVE-2022-2172: Diff [2750802:2754739] for linkworth-wp-plugin – WordPress Plugin Repository
The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged-in admin change settings via a CSRF attack.
linkworth-wp-plugin/trunk/LinkWorth_WordPress.php
r2750802
r2754739
5
5
Description: LinkWorth Easy Link Syndication for WordPress and WPMU
6
6
Author: LinkWorth
7
Version: 3.3.3
7
Version: 3.3.4
8
8
Author URI: http://www.linkworth.com/
9
9
License: GPLv2 or later
…
…
308
308
}
309
309
310
function get\_contents( $url )
311
{
312
global $lw\_debug\_information;
313
314
$lw\_debug\_information .= 'get\_contents() running - '.$url.'++';
315
316
if( !empty( $url ) )
317
{
318
$curl\_handle = curl\_init();
319
curl\_setopt( $curl\_handle, CURLOPT\_URL, $url );
320
curl\_setopt( $curl\_handle, CURLOPT\_CONNECTTIMEOUT, 30 );
321
curl\_setopt( $curl\_handle, CURLOPT\_RETURNTRANSFER, true );
322
323
if( @ini\_get('open\_basedir') == '' && @ini\_get('safe\_mode') == 'Off' )
324
{
325
curl\_setopt( $curl\_handle, CURLOPT\_FOLLOWLOCATION, true );
326
curl\_setopt( $curl\_handle, CURLOPT\_MAXREDIRS, 2 );
327
}
328
329
if( curl\_exec( $curl\_handle ) === false )
330
{
331
$curl\_error = 'Curl error: ' . curl\_error( $curl\_handle );
332
}
333
334
$string = curl\_exec( $curl\_handle );
335
curl\_close( $curl\_handle );
336
}
337
338
if( isset( $\_GET\['debug'\] ) )
339
{
340
if( !empty( $curl\_error ) )
341
{
342
$lw\_debug\_information .= $curl\_error.'++';
343
}
344
345
if( empty( $string ) )
346
{
347
$lw\_debug\_information .= 'get\_contents() empty++';
348
}
349
}
350
351
return $string;
352
}
310
function get\_contents($url)
311
{
312
global $lw\_debug\_information;
313
314
$string = '';
315
$wp\_remote\_get\_error = '';
316
317
$lw\_debug\_information .= 'get\_contents() running - '.$url.'++';
318
319
if (!empty($url)) {
320
321
$response = wp\_remote\_get($url);
322
$http\_code = wp\_remote\_retrieve\_response\_code($response);
323
324
if ($http\_code == '200') {
325
326
$string = wp\_remote\_retrieve\_body($response);
327
328
} else {
329
330
$wp\_remote\_get\_error = 'get\_contents() error: ' . wp\_remote\_retrieve\_header($response, 'status');
331
}
332
}
333
334
if (isset($\_GET\['debug'\])) {
335
336
if (!empty($wp\_remote\_get\_error)) {
337
338
$lw\_debug\_information .= $wp\_remote\_get\_error.'++';
339
}
340
341
if (empty($string)) {
342
343
$lw\_debug\_information .= 'get\_contents() empty++';
344
}
345
}
346
347
return $string;
348
}
353
349
354
350
// ---------------------------------------------------------------------------------------
…
…
651
647
}
652
648
653
if( function\_exists( 'curl\_init' ) )
649
if( function\_exists( 'wp\_remote\_get' ) )
654
650
{
655
651
$support\_array\['can\_get\_ads'\] = 1;
…
…
836
832
if( is\_numeric( $ad\['location'\] ) )
837
833
{
838
$page\_uri = $\_SERVER\['REQUEST\_URI'\];
834
$page\_uri = htmlspecialchars($\_SERVER\['REQUEST\_URI'\], ENT\_QUOTES, 'UTF-8');
839
835
840
836
if( is\_home() || is\_front\_page() )
…
…
1163
1159
{
1164
1160
//SET DEFAULT VARIABLES
1165
$current\_url = $\_SERVER\['SERVER\_NAME'\] . $\_SERVER\['REQUEST\_URI'\];
1161
$current\_url = $\_SERVER\['SERVER\_NAME'\] . htmlspecialchars($\_SERVER\['REQUEST\_URI'\], ENT\_QUOTES, 'UTF-8');
1166
1162
$links = array();
1167
1163
$tags = array();
…
…
1432
1428
if( isset( $\_POST\['linkw-submit'\] ) )
1433
1429
{
1434
$options\['title'\] = strip\_tags( stripslashes( $\_POST\['linkw-title'\] ) );
1430
$options\['title'\] = strip\_tags( stripslashes( htmlspecialchars($\_POST\['linkw-title'\], ENT\_QUOTES, 'UTF-8') ) );
1435
1431
update\_option( 'lw\_widget', $options );
1436
1432
}
…
…
1438
1434
if( !empty( $options\['title'\] ) )
1439
1435
{
1440
$title = htmlspecialchars( $options\['title'\], ENT\_QUOTES );
1436
$title = $options\['title'\];
1441
1437
}
1442
1438
else
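Review bot: The error branch of the rewritten `get_contents()` (new lines 321-331) cannot report a transport failure: `wp_remote_get()` returns a `WP_Error` on connection, DNS or timeout problems, and both `wp_remote_retrieve_response_code()` and `wp_remote_retrieve_header( $response, 'status' )` return `''` for a `WP_Error`, so the debug message is empty exactly when it is needed; the latter call also looks for a response header named `status`, which HTTP responses do not carry (the status line is available via `wp_remote_retrieve_response_message()`). Checking `is_wp_error( $response )` first and logging `$response->get_error_message()` fixes that, and the status comparison should be strict (`200 === (int) $http_code`) rather than `== '200'`. Separately, new lines 834 (`$page_uri`) and 1161 (`$current_url`) HTML-escape `REQUEST_URI` at the point it is read rather than where it is output; if those values are compared against stored ad locations, a URI containing `&` will no longer match, so the escaping belongs at the echo site. The widget save path at 1428 still keys only on `isset( $_POST['linkw-submit'] )` with no nonce check in this hunk; whether core's widget-save nonce covers it depends on how the control callback is registered, which is outside the diff.
```php
$response = wp_remote_get($url);

if (is_wp_error($response)) {
    $wp_remote_get_error = 'get_contents() error: ' . $response->get_error_message();
} elseif (200 === (int) wp_remote_retrieve_response_code($response)) {
    $string = wp_remote_retrieve_body($response);
} else {
    $wp_remote_get_error = 'get_contents() error: HTTP '
        . wp_remote_retrieve_response_code($response) . ' '
        . wp_remote_retrieve_response_message($response);
}
// … unchanged: debug logging gated on $_GET['debug'], return $string …
```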
linkworth-wp-plugin/trunk/lw_includes/LinkWorth_admin.php
r2750802
r2754739
21
21
22
22
//UPDATE DEALS
23
if( isset( $\_POST\['lw\_update\_deal\_list'\] ) )
23
if( isset( $\_POST\['lw\_update\_deal\_list'\] ) && wp\_verify\_nonce($\_POST\['update\_general\_settings\_field'\], 'update\_general\_settings\_action') )
24
24
{
25
25
update\_option( 'lw\_cache\_time', 0 );
…
…
32
32
33
33
//DELETE SETTINGS
34
if( isset( $\_POST\['lw\_delete\_settings'\] ) )
34
if( isset( $\_POST\['lw\_delete\_settings'\] ) && wp\_verify\_nonce($\_POST\['update\_advanced\_options\_field'\], 'update\_advanced\_options\_action') )
35
35
{
36
36
delete\_option('lw\_linkintxts');
…
…
46
46
$billboard\_base = 'pages';
47
47
}
48
elseif( isset( $\_POST\['lw\_update\_settings'\] ) )
48
elseif( isset( $\_POST\['lw\_update\_settings'\] ) && wp\_verify\_nonce($\_POST\['update\_advanced\_options\_field'\], 'update\_advanced\_options\_action') )
49
49
{
50
50
//PROCESS POST BEFOR UPDATING
…
…
72
72
}
73
73
74
$updated\_lw\_options\['loop\_number'\] = $\_POST\['lw\_ops'\]\['loop\_number'\];
75
$updated\_lw\_options\['nocontentads'\] = $\_POST\['lw\_ops'\]\['nocontentads'\];
76
$updated\_lw\_options\['debug'\] = $\_POST\['lw\_ops'\]\['debug'\];
77
$updated\_lw\_options\['disable\_silent'\] = $\_POST\['lw\_ops'\]\['disable\_silent'\];
78
$updated\_lw\_options\['lw\_linkscale'\] = $\_POST\['lw\_ops'\]\['lw\_linkscale'\];
74
$updated\_lw\_options\['loop\_number'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['loop\_number'\]);
75
$updated\_lw\_options\['nocontentads'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['nocontentads'\]);
76
$updated\_lw\_options\['debug'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['debug'\]);
77
$updated\_lw\_options\['disable\_silent'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['disable\_silent'\]);
78
$updated\_lw\_options\['lw\_linkscale'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['lw\_linkscale'\]);
79
79
}
80
80
else
81
81
{
82
$updated\_lw\_options\['lw\_sidebar'\] = $\_POST\['lw\_ops'\]\['lw\_sidebar'\];
83
$updated\_lw\_options\['lw\_sidebarwidget'\] = $\_POST\['lw\_ops'\]\['lw\_sidebarwidget'\];
82
$updated\_lw\_options\['lw\_sidebar'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['lw\_sidebar'\]);
83
$updated\_lw\_options\['lw\_sidebarwidget'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['lw\_sidebarwidget'\]);
84
84
$updated\_lw\_options\['lw\_cssmod'\] = 0;
85
$updated\_lw\_options\['lw\_linktype'\] = $\_POST\['lw\_ops'\]\['lw\_linktype'\];
86
$updated\_lw\_options\['lw\_linkcolor'\] = $\_POST\['lw\_ops'\]\['lw\_linkcolor'\];
87
$updated\_lw\_options\['website\_id'\] = $\_POST\['lw\_ops'\]\['website\_id'\];
88
$updated\_lw\_options\['website\_hash'\] = $\_POST\['lw\_ops'\]\['website\_hash'\];
89
$updated\_lw\_options\['billboard\_base'\] = $\_POST\['lw\_ops'\]\['billboard\_base'\];
90
$updated\_lw\_options\['lw\_linksize'\] = $\_POST\['lw\_ops'\]\['lw\_linksize'\];
85
$updated\_lw\_options\['lw\_linktype'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['lw\_linktype'\]);
86
$updated\_lw\_options\['lw\_linkcolor'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['lw\_linkcolor'\]);
87
$updated\_lw\_options\['website\_id'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['website\_id'\]);
88
$updated\_lw\_options\['website\_hash'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['website\_hash'\]);
89
$updated\_lw\_options\['billboard\_base'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['billboard\_base'\]);
90
$updated\_lw\_options\['lw\_linksize'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['lw\_linksize'\]);
91
91
92
92
if( isset( $\_POST\['lw\_ops'\]\['site\_id'\] ) && isset( $\_POST\['lw\_ops'\]\['site\_hash'\] ) )
93
93
{
94
$updated\_lw\_options\['site\_id'\] = $\_POST\['lw\_ops'\]\['site\_id'\];
95
$updated\_lw\_options\['site\_hash'\] = $\_POST\['lw\_ops'\]\['site\_hash'\];
94
$updated\_lw\_options\['site\_id'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['site\_id'\]);
95
$updated\_lw\_options\['site\_hash'\] = sanitize\_text\_field($\_POST\['lw\_ops'\]\['site\_hash'\]);
96
96
}
97
97
}
…
…
284
284
<td style="color:#333333; font-weight:bold; background-color:#EAF2FA;"> What is THIS website's SITE ID?</td>
285
285
<td colspan="2">
286
<input type="text" name="lw\_ops\[website\_id\]" size="10" id="website\_id" value="<?php if(defined('LW\_WEBSITE\_ID')) { echo LW\_WEBSITE\_ID; } ?>"<?php echo $disabled\_option ?> />
286
<input type="text" name="lw\_ops\[website\_id\]" size="10" id="website\_id" value="<?php if(defined('LW\_WEBSITE\_ID')) { echo LW\_WEBSITE\_ID; } ?>"<?php echo esc\_attr($disabled\_option) ?> />
287
287
</td>
288
288
</tr>
…
…
290
290
<td style="color:#333333; font-weight:bold; background-color:#EAF2FA;"> What is THIS website's HASH ID?</td>
291
291
<td colspan="2">
292
<input type="text" name="lw\_ops\[website\_hash\]" size="35" id="website\_hash" value="<?php if(defined('LW\_HASH')) { echo LW\_HASH; } ?>"<?php echo $disabled\_option ?> />
292
<input type="text" name="lw\_ops\[website\_hash\]" size="35" id="website\_hash" value="<?php if(defined('LW\_HASH')) { echo LW\_HASH; } ?>"<?php echo esc\_attr($disabled\_option) ?> />
293
293
</td>
294
294
</tr>
…
…
362
362
<select name="lw\_ops\[lw\_linkcolor\]" style="width:100px;">
363
363
<option value="">Select One</option>
364
<option value="1"<?php echo $lw\_color\_array\_selected\[1\] ?>>AquaMarine</option>
365
<option value="2"<?php echo $lw\_color\_array\_selected\[2\] ?>>Forest</option>
366
<option value="3"<?php echo $lw\_color\_array\_selected\[3\] ?>>Winter</option>
367
<option value="4"<?php echo $lw\_color\_array\_selected\[4\] ?>>Summer</option>
368
<option value="5"<?php echo $lw\_color\_array\_selected\[5\] ?>>Fruity</option>
369
<option value="6"<?php echo $lw\_color\_array\_selected\[6\] ?>>Baby</option>
370
<option value="7"<?php echo $lw\_color\_array\_selected\[7\] ?>>Highway</option>
364
<option value="1"<?php echo esc\_attr($lw\_color\_array\_selected\[1\]) ?>>AquaMarine</option>
365
<option value="2"<?php echo esc\_attr($lw\_color\_array\_selected\[2\]) ?>>Forest</option>
366
<option value="3"<?php echo esc\_attr($lw\_color\_array\_selected\[3\]) ?>>Winter</option>
367
<option value="4"<?php echo esc\_attr($lw\_color\_array\_selected\[4\]) ?>>Summer</option>
368
<option value="5"<?php echo esc\_attr($lw\_color\_array\_selected\[5\]) ?>>Fruity</option>
369
<option value="6"<?php echo esc\_attr($lw\_color\_array\_selected\[6\]) ?>>Baby</option>
370
<option value="7"<?php echo esc\_attr($lw\_color\_array\_selected\[7\]) ?>>Highway</option>
371
371
</select>
372
372
</td>
…
…
383
383
<tr>
384
384
<td colspan='2'>
385
<a href="#" style="color:<?php echo $test\_color\[0\];?>; font-size:<?php echo $lw\_linksize.$lw\_linkscale;?>;">Link 1</a>
386
<a href="#" style="color:<?php echo $test\_color\[1\];?>; font-size:<?php echo $lw\_linksize.$lw\_linkscale;?>;">Another Link</a>
387
<a href="#" style="color:<?php echo $test\_color\[2\];?>; font-size:<?php echo $lw\_linksize.$lw\_linkscale;?>;">Anchor 4</a>
385
<a href="#" style="color:<?php echo esc\_attr($test\_color\[0\]);?>; font-size:<?php echo esc\_attr($lw\_linksize.$lw\_linkscale);?>;">Link 1</a>
386
<a href="#" style="color:<?php echo esc\_attr($test\_color\[1\]);?>; font-size:<?php echo esc\_attr($lw\_linksize.$lw\_linkscale);?>;">Another Link</a>
387
<a href="#" style="color:<?php echo esc\_attr($test\_color\[2\]);?>; font-size:<?php echo esc\_attr($lw\_linksize.$lw\_linkscale);?>;">Anchor 4</a>
388
388
<br />
389
<a href="#" style="color:<?php echo $test\_color\[3\];?>; font-size:<?php echo $lw\_linksize.$lw\_linkscale;?>;">A Link</a>
390
<a href="#" style="color:<?php echo $test\_color\[4\];?>; font-size:<?php echo $lw\_linksize.$lw\_linkscale;?>;">Click me</a>
391
<a href="#" style="color:<?php echo $test\_color\[5\];?>; font-size:<?php echo $lw\_linksize.$lw\_linkscale;?>;">Another Anchor</a>
389
<a href="#" style="color:<?php echo esc\_attr($test\_color\[3\]);?>; font-size:<?php echo esc\_attr($lw\_linksize.$lw\_linkscale);?>;">A Link</a>
390
<a href="#" style="color:<?php echo esc\_attr($test\_color\[4\]);?>; font-size:<?php echo esc\_attr($lw\_linksize.$lw\_linkscale);?>;">Click me</a>
391
<a href="#" style="color:<?php echo esc\_attr($test\_color\[5\]);?>; font-size:<?php echo esc\_attr($lw\_linksize.$lw\_linkscale);?>;">Another Anchor</a>
392
392
</td>
393
393
</tr>
…
…
426
426
<p style="display:inline-block; margin-top:0;"><small><em>(Overview of published adverts.)</em></small></p>
427
427
<p>Information listed here has been generated based on the lists of approved ads in your LinkWorth account on our servers.</p>
428
428
429
429
<table cellspacing="0" cellpadding="0" class="widefat">
430
430
<thead>
…
…
474
474
?>
475
475
<tr>
476
<td><a href="<?php echo $protocol.$ad\['url'\]?>"><?php echo $ad\['anchor'\]?></a></td>
477
<td><?php echo $lw\_humanloc ?></td>
478
<td><?php echo ((!is\_array($ad\['description'\]) || !empty($ad\['description'\])) ? $ad\['description'\] : '');?></td>
476
<td><a href="<?php echo esc\_url($protocol.$ad\['url'\])?>"><?php echo esc\_html($ad\['anchor'\])?></a></td>
477
<td><?php echo esc\_html($lw\_humanloc) ?></td>
478
<td><?php echo ((!is\_array($ad\['description'\]) || !empty($ad\['description'\])) ? esc\_html($ad\['description'\]) : '');?></td>
479
479
</tr>
480
480
<?php
…
…
514
514
?>
515
515
<tr>
516
<td><a href="<?php echo $ad\['url'\] ?>"><?php echo $ad\['anchor'\] ?></a></td>
517
<td><?php echo $lw\_humanloc ?></td>
518
<td><?php echo $ad\['pagename'\] ?> <?php echo $ad\['description'\] ?></td>
516
<td><a href="<?php echo esc\_url($ad\['url'\]) ?>"><?php echo esc\_html($ad\['anchor'\]) ?></a></td>
517
<td><?php echo esc\_html($lw\_humanloc) ?></td>
518
<td><?php echo esc\_html($ad\['pagename'\]) ?> <?php echo esc\_html($ad\['description'\]) ?></td>
519
519
</tr>
520
520
<?php
…
…
553
553
?>
554
554
<tr>
555
<td style="vertical-align:top;"><a href="<?php echo $protocol.$example\_ad\['url'\] ?>" title="<?php echo $example\_ad\['description'\] ?>"><?php echo $example\_ad\['anchor'\] ?></a></td>
556
<td style="vertical-align:top;"><?php echo $lw\_humanloc ?></td>
555
<td style="vertical-align:top;"><a href="<?php echo esc\_url($protocol.$example\_ad\['url'\]) ?>" title="<?php echo esc\_attr($example\_ad\['description'\]) ?>"><?php echo esc\_html($example\_ad\['anchor'\]) ?></a></td>
556
<td style="vertical-align:top;"><?php echo esc\_html($lw\_humanloc) ?></td>
557
557
<td>
558
558
<?php
…
…
564
564
$protocol = ($hyperlink\['use\_https'\])? 'https://' : 'http://';
565
565
?>
566
<a href="<?php echo $protocol.$hyperlink\['url'\] ?>" title="<?php echo $hyperlink\['description'\] ?>"><?php echo $hyperlink\['anchor'\] ?></a><?php echo (($current\_count < $hyperlink\_count) ? ' ,' : '')?>
566
<a href="<?php echo esc\_url($protocol.$hyperlink\['url'\]) ?>" title="<?php echo esc\_attr($hyperlink\['description'\]) ?>"><?php echo esc\_html($hyperlink\['anchor'\]) ?></a><?php echo (($current\_count < $hyperlink\_count) ? ' ,' : '')?>
567
567
<?php
568
568
$current\_count++;
…
…
596
596
?>
597
597
<tr>
598
<td><a href="<?php echo $protocol.$ad\['url'\] ?>"><?php echo $ad\['anchor'\] ?></a></td>
599
<td><?php echo $ad\['webpageurl'\] ?></td>
598
<td><a href="<?php echo esc\_url($protocol.$ad\['url'\]) ?>"><?php echo esc\_html($ad\['anchor'\]) ?></a></td>
599
<td><?php echo esc\_html($ad\['webpageurl'\]) ?></td>
600
600
<td></td>
601
601
</tr>
…
…
618
618
</tr>
619
619
</table>
620
<?php wp\_nonce\_field( 'update\_general\_settings\_action', 'update\_general\_settings\_field' ); ?>
620
621
</form>
621
622
</fieldset>
…
…
663
664
<div id="message" class="updated fade">
664
665
<p style="font-weight:bold;">
665
Your theme has <?php echo $loop\_count ?> loop.
666
Your theme has <?php echo $loop\_count ?> loop.
666
667
If you do not have a static page as your home page, your theme could be using more then one instance of 'The Loop.'
667
668
The number of loops could be higher then <?php echo $loop\_count ?>.
…
…
693
694
<h2>LinkWorth Advanced Configuration</h2>
694
695
695
<form method="post" action="<?php echo $\_SERVER\['REQUEST\_URI'\] ?>">
696
<form method="post" action="<?php echo htmlspecialchars($\_SERVER\['REQUEST\_URI'\], ENT\_QUOTES, 'UTF-8') ?>">
696
697
<table cellspacing="0" cellpadding="0" class="widefat" style="width:auto;">
697
698
<thead>
…
…
723
724
?>
724
725
<select name="lw\_ops\[lw\_linkscale\]">
725
<option value="px"<?php echo $lw\_size\_array\_selected\['px'\] ?>>Pixels</option>
726
<option value="pt"<?php echo $lw\_size\_array\_selected\['pt'\] ?>>Points</option>
727
<option value="em"<?php echo $lw\_size\_array\_selected\['em'\] ?>>Ems</option>
726
<option value="px"<?php echo esc\_attr($lw\_size\_array\_selected\['px'\]) ?>>Pixels</option>
727
<option value="pt"<?php echo esc\_attr($lw\_size\_array\_selected\['pt'\]) ?>>Points</option>
728
<option value="em"<?php echo esc\_attr($lw\_size\_array\_selected\['em'\]) ?>>Ems</option>
728
729
</select>
729
730
</td>
…
…
770
771
771
772
<input type="hidden" name="updating\_advanced\_options" value="1" />
773
<?php wp\_nonce\_field( 'update\_advanced\_options\_action', 'update\_advanced\_options\_field' ); ?>
772
774
</form>
773
775
</fieldset>
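Review bot: The nonce checks added at new lines 23, 34 and 48 read `$_POST['update_general_settings_field']` / `$_POST['update_advanced_options_field']` without an `isset()` guard, so a request that omits the field — the forged or stale request the check exists for — raises an undefined-index notice and passes `null` to `wp_verify_nonce()`; write `isset( $_POST['lw_update_deal_list'], $_POST['update_general_settings_field'] ) && wp_verify_nonce( $_POST['update_general_settings_field'], 'update_general_settings_action' )` or call `check_admin_referer( 'update_general_settings_action', 'update_general_settings_field' )` inside the branch. A nonce proves intent, not authorisation: no `current_user_can( 'manage_options' )` check is visible in these hunks, so it should be confirmed that the enclosing function (outside the diff) performs one before `update_option()` / `delete_option()`. The `sanitize_text_field( $_POST['lw_ops'][...] )` assignments at 74-95 likewise index `$_POST` without `isset()`; unchecked checkboxes are absent from the request, so a `?? ''` default (or an `isset()` test) is needed to avoid notices. Finally, `esc_attr( $disabled_option )` at 286/292 and `esc_attr( $lw_color_array_selected[...] )` at 364-370 and 726-728 are applied to attribute fragments the plugin builds itself; if those hold quoted text such as ` disabled="disabled"`, `esc_attr()` turns the quotes into `&quot;` and corrupts the markup — the WordPress `disabled()` and `selected()` helpers emit these fragments safely.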
linkworth-wp-plugin/trunk/readme.txt
r2750802
r2754739
4
4
Tags: ads, sidebar, post, content, ad, text links, links
5
5
Requires at least: 2.3
6
Tested up to: 5.9
7
Stable tag: 3.3
6
Tested up to: 6.0
7
Stable tag: 3.3.3
8
8
9
9
Easily publish different types of text link products and in-content ads from linkworth.com.