CVE-2022-3991: photospace.php in photospace/trunk – WordPress Plugin Repository
The Photospace Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters, which are saved by the update() function, in versions up to, and including, 2.3.5, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.

In the listing below, photospace_plugin_options::update() is hooked to admin_menu, so it runs on every wp-admin request made by any logged-in user, including a subscriber viewing their own profile. When $_POST['ps_save'] is present it copies the form fields into the ps_options option with nothing more than stripslashes(); there is no capability check and no nonce check (the edit_theme_options capability passed to add_submenu_page() only gates the menu entry, not the save). The stored values are then echoed without escaping in three places: the value="" attributes of the settings form in display(); the inline <style> block that photospace_wp_headers() prints into wp_head on every front-end page, where the size fields are checked only with !empty(), so a value such as gallery_width can close the style element and open a script element; and the inline <script> that photospace_shortcode() builds wherever a [gallery] or [photospace] shortcode renders, where play_text, pause_text, previous_text and next_text are placed inside single-quoted JavaScript string literals.
<?php
/*
Plugin Name: Photospace
Plugin URI: http://thriveweb.com.au/the-lab/wordpress-gallery-plugin-photospace-2/
Description: A image gallery plugin for WordPress built using Galleriffic.
<a href="http://www.twospy.com/galleriffic/>galleriffic</a>
Author: Dean Oakley
Author URI: http://deanoakley.com/
Version: 2.3.5
Text Domain: photospace
*/

/* Copyright 2010 Dean Oakley (email : [email protected])

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2, as
    published by the Free Software Foundation.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/

if(preg_match('#' . basename(__FILE__) . '#', $_SERVER['PHP_SELF'])) {
    die('Illegal Entry');
}

//============================== Photospace options ========================//
class photospace_plugin_options {

    public static function PS_getOptions() {
        $options = get_option('ps_options');

        if (!is_array($options)) {

            $options['use_paging'] = false;

            $options['enable_history'] = false;

            $options['num_thumb'] = '9';

            $options['show_captions'] = false;

            $options['show_download'] = false;

            $options['show_controls'] = false;

            $options['show_bg'] = false;

            $options['auto_play'] = false;
            $options['delay'] = 3500;

            $options['button_size'] = 50;

            $options['hide_thumbs'] = false;

            $options['reset_css'] = false;

            $options['thumbnail_margin'] = 10;

            $options['thumbnail_width'] = 50;
            $options['thumbnail_height'] = 50;
            $options['thumbnail_crop'] = true;

            $options['thumb_col_width'] = '181';
            $options['main_col_width'] = '400';
            $options['main_col_height'] = '500';
            $options['gallery_width'] = '600';

            $options['play_text'] = 'Play Slideshow';
            $options['pause_text'] = 'Pause Slideshow';
            $options['previous_text'] = '‹ Previous Photo';
            $options['next_text'] = 'Next Photo ›';
            $options['download_text'] = 'Download Original';


            update_option('ps_options', $options);
        }
        return $options;
    }

    // Hooked to admin_menu below, so this runs on every wp-admin request by any logged-in user.
    public static function update() {
        if(isset($_POST['ps_save'])) {
            // CVE-2022-3991: no capability check and no nonce check here; every field is
            // stored with nothing more than stripslashes().
            $options = photospace_plugin_options::PS_getOptions();

            $options['num_thumb'] = stripslashes($_POST['num_thumb']);
            $options['thumbnail_margin'] = stripslashes($_POST['thumbnail_margin']);
            $options['thumbnail_width'] = stripslashes($_POST['thumbnail_width']);
            $options['thumbnail_height'] = stripslashes($_POST['thumbnail_height']);


            $options['thumb_col_width'] = stripslashes($_POST['thumb_col_width']);
            $options['main_col_width'] = stripslashes($_POST['main_col_width']);
            $options['main_col_height'] = stripslashes($_POST['main_col_height']);

            $options['gallery_width'] = stripslashes($_POST['gallery_width']);

            $options['delay'] = stripslashes($_POST['delay']);

            $options['button_size'] = stripslashes($_POST['button_size']);

            if (isset($_POST['enable_history'])) {
                $options['enable_history'] = (bool)true;
            } else {
                $options['enable_history'] = (bool)false;
            }

            if (isset($_POST['use_paging'])) {
                $options['use_paging'] = (bool)true;
            } else {
                $options['use_paging'] = (bool)false;
            }

            if (isset($_POST['thumbnail_crop'])) {
                $options['thumbnail_crop'] = (bool)true;
            } else {
                $options['thumbnail_crop'] = (bool)false;
            }

            if (isset($_POST['show_controls'])) {
                $options['show_controls'] = (bool)true;
            } else {
                $options['show_controls'] = (bool)false;
            }

            if (isset($_POST['show_download'])) {
                $options['show_download'] = (bool)true;
            } else {
                $options['show_download'] = (bool)false;
            }

            if (isset($_POST['show_captions'])) {
                $options['show_captions'] = (bool)true;
            } else {
                $options['show_captions'] = (bool)false;
            }

            if (isset($_POST['show_bg'])) {
                $options['show_bg'] = (bool)true;
            } else {
                $options['show_bg'] = (bool)false;
            }

            if (isset($_POST['auto_play'])) {
                $options['auto_play'] = (bool)true;
            } else {
                $options['auto_play'] = (bool)false;
            }

            if (isset($_POST['hide_thumbs'])) {
                $options['hide_thumbs'] = (bool)true;
            } else {
                $options['hide_thumbs'] = (bool)false;
            }

            if (isset($_POST['reset_css'])) {
                $options['reset_css'] = (bool)true;
            } else {
                $options['reset_css'] = (bool)false;
            }

            $options['play_text'] = stripslashes($_POST['play_text']);
            $options['pause_text'] = stripslashes($_POST['pause_text']);
            $options['previous_text'] = stripslashes($_POST['previous_text']);
            $options['next_text'] = stripslashes($_POST['next_text']);
            $options['download_text'] = stripslashes($_POST['download_text']);


            update_option('ps_options', $options);

        } else {
            photospace_plugin_options::PS_getOptions();
        }

        add_submenu_page( 'options-general.php', 'Photospace options', 'Photospace Gallery Options', 'edit_theme_options', basename(__FILE__), array('photospace_plugin_options', 'display'));
    }


    public static function display() {

        $options = photospace_plugin_options::PS_getOptions();
        // CVE-2022-3991 sink: every value="" attribute below echoes the stored option without esc_attr().
        ?>

        <div id="photospace_admin" class="wrap">

            <h2>Photospace Options</h2>

            <form method="post" action="#" enctype="multipart/form-data">

                <div class="wp-menu-separator" style="clear:both; padding-bottom:15px; border-bottom:solid 1px #e6e6e6" ></div>

                <p><label><input name="show_download" type="checkbox" value="checkbox" <?php if($options['show_download']) echo "checked='checked'"; ?> /> Show download link</label></p>

                <p><label><input name="show_controls" type="checkbox" value="checkbox" <?php if($options['show_controls']) echo "checked='checked'"; ?> /> Show controls</label></p>

                <p><label><input name="use_paging" type="checkbox" value="checkbox" <?php if($options['use_paging']) echo "checked='checked'"; ?> /> Use paging </label></p>

                <p><label><input name="enable_history" type="checkbox" value="checkbox" <?php if($options['enable_history']) echo "checked='checked'"; ?> /> Enable history </label></p>


                <p><label><input name="show_captions" type="checkbox" value="checkbox" <?php if($options['show_captions']) echo "checked='checked'"; ?> /> Show Title / Caption / Desc under image</label></p>

                <p><label><input name="reset_css" type="checkbox" value="checkbox" <?php if($options['reset_css']) echo "checked='checked'"; ?> /> Try to clear current theme image css / formatting</label></p>


                <p><label><input name="show_bg" type="checkbox" value="checkbox" <?php if($options['show_bg']) echo "checked='checked'"; ?> /> Show background colours for layout testing</label></p>



                <div class="ps_border" ></div>

                <div class="fl_box">
                    <p><label><input name="auto_play" type="checkbox" value="checkbox" <?php if($options['auto_play']) echo "checked='checked'"; ?> /> Auto play slide show</label></p>
                </div>
                <div class="fl_box">
                    <p><label><input name="hide_thumbs" type="checkbox" value="checkbox" <?php if($options['hide_thumbs']) echo "checked='checked'"; ?> /> Hide thumbnails</label></p>
                </div>


                <div class="fl_box">
                    <p>Slide delay in milliseconds</p>
                    <p><input type="text" name="delay" value="<?php echo($options['delay']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Page button size</p>
                    <p><input type="text" name="button_size" value="<?php echo($options['button_size']); ?>" /></p>
                </div>



                <div style="clear:both; padding-bottom:15px; border-bottom:solid 1px #e6e6e6" ></div>

                <h3 style="font-style:italic; font-weight:normal; color:grey " >Images that are already on the server will not change size until you regenerate the thumbnails. Use <a title="http://wordpress.org/extend/plugins/ajax-thumbnail-rebuild/" href="http://wordpress.org/extend/plugins/ajax-thumbnail-rebuild/">AJAX thumbnail rebuild</a> or <a title="http://wordpress.org/extend/plugins/regenerate-thumbnails/" href="http://wordpress.org/extend/plugins/regenerate-thumbnails/">Regenerate Thumbnails</a> </h3>

                <div class="fl_box">
                    <p>Thumbnail Width</p>
                    <p><input type="text" name="thumbnail_width" value="<?php echo($options['thumbnail_width']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Thumbnail Height</p>
                    <p><input type="text" name="thumbnail_height" value="<?php echo($options['thumbnail_height']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Main image width</p>
                    <p><input type="text" name="main_col_width" value="<?php echo($options['main_col_width']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Main image height</p>
                    <p><input type="text" name="main_col_height" value="<?php echo($options['main_col_height']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Crop thumnails</p>
                    <p><label><input name="thumbnail_crop" type="checkbox" value="checkbox" <?php if($options['thumbnail_crop']) echo "checked='checked'"; ?> /></label></p>

                </div>

                <div style="clear:both; padding-bottom:15px; border-bottom:solid 1px #e6e6e6" ></div>

                <div class="fl_box">
                    <p>Number of thumbnails</p>
                    <p><input type="text" name="num_thumb" value="<?php echo($options['num_thumb']); ?>" /></p>
                </div>


                <div class="fl_box">
                    <p>Thumbnail column width</p>
                    <p><input type="text" name="thumb_col_width" value="<?php echo($options['thumb_col_width']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Thumbnail margin</p>
                    <p><input type="text" name="thumbnail_margin" value="<?php echo($options['thumbnail_margin']); ?>" /></p>
                </div>


                <div style="clear:both; padding-bottom:15px; border-bottom:solid 1px #e6e6e6" ></div>



                <h3>Gallery width (at least Thumbnail column + Main image width)</h3>
                <p><input type="text" name="gallery_width" value="<?php echo($options['gallery_width']); ?>" /></p>
                <br />

                <div style="clear:both; padding-bottom:15px; border-bottom:solid 1px #e6e6e6" ></div>


                <div class="fl_box">
                    <p>Play text</p>
                    <p><input type="text" name="play_text" value="<?php echo($options['play_text']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Pause text</p>
                    <p><input type="text" name="pause_text" value="<?php echo($options['pause_text']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Previous text</p>
                    <p><input type="text" name="previous_text" value="<?php echo($options['previous_text']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Next text</p>
                    <p><input type="text" name="next_text" value="<?php echo($options['next_text']); ?>" /></p>
                </div>

                <div class="fl_box">
                    <p>Download link text</p>
                    <p><input type="text" name="download_text" value="<?php echo($options['download_text']); ?>" /></p>
                </div>

                <div style="clear:both; padding-bottom:15px; border-bottom:solid 1px #e6e6e6" ></div>


                <p><input class="button-primary" type="submit" name="ps_save" value="Save Changes" /></p>

            </form>

        </div>

        <?php
    }
}

function PS_getOption($option) {
    global $mytheme;
    return $mytheme->option[$option];
}

// register functions
add_action('admin_menu', array('photospace_plugin_options', 'update'));


$options = get_option('ps_options');

add_theme_support( 'post-thumbnails' );
add_image_size('photospace_thumbnails', $options['thumbnail_width'], $options['thumbnail_height'], $options['thumbnail_crop']);
add_image_size('photospace_full', $options['main_col_width'], $options['main_col_height']);

function photospace_admin_register_head() {
    $url = site_url()."/wp-content/plugins/photospace" . '/admin.css';
    echo "<link rel='stylesheet' type='text/css' href='$url' />\n";
}
add_action('admin_head', 'photospace_admin_register_head');


//============================== insert HTML header tag ========================//

function photospace_scripts_method() {
    wp_enqueue_script('jquery');
    $photospace_wp_plugin_path = site_url()."/wp-content/plugins/photospace";
    wp_enqueue_style( 'photospace-styles', $photospace_wp_plugin_path . '/gallery.css');
    wp_enqueue_script( 'galleriffic', $photospace_wp_plugin_path . '/jquery.galleriffic.js');
}
add_action('wp_enqueue_scripts', 'photospace_scripts_method');

function photospace_scripts_method_history() {
    $photospace_wp_plugin_path = site_url()."/wp-content/plugins/photospace";
    wp_enqueue_script( 'history', $photospace_wp_plugin_path . '/jquery.history.js');
}
if ($options['enable_history']) {
    add_action('wp_enqueue_scripts', 'photospace_scripts_method_history');
}

function photospace_wp_headers() {

    $options = get_option('ps_options');

    echo "<!-- photospace [ START ] --> \n";

    echo '<style type="text/css">';

    if($options['reset_css']){

        echo '
        /* reset */
        .photospace img,
        .photospace ul.thumbs,
        .photospace ul.thumbs li,
        .photospace ul.thumbs li a{
            padding:0;
            margin:0;
            border:none !important;
            background:none !important;
            height:auto !important;
            width:auto !important;
        }
        .photospace span{
            padding:0;
            margin:0;
            border:none !important;
            background:none !important;
        }
        ';
    }

    // CVE-2022-3991 sink: the size options below go into inline CSS unescaped; !empty() is the only check.
    if(!empty($options['button_size']))
        echo '
        .photospace .thumnail_col a.pageLink {
            width:'.$options['button_size'] .'px;
            height:'.$options['button_size'] .'px;
        }
        ';

    if(!empty($options['main_col_width']))
        echo ' .photospace .gal_content,
        .photospace .loader,
        .photospace .slideshow a.advance-link{
            width:'. $options['main_col_width'] .'px;
        }
        ';

    if(!empty($options['gallery_width']))
        echo ' .photospace{
            width:'. $options['gallery_width'] .'px;
        }
        ';

    if(!empty($options['main_col_height']))
        echo ' .photospace{
            height:'. $options['main_col_height'] .'px;
        }
        ';

    if(!empty($options['thumbnail_margin']))
        echo ' .photospace ul.thumbs li {
            margin-bottom:'. $options['thumbnail_margin'] .'px !important;
            margin-right:'. $options['thumbnail_margin'] .'px !important;
        }
        ';

    if(!empty($options['main_col_height']))
        echo ' .photospace .loader {
            height: '. $options['main_col_height'] / 2 . 'px;
        }
        ';

    if(!empty($options['main_col_width']))
        echo ' .photospace .loader {
            width: '. $options['main_col_width'] . 'px;
        }
        ';

    if(!empty($options['main_col_height']))
        echo ' .photospace .slideshow a.advance-link,
        .photospace .slideshow span.image-wrapper {
            height:'. $options['main_col_height'] .'px;
        }
        ';

    if(!empty($options['main_col_height']))
        echo ' .photospace .slideshow-container {
            height:'. $options['main_col_height'] .'px;
        }
        ';

    if($options['show_bg']){

        echo '
        .photospace{
            background-color:#fbefd7;
        }

        .photospace .thumnail_col {
            background-color:#e7cf9f;
        }

        .photospace .gal_content,
        .photospace .loader,
        .photospace .slideshow a.advance-link {
            background-color:#e7cf9f;
        }';
    }

    if($options['hide_thumbs']){
        echo '
        .photospace .thumnail_col{
            display:none !important;
        }
        ';
    }
    if($options['use_paging']){
        echo '
        .pageLink{
            display:none !important;
        }
        .photospace{
            margin-top:43px;
        }
        ';
    }

    echo '</style>';

    echo "<!-- photospace [ END ] --> \n";
}
add_action( 'wp_head', 'photospace_wp_headers', 10 );

add_shortcode( 'gallery', 'photospace_shortcode' );
add_shortcode( 'photospace', 'photospace_shortcode' );

function photospace_shortcode( $atts ) {

    global $post;
    global $photospace_count;

    $options = get_option('ps_options');

    if ( ! empty( $atts['ids'] ) ) {
        // 'ids' is explicitly ordered, unless you specify otherwise.
        if ( empty( $atts['orderby'] ) )
            $atts['orderby'] = 'post__in';
        $atts['include'] = $atts['ids'];
    }

    extract(shortcode_atts(array(
        'id' => intval($post->ID),
        'num_thumb' => $options['num_thumb'],
        'num_preload' => $options['num_thumb'],
        'show_captions' => $options['show_captions'],
        'show_download' => $options['show_download'],
        'show_controls' => $options['show_controls'],
        'auto_play' => $options['auto_play'],
        'delay' => $options['delay'],
        'hide_thumbs' => $options['hide_thumbs'],
        'use_paging' => $options['use_paging'],
        'horizontal_thumb' => 0,
        'order' => 'ASC',
        'orderby' => 'menu_order ID',
        'include' => '',
        'exclude' => '',
        'sync_transitions' => 1

    ), $atts));

    $photospace_count += 1;
    $post_id = intval($post->ID) . '_' . $photospace_count;

    if ( 'RAND' == $order )
        $orderby = 'none';

    $hide_thumb_style = '';
    if($hide_thumbs){
        $hide_thumb_style = 'hide_me';
    }

    $thumb_style_init = 'display:none';
    $thumb_style_on = "'display', 'block'";
    $thumb_style_off = "'display', 'none'";


    $photospace_wp_plugin_path = site_url()."/wp-content/plugins/photospace";

    $output_buffer ='

    <div class="gallery_clear"></div>
    <div id="gallery_'.$post_id.'" class="photospace">

        <!-- Start Advanced Gallery Html Containers -->
        <div class="thumbs_wrap2">
        <div class="thumbs_wrap">
        <div id="thumbs_'.$post_id.'" class="thumnail_col '. $hide_thumb_style . '" >
    ';

    if($horizontal_thumb){
        $output_buffer .='<a class="pageLink prev" style="'. $thumb_style_init . '" href="#" title="Previous Page"></a>';
    }

    $output_buffer .='
            <ul class="thumbs noscript">
    ';

    if ( !empty($include) ) {
        $include = preg_replace( '/[^0-9,]+/', '', $include );
        $_attachments = get_posts( array('include' => $include, 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $order, 'orderby' => $orderby) );

        $attachments = array();
        foreach ( $_attachments as $key => $val ) {
            $attachments[$val->ID] = $_attachments[$key];
        }
    } elseif ( !empty($exclude) ) {
        $exclude = preg_replace( '/[^0-9,]+/', '', $exclude );
        $attachments = get_children( array('post_parent' => $id, 'exclude' => $exclude, 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $order, 'orderby' => $orderby) );
    } else {
        $attachments = get_children( array('post_parent' => $id, 'post_status' => 'inherit', 'post_type' => 'attachment', 'post_mime_type' => 'image', 'order' => $order, 'orderby' => $orderby) );
    }

    if ( !empty($attachments) ) {
        foreach ( $attachments as $aid => $attachment ) {
            $img = wp_get_attachment_image_src( $aid , 'photospace_full');
            $thumb = wp_get_attachment_image_src( $aid , 'photospace_thumbnails');
            $full = wp_get_attachment_image_src( $aid , 'full');
            $_post = get_post($aid);

            $image_title = esc_attr($_post->post_title);
            $image_alttext = get_post_meta($aid, '_wp_attachment_image_alt', true);
            $image_caption = $_post->post_excerpt;
            $image_description = $_post->post_content;

            $output_buffer .='
                <li><a class="thumb" href="' . $img[0] . '" title="' . $image_title . '" >
                    <img src="' . $thumb[0] . '" alt="' . $image_alttext . '" title="' . $image_title . '" />
                </a>
            ';

            $output_buffer .='
                <div class="caption">
            ';
            if($show_captions){

                if($image_caption != ''){
                    $output_buffer .='
                    <div class="image-caption">' . $image_caption . '</div>
                    ';
                }

                if($image_description != ''){
                    $output_buffer .='
                    <div class="image-desc">' . $image_description . '</div>
                    ';
                }
            }

            if($show_download){
                $output_buffer .='
                    <div class="download"><a href="'.$full[0].'" title="'. $options["download_text"] .'" ><span>'. $options["download_text"] .'</span></a></div>
                ';
            }

            $output_buffer .='
                </div>
            ';


            $output_buffer .='
                </li>
            ';
        }
    }

    $output_buffer .='
            </ul>';


    if(!$horizontal_thumb){
        $output_buffer .='
            <div class="photospace_clear"></div>
            <a class="pageLink prev" style="'.$thumb_style_init.'" href="#" title="Previous Page"></a>';
    }

    $output_buffer .='
            <a class="pageLink next" style="'.$thumb_style_init.'" href="#" title="Next Page"></a>
        </div>
        </div>
        </div>

        <!-- Start Advanced Gallery Html Containers -->
        <div class="gal_content">
    ';

    if($show_controls){
        $output_buffer .='<div id="controls_'.$post_id.'" class="controls"></div>';
    }

    $output_buffer .='
            <div class="slideshow-container">
                <div id="loading_'.$post_id.'" class="loader"></div>
                <div id="slideshow_'.$post_id.'" class="slideshow"></div>
                <div id="caption_'.$post_id.'" class="caption-container"></div>
            </div>

        </div>

    </div>

    <div class="gallery_clear"></div>

    ';

    $output_buffer .= "

    <script type='text/javascript'>

    jQuery(document).ready(function($) {

        // We only want these styles applied when javascript is enabled
        $('.gal_content').css('display', 'block');
    ";

    if(!$horizontal_thumb){
        $output_buffer .= "$('.thumnail_col').css('width', '". $options['thumb_col_width'] . "px');";
    }

    // CVE-2022-3991 sink: play_text, pause_text, previous_text and next_text are placed inside
    // single-quoted JavaScript literals below without esc_js().
    $output_buffer .= "

        // Initialize Advanced Galleriffic Gallery
        var gallery = $('#thumbs_".$post_id."').galleriffic({
            delay: " . intval($delay) . ",
            numThumbs: " . intval($num_thumb) . ",
            preloadAhead: " . intval($num_preload) . ",
            enableTopPager: " . intval($use_paging) . ",
            enableBottomPager: false,
            imageContainerSel: '#slideshow_".$post_id."',
            controlsContainerSel: '#controls_".$post_id."',
            captionContainerSel: '#caption_".$post_id."',
            loadingContainerSel: '#loading_".$post_id."',
            renderSSControls: true,
            renderNavControls: true,
            playLinkText: '". $options['play_text'] ."',
            pauseLinkText: '". $options['pause_text'] ."',
            prevLinkText: '". $options['previous_text'] ."',
            nextLinkText: '". $options['next_text'] ."',
            nextPageLinkText: '›',
            prevPageLinkText: '‹',
            enableHistory: " . intval($options['enable_history']) . ",
            autoStart: " . intval($auto_play) . ",
            enableKeyboardNavigation: true,
            syncTransitions: " . intval($sync_transitions) . ",
            defaultTransitionDuration: 300,

            onTransitionOut: function(slide, caption, isSync, callback) {
                slide.fadeTo(this.getDefaultTransitionDuration(isSync), 0.0, callback);
                caption.fadeTo(this.getDefaultTransitionDuration(isSync), 0.0);
            },
            onTransitionIn: function(slide, caption, isSync) {
                var duration = this.getDefaultTransitionDuration(isSync);
                slide.fadeTo(duration, 1.0);

                // Position the caption at the bottom of the image and set its opacity
                var slideImage = slide.find('img');
                caption.width(slideImage.width())
                    .css({
                        //'bottom' : Math.floor((slide.height() - slideImage.outerHeight()) / 2 - 40),
                        'top' : slideImage.outerHeight(),
                        'left' : Math.floor((slide.width() - slideImage.width()) / 2) + slideImage.outerWidth() - slideImage.width()
                    })
                    .fadeTo(duration, 1.0);

            },
            onPageTransitionOut: function(callback) {
                this.hide();
                setTimeout(callback, 100); // wait a bit
            },
            onPageTransitionIn: function() {
                var prevPageLink = this.find('a.prev').css(".$thumb_style_off.");
                var nextPageLink = this.find('a.next').css(".$thumb_style_off.");

                // Show appropriate next / prev page links
                if (this.displayedPage > 0)
                    prevPageLink.css(".$thumb_style_on.");

                var lastPage = this.getNumPages() - 1;
                if (this.displayedPage < lastPage)
                    nextPageLink.css(".$thumb_style_on.");

                this.fadeTo('fast', 1.0);
            }

        });

    ";

    if ($options['enable_history']) {

        $output_buffer .= "

        /**** Functions to support integration of galleriffic with the jquery.history plugin ****/

        // PageLoad function
        // This function is called when:
        // 1. after calling $.historyInit();
        // 2. after calling $.historyLoad();
        // 3. after pushing Go Back button of a browser
        function pageload(hash) {
            // alert('pageload: ' + hash);
            // hash doesn't contain the first # character.
            if(hash) {
                $.galleriffic.gotoImage(hash);
            } else {
                gallery.gotoIndex(0);
            }
        }

        // Initialize history plugin.
        // The callback is called at once by present location.hash.
        $.historyInit(pageload, 'advanced.html');

        // set onlick event for buttons using the jQuery 1.3 live method
        $('a[rel=history]').live('click', function(e) {
            if (e.button != 0) return true;

            var hash = this.href;
            hash = hash.replace(/^.*#/, '');

            // moves to a new page.
            // pageload is called at once.
            $.historyLoad(hash);

            return false;
        });

        /****************************************************************************************/


        ";
    }



    $output_buffer .= "

        /**************** Event handlers for custom next / prev page links **********************/

        gallery.find('a.prev').click(function(e) {
            gallery.previousPage();
            e.preventDefault();
        });

        gallery.find('a.next').click(function(e) {
            gallery.nextPage();
            e.preventDefault();
        });

    });
    </script>

    ";

    return $output_buffer;
}
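The shape a fix would take, as an added example that is not the plugin's own code and not its actual patch (the fixed version is not named on this page). It is plain PHP so that it runs on its own; the WordPress helpers an in-plugin fix would call instead (current_user_can, check_admin_referer, absint, sanitize_text_field, esc_attr, esc_js) are named in the comments. The option names are the plugin's; ps_handle_save(), ps_sanitize_options(), ps_attr(), ps_js_string(), ps_css_px() and the sample POST body are constructed for the example:

```php
<?php
// Added example, not code from the Photospace plugin: a hardened shape for the
// update()/display()/photospace_wp_headers()/photospace_shortcode() sinks above.
declare(strict_types=1);

// Allow-list of option names by type; anything outside it is never stored.
const PS_INT_OPTIONS  = ['num_thumb', 'thumbnail_margin', 'thumbnail_width', 'thumbnail_height',
    'thumb_col_width', 'main_col_width', 'main_col_height', 'gallery_width', 'delay', 'button_size'];
const PS_BOOL_OPTIONS = ['enable_history', 'use_paging', 'thumbnail_crop', 'show_controls',
    'show_download', 'show_captions', 'show_bg', 'auto_play', 'hide_thumbs', 'reset_css'];
const PS_TEXT_OPTIONS = ['play_text', 'pause_text', 'previous_text', 'next_text', 'download_text'];

// Stand-in for WordPress sanitize_text_field(): no tags, no control bytes, trimmed.
function ps_clean_text(string $raw): string
{
    $text = strip_tags($raw);
    $text = preg_replace('/[\x00-\x1F\x7F]+/', '', $text) ?? '';
    return trim($text);
}

// Replacement for the body of update(): sizes must be integers (WordPress: absint()),
// so a value like "600px;}</style>" never reaches the inline CSS; texts are cleaned;
// unknown keys are ignored. $current is what get_option('ps_options') returned.
function ps_sanitize_options(array $post, array $current): array
{
    $opts = $current;
    foreach (PS_INT_OPTIONS as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            continue;
        }
        $n = filter_var($post[$key], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 100000]]);
        if ($n !== false) {
            $opts[$key] = $n;              // invalid input keeps the previous value
        }
    }
    foreach (PS_BOOL_OPTIONS as $key) {
        $opts[$key] = isset($post[$key]);  // checkbox present => true, as in the original
    }
    foreach (PS_TEXT_OPTIONS as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $opts[$key] = ps_clean_text(stripslashes($post[$key]));
        }
    }
    return $opts;
}

// The gate the original update() lacks. In WordPress the two flags come from
// current_user_can('manage_options') and check_admin_referer('ps_save_options'),
// the latter paired with wp_nonce_field('ps_save_options') inside the form in display().
function ps_handle_save(array $post, array $current, bool $user_can_manage, bool $nonce_valid): array
{
    if (!isset($post['ps_save']) || !$user_can_manage || !$nonce_valid) {
        return $current;                   // nothing is written for a subscriber or a forged request
    }
    return ps_sanitize_options($post, $current);
}

// Sink 1: the value="" attributes in display(). WordPress: esc_attr().
function ps_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Sink 2: the string literals in the inline <script> built by photospace_shortcode().
// WordPress: esc_js(), or better wp_localize_script(). json_encode() with the HEX flags
// produces a JS literal that can close neither the quote nor the </script> element.
function ps_js_string(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

// Sink 3: the px values in photospace_wp_headers(); only an int can get here.
function ps_css_px(int $value): string
{
    return $value . 'px';
}

// Constructed sample POST body: what a logged-in subscriber could send to the unguarded handler.
$defaults = ['num_thumb' => '9', 'delay' => 3500, 'gallery_width' => '600',
             'play_text' => 'Play Slideshow', 'show_download' => false];
$malicious_post = [
    'ps_save'       => 'Save Changes',
    'num_thumb'     => '12',
    'delay'         => '3500"><script>alert(1)</script>',
    'gallery_width' => '600px;}</style><script>alert(2)</script>',
    'play_text'     => "'-alert(3)-'",
];

// Subscriber, no nonce: the option set is returned untouched.
$unchanged = ps_handle_save($malicious_post, $defaults, false, false);

// Administrator with a valid nonce: validated before storage, escaped on output.
$clean = ps_handle_save($malicious_post, $defaults, true, true);
echo '<input type="text" name="delay" value="' . ps_attr((string) $clean['delay']) . '" />' . PHP_EOL;
echo '.photospace{ width:' . ps_css_px((int) $clean['gallery_width']) . '; }' . PHP_EOL;
echo 'playLinkText: ' . ps_js_string($clean['play_text']) . ',' . PHP_EOL;
```

Run it with the php CLI: the delay and gallery_width payloads fail integer validation and the previous values survive, num_thumb becomes 12, and play_text is emitted as a JSON string whose apostrophes are hex-escaped. For the CSS sink, validating the value as an integer at save time is the real fix; an HTML escaper applied at output would only stop the </style> breakout, not the injection of arbitrary CSS.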
Related news
The Chained Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dn' parameter on the 'chainedquiz_list' page in versions up to, and including, 1.3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The Simple:Press plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sforum_[md5 hash of the WordPress URL]' cookie value in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This would be highly complex to exploit as it would require the attacker to set a cookie for the targeted user.
The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the ‘email’ or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible. This makes it possible for unauthenticated attackers to inject iFrames when submitting a booking that will execute whenever a user accesses the injected booking details page.
The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during a forum response in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when responding to forum threads that will execute whenever a user accesses an injected page.
The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during the profile-save action when modifying a profile signature in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to inject arbitrary web scripts in pages when modifying a profile signature that will execute whenever a user accesses an injected page.
The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of an insufficiently strong hashing algorithm on the CAPTCHA secret, which is also displayed to the user via a cookie.
The Quiz and Survey Master plugin for WordPress is vulnerable to iFrame Injection via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input sanitization and output escaping that allowed iframe tags to be injected. This makes it possible for unauthenticated attackers to inject iFrames in pages that will execute whenever a user accesses an injected page.
The Quiz and Survey Master plugin for WordPress is vulnerable to input validation bypass via the 'question[id]' parameter in versions up to, and including, 8.0.4 due to insufficient input validation that allows attackers to inject content other than the specified value (i.e. a number, file path, etc.). This makes it possible for attackers to submit values other than the intended input type.
The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is unlikely to work in modern browsers.
The Theme and plugin translation for Polylang plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.
The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc.