
CVE-2022-2443: freemind-wp-browser.php in freemind-wp-browser/trunk – WordPress Plugin Repository

The FreeMind WP Browser plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.2. This is due to missing nonce protection on the FreemindOptions() function found in the ~/freemind-wp-browser.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link.


```php
<?php

/*
Plugin Name: Freemind WP Browser
Version: 1.2
Plugin URI: http://lakm.us/logit/
Description: Embed `*.mm` Freemind mind-map Flash Browser to a WordPress blog by `[freemind file="path-to-some-file.mm" /]`. This has been a modification of Joshua Eldridge' Flash Video Player. Powered by `visorFreemind.swf` from Flash Browser and `SWFObject` by Geoff Stearns.
Author: Arif Kusbandono
Author URI: http://lakm.us

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

*/

$videoid = 0;
$site_url = get_option('siteurl');

function FreemindMap_Parse($content) {
    $content = preg_replace_callback("/\[freemind ([^]]*)\/\]/i", "FreemindMap_Render", $content);
    return $content;
}

function FreemindMap_Render($matches) {
    global $videoid, $site_url;
    $output = '';
    $rss_output = '';
    $matches[1] = str_replace(array('”','″'), '', $matches[1]);
    preg_match_all('/([.\w]*)=(.*?) /i', $matches[1], $attributes);
    $arguments = array();

    foreach ( (array) $attributes[1] as $key => $value ) {
        // Strip out legacy quotes
        $arguments[$value] = str_replace('"', '', $attributes[2][$key]);
    }

    if ( !array_key_exists('filename', $arguments) && !array_key_exists('file', $arguments) ) {
        return '<div style="background-color:#ff9;padding:10px;"><p>Error: Required parameter "file" is missing!</p></div>';
        exit;
    }

    //Deprecate filename in favor of file.
    if(array_key_exists('filename', $arguments)) {
        $arguments['file'] = $arguments['filename'];
    }

    $options = get_option('FreemindSettings');

    if(strpos($arguments['file'], 'http://') !== false || isset($arguments['streamer']) || strpos($arguments['file'], 'https://') !== false) {
        // This is a remote file, so leave it alone but clean it up a little
        $arguments['file'] = str_replace('&','&',$arguments['file']);
    } else {
        $arguments['file'] = $site_url . '/' . $arguments['file'];
    }
    $output .= "\n" . '<span id="video' . $videoid . '" class="flashvideo">' . "\n";
    $output .= '<a href="http://www.macromedia.com/go/getflashplayer">Get the Flash Player</a> to see this player.</span>' . "\n";
    $output .= '<script type="text/javascript">' . "\n";
    // The stored width and height are written into the script block as saved.
    $output .= 'var s' . $videoid . ' = new SWFObject("' . $site_url . '/wp-content/plugins/freemind-wp-browser/mediaplayer/visorFreemind.swf' . '","n' . $videoid . '","' . $options['width'] . '","' . $options['height'] . '","6");' . "\n";

    $output .= 's' . $videoid . '.addParam("quality", "high");' . "\n";
    $output .= 's' . $videoid . '.addParam("bgcolor", "#a0a0f0");' . "\n";
    $output .= 's' . $videoid . '.addVariable("CSSFile", "' . $site_url . '/wp-content/plugins/freemind-wp-browser/mediaplayer/flashfreemind.css' . '");' . "\n";
    $output .= 's' . $videoid . '.addVariable("openUrl", "_blank");' . "\n";
    $output .= 's' . $videoid . '.addVariable("startCollapsedToLevel","3");' . "\n";
    $output .= 's' . $videoid . '.addVariable("maxNodeWidth","200");' . "\n";
    $output .= 's' . $videoid . '.addVariable("mainNodeShape","elipse");' . "\n";
    $output .= 's' . $videoid . '.addVariable("justMap","false");' . "\n";
    $output .= 's' . $videoid . '.addVariable("initLoadFile","' . $arguments['file'] . '");' . "\n";
    $output .= 's' . $videoid . '.addVariable("defaultToolTipWordWrap",200);' . "\n";
    $output .= 's' . $videoid . '.addVariable("offsetX","left");' . "\n";
    $output .= 's' . $videoid . '.addVariable("offsetY","top");' . "\n";
    $output .= 's' . $videoid . '.addVariable("buttonsPos","top");' . "\n";
    $output .= 's' . $videoid . '.addVariable("min_alpha_buttons",20);' . "\n";
    $output .= 's' . $videoid . '.addVariable("max_alpha_buttons",100);' . "\n";
    $output .= 's' . $videoid . '.addVariable("scaleTooltips","false");' . "\n";


    $output .= 's' . $videoid . '.write("video' . $videoid . '");' . "\n";
    $output .= '</script>' . "\n";

    $videoid++;
    if(is_feed()) {
        return $rss_output;
    } else {
        return $output;
    }
}

function FreemindAddPage() {
    add_options_page('Freemind Options', 'Freemind', '8', 'freemind-wp-browser.php', 'FreemindOptions');
}

function FreemindOptions() {
    global $site_url;
    $message = '';
    $options = get_option('FreemindSettings');
    // CVE-2022-2443: the POST is processed without any nonce verification,
    // and width/height are stored and echoed back exactly as submitted.
    if ($_POST) {
        if (isset($_POST['width'])) {
            $options['width'] = $_POST['width'];
        }
        if (isset($_POST['height'])) {
            $options['height'] = $_POST['height'];
        }

        update_option('FreemindSettings', $options);
        $message = '<div class="updated"><p>' . $options['width'] . 'x' . $options['height'] .'<strong>  Options saved.</strong></p></div>';
    }
    echo '<div class="wrap">';
    echo '<h2>Freemind Options</h2>';
    echo $message;
    echo '<form method="post" action="options-general.php?page=freemind-wp-browser.php">';
    echo "<p>Welcome to the Freemind WP Browser plugin options menu! Here you can set all width-height variables for your website.</p>";
    echo '<h3>Width-Height</h3>' . "\n";
    echo '<table class="form-table">' . "\n";
    echo '<tr><th scope="row">width</th><td>' . "\n";
    echo '<input type="text" name="width" value="' . $options['width'] . '" />';
    echo '</td></tr>' . "\n";
    echo '<tr><th scope="row">height</th><td>' . "\n";
    echo '<input type="text" name="height" value="' . $options['height'] . '" />';
    echo '</td></tr>' . "\n";
    echo '</table>' . "\n";

    echo '<p class="submit"><input class="button-primary" type="submit" method="post" value="Update Options"></p>';
    echo '</form>';


    echo '</div>';
}

function FreemindLoadDefaults() {
    $freemind_preset = array();
    $freemind_preset['width'] = '800';
    $freemind_preset['height'] = '400';
    return $freemind_preset;
}
function FreemindMap_head() {
    global $site_url;
    echo '<script type="text/javascript" src="' . $site_url . '/wp-content/plugins/freemind-wp-browser/swfobject.js"></script>' . "\n";
}


function Freemind_activate() {
    update_option('FreemindSettings', FreemindLoadDefaults());
}

register_activation_hook(__FILE__,'Freemind_activate');

function Freemind_deactivate() {
    delete_option('FreemindSettings');
}

register_deactivation_hook(__FILE__,'Freemind_deactivate');

add_action('wp_head', 'FreemindMap_head');

// CONTENT FILTER
add_filter('the_content', 'FreemindMap_Parse');

add_action('admin_menu', 'FreemindAddPage');

?>
```
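As an added example (not the plugin's code and not an official patch), this is how the `FreemindOptions()` handler above could verify a nonce and a capability before saving, and validate and escape `width` and `height`. It assumes it runs inside the WordPress admin; the function name `FreemindOptionsHardened` and the nonce names `freemind_save_options` and `freemind_nonce` are made up for illustration.

```php
<?php
// Added example, not the plugin's code. Assumed names: FreemindOptionsHardened,
// freemind_save_options (nonce action), freemind_nonce (nonce field).
function FreemindOptionsHardened() {
    // Only users who may manage site options can view or change the settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to access this page.' );
    }

    $message  = '';
    $defaults = array( 'width' => 800, 'height' => 400 ); // same values as FreemindLoadDefaults()
    $options  = wp_parse_args( (array) get_option( 'FreemindSettings', array() ), $defaults );

    if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // Stops with a 403 unless the request carries a valid nonce for this
        // action, so a forged cross-site POST never reaches update_option().
        check_admin_referer( 'freemind_save_options', 'freemind_nonce' );

        foreach ( array( 'width', 'height' ) as $key ) {
            if ( isset( $_POST[ $key ] ) ) {
                // Dimensions are positive integers; absint() drops any markup.
                $value = absint( wp_unslash( $_POST[ $key ] ) );
                if ( $value > 0 ) {
                    $options[ $key ] = $value;
                }
            }
        }
        update_option( 'FreemindSettings', $options );
        $message = '<div class="updated"><p>'
            . esc_html( $options['width'] . 'x' . $options['height'] )
            . ' <strong>Options saved.</strong></p></div>';
    }

    echo '<div class="wrap"><h2>Freemind Options</h2>' . $message;
    echo '<form method="post" action="options-general.php?page=freemind-wp-browser.php">';
    // Adds the hidden nonce field that check_admin_referer() verifies on submit.
    wp_nonce_field( 'freemind_save_options', 'freemind_nonce' );
    foreach ( array( 'width', 'height' ) as $key ) {
        // esc_attr() keeps a previously stored hostile value inside the attribute.
        echo '<p><label>' . esc_html( $key ) . ' <input type="text" name="'
            . esc_attr( $key ) . '" value="' . esc_attr( $options[ $key ] ) . '" /></label></p>';
    }
    echo '<p class="submit"><input class="button-primary" type="submit" value="Update Options" /></p>';
    echo '</form></div>';
}
```

The shortcode renderer still prints the stored `width` and `height` into a script block, so values saved before such a change should be re-validated there as well.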

Related news

CVE-2022-2937: Vulnerability Advisories - Wordfence

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2541: Vulnerability Advisories - Wordfence

The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-3026: Vulnerability Advisories - Wordfence

The WP Users Exporter plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.2 via the 'Export Users' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into profile information like First Names that will embed into the exported CSV file triggered by an administrator and can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

CVE-2022-2233: Vulnerability Advisories - Wordfence

The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the pabc_admin_slides_postback() function found in the ~/admin/admin.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link.

CVE-2022-2518: Vulnerability Advisories - Wordfence

The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2434: Vulnerability Advisories - Wordfence

The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CVE-2022-2433: Vulnerability Advisories - Wordfence

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including 5.5.3. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CVE-2022-2430: Vulnerability Advisories - Wordfence

The Visual Composer Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Text Block' feature in versions up to, and including, 45.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the visual composer editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2935: Vulnerability Advisories - Wordfence

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Media Image URL value that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2516: Vulnerability Advisories - Wordfence

The Visual Composer Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post/page 'Title' value in versions up to, and including, 45.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the visual composer editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2540: Vulnerability Advisories - Wordfence

The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2517: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Caption - On Hover' value associated with images in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2939: Vulnerability Advisories - Wordfence

The WP Cerber Security plugin for WordPress is vulnerable to security protection bypass in versions up to, and including 9.0, that makes user enumeration possible. This is due to improper validation on the value supplied through the 'author' parameter found in the ~/cerber-load.php file. In vulnerable versions, the plugin only blocks requests if the value supplied is numeric, making it possible for attackers to supply additional non-numeric characters to bypass the protection. The non-numeric characters are stripped and the user requested is displayed. This can be used by unauthenticated attackers to gather information about users that can be targeted in further attacks.

CVE-2022-2695: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' parameter added to images via the media uploader in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor and the ability to upload media files to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2936: Vulnerability Advisories - Wordfence

The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Video Link values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2934: Vulnerability Advisories - Wordfence

The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image URL' value found in the Media block in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-2542: Vulnerability Advisories - Wordfence

The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-0210: Vulnerability Advisories - Wordfence

The Random Banner WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the category parameter found in the ~/include/models/model.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

CVE-2021-42367: Vulnerability Advisories - Wordfence

The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability.

CVE-2021-42362: Vulnerability Advisories - Wordfence

The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.

CVE-2021-39348: Vulnerability Advisories - Wordfence

The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is separate from CVE-2021-24702.

CVE-2021-39327: Vulnerability Advisories - Wordfence

The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.

CVE-2021-34626: Vulnerability Advisories - Wordfence

A vulnerability in the deleteCustomType function of the WP Upload Restriction WordPress plugin allows low-level authenticated users to delete custom extensions added by administrators. This issue affects versions 2.2.3 and prior.
