CVE-2023-5618: Changeset 2980695 for modern-footnotes – WordPress Plugin Repository
The Modern Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s shortcode in versions up to, and including, 1.4.16 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
modern-footnotes/trunk/modern-footnotes.php
r2879914
r2980695
5
5
Text Domain: modern-footnotes
6
6
Description: Add inline footnotes to your post via the footnote icon on the toolbar for editing posts and pages. Or, use the [mfn] or [modern_footnote] shortcodes [mfn]like this[/mfn].
7
Version: 1.4.16
7
Version: 1.4.17
8
8
Author: Prism Tech Studios
9
9
Author URI: http://prismtechstudios.com/
…
…
15
15
defined( ‘ABSPATH’ ) or die( ‘No script kiddies please!’ );
16
16
17
$modern_footnotes_version = '1.4.16’;
17
$modern_footnotes_version = '1.4.17’;
18
18
19
19
$modern_footnotes_options = get_option(‘modern_footnotes_settings’);
…
…
140
140
// If additional space-seperated classes are provided to an individual footnote using [mfn class="some-class"], they are added to the footnote
141
141
if (isset($atts[‘class’])) {
142
$additional\_classes .= $atts\['class'\].' ';
142
$additional\_classes .= esc\_attr($atts\['class'\]).' ';
143
143
}
144
144
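Review bot: esc_attr() on line 142 stops a quote in the value from breaking out of class="...", but it still lets any text through as class tokens. Since the comment on line 140 describes the value as space-separated classes, consider splitting it on whitespace and passing each token through sanitize_html_class() before appending, so only valid class names reach the markup.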
…
…
166
166
if (isset($atts\['referencenumber'\])) {
167
167
$display\_number = $atts\['referencenumber'\];
168
$additional\_attributes = 'refnum="' . $display\_number . '"';
168
$additional\_attributes = 'refnum="' . esc\_attr($display\_number) . '"';
169
169
} else if (!isset($modern\_footnotes\_all\_posts\_data\[$scope\_id\]) || count($modern\_footnotes\_all\_posts\_data\[$scope\_id\]\['used\_reference\_numbers'\]) == 0) {
170
170
$display\_number = 1;
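Review bot: Line 167 still assigns $atts['referencenumber'] to $display_number unvalidated, and the escaping is added only where the refnum attribute is built on line 168, so the variable stays untrusted for every later use. Constraining the value once at assignment, for example to the characters a reference number can legitimately contain, would make the later output sites safe by default, with the per-sink escaping kept as a second layer.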
…
…
199
199
200
200
//create a unique ID to use in HTML
201
$content_id = "mfn-content-" . $scope_id . '-' . preg_replace('/[^a-zA-Z0-9-_]/i’, '’, $display_number);
201
$content_id = "mfn-content-" . $scope_id . '-' . preg_replace('/[^a-zA-Z0-9-_]/i’, '’, esc_attr($display_number));
202
202
203
203
if (isset($atts[‘for_rss_feed’]) && $atts[‘for_rss_feed’]) {
204
$content = '<sup class="modern-footnotes-footnote ' . $additional\_classes . '">' . $display\_number . '</sup>'; // only display the superscript for RSS feeds
204
$content = '<sup class="modern-footnotes-footnote ' . $additional\_classes . '">' . esc\_html($display\_number) . '</sup>'; // only display the superscript for RSS feeds
205
205
} else {
206
$content = '<sup class="modern-footnotes-footnote ' . $additional\_classes . '" data-mfn="' . str\_replace('"',"\\\\\\"", $display\_number) . '" data-mfn-post-scope="' . $scope\_id . '">' .
206
$content = '<sup class="modern-footnotes-footnote ' . $additional\_classes . '" data-mfn="' . str\_replace('"',"\\\\\\"", esc\_attr($display\_number)) . '" data-mfn-post-scope="' . $scope\_id . '">' .
207
207
'<a href="javascript:void(0)" ' . $additional\_attributes . ' role="button" aria-pressed="false" aria-describedby="' . $content\_id . '">' . $display\_number . '</a>' .
208
208
'</sup>' .
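Review bot: The unchanged line 207 still concatenates $display_number into the link text ('>' . $display_number . '</a>') without escaping, so in the non-RSS branch the value taken from the referencenumber attribute reaches HTML body context raw, even though the RSS branch on line 204 now uses esc_html(). Wrap it in esc_html() there as well. Two smaller points: on line 206 the str_replace('"', ...) around esc_attr($display_number) can no longer match, since esc_attr() already encodes double quotes, and can be dropped. On line 201 esc_attr() runs before the preg_replace() whitelist, so entity names such as quot or amp end up in the id; the whitelist alone is sufficient there.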
modern-footnotes/trunk/readme.txt
r2889657
r2980695
3
3
Tags: footnotes, citations, inline footnotes, inline citations, mobile-friendly citations, mobile-friendly footnotes
4
4
Requires at least: 4.6
5
Tested up to: 6.2
6
Stable tag: 1.4.16
5
Tested up to: 6.3.2
6
Stable tag: 1.4.17
7
7
License: GNU General Public License v2
8
8
License URI: https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html
…
…
84
84
== Changelog ==
85
85
86
= 1.4.17 =
87
* Security fix for XSS issue. Thanks to cleantalk and Dmitrii Ignatyev for identifying the issue.
88
86
89
= 1.4.16 =
87
90
* Security fix for XSS issue. Thanks to Rio Darmawan for identifying the issue.