Headline
CVE-2023-1602: Changeset 2931815 for shorten-url/trunk/shorten-url.php – WordPress Plugin Repository
The Short URL plugin for WordPress is vulnerable to stored Cross-Site Scripting via the ‘comment’ parameter due to insufficient input sanitization and output escaping in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages; the injected scripts execute whenever a user accesses an affected page.
shorten-url/trunk/shorten-url.php
r2654759
r2931815
15
15
\* Plugin URI: https://wordpress.org/plugins/shorten-url/
16
16
\* Description: Short URL helps you beautify, manage, share & cloak any links on or off of your WordPress website. Create links that look how you want using your own domain name!
17
\* Version: 1.6.4
17
\* Version: 1.6.5
18
18
\* Author: KaizenCoders
19
19
\* Author URI: https://kaizencoders.com/
20
\* Tested up to: 5.8.3
20
\* Tested up to: 6.2.2
21
21
\* License: GPL-3.0+
22
22
\* License URI: http://www.gnu.org/licenses
…
…
459
459
460
460
if (isset($\_POST\['add'\])) {
461
$url\_ext = str\_replace("'", "", $\_POST\['url\_externe'\]) ;
462
$comment = str\_replace("'", "", $\_POST\['comment'\]) ;
461
$url\_ext = sanitize\_text\_field(str\_replace("'", "", $\_POST\['url\_externe'\])) ;
462
$comment = sanitize\_text\_field(str\_replace("'", "", $\_POST\['comment'\])) ;
463
463
if (!preg\_match("/^http/i", $url\_ext)) {
464
464
$url\_ext = "http://".$url\_ext ;
…
…
694
694
$idLink = $\_POST\['idLink'\];
695
695
// Empty the database for the given idLink
696
$q = "DELETE FROM {$table\_name} WHERE id\_post=".$idLink ;
696
$q = $wpdb->prepare("DELETE FROM {$table\_name} WHERE id\_post=%d", $idLink);
697
697
$wpdb->query( $q ) ;
698
698
// Create a new entry
…
…
1261
1261
}
1262
1262
1263
if ( ! defined( 'KC\_SU\_MIN\_PHP\_VER' ) ) {
1264
define( 'KC\_SU\_MIN\_PHP\_VER', '5.6' );
1265
}
1266
1267
if ( ! defined( 'KC\_SU\_MAX\_PHP\_VER' ) ) {
1268
define( 'KC\_SU\_MAX\_PHP\_VER', '7.4.22' );
1269
}
1270
1271
if ( ! function\_exists( 'kc\_su\_fail\_php\_version\_notice' ) ) {
1272
/\*\*
1273
\* Shorten URL admin notice for minimum & maximum PHP version.
1274
\*
1275
\* Warning when the site doesn't have the minimum required PHP version.
1276
\*
1277
\* @return void
1278
\* @since 1.6.5
1279
\*
1280
\*/
1281
function kc\_su\_fail\_php\_version\_notice() {
1282
/\* translators: %s: PHP version \*/
1283
$message = sprintf( esc\_html\_\_( 'Shorten URL requires PHP version between %s & %s, plugin is currently NOT RUNNING.', 'shorten-url' ), KC\_SU\_MIN\_PHP\_VER, KC\_SU\_MAX\_PHP\_VER);
1284
$html\_message = sprintf( '<div class="error">%s</div>', wpautop( $message ) );
1285
echo wp\_kses\_post( $html\_message );
1286
}
1287
}
1288
1289
if ( ! function\_exists( 'kc\_su\_migrate\_to\_url\_shortify' ) ) {
1290
/\*\*
1291
\* Shorten URL admin notice for minimum & maximum PHP version.
1292
\*
1293
\* Warning when the site doesn't have the minimum required PHP version.
1294
\*
1295
\* @return void
1296
\* @since 1.6.5
1297
\*
1298
\*/
1299
function kc\_su\_migrate\_to\_url\_shortify() {
1300
/\* translators: %s: PHP version \*/
1301
$message = sprintf( \_\_('We are retiring Shorten URL plugin and will continue to develop <a href="%s" target="\_blank">URL Shortify</a>. We will provide help to migrate to URL Shortify. <a href="mailto:[email protected]">Contact us</a> for migration.','shorten-url'), 'https://wordpress.org/plugins/url-shortify/');
1302
$html\_message = sprintf( '<div class="notice notice-info">%s</div>', wpautop( $message ) );
1303
echo wp\_kses\_post( $html\_message );
1304
}
1305
}
1306
1307
add\_action( 'admin\_notices', 'kc\_su\_migrate\_to\_url\_shortify' );
1308
1309
if ( ! version\_compare( PHP\_VERSION, KC\_SU\_MIN\_PHP\_VER, '>=' ) || ! version\_compare( PHP\_VERSION, KC\_SU\_MAX\_PHP\_VER, '<=' )) {
1310
add\_action( 'admin\_notices', 'kc\_su\_fail\_php\_version\_notice' );
1311
1312
return;
1313
}
1314
1315
1316
1263
1317
$shorturl = shorturl::getInstance();
1264
1318