Headline
CVE-2023-5127: wp-font-awesome.php in wp-font-awesome/trunk – WordPress Plugin Repository
The WP Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping on ‘icon’ user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
1<?php2 /*3 Plugin Name: WP Font Awesome4 Plugin URI: https://wordpress.org/plugins/wp-font-awesome/5 Description: This plugin allows the easily embed Font Awesome to your site.6 Version: 1.7.97 Author: Zayed Baloch8 Author URI: https://www.zayedbaloch.com/9 License: GPL210 */1112defined(‘ABSPATH’) or die(“No script kiddies please!”);13define( 'ZB_FAWE_VERSION’, ‘1.7.9’ );14define( 'ZB_FAWE_URL’, plugins_url( '’, __FILE__ ) );15define( 'ZB_FAWE_TEXTDOMAIN’, ‘zb_font_awesome’ );1617function zb_wp_font_awesome() {18 load_plugin_textdomain( ZB_FAWE_TEXTDOMAIN );19}20add_action( 'init’, ‘zb_wp_font_awesome’ );21222324function wp_font_awesome_style() {2526 wp_register_style('fontawesome-css-6’, ZB_FAWE_URL . '/font-awesome/css/fontawesome-all.min.css’, array(), ZB_FAWE_VERSION);27 wp_enqueue_style(‘fontawesome-css-6’);2829 wp_register_style('fontawesome-css-4’, ZB_FAWE_URL . '/font-awesome/css/v4-shims.min.css’, array(), ZB_FAWE_VERSION);30 wp_enqueue_style(‘fontawesome-css-4’);31 32}33add_action('wp_enqueue_scripts’, ‘wp_font_awesome_style’);3435function wp_font_awesome_style_admin() {36 // TODO: Only Load on Edit Page37 wp_enqueue_style(‘wp-font-awesome-script-admin’, ZB_FAWE_URL.’/style.css’);38}3940add_action('admin_enqueue_scripts’, ‘wp_font_awesome_style_admin’);4142/*function wp_font_awesome_admin_script() {43 wp_enqueue_script( 'wp-font-awesome-script’, ZB_FAWE_URL . '/script.js’, array( ‘jquery’ ), ZB_FAWE_VERSION, true );44}45add_action( 'admin_enqueue_scripts’, ‘wp_font_awesome_admin_script’ );*/4647function wp_fa_shortcode( $atts ) {48 extract( shortcode_atts( array( ‘icon’ => 'home’, ‘size’ => '’, ‘color’ => '’, ‘sup’ => ‘’), $atts ) );49 if ( $size ) { $size = esc_attr(' fa-'.$size); } else{ $size = '’; }50 if ( $color ) { $color = ' style="color: '.esc_attr($color) ; } else{ $color = esc_attr(‘’); }5152 if ( strtolower($sup) === ‘yes’ ) {53 return '<sup><i class="fa fa-'.str_replace('fa-',’’,$icon). $size. '"’.$color .’"></i></sup>’;54 } else{55 return '<i class="fa fa-'.str_replace('fa-',’’,$icon). $size. '"’.$color .’"></i>’;56 }57}5859function wp_fa5s_shortcode( $atts ) {60 extract( shortcode_atts( array( ‘icon’ => 'home’, ‘size’ => '’, ‘color’ => '’, ‘sup’ => ‘’ ), $atts ) );61 if ( $size ) { $size = esc_attr(' fa-'.$size); }62 else{ $size = '’; }6364 if ( $color ) { $color = ' style="color: '.esc_attr($color) ; }65 else{ $color = '’; }6667 if ( strtolower($sup) === ‘yes’ ) {68 return '<sup><i class="fas fa-'.str_replace('fa-',’’,$icon). $size. '"’.$color .’"></i></sup>’;69 } else{70 return '<i class="fas fa-'.str_replace('fa-',’’,$icon). $size. '"’.$color .’"></i>’;71 }72}7374function wp_fa5r_shortcode( $atts ) {75 extract( shortcode_atts( array( ‘icon’ => 'home’, ‘size’ => '’, ‘color’ => '’, ‘sup’ => ‘’ ), $atts ) );76 if ( $size ) { $size = esc_attr(' fa-'.$size); }77 else{ $size = '’; }7879 if ( $color ) { $color = ' style="color: '.esc_attr($color) ; }80 else{ $color = '’; }8182 if ( strtolower($sup) === ‘yes’ ) {83 return '<sup><i class="far fa-'.str_replace('fa-',’’,$icon). $size. '"’.$color .’"></i></sup>’;84 } else{85 return '<i class="far fa-'.str_replace('fa-',’’,$icon). $size. '"’.$color .’"></i>’;86 }8788}8990function wp_fa5b_shortcode( $atts ) {91 extract( shortcode_atts( array( ‘icon’ => 'home’, ‘size’ => '’, ‘color’ => '’, ‘sup’ => ‘’ ), $atts ) );92 if ( $size ) { $size = esc_attr(' fa-'.$size); }93 else{ $size = '’; }9495 if ( $color ) { $color = ' style="color: '.esc_attr($color) ; }96 else{ $color = '’; }9798 if ( strtolower($sup) === ‘yes’ ) {99 return '<sup><i class="fab fa-'.str_replace('fa-',’’,$icon). $size. '"’.$color .’"></i></sup>’;100 } else{101 return '<i class="fab fa-'.str_replace('fa-',’’,$icon). $size. '"’.$color .’"></i>’;102 }103104}105106add_shortcode( 'wpfa’, ‘wp_fa_shortcode’ );107add_shortcode( 'wpfa5s’, ‘wp_fa5s_shortcode’ );108add_shortcode( 'wpfa5r’, ‘wp_fa5r_shortcode’ );109add_shortcode( 'wpfa5b’, ‘wp_fa5b_shortcode’ );110111add_filter('wp_nav_menu_items’, ‘do_shortcode’);112add_filter('widget_text’, ‘do_shortcode’);113add_filter('widget_title’, ‘do_shortcode’);114115function wpfa_add_shortcode_to_title( $title ){116 return do_shortcode($title);117}118add_filter( 'the_title’, ‘wpfa_add_shortcode_to_title’ );119120121function wpfontawesome_register_setting_page() {122 add_options_page('WP Font Awesome’, 'WP Font Awesome’, 'manage_options’, 'wpFontAwesome’, ‘wpfontawesome_setting_page’);123}124add_action('admin_menu’, ‘wpfontawesome_register_setting_page’);125126function wpfontawesome_setting_page(){127?>128129 <h2>WP Font Awesome <span style="font-size:50%;font-weight: normal;">Version: 1.7</span></h2>130 <p>This plugin allows you to easily embed Font Awesome icon to your site with simple shortcodes.</p>131132 <h2>Shortcodes</h2>133<p>Introduced three new shortcode for Font Awesome support.</p>134135<strong>Font Awesome 5</strong>136<p><code>[wpfa5s icon="home" size="3x" color"#336699"]</code> for Solid style.</p>137<p><code>[wpfa5r icon="user" color="red"]</code> for Regular style. <em>support only in few icon</em>.</p>138<p><code>[wpfa5b icon="wordpress" size="5x" color="#3B5998"]</code> for Brands.</p>139<br/>140<strong>Font Awesome 4.7</strong>141<p><code>[wpfa icon="gear" color="green"]</code>.</p>142143<br/>144<h2>Size</h2>145<p><code>xs</code>, <code>sm</code>, <code>lg</code>, <code>2x</code>, <code>3x</code>, <code>5x</code>, <code>7x</code>, <code>10x</code></p>146147<br/><hr/>148<p><strong>Note</strong>: The <code>fa</code> prefix has been deprecated in version 5. The new default is the <code>fas</code> solid style <code>far</code> regular style and the <code>fab</code> style for brands.</p>149150<em>WP Font Awesome plugin still support Font Awesome version 4</em>151152<?php153}154155// Add custom action links156add_filter( ‘plugin_action_links_’ . plugin_basename( __FILE__ ), ‘wpfontawesome_zb_action_link’ );157158function wpfontawesome_zb_action_link( $links ) {159 $plugin_links = array(160 ‘<a href="’ . admin_url( ‘options-general.php?page=wpFontAwesome’ ) . ‘">’ . __( 'Help’, ZB_FAWE_TEXTDOMAIN ) . '</a>’,161 );162 return array_merge( $plugin_links, $links );163}164165166function wp_font_awesome_add_mce_button() {167 // check user permissions168 if ( !current_user_can( ‘edit_posts’ ) && !current_user_can( ‘edit_pages’ ) ) {169 return;170 }171 // check if WYSIWYG is enabled172 if ( ‘true’ == get_user_option( ‘rich_editing’ ) ) {173 add_filter( 'mce_external_plugins’, ‘wp_font_awesome_add_tinymce_plugin’ );174 add_filter( 'mce_buttons’, ‘wp_font_awesome_register_mce_button’ );175 }176}177add_action('admin_head’, ‘wp_font_awesome_add_mce_button’);178179// register new button in the editor180function wp_font_awesome_register_mce_button( $buttons ) {181 array_push( $buttons, ‘shortcode_wp_font_awesome_insert’ );182 return $buttons;183}184185186// declare a script for the new button187// the script will insert the shortcode on the click event188function wp_font_awesome_add_tinymce_plugin( $plugin_array ) {189 $plugin_array[‘shortcode_wp_font_awesome_insert’] = ZB_FAWE_URL .’/script.js’;190 return $plugin_array;191}