Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

**phpMyFAQ Cross-site Scripting vulnerability**

Critical severity GitHub Reviewed Published Sep 30, 2023 to the GitHub Advisory Database • Updated Oct 2, 2023

GHSA-pp4w-g5p4-85p2: phpMyFAQ Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

**phpMyFaq Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Sep 30, 2023 to the GitHub Advisory Database • Updated Oct 2, 2023

GHSA-5jwv-m8h3-69cg: phpMyFaq Cross-site Scripting vulnerability

GHSA-58v7-58c2-qwm9: phpMyFAQ Cross-site Scripting vulnerability

**phpMyFAQ Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Sep 30, 2023 to the GitHub Advisory Database • Updated Oct 2, 2023

GHSA-j5ww-5xf4-hqm2: phpMyFAQ Cross-site Scripting vulnerability

Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

**phpMyFAQ allows unrestricted file types in image field**

Moderate severity GitHub Reviewed Published Sep 30, 2023 to the GitHub Advisory Database • Updated Oct 2, 2023

GHSA-qcjg-hvg6-hxcp: phpMyFAQ allows unrestricted file types in image field

The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'vivafbcomment' shortcode in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

1<?php2if ( ! defined( 'ABSPATH' ) ) exit;3add\_action('wp\_head', 'vi\_fbopengraph');4add\_action('wp\_footer', 'vi\_fbmlsetting');5add\_filter ('the\_content', 'vi\_commentscode');6add\_filter('language\_attributes', 'vi\_fbcomment\_schema');7add\_shortcode('vivafbcomment', 'vi\_commentshortcode');89global $fboptn;101112function vi\_fbmlsetting() {13        $fboptn \= get\_option('fbcomment');14        15if (!isset($fboptn\['fbml'\])) {$fboptn\['fbml'\] \= "";}16if ($fboptn\['fbml'\] \== 'on') {17        ?>18<div id="fb-root"></div>19<script>(function(d, s, id) {20  var js, fjs = d.getElementsByTagName(s)\[0\];21  if (d.getElementById(id)) return;22  js = d.createElement(s); js.id = id;23  js.src = "//connect.facebook.net/<?php echo $fboptn\['lang'\]; ?>/sdk.js#xfbml=1&appId=<?php echo $fboptn\['appID'\]; ?>&version=v2.0";24  fjs.parentNode.insertBefore(js, fjs);25}(document, 'script', 'facebook-jssdk'));</script>26<?php   }27} 282930function vi\_fbcomment\_schema($attr) {31        $fboptn \= get\_option('fbcomment');32if (!isset($fboptn\['fbns'\])) {$fboptn\['fbns'\] \= "";}33if (!isset($fboptn\['opengraph'\])) {$fboptn\['opengraph'\] \= "";}34        if ($fboptn\['opengraph'\] \== 'on') {$attr .= "\\n xmlns:og=\\"http://opengraphprotocol.org/schema/\\"";}35        if ($fboptn\['fbns'\] \== 'on') {$attr .= "\\n xmlns:fb=\\"http://www.facebook.com/2008/fbml\\"";}36        return $attr;37}3839 40// ----Code for Adding Open Graph meta41 function vi\_fbopengraph() {42        $fboptn \= get\_option('fbcomment'); ?>43<meta property="fb:app\_id" content="<?php echo $fboptn\['appID'\]; ?>"/>44<meta property="fb:admins" content="<?php echo $fboptn\['mods'\]; ?>"/>45<meta property="og:locale" content="<?php echo $fboptn\['lang'\]; ?>" />46<meta property="og:locale:alternate" content="<?php echo $fboptn\['lang'\]; ?>" />47<?php48}4950// ----Code for hideWpComments51$fboptn \= get\_option('fbcomment');5253if (!isset($fboptn\['postshideWpComments'\])) {$fboptn\['postshideWpComments'\] \= "off";}54if (!isset($fboptn\['pageshideWpComments'\])) {$fboptn\['pageshideWpComments'\] \= "off";}5556if ($fboptn\['postshideWpComments'\] \== 'on' ) {57   function vi\_posts\_enqueueHideWpCommentsCss() 58     {59        wp\_register\_style('posts-front-css', plugins\_url('css/fb-comments-hidewpcomments-posts.css',\_\_FILE\_\_));60        wp\_enqueue\_style('posts-front-css');61     }                          62    add\_action('init', 'vi\_posts\_enqueueHideWpCommentsCss');63   }646566if ( $fboptn\['pageshideWpComments'\] \== 'on' ) {6768function vi\_pages\_enqueueHideWpCommentsCss() 69{70   wp\_register\_style('pages-front-css', plugins\_url('css/fb-comments-hidewpcomments-pages.css',\_\_FILE\_\_));71   wp\_enqueue\_style('pages-front-css');72}                               73add\_action('init', 'vi\_pages\_enqueueHideWpCommentsCss');74}757677if (!isset($fboptn\['hideWpComments'\])) {$fboptn\['hideWpComments'\] \= "";}7879        if ($fboptn\['hideWpComments'\] \== "on" ) {80                function vi\_fbComments\_enqueueHideWpCommentsCss() {81                        82         wp\_register\_style('front-css', plugins\_url('css/fb-comments-hidewpcomments.css',\_\_FILE\_\_));83         wp\_enqueue\_style('front-css');84                }85                add\_action('init', 'vi\_fbComments\_enqueueHideWpCommentsCss');86}878889function vi\_commentscode($content) {90$fboptn \= get\_option('fbcomment');91$pages \= $fboptn\['pagesid'\];92$totalpages \= explode(",",$pages);93 $allpage\=get\_all\_page\_ids();9495 $allpage\=array\_diff($allpage,$totalpages);9697if (!isset($fboptn\['html5'\])) {$fboptn\['html5'\] \= "off";}98if (!isset($fboptn\['pluginsite'\])) {$fboptn\['pluginsite'\] \= "off";}99if (!isset($fboptn\['posts'\])) {$fboptn\['posts'\] \= "off";}100if (!isset($fboptn\['pages'\])) {$fboptn\['pages'\] \= "off";}101if (!isset($fboptn\['homepage'\])) {$fboptn\['homepage'\] \= "off";}102if (!isset($fboptn\['count'\])) {$fboptn\['count'\] \= "off";}103if (!isset($fboptn\['countmsg'\])) {$fboptn\['countmsg'\] \= "0";}104        if ((is\_single() && $fboptn\['posts'\] \== 'on') ||105       (is\_page($allpage) && $fboptn\['pages'\] \== 'on') ||106       ((is\_home() || is\_front\_page()) && $fboptn\['homepage'\] \== 'on')) {107if($fboptn\['appID'\] != "") {108                if ($fboptn\['count'\] \== 'on') {109                        110                         $commentcount \= "<p class='commentcount'>";111                         $commentcount .= "<fb:comments-count href=\\"".get\_permalink()."\\"\></fb:comments-count>"." ".$fboptn\['countmsg'\]."</p>";112                         ?>113        114                <?php115                }116                if ($fboptn\['title'\] != '') {117                        118                                $commenttitle \= "<h3 class='coments-title'>";119                        $commenttitle .= $fboptn\['title'\]."</h3>";120                }121                $content .= "".$commenttitle.$commentcount;122123        if ($fboptn\['html5'\] \== 'on') {124                        $content .=     "<div class=\\"fb-comments\\" data-href=\\"".get\_permalink()."\\" data-numposts=\\"".$fboptn\['num'\]."\\" data-width=\\"".$fboptn\['width'\]."\\" data-colorscheme=\\"".$fboptn\['scheme'\]."\\"\></div>";125126    } else {127    128    $content .= "<fb:comments href=\\"".get\_permalink()."\\" num\_posts=\\"".$fboptn\['num'\]."\\" width=\\"".$fboptn\['width'\]."\\" colorscheme=\\"".$fboptn\['scheme'\]."\\"\></fb:comments>";129     }130131    if (!empty($fboptn\['pluginsite'\])) {132        if($fboptn\['pluginsite'\] \== 'on'){133      $content .= '<p class="pluginsite">'.\_\_( 'FB Comments Plugin Powered by', 'facebook-comment-by-vivacity' ). '<a href="https://www.startbitsolutions.com"  target="\_blank" >Startbit IT Solutions Pvt. Ltd.</a></p>';134        }}135    136    }137else {138        $fb\_adminUrl \= get\_admin\_url()."options-general.php?page=fbcomment";139   $content .= '<div class="error" style="color:#FF0000; font-weight:bold;">140            <p>'. \_\_( 'Please Enter Your Facebook App ID. Required for FB Comments.', 'facebook-comment-by-vivacity' ). ' <a href="'.$fb\_adminUrl.'">'. \_\_( 'Click here for FB Comments Settings page', 'facebook-comment-by-vivacity' )141            .'</a></p>142            </div>';143   }144  }145   return $content;146}147148149// -------Add facebook shortcode------150function vi\_commentshortcode($fbsrt) {151    extract(shortcode\_atts(array(152                "fbsrtcode" \=> get\_option('fbcomment'),153                "url" \=> get\_permalink(),154    ), $fbsrt));155    if (!empty($fbsrt)) {156        foreach ($fbsrt as $key \=> $option)157            $fbsrtcode\[$key\] \= $option;158        }159        if($fbsrtcode\['appID'\] != "") {160                if ($fbsrtcode\['count'\] \== 'on') {161                        162                        $commentcount \= "<p class='commentcount'>";163                        $commentcount .= "<fb:comments-count href=".$url."></fb:comments-count> ".$fbsrtcode\['countmsg'\]."</p>";164                }165                if ($fbsrtcode\['title'\] != '') {166                        $commenttitle \= "<h3>";167                        $commenttitle .= $fbcomment\['title'\]."</h3>";168                }169                $contentshortcode \= $commenttitle.$commentcount;170171        if ($fbsrtcode\['html5'\] \== 'on') {172                        $contentshortcode .=    "<div class=\\"fb-comments\\" data-href=\\"".$url."\\" data-num-posts=\\"".$fbsrtcode\['num'\]."\\" data-width=\\"".$fbsrtcode\['width'\]."\\" data-colorscheme=\\"".$fbsrtcode\['scheme'\]."\\"\></div>";173174    } else {175    $contentshortcode .= "<fb:comments href=\\"".$url."\\" num\_posts=\\"".$fbsrtcode\['num'\]."\\" width=\\"".$fbsrtcode\['width'\]."\\" colorscheme=\\"".$fbsrtcode\['scheme'\]."\\"\></fb:comments>";176     }177178        if (!empty($fbsrtcode\['pluginsite'\])) {179                if($fbsrtcode\['pluginsite'\] \== 'on'){180      $contentshortcode .= '<p class="pluginsite">'.\_\_( 'FB Comments Plugin Powered by', 'facebook-comment-by-vivacity' ). '<a href="https://www.startbitsolutions.com"  target="\_blank" >Startbit IT Solutions Pvt. Ltd.</a></p>';181        }}182        183        }184        else {185       $fb\_adminUrl \= get\_admin\_url()."options-general.php?page=fbcomment";186   $contentshortcode .= '<div class="error" style="color:red; font-weight:bold;">187            <p>'. \_\_( 'Please Enter Your Facebook App ID. Required for FB Comments.', 'facebook-comment-by-vivacity' ). ' <a href="'.$fb\_adminUrl.'">'. \_\_( 'Click here for FB Comments Settings page', 'facebook-comment-by-vivacity' )188            .'</a></p>189            </div>';190        }191  return $contentshortcode;192}193?>

CVE-2023-5295: user-file.php in facebook-comment-by-vivacity/tags/1.4 – WordPress Plugin Repository

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the [php] shortcode setting to be enabled on the vulnerable site.

1<?php2/\*\*3 \* Contains shortcode functions4 \*5 \* @since 4.06 \*/78\# Prevent direct access to this file9if ( 1 \== count( get\_included\_files() ) ) {10        header( 'HTTP/1.1 403 Forbidden' );11        return;12}1314class OpenHook\_ShortCodes {15        /\*\*16         \* PHP shortcode to process PHP in posts17         \*18         \* @global object $openhook Main OpenHook class object19         \*/20        public function php( $atts, $content \= null ) {21                global $openhook;2223                \# Prevent access to the shortcode via Ajax24                if ( defined( 'DOING\_AJAX' ) && DOING\_AJAX ) {25                        return;26                }2728                \# Only process this shortcode if the author of the post has the authority29                if ( author\_can( get\_the\_ID(), $openhook\->get\_auth\_level() ) ) {30                        \# Buffer the output of the PHP as we don't want to echo anything here31                        ob\_start();3233                        eval( "?>$content<?php " );34                35                        return ob\_get\_clean();36                } else {37                        return;38                }39        }4041        /\*\*42         \* Obfuscates a given email address to provide additional protection43         \* against email harvesters44         \*/45        public function email( $atts , $content \= null ) {46                return antispambot( $content );47        }4849        /\*\*50         \* Global custom fields, adapted from51         \* http://digwp.com/2009/09/global-custom-fields/52         \*/53        public function globals($atts) {54                \# Get the desired key55                extract( shortcode\_atts( array( 'key' \=> false ), $atts ) );5657                \# Determine the source of our global values58                $options \= get\_option( 'openhook\_shortcodes' );59                $source \= ( isset( $options\[ 'global\_source' \] ) && $options\[ 'global\_source' \] ) ? $options\[ 'global\_source' \] : false;6061                \# Only attempt to pull a global if both a key & source page are set62                if ( (string) $key && $source ) {63                        return get\_post\_meta( $source, $key, true );64                } else {65                        return;66                }67        }6869        /\*\*70         \* \[snap\] - Website snapshot shortcode71         \*72         \* @via https://www.rickbeckman.org/73         \* @inspiredby http://www.geekeries.fr/snippet/creer-automatiquement-miniatures-sites-wordpress/74         \*/75        public function snap( $atts, $content \= null ) {76                \# Default values77                $defaults \= \[78                        'url' \=> 'https://www.example.com/', \# URL to be snapshotted79                        'alt' \=> \_\_( 'Website Snapshot', 'thesis-openhook' ), \# Alt text for snapshot image80                        'w' \=> 400, \# Width of snapshot81                        'h' \=> 300, \# Height of snapshot82                        'class' \=> '', \# CSS class(es), space separated83                \];8485                \# Parse attributes86                $atts \= shortcode\_atts( $defaults, $atts, 'snap' ); \# @filter: shortcode\_atts\_snap8788                \# Sanity checks to ensure proper variables89                $url \= urlencode( wp\_http\_validate\_url( $atts\['url'\] ) ?: $defaults\['url'\] );90                $alt \= esc\_attr( $atts\['alt'\] );91                $w \= absint( $atts\['w'\] ) ?: $defaults\['w'\];92                $h \= absint( $atts\['h'\] ) ?: $defaults\['h'\];93                $class \= ! empty( $atts\['class'\] ) ? esc\_attr( $atts\['class'\] ) . ' website\_snapshot' : 'website\_snapshot';9495                \# Put together our IMG tag to be output, with final data sanitation96                $img \= '<img src="https://s.wordpress.com/mshots/v1/' . $url . '?w=' . $w . '&h=' . $h . '" alt="' . $alt . '" class="' . $class . '">';9798                return $img;99        }100}

CVE-2023-5201: shortcodes.php in thesis-openhook/tags/4.3.1/inc – WordPress Plugin Repository

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

*   Notifications
*   Fork 263

*   Code
*   Issues 22
*   Pull requests 1
*   Discussions
*   Actions
*   Projects 1
*   Security
*   Insights

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

fix: only URLs should be allowed

*   Loading branch information

Showing **2 changed files** with **9 additions** and **2 deletions**.

*   *   ajax.config\_list.php
    *   configuration.php

4 changes: 2 additions & 2 deletions phpmyfaq/admin/ajax.config\_list.php

Expand Up

@@ -86,8 +86,8 @@ function renderInputForm($key, $type)

$type = 'url';

break;

default:

$type = 'text';

break;

$type = 'text';

break;

}

  

printf(

Expand Down

7 changes: 7 additions & 0 deletions phpmyfaq/admin/configuration.php

Expand Up

@@ -58,6 +58,13 @@

unset($editData\['edit'\]\['main.currentVersion'\]); // don't update the version number

}

  

if (

isset($editData\['edit'\]\['main.referenceURL'\]) &&

is\_null(Filter::filterVar($editData\['edit'\]\['main.referenceURL'\], FILTER\_VALIDATE\_URL))

) {

unset($editData\['edit'\]\['main.referenceURL'\]);

}

  

foreach ($editData\['edit'\] as $key => $value) {

// Remove forbidden characters

$newConfigValues\[$key\] = str\_replace($forbiddenValues, '', $value);

Expand Down

**0 comments on commit e923695**

Please sign in to comment.

CVE-2023-5320: fix: only URLs should be allowed · thorsten/phpMyFAQ@e923695

Expand Up

@@ -70,7 +70,7 @@

  

// Collect updated data for database

$updatedData = \[\];

$updatedData\['url'\] = Filter::filterInput(INPUT\_POST, 'url', FILTER\_UNSAFE\_RAW);

$updatedData\['url'\] = Filter::filterInput(INPUT\_POST, 'url', FILTER\_VALIDATE\_URL);

$updatedData\['instance'\] = Filter::filterInput(INPUT\_POST, 'instance', FILTER\_UNSAFE\_RAW);

$updatedData\['comment'\] = Filter::filterInput(INPUT\_POST, 'comment', FILTER\_UNSAFE\_RAW);

  

Expand All

@@ -81,27 +81,36 @@

$moveInstance = true;

}

  

if ($updatedClient\->updateInstance($instanceId, $updatedData)) {

if (is\_null($updatedData\['url'\])) {

printf(

'<p class="alert alert-danger">%s%s<br/>%s</p>',

'<a class="close" data-dismiss="alert" href="#">&times;</a>',

$PMF\_LANG\['ad\_entryins\_fail'\],

$faqConfig\->getDb()->error()

);

} else {

if ($updatedClient\->updateInstance($instanceId, $updatedData)) {

if ($moveInstance) {

try {

$updatedClient\->moveClientFolder($originalData\->url, $updatedData\['url'\]);

$updatedClient\->deleteClientFolder($originalData\->url);

} catch (Exception $e) {

// handle exception

}

try {

$updatedClient\->moveClientFolder($originalData\->url, $updatedData\['url'\]);

$updatedClient\->deleteClientFolder($originalData\->url);

} catch (Exception $e) {

// handle exception

}

}

printf(

'<p class="alert alert-success">%s%s</p>',

'<a class="close" data-dismiss="alert" href="#">&times;</a>',

$PMF\_LANG\['ad\_config\_saved'\]

);

} else {

} else {

printf(

'<p class="alert alert-danger">%s%s<br/>%s</p>',

'<a class="close" data-dismiss="alert" href="#">&times;</a>',

$PMF\_LANG\['ad\_entryins\_fail'\],

$faqConfig\->getDb()->error()

);

}

}

}

?>

Expand Down

CVE-2023-5317: fix: allow only valid URLs for instances · thorsten/phpMyFAQ@ec551bd

Expand Up

@@ -22,6 +22,7 @@

use phpMyFAQ\\Helper\\AdministrationHelper;

use phpMyFAQ\\Helper\\LanguageHelper;

use phpMyFAQ\\Helper\\PermissionHelper;

use phpMyFAQ\\Strings;

use phpMyFAQ\\System;

use phpMyFAQ\\Utils;

  

Expand Down Expand Up

@@ -95,7 +96,7 @@ function renderInputForm($key, $type)

is\_numeric($value) ? 'number' : $type,

$key,

$key,

$value

Strings::htmlentities($value)

);

if ('api.apiClientToken' === $key) {

echo '<div class="input-group-append">';

Expand Down Expand Up

@@ -143,7 +144,7 @@ function renderInputForm($key, $type)

printf(

'<input class="form-control" type="password" autocomplete="off" name="edit\[%s\]" value="%s">',

$key,

$faqConfig\->get($key)

Strings::htmlentities($faqConfig\->get($key))

);

echo "</div>\\n";

break;

Expand Down

Tag

#php