Plugin Directory

Changeset 2944510


Timestamp: 07/28/2023 08:06:30 AM (3 years ago)
Author: tstephenson
Message:

fix(CVE-2022-47606): admin xss issue

Location: wp-cors/trunk
Files: 1 deleted, 2 edited

  • wp-cors/trunk/readme.txt

    r1225425 r2944510  
    44Requires at least: 3.6
    55Tested up to: 4.3
    6 Stable tag: 0.2.1
     6Stable tag: 0.2.2
    77License: GPLv2 or later
    88License URI: http://www.gnu.org/licenses/gpl-2.0.html
     
    1212== Description ==
    1313
    14 AJAX requests to this site from another (those containing an Origin header) will be allowed for any domains listed in the plugin's Settings page.
     14My use case is to allow content authors to write help pages in WordPress.
     15This content is fetched and embedded into a single page application hosted on another domain.
     16
     17AJAX requests to this site from another are typically disallowed by the browser's security model.
     18To permit legitimate uses the requesting browser may include an Origin header containing its domain.
     19This plugin uses the Origin header to decide whether to allow the request or not.
     20Allowed domains can be specified in the plugin's Settings page.
    1521
    1622== Installation ==
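Review bot: the added description paragraph has the Origin mechanism backwards: the browser attaches an Origin header to every cross-origin request on its own, it is not something a requesting page adds "to permit legitimate uses", and what actually unblocks the response is the Access-Control-Allow-Origin header this plugin sends back when the Origin matches a configured domain. Suggest rewording to say that the plugin compares the request's Origin against the allowed list and emits the CORS response headers only on a match; that also tells administrators exactly what listing a domain grants.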
     
    4551== Changelog ==
    4652
     53= 0.2.2 =
     54Tested up to WordPress 4.3
     55Prevent cross-site script injection on Settings page (CVE-2022-47606).
     56Note this vulnerability may only be exploited if the user is already logged in with Admin privilege.
     57
    4758= 0.2.1 =
    4859Tested up to WordPress 4.3
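Review bot: the new 0.2.2 changelog entry repeats "Tested up to WordPress 4.3" and the "Tested up to:" header above is left at 4.3, even though this is a 2023 fix for CVE-2022-47606; if the fix was verified on a current WordPress, bump both so the directory does not flag the release as untested, and if it was not, say so. The entry would also be more useful if it stated what was wrong, namely that the stored cors_domains value was echoed unescaped into the Settings form; the "may only be exploited" note says who can trigger it but not what the fix changed.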
  • wp-cors/trunk/wp-cors.php

    r1225425 r2944510  
    66 *   AJAX calls to integrate your content using the CORS standard.
    77 * Author: Tim Stephenson
    8  * Version: 0.2.1
     8 * Version: 0.2.2
    99 * Author URI: http://knowprocess.com
    1010 * License: GPLv2 or later
     
    1212
    1313  define("CORS_ID", 'wp-cors');
    14   define("CORS_VERSION", "0.2.1");
     14  define("CORS_VERSION", "0.2.2");
    1515  define("CORS_NAME", 'CORS');
    16   define("CORS_DEBUG", false);
     16  define("CORS_DEBUG", true);
    1717  //require_once("includes/shortcodes.php");
    1818
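Review bot: CORS_DEBUG flips from false to true in the same commit that bumps the release version, so a shipped 0.2.2 will write every submitted cors_domains value to the PHP error log on production sites. A debug switch should not ride along in a security fix; suggest restoring `define("CORS_DEBUG", false);` and keeping true only in a local working copy.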
     
    6464        <tr valign="top">
    6565          <th scope="row">Allowed domains</th>
    66           <td><input type="text" name="cors_domains" value="<?php echo get_option('cors_domains'); ?>" /></td>
     66          <td><input type="text" name="cors_domains"
     67                     value="<?php echo esc_attr(get_option('cors_domains')); ?>" /></td>
    6768        </tr>
    6869      </table>
     
    8687
    8788  function cors_change_domains() {
    88     if (!empty($_POST['cors_domains'])) {
    89       //error_log('Request to change subscription WITH expected params: cors_domains: '.$_POST['cors_domains']);
     89    $cors_domains = sanitize_url($_POST['cors_domains']);
     90    if (!empty($cors_domains)) {
     91      if (CORS_DEBUG) error_log('Request to change subscription WITH expected params: cors_domains: '.$cors_domains);
    9092      $user = wp_get_current_user();
    9193
    92       update_option( $user->ID, 'cors_domains', $_POST['cors_domains']);
     94      update_option( $user->ID, 'cors_domains', $cors_domains);
    9395      die();
    9496    } else {
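Review bot: the update_option() call at the bottom of this hunk still has its arguments in the wrong order, so the newly sanitized value never reaches the option the Settings page reads. update_option() takes ($option, $value, $autoload); here $user->ID becomes the option name, the literal string 'cors_domains' the value and $cors_domains the autoload flag, while the form above reads get_option('cors_domains'). Either `update_option('cors_domains', $cors_domains);` or, if per-user storage was intended, `update_user_option($user->ID, 'cors_domains', $cors_domains);` with a matching read. Two further points. First, sanitize_url() is an alias of esc_url_raw(), which treats its input as a single URL: it rewrites spaces, strips characters outside the URL-safe set and prepends http:// when no scheme is present, so it is the wrong sanitizer for the list of domains the readme describes; sanitize_text_field() followed by splitting the list and validating each host individually would fit the data. Second, no nonce or capability check is visible in this hunk; if none precedes it, a check_admin_referer() and a current_user_can('manage_options') guard belong at the top of cors_change_domains(), since a forged or unauthenticated write to the allowed-origin list widens CORS for the whole site.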