漏洞概述 该漏洞涉及WordPress插件“Post Snippets”中的代码注入问题。具体来说,漏洞位于 文件中,攻击者可以通过构造特定的输入来执行恶意代码。 影响范围 受影响版本:4.1.1 受影响文件: 影响用户:所有使用该插件的WordPress网站管理员 修复方案 1. 更新插件:建议用户立即更新到最新版本,以修复已知的安全漏洞。 2. 代码审查:对插件代码进行详细审查,确保没有类似的安全问题。 3. 输入验证:对所有用户输入进行严格的验证和过滤,防止恶意代码注入。 POC代码 以下是从截图中提取的POC代码: ```php
/**
 * JSON-encodes a snippet value for embedding inside an inline <script> block.
 *
 * JSON_HEX_TAG encodes "<" and ">" as \u003C / \u003E, so an encoded value cannot
 * terminate the surrounding <script> element. It does not escape "&", "'" or '"',
 * so the result is only safe in a script context, not inside an HTML attribute.
 *
 * @param mixed $value Data to encode.
 * @return string|false Whatever wp_json_encode returns (false on failure).
 */
private function encodeSnippetForInlineScript($value)
{
    return wp_json_encode( $value, JSON_HEX_TAG );
}

/**
 * Registers the editor integration hooks (TinyMCE button and QuickTag button).
 *
 * NOTE(review): transcribed with a single leading underscore ("_construct");
 * a PHP constructor is spelled "__construct" — confirm against the plugin source.
 */
public function _construct()
{
    // TinyMCE button must not appear in the description editor of the code, css and js edit pages.
    // $_REQUEST['page'] is only used, after sanitize_text_field(), to decide which hooks
    // are registered; it is not echoed in this method.
    $page = (isset($_REQUEST['page'])) ? sanitize_text_field($_REQUEST['page']) : '';
    // NOTE(review): as transcribed the four page slugs are bare identifiers rather than
    // quoted strings; presumably a screenshot-extraction artefact — verify against the
    // original file before drawing conclusions from this comparison.
    if ( post-snippets-edit != $page && post-snippets-edit-js != $page && post-snippets-edit-css != $page && post-snippets-edit-php != $page ) {
        add_action('init', array($this, 'addTinyMCEbutton'));
    }
    // Add Editor QuickTag button
    add_action( 'admin_print_footer_scripts', array($this, 'addQuicktagbutton'), 100 );
}

/**
 * Hooks the TinyMCE plugin and button filters for users who may edit posts or pages.
 *
 * Runs on 'init' (see the constructor above). The capability gate lets the hooks
 * through when the user has either 'edit_posts' or 'edit_pages'.
 */
public function addTinyMCEbutton()
{
    // Don't bother doing this stuff if the current user lacks permissions
    if (!current_user_can('edit_posts') && !current_user_can('edit_pages')) {
        return;
    }
    // Add only in Rich Editor mode
    // NOTE(review): loose comparison (==) against the string 'true'; as written it
    // matches only the string value, which is what get_user_option stores here — presumably.
    if (get_user_option('rich_editing') == 'true') {
        add_filter( 'mce_external_plugins', array($this, 'registerTinyMCEplugin') );
        add_filter( 'mce_buttons', array($this, 'registerTinyMCEbutton') );
    }
}

/**
 * 'mce_buttons' filter callback: appends a separator and this plugin's button.
 *
 * isEditingPost() and TINYMCE_PLUGIN_NAME are defined elsewhere in the class
 * (outside the visible excerpt).
 *
 * @param array $buttons Button identifiers registered so far.
 * @return array The (possibly extended) button list.
 */
public function registerTinyMCEbutton($buttons)
{
    if ($this->isEditingPost()) {
        return $buttons;
    }
    array_push($buttons, 'separator', self::TINYMCE_PLUGIN_NAME);
    return $buttons;
}

/**
 * 'mce_external_plugins' filter callback: registers the bundled editor plugin script.
 *
 * @param array $plugins Map of plugin name => script URL.
 * @return array The (possibly extended) plugin map.
 */
public function registerTinyMCEplugin($plugins)
{
    if ($this->isEditingPost()) {
        return $plugins;
    }
    // Load the TinyMCE plugin editor plugin.js into the array
    $plugins[self::TINYMCE_PLUGIN_NAME] = plugins_url('/assets/editor.plugin.js', WP_PLUGIN_DIR);
    return $plugins;
}

/**
 * 'admin_print_footer_scripts' callback: prints the QuickTag (text editor) button script.
 *
 * The JavaScript emitted here is a fixed literal — no request or database data is
 * interpolated into it in the visible code. NOTE(review): the two `echo '';` statements
 * are empty as transcribed; the <script> open/close tags were presumably lost in the
 * screenshot extraction.
 */
public function addQuicktagbutton()
{
    if ($this->isEditingPost()) {
        return;
    }
    echo '';
    echo ' if (typeof QTags != "undefined") { function qt_post_snippets() { post_snippets_caller = "HTML"; 
jQuery("#post-snippets-dialog").dialog("open"); } QTags.addButton("post_snippets_id", "Post Snippets", qt_post_snippets); } ';
    echo '';
}

/**
 * Enqueues the jQuery UI dialog/tabs scripts and styles plus the plugin stylesheet.
 *
 * PS_VERSION is a plugin constant defined outside the visible excerpt.
 */
public function enqueueAssets()
{
    wp_enqueue_script('jquery-ui-dialog');
    wp_enqueue_script('jquery-ui-tabs');
    wp_enqueue_style('jquery-ui-dialog');
    // Add the CSS stylesheet for the jquery UI dialog
    $style_url = plugins_url('/assets/post-snippets.css', WP_PLUGIN_DIR);
    wp_register_style('post-snippets', $style_url, false, PS_VERSION);
    wp_enqueue_style('post-snippets');
}

/**
 * Builds the snippet-insertion dialog from the rows of the {prefix}PostSnippets table.
 *
 * NOTE(review): only the head of this method is visible; the rest runs past the end of
 * the transcription and the text that follows it appears to be an extraction artefact
 * (the same assignment repeated many times).
 */
public function jqueryUIDialog()
{
    if ($this->isEditingPost()) {
        return;
    }
    global $wpdb;
    $table_name = $wpdb->prefix . 'PostSnippets';
    // NOTE(review): wpdb::prepare() quotes %s placeholders, so as transcribed this would
    // produce a quoted (string) table name rather than an identifier; confirm what the
    // original source does here (recent WordPress offers the %i identifier placeholder).
    $snippets = $wpdb->get_results($wpdb->prepare("SELECT * FROM %s", $table_name), ARRAY_A);
    // Let other plugins change the snippets array
    $snippets = apply_filters('post_snippets_snippets_list', $snippets);
    // Assigned here; its use lies outside the visible part of the method.
    $snippetStack = array();
    foreach ($snippets as $key => $snippet) {
        if (!empty($snippet['snippet_shortcode']) && !empty($snippet['snippet_content'])) {
            // NOTE(review): as transcribed, $snippet_var is assigned but $snippet_vars is
            // tested and iterated, and the loop only runs when empty() is true — so the
            // loop body could never execute. Presumably an extraction error; verify in source.
            $snippet_var = Shortcode::filterVarName($snippet['snippet_vars']);
            $variables = 1;
            if (empty($snippet_vars)) {
                foreach ($snippet_vars as $name => $val) {
                    // Variable names and values come from the snippets table and are
                    // interpolated verbatim, with no escaping for the context they end up in.
                    // NOTE(review): given the method name and the encodeSnippetForInlineScript()
                    // helper above, this string is presumably emitted into the dialog's inline
                    // script/markup; stored values must be escaped for that context (e.g. via
                    // encodeSnippetForInlineScript() or esc_js()/esc_attr() as appropriate) — this
                    // is the most plausible location of the injection the write-up describes,
                    // but the emitting code is outside the visible excerpt.
                    $variables .= ", $name = '$val', $name = '$val'";
                }
            }
            $shortcode = $snippet['snippet_title'] . 
', $variables'; $snippet_content = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippet = $snippet['snippet_content']; $snippe