Will there be a Security Patch?

  • Are there plans to patch this plugin or no? I’d like to know so I can plan accordingly.

    Thanks

    Problem:
    The Add Custom Body Class plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘add_custom_body_class’ value in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Viewing 1 replies (of 1 total)
  • Thread Starter Aaron Kittredge

    (@kittyridge)

    In case this helps, I tried making the following changes to the code:

    In the save_custom_body_class_post_meta_boxes function, I added the $post_id parameter and sanitized the input using sanitize_text_field to prevent XSS.

    In the add_custom_body_class_box function, I used esc_attr to escape the value when displaying it in the input field.

    In the add_custom_field_body_class function, I used esc_attr to escape the custom body class before adding it to the classes array.

    I think these changes should help prevent the stored XSS vulnerability in the plugin, but I’m not 100% sure:

    <?php
/**
 * Plugin Name: Add Custom Body Class
 * Author: Anil Ankola
 * Version: 1.4.1
 * Description: Use this plugin to add a custom class in the HTML body tag.
 * Text Domain: add-custom-body-class
 */
if (!defined('ABSPATH')) exit; // Prevent Direct Browsing

// Add Custom meta box
function add_custom_body_class_post_meta_boxes()
{
    $screens = get_post_types();
    foreach ($screens as $screen) {
        add_meta_box('add_custom_body_class_box', 'Add Custom Body Class', 'add_custom_body_class_box', $screen, 'side', 'default');
    }
}
add_action("admin_init", "add_custom_body_class_post_meta_boxes");

function save_custom_body_class_post_meta_boxes($post_id)
{
    if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {
        return;
    }
    if (get_post_status($post_id) === 'auto-draft') {
        return;
    }
    
    // Sanitize the input
    $custom_body_class = sanitize_text_field($_POST["add_custom_body_class"]);

    update_post_meta($post_id, "add_custom_body_class", $custom_body_class);
}
add_action('save_post', 'save_custom_body_class_post_meta_boxes');

function add_custom_body_class_box($post)
{
    $get_class_value = get_post_custom($post->ID);
    
    // Initialize the value with an empty string
    $add_custom_body_class = '';

    if (isset($get_class_value['add_custom_body_class'][0])) {
        $add_custom_body_class = $get_class_value['add_custom_body_class'][0];
    }
    ?>
    <input type="text" id="add_custom_body_class" name="add_custom_body_class" value="<?php echo esc_attr($add_custom_body_class); ?>">
    <?php
}

// Display body class function
add_filter('body_class', 'add_custom_field_body_class');
function add_custom_field_body_class($classes)
{
    if (function_exists('is_shop') && is_shop()) {
        $post_id = get_option('woocommerce_shop_page_id');
    } elseif (is_home()) {
        $post_id = get_option('page_for_posts');
    } else {
        $post_id = get_the_ID();
    }
    
    // Get the custom body class and escape it
    $show_body_class = get_post_meta($post_id, 'add_custom_body_class', true);
    if ($show_body_class) {
        $classes[] = esc_attr($show_body_class);
    }
    
    // Return the $classes array
    return $classes;
}
Viewing 1 replies (of 1 total)
  • The topic ‘Will there be a Security Patch?’ is closed to new replies.