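# syntax=docker/dockerfile:1
FROM wordpress:6.2-php8.1-apache

# CVE-2016-15041: MainWP Dashboard 3.1.2 - Unauthenticated Stored XSS
# Vulnerable version obtained from WordPress SVN revision r1394563 (April 14, 2016)
# Fix was applied in r1406725 (April 29, 2016) with version 3.1.3
#
# The plugin has been patched for PHP 8.x compatibility:
# - Removed deprecated __autoload() fallback (spl_autoload_register remains)
# - Fixed curly brace array access syntax
#
# The XSS vulnerability (missing esc_attr in view-mainwp-extensions-view.php line 74)
# is NOT affected by these compatibility changes.
#
# The only intentionally vulnerable component is the plugin archive copied in
# below; the rest of the build (package install, tooling download) follows the
# usual hygiene so the lab image itself is not accidentally weaker than needed.

# unzip: extracts the plugin archive. netcat-openbsd: presumably used by the
# custom entrypoint (e.g. to wait for the database) — confirm against the script.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        netcat-openbsd \
        unzip \
    && rm -rf /var/lib/apt/lists/*

# Install WP-CLI.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# `wp` binary; -L follows redirects. The publisher's .sha512 next to the phar is
# checked before installing so a truncated or altered download aborts the build.
# NOTE: the digest comes from the same origin as the phar, so this detects
# corruption/tampering in transit, not a compromised publisher; for a
# supply-chain-grade pin, record the expected digest in this repository and
# compare against that instead.
RUN curl -fsSLO https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar \
    && curl -fsSLO https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar.sha512 \
    && [ "$(sha512sum wp-cli.phar | cut -d' ' -f1)" = "$(cut -d' ' -f1 wp-cli.phar.sha512)" ] \
    && chmod +x wp-cli.phar \
    && mv wp-cli.phar /usr/local/bin/wp \
    && rm wp-cli.phar.sha512

# Copy and extract the vulnerable MainWP plugin. Extraction, move, cleanup and
# ownership fix happen in one layer so the zip and the pre-chown copy of the
# tree never persist in an earlier layer.
COPY mainwp-3.1.2-vulnerable.zip /tmp/
RUN unzip -q /tmp/mainwp-3.1.2-vulnerable.zip -d /tmp/ \
    && mkdir -p /var/www/html/wp-content/plugins \
    && mv /tmp/mainwp-vuln /var/www/html/wp-content/plugins/mainwp \
    && rm /tmp/mainwp-3.1.2-vulnerable.zip \
    && chown -R www-data:www-data /var/www/html/wp-content

# Custom entrypoint; --chmod sets the execute bit at copy time instead of in a
# separate RUN layer. The script should end by exec'ing the upstream
# docker-entrypoint.sh with "$@" so apache2-foreground becomes PID 1 — confirm.
COPY --chmod=0755 docker-entrypoint-custom.sh /usr/local/bin/

# Documentation only: Apache listens on 80 inside the container.
EXPOSE 80

ENTRYPOINT ["docker-entrypoint-custom.sh"]
CMD ["apache2-foreground"]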