Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928912 (2018-07-26 19:05:10)

Warning

Many of these findings are false positives or cannot be exploited in practice. Please confirm a finding with a working proof of concept ("PoC") before reporting anything to the vendor!

Details:

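Sink: Standard::file_get_contents
Risk: _GET
Note: in the excerpt below, $_GET['code'] is concatenated unencoded into the query string of a URL whose scheme and host are fixed (https://oauth.vk.com/access_token). The flagged input therefore reaches file_get_contents() only as part of the query string; it does not control the host or path being fetched. Passing the value through urlencode() before concatenation would confine it to the "code" parameter.
/photo-video-store/templates/check_vk.php:28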
8  if ( $pvs_global_settings["auth_vkontakte"] ) {
9  
10  	$client_id = $pvs_global_settings["auth_vkontakte_key"];
11  	$client_secret = $pvs_global_settings["auth_vkontakte_secret"];
12  	$my_url = site_url() . "/check-vk/";
13  
14  	if ( isset( $_SERVER["HTTP_REFERER"] ) and preg_match( "/checkout/i", $_SERVER["HTTP_REFERER"] ) ) {
15  		$_SESSION["redirect_url"] = "checkout";
16  	}
17  
18  	if ( ! isset( $_GET["code"] ) ) {
19  		$url = "https://oauth.vk.com/authorize?client_id=" . $client_id .
20  			"&scope=&redirect_uri=" . $my_url . "&response_type=code";
21  		header( "location:" . $url );
22  
23  		exit();
24  	}
25  
26  	if ( isset( $_GET["code"] ) ) {
27  		$token_url = "https://oauth.vk.com/access_token?client_id=" . $client_id .
28  			"&client_secret=" . $client_secret . "&code=" . $_GET['code'] . "&redirect_uri=" .
29  			$my_url;
30  
Threat level 2

Callstack:

@INLINE::/photo-video-store/templates/check_vk.php /photo-video-store/templates/check_vk.php:31
11  	$client_secret = $pvs_global_settings["auth_vkontakte_secret"];
12  	$my_url = site_url() . "/check-vk/";
13  
14  	if ( isset( $_SERVER["HTTP_REFERER"] ) and preg_match( "/checkout/i", $_SERVER["HTTP_REFERER"] ) ) {
15  		$_SESSION["redirect_url"] = "checkout";
16  	}
17  
18  	if ( ! isset( $_GET["code"] ) ) {
19  		$url = "https://oauth.vk.com/authorize?client_id=" . $client_id .
20  			"&scope=&redirect_uri=" . $my_url . "&response_type=code";
21  		header( "location:" . $url );
22  
23  		exit();
24  	}
25  
26  	if ( isset( $_GET["code"] ) ) {
27  		$token_url = "https://oauth.vk.com/access_token?client_id=" . $client_id .
28  			"&client_secret=" . $client_secret . "&code=" . $_GET['code'] . "&redirect_uri=" .
29  			$my_url;
30  
31  		$resp = file_get_contents( $token_url );
32  		$data = json_decode( $resp, true );
33  		$_SESSION["access_token"] = $data['access_token'];