Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928922 (2018-07-26 19:06:14)

Warning

There are many false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink @FUNCTION::mysqli_query
Risk _REQUEST (the `item_number`, `product_type` and `txn_id` values read from `$_REQUEST` at notification.php:84 are passed to `pvs_transaction_add()`, which concatenates them as `$pid`, `$ptype` and `$tid` into the insert at functions.php:5191 without casting or escaping; only the select at :5176 applies an `(int)` cast)
/photo-video-store/includes/payments/paypal/notification.php:84 (show/hide source)
64  							{
65  								$sql = "update " . PVS_DB_PREFIX .
66  									"subscription_list set bandwidth=0,data2=data2+" . ( 3600 * 24 * $rs->row["days"] ) .
67  									",payments=payments+1,recurring_data=" . pvs_get_time( date( "H" ), date( "i" ),
68  									date( "s" ), date( "m" ), date( "d" ), date( "Y" ) ) . " where id_parent=" . ( int )
69  									$_REQUEST["item_number"];
70  								$db->execute( $sql );
71  							}
72  						}
73  					}
74  				}
75  
76  				exit();
77  			}
78  		}
79  
80  		//Items
81  		if (!is_wp_error($response) and strstr($response['body'], 'VERIFIED') and $_REQUEST["payment_status"] == "Completed" and ( $_REQUEST["txn_type"] ==
82  			"web_accept" or $_REQUEST["txn_type"] == "cart" or $_REQUEST["txn_type"] ==
83  			"send_money" ) ) {
84 $transaction_id = pvs_transaction_add( "paypal", @$_REQUEST["txn_id"], $_REQUEST["product_type"],
85 $_REQUEST["item_number"] ); 86
Threat level 1

Callstack:

TMySQLConnection::execute /photo-video-store/includes/functions/mysqldb.php:19 (show/hide source)
1  <?php
2  // Exit if accessed directly.
// Abort when this file is requested directly instead of being loaded by WordPress.
defined( 'ABSPATH' ) || exit;
7  
8  class TMySQLConnection
9  {
10  	var $connection;
11  
	/**
	 * Opens the MySQL connection using the WordPress DB_HOST/DB_USER/DB_PASSWORD/DB_NAME constants.
	 *
	 * NOTE(review): the return value of mysqli_connect() is stored unchecked, so on a
	 * failed connection $this->connection holds false rather than a mysqli instance;
	 * execute() then passes that value straight to mysqli_query() — confirm callers
	 * cope with this.
	 */
	function connect()
	{
		$this->connection = mysqli_connect( DB_HOST, DB_USER, DB_PASSWORD, DB_NAME );
	}
16  
17  	function execute( $query )
18  	{
19 if ( $mysqli_result = mysqli_query( $this->connection, $query ) )
20 { 21 return $mysqli_result;
TMySQLQuery::open /photo-video-store/includes/functions/mysqldb.php:52 (show/hide source)
32  }
33  
34  class TMySQLQuery
35  {
36  	var $connection;
37  	var $result;
38  	var $row;
39  	var $trow;
40  	var $eof;
41  	var $addnew;
42  	var $source;
43  	var $rc;
44  
45  	function __construct()
46  	{
47  		$this->connection = new TMySQLConnection;
48  	}
49  
50  	function open( $query )
51  	{
52 $this->result = $this->connection->execute( $query );
53 $this->movenext(); 54 }
@FUNCTION::pvs_transaction_add /photo-video-store/includes/functions/functions.php:5196 (show/hide source)
5176  		$sql = "select id,total,user from " . PVS_DB_PREFIX . "orders where id=" . ( int )
5177  			$pid;
5178  		$dp->open( $sql );
5179  		if ( ! $dp->eof )
5180  		{
5181  			$title = "Order #" . $pid;
5182  			$total = $dp->row["total"];
5183  			$user = pvs_user_id_to_login($dp->row["user"]);
5184  		}
5185  	}
5186  
5187  	$sql = "insert into " . PVS_DB_PREFIX .
5188  		"payments (data,user,total,ip,processor,tnumber,ptype,pid) values (" .
5189  		pvs_get_time( date( "H" ), date( "i" ), date( "s" ), date( "m" ), date( "d" ),
5190  		date( "Y" ) ) . ",'" . $user . "','" . $total . "','" . $_SERVER["REMOTE_ADDR"] .
5191  		"','" . $processor . "','" . $tid . "','" . $ptype . "'," . $pid . ")";
5192  	$db->execute( $sql );
5193  
5194  	$sql = "select id_parent from " . PVS_DB_PREFIX . "payments where user='" . $user .
5195  		"' order by id_parent desc";
5196 $dt->open( $sql );
5197 $id = $dt->row['id_parent']; 5198
@INLINE::/photo-video-store/includes/payments/paypal/notification.php /photo-video-store/includes/payments/paypal/notification.php:85 (show/hide source)
65  								$sql = "update " . PVS_DB_PREFIX .
66  									"subscription_list set bandwidth=0,data2=data2+" . ( 3600 * 24 * $rs->row["days"] ) .
67  									",payments=payments+1,recurring_data=" . pvs_get_time( date( "H" ), date( "i" ),
68  									date( "s" ), date( "m" ), date( "d" ), date( "Y" ) ) . " where id_parent=" . ( int )
69  									$_REQUEST["item_number"];
70  								$db->execute( $sql );
71  							}
72  						}
73  					}
74  				}
75  
76  				exit();
77  			}
78  		}
79  
80  		//Items
81  		if (!is_wp_error($response) and strstr($response['body'], 'VERIFIED') and $_REQUEST["payment_status"] == "Completed" and ( $_REQUEST["txn_type"] ==
82  			"web_accept" or $_REQUEST["txn_type"] == "cart" or $_REQUEST["txn_type"] ==
83  			"send_money" ) ) {
84  			$transaction_id = pvs_transaction_add( "paypal", @$_REQUEST["txn_id"], $_REQUEST["product_type"],
85 $_REQUEST["item_number"] );
86 87 if ( $_REQUEST["product_type"] == "credits" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'credits' ) )