Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928928 (2018-07-26 19:06:29)

Warning

There are many false positives and unexploitable findings in this report. Please build a working PoC exploit before reporting anything to the vendor!

Details:

Sink @FUNCTION::mysqli_query
Risk _REQUEST
/photo-video-store/includes/payments/paypal/notification.php:96 (show/hide source)
76  				exit();
77  			}
78  		}
79  
80  		//Items
81  		if (!is_wp_error($response) and strstr($response['body'], 'VERIFIED') and $_REQUEST["payment_status"] == "Completed" and ( $_REQUEST["txn_type"] ==
82  			"web_accept" or $_REQUEST["txn_type"] == "cart" or $_REQUEST["txn_type"] ==
83  			"send_money" ) ) {
84  			$transaction_id = pvs_transaction_add( "paypal", @$_REQUEST["txn_id"], $_REQUEST["product_type"],
85  				$_REQUEST["item_number"] );
86  
87  			if ( $_REQUEST["product_type"] == "credits" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'credits' ) )
88  			{
89  				pvs_credits_approve( $_REQUEST["item_number"], $transaction_id );
90  				pvs_send_notification( 'credits_to_user', $_REQUEST["item_number"] );
91  				pvs_send_notification( 'credits_to_admin', $_REQUEST["item_number"] );
92  			}
93  
94  			if ( $_REQUEST["product_type"] == "subscription" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'subscription' ) )
95  			{
96 pvs_subscription_approve( $_REQUEST["item_number"] );
97 pvs_send_notification( 'subscription_to_user', $_REQUEST["item_number"] ); 98 pvs_send_notification( 'subscription_to_admin', $_REQUEST["item_number"] );
Threat level 1

Callstack:

TMySQLConnection::execute /photo-video-store/includes/functions/mysqldb.php:19 (show/hide source)
1  <?php
2  // Exit if accessed directly.
3  if ( ! defined( 'ABSPATH' ) )
4  {
5  	exit;
6  }
7  
8  class TMySQLConnection
9  {
10  	var $connection;
11  
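/**
 * Opens the MySQL link that execute() runs queries on.
 *
 * The credentials come from the DB_HOST / DB_USER / DB_PASSWORD / DB_NAME
 * constants (WordPress' wp-config.php values; they are not defined in this
 * file).
 *
 * @return void
 * @throws RuntimeException when the server refuses the connection, so the
 *         failure surfaces here rather than as an invalid handle passed to
 *         mysqli_query() from execute() later on.
 */
function connect()
{
    $link = mysqli_connect( DB_HOST, DB_USER, DB_PASSWORD, DB_NAME );

    // On older PHP versions mysqli_connect() returns false instead of throwing;
    // storing that would only break on the next execute() call, so fail now.
    if ( $link === false )
    {
        throw new RuntimeException( 'Database connection failed: ' . mysqli_connect_error() );
    }

    $this->connection = $link;
}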
16  
17  	function execute( $query )
18  	{
19 if ( $mysqli_result = mysqli_query( $this->connection, $query ) )
20 { 21 return $mysqli_result;
TMySQLQuery::open /photo-video-store/includes/functions/mysqldb.php:52 (show/hide source)
32  }
33  
34  class TMySQLQuery
35  {
36  	var $connection;
37  	var $result;
38  	var $row;
39  	var $trow;
40  	var $eof;
41  	var $addnew;
42  	var $source;
43  	var $rc;
44  
/**
 * Creates a query object bound to a new TMySQLConnection wrapper.
 *
 * Only the wrapper is instantiated here; no connect() call is made in this
 * constructor, so establishing the link is left to whoever uses the object.
 */
function __construct()
{
    $wrapper = new TMySQLConnection();
    $this->connection = $wrapper;
}
49  
/**
 * Executes $query on the wrapped connection and moves to the first row.
 *
 * @param string $query SQL text handed verbatim to TMySQLConnection::execute().
 *                      No escaping or parameter binding happens here, so every
 *                      caller must cast/escape the values it interpolates.
 * @return void
 */
function open( $query )
{
    $link = $this->connection;
    $this->result = $link->execute( $query );

    // Position on the first row right away (movenext() is defined elsewhere in
    // this class; presumably it updates $this->row / $this->eof — not shown here).
    $this->movenext();
}
@FUNCTION::pvs_affiliate_add_commission /photo-video-store/includes/functions/functions.php:7698 (show/hide source)
7678  				{
7679  					$user_info2 = get_userdata($user_info->aff_referal);
7680  
7681  					$total = $total * $user_info2->aff_commission_buyer / 100;
7682  					$sql = "insert into " . PVS_DB_PREFIX .
7683  						"affiliates_signups (userid,types,types_id,rates,total,data,aff_referal,status) values (" .
7684  						$user_info->ID . ",'" . $type . "'," . $id . "," . $user_info2-> aff_commission_buyer .
7685  						"," . $total . "," . pvs_get_time( date( "H" ), date( "i" ), date( "s" ), date( "m" ),
7686  						date( "d" ), date( "Y" ) ) . "," . $user_info->aff_referal . ",1)";
7687  					$db->execute( $sql );
7688  					pvs_send_notification( "commission_to_affiliate", $user_info->ID, "C" . $id,
7689  						"", $total );
7690  				}
7691  			}
7692  		}
7693  
7694  		if ( $type == "orders")
7695  		{
7696  			$sql = "select user,total from " . PVS_DB_PREFIX . "orders where credits=0 and id=" . ( int )
7697  				$id;
7698 $dp->open( $sql );
7699 if ( ! $dp->eof ) 7700 {
@FUNCTION::pvs_subscription_approve /photo-video-store/includes/functions/functions.php:6950 (show/hide source)
6930  }
6931  
6932  
6933  
6934  
6935  
6936  /**
6937   * Approve subscription
6938   *
6939   * @param  int $pid subscription order ID.
6940   */
6941  function pvs_subscription_approve( $pid )
6942  {
6943  	global $db;
6944  
6945  	$sql = "update " . PVS_DB_PREFIX .
6946  		"subscription_list set approved=1,payments=1 where id_parent=" . ( int )$pid;
6947  	$db->execute( $sql );
6948  
6949  	//Affiliate commission
6950 pvs_affiliate_add_commission( $pid, "subscription" );
6951 6952 //Create invoice
@INLINE::/photo-video-store/includes/payments/paypal/notification.php /photo-video-store/includes/payments/paypal/notification.php:96 (show/hide source)
76  				exit();
77  			}
78  		}
79  
80  		//Items
81  		if (!is_wp_error($response) and strstr($response['body'], 'VERIFIED') and $_REQUEST["payment_status"] == "Completed" and ( $_REQUEST["txn_type"] ==
82  			"web_accept" or $_REQUEST["txn_type"] == "cart" or $_REQUEST["txn_type"] ==
83  			"send_money" ) ) {
84  			$transaction_id = pvs_transaction_add( "paypal", @$_REQUEST["txn_id"], $_REQUEST["product_type"],
85  				$_REQUEST["item_number"] );
86  
87  			if ( $_REQUEST["product_type"] == "credits" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'credits' ) )
88  			{
89  				pvs_credits_approve( $_REQUEST["item_number"], $transaction_id );
90  				pvs_send_notification( 'credits_to_user', $_REQUEST["item_number"] );
91  				pvs_send_notification( 'credits_to_admin', $_REQUEST["item_number"] );
92  			}
93  
94  			if ( $_REQUEST["product_type"] == "subscription" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'subscription' ) )
95  			{
96 pvs_subscription_approve( $_REQUEST["item_number"] );
97 pvs_send_notification( 'subscription_to_user', $_REQUEST["item_number"] ); 98 pvs_send_notification( 'subscription_to_admin', $_REQUEST["item_number"] );