Project: WordPress Plugin Photo Video Store 18.05

Vulnerability: #8928932 (2018-07-26 19:06:42)

Warning

Many of these findings are false positives or unexploitable vulnerabilities. Please build a working proof-of-concept ("PoC") exploit before reporting anything to the vendor!

Details:

Sink @FUNCTION::mysqli_query
Risk _REQUEST
/photo-video-store/includes/payments/paypal/notification.php:104
84  			$transaction_id = pvs_transaction_add( "paypal", @$_REQUEST["txn_id"], $_REQUEST["product_type"],
85  				$_REQUEST["item_number"] );
86  
87  			if ( $_REQUEST["product_type"] == "credits" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'credits' ) )
88  			{
89  				pvs_credits_approve( $_REQUEST["item_number"], $transaction_id );
90  				pvs_send_notification( 'credits_to_user', $_REQUEST["item_number"] );
91  				pvs_send_notification( 'credits_to_admin', $_REQUEST["item_number"] );
92  			}
93  
94  			if ( $_REQUEST["product_type"] == "subscription" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'subscription' ) )
95  			{
96  				pvs_subscription_approve( $_REQUEST["item_number"] );
97  				pvs_send_notification( 'subscription_to_user', $_REQUEST["item_number"] );
98  				pvs_send_notification( 'subscription_to_admin', $_REQUEST["item_number"] );
99  			}
100  
101  			if ( $_REQUEST["product_type"] == "order" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'order' ) )
102  			{
103  				pvs_order_approve( $_REQUEST["item_number"] );
104 pvs_commission_add( $_REQUEST["item_number"] );
105 106 pvs_coupons_add( pvs_order_user( $_REQUEST["item_number"] ) );
Threat level 1

Callstack (listed sink-first, from the query execution back to the request handler; the tainted value is `$_REQUEST["item_number"]`, passed to pvs_commission_add() as `$order_id` and concatenated uncast into the `orders`/`orders_content` query on functions.php line 7170, whereas the earlier query on line 7161 casts it with `(int)`; whether notification.php verifies the IPN with PayPal before line 84 is not shown here, and that decides whether the sink is reachable with attacker-controlled input):

TMySQLConnection::execute /photo-video-store/includes/functions/mysqldb.php:19
1  <?php
2  // Exit if accessed directly.
3  if ( ! defined( 'ABSPATH' ) )
4  {
5  	exit;
6  }
7  
8  class TMySQLConnection
9  {
10  	var $connection;
11  
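/**
 * Opens the mysqli link that execute() runs queries on.
 *
 * DB_HOST, DB_USER, DB_PASSWORD and DB_NAME are defined outside this file
 * (presumably the WordPress wp-config.php constants).
 *
 * @throws RuntimeException when the connection cannot be established.
 */
function connect()
{
	$this->connection = mysqli_connect( DB_HOST, DB_USER, DB_PASSWORD, DB_NAME );

	// On PHP < 8.1 a failed connect returns false instead of throwing; left
	// unchecked, execute() would later call mysqli_query() on `false`. Fail
	// here with a clear message instead (PHP >= 8.1 already throws
	// mysqli_sql_exception before this line is reached).
	if ( ! $this->connection )
	{
		throw new RuntimeException( 'Database connection failed: ' . mysqli_connect_error() );
	}
}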
16  
17  	function execute( $query )
18  	{
19 if ( $mysqli_result = mysqli_query( $this->connection, $query ) )
20 { 21 return $mysqli_result;
TMySQLQuery::open /photo-video-store/includes/functions/mysqldb.php:52
32  }
33  
34  class TMySQLQuery
35  {
36  	var $connection;
37  	var $result;
38  	var $row;
39  	var $trow;
40  	var $eof;
41  	var $addnew;
42  	var $source;
43  	var $rc;
44  
/**
 * Gives every TMySQLQuery its own TMySQLConnection.
 *
 * Only the object is created here; connect() is not called, so no link is
 * opened by the constructor. Callers shown on this page (pvs_commission_add)
 * overwrite $this->connection with a shared connection right after
 * construction.
 */
function __construct()
{
	$ownConnection = new TMySQLConnection();
	$this->connection = $ownConnection;
}
49  
/**
 * Runs $query on the attached connection, stores the mysqli result and then
 * calls movenext() (defined elsewhere in this class; presumably it loads the
 * first row into $this->row / $this->eof, which callers read after open()).
 *
 * $query is executed verbatim: this layer performs no escaping or parameter
 * binding, so every caller is responsible for casting or escaping any value
 * it concatenates into the statement (compare the `( int )$order_id` cast on
 * one query in pvs_commission_add with the uncast `$order_id` on the next).
 */
function open( $query )
{
	$queryResult = $this->connection->execute( $query );
	$this->result = $queryResult;
	$this->movenext();
}
@FUNCTION::pvs_commission_add /photo-video-store/includes/functions/functions.php:7172
7152  	$dp->connection = $db;
7153  	$dt = new TMySQLQuery;
7154  	$dt->connection = $db;
7155  	$dm = new TMySQLQuery;
7156  	$dm->connection = $db;
7157  	$dx = new TMySQLQuery;
7158  	$dx->connection = $db;
7159  
7160  	$user_order = "";
7161  	$sql = "select user from " . PVS_DB_PREFIX . "orders where id=" . ( int )$order_id;
7162  	$dp->open( $sql );
7163  	if ( ! $dp->eof )
7164  	{
7165  		$user_order = pvs_user_id_to_login($dp->row["user"]);
7166  	}
7167  
7168  	$sql = "select a.id,a.status,a.data,b.id,b.id_parent,b.price,b.item,b.quantity,b.prints,b.printslab,b.option1_id,b.option1_value,b.option2_id,b.option2_value,b.option3_id,b.option3_value,b.option4_id,b.option4_value,b.option5_id,b.option5_value,b.option6_id,b.option6_value,b.option7_id,b.option7_value,b.option8_id,b.option8_value,b.option9_id,b.option9_value,b.option10_id,b.option10_value from " .
7169  		PVS_DB_PREFIX . "orders a," . PVS_DB_PREFIX .
7170  		"orders_content b where a.id=b.id_parent and a.id=" . $order_id .
7171  		" order by a.data desc";
7172 $dp->open( $sql );
7173 while ( ! $dp->eof ) 7174 {
@INLINE::/photo-video-store/includes/payments/paypal/notification.php /photo-video-store/includes/payments/paypal/notification.php:104
84  			$transaction_id = pvs_transaction_add( "paypal", @$_REQUEST["txn_id"], $_REQUEST["product_type"],
85  				$_REQUEST["item_number"] );
86  
87  			if ( $_REQUEST["product_type"] == "credits" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'credits' ) )
88  			{
89  				pvs_credits_approve( $_REQUEST["item_number"], $transaction_id );
90  				pvs_send_notification( 'credits_to_user', $_REQUEST["item_number"] );
91  				pvs_send_notification( 'credits_to_admin', $_REQUEST["item_number"] );
92  			}
93  
94  			if ( $_REQUEST["product_type"] == "subscription" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'subscription' ) )
95  			{
96  				pvs_subscription_approve( $_REQUEST["item_number"] );
97  				pvs_send_notification( 'subscription_to_user', $_REQUEST["item_number"] );
98  				pvs_send_notification( 'subscription_to_admin', $_REQUEST["item_number"] );
99  			}
100  
101  			if ( $_REQUEST["product_type"] == "order" and ! pvs_is_order_approved( $_REQUEST["item_number"], 'order' ) )
102  			{
103  				pvs_order_approve( $_REQUEST["item_number"] );
104 pvs_commission_add( $_REQUEST["item_number"] );
105 106 pvs_coupons_add( pvs_order_user( $_REQUEST["item_number"] ) );