Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928944 (2018-07-26 19:06:57)

Warning

There are many false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink @FUNCTION::mysqli_query
Risk _FILES
/photo-video-store/includes/functions/functions.php:3961
3941  
3942  /**
3943   * The function gets the filename and the file extension
3944   *
3945   * @param  string $filename - file path.
3946   * @param  string $type filename or extension.
3947   * @return string filename or extension
3948   */
3949  function pvs_get_file_info( $filename, $type )
3950  {
3951  	$fname = "";
3952  	$nf = explode( ".", $filename );
3953  	$fext = $nf[count( $nf ) - 1];
3954  
3955  	for ( $i = 0; $i < count( $nf ) - 1; $i++ )
3956  	{
3957  		if ( $fname != "" )
3958  		{
3959  			$fname .= ".";
3960  		}
3961 $fname .= $nf[$i];
3962 } 3963
Threat level 0

Callstack:

TMySQLConnection::execute /photo-video-store/includes/functions/mysqldb.php:19
1  <?php
// Abort if this file is requested directly instead of being loaded by WordPress
// (ABSPATH is only defined when WordPress has bootstrapped).
defined( 'ABSPATH' ) || exit;
7  
8  class TMySQLConnection
9  {
10  	var $connection;
11  
/**
 * Opens the MySQL connection and stores the handle in $this->connection.
 *
 * Credentials and host come from the DB_* constants, which are defined
 * outside this file. The return value of mysqli_connect() is not checked,
 * so on failure $this->connection holds whatever mysqli_connect() returned
 * (false under the classic, non-throwing mysqli error mode).
 * NOTE(review): confirm that callers of execute() cope with that case.
 */
function connect()
{
	$this->connection = mysqli_connect( DB_HOST, DB_USER, DB_PASSWORD, DB_NAME );
}
16  
17  	function execute( $query )
18  	{
19 if ( $mysqli_result = mysqli_query( $this->connection, $query ) )
20 { 21 return $mysqli_result;
TMySQLQuery::open /photo-video-store/includes/functions/mysqldb.php:52
32  }
33  
34  class TMySQLQuery
35  {
36  	var $connection;
37  	var $result;
38  	var $row;
39  	var $trow;
40  	var $eof;
41  	var $addnew;
42  	var $source;
43  	var $rc;
44  
/**
 * Creates the query object with its own TMySQLConnection instance.
 *
 * Only the connection object is built here; TMySQLConnection::connect()
 * is a separate call and is not invoked by this constructor.
 */
function __construct()
{
	$conn = new TMySQLConnection();
	$this->connection = $conn;
}
49  
/**
 * Executes $query on the wrapped connection and then calls movenext().
 *
 * @param string $query  Complete SQL text. It is passed verbatim to
 *                       TMySQLConnection::execute(), which hands it
 *                       straight to mysqli_query(): there is no parameter
 *                       binding or escaping anywhere on this path, so the
 *                       caller must never build $query from untrusted values.
 */
function open( $query )
{
	$this->result = $this->connection->execute( $query );
	// movenext() is not shown in this excerpt; presumably it reads the first
	// row out of $this->result and updates $this->eof — verify in mysqldb.php.
	$this->movenext();
}
@INLINE::/photo-video-store/includes/functions/header.php /photo-video-store/includes/functions/header.php:96
76  		$social_mass["data"] = $rs->row["data"];
77  		if ( get_query_var('pvs_page') == 'photo' or get_query_var('pvs_page') == 'print') {
78  			$social_mass["image"] = pvs_show_preview( $rs->row["id"], "photo", 2, 1, $rs->row["server1"], $rs->row["id"] );
79  		}
80  		if ( get_query_var('pvs_page') == 'video') {
81  			$social_mass["image"] = pvs_show_preview( $rs->row["id"], "video", 1, 1, $rs->row["server1"], $rs->row["id"] );
82  		}
83  		if ( get_query_var('pvs_page') == 'audio') {
84  			$social_mass["image"] = pvs_show_preview( $rs->row["id"], "audio", 1, 1, $rs->row["server1"], $rs->row["id"] );
85  		}
86  		if ( get_query_var('pvs_page') == 'vector') {
87  			$social_mass["image"] = pvs_show_preview( $rs->row["id"], "vector", 2, 1, $rs->row["server1"], $rs->row["id"] );
88  		}
89  
90  		if ( ! preg_match( "/http/i", $social_mass["image"] ) ) {
91  			$social_mass["image"] = site_url() . $social_mass["image"];
92  		}
93  		
94  		$social_mass["category"] = '';
95  		$sql = "select title from " . PVS_DB_PREFIX . "category where id in (select category_id from " . PVS_DB_PREFIX . "category_items where publication_id=" . $rs->row["id"] . ")";
96 $ds->open( $sql );
97 while (!$ds->eof) { 98 if ($social_mass["category"] != '') {