Project: Wordpress Plugin Photo Video Store 18.05

Vulnerability: #8928945 (2018-07-26 19:06:58)

Warning

There are many false positives or unexploitable vulnerabilities in these results. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink @FUNCTION::mysqli_query
Risk _FILES
/photo-video-store/includes/functions/functions.php:3961
3941  
3942  /**
3943   * The function gets the filename and file extension
3944   *
3945   * @param  string $filename - file path.
3946   * @param  string $type - which part to return: filename or extension.
3947   * @return string filename or extension
3948   */
3949  function pvs_get_file_info( $filename, $type )
3950  {
3951  	$fname = "";
3952  	$nf = explode( ".", $filename );
3953  	$fext = $nf[count( $nf ) - 1];
3954  
3955  	for ( $i = 0; $i < count( $nf ) - 1; $i++ )
3956  	{
3957  		if ( $fname != "" )
3958  		{
3959  			$fname .= ".";
3960  		}
3961 $fname .= $nf[$i];
3962 } 3963
Threat level 0

Callstack:

TMySQLConnection::execute /photo-video-store/includes/functions/mysqldb.php:19
1  <?php
2  // Exit if accessed directly.
3  if ( ! defined( 'ABSPATH' ) )
4  {
5  	exit;
6  }
7  
8  class TMySQLConnection
9  {
10  	var $connection;
11  
function connect()
{
	// Open the MySQL link with the WordPress DB_* constants and keep the
	// handle on the instance for execute(). Only the connection is made
	// here; no charset or error-reporting mode is set, so mysqli defaults apply.
	// NOTE(review): the result is stored unchecked. If mysqli_connect() returns
	// false instead of throwing, $this->connection holds false and the later
	// mysqli_query() call in execute() fails — confirm callers tolerate that.
	$link = mysqli_connect( DB_HOST, DB_USER, DB_PASSWORD, DB_NAME );
	$this->connection = $link;
}
16  
17  	function execute( $query )
18  	{
19 if ( $mysqli_result = mysqli_query( $this->connection, $query ) )
20 { 21 return $mysqli_result;
TMySQLQuery::open /photo-video-store/includes/functions/mysqldb.php:52
32  }
33  
34  class TMySQLQuery
35  {
36  	var $connection;
37  	var $result;
38  	var $row;
39  	var $trow;
40  	var $eof;
41  	var $addnew;
42  	var $source;
43  	var $rc;
44  
function __construct()
{
	// Each query object owns its own TMySQLConnection wrapper. Only the
	// wrapper is instantiated here — connect() is not called, so the actual
	// link is established elsewhere (not visible in this excerpt).
	$conn = new TMySQLConnection();
	$this->connection = $conn;
}
49  
function open( $query )
{
	// Run the SQL string through the wrapped connection and position the
	// cursor on the first row via movenext() (defined outside this excerpt).
	// The SQL is passed through verbatim: this layer does no escaping or
	// parameterisation, so every caller must build a safe query itself —
	// e.g. the header.php caller casts pvs_id with (int) before concatenating
	// it. Any caller that concatenates an unsanitised value reaches
	// mysqli_query() unchanged, which is why scanners flag execute() as a sink.
	$rs = $this->connection->execute( $query );
	$this->result = $rs;
	$this->movenext();
}
@INLINE::/photo-video-store/includes/functions/header.php /photo-video-store/includes/functions/header.php:841
821  
822  if ( get_query_var('pvs_page') == "contacts" ) {
823  	$pvs_pagename .= $pvs_pagename_separator . pvs_word_lang( "contacts" );
824  	$pvs_path = $pvs_path_left . pvs_word_lang( "contacts" ) . $pvs_path_right;
825  }
826  if ( get_query_var('pvs_page') == "support" ) {
827  	$pvs_pagename .= $pvs_pagename_separator . pvs_word_lang( "support" );
828  	$pvs_path = $pvs_path_left . pvs_word_lang( "support" ) . $pvs_path_right;
829  }
830  if ( get_query_var('pvs_page') == "cart" ) {
831  	$pvs_pagename .= $pvs_pagename_separator . pvs_word_lang( "shopping cart" );
832  	$pvs_path = $pvs_path_left . pvs_word_lang( "shopping cart" ) . $pvs_path_right;
833  }
834  if ( get_query_var('pvs_page') == "checkout" ) {
835  	$pvs_pagename .= $pvs_pagename_separator . pvs_word_lang( "checkout" );
836  	$pvs_path = $pvs_path_left . pvs_word_lang( "checkout" ) . $pvs_path_right;
837  }
838  
839  if ( get_query_var('pvs_page') == "photo" or get_query_var('pvs_page') == "print" or get_query_var('pvs_page') == "video" or get_query_var('pvs_page') == "audio" or get_query_var('pvs_page') == "vector") {
840  	$sql="select title from " . PVS_DB_PREFIX . "media where id=" . (int)get_query_var('pvs_id');
841 $ds->open($sql);
842 if(!$ds->eof) { 843 $pvs_pagename = $pvs_pagename_separator . $ds->row["title"];