Project: WordPress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165762 (2018-08-19 15:19:19)

Warning

There are many false positives and unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::http_build_query
Risk _GET
/realtyna-provisioning/app/html/menus/dashboard/steps/search.php:9 (show/hide source)
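<?php
// Refuse to run when the file is requested directly instead of being loaded by WordPress.
defined('ABSPATH') or die();

// Search term from the query string (untrusted input).
// WordPress adds slashes to $_GET values, so unslash before sanitizing; otherwise a
// quote typed by the user is passed on with a backslash in front of it.
$term = isset($_GET['s']) ? sanitize_text_field(wp_unslash($_GET['s'])) : NULL;

// Package type filter, also from the query string and handled the same way.
$type = isset($_GET['type']) ? sanitize_text_field(wp_unslash($_GET['type'])) : NULL;

// Search Query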
Threat level 1

Callstack:

RTPROV_Api::call /realtyna-provisioning/app/includes/api.php:105 (show/hide source)
85  
86      public function call($route, $args = array(), $method = 'POST', $auth = true)
87      {
88          // API URL to Call
89          $url = $this->url($route);
90  
91          // Init the CURL
92          $curl = curl_init();
93  
94          // Request Method
95          if($method == 'POST')
96          {
97              curl_setopt($curl, CURLOPT_POST, 1);
98  
99              // Request Payload
100              if(is_array($args) and count($args)) curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($args));
101          }
102          else
103          {
104              // Request Payload
105 if(is_array($args) and count($args)) $url = sprintf("%s?%s", $url, http_build_query($args));
106 } 107
RTPROV_Api::getRequest /realtyna-provisioning/app/includes/api.php:83 (show/hide source)
63      {
64          $JSON = $this->getRequest('types', $args, true);
65          return $this->toArray($JSON);
66      }
67  
/**
 * Requests a token from the 'users/token' route.
 *
 * The value of getAuthKey() is posted as 'auth_token', and the call is made
 * with $auth set to false.
 *
 * NOTE(review): the auth key leaves the site in this request; confirm that url()
 * yields an https endpoint and that call() keeps certificate verification enabled.
 *
 * @return mixed The 'token' entry of the toArray() result, or false when it is not set.
 */
public function token()
{
    $payload = array('auth_token' => $this->getAuthKey());
    $decoded = $this->toArray($this->postRequest('users/token', $payload, false));

    if(!isset($decoded['token'])) return false;

    return $decoded['token'];
}
75  
/**
 * Shorthand for call() with the method fixed to 'POST'.
 *
 * In call(), a non-empty $args array sent with POST is JSON-encoded into the
 * request body.
 *
 * @param string $route Route handed to call() unchanged.
 * @param array  $args  Request arguments.
 * @param bool   $auth  Passed through to call().
 * @return mixed Whatever call() returns.
 */
public function postRequest($route, $args = array(), $auth = true)
{
    $method = 'POST';

    return $this->call($route, $args, $method, $auth);
}
80  
/**
 * Shorthand for call() with the method fixed to 'GET'.
 *
 * In call(), a non-empty $args array sent with a non-POST method is appended to the
 * URL as a query string built by http_build_query(), which percent-encodes keys and
 * values. Because the arguments become part of the URL, which commonly ends up in
 * access logs, callers should not pass secrets through this method.
 *
 * @param string $route Route handed to call() unchanged.
 * @param array  $args  Request arguments that end up in the query string.
 * @param bool   $auth  Passed through to call().
 * @return mixed Whatever call() returns.
 */
public function getRequest($route, $args = array(), $auth = true)
{
    $method = 'GET';

    return $this->call($route, $args, $method, $auth);
}
RTPROV_Api::packages /realtyna-provisioning/app/includes/api.php:46 (show/hide source)
26          return $this->postRequest('users', $args, false);
27  	}
28  
/**
 * Posts $args to the 'users/login' route with $auth set to false.
 *
 * NOTE(review): $args presumably carries user credentials; confirm that the
 * endpoint is https and that nothing in the request path logs the payload.
 *
 * @param array $args Request arguments.
 * @return mixed Whatever postRequest() returns.
 */
public function login($args = array())
{
    $result = $this->postRequest('users/login', $args, false);

    return $result;
}
33  
/**
 * Posts $args to the 'users/forgot' route with $auth set to false.
 *
 * @param array $args Request arguments.
 * @return mixed Whatever postRequest() returns.
 */
public function forgotPassword($args = array())
{
    $result = $this->postRequest('users/forgot', $args, false);

    return $result;
}
38  
/**
 * Posts $args to the 'users/reset' route with $auth set to false.
 *
 * @param array $args Request arguments.
 * @return mixed Whatever postRequest() returns.
 */
public function resetPassword($args = array())
{
    $result = $this->postRequest('users/reset', $args, false);

    return $result;
}
43  
/**
 * Fetches the 'packages' route with a GET request ($auth set to true) and
 * returns the result of toArray().
 *
 * $args travel in the query string. search.php passes request-derived values
 * here, so this is the path the scanner traced to http_build_query(). The route
 * itself is a fixed string and is not influenced by $args.
 *
 * @param array $args Request arguments.
 * @return mixed Whatever toArray() returns for the response.
 */
public function packages($args = array())
{
    return $this->toArray($this->getRequest('packages', $args, true));
}
@INLINE::/realtyna-provisioning/app/html/menus/dashboard/steps/search.php /realtyna-provisioning/app/html/menus/dashboard/steps/search.php:16 (show/hide source)
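<?php
// Refuse to run when the file is requested directly instead of being loaded by WordPress.
defined('ABSPATH') or die();

// Search term from the query string (untrusted input).
// WordPress adds slashes to $_GET values, so unslash before sanitizing; otherwise a
// quote typed by the user is passed on with a backslash in front of it.
$term = isset($_GET['s']) ? sanitize_text_field(wp_unslash($_GET['s'])) : NULL;

// Package type filter, also from the query string and handled the same way.
$type = isset($_GET['type']) ? sanitize_text_field(wp_unslash($_GET['type'])) : NULL;

// Query sent to the provisioning API. Both values are request-controlled, so they are
// sanitized above and only ever passed on as data. RTPROV_Api::packages() issues a GET
// request to the fixed 'packages' route and call() builds the query string with
// http_build_query(), which percent-encodes every key and value. The request therefore
// controls parameter values only, not the route being called.
$query = array('s' => $term, 'limit' => 500);
if($type) $query['types'] = array($type);

$API = new RTPROV_Api();
$response = $API->packages($query);

// Fall back to an empty list when the response has no 'data' entry.
$packages = isset($response['data']) ? $response['data'] : array();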