Project: Wordpress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165769 (2018-08-19 15:19:19)

Warning

Many of these findings are false positives or unexploitable. Please build a working proof-of-concept (PoC) before reporting anything to the vendor.

Details:

Sink Standard::http_build_query
Risk _POST
/realtyna-provisioning/app/includes/menus/dashboard.php:228
208              $this->response(array(
209                  'success' => 0,
210                  'error' => $error,
211              ));
212          }
213      }
214  
215      public function reset()
216      {
217          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
218  
219          // Check if nonce is not set
220          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
221  
222          // Verify that the nonce is valid.
223          if(!wp_verify_nonce($wpnonce, 'rtprov_reset_password')) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
224  
225          $email = isset($_POST['email']) ? sanitize_text_field($_POST['email']) : NULL;
226          $token = isset($_POST['token']) ? sanitize_text_field($_POST['token']) : NULL;
227          $password = isset($_POST['password']) ? sanitize_text_field($_POST['password']) : NULL;
228 $password_confirmation = isset($_POST['password_confirmation']) ? sanitize_text_field($_POST['password_confirmation']) : NULL;
229 230 // Init the API
Threat level 1

Callstack:

RTPROV_Api::call /realtyna-provisioning/app/includes/api.php:105
85  
86      public function call($route, $args = array(), $method = 'POST', $auth = true)
87      {
88          // API URL to Call
89          $url = $this->url($route);
90  
91          // Init the CURL
92          $curl = curl_init();
93  
94          // Request Method
95          if($method == 'POST')
96          {
97              curl_setopt($curl, CURLOPT_POST, 1);
98  
99              // Request Payload
100              if(is_array($args) and count($args)) curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($args));
101          }
102          else
103          {
104              // Request Payload
105 if(is_array($args) and count($args)) $url = sprintf("%s?%s", $url, http_build_query($args));
106 } 107
RTPROV_Api::postRequest /realtyna-provisioning/app/includes/api.php:78
58          $JSON = $this->getRequest('packages/'.$id.'/download', $args, true);
59          return $this->toArray($JSON);
60      }
61  
62      public function types($args = array())
63      {
64          $JSON = $this->getRequest('types', $args, true);
65          return $this->toArray($JSON);
66      }
67  
68      public function token()
69      {
70          $JSON = $this->postRequest('users/token', array('auth_token' => $this->getAuthKey()), false);
71  
72          $response = $this->toArray($JSON);
73          return isset($response['token']) ? $response['token'] : false;
74  	}
75  
76      public function postRequest($route, $args = array(), $auth = true)
77      {
78 return $this->call($route, $args, 'POST', $auth);
79 } 80
RTPROV_Api::resetPassword /realtyna-provisioning/app/includes/api.php:41
21      {
22  	}
23  
24      public function register($args = array())
25      {
26          return $this->postRequest('users', $args, false);
27  	}
28  
29      public function login($args = array())
30      {
31          return $this->postRequest('users/login', $args, false);
32      }
33  
34      public function forgotPassword($args = array())
35      {
36          return $this->postRequest('users/forgot', $args, false);
37      }
38  
39      public function resetPassword($args = array())
40      {
41 return $this->postRequest('users/reset', $args, false);
42 } 43
RTPROV_Menus_Dashboard::reset /realtyna-provisioning/app/includes/menus/dashboard.php:238
218  
219          // Check if nonce is not set
220          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
221  
222          // Verify that the nonce is valid.
223          if(!wp_verify_nonce($wpnonce, 'rtprov_reset_password')) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
224  
225          $email = isset($_POST['email']) ? sanitize_text_field($_POST['email']) : NULL;
226          $token = isset($_POST['token']) ? sanitize_text_field($_POST['token']) : NULL;
227          $password = isset($_POST['password']) ? sanitize_text_field($_POST['password']) : NULL;
228          $password_confirmation = isset($_POST['password_confirmation']) ? sanitize_text_field($_POST['password_confirmation']) : NULL;
229  
230          // Init the API
231          $API = new RTPROV_Api();
232  
233          // Send the Reset Password Request to Server
234          $JSON = $API->resetPassword(array(
235              'email' => $email,
236              'token' => $token,
237              'password' => $password,
238 'password_confirmation' => $password_confirmation,
239 )); 240