Project: Wordpress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165772 (2018-08-19 15:19:19)

Warning

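Many of the findings listed here are false positives or vulnerabilities that cannot be exploited. First check that the tainted value can actually reach the reported sink along the listed call stack. Please create a working "PoC" exploit before reporting anything to the vendor!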

Details:

Sink Standard::http_build_query
Risk _POST
/realtyna-provisioning/app/includes/menus/dashboard.php:79 (show/hide source)
59          include $path;
60  
61          // Get Buffer
62          $output = ob_get_clean();
63  
64          // Print the output
65          echo $output;
66      }
67  
68      public function register()
69      {
70          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
71  
72          // Check if nonce is not set
73          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
74  
75          // Verify that the nonce is valid.
76          if(!wp_verify_nonce($wpnonce, 'rtprov_register')) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
77  
78          $email = isset($_POST['email']) ? sanitize_text_field($_POST['email']) : NULL;
79 $name = isset($_POST['name']) ? sanitize_text_field($_POST['name']) : NULL;
80 81 // Init the API
Threat level 1

Callstack:

RTPROV_Api::call /realtyna-provisioning/app/includes/api.php:105 (show/hide source)
85  
86      public function call($route, $args = array(), $method = 'POST', $auth = true)
87      {
88          // API URL to Call
89          $url = $this->url($route);
90  
91          // Init the CURL
92          $curl = curl_init();
93  
94          // Request Method
95          if($method == 'POST')
96          {
97              curl_setopt($curl, CURLOPT_POST, 1);
98  
99              // Request Payload
100              if(is_array($args) and count($args)) curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($args));
101          }
102          else
103          {
104              // Request Payload
105 if(is_array($args) and count($args)) $url = sprintf("%s?%s", $url, http_build_query($args));
106 } 107
RTPROV_Api::postRequest /realtyna-provisioning/app/includes/api.php:78 (show/hide source)
58          $JSON = $this->getRequest('packages/'.$id.'/download', $args, true);
59          return $this->toArray($JSON);
60      }
61  
/**
 * Request the 'types' route and return the decoded response.
 *
 * NOTE(review): getRequest() is not shown in this report. If it dispatches
 * through call() with a non-POST method, $args are serialised into the URL
 * query string by http_build_query() (see the call() listing), so values
 * that must not appear in URLs or access logs should not be passed here.
 * Confirm against getRequest().
 *
 * @param array $args Parameters forwarded unchanged to getRequest().
 * @return mixed Result of toArray() applied to the raw response.
 */
public function types($args = array())
{
    $raw = $this->getRequest('types', $args, true);

    return $this->toArray($raw);
}
67  
/**
 * Exchange the stored auth key for an API token.
 *
 * The auth key is sent as the 'auth_token' field of a postRequest() to
 * 'users/token', with false as the $auth argument. Because the request goes
 * through postRequest(), the call() listing shows the payload being passed
 * to json_encode() for the request body rather than appended to the URL.
 *
 * @return mixed The 'token' entry of the decoded response, or false when the
 *               response has none. Compare the result with === false.
 */
public function token()
{
    $payload = array('auth_token' => $this->getAuthKey());
    $decoded = $this->toArray($this->postRequest('users/token', $payload, false));

    if(isset($decoded['token'])) return $decoded['token'];

    return false;
}
75  
/**
 * Send a request to the API with the HTTP method fixed to 'POST'.
 *
 * Thin wrapper around call(). In the call() listing shown in this report,
 * the 'POST' branch hands a non-empty $args array to json_encode() for
 * CURLOPT_POSTFIELDS; the http_build_query() line sits in the other
 * (non-POST) branch, which a request made through this method does not take.
 *
 * @param string $route Route passed to call(), which resolves it via url().
 * @param array  $args  Request payload.
 * @param bool   $auth  Forwarded unchanged to call(); its effect is not
 *                      visible in this listing.
 * @return mixed Whatever call() returns.
 */
public function postRequest($route, $args = array(), $auth = true)
{
    $method = 'POST';

    return $this->call($route, $args, $method, $auth);
}
RTPROV_Api::register /realtyna-provisioning/app/includes/api.php:26 (show/hide source)
6  
7  /**
8   * RTPROV Api Class.
9   *
10   * @class RTPROV_Api
11   * @version	1.0.0
12   */
13  class RTPROV_Api extends RTPROV_Base
14  {
15      private $endpoint = 'https://provisioning.realtyna.com/api';
16  
/**
 * Create the API client.
 *
 * Performs no initialisation; the endpoint comes from the $endpoint
 * property default. The parent constructor is not called here, so any
 * constructor defined by RTPROV_Base does not run for this class.
 */
public function __construct()
{
}
23  
/**
 * Submit a registration to the 'users' route of the remote API.
 *
 * Delegates to postRequest() with false as the $auth argument. In the call
 * stack shown in this report, the caller builds $args from $_POST['email']
 * and $_POST['name'] (each passed through sanitize_text_field() after a
 * nonce check) plus the site's home URL, so these values leave the site
 * and are sent to the endpoint configured in $endpoint.
 *
 * NOTE(review): sanitize_text_field() does not check that the value is a
 * well-formed e-mail address; confirm whether the caller or the remote
 * service validates it.
 *
 * @param array $args Registration fields forwarded unchanged.
 * @return mixed Whatever postRequest() returns.
 */
public function register($args = array())
{
    $route = 'users';

    return $this->postRequest($route, $args, false);
}
RTPROV_Menus_Dashboard::register /realtyna-provisioning/app/includes/menus/dashboard.php:88 (show/hide source)
68      public function register()
69      {
70          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
71  
72          // Check if nonce is not set
73          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
74  
75          // Verify that the nonce is valid.
76          if(!wp_verify_nonce($wpnonce, 'rtprov_register')) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
77  
78          $email = isset($_POST['email']) ? sanitize_text_field($_POST['email']) : NULL;
79          $name = isset($_POST['name']) ? sanitize_text_field($_POST['name']) : NULL;
80  
81          // Init the API
82          $API = new RTPROV_Api();
83  
84          // Send the Register Request to Server
85          $JSON = $API->register(array(
86              'email' => $email,
87              'name' => $name,
88 'site' => trim(get_home_url(), '/ '),
89 )); 90