Project: Wordpress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165783 (2018-08-19 15:19:19)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::include
Risk _POST
/realtyna-provisioning/app/includes/menus/dashboard.php:347 (show/hide source)
327              );
328  
329              $this->response(array(
330                  'success' => 0,
331                  'messages' => $messages,
332              ));
333          }
334      }
335  
336      public function install()
337      {
338          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
339          $package_id = isset($_POST['id']) ? $_POST['id'] : 0;
340  
341          // Check if nonce is not set
342          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
343  
344          // Verify that the nonce is valid.
345          if(!wp_verify_nonce($wpnonce, 'rtprov-install-do-'.$package_id)) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
346  
347 $package = isset($_POST['package']) ? $_POST['package'] : NULL;
348 $destination = str_replace('package.zip', '', $package); 349
Threat level 2

Callstack:

RTPROV_Menus_Dashboard::install /realtyna-provisioning/app/includes/menus/dashboard.php:382 (show/hide source)
362                      array('text' => __("We couldn't extract the package content. Please make sure ZipArchive PHP Extension is enabled on your server!", 'realtyna-provisioning'), 'type' => 'danger'),
363                  ),
364              ));
365          }
366  
367          // Installer File Couldn't Find!
368          if(!$file->exists($destination.'installer.php'))
369          {
370              // Remove the Package
371              RTPROV_Folder::delete($destination);
372  
373              $this->response(array(
374                  'success' => 0,
375                  'messages' => array(
376                      array('text' => __("We couldn't find the package installer file!", 'realtyna-provisioning'), 'type' => 'danger'),
377                  ),
378              ));
379          }
380  
381          // Include the Installer
382 include_once $destination.'installer.php';
383 384 // Installer Class Couldn't Find!