Project: Wordpress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165785 (2018-08-19 15:19:19)

Warning

Many findings are false positives or unexploitable vulnerabilities. Please build a working proof-of-concept ("PoC") exploit before reporting anything to the vendor!

Details:

Sink Standard::rmdir
Risk _POST
/realtyna-provisioning/app/includes/menus/dashboard.php:347 (show/hide source)
327              );
328  
329              $this->response(array(
330                  'success' => 0,
331                  'messages' => $messages,
332              ));
333          }
334      }
335  
336      public function install()
337      {
338          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
339          $package_id = isset($_POST['id']) ? $_POST['id'] : 0;
340  
341          // Check if nonce is not set
342          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
343  
344          // Verify that the nonce is valid.
345          if(!wp_verify_nonce($wpnonce, 'rtprov-install-do-'.$package_id)) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
346  
347 $package = isset($_POST['package']) ? $_POST['package'] : NULL;
348 $destination = str_replace('package.zip', '', $package); 349
Threat level 1

Callstack:

RTPROV_Folder::delete /realtyna-provisioning/app/includes/folder.php:65 (show/hide source)
45      {
46          return is_dir($path);
47      }
48  
49      public static function create($path, $mode = 0755)
50      {
51          return mkdir($path, $mode);
52      }
53  
54      public static function delete($path)
55      {
56          if(substr($path, strlen($path) - 1, 1) != '/') $path .= '/';
57  
58          $files = glob($path.'*', GLOB_MARK);
59          foreach($files as $file)
60          {
61              if(is_dir($file)) RTPROV_Folder::delete($file);
62              else unlink($file);
63          }
64  
65 return rmdir($path);
66 } 67
RTPROV_Menus_Dashboard::install /realtyna-provisioning/app/includes/menus/dashboard.php:388 (show/hide source)
368          if(!$file->exists($destination.'installer.php'))
369          {
370              // Remove the Package
371              RTPROV_Folder::delete($destination);
372  
373              $this->response(array(
374                  'success' => 0,
375                  'messages' => array(
376                      array('text' => __("We couldn't find the package installer file!", 'realtyna-provisioning'), 'type' => 'danger'),
377                  ),
378              ));
379          }
380  
381          // Include the Installer
382          include_once $destination.'installer.php';
383  
384          // Installer Class Couldn't Find!
385          if(!class_exists('RTPROV_Installer'))
386          {
387              // Remove the Package
388 RTPROV_Folder::delete($destination);
389 390 $this->response(array(