Project: Wordpress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165789 (2018-08-19 15:19:19)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink Standard::rmdir
Risk _POST
/realtyna-provisioning/app/includes/menus/dashboard.php:347 (show/hide source)
327              );
328  
329              $this->response(array(
330                  'success' => 0,
331                  'messages' => $messages,
332              ));
333          }
334      }
335  
336      public function install()
337      {
338          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
339          $package_id = isset($_POST['id']) ? $_POST['id'] : 0;
340  
341          // Check if nonce is not set
342          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
343  
344          // Verify that the nonce is valid.
345          if(!wp_verify_nonce($wpnonce, 'rtprov-install-do-'.$package_id)) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
346  
347 $package = isset($_POST['package']) ? $_POST['package'] : NULL;
348 $destination = str_replace('package.zip', '', $package); 349
Threat level 1

Callstack:

RTPROV_Folder::delete /realtyna-provisioning/app/includes/folder.php:65 (show/hide source)
45      {
46          return is_dir($path);
47      }
48  
49      public static function create($path, $mode = 0755)
50      {
51          return mkdir($path, $mode);
52      }
53  
54      public static function delete($path)
55      {
56          if(substr($path, strlen($path) - 1, 1) != '/') $path .= '/';
57  
58          $files = glob($path.'*', GLOB_MARK);
59          foreach($files as $file)
60          {
61              if(is_dir($file)) RTPROV_Folder::delete($file);
62              else unlink($file);
63          }
64  
65 return rmdir($path);
66 } 67
RTPROV_Menus_Dashboard::install /realtyna-provisioning/app/includes/menus/dashboard.php:412 (show/hide source)
392                  'messages' => array(
393                      array('text' => __("We couldn't find the installer class!", 'realtyna-provisioning'), 'type' => 'danger'),
394                  ),
395              ));
396          }
397  
398          $installer = new RTPROV_Installer();
399          if($installer->run())
400          {
401              // Remove the Package
402              RTPROV_Folder::delete($destination);
403  
404              $this->response(array(
405                  'success' => 1,
406                  'messages' => $installer->getLogs(),
407              ));
408          }
409          else
410          {
411              // Remove the Package
412 RTPROV_Folder::delete($destination);
413 414 $this->response(array(