Project: WordPress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165792 (2018-08-19 15:19:19)

Warning

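Many findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor! In this trace, for instance, the flagged http_build_query() line (api.php:105) sits in the non-POST branch of RTPROV_Api::call, while the frames listed below reach call() through postRequest(), which always passes 'POST'. Confirm that some caller actually reaches the sink before treating it as a finding.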

Details:

Sink Standard::http_build_query
Risk _POST
/realtyna-provisioning/app/includes/menus/dashboard.php:129 (show/hide source)
109              foreach($errors as $err) foreach($err as $er) $error .= '<li>'.$er.'</li>';
110              $error .= '</ul>';
111  
112              $this->response(array(
113                  'success' => 0,
114                  'error' => $error,
115              ));
116          }
117      }
118  
119      public function login()
120      {
121          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
122  
123          // Check if nonce is not set
124          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
125  
126          // Verify that the nonce is valid.
127          if(!wp_verify_nonce($wpnonce, 'rtprov_login')) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
128  
129 $email = isset($_POST['email']) ? sanitize_text_field($_POST['email']) : NULL;
130 $password = isset($_POST['password']) ? sanitize_text_field($_POST['password']) : NULL; 131
Threat level 1

Callstack:

RTPROV_Api::call /realtyna-provisioning/app/includes/api.php:105 (show/hide source)
85  
86      public function call($route, $args = array(), $method = 'POST', $auth = true)
87      {
88          // API URL to Call
89          $url = $this->url($route);
90  
91          // Init the CURL
92          $curl = curl_init();
93  
94          // Request Method
95          if($method == 'POST')
96          {
97              curl_setopt($curl, CURLOPT_POST, 1);
98  
99              // Request Payload
100              if(is_array($args) and count($args)) curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($args));
101          }
102          else
103          {
104              // Request Payload
105 if(is_array($args) and count($args)) $url = sprintf("%s?%s", $url, http_build_query($args));
106 } 107
RTPROV_Api::postRequest /realtyna-provisioning/app/includes/api.php:78 (show/hide source)
58          $JSON = $this->getRequest('packages/'.$id.'/download', $args, true);
59          return $this->toArray($JSON);
60      }
61  
62      public function types($args = array())
63      {
64          $JSON = $this->getRequest('types', $args, true);
65          return $this->toArray($JSON);
66      }
67  
68      public function token()
69      {
70          $JSON = $this->postRequest('users/token', array('auth_token' => $this->getAuthKey()), false);
71  
72          $response = $this->toArray($JSON);
73          return isset($response['token']) ? $response['token'] : false;
74  	}
75  
76      public function postRequest($route, $args = array(), $auth = true)
77      {
78 return $this->call($route, $args, 'POST', $auth);
79 } 80
RTPROV_Api::forgotPassword /realtyna-provisioning/app/includes/api.php:36 (show/hide source)
16  
17      /**
18  	 * Constructor method
19  	 */
20  	public function __construct()
21      {
22  	}
23  
24      public function register($args = array())
25      {
26          return $this->postRequest('users', $args, false);
27  	}
28  
29      public function login($args = array())
30      {
31          return $this->postRequest('users/login', $args, false);
32      }
33  
34      public function forgotPassword($args = array())
35      {
36 return $this->postRequest('users/forgot', $args, false);
37 } 38
RTPROV_Menus_Dashboard::forgot /realtyna-provisioning/app/includes/menus/dashboard.php:187 (show/hide source)
167          }
168      }
169  
170      public function forgot()
171      {
172          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
173  
174          // Check if nonce is not set
175          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
176  
177          // Verify that the nonce is valid.
178          if(!wp_verify_nonce($wpnonce, 'rtprov_forgot_password')) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
179  
180          $email = isset($_POST['email']) ? sanitize_text_field($_POST['email']) : NULL;
181  
182          // Init the API
183          $API = new RTPROV_Api();
184  
185          // Send the Forgot Password Request to Server
186          $JSON = $API->forgotPassword(array(
187 'email' => $email,
188 )); 189