Project: Wordpress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165794 (2018-08-19 15:19:19)

Warning

Many reported findings are false positives or unexploitable vulnerabilities. Please build a working proof-of-concept (PoC) exploit before reporting anything to the vendor!

Details:

Sink Standard::file_put_contents
Risk _POST
/realtyna-provisioning/app/includes/menus/dashboard.php:347
327              );
328  
329              $this->response(array(
330                  'success' => 0,
331                  'messages' => $messages,
332              ));
333          }
334      }
335  
336      public function install()
337      {
338          $wpnonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : NULL;
339          $package_id = isset($_POST['id']) ? $_POST['id'] : 0;
340  
341          // Check if nonce is not set
342          if(!trim($wpnonce)) $this->response(array('success'=>0, 'code'=>'NONCE_MISSING', 'message'=>__('Security Nonce is Missed!', 'realtyna-provisioning')));
343  
344          // Verify that the nonce is valid.
345          if(!wp_verify_nonce($wpnonce, 'rtprov-install-do-'.$package_id)) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
346  
347 $package = isset($_POST['package']) ? $_POST['package'] : NULL;
348 $destination = str_replace('package.zip', '', $package); 349
Threat level 2

Callstack:

RTPROV_File::write /realtyna-provisioning/app/includes/file.php:34
14  {
15      /**
16  	 * Constructor method
17  	 */
18  	public function __construct()
19      {
20  	}
21  
22      public static function read($path)
23      {
24          return file_get_contents($path);
25      }
26  
27      public static function exists($path)
28      {
29          return file_exists($path);
30      }
31  
32      public static function write($path, $content)
33      {
34 return file_put_contents($path, $content);
35 } 36
RTPROV_Menus_Dashboard::download /realtyna-provisioning/app/includes/menus/dashboard.php:296
276  
277          // Verify that the nonce is valid.
278          if(!wp_verify_nonce($wpnonce, 'rtprov-install-do-'.$package_id)) $this->response(array('success'=>0, 'code'=>'NONCE_IS_INVALID', 'message'=>__('Security Nonce is Invalid!', 'realtyna-provisioning')));
279  
280          // Init the API
281          $API = new RTPROV_Api();
282  
283          // Send the Download Request to Server
284          $response = $API->download($package_id, array(
285              'site' => trim(get_home_url(), '/ '),
286          ));
287  
288          if(isset($response['download']))
289          {
290              $file = new RTPROV_File();
291              $folder = new RTPROV_Folder();
292  
293              $buffer = $file->download($response['download']);
294              $destination = $folder->getTempDirectory().'/package.zip';
295  
296 $wrote = $file->write($destination, $buffer);
297 298 if($wrote)