Project: WordPress Plugin Realtyna Provisioning 1.0.0

Vulnerability: #9165795 (2018-08-19 15:19:20)

Warning

There are many false positives and unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::file_get_contents
Risk _GET
/realtyna-provisioning/app/html/menus/dashboard/steps/install.php:5
1  <?php
2  // no direct access
3  defined('ABSPATH') or die();
4  
5  $package_id = isset($_GET['install']) ? sanitize_text_field($_GET['install']) : 0;
6  $nonce = isset($_GET['_wpnonce']) ? sanitize_text_field($_GET['_wpnonce']) : NULL;
7
Threat level 2

Callstack:

RTPROV_File::download /realtyna-provisioning/app/includes/file.php:89
69                      curl_setopt($ch, CURLOPT_USERPWD, $authentication);
70                  }
71  
72                  $result = curl_exec($ch);
73                  curl_close($ch);
74              }
75          }
76  
77          // Doing FGC
78          if($result == false)
79          {
80              $http = array();
81  
82              if($post)
83              {
84                  $http['method'] = 'POST';
85                  $http['header'] = 'Content-Type: application/x-www-form-urlencoded';
86                  $http['content'] = (is_array($post) === true) ? http_build_query($post) : $post;
87              }
88  
89              $result = @file_get_contents($url, false, stream_context_create(array('http' => $http)));
90          }
91