Project: WordPress Plugin Jetpack by WordPress.com 6.6.1

Vulnerability: #9217764 (2018-10-30 08:58:36)

Warning

Many reported findings are false positives or unexploitable. Please build a working proof-of-concept (PoC) exploit before reporting anything to the vendor.

Details:

Sink Standard::http_build_query
Risk _POST
/jetpack/class.jetpack.php:5459 (show/hide source)
5439  			$user = new WP_User( $user_id );
5440  			if ( ! $user || ! $user->exists() ) {
5441  				return false;
5442  			}
5443  		}
5444  
5445  		$token = Jetpack_Data::get_access_token( $user_id );
5446  		if ( ! $token ) {
5447  			return false;
5448  		}
5449  
5450  		$token_check = "$token_key.";
5451  		if ( ! hash_equals( substr( $token->secret, 0, strlen( $token_check ) ), $token_check ) ) {
5452  			return false;
5453  		}
5454  
5455  		require_once JETPACK__PLUGIN_DIR . 'class.jetpack-signature.php';
5456  
5457  		$jetpack_signature = new Jetpack_Signature( $token->secret, (int) Jetpack_Options::get_option( 'time_diff' ) );
5458  		if ( isset( $_POST['_jetpack_is_multipart'] ) ) {
5459 $post_data = $_POST;
5460 $file_hashes = array(); 5461 foreach ( $post_data as $post_data_key => $post_data_value ) {
Threat level 1

Callstack:

Jetpack::verify_xml_rpc_signature /jetpack/class.jetpack.php:5476 (show/hide source)
5456  
5457  		$jetpack_signature = new Jetpack_Signature( $token->secret, (int) Jetpack_Options::get_option( 'time_diff' ) );
5458  		if ( isset( $_POST['_jetpack_is_multipart'] ) ) {
5459  			$post_data   = $_POST;
5460  			$file_hashes = array();
5461  			foreach ( $post_data as $post_data_key => $post_data_value ) {
5462  				if ( 0 !== strpos( $post_data_key, '_jetpack_file_hmac_' ) ) {
5463  					continue;
5464  				}
5465  				$post_data_key = substr( $post_data_key, strlen( '_jetpack_file_hmac_' ) );
5466  				$file_hashes[$post_data_key] = $post_data_value;
5467  			}
5468  
5469  			foreach ( $file_hashes as $post_data_key => $post_data_value ) {
5470  				unset( $post_data["_jetpack_file_hmac_{$post_data_key}"] );
5471  				$post_data[$post_data_key] = $post_data_value;
5472  			}
5473  
5474  			ksort( $post_data );
5475  
5476 $body = http_build_query( stripslashes_deep( $post_data ) );
5477 } elseif ( is_null( $this->HTTP_RAW_POST_DATA ) ) { 5478 $body = file_get_contents( 'php://input' );
Jetpack::__construct /jetpack/class.jetpack.php:568 (show/hide source)
548  			$this->xmlrpc_server = new Jetpack_XMLRPC_Server();
549  
550  			$this->require_jetpack_authentication();
551  
552  			if ( Jetpack::is_active() ) {
553  				// Hack to preserve $HTTP_RAW_POST_DATA
554  				add_filter( 'xmlrpc_methods', array( $this, 'xmlrpc_methods' ) );
555  
556  				$signed = $this->verify_xml_rpc_signature();
557  				if ( $signed && ! is_wp_error( $signed ) ) {
558  					// The actual API methods.
559  					add_filter( 'xmlrpc_methods', array( $this->xmlrpc_server, 'xmlrpc_methods' ) );
560  				} else {
561  					// The jetpack.authorize method should be available for unauthenticated users on a site with an
562  					// active Jetpack connection, so that additional users can link their account.
563  					add_filter( 'xmlrpc_methods', array( $this->xmlrpc_server, 'authorize_xmlrpc_methods' ) );
564  				}
565  			} else {
566  				// The bootstrap API methods.
567  				add_filter( 'xmlrpc_methods', array( $this->xmlrpc_server, 'bootstrap_xmlrpc_methods' ) );
568 $signed = $this->verify_xml_rpc_signature();
569 if ( $signed && ! is_wp_error( $signed ) ) { 570 // the jetpack Provision method is available for blog-token-signed requests
Jetpack::init /jetpack/class.jetpack.php:352 (show/hide source)
332  	public $json_api_authorization_request = array();
333  
334  	/**
335  	 * @var string Transient key used to prevent multiple simultaneous plugin upgrades
336  	 */
337  	public static $plugin_upgrade_lock_key = 'jetpack_upgrade_lock';
338  
339  	/**
340  	 * Holds the singleton instance of this class
341  	 * @since 2.3.3
342  	 * @var Jetpack
343  	 */
344  	static $instance = false;
345  
346  	/**
347  	 * Singleton
348  	 * @static
349  	 */
350  	public static function init() {
351  		if ( ! self::$instance ) {
352 self::$instance = new Jetpack;
353 354 self::$instance->plugin_upgrade();
Jetpack::activate_module /jetpack/class.jetpack.php:2911 (show/hide source)
2891  		 *
2892  		 * @param string $min_version Minimum version number required to use modules.
2893  		 * @param string $max_version Maximum version number required to use modules.
2894  		 * @param array $other_modules Array of other modules to activate alongside the default modules.
2895  		 */
2896  		do_action( 'jetpack_activate_default_modules', $min_version, $max_version, $other_modules );
2897  	}
2898  
2899  	public static function activate_module( $module, $exit = true, $redirect = true ) {
2900  		/**
2901  		 * Fires before a module is activated.
2902  		 *
2903  		 * @since 2.6.0
2904  		 *
2905  		 * @param string $module Module slug.
2906  		 * @param bool $exit Should we exit after the module has been activated. Default to true.
2907  		 * @param bool $redirect Should the user be redirected after module activation? Default to true.
2908  		 */
2909  		do_action( 'jetpack_pre_activate_module', $module, $exit, $redirect );
2910  
2911 $jetpack = Jetpack::init();
2912 2913 if ( ! strlen( $module ) )
Jetpack_Search_Widget::activate_search /jetpack/modules/widgets/search.php:106 (show/hide source)
86  
87  		add_action( 'jetpack_search_render_filters_widget_title', array( 'Jetpack_Search_Template_Tags', 'render_widget_title' ), 10, 3 );
88  		add_action( 'jetpack_search_render_filters', array( 'Jetpack_Search_Template_Tags', 'render_available_filters' ), 10, 2 );
89  	}
90  
91  	/**
92  	 * Check whether search is currently active
93  	 *
94  	 * @since 6.3
95  	 */
96  	public function is_search_active() {
97  		return Jetpack::is_module_active( 'search' );
98  	}
99  
100  	/**
101  	 * Activate search
102  	 *
103  	 * @since 6.3
104  	 */
105  	public function activate_search() {
106 Jetpack::activate_module( 'search', false, false );
107 } 108
Jetpack_Search_Widget::__construct /jetpack/modules/widgets/search.php:78 (show/hide source)
58  	 * @since 5.0.0
59  	 */
60  	public function __construct( $name = null ) {
61  		if ( empty( $name ) ) {
62  			$name = esc_html__( 'Search', 'jetpack' );
63  		}
64  		parent::__construct(
65  			Jetpack_Search_Helpers::FILTER_WIDGET_BASE,
66  			/** This filter is documented in modules/widgets/facebook-likebox.php */
67  			apply_filters( 'jetpack_widget_name', $name ),
68  			array(
69  				'classname'   => 'jetpack-filters widget_search',
70  				'description' => __( 'Replaces the default search with an Elasticsearch-powered search interface and filters.', 'jetpack' ),
71  			)
72  		);
73  
74  		if (
75  			Jetpack_Search_Helpers::is_active_widget( $this->id ) &&
76  			! $this->is_search_active()
77  		) {
78 $this->activate_search();
79 } 80