Project: Wordpress Plugin Jetpack by WordPress.com 6.6.1

Vulnerability: #9217771 (2018-10-30 08:59:03)

Warning

There are many false positives or unexploitable vulnerabilities in these results. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::http_build_query
Risk _POST
/jetpack/class.jetpack.php:5459 (show/hide source)
5439  			$user = new WP_User( $user_id );
5440  			if ( ! $user || ! $user->exists() ) {
5441  				return false;
5442  			}
5443  		}
5444  
5445  		$token = Jetpack_Data::get_access_token( $user_id );
5446  		if ( ! $token ) {
5447  			return false;
5448  		}
5449  
5450  		$token_check = "$token_key.";
5451  		if ( ! hash_equals( substr( $token->secret, 0, strlen( $token_check ) ), $token_check ) ) {
5452  			return false;
5453  		}
5454  
5455  		require_once JETPACK__PLUGIN_DIR . 'class.jetpack-signature.php';
5456  
5457  		$jetpack_signature = new Jetpack_Signature( $token->secret, (int) Jetpack_Options::get_option( 'time_diff' ) );
5458  		if ( isset( $_POST['_jetpack_is_multipart'] ) ) {
5459 $post_data = $_POST;
5460 $file_hashes = array(); 5461 foreach ( $post_data as $post_data_key => $post_data_value ) {
Threat level 1

Callstack:

Jetpack::verify_xml_rpc_signature /jetpack/class.jetpack.php:5476 (show/hide source)
5456  
5457  		$jetpack_signature = new Jetpack_Signature( $token->secret, (int) Jetpack_Options::get_option( 'time_diff' ) );
5458  		if ( isset( $_POST['_jetpack_is_multipart'] ) ) {
5459  			$post_data   = $_POST;
5460  			$file_hashes = array();
5461  			foreach ( $post_data as $post_data_key => $post_data_value ) {
5462  				if ( 0 !== strpos( $post_data_key, '_jetpack_file_hmac_' ) ) {
5463  					continue;
5464  				}
5465  				$post_data_key = substr( $post_data_key, strlen( '_jetpack_file_hmac_' ) );
5466  				$file_hashes[$post_data_key] = $post_data_value;
5467  			}
5468  
5469  			foreach ( $file_hashes as $post_data_key => $post_data_value ) {
5470  				unset( $post_data["_jetpack_file_hmac_{$post_data_key}"] );
5471  				$post_data[$post_data_key] = $post_data_value;
5472  			}
5473  
5474  			ksort( $post_data );
5475  
5476 $body = http_build_query( stripslashes_deep( $post_data ) );
5477 } elseif ( is_null( $this->HTTP_RAW_POST_DATA ) ) { 5478 $body = file_get_contents( 'php://input' );
Jetpack::__construct /jetpack/class.jetpack.php:556 (show/hide source)
536  		add_action( 'init', array( $this, 'load_jetpack_gutenberg' ) );
537  
538  		add_action( 'set_user_role', array( $this, 'maybe_clear_other_linked_admins_transient' ), 10, 3 );
539  
540  		// Unlink user before deleting the user from .com
541  		add_action( 'deleted_user', array( $this, 'unlink_user' ), 10, 1 );
542  		add_action( 'remove_user_from_blog', array( $this, 'unlink_user' ), 10, 1 );
543  
544  		if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST && isset( $_GET['for'] ) && 'jetpack' == $_GET['for'] ) {
545  			@ini_set( 'display_errors', false ); // Display errors can cause the XML to be not well formed.
546  
547  			require_once JETPACK__PLUGIN_DIR . 'class.jetpack-xmlrpc-server.php';
548  			$this->xmlrpc_server = new Jetpack_XMLRPC_Server();
549  
550  			$this->require_jetpack_authentication();
551  
552  			if ( Jetpack::is_active() ) {
553  				// Hack to preserve $HTTP_RAW_POST_DATA
554  				add_filter( 'xmlrpc_methods', array( $this, 'xmlrpc_methods' ) );
555  
556 $signed = $this->verify_xml_rpc_signature();
557 if ( $signed && ! is_wp_error( $signed ) ) { 558 // The actual API methods.
Jetpack::init /jetpack/class.jetpack.php:352 (show/hide source)
332  	public $json_api_authorization_request = array();
333  
334  	/**
335  	 * @var string Transient key used to prevent multiple simultaneous plugin upgrades
336  	 */
337  	public static $plugin_upgrade_lock_key = 'jetpack_upgrade_lock';
338  
339  	/**
340  	 * Holds the singleton instance of this class
341  	 * @since 2.3.3
342  	 * @var Jetpack
343  	 */
344  	static $instance = false;
345  
346  	/**
347  	 * Singleton
348  	 * @static
349  	 */
350  	public static function init() {
351  		if ( ! self::$instance ) {
352 self::$instance = new Jetpack;
353 354 self::$instance->plugin_upgrade();
Jetpack_Admin_Page::__construct /jetpack/_inc/lib/admin-pages/class.jetpack-admin-page.php:31 (show/hide source)
11  	// Enqueue and localize page specific scripts
12  	abstract function page_admin_scripts();
13  
14  	// Render page specific HTML
15  	abstract function page_render();
16  
17  	/**
18  	 * Should we block the page rendering because the site is in IDC?
19  	 * @var bool
20  	 */
21  	static $block_page_rendering_for_idc;
22  
23  	/**
24  	 * Function called after admin_styles to load any additional needed styles.
25  	 *
26  	 * @since 4.3.0
27  	 */
28  	function additional_styles() {} // No-op by default; presumably overridden by concrete page classes that need extra styles after admin_styles.
29  
30  	function __construct() {
31 $this->jetpack = Jetpack::init();
32 self::$block_page_rendering_for_idc = ( 33 Jetpack::validate_sync_error_idc_option() && ! Jetpack_Options::get_option( 'safe_mode_confirmed' )
Jetpack_Admin::__construct /jetpack/class.jetpack-admin.php:37 (show/hide source)
/**
 * Return the shared Jetpack_Admin instance, creating it on first use.
 *
 * When the current request is for the Jetpack admin screen (`?page=jetpack`)
 * the `nocache_headers` filter is hooked so the response carries `no-store`.
 *
 * @return Jetpack_Admin
 */
static function init() {
	$on_jetpack_page = isset( $_GET['page'] ) && 'jetpack' === $_GET['page'];
	if ( $on_jetpack_page ) {
		// Priority 100: run after core has assembled its default no-cache set.
		add_filter( 'nocache_headers', array( 'Jetpack_Admin', 'add_no_store_header' ), 100 );
	}

	if ( null === self::$instance ) {
		self::$instance = new Jetpack_Admin;
	}

	return self::$instance;
}
27  
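/**
 * Append `no-store` to the Cache-Control header so the Jetpack admin page is
 * never persisted by browser or intermediary caches.
 *
 * Runs on the `nocache_headers` filter (hooked in init()). WordPress normally
 * supplies a Cache-Control value in that header set; if it is absent or empty
 * (another filter may have removed it), emit a bare `no-store` rather than a
 * header value that starts with ", ".
 *
 * @param array $headers Header name => value map passed by `nocache_headers`.
 * @return array The same map with `no-store` present in Cache-Control.
 */
static function add_no_store_header( $headers ) {
	if ( isset( $headers['Cache-Control'] ) && '' !== $headers['Cache-Control'] ) {
		$headers['Cache-Control'] .= ', no-store';
	} else {
		$headers['Cache-Control'] = 'no-store';
	}
	return $headers;
}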
32  
33  	private function __construct() {
34  		$this->jetpack = Jetpack::init();
35  
36  		jetpack_require_lib( 'admin-pages/class.jetpack-react-page' );
37 $this->jetpack_react = new Jetpack_React_Page;
38 39 jetpack_require_lib( 'admin-pages/class.jetpack-settings-page' );
Jetpack_Admin::init /jetpack/class.jetpack-admin.php:23 (show/hide source)
3  
4  // Build the Jetpack admin menu as a whole
5  class Jetpack_Admin {
6  
7  	/**
8  	 * @var Jetpack_Admin
9  	 **/
10  	private static $instance = null;
11  
12  	/**
13  	 * @var Jetpack
14  	 **/
15  	private $jetpack;
16  
17  	static function init() {
18  		if( isset( $_GET['page'] ) && $_GET['page'] === 'jetpack' ) {
19  			add_filter( 'nocache_headers', array( 'Jetpack_Admin', 'add_no_store_header' ), 100 );
20  		}
21  
22  		if ( is_null( self::$instance ) ) {
23 self::$instance = new Jetpack_Admin;
24 } 25 return self::$instance;
Jetpack_Modules_List_Table::__construct /jetpack/class.jetpack-modules-list-table.php:19 (show/hide source)
1  <?php
2  
3  if ( ! class_exists( 'WP_List_Table' ) )
4  	require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
5  
6  class Jetpack_Modules_List_Table extends WP_List_Table {
7  
8  	function __construct() {
9  		parent::__construct();
10  
11  		Jetpack::init();
12  
13  		// In WP 4.2 WP_List_Table will be sanitizing which values are __set()
14  		global $wp_version;
15  		if ( version_compare( $wp_version, '4.2-z', '>=' ) && $this->compat_fields && is_array( $this->compat_fields ) ) {
16  			array_push( $this->compat_fields, 'all_items' );
17  		}
18  
19 $this->items = $this->all_items = Jetpack_Admin::init()->get_modules();
20 $this->items = $this->filter_displayed_table_items( $this->items ); 21 /**