Project: Wordpress Plugin Advanced Access Manager 5.9.8

Vulnerability: #9252754 (2019-07-22 10:09:33)

Warning

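Automated findings like this one include many false positives and vulnerabilities that cannot be exploited in practice. Before reporting anything to the vendor, confirm with a working proof of concept (PoC) that the flagged input really reaches and influences the sink along the listed call stack.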

Details:

Sink Standard::call_user_func
Risk _SERVER
/advanced-access-manager/application/Core/Request.php:73
53       *
54       * @access public
55       * @static
56       */
public static function request($param = null, $default = null) {
    // $_REQUEST is populated from the client request (GET/POST and,
    // depending on the request_order setting, cookies). No filtering is
    // visible in this method, so callers should treat the result as
    // untrusted input.
    // NOTE(review): how a null $param or a missing key is handled is
    // decided inside readArray(), which is not shown here.
    $value = self::readArray($_REQUEST, $param, $default);

    return $value;
}
60      
/**
 * Read a value from the global $_SERVER array.
 *
 * The lookup itself is delegated to self::readArray(); that helper is
 * not shown here, so the handling of a null $param or of a missing key
 * is presumably "return the whole array" / "return $default".
 * TODO confirm against readArray().
 *
 * Security note: several $_SERVER entries (for example REQUEST_URI,
 * SCRIPT_NAME and every HTTP_* header) are derived from the client
 * request. No filtering is visible in this method, so callers should
 * validate or escape the result for the context in which it is used.
 *
 * @param string $param   Key to read from $_SERVER
 * @param mixed  $default Fallback value handed to readArray()
 *
 * @return mixed
 *
 * @access public
 * @static
 */
public static function server($param = null, $default = null) {
    $value = self::readArray($_SERVER, $param, $default);

    return $value;
}
Threat level 0

Callstack:

AAM_Core_API::redirect /advanced-access-manager/application/Core/API.php:371
351      /**
352       * Redirect request
353       * 
354       * Redirect user based on defined $rule
355       * 
356       * @param mixed $rule
357       * @param mixed $args
358       * 
359       * @access public
360       */
361      public static function redirect($rule, $args = null) {
362          $path = wp_parse_url($rule);
363          
364          if ($path && !empty($path['host'])) {
365              wp_redirect($rule, 307); exit;
366          } elseif (preg_match('/^[\d]+$/', $rule)) {
367              wp_safe_redirect(get_page_link($rule), 307); exit;
368          } elseif (is_callable($rule)) {
369              call_user_func($rule, $args);
370          } elseif (!empty($args['callback']) && is_callable($args['callback'])) {
371 call_user_func($args['callback'], $rule, '', array());
372 } else { 373 wp_die($rule);
AAM_Core_API::reject /advanced-access-manager/application/Core/API.php:344
324                  );
325              } elseif (!empty($type) && ($type !== 'default')) {
326                  $redirect = $object->get("{$area}.redirect.{$type}");
327              } else { //ConfigPress setup
328                  $redirect = AAM_Core_Config::get(
329                      "{$area}.access.deny.redirectRule", __('Access Denied', AAM_KEY)
330                  );
331              }
332              
333              $doRedirect = true;
334              
335              if ($type === 'page') {
336                  $page = self::getCurrentPost();
337                  $doRedirect = (empty($page) || ($page->ID !== intval($redirect)));
338              } elseif ($type === 'url') {
339                  $doRedirect = strpos($redirect, AAM_Core_Request::server('REQUEST_URI')) === false;
340              }
341              
342              if ($doRedirect) {
343                  do_action('aam-access-rejected-action', $area, $args);
344 self::redirect($redirect, $args);
345 } 346 } else {
AAM_Backend_Authorization::checkScreenAccess /advanced-access-manager/application/Backend/Authorization.php:72
52          //compile menu
53          $menu = $plugin_page;
54          
55          if (empty($menu)){
56              $menu     = basename(AAM_Core_Request::server('SCRIPT_NAME'));
57              $taxonomy = AAM_Core_Request::get('taxonomy');
58              $postType = AAM_Core_Request::get('post_type');
59              $page     = AAM_Core_Request::get('page');
60              
61              if (!empty($taxonomy)) {
62                  $menu .= '?taxonomy=' . $taxonomy;
63              } elseif (!empty($postType) && ($postType !== 'post')) {
64                  $menu .= '?post_type=' . $postType;
65              } elseif (!empty($page)) {
66                  $menu .= '?page=' . $page;
67              }
68          }
69          
70          if (AAM::getUser()->getObject('menu')->has($menu, true)) {
71              AAM_Core_API::reject(
72 'backend', array('hook' => 'access_backend_menu', 'id' => $menu)
73 ); 74 }