Project: Wordpress Plugin Social Media Auto Post and Schedule Plugin – Social Booster 3.3.2

Vulnerability: #9253350 (2019-10-08 06:39:55)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink fake_wpdb::insert
Risk _POST
/social-booster/admin/class-rx-sb-ajax.php:60 (show/hide source) 
40            if ($info->network == 'facebook') {
41              $data_post = $facebook->sb_send_feed_to_facebook($postid, $info->profile_id, $info->id, $message, $post_permalink);
42            }
43            if ($info->network == 'twitter') {
44              $data_post = $twitter->sb_send_feed_to_twitter($postid, $info->profile_id, $info->id, $message, $post_permalink);
45            }
46            if ($info->network == 'tumblr') {
47              $data_post = $tumblr->sb_send_feed_to_tumblr($postid, $info->profile_id, $info->id, $message, $post_permalink);
48            }
49          }
50        }
51      }
52      die();
53    }
54  
55    /*
56     * Schedule post
57     */
58    function rx_sb_schedule() {
59  

60      $postid = sanitize_text_field($_POST['postid']);

61      $post_status = get_post_status($postid);
62      if ($post_status != 'publish') {
Threat level 2

Callstack:

Rx_Sb_Ajax::rx_sb_schedule /social-booster/admin/class-rx-sb-ajax.php:146 (show/hide source) 
126                  $data_post = $reddit->sb_send_feed_to_reddit($postid, $info->profile_id, $info->id, $message, $post_permalink);
127                }
128              }
129            }
130          }
131        }
132        elseif($schedule == 'none') {
133          if ($_POST['scdatetime'] != "none") {
134            if (!in_array($info->id, $media)) {
135              if ($info->auth_status == 'active' && $info->auth_con == 'active') {
136                if(array_key_exists($info->network, $premium_networks)) {
137                  $wpdb->insert(
138                      $schedule_table,
139                      array(
140                          'post_id' => $postid,
141                          'post_meta' => $post_meta,
142                          'profile_id' => $info->profile_id,
143                          'network_id' => $info->id,
144                          'share_type' => 'scheduled',
145                          'schedule_type' => $schedule,

146                          'schedule_time' => $schedule_time,

147                      )
148                  );
Donations: BTC: 3Ad7PMcMXD5jAbCVhPVzhwPxiyQ5u141UT ETH: 0x8986ebDE686FEF47C724320EEE0C39B7C0fBf7f1 XMR: 46Fu9dwcPuDXZD5yqzqD7Y8VUBdGCscgCbVEeNSnS67zRu2hRhBMyi1KR3LAsisSXhaMNk9mihfFQ7utVjfs562PReYAnpG

Copyright (C) 2018 by php-grinder.com