Warning

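Many of these findings are false positives or describe flaws that cannot be exploited in practice. A flagged data flow only shows that request input reaches a sink; it does not show that the input arrives unescaped or that an unprivileged user can reach the code. Please confirm each finding with a working proof of concept (PoC) before reporting anything to the vendor!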

Details:

Sink fake_wpdb::insert
Risk _POST
/social-booster/admin/class-rx-sb-ajax.php:74
54  
55    /*
56     * Schedule post
57     */
58    function rx_sb_schedule() {
59  
60      $postid = sanitize_text_field($_POST['postid']);
61      $post_status = get_post_status($postid);
62      if ($post_status != 'publish') {
63        wp_send_json_error('<span>Warning:</span> This post is not published yet');
64      }
65      $message = "";
66      $message = $_POST['message'];
67      $media = $_POST['media'];
68      $post_permalink = get_permalink($postid);
69      $post_meta = array(
70        'message'=> $message,
71        'link'=> $post_permalink,
72      );
73      $post_meta = serialize($post_meta);
74 $schedule = $_POST['schedule'];
75 $current_time = current_time('mysql', false); 76
Threat level 2

Callstack:

Rx_Sb_Ajax::rx_sb_schedule /social-booster/admin/class-rx-sb-ajax.php:146
126                  $data_post = $reddit->sb_send_feed_to_reddit($postid, $info->profile_id, $info->id, $message, $post_permalink);
127                }
128              }
129            }
130          }
131        }
132        elseif($schedule == 'none') {
133          if ($_POST['scdatetime'] != "none") {
134            if (!in_array($info->id, $media)) {
135              if ($info->auth_status == 'active' && $info->auth_con == 'active') {
136                if(array_key_exists($info->network, $premium_networks)) {
137                  $wpdb->insert(
138                      $schedule_table,
139                      array(
140                          'post_id' => $postid,
141                          'post_meta' => $post_meta,
142                          'profile_id' => $info->profile_id,
143                          'network_id' => $info->id,
144                          'share_type' => 'scheduled',
145                          'schedule_type' => $schedule,
146 'schedule_time' => $schedule_time,
147 ) 148 );