Warning

This report contains many false positives and unexploitable findings. Build a working proof-of-concept (PoC) that confirms the issue before reporting anything to the vendor.

Details:

Sink: fake_wpdb::insert
Risk source: $_POST
/social-booster/admin/class-rx-sb-ajax.php:74
54  
55    /*
56     * Schedule post
57     */
58    function rx_sb_schedule() {
59  
60      $postid = sanitize_text_field($_POST['postid']);
61      $post_status = get_post_status($postid);
62      if ($post_status != 'publish') {
63        wp_send_json_error('<span>Warning:</span> This post is not published yet');
64      }
65      $message = "";
66      $message = $_POST['message'];
67      $media = $_POST['media'];
68      $post_permalink = get_permalink($postid);
69      $post_meta = array(
70        'message'=> $message,
71        'link'=> $post_permalink,
72      );
73      $post_meta = serialize($post_meta);
74 $schedule = $_POST['schedule'];
75 $current_time = current_time('mysql', false); 76
Threat level: 2

Call stack:

Rx_Sb_Ajax::rx_sb_schedule /social-booster/admin/class-rx-sb-ajax.php:201
181                  if ($info->network == 'tumblr') {
182                    $data_post = $tumblr->sb_send_feed_to_tumblr($postid, $info->profile_id, $info->id, $message, $post_permalink);
183                  }
184                  if ($info->network == 'linkedin') {
185                    $linkedin = new Rx_Sb_Linkedin();
186                    $data_post = $linkedin->sb_send_feed_to_linkedin($postid, $info->profile_id, $info->id, $message, $post_permalink);
187                  }
188                  if ($info->network == 'reddit') {
189                    $reddit = new Rx_Sb_Reddit();
190                    $data_post = $reddit->sb_send_feed_to_reddit($postid, $info->profile_id, $info->id, $message, $post_permalink);
191                  }
192                  $wpdb->insert(
193                      $schedule_table,
194                      array(
195                          'post_id' => $postid,
196                          'post_meta' => $post_meta,
197                          'profile_id' => $info->profile_id,
198                          'network_id' => $info->id,
199                          'share_type' => 'scheduled',
200                          'schedule_type' => $schedule,
201 'schedule_time' => $schedule_time,
202 ) 203 );