Project: Wordpress Plugin Experitus Booking Form 0.4

Vulnerability: #6956625 (2017-12-07 12:52:10)

Warning

There are many false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::http_build_query
Risk _POST
/experitus-form/includes/controllers/experitus-form-controller.php:48
28  		if ( is_ssl() && $this->options['payments_data'] && isset( $this->options['payments_data']['gateway'] ) ) {
29  			if ( $this->options['payments_data']['gateway'] == 'paypal' ) {
30  				$this->payment_method = 'paypal';
31  			}
32  			elseif ( $this->options['payments_data']['gateway'] == 'stripe' && isset( $this->options['payments_data']['stripe_public_key'] ) ) {
33  				$this->payment_method = 'stripe';
34  			}
35  		}
36  		
37  		//submitted form processing
38  		if ( isset( $_POST['Request'] ) && isset( $_POST['RequestItem'] ) ) {
39  			if ( !wp_verify_nonce( $_POST['experitus_non_ce'], 'experitus_order_request' ) ) {
40  				wp_nonce_ays ( 'experitus_order_request' );
41  			}
42  			else {
43  				$validation_result = $this->validate_form();
44  				if ( $validation_result === true ) {
45  					$request_data = $this->sanitize_form($_POST['Request']);
46  					$request_data['items'][0] = $this->sanitize_form($_POST['RequestItem'][0]);
47  					if ( $this->payment_method == 'stripe' && $_POST['stripe_token'] ) {
48 $request_data['stripe_token'] = $_POST['stripe_token'];
49 } 50 elseif ( $this->payment_method == 'paypal' ) {
Threat level 1

Callstack:

experitusBaseController::make_api_request /experitus-form/includes/controllers/experitus-base-controller.php:70
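/**
 * Builds the absolute URL of an Experitus API action.
 *
 * The result is EXPERITUS_URL . 'en/<alias>/api/<action>/'. make_api_request()
 * uses it as the request target and, for GET, appends the params (including
 * api_key) to it as a query string, so the key travels in the URL itself.
 *
 * @param string      $action        API action path placed after '/api/'. It may
 *                                   legitimately contain slashes (e.g. 'request/add'),
 *                                   so it is concatenated as given, not encoded.
 * @param string|null $company_alias Company alias used as one path segment; when
 *                                   empty, the alias stored in the plugin's
 *                                   connection_data options is used instead.
 * @return string Full URL, always ending with a trailing slash.
 */
protected function get_api_url( $action, $company_alias = null ) {
	if ( !$company_alias ) {
		$company_alias = $this->options['connection_data']['company_alias'];
	}
	// The alias is a single path segment: percent-encode it so a stored value
	// containing '/', '?' or '#' cannot redirect the request to a different route.
	// For a plain slug (letters, digits, '-', '_') the encoding is the identity.
	return EXPERITUS_URL . 'en/' . rawurlencode( $company_alias ) . '/api/' . $action . '/';
}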
58  	
59  	/** 
60  	 * Performs API request
61  	 */
62  	 protected function make_api_request( $action, $method = 'GET', $company_alias = null, array $params = array(), array $args = array() ) {
63  		$api_url = $this->get_api_url( $action, $company_alias );
64  		if ( !isset($args['sslverify']) || !$args['sslverify'] )
65  			$args['sslverify'] = (bool) $this->options['ssl_verifypeer'];
66  		$args['timeout'] = 10;
67  		if ( !isset($params['api_key']) || !$params['api_key'] )
68  			$params['api_key'] = $this->options['connection_data']['api_key'];
69  		if (strtoupper($method) == 'GET') {
70 $url = $api_url . '?' . http_build_query( $params );
71 return wp_remote_get( $url, $args ); 72 }
experitusFormController::handle_shortcode /experitus-form/includes/controllers/experitus-form-controller.php:55
35  		}
36  		
37  		//submitted form processing
38  		if ( isset( $_POST['Request'] ) && isset( $_POST['RequestItem'] ) ) {
39  			if ( !wp_verify_nonce( $_POST['experitus_non_ce'], 'experitus_order_request' ) ) {
40  				wp_nonce_ays ( 'experitus_order_request' );
41  			}
42  			else {
43  				$validation_result = $this->validate_form();
44  				if ( $validation_result === true ) {
45  					$request_data = $this->sanitize_form($_POST['Request']);
46  					$request_data['items'][0] = $this->sanitize_form($_POST['RequestItem'][0]);
47  					if ( $this->payment_method == 'stripe' && $_POST['stripe_token'] ) {
48  						$request_data['stripe_token'] = $_POST['stripe_token'];
49  					}
50  					elseif ( $this->payment_method == 'paypal' ) {
51  						$request_data['is_wordpress_plugin'] = 1;
52  						$request_data['referrer'] = urlencode( 'http'.(is_ssl() ? 's' : '').'://'.$_SERVER["HTTP_HOST"] . $_SERVER['REQUEST_URI'] );
53  					}
54  					
55 $server_response = $this->make_api_request('request/add', 'POST', null, $request_data);
56 57 if ( is_wp_error( $server_response ) ) {