Project: WordPress Plugin Experitus Booking Form 0.4

Vulnerability: #6956626 (2017-12-07 12:52:10)

Warning

There are many false positives and unexploitable findings in these reports. Please build a working proof-of-concept (PoC) exploit before reporting anything to the vendor!

Details:

Sink Standard::http_build_query — the tainted value reaches http_build_query() only as an array value (callstack, line 70), which percent-encodes it, so it cannot add query parameters or change the target host/path; those come from EXPERITUS_URL and the plugin's stored options (line 56).
Risk _GET — $_GET['request_id'] (line 83) becomes the 'id' parameter of a server-side 'request/get' call made with the site's stored api_key (line 68), so any visitor reaching the shortcode page can trigger that lookup for an arbitrary id; whether that matters depends on what the code after line 85 (not shown here) does with $response.
/experitus-form/includes/controllers/experitus-form-controller.php:83
63  							echo '<script type="text/javascript">window.location.href="'.$response['redirect_url'].'"</script>';
64  							exit;
65  						}
66  						if ($response['result'] == 'success') {
67  							$this->add_notification( 'success', __( 'Your order was successfully submited! We will contact you as soon as possible.' ) );
68  						}
69  						elseif (isset( $response['errors'] )) {
70  							$this->add_notification( 'error', implode( ' ', $response['errors'] ) );
71  						}
72  						else {
73  							$this->add_notification( 'error', __( 'Something went wrong! Your order was not submitted.' ) ); 
74  						}
75  					}
76  				}
77  			}
78  		}
79  		
80  		// after paypal case
81  		if ( isset( $_GET['referrer_paypal'] ) && isset( $_GET['request_id'] ) ) {
82  			$this->add_notification( 'success', __( 'Your order was successfully submited! We will contact you as soon as possible.' ) );
83 $server_response = $this->make_api_request( 'request/get', 'GET', null, ['id' => $_GET['request_id']] );
84 $response = json_decode( $server_response['body'], true ); 85 if ( $response['result'] == 'success' ) {
Threat level 1 (reviewer note: independently of the flagged sink, line 82 adds the 'success' notification before the API call on line 83 is made, so that message is shown whenever referrer_paypal and request_id are present in the query string, regardless of the API's answer; the handling after line 85 is not shown here.)

Callstack:

experitusBaseController::make_api_request /experitus-form/includes/controllers/experitus-base-controller.php:70
50  	/** 
51  	 * Generates and returns api action url
52  	 */
53  	protected function get_api_url( $action, $company_alias = null ) {
54  		if ( !$company_alias )
55  			$company_alias = $this->options['connection_data']['company_alias'];
56  		return EXPERITUS_URL . 'en/' . $company_alias . '/api/' . $action . '/';
57  	}
58  	
59  	/** 
60  	 * Performs API request
61  	 */
62  	 protected function make_api_request( $action, $method = 'GET', $company_alias = null, array $params = array(), array $args = array() ) {
63  		$api_url = $this->get_api_url( $action, $company_alias );
64  		if ( !isset($args['sslverify']) || !$args['sslverify'] )
65  			$args['sslverify'] = (bool) $this->options['ssl_verifypeer'];
66  		$args['timeout'] = 10;
67  		if ( !isset($params['api_key']) || !$params['api_key'] )
68  			$params['api_key'] = $this->options['connection_data']['api_key'];
69  		if (strtoupper($method) == 'GET') {
70 $url = $api_url . '?' . http_build_query( $params );
71 return wp_remote_get( $url, $args ); 72 }
experitusFormController::handle_shortcode /experitus-form/includes/controllers/experitus-form-controller.php:83
63  							echo '<script type="text/javascript">window.location.href="'.$response['redirect_url'].'"</script>';
64  							exit;
65  						}
66  						if ($response['result'] == 'success') {
67  							$this->add_notification( 'success', __( 'Your order was successfully submited! We will contact you as soon as possible.' ) );
68  						}
69  						elseif (isset( $response['errors'] )) {
70  							$this->add_notification( 'error', implode( ' ', $response['errors'] ) );
71  						}
72  						else {
73  							$this->add_notification( 'error', __( 'Something went wrong! Your order was not submitted.' ) ); 
74  						}
75  					}
76  				}
77  			}
78  		}
79  		
80  		// after paypal case
81  		if ( isset( $_GET['referrer_paypal'] ) && isset( $_GET['request_id'] ) ) {
82  			$this->add_notification( 'success', __( 'Your order was successfully submited! We will contact you as soon as possible.' ) );
83 $server_response = $this->make_api_request( 'request/get', 'GET', null, ['id' => $_GET['request_id']] );
84 $response = json_decode( $server_response['body'], true ); 85 if ( $response['result'] == 'success' ) {