Project: WordPress Plugin Islamic Content Archive 2.0

Vulnerability: #7371202 (2018-01-13 00:06:11)

Warning

Many of these findings are false positives or vulnerabilities that cannot be exploited. Please confirm a finding with a working proof of concept ("PoC") before reporting anything to the vendor!

Details:

Sink fake_wpdb::get_row
Risk _GET
/islamic-content-archive/views/categories.php:4 (show/hide source)
1  <?php
2  $Html = new html_helper();
3  global $categories,$ica_categories_lang;
4 $category_slug = esc_attr($_GET['cat_slug']);
5 6 $ica_lang = get_option(ICA_Input_SLUG.'language');
Threat level 2

Callstack:

@FUNCTION::ica_get_transient /islamic-content-archive/lib/function.php:104 (show/hide source)
84  	}
85  
86  }
87  
if (!function_exists('ica_set_transient')) {
	/**
	 * Store a value under a key in the plugin's own key/value table.
	 *
	 * The table name is the WordPress table prefix followed by ICA_DB_Table.
	 * Array values are JSON-encoded before storage; any other value is passed
	 * through unchanged.
	 *
	 * Security note: the write goes through $wpdb->insert() with explicit '%s'
	 * formats, so both the key and the value are handed to the database layer
	 * as string parameters instead of being spliced into SQL text. The read
	 * path in ica_get_transient() does not follow this pattern: it interpolates
	 * $slug directly into the query string.
	 *
	 * @param mixed $slug Key stored in the `ica_key` column.
	 * @param mixed $data Value stored in the `ica_value` column.
	 * @return mixed The return value of $wpdb->insert() (in WordPress, the
	 *               number of rows inserted, or false on error).
	 */
	function ica_set_transient($slug, $data) {
		global $wpdb;

		// Only arrays are serialised; scalars and objects are stored as given.
		$payload = is_array($data) ? json_encode($data) : $data;

		$table = $wpdb->prefix . ICA_DB_Table;
		$row = array('ica_key' => $slug, 'ica_value' => $payload);

		return $wpdb->insert($table, $row, array('%s', '%s'));
	}

}
98  
99  if (!function_exists('ica_get_transient')) {
100  	function ica_get_transient($slug) {
101  		global $wpdb;
102  		$result = array();
103  		$tablename = $wpdb -> prefix . ICA_DB_Table;
104 $return = $wpdb -> get_row("SELECT * FROM `$tablename` WHERE `ica_key`='$slug'");
105 if ($return) { 106 $result['id'] = $return -> id;
html_helper::categoryFromTransient /islamic-content-archive/lib/html_helper.php:181 (show/hide source)
161  		if($source->status == 'ok' && !empty($source->categories)){
162  			foreach ($source->categories as $key => $value) {
163  				if(is_array($value)){
164  					foreach ($value as $_key => $_value) {
165  						$catList[$_value->slug] =  $_value->title;
166  					}
167  				}else{
168  					$catList[$value->slug] = $value->title;//.sprintf('<b> %s </b>',$value->post_count);
169  				}
170  				
171  				
172  			}
173  			return $catList;
174  		}
175  		
176  		return array();
177  	}
178  	
179  	public function categoryFromTransient($url=NULL,$slug)
180  	{
181 $oldData = ica_get_transient($slug);
182 if(!empty($oldData)){ 183 return (array)$oldData['ica_value'];
@INLINE::/islamic-content-archive/views/categories.php /islamic-content-archive/views/categories.php:10 (show/hide source)
1  <?php
   // View script for the category page. It reads the `cat_slug` query-string
   // parameter, looks up that category's 'url' and 'cat' entries for the
   // configured language in $ica_categories_lang, builds a storage key from
   // the slug and the language, and asks html_helper for the category options.
2  $Html = new html_helper();
3  global $categories,$ica_categories_lang;
   // Taint source: the value comes straight from the request. No isset() check
   // is visible here, so a request without `cat_slug` reads an undefined index.
   // esc_attr() is an HTML-attribute output escaper; it is the only processing
   // applied to the value in this listing and is not a SQL-context defence.
   // NOTE(review): esc_attr() entity-encodes quote characters, which may be why
   // this path is hard to exploit in practice - confirm before relying on it.
4  $category_slug = esc_attr($_GET['cat_slug']);
5  
   // Language setting read from the WordPress options table.
6  $ica_lang = get_option(ICA_Input_SLUG.'language');
   // The request-derived slug is used as an array key. No check that the key
   // exists in $ica_categories_lang is visible, so an unknown slug presumably
   // leaves $link and $jsoncaturl as null - TODO confirm how the template below
   // handles that. Validating the slug against these known keys would also
   // act as an allow-list for everything that follows.
7  $link = $ica_categories_lang[$ica_lang][$category_slug]['url'];
8  $jsoncaturl = $ica_categories_lang[$ica_lang][$category_slug]['cat'];
   // Storage key: "<slug>_<language>". Still carries the request-derived slug.
9  $slug = $category_slug.'_'.$ica_lang;
   // Sink path: html_helper::categoryFromTransient() passes $slug unchanged to
   // ica_get_transient(), which interpolates it into the SELECT string given to
   // $wpdb->get_row() (lib/function.php:104). The durable fix belongs there:
   // build that query with $wpdb->prepare() and a %s placeholder, so the value
   // is bound as a parameter regardless of how this caller escaped it.
10 $cat_options = $Html->categoryFromTransient($jsoncaturl,$slug);
11 ?> 12 <div class="category-head">