Project: Wordpress Plugin Islamic Content Archive 2.0

Vulnerability: #7371203 (2018-01-13 00:06:11)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink fake_wpdb::insert
Risk _GET
/islamic-content-archive/views/categories.php:4 (show/hide source)
1  <?php
2  $Html = new html_helper();
3  global $categories,$ica_categories_lang;
4 $category_slug = esc_attr($_GET['cat_slug']);
5 6 $ica_lang = get_option(ICA_Input_SLUG.'language');
Threat level 2

Callstack:

@FUNCTION::ica_set_transient /islamic-content-archive/lib/function.php:94 (show/hide source)
74  
75  }
76  
77  if (!function_exists('ica_get_data')) {
78  	function ica_get_data($url = NULL) {
79  
80  		if ($url) {
81  			return @file_get_contents($url);
82  		}
83  		return;
84  	}
85  
86  }
87  
88  if (!function_exists('ica_set_transient')) {
89  	function ica_set_transient($slug, $data) {
90  		global $wpdb;
91  		if (is_array($data)) {
92  			$data = json_encode($data);
93  		}
94 return $wpdb -> insert($wpdb -> prefix . ICA_DB_Table, array('ica_key' => $slug, 'ica_value' => $data), array('%s', '%s'));
95 } 96
html_helper::categoryFromTransient /islamic-content-archive/lib/html_helper.php:186 (show/hide source)
166  					}
167  				}else{
168  					$catList[$value->slug] = $value->title;//.sprintf('<b> %s </b>',$value->post_count);
169  				}
170  				
171  				
172  			}
173  			return $catList;
174  		}
175  		
176  		return array();
177  	}
178  	
179  	public function categoryFromTransient($url=NULL,$slug)
180  	{
181  		$oldData = ica_get_transient($slug);
182  		if(!empty($oldData)){
183  			return (array)$oldData['ica_value'];	
184  		}else{
185  			$set_data = $this->format_category_json($url);
186 ica_set_transient($slug,$set_data);
187 return $set_data; 188 }
@INLINE::/islamic-content-archive/views/categories.php /islamic-content-archive/views/categories.php:10 (show/hide source)
1  <?php
2  $Html = new html_helper();
3  global $categories,$ica_categories_lang;
4  $category_slug = esc_attr($_GET['cat_slug']);
5  
6  $ica_lang = get_option(ICA_Input_SLUG.'language');
7  $link = $ica_categories_lang[$ica_lang][$category_slug]['url'];
8  $jsoncaturl = $ica_categories_lang[$ica_lang][$category_slug]['cat'];
9  $slug = $category_slug.'_'.$ica_lang;
10 $cat_options = $Html->categoryFromTransient($jsoncaturl,$slug);
11 ?> 12 <div class="category-head">