Project: Wordpress Plugin ZodiacPress 1.5.7

Vulnerability: #7524910 (2018-02-13 19:25:12)

Warning

Many findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::unserialize
Risk _GET
/zodiacpress/image.php:39 (show/hide source)
19  		$speed[ $s ] = zpci_sanitize_data( $speed_raw[ $s ] );
20  	}
21  }
22  if ( isset( $_GET['zpo'] ) ) { // 'zpo' comes straight from the query string, so its content is request-controlled
23  	$orbs_raw = unserialize( $_GET['zpo'] ); // NOTE(review): unserialize() on request data can instantiate objects (PHP object injection); real impact depends on which classes are loaded — confirm. Safer: json_decode(), or unserialize() with array( 'allowed_classes' => false ) on PHP 7.0+
24  	foreach ( $orbs_raw as $key => $value ) { // unserialize() returns false on malformed input; nothing here checks is_array() before iterating
25  		$zpci_orbs[ $key ] = zpci_sanitize_data( $value ); // values are sanitized only after unserialize() has already run; $key is used as-is
26  	}
27  }
28  if ( isset( $_GET['zpu'] ) ) {
29  	$unknown_time = zpci_sanitize_data( unserialize( $_GET['zpu'] ) ); // same pattern: the query value is unserialized first, and only the result reaches zpci_sanitize_data()
30  }
31  if ( isset( $_GET['zpi'] ) ) {
32  	$i18n_raw = unserialize( $_GET['zpi'] ); // same pattern as line 23, on the 'zpi' query parameter
33  
34  	foreach ( $i18n_raw as $key => $str ) { // no is_array() check on the unserialize() result before iterating
35  		$i18n[ $key ] = zpci_sanitize_data( $str ); // sanitizing is applied per value, after deserialization; $key is used as-is
36  	}
37  }
38  if ( isset( $_GET['zpcustom'] ) ) {
39 $customizer_raw = unserialize( $_GET['zpcustom'] );
40 foreach ( $customizer_raw as $key => $value ) { 41 $hex = zpci_sanitize_data( $value );
Threat level 2

Callstack:

@INLINE::/zodiacpress/image.php /zodiacpress/image.php:39 (show/hide source)
19  		$speed[ $s ] = zpci_sanitize_data( $speed_raw[ $s ] );
20  	}
21  }
22  if ( isset( $_GET['zpo'] ) ) { // 'zpo' comes straight from the query string, so its content is request-controlled
23  	$orbs_raw = unserialize( $_GET['zpo'] ); // NOTE(review): unserialize() on request data can instantiate objects (PHP object injection); real impact depends on which classes are loaded — confirm. Safer: json_decode(), or unserialize() with array( 'allowed_classes' => false ) on PHP 7.0+
24  	foreach ( $orbs_raw as $key => $value ) { // unserialize() returns false on malformed input; nothing here checks is_array() before iterating
25  		$zpci_orbs[ $key ] = zpci_sanitize_data( $value ); // values are sanitized only after unserialize() has already run; $key is used as-is
26  	}
27  }
28  if ( isset( $_GET['zpu'] ) ) {
29  	$unknown_time = zpci_sanitize_data( unserialize( $_GET['zpu'] ) ); // same pattern: the query value is unserialized first, and only the result reaches zpci_sanitize_data()
30  }
31  if ( isset( $_GET['zpi'] ) ) {
32  	$i18n_raw = unserialize( $_GET['zpi'] ); // same pattern as line 23, on the 'zpi' query parameter
33  
34  	foreach ( $i18n_raw as $key => $str ) { // no is_array() check on the unserialize() result before iterating
35  		$i18n[ $key ] = zpci_sanitize_data( $str ); // sanitizing is applied per value, after deserialization; $key is used as-is
36  	}
37  }
38  if ( isset( $_GET['zpcustom'] ) ) {
39 $customizer_raw = unserialize( $_GET['zpcustom'] );
40 foreach ( $customizer_raw as $key => $value ) { 41 $hex = zpci_sanitize_data( $value );