Project: WordPress plugin "WordPress Gift Voucher" 1.0.2

Vulnerability: #8147145 (2018-05-16 19:16:31)

Warning

This scanner output contains many false positives and unexploitable findings. Please build a working proof-of-concept (PoC) exploit before reporting anything to the vendor!

Details:

Sink Standard::file_put_contents
Risk: $_POST (the `code` parameter is concatenated into the output path without any sanitization, unlike the fields on lines 19–23; the fix is to validate it against a strict allowlist or pass it through sanitize_file_name() before building the upload path)
/gift-voucher/include/pdf.php:39
19  	$lastname = sanitize_text_field(base64_decode($_POST['lastname']));
20  	$email = sanitize_email(base64_decode($_POST['email']));
21  	$address = sanitize_text_field(base64_decode($_POST['address']));
22  	$pincode = sanitize_text_field(base64_decode($_POST['pincode']));
23  	$paymentmethod = sanitize_text_field(base64_decode($_POST['paymentmethod']));
24  
25  	global $wpdb;
26  	$voucher_table 	= $wpdb->prefix . 'giftvouchers_list';
27  	$setting_table 	= $wpdb->prefix . 'giftvouchers_setting';
28  	$template_table = $wpdb->prefix . 'giftvouchers_template';
29  	$setting_options = $wpdb->get_row( "SELECT * FROM $setting_table WHERE id = 1" );
30  	$template_options = $wpdb->get_row( "SELECT * FROM $template_table WHERE id = $template" );
31  	$image_attributes = wp_get_attachment_image_src( $template_options->image, 'full' );
32  	$image_attributes = ($image_attributes) ? $image_attributes[0] : WPGIFT__PLUGIN_URL.'/assets/img/demo.png';
33  	$voucher_bgcolor = wpgv_hex2rgb($setting_options->voucher_bgcolor);
34  	$voucher_color = wpgv_hex2rgb($setting_options->voucher_color);
35  	$currency = ($setting_options->currency_position == 'Left') ? $setting_options->currency.''.$value : $value.''.$setting_options->currency;
36  
37  	$upload = wp_upload_dir();
38   	$upload_dir = $upload['basedir'];
39 $upload_dir = $upload_dir . '/voucherpdfuploads/'.$_POST['code'].'.pdf';
40 $upload_url = $upload['baseurl']; 41 $upload_url = $upload_url . '/voucherpdfuploads/'.$_POST['code'].'.pdf';
Threat level 2

Callstack:

FPDF::Output /gift-voucher/library/fpdf/fpdf.php:1021
1001  			{
1002  				// We send to a browser
1003  				header('Content-Type: application/pdf');
1004  				header('Content-Disposition: inline; '.$this->_httpencode('filename',$name,$isUTF8));
1005  				header('Cache-Control: private, max-age=0, must-revalidate');
1006  				header('Pragma: public');
1007  			}
1008  			echo $this->buffer;
1009  			break;
1010  		case 'D':
1011  			// Download file
1012  			$this->_checkoutput();
1013  			header('Content-Type: application/x-download');
1014  			header('Content-Disposition: attachment; '.$this->_httpencode('filename',$name,$isUTF8));
1015  			header('Cache-Control: private, max-age=0, must-revalidate');
1016  			header('Pragma: public');
1017  			echo $this->buffer;
1018  			break;
1019  		case 'F':
1020  			// Save to local file
1021 if(!file_put_contents($name,$this->buffer))
1022 $this->Error('Unable to create output file: '.$name); 1023 break;
@FUNCTION::wpgv__doajax_pdf_save_func /gift-voucher/include/pdf.php:137
117  	$pdf->SetTextColor($voucher_color[0],$voucher_color[1],$voucher_color[2]);
118  	$pdf->SetFontSize(12);
119  	$pdf->Cell(0,0,'Coupon Code',0,1,'L',0);
120  	//Coupon Code Input
121  	$pdf->SetXY(313, 780);
122  	$pdf->SetFillColor(255,255,255);
123  	$pdf->SetTextColor(85,85,85);
124  	$pdf->SetFontSize(16);
125  	$pdf->Cell(265,30,' '.$code,0,1,'L',1);
126  	//Company Details
127  	$pdf->SetXY(30, 840);
128  	$pdf->SetTextColor(255,255,255);
129  	$pdf->SetFontSize(11);
130  	$pdf->Cell(0,0,get_site_url().' | '.get_option('admin_email'),0,1,'C',0);
131  	//Terms
132  	$pdf->SetXY(0, 0);
133  	$pdf->SetTextColor(255,255,255);
134  	$pdf->SetFontSize(9);
135  	$pdf->RotatedText(20,850,'* Cash payment is not possible. The terms and conditions apply.',90);
136  
137 $pdf->Output('F',$upload_dir);
138 139 $expiryCard = ($setting_options->voucher_expiry_type == 'days') ? date('d.m.Y',strtotime('+'.$setting_options->voucher_expiry.' days',time())) . PHP_EOL : $setting_options->voucher_expiry;