Project: Wordpress Plugin WordPress Gift Voucher 1.0.2

Vulnerability: #8147151 (2018-05-16 19:16:31)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink fake_wpdb::insert
Risk _POST
/gift-voucher/include/pdf.php:19 (show/hide source)
1  <?php
2  
3  // namespace Sofort\SofortLib;
4  
5  if( !defined( 'ABSPATH' ) ) exit;  // Exit if accessed directly
6  
7  function wpgv__doajax_pdf_save_func() {
8  	if ( ! wp_verify_nonce( $_POST['nonce'], 'voucher_form_verify' ) ) {
9       	die( 'Security check' ); 
10  	}
11  	$template = sanitize_text_field(base64_decode($_POST['template']));
12  	$for = sanitize_text_field(base64_decode($_POST['for']));
13  	$from = sanitize_text_field(base64_decode($_POST['from']));
14  	$value = sanitize_text_field(base64_decode($_POST['value']));
15  	$message = sanitize_textarea_field(base64_decode($_POST['message']));
16  	$expiry = base64_decode($_POST['expiry']);
17  	$code = sanitize_text_field(base64_decode($_POST['code']));
18  	$firstname = sanitize_text_field(base64_decode($_POST['firstname']));
19 $lastname = sanitize_text_field(base64_decode($_POST['lastname']));
20 $email = sanitize_email(base64_decode($_POST['email'])); 21 $address = sanitize_text_field(base64_decode($_POST['address']));
Threat level 2

Callstack:

@FUNCTION::wpgv__doajax_pdf_save_func /gift-voucher/include/pdf.php:158 (show/hide source)
138  
139  	$expiryCard = ($setting_options->voucher_expiry_type == 'days') ? date('d.m.Y',strtotime('+'.$setting_options->voucher_expiry.' days',time())) . PHP_EOL : $setting_options->voucher_expiry;
140  
141  	$wpdb->insert(
142  		$voucher_table,
143  		array(
144  			'template_id' 		=> $template,
145  			'from_name' 		=> $for,
146  			'to_name' 			=> $from,
147  			'amount'			=> $value,
148  			'message'			=> $message,
149  			'firstname'			=> $firstname,
150  			'lastname'			=> $lastname,
151  			'email'				=> $email,
152  			'address'			=> $address,
153  			'postcode'			=> $pincode,
154  			'pay_method'		=> $paymentmethod,
155  			'expiry'			=> $expiryCard,
156  			'couponcode'		=> $code,
157  			'voucherpdf_link'	=> $upload_url,
158 'payment_status' => 'Not Pay'
159 ) 160 );