Project: Wordpress Plugin WordPress Gift Voucher 1.0.2

Vulnerability: #8147157 (2018-05-16 19:16:31)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink fake_wpdb::insert
Risk _POST
/gift-voucher/include/pdf.php:41 (show/hide source)
21  	$address = sanitize_text_field(base64_decode($_POST['address']));
22  	$pincode = sanitize_text_field(base64_decode($_POST['pincode']));
23  	$paymentmethod = sanitize_text_field(base64_decode($_POST['paymentmethod']));
24  
25  	global $wpdb;
26  	$voucher_table 	= $wpdb->prefix . 'giftvouchers_list';
27  	$setting_table 	= $wpdb->prefix . 'giftvouchers_setting';
28  	$template_table = $wpdb->prefix . 'giftvouchers_template';
29  	$setting_options = $wpdb->get_row( "SELECT * FROM $setting_table WHERE id = 1" );
30  	$template_options = $wpdb->get_row( "SELECT * FROM $template_table WHERE id = $template" );
31  	$image_attributes = wp_get_attachment_image_src( $template_options->image, 'full' );
32  	$image_attributes = ($image_attributes) ? $image_attributes[0] : WPGIFT__PLUGIN_URL.'/assets/img/demo.png';
33  	$voucher_bgcolor = wpgv_hex2rgb($setting_options->voucher_bgcolor);
34  	$voucher_color = wpgv_hex2rgb($setting_options->voucher_color);
35  	$currency = ($setting_options->currency_position == 'Left') ? $setting_options->currency.''.$value : $value.''.$setting_options->currency;
36  
37  	$upload = wp_upload_dir();
38   	$upload_dir = $upload['basedir'];
39   	$upload_dir = $upload_dir . '/voucherpdfuploads/'.$_POST['code'].'.pdf';
40   	$upload_url = $upload['baseurl'];
41 $upload_url = $upload_url . '/voucherpdfuploads/'.$_POST['code'].'.pdf';
42 43 $pdf = new WPGV_PDF('P','pt',array(595,900));
Threat level 2

Callstack:

@FUNCTION::wpgv__doajax_pdf_save_func /gift-voucher/include/pdf.php:158 (show/hide source)
138  
139  	$expiryCard = ($setting_options->voucher_expiry_type == 'days') ? date('d.m.Y',strtotime('+'.$setting_options->voucher_expiry.' days',time())) . PHP_EOL : $setting_options->voucher_expiry;
140  
141  	$wpdb->insert(
142  		$voucher_table,
143  		array(
144  			'template_id' 		=> $template,
145  			'from_name' 		=> $for,
146  			'to_name' 			=> $from,
147  			'amount'			=> $value,
148  			'message'			=> $message,
149  			'firstname'			=> $firstname,
150  			'lastname'			=> $lastname,
151  			'email'				=> $email,
152  			'address'			=> $address,
153  			'postcode'			=> $pincode,
154  			'pay_method'		=> $paymentmethod,
155  			'expiry'			=> $expiryCard,
156  			'couponcode'		=> $code,
157  			'voucherpdf_link'	=> $upload_url,
158 'payment_status' => 'Not Pay'
159 ) 160 );