Project: Wordpress Plugin WordPress Gift Voucher 1.0.2

Vulnerability: #8147163 (2018-05-16 19:16:31)

Warning

Many of these findings are false positives or unexploitable vulnerabilities. Please build a working proof-of-concept (PoC) exploit before reporting anything to the vendor!

Details (the template_id request parameter read on line 312 is interpolated directly, with no $wpdb->prepare() call or integer cast, into the SQL string passed to get_row on line 313; whether the AJAX handler is reachable without authentication or a nonce check is not shown in this excerpt):

Sink fake_wpdb::get_row
Risk _REQUEST
/gift-voucher/front.php:312
292      				</div>
293      				<div class="codeFormRight">
294      					<label>Coupon Code</label>
295      					<input type="text" name="codeCard" class="codeCard" readonly>
296      				</div>
297      				<div class="clearfix"></div>
298      				<div class="voucherSiteInfo"><a href="'.get_site_url() .'">'.$siteURL.'</a> | <a href="mailto:'.get_option('admin_email').'">'.get_option('admin_email').'</a></div>
299      				<div class="termsCard">* Cash payment is not possible. The terms and conditions apply.</div>
300      			</div></div>
301      		</div>
302      		<div class="voucherPreviewButton"><a href="#" data-src="'.get_site_url() .'/voucher-pdf-preview" target="_blank">Show Preview</a></div>
303      	</div>
304      </fieldset>
305  </form>';
306  	return $html;
307  }
308  
309  function wpgv__doajax_front_template() {
310  	global $wpdb;
311  	$template_table = $wpdb->prefix . 'giftvouchers_template';
312 $template_id = $_REQUEST['template_id'];
313 $template_options = $wpdb->get_row( "SELECT * FROM $template_table WHERE id = $template_id" ); 314 $image_attributes = wp_get_attachment_image_src( $template_options->image, 'voucher-medium' );
Threat level 2

Callstack:

@FUNCTION::wpgv__doajax_front_template /gift-voucher/front.php:313
293      				<div class="codeFormRight">
294      					<label>Coupon Code</label>
295      					<input type="text" name="codeCard" class="codeCard" readonly>
296      				</div>
297      				<div class="clearfix"></div>
298      				<div class="voucherSiteInfo"><a href="'.get_site_url() .'">'.$siteURL.'</a> | <a href="mailto:'.get_option('admin_email').'">'.get_option('admin_email').'</a></div>
299      				<div class="termsCard">* Cash payment is not possible. The terms and conditions apply.</div>
300      			</div></div>
301      		</div>
302      		<div class="voucherPreviewButton"><a href="#" data-src="'.get_site_url() .'/voucher-pdf-preview" target="_blank">Show Preview</a></div>
303      	</div>
304      </fieldset>
305  </form>';
306  	return $html;
307  }
308  
309  function wpgv__doajax_front_template() {
310  	global $wpdb;
311  	$template_table = $wpdb->prefix . 'giftvouchers_template';
312  	$template_id = $_REQUEST['template_id'];
313 $template_options = $wpdb->get_row( "SELECT * FROM $template_table WHERE id = $template_id" );
314 $image_attributes = wp_get_attachment_image_src( $template_options->image, 'voucher-medium' ); 315 $image_attributes = ($image_attributes) ? $image_attributes[0] : WPGIFT__PLUGIN_URL.'/assets/img/demo.png';