Project: Wordpress Plugin ClickBank Affiliate Ads 1.9

Vulnerability: #12 (2017-03-15 16:48:03)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _POST
/clickbank-ads-clickbank-widget/clickbank-ads.php:43 (show/hide source)
23  $cbwec_version="1.9"; 
24  if (!class_exists("cbwec")) {
25    class cbwec {
26      var $opts; 
27      function cbwec() { $this->getOpts(); } 
28      function getOpts() { 
29        if (isset($this->opts) AND !empty($this->opts)) {return;} 
30        $this->opts=get_option("ClickBankWEC3"); 
31        if (!empty($this->opts)) {return;} 
32        $this->opts=Array ('title' => 'Related eBooks', 'name' => '', 'keywordbytitle2' => 'Title', 'border' => '','homepage'=>'1','onlypost'=>'1','runplugin'=>'1', 'bordcolor' => 'CCCCCC', 'bordstyle' => '1', 'adformat' => '1', 'width' => '100%', 'height' => '100%', 'linkcolor' => '0000ff','pos' => 'Top');
33      } 
34      function sanitize_entries($options){ return $options; } 
35      
36      function get_field_name($fieldname){return "cbwec[".$fieldname."]";}
37      function get_field_id($fieldname){return "cbwec-".$fieldname;}
38     
39      function admin_menu() {
40  	  global $cbwec_version;
41        if (isset($_POST["cbwec_submit"])) {
42  		foreach($_POST["cbwec"] as &$val)	{$val = sanitize_text_field($val);} 
43 $this->opts=$this->sanitize_entries($_POST['cbwec'], $sizes);
44 update_option('ClickBankWEC3',$this->opts); 45 echo '<div id="message" class="updated fade"><p><strong>Options Updated!</strong></p></div>';
Threat level 2

Callstack:

cbwec::admin_menu /clickbank-ads-clickbank-widget/clickbank-ads.php:210 (show/hide source)
190              break;
191  	        case "5":
192              w_ad_ch_ewc.value=w_ad_ch_ewc2.value="360";
193  	          h_ad_ch_ewc.value=h_ad_ch_ewc2.value="440";
194              f_pre_ewc(360,440);
195              break;
196            default :
197              w_ad_ch_ewc.value=w_ad_ch_ewc2.value=xg_pre_ewc;
198              h_ad_ch_ewc.value=h_ad_ch_ewc2.value=yg_pre_ewc;
199              f_pre_ewc(xg_pre_ewc,yg_pre_ewc);
200            }
201            f_selpos(n_ad_ch_ewc)
202            f_car_ewc(n_ad_ch_ewc);
203            dthids=document.getElementById('dthids').style;
204            dthids2=document.getElementById('dthids2').style;
205            if(n_ad_ch_ewc==5 || n_ad_ch_ewc<3){dthids.dispaly='none';dthids2.display='none';}
206            if(n_ad_ch_ewc==6){dthids.display='block';dthids2.display='block';}
207            if(n_ad_ch_ewc==3 || n_ad_ch_ewc==4){dthids2.display='block';dthids.display='none';}
208          }
209          f_ad_ch_ewc(<?php echo $this->opts['adformat']?>)
210 <?php echo 'clearTimeout(bg_ewci);n_ad_ch_ewcg="'.$this->opts['adformat'].'";f_car_ewc("'.$this->opts['adformat'].'")';?> //start carousel
211 </script> 212 <p>