Project: Wordpress Plugin ClickBank Affiliate Ads 1.9

Vulnerability: #14 (2017-03-15 16:48:03)

Warning

Many reported findings are false positives or unexploitable. Please build a working proof-of-concept (PoC) exploit before reporting anything to the vendor.

Details:

Sink PHP::echo
Risk _POST
/clickbank-ads-clickbank-widget/clickbank-ads.php:43 (show/hide source)
$cbwec_version="1.9"; // Plugin version string; read back via `global $cbwec_version` inside cbwec::admin_menu.
24  if (!class_exists("cbwec")) {
25    class cbwec {
26      var $opts; 
27      function cbwec() { $this->getOpts(); } 
28      function getOpts() { 
29        if (isset($this->opts) AND !empty($this->opts)) {return;} 
30        $this->opts=get_option("ClickBankWEC3"); 
31        if (!empty($this->opts)) {return;} 
32        $this->opts=Array ('title' => 'Related eBooks', 'name' => '', 'keywordbytitle2' => 'Title', 'border' => '','homepage'=>'1','onlypost'=>'1','runplugin'=>'1', 'bordcolor' => 'CCCCCC', 'bordstyle' => '1', 'adformat' => '1', 'width' => '100%', 'height' => '100%', 'linkcolor' => '0000ff','pos' => 'Top');
33      } 
    /**
     * Option-array sanitizer hook; currently a pass-through that returns $options unchanged.
     *
     * admin_menu calls this on $_POST['cbwec'] (passing a second argument, $sizes, that
     * this signature ignores) after running sanitize_text_field() over each value. No
     * per-key validation happens here (for example that bordcolor/linkcolor are hex
     * digits or that bordstyle/adformat are one of the expected values), and the result
     * is later echoed into HTML attributes without esc_attr(), so output escaping must
     * not rely on this method.
     */
    function sanitize_entries($options){ return $options; } 
35      
36      function get_field_name($fieldname){return "cbwec[".$fieldname."]";}
37      function get_field_id($fieldname){return "cbwec-".$fieldname;}
38     
39      function admin_menu() {
40  	  global $cbwec_version;
41        if (isset($_POST["cbwec_submit"])) {
42  		foreach($_POST["cbwec"] as &$val)	{$val = sanitize_text_field($val);} 
43 $this->opts=$this->sanitize_entries($_POST['cbwec'], $sizes);
44 update_option('ClickBankWEC3',$this->opts); 45 echo '<div id="message" class="updated fade"><p><strong>Options Updated!</strong></p></div>';
Threat level 2

Callstack:

cbwec::admin_menu /clickbank-ads-clickbank-widget/clickbank-ads.php:228 (show/hide source)
208          }
209          f_ad_ch_ewc(<?php echo $this->opts['adformat']?>)
210  		    <?php echo 'clearTimeout(bg_ewci);n_ad_ch_ewcg="'.$this->opts['adformat'].'";f_car_ewc("'.$this->opts['adformat'].'")';?>  //start carousel     
211        </script>
212        <p>
213        <label for="<?php echo $this->get_field_id('border'); ?>">Show Border:</label>
214        <input onclick="dthidm=document.getElementById('dthid').style;if(this.checked){dthidm.display='block';document.getElementById('d2bgewc').style.borderWidth='1px';}else{dthidm.display='none';document.getElementById('d2bgewc').style.borderWidth='0px';}" type="checkbox" <?php if($this->opts['border']=="1") {echo 'checked';}?> id="<?php echo $this->get_field_id('border'); ?>" name="<?php echo $this->get_field_name('border'); ?>" value="1" style="border:0px;" />
215          <div id="dthid" style="overflow:hidden;display: <?php echo ($this->opts['border']=="1"?"block;":"none;");?>">
216           Border Style:
217          <br />
218          <table border=0 width=200 cellspacing=0 cellpadding=0>
219  	        <tr>
220  		        <td width=50% valign=top align=center style="padding:0 10px 10px 0;">
221  				<div class="cbwecb10" style="padding:3px;background:#ffffff; border-radius:5px 5px 5px 5px;">
222  				<table border=0 cellspacing=0 cellpadding=0><tr><td><label for="<?php echo $this->get_field_id('bordstyle'); ?>"><u class="cbwecb11">Style</u> 1 </label></td><td>&nbsp;<input type="radio" <?php if($this->opts['bordstyle']=="1") {echo 'checked';}?> value="1" id="<?php echo $this->get_field_id('bordstyle'); ?>"  name="<?php echo $this->get_field_name('bordstyle'); ?>" style="margin-top:3px;border:0px;" /></td></tr></table>
223  				</div>
224  				</td>
225  				<td width=50% valign=top align=center style="padding:0 0 10px 10px;"><div class="cbwecb10" style="padding:3px;background:#ffffff;"><table border=0 cellspacing=0 cellpadding=0><tr><td><label for="<?php echo $this->get_field_id('bordstyle'); ?>2"><u class="cbwecb11">Style</u> 2 </label></td><td><input type="radio" <?php if($this->opts['bordstyle']=="2") {echo 'checked';}?> value="2" id="<?php echo $this->get_field_id('bordstyle'); ?>2" name="<?php echo $this->get_field_name('bordstyle'); ?>" style="margin-top:3px;border:0px;" /></td></tr></table></div></td>
226            </tr>
227          </table>
228 <table border=0 cellspacing=0 cellpadding=0><tr><td width=90><label for="<?php echo $this->get_field_id('bordcolor'); ?>">Border Color: </label></td><td>#<input onblur="var e = document.getElementsByTagName('div');for(var i=0; i<e.length; i+=1) {if(e[i].className && e[i].className=='cbwecb10'){e[i].style.borderColor = '#'+this.value;}}" onmouseover="jscolor.bind()" class="color" type="text" id="<?php echo $this->get_field_id('bordcolor'); ?>" name="<?php echo $this->get_field_name('bordcolor'); ?>" value="<?php echo $this->opts['bordcolor']; ?>" style="width:70px;" /></td></tr></table>
229 </div> 230 <table border=0 cellspacing=0 cellpadding=0><tr><td width=90><label for="<?php echo $this->get_field_id('linkcolor'); ?>"><u class="cbwecb11">Link Color: </u></label></td><td>#</span><input onblur="var e = document.getElementsByTagName('u');for(var i=0; i<e.length; i+=1) {if(e[i].className && e[i].className=='cbwecb11') {e[i].style.color = '#'+this.value;}}" onmouseover="jscolor.bind()" class="color" type="text" id="<?php echo $this->get_field_id('linkcolor'); ?>" name="<?php echo $this->get_field_name('linkcolor'); ?>" value="<?php echo $this->opts['linkcolor']; ?>" style="width:70px;" /></td></tr></table>