Project: Wordpress Plugin ClickBank Affiliate Ads 1.9

Vulnerability: #7 (2017-03-15 16:48:03)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _POST
/clickbank-ads-clickbank-widget/clickbank-ads.php:43 (show/hide source)
23  $cbwec_version="1.9"; 
24  if (!class_exists("cbwec")) {
25    class cbwec {
26      var $opts; 
27      function cbwec() { $this->getOpts(); } 
28      function getOpts() { 
29        if (isset($this->opts) AND !empty($this->opts)) {return;} 
30        $this->opts=get_option("ClickBankWEC3"); 
31        if (!empty($this->opts)) {return;} 
32        $this->opts=Array ('title' => 'Related eBooks', 'name' => '', 'keywordbytitle2' => 'Title', 'border' => '','homepage'=>'1','onlypost'=>'1','runplugin'=>'1', 'bordcolor' => 'CCCCCC', 'bordstyle' => '1', 'adformat' => '1', 'width' => '100%', 'height' => '100%', 'linkcolor' => '0000ff','pos' => 'Top');
33      } 
34      function sanitize_entries($options){ return $options; } 
35      
36      function get_field_name($fieldname){return "cbwec[".$fieldname."]";}
37      function get_field_id($fieldname){return "cbwec-".$fieldname;}
38     
39      function admin_menu() {
40  	  global $cbwec_version;
41        if (isset($_POST["cbwec_submit"])) {
42  		foreach($_POST["cbwec"] as &$val)	{$val = sanitize_text_field($val);} 
43 $this->opts=$this->sanitize_entries($_POST['cbwec'], $sizes);
44 update_option('ClickBankWEC3',$this->opts); 45 echo '<div id="message" class="updated fade"><p><strong>Options Updated!</strong></p></div>';
Threat level 2

Callstack:

cbwec::admin_menu /clickbank-ads-clickbank-widget/clickbank-ads.php:107 (show/hide source)
87  		      </td>
88  		     </tr>
89  		    </table>
90          <div id="dthids" style="overflow:hidden;display: <?php echo ($this->opts['adformat']=="6"?"block;":"none;");?>">
91  		      Width:<br />
92  		      <select onchange="document.getElementById('<?php echo $this->get_field_id('width'); ?>').value=this.value;xg_pre_ewc=this.value;f_pre_ewc(this.value,0);" size="1" id="<?php echo $this->get_field_id('width2'); ?>" name="<?php echo $this->get_field_name('width2'); ?>" style="width:100px;">
93  	        	<option value="100%" <?php if($this->opts['width']=="100%") {echo 'selected';}?>>100% (auto)</option>
94  	        	<option value="120" <?php if($this->opts['width']=="120") {echo 'selected';}?>>120 px</option>
95  	        	<option value="160" <?php if($this->opts['width']=="160") {echo 'selected';}?>>160 px</option>
96  	        	<option value="200" <?php if($this->opts['width']=="200") {echo 'selected';}?>>200 px</option>
97  	        	<option value="240" <?php if($this->opts['width']=="240") {echo 'selected';}?>>240 px</option>
98  	        	<option value="360" <?php if($this->opts['width']=="360") {echo 'selected';}?>>360 px</option>
99  	        	<option value="480" <?php if($this->opts['width']=="480") {echo 'selected';}?>>480 px</option>
100  	        	<option value="600" <?php if($this->opts['width']=="600") {echo 'selected';}?>>600 px</option>
101  	        	<option value="720" <?php if($this->opts['width']=="720") {echo 'selected';}?>>720 px</option>
102  	        	<option value="840" <?php if($this->opts['width']=="840") {echo 'selected';}?>>840 px</option>
103  	        	<option value="960" <?php if($this->opts['width']=="960") {echo 'selected';}?>>960 px</option>
104  		        <option value="1000" <?php if($this->opts['width']=="1000") {echo 'selected';}?>>1000 px</option>
105  		      </select>
106  		      OR
107 <input onchange="xg_pre_ewc=this.value;f_pre_ewc(this.value,0);" type="text" id="<?php echo $this->get_field_id('width'); ?>" name="<?php echo $this->get_field_name('width'); ?>" value="<?php echo $this->opts['width']; ?>" style="width:50px;" />
108 </div> 109 <div id="dthids2" style="overflow:hidden;display: <?php echo ($this->opts['adformat']=="6" or $this->opts['adformat']=="3" or $this->opts['adformat']=="4"?"block;":"none;");?>">