Project: Wordpress Plugin ClickBank Affiliate Ads 1.9

Vulnerability: #8 (2017-03-15 16:48:03)

Warning

Many of the reported findings are false positives or unexploitable. Please build a working proof-of-concept ("PoC") exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _POST
/clickbank-ads-clickbank-widget/clickbank-ads.php:43 (show/hide source)
// Plugin version string; admin_menu() pulls it in via `global $cbwec_version`.
$cbwec_version = '1.9';
24  if (!class_exists("cbwec")) {
25    class cbwec {
/**
 * Plugin settings keyed by option name (title, width, height, adformat, ...).
 * Filled lazily by getOpts(): the stored "ClickBankWEC3" option, or the
 * built-in defaults when that is empty. admin_menu() overwrites it from
 * $_POST['cbwec'], so treat the values as user-supplied and escape them
 * wherever they are echoed into HTML.
 */
var $opts;
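/**
 * Load the plugin options as soon as the object is created.
 */
function __construct() { $this->getOpts(); }

/**
 * Legacy PHP 4 style constructor, kept so existing code that calls it keeps
 * working. PHP 7 deprecates same-name constructors and PHP 8 no longer
 * treats them as constructors, so the real work lives in __construct().
 */
function cbwec() { $this->__construct(); }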
/**
 * Populate $this->opts exactly once: keep an already-loaded, non-empty value,
 * otherwise read the "ClickBankWEC3" option and fall back to the plugin
 * defaults when the stored option is missing or empty.
 */
function getOpts() {
    // A non-empty option set cached on the object wins; nothing to load.
    if (!empty($this->opts)) {
        return;
    }
    $this->opts = get_option("ClickBankWEC3");
    if (!empty($this->opts)) {
        return;
    }
    // Nothing usable stored yet: start from the shipped defaults.
    $this->opts = array(
        'title'           => 'Related eBooks',
        'name'            => '',
        'keywordbytitle2' => 'Title',
        'border'          => '',
        'homepage'        => '1',
        'onlypost'        => '1',
        'runplugin'       => '1',
        'bordcolor'       => 'CCCCCC',
        'bordstyle'       => '1',
        'adformat'        => '1',
        'width'           => '100%',
        'height'          => '100%',
        'linkcolor'       => '0000ff',
        'pos'             => 'Top',
    );
}
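/**
 * Normalise the submitted option array before it is stored.
 *
 * The original implementation returned its input untouched, so the only
 * cleaning applied to $_POST['cbwec'] happened in admin_menu(). This version
 * reduces every entry to a plain, tag-free, trimmed string and turns
 * non-array input into an empty array, so what reaches update_option() always
 * has the expected shape. It does NOT HTML-escape: the values are later
 * echoed into attribute values (the width/height inputs), and escaping has to
 * happen at that output point.
 *
 * @param array|mixed $options Raw option values, normally $_POST['cbwec'].
 * @return array<string, string> Cleaned values under their original keys.
 */
function sanitize_entries($options) {
    if (!is_array($options)) {
        return array();
    }
    $clean = array();
    foreach ($options as $key => $value) {
        // Nested arrays cannot be meaningful here; store an empty string instead.
        $clean[$key] = is_scalar($value) ? trim(strip_tags((string) $value)) : '';
    }
    return $clean;
}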
35      
/**
 * Build the form field name for one option, nesting it under the "cbwec" array.
 *
 * @param string $fieldname Option key, e.g. 'width'.
 * @return string e.g. 'cbwec[width]'.
 */
function get_field_name($fieldname) {
    return sprintf('cbwec[%s]', $fieldname);
}
/**
 * Build the DOM id for one option's form control.
 *
 * @param string $fieldname Option key, e.g. 'height'.
 * @return string e.g. 'cbwec-height'.
 */
function get_field_id($fieldname) {
    return "cbwec-{$fieldname}";
}
38     
39      function admin_menu() {
40  	  global $cbwec_version;
41        if (isset($_POST["cbwec_submit"])) {
42  		foreach($_POST["cbwec"] as &$val)	{$val = sanitize_text_field($val);} 
43 $this->opts=$this->sanitize_entries($_POST['cbwec'], $sizes);
44 update_option('ClickBankWEC3',$this->opts); 45 echo '<div id="message" class="updated fade"><p><strong>Options Updated!</strong></p></div>';
Threat level 2

Callstack:

cbwec::admin_menu /clickbank-ads-clickbank-widget/clickbank-ads.php:122 (show/hide source)
102  	        	<option value="840" <?php if($this->opts['width']=="840") {echo 'selected';}?>>840 px</option>
103  	        	<option value="960" <?php if($this->opts['width']=="960") {echo 'selected';}?>>960 px</option>
104  		        <option value="1000" <?php if($this->opts['width']=="1000") {echo 'selected';}?>>1000 px</option>
105  		      </select>
106  		      OR
107  		      <input onchange="xg_pre_ewc=this.value;f_pre_ewc(this.value,0);" type="text" id="<?php echo $this->get_field_id('width'); ?>" name="<?php echo $this->get_field_name('width'); ?>" value="<?php echo $this->opts['width']; ?>" style="width:50px;" />
108  	    </div>
109  	    <div id="dthids2" style="overflow:hidden;display: <?php echo ($this->opts['adformat']=="6" or $this->opts['adformat']=="3" or $this->opts['adformat']=="4"?"block;":"none;");?>">
110  		    Height:<br />
111  		      <select onchange="document.getElementById('<?php echo $this->get_field_id('height'); ?>').value=this.value;yg_pre_ewc=this.value;f_pre_ewc(0,this.value);" size="1" id="<?php echo $this->get_field_id('height'); ?>2" name="<?php echo $this->get_field_name('height'); ?>2" style="width:100px;">
112  		        <option value="220" <?php if($this->opts['height']=="220") {echo 'selected';}?>>220 px</option>
113  		        <option value="440" <?php if($this->opts['height']=="440") {echo 'selected';}?>>440 px</option>
114  		        <option value="660" <?php if($this->opts['height']=="660") {echo 'selected';}?>>660 px</option>
115  		        <option value="880" <?php if($this->opts['height']=="880") {echo 'selected';}?>>880 px</option>
116  		        <option value="1000" <?php if($this->opts['height']=="1000") {echo 'selected';}?>>1000 px</option>
117  		        <option value="1200" <?php if($this->opts['height']=="1200") {echo 'selected';}?>>1200 px</option>
118  	        	<option value="1400" <?php if($this->opts['height']=="1400") {echo 'selected';}?>>1400 px</option>
119  	        	<option value="1600" <?php if($this->opts['height']=="1600") {echo 'selected';}?>>1600 px</option>
120  	      	</select>
121  		      OR 
122 <input onchange="yg_pre_ewc=this.value;f_pre_ewc(0,this.value);" type="text" id="<?php echo $this->get_field_id('height'); ?>" name="<?php echo $this->get_field_name('height'); ?>" value="<?php echo $this->opts['height']; ?>" style="width:50px;" />
123 </div> 124 <p>