Project: Wordpress Plugin ClickBank Affiliate Ads 1.9

Vulnerability: #9 (2017-03-15 16:48:03)

Warning

There are many false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _POST
/clickbank-ads-clickbank-widget/clickbank-ads.php:43 (show/hide source)
23  $cbwec_version="1.9"; // plugin version string; read back through `global $cbwec_version` in admin_menu (line 40)
24  if (!class_exists("cbwec")) {
25    class cbwec {
26      var $opts; // option array populated by getOpts() (PHP 4-style `var` is equivalent to `public`)
27      function cbwec() { $this->getOpts(); } // PHP 4-style constructor (same name as the class); PHP 8 no longer treats it as a constructor, so __construct() is needed there. Loads the options immediately.
28      function getOpts() { // Loads the widget options into $this->opts, falling back to built-in defaults.
29        if (isset($this->opts) AND !empty($this->opts)) {return;} // already loaded (isset is redundant: !empty() also covers an unset property)
30        $this->opts=get_option("ClickBankWEC3"); // WordPress option store; get_option() returns false when the option was never saved
31        if (!empty($this->opts)) {return;} 
32        $this->opts=Array ('title' => 'Related eBooks', 'name' => '', 'keywordbytitle2' => 'Title', 'border' => '','homepage'=>'1','onlypost'=>'1','runplugin'=>'1', 'bordcolor' => 'CCCCCC', 'bordstyle' => '1', 'adformat' => '1', 'width' => '100%', 'height' => '100%', 'linkcolor' => '0000ff','pos' => 'Top'); // defaults used until the first save from admin_menu
33      } 
34      function sanitize_entries($options){ return $options; } 
        // NOTE(review): identity function -- returns $options unchanged and performs no sanitization.
        // The only cleaning of $_POST["cbwec"] is the sanitize_text_field() loop at line 42, which strips
        // tags but does not escape quotes; values later echoed inside an inline <script> (width/height at
        // line 145) still need esc_js() or wp_json_encode() at the point of output.
        // The call at line 43 passes a second argument ($sizes) this signature does not declare; PHP ignores it.
        // In the visible lines 41-45 the $_POST branch is gated only by isset($_POST["cbwec_submit"]);
        // no nonce check (check_admin_referer) is in view -- confirm in the full file.
35      
36      function get_field_name($fieldname){return "cbwec[".$fieldname."]";} // HTML form "name" attribute cbwec[<field>], so every field posts back inside the $_POST["cbwec"] array read in admin_menu
37      function get_field_id($fieldname){return "cbwec-".$fieldname;} // HTML "id" attribute cbwec-<field>; $fieldname is not escaped here, so callers must pass fixed literals (e.g. 'pos' at line 125)
38     
39      function admin_menu() {
40  	  global $cbwec_version;
41        if (isset($_POST["cbwec_submit"])) {
42  		foreach($_POST["cbwec"] as &$val)	{$val = sanitize_text_field($val);} 
43 $this->opts=$this->sanitize_entries($_POST['cbwec'], $sizes);
44 update_option('ClickBankWEC3',$this->opts); 45 echo '<div id="message" class="updated fade"><p><strong>Options Updated!</strong></p></div>';
Threat level 2

Callstack:

cbwec::admin_menu /clickbank-ads-clickbank-widget/clickbank-ads.php:145 (show/hide source)
125          <table border=0 cellspacing=0 cellpadding=0><tr><td><label for="<?php echo $this->get_field_id('pos'); ?>">Position on page:</label></td><td><div style="width:60px;" id=selpos><select style="width:60px;" id="<?php echo $this->get_field_id('pos'); ?>" name="<?php echo $this->get_field_name('pos'); ?>" size="1"><option<?php if($this->opts['pos']=="Top") echo(" selected"); ?>>Top</option><option<?php if($this->opts['pos']=="Right") echo(" selected"); ?>>Right</option><option<?php if($this->opts['pos']=="Left") echo(" selected"); ?>>Left</option><option<?php if($this->opts['pos']=="Bottom") echo(" selected"); ?>>Bottom</option></select></div></td></tr></table>
126        </p>
127        <script> 
128          var bg_ewci;
129          var bg_ewc=0;		
130          var n_ad_ch_ewcg;   
131          function f_car_ewc(n_ad_ch_ewc){
132            p_ad_ch_ewc=document.getElementById('dbgewc');
133            clearTimeout(bg_ewci);
134            if(n_ad_ch_ewc=="2"){bg_ewci=setTimeout("if(bg_ewc<48){bg_ewc++;p_ad_ch_ewc.style.backgroundPosition=-bg_ewc+'px 0'}else{bg_ewc=0};f_car_ewc(n_ad_ch_ewcg)", 40);}
135            if(n_ad_ch_ewc=="4"){bg_ewci=setTimeout("if(bg_ewc<60){bg_ewc++;p_ad_ch_ewc.style.backgroundPosition='0 '+bg_ewc+'px'}else{bg_ewc=0};f_car_ewc(n_ad_ch_ewcg)", 40);}
136            if (n_ad_ch_ewc!="4" && n_ad_ch_ewc!="2"){p_ad_ch_ewc.style.backgroundPosition='0 0';}
137          }
138          <?php 
139          if($this->opts['border']!="1") {echo "document.getElementById('d2bgewc').style.borderWidth='0px';";}
140  		if($this->opts['adformat']=="1") {echo 'var xg_pre_ewc="100%";var yg_pre_ewc="220";';}
141  		if($this->opts['adformat']=="2") {echo 'var xg_pre_ewc="100%";var yg_pre_ewc="220";';}
142          if($this->opts['adformat']=="3") {echo 'var xg_pre_ewc="160";var yg_pre_ewc="1000";';}
143          if($this->opts['adformat']=="4") {echo 'var xg_pre_ewc="160";var yg_pre_ewc="1000";';}
144  		if($this->opts['adformat']=="5") {echo 'var xg_pre_ewc="360";var yg_pre_ewc="440";';}
145 if($this->opts['adformat']=="6") {echo 'var xg_pre_ewc="'.$this->opts['width'].'";var yg_pre_ewc="'.$this->opts['height'].'";';}
146 ?> 147 var selposFull=document.getElementById('selpos').innerHTML;