Project: Wordpress Plugin Site Search 360 0.6.93

Vulnerability: #9217751 (2018-08-28 03:44:09)

Warning

There are many false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _SERVER
/site-search-360/sitesearch360-create-account.php:56
36    <?php
37    } else if ($result['action'] == 'ss360_register' && $result['status'] == 'failure') {
38    ?>
39  
40      <div class="wrap">
41        <h2>Wait a second</h2><br/>
42        <form name="ss360_settings" method="post" action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>">
43        <?php wp_nonce_field(); ?>
44          <input type="hidden" name="action" value="ss360_connectAccount">
45  
46          <table class="widefat" style="width: 650px;">
47            <thead>
48              <tr>
49                <th class="row-title">Account already exists.</th>
50              </tr>
51            </thead>
52            <tbody>
53              <tr>
54                <td>
55                  <p>Looks like your account for the Email address <b><?php echo $result['email']; ?></b> exists already for the site <b><?php echo $result['siteId']; ?></b>. If you want to create a new account for another site, please <a href="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>&action=init">click here</a> and use a different Email address.</p>
56                  <p>Otherwise, <a href="<?php echo esc_url(str_replace('&action=init', '', $_SERVER['REQUEST_URI'] ).'&action=configure') ; ?>">click here</a> to configure the WordPress plugin and go to your <a href="https://sitesearch360.com/control/">dashboard</a> to configure your indexing settings.</p>
57                  <!--p>Do you already have an account under the given Email address? If so please connect your account by entering your account password:</p>
58                  <br/>
Threat level 0

Callstack:

@INLINE::/site-search-360/sitesearch360-create-account.php /site-search-360/sitesearch360-create-account.php:56