Warning

This scanner output contains many false positives and findings that are not exploitable in practice. Build a working proof-of-concept exploit before reporting anything to the vendor.

Details:

Sink: PHP `print`
Tainted source: `$_GET`
/accelerated-mobile-pages/includes/options/redux-core/inc/class.p.php:289
269                  }
270  
271                  // Propagate all cURL request / response info to the JSON data object.
272                  if ( isset( $_GET['full_status'] ) && $_GET['full_status'] ) {
273                      $data['status'] = $status;
274                  } else {
275                      $data['status']              = array();
276                      $data['status']['http_code'] = $status['http_code'];
277                  }
278  
279                  // Set the JSON data object contents, decoding it from JSON if possible.
280                  $decoded_json     = json_decode( $contents );
281                  $data['contents'] = str_replace( 'e(window).width()', 'window.innerWidth||e(window).width()', $decoded_json ? $decoded_json : $contents );
282  
283                  // Generate appropriate content-type header.
284  
285                  $is_xhr = isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) ? strtolower( $_SERVER['HTTP_X_REQUESTED_WITH'] ) : 'xmlhttprequest';
286                  header( 'Content-type: application/' . ( $is_xhr ? 'json' : 'x-javascript' ) );
287  
288                  // Get JSONP callback.
289 $jsonp_callback = $enable_jsonp && isset( $_GET['callback'] ) ? $_GET['callback'] : null;
290 291 // Generate JSON/JSONP string
Threat level: 2. What the excerpt shows is `$_GET['callback']` (line 289) reaching `print` at line 294 unescaped as the JSONP wrapper. This is only a candidate: it depends on `$enable_jsonp` being true, which is set outside this excerpt, and on the `Content-type` header from line 286 not preventing the browser from interpreting the response. Note that line 285 defaults `$is_xhr` to the non-empty string `'xmlhttprequest'`, so line 286 emits `application/json` unless the client sends an empty `X-Requested-With` header; a PoC must establish whether either content type is actually interpretable in the target browser. The proxied URL and any SSRF concern are handled earlier in `proxy` and are not visible here.

Callstack:

Redux_P::proxy — /accelerated-mobile-pages/includes/options/redux-core/inc/class.p.php:294
274                  } else {
275                      $data['status']              = array();
276                      $data['status']['http_code'] = $status['http_code'];
277                  }
278  
279                  // Set the JSON data object contents, decoding it from JSON if possible.
280                  $decoded_json     = json_decode( $contents );
281                  $data['contents'] = str_replace( 'e(window).width()', 'window.innerWidth||e(window).width()', $decoded_json ? $decoded_json : $contents );
282  
283                  // Generate appropriate content-type header.
284  
285                  $is_xhr = isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) ? strtolower( $_SERVER['HTTP_X_REQUESTED_WITH'] ) : 'xmlhttprequest';
286                  header( 'Content-type: application/' . ( $is_xhr ? 'json' : 'x-javascript' ) );
287  
288                  // Get JSONP callback.
289                  $jsonp_callback = $enable_jsonp && isset( $_GET['callback'] ) ? $_GET['callback'] : null;
290  
291                  // Generate JSON/JSONP string
292                  $json = json_encode( $data );
293  
294 print $jsonp_callback ? "$jsonp_callback($json)" : $json;
295 296 }