Warning

Many of these findings are false positives or unexploitable. Build a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _GET
/accelerated-mobile-pages/includes/options/redux-core/inc/class.redux_admin_notices.php:92
72                                  $pageName = '';
73                                  $curTab   = '';
74                                  if ( $pagenow == 'admin.php' || $pagenow == 'themes.php' ) {
75  
76                                      // Get the current page.  To avoid errors, we'll set
77                                      // the redux page slug if the GET is empty.
78                                      $pageName = empty( $_GET['page'] ) ? '&amp;page=' . self::$_parent->args['page_slug'] : '&amp;page=' . esc_attr( $_GET['page'] );
79  
80                                      // Ditto for the current tab.
81                                      $curTab = empty( $_GET['tab'] ) ? '&amp;tab=0' : '&amp;tab=' . esc_attr( $_GET['tab'] );
82                                  }
83  
84                                  global $wp_version;
85                                  // Print the notice with the dismiss link
86                                  if ( version_compare( $wp_version, '4.2', '>' ) ) {
87                                      $output    = "";
88                                      $css_id    = esc_attr( $notice['id'] ) . $pageName . $curTab;
89                                      $css_class = esc_attr( $notice['type'] ) . ' redux-notice notice is-dismissible redux-notice';
90                                      $output .= "<div {$add_style} id='$css_id' class='$css_class'> \n";
91                                      $nonce = wp_create_nonce( $notice['id'] . $userid . 'nonce' );
92                                      $output .= "<input type='hidden' class='dismiss_data' id='" . esc_attr( $notice['id'] ) . $pageName . $curTab . "' value='{$nonce}'> \n";
93                                      $output .= '<p>' . wp_kses_post( $notice['msg'] ) . '</p>';
94                                      $output .= "</div> \n";
Threat level 2

Callstack:

Redux_Admin_Notices::adminNotices /accelerated-mobile-pages/includes/options/redux-core/inc/class.redux_admin_notices.php:95
75  
76                                      // Get the current page.  To avoid errors, we'll set
77                                      // the redux page slug if the GET is empty.
78                                      $pageName = empty( $_GET['page'] ) ? '&amp;page=' . self::$_parent->args['page_slug'] : '&amp;page=' . esc_attr( $_GET['page'] );
79  
80                                      // Ditto for the current tab.
81                                      $curTab = empty( $_GET['tab'] ) ? '&amp;tab=0' : '&amp;tab=' . esc_attr( $_GET['tab'] );
82                                  }
83  
84                                  global $wp_version;
85                                  // Print the notice with the dismiss link
86                                  if ( version_compare( $wp_version, '4.2', '>' ) ) {
87                                      $output    = "";
88                                      $css_id    = esc_attr( $notice['id'] ) . $pageName . $curTab;
89                                      $css_class = esc_attr( $notice['type'] ) . ' redux-notice notice is-dismissible redux-notice';
90                                      $output .= "<div {$add_style} id='$css_id' class='$css_class'> \n";
91                                      $nonce = wp_create_nonce( $notice['id'] . $userid . 'nonce' );
92                                      $output .= "<input type='hidden' class='dismiss_data' id='" . esc_attr( $notice['id'] ) . $pageName . $curTab . "' value='{$nonce}'> \n";
93                                      $output .= '<p>' . wp_kses_post( $notice['msg'] ) . '</p>';
94                                      $output .= "</div> \n";
95                                      echo $output;
96                                  } else {
97                                      echo '<div ' . $add_style . ' class="' . esc_attr( $notice['type'] ) . ' notice is-dismissable"><p>' . wp_kses_post( $notice['msg'] ) . '&nbsp;&nbsp;<a href="?dismiss=true&amp;id=' . esc_attr( $notice['id'] ) . $pageName . $curTab . '">' . esc_html__( 'Dismiss', 'redux-framework' ) . '</a>.</p></div>';
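Triage of the finding above, added here as an example and not taken from Redux, the AMP plugin or the scanner. The two request-controlled values, $_GET['page'] and $_GET['tab'], pass through esc_attr() on lines 78 and 81 before being concatenated into the single-quoted id attribute on line 92 (and into the href query string on line 97 in the pre-4.2 branch). esc_attr() entity-encodes ' " < > and &, so nothing in the value can terminate a quoted attribute, which makes this the kind of finding the warning at the top is about unless a PoC shows otherwise. The script rebuilds the line-92 markup with an approximation of esc_attr() (Python's html.escape; WordPress's _wp_specialchars() differs only in the apostrophe entity it emits and in not double-encoding existing entities), pushes attribute-breakout payloads through it as page= and tab=, and tokenizes the result to check whether the payload ever leaves the attribute. The escape=False path, the nonce value and the page_slug default are placeholders introduced for contrast and are not from the plugin.

```python
"""Offline triage of the Redux admin-notice finding: can a page= or tab=
payload leave the single-quoted id='...' attribute written on line 92?
Added example; not code from Redux, the AMP plugin or the scanner."""
import html
from html.parser import HTMLParser


def php_empty(value: str) -> bool:
    """PHP empty() on a GET string: '' and '0' are both empty."""
    return value in ("", "0")


def esc_attr(value: str) -> str:
    """Approximation of WordPress esc_attr() (_wp_specialchars with ENT_QUOTES).
    WP emits &#039; for the apostrophe, normalised here; WP also leaves existing
    entities alone, which only makes its output more permissive in a way that
    does not affect attribute-boundary tokenization."""
    return html.escape(value, quote=True).replace("&#x27;", "&#039;")


def render_dismiss_input(notice_id, page, tab, *, nonce="f00dface12",
                         page_slug="redux_options", escape=True):
    """Rebuild what lines 78, 81 and 92 of class.redux_admin_notices.php emit.
    escape=False is a hypothetical unescaped variant (what a taint scanner
    effectively assumes) kept for contrast; nonce and page_slug are placeholders."""
    enc = esc_attr if escape else (lambda s: s)
    page_name = "&amp;page=" + (page_slug if php_empty(page) else enc(page))
    cur_tab = "&amp;tab=" + ("0" if php_empty(tab) else enc(tab))
    return ("<input type='hidden' class='dismiss_data' id='"
            + esc_attr(notice_id) + page_name + cur_tab
            + "' value='" + nonce + "'> \n")


class _TagCollector(HTMLParser):
    """Records each start tag and its attribute names, in source order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


EXPECTED_ATTRS = ["type", "class", "id", "value"]  # exactly what line 92 writes


def attribute_breakout(markup: str) -> bool:
    """True when the fragment tokenizes to anything other than one <input>
    carrying exactly the four expected attributes, i.e. the payload closed the
    id='...' value and smuggled in a new attribute or tag."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    if len(collector.tags) != 1:
        return True
    tag, attr_names = collector.tags[0]
    return tag != "input" or attr_names != EXPECTED_ATTRS


PAYLOADS = [  # constructed attribute-breakout attempts, supplied as ?page= or ?tab=
    "' onmouseover='alert(1)",
    "x' autofocus onfocus='alert(1)' x='",
    "'><script>alert(1)</script>",
    '" onfocus="alert(1)',  # a double quote cannot end a single-quoted value
]


def triage(payloads=PAYLOADS, escape=True):
    """Map each payload to whether it breaks out when sent as page= or as tab=."""
    return {
        p: (attribute_breakout(render_dismiss_input("redux-notice", p, "0", escape=escape))
            or attribute_breakout(render_dismiss_input("redux-notice", "x", p, escape=escape)))
        for p in payloads
    }


if __name__ == "__main__":
    for payload, broke in triage().items():
        print(f"esc_attr: {'BREAKOUT' if broke else 'contained'}  {payload!r}")
    for payload, broke in triage(escape=False).items():
        print(f"raw     : {'BREAKOUT' if broke else 'contained'}  {payload!r}")
```

With escaping in place every payload stays inside the attribute; with the hypothetical unescaped variant the three single-quote payloads break out and the double-quote one still does not, which is the point of checking escaping against the actual output context rather than against a generic taint flow. A real PoC would send the same payloads to wp-admin/admin.php?page=... as a logged-in user and look for the reflected value outside the id attribute in the response.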