Warning

There are many false positives or unexploitable findings. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _GET
/accelerated-mobile-pages/includes/options/redux-core/inc/class.redux_admin_notices.php:81
61                              // Get user ID
62                              $userid = $current_user->ID;
63  
64                              if ( ! get_user_meta( $userid, 'ignore_' . $notice['id'] ) ) {
65  
66                                  // Check if we are on admin.php.  If we are, we have
67                                  // to get the current page slug and tab, so we can
68                                  // feed it back to WordPress.  Why?  admin.php cannot
69                                  // be accessed without the page parameter.  We add the
70                                  // tab to return the user to the last panel they were
71                                  // on.
72                                  $pageName = '';
73                                  $curTab   = '';
74                                  if ( $pagenow == 'admin.php' || $pagenow == 'themes.php' ) {
75  
76                                      // Get the current page.  To avoid errors, we'll set
77                                      // the redux page slug if the GET is empty.
78                                      $pageName = empty( $_GET['page'] ) ? '&page=' . self::$_parent->args['page_slug'] : '&page=' . esc_attr( $_GET['page'] );
79  
80                                      // Ditto for the current tab.
81                                      $curTab = empty( $_GET['tab'] ) ? '&tab=0' : '&tab=' . esc_attr( $_GET['tab'] );
82                                  }
83
Threat level 2

Callstack:

Redux_Admin_Notices::adminNotices /accelerated-mobile-pages/includes/options/redux-core/inc/class.redux_admin_notices.php:97
77                                      // the redux page slug if the GET is empty.
78                                      $pageName = empty( $_GET['page'] ) ? '&page=' . self::$_parent->args['page_slug'] : '&page=' . esc_attr( $_GET['page'] );
79  
80                                      // Ditto for the current tab.
81                                      $curTab = empty( $_GET['tab'] ) ? '&tab=0' : '&tab=' . esc_attr( $_GET['tab'] );
82                                  }
83  
84                                  global $wp_version;
85                                  // Print the notice with the dismiss link
86                                  if ( version_compare( $wp_version, '4.2', '>' ) ) {
87                                      $output    = "";
88                                      $css_id    = esc_attr( $notice['id'] ) . $pageName . $curTab;
89                                      $css_class = esc_attr( $notice['type'] ) . ' redux-notice notice is-dismissible redux-notice';
90                                      $output .= "<div {$add_style} id='$css_id' class='$css_class'> \n";
91                                      $nonce = wp_create_nonce( $notice['id'] . $userid . 'nonce' );
92                                      $output .= "<input type='hidden' class='dismiss_data' id='" . esc_attr( $notice['id'] ) . $pageName . $curTab . "' value='{$nonce}'> \n";
93                                      $output .= '<p>' . wp_kses_post( $notice['msg'] ) . '</p>';
94                                      $output .= "</div> \n";
95                                      echo $output;
96                                  } else {
97                                      echo '<div ' . $add_style . ' class="' . esc_attr( $notice['type'] ) . ' notice is-dismissable"><p>' . wp_kses_post( $notice['msg'] ) . '&nbsp;&nbsp;<a href="?dismiss=true&amp;id=' . esc_attr( $notice['id'] ) . $pageName . $curTab . '">' . esc_html__( 'Dismiss', 'redux-framework' ) . '</a>.</p></div>';
98                                  }
99                              }