Warning

This report may contain many false positives or unexploitable findings. Please build a working proof-of-concept ("PoC") exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _GET
/accelerated-mobile-pages/includes/options/redux-core/inc/class.redux_admin_notices.php:92 (show/hide source)
72                                  $pageName = '';
73                                  $curTab   = '';
74                                  if ( $pagenow == 'admin.php' || $pagenow == 'themes.php' ) {
75  
76                                      // Get the current page.  To avoid errors, we'll set
77                                      // the redux page slug if the GET is empty.
78                                      $pageName = empty( $_GET['page'] ) ? '&page=' . self::$_parent->args['page_slug'] : '&page=' . esc_attr( $_GET['page'] );
79  
80                                      // Ditto for the current tab.
81                                      $curTab = empty( $_GET['tab'] ) ? '&tab=0' : '&tab=' . esc_attr( $_GET['tab'] );
82                                  }
83  
84                                  global $wp_version;
85                                  // Print the notice with the dismiss link
86                                  if ( version_compare( $wp_version, '4.2', '>' ) ) {
87                                      $output    = "";
88                                      $css_id    = esc_attr( $notice['id'] ) . $pageName . $curTab;
89                                      $css_class = esc_attr( $notice['type'] ) . ' redux-notice notice is-dismissible redux-notice';
90                                      $output .= "<div {$add_style} id='$css_id' class='$css_class'> \n";
91                                      $nonce = wp_create_nonce( $notice['id'] . $userid . 'nonce' );
92 $output .= "<input type='hidden' class='dismiss_data' id='" . esc_attr( $notice['id'] ) . $pageName . $curTab . "' value='{$nonce}'> \n";
93 $output .= '<p>' . wp_kses_post( $notice['msg'] ) . '</p>'; 94 $output .= "</div> \n";
Threat level 2

Callstack:

Redux_Admin_Notices::adminNotices /accelerated-mobile-pages/includes/options/redux-core/inc/class.redux_admin_notices.php:95 (show/hide source)
75  
76                                      // Get the current page.  To avoid errors, we'll set
77                                      // the redux page slug if the GET is empty.
78                                      $pageName = empty( $_GET['page'] ) ? '&amp;page=' . self::$_parent->args['page_slug'] : '&amp;page=' . esc_attr( $_GET['page'] );
79  
80                                      // Ditto for the current tab.
81                                      $curTab = empty( $_GET['tab'] ) ? '&amp;tab=0' : '&amp;tab=' . esc_attr( $_GET['tab'] );
82                                  }
83  
84                                  global $wp_version;
85                                  // Print the notice with the dismiss link
86                                  if ( version_compare( $wp_version, '4.2', '>' ) ) {
87                                      $output    = "";
88                                      $css_id    = esc_attr( $notice['id'] ) . $pageName . $curTab;
89                                      $css_class = esc_attr( $notice['type'] ) . ' redux-notice notice is-dismissible redux-notice';
90                                      $output .= "<div {$add_style} id='$css_id' class='$css_class'> \n";
91                                      $nonce = wp_create_nonce( $notice['id'] . $userid . 'nonce' );
92                                      $output .= "<input type='hidden' class='dismiss_data' id='" . esc_attr( $notice['id'] ) . $pageName . $curTab . "' value='{$nonce}'> \n";
93                                      $output .= '<p>' . wp_kses_post( $notice['msg'] ) . '</p>';
94                                      $output .= "</div> \n";
95 echo $output;
96 } else { 97 echo '<div ' . $add_style . ' class="' . esc_attr( $notice['type'] ) . ' notice is-dismissable"><p>' . wp_kses_post( $notice['msg'] ) . '&nbsp;&nbsp;<a href="?dismiss=true&amp;id=' . esc_attr( $notice['id'] ) . $pageName . $curTab . '">' . esc_html__( 'Dismiss', 'redux-framework' ) . '</a>.</p></div>';
ReduxFramework::_admin_notices /accelerated-mobile-pages/includes/options/redux-core/framework.php:605 (show/hide source)
585                  if ( ! empty ( $data ) ) {
586                      $this->set_options( $data );
587                  }
588  
589                  wp_redirect( add_query_arg( array(
590                      'page'    => $this->args['page_slug'],
591                      'updated' => 'true'
592                  ), network_admin_url( 'settings.php' ) ) );
593                  exit ();
594              }
595  
public function _update_check() {
    // Run the update check at most once per request: the guard flag lives
    // in $GLOBALS, so it is shared by every instance in this process.
    if ( isset( $GLOBALS['redux_update_check'] ) ) {
        return;
    }

    Redux_Functions::updateCheck( self::$_version );
    $GLOBALS['redux_update_check'] = 1;
}
603  
/**
 * Delegates rendering of this instance's queued notices to
 * Redux_Admin_Notices::adminNotices().
 *
 * NOTE(review): presumably attached to the WordPress `admin_notices`
 * hook — confirm at the add_action() call, which is not shown here.
 */
public function _admin_notices() {
    $notices = $this->admin_notices;
    Redux_Admin_Notices::adminNotices( $notices );
}