Project: Wordpress Plugin Ultimate FAQ 1.8.23

Vulnerability: #9252710 (2019-05-24 21:48:11)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _POST
/ultimate-faqs/html/OptionsPage.php:125 (show/hide source)
105  	$UFAQ_Styling_Answer_Margin = get_option("EWD_UFAQ_Styling_Answer_Margin");
106  	$UFAQ_Styling_Answer_Padding = get_option("EWD_UFAQ_Styling_Answer_Padding");
107  	$UFAQ_Styling_Postdate_Font = get_option("EWD_UFAQ_Styling_Postdate_Font");
108  	$UFAQ_Styling_Postdate_Font_Size = get_option("EWD_UFAQ_Styling_Postdate_Font_Size");
109  	$UFAQ_Styling_Postdate_Font_Color = get_option("EWD_UFAQ_Styling_Postdate_Font_Color");
110  	$UFAQ_Styling_Postdate_Margin = get_option("EWD_UFAQ_Styling_Postdate_Margin");
111  	$UFAQ_Styling_Postdate_Padding = get_option("EWD_UFAQ_Styling_Postdate_Padding");
112  	$UFAQ_Styling_Category_Heading_Font = get_option("EWD_UFAQ_Styling_Category_Heading_Font");
113  	$UFAQ_Styling_Category_Heading_Font_Size = get_option("EWD_UFAQ_Styling_Category_Heading_Font_Size");
114  	$UFAQ_Styling_Category_Heading_Font_Color = get_option("EWD_UFAQ_Styling_Category_Heading_Font_Color");
115  	$UFAQ_Styling_Category_Font = get_option("EWD_UFAQ_Styling_Category_Font");
116  	$UFAQ_Styling_Category_Font_Size = get_option("EWD_UFAQ_Styling_Category_Font_Size");
117  	$UFAQ_Styling_Category_Font_Color = get_option("EWD_UFAQ_Styling_Category_Font_Color");
118  	$UFAQ_Styling_Category_Margin = get_option("EWD_UFAQ_Styling_Category_Margin");
119  	$UFAQ_Styling_Category_Padding = get_option("EWD_UFAQ_Styling_Category_Padding");
120  
121  	$UFAQ_Styling_Category_Heading_Type = get_option("EWD_UFAQ_Styling_Category_Heading_Type");
122  	$UFAQ_Styling_FAQ_Heading_Type = get_option("EWD_UFAQ_Styling_FAQ_Heading_Type");
123  	$Toggle_Symbol = get_option("EWD_UFAQ_Toggle_Symbol");
124  
125 if (isset($_POST['Display_Tab'])) {$Display_Tab = $_POST['Display_Tab'];}
126 else {$Display_Tab = "";} 127 ?>
Threat level 2

Callstack:

@INLINE::/ultimate-faqs/html/OptionsPage.php /ultimate-faqs/html/OptionsPage.php:146 (show/hide source)
126  	else {$Display_Tab = "";}
127  ?>
128  <div class="wrap ufaq-options-page-tabbed">
129  	<div class="ufaq-options-submenu-div">
130  		<ul class="ufaq-options-submenu ufaq-options-page-tabbed-nav">
131  			<li><a id="Basic_Menu" class="MenuTab options-subnav-tab <?php if ($Display_Tab == '' or $Display_Tab == 'Basic') {echo 'options-subnav-tab-active';}?>" onclick="ShowOptionTab('Basic');">Basic</a></li>
132  			<li><a id="Premium_Menu" class="MenuTab options-subnav-tab <?php if ($Display_Tab == 'Premium') {echo 'options-subnav-tab-active';}?>" onclick="ShowOptionTab('Premium');">Premium</a></li>
133  			<li><a id="Order_Menu" class="MenuTab options-subnav-tab <?php if ($Display_Tab == 'Order') {echo 'options-subnav-tab-active';}?>" onclick="ShowOptionTab('Order');">Ordering</a></li>
134  			<li><a id="Fields_Menu" class="MenuTab options-subnav-tab <?php if ($Display_Tab == 'Fields') {echo 'options-subnav-tab-active';}?>" onclick="ShowOptionTab('Fields');">Fields</a></li>
135  			<li><a id="Labelling_Menu" class="MenuTab options-subnav-tab <?php if ($Display_Tab == 'Labelling') {echo 'options-subnav-tab-active';}?>" onclick="ShowOptionTab('Labelling');">Labelling</a></li>
136  			<li><a id="Styling_Menu" class="MenuTab options-subnav-tab <?php if ($Display_Tab == 'Styling') {echo 'options-subnav-tab-active';}?>" onclick="ShowOptionTab('Styling');">Styling</a></li>
137  		</ul>
138  	</div>
139  
140  
141  <div class="ufaq-options-page-tabbed-content">
142  
143  <form method="post" action="admin.php?page=EWD-UFAQ-Options&DisplayPage=Options&Action=EWD_UFAQ_UpdateOptions">
144  <?php wp_nonce_field( 'EWD_UFAQ_Save_Options', 'EWD_UFAQ_Save_Options_Nonce' );  ?>
145  
146 <input type='hidden' name='Display_Tab' value='<?php echo $Display_Tab; ?>' />
147 148 <div id='Basic' class='ufaq-option-set<?php echo ( ($Display_Tab == '' or $Display_Tab == 'Basic') ? '' : ' ufaq-hidden' ); ?>'>