Project: WordPress plugin Ultimate Post Type Manager 1.6.9

Vulnerability: #6956606 (2017-12-07 12:25:49)

Warning

There are many false positives or unexploitable findings. Please build a working proof-of-concept (PoC) before reporting anything to the vendor.

Details:

Sink PHP::echo
Risk _GET — at cptcreate.php:259 the value of `$_GET['cptname']` is echoed unescaped into the `value` attribute of a hidden input, so this is a candidate reflected XSS; the WordPress-idiomatic fix is `echo esc_attr($_GET['cptname']);`. The same unescaped `echo` pattern is used for the `$xy_arr` and `$xydac_edit` values on the surrounding lines, though only the `$_GET` sink is flagged here.
/ultimate-post-type-manager/cptcreate.php:259
239  		{?><label for='<?php echo $xy_arr['name'] ?>' style="display:inline;font-weight:bold;"><?php echo $xy_arr['arr_label'] ?></label>
240  			<select id='<?php echo $xy_arr['name']; ?>' name='<?php echo $xy_arr['name'] ?>' class='postform' style="float:right;width:100px;margin-right:5%">
241  				<option value='true' <?php if($xy_arr['default']=='true' && !is_array($xydac_edit)) {echo 'selected';}elseif(is_array($xydac_edit)) { if(count($atemp)==2) {if($xydac_edit[substr($atemp[1],0,-1)]=='true')echo ' Selected';}elseif(count($atemp)==3) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)]=='true')echo ' Selected';} elseif(count($atemp)==4) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)][substr($atemp[3],0,-1)]=='true') echo 'selected'; }}  ?>><?php _e('True','xydac_cpt'); ?></option>
242  				<option value='false' <?php if($xy_arr['default']=='false' && !is_array($xydac_edit)){ echo 'selected';}elseif(is_array($xydac_edit)) { if(count($atemp)==2) {if($xydac_edit[substr($atemp[1],0,-1)]=='false')echo ' Selected';}elseif(count($atemp)==3) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)]=='false')echo ' Selected';} elseif(count($atemp)==4) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)][substr($atemp[3],0,-1)]=='false') echo 'selected';} } ?>><?php _e('False','xydac_cpt'); ?></option>
243  			</select>
244  		<?php } elseif($xy_arr['type']=='array') { ?>
245  			<label for='<?php echo $xy_arr['name'] ?>' style="display:inline;font-weight:bold;"><?php echo $xy_arr['arr_label'] ?></label>
246  			<select id='<?php echo $xy_arr['name']; ?>' name='<?php echo $xy_arr['name'] ?>' class='postform' style="float:right;width:150px;margin-right:5%">
247  				<?php  foreach($xy_arr['values'] as $n=>$c) {   ?>
248  					<option value='<?php echo $n; ?>' <?php if($xy_arr['default']==$n && !is_array($xydac_edit)) {echo 'selected';}elseif(is_array($xydac_edit)) { if(count($atemp)==2) {if($xydac_edit[substr($atemp[1],0,-1)]==$n)echo ' Selected';}elseif(count($atemp)==3) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)]==$n)echo ' Selected';} elseif(count($atemp)==4) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)][substr($atemp[3],0,-1)]==$n) echo 'selected'; }}  ?>><?php echo $c ?></option>
249  					<?php } ?>
250  			</select>
251  		<?php } elseif($xy_arr['type']=='string') { ?><label for='<?php echo $xy_arr['name'] ?>' style="font-weight:bold;"><?php echo $xy_arr['arr_label'] ?></label>
252  			<input type='text' name='<?php echo $xy_arr['name'] ?>' class='name' id='<?php echo $xy_arr['name'] ?>' value="<?php if(is_array($xydac_edit)) { if(count($atemp)==3) echo $xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)]; elseif(count($atemp)==4) echo $xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)][substr($atemp[3],0,-1)]; } ?>"/>
253  		<?php } elseif($xy_arr['type']=='textarea') { ?><label for='<?php echo $xy_arr['name'] ?>' style="font-weight:bold;"><?php echo $xy_arr['arr_label'] ?></label>
254  			<textarea style="height:300px" name='<?php echo $xy_arr['name'] ?>' class='name' id='<?php echo $xy_arr['name'] ?>'> <?php if(is_array($xydac_edit)) {echo $xydac_edit['content_html']; } ?></textarea>
255  		<?php } ?>
256  		<p><?php echo $xy_arr['desc'] ?></p>
257  		</div>
258  		<?php  } } if(is_array($xydac_edit)) {?>
259 <input type="hidden" name="cpt_name" value="<?php if(isset($_GET['cptname'])) echo $_GET['cptname']; ?>">
260 <?php } ?> 261 </div>
Threat level 2

Call stack:

@FUNCTION::cpt_col_left /ultimate-post-type-manager/cptcreate.php:259
239  		{?><label for='<?php echo $xy_arr['name'] ?>' style="display:inline;font-weight:bold;"><?php echo $xy_arr['arr_label'] ?></label>
240  			<select id='<?php echo $xy_arr['name']; ?>' name='<?php echo $xy_arr['name'] ?>' class='postform' style="float:right;width:100px;margin-right:5%">
241  				<option value='true' <?php if($xy_arr['default']=='true' && !is_array($xydac_edit)) {echo 'selected';}elseif(is_array($xydac_edit)) { if(count($atemp)==2) {if($xydac_edit[substr($atemp[1],0,-1)]=='true')echo ' Selected';}elseif(count($atemp)==3) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)]=='true')echo ' Selected';} elseif(count($atemp)==4) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)][substr($atemp[3],0,-1)]=='true') echo 'selected'; }}  ?>><?php _e('True','xydac_cpt'); ?></option>
242  				<option value='false' <?php if($xy_arr['default']=='false' && !is_array($xydac_edit)){ echo 'selected';}elseif(is_array($xydac_edit)) { if(count($atemp)==2) {if($xydac_edit[substr($atemp[1],0,-1)]=='false')echo ' Selected';}elseif(count($atemp)==3) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)]=='false')echo ' Selected';} elseif(count($atemp)==4) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)][substr($atemp[3],0,-1)]=='false') echo 'selected';} } ?>><?php _e('False','xydac_cpt'); ?></option>
243  			</select>
244  		<?php } elseif($xy_arr['type']=='array') { ?>
245  			<label for='<?php echo $xy_arr['name'] ?>' style="display:inline;font-weight:bold;"><?php echo $xy_arr['arr_label'] ?></label>
246  			<select id='<?php echo $xy_arr['name']; ?>' name='<?php echo $xy_arr['name'] ?>' class='postform' style="float:right;width:150px;margin-right:5%">
247  				<?php  foreach($xy_arr['values'] as $n=>$c) {   ?>
248  					<option value='<?php echo $n; ?>' <?php if($xy_arr['default']==$n && !is_array($xydac_edit)) {echo 'selected';}elseif(is_array($xydac_edit)) { if(count($atemp)==2) {if($xydac_edit[substr($atemp[1],0,-1)]==$n)echo ' Selected';}elseif(count($atemp)==3) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)]==$n)echo ' Selected';} elseif(count($atemp)==4) {if($xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)][substr($atemp[3],0,-1)]==$n) echo 'selected'; }}  ?>><?php echo $c ?></option>
249  					<?php } ?>
250  			</select>
251  		<?php } elseif($xy_arr['type']=='string') { ?><label for='<?php echo $xy_arr['name'] ?>' style="font-weight:bold;"><?php echo $xy_arr['arr_label'] ?></label>
252  			<input type='text' name='<?php echo $xy_arr['name'] ?>' class='name' id='<?php echo $xy_arr['name'] ?>' value="<?php if(is_array($xydac_edit)) { if(count($atemp)==3) echo $xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)]; elseif(count($atemp)==4) echo $xydac_edit[substr($atemp[1],0,-1)][substr($atemp[2],0,-1)][substr($atemp[3],0,-1)]; } ?>"/>
253  		<?php } elseif($xy_arr['type']=='textarea') { ?><label for='<?php echo $xy_arr['name'] ?>' style="font-weight:bold;"><?php echo $xy_arr['arr_label'] ?></label>
254  			<textarea style="height:300px" name='<?php echo $xy_arr['name'] ?>' class='name' id='<?php echo $xy_arr['name'] ?>'> <?php if(is_array($xydac_edit)) {echo $xydac_edit['content_html']; } ?></textarea>
255  		<?php } ?>
256  		<p><?php echo $xy_arr['desc'] ?></p>
257  		</div>
258  		<?php  } } if(is_array($xydac_edit)) {?>
259 <input type="hidden" name="cpt_name" value="<?php if(isset($_GET['cptname'])) echo $_GET['cptname']; ?>">
260 <?php } ?> 261 </div>