Project: Wordpress Plugin Experitus Booking Form 0.4

Vulnerability: #6956607 (2017-12-07 12:52:10)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _SERVER
/experitus-form/includes/views/form.php:28 (show/hide source)
8  
9  <div id="experitus_request_container">
10  	<script src="https://www.google.com/recaptcha/api.js" async defer></script>
11  	<?php $this->render('_notifications'); ?>
12  	
13  	<div style="display: none;" id="expertus-form-data"
14  		data-alias=<?= $this->options['connection_data']['company_alias']; ?>
15  		<?php if ( $this->payment_method ): ?>
16  			data-pay="1"
17  			<?= isset( $this->options['payments_data']['payment_type'] ) ? 'data-payment-type="'.$this->options['payments_data']['payment_type'].'"' : '' ?>
18  			<?= $this->payment_method == 'stripe' ? 'data-stripe-key="'.$this->options['payments_data']['stripe_public_key'].'"' : ''; ?>
19  			<?= isset( $this->options['payments_data']['prices'] ) ? 'data-prices="'.htmlspecialchars( json_encode( $this->options['payments_data']['prices'] ) ).'"' : '' ?>
20  			<?= isset( $this->options['payments_data']['price_types'] ) ? 'data-price-types="'.htmlentities( json_encode( $this->options['payments_data']['price_types'] ) ).'"' : '' ?>
21  			<?= isset( $this->options['payments_data']['deposits'] ) ? 'data-deposits="'.htmlentities( json_encode( $this->options['payments_data']['deposits'] ) ).'"' : '' ?>
22  			<?= isset( $this->options['payments_data']['currency'] ) ? 'data-currency="'.$this->options['payments_data']['currency'].'"' : '' ?>
23  		<?php else: ?>
24  			data-pay="0"
25  		<?php endif; ?>></div>
26  		
27  	
28 <form id="experitus_request_form" action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>" method="post">
29 <?php wp_nonce_field( 'experitus_order_request', 'experitus_non_ce' ); ?> 30
Threat level 0

Callstack:

@INLINE::/experitus-form/includes/views/form.php /experitus-form/includes/views/form.php:28 (show/hide source)
8  
9  <div id="experitus_request_container">
10  	<script src="https://www.google.com/recaptcha/api.js" async defer></script>
11  	<?php $this->render('_notifications'); ?>
12  	
13  	<div style="display: none;" id="expertus-form-data"
14  		data-alias=<?= $this->options['connection_data']['company_alias']; ?>
15  		<?php if ( $this->payment_method ): ?>
16  			data-pay="1"
17  			<?= isset( $this->options['payments_data']['payment_type'] ) ? 'data-payment-type="'.$this->options['payments_data']['payment_type'].'"' : '' ?>
18  			<?= $this->payment_method == 'stripe' ? 'data-stripe-key="'.$this->options['payments_data']['stripe_public_key'].'"' : ''; ?>
19  			<?= isset( $this->options['payments_data']['prices'] ) ? 'data-prices="'.htmlspecialchars( json_encode( $this->options['payments_data']['prices'] ) ).'"' : '' ?>
20  			<?= isset( $this->options['payments_data']['price_types'] ) ? 'data-price-types="'.htmlentities( json_encode( $this->options['payments_data']['price_types'] ) ).'"' : '' ?>
21  			<?= isset( $this->options['payments_data']['deposits'] ) ? 'data-deposits="'.htmlentities( json_encode( $this->options['payments_data']['deposits'] ) ).'"' : '' ?>
22  			<?= isset( $this->options['payments_data']['currency'] ) ? 'data-currency="'.$this->options['payments_data']['currency'].'"' : '' ?>
23  		<?php else: ?>
24  			data-pay="0"
25  		<?php endif; ?>></div>
26  		
27  	
28 <form id="experitus_request_form" action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>" method="post">
29 <?php wp_nonce_field( 'experitus_order_request', 'experitus_non_ce' ); ?> 30