Project: Wordpress Plugin Experitus Booking Form 0.4

Vulnerability: #6956609 (2017-12-07 12:52:10)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _GET
/experitus-form/includes/views/form.php:50 (show/hide source)
30  		
31  		<?php foreach( $this->options['request_attributes']['request'] as $category => $categoryAttributes ): ?>
32  			<?php if (!$categoryAttributes) continue; ?>
33  			
34  			<div class="attributes_category" id="<?= $category ?>_category">
35  				<h3>
36  					<?php switch($category) {
37  						case 'customer':
38  							echo __( 'Customer' );
39  							break;
40  						case 'accommodation':
41  							echo __( 'Accommodation' );
42  							break;
43  					} ?>
44  				</h3>
45  				
46  				<?php foreach ($categoryAttributes as $attribute => $data): ?>
47  					
48  					<?php if ( isset( $data['type'] ) && $data['type'] == 'hidden_field' ): ?>
49  						<?php if ( isset( $_GET[$attribute] ) ): ?>
50 <input class="request_<?php echo $attribute; ?>" value="<?php echo $_GET[$attribute]; ?>" type="hidden" id="request_<?php echo $attribute; ?>" name="Request[<?php echo $attribute; ?>]" />
51 <?php endif; ?> 52
Threat level 2

Callstack:

@INLINE::/experitus-form/includes/views/form.php /experitus-form/includes/views/form.php:50 (show/hide source)
30  		
31  		<?php foreach( $this->options['request_attributes']['request'] as $category => $categoryAttributes ): ?>
32  			<?php if (!$categoryAttributes) continue; ?>
33  			
34  			<div class="attributes_category" id="<?= $category ?>_category">
35  				<h3>
36  					<?php switch($category) {
37  						case 'customer':
38  							echo __( 'Customer' );
39  							break;
40  						case 'accommodation':
41  							echo __( 'Accommodation' );
42  							break;
43  					} ?>
44  				</h3>
45  				
46  				<?php foreach ($categoryAttributes as $attribute => $data): ?>
47  					
48  					<?php if ( isset( $data['type'] ) && $data['type'] == 'hidden_field' ): ?>
49  						<?php if ( isset( $_GET[$attribute] ) ): ?>
50 <input class="request_<?php echo $attribute; ?>" value="<?php echo $_GET[$attribute]; ?>" type="hidden" id="request_<?php echo $attribute; ?>" name="Request[<?php echo $attribute; ?>]" />
51 <?php endif; ?> 52