Project: WordPress Plugin Experitus Booking Form 0.4

Vulnerability: #6956610 (2017-12-07 12:52:10)

Warning

Many of the reported findings are false positives or are not exploitable in practice. Please confirm a finding with a working proof of concept ("PoC") before reporting anything to the vendor!

Details:

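Sink: PHP::echo (the value is written into the HTML response)
Risk: _POST (request data supplied by the client; in the listed lines get_input_value() returns it unchanged and the template echoes it without escaping, so the fix is to escape at output, e.g. esc_textarea() inside the textarea and esc_attr() for attribute values)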
/experitus-form/includes/views/form.php:3 (show/hide source)
1  <?php function get_input_value($attribute) {
2  	if ( isset( $_POST['Request'][$attribute] ) )
3 return $_POST['Request'][$attribute];
4 if ( isset( $_POST['RequestItem'][0][$attribute] ) ) 5 return $_POST['RequestItem'][0][$attribute];
Threat level 2

Callstack:

@INLINE::/experitus-form/includes/views/form.php /experitus-form/includes/views/form.php:68 (show/hide source)
48  					<?php if ( isset( $data['type'] ) && $data['type'] == 'hidden_field' ): ?>
49  						<?php if ( isset( $_GET[$attribute] ) ): ?>
50  							<input class="request_<?php echo $attribute; ?>" value="<?php echo $_GET[$attribute]; ?>" type="hidden" id="request_<?php echo $attribute; ?>" name="Request[<?php echo $attribute; ?>]" />
51  						<?php endif; ?>
52  				
53  					<?php else: ?>
54  						<div class="experitus_request_field <?= $data['required'] ? 'is-required' : ''; ?>" id="experitus_request_field_<?php echo $attribute; ?>">
55  							<?php if ( !isset( $data['type'] ) || $data['type'] != 'checkbox' ): ?>
56  								<label for="request_<?php echo $attribute; ?>"><?php echo $data['label']; ?></label>
57  							<?php endif; ?>
58  							
59  							<?php if ( $attribute == 'country' ): ?>
60  								<select class="request_<?php echo $attribute; ?>" id="request_<?php echo $attribute; ?>" name="Request[<?php echo $attribute; ?>]">
61  									<option value=""></option>
62  									<?php foreach( $this->options['countries'] as $code => $country) { ?>
63  										<option value="<?php echo $code; ?>" <?php echo $code == get_input_value($attribute) ? 'selected="selected"' : ''; ?>><?php echo $country; ?></option>
64  									<?php } ?>
65  								</select>
66  							
67  							<?php elseif ( isset( $data['type'] ) && $data['type'] == 'text_area' ): ?>
68 <textarea class="request_<?php echo $attribute; ?>" id="request_<?php echo $attribute; ?>" name="Request[<?php echo $attribute; ?>]"><?php echo get_input_value($attribute); ?></textarea>
69 70 <?php elseif ( isset( $data['type'] ) && $data['type'] == 'checkbox' ): ?>