Project: Wordpress Plugin Experitus Booking Form 0.4

Vulnerability: #6956613 (2017-12-07 12:52:10)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _POST
/experitus-form/includes/views/form.php:5 (show/hide source)
1  <?php function get_input_value($attribute) {
2  	if ( isset( $_POST['Request'][$attribute] ) )
3  		return $_POST['Request'][$attribute];
4  	if ( isset( $_POST['RequestItem'][0][$attribute] ) )
5 return $_POST['RequestItem'][0][$attribute];
6 return ''; 7 } ?>
Threat level 2

Callstack:

@INLINE::/experitus-form/includes/views/form.php /experitus-form/includes/views/form.php:75 (show/hide source)
55  							<?php if ( !isset( $data['type'] ) || $data['type'] != 'checkbox' ): ?>
56  								<label for="request_<?php echo $attribute; ?>"><?php echo $data['label']; ?></label>
57  							<?php endif; ?>
58  							
59  							<?php if ( $attribute == 'country' ): ?>
60  								<select class="request_<?php echo $attribute; ?>" id="request_<?php echo $attribute; ?>" name="Request[<?php echo $attribute; ?>]">
61  									<option value=""></option>
62  									<?php foreach( $this->options['countries'] as $code => $country) { ?>
63  										<option value="<?php echo $code; ?>" <?php echo $code == get_input_value($attribute) ? 'selected="selected"' : ''; ?>><?php echo $country; ?></option>
64  									<?php } ?>
65  								</select>
66  							
67  							<?php elseif ( isset( $data['type'] ) && $data['type'] == 'text_area' ): ?>
68  								<textarea class="request_<?php echo $attribute; ?>" id="request_<?php echo $attribute; ?>" name="Request[<?php echo $attribute; ?>]"><?php echo get_input_value($attribute); ?></textarea>
69  							
70  							<?php elseif ( isset( $data['type'] ) && $data['type'] == 'checkbox' ): ?>
71  								<input class="request_<?php echo $attribute; ?>" type="checkbox" id="request_<?php echo $attribute; ?>" name="Request[<?php echo $attribute; ?>]" <?php echo get_input_value($attribute) ? 'checked="checked"' : ''; ?> />
72  								<label for="request_<?php echo $attribute; ?>"><?php echo $data['label']; ?></label>
73  							
74  							<?php else: ?>
75 <input class="request_<?php echo $attribute; ?>" value="<?php echo get_input_value($attribute); ?>" type="text" id="request_<?php echo $attribute; ?>" name="Request[<?php echo $attribute; ?>]" />
76 77 <?php endif; ?>