Project: Wordpress Plugin Experitus Booking Form 0.4

Vulnerability: #6956616 (2017-12-07 12:52:10)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _POST
/experitus-form/includes/views/form.php:5 (show/hide source)
1  <?php function get_input_value($attribute) {
2  	if ( isset( $_POST['Request'][$attribute] ) )
3  		return $_POST['Request'][$attribute];
4  	if ( isset( $_POST['RequestItem'][0][$attribute] ) )
5 return $_POST['RequestItem'][0][$attribute];
6 return ''; 7 } ?>
Threat level 2

Callstack:

@INLINE::/experitus-form/includes/views/form.php /experitus-form/includes/views/form.php:104 (show/hide source)
84  			</div>
85  			
86  		<?php endforeach; ?>
87  		
88  		<div class="attributes_category" id="<?= $category ?>_category">
89  			<h3><?php echo __( 'Item' ); ?></h3>
90  			<?php foreach ( $this->options['request_attributes']['item'] as $attribute => $data ): ?>
91  				
92  				<?php if ( isset( $data['type'] ) && $data['type'] == 'hidden_field' ): ?>
93  					<?php if ( isset( $_GET[$attribute] ) ): ?>
94  						<input class="request_item_<?php echo $attribute; ?>" value="<?php echo $_GET[$attribute]; ?>" type="hidden" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]" />
95  					<?php endif; ?>
96  				
97  				<?php else: ?>
98  					<div class="experitus_request_field <?= $data['required'] ? 'is-required' : ''; ?>" id="experitus_request_item_0_field_<?php echo $attribute; ?>">
99  						<?php if ( !isset( $data['type'] ) || $data['type'] != 'checkbox' ): ?>
100  							<label for="request_item_0_<?php echo $attribute; ?>"><?php echo $data['label']; ?></label>
101  						<?php endif; ?>
102  					
103  						<?php if ( $attribute == 'comments' ): ?>
104 <textarea class="request_item_<?php echo $attribute; ?>" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]"><?php echo get_input_value($attribute); ?></textarea>
105 106 <?php elseif ( $attribute == 'inventory_id' ): ?>