Project: Wordpress Plugin Experitus Booking Form 0.4

Vulnerability: #6956619 (2017-12-07 12:52:10)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _POST
/experitus-form/includes/views/form.php:3 (show/hide source)
1  <?php function get_input_value($attribute) {
2  	if ( isset( $_POST['Request'][$attribute] ) )
3 return $_POST['Request'][$attribute];
4 if ( isset( $_POST['RequestItem'][0][$attribute] ) ) 5 return $_POST['RequestItem'][0][$attribute];
Threat level 2

Callstack:

@INLINE::/experitus-form/includes/views/form.php /experitus-form/includes/views/form.php:118 (show/hide source)
98  					<div class="experitus_request_field <?= $data['required'] ? 'is-required' : ''; ?>" id="experitus_request_item_0_field_<?php echo $attribute; ?>">
99  						<?php if ( !isset( $data['type'] ) || $data['type'] != 'checkbox' ): ?>
100  							<label for="request_item_0_<?php echo $attribute; ?>"><?php echo $data['label']; ?></label>
101  						<?php endif; ?>
102  					
103  						<?php if ( $attribute == 'comments' ): ?>
104  							<textarea class="request_item_<?php echo $attribute; ?>" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]"><?php echo get_input_value($attribute); ?></textarea>
105  						
106  						<?php elseif ( $attribute == 'inventory_id' ): ?>
107  							<select class="request_item_<?php echo $attribute; ?>" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]">
108  								<option value=""></option>
109  								<?php foreach( $this->options['request_items'] as $id => $item): ?>
110  									<option value="<?php echo $id; ?>" <?php echo $id == get_input_value($attribute) ? 'selected="selected"' : ''; ?>><?php echo $item; ?></option>
111  								<?php endforeach; ?>
112  							</select>
113  						
114  						<?php elseif ( $attribute == 'date' ): ?>
115  							<input class="request_item_<?php echo $attribute; ?>" value="<?php echo get_input_value($attribute); ?>" type="text" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]" data-block-dates="<?php echo $this->options['block_dates'] ? $this->options['block_dates'] : ''; ?>" />
116  						
117  						<?php elseif ( isset( $data['type'] ) && $data['type'] == 'text_area' ): ?>
118 <textarea class="request_item_<?php echo $attribute; ?>" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]"><?php echo get_input_value($attribute); ?></textarea>
119 120 <?php elseif ( isset( $data['type'] ) && $data['type'] == 'checkbox' ): ?>