Project: Wordpress Plugin Experitus Booking Form 0.4

Vulnerability: #6956622 (2017-12-07 12:52:10)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _POST
/experitus-form/includes/views/form.php:5 (show/hide source)
1  <?php function get_input_value($attribute) {
2  	if ( isset( $_POST['Request'][$attribute] ) )
3  		return $_POST['Request'][$attribute];
4  	if ( isset( $_POST['RequestItem'][0][$attribute] ) )
5 return $_POST['RequestItem'][0][$attribute];
6 return ''; 7 } ?>
Threat level 2

Callstack:

@INLINE::/experitus-form/includes/views/form.php /experitus-form/includes/views/form.php:125 (show/hide source)
105  						
106  						<?php elseif ( $attribute == 'inventory_id' ): ?>
107  							<select class="request_item_<?php echo $attribute; ?>" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]">
108  								<option value=""></option>
109  								<?php foreach( $this->options['request_items'] as $id => $item): ?>
110  									<option value="<?php echo $id; ?>" <?php echo $id == get_input_value($attribute) ? 'selected="selected"' : ''; ?>><?php echo $item; ?></option>
111  								<?php endforeach; ?>
112  							</select>
113  						
114  						<?php elseif ( $attribute == 'date' ): ?>
115  							<input class="request_item_<?php echo $attribute; ?>" value="<?php echo get_input_value($attribute); ?>" type="text" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]" data-block-dates="<?php echo $this->options['block_dates'] ? $this->options['block_dates'] : ''; ?>" />
116  						
117  						<?php elseif ( isset( $data['type'] ) && $data['type'] == 'text_area' ): ?>
118  							<textarea class="request_item_<?php echo $attribute; ?>" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]"><?php echo get_input_value($attribute); ?></textarea>
119  						
120  						<?php elseif ( isset( $data['type'] ) && $data['type'] == 'checkbox' ): ?>
121  							<input class="request_item_<?php echo $attribute; ?>" type="checkbox" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]" <?php echo get_input_value($attribute) ? 'checked="checked"' : ''; ?> />
122  							<label for="request_item_0_<?php echo $attribute; ?>"><?php echo $data['label']; ?></label>
123  						
124  						<?php else: ?>
125 <input class="request_item_<?php echo $attribute; ?>" value="<?php echo get_input_value($attribute); ?>" type="text" id="request_item_0_<?php echo $attribute; ?>" name="RequestItem[0][<?php echo $attribute; ?>]" />
126 127 <?php endif; ?>