Project: Wordpress Plugin Islamic Content Archive 2.0

Vulnerability: #7371204 (2018-01-13 00:06:11)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _GET
/islamic-content-archive/lib/html_helper.php:54 (show/hide source)
34  		// ====================== Default Attr Start ======================
35  		if (!array_key_exists('id', $attr)) {
36  			$attr['id'] = ucfirst($attr['name']);
37  		}
38  		// ====================== Default Attr End ========================
39  
40  		return $attr;
41  	}
42  
43  	public function Input($type = 'text', $attr = array()) {
44  		$html = '';
45  		$attr = $this -> formateAttr($attr);
46  		$type = strtolower($type);
47  
48  		if (!empty($attr['label'])) {
49  			$html .= sprintf('<label for="%s">%s</label>', $attr['id'], $attr['label']);
50  		}
51  		switch ($type) {
52  			case 'select' :
53  				{
54 $html .= $this ->_select($attr);
55 } 56 break;
Threat level 2

Callstack:

@INLINE::/islamic-content-archive/views/categories.php /islamic-content-archive/views/categories.php:23 (show/hide source)
3  global $categories,$ica_categories_lang;
4  $category_slug = esc_attr($_GET['cat_slug']);
5  
6  $ica_lang = get_option(ICA_Input_SLUG.'language');
7  $link = $ica_categories_lang[$ica_lang][$category_slug]['url'];
8  $jsoncaturl = $ica_categories_lang[$ica_lang][$category_slug]['cat'];
9  $slug = $category_slug.'_'.$ica_lang;
10  $cat_options = $Html->categoryFromTransient($jsoncaturl,$slug);
11  ?>
12  <div class="category-head">
13  	<table width="100%">
14  		<tr>
15  			<td width="80px"><span class="category-logo"><?php echo ica_cat_logo($category_slug,array('width'=>'80px','class'=>$category_slug)) ?></span></td>
16  			<td><h1 class="category-title"><a target="_blank" href="<?php echo $link; ?>"><?php echo $this->getLang($category_slug); ?></a></h1></td>
17  		</tr>
18  	</table>
19  
20  </div>
21  <hr />
22  <?php
23 echo $Html->Input('checkbox',array('name'=>'category_'.$ica_lang.'_'.$category_slug.'[]','options'=>$cat_options));
24 ?>