Project: Wordpress Plugin Islamic Content Archive 2.0

Vulnerability: #7371209 (2018-01-13 00:06:11)

Warning

Many findings of this kind are false positives or unexploitable. Confirm the issue with a working proof-of-concept (PoC) before reporting anything to the vendor.

Details:

Sink: PHP::echo

Tainted source (risk): _GET

Reported data flow: `$category_slug` is read from `$_GET['cat_slug']` in views/categories.php (line 4, wrapped in `esc_attr()`), used to build the `name` attribute passed to `$Html->Input('checkbox', ...)` at line 23, and reaches the echo sink via the `_checkbox` call in lib/html_helper.php:68. The body of `_checkbox` is not shown here, so whether the `esc_attr()` applied at line 4 is sufficient for the context in which the value is finally emitted cannot be judged from this excerpt alone.
Sink location: /islamic-content-archive/lib/html_helper.php:68
48  		if (!empty($attr['label'])) {
49  			$html .= sprintf('<label for="%s">%s</label>', $attr['id'], $attr['label']);
50  		}
51  		switch ($type) {
52  			case 'select' :
53  				{
54  					$html .= $this ->_select($attr);
55  				}
56  				break;
57  			case 'radio' :
58  				{
59  					$html .= $this -> _radio($attr);
60  				}
61  				break;
62  			case 'textarea' :
63  				{
64  					$html .= sprintf('<textarea  name="%s" id="%s" >%s</textarea>', $type, $attr['name'], $attr['id'], $attr['value']);
65  				}
66  				break;
67  			case 'checkbox' :
68 $html .= $this -> _checkbox($attr);
69 break; 70 default :
Threat level: 2

Callstack:

@INLINE::/islamic-content-archive/views/categories.php — entry point at /islamic-content-archive/views/categories.php:23
3  global $categories,$ica_categories_lang;
4  $category_slug = esc_attr($_GET['cat_slug']);
5  
6  $ica_lang = get_option(ICA_Input_SLUG.'language');
7  $link = $ica_categories_lang[$ica_lang][$category_slug]['url'];
8  $jsoncaturl = $ica_categories_lang[$ica_lang][$category_slug]['cat'];
9  $slug = $category_slug.'_'.$ica_lang;
10  $cat_options = $Html->categoryFromTransient($jsoncaturl,$slug);
11  ?>
12  <div class="category-head">
13  	<table width="100%">
14  		<tr>
15  			<td width="80px"><span class="category-logo"><?php echo ica_cat_logo($category_slug,array('width'=>'80px','class'=>$category_slug)) ?></span></td>
16  			<td><h1 class="category-title"><a target="_blank" href="<?php echo $link; ?>"><?php echo $this->getLang($category_slug); ?></a></h1></td>
17  		</tr>
18  	</table>
19  
20  </div>
21  <hr />
22  <?php
23 echo $Html->Input('checkbox',array('name'=>'category_'.$ica_lang.'_'.$category_slug.'[]','options'=>$cat_options));
24 ?>