Project: Wordpress Plugin Chalet Agent 0.2.9

Vulnerability: #7371212 (2018-01-13 00:21:09)

Warning

This report may contain many false positives or unexploitable findings. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink: PHP::echo
Risk: _POST
/chaletagent/class/main.php:181
161  	 */
162  	public function admin_options ()
163  	{
164  		if (!current_user_can('manage_options'))
165  		{
166  			wp_die(__( 'You do not have sufficient permissions to access this page.' ));
167  		}
168  
169  		// Variables for the field and option names
170  		$hidden_field 	= 'chaletagent_submit_hidden';
171  
172  		// Read in existing option value from database
173  		$saas_account = get_option('chaletagent_saas_account');
174  		//$custom_css = get_option('chaletagent_custom_css');
175  
176  		// See if the user has posted us some information
177  		// If they did, this hidden field will be set to 'Y'
178  		if (isset($_POST[$hidden_field]) && $_POST[$hidden_field] == 'Y')
179  		{
180  			// Read their posted value
181  			$saas_account = $_POST['chaletagent_saas_account'];
182  			//$custom_css = $_POST['chaletagent_custom_css'];
183  
Threat level: 2

Callstack:

ChaletAgent::admin_options /chaletagent/class/main.php:210
190  				<p><strong><?php _e('Settings saved OK!', 'menu-test' ); ?></strong></p>
191  			</div><?php
192  		}
193  
194  		// Now display the settings editing screen
195  		echo '<div class="wrap" style="height: 2000px;">';
196  		echo "<h2>" . __( 'ChaletAgent Settings', 'menu-test' ) . "</h2>";
197  
198  			// Settings form
199  			?>
200  			<p>Please configure the plugin here before use.</p>
201  
202  			<form name="form1" method="post" action="">
203  				<input type="hidden" name="<?php echo $hidden_field; ?>" value="Y">
204  				<?php if (empty($saas_account))
205  				{
206  					echo "<p style='color: #c00; font-weight: bold;'>You must define your account name before you can use the plugin.</p>";
207  				} ?>
208  				<p>
209  					<?php _e("ChaletAgent Account:", 'menu-test' ); ?>
210  					<input type="text" name="chaletagent_saas_account" value="<?php echo $saas_account; ?>" size="20">
211  					<b>.chaletagent.com</b>
212  				</p>