Project: Wordpress Plugin Events Calendar Registration 1.7

Vulnerability: #7524894 (2018-02-13 19:17:37)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink PHP::echo
Risk _SERVER
/events-calendar-registration-booking-by-events-plus/eventplus/funx/evrplus_calendar.php:183 (show/hide source)
163          $fut = 1;
164          $p = '';
165          $f = '';
166          while ($past > 0) {
167              $p .= '<option value="';
168  
169              $p .= date("Y", evrplus_time_offset()) - $past;
170              $p .= '"' . evrplus_year_compare(date("Y", evrplus_time_offset()) - $past) . '>';
171              $p .= date("Y", evrplus_time_offset()) - $past . '</option>';
172              $past = $past - 1;
173          }
174          while ($fut < $future) {
175  
176              $f .= '<option value="';
177  
178              $f .= date("Y", evrplus_time_offset()) + $fut;
179              $f .= '"' . evrplus_year_compare(date("Y", evrplus_time_offset()) + $fut) . '>';
180              $f .= date("Y", evrplus_time_offset()) + $fut . '</option>';
181              $fut = $fut + 1;
182          }
183 $calendar_body .= $p;
184 $calendar_body .= '<option value="' . date("Y", evrplus_time_offset()) . '"' . evrplus_year_compare(date("Y", evrplus_time_offset())) . '>' . date("Y", evrplus_time_offset()) . '</option>'; 185 $calendar_body .= $f;
Threat level 0

Callstack:

@FUNCTION::evrplus_display_calendar /events-calendar-registration-booking-by-events-plus/eventplus/funx/evrplus_calendar.php:282 (show/hide source)
262                  $i++;
263                  $category_id = $row['id'];
264                  $category_name = $row['category_name'];
265                  $category_identifier = $row['category_identifier'];
266                  $category_desc = $row['category_desc'];
267                  $display_category_desc = $row['display_desc'];
268                  $category_color = $row['category_color'];
269                  $font_color = $row['font_color'];
270                  if ($i % 8 != 0) {
271                      $calendar_body .= '<td colspan="1" style="background-color:' . $category_color . ';font-size:0.9em; color:' . $font_color . '; ">' . $category_name . '</td>';
272                  } else {
273                      $calendar_body.='</tr><tr><td colspan="1" style="background-color:' . $category_color . ';font-size:0.9em; color:' . $font_color . '; ">' . $category_name . '</td>';
274                  }
275              }
276          }
277      }
278  
279      $calendar_body .= '</table>';
280      //$calendar_body .= evrplus_colorbox_cal_content($grabbed_events_popup);
281  
282 echo $calendar_body;
283 284 do_action('wpeventslite_powered_by');
@FUNCTION::evrplus_calendar_replace /events-calendar-registration-booking-by-events-plus/eventplus/funx/evrplus_calendar.php:28 (show/hide source)
8  $evrplus_date_format = EventPlus_Helpers_Funx::getDateFormat();
9  
10  
11  /* * **Function to return a prefix which will allow the correct , placement of arguments into the query string. ** */
12  
13  /* * ***************************** Display the Calendar in a page ************************* */
14  
15  function evrplus_calendar_replace($content) {
16      if (preg_match('[PLUS_CALENDAR:([A-Za-z])\w+]', $content, $matches)) {
17          $evr = $matches[0];
18          $pos = strpos($evr, ':');
19          $cat = substr($evr, $pos + 1);
20          ob_start();
21  
22          evrplus_display_calendar($cat); //function with main content
23          $buffer = ob_get_contents();
24          ob_end_clean();
25          $content = str_replace('[PLUS_CALENDAR:' . $cat . ']', $buffer, $content);
26      } elseif (preg_match('[PLUS_CALENDAR]', $content)) {
27          ob_start();
28 evrplus_display_calendar(); //function with main content
29 $buffer = ob_get_contents(); 30 ob_end_clean();