Project: Wordpress Plugin VerticalResponse Newsletter Widget 1.6

Vulnerability: #7524898 (2018-02-13 19:17:43)

Warning

There are many false positives, or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _POST
/vertical-response-newsletter-widget/vertical-response-widget.php:259
239  			'button_bg_color'=>'#c0c0c0',
240  			'button_font_color'=>'#333333',
241  			'border_width'=>'1',
242  #			'legend' => '',
243  		);
244  		
245  	}
246  	if ($_POST['vr_form_submit']) {
247  		$options['title']=strip_tags($_POST["vr_form_title"]);
248  		$options['code']=strip_tags($_POST["vr_form_code"]);
249  #		$options['legend']=strip_tags(stripslashes($_POST["vr_form_legend"]));
250  		$options['showlegend']=strip_tags($_POST["vr_display_legend"]);
251  		$options['preface']=strip_tags($_POST["vr_form_preface"]);
252  		$options['button']=strip_tags($_POST["vr_form_button"]);
253  		$options['wrap']=strip_tags($_POST["vr_form_wrap"]);
254  		$options['defaultstyle'] = strip_tags($_POST["vr_defaultstyle"]);
255  		$options['showname'] = strip_tags($_POST["vr_showname"]);
256  		$options['required'] = strip_tags($_POST["vr_required"]);
257  		$options['show_vr_code'] = strip_tags($_POST["vr_show_vr_code"]);
258  		$options['credit'] = strip_tags(stripslashes($_POST["vr_credit"]));
259  		$options['border_color'] = strip_tags(stripslashes($_POST["vr_border_color"]));
260  		$options['bg_color'] = strip_tags(stripslashes($_POST["vr_bg_color"]));
261  		$options['font_color'] = strip_tags(stripslashes($_POST["vr_font_color"]));
Threat level 2

Callstack:

@FUNCTION::widget_vr_options /vertical-response-newsletter-widget/vertical-response-widget.php:350
330  		<label for="vr_style_yes">Yes
331  		</label>
332  		  <input type="radio" id="vr_defaultstyle_yes" name="vr_defaultstyle" value="yes" <?php if(htmlspecialchars(stripslashes($options['defaultstyle'])) == 'yes' || htmlspecialchars(stripslashes($options['defaultstyle'])) == '') { echo 'checked="checked"';}; ?> />
333  		<label for="vr_style_no">No
334  		</label>
335  		  <input type="radio" id="vr_style_no" name="vr_defaultstyle" value="no" <?php if(htmlspecialchars(stripslashes($options['defaultstyle'])) == 'no') { echo 'checked="checked"';}; ?> />
336  		<br />
337  	<br />
338  		<fieldset>
339  		<legend><strong style="font-size:110%">Form Style &amp; Colors</strong></legend>
340  		If you know the <a href="http://en.wikipedia.org/wiki/List_of_colors" target="_blank" title="Go to a Wikipedia article with a list of colors. Opens in new window.">HEX value</a> or <a href="http://en.wikipedia.org/wiki/X11_color_names#Color_names_identical_between_X11_and_HTML.2FCSS" title="Go to a Wikipedia article with a list of X11 colors. Opens in new window.">X11 value</a> for the colors you want your widget to be, enter them below. Ex: <code>#3a3a3a</code>, <code>F4C2C2</code>, <code>blue</code> or <code>darkblue</code>.
341  		<br />
342  		<label for="vr_bg_color"><strong><?php _e('Background Color:'); ?></strong><br />
343  		  Change the widget's background color.
344  		</label>
345  		  <input style="width: 100%; margin-bottom:1em;" id="vr_bg_color" name="vr_bg_color" type="text" value="<?php echo htmlspecialchars(stripslashes($options['bg_color'])); ?>" />
346  		   <br /> 
347  		 <label for="vr_border_color"><strong><?php _e('Border Color:'); ?></strong><br />
348  		  Change the widget's border color.
349  		</label>
350  		  <input style="width: 100%; margin-bottom:1em;" id="vr_border_color" name="vr_border_color" type="text" value="<?php echo htmlspecialchars(stripslashes($options['border_color'])); ?>" />
351  		   <br />
352  