Project: Wordpress Plugin VerticalResponse Newsletter Widget 1.6

Vulnerability: #7524903 (2018-02-13 19:17:43)

Warning

Many reported findings are false positives or unexploitable vulnerabilities. Please build a working proof-of-concept ("PoC") exploit before reporting anything to the vendor!

Details:

Sink: PHP::echo
Risk: _POST
/vertical-response-newsletter-widget/vertical-response-widget.php:265
245  	}
246  	if ($_POST['vr_form_submit']) {
247  		$options['title']=strip_tags($_POST["vr_form_title"]);
248  		$options['code']=strip_tags($_POST["vr_form_code"]);
249  #		$options['legend']=strip_tags(stripslashes($_POST["vr_form_legend"]));
250  		$options['showlegend']=strip_tags($_POST["vr_display_legend"]);
251  		$options['preface']=strip_tags($_POST["vr_form_preface"]);
252  		$options['button']=strip_tags($_POST["vr_form_button"]);
253  		$options['wrap']=strip_tags($_POST["vr_form_wrap"]);
254  		$options['defaultstyle'] = strip_tags($_POST["vr_defaultstyle"]);
255  		$options['showname'] = strip_tags($_POST["vr_showname"]);
256  		$options['required'] = strip_tags($_POST["vr_required"]);
257  		$options['show_vr_code'] = strip_tags($_POST["vr_show_vr_code"]);
258  		$options['credit'] = strip_tags(stripslashes($_POST["vr_credit"]));
259  		$options['border_color'] = strip_tags(stripslashes($_POST["vr_border_color"]));
260  		$options['bg_color'] = strip_tags(stripslashes($_POST["vr_bg_color"]));
261  		$options['font_color'] = strip_tags(stripslashes($_POST["vr_font_color"]));
262  		$options['label_color'] = strip_tags(stripslashes($_POST["vr_label_color"]));
263  		$options['button_bg_color'] = strip_tags(stripslashes($_POST["vr_button_bg_color"]));
264  		$options['button_font_color'] = strip_tags(stripslashes($_POST["vr_button_font_color"]));
265 $options['button_border_color'] = strip_tags(stripslashes($_POST["vr_button_border_color"]));
266 $options['border_width'] = strip_tags(stripslashes($_POST["vr_border_width"])); 267 update_option('widget_vr', $options);
Threat level 2

Callstack:

@FUNCTION::widget_vr_options /vertical-response-newsletter-widget/vertical-response-widget.php:405
385  		  Change the color of widget labels (next to input fields).
386  		</label>
387  		  <input style="width: 100%; margin-bottom:1em;" id="vr_label_color" name="vr_label_color" type="text" value="<?php echo htmlspecialchars(stripslashes($options['label_color'])); ?>" />
388  		  
389  		  <br /> 
390  		 <label for="vr_button_bg_color"><strong><?php _e('Button Color:'); ?></strong><br />
391  		 Change the color of the button's background.
392  		</label>
393  		  <input style="width: 100%; margin-bottom:1em;" id="vr_button_bg_color" name="vr_button_bg_color" type="text" value="<?php echo htmlspecialchars(stripslashes($options['button_bg_color'])); ?>" />
394  		  
395  		  <br /> 
396  		 <label for="vr_button_font_color"><strong><?php _e('Button Text Color:'); ?></strong><br />
397  		  Change the color for the button's text.
398  		</label>
399  		  <input style="width: 100%; margin-bottom:1em;" id="vr_button_font_color" name="vr_button_font_color" type="text" value="<?php echo htmlspecialchars(stripslashes($options['button_font_color'])); ?>" />
400  		  
401  		   <br /> 
402  		 <label for="vr_button_border_color"><strong><?php _e('Button Border Color:'); ?></strong><br />
403  		  Change the color of the button's border.
404  		</label>
405 <input style="width: 100%; margin-bottom:1em;" id="vr_button_border_color" name="vr_button_border_color" type="text" value="<?php echo htmlspecialchars(stripslashes($options['button_border_color'])); ?>" />
406 </fieldset> 407