Project: Wordpress Plugin Search Engine 0.5.9

Vulnerability: #7989846 (2018-04-16 16:09:10)

Warning

There are many false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _GET
/search-engine/search-engine.php:1195 (show/hide source)
1175          if ( $pagination != 1 )
1176              $pagination = 0;
1177          $result_infobar = $atts[ 'result_infobar' ];
1178          if ( $result_infobar != 1 )
1179              $result_infobar = 0;
1180          $result_url = $atts[ 'result_url' ];
1181          if ( $result_url != 1 )
1182              $result_url = 0;
1183          $output = $atts[ 'output' ];
1184          if ( $output != 1 )
1185              $output = 0;
1186          $return_search = $atts[ 'return_search' ];
1187          if ( $return_search != 1 )
1188              $return_search = 0;
1189      }
1190      if(empty($site_ids)&&empty($template_ids))
1191          return;
1192      include_once SEARCH_ENGINE_DIR.'/classes/Search.class.php';
1193      $query = '';
1194      if(!wp_style_is('search-engine')&&isset($_GET['q']))
1195 $query = stripslashes($_GET['q']);
1196 elseif(isset($_GET['s'])) 1197 $query = stripslashes($_GET['s']);
Threat level 2

Note: in the callstack excerpt below, `$query` reaches `echo` at line 1223 only through `htmlentities($query, ENT_COMPAT, get_bloginfo('charset'))` inside a double-quoted attribute value, so that particular `_GET` → `echo` path is escaped at the sink; verify the remaining uses of `$query` in the full source before treating this finding as exploitable.

Callstack:

@FUNCTION::search_engine_content /search-engine/search-engine.php:1223 (show/hide source)
1203      $results = $search->search_build_query($query);
1204      if($search->page==1)
1205      {
1206          $elapsed = timer_stop(0,0);
1207          $api = new Search_Engine_API();
1208          $params = array('query'=>$query,'time'=>$time,'elapsed'=>$elapsed,'results'=>$search->total_results);
1209          $api->log_query($params);
1210      }
1211      if ( 1 == $output ) {
1212          if(!wp_style_is('search-engine')&&!isset($search_engine['css_output'])&&$css==1&&!defined('SEARCH_ENGINE_CUSTOM_CSS'))
1213          {
1214              $search_engine['css_output'] =1;
1215  ?>
1216  <link rel="stylesheet" type="text/css" href="<?php echo SEARCH_ENGINE_URL.'/assets/style.css'; ?>" />
1217  <?php
1218          }
1219  ?>
1220  <div id="search_engine_Area">
1221  <?php if ( 1 == $form ) { ?>
1222  <form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="get">
1223 <input name="<?php echo (!wp_style_is('search-engine')?'q':'s'); ?>" type="text" size="41" class="search_engine_Box" value="<?php echo htmlentities($query,ENT_COMPAT,get_bloginfo('charset')); ?>" />
1224 <input type="submit" value="Search" class="search_engine_Button" /><?php if(defined('SEARCH_ENGINE_ADVANCED_URL')){ ?><br /><br /><?php if(defined('SEARCH_ENGINE_ADVANCED_HTML')){ echo SEARCH_ENGINE_ADVANCED_HTML; }else{ ?> 1225 <a href="<?php echo SEARCH_ENGINE_ADVANCED_URL; ?>" class="search_engine_Advanced"><?php if(defined('SEARCH_ENGINE_ADVANCED_TEXT')){ echo SEARCH_ENGINE_ADVANCED_TEXT; }else{ ?>Go to Advanced Search<?php } ?></a><?php }} ?>