Project: Wordpress Plugin Search Engine 0.5.9

Vulnerability: #7989849 (2018-04-16 16:09:10)

Warning

There are many false positives and unexploitable findings. Please build a working proof-of-concept (PoC) before reporting anything to the vendor.

Details:

Sink: PHP::echo
Risk (tainted source): _GET
/search-engine/search-engine.php:1197
1177          $result_infobar = $atts[ 'result_infobar' ];
1178          if ( $result_infobar != 1 )
1179              $result_infobar = 0;
1180          $result_url = $atts[ 'result_url' ];
1181          if ( $result_url != 1 )
1182              $result_url = 0;
1183          $output = $atts[ 'output' ];
1184          if ( $output != 1 )
1185              $output = 0;
1186          $return_search = $atts[ 'return_search' ];
1187          if ( $return_search != 1 )
1188              $return_search = 0;
1189      }
1190      if(empty($site_ids)&&empty($template_ids))
1191          return;
1192      include_once SEARCH_ENGINE_DIR.'/classes/Search.class.php';
1193      $query = '';
1194      if(!wp_style_is('search-engine')&&isset($_GET['q']))
1195          $query = stripslashes($_GET['q']);
1196      elseif(isset($_GET['s']))
1197 $query = stripslashes($_GET['s']);
1198 timer_start(); 1199 $search = new Search_Engine_Search($site_ids,$template_ids);
Threat level 2 (note that the only echo of the tainted value shown, at line 1254, passes it through htmlentities() first, so verify exploitability before reporting)

Callstack:

@FUNCTION::search_engine_content /search-engine/search-engine.php:1254
1234  <div class="search_engine_InfoBar">
1235  <?php
1236              }
1237              if ( $search->total_results < count( $results ) && 0 < count( $results ) )
1238                  $search->total_results = count( $results );
1239              $search->total_pages = ceil($search->total_results / $search->results_per_page);
1240              $search->begin = ($search->results_per_page*$search->page)-($search->results_per_page-1);
1241              $search->end = ($search->total_pages==$search->page?$search->total_results:($search->results_per_page*$search->page));
1242              $request_uri = $_SERVER['REQUEST_URI'];
1243              $explode = explode('?',$request_uri);
1244              $explode = @end($explode);
1245              parse_str($explode,$replace);
1246              if(isset($replace['pg']))
1247                  unset($replace['pg']);
1248              if(isset($replace['submit']))
1249                  unset($replace['submit']);
1250              $replace = http_build_query($replace);
1251              $request_uri = str_replace($explode,$replace,$request_uri).'&';
1252              if ( 1 == $result_infobar ) {
1253  ?>
1254 <p>Result<?php echo ($search->total_results==1&&!empty($results))?'':'s'; ?> <strong><?php if($search->total_results<1&&empty($results)){ echo 0; } else { echo $search->begin; ?> - <?php echo $search->end; } ?></strong> of <strong><?php if($search->total_results<1&&empty($results)){ echo 0; } else { echo $search->total_results; } ?></strong> for <strong><?php echo htmlentities($query,ENT_COMPAT,get_bloginfo('charset')); ?></strong></p>
1255 </div> 1256 <?php