Project: Wordpress Plugin Search Engine 0.5.9

Vulnerability: #7989856 (2018-04-16 16:09:10)

Warning

There are many false positives and unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

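Sink: PHP::echo
Risk: _SERVER
/search-engine/search-engine.php:1242

The scanner flags request-controlled data (`$_SERVER['REQUEST_URI']`) reaching an `echo` into HTML. In the excerpt below, line 1222 prints it straight into the form's `action` attribute with no escaping call, whereas line 1223 passes `$query` through `htmlentities()` first; line 1242 copies the same value into `$request_uri`. Whether this is reachable in practice depends on how the client and server encode the request URI, which is consistent with the false-positive warning above. The robust fix is to escape at the point of output — in WordPress, `esc_url()` for `action` and `href` attributes.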
1222  <form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="get">
1223      <input name="<?php echo (!wp_style_is('search-engine')?'q':'s'); ?>" type="text" size="41" class="search_engine_Box" value="<?php echo htmlentities($query,ENT_COMPAT,get_bloginfo('charset')); ?>" />
1224      <input type="submit" value="Search" class="search_engine_Button" /><?php if(defined('SEARCH_ENGINE_ADVANCED_URL')){ ?><br /><br /><?php if(defined('SEARCH_ENGINE_ADVANCED_HTML')){ echo SEARCH_ENGINE_ADVANCED_HTML; }else{ ?>
1225          <a href="<?php echo SEARCH_ENGINE_ADVANCED_URL; ?>" class="search_engine_Advanced"><?php if(defined('SEARCH_ENGINE_ADVANCED_TEXT')){ echo SEARCH_ENGINE_ADVANCED_TEXT; }else{ ?>Go to Advanced Search<?php } ?></a><?php }} ?>
1226  </form>
1227  <?php
1228          }
1229  
1230          if(0<strlen($query))
1231          {
1232              if ( 1 == $result_infobar ) {
1233  ?>
1234  <div class="search_engine_InfoBar">
1235  <?php
1236              }
1237              if ( $search->total_results < count( $results ) && 0 < count( $results ) )
1238                  $search->total_results = count( $results );
1239              $search->total_pages = ceil($search->total_results / $search->results_per_page);
1240              $search->begin = ($search->results_per_page*$search->page)-($search->results_per_page-1);
1241              $search->end = ($search->total_pages==$search->page?$search->total_results:($search->results_per_page*$search->page));
1242 $request_uri = $_SERVER['REQUEST_URI'];
1243 $explode = explode('?',$request_uri); 1244 $explode = @end($explode);
Threat level 0

Callstack:

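@FUNCTION::search_engine_content /search-engine/search-engine.php:1326

In this excerpt `$request_uri` is echoed into the `href` of each pagination link (lines 1309, 1317 and 1326). Lines 1245–1305 are not shown here, so check the full file for any escaping or rewriting of `$request_uri` before these echoes; if there is none, escape the assembled URL with `esc_url()` at each output point.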
1306                  {
1307  ?>
1308              <span class="gap">...</span>
1309              <a href="<?php echo $request_uri; ?>pg=<?php echo ($search->page - 100); ?>" class="page page-numbers"><?php echo ($search->page - 100); ?></a>
1310              <span class="gap">...</span>
1311  <?php
1312                  }
1313                  if (1 < ($search->page - 10))
1314                  {
1315  ?>
1316              <span class="gap">...</span>
1317              <a href="<?php echo $request_uri; ?>pg=<?php echo ($search->page - 10); ?>" class="page page-numbers"><?php echo ($search->page - 10); ?></a>
1318              <span class="gap">...</span>
1319  <?php
1320                  }
1321                  for ($i = 2; $i > 0; $i--)
1322                  {
1323                      if (1 < ($search->page - $i))
1324                      {
1325  ?>
1326 <a href="<?php echo $request_uri; ?>pg=<?php echo ($search->page - $i); ?>" class="page page-numbers"><?php echo ($search->page - $i); ?></a>
1327 <?php 1328 }