Project: Wordpress Plugin Search Engine 0.5.9

Vulnerability: #7989857 (2018-04-16 16:09:10)

Warning

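There are many false positives and unexploitable findings. Please create a working "PoC" exploit before reporting anything to the vendor! In the listing below, for instance, `$_GET['pg']` is assigned to `$search->page` only after the `ctype_digit()` check on line 1200, so the value echoed at line 1331 can contain only decimal digits; confirm the reported flow before treating it as exploitable.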

Details:

Sink PHP::echo
Risk _GET
/search-engine/search-engine.php:1201 (show/hide source)
1181          if ( $result_url != 1 )
1182              $result_url = 0;
1183          $output = $atts[ 'output' ];
1184          if ( $output != 1 )
1185              $output = 0;
1186          $return_search = $atts[ 'return_search' ];
1187          if ( $return_search != 1 )
1188              $return_search = 0;
1189      }
1190      if(empty($site_ids)&&empty($template_ids))
1191          return;
1192      include_once SEARCH_ENGINE_DIR.'/classes/Search.class.php';
1193      $query = '';
1194      if(!wp_style_is('search-engine')&&isset($_GET['q']))
1195          $query = stripslashes($_GET['q']);
1196      elseif(isset($_GET['s']))
1197          $query = stripslashes($_GET['s']);
1198      timer_start();
1199      $search = new Search_Engine_Search($site_ids,$template_ids);
1200      if(isset($_GET['pg'])&&ctype_digit($_GET['pg'])&&0<$_GET['pg'])
1201 $search->page = $_GET['pg'];
1202 $search->results_per_page = 10; 1203 $results = $search->search_build_query($query);
Threat level 2

Callstack:

@FUNCTION::search_engine_content /search-engine/search-engine.php:1331 (show/hide source)
1311  <?php
1312                  }
1313                  if (1 < ($search->page - 10))
1314                  {
1315  ?>
1316              <span class="gap">...</span>
1317              <a href="<?php echo $request_uri; ?>pg=<?php echo ($search->page - 10); ?>" class="page page-numbers"><?php echo ($search->page - 10); ?></a>
1318              <span class="gap">...</span>
1319  <?php
1320                  }
1321                  for ($i = 2; $i > 0; $i--)
1322                  {
1323                      if (1 < ($search->page - $i))
1324                      {
1325  ?>
1326              <a href="<?php echo $request_uri; ?>pg=<?php echo ($search->page - $i); ?>" class="page page-numbers"><?php echo ($search->page - $i); ?></a>
1327  <?php
1328                      }
1329                  }
1330  ?>
1331 <span class="page page-numbers current"><?php echo $search->page; ?></span>
1332 <?php 1333 for ($i = 1; $i < 3; $i++)