Project: Wordpress Plugin WordPress Gift Voucher 1.0.2

Vulnerability: #8147159 (2018-05-16 19:16:31)

Warning

This scanner output contains many false positives and unexploitable findings. Build a working proof-of-concept exploit before reporting anything to the vendor. For this particular finding, note that the flagged value is passed through `urlencode()` before it is concatenated and echoed (see line 184 below), which encodes `<`, `>`, quotes and `&`; a reflected-XSS PoC is therefore unlikely to work as-is, and the finding should be confirmed or discarded by testing rather than taken at face value.

Details:

Sink: PHP::echo — the `echo $querystring;` at pdf.php:190 (see call stack below).
Tainted source: `$_POST` — the scanner reports the variable used at pdf.php:184 (`$email`) as $_POST-derived; its assignment is outside the excerpt shown here and should be checked in the full file.
/gift-voucher/include/pdf.php:184 — the $_POST-derived value is appended here; every user-supplied field in this block (`$firstname`, `$lastname`, `$email`, `$lastid`, `$value`) is wrapped in `urlencode()`. The only parameter written without encoding is `currency_code` (line 181), which comes from `$setting_options` (plugin settings), not from the request. Where `$value` (the PayPal `amount`) originates is not visible in this excerpt; if it is request-controlled that is a price-manipulation concern worth confirming separately from the XSS claim.
164  	$cancel_url = get_site_url() .'/voucher-payment-cancel/?voucheritem='.$lastid;
165  	$notify_url = get_site_url() .'/voucher-payment-successful/?voucheritem='.$lastid;
166  
167  	if ($paymentmethod == 'Paypal') {
168  
169  		$paypal_email = $setting_options->paypal_email;
170  
171  		$querystring = '';
172  		if($setting_options->test_mode) {
173  			$querystring .= 'https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_xclick';
174  		} else {
175  			$querystring .= 'https://www.paypal.com/cgi-bin/webscr?cmd=_xclick';
176  		}
177  		$querystring .= "&business=".urlencode($paypal_email)."&";
178  		$querystring .= "item_name=".urlencode($template_options->title.' Voucher')."&";
179      	$querystring .= "item_number=".urlencode($lastid)."&";
180      	$querystring .= "amount=".urlencode($value)."&";
181      	$querystring .= "currency_code=$setting_options->currency_code&";
182      	$querystring .= "first_name=".urlencode($firstname)."&";
183      	$querystring .= "last_name=".urlencode($lastname)."&";
184 $querystring .= "email=".urlencode($email)."&";
185 $querystring .= "custom=".urlencode($lastid)."&"; 186 $querystring .= "return=".urlencode(stripslashes($return_url))."&";
Threat level: 2 (scanner rating, not a confirmed exploitability assessment — see the warning above).

Call stack:

@FUNCTION::wpgv__doajax_pdf_save_func — /gift-voucher/include/pdf.php:190. The function name suggests a WordPress AJAX handler; whether it is registered for unauthenticated (`wp_ajax_nopriv_*`) callers and whether it checks a nonce is not visible in this excerpt and should be verified, since that determines who can reach the echo at line 190.
170  
171  		$querystring = '';
172  		if($setting_options->test_mode) {
173  			$querystring .= 'https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_xclick';
174  		} else {
175  			$querystring .= 'https://www.paypal.com/cgi-bin/webscr?cmd=_xclick';
176  		}
177  		$querystring .= "&business=".urlencode($paypal_email)."&";
178  		$querystring .= "item_name=".urlencode($template_options->title.' Voucher')."&";
179      	$querystring .= "item_number=".urlencode($lastid)."&";
180      	$querystring .= "amount=".urlencode($value)."&";
181      	$querystring .= "currency_code=$setting_options->currency_code&";
182      	$querystring .= "first_name=".urlencode($firstname)."&";
183      	$querystring .= "last_name=".urlencode($lastname)."&";
184      	$querystring .= "email=".urlencode($email)."&";
185      	$querystring .= "custom=".urlencode($lastid)."&";
186      	$querystring .= "return=".urlencode(stripslashes($return_url))."&";
187      	$querystring .= "cancel_return=".urlencode(stripslashes($cancel_url))."&";
188      	$querystring .= "notify_url=".urlencode($notify_url);
189  
190 echo $querystring;
191 192 } else if($paymentmethod == 'Sofortuberweisung') {