Project: Wordpress Plugin WooCurrency 1.0.2

Vulnerability: #8830759 (2018-07-12 09:50:17)

Warning

Many findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::echo
Risk _REQUEST
/woocurrency/assets/lws-adminpanel/editlist/class-pager.php:73 (show/hide source)
// NOTE(review): body fragment of Pager::navDiv() (class-pager.php:53-75) — the signature, the
// $currentLimit/$rcount parameters and the rest of the method are outside this listing.
if( is_null($currentLimit) )
	$currentLimit = $this->readLimit(); // presumably the scanner's $_REQUEST source (also called by EditList::filters); readLimit() is not shown, so whether it coerces to int cannot be confirmed here
$last = false;
if( $rcount >= 0 ) // callers pass -1 when the total is unknown (see EditList::display below)
	$last = $this->page(max(0,$rcount-1), $currentLimit->count); // presumably the page number holding the last row; page() is not shown
$index = $this->page($currentLimit->offset, $currentLimit->count); // presumably the page number holding the current offset

$str = "<div class='lws-tablenav'>";
$str .= "<div class='lws-tablenav-ipp'>";
$str .= $this->snippetPerPage($currentLimit->count); // per-page selector built from the (possibly request-derived) count; body not shown
$str .= "</div>";
$str .= "<div class='lws-tablenav-pages'>";

if( $last !== false ) // total
	$str .= $this->snippetTotal($rcount);

$str .= "<span class='lws-pagination-links'>";
$str .= $this->navBtn("«", 1, $last, $index);
$str .= $this->navBtn("‹", $index - 1, $last, $index);
$str .= $this->snippetCurrentPage($index, $last, $index);
// Reported sink (line 73). "$index + 1" is arithmetic and therefore numeric, but $last and $index
// are passed through unchanged; whether they are plain integers depends on page(), which is not shown,
// and whether navBtn() escapes them is likewise not visible here.
$str .= $this->navBtn("›", $index + 1, $last, $index);
$str .= $this->navBtn("»", $last, $last, $index);
$str .= "</span>"; // lws-pagination-links
Threat level 2

Callstack:

LWS\Adminpanel\EditList::filters /woocurrency/assets/lws-adminpanel/editlist.php:163 (show/hide source)
/** Echo the filter bar, and the pager's navigation, above or below the list.
 * Everything is written with echo and nothing is escaped here, so each fragment
 * (cssClass(), input(), navDiv()) must already be safe HTML.
 * @param mixed $rcount (by ref) row count; computed here when $limit is null
 * @param mixed $limit  (by ref) page limit from Pager::readLimit(); computed here when null
 * @param bool  $above  true for the bar above the table, false for the one below
 * NOTE(review): the method's closing brace (line 166) is outside this listing. */
protected function filters(&$rcount, &$limit, $above=true)
{
	$class = $above ? " lws-editlist-above" : " lws-editlist-below";
	if( !is_null($this->m_PageDisplay) ) // nothing at all is rendered when paging is disabled (see setPageDisplay)
	{
		echo "<div class='lws-editlist-filters$class {$this->m_Id}-filters'>";
		echo "<div class='lws-editlist-filters-first-line'>";
		// WordPress hook: other code may alter the filter list before it is rendered
		foreach( \apply_filters('lws_adminpanel_editlist_filters_'.$this->slug, $this->m_Filters) as $filter )
		{
			$c = $filter->cssClass();
			echo "<div class='$c'>"; // cssClass() lands inside a single-quoted attribute without escaping
			echo $filter->input();   // filter markup is echoed as-is
			echo "</div>";
		}
		if( is_null($limit) )
		{
			// first call only (display() passes $limit = null): fetch the total once and let the pager read its limit
			$rcount = \apply_filters('lws_adminpanel_editlist_total_'.$this->slug, $this->m_Source->total());
			$limit = $this->m_PageDisplay->readLimit($rcount); // presumably where the scanner's $_REQUEST value enters; body not shown
		}
		echo "</div>";
		// Sink recorded by the scanner (editlist.php:163): navDiv() output is echoed unescaped.
		// Exploitability depends on whether readLimit()/page() coerce the request values to int — neither body is shown.
		echo $this->m_PageDisplay->navDiv($rcount, $limit);
		echo "</div>";
}
LWS\Adminpanel\EditList::display /woocurrency/assets/lws-adminpanel/editlist.php:115 (show/hide source)
/** Enable, disable or inject the pager that displays the list page by page.
 * true (the default) creates a fresh Pager bound to this list's id, an existing
 * Pager instance is used as given, and anything else (false, null, other values)
 * switches paging off.
 * @return this */
public function setPageDisplay($yes=true)
{
	$pager = null;
	if( $yes === true )
	{
		$pager = new EditList\Pager($this->m_Id);
	}
	elseif( $yes !== false && !is_null($yes) && is_a($yes, __NAMESPACE__ . '\EditList\Pager') )
	{
		$pager = $yes;
	}
	$this->m_PageDisplay = $pager;
	return $this;
}
109  
110  	/**	Echo the list as a <table> */
111  	public function display()
112  	{
113  		$rcount = -1;
114  		$limit = null;
115 $this->filters($rcount, $limit, true);
116 117 $head = $this->completeLabels(\apply_filters('lws_adminpanel_editlist_labels_'.$this->slug, $this->m_Source->labels()));