BP Profile as Homepage - Reflected cross-site scripting (XSS)

 44 | function bpahp_settings_page()
 45 | {
 46 | if (!current_user_can('manage_options'))
 47 | {
 48 | wp_die( __('You do not have sufficient permissions to access this page.') );
 49 | }
 50 | $opt_name = 'bpahp_role_choice';
 51 | $hidden_field_name = 'bpahp_submit_hidden';
 52 | $data_field_name = 'bpahp_role_choice';
 53 |
 54 | $opt_val = get_option($opt_name);
 55 |
 56 | if( isset($_POST[ $hidden_field_name ]) && $_POST[ $hidden_field_name ] == 'Y' )
 57 | {
 58 | $opt_val = $_POST[ $data_field_name ];
 59 | update_option( $opt_name, $opt_val );
 60 | ?>
 61 | <div class=""updated""><p><strong><?php _e('settings saved.', 'bpahp-menu' ); ?></strong></p></div>
 62 | <?php
 63 |
 64 | }
 65 | echo '<div class=""wrap"">';
 66 | echo ""<h2>"" . __( 'BP Profile as Homepage Settings', 'bpahp-menu' ) . ""</h2>"";
 67 | ?>
 68 | <p>Using following option, you can disable the redirection for a particular user role.</p>
 69 | <form name=""bpahp-settings-form"" method=""post"" action="""">
 70 | <input type=""hidden"" name=""<?php echo $hidden_field_name; ?>"" value=""Y"">
 71 | <p><b>You have selected:</b>
 72 | <?php
 73 | if ($opt_val=='')
 74 | echo 'No One';
 75 | else
> 76 | echo $opt_val;
 77 | ?> <hr />
 78 | <?php _e(""Who can view Homepage:"", 'bpahp-menu' ); ?>
 79 | <select name=""<?php echo $data_field_name; ?>"">
 80 | <option value="""">None</option>
 81 | <option value=""administrator"">Administrators</option>
 82 | <option value=""editor"">Editors</option>
 83 | <option value=""author"">Authors</option>
 84 | <option value=""contributor"">Contributors</option>
 85 | <option value=""subscriber"">Subscribers</option>
 86 | </select>
 87 | </p>
 88 | <p class=""submit"">
 89 | <input type=""submit"" name=""Submit"" class=""button-primary"" value=""<?php esc_attr_e('Save Changes') ?>"" />
 90 | </p>
 91 | </form>
 92 | <hr />
 93 | <b> If you like my work, kindly support me to keep my blog working by donating a small amount. For helping me and donatio
 94 | <p><h2><u>My other plugins:</u></h2></p>
 95 | <ul>
 96 | <li>BP Login Redirect - Decide where to send your users after login</li>
 97 | <li>Force Post Category Selection - No More Uncategoriezed Posts, No More forgetting category selections</li>
 98 | <li>Force Post Title - No More Untitled Posts</li>
 99 | <li>AutoSet Featured Images for Posts - No need to set featured images manually.It will do it for you automatically.</li>
 100 | <li>Wordpress QRCODE Widget - Share your website with Style. It will generate dynamic QR Codes for whole website.</li>
 101 | <li>Wordpress Version Remover - Save your wordpress website from hackers. It will remove the wordpress version.</li>
 102 | <li>Schedule your Posts - Do not schedule posts now. Just schedule the content of the Post.One Post can show different co
 103 | <li><a href=""http://www.jpsays.com/search/label/wordpress"" alt=""www.jpsays.com"">Click here to see my plugins.</a></li>
 104 | </ul>
 105 | </div>
  106 | <?php
  107 | }
      ^ Col 0