A Capture Contact Form (and tab) - Insecure deserialization

 56 | function awebvoice_setup() {
 57 | $awebvoice_data = unserialize(get_option(""awebvoice_data""));
 58 |
 59 | if ($_POST) {
> 60 | $awebvoice_data = unserialize(stripslashes($_POST[""awebvoice_data""]));
 61 | $awebvoice_action = $awebvoice_data[""action""];
 62 | unset($awebvoice_data[""action""]);
 63 |
 64 | if ($awebvoice_action == ""save_account"") { // save initial email and set up contact page
 65 | $old_data = unserialize(get_option('awebvoice_data'));
 66 | if ($old_data[""wp_page_id""]) wp_delete_post($old_data[""wp_page_id""]);
 67 | if ($awebvoice_data[""publish_page""] == ""true"") {
 68 | if (!get_post($awebvoice_data[""wp_page_id""])) {
 69 | $awebvoice_page_id = wp_insert_post(array(
 70 | 'post_status' => 'publish',
 71 | 'post_type' => 'page',
 72 | 'post_name' => $awebvoice_data[""button""][""label""],
 73 | 'post_title' => $awebvoice_data[""button""][""label""],
 74 | 'comment_status' => 'closed',
 75 | 'post_content' => '<iframe src=""'.$awebvoice_data[""embed_src""].'"" frameborder=""0"" scrolling=""no"" allowtransparency=
 76 | ));
 77 | $awebvoice_data[""wp_page_id""] = $awebvoice_page_id;
 78 | }
 79 | }
 80 | update_option(""awebvoice_data"", serialize($awebvoice_data));
 81 | }
 82 | elseif ($awebvoice_action == ""save_settings"") { // save just configuration settings
 83 | if (get_option('awebvoice_data')) {
 84 | $awebvoice_data = array_merge(unserialize(get_option('awebvoice_data')), $awebvoice_data);
 85 | }
 86 |
 87 | if ($awebvoice_data[""publish_page""] == ""true"") {
 88 | if (!get_post($awebvoice_data[""wp_page_id""])) {
 89 | $awebvoice_page_id = wp_insert_post(array(
 90 | 'post_status' => 'publish',
 91 | 'post_type' => 'page',
 92 | 'post_name' => $awebvoice_data[""button""][""label""],
 93 | 'post_title' => $awebvoice_data[""button""][""label""],
 94 | 'comment_status' => 'closed',
 95 | 'post_content' => '<iframe src=""'.$awebvoice_data[""embed_src""].'"" frameborder=""0"" scrolling=""no"" allowtransparency=
 96 | ));
 97 | $awebvoice_data[""wp_page_id""] = $awebvoice_page_id;
 98 | } else {
 99 | $awebvoice_page_id = wp_update_post(array(
 100 | 'ID' => $awebvoice_data[""wp_page_id""],
 101 | 'post_status' => 'publish',
 102 | 'post_type' => 'page',
 103 | 'post_name' => $awebvoice_data[""button""][""label""],
 104 | 'post_title' => $awebvoice_data[""button""][""label""],
 105 | 'comment_status' => 'closed',
 106 | 'post_content' => '<iframe src=""'.$awebvoice_data[""embed_src""].'"" frameborder=""0"" scrolling=""no"" allowtransparency=
 107 | ));
 108 | $awebvoice_data[""wp_page_id""] = $awebvoice_page_id;
 109 | }
 110 | } else {
 111 | wp_delete_post($awebvoice_data[""wp_page_id""]);
 112 | unset($awebvoice_data[""wp_page_id""]);
 113 | }
 114 | update_option(""awebvoice_data"", serialize($awebvoice_data));
 115 | }
 116 | }
 117 | ?>
 118 | <script type=""text/javascript"" src=""http://www.awebvoice.com/jscripts/jquery.ba-postmessage.js""></script>
 119 | <script type=""text/javascript"">
 120 |
 121 | jQuery(function(){
 122 | jQuery.receiveMessage(
 123 | function(e){
 124 | jQuery('#awebvoice_data').val(e.data);
 125 | jQuery(""#awebvoice_form"").submit();
 126 | },
 127 | 'http://www.awebvoice.com'
 128 | );
 129 |
 130 | });
 131 |
 132 | </script>
 133 |
 134 |
 135 | <form method=""post"" id=""awebvoice_form"" action="""">
 136 | <input type=""hidden"" id=""awebvoice_data"" name=""awebvoice_data"" value="""" />
 137 | </form>
 138 |
 139 | <iframe id=""awebvoice_frame"" src=""http://www.awebvoice.com/wordpress?l=<?php echo get_bloginfo('wpurl')?>&<?php echo http
  140 | <?php
  141 | }
      ^ Col 0