Project: Wordpress Plugin Fleet 1.2.5

Vulnerability: #9224056 (2018-11-21 14:31:05)

Warning

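There are many false positives and unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor! For this finding, note that the `$file` passed to header() at result.php:160 is assigned on line 158 from sanitize_title( get_the_title() ), while the `$file = $_FILES['file']` assignment on line 984 is a local variable in a different method (upload()); as far as the excerpts below show, the two are unrelated.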

Details:

Sink Standard::header
Risk _FILES
/fleet/vendor/iworks/fleet/posttypes/result.php:984
964  		return 0 < $val;
965  	}
966  
967  	public function upload() {
968  		if ( ! isset( $_POST['id'] ) ) {
969  			wp_send_json_error();
970  		}
971  		$post_id = intval( $_POST['id'] );
972  		if ( empty( $post_id ) ) {
973  			return;
974  		}
975  		if ( ! isset( $_POST['_wpnonce'] ) ) {
976  			wp_send_json_error();
977  		}
978  		if ( ! wp_verify_nonce( $_POST['_wpnonce'], 'upload-races' ) ) {
979  			wp_send_json_error();
980  		}
981  		if ( empty( $_FILES ) || ! isset( $_FILES['file'] ) ) {
982  			wp_send_json_error();
983  		}
984 $file = $_FILES['file'];
985 if ( 'text/csv' != $file['type'] ) { 986 wp_send_json_error();
Threat level 0

Callstack:

iworks_fleet_posttypes_result::download /fleet/vendor/iworks/fleet/posttypes/result.php:160
140  		add_filter( 'get_next_post_join', array( $this, 'adjacent_post_join' ), 10, 5 );
141  		/**
142  		 * adjust dates
143  		 */
144  		add_filter( 'iworks_fleet_result_adjust_dates', array( $this, 'adjacent_dates' ), 10, 3 );
145  	}
146  
147  	/**
148  	 * allow to download results
149  	 */
150  	public function download() {
151  		global $wpdb;
152  		if ( ! is_singular( $this->post_type_name ) ) {
153  			return;
154  		}
155  		$action = filter_input( INPUT_GET, 'fleet', FILTER_SANITIZE_STRING );
156  		switch ( $action ) {
157  			case 'download':
158  				$file = sanitize_title( get_the_title() ).'.csv';
159  				header( 'Content-Type: text/csv' );
160 header( 'Content-Disposition: attachment; filename='.$file );
161 $out = fopen( 'php://output', 'w' ); 162 $post_id = get_the_ID();