Project: WordPress Plugin Pods – Custom Content Types and Fields 2.7.12

Vulnerability: #9251591 (2019-04-17 14:31:43)

Warning

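Many of these findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor! As a first check, confirm that the source listed under Details actually reaches the sink through the call stack shown below.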

Details:

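Sink: PHP::include (the file-inclusion call the scanner flagged)
Risk: _SERVER (the reported taint source, i.e. a value read from $_SERVER)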
/pods/includes/data.php:558 (show/hide source)
538  						$path = $var[0];
539  					} elseif ( isset( $var[1] ) ) {
540  						$scheme = $var[1];
541  					}
542  				} else {
543  					$path = $var;
544  				}
545  
546  				$output = user_admin_url( $path, $scheme );
547  				break;
548  			case 'prefix':
549  				global $wpdb;
550  
551  				$output = $wpdb->prefix;
552  				break;
553  			case 'server':
554  				if ( ! pods_strict() ) {
555  					if ( isset( $_SERVER[ $var ] ) ) {
556  						$output = pods_unslash( $_SERVER[ $var ] );
557  					} elseif ( isset( $_SERVER[ strtoupper( $var ) ] ) ) {
558 $output = pods_unslash( $_SERVER[ strtoupper( $var ) ] );
559 } 560 }
Threat level 0

Callstack:

PodsForm::field_loader /pods/classes/PodsForm.php:1462 (show/hide source)
1442  		$class_name = "PodsField_{$class_name}";
1443  
1444  		$content_dir   = realpath( WP_CONTENT_DIR );
1445  		$plugins_dir   = realpath( WP_PLUGIN_DIR );
1446  		$muplugins_dir = realpath( WPMU_PLUGIN_DIR );
1447  		$abspath_dir   = realpath( ABSPATH );
1448  		$pods_dir      = realpath( PODS_DIR );
1449  
1450  		if ( ! class_exists( $class_name ) ) {
1451  			if ( isset( self::$field_types[ $field_type ] ) && ! empty( self::$field_types[ $field_type ]['file'] ) ) {
1452  				$file = realpath( self::$field_types[ $field_type ]['file'] );
1453  			}
1454  
1455  			if ( ! empty( $file ) && 0 === strpos( $file, $abspath_dir ) && file_exists( $file ) ) {
1456  				include_once $file;
1457  			} else {
1458  				$file = str_replace( '../', '', apply_filters( 'pods_form_field_include', PODS_DIR . 'classes/fields/' . basename( $field_type ) . '.php', $field_type ) );
1459  				$file = realpath( $file );
1460  
1461  				if ( file_exists( $file ) && ( 0 === strpos( $file, $pods_dir ) || 0 === strpos( $file, $content_dir ) || 0 === strpos( $file, $plugins_dir ) || 0 === strpos( $file, $muplugins_dir ) || 0 === strpos( $file, $abspath_dir ) ) ) {
1462 include_once $file;
1463 } 1464 }
PodsForm::field_setup /pods/classes/PodsForm.php:867 (show/hide source)
847  			$core_defaults = array(
848  				'id'             => 0,
849  				'name'           => '',
850  				'label'          => '',
851  				'description'    => '',
852  				'help'           => '',
853  				'default'        => null,
854  				'attributes'     => array(),
855  				'class'          => '',
856  				'type'           => 'text',
857  				'group'          => 0,
858  				'grouped'        => 0,
859  				'developer_mode' => false,
860  				'dependency'     => false,
861  				'depends-on'     => array(),
862  				'excludes-on'    => array(),
863  				'options'        => array(),
864  			);
865  
866  			if ( null !== $type ) {
867 self::field_loader( $type );
868 869 if ( method_exists( self::$loaded[ $type ], 'options' ) ) {
PodsForm::fields_setup /pods/classes/PodsForm.php:815 (show/hide source)
795  				'help'           => '',
796  				'default'        => null,
797  				'attributes'     => array(),
798  				'class'          => '',
799  				'type'           => 'text',
800  				'group'          => 0,
801  				'grouped'        => 0,
802  				'developer_mode' => false,
803  				'dependency'     => false,
804  				'depends-on'     => array(),
805  				'excludes-on'    => array(),
806  				'options'        => array(),
807  			);
808  		}
809  
810  		if ( $single ) {
811  			$fields = array( $fields );
812  		}
813  
814  		foreach ( $fields as $f => $field ) {
815 $fields[ $f ] = self::field_setup( $field, $core_defaults, pods_v( 'type', $field, 'text' ) );
816 817 if ( ! $single && strlen( $fields[ $f ]['name'] ) < 1 ) {
PodsAPI::get_wp_object_fields /pods/classes/PodsAPI.php:1439 (show/hide source)
1419  				)
1420  			);
1421  		}
1422  
1423  		$fields = $this->do_hook( 'get_wp_object_fields', $fields, $object, $pod );
1424  
1425  		foreach ( $fields as $field => $options ) {
1426  			if ( ! isset( $options['alias'] ) ) {
1427  				$options['alias'] = array();
1428  			} else {
1429  				$options['alias'] = (array) $options['alias'];
1430  			}
1431  
1432  			if ( ! isset( $options['name'] ) ) {
1433  				$options['name'] = $field;
1434  			}
1435  
1436  			$fields[ $field ] = $options;
1437  		}
1438  
1439 $fields = PodsForm::fields_setup( $fields );
1440 1441 if ( did_action( 'init' ) && pods_api_cache() ) {
PodsAPI::load_pod /pods/classes/PodsAPI.php:6184 (show/hide source)
6164  		unset( $pod['options']['alias'] );
6165  
6166  		if ( $table_info ) {
6167  			$pod = array_merge( $this->get_table_info( $pod['type'], $pod['object'], $pod['name'], $pod ), $pod );
6168  		}
6169  
6170  		// Override old 'none' storage type
6171  		if ( 'taxonomy' === $pod['type'] && 'none' === $pod['storage'] && function_exists( 'get_term_meta' ) ) {
6172  			$pod['storage'] = 'meta';
6173  		}
6174  
6175  		if ( isset( $pod['pod'] ) ) {
6176  			unset( $pod['pod'] );
6177  		}
6178  
6179  		$pod['fields'] = array();
6180  
6181  		$pod['object_fields'] = array();
6182  
6183  		if ( 'pod' !== $pod['type'] ) {
6184 $pod['object_fields'] = $this->get_wp_object_fields( $pod['type'], $pod );
6185 } 6186
PodsAPI::__construct /pods/classes/PodsAPI.php:122 (show/hide source)
102  	 *
103  	 * @param string $pod    (optional) The pod name
104  	 * @param string $format (deprecated) Format for import/export, "php" or "csv"
105  	 *
106  	 * @return \PodsAPI
107  	 *
108  	 * @license http://www.gnu.org/licenses/gpl-2.0.html
109  	 * @since   1.7.1
110  	 */
111  	public function __construct( $pod = null, $format = null ) {
112  
113  		if ( null !== $pod && 0 < strlen( (string) $pod ) ) {
114  			if ( null !== $format ) {
115  				$this->format = $format;
116  
117  				pods_deprecated( 'pods_api( $pod, $format )', '2.0', 'pods_api( $pod )' );
118  			}
119  
120  			$pod = pods_clean_name( $pod );
121  
122 $pod = $this->load_pod( array( 'name' => $pod, 'table_info' => true ), false );
123 124 if ( ! empty( $pod ) ) {
PodsAPI::init /pods/classes/PodsAPI.php:94 (show/hide source)
74  	/**
75  	 * Singleton-ish handling for a basic pods_api() request
76  	 *
77  	 * @param string $pod    (optional) The pod name
78  	 * @param string $format (deprecated) Format for import/export, "php" or "csv"
79  	 *
80  	 * @return \PodsAPI
81  	 *
82  	 * @since 2.3.5
83  	 */
84  	public static function init( $pod = null, $format = null ) {
85  
86  		if ( null !== $pod || null !== $format ) {
87  			if ( ! isset( self::$instances[ $pod ] ) ) {
88  				// Cache API singleton per Pod
89  				self::$instances[ $pod ] = new PodsAPI( $pod, $format );
90  			}
91  
92  			return self::$instances[ $pod ];
93  		} elseif ( ! is_object( self::$instance ) ) {
94 self::$instance = new PodsAPI();
95 } 96
@FUNCTION::pods_api /pods/includes/classes.php:73 (show/hide source)
53  	return new PodsUI( $obj, $deprecated );
54  }
55  
56  /**
57   * Load the PodsAPI class file and return the PodsAPI object obtained from PodsAPI::init(), for use with all calls that Pods makes for add, save, delete, and more.
58   *
59   * @see   PodsAPI
60   *
61   * @param string $pod    (optional) (deprecated) The Pod name; passed unchanged to PodsAPI::init()
62   * @param string $format (optional) (deprecated) Format used in import() and export(); passed unchanged to PodsAPI::init()
63   *
64   * @return PodsAPI The value returned by PodsAPI::init( $pod, $format )
65   *
66   * @since 2.0.0
67   * @link  https://pods.io/docs/pods-api/
68   */
69  function pods_api( $pod = null, $format = null ) {
70  
71  	require_once PODS_DIR . 'classes/PodsAPI.php'; // Path is the PODS_DIR constant plus a string literal; neither $pod nor $format is used to build it.
72  
73 return PodsAPI::init( $pod, $format ); // Both arguments are forwarded as received.
74 } 75
PodsUpgrade::__construct /pods/sql/upgrade/PodsUpgrade.php:33 (show/hide source)
13  	/**
14  	 * @var array
15  	 */
16  	protected $progress = array();
17  
18  	/**
19  	 * @var PodsAPI
20  	 */
21  	protected $api = null;
22  
23  	/**
24  	 * @var string
25  	 */
26  	protected $version = null;
27  
28  	/**
29  	 *
30  	 */
31  	public function __construct() {
32  
33 $this->api = pods_api();
34 35 $this->get_tables();