Project: WordPress Plugin Pods – Custom Content Types and Fields 2.7.12

Vulnerability: #9251614 (2019-04-17 14:34:23)

Warning

Many findings are false positives or vulnerabilities that cannot actually be exploited. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink PHP::include
Risk _COOKIE
/pods/includes/data.php:575
555  					if ( isset( $_SERVER[ $var ] ) ) {
556  						$output = pods_unslash( $_SERVER[ $var ] );
557  					} elseif ( isset( $_SERVER[ strtoupper( $var ) ] ) ) {
558  						$output = pods_unslash( $_SERVER[ strtoupper( $var ) ] );
559  					}
560  				}
561  				break;
562  			case 'session':
563  				if ( isset( $_SESSION[ $var ] ) ) {
564  					$output = $_SESSION[ $var ];
565  				}
566  				break;
567  			case 'global':
568  			case 'globals':
569  				if ( isset( $GLOBALS[ $var ] ) ) {
570  					$output = $GLOBALS[ $var ];
571  				}
572  				break;
573  			case 'cookie':
574  				if ( isset( $_COOKIE[ $var ] ) ) {
575 $output = pods_unslash( $_COOKIE[ $var ] );
576 } 577 break;
Threat level 2

Callstack:

PodsForm::field_loader /pods/classes/PodsForm.php:1462
1442  		$class_name = "PodsField_{$class_name}";
1443  
1444  		$content_dir   = realpath( WP_CONTENT_DIR );
1445  		$plugins_dir   = realpath( WP_PLUGIN_DIR );
1446  		$muplugins_dir = realpath( WPMU_PLUGIN_DIR );
1447  		$abspath_dir   = realpath( ABSPATH );
1448  		$pods_dir      = realpath( PODS_DIR );
1449  
1450  		if ( ! class_exists( $class_name ) ) {
1451  			if ( isset( self::$field_types[ $field_type ] ) && ! empty( self::$field_types[ $field_type ]['file'] ) ) {
1452  				$file = realpath( self::$field_types[ $field_type ]['file'] );
1453  			}
1454  
1455  			if ( ! empty( $file ) && 0 === strpos( $file, $abspath_dir ) && file_exists( $file ) ) {
1456  				include_once $file;
1457  			} else {
1458  				$file = str_replace( '../', '', apply_filters( 'pods_form_field_include', PODS_DIR . 'classes/fields/' . basename( $field_type ) . '.php', $field_type ) );
1459  				$file = realpath( $file );
1460  
1461  				if ( file_exists( $file ) && ( 0 === strpos( $file, $pods_dir ) || 0 === strpos( $file, $content_dir ) || 0 === strpos( $file, $plugins_dir ) || 0 === strpos( $file, $muplugins_dir ) || 0 === strpos( $file, $abspath_dir ) ) ) {
1462 include_once $file;
1463 } 1464 }
PodsForm::field_setup /pods/classes/PodsForm.php:867
847  			$core_defaults = array(
848  				'id'             => 0,
849  				'name'           => '',
850  				'label'          => '',
851  				'description'    => '',
852  				'help'           => '',
853  				'default'        => null,
854  				'attributes'     => array(),
855  				'class'          => '',
856  				'type'           => 'text',
857  				'group'          => 0,
858  				'grouped'        => 0,
859  				'developer_mode' => false,
860  				'dependency'     => false,
861  				'depends-on'     => array(),
862  				'excludes-on'    => array(),
863  				'options'        => array(),
864  			);
865  
866  			if ( null !== $type ) {
867 self::field_loader( $type );
868 869 if ( method_exists( self::$loaded[ $type ], 'options' ) ) {
PodsForm::fields_setup /pods/classes/PodsForm.php:815
795  				'help'           => '',
796  				'default'        => null,
797  				'attributes'     => array(),
798  				'class'          => '',
799  				'type'           => 'text',
800  				'group'          => 0,
801  				'grouped'        => 0,
802  				'developer_mode' => false,
803  				'dependency'     => false,
804  				'depends-on'     => array(),
805  				'excludes-on'    => array(),
806  				'options'        => array(),
807  			);
808  		}
809  
810  		if ( $single ) {
811  			$fields = array( $fields );
812  		}
813  
814  		foreach ( $fields as $f => $field ) {
815 $fields[ $f ] = self::field_setup( $field, $core_defaults, pods_v( 'type', $field, 'text' ) );
816 817 if ( ! $single && strlen( $fields[ $f ]['name'] ) < 1 ) {
PodsAPI::get_wp_object_fields /pods/classes/PodsAPI.php:1439
1419  				)
1420  			);
1421  		}
1422  
1423  		$fields = $this->do_hook( 'get_wp_object_fields', $fields, $object, $pod );
1424  
1425  		foreach ( $fields as $field => $options ) {
1426  			if ( ! isset( $options['alias'] ) ) {
1427  				$options['alias'] = array();
1428  			} else {
1429  				$options['alias'] = (array) $options['alias'];
1430  			}
1431  
1432  			if ( ! isset( $options['name'] ) ) {
1433  				$options['name'] = $field;
1434  			}
1435  
1436  			$fields[ $field ] = $options;
1437  		}
1438  
1439 $fields = PodsForm::fields_setup( $fields );
1440 1441 if ( did_action( 'init' ) && pods_api_cache() ) {
PodsAPI::get_table_info /pods/classes/PodsAPI.php:8545
8525  			}
8526  
8527  			$info['object_fields'] = $this->get_wp_object_fields( $object_type, $info['pod'] );
8528  		} elseif ( 'user' === $object_type || 'user' === pods_var_raw( 'type', $info['pod'] ) ) {
8529  			$info['table']      = $wpdb->users;
8530  			$info['meta_table'] = $wpdb->usermeta;
8531  			$info['pod_table']  = $wpdb->prefix . 'pods_user';
8532  
8533  			$info['field_id']    = 'ID';
8534  			$info['field_index'] = 'display_name';
8535  			$info['field_slug']  = 'user_nicename';
8536  
8537  			$info['meta_field_id']    = 'user_id';
8538  			$info['meta_field_index'] = 'meta_key';
8539  			$info['meta_field_value'] = 'meta_value';
8540  
8541  			$info['where'] = array(
8542  				'user_status' => '`t`.`user_status` = 0'
8543  			);
8544  
8545 $info['object_fields'] = $this->get_wp_object_fields( $object_type, $info['pod'] );
8546 } elseif ( 'comment' === $object_type || 'comment' === pods_var_raw( 'type', $info['pod'] ) ) { 8547 //$info[ 'object_hierarchical' ] = true;
PodsAPI::load_field /pods/classes/PodsAPI.php:6836
6816  
6817  				if ( isset( $field['options']['sister_id'] ) ) {
6818  					$field['sister_id'] = $field['options']['sister_id'];
6819  
6820  					unset( $field['options']['sister_id'] );
6821  				}
6822  
6823  				if ( isset( $field['options']['sister_field_id'] ) ) {
6824  					unset( $field['options']['sister_field_id'] );
6825  				}
6826  
6827  				if ( pods_api_cache() && ( isset( $pod['name'] ) || isset( $_field['pod'] ) ) ) {
6828  					pods_transient_set( 'pods_field_' . pods_var( 'name', $pod, pods_var( 'pod', $_field ), null, true ) . '_' . $field['name'], $field );
6829  				}
6830  			}
6831  		}
6832  
6833  		$field['table_info'] = array();
6834  
6835  		if ( 'pick' === $field['type'] && $params->table_info ) {
6836 $field['table_info'] = $this->get_table_info( $field['pick_object'], $field['pick_val'], null, null, $field );
6837 } 6838
PodsAPI::load_pod /pods/classes/PodsAPI.php:6203
6183  		if ( 'pod' !== $pod['type'] ) {
6184  			$pod['object_fields'] = $this->get_wp_object_fields( $pod['type'], $pod );
6185  		}
6186  
6187  		$fields = get_posts( array(
6188  			'post_type'      => '_pods_field',
6189  			'posts_per_page' => - 1,
6190  			'nopaging'       => true,
6191  			'post_parent'    => $pod['id'],
6192  			'orderby'        => 'menu_order',
6193  			'order'          => 'ASC'
6194  		) );
6195  
6196  		if ( ! empty( $fields ) ) {
6197  			foreach ( $fields as $field ) {
6198  				$field->pod          = $pod['name'];
6199  				$field->table_info   = $table_info;
6200  				$field->bypass_cache = $bypass_cache;
6201  
6202  				if ( $load_fields ) {
6203 $field = $this->load_field( $field );
6204 6205 $field = PodsForm::field_setup( $field, null, $field['type'] );
PodsAPI::__construct /pods/classes/PodsAPI.php:122
102  	 *
103  	 * @param string $pod    (optional) The pod name
104  	 * @param string $format (deprecated) Format for import/export, "php" or "csv"
105  	 *
106  	 * @return \PodsAPI
107  	 *
108  	 * @license http://www.gnu.org/licenses/gpl-2.0.html
109  	 * @since   1.7.1
110  	 */
111  	public function __construct( $pod = null, $format = null ) {
112  
113  		if ( null !== $pod && 0 < strlen( (string) $pod ) ) {
114  			if ( null !== $format ) {
115  				$this->format = $format;
116  
117  				pods_deprecated( 'pods_api( $pod, $format )', '2.0', 'pods_api( $pod )' );
118  			}
119  
120  			$pod = pods_clean_name( $pod );
121  
122 $pod = $this->load_pod( array( 'name' => $pod, 'table_info' => true ), false );
123 124 if ( ! empty( $pod ) ) {
PodsAPI::init /pods/classes/PodsAPI.php:94
74  	/**
75  	 * Singleton-ish handling for a basic pods_api() request
76  	 *
77  	 * @param string $pod    (optional) The pod name
78  	 * @param string $format (deprecated) Format for import/export, "php" or "csv"
79  	 *
80  	 * @return \PodsAPI
81  	 *
82  	 * @since 2.3.5
83  	 */
84  	public static function init( $pod = null, $format = null ) {
85  
86  		if ( null !== $pod || null !== $format ) {
87  			if ( ! isset( self::$instances[ $pod ] ) ) {
88  				// Cache API singleton per Pod
89  				self::$instances[ $pod ] = new PodsAPI( $pod, $format );
90  			}
91  
92  			return self::$instances[ $pod ];
93  		} elseif ( ! is_object( self::$instance ) ) {
94 self::$instance = new PodsAPI();
95 } 96
@FUNCTION::pods_api /pods/includes/classes.php:73
53  	return new PodsUI( $obj, $deprecated );
54  }
55  
/**
 * Load the PodsAPI class file and return the PodsAPI object, for use with all
 * calls that Pods makes for add, save, delete, and more.
 *
 * This is the frame the report's call stack lists at /pods/includes/classes.php:73.
 * The require_once path below is the PODS_DIR constant joined to a fixed string,
 * so no request data (cookie or otherwise) takes part in this particular include.
 * Both arguments are forwarded unchanged to PodsAPI::init().
 *
 * @see   PodsAPI
 *
 * @param string $pod    (optional) (deprecated) The Pod name
 * @param string $format (optional) (deprecated) Format used in import() and export()
 *
 * @return PodsAPI
 *
 * @since 2.0.0
 * @link  https://pods.io/docs/pods-api/
 */
function pods_api( $pod = null, $format = null ) {

	// Make the class definition available before it is referenced below.
	require_once PODS_DIR . 'classes/PodsAPI.php';

	// Reported call site (classes.php:73): delegate to the static initializer.
	$api = PodsAPI::init( $pod, $format );

	return $api;
}
PodsUpgrade::__construct /pods/sql/upgrade/PodsUpgrade.php:33
13  	/**
14  	 * @var array
15  	 */
16  	protected $progress = array();
17  
18  	/**
19  	 * @var PodsAPI
20  	 */
21  	protected $api = null;
22  
23  	/**
24  	 * @var string
25  	 */
26  	protected $version = null;
27  
28  	/**
29  	 *
30  	 */
31  	public function __construct() {
32  
33 $this->api = pods_api();
34 35 $this->get_tables();