Project: Wordpress Plugin Pods – Custom Content Types and Fields 2.7.12

Vulnerability: #9251636 (2019-04-17 14:38:23)

Warning

Many of these findings are false positives or unexploitable. Please build a working proof-of-concept (PoC) exploit before reporting anything to the vendor.

Details:

Sink Standard::file_exists
Risk _GET
/pods/includes/data.php:348
328  
329  	$params = (object) array_merge( $defaults, (array) $params );
330  
331  	$output = null;
332  
333  	if ( null === $type || '' === $type ) {
334  		// Invalid $type
335  	} elseif ( is_array( $type ) ) {
336  		if ( isset( $type[ $var ] ) ) {
337  			$output = $type[ $var ];
338  		}
339  	} elseif ( is_object( $type ) ) {
340  		if ( isset( $type->{$var} ) ) {
341  			$output = $type->{$var};
342  		}
343  	} else {
344  		$type = strtolower( (string) $type );
345  		switch ( $type ) {
346  			case 'get':
347  				if ( isset( $_GET[ $var ] ) ) {
348 $output = pods_unslash( $_GET[ $var ] );
349 } 350 break;
Threat level 1

Callstack:

PodsForm::field_loader /pods/classes/PodsForm.php:1461
1441  		$class_name = ucfirst( $field_type );
1442  		$class_name = "PodsField_{$class_name}";
1443  
1444  		$content_dir   = realpath( WP_CONTENT_DIR );
1445  		$plugins_dir   = realpath( WP_PLUGIN_DIR );
1446  		$muplugins_dir = realpath( WPMU_PLUGIN_DIR );
1447  		$abspath_dir   = realpath( ABSPATH );
1448  		$pods_dir      = realpath( PODS_DIR );
1449  
1450  		if ( ! class_exists( $class_name ) ) {
1451  			if ( isset( self::$field_types[ $field_type ] ) && ! empty( self::$field_types[ $field_type ]['file'] ) ) {
1452  				$file = realpath( self::$field_types[ $field_type ]['file'] );
1453  			}
1454  
1455  			if ( ! empty( $file ) && 0 === strpos( $file, $abspath_dir ) && file_exists( $file ) ) {
1456  				include_once $file;
1457  			} else {
1458  				$file = str_replace( '../', '', apply_filters( 'pods_form_field_include', PODS_DIR . 'classes/fields/' . basename( $field_type ) . '.php', $field_type ) );
1459  				$file = realpath( $file );
1460  
1461 if ( file_exists( $file ) && ( 0 === strpos( $file, $pods_dir ) || 0 === strpos( $file, $content_dir ) || 0 === strpos( $file, $plugins_dir ) || 0 === strpos( $file, $muplugins_dir ) || 0 === strpos( $file, $abspath_dir ) ) ) {
1462 include_once $file; 1463 }
PodsForm::field_setup /pods/classes/PodsForm.php:867
847  			$core_defaults = array(
848  				'id'             => 0,
849  				'name'           => '',
850  				'label'          => '',
851  				'description'    => '',
852  				'help'           => '',
853  				'default'        => null,
854  				'attributes'     => array(),
855  				'class'          => '',
856  				'type'           => 'text',
857  				'group'          => 0,
858  				'grouped'        => 0,
859  				'developer_mode' => false,
860  				'dependency'     => false,
861  				'depends-on'     => array(),
862  				'excludes-on'    => array(),
863  				'options'        => array(),
864  			);
865  
866  			if ( null !== $type ) {
867 self::field_loader( $type );
868 869 if ( method_exists( self::$loaded[ $type ], 'options' ) ) {
PodsForm::fields_setup /pods/classes/PodsForm.php:815
795  				'help'           => '',
796  				'default'        => null,
797  				'attributes'     => array(),
798  				'class'          => '',
799  				'type'           => 'text',
800  				'group'          => 0,
801  				'grouped'        => 0,
802  				'developer_mode' => false,
803  				'dependency'     => false,
804  				'depends-on'     => array(),
805  				'excludes-on'    => array(),
806  				'options'        => array(),
807  			);
808  		}
809  
810  		if ( $single ) {
811  			$fields = array( $fields );
812  		}
813  
814  		foreach ( $fields as $f => $field ) {
815 $fields[ $f ] = self::field_setup( $field, $core_defaults, pods_v( 'type', $field, 'text' ) );
816 817 if ( ! $single && strlen( $fields[ $f ]['name'] ) < 1 ) {
PodsAPI::get_wp_object_fields /pods/classes/PodsAPI.php:1439
1419  				)
1420  			);
1421  		}
1422  
1423  		$fields = $this->do_hook( 'get_wp_object_fields', $fields, $object, $pod );
1424  
1425  		foreach ( $fields as $field => $options ) {
1426  			if ( ! isset( $options['alias'] ) ) {
1427  				$options['alias'] = array();
1428  			} else {
1429  				$options['alias'] = (array) $options['alias'];
1430  			}
1431  
1432  			if ( ! isset( $options['name'] ) ) {
1433  				$options['name'] = $field;
1434  			}
1435  
1436  			$fields[ $field ] = $options;
1437  		}
1438  
1439 $fields = PodsForm::fields_setup( $fields );
1440 1441 if ( did_action( 'init' ) && pods_api_cache() ) {
PodsAPI::get_table_info /pods/classes/PodsAPI.php:8527
8507  								AND `wpml_translations`.`language_code` = '{$current_language}'
8508  					";
8509  
8510  				$info['join']['wpml_languages'] = "
8511  						LEFT JOIN `{$wpdb->prefix}icl_languages` AS `wpml_languages`
8512  							ON `wpml_languages`.`code` = `wpml_translations`.`language_code` AND `wpml_languages`.`active` = 1
8513  					";
8514  
8515  				$info['where']['wpml_languages'] = "`wpml_languages`.`code` IS NOT NULL";
8516  			} elseif ( ( function_exists( 'PLL' ) || is_object( $polylang ) ) && ! empty( $current_language ) && ! empty( $current_language_tl_tt_id ) && function_exists( 'pll_is_translated_taxonomy' ) && pll_is_translated_taxonomy( $taxonomy ) ) {
8517  				// Polylang support
8518  				$info['join']['polylang_languages'] = "
8519  					LEFT JOIN `{$wpdb->term_relationships}` AS `polylang_languages`
8520  						ON `polylang_languages`.`object_id` = `t`.`term_id`
8521  							AND `polylang_languages`.`term_taxonomy_id` = {$current_language_tl_tt_id}
8522  				";
8523  
8524  				$info['where']['polylang_languages'] = "`polylang_languages`.`object_id` IS NOT NULL";
8525  			}
8526  
8527 $info['object_fields'] = $this->get_wp_object_fields( $object_type, $info['pod'] );
8528 } elseif ( 'user' === $object_type || 'user' === pods_var_raw( 'type', $info['pod'] ) ) { 8529 $info['table'] = $wpdb->users;
PodsAPI::load_field /pods/classes/PodsAPI.php:6836
6816  
6817  				if ( isset( $field['options']['sister_id'] ) ) {
6818  					$field['sister_id'] = $field['options']['sister_id'];
6819  
6820  					unset( $field['options']['sister_id'] );
6821  				}
6822  
6823  				if ( isset( $field['options']['sister_field_id'] ) ) {
6824  					unset( $field['options']['sister_field_id'] );
6825  				}
6826  
6827  				if ( pods_api_cache() && ( isset( $pod['name'] ) || isset( $_field['pod'] ) ) ) {
6828  					pods_transient_set( 'pods_field_' . pods_var( 'name', $pod, pods_var( 'pod', $_field ), null, true ) . '_' . $field['name'], $field );
6829  				}
6830  			}
6831  		}
6832  
6833  		$field['table_info'] = array();
6834  
6835  		if ( 'pick' === $field['type'] && $params->table_info ) {
6836 $field['table_info'] = $this->get_table_info( $field['pick_object'], $field['pick_val'], null, null, $field );
6837 } 6838
PodsAPI::load_pod /pods/classes/PodsAPI.php:6203
6183  		if ( 'pod' !== $pod['type'] ) {
6184  			$pod['object_fields'] = $this->get_wp_object_fields( $pod['type'], $pod );
6185  		}
6186  
6187  		$fields = get_posts( array(
6188  			'post_type'      => '_pods_field',
6189  			'posts_per_page' => - 1,
6190  			'nopaging'       => true,
6191  			'post_parent'    => $pod['id'],
6192  			'orderby'        => 'menu_order',
6193  			'order'          => 'ASC'
6194  		) );
6195  
6196  		if ( ! empty( $fields ) ) {
6197  			foreach ( $fields as $field ) {
6198  				$field->pod          = $pod['name'];
6199  				$field->table_info   = $table_info;
6200  				$field->bypass_cache = $bypass_cache;
6201  
6202  				if ( $load_fields ) {
6203 $field = $this->load_field( $field );
6204 6205 $field = PodsForm::field_setup( $field, null, $field['type'] );
PodsAPI::__construct /pods/classes/PodsAPI.php:122
102  	 *
103  	 * @param string $pod    (optional) The pod name
104  	 * @param string $format (deprecated) Format for import/export, "php" or "csv"
105  	 *
106  	 * @return \PodsAPI
107  	 *
108  	 * @license http://www.gnu.org/licenses/gpl-2.0.html
109  	 * @since   1.7.1
110  	 */
111  	public function __construct( $pod = null, $format = null ) {
112  
113  		if ( null !== $pod && 0 < strlen( (string) $pod ) ) {
114  			if ( null !== $format ) {
115  				$this->format = $format;
116  
117  				pods_deprecated( 'pods_api( $pod, $format )', '2.0', 'pods_api( $pod )' );
118  			}
119  
120  			$pod = pods_clean_name( $pod );
121  
122 $pod = $this->load_pod( array( 'name' => $pod, 'table_info' => true ), false );
123 124 if ( ! empty( $pod ) ) {
PodsAPI::init /pods/classes/PodsAPI.php:89
69  	 * @since 2.5.0
70  	 *
71  	 */
72  	private static $related_item_cache = array();
73  
74  	/**
75  	 * Singleton-ish handling for a basic pods_api() request
76  	 *
77  	 * @param string $pod    (optional) The pod name
78  	 * @param string $format (deprecated) Format for import/export, "php" or "csv"
79  	 *
80  	 * @return \PodsAPI
81  	 *
82  	 * @since 2.3.5
83  	 */
84  	public static function init( $pod = null, $format = null ) {
85  
86  		if ( null !== $pod || null !== $format ) {
87  			if ( ! isset( self::$instances[ $pod ] ) ) {
88  				// Cache API singleton per Pod
89 self::$instances[ $pod ] = new PodsAPI( $pod, $format );
90 } 91
@FUNCTION::pods_api /pods/includes/classes.php:73
53  	return new PodsUI( $obj, $deprecated );
54  }
55  
56  /**
57   * Include and get the PodsAPI object, for use with all calls that Pods makes for add, save, delete, and more.
58   *
59   * @see   PodsAPI
60   *
61   * @param string $pod    (optional) (deprecated) The Pod name
62   * @param string $format (optional) (deprecated) Format used in import() and export()
63   *
64   * @return PodsAPI
65   *
66   * @since 2.0.0
67   * @link  https://pods.io/docs/pods-api/
68   */
69  function pods_api( $pod = null, $format = null ) {
70  
71  	require_once PODS_DIR . 'classes/PodsAPI.php';
72  
73 return PodsAPI::init( $pod, $format );
74 } 75
Pods::__construct /pods/classes/Pods.php:313
293  					$pod = $queried_object->post_type;
294  				} elseif ( isset( $queried_object->taxonomy ) ) {
295  					// Term Archive.
296  					$pod = $queried_object->taxonomy;
297  				} elseif ( isset( $queried_object->user_login ) ) {
298  					// Author Archive.
299  					$pod = 'user';
300  				} elseif ( isset( $queried_object->public, $queried_object->name ) ) {
301  					// Post Type Archive.
302  					$pod = $queried_object->name;
303  
304  					$id_lookup = false;
305  				}
306  
307  				if ( null === $id && $id_lookup ) {
308  					$id = get_queried_object_id();
309  				}
310  			}//end if
311  		}//end if
312  
313 $this->api = pods_api( $pod );
314 $this->api->display_errors =& $this->display_errors; 315
@FUNCTION::pods /pods/includes/classes.php:22
2  /**
3   * @package Pods\Global\Functions\Classes
4   */
5  /**
6   * Include and Init the Pods class
7   *
8   * @see   Pods
9   *
10   * @param string $type   The pod name
11   * @param mixed  $id     (optional) The ID or slug, to load a single record; Provide array of $params to run 'find'
12   * @param bool   $strict (optional) If set to true, return false instead of an object if the Pod doesn't exist
13   *
14   * @return bool|\Pods returns false if $strict, WP_DEBUG, PODS_STRICT or (PODS_DEPRECATED && PODS_STRICT_MODE) are true
15   * @since 2.0.0
16   * @link  https://pods.io/docs/pods/
17   */
18  function pods( $type = null, $id = null, $strict = null ) {
19  
20  	require_once PODS_DIR . 'classes/Pods.php';
21  
22 $pod = new Pods( $type, $id );
23 24 if ( null === $strict ) {
PodsUI::__construct /pods/classes/PodsUI.php:482
462  
463  			if ( is_object( $object ) && ( 'Pods' == get_class( $object ) || 'Pod' == get_class( $object ) ) ) {
464  				$this->pod =& $object;
465  			}
466  		}
467  
468  		if ( ! is_array( $options ) ) {
469  			// @todo need to come back to this and allow for multi-dimensional strings
470  			// like: option=value&option2=value2&option3=key[val],key2[val2]&option4=this,that,another
471  			if ( false !== strpos( $options, '=' ) || false !== strpos( $options, '&' ) ) {
472  				parse_str( $options, $options );
473  			} else {
474  				$options = array( 'pod' => $options );
475  			}
476  		}
477  
478  		if ( ! is_object( $object ) && isset( $options['pod'] ) ) {
479  			if ( is_object( $options['pod'] ) ) {
480  				$this->pod = $options['pod'];
481  			} elseif ( isset( $options['id'] ) ) {
482 $this->pod = pods( $options['pod'], $options['id'] );
483 } else { 484 $this->pod = pods( $options['pod'] );