php.wordpress-plugins.security.audit.wp-command-execution-audit.wp-command-execution-audit

profile photo of semgrepsemgrep
Author
unknown
Download Count*

These functions can lead to command execution if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.

Run Locally

Run in CI

Defintion

rules:
  - id: wp-command-execution-audit
    patterns:
      - pattern-either:
          - pattern: system(...)
          - pattern: exec(...)
          - pattern: passthru(...)
          - pattern: shell_exec(...)
    message: These functions can lead to command execution if the data inside them
      is user-controlled. Don't use the input directly or validate the data
      properly before passing it to these functions.
    paths:
      include:
        - wp-content/plugins/**/*.php
    languages:
      - php
    severity: WARNING
    metadata:
      category: security
      confidence: LOW
      likelihood: LOW
      impact: HIGH
      subcategory:
        - audit
      technology:
        - Wordpress Plugins
      references:
        - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#command-execution
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Command Injection

Examples

wp-command-execution-audit.php

<?php

// ruleid: wp-command-execution-audit
exec('rm -rf ' . $dir, $o, $r);

// ruleid: wp-command-execution-audit
$stderr = shell_exec($command);


// ok: wp-command-execution-audit
some_other_safe_function($args);


?>