php.wordpress-plugins.security.audit.wp-command-execution-audit.wp-command-execution-audit

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*
LGPL Commons Clause
License

These functions can lead to command execution if the data inside them is user-controlled. Don't use the input directly or validate the data properly before passing it to these functions.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: wp-command-execution-audit
    patterns:
      - pattern-either:
          - pattern: system(...)
          - pattern: exec(...)
          - pattern: passthru(...)
          - pattern: shell_exec(...)
    message: These functions can lead to command execution if the data inside them
      is user-controlled. Don't use the input directly or validate the data
      properly before passing it to these functions.
    paths:
      include:
        - wp-content/plugins/**/*.php
    languages:
      - php
    severity: WARNING
    metadata:
      category: security
      confidence: LOW
      likelihood: LOW
      impact: HIGH
      subcategory:
        - audit
      technology:
        - Wordpress Plugins
      references:
        - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#command-execution
      owasp:
        - A03:2021 - Injection
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS
          Command ('OS Command Injection')"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]