These functions can be used to delete the files if the data inside the functions are user controlled. Use these functions carefully.
Run in CI
rules: - id: wp-file-manipulation-audit patterns: - pattern-either: - pattern: unlink(...) - pattern: wp_delete_file(...) message: These functions can be used to delete the files if the data inside the functions are user controlled. Use these functions carefully. paths: include: - wp-content/plugins/**/*.php languages: - php severity: WARNING metadata: category: security confidence: LOW likelihood: LOW impact: HIGH subcategory: - audit technology: - Wordpress Plugins references: - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#file-manipulation owasp: - A01:2021 - Broken Access Control - A08:2021 - Software and Data Integrity Failures cwe: - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" - "CWE-73: The software allows user input to control or influence paths of file names that are used in filesystem operations." - "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')" license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Short Link: https://sg.run/JpwW