Description
In plugins/faustwp/includes/blocks/functions.php, the process_and_replace_blocks() function moves an uploaded file to the target directory, then attempts to unzip it. If unzip_uploaded_file() fails, the function returns the WP_Error immediately without deleting the moved file:
$move_result = move_uploaded_file( $wp_filesystem, $file, $target_file );
if ( is_wp_error( $move_result ) ) {
    return $move_result;
}
$unzip_result = unzip_uploaded_file( $target_file, $dirs['target'] );
if ( is_wp_error( $unzip_result ) ) {
    return $unzip_result; // $target_file left on disk
}
The orphaned file remains at a predictable path under wp-content/uploads/faustwp/blocks/. While the endpoint requires secret key authentication, leftover files accumulate on repeated failed uploads and are not cleaned up.
Expected Behavior
The uploaded file should be deleted from the target directory before returning the error, so failed uploads don't leave artifacts on disk.
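The same fragment with the cleanup this report asks for, as an added example rather than code from the FaustWP plugin. It reuses the names from the report ($wp_filesystem, $file, $target_file, $dirs['target'], the plugin's move_uploaded_file() and unzip_uploaded_file()); faustwp_discard_failed_upload() is a hypothetical helper introduced here, and $wp_filesystem is assumed to be a WP_Filesystem_Base instance.

```php
<?php
// Added example, not the plugin's own code. Shows the shape of the fix for
// CWE-459 in process_and_replace_blocks(): remove the moved archive before
// returning the unzip error. faustwp_discard_failed_upload() is hypothetical.

/**
 * Delete a moved upload after a later step has failed, then hand the
 * original WP_Error back to the caller.
 *
 * @param WP_Filesystem_Base $wp_filesystem Filesystem abstraction already in scope.
 * @param string             $target_file   Path the upload was moved to.
 * @param WP_Error           $error         The error that triggered the cleanup.
 * @return WP_Error
 */
function faustwp_discard_failed_upload( $wp_filesystem, $target_file, WP_Error $error ) {
	if ( $wp_filesystem->exists( $target_file ) && ! $wp_filesystem->delete( $target_file ) ) {
		// Cleanup itself failed: record the orphaned path on the error so the
		// failure is visible to whoever inspects it, instead of silently leaving
		// a file under wp-content/uploads/faustwp/blocks/.
		$error->add_data( array( 'orphaned_file' => $target_file ), 'faustwp_cleanup_failed' );
	}
	return $error;
}

// ... inside process_and_replace_blocks(), replacing the fragment quoted above:
$move_result = move_uploaded_file( $wp_filesystem, $file, $target_file );
if ( is_wp_error( $move_result ) ) {
	return $move_result; // nothing reached the target directory, nothing to clean up
}

$unzip_result = unzip_uploaded_file( $target_file, $dirs['target'] );
if ( is_wp_error( $unzip_result ) ) {
	// The archive is on disk but unusable: delete it before surfacing the error
	// so repeated failed uploads no longer accumulate files.
	return faustwp_discard_failed_upload( $wp_filesystem, $target_file, $unzip_result );
}
```

Files partially extracted into $dirs['target'] by a failing unzip are not covered by this report and are not handled here.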
CWE Classification
CWE-459: Incomplete Cleanup
Environment
- FaustWP plugin v1.8.6
- canary branch