Catch Import Export - Insecure deserialization

 337 | static private function _import( $wp_customize )
 338 | {
 339 | // Make sure we have a valid nonce.
 340 | if ( ! wp_verify_nonce( $_REQUEST['cie-import'], 'cie-importing' ) ) {
 341 | return;
 342 | }
 343 |
 344 | // Make sure WordPress upload support is loaded.
 345 | if ( ! function_exists( 'wp_handle_upload' ) ) {
 346 | require_once( ABSPATH . 'wp-admin/includes/file.php' );
 347 | }
 348 |
 349 | // Load the export/import option class.
 350 | require_once plugin_dir_path( __FILE__ ) . 'classes/class-catch-import-export-option.php';
 351 |
 352 | // Setup global vars.
 353 | global $wp_customize;
 354 | global $cie_error;
 355 | global $settings_page;
 356 |
 357 | // Setup internal vars.
 358 | $settings_page = false;
 359 | $cie_error = false;
 360 | $template = get_template();
 361 | $overrides = array( 'test_form' => false, 'test_type' => false, 'mimes' => array('dat' => 'text/plain') );
 362 | $file = wp_handle_upload( $_FILES['cie-import-file'], $overrides );
 363 |
 364 | // Make sure the form is submitted through admin settings page.
 365 | if( isset( $_REQUEST['settings-page'] ) && true == $_REQUEST['settings-page'] ){
 366 | $settings_page = true;
 367 | }
 368 |
 369 | // Make sure we have an uploaded file.
 370 | if ( isset( $file['error'] ) ) {
 371 | $cie_error = $file['error'];
 372 | return;
 373 | }
 374 | if ( ! file_exists( $file['file'] ) ) {
 375 | $cie_error = __( 'Error importing settings! Please try again.', 'catch-import-export' );
 376 | return;
 377 | }
 378 |
 379 | // Get the upload data.
 380 | $raw = file_get_contents( $file['file'] );
> 381 | $data = @unserialize( $raw );
 382 |
 383 | // Remove the uploaded file.
 384 | unlink( $file['file'] );
 385 |
 386 |
 387 | // Data checks.
 388 | if ( 'array' != gettype( $data ) ) {
 389 | $cie_error = __( 'Error importing settings! Please check that you uploaded a customizer export file.', 'catch-import-e
 390 | return;
 391 | }
 392 | if ( ! isset( $data['template'] ) || ! isset( $data['mods'] ) ) {
 393 | $cie_error = __( 'Error importing settings! Please check that you uploaded a customizer export file.', 'catch-import-e
 394 | return;
 395 | }
 396 | if ( $data['template'] != $template ) {
 397 | $cie_error = __( 'Error importing settings! The settings you uploaded are not for the current theme.', 'catch-import-e
 398 | return;
 399 | }
 400 |
 401 | // Import images.
 402 | if ( isset( $_REQUEST['cie-import-images'] ) ) {
 403 | $data['mods'] = self::_import_images( $data['mods'] );
 404 | }
 405 |
 406 | // Import custom options.
 407 | if ( isset( $data['options'] ) ) {
 408 |
 409 | foreach ( $data['options'] as $option_key => $option_value ) {
 410 |
 411 | $option = new Catch_Import_Export_Option( $wp_customize, $option_key, array(
 412 | 'default' => '',
 413 | 'type' => 'option',
 414 | 'capability' => 'edit_theme_options'
 415 | ) );
 416 |
 417 | $option->import( $option_value );
 418 | }
 419 | }
 420 |
 421 | // If wp_css is set then import it.
 422 | if( function_exists( 'wp_update_custom_css_post' ) && isset( $data['wp_css'] ) && '' !== $data['wp_css'] ) {
 423 | wp_update_custom_css_post( $data['wp_css'] );
 424 | }
 425 |
 426 | // Call the customize_save action.
 427 | do_action( 'customize_save', $wp_customize );
 428 |
 429 | // Loop through the mods.
 430 | foreach ( $data['mods'] as $key => $val ) {
  431 |
  432 |    // Call the customize_save_ dynamic action.
  433 |    do_action( 'customize_save_' . $key );
  434 |
  435 |    // Save the mod.
  436 |    set_theme_mod( $key, $val );
  437 |   }
  438 |
  439 |   // Call the customize_save_after action.
  440 |   do_action( 'customize_save_after', $wp_customize );
  441 |   if( isset( $_REQUEST['settings-page'] ) && true == $_REQUEST['settings-page'] ){
  442 |    $url = admin_url( 'admin.php?page=catch-import-export' );
  443 |    wp_redirect( esc_url( $url ) );
  444 |    exit;
  445 |   }
  446 |  }
      ^ Col 0