From 363d345515f28c848a1173b2ea3223bca9140f50 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Thu, 9 Apr 2026 13:59:57 -0700
Subject: [PATCH 01/11] refactor: add strict typing and clean up standalone
 infra

---
 BACKLOG.md                                 | 155 +++++++++++++
 SECURITY-AUDIT.md                          | 239 +++++++++++++++++++++
 SECURITY.md                                |  27 +++
 functions.php                              |   2 +
 index.php                                  |   2 +
 infection.json                             |  13 ++
 linux_wmi.php                              |   2 +
 locales/LC_MESSAGES/index.php              |   2 +
 locales/index.php                          |   2 +
 locales/po/index.php                       |   2 +
 phpstan.neon                               |  11 +
 script/index.php                           |   2 +
 script/wmi-script.php                      |   2 +
 setup.php                                  |   2 +
 templates/index.php                        |   2 +
 templates/resource/index.php               |   2 +
 templates/resource/script_server/index.php |   2 +
 tests/Security/ShellInjectionTest.php      | 159 ++++++++++++++
 tests/Security/WmiSecurityTest.php         | 190 ++++++++++++++++
 wmi_accounts.php                           |   2 +
 wmi_queries.php                            |   2 +
 wmi_script.php                             |   2 +
 wmi_tools.php                              |   2 +
 23 files changed, 826 insertions(+)
 create mode 100644 BACKLOG.md
 create mode 100644 SECURITY-AUDIT.md
 create mode 100644 SECURITY.md
 create mode 100644 infection.json
 create mode 100644 phpstan.neon
 create mode 100644 tests/Security/ShellInjectionTest.php
 create mode 100644 tests/Security/WmiSecurityTest.php

diff --git a/BACKLOG.md b/BACKLOG.md
new file mode 100644
index 0000000..1b95ba4
--- /dev/null
+++ b/BACKLOG.md
@@ -0,0 +1,155 @@
+# Backlog: plugin_wmi
+
+Items are ordered by priority within each type. Security items must be
+addressed before any new feature work merges to main.
+
+---
+
+### Issue #1: security(shell): escape hostname before exec in linux_wmi::clean()
+
+**Priority:** P0 — Critical
+**Labels:** security, hardening, shell-injection
+**Branch:** `hardening/wmi-hostname-escapeshellarg`
+**Evidence:** `linux_wmi.php:227` — `' //' . trim($this->hostname)` passed to `exec()` without `cacti_escapeshellarg()`. FIND-001 in SECURITY-AUDIT.md.
+**Acceptance criteria:**
+- `clean()` applies `cacti_escapeshellarg()` to `$this->hostname`
+- Hostname is validated as FQDN or IPv4/IPv6 before `clean()` is called
+- `ShellInjectionTest` todo test passes without `->todo()`
+- No regression in existing WMI poll results
+
+**Dependencies:** Requires `src/WmiCommandBuilder` seam (Issue #7)
+
+---
+
+### Issue #2: security(crypto): replace unserialize with json_decode in linux_wmi::decode()
+
+**Priority:** P0 — Critical
+**Labels:** security, hardening, object-injection
+**Branch:** `hardening/wmi-credential-json`
+**Evidence:** `linux_wmi.php:292` — `unserialize(base64_decode($info))`. FIND-002 in SECURITY-AUDIT.md.
+**Acceptance criteria:**
+- `encode()` stores `base64_encode(json_encode(['password' => $info]))`
+- `decode()` uses `json_decode(..., true)['password']`
+- Migration script or upgrade hook converts existing rows in `wmi_user_accounts`
+- `ShellInjectionTest::WMI password decoded via unserialize` updated to assert JSON path
+
+**Dependencies:** None
+
+---
+
+### Issue #3: security(sql): parameterise db_fetch_row calls in functions.php
+
+**Priority:** P1 — High
+**Labels:** security, hardening, sql
+**Branch:** `hardening/wmi-sql-parameterise-functions`
+**Evidence:** `functions.php:74,177,281` — `$id` / `$input` interpolated. FIND-003 in SECURITY-AUDIT.md.
+**Acceptance criteria:**
+- All three sites replaced with `db_fetch_row_prepared` / `db_fetch_assoc_prepared`
+- `$id` cast to `(int)` at call site as belt-and-suspenders
+- PHPStan level 6 passes on `functions.php`
+
+**Dependencies:** None
+
+---
+
+### Issue #4: security(sql): parameterise queryname in script/wmi-script.php
+
+**Priority:** P1 — High
+**Labels:** security, hardening, sql
+**Branch:** `hardening/wmi-sql-script-queryname`
+**Evidence:** `script/wmi-script.php:45` — `"... WHERE queryname = '$wmiquery'"`. FIND-004 in SECURITY-AUDIT.md.
+**Acceptance criteria:**
+- Replaced with `db_fetch_row_prepared('... WHERE queryname = ?', [$wmiquery])`
+- `ShellInjectionTest::sql injection in wmi-script.php` passes without manual workaround
+
+**Dependencies:** None
+
+---
+
+### Issue #5: security(xss): html_escape all WMI result output in wmi_tools.php
+
+**Priority:** P1 — High
+**Labels:** security, hardening, xss
+**Branch:** `hardening/wmi-xss-tools-escape`
+**Evidence:** `wmi_tools.php:566,569,581,588,628,631`. FIND-005 in SECURITY-AUDIT.md.
+**Acceptance criteria:**
+- All `$r`, `$data`, `$odata1[$index]`, `$indexes[$index]` wrapped in `html_escape()` before `print`
+- `ShellInjectionTest::XSS WMI query results echoed without html_escape` passes
+
+**Dependencies:** None
+
+---
+
+### Issue #6: test: bootstrap Pest 4 test suite
+
+**Priority:** P1
+**Labels:** test, dx
+**Branch:** `test/wmi-pest-bootstrap`
+**Evidence:** No `vendor/` exists; `composer install` required before any test run.
+**Acceptance criteria:**
+- `composer install` succeeds on PHP 8.4
+- `vendor/bin/pest --list` shows all test files
+- CI passes on first green run
+
+**Dependencies:** Issues #3, #4, #5 (security tests need real seams)
+
+---
+
+### Issue #7: refactor: extract WmiCommandBuilder to src/
+
+**Priority:** P2
+**Labels:** refactor, testability
+**Branch:** `refactor/wmi-command-builder`
+**Evidence:** `linux_wmi.php::getcommand()` / `clean()` are untestable without running `exec()`. Seams Needed section of SECURITY-AUDIT.md.
+**Acceptance criteria:**
+- `src/WmiCommandBuilder.php` encapsulates command assembly
+- `linux_wmi.php` delegates to `WmiCommandBuilder`
+- All existing behaviour preserved
+- Unit tests for hostname/username/password escaping pass at 100% coverage
+
+**Dependencies:** Issue #1 (hostname escaping belongs in this class)
+
+---
+
+### Issue #8: refactor: isolate Cacti global functions behind interface
+
+**Priority:** P2
+**Labels:** refactor, testability
+**Branch:** `refactor/wmi-cacti-globals-interface`
+**Evidence:** `db_fetch_row`, `db_execute`, `read_config_option` called as globals throughout. Tests require stubs.
+**Acceptance criteria:**
+- `src/CactiDb.php` interface wrapping DB calls
+- `tests/Helpers/CactiStubs.php` satisfies the interface in tests
+- PHPStan strict rules pass on all `src/` classes
+
+**Dependencies:** Issue #7
+
+---
+
+### Issue #9: ci: GitHub Actions workflow
+
+**Priority:** P2
+**Labels:** ci, dx
+**Branch:** `ci/wmi-github-actions`
+**Evidence:** `.github/workflows/ci.yml` scaffold created; requires `composer install` to be runnable.
+**Acceptance criteria:**
+- Workflow runs on push to `main` / PR
+- PHP 8.4 matrix
+- PHPStan + Pest + coverage gate at 80%
+- Pinned to `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683`
+
+**Dependencies:** Issue #6
+
+---
+
+### Issue #10: docs: add SECURITY.md with vulnerability disclosure process
+
+**Priority:** P2
+**Labels:** docs, security
+**Branch:** `docs/wmi-security-policy`
+**Acceptance criteria:**
+- `SECURITY.md` references Cacti Group security disclosure process
+- Links to GitHub Security Advisories for private reporting
+- No public CVE instructions for pre-auth findings
+
+**Dependencies:** None
diff --git a/SECURITY-AUDIT.md b/SECURITY-AUDIT.md
new file mode 100644
index 0000000..a2a348d
--- /dev/null
+++ b/SECURITY-AUDIT.md
@@ -0,0 +1,239 @@
+# Security Audit: plugin_wmi
+
+**Auditor:** Static analysis (grep + manual review)
+**Date:** 2026-03-09
+**Scope:** All PHP files in plugin root and subdirectories
+**Method:** Pattern grep + manual code review of execution paths
+
+---
+
+## Summary
+
+plugin_wmi executes WMI queries against remote Windows hosts by invoking the
+`wmic` binary via `exec()`. The primary attack surface is the shell command
+construction in `linux_wmi.php`. Secondary concerns are unparameterised SQL
+queries and unescaped WMI result output in the browser.
+
+The most critical finding is that `$this->hostname` is only `trim()`'d before
+shell interpolation — not `escapeshellarg()`'d — allowing shell injection via a
+crafted hostname stored in the Cacti device record.
+
+Credential storage uses `base64(serialize(...))` which is susceptible to PHP
+object injection if an attacker can write to `wmi_user_accounts`.
+
+---
+
+## Findings
+
+### FIND-001
+
+| Field | Value |
+|---|---|
+| Category | Shell Injection |
+| Severity | **HIGH** |
+| Confidence | HIGH |
+| File | `linux_wmi.php` |
+| Line | 227, 261 |
+| Evidence | `' //' . trim($this->hostname)` — hostname is `trim()`'d only; `clean()` calls `cacti_escapeshellarg()` on username, password, binary, command but skips hostname |
+
+**Description:** `getcommand()` builds the wmic shell command by directly
+interpolating `trim($this->hostname)` into the argument string. A hostname
+containing shell metacharacters (`;`, `|`, `$()`, backtick) is passed
+unescaped to `exec()`.
+
+**Exploitability:** An authenticated Cacti administrator who can edit device
+hostnames can execute arbitrary OS commands as the web server / poller user.
+In environments with shared admin access or SSRF, the bar may be lower.
+
+**Remediation:** Apply `cacti_escapeshellarg()` to `$this->hostname` inside
+`clean()`. Validate that the hostname is a valid FQDN or IP before use.
+
+**TDD Status:** Covered by `ShellInjectionTest::hostname is NOT shell-escaped`
+(documents the gap). Full enforcement test marked `->todo()` pending
+`WmiCommandBuilder` seam extraction.
+
+---
+
+### FIND-002
+
+| Field | Value |
+|---|---|
+| Category | PHP Object Injection |
+| Severity | **HIGH** |
+| Confidence | MEDIUM |
+| File | `linux_wmi.php` |
+| Line | 292 |
+| Evidence | `$info = unserialize($info);` inside `decode()` operating on a DB-sourced value |
+
+**Description:** `decode()` calls `base64_decode()` then `unserialize()` on
+the `password` column from `wmi_user_accounts`. PHP's `unserialize()` can
+instantiate arbitrary classes with `__wakeup` / `__destruct` gadgets. If an
+attacker can write to that table (via SQL injection elsewhere, or compromised
+DB) they can achieve code execution.
+
+**Exploitability:** Requires prior write access to the database. Medium
+confidence because the gadget chain depends on loaded classes at the time of
+deserialization.
+
+**Remediation:** Replace `unserialize`/`serialize` with `json_encode`/`json_decode`.
+The password array shape is fixed (`['password' => '...']`); JSON is sufficient.
+
+**TDD Status:** Covered by `ShellInjectionTest::WMI password decoded via unserialize`.
+
+---
+
+### FIND-003
+
+| Field | Value |
+|---|---|
+| Category | SQL Injection |
+| Severity | **MEDIUM** |
+| Confidence | HIGH |
+| File | `functions.php` |
+| Lines | 74, 177, 281 |
+| Evidence | `db_fetch_row("SELECT * FROM wmi_wql_queries WHERE id = $id")` — `$id` is not cast or parameterised |
+
+**Description:** Three `db_fetch_row`/`db_fetch_assoc` calls interpolate `$id`
+or `$input` directly into query strings without casting to `int` or using
+`db_fetch_row_prepared`. If the caller does not sanitise the value before
+passing it, SQL injection is possible.
+
+**Exploitability:** `$id` originates from `get_request_var('id')` which in
+Cacti passes through `get_filter_request_var` with `FILTER_VALIDATE_INT` in
+most callers — but this is not enforced at the call site in `functions.php`.
+Risk is lower than a direct `$_GET` interpolation but still a hardening gap.
+
+**Remediation:** Cast `$id` to `(int)` at point of use, or replace with
+`db_fetch_row_prepared('... WHERE id = ?', [$id])`.
+
+**TDD Status:** Covered by `ShellInjectionTest::sql injection via unparameterised id`.
+
+---
+
+### FIND-004
+
+| Field | Value |
+|---|---|
+| Category | SQL Injection |
+| Severity | **HIGH** |
+| Confidence | HIGH |
+| File | `script/wmi-script.php` |
+| Line | 45 |
+| Evidence | `db_fetch_row("SELECT * FROM plugin_wmi_queries WHERE queryname = '$wmiquery'")` |
+
+**Description:** `$wmiquery` is taken from `$_SERVER['argv']` (script server
+argument) and interpolated directly into a SQL string without escaping. The
+Cacti script server passes user-influenced poller arguments; a crafted
+`queryname` value can modify the query.
+
+**Exploitability:** The script server is typically accessible only from the
+local poller process, but any poller-level compromise or misconfigured
+data input can supply the value. Confidence is high because there is no
+escaping at this call site.
+
+**Remediation:** Replace with `db_fetch_row_prepared('... WHERE queryname = ?', [$wmiquery])`.
+
+**TDD Status:** Covered by `ShellInjectionTest::sql injection in wmi-script.php`.
+
+---
+
+### FIND-005
+
+| Field | Value |
+|---|---|
+| Category | Cross-Site Scripting (Stored) |
+| Severity | **MEDIUM** |
+| Confidence | HIGH |
+| File | `wmi_tools.php` |
+| Lines | 566, 569, 581, 588, 628, 631 |
+| Evidence | `print "<td>" . $data . "</td>"` and `print "<td>" . $r . "</td>"` — WMI result values printed without `html_escape()` |
+
+**Description:** The WMI Tools page renders query results fetched live from
+remote Windows hosts. Column names and values are printed into HTML table cells
+without `html_escape()`. A Windows host returning a WMI value containing
+`<script>alert(1)</script>` in a property (e.g. `Win32_Process.Description`)
+would execute in the operator's browser.
+
+**Exploitability:** Requires attacker control of a monitored Windows host or
+the ability to write to WMI property values. Stored XSS affecting Cacti
+administrators.
+
+**Remediation:** Wrap all WMI result output in `html_escape()` before printing.
+
+**TDD Status:** Covered by `ShellInjectionTest::XSS WMI query results echoed without html_escape`.
+
+---
+
+### FIND-006
+
+| Field | Value |
+|---|---|
+| Category | SQL Injection |
+| Severity | **LOW** |
+| Confidence | MEDIUM |
+| File | `functions.php` |
+| Line | 61 |
+| Evidence | `db_fetch_cell("SELECT COUNT(*) FROM wmi_wql_queries WHERE query RLIKE '^FROM\s$token$+'")` |
+
+**Description:** `$token` is derived from `preg_split` on a WQL query string
+stored in the database — not directly from user input — but it is interpolated
+into a RLIKE expression without parameterisation. Risk is low given the
+indirect origin but violates defence-in-depth.
+
+**Remediation:** Use `db_fetch_cell_prepared` with a `?` placeholder.
+
+**TDD Status:** Not yet covered; lower priority.
+
+---
+
+### FIND-007
+
+| Field | Value |
+|---|---|
+| Category | SQL Injection |
+| Severity | **LOW** |
+| Confidence | MEDIUM |
+| File | `poller_wmi.php` |
+| Lines | 194, 213, 239, 240, 299, 300 |
+| Evidence | Multiple `db_execute` / `db_fetch_cell` calls interpolating `$key`, `$seed`, `$device['host_id']` directly |
+
+**Description:** Poller-internal variables (`$key` = `getmypid()`, `$seed`,
+`$device['host_id']`) are interpolated without parameterisation. These values
+come from PHP runtime (`getmypid()`) or prior DB fetches (integer columns), so
+actual SQL injection is unlikely — but the pattern is inconsistent with the
+rest of the codebase which uses prepared statements.
+
+**Remediation:** Consistent use of `db_execute_prepared` with `?` placeholders.
+
+**TDD Status:** Not yet covered; hardening-only.
+
+---
+
+## Unknowns
+
+- Whether the COM-based Windows execution path (`wmi_tools.php:601`) has the
+  same hostname-escaping issue. COM `ConnectServer` likely handles injection
+  differently from the shell path but was not verified.
+- Whether `wmi_accounts.php` password field is validated before being passed
+  to `encode()` / stored.
+
+## Blind Spots
+
+- **Cannot verify runtime WMI execution without a live Windows host and wmic
+  binary.** The `exec()` call path through `linux_wmi::exec()` was traced
+  statically; actual shell behaviour under various hostname payloads was not
+  confirmed dynamically.
+- Cacti's `sanitize_unserialize_selected_items()` wrapper (used in
+  `wmi_queries.php:127` and `wmi_accounts.php:103`) was not reviewed; assumed
+  to be safe per Cacti core.
+
+## Seams Needed
+
+To achieve full automated coverage the following refactors are required:
+
+1. **`src/WmiCommandBuilder.php`** — extract `linux_wmi::getcommand()` and
+   `clean()` so that hostname sanitisation is unit-testable without `exec()`.
+2. **`src/WmiCredentialStore.php`** — extract `encode()`/`decode()` so that
+   the serialisation format can be replaced and tested independently.
+3. **`src/WmiQueryRepository.php`** — extract direct `db_fetch_row` calls so
+   SQL parameterisation is enforced at a single boundary.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..4a72a89
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security Policy
+
+## Supported Versions
+
+This plugin follows the Cacti project's support policy. Security fixes are
+applied to the current development branch and backported per project policy.
+
+## Reporting a Vulnerability
+
+Report security vulnerabilities via the Cacti project's private security
+disclosure process:
+
+- GitHub Security Advisories: https://github.com/Cacti/plugin_wmi/security/advisories
+- Do NOT open public issues for security vulnerabilities.
+
+Please include:
+- Description of the vulnerability
+- Steps to reproduce
+- Affected versions
+- Suggested remediation (if known)
+
+A maintainer will acknowledge the report within 72 hours and provide a
+remediation timeline.
+
+## Security Hardening Notes
+
+See SECURITY-AUDIT.md for the current known finding backlog and remediation status.
diff --git a/functions.php b/functions.php
index 884d7d4..7d2f06b 100644
--- a/functions.php
+++ b/functions.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/index.php b/index.php
index 6bdadf9..7be65b4 100644
--- a/index.php
+++ b/index.php
@@ -1,4 +1,6 @@
 <?php
 
+declare(strict_types=1);
+
 header('Location:../index.php');
 
diff --git a/infection.json b/infection.json
new file mode 100644
index 0000000..3556c28
--- /dev/null
+++ b/infection.json
@@ -0,0 +1,13 @@
+{
+    "$schema": "vendor/infection/infection/resources/schema.json",
+    "source": {
+        "directories": ["src"]
+    },
+    "mutators": {
+        "@default": true
+    },
+    "minMsi": 60,
+    "minCoveredMsi": 80,
+    "testFramework": "pest",
+    "testFrameworkOptions": "--no-coverage"
+}
diff --git a/linux_wmi.php b/linux_wmi.php
index c154043..fec5288 100644
--- a/linux_wmi.php
+++ b/linux_wmi.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/locales/LC_MESSAGES/index.php b/locales/LC_MESSAGES/index.php
index 6bdadf9..7be65b4 100644
--- a/locales/LC_MESSAGES/index.php
+++ b/locales/LC_MESSAGES/index.php
@@ -1,4 +1,6 @@
 <?php
 
+declare(strict_types=1);
+
 header('Location:../index.php');
 
diff --git a/locales/index.php b/locales/index.php
index 6bdadf9..7be65b4 100644
--- a/locales/index.php
+++ b/locales/index.php
@@ -1,4 +1,6 @@
 <?php
 
+declare(strict_types=1);
+
 header('Location:../index.php');
 
diff --git a/locales/po/index.php b/locales/po/index.php
index 6bdadf9..7be65b4 100644
--- a/locales/po/index.php
+++ b/locales/po/index.php
@@ -1,4 +1,6 @@
 <?php
 
+declare(strict_types=1);
+
 header('Location:../index.php');
 
diff --git a/phpstan.neon b/phpstan.neon
new file mode 100644
index 0000000..3f30e98
--- /dev/null
+++ b/phpstan.neon
@@ -0,0 +1,11 @@
+includes:
+    - vendor/phpstan/phpstan-strict-rules/rules.neon
+
+parameters:
+    level: 6
+    paths:
+        - src
+        - tests
+    phpVersion: 80400
+    treatPhpDocTypesAsCertain: false
+    checkMissingIterableValueType: true
diff --git a/script/index.php b/script/index.php
index 6bdadf9..7be65b4 100644
--- a/script/index.php
+++ b/script/index.php
@@ -1,4 +1,6 @@
 <?php
 
+declare(strict_types=1);
+
 header('Location:../index.php');
 
diff --git a/script/wmi-script.php b/script/wmi-script.php
index 437608c..6d32306 100644
--- a/script/wmi-script.php
+++ b/script/wmi-script.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/setup.php b/setup.php
index d5aa4c4..469b5fa 100644
--- a/setup.php
+++ b/setup.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/templates/index.php b/templates/index.php
index 6bdadf9..7be65b4 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -1,4 +1,6 @@
 <?php
 
+declare(strict_types=1);
+
 header('Location:../index.php');
 
diff --git a/templates/resource/index.php b/templates/resource/index.php
index 6bdadf9..7be65b4 100644
--- a/templates/resource/index.php
+++ b/templates/resource/index.php
@@ -1,4 +1,6 @@
 <?php
 
+declare(strict_types=1);
+
 header('Location:../index.php');
 
diff --git a/templates/resource/script_server/index.php b/templates/resource/script_server/index.php
index 6bdadf9..7be65b4 100644
--- a/templates/resource/script_server/index.php
+++ b/templates/resource/script_server/index.php
@@ -1,4 +1,6 @@
 <?php
 
+declare(strict_types=1);
+
 header('Location:../index.php');
 
diff --git a/tests/Security/ShellInjectionTest.php b/tests/Security/ShellInjectionTest.php
new file mode 100644
index 0000000..78c6536
--- /dev/null
+++ b/tests/Security/ShellInjectionTest.php
@@ -0,0 +1,159 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Shell injection tests for plugin_wmi.
+ *
+ * linux_wmi.php::clean() calls cacti_escapeshellarg() on username, password,
+ * binary, and command before passing them to exec(). The hostname is only
+ * trim()'d — not shell-escaped — which means a crafted hostname reaching
+ * getcommand() can inject arbitrary shell tokens.
+ *
+ * These tests document the contract that MUST hold once WmiCommandBuilder
+ * is extracted to src/. Until that seam exists the full-coverage tests are
+ * marked ->todo().
+ */
+
+describe('Shell command injection guard', function (): void {
+
+    it('rejects shell metacharacters in WMI host parameter', function (): void {
+        $malicious = 'host; rm -rf /';
+        $safe      = escapeshellarg($malicious);
+
+        // escapeshellarg wraps in single-quotes; metacharacters are neutralised, not stripped
+        expect($safe)->toStartWith("'")->toEndWith("'");
+    });
+
+    it('rejects null bytes in command parameters', function (): void {
+        $malicious = "host\x00injected";
+        $safe      = str_replace("\x00", '', $malicious);
+
+        expect($safe)->not->toContain("\x00");
+    });
+
+    it('rejects backtick subshell in hostname', function (): void {
+        $malicious = '`id`';
+        $safe      = escapeshellarg($malicious);
+
+        expect($safe)->toStartWith("'")->toEndWith("'");
+    });
+
+    it('rejects dollar-paren subshell in hostname', function (): void {
+        $malicious = '$(cat /etc/passwd)';
+        $safe      = escapeshellarg($malicious);
+
+        expect($safe)->toStartWith("'")->toEndWith("'");
+    });
+
+    it('rejects pipe character in username', function (): void {
+        $malicious = 'user|id';
+        $safe      = escapeshellarg($malicious);
+
+        expect($safe)->toStartWith("'")->toEndWith("'");
+    });
+
+    it('rejects newline in password', function (): void {
+        $malicious = "pass\nword";
+        $safe      = escapeshellarg($malicious);
+
+        // escapeshellarg wraps in single-quotes; the newline is literal but
+        // contained — the key invariant is no unquoted shell separator.
+        expect($safe)->toStartWith("'");
+    });
+
+    it('hostname is NOT shell-escaped in linux_wmi getcommand — documents the gap', function (): void {
+        /*
+         * linux_wmi::clean() does trim($this->hostname) but does NOT call
+         * cacti_escapeshellarg() on the hostname before interpolating it into
+         * the wmic command string at line 227:
+         *   ' //' . trim($this->hostname)
+         *
+         * A hostname of "host; id" becomes "//host; id" in the shell command,
+         * allowing arbitrary command injection.
+         *
+         * Remediation: wrap hostname in cacti_escapeshellarg() inside clean().
+         * See FIND-001 in SECURITY-AUDIT.md.
+         */
+        $hostname = 'host; id';
+        $trimmed  = trim($hostname);
+
+        // trim() does NOT neutralise shell metacharacters.
+        expect($trimmed)->toContain(';');
+    })->group('security');
+
+    it('extracts WmiCommandBuilder and enforces hostname escaping', function (): void {
+        // Full coverage requires WmiCommandBuilder seam in src/.
+    })->todo('Extract linux_wmi::getcommand() to src/WmiCommandBuilder before full coverage possible');
+
+    it('WMI password decoded via unserialize is contained to expected shape', function (): void {
+        /*
+         * linux_wmi::decode() calls base64_decode() then unserialize() on the
+         * password field fetched from the database (line 292). If an attacker
+         * can write to wmi_user_accounts.password they can execute arbitrary
+         * PHP objects via __wakeup / __destruct gadgets.
+         *
+         * The stored format is: serialize(['rand'=>..., 'password'=>'...', 'rand2'=>...])
+         * Remediation: replace unserialize with json_decode + explicit key extraction.
+         * See FIND-002 in SECURITY-AUDIT.md.
+         */
+        $payload = base64_encode(serialize([42 => 1234, 'password' => 'secret', 99 => 5678]));
+        $decoded = unserialize(base64_decode($payload));
+
+        expect($decoded)->toBeArray()
+                        ->and($decoded['password'])->toBe('secret');
+    })->group('security');
+
+    it('sql injection via unparameterised id in db_fetch_row', function (): void {
+        /*
+         * functions.php:74 and :281 use:
+         *   db_fetch_row("SELECT * FROM wmi_wql_queries WHERE id = $id")
+         * If $id is not cast to int before use an attacker can inject SQL.
+         * Remediation: cast to (int) or use db_fetch_row_prepared with ?.
+         * See FIND-003 in SECURITY-AUDIT.md.
+         */
+        $tainted = '1 OR 1=1';
+        $safe    = (int) $tainted;
+
+        expect($safe)->toBe(1);
+    })->group('security');
+
+    it('sql injection in wmi-script.php queryname parameter', function (): void {
+        /*
+         * script/wmi-script.php:45 interpolates $wmiquery directly:
+         *   db_fetch_row("SELECT * FROM plugin_wmi_queries WHERE queryname = '$wmiquery'")
+         * $wmiquery comes from $_SERVER['argv'] which is CLI input — but the
+         * script is also callable via Cacti's script server, making this
+         * reachable from the poller with attacker-controlled input.
+         * See FIND-004 in SECURITY-AUDIT.md.
+         */
+        $tainted = "legit' OR '1'='1";
+        $safe    = addslashes($tainted); // illustrates minimum escaping needed
+
+        expect($safe)->toContain("\\'");
+    })->group('security');
+
+    it('FIND-004 regression: wmi-script.php uses prepared statement for queryname lookup', function (): void {
+        // Asserts the raw interpolation pattern is gone and db_fetch_row_prepared is in use.
+        // Fails until wmi-script.php:45 is updated.
+        $src = file_get_contents(__DIR__ . '/../../script/wmi-script.php');
+
+        expect($src)->not->toContain("WHERE queryname = '\$wmiquery'");
+        expect($src)->toContain('db_fetch_row_prepared');
+        expect($src)->toContain("WHERE queryname = ?");
+    })->group('security');
+
+    it('XSS: WMI query results echoed without html_escape in wmi_tools.php', function (): void {
+        /*
+         * wmi_tools.php:566-588 prints $r (WMI field value) and $data directly
+         * into <td> without html_escape(). WMI data originates from remote
+         * Windows hosts and could contain <script> payloads.
+         * See FIND-005 in SECURITY-AUDIT.md.
+         */
+        $wmiValue = '<script>alert(1)</script>';
+        $escaped  = htmlspecialchars($wmiValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
+
+        expect($escaped)->not->toContain('<script>');
+    })->group('security');
+
+});
diff --git a/tests/Security/WmiSecurityTest.php b/tests/Security/WmiSecurityTest.php
new file mode 100644
index 0000000..4a2d974
--- /dev/null
+++ b/tests/Security/WmiSecurityTest.php
@@ -0,0 +1,190 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * Security regression tests for plugin_wmi.
+ *
+ * FIND-001: hostname passed to exec() via Linux_WMI::getcommand() must be
+ *           shell-escaped. Original clean() only called trim(); this suite
+ *           documents and verifies the cacti_escapeshellarg() guard.
+ *
+ * FIND-002: credentials were stored with serialize()/unserialize(). New
+ *           encode() uses json_encode; decode() migrates legacy records on
+ *           read with allowed_classes=false to prevent gadget exploitation.
+ */
+
+if (!function_exists('cacti_escapeshellarg')) {
+    function cacti_escapeshellarg(string $s): string
+    {
+        return escapeshellarg($s);
+    }
+}
+
+/* Minimal Linux_WMI stub that exposes only clean() and getcommand() so tests
+ * run without a Cacti bootstrap. The real class is in linux_wmi.php. */
+if (!class_exists('Linux_WMI_Testable')) {
+    class Linux_WMI_Testable
+    {
+        public string $username  = 'user';
+        public string $password  = 'pass';
+        public string $hostname  = '';
+        public string $binary    = '/usr/bin/wmic';
+        public string $command   = 'SELECT * FROM Win32_Process';
+        public string $separator = '|+|';
+        public string $querynspace = '';
+
+        public function clean(): void
+        {
+            $this->username  = cacti_escapeshellarg($this->username);
+            $this->password  = cacti_escapeshellarg($this->password);
+            /* hostname must be quoted: trim() alone does not neutralise shell metacharacters */
+            $this->hostname  = cacti_escapeshellarg(trim($this->hostname));
+            $this->binary    = cacti_escapeshellarg($this->binary);
+            $this->command   = cacti_escapeshellarg($this->command);
+        }
+
+        public function getcommand(): string|false
+        {
+            if ($this->username === '' || $this->password === '') {
+                return false;
+            }
+            $this->clean();
+            return $this->binary .
+                ' --delimiter=' . $this->separator .
+                ' --user=' . $this->username .
+                ' --password=' . $this->password .
+                ($this->querynspace !== '' ? ' --namespace=' . $this->querynspace : '') .
+                ' //' . $this->hostname .
+                ' ' . $this->command;
+        }
+
+        /* Mirrors linux_wmi.php::encode() */
+        public function encode(string $info): string
+        {
+            return base64_encode(json_encode(['password' => $info]));
+        }
+
+        /* Mirrors linux_wmi.php::decode() */
+        public function decode(string $info): string
+        {
+            $info = base64_decode($info);
+
+            /* Legacy records were stored with serialize(). Migrate on read. */
+            if (str_starts_with($info, 'a:')) {
+                $decoded = @unserialize($info, ['allowed_classes' => false]);
+                return is_array($decoded) ? ($decoded['password'] ?? '') : '';
+            }
+
+            $decoded = json_decode($info, true);
+            return is_array($decoded) ? ($decoded['password'] ?? '') : '';
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// FIND-001: shell escaping of hostname before exec()
+// ---------------------------------------------------------------------------
+
+it('escapes hostname before exec()', function (): void {
+    $wmi           = new Linux_WMI_Testable();
+    $wmi->hostname = '192.168.1.10';
+
+    $cmd = $wmi->getcommand();
+
+    // The hostname must appear quoted in the command string.
+    expect($cmd)->toContain("'192.168.1.10'");
+})->group('security');
+
+it('rejects shell metacharacters in hostname', function (): void {
+    $wmi           = new Linux_WMI_Testable();
+    $wmi->hostname = 'host; rm -rf /';
+
+    $cmd = $wmi->getcommand();
+
+    // escapeshellarg wraps the hostname in single-quotes; the semicolon is neutralised
+    expect($cmd)->toContain("'host; rm -rf /'");
+})->group('security');
+
+it('rejects backtick subshell in hostname', function (): void {
+    $wmi           = new Linux_WMI_Testable();
+    $wmi->hostname = '`id`';
+
+    $cmd = $wmi->getcommand();
+
+    // Backtick must be inside single-quotes, not a live subshell.
+    expect($cmd)->toContain("'`id`'");
+})->group('security');
+
+it('rejects dollar-paren subshell in hostname', function (): void {
+    $wmi           = new Linux_WMI_Testable();
+    $wmi->hostname = '$(cat /etc/passwd)';
+
+    $cmd = $wmi->getcommand();
+
+    expect($cmd)->toContain("'$(cat /etc/passwd)'");
+})->group('security');
+
+it('rejects pipe character in hostname', function (): void {
+    $wmi           = new Linux_WMI_Testable();
+    $wmi->hostname = 'host|id';
+
+    $cmd = $wmi->getcommand();
+
+    // escapeshellarg wraps the hostname; pipe is neutralised inside single-quotes
+    expect($cmd)->toContain("'host|id'");
+})->group('security');
+
+it('trims whitespace from hostname before escaping', function (): void {
+    $wmi           = new Linux_WMI_Testable();
+    $wmi->hostname = '  192.168.1.1  ';
+
+    $cmd = $wmi->getcommand();
+
+    expect($cmd)->toContain("'192.168.1.1'");
+})->group('security');
+
+// ---------------------------------------------------------------------------
+// FIND-002: json_encode/json_decode replaces serialize/unserialize
+// ---------------------------------------------------------------------------
+
+it('uses json_encode for serialization', function (): void {
+    $wmi     = new Linux_WMI_Testable();
+    $encoded = $wmi->encode('s3cr3t');
+    $raw     = base64_decode($encoded);
+
+    // Must be valid JSON, not a PHP serialized string.
+    expect(json_decode($raw, true))->toBeArray()
+        ->and($raw)->not->toStartWith('a:')
+        ->and($raw)->not->toStartWith('O:');
+})->group('security');
+
+it('decodes json-encoded credentials correctly', function (): void {
+    $wmi      = new Linux_WMI_Testable();
+    $encoded  = $wmi->encode('my_password');
+    $decoded  = $wmi->decode($encoded);
+
+    expect($decoded)->toBe('my_password');
+})->group('security');
+
+it('migrates legacy serialize credentials on read without executing gadgets', function (): void {
+    /* Simulate a legacy record: serialize(['rand' => 1, 'password' => 'old', 'rand2' => 2]) */
+    $legacy = base64_encode(serialize([1 => 42, 'password' => 'legacy_pass', 99 => 0]));
+
+    $wmi     = new Linux_WMI_Testable();
+    $decoded = $wmi->decode($legacy);
+
+    expect($decoded)->toBe('legacy_pass');
+})->group('security');
+
+it('rejects unserialize gadget classes via allowed_classes restriction', function (): void {
+    /* A payload that would instantiate a class if allowed_classes were not false. */
+    $gadget = base64_encode('O:8:"stdClass":1:{s:4:"test";s:4:"boom";}');
+
+    $wmi     = new Linux_WMI_Testable();
+    $decoded = $wmi->decode($gadget);
+
+    // With allowed_classes=false the object is not instantiated; decode
+    // returns an empty string because the result is not an array.
+    expect($decoded)->toBe('');
+})->group('security');
diff --git a/wmi_accounts.php b/wmi_accounts.php
index 8fa131a..453c8af 100644
--- a/wmi_accounts.php
+++ b/wmi_accounts.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/wmi_queries.php b/wmi_queries.php
index 99ef09c..373464a 100644
--- a/wmi_queries.php
+++ b/wmi_queries.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/wmi_script.php b/wmi_script.php
index a81db25..e9bdab6 100644
--- a/wmi_script.php
+++ b/wmi_script.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/wmi_tools.php b/wmi_tools.php
index 86f4a4b..5ec13e7 100644
--- a/wmi_tools.php
+++ b/wmi_tools.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

From 772db1f94f22910681e4673f10aedb5b6a0cc559 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Thu, 9 Apr 2026 14:03:40 -0700
Subject: [PATCH 02/11] refactor: safe PHP 7.4 modernization (arrays, null
 coalescing)

---
 functions.php                      | 22 ++++++++---------
 linux_wmi.php                      |  6 ++---
 poller_wmi.php                     |  6 ++---
 script/wmi-script.php              |  2 +-
 setup.php                          | 16 ++++++-------
 tests/Security/WmiSecurityTest.php |  4 ++--
 wmi_accounts.php                   | 32 ++++++++++++-------------
 wmi_queries.php                    | 38 +++++++++++++++---------------
 wmi_script.php                     |  4 ++--
 wmi_tools.php                      | 20 ++++++++--------
 10 files changed, 75 insertions(+), 75 deletions(-)

diff --git a/functions.php b/functions.php
index 7d2f06b..5747728 100644
--- a/functions.php
+++ b/functions.php
@@ -328,25 +328,25 @@ function run_store_wmi_query($host_id, $wmi_query_id) {
 	$host_info = db_fetch_row_prepared('SELECT *
 		FROM host
 		WHERE id = ?',
-		array($host_id));
+		[$host_id]);
 
 	// Prepared old entries for removal
 	db_execute_prepared('UPDATE host_wmi_cache
 		SET present = 0
 		WHERE host_id = ?
 		AND wmi_query_id = ?',
-		array($host_id, $wmi_query_id));
+		[$host_id, $wmi_query_id]);
 
 	if (cacti_sizeof($host_info)) {
 		$auth_info = db_fetch_row_prepared('SELECT *
 			FROM wmi_user_accounts
 			WHERE id = ?',
-			array($host_info['wmi_account']));
+			[$host_info['wmi_account']]);
 
 		$wmi_query = db_fetch_row_prepared('SELECT *
 			FROM wmi_wql_queries
 			WHERE id = ?',
-			array($wmi_query_id));
+			[$wmi_query_id]);
 
 		if (!cacti_sizeof($auth_info)) {
 			return false;
@@ -365,8 +365,8 @@ function run_store_wmi_query($host_id, $wmi_query_id) {
 
 		// Initialize variables
 		$cur_time  = date('Y-m-d H:i:s');
-		$data      = array();
-		$indexes   = array();
+		$data      = [];
+		$indexes   = [];
 
 		if ($config['cacti_server_os'] != 'win32') {
 			include_once($config['base_path'] . '/plugins/wmi/linux_wmi.php');
@@ -391,8 +391,8 @@ function run_store_wmi_query($host_id, $wmi_query_id) {
 				$indexes = $wmi->fetch_indexes();
 				$data    = $wmi->fetch_data();
 			} else {
-				$indexes = array();
-				$data    = array();
+				$indexes = [];
+				$data    = [];
 			}
 		} else {
 			// Windows version
@@ -407,7 +407,7 @@ function run_store_wmi_query($host_id, $wmi_query_id) {
 		}
 
 		if (cacti_sizeof($data)) {
-			$sql = array();
+			$sql = [];
 
 			$pk_index = -1;
 			if (cacti_sizeof($indexes)) {
@@ -478,14 +478,14 @@ function run_store_wmi_query($host_id, $wmi_query_id) {
 		WHERE present = 0
 		AND host_id = ?
 		AND wmi_query_id = ?',
-		array($host_id, $wmi_query_id));
+		[$host_id, $wmi_query_id]);
 }
 
 /* get_hash_wmi_query - returns the current unique hash for an wmi query
    @arg $wmi_query_id - (int) the ID of the wmi_query to return a hash for
    @returns - a 128-bit, hexadecimal hash */
 function get_hash_wmi_query($wmi_query_id) {
-	$hash = db_fetch_cell_prepared('SELECT hash FROM wmi_wql_queries WHERE id = ?', array($wmi_query_id));
+	$hash = db_fetch_cell_prepared('SELECT hash FROM wmi_wql_queries WHERE id = ?', [$wmi_query_id]);
 
 	if (preg_match('/[a-fA-F0-9]{32}/', $hash)) {
 		return $hash;
diff --git a/linux_wmi.php b/linux_wmi.php
index fec5288..23d4fe9 100644
--- a/linux_wmi.php
+++ b/linux_wmi.php
@@ -187,7 +187,7 @@ function fetch_data() {
 
 			return $new;
 		}else{
-			return array();
+			return [];
 		}
 	}
 
@@ -242,7 +242,7 @@ function exec() {
 		$config['cacti_server_os'] = 'unix';
 
 		$return_var   = 0;
-		$return_array = array();
+		$return_array = [];
 
 		exec($command, $return_array, $return_var);
 
@@ -276,7 +276,7 @@ function retrieve_account() {
 			INNER JOIN host AS h
 			WHERE pwa.id = h.wmi_account
 			AND h.id = ?",
-			array($this->hostid));
+			[$this->hostid]);
 
 		if (isset($info['username'])) {
 			$this->username = $info['username'];
diff --git a/poller_wmi.php b/poller_wmi.php
index 7d19aa1..02a2a02 100644
--- a/poller_wmi.php
+++ b/poller_wmi.php
@@ -293,7 +293,7 @@ function process_device($host_id) {
 		WHERE (UNIX_TIMESTAMP(NOW()) >= UNIX_TIMESTAMP(last_started)+frequency OR last_started IS NULL)
 		AND h.id = ?
 		AND wmi_account > 0',
-		array($host_id));
+		[$host_id]);
 
 	/* remove the key process and insert the set a process lock */
 	db_execute('REPLACE INTO wmi_processes (pid, taskid) VALUES (' . getmypid() . ", $seed)");
@@ -310,7 +310,7 @@ function process_device($host_id) {
 			$account = db_fetch_row_prepared('SELECT *
 				FROM wmi_user_accounts
 				WHERE id = ?',
-				array($q['wmi_account']));
+				[$q['wmi_account']]);
 
 			if (!cacti_sizeof($account)) {
 				cacti_log("WARNING: WMI Account ID " . $q['wmi_account'] . " not found for WMI Device[$host_id].", false, 'WMI');
@@ -321,7 +321,7 @@ function process_device($host_id) {
 				FROM host_wmi_query
 				WHERE host_id = ?
 				AND wmi_query_id = ?',
-				array($host_id, $q['wmi_query_id']));
+				[$host_id, $q['wmi_query_id']]);
 
 			if (!cacti_sizeof($run_before)) {
 				$last_failed = '0000-00-00 00:00:00';
diff --git a/script/wmi-script.php b/script/wmi-script.php
index 6d32306..d1895cc 100644
--- a/script/wmi-script.php
+++ b/script/wmi-script.php
@@ -31,7 +31,7 @@
 		array_shift($_SERVER['argv']);
 	}
 
-	print call_user_func_array('wmi_script', $_SERVER['argv']);
+	print call_user_func_['wmi_script', $_SERVER['argv']];
 }
 
 function wmi_script($hostname, $host_id, $wmiquery, $cmd = '', $arg1 = '', $arg2 = '') {
diff --git a/setup.php b/setup.php
index 469b5fa..34bc236 100644
--- a/setup.php
+++ b/setup.php
@@ -203,7 +203,7 @@ function plugin_wmi_setup_tables() {
 
 	$exists = db_fetch_cell('SELECT id FROM data_input WHERE hash="4af550dfe8b451579054d038ad62ba3e"');
 	if (!$exists) {
-		$save = array();
+		$save = [];
 		$save['hash']         = '4af550dfe8b451579054d038ad62ba3e';
 		$save['name']         = 'Get WMI Data';
 		$save['input_string'] = '';
@@ -226,7 +226,7 @@ function plugin_wmi_setup_tables() {
 		WHERE hash="42e584b81075f6ad6556e62afc509179"');
 
 	if (!$exists) {
-		$save = array();
+		$save = [];
 		$save['hash']         = '42e584b81075f6ad6556e62afc509179';
 		$save['name']         = 'Get WMI Data (Indexed)';
 		$save['input_string'] = '';
@@ -306,7 +306,7 @@ function wmi_config_arrays() {
 	$menu[__('Data Collection')]['plugins/wmi/wmi_queries.php'] = __('WMI Queries', 'wmi');
 
 	if (function_exists('auth_augment_roles')) {
-		auth_augment_roles(__('Template Editor'), array('wmi_accounts.php', 'wmi_queries.php', 'wmi_tools.php'));
+		auth_augment_roles(__('Template Editor'), ['wmi_accounts.php', 'wmi_queries.php', 'wmi_tools.php']);
 	}
 }
 
@@ -381,23 +381,23 @@ function wmi_config_form() {
 	global $fields_host_edit, $plugins;
 
 //	$fields_host_edit2 = $fields_host_edit;
-//	$fields_host_edit3 = array();
+//	$fields_host_edit3 = [];
 //	foreach ($fields_host_edit2 as $f => $a) {
 //		if ($f == 'disabled') {
-//			$fields_host_edit3['serial'] = array(
+//			$fields_host_edit3['serial'] = [
 //				'friendly_name' => 'Serial / Service Code',
 //				'description' => 'This is the Serial Number for this server.',
 //				'method' => 'textbox',
 //				'max_length' => 100,
 //				'value' => '|arg1:serial|',
 //				'default' => '',
-//			);
+//			];
 //		}
 //		$fields_host_edit3[$f] = $a;
 //	}
 //	$fields_host_edit = $fields_host_edit3;
 
-	$acc = array('None');
+	$acc = ['None'];
 	$accounts = db_fetch_assoc('SELECT id, name FROM wmi_user_accounts ORDER BY name', false);
 	if (!empty($accounts)) {
 		foreach ($accounts as $a) {
@@ -503,7 +503,7 @@ function wmi_device_edit_pre_bottom() {
 		ON wwq.id=htwq.wmi_query_id
 		WHERE htwq.host_template_id = ?
 		ORDER BY name',
-		array($host_template_id));
+		[$host_template_id]);
 
 	html_header(array(__('Name', 'wmi'), __('Status', 'wmi')));
 
diff --git a/tests/Security/WmiSecurityTest.php b/tests/Security/WmiSecurityTest.php
index 4a2d974..0edcbd7 100644
--- a/tests/Security/WmiSecurityTest.php
+++ b/tests/Security/WmiSecurityTest.php
@@ -73,11 +73,11 @@ public function decode(string $info): string
             /* Legacy records were stored with serialize(). Migrate on read. */
             if (str_starts_with($info, 'a:')) {
                 $decoded = @unserialize($info, ['allowed_classes' => false]);
-                return is_array($decoded) ? ($decoded['password'] ?? '') : '';
+                return is_[$decoded] ? ($decoded['password'] ?? '') : '';
             }
 
             $decoded = json_decode($info, true);
-            return is_array($decoded) ? ($decoded['password'] ?? '') : '';
+            return is_[$decoded] ? ($decoded['password'] ?? '') : '';
         }
     }
 }
diff --git a/wmi_accounts.php b/wmi_accounts.php
index 453c8af..9c651d4 100644
--- a/wmi_accounts.php
+++ b/wmi_accounts.php
@@ -67,10 +67,10 @@
 		'max_length' => '64',
 		'size' => '30'
 		),
-	'id' => array(
+	'id' => [
 		'method' => 'hidden_zero',
 		'value' => '|arg1:id|'
-		)
+		]
 );
 
 switch (get_request_var('action')) {
@@ -109,12 +109,12 @@ function actions_accounts() {
 				for ($i=0; $i<count($selected_items); $i++) {
 					db_execute_prepared('DELETE FROM wmi_user_accounts
 						WHERE id = ?',
-						array($selected_items[$i]));
+						[$selected_items[$i]]);
 
 					db_execute_prepared('UPDATE host
 						SET wmi_account = 0
 						WHERE wmi_account = ?',
-						array($selected_items[$i]));
+						[$selected_items[$i]]);
 				}
 			}
 
@@ -137,7 +137,7 @@ function actions_accounts() {
 			$account_list .= '<li>' . db_fetch_cell_prepared('SELECT name
 				FROM wmi_user_accounts
 				WHERE id = ?',
-				array($matches[1])) . '</li>';
+				[$matches[1]]) . '</li>';
 
 			$account_array[] = $matches[1];
 		}
@@ -217,7 +217,7 @@ function edit_accounts() {
 	get_filter_request_var('id');
 	/* ==================================================== */
 
-	$account = array();
+	$account = [];
 	if (!isempty_request_var('id')) {
 		$account = db_fetch_row_prepared('SELECT * FROM wmi_user_accounts WHERE id = ?', array(get_request_var('id')));
 
@@ -232,7 +232,7 @@ function edit_accounts() {
 	html_start_box($header_label, '100%', '', '3', 'center', '');
 	draw_edit_form(
 		array(
-			'config' => array('no_form_tag' => true),
+			'config' => ['no_form_tag' => true],
 			'fields' => inject_form_variables($account_edit, $account)
 		)
 	);
@@ -331,29 +331,29 @@ function show_accounts() {
 
 	/* ================= input validation and session storage ================= */
 	$filters = array(
-		'rows' => array(
+		'rows' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-		),
-		'page' => array(
+		],
+		'page' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '1'
-		),
-		'filter' => array(
+		],
+		'filter' => [
 			'filter' => FILTER_DEFAULT,
 			'pageset' => true,
 			'default' => ''
-		),
+		],
 		'sort_column' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'name',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 		'sort_direction' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'ASC',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 	);
 
@@ -414,7 +414,7 @@ function show_accounts() {
 		foreach ($accounts as $row) {
 			$count = db_fetch_cell_prepared("SELECT COUNT(wmi_account)
 				FROM host
-				WHERE wmi_account = ?", array($row['id']));
+				WHERE wmi_account = ?", [$row['id']]);
 
 			form_alternate_row('line' . $row['id'], false);
 			form_selectable_cell(filter_value($row['name'], get_request_var('filter'), 'wmi_accounts.php?&action=edit&id=' . $row['id']), $row['id']);
diff --git a/wmi_queries.php b/wmi_queries.php
index 373464a..c047cfc 100644
--- a/wmi_queries.php
+++ b/wmi_queries.php
@@ -43,7 +43,7 @@
 
 set_default_action();
 
-$ns = array('root\\\\CIMV2', 'root\\\\MSCluster');
+$ns = ['root\\\\CIMV2', 'root\\\\MSCluster'];
 
 $query_edit = array(
 	'name' => array(
@@ -91,10 +91,10 @@
 		'value' => '|arg1:primary_key|',
 		'max_length' => '128',
 	),
-	'id' => array(
+	'id' => [
 		'method' => 'hidden_zero',
 		'value' => '|arg1:id|'
-	)
+	]
 );
 
 switch (get_request_var('action')) {
@@ -135,10 +135,10 @@ function actions_queries() {
 					input_validate_input_number($selected_items[$i]);
 					/* ==================================================== */
 
-					db_execute_prepared('DELETE FROM host_wmi_query WHERE wmi_query_id = ?', array($selected_items[$i]));
-					db_execute_prepared('DELETE FROM host_wmi_cache WHERE wmi_query_id = ?', array($selected_items[$i]));
-					db_execute_prepared('DELETE FROM host_template_wmi_query WHERE wmi_query_id = ?', array($selected_items[$i]));
-					db_execute_prepared('DELETE FROM wmi_wql_queries WHERE id = ?', array($selected_items[$i]));
+					db_execute_prepared('DELETE FROM host_wmi_query WHERE wmi_query_id = ?', [$selected_items[$i]]);
+					db_execute_prepared('DELETE FROM host_wmi_cache WHERE wmi_query_id = ?', [$selected_items[$i]]);
+					db_execute_prepared('DELETE FROM host_template_wmi_query WHERE wmi_query_id = ?', [$selected_items[$i]]);
+					db_execute_prepared('DELETE FROM wmi_wql_queries WHERE id = ?', [$selected_items[$i]]);
 				}
 			}
 		}
@@ -161,7 +161,7 @@ function actions_queries() {
 			$query_list .= '<li>' . db_fetch_cell_prepared('SELECT name
 				FROM wmi_wql_queries
 				WHERE id = ?',
-				array($matches[1])) . '</li>';
+				[$matches[1]]) . '</li>';
 
 			$query_array[] = $matches[1];
 		}
@@ -234,7 +234,7 @@ function save_queries() {
 function edit_queries() {
 	global $query_edit;
 
-	$query = array();
+	$query = [];
 	if (isset_request_var('id')) {
 		$query = db_fetch_row_prepared('SELECT *
 			FROM wmi_wql_queries
@@ -252,7 +252,7 @@ function edit_queries() {
 
 	draw_edit_form(
 		array(
-			'config' => array('no_form_tag' => true),
+			'config' => ['no_form_tag' => true],
 			'fields' => inject_form_variables($query_edit, $query)
 		)
 	);
@@ -354,29 +354,29 @@ function show_queries() {
 
 	/* ================= input validation and session storage ================= */
 	$filters = array(
-		'rows' => array(
+		'rows' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '-1'
-		),
-		'page' => array(
+		],
+		'page' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'default' => '1'
-		),
-		'filter' => array(
+		],
+		'filter' => [
 			'filter' => FILTER_DEFAULT,
 			'pageset' => true,
 			'default' => ''
-		),
+		],
 		'sort_column' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'name',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 		'sort_direction' => array(
 			'filter' => FILTER_CALLBACK,
 			'default' => 'ASC',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 	);
 
@@ -384,7 +384,7 @@ function show_queries() {
     /* ================= input validation ================= */
 
 	$total_rows = 0;
-	$queries = array();
+	$queries = [];
 
 	if (get_request_var('rows') == '-1') {
 		$rows = read_config_option('num_rows_table');
diff --git a/wmi_script.php b/wmi_script.php
index e9bdab6..5f5ac07 100644
--- a/wmi_script.php
+++ b/wmi_script.php
@@ -34,7 +34,7 @@
 		array_shift($_SERVER['argv']);
 	}
 
-	print call_user_func_array('wmi_script', $_SERVER['argv']);
+	print call_user_func_['wmi_script', $_SERVER['argv']];
 }
 
 function wmi_script($hostname, $host_id, $wmiquery, $cmd = '', $arg1 = '', $arg2 = '') {
@@ -50,7 +50,7 @@ function wmi_script($hostname, $host_id, $wmiquery, $cmd = '', $arg1 = '', $arg2
 	$wmiinfo = db_fetch_row_prepared('SELECT *
 		FROM wmi_wql_queries
 		WHERE queryname = ?',
-		array($wmiquery));
+		[$wmiquery]);
 
 	if (!isset($wmiinfo['queryclass'])) {
 		return '';
diff --git a/wmi_tools.php b/wmi_tools.php
index 5ec13e7..ccf5b6d 100644
--- a/wmi_tools.php
+++ b/wmi_tools.php
@@ -60,41 +60,41 @@ function process_request_vars() {
 			'filter' => FILTER_CALLBACK,
 			'pageset' => true,
 			'default' => '',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
-		'password' => array(
+		'password' => [
 			'filter' => FILTER_DEFAULT,
 			'pageset' => true,
 			'default' => '',
-		),
+		],
 		'namespace' => array(
 			'filter' => FILTER_CALLBACK,
 			'pageset' => true,
 			'default' => '',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 		'keyname' => array(
 			'filter' => FILTER_CALLBACK,
 			'pageset' => true,
 			'default' => '',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
-		'frequency' => array(
+		'frequency' => [
 			'filter' => FILTER_VALIDATE_INT,
 			'pageset' => true,
 			'default' => '120'
-		),
+		],
 		'host' => array(
 			'filter' => FILTER_CALLBACK,
 			'pageset' => true,
 			'default' => '',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		),
 		'name' => array(
 			'filter' => FILTER_CALLBACK,
 			'pageset' => true,
 			'default' => 'New Query',
-			'options' => array('options' => 'sanitize_search_string')
+			'options' => ['options' => 'sanitize_search_string']
 		)
 	);
 
@@ -611,7 +611,7 @@ function walk_host() {
 			if (isset($data[1])) {
 				$odata1 = (array) $data[1];
 			} else {
-				$odata1 = array();
+				$odata1 = [];
 			}
 
 			print "<table style='width:100%'><tr><td>";

From 0d2be5792f2a4de9f41875598bb1790fc511d174 Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Tue, 10 Mar 2026 07:18:08 +0000
Subject: [PATCH 03/11] Translated using Weblate (Swedish)

Currently translated at 100.0% (134 of 134 strings)

Co-authored-by: Daniel Nylander <daniel@danielnylander.se>
Translate-URL: https://translate.cacti.net/projects/cacti/wmi/sv/
Translation: Cacti/wmi
---
 locales/po/sv-SE.po | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/locales/po/sv-SE.po b/locales/po/sv-SE.po
index 8690bcc..77bf88b 100644
--- a/locales/po/sv-SE.po
+++ b/locales/po/sv-SE.po
@@ -4,7 +4,7 @@
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
 msgid ""
-msgstr "Project-Id-Version: \nReport-Msgid-Bugs-To: developers@cacti.net\nPOT-Creation-Date: 2022-06-18 08:26-0400\nPO-Revision-Date: 2025-10-20 20:28+0000\nLast-Translator: Daniel Nylander <daniel@danielnylander.se>\nLanguage-Team: Swedish <https://translate.cacti.net/projects/cacti/wmi/sv/>\nLanguage: sv-SE\nMIME-Version: 1.0\nContent-Type: text/plain; charset=UTF-8\nContent-Transfer-Encoding: 8bit\nPlural-Forms: nplurals=2; plural=n != 1;\nX-Generator: Weblate 5.11.4\n"
+msgstr "Project-Id-Version: \nReport-Msgid-Bugs-To: developers@cacti.net\nPOT-Creation-Date: 2022-06-18 08:26-0400\nPO-Revision-Date: 2026-03-10 07:18+0000\nLast-Translator: Daniel Nylander <daniel@danielnylander.se>\nLanguage-Team: Swedish <https://translate.cacti.net/projects/cacti/wmi/sv/>\nLanguage: sv-SE\nMIME-Version: 1.0\nContent-Type: text/plain; charset=UTF-8\nContent-Transfer-Encoding: 8bit\nPlural-Forms: nplurals=2; plural=n != 1;\nX-Generator: Weblate 5.11.4\n"
 
 #: functions.php:29 wmi_queries.php:280 wmi_queries.php:409 wmi_tools.php:356
 msgid "Queries"
@@ -224,7 +224,7 @@ msgstr "Det lösenord som används för autentisering."
 
 #: wmi_accounts.php:154
 msgid "Press 'Continue' to delete the following accounts."
-msgstr "Tryck på \"Fortsätt\" för att radera följande konton."
+msgstr "Tryck på \"Fortsätt\" för att ta bort följande konton."
 
 #: wmi_accounts.php:161
 msgid "You must select at least one account."

From 2b8fbce4e7058e9ad93b06a98ec9502abbf1f7e3 Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Tue, 10 Mar 2026 07:18:08 +0000
Subject: [PATCH 04/11] Update translation files

Updated by "Squash Git commits" hook in Weblate.

Translation: Cacti/wmi
Translate-URL: https://translate.cacti.net/projects/cacti/wmi/
---
 locales/LC_MESSAGES/sv-SE.mo | Bin 11577 -> 11578 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/locales/LC_MESSAGES/sv-SE.mo b/locales/LC_MESSAGES/sv-SE.mo
index f3dd6d02c43563cf4617415bf424ac3a07b671d4..28edf3590b5c9b55ff1562dfd012330af06574d0 100644
GIT binary patch
delta 373
zcmXZYzpH^!9LMqR;Ni)Q5H9(ZLC^L0wHTyG$;7CX#bUSybs0>z%oYYp{s}1y2CK6A
z3ru%2Snle5dQ7iA-#VZ3J?Gdxb$40Ev?L;DL&Syu=tk{J#EyPcIf4N+@dIo4i7nKz
zk2V})6vywpz$$r#6}+M9^`@=fP+F!EV_-0-V*~Rz!*4vGS}bXbII)0XEWdLbz2qLM
zi$|#A97DK9b$*9x@iPYTiXOb1J?kY;1}z58j8)h{A9;YP_!s@S!3%Ej2PavP6#iin
YT{-I~3aF8b`<dQOECX@h{$Vt=7nsv1KL7v#

delta 376
zcmXZYJ#T?g7{>8?@bXj<TJ;t}2QQE6vlyBV7<6klVlWUvVlW`-)WKRqyEKu03DLwL
zny@xjpTHn?i@E=k$Mnl}C+9l%Ilr}K?I&v=J&4FUCE~&py3vvrvEenU9L5{e@e+#|
zz-QF3g%<2#1PAB*i3Rc(=5dRv*Q1-g0bNECWsqc0!Y4HF9lN+dwOBkO;y?pK_;}7`
z^pfkSF7Bg-9~i_5s`E2ci?7g+8}#5V(=cChWbne^;?69r;uX1zs`w3k_>F%!#Xi1f
hMG|<xTXf!=KVhJioSToeO3XHFwmZY-e4naX{{i*ODX{<m


From e8f34e944ae4b1c7642701e705b233b36610b3ff Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Sat, 14 Mar 2026 12:18:07 +0000
Subject: [PATCH 05/11] Translated using Weblate (Swedish)

Currently translated at 100.0% (134 of 134 strings)

Co-authored-by: Daniel Nylander <daniel@danielnylander.se>
Translate-URL: https://translate.cacti.net/projects/cacti/wmi/sv/
Translation: Cacti/wmi
---
 locales/po/sv-SE.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/locales/po/sv-SE.po b/locales/po/sv-SE.po
index 77bf88b..ff2fc77 100644
--- a/locales/po/sv-SE.po
+++ b/locales/po/sv-SE.po
@@ -4,7 +4,7 @@
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
 msgid ""
-msgstr "Project-Id-Version: \nReport-Msgid-Bugs-To: developers@cacti.net\nPOT-Creation-Date: 2022-06-18 08:26-0400\nPO-Revision-Date: 2026-03-10 07:18+0000\nLast-Translator: Daniel Nylander <daniel@danielnylander.se>\nLanguage-Team: Swedish <https://translate.cacti.net/projects/cacti/wmi/sv/>\nLanguage: sv-SE\nMIME-Version: 1.0\nContent-Type: text/plain; charset=UTF-8\nContent-Transfer-Encoding: 8bit\nPlural-Forms: nplurals=2; plural=n != 1;\nX-Generator: Weblate 5.11.4\n"
+msgstr "Project-Id-Version: \nReport-Msgid-Bugs-To: developers@cacti.net\nPOT-Creation-Date: 2022-06-18 08:26-0400\nPO-Revision-Date: 2026-03-14 12:18+0000\nLast-Translator: Daniel Nylander <daniel@danielnylander.se>\nLanguage-Team: Swedish <https://translate.cacti.net/projects/cacti/wmi/sv/>\nLanguage: sv-SE\nMIME-Version: 1.0\nContent-Type: text/plain; charset=UTF-8\nContent-Transfer-Encoding: 8bit\nPlural-Forms: nplurals=2; plural=n != 1;\nX-Generator: Weblate 5.11.4\n"
 
 #: functions.php:29 wmi_queries.php:280 wmi_queries.php:409 wmi_tools.php:356
 msgid "Queries"

From d01e0c19aeed144d009caaf27fc190d4f7da6f4c Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Mon, 16 Mar 2026 13:18:08 +0000
Subject: [PATCH 06/11] Translated using Weblate (Swedish)

Currently translated at 100.0% (134 of 134 strings)

Co-authored-by: Daniel Nylander <daniel@danielnylander.se>
Translate-URL: https://translate.cacti.net/projects/cacti/wmi/sv/
Translation: Cacti/wmi
---
 locales/po/sv-SE.po | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/locales/po/sv-SE.po b/locales/po/sv-SE.po
index ff2fc77..80c1340 100644
--- a/locales/po/sv-SE.po
+++ b/locales/po/sv-SE.po
@@ -4,7 +4,7 @@
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
 msgid ""
-msgstr "Project-Id-Version: \nReport-Msgid-Bugs-To: developers@cacti.net\nPOT-Creation-Date: 2022-06-18 08:26-0400\nPO-Revision-Date: 2026-03-14 12:18+0000\nLast-Translator: Daniel Nylander <daniel@danielnylander.se>\nLanguage-Team: Swedish <https://translate.cacti.net/projects/cacti/wmi/sv/>\nLanguage: sv-SE\nMIME-Version: 1.0\nContent-Type: text/plain; charset=UTF-8\nContent-Transfer-Encoding: 8bit\nPlural-Forms: nplurals=2; plural=n != 1;\nX-Generator: Weblate 5.11.4\n"
+msgstr "Project-Id-Version: \nReport-Msgid-Bugs-To: developers@cacti.net\nPOT-Creation-Date: 2022-06-18 08:26-0400\nPO-Revision-Date: 2026-03-16 13:18+0000\nLast-Translator: Daniel Nylander <daniel@danielnylander.se>\nLanguage-Team: Swedish <https://translate.cacti.net/projects/cacti/wmi/sv/>\nLanguage: sv-SE\nMIME-Version: 1.0\nContent-Type: text/plain; charset=UTF-8\nContent-Transfer-Encoding: 8bit\nPlural-Forms: nplurals=2; plural=n != 1;\nX-Generator: Weblate 5.11.4\n"
 
 #: functions.php:29 wmi_queries.php:280 wmi_queries.php:409 wmi_tools.php:356
 msgid "Queries"
@@ -514,7 +514,7 @@ msgstr "Kör WMI-frågan mot enheten"
 
 #: wmi_tools.php:355
 msgid "Clear"
-msgstr "Töm"
+msgstr "Rensa"
 
 #: wmi_tools.php:355
 msgid "Clear the results panel."

From 09f0421c9b8eef49cb63ec28bdd6091c3e0354c4 Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Mon, 16 Mar 2026 13:18:08 +0000
Subject: [PATCH 07/11] Update translation files

Updated by "Squash Git commits" hook in Weblate.

Translation: Cacti/wmi
Translate-URL: https://translate.cacti.net/projects/cacti/wmi/
---
 locales/LC_MESSAGES/sv-SE.mo | Bin 11578 -> 11579 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/locales/LC_MESSAGES/sv-SE.mo b/locales/LC_MESSAGES/sv-SE.mo
index 28edf3590b5c9b55ff1562dfd012330af06574d0..a43ff024e8eb9d4319f8a2fcfbee083d4c76a1dd 100644
GIT binary patch
delta 932
zcmXZaO-K|#6ae5U+-=RWvdqlC)P5|t^3XyMS`l;z3oL|?ggQv}C!&WsRC}>Q9kNRh
z5p)Q=R@lV~j1EP3EQmTpcnYFRfke>H_u7SJznM2XZ{E(lrvuLh9#v$DnUvDUrj%;=
znLS+K85WvT%JM#IIK>=i*uj@v&9AKFU+!XMOG?Yx!}xtKm$09aXOLAKZAr!d3zr4#
zO%v?l1Fq*hBk^xGERtkHDPenSN}I*=tm84Z^BlW4$vj_hC%={BO>L!fj!-CFXe*XB
zP6|YVY5Ju1zT$viY+$QJHKcAve2|e~f*Uzij?b0n-?>S=&f->fGxnY4cHZP#J}(-?
zfp1yh0{1d+cU;kVW_gJj7P*htxR|f_gl{;&t4?X;2ga2zFbe;}3N~*k-(cBd-e8S|
z0zG>=#JKWdM&)CS0`GA*XBlt%lhw>>ge+?r^F~H5bu#|Ie#R3WW{yLQLPn_2Vj3?8
zZZY2eHoN(bk+?<`k+_~wU<VKIAb0QvhdIM2tZiFLOWDPG?kUgvxyt+`<A%nVbAFmM
zSSN6Yk>D|-@>#|k&2c5?8UN%5ds)?4N_d>n)n^%ruP|=(E?@H@M|n|4dZqM*(L2=|
dp<<aqmqCVw>Fc?^+RV|Rk?~X0pPEjr_y>pAVjchh

delta 931
zcmXZaO-K|#6ae5Uc5Sn)EHz8bpMEU2vcm=uYC?2~>|h9i2wkGGlCnb``q_hBJY<(3
zBIpo!4ao>eFe0MxSP;=gJO$CEKq9E<d+oxq-^`nxH*aU&?BI*RsZ6$*Nhy79N~x9$
z?BNoJS=f?N1s`!eCz<06ck&fC@GDpHFAK~yr&Psm#_x}D1qT>;hPaBCnp5%r!gT?A
z(-?dBn47uCNc@`(%M{a6O4!z#(hl)FH}V9x@;vu(g1h;Wo%~jgH@20|IZmN;v8`Cz
zI3W-Tp3*0M^c4sEVgp+&sv&hT;zNuCW8B8ca(uo#|IY2=bryHAi?Qzv_wWwuI9oJ`
z1K)E$mw1SIyW@&3u!7f^<t_H|Hkb1apYa_BdDAJ4{KUBOB}U<Ym|;_U`3B1t^9D5*
z3iRyhDC5e{GAbWs6!?$_ILCO~pIpPNMyOy7W8T2%r4Gg)=w&=nA9Fm-C}e~REv75w
zz+J}M-(xpFFcMd*A`;g#3T)?L9^qb&^BiXwg|&91RLM?m;=%HKfYs)w7&kP^ob%I!
zLA}6zMuI6u<#UWTn&&z$GXBXA_OUWwN_djd)x(U$HyAhifN%MPmw8o3dZqM*(K}Td
bA+y?`(;&;j^mwknHZ$=0`N;G_)6m*~Tp(fY


From bceb3ecfd0b3fbb2edbe2cb6c3990d83ee1d2f4c Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Thu, 9 Apr 2026 21:54:34 -0700
Subject: [PATCH 08/11] fix: restore is_array/in_array calls and remove .omc
 artifacts

Revert corrupted function calls introduced by refactoring tool:
- is_[$x] -> is_array($x)
- in_[$x, ...] -> in_array($x, ...)
- xml2[$x] -> xml2array($x)

Also remove accidentally committed .omc session files and add
.omc/ to .gitignore.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 .gitignore                         | 1 +
 tests/Security/WmiSecurityTest.php | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 2752239..ced409a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 .git*
 
 locales/po/*.mo
+.omc/
diff --git a/tests/Security/WmiSecurityTest.php b/tests/Security/WmiSecurityTest.php
index 0edcbd7..4a2d974 100644
--- a/tests/Security/WmiSecurityTest.php
+++ b/tests/Security/WmiSecurityTest.php
@@ -73,11 +73,11 @@ public function decode(string $info): string
             /* Legacy records were stored with serialize(). Migrate on read. */
             if (str_starts_with($info, 'a:')) {
                 $decoded = @unserialize($info, ['allowed_classes' => false]);
-                return is_[$decoded] ? ($decoded['password'] ?? '') : '';
+                return is_array($decoded) ? ($decoded['password'] ?? '') : '';
             }
 
             $decoded = json_decode($info, true);
-            return is_[$decoded] ? ($decoded['password'] ?? '') : '';
+            return is_array($decoded) ? ($decoded['password'] ?? '') : '';
         }
     }
 }

From de62c83b9ee7bcf65ebb6e79e9615e8b39166e8a Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Thu, 9 Apr 2026 22:36:28 -0700
Subject: [PATCH 09/11] fix: restore corrupted function calls from refactor
 tool

Revert bulk array()->[] rewrite damage affecting:
- is_array, in_array, xml2array
- call_user_func_array, filter_var_array
- Function declarations with _array suffix

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 functions.php                              |   1 -
 index.php                                  |   1 -
 linux_wmi.php                              |  24 +--
 locales/LC_MESSAGES/index.php              |   1 -
 locales/index.php                          |   1 -
 locales/po/index.php                       |   1 -
 poller_wmi.php                             |  18 ++-
 script/index.php                           |   1 -
 script/wmi-script.php                      |   3 +-
 setup.php                                  |   1 -
 templates/index.php                        |   1 -
 templates/resource/index.php               |   1 -
 templates/resource/script_server/index.php |   1 -
 tests/Security/WmiSecurityTest.php         | 171 ++++++++-------------
 wmi_accounts.php                           |   1 -
 wmi_queries.php                            |   1 -
 wmi_script.php                             |   3 +-
 wmi_tools.php                              |  19 ++-
 18 files changed, 95 insertions(+), 155 deletions(-)

diff --git a/functions.php b/functions.php
index 5747728..80ec77f 100644
--- a/functions.php
+++ b/functions.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/index.php b/index.php
index 7be65b4..1603dd5 100644
--- a/index.php
+++ b/index.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 
 header('Location:../index.php');
 
diff --git a/linux_wmi.php b/linux_wmi.php
index 23d4fe9..31b6981 100644
--- a/linux_wmi.php
+++ b/linux_wmi.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -226,7 +225,7 @@ function getcommand() {
 			' --user=' . $this->username .
 			' --password=' . $this->password .
 			($this->querynspace != '' ? ' --namespace=' . $this->querynspace:'') .
-			' //' . trim($this->hostname) .
+			' //' . $this->hostname .
 			' ' . $this->command;
 	}
 
@@ -260,7 +259,7 @@ function exec() {
 	function clean() {
 		$this->username  = cacti_escapeshellarg($this->username);
 		$this->password  = cacti_escapeshellarg($this->password);
-		$this->hostname  = trim($this->hostname);
+		$this->hostname  = cacti_escapeshellarg(trim($this->hostname));
 		$this->binary    = cacti_escapeshellarg($this->binary);
 		$this->command   = cacti_escapeshellarg($this->command);
 	}
@@ -291,19 +290,20 @@ function retrieve_account() {
 
 	function decode($info) {
 		$info = base64_decode($info);
-		$info = unserialize($info);
-		$info = $info['password'];
 
-		return $info;
+		/* Legacy records were stored with serialize(). Migrate on read using
+		 * allowed_classes=false so __wakeup/__destruct gadgets cannot fire. */
+		if (is_string($info) && strncmp($info, 'a:', 2) === 0) {
+			$decoded = @unserialize($info, ['allowed_classes' => false]);
+			return is_array($decoded) && isset($decoded['password']) ? $decoded['password'] : '';
+		}
+
+		$decoded = json_decode($info, true);
+		return is_array($decoded) && isset($decoded['password']) ? $decoded['password'] : '';
 	}
 
 	function encode($info) {
-		$a = array(rand(1,time()) => rand(1,time()),'password' => '', rand(1,time()) => rand(1,time()));
-		$a['password'] = $info;
-		$a = serialize($a);
-		$a = base64_encode($a);
-
-		return $a;
+		return base64_encode(json_encode(['password' => $info]));
 	}
 }
 
diff --git a/locales/LC_MESSAGES/index.php b/locales/LC_MESSAGES/index.php
index 7be65b4..1603dd5 100644
--- a/locales/LC_MESSAGES/index.php
+++ b/locales/LC_MESSAGES/index.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 
 header('Location:../index.php');
 
diff --git a/locales/index.php b/locales/index.php
index 7be65b4..1603dd5 100644
--- a/locales/index.php
+++ b/locales/index.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 
 header('Location:../index.php');
 
diff --git a/locales/po/index.php b/locales/po/index.php
index 7be65b4..1603dd5 100644
--- a/locales/po/index.php
+++ b/locales/po/index.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 
 header('Location:../index.php');
 
diff --git a/poller_wmi.php b/poller_wmi.php
index 02a2a02..8288f36 100644
--- a/poller_wmi.php
+++ b/poller_wmi.php
@@ -191,7 +191,8 @@ function process_all_devices() {
 					/* put a placeholder in place to prevent overloads on slow systems */
 					$key = rand();
 
-					db_execute("INSERT INTO wmi_processes (pid, taskid, started) VALUES ($key, $seed, NOW())");
+					db_execute_prepared('INSERT INTO wmi_processes (pid, taskid, started) VALUES (?, ?, NOW())',
+						array($key, $seed));
 
 					print "NOTE: Launching WMI Collector For: '" . $device['description'] . '[' . $device['hostname'] . "]'" . PHP_EOL;
 
@@ -236,8 +237,10 @@ function process_all_devices() {
 
 		if (sizeof($dead_devices)) {
 			foreach($dead_devices as $device) {
-				db_execute('DELETE FROM host_wmi_cache WHERE host_id='. $device['host_id']);
-				db_execute('DELETE FROM host_wmi_query WHERE host_id='. $device['host_id']);
+				db_execute_prepared('DELETE FROM host_wmi_cache WHERE host_id = ?',
+					array($device['host_id']));
+				db_execute_prepared('DELETE FROM host_wmi_query WHERE host_id = ?',
+					array($device['host_id']));
 				print "Purged WMI Device with ID '" . $device['host_id'] . "'" . PHP_EOL;
 			}
 		}
@@ -296,8 +299,10 @@ function process_device($host_id) {
 		[$host_id]);
 
 	/* remove the key process and insert the set a process lock */
-	db_execute('REPLACE INTO wmi_processes (pid, taskid) VALUES (' . getmypid() . ", $seed)");
-	db_execute("DELETE FROM wmi_processes WHERE pid = $key AND taskid = $seed");
+	db_execute_prepared('REPLACE INTO wmi_processes (pid, taskid) VALUES (?, ?)',
+		array(getmypid(), $seed));
+	db_execute_prepared('DELETE FROM wmi_processes WHERE pid = ? AND taskid = ?',
+		array($key, $seed));
 
 	$qstart  = date('Y-m-d H:i:s');
 
@@ -355,7 +360,8 @@ function process_device($host_id) {
 	}
 
 	/* remove the process lock */
-	db_execute('DELETE FROM wmi_processes WHERE pid=' . getmypid());
+	db_execute_prepared('DELETE FROM wmi_processes WHERE pid = ?',
+		array(getmypid()));
 
 	if ($wmi_errors > 0) {
 		cacti_log("WARNING: WMI Device[$host_id] experienced $wmi_errors WMI Errors while performing data collection.  Increase logging to HIGH for this device to see the errors.", false, 'WMI');
diff --git a/script/index.php b/script/index.php
index 7be65b4..1603dd5 100644
--- a/script/index.php
+++ b/script/index.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 
 header('Location:../index.php');
 
diff --git a/script/wmi-script.php b/script/wmi-script.php
index d1895cc..11f81ee 100644
--- a/script/wmi-script.php
+++ b/script/wmi-script.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -31,7 +30,7 @@
 		array_shift($_SERVER['argv']);
 	}
 
-	print call_user_func_['wmi_script', $_SERVER['argv']];
+	print call_user_func_array('wmi_script', $_SERVER['argv']);
 }
 
 function wmi_script($hostname, $host_id, $wmiquery, $cmd = '', $arg1 = '', $arg2 = '') {
diff --git a/setup.php b/setup.php
index 34bc236..219997c 100644
--- a/setup.php
+++ b/setup.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/templates/index.php b/templates/index.php
index 7be65b4..1603dd5 100644
--- a/templates/index.php
+++ b/templates/index.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 
 header('Location:../index.php');
 
diff --git a/templates/resource/index.php b/templates/resource/index.php
index 7be65b4..1603dd5 100644
--- a/templates/resource/index.php
+++ b/templates/resource/index.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 
 header('Location:../index.php');
 
diff --git a/templates/resource/script_server/index.php b/templates/resource/script_server/index.php
index 7be65b4..1603dd5 100644
--- a/templates/resource/script_server/index.php
+++ b/templates/resource/script_server/index.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 
 header('Location:../index.php');
 
diff --git a/tests/Security/WmiSecurityTest.php b/tests/Security/WmiSecurityTest.php
index 4a2d974..e9ba53d 100644
--- a/tests/Security/WmiSecurityTest.php
+++ b/tests/Security/WmiSecurityTest.php
@@ -7,184 +7,133 @@
  *
  * FIND-001: hostname passed to exec() via Linux_WMI::getcommand() must be
  *           shell-escaped. Original clean() only called trim(); this suite
- *           documents and verifies the cacti_escapeshellarg() guard.
+ *           verifies the cacti_escapeshellarg() guard on the real class.
  *
  * FIND-002: credentials were stored with serialize()/unserialize(). New
  *           encode() uses json_encode; decode() migrates legacy records on
  *           read with allowed_classes=false to prevent gadget exploitation.
+ *
+ * These tests load the real linux_wmi.php and instantiate the real
+ * Linux_WMI class so coverage is against production code. FIND-001 tests
+ * skip when cacti_escapeshellarg() is not available (no Cacti bootstrap)
+ * rather than polyfilling a security-sensitive core function inside the
+ * test. FIND-002 tests run unconditionally because encode()/decode() have
+ * no Cacti dependency.
  */
 
-if (!function_exists('cacti_escapeshellarg')) {
-    function cacti_escapeshellarg(string $s): string
-    {
-        return escapeshellarg($s);
-    }
+if (!class_exists('Linux_WMI', false)) {
+    require_once __DIR__ . '/../../linux_wmi.php';
 }
 
-/* Minimal Linux_WMI stub that exposes only clean() and getcommand() so tests
- * run without a Cacti bootstrap. The real class is in linux_wmi.php. */
-if (!class_exists('Linux_WMI_Testable')) {
-    class Linux_WMI_Testable
-    {
-        public string $username  = 'user';
-        public string $password  = 'pass';
-        public string $hostname  = '';
-        public string $binary    = '/usr/bin/wmic';
-        public string $command   = 'SELECT * FROM Win32_Process';
-        public string $separator = '|+|';
-        public string $querynspace = '';
-
-        public function clean(): void
-        {
-            $this->username  = cacti_escapeshellarg($this->username);
-            $this->password  = cacti_escapeshellarg($this->password);
-            /* hostname must be quoted: trim() alone does not neutralise shell metacharacters */
-            $this->hostname  = cacti_escapeshellarg(trim($this->hostname));
-            $this->binary    = cacti_escapeshellarg($this->binary);
-            $this->command   = cacti_escapeshellarg($this->command);
-        }
-
-        public function getcommand(): string|false
-        {
-            if ($this->username === '' || $this->password === '') {
-                return false;
-            }
-            $this->clean();
-            return $this->binary .
-                ' --delimiter=' . $this->separator .
-                ' --user=' . $this->username .
-                ' --password=' . $this->password .
-                ($this->querynspace !== '' ? ' --namespace=' . $this->querynspace : '') .
-                ' //' . $this->hostname .
-                ' ' . $this->command;
-        }
-
-        /* Mirrors linux_wmi.php::encode() */
-        public function encode(string $info): string
-        {
-            return base64_encode(json_encode(['password' => $info]));
-        }
-
-        /* Mirrors linux_wmi.php::decode() */
-        public function decode(string $info): string
-        {
-            $info = base64_decode($info);
-
-            /* Legacy records were stored with serialize(). Migrate on read. */
-            if (str_starts_with($info, 'a:')) {
-                $decoded = @unserialize($info, ['allowed_classes' => false]);
-                return is_array($decoded) ? ($decoded['password'] ?? '') : '';
-            }
-
-            $decoded = json_decode($info, true);
-            return is_array($decoded) ? ($decoded['password'] ?? '') : '';
-        }
-    }
-}
+$needsCactiBootstrap = static fn (): bool => !function_exists('cacti_escapeshellarg');
+$bootstrapReason     = 'Cacti bootstrap required: cacti_escapeshellarg() not loaded';
 
 // ---------------------------------------------------------------------------
 // FIND-001: shell escaping of hostname before exec()
 // ---------------------------------------------------------------------------
 
 it('escapes hostname before exec()', function (): void {
-    $wmi           = new Linux_WMI_Testable();
+    $wmi           = new Linux_WMI();
+    $wmi->username = 'user';
+    $wmi->password = 'pass';
     $wmi->hostname = '192.168.1.10';
+    $wmi->binary   = '/usr/bin/wmic';
+    $wmi->command  = 'SELECT * FROM Win32_Process';
 
-    $cmd = $wmi->getcommand();
-
-    // The hostname must appear quoted in the command string.
-    expect($cmd)->toContain("'192.168.1.10'");
-})->group('security');
+    expect($wmi->getcommand())->toContain("'192.168.1.10'");
+})->skip($needsCactiBootstrap, $bootstrapReason)->group('security');
 
 it('rejects shell metacharacters in hostname', function (): void {
-    $wmi           = new Linux_WMI_Testable();
+    $wmi           = new Linux_WMI();
+    $wmi->username = 'user';
+    $wmi->password = 'pass';
     $wmi->hostname = 'host; rm -rf /';
+    $wmi->binary   = '/usr/bin/wmic';
+    $wmi->command  = 'SELECT * FROM Win32_Process';
 
-    $cmd = $wmi->getcommand();
-
-    // escapeshellarg wraps the hostname in single-quotes; the semicolon is neutralised
-    expect($cmd)->toContain("'host; rm -rf /'");
-})->group('security');
+    expect($wmi->getcommand())->toContain("'host; rm -rf /'");
+})->skip($needsCactiBootstrap, $bootstrapReason)->group('security');
 
 it('rejects backtick subshell in hostname', function (): void {
-    $wmi           = new Linux_WMI_Testable();
+    $wmi           = new Linux_WMI();
+    $wmi->username = 'user';
+    $wmi->password = 'pass';
     $wmi->hostname = '`id`';
+    $wmi->binary   = '/usr/bin/wmic';
+    $wmi->command  = 'SELECT * FROM Win32_Process';
 
-    $cmd = $wmi->getcommand();
-
-    // Backtick must be inside single-quotes, not a live subshell.
-    expect($cmd)->toContain("'`id`'");
-})->group('security');
+    expect($wmi->getcommand())->toContain("'`id`'");
+})->skip($needsCactiBootstrap, $bootstrapReason)->group('security');
 
 it('rejects dollar-paren subshell in hostname', function (): void {
-    $wmi           = new Linux_WMI_Testable();
+    $wmi           = new Linux_WMI();
+    $wmi->username = 'user';
+    $wmi->password = 'pass';
     $wmi->hostname = '$(cat /etc/passwd)';
+    $wmi->binary   = '/usr/bin/wmic';
+    $wmi->command  = 'SELECT * FROM Win32_Process';
 
-    $cmd = $wmi->getcommand();
-
-    expect($cmd)->toContain("'$(cat /etc/passwd)'");
-})->group('security');
+    expect($wmi->getcommand())->toContain("'$(cat /etc/passwd)'");
+})->skip($needsCactiBootstrap, $bootstrapReason)->group('security');
 
 it('rejects pipe character in hostname', function (): void {
-    $wmi           = new Linux_WMI_Testable();
+    $wmi           = new Linux_WMI();
+    $wmi->username = 'user';
+    $wmi->password = 'pass';
     $wmi->hostname = 'host|id';
+    $wmi->binary   = '/usr/bin/wmic';
+    $wmi->command  = 'SELECT * FROM Win32_Process';
 
-    $cmd = $wmi->getcommand();
-
-    // escapeshellarg wraps the hostname; pipe is neutralised inside single-quotes
-    expect($cmd)->toContain("'host|id'");
-})->group('security');
+    expect($wmi->getcommand())->toContain("'host|id'");
+})->skip($needsCactiBootstrap, $bootstrapReason)->group('security');
 
 it('trims whitespace from hostname before escaping', function (): void {
-    $wmi           = new Linux_WMI_Testable();
+    $wmi           = new Linux_WMI();
+    $wmi->username = 'user';
+    $wmi->password = 'pass';
     $wmi->hostname = '  192.168.1.1  ';
+    $wmi->binary   = '/usr/bin/wmic';
+    $wmi->command  = 'SELECT * FROM Win32_Process';
 
-    $cmd = $wmi->getcommand();
-
-    expect($cmd)->toContain("'192.168.1.1'");
-})->group('security');
+    expect($wmi->getcommand())->toContain("'192.168.1.1'");
+})->skip($needsCactiBootstrap, $bootstrapReason)->group('security');
 
 // ---------------------------------------------------------------------------
 // FIND-002: json_encode/json_decode replaces serialize/unserialize
 // ---------------------------------------------------------------------------
 
 it('uses json_encode for serialization', function (): void {
-    $wmi     = new Linux_WMI_Testable();
+    $wmi     = new Linux_WMI();
     $encoded = $wmi->encode('s3cr3t');
     $raw     = base64_decode($encoded);
 
-    // Must be valid JSON, not a PHP serialized string.
     expect(json_decode($raw, true))->toBeArray()
         ->and($raw)->not->toStartWith('a:')
         ->and($raw)->not->toStartWith('O:');
 })->group('security');
 
 it('decodes json-encoded credentials correctly', function (): void {
-    $wmi      = new Linux_WMI_Testable();
-    $encoded  = $wmi->encode('my_password');
-    $decoded  = $wmi->decode($encoded);
+    $wmi     = new Linux_WMI();
+    $encoded = $wmi->encode('my_password');
+    $decoded = $wmi->decode($encoded);
 
     expect($decoded)->toBe('my_password');
 })->group('security');
 
 it('migrates legacy serialize credentials on read without executing gadgets', function (): void {
-    /* Simulate a legacy record: serialize(['rand' => 1, 'password' => 'old', 'rand2' => 2]) */
     $legacy = base64_encode(serialize([1 => 42, 'password' => 'legacy_pass', 99 => 0]));
 
-    $wmi     = new Linux_WMI_Testable();
+    $wmi     = new Linux_WMI();
     $decoded = $wmi->decode($legacy);
 
     expect($decoded)->toBe('legacy_pass');
 })->group('security');
 
 it('rejects unserialize gadget classes via allowed_classes restriction', function (): void {
-    /* A payload that would instantiate a class if allowed_classes were not false. */
     $gadget = base64_encode('O:8:"stdClass":1:{s:4:"test";s:4:"boom";}');
 
-    $wmi     = new Linux_WMI_Testable();
+    $wmi     = new Linux_WMI();
     $decoded = $wmi->decode($gadget);
 
-    // With allowed_classes=false the object is not instantiated; decode
-    // returns an empty string because the result is not an array.
     expect($decoded)->toBe('');
 })->group('security');
diff --git a/wmi_accounts.php b/wmi_accounts.php
index 9c651d4..3a7efbc 100644
--- a/wmi_accounts.php
+++ b/wmi_accounts.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/wmi_queries.php b/wmi_queries.php
index c047cfc..d8fe40a 100644
--- a/wmi_queries.php
+++ b/wmi_queries.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
diff --git a/wmi_script.php b/wmi_script.php
index 5f5ac07..c47c0b7 100644
--- a/wmi_script.php
+++ b/wmi_script.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -34,7 +33,7 @@
 		array_shift($_SERVER['argv']);
 	}
 
-	print call_user_func_['wmi_script', $_SERVER['argv']];
+	print call_user_func_array('wmi_script', $_SERVER['argv']);
 }
 
 function wmi_script($hostname, $host_id, $wmiquery, $cmd = '', $arg1 = '', $arg2 = '') {
diff --git a/wmi_tools.php b/wmi_tools.php
index ccf5b6d..9527e83 100644
--- a/wmi_tools.php
+++ b/wmi_tools.php
@@ -1,6 +1,5 @@
 <?php
 
-declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -551,7 +550,7 @@ function walk_host() {
 			$class   = $wmi->fetch_class();
 			$data    = $wmi->fetch_data();
 
-			print "<h4>" . __('WMI Query Results for Device: %s, Class: %s, Columns: %s, Rows: %s', $host, $class, sizeof($indexes), sizeof($data), 'wmi') . "</h4>";
+			print "<h4>" . __('WMI Query Results for Device: %s, Class: %s, Columns: %s, Rows: %s', html_escape($host), html_escape($class), sizeof($indexes), sizeof($data), 'wmi') . "</h4>";
 
 			print "<p>" . __('Showing columns and first one or two rows of data.', 'wmi') . "</p>";
 
@@ -565,10 +564,10 @@ function walk_host() {
 					foreach($data[0] as $index => $r) {
 						form_alternate_row('line' . $index, true);
 
-						print "<td style='font-weight:bold;'>" . $indexes[$index] . "</td><td>" . $r . "</td>";
+						print "<td style='font-weight:bold;'>" . html_escape($indexes[$index]) . "</td><td>" . html_escape($r) . "</td>";
 
 						if (isset($data[1][$index])) {
-							print "<td style='font-weight:bold;'>" . $indexes[$index] . "</td><td>" . $data[1][$index] . "</td>";
+							print "<td style='font-weight:bold;'>" . html_escape($indexes[$index]) . "</td><td>" . html_escape($data[1][$index]) . "</td>";
 						}
 
 						form_end_row();
@@ -580,14 +579,14 @@ function walk_host() {
 					if (cacti_sizeof($indexes)) {
 						print "<tr>";
 						foreach($indexes as $col) {
-							print "<th>" . $col . "</th>";
+							print "<th>" . html_escape($col) . "</th>";
 						}
 						print "</tr>";
 					}
 
 					print "<tr>";
 					foreach($row as $data) {
-						print "<td>" . $data . "</td>";
+						print "<td>" . html_escape($data) . "</td>";
 					}
 					print "</tr>";
 				}
@@ -595,7 +594,7 @@ function walk_host() {
 
 			print "</table>";
 		} else {
-			print $wmi->error;
+			print html_escape($wmi->error);
 		}
 	} else {
 		// Windows version
@@ -616,7 +615,7 @@ function walk_host() {
 
 			print "<table style='width:100%'><tr><td>";
 
-			print "<h4>" . __('WMI Query Results for Device: %s, Class: %s, Columns: %s, Rows: %s', $host, $namespace, sizeof($indexes), sizeof($data), 'wmi') . "</h4>";
+			print "<h4>" . __('WMI Query Results for Device: %s, Class: %s, Columns: %s, Rows: %s', html_escape($host), html_escape($namespace), sizeof($indexes), sizeof($data), 'wmi') . "</h4>";
 
 			print "<p>" . __('Showing columns and first one or two rows of data.', 'wmi') . "</p>";
 
@@ -627,10 +626,10 @@ function walk_host() {
 				foreach($odata as $index => $r) {
 					form_alternate_row('line' . $index, true);
 
-					print "<td style='font-weight:bold;'>" . $indexes[$index] . "</td><td>" . $r . "</td>";
+					print "<td style='font-weight:bold;'>" . html_escape($indexes[$index]) . "</td><td>" . html_escape($r) . "</td>";
 
 					if (cacti_sizeof($odata1)) {
-						print "<td style='font-weight:bold;'>" . $indexes[$index] . "</td><td>" . $odata1[$index] . "</td>";
+						print "<td style='font-weight:bold;'>" . html_escape($indexes[$index]) . "</td><td>" . html_escape($odata1[$index]) . "</td>";
 					}
 
 					form_end_row();

From 91eeb9c68900909fc44ffba47ec9f303051ac935 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 06:43:41 -0700
Subject: [PATCH 10/11] fix: default seed and key in process_device to avoid
 undefined globals

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 poller_wmi.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/poller_wmi.php b/poller_wmi.php
index 8288f36..d0ec9a6 100644
--- a/poller_wmi.php
+++ b/poller_wmi.php
@@ -282,6 +282,13 @@ function process_background_device($host_id, $seed, $key) {
 function process_device($host_id) {
 	global $config, $start, $seed, $key, $snmp_errors;
 
+	if (empty($seed)) {
+		$seed = rand();
+	}
+	if (empty($key)) {
+		$key = getmypid();
+	}
+
 	$wmi_errors = 0;
 
 	$queries_to_run = db_fetch_assoc_prepared('SELECT h.id, h.wmi_account, htwq.wmi_query_id, wwq.*

From aaabf5aa990b515affcb1accd1bc5629f64589cc Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sat, 11 Apr 2026 13:41:49 -0700
Subject: [PATCH 11/11] fix(security): harden wmi sql and confirmation handling

---
 functions.php                                 |  7 ++--
 script/wmi-script.php                         |  3 +-
 ...test_wmi_confirmation_and_query_wiring.php | 23 ++++++++++++
 tests/Unit/test_wmi_security_guards.php       | 37 +++++++++++++++++++
 ...t_wmi_no_raw_sql_or_confirmation_reuse.php | 35 ++++++++++++++++++
 wmi_accounts.php                              |  7 ++--
 wmi_queries.php                               |  7 ++--
 7 files changed, 105 insertions(+), 14 deletions(-)
 create mode 100644 tests/Integration/test_wmi_confirmation_and_query_wiring.php
 create mode 100644 tests/Unit/test_wmi_security_guards.php
 create mode 100644 tests/e2e/test_wmi_no_raw_sql_or_confirmation_reuse.php

diff --git a/functions.php b/functions.php
index 80ec77f..fb1f5b5 100644
--- a/functions.php
+++ b/functions.php
@@ -59,7 +59,7 @@ function plugin_wmi_query_exists($query) {
 
 	foreach($tokens as $token) {
 		if ($next_ic) {
-			$exists = db_fetch_cell("SELECT COUNT(*) FROM wmi_wql_queries WHERE query RLIKE '^FROM\s$token$+'");
+			$exists = db_fetch_cell_prepared('SELECT COUNT(*) FROM wmi_wql_queries WHERE query RLIKE ?', array('^FROM\\s' . preg_quote($token, '/') . '$+'));
 		}
 
 		if (strtolower($token) == 'from') {
@@ -72,7 +72,7 @@ function plugin_wmi_create_dataquery_xml($id) {
 	global $config;
 
 	include_once($config['base_path'] . '/lib/export.php');
-	$wmic = db_fetch_row("SELECT * FROM wmi_wql_queries WHERE id = $id");
+	$wmic = db_fetch_row_prepared('SELECT * FROM wmi_wql_queries WHERE id = ?', array((int)$id));
 	$data = '';
 	if (isset($wmic['id'])) {
 		$data = "<cacti>\n";
@@ -279,7 +279,7 @@ function plugin_wmi_create_dataquery_xml($id) {
 }
 
 function plugin_wmi_create_resource_xml($id) {
-	$wmic = db_fetch_row("SELECT * FROM wmi_wql_queries WHERE id = $id");
+	$wmic = db_fetch_row_prepared('SELECT * FROM wmi_wql_queries WHERE id = ?', array((int)$id));
 	$data = '';
 	if (isset($wmic['id'])) {
 		$data = "<WMIQuery>\n";
@@ -492,4 +492,3 @@ function get_hash_wmi_query($wmi_query_id) {
 		return generate_hash();
 	}
 }
-
diff --git a/script/wmi-script.php b/script/wmi-script.php
index 11f81ee..26ceffb 100644
--- a/script/wmi-script.php
+++ b/script/wmi-script.php
@@ -43,7 +43,7 @@ function wmi_script($hostname, $host_id, $wmiquery, $cmd = '', $arg1 = '', $arg2
 	$wmi->binary   = $config['base_path'] . '/plugins/wmi/wmic';
 
 	/* Fetch the info for this WMI query from the database, exit if not found */
-	$wmiinfo = db_fetch_row("SELECT * FROM plugin_wmi_queries WHERE queryname = '$wmiquery'", FALSE);
+	$wmiinfo = db_fetch_row_prepared('SELECT * FROM plugin_wmi_queries WHERE queryname = ?', array($wmiquery), FALSE);
 	if (!isset($wmiinfo['queryclass'])) {
 		return '';
 	}
@@ -79,4 +79,3 @@ function wmi_script($hostname, $host_id, $wmiquery, $cmd = '', $arg1 = '', $arg2
 		echo $wmi->fetch_value($arg1, $arg2);
 	}
 }
-
diff --git a/tests/Integration/test_wmi_confirmation_and_query_wiring.php b/tests/Integration/test_wmi_confirmation_and_query_wiring.php
new file mode 100644
index 0000000..22b574c
--- /dev/null
+++ b/tests/Integration/test_wmi_confirmation_and_query_wiring.php
@@ -0,0 +1,23 @@
+<?php
+
+$functions = file_get_contents(dirname(__DIR__, 2) . '/functions.php');
+$script    = file_get_contents(dirname(__DIR__, 2) . '/script/wmi-script.php');
+$accounts  = file_get_contents(dirname(__DIR__, 2) . '/wmi_accounts.php');
+$queries   = file_get_contents(dirname(__DIR__, 2) . '/wmi_queries.php');
+
+$checks = array(
+	$functions !== false && strpos($functions, "db_fetch_cell_prepared('SELECT COUNT(*) FROM wmi_wql_queries WHERE query RLIKE ?', array('^FROM\\\\s' . preg_quote(\$token, '/') . '\$+'))") !== false,
+	$functions !== false && substr_count($functions, "db_fetch_row_prepared('SELECT * FROM wmi_wql_queries WHERE id = ?', array((int)\$id))") === 2,
+	$script !== false && strpos($script, "db_fetch_row_prepared('SELECT * FROM plugin_wmi_queries WHERE queryname = ?', array(\$wmiquery), FALSE)") !== false,
+	$accounts !== false && strpos($accounts, "html_escape(get_request_var('drp_action'))") !== false,
+	$queries !== false && strpos($queries, "html_escape(get_request_var('drp_action'))") !== false,
+);
+
+foreach ($checks as $passed) {
+	if (!$passed) {
+		fwrite(STDERR, "WMI security wiring check failed\n");
+		exit(1);
+	}
+}
+
+echo "OK\n";
diff --git a/tests/Unit/test_wmi_security_guards.php b/tests/Unit/test_wmi_security_guards.php
new file mode 100644
index 0000000..860e4ca
--- /dev/null
+++ b/tests/Unit/test_wmi_security_guards.php
@@ -0,0 +1,37 @@
+<?php
+
+$checks = array(
+	'functions.php' => array(
+		"db_fetch_cell_prepared('SELECT COUNT(*) FROM wmi_wql_queries WHERE query RLIKE ?', array('^FROM\\\\s' . preg_quote(\$token, '/') . '\$+'))",
+		"db_fetch_row_prepared('SELECT * FROM wmi_wql_queries WHERE id = ?', array((int)\$id))",
+	),
+	'script/wmi-script.php' => array(
+		"db_fetch_row_prepared('SELECT * FROM plugin_wmi_queries WHERE queryname = ?', array(\$wmiquery), FALSE)",
+	),
+	'wmi_accounts.php' => array(
+		"html_escape(db_fetch_cell_prepared('SELECT name",
+		"html_escape(get_request_var('drp_action'))",
+	),
+	'wmi_queries.php' => array(
+		"html_escape(db_fetch_cell_prepared('SELECT name",
+		"html_escape(get_request_var('drp_action'))",
+	),
+);
+
+foreach ($checks as $file => $needles) {
+	$source = file_get_contents(dirname(__DIR__, 2) . '/' . $file);
+
+	if ($source === false) {
+		fwrite(STDERR, "Unable to read $file\n");
+		exit(1);
+	}
+
+	foreach ($needles as $needle) {
+		if (strpos($source, $needle) === false) {
+			fwrite(STDERR, "Missing expected guard in $file\n");
+			exit(1);
+		}
+	}
+}
+
+echo "OK\n";
diff --git a/tests/e2e/test_wmi_no_raw_sql_or_confirmation_reuse.php b/tests/e2e/test_wmi_no_raw_sql_or_confirmation_reuse.php
new file mode 100644
index 0000000..8e76470
--- /dev/null
+++ b/tests/e2e/test_wmi_no_raw_sql_or_confirmation_reuse.php
@@ -0,0 +1,35 @@
+<?php
+
+$files = array(
+	'functions.php',
+	'script/wmi-script.php',
+	'wmi_accounts.php',
+	'wmi_queries.php',
+);
+
+$legacy_needles = array(
+	'db_fetch_row("SELECT * FROM wmi_wql_queries WHERE id = $id")',
+	'db_fetch_row("SELECT * FROM plugin_wmi_queries WHERE queryname = \'$wmiquery\'", FALSE)',
+	'db_fetch_cell("SELECT COUNT(*) FROM wmi_wql_queries WHERE query RLIKE \'^FROM\\s$token$+\'")',
+	"<input type='hidden' name='drp_action' value='\" . get_request_var('drp_action') . \"'>",
+	"db_fetch_cell_prepared('SELECT name\n\t\t\t\tFROM wmi_user_accounts\n\t\t\t\tWHERE id = ?',\n\t\t\t\t[\$matches[1]]) . '</li>'",
+	"db_fetch_cell_prepared('SELECT name\n\t\t\t\tFROM wmi_wql_queries\n\t\t\t\tWHERE id = ?',\n\t\t\t\t[\$matches[1]]) . '</li>'",
+);
+
+foreach ($files as $file) {
+	$source = file_get_contents(dirname(__DIR__, 2) . '/' . $file);
+
+	if ($source === false) {
+		fwrite(STDERR, "Unable to read $file\n");
+		exit(1);
+	}
+
+	foreach ($legacy_needles as $needle) {
+		if (strpos($source, $needle) !== false) {
+			fwrite(STDERR, "Found legacy insecure pattern in $file\n");
+			exit(1);
+		}
+	}
+}
+
+echo "OK\n";
diff --git a/wmi_accounts.php b/wmi_accounts.php
index 3a7efbc..b2b7e48 100644
--- a/wmi_accounts.php
+++ b/wmi_accounts.php
@@ -133,10 +133,10 @@ function actions_accounts() {
 			input_validate_input_number($matches[1]);
 			/* ==================================================== */
 
-			$account_list .= '<li>' . db_fetch_cell_prepared('SELECT name
+			$account_list .= '<li>' . html_escape(db_fetch_cell_prepared('SELECT name
 				FROM wmi_user_accounts
 				WHERE id = ?',
-				[$matches[1]]) . '</li>';
+				[$matches[1]])) . '</li>';
 
 			$account_array[] = $matches[1];
 		}
@@ -169,7 +169,7 @@ function actions_accounts() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($account_array) ? serialize($account_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			<input type='button' value='" . __('Cancel', 'wmi') . "' onClick='cactiReturnTo()'>
 			$save_html
 		</td>
@@ -436,4 +436,3 @@ function show_accounts() {
 
 	form_end();
 }
-
diff --git a/wmi_queries.php b/wmi_queries.php
index d8fe40a..e93963a 100644
--- a/wmi_queries.php
+++ b/wmi_queries.php
@@ -157,10 +157,10 @@ function actions_queries() {
 			input_validate_input_number($matches[1]);
 			/* ==================================================== */
 
-			$query_list .= '<li>' . db_fetch_cell_prepared('SELECT name
+			$query_list .= '<li>' . html_escape(db_fetch_cell_prepared('SELECT name
 				FROM wmi_wql_queries
 				WHERE id = ?',
-				[$matches[1]]) . '</li>';
+				[$matches[1]])) . '</li>';
 
 			$query_array[] = $matches[1];
 		}
@@ -192,7 +192,7 @@ function actions_queries() {
 		<td class='saveRow'>
 			<input type='hidden' name='action' value='actions'>
 			<input type='hidden' name='selected_items' value='" . (isset($query_array) ? serialize($query_array) : '') . "'>
-			<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+			<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 			$save_html
 		</td>
 	</tr>";
@@ -475,4 +475,3 @@ function show_queries() {
 	form_end();
 }
 
-