CVE-2018-14028

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 89%
VendorProductVersion
wordpresswordpress
4.9.7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
wordpress
bullseye (security)
vulnerable
bullseye
postponed
bookworm
postponed
buster
postponed
stretch
postponed
jessie
postponed
bookworm (security)
vulnerable
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
wordpress
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
groovy
ignored
focal
needs-triage
eoan
ignored
disco
ignored
cosmic
ignored
bionic
needs-triage
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/105060
https://core.trac.wordpress.org/ticket/44710
https://github.com/rastating/wordpress-exploit-framework/pull/52
https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/
http://www.securityfocus.com/bid/105060
https://core.trac.wordpress.org/ticket/44710
https://github.com/rastating/wordpress-exploit-framework/pull/52
https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/