CVE-2018-14028

EUVD-2018-5958
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
wordpresswordpress
4.9.7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
wordpress
bookworm
postponed
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
buster
postponed
jessie
postponed
sid
vulnerable
stretch
postponed
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
wordpress
bionic
needs-triage
cosmic
ignored
disco
ignored
eoan
ignored
focal
needs-triage
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
needs-triage
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/105060
https://core.trac.wordpress.org/ticket/44710
https://github.com/rastating/wordpress-exploit-framework/pull/52
https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/
http://www.securityfocus.com/bid/105060
https://core.trac.wordpress.org/ticket/44710
https://github.com/rastating/wordpress-exploit-framework/pull/52
https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/