CVE-2018-14028
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2018-14028
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14028.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-14028
- Downstream
- Published
- 2018-08-10T16:29:00Z
- Modified
- 2025-11-16T11:33:02Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
- References