CVE-2018-14028
Published 2018-08-10
Priority P2 · 76 · high · CVSS 3.0: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 17.72% (96.8th percentile)
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | — | — |
| wordpress | wordpress | — | — |
Detection & IOCs (extracted from sources)
- Monitor for PHP file uploads to the wp-content/uploads directory via the WordPress admin plugin upload functionality, as non-ZIP files (e.g., raw .php files) are not rejected and will persist at a predictable path.
- Alert on HTTP requests executing PHP files located under wp-content/uploads/, as this path is not intended for executable PHP and indicates post-exploitation of this vulnerability.
- This vulnerability is only exploitable in scenarios where wp-content/plugins directory permissions block new plugin installations, but wp-content/uploads remains writable and web-accessible. The risk is limited to attackers who already have the capability to upload plugins via the admin area.
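The two indicators above can be checked mechanically. The following is an added example (not part of this CVE record and not WordPress code): one function walks a webroot and lists PHP files that have landed under wp-content/uploads, and another scans web-server access log lines in the common/combined format for requests that reach PHP under that path. The log lines and the temporary directory tree it uses are constructed for illustration; the extension list is an assumption about which suffixes the web server hands to the PHP interpreter.

```python
"""Detection helpers for the two indicators listed above:
(1) PHP files sitting under wp-content/uploads on disk, and
(2) HTTP requests that reach PHP files under wp-content/uploads.
Added example; not from the CVE record or from WordPress. The log lines and
the directory tree used below are constructed for illustration."""
import os
import re
import tempfile
from urllib.parse import unquote, urlsplit

# Assumed: suffixes a typical mod_php / php-fpm setup treats as executable.
PHP_EXTENSIONS = (".php", ".php5", ".php7", ".phtml", ".phar")

# Common/combined log format: client ident user [time] "METHOD TARGET PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_php_under_uploads(path: str) -> bool:
    """True if a URL path or filesystem path points at a PHP file below wp-content/uploads.
    Percent-decodes and lower-cases first so Index.PHP or %73hell.phtml are not missed."""
    p = unquote(path).replace("\\", "/").lower()
    if "/wp-content/uploads/" not in p:
        return False
    name = p.rsplit("/", 1)[-1]
    return name.endswith(PHP_EXTENSIONS)


def find_php_in_uploads(webroot: str) -> list:
    """Indicator 1: walk the uploads tree and return PHP files found there (paths relative to webroot)."""
    uploads = os.path.join(webroot, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for f in files:
            full = os.path.join(dirpath, f)
            if is_php_under_uploads(full):
                hits.append(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(hits)


def flag_uploads_php_requests(log_lines) -> list:
    """Indicator 2: return (client, method, raw_path, status) for requests that hit PHP under uploads.
    A 2xx status means the server most likely executed the file; a 404 still shows the path was probed."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        path = urlsplit(m.group("target")).path  # drop the query string before matching
        if is_php_under_uploads(path):
            alerts.append((m.group("client"), m.group("method"), path, int(m.group("status"))))
    return alerts


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2018:12:00:01 +0000] "GET /wp-content/uploads/2018/08/photo.jpg HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Aug/2018:12:00:07 +0000] "GET /wp-content/uploads/2018/08/stray.php?x=1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Aug/2018:12:01:30 +0000] "POST /wp-content/uploads/2018/08/Index.PHP HTTP/1.1" 404 210',
    '198.51.100.9 - - [10/Aug/2018:12:02:00 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 12',
    '192.0.2.77 - - [10/Aug/2018:12:03:00 +0000] "GET /wp-content/uploads/2018/08/%73hell.phtml HTTP/1.1" 200 88',
]


def build_sample_webroot() -> str:
    """Create a throwaway webroot with one stray PHP file under uploads (constructed fixture)."""
    root = tempfile.mkdtemp(prefix="wp-")
    up = os.path.join(root, "wp-content", "uploads", "2018", "08")
    os.makedirs(up)
    open(os.path.join(up, "photo.jpg"), "wb").close()
    open(os.path.join(up, "plugin.php"), "wb").close()  # the kind of leftover this CVE describes
    pl = os.path.join(root, "wp-content", "plugins", "akismet")
    os.makedirs(pl)
    open(os.path.join(pl, "akismet.php"), "wb").close()  # legitimate plugin code, must not be flagged
    return root


if __name__ == "__main__":
    for alert in flag_uploads_php_requests(SAMPLE_LOG):
        print("ALERT request:", alert)
    for stray in find_php_in_uploads(build_sample_webroot()):
        print("ALERT file:", stray)
```

Run against a real deployment, point `find_php_in_uploads` at the WordPress document root and feed `flag_uploads_php_requests` the web server's access log; legitimate plugin and theme PHP lives under wp-content/plugins and wp-content/themes, so anything the two functions report under wp-content/uploads deserves a look.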
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 7.2 | HIGH | — |
| vulncheck | — | 7.2 | HIGH | — |
| vendor_debian | — | 7.2 | LOW | — |
Debian
CVE-2018-14028: wordpress (vendor_debian · 2018 · CVSS 7.2 · HIGH)
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
GHSA
GHSA-fm2w-6w3p-hhx6 (ghsa_unreviewed · 2022-05-14 · HIGH · CWE-434)
OSV
CVE-2018-14028 (osv · 2018-08-10 · CVSS 7.2 · HIGH)
VulnCheck
WordPress wordpress Unrestricted Upload of File with Dangerous Type (vulncheck · 2018 · CVSS 7.2 · HIGH)
Affected: WordPress wordpress
Required Action: Apply remediations or mitigations per vendor
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/105060
- https://core.trac.wordpress.org/ticket/44710
- https://github.com/rastating/wordpress-exploit-framework/pull/52
- https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/