CVE-2018-14028
published 2018-08-10


Priority: P2 (76, high)
CVSS 3.0: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 17.72% (96.8th percentile)
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Affected (2 ranges)

Vendor        Product     Version range   Fixed in
debian        wordpress   (not given)     (not given)
wordpress     wordpress   (not given)     (not given)

Detection & IOCs (extracted from sources)

Path: wp-content/uploads
  • Monitor for PHP file uploads to the wp-content/uploads directory via the WordPress admin plugin upload functionality, as non-ZIP files (e.g., raw .php files) are not rejected and will persist at a predictable path.
  • Alert on HTTP requests executing PHP files located under wp-content/uploads/, as this path is not intended for executable PHP and indicates post-exploitation of this vulnerability.
  • This vulnerability is only exploitable in scenarios where wp-content/plugins directory permissions block new plugin installations, but wp-content/uploads remains writable and web-accessible. The risk is limited to attackers who already have the capability to upload plugins via the admin area.
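The two detection points above (non-ZIP "plugins" that survive upload, and PHP being served from wp-content/uploads) can both be checked mechanically. The following Python is an added example written for this page, not WordPress code or code from any of the cited sources; it assumes a common-log-format access log and uses constructed sample lines, and the function names (is_zip_upload, find_uploads_php_hits) are illustrative.

```python
"""Defensive checks for the CVE-2018-14028 failure mode (added example, not
WordPress code):
  1. is_zip_upload()         - verify an uploaded plugin really is a ZIP archive
                               before it is written anywhere, instead of trusting
                               the filename or Content-Type.
  2. find_uploads_php_hits() - scan access-log lines for requests that execute
                               PHP under /wp-content/uploads/, the post-exploitation
                               signal named in the IOC list above.
"""
import io
import re
import zipfile


def is_zip_upload(data: bytes) -> bool:
    """Return True only if `data` is a readable ZIP archive with no corrupt members.
    A raw .php file (which WordPress 4.9.7 did not reject) fails this check."""
    try:
        buf = io.BytesIO(data)
        if not zipfile.is_zipfile(buf):
            return False
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, OSError):
        return False


def make_sample_zip() -> bytes:
    """Build a minimal, constructed plugin archive in memory (for demonstration)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo-plugin/demo-plugin.php", "<?php // constructed sample\n")
    return buf.getvalue()


# Constructed sample access-log lines (not real traffic); IPs are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2018:12:00:01 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 512
203.0.113.5 - - [10/Aug/2018:12:00:09 +0000] "GET /wp-content/uploads/2018/08/evil.php HTTP/1.1" 200 87
198.51.100.7 - - [10/Aug/2018:12:01:00 +0000] "GET /wp-content/uploads/2018/08/photo.jpg HTTP/1.1" 200 4096
198.51.100.7 - - [10/Aug/2018:12:01:03 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 403 0
"""

# Common log format: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP (and php5-style variants) requested anywhere below the uploads directory.
# Which extensions the server actually hands to PHP depends on its handler map.
PHP_UNDER_UPLOADS = re.compile(r'^/wp-content/uploads/.*\.php\d?(?:[/?]|$)', re.IGNORECASE)


def find_uploads_php_hits(log_text: str):
    """Return (ip, method, path-without-query, status) for every request that
    targets a PHP file under /wp-content/uploads/. Any status is reported: a
    200 indicates execution, a 404/403 still indicates probing of that path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if PHP_UNDER_UPLOADS.match(m["path"]):
            hits.append((m["ip"], m["method"], m["path"].split("?")[0], m["status"]))
    return hits


if __name__ == "__main__":
    print("valid zip accepted:", is_zip_upload(make_sample_zip()))
    print("raw php rejected:", not is_zip_upload(b"<?php echo 1; ?>"))
    for hit in find_uploads_php_hits(SAMPLE_LOG):
        print("ALERT php-under-uploads:", hit)
```

The upload check is the control WordPress lacked in 4.9.7; the log scan is the compensating detection for sites that cannot patch immediately. Either complements the usual hardening of configuring the web server not to pass anything under wp-content/uploads to the PHP interpreter, which turns a surviving .php file into a non-executable download.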

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.2     HIGH       CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
osv             -         7.2     HIGH       -
vulncheck       -         7.2     HIGH       -
vendor_debian   -         7.2     LOW        -