CVE-2018-25436
Published 2026-06-15
Priority: P2 70, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% (47.0th percentile)
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shipster | baggage_freight_shipping_australia | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Shipster Baggage Freight Shipping Australia 0.1.0 on WordPress File Extension upload-package.php unrestricted upload (Exploit 46061 / EDB-46061)
vuldb·2026-06-15·CVSS 9.8
CVE-2018-25436 [CRITICAL] Shipster Baggage Freight Shipping Australia 0.1.0 on WordPress File Extension upload-package.php unrestricted upload (Exploit 46061 / EDB-46061)
A vulnerability was found in Shipster Baggage Freight Shipping Australia 0.1.0 on WordPress. It has been classified as critical. The affected element is an unknown function of the file upload-package.php of the component File Extension Handler. Performing a manipulation results in unrestricted upload.
This vulnerability was named CVE-2018-25436. The attack may be initiated remotely. In addition, an exploit is available.
GHSA
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-pa
ghsa_unreviewed·2026-06-15
CVE-2018-25436 [CRITICAL] CWE-434 WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-pa
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.