WordPress Core < 6.4.3 - Authenticated(Administrator+) PHP File Upload

6.6
Unrestricted Upload of File with Dangerous Type
CVE CVE-2018-14028
CVSS 6.6 (Medium)
Publicly Published August 4, 2018
Last Updated August 2, 2024
Researcher Vinicius Marangoni

Description

In all current versions of WordPress Core before 6.4.3, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins. Please note that this requires administrator or super administrator permissions(on multisite installations) and only impacts heavily locked-down installations where even these users cannot install new plugins. CVE-2024-31210 may be a duplicate of this issue.

References

Share

1 affected software package

Software Type Core
Patched? Yes
Remediation Update to one of the following versions, or a newer patched version: 4.1.40, 4.2.37, 4.3.33, 4.4.32, 4.5.31, 4.6.28, 4.7.28, 4.8.24, 4.9.25, 5.0.21, 5.1.18, 5.2.20, 5.3.17, 5.4.15, 5.5.14, 5.6.13, 5.7.11, 5.8.9, 5.9.9, 6.0.7, 6.1.5, 6.2.4, 6.3.3, 6.4.3
Affected Versions
  • < 4.1
  • 5.8 - 5.8.8
  • 5.9 - 5.9.8
  • 6.0 - 6.0.6
Expand to see 21 more affected version ranges.
  • 6.1 - 6.1.4
  • 6.2 - 6.2.3
  • 6.3 - 6.3.2
  • 6.4 - 6.4.2
  • 4.1 - 4.1.39
  • 4.2 - 4.2.36
  • 4.3 - 4.3.32
  • 4.4 - 4.4.31
  • 4.5 - 4.5.30
  • 4.6 - 4.6.27
  • 4.7 - 4.7.27
  • 4.8 - 4.8.23
  • 4.9 - 4.9.24
  • 5.0 - 5.0.20
  • 5.1 - 5.1.17
  • 5.2 - 5.2.19
  • 5.3 - 5.3.16
  • 5.4 - 5.4.14
  • 5.5 - 5.5.13
  • 5.6 - 5.6.12
  • 5.7 - 5.7.10
Patched Versions
  • 4.1.40
  • 4.2.37
  • 4.3.33
  • 4.4.32
Expand to see 20 more patched versions.
  • 4.5.31
  • 4.6.28
  • 4.7.28
  • 4.8.24
  • 4.9.25
  • 5.0.21
  • 5.1.18
  • 5.2.20
  • 5.3.17
  • 5.4.15
  • 5.5.14
  • 5.6.13
  • 5.7.11
  • 5.8.9
  • 5.9.9
  • 6.0.7
  • 6.1.5
  • 6.2.4
  • 6.3.3
  • 6.4.3

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation