WordPress Core < 6.4.3 - Authenticated(Administrator+) PHP File Upload

Unrestricted Upload of File with Dangerous Type
CVE CVE-2018-14028
CVSS Medium (6.6)
Publicly Published August 4, 2018
Last Updated August 2, 2024
Researcher Vinicius Marangoni
Description

In all current versions of WordPress Core before 6.4.3, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins. Please note that this requires administrator or super administrator permissions(on multisite installations) and only impacts heavily locked-down installations where even these users cannot install new plugins. CVE-2024-31210 may be a duplicate of this issue.

References

1 affected software package

Software Type Core
Software Slug wordpress (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 4.1
  • 4.1 - 4.1.39
  • 4.2 - 4.2.36
  • 4.3 - 4.3.32
  • 4.4 - 4.4.31
  • 4.5 - 4.5.30
  • 4.6 - 4.6.27
  • 4.7 - 4.7.27
  • 4.8 - 4.8.23
  • 4.9 - 4.9.24
  • 5.0 - 5.0.20
  • 5.1 - 5.1.17
  • 5.2 - 5.2.19
  • 5.3 - 5.3.16
  • 5.4 - 5.4.14
  • 5.5 - 5.5.13
  • 5.6 - 5.6.12
  • 5.7 - 5.7.10
  • 5.8 - 5.8.8
  • 5.9 - 5.9.8
  • 6.0 - 6.0.6
  • 6.1 - 6.1.4
  • 6.2 - 6.2.3
  • 6.3 - 6.3.2
  • 6.4 - 6.4.2
Patched Version
  • 4.1.40
  • 4.2.37
  • 4.3.33
  • 4.4.32
  • 4.5.31
  • 4.6.28
  • 4.7.28
  • 4.8.24
  • 4.9.25
  • 5.0.21
  • 5.1.18
  • 5.2.20
  • 5.3.17
  • 5.4.15
  • 5.5.14
  • 5.6.13
  • 5.7.11
  • 5.8.9
  • 5.9.9
  • 6.0.7
  • 6.1.5
  • 6.2.4
  • 6.3.3
  • 6.4.3
This record contains material that is subject to copyright

Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. License Detail.