// For flags

CVE-2018-14028

WordPress Core < 6.4.3 - Authenticated(Administrator+) PHP File Upload

Severity Score

6.6
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

En WordPress 4.9.7, los plugins subidos mediante el área de admin no se verifican como archivos ZIP. Esto permite la subida de archivos PHP. Una vez se sube un archivo PHP, la extracción del plugin falla, pero el archivo PHP se mantiene en una ubicación wp-content/uploads predecible, lo que permite que un atacante ejecute el archivo. Esto representa un riesgo para la seguridad en escenarios limitados en los que un atacante (que tiene las capacidades requeridas para subir plugins) no puede colocar código PHP arbitrario en un archivo ZIP de plugin válido, debido a que los permisos del directorio wp-content/plugins de una máquina se configuraron para bloquear todos los nuevos plugins.

In all current versions of WordPress Core before 6.4.3, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins. Please note that this requires administrator or super administrator permissions(on multisite installations) and only impacts heavily locked-down installations where even these users cannot install new plugins. CVE-2024-31210 may be a duplicate of this issue.

*Credits: Vinicius Marangoni
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-07-12 CVE Reserved
  • 2018-08-04 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-08-25 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Wordpress
Search vendor "Wordpress"
Wordpress
Search vendor "Wordpress" for product "Wordpress"
4.9.7
Search vendor "Wordpress" for product "Wordpress" and version "4.9.7"
-
Affected