Description

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Remediation

References

CVE-2018-14028

Related Vulnerabilities

WordPress Plugin AdSense Manager Cross-Site Scripting (4.0.3)

Oracle JRE CVE-2012-1531 Vulnerability (CVE-2012-1531)

Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-5597)

PHP Out-of-bounds Read Vulnerability (CVE-2017-12933)

Internet Information Services Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Vulnerability (CVE-2009-3023)

Severity

High

Classification

CVE-2018-14028 CWE-434 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities