CVE Catalog

CVE-2018-25436

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.66%

47th percentile — higher than 47% of all known CVEs

Summary

The WordPress Plugin Baggage Freight Shipping Australia version 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions, enabling remote code execution.

Risk Assessment

This vulnerability poses a serious risk to organizations as it allows attackers to upload malicious code to the server, potentially leading to system compromise.

Recommendation

It is recommended to immediately update the plugin to the latest version or remove it to mitigate the risks associated with this vulnerability.

Original NVD description (English source)

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS