{"id":"CVE-2018-14028","details":"In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.","modified":"2026-04-10T04:05:46.251763Z","published":"2018-08-10T16:29:00.343Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/105060"},{"type":"ADVISORY","url":"https://core.trac.wordpress.org/ticket/44710"},{"type":"ADVISORY","url":"https://github.com/rastating/wordpress-exploit-framework/pull/52"},{"type":"ADVISORY","url":"https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"0"},{"last_affected":"d1802a68ec7a3536f744d45afb72660e4fef0292"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.9.7"}]}}],"versions":["4.9.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14028.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}