CVE-2018-25436
Description
WordPress Baggage Freight Shipping Australia 0.1.0 allows unauthenticated arbitrary file upload via upload-package.php, leading to RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Plugin Baggage Freight Shipping Australia version 0.1.0 contains an unrestricted file upload vulnerability. The upload-package.php endpoint allows unauthenticated users to upload arbitrary files. The code moves uploaded files to the ../wp-content/plugins/baggage_shipping/upload/ directory without any validation of file type or extension [1][3][4]. The uploaded file is renamed using a timestamp but retains the original extension [3].
Exploitation
An unauthenticated attacker can send a POST request to /wp-content/plugins/baggage-freight/upload-package.php with a multipart form containing a file with an arbitrary extension (e.g., .php). No authentication or additional privileges are required. The example exploit shows the file being uploaded as file.php and saved to /wp-content/plugins/baggage_shipping/upload/{timestamp}_file.php [3].
Impact
Successful exploitation allows an attacker to upload a web shell or other malicious PHP file, leading to remote code execution on the WordPress server. The attacker can then execute arbitrary commands, access sensitive data, or further compromise the site [1][3][4].
Mitigation
As of the available references, no official patch has been released. The plugin version 0.1.0 is affected. Users should remove the plugin from their WordPress installation or restrict access to the vulnerable endpoint until a fix is provided [1][3][4].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing file extension and content-type validation in upload-package.php allows unauthenticated arbitrary file upload."
Attack vector
An unauthenticated attacker sends a POST request to `/wp-content/plugins/baggage-freight/upload-package.php` with a `multipart/form-data` body containing a file parameter whose filename ends in `.php`. The script moves the uploaded file to the plugin's upload directory without checking the extension, allowing arbitrary PHP code to be placed on the server [ref_id=1]. Because the file is served by the web server, the attacker can then request the uploaded PHP file to achieve remote code execution. No authentication or special configuration is required.
Affected code
The vulnerable endpoint is `upload-package.php` in the WordPress plugin Baggage Freight Shipping Australia 0.1.0. The file `upload-package.php` calls `move_uploaded_file()` on the user-supplied filename without any validation of the file extension or content type, and stores the result under `../wp-content/plugins/baggage_shipping/upload/` [ref_id=1].
What the fix does
The advisory does not include a patch. To remediate the vulnerability, the plugin must validate the uploaded file's extension against an allowlist (e.g. only image types), verify the MIME type server-side, and store files outside the web root or with a non-executable name. Without these checks, any unauthenticated user can upload and execute arbitrary PHP code [ref_id=1].
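A hardened version of the upload handling this section calls for, written here as an added example (not the plugin's own code and not a vendor patch); the request field name `package`, the nonce action `baggage_upload`, the extension allowlist and the storage directory are assumptions.

```php
<?php
// Added example, not the plugin's code. The field name 'package', the nonce
// action, the allowlist and the target directory are assumptions.
// Returns the allowed extension on success, null if the upload must be rejected.
function baggage_validate_upload( array $file, array $allowed ) {
    if ( ( $file['error'] ?? UPLOAD_ERR_NO_FILE ) !== UPLOAD_ERR_OK ) {
        return null;
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) ) {
        return null; // not something PHP received via this request
    }
    // Allowlist the final, lower-cased extension only, so "shell.php",
    // "shell.PHP" and "shell.png.php" are all rejected.
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( ! isset( $allowed[ $ext ] ) ) {
        return null;
    }
    // Sniff the real content server-side; the client's Content-Type is untrusted.
    $mime = ( new finfo( FILEINFO_MIME_TYPE ) )->file( $file['tmp_name'] );
    return $mime === $allowed[ $ext ] ? $ext : null;
}

// 1. Authorization: the root cause was an unauthenticated endpoint, so require
//    a capability and a nonce before the upload is touched at all.
if ( ! current_user_can( 'upload_files' ) || ! check_ajax_referer( 'baggage_upload', '_wpnonce', false ) ) {
    wp_die( 'Forbidden', '', array( 'response' => 403 ) );
}

// 2. Validation against a small extension -> MIME allowlist (assumed set).
$allowed = array( 'png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf' );
$ext     = baggage_validate_upload( $_FILES['package'] ?? array(), $allowed );
if ( null === $ext ) {
    wp_die( 'Invalid upload', '', array( 'response' => 400 ) );
}

// 3. Storage: server-chosen random name (no client-controlled bytes reach the
//    filesystem) in a directory where PHP execution is disabled.
$dir = WP_CONTENT_DIR . '/uploads/baggage-packages/'; // assumed location
if ( ! is_dir( $dir ) && ! wp_mkdir_p( $dir ) ) {
    wp_die( 'Storage unavailable', '', array( 'response' => 500 ) );
}
// Defence in depth for Apache + mod_php (needs AllowOverride): a file that slipped through must not run.
if ( ! file_exists( $dir . '.htaccess' ) ) {
    file_put_contents( $dir . '.htaccess', "php_flag engine off\nRemoveHandler .php .phtml .phar\n" );
}
$target = $dir . bin2hex( random_bytes( 16 ) ) . '.' . $ext;
if ( ! move_uploaded_file( $_FILES['package']['tmp_name'], $target ) ) {
    wp_die( 'Upload failed', '', array( 'response' => 500 ) );
}
```

On nginx or other servers the `.htaccess` step has no effect, so the equivalent "no PHP handler for this directory" rule belongs in the server configuration instead.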
Preconditions
- config: The WordPress plugin Baggage Freight Shipping Australia version 0.1.0 must be installed and active.
- config: The web server must have write permissions on the plugin's upload directory.
- auth: No authentication or prior access is required; the endpoint is publicly reachable.
- network: The attacker must be able to send HTTP POST requests to the target server.
- input: The attacker supplies a file with a .php (or other executable) extension in the multipart upload.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.