CVE-2018-14028
Severity: HIGH (exploited)
WordPress 4.9.7 - Authenticated Unrestricted PHP File Upload via Plugin Uploader
Title source: LLM
Exploitation Summary
CVE-2018-14028 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files, so PHP files can be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing an attacker to then execute the file. This represents a security risk only in limited scenarios: the attacker must already hold the capabilities required for plugin uploads, and the issue only matters where such an attacker cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because the machine's wp-content/plugins directory permissions were set up to block all new plugins.
References (4)
- https://core.trac.wordpress.org/ticket/44710 (Third Party Advisory; x_refsource_misc)
- https://github.com/rastating/wordpress-exploit-framework/pull/52 (Third Party Advisory; x_refsource_misc)
- https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/ (Third Party Advisory; x_refsource_misc)
- http://www.securityfocus.com/bid/105060 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
Scores
CVSS v3: 7.2
EPSS: 0.1772
EPSS Percentile: 96.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2026-04-15
CWE: CWE-434
Status: published
Products (1): wordpress/wordpress 4.9.7
Published: Aug 10, 2018
Tracked Since: Feb 18, 2026