WordPress · Wordpress · CVE-2018-14028
**Name of the Vulnerable Software and Affected Versions**
WordPress version 4.9.7
**Description**
A file uploaded as a plugin through the admin area is not properly verified to be a ZIP archive, so a bare PHP file can be uploaded. Plugin extraction then fails, but the uploaded PHP file remains at a predictable location under `wp-content/uploads`, where an attacker can request it and have it executed. This is a security risk in particular where an attacker cannot otherwise get arbitrary PHP code onto the site by installing a valid plugin ZIP, because permissions on the `wp-content/plugins` directory are restricted.
**Recommendations**
For WordPress version 4.9.7, update to a version that includes the fix for this issue to prevent the upload and execution of unauthorized PHP files.
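As an added defender's check that is not part of this advisory or of WordPress itself: the scan below walks a `wp-content/uploads` tree and flags files that a web server would hand to the PHP handler (by extension, including double extensions such as `x.php.jpg`) or that carry a PHP open tag despite a harmless extension, which is what a PHP file left behind by a failed plugin upload looks like. The extension list and the sample directory tree are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Extensions commonly mapped to the PHP handler (assumption: typical Apache or
# nginx + PHP-FPM setups; adjust to your server's handler configuration).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # "<?php" or short "<?="

def is_php_like(path):
    """Return why the file could run as PHP, or None if it looks harmless."""
    parts = os.path.basename(path).lower().split(".")
    # Flag a PHP extension anywhere after the base name (shell.php, x.php.jpg).
    if any("." + ext in PHP_EXTENSIONS for ext in parts[1:]):
        return "php extension in name"
    try:
        with open(path, "rb") as f:
            head = f.read(4096)
    except OSError:
        return None
    return "php open tag in content" if PHP_TAG.search(head) else None

def scan_uploads(uploads_dir):
    """Walk uploads_dir; return sorted (relative_path, reason) for suspect files."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            full = os.path.join(root, name)
            reason = is_php_like(full)
            if reason:
                rel = os.path.relpath(full, uploads_dir).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)

def make_sample_uploads():
    """Build a constructed uploads tree in a temp dir (sample data, not a real site)."""
    base = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(base, "2018", "07")
    os.makedirs(month)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "shell.php": b"<?php echo 'leftover from a failed plugin upload'; ?>",
        "avatar.php.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "notes.txt": b"<?= 'short open tag inside a text file' ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(month, name), "wb") as f:
            f.write(data)
    return base
```

Point `scan_uploads()` at a real `wp-content/uploads` directory to audit a site; `make_sample_uploads()` only builds the constructed demo tree, on which the scan reports `avatar.php.jpg`, `notes.txt` and `shell.php` and leaves `photo.jpg` alone.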