PT-2018-12284 · WordPress

Viniciusmarangoni · Published 2018-08-10 · Updated 2018-10-10

CVE-2018-14028

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WordPress version 4.9.7

Description: WordPress allows a PHP file to be uploaded through the admin area without verifying that it is actually a ZIP file. Although the subsequent plugin extraction fails, the uploaded PHP file remains at a predictable location under wp-content/uploads, where an attacker can execute it. This is a security risk in particular where an attacker cannot otherwise place arbitrary PHP code into a valid plugin ZIP file because of restricted permissions on the wp-content/plugins directory.

Recommendations: For WordPress version 4.9.7, update to a version that includes the fix for this issue to prevent the upload and execution of unauthorized PHP files.

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2018-14028

Affected Products

Debian
Wordpress