External risk intelligence

WordPress Plugin Baggage Freight Shipping Australia Unrestricted File Upload Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2018-25436

A WordPress plugin has an unrestricted file upload vulnerability, allowing unauthenticated attackers to upload arbitrary files. This could lead to remote code execution if the `upload-package.php` endpoint is reachable. You should care because it enables attackers to run malicious code on your systems without authentic

Halo Surface Signal: 4

Unrestricted File Upload

External exposure likelihood

Halo Surface Signal score for CVE-2018-25436

The vulnerability resides in a WordPress plugin that exposes a file upload endpoint. WordPress sites are commonly deployed as public-facing web applications, making endpoints within plugins accessible to the internet by default.

PCI scan relevance

PCI Relevance for CVE-2018-25436

Yes

CVE-2018-25436 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated attackers to upload arbitrary files, which can lead to remote code execution and is a direct cause for PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a WordPress plugin that allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution. The issue stems from improper validation of uploaded files through a specific plugin endpoint.

  • Unauthenticated attackers can upload malicious files.
  • This could allow unauthorized code execution on affected systems.
  • Confirm relevance and assess exposure to this specific WordPress plugin.

Attack Path

How an attacker could exploit the issue

An attacker can reach this vulnerability without needing any credentials by sending a crafted request to a specific plugin endpoint on a WordPress site. This allows them to upload arbitrary files, which can then be used to execute malicious code on the server.

  • Unauthenticated access to a web server.
  • Uploading a malicious file.
  • Remote code execution on the server.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to upload arbitrary files to a WordPress site, potentially leading to the execution of malicious code. This could occur when an attacker submits a specially crafted POST request to the `upload-package.php` endpoint.

  • Arbitrary files could be uploaded.
  • Exploits an unvalidated upload endpoint.
  • Enables remote code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The WordPress plugin Baggage Freight Shipping Australia has an unrestricted file upload vulnerability. The first practical move is to identify all WordPress instances using this plugin, determine their exposure and business criticality, and then assign ownership for remediation.

  • WordPress application owners are responsible.
  • Verify plugin usage and exposure.
  • Plan remediation or mitigate risk.

Frequently asked questions

What is the Baggage Freight Shipping Australia plugin?

This is a WordPress plugin designed to help site owners manage shipping logistics and freight calculations for customers in Australia. It functions as an extension to a WordPress site, adding specific e-commerce or shipping functionality directly into the site's environment. Like other plugins, it runs as part of the web application, meaning any security weaknesses within its code become part of the overall site's attack surface.

What does CWE-434 mean for CVE-2018-25436?

CWE-434 refers to Unrestricted Upload of File with Dangerous Type. In simple terms, the plugin fails to check or filter the files a user sends to the server. Because the application does not verify if a file is safe before saving it, an attacker can upload malicious scripts. This weakness allows the server to treat those uploaded files as part of its own code, which is how remote code execution occurs.
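The check that CWE-434 says is missing, as an added example in Python rather than the plugin's own PHP (this is not the plugin's code and does not reproduce its logic). It accepts a file only when the name has no path components, carries no server-executable extension anywhere in it, ends in an allow-listed type, and the content starts with that type's magic bytes; the stored name is chosen by the server, never the client. The filenames, byte strings and `ALLOWED_TYPES` table are constructed for the example.

```python
"""Added example (not the plugin's code): an allow-list upload check of the kind
CWE-434 describes as absent. All sample names and contents are constructed."""
import os
import posixpath
import secrets

# Allow-list: accepted extension -> leading magic bytes the content must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

# Extensions a typical web server may hand to an interpreter. They are refused
# wherever they appear in the name, not only at the end, so a name carrying
# several extensions is judged by all of them.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                     "cgi", "pl", "sh"}


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). Accept only when every check passes."""
    # 1. No directory components, no NUL: keep the client-supplied base name only.
    base = posixpath.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", "..") or "\x00" in base:
        return False, "filename contains path components or NUL"

    # 2. Every dot-separated part after the first is treated as an extension.
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or hidden extension"
    exts = parts[1:]
    if any(e in SERVER_EXECUTABLE for e in exts):
        return False, "server-executable extension present"
    final_ext = exts[-1]
    if final_ext not in ALLOWED_TYPES:
        return False, "extension '%s' not in allow-list" % final_ext

    # 3. The bytes must look like the type the extension claims.
    if not content.startswith(ALLOWED_TYPES[final_ext]):
        return False, "content does not match declared type"
    return True, "ok"


def safe_store(filename: str, content: bytes, upload_dir: str) -> str:
    """Validate, then write under a random server-chosen name inside upload_dir."""
    ok, reason = validate_upload(filename, content)
    if not ok:
        raise ValueError(reason)
    ext = filename.rsplit(".", 1)[1].lower()
    dest = os.path.join(upload_dir, "%s.%s" % (secrets.token_hex(16), ext))
    with open(dest, "xb") as fh:  # "x": never overwrite an existing file
        fh.write(content)
    return dest


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    for name, data in [("photo.png", png), ("photo.png", b"<?php echo 1;"),
                       ("report.php", b"<?php"), ("../photo.png", png)]:
        print(name, validate_upload(name, data))
```

The magic-byte check is what closes the gap between "the name says image" and "the bytes are an image"; the extension allow-list alone is not enough, and a deny-list alone is what CWE-434 warns against.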

How is this file upload vulnerability triggered?

An attacker triggers this by sending a specially crafted POST request to the plugin's `upload-package.php` file. This action does not require the attacker to be logged in or have any special permissions. It is important to note that simply visiting the site or viewing a page does not trigger the bug; the attacker must specifically target and interact with that particular upload endpoint.
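Because the trigger is a POST to one named file, the corresponding detection is a filter over web-server access logs. The following is an added example (not from the advisory or the plugin) that parses combined-log-format lines, keeps POST requests whose path ends in `upload-package.php`, and summarises them per source address, counting how many the server answered with a 2xx. The log lines are constructed with RFC 5737 documentation addresses, and the plugin directory name `example-plugin-dir` is a placeholder because the advisory does not give the plugin's slug.

```python
"""Added example (not from the advisory): flag POST requests to the plugin's
upload endpoint in combined-format access logs. All log lines are constructed."""
import re
from collections import Counter

ENDPOINT = "upload-package.php"  # endpoint named in the advisory

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_attempt(rec: dict) -> bool:
    """POST to a path ending in the endpoint; query string ignored, case-insensitive."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.lower().endswith("/" + ENDPOINT)


def find_upload_attempts(lines):
    """Return the parsed records that look like attempts against the endpoint."""
    return [rec for rec in map(parse_line, lines) if rec and is_upload_attempt(rec)]


def summarize(hits):
    """Per-source counts, plus how many requests the server accepted (2xx)."""
    by_ip = Counter(h["ip"] for h in hits)
    accepted = sum(1 for h in hits if h["status"].startswith("2"))
    return {"by_ip": dict(by_ip), "accepted": accepted}


# Constructed sample log (documentation IP ranges; placeholder plugin directory).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-content/plugins/example-plugin-dir/upload-package.php HTTP/1.1" 200 38 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-content/plugins/example-plugin-dir/upload-package.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:15 +0000] "POST /wp-content/plugins/example-plugin-dir/upload-package.php?x=1 HTTP/1.1" 200 38 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Oct/2023:14:02:44 +0000] "POST /wp-content/plugins/example-plugin-dir/UPLOAD-PACKAGE.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    hits = find_upload_attempts(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["ts"], h["status"], h["path"])
    print(summarize(hits))
```

A 2xx on such a POST is the record worth escalating: it means the endpoint was reachable and processed the request, so the upload directory on that host should be reviewed for files the site did not place there. A 403 or 404 shows the request was made but blocked or the endpoint absent.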

Is my site at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a likely risk because WordPress sites are typically deployed as public-facing web applications. Since the plugin's upload endpoint is accessible to the internet by default, any site running the vulnerable version is effectively exposed to remote, unauthenticated access. If your WordPress site is reachable from the internet, the plugin's features are generally reachable as well.

What should I do if I use this plugin?

The immediate priority is to locate all instances of this plugin within your WordPress environment. Once identified, evaluate the criticality of the sites where it is installed. Since the plugin allows arbitrary file uploads, you should consider the risk to those specific servers high. Coordinate with your team to determine if the plugin is still necessary and plan for removal or other risk-mitigation steps.
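The first step in both the operational-fix section and this answer is an inventory: which WordPress installs on a host carry the plugin. The following added example (not from the advisory) walks a document root, finds every copy of the endpoint file named in the advisory, and groups the hits by WordPress install root (the directory that holds `wp-content`). Since the advisory does not give the plugin's directory slug, the match keys on the file name `upload-package.php` under `wp-content/plugins/`, which is an assumption; the paths in the test are constructed and `example-slug` is a placeholder.

```python
"""Added example (not from the advisory): inventory WordPress installs whose
plugins directory contains the endpoint file named in the advisory."""
import os
import sys
from pathlib import Path

ENDPOINT = "upload-package.php"  # endpoint named in the advisory


def _wp_content_index(parts):
    """Index of the 'wp-content' component in a path's parts, or -1."""
    try:
        return parts.index("wp-content")
    except ValueError:
        return -1


def is_plugin_endpoint(path: str) -> bool:
    """True for <root>/wp-content/plugins/<slug>/[...]/upload-package.php."""
    p = Path(path)
    parts = p.parts
    i = _wp_content_index(parts)
    if i < 0 or p.name != ENDPOINT:
        return False
    # Need at least: plugins, <slug>, <file> after wp-content.
    return len(parts) > i + 3 and parts[i + 1] == "plugins"


def classify_paths(paths):
    """Group matching endpoint paths by WordPress install root."""
    found = {}
    for path in paths:
        if not is_plugin_endpoint(path):
            continue
        parts = Path(path).parts
        i = _wp_content_index(parts)
        root = str(Path(*parts[:i])) if i else "."
        found.setdefault(root, []).append(path)
    return found


def scan(docroot: str):
    """Walk docroot and return {install_root: [endpoint paths]}."""
    paths = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ENDPOINT in files:
            paths.append(os.path.join(dirpath, ENDPOINT))
    return classify_paths(paths)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    for install, hits in sorted(scan(root).items()):
        print(install)
        for h in hits:
            print("   ", h)
```

Each install root reported is one site to assign an owner to and to assess for exposure; a hit under `wp-content/themes/` or outside any WordPress tree is deliberately not counted, since the advisory concerns the plugin's endpoint specifically.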
