Description

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.

PUBLISHED Reserved 2026-06-15 | Published 2026-06-15 | Updated 2026-06-15 | Assigner VulnCheck




CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Unrestricted Upload of File with Dangerous Type

Product status

0.1.0: affected

Credits

Kaimi (finder)

References

www.exploit-db.com/exploits/46061 (ExploitDB-46061) exploit

kaimi.io (Official Product Homepage) product

wordpress.org/plugins/baggage-freight/ (Product Reference) product

www.vulncheck.com/...hipping-australia-arbitrary-file-upload (VulnCheck Advisory: WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload) third-party-advisory

cve.org (CVE-2018-25436)

nvd.nist.gov (CVE-2018-25436)
