|Description||In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|buster, buster (security)||5.0.10+dfsg1-0+deb10u1||vulnerable|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
[buster] - wordpress <postponed> (Minor issue, revisit when fixed upstream)
[stretch] - wordpress <postponed> (Minor issue, no sanctioned patch)
[jessie] - wordpress <postponed> (Minor issue, no sanctioned patch)