CVE-2018-25335 Overview
CVE-2018-25335 is an arbitrary file upload vulnerability in the WordPress Peugeot Music plugin version 1.0. The flaw resides in the upload.php endpoint, which accepts POST requests without authentication or file type validation. Attackers can manipulate the name parameter to upload files with arbitrary extensions, including PHP scripts. Once uploaded, the attacker executes the payload directly from the WordPress uploads directory. This results in remote code execution under the privileges of the web server process. The weakness is classified as Missing Authentication for Critical Function [CWE-306].
Critical Impact
Unauthenticated remote attackers can upload arbitrary files to the WordPress server and execute code, leading to full site compromise.
Affected Products
- WordPress Peugeot Music Plugin 1.0
- WordPress installations with the Peugeot Music plugin enabled
- Any site exposing the plugin's upload.php endpoint to the internet
Discovery Timeline
- 2026-05-17 - CVE-2018-25335 published to the National Vulnerability Database (NVD)
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2018-25335
Vulnerability Analysis
The Peugeot Music plugin exposes an upload.php script that processes incoming POST requests without verifying the requester's identity or session. The handler reads a name parameter supplied by the client and uses it to construct the destination filename on disk. Because the script omits both authentication checks and extension allow-listing, attackers control the saved filename, including its extension. A request supplying a .php extension results in an executable script being written into the plugin's uploads directory. The attacker then issues a direct HTTP GET request to the uploaded file to trigger code execution.
Root Cause
The root cause is the absence of authentication on a security-sensitive function [CWE-306]. The plugin treats the upload endpoint as a public interface and performs no capability check such as current_user_can() and no nonce validation through check_admin_referer(). Compounding the issue, the script does not validate the file extension, MIME type, or magic bytes of the uploaded content.
Attack Vector
The attack is conducted over the network with low complexity and requires no privileges or user interaction. An attacker sends a multipart POST request to the plugin's upload.php endpoint with a crafted name parameter and an arbitrary file body. The server writes the file to a web-accessible directory under wp-content/uploads/. The attacker then requests the uploaded PHP file directly to execute commands on the host. Public exploitation details are documented in the Exploit-DB advisory #44737 and the VulnCheck WordPress Advisory.
No verified code examples are available. See the linked advisories for technical reproduction details.
Detection Methods for CVE-2018-25335
Indicators of Compromise
- POST requests to /wp-content/plugins/peugeot-music/upload.php from external IP addresses
- New .php, .phtml, or .phar files appearing in wp-content/uploads/ directories
- Outbound connections from the web server process to unfamiliar IP addresses following file uploads
- Web shell signatures or obfuscated PHP code within uploaded files
Detection Strategies
- Inspect web server access logs for unauthenticated POST requests targeting plugin upload handlers
- Apply file integrity monitoring to the WordPress wp-content/uploads/ directory to detect new executable scripts
- Deploy web application firewall (WAF) rules that block requests containing PHP extensions in upload parameters
- Scan WordPress installations for the presence of the Peugeot Music plugin version 1.0
Monitoring Recommendations
- Alert on any creation of script files (.php, .phtml, .phar, .htaccess) within upload directories
- Monitor web server processes for child process spawns such as sh, bash, curl, or wget
- Correlate file upload events with subsequent inbound GET requests to the same filename
How to Mitigate CVE-2018-25335
Immediate Actions Required
- Remove or deactivate the Peugeot Music plugin from all WordPress installations
- Block external access to /wp-content/plugins/peugeot-music/upload.php at the web server or WAF layer
- Audit the wp-content/uploads/ directory for unauthorized PHP files and remove any web shells found
- Rotate WordPress administrator credentials and database passwords if compromise is suspected
Patch Information
No official vendor patch is available for the Peugeot Music plugin 1.0. The plugin appears to be abandoned. Site operators should uninstall the plugin and select a maintained alternative.
Workarounds
- Configure the web server to deny execution of PHP files within wp-content/uploads/ using directory-level rules
- Restrict access to the plugin directory by IP address or remove it entirely from the filesystem
- Place the site behind a WAF with rules blocking arbitrary file upload attempts targeting WordPress plugins
# Apache: prevent PHP execution in the uploads directory
# Place in wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|phar|php3|php4|php5|php7)$">
Require all denied
</FilesMatch>
# Nginx equivalent in server block
location ~* /wp-content/uploads/.*\.(php|phtml|phar)$ {
deny all;
return 403;
}
# Remove the vulnerable plugin
rm -rf /var/www/html/wp-content/plugins/peugeot-music/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
