
CVE-2018-25436: WordPress Baggage Freight Plugin RCE Flaw

CVE-2018-25436 is an unauthenticated remote code execution vulnerability in version 0.1.0 of the Baggage Freight Shipping Australia plugin for WordPress. Attackers can upload arbitrary files, including PHP, through the plugin's upload-package.php endpoint. This article covers technical details, impact, detection, and mitigation.

CVE-2018-25436 Overview

CVE-2018-25436 is an unrestricted file upload vulnerability in version 0.1.0 of the WordPress plugin Baggage Freight Shipping Australia. The flaw resides in the upload-package.php endpoint, which accepts arbitrary files without requiring authentication and without validating the file's extension or MIME type. An unauthenticated attacker submits a POST request to the upload handler, and the script moves the supplied file directly into the plugin directory. Because that directory sits under the web root and the server executes PHP there, the attacker then requests the uploaded file by URL to run arbitrary code on the WordPress host. The vulnerability is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.

Critical Impact

Unauthenticated remote code execution on any WordPress site running Baggage Freight Shipping Australia 0.1.0, leading to full site takeover.

Affected Products

  • WordPress Plugin Baggage Freight Shipping Australia 0.1.0
  • WordPress installations with the plugin enabled
  • Any web server hosting the vulnerable plugin endpoint upload-package.php

Discovery Timeline

  • 2026-06-15 - CVE-2018-25436 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2018-25436

Vulnerability Analysis

The Baggage Freight Shipping Australia plugin exposes upload-package.php as a publicly reachable endpoint. The script accepts a multipart POST request containing a file parameter and calls move_uploaded_file() to relocate the upload into the plugin directory. The handler performs no authentication check, no nonce verification, and no validation of the file extension or content type. Attackers upload a PHP webshell, then issue an HTTP request to the resulting URL inside wp-content/plugins/baggage-freight/ to execute arbitrary commands. The exploit is documented in Exploit-DB #46061 and the VulnCheck Advisory.

Root Cause

The root cause is missing access control combined with absent file-type validation on the upload handler. The plugin trusts client-supplied filenames and extensions, allowing .php and other server-executable formats to be written into a web-accessible directory.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker crafts a POST request to /wp-content/plugins/baggage-freight/upload-package.php with a malicious payload, then accesses the uploaded file directly to trigger execution. See the VulnCheck Advisory for technical details on the request structure.

Detection Methods for CVE-2018-25436

Indicators of Compromise

  • POST requests to /wp-content/plugins/baggage-freight/upload-package.php from external IPs
  • Newly created .php, .phtml, or .phar files inside the plugin upload directory
  • Outbound connections from the PHP worker process (php-fpm, or apache2 with mod_php) to unfamiliar hosts following an upload event
  • Webshell artifacts containing eval(), system(), passthru(), or base64_decode() patterns in plugin folders

Detection Strategies

  • Monitor web access logs for POST requests targeting upload-package.php and correlate them with subsequent requests to previously unseen .php, .phtml, or .phar files under wp-content/plugins/baggage-freight/; the follow-up request goes to the dropped file, not back to the upload handler
  • Deploy file integrity monitoring on the wp-content/plugins/baggage-freight/ directory to alert on any new executable files
  • Enable WordPress audit logging to capture plugin activity; note that a direct request to a standalone PHP file under wp-content/plugins/ does not pass through WordPress unless the script itself loads wp-load.php, so WordPress-level audit plugins may never see the upload, and web server logs plus file integrity monitoring remain the primary evidence
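The log correlation described in the first strategy above, written out as an added example (not code from the original page or from the plugin). It parses Apache/nginx combined-format access log lines, raises an alert for every POST to the upload handler, and raises a higher-severity alert when an executable file under the plugin directory is requested for the first time shortly after a successful upload POST. The handler path and plugin directory come from the advisory text; the sample log lines are constructed, and the one-hour window and the list of executable extensions are assumptions for the demonstration.

```python
"""Added example: correlate POST requests to the vulnerable upload handler with
later requests to previously unseen PHP files under the plugin directory.

Assumed log format: Apache/nginx "combined" access log. The paths come from
the advisory; the one-hour window and the extension list are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). Line 2 is a successful upload
# POST, line 3 the follow-up request to the dropped file, line 5 a POST the
# server already rejected with 403 (still worth knowing about).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2026:10:01:09 +0000] "POST /wp-content/plugins/baggage-freight/upload-package.php HTTP/1.1" 200 57 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:10:01:15 +0000] "GET /wp-content/plugins/baggage-freight/shell.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [15/Jun/2026:10:02:00 +0000] "GET /wp-content/plugins/baggage-freight/assets/style.css HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Jun/2026:10:05:00 +0000] "POST /wp-content/plugins/baggage-freight/upload-package.php HTTP/1.1" 403 199 "-" "curl/8.4"
"""

UPLOAD_HANDLER = "/wp-content/plugins/baggage-freight/upload-package.php"
PLUGIN_DIR = "/wp-content/plugins/baggage-freight/"
# Extensions PHP handlers commonly execute; matching .php alone misses .phtml/.phar drops.
EXEC_EXT = (".php", ".phtml", ".phar", ".php5", ".php7", ".pht")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string
    return ev


def detect(log_text, window=timedelta(hours=1)):
    """Emit an 'upload_attempt' alert for every POST to the handler, and a
    'possible_webshell' alert when an executable file under the plugin
    directory is requested for the first time within `window` of a
    successful (2xx) upload POST."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    events.sort(key=lambda ev: ev["ts"])
    alerts, uploads, seen_exec = [], [], set()
    for ev in events:
        path = ev["path"]
        if ev["method"] == "POST" and path == UPLOAD_HANDLER:
            alerts.append({"type": "upload_attempt", "ip": ev["ip"],
                           "status": ev["status"], "ts": ev["ts"].isoformat()})
            if 200 <= ev["status"] < 300:
                uploads.append(ev)
            continue
        if (path.startswith(PLUGIN_DIR) and path != UPLOAD_HANDLER
                and path.lower().endswith(EXEC_EXT) and path not in seen_exec):
            seen_exec.add(path)  # only the first hit on a new file matters
            recent = [u for u in uploads
                      if timedelta(0) <= ev["ts"] - u["ts"] <= window]
            if recent:
                alerts.append({"type": "possible_webshell", "ip": ev["ip"],
                               "path": path, "status": ev["status"],
                               "upload_ip": recent[-1]["ip"],
                               "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample the script produces three alerts: the successful upload POST from 203.0.113.7, the first request to shell.php six seconds later flagged as a possible webshell (tied back to the uploading IP), and the later 403'd POST from 192.0.2.9. In production the "first seen" heuristic should be seeded with the plugin's legitimate PHP files so a normal admin page load does not trip it, and the correlation should not be limited to the uploading IP, since the follow-up request often comes from elsewhere.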

Monitoring Recommendations

  • Forward web server and PHP error logs to a centralized SIEM for correlation across hosts
  • Alert on web server processes spawning shells (sh, bash, cmd.exe) or executing reconnaissance commands
  • Track HTTP response codes and payload sizes on the plugin upload endpoint to surface anomalous activity

How to Mitigate CVE-2018-25436

Immediate Actions Required

  • Deactivate and remove the Baggage Freight Shipping Australia plugin from all WordPress installations
  • Audit wp-content/plugins/baggage-freight/ and adjacent upload paths for unauthorized PHP files and remove any webshells
  • Rotate WordPress admin credentials, database passwords, and API keys if compromise is suspected
  • Restore from a known-good backup if webshell execution is confirmed

Patch Information

No vendor patch is referenced in the available advisories. The WordPress plugin page and the VulnCheck Advisory should be consulted for any updated release. Removing the plugin is the recommended remediation.

Workarounds

  • Block external access to /wp-content/plugins/baggage-freight/upload-package.php at the web server or WAF layer
  • Configure the web server to refuse PHP execution in wp-content/uploads/ and, more importantly for this flaw, in the plugin directory itself, since the vulnerable handler writes into wp-content/plugins/baggage-freight/ rather than into uploads/
  • Restrict write permissions on plugin directories so the web server user cannot create new files; this also blocks plugin installs and updates from the WordPress admin, so treat it as a stopgap until the plugin is removed
  • Deploy a WAF rule for the affected endpoint that allows only an explicit list of expected extensions instead of blocking .php, .phtml and .phar by name; extension blocklists are routinely bypassed with case variants (.PhP) and alternate extensions (.php7, .pht) that the PHP handler may also execute
```apache
# Apache 2.4 (vhost, or .htaccess in the plugin directory): deny direct access
# to the vulnerable upload handler.
<Files "upload-package.php">
    Require all denied
</Files>
```

```nginx
# Nginx: block the endpoint and refuse to serve any PHP file from the plugin
# directory. Regex locations are evaluated in order and the first match wins,
# so both blocks must appear BEFORE the generic "location ~ \.php$" block that
# passes requests to PHP-FPM; placed after it they never fire and the handler
# stays reachable. A "return" runs before access checks, so "deny all" would be
# redundant alongside it.
location ~* ^/wp-content/plugins/baggage-freight/upload-package\.php$ {
    return 403;
}
# Covers the handler as well; kept separate so the second block also catches
# any PHP file an attacker has already dropped into the directory.
location ~* ^/wp-content/plugins/baggage-freight/.*\.php$ {
    deny all;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
