CVE-2018-25436 CRITICAL

CVE-2018-25436: WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload

Vendor Shipster

Product Baggage Freight Shipping Australia

Weakness CWE-434 · Unrestricted file upload

Published June 15, 2026

Last update June 15, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.

Key dates

Disclosure timeline

June 15, 2026 CVE published

June 15, 2026 Record updated