CVE-2018-25436 CRITICAL

CVE-2018-25436: WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload

Vendor Shipster
Product Baggage Freight Shipping Australia
Weakness CWE-434 · Unrestricted file upload
Published June 15, 2026
Last update June 15, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.

Explanation of Vulnerability in Simple Terms

02Summary

Shipster's Baggage Freight Shipping Australia product contains an unrestricted file upload vulnerability. An attacker can upload arbitrary files to the server without authentication. This allows execution of malicious code or replacement of legitimate files. Sites using this product should immediately disable it and contact the vendor for a patched version.

What an attacker can do

03Attacker Capabilities

Upload and execute arbitrary files on the server without authentication.

Potential impact on your site

04Site Impact

Attackers can run malicious code on your site, steal data, or deface content without needing a user account.

Conditions required to exploit

05Prerequisites

Network access to the upload endpoint; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated

Related vulnerabilities

08Related CVE