In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine’s wp-content/plugins directory permissions were set up to block all new plugins.

CVSS Score
6.5
Confidentiality ImpactPartial (There is considerable informational disclosure.)
Integrity ImpactPartial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability ImpactPartial (There is reduced performance or interruptions in resource availability.)
Access ComplexityLow (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
AuthenticationSingle system (The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).)
Gained AccessNone
Vulnerability Type(s)Execute Code
CWE ID434