Description
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Baggage Freight Shipping Australia plugin accepts a file submitted to the upload-package.php endpoint from any user, without validation. An attacker can send a POST request with a malicious file that the plugin then moves directly to its upload directory. Because that directory is served by the web server, an uploaded script can be executed, so this flaw permits unrestricted execution of arbitrary code on the affected WordPress site.

Affected Systems

WordPress sites that have the Shipster Baggage Freight Shipping Australia plugin version 0.1.0 installed are affected. The vulnerability is limited to installations running this specific plugin version, which places the plugin's upload directory in a web-accessible location.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the EPSS score is not available, meaning current exploit probability data is lacking. The vulnerability is not listed in the CISA KEV catalog. Attackers only need network access to the WordPress site; no authentication or privileged access is required. By sending a crafted file to the unprotected endpoint, an attacker can achieve remote code execution, compromising the confidentiality, integrity, and availability of the entire host.

Generated by OpenCVE AI on June 16, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Baggage Freight Shipping Australia plugin to a patched release or deactivate and uninstall it if no update is available.
  • Configure the WordPress installation to block file uploads for unauthenticated users, or restrict the allowed file mime types to image formats only.
  • Deploy a web application firewall rule that blocks POST requests to upload-package.php containing disallowed file extensions, thereby preventing arbitrary file uploads.

Generated by OpenCVE AI on June 16, 2026 at 01:56 UTC.
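The recommended actions above describe the controls a safe upload handler needs: an authenticated and authorized caller, an allowlist of permitted file types checked against the actual file content, and a storage location where the web server will not execute what was uploaded. The following PHP is an added example written for this page, not the plugin's own code or a vendor fix; the function name bfsa_handle_upload(), the capability name 'bfsa_upload', the nonce action and the allowlist contents are assumptions chosen for illustration. It uses the real WordPress functions current_user_can() and wp_verify_nonce() and the PHP fileinfo extension.

```php
<?php
// Added example (not the plugin's code): a hardened upload handler in the
// style of a WordPress plugin endpoint. bfsa_handle_upload(), the capability
// 'bfsa_upload' and the nonce action 'bfsa_upload' are assumed names.

declare(strict_types=1);

// Allowlist of extensions the business purpose actually needs, each mapped to
// the MIME types whose bytes may legitimately carry that extension.
const BFSA_ALLOWED = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];

const BFSA_MAX_BYTES = 5 * 1024 * 1024; // 5 MiB, an assumed limit

/**
 * Validate and store one uploaded file.
 *
 * @param array  $file One entry of $_FILES (name, tmp_name, size, error).
 * @param string $dir  Destination directory; must not allow script execution.
 * @return string      Path of the stored file.
 * @throws RuntimeException on any validation failure.
 */
function bfsa_handle_upload(array $file, string $dir): string
{
    // 1. Authorization: the vulnerable pattern served unauthenticated callers.
    //    Require a logged-in user holding a dedicated capability.
    if (!function_exists('current_user_can') || !current_user_can('bfsa_upload')) {
        throw new RuntimeException('Not authorized to upload packages');
    }
    // 2. Nonce check against cross-site request forgery.
    if (!isset($_POST['bfsa_nonce']) || !wp_verify_nonce($_POST['bfsa_nonce'], 'bfsa_upload')) {
        throw new RuntimeException('Invalid request token');
    }
    // 3. Transport-level sanity checks on the PHP upload record.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > BFSA_MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 4. Extension allowlist on the client-supplied name (last extension only;
    //    "label.php.pdf" still has to pass the content check below).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(BFSA_ALLOWED[$ext])) {
        throw new RuntimeException('File type not permitted');
    }
    // 5. Content sniffing: the declared extension must agree with the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, BFSA_ALLOWED[$ext], true)) {
        throw new RuntimeException('File content does not match its extension');
    }
    // 6. Never reuse the client-supplied name: a random name rules out path
    //    traversal and overwriting of existing files.
    $base   = rtrim($dir, '/');
    $target = $base . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    // 7. Defence in depth: stored file is not executable, and the directory
    //    denies PHP files outright (Apache 2.4 syntax; nginx needs a location block).
    chmod($target, 0644);
    $htaccess = $base . '/.htaccess';
    if (!file_exists($htaccess)) {
        file_put_contents(
            $htaccess,
            "<FilesMatch \"\\.(php|phtml|phar)$\">\nRequire all denied\n</FilesMatch>\n"
        );
    }
    return $target;
}
```

Each step removes one of the conditions the description relies on: step 1 closes the unauthenticated access, steps 4 and 5 reject the disallowed extensions named in the record, step 6 stops the handler from moving the file under an attacker-chosen name, and step 7 makes the upload directory non-executable even if a later bug lets a script through. Until a patched release exists, the WAF rule in the list above is the equivalent control applied in front of the existing upload-package.php.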

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 17:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type        | Values Removed | Values Added
Description |                | WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
Title       |                | WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload
Weaknesses  |                | CWE-434
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
            |                | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T16:19:36.564Z

Reserved: 2026-06-15T11:33:30.294Z

Link: CVE-2018-25436

Vulnrichment

Updated: 2026-06-15T16:19:14.322Z

NVD

Status: Deferred

Published: 2026-06-15T14:16:32.223

Modified: 2026-06-15T20:50:47.973

Link: CVE-2018-25436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T02:00:04Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type