Description
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Baggage Freight Shipping Australia plugin allows any user to submit a file to the upload-package.php endpoint without validation. An attacker can send a POST request with a malicious file that the plugin then moves directly to its upload directory. Because the file is executed by the web server, it implies that the upload directory is web‑accessible; this inference is not explicitly stated but deduced. This flaw permits unrestricted execution of arbitrary code on the affected WordPress site.

Affected Systems

WordPress sites that have the Shipster Baggage Freight Shipping Australia plugin version 0.1.0 installed are affected. The vulnerability is limited to installations running this specific plugin version, which places the plugin’s upload directory in a web‑accessible location.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the EPSS score of 0.00661 indicates a very low probability of exploitation. The vulnerability is listed as not in the CISA KEV catalog. Attackers only need network access to the WordPress site; this is inferred, no authentication or privileged access is required. By sending a crafted file to the unprotected endpoint, an attacker can achieve remote code execution, compromising confidentiality, integrity, and availability of the entire host.

Generated by OpenCVE AI on June 18, 2026 at 03:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Baggage Freight Shipping Australia plugin to a patched release or deactivate and uninstall it if no update is available.
  • Configure the WordPress installation to block file uploads for unauthenticated users, or restrict the allowed file mime types to image formats only.
  • Deploy a web application firewall rule that blocks POST requests to upload-package.php containing disallowed file extensions, thereby preventing arbitrary file uploads.

Generated by OpenCVE AI on June 18, 2026 at 03:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Shipster
Shipster baggage Freight Shipping Australia
Wordpress
Wordpress wordpress
Vendors & Products Shipster
Shipster baggage Freight Shipping Australia
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
Title WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Shipster Baggage Freight Shipping Australia
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T16:19:36.564Z

Reserved: 2026-06-15T11:33:30.294Z

Link: CVE-2018-25436

cve-icon Vulnrichment

Updated: 2026-06-15T16:19:14.322Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T14:16:32.223

Modified: 2026-06-15T20:50:47.973

Link: CVE-2018-25436

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:09:11Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type