CVE-2018-14028
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
We have discovered 766,475 live websites that are affected by CVE-2018-14028.
Affected Software
| Product |  WordPress |
| Category | Content Management System |
| Vulnerable Domains | 766,475 live websites (8.32% of WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 658 versions ( 70.68% of all versions) |
Details
- Published - Aug 10, 2018
- Updated - Aug 5, 2024
CVE References
CVE-2018-14028 usage by Country
 United States | 155,980 websites |
 Italy | 80,698 websites |
 Germany | 58,903 websites |
 Japan | 54,675 websites |
 France | 37,974 websites |
 Russia | 34,509 websites |
 GB | 33,496 websites |
 Australia | 32,580 websites |
 Poland | 27,491 websites |
 Netherlands | 24,032 websites |
CVE-2018-14028 usage by TLD
| .com | 282,905 websites |
| .it | 54,329 websites |
| .ru | 30,900 websites |
| .de | 27,243 websites |
| .org | 26,969 websites |
| .net | 24,830 websites |
| .com.au | 23,893 websites |
| .co.uk | 21,243 websites |
| .pl | 20,406 websites |
| .nl | 16,926 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2018-14028
Top websites that are affected by CVE-2018-14028. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.br |  Brazil | *** | |
| *****.com | United States | *,*** | |
| ****.***********.de | Germany | *,*** | |
| *************.com | United States | *,*** | |
| ************.org | United States | *,*** | |
| *****.****.br | Brazil | *,*** | |
| ********.****.br | Brazil | *,*** | |
| ********.eu |  Austria | *,*** | |
| ********************.ru | Russia | *,*** | |
| ********.de | Germany | *,*** |
FAQ
A total of 766,475 websites have been identified as vulnerable to CVE-2018-14028, discovered through global website indexing conducted by WebTechSurvey.
WordPress is susceptible to CVE-2018-14028 vulnerability.
WordPress versions before 4.9.7 are vulnerable to CVE-2018-14028.
Version 4.9.7 of WordPress addresses the CVE-2018-14028 security vulnerability.