Critical

CVE-2018-25436: Security Advisory

CVE-2018-25436 CVSS 9.8
Who it affects
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint.
What to do
Apply the vendor's update in your next patch window.
Deploy the fix with Action1AutomoxManageEngine Patch Manager PlusManageEngine Endpoint Central Are you exposed? Compare patch tools →

CVE-2018-25436 is a critical-severity vulnerability (CVSS 9.8).

Summary

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.

Remediation

Apply the vendor’s update during your next patch window and verify exposure. Patch-management tools that can deploy and verify the fix include Action1, Automox, ManageEngine Patch Manager Plus, ManageEngine Endpoint Central. See our best patch management ranking.

Sources

Data as of June 16, 2026. Sources: nvd.nist.gov, kaimi.io, wordpress.org, exploit-db.com, vulncheck.com. Figures are pulled from public vendor and security data and refreshed automatically.