CVE-2018-25436 | WordPress Plugin Baggage Freight Shipping Australia 0.1.0 co… | CVSS 9.8 CRITICAL

Description

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.

Metadata

CVE ID: CVE-2018-25436
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-15 11:33 UTC
Published: 2026-06-15 12:00 UTC
Last updated: 2026-06-15 16:19 UTC
Primary CWE: CWE-434
Unrestricted Upload of File with Dangerous Type
Vendor / Product: Shipster / Baggage Freight Shipping Australia
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Shipster	Baggage Freight Shipping Australia	—	0.1.0

Weakness (CWE)

CWE	Source	Description
CWE-434	cna	Unrestricted Upload of File with Dangerous Type

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (4)

ExploitDB-46061 https://www.exploit-db.com/exploits/46061
Official Product Homepage https://kaimi.io
Product Reference https://wordpress.org/plugins/baggage-freight/
VulnCheck Advisory: WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload https://www.vulncheck.com/advisories/wordpress-plugin-baggage-freight-shipping-australia-arbitrary-file-upload