id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
28994,Install plugin by upload file does not check file type,mix5003,,"Installing a plugin by uploading a file does not check the file type. If a hacker brute-forces or otherwise gets admin-level access, they can run a PHP script on my site. To reproduce: 1. Upload a PHP file via Plugins->Add New->Upload. After the upload it asks for FTP login details; leave that alone and go to step 2. 2. Use a browser to go to http://mysite/wp-content/uploads/[CURRENT YEAR]/[CURRENT MONTH]/filename.php",defect (bug),closed,normal,,Plugins,3.9.1,normal,invalid,dev-feedback has-patch,,administration