Make WordPress Core

Opened 4 years ago

Last modified 4 years ago

#49725 new defect (bug)

Bug in plugin upload

Reported by: offensive's profile offensive Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Upload Keywords: dev-feedback
Focuses: administration Cc:


bug in wordpress version 5.3.2

how to exploit:

  1. download wordpress and run into localhost.
  2. trying to upload plugin than they are showing here only upload .zip file.
  3. but we are trying to upload .php shell file.
  4. now see file is upload successfully in database.

Attachments (3)

2020-03-21 13_23_09-Microsoft Game DVR - Dashboard ‹ reconforce — WordPress.png (225.3 KB) - added by offensive 4 years ago.
2020-03-21 13_22_09-.png (55.6 KB) - added by offensive 4 years ago.
2020-03-21 13_22_09-.2.png (55.6 KB) - added by offensive 4 years ago.

Download all attachments as: .zip

Change History (5)

#1 @mukesh27
4 years ago

  • Keywords dev-feedback added
  • Severity changed from critical to normal
  • Summary changed from found a bug in wordpress version 5.3.2 to Bug in plugin upload
  • Version 5.3.2 deleted

Hi @offensive,

Welcome to WordPress Trac! Thanks for the ticket.

When I try to upload PHP file in plugin upload it shows me below error and uploaded file is move-in upload directory.

Installing Plugin from uploaded file: code.php
Unpacking the package…

The package could not be installed. PCLZIP_ERR_BAD_FORMAT (-10) : Unable to find End of Central Dir Record signature

Before moving the file in the upload folder system need to check it uploaded file has valid format than and then move the file in the upload directory

#2 @roytanck
4 years ago

Just did a quick test using Local by Flywheel. I got the same error as @mukesh27, and the plugin file was not present in my /wp-content/plugins folder.

The file was available under /wp-content/uploads/2020/03 .

Note: See TracTickets for help on using tickets.