WordPress.org

Make WordPress Core

Opened 29 hours ago

Last modified 5 hours ago

#49725 new defect (bug)

Bug in plugin upload

Reported by: offensive Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Upload Keywords: dev-feedback
Focuses: administration Cc:

Description

bug in wordpress version 5.3.2

how to exploit:

  1. download wordpress and run into localhost.
  2. trying to upload plugin than they are showing here only upload .zip file.
  3. but we are trying to upload .php shell file.
  4. now see file is upload successfully in database.

Attachments (3)

2020-03-21 13_23_09-Microsoft Game DVR - Dashboard ‹ reconforce — WordPress.png (225.3 KB) - added by offensive 29 hours ago.
2020-03-21 13_22_09-.png (55.6 KB) - added by offensive 29 hours ago.
2020-03-21 13_22_09-.2.png (55.6 KB) - added by offensive 29 hours ago.

Download all attachments as: .zip

Change History (5)

@offensive
29 hours ago

@offensive
29 hours ago

@offensive
29 hours ago

#1 @mukesh27
28 hours ago

  • Keywords dev-feedback added
  • Severity changed from critical to normal
  • Summary changed from found a bug in wordpress version 5.3.2 to Bug in plugin upload
  • Version 5.3.2 deleted

Hi @offensive,

Welcome to WordPress Trac! Thanks for the ticket.

When I try to upload PHP file in plugin upload it shows me below error and uploaded file is move-in upload directory.

Installing Plugin from uploaded file: code.php
Unpacking the package…

The package could not be installed. PCLZIP_ERR_BAD_FORMAT (-10) : Unable to find End of Central Dir Record signature

Before moving the file in the upload folder system need to check it uploaded file has valid format than and then move the file in the upload directory

#2 @roytanck
5 hours ago

Just did a quick test using Local by Flywheel. I got the same error as @mukesh27, and the plugin file was not present in my /wp-content/plugins folder.

The file was available under /wp-content/uploads/2020/03 .

Note: See TracTickets for help on using tickets.