PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25436 Shipster CVE debrief

CVE-2018-25436 is a critical vulnerability in version 0.1.0 of the Baggage Freight Shipping Australia WordPress plugin. Its upload-package.php endpoint accepts file uploads from unauthenticated clients: a POST request carrying a file with an executable extension (for example .php) reaches a handler that moves the file, without any extension or type validation, into the plugin's web-reachable upload directory. The attacker then requests the uploaded file by URL and the server executes it, which amounts to unauthenticated remote code execution. The CVSS score for this vulnerability is 9.3 (critical).

Vendor
Shipster
Product
Baggage Freight Shipping Australia
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-15
Original CVE updated
2026-06-15
Advisory published
2026-06-15
Advisory updated
2026-06-15

Who should care

Site owners, administrators and hosting providers running version 0.1.0 of the Baggage Freight Shipping Australia WordPress plugin. No authentication is required, so every internet-facing install is exposed, and a public exploit is listed among the evidence sources (ref-6, Exploit-DB 46061); treat the issue as actively exploitable and act immediately.

Technical summary

The vulnerability is an unrestricted file upload in the upload-package.php endpoint of version 0.1.0 of the Baggage Freight Shipping Australia WordPress plugin. The handler does not check that the caller is authenticated, does not restrict the extension or MIME type of the submitted file, and moves it under its client-supplied name into the plugin upload directory. Because that directory is served by the web server, an attacker can upload a PHP file and then execute it by requesting its URL, giving remote code execution in the context of the web server user.
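A site that ran this plugin should be checked for files an unrestricted upload may already have dropped. The following command-line PHP script is an added illustration written for this debrief; it is not code from the advisory, the plugin or its vendor. It walks a directory tree that should contain only uploaded media and reports anything the PHP engine could execute: files with a PHP-family extension anywhere in the name (so `shell.php.jpg` is caught), files whose first bytes contain a PHP open tag regardless of extension, and dropped `.htaccess` or `.user.ini` files, which attackers use to turn on PHP execution in an upload directory. The path argument and the extension list are assumptions; point it at the plugin's upload directory and at wp-content/uploads, not at wp-content/plugins, where legitimate PHP files live.

```php
<?php
// Added hunting script (illustration only; not from the advisory or the plugin).
// Usage: php find-dropped-files.php /var/www/html/wp-content/uploads
// The path is an assumption for this example.

declare(strict_types=1);

// Extensions the PHP engine (or a permissive web server config) will execute.
const SUSPICIOUS_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar'];

/** True if the file could be executed by the web server or alters how it executes files. */
function bfsa_is_suspicious(string $path): bool
{
    $name = strtolower(basename($path));

    // Dropped server config files: classic trick to enable PHP execution in an upload dir.
    if ($name === '.htaccess' || $name === '.user.ini') {
        return true;
    }

    // Every segment after the first dot counts, so "shell.php.jpg" is flagged:
    // Apache with AddHandler/mod_mime may execute it despite the trailing .jpg.
    $segments = explode('.', $name);
    array_shift($segments);
    foreach ($segments as $segment) {
        if (in_array($segment, SUSPICIOUS_EXT, true)) {
            return true;
        }
    }

    // Content check for polyglots: a PHP open tag in the first 4 KiB of a file
    // that claims to be an image or document is a strong webshell indicator.
    $head = @file_get_contents($path, false, null, 0, 4096);
    if ($head === false) {
        return false;
    }
    return stripos($head, '<?php') !== false || strpos($head, '<?=') !== false;
}

/** Recursively scan $root and return suspicious files, newest modification first. */
function bfsa_scan(string $root): array
{
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if ($file->isFile() && bfsa_is_suspicious($file->getPathname())) {
            $hits[] = [
                'path'  => $file->getPathname(),
                'mtime' => date('c', $file->getMTime()),
                'size'  => $file->getSize(),
            ];
        }
    }
    usort($hits, fn(array $a, array $b): int => strcmp($b['mtime'], $a['mtime']));
    return $hits;
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? getcwd();
    if (!is_dir($root)) {
        fwrite(STDERR, "Not a directory: {$root}\n");
        exit(1);
    }
    foreach (bfsa_scan($root) as $hit) {
        printf("%s  %8d  %s\n", $hit['mtime'], $hit['size'], $hit['path']);
    }
}
```

The modification time is reported because, once a hit is found, the next step is to pull the web server access log for that window and look for the POST to upload-package.php that created the file and the subsequent GET requests that executed it.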

Defensive priority

High

Recommended defensive actions

  • Update the Baggage Freight Shipping Australia plugin to a release that removes the unauthenticated upload, if the vendor has published one; 0.1.0 is the only version named in the evidence, so if no fixed release is available, deactivate and delete the plugin.
  • Restrict access to the upload-package.php endpoint: deny direct web requests to that path at the web server (or remove the file), so that uploads can only reach a handler that runs inside WordPress and checks the caller's session and capability.
  • Validate file uploads against an allowlist of extensions and MIME types, store them under a sanitised name outside web-executable paths, and check the plugin upload directory and wp-content/uploads for .php or .phtml files that should not be there; review web server logs for POST requests to upload-package.php.
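The technical summary above describes the vulnerable shape (an unauthenticated handler that moves the client's file into the plugin directory unchecked) and the two actions above ask for access restriction and upload validation. The following PHP is an added illustration for this debrief, not the plugin's own code: the first function is a hypothetical reconstruction of the vulnerable pattern, the second shows the hardened form using standard WordPress APIs. The form field name `package`, the `bfsa_` prefix, the nonce action name and the allowed types are assumptions.

```php
<?php
// Added illustration; not the Baggage Freight plugin's code. Names prefixed
// bfsa_, the field $_FILES['package'] and the allowed types are assumptions.

// Standard guard: a plugin file requested directly (outside WordPress) does
// nothing. This alone turns a standalone upload-package.php into a dead end.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- Vulnerable pattern (hypothetical; do NOT use) --------------------------
function bfsa_vulnerable_upload_handler(): void {
    // No login check, no nonce, no extension or MIME check: whatever the client
    // sent is written under its own name into a web-reachable directory, so
    // "shell.php" becomes executable at /wp-content/plugins/<plugin>/uploads/shell.php.
    $dest = __DIR__ . '/uploads/' . $_FILES['package']['name'];
    move_uploaded_file( $_FILES['package']['tmp_name'], $dest );
}

// --- Hardened version -------------------------------------------------------
function bfsa_safe_upload_handler(): void {
    // 1. Access restriction: only logged-in users with the right capability.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the form must carry a nonce bound to this action.
    check_admin_referer( 'bfsa_upload_package', 'bfsa_nonce' );

    if ( empty( $_FILES['package'] ) || UPLOAD_ERR_OK !== $_FILES['package']['error'] ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }

    // 3. Allowlist (assumed types for this example); anything else is rejected.
    //    wp_check_filetype_and_ext() checks the extension AND sniffs the content
    //    for images, so a PHP file renamed to .pdf still fails the extension test
    //    and a polyglot image gets its name corrected to the real type.
    $allowed = array(
        'pdf' => 'application/pdf',
        'csv' => 'text/csv',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['package']['tmp_name'],
        $_FILES['package']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed', '', array( 'response' => 415 ) );
    }

    // 4. Let WordPress place the file: it sanitises the filename, applies the
    //    allowlist again and stores under wp-content/uploads, not the plugin dir.
    $result = wp_handle_upload(
        $_FILES['package'],
        array(
            'test_form' => false,
            'mimes'     => $allowed,
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    // $result['file'] is the stored path; record it server-side rather than
    // echoing anything the client supplied.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// Route the upload through admin-post.php for logged-in users only. Deliberately
// no admin_post_nopriv_ hook: anonymous requests never reach the handler.
add_action( 'admin_post_bfsa_upload_package', 'bfsa_safe_upload_handler' );
```

The key differences are that the hardened handler is only reachable through a WordPress request (ABSPATH guard plus the admin_post_ hook), refuses anonymous and unprivileged callers before touching the file, and never trusts the client-supplied name or extension; the web-server deny rule recommended above is a defence-in-depth layer on top of this, not a substitute for it.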

Evidence notes

The evidence for this CVE comes from the following sources: [ref-4](https://kaimi.io/), [ref-5](https://wordpress.org/plugins/baggage-freight/), [ref-6](https://www.exploit-db.com/exploits/46061), and [ref-7](https://www.vulncheck.com/advisories/wordpress-plugin-baggage-freight-shipping-australia-arbitrary-file-upload).

Official resources

CVE-2018-25436 was published on 2018-01-01 and modified on 2018-01-01.