WordPress media library allow uploading fake file

If the file isn’t an image, its mime type is checked against the allowed list.

As your example would generate a text mimetype, and it’s an allowed file extension, it passes through. There should be no concern unless your server is executing image files as PHP, in which case this issue is the least of your concerns.

If you consider it a bug though, you should open a Trac ticket, this isn’t the place for reporting WP bugs

Related Posts:

  1. Security around save_post hook
  2. Is there a way to send HTML formatted emails with WordPress’ wp_mail() function?
  3. Is there a hook that runs after a user logs in?
  4. Hook after image is uploaded and image sizes generated
  5. How to call a REST endpoint when a post is published?
  6. __NAMESPACE__ with register_activation_hook
  7. How to check if which hook triggered the call to a function?
  8. Hook for URL Request
  9. Hook/notify when any option or setting is added or updated
  10. Which hooks is this? add_action(‘wp’,
  11. admin_notices after register_uninstall / deactivate_hook
  12. Hooks are not executing
  13. add_action on inherit post status
  14. Best possible way to get all options
  15. Why does wp_enqueue_script ignore my ‘wp_head’ hook?
  16. action lifecycle
  17. Redirect users on specific post category or category page
  18. Returning ACF custom field from publish_post
  19. How to modify an add_action() inside a loop of core function
  20. What is the best filter where to use register_block_type?
  21. How get list all users who edited post?
  22. Stuck in redirect loop after using wp_login action
  23. Hooks for Links Box [duplicate]
  24. Check if do_action(‘custom_action’) is hooked into?
  25. Hook after wp_enqueue_scripts
  26. wp_login Action hook with conditional tag
  27. Can I remove WooCommerce main content hook?
  28. How to alter the query using pre_get_posts hook and is_post_type_archive
  29. How to update WordPress core or themes and still have my child theme hooks work
  30. Proper indentation of code generated inside hooks
  31. Add parameter (time) to oembed
  32. How to find a callback attached to a bbpress hook?
  33. How to extend custom (non-core) blocks?
  34. How can I count post views of REST API calls and update them in an ACF field?
  35. Event-Driven Pattern vs MVC?
  36. Using hooks with extra parameters
  37. How to catch and modify custom field values when a page is updated
  38. Genesis: How to add content after aside and before the content-sidebar wrap
  39. new_to_publish fires multiple times
  40. Implement Hooks Using Array
  41. What hook is used to display the admin_bar on the front end?
  42. Plugin init hook
  43. Best action hook for placing ical requests
  44. Is there a hook that fires when a row of wp_sitemeta table is updated?
  45. `rest_user_query` can’t access post author in post edit screen
  46. Post Meta Emtpy on Publish Using Transition
  47. How to check post type when using sanitize_title hook?
  48. How do I trigger a post update within a get_posts() foreach loop?
  49. Duplicate Cron Jobs Using wp_next_scheduled / wp_schedule_event
  50. Hook when editing user
  51. get_post_metadata causing some meta data to fail
  52. How to change the default mail when admin approuved an user?
  53. How to modify how the_content outputs a link to an internal page
  54. read more, even if excerpt not trimmed
  55. Conditional for autosave or auto draft?
  56. How do I prevent term from being created on create_term hook?
  57. How to distinguish on hook profile_update user registering, user resetting password or user updating profile?
  58. Hook to init or call explicitly within functions.php
  59. Hook function prints output twice
  60. Hook priority in admin with custom plugin
  61. Embeding style into the header via the function.php
  62. ‘save_post’ hook not working in WP 3.5
  63. Change the Default Plugin page filter to Active intead of All
  64. Remove Header and Footer if user is not logged on
  65. How to execute a hook asynchronously?
  66. Issues with if, else, and elseif statements
  67. How to add a HTML element in ADMIN edit post window?
  68. wp query add array by if condition
  69. WP Cron not executing after timespan
  70. Gravity Forms | Form Object is NULL [closed]
  71. Change status of page after an event (Looking for best practice advice)
  72. add_action hook for links.php page
  73. Add action save post when create and publish
  74. Hooks for Start/End of Batch Plugin Updates in wordpress
  75. How to load another post if condition is true
  76. Add a Call to Action Button to WordPress Post Thumbnail
  77. Struggling with plugin dev basics: add_action
  78. RTrouble passing arguments to action
  79. What hook can you use to get the full response?
  80. delete_user hook failed
  81. Which things should be called with `after_setup_theme`?
  82. Changing header logo href for the checkout page
  83. Prefixing widget_posts_args Hook
  84. Can’t get ID of post that relates to the comment
  85. Updating user meta data from external link, user not logged in
  86. adding wordpress yoast SEO canonical url from “transition_post_status” hook
  87. Remove lines from RSS Feed
  88. Security question – Display a General Custom Login Error Message
  89. Is there a hook that triggers when grant secondary user role in WordPress?
  90. How can I insert custom html code inside a div dynamically?
  91. How to trigger click events using hooks
  92. remove_action() hook not working
  93. How WordPress understands what do with the (all) key in the $wp_filter array? [duplicate]
  94. Function Hooked on Init Running Multiple Times
  95. WP-Automatic to run publish hooks
  96. Hide post completely and still reach it via cURL
  97. Problem in register activation hook and Copying folder
  98. Why does hook priority affects admin menu permission error?
  99. How do I change TinyMCE button “i” to create a i tag rather than em? [duplicate]
  100. add_action failed to display function by a plugin
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)