--- a/wp/wp-admin/includes/class-file-upload-upgrader.php Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-admin/includes/class-file-upload-upgrader.php Fri Sep 05 18:40:08 2025 +0200
@@ -16,6 +16,7 @@
* @since 2.8.0
* @since 4.6.0 Moved to its own file from wp-admin/includes/class-wp-upgrader.php.
*/
+#[AllowDynamicProperties]
class File_Upload_Upgrader {
/**
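Review bot: The added `#[AllowDynamicProperties]` on line 7 is a blanket opt-out from the PHP 8.2 dynamic-property deprecation for the whole class, and nothing in the hunk records why it is needed; if the class already declares the properties the constructor assigns (`$this->filename`, `$this->package` appear in the later hunks) the attribute may be redundant, and if it exists for third-party code that attaches extra properties, that deserves a sentence in the class docblock, e.g. `* Dynamic properties are allowed for backward compatibility with callers that set undeclared properties on the instance.` I cannot see the property declarations from this hunk, so this is an inference to confirm. The class body continues outside the hunk.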
@@ -68,6 +69,30 @@
wp_die( $file['error'] );
}
+ if ( 'pluginzip' === $form || 'themezip' === $form ) {
+ if ( ! wp_zip_file_is_valid( $file['file'] ) ) {
+ wp_delete_file( $file['file'] );
+
+ if ( 'pluginzip' === $form ) {
+ $plugins_page = sprintf(
+ '<a href="%s">%s</a>',
+ self_admin_url( 'plugin-install.php' ),
+ __( 'Return to the Plugin Installer' )
+ );
+ wp_die( __( 'Incompatible Archive.' ) . '<br />' . $plugins_page );
+ }
+
+ if ( 'themezip' === $form ) {
+ $themes_page = sprintf(
+ '<a href="%s" target="_parent">%s</a>',
+ self_admin_url( 'theme-install.php' ),
+ __( 'Return to the Theme Installer' )
+ );
+ wp_die( __( 'Incompatible Archive.' ) . '<br />' . $themes_page );
+ }
+ }
+ }
+
$this->filename = $_FILES[ $form ]['name'];
$this->package = $file['file'];
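Review bot: The two inner branches of the new archive-validation block (lines 17–33) repeat the same sprintf-plus-wp_die sequence with only the URL, link attributes and label differing, and the second guard `if ( 'themezip' === $form )` is already implied by the outer condition once the pluginzip branch has called `wp_die()`; choosing the return link first and dying once reads more directly and keeps the two messages from drifting apart. The `wp_delete_file()` call immediately after the failed `wp_zip_file_is_valid()` check also deserves a why-comment, since it is the line that keeps a rejected upload from lingering in the uploads directory. Behaviour is unchanged if `wp_die()` does not terminate (a custom die handler), because the non-matching branch was skipped in the original as well. The enclosing constructor starts before and continues after this hunk.
```php
if ( 'pluginzip' === $form || 'themezip' === $form ) {
    if ( ! wp_zip_file_is_valid( $file['file'] ) ) {
        // Remove the rejected archive so an unusable upload is not left in the uploads directory.
        wp_delete_file( $file['file'] );

        $return_link = ( 'pluginzip' === $form )
            ? sprintf(
                '<a href="%s">%s</a>',
                self_admin_url( 'plugin-install.php' ),
                __( 'Return to the Plugin Installer' )
            )
            : sprintf(
                '<a href="%s" target="_parent">%s</a>',
                self_admin_url( 'theme-install.php' ),
                __( 'Return to the Theme Installer' )
            );

        wp_die( __( 'Incompatible Archive.' ) . '<br />' . $return_link );
    }
}
// … unchanged: filename/package assignment …
```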
@@ -107,14 +132,14 @@
$this->filename = sanitize_file_name( $_GET[ $urlholder ] );
$this->package = $uploads['basedir'] . '/' . $this->filename;
- if ( 0 !== strpos( realpath( $this->package ), realpath( $uploads['basedir'] ) ) ) {
+ if ( ! str_starts_with( realpath( $this->package ), realpath( $uploads['basedir'] ) ) ) {
wp_die( __( 'Please select a file' ) );
}
}
}
/**
- * Delete the attachment/uploaded file.
+ * Deletes the attachment/uploaded file.
*
* @since 3.2.2
*