diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-admin/update.php
--- a/wp/wp-admin/update.php Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-admin/update.php Fri Sep 05 18:40:08 2025 +0200
@@ -107,7 +107,7 @@
 wp_die( __( 'Sorry, you are not allowed to install plugins on this site.' ) );
 }
- include_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // For plugins_api().
+ require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // For plugins_api().
 check_admin_referer( 'install-plugin_' . $plugin );
 $api = plugins_api(
@@ -154,6 +154,10 @@
 check_admin_referer( 'plugin-upload' );
+ if ( isset( $_FILES['pluginzip']['name'] ) && ! str_ends_with( strtolower( $_FILES['pluginzip']['name'] ), '.zip' ) ) {
+ wp_die( __( 'Only .zip archives may be uploaded.' ) );
+ }
+
 $file_upload = new File_Upload_Upgrader( 'pluginzip', 'package' );
 // Used in the HTML title tag.
@@ -258,7 +262,7 @@
 wp_die( __( 'Sorry, you are not allowed to install themes on this site.' ) );
 }
- include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php'; // For themes_api().
+ require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php'; // For themes_api().
 check_admin_referer( 'install-theme_' . $theme );
 $api = themes_api(
@@ -302,6 +306,10 @@
 check_admin_referer( 'theme-upload' );
+ if ( isset( $_FILES['themezip']['name'] ) && ! str_ends_with( strtolower( $_FILES['themezip']['name'] ), '.zip' ) ) {
+ wp_die( __( 'Only .zip archives may be uploaded.' ) );
+ }
+
 $file_upload = new File_Upload_Upgrader( 'themezip', 'package' );
 // Used in the HTML title tag.
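Review bot: The new guard in the plugin-upload hunk inspects only `$_FILES['pluginzip']['name']`, which is the filename the client chose to send, so it cannot distinguish a real ZIP from anything else and must not be read as a content check; the archive is still only validated when `File_Upload_Upgrader` and the unzip step handle it. That is acceptable as an early usability/defence-in-depth gate, but the intent deserves a comment so nobody later relaxes the downstream validation on the strength of this line, e.g. `// Client-supplied name only: rejects obvious mistakes early; archive content is still validated by the upgrader.` Note also that `str_ends_with()` is a PHP 8.0 function; WordPress ships a polyfill in wp-includes/compat.php as far as I recall, so confirm that this tree carries it or that the minimum PHP version covers it. When `name` is absent the check is skipped entirely and the request falls through to `File_Upload_Upgrader`, which presumably reports the upload error itself — worth confirming. The enclosing request branch starts and ends outside the hunk.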
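Review bot: The comment kept on the new `require_once` line in the theme-install hunk, `// For themes_api().`, looks misleading: class-wp-upgrader.php holds the upgrader classes, and themes_api() is, as far as I recall, defined in wp-admin/includes/theme.php and already loaded by the admin bootstrap. Since the line is being rewritten anyway, I would make the comment name what the file is actually needed for — presumably the Theme_Upgrader used further down this branch — e.g. `require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php'; // For Theme_Upgrader.`, or drop the comment rather than keep a stale pointer. The switch to `require_once` itself is the right failure mode: a missing include now aborts instead of continuing past a warning into undefined functions. The enclosing branch starts and ends outside the hunk.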
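Review bot: The theme-upload hunk repeats the plugin-upload guard verbatim with only the `$_FILES` key changed, so the two copies will drift the next time one of them is tightened (for instance to also look at `['error']` or the MIME type reported by the upload handler). I would move the check into a small shared helper next to `File_Upload_Upgrader` and call it from both branches with the field name, keeping the user-visible message byte-identical; that also gives a single place to document that the check is name-only and not a content check. wp_die() accepts a response code in its third argument, if I recall correctly, and a 400 would be appropriate for a rejected upload — confirm against the wp_die() signature in this tree. The enclosing branch starts and ends outside the hunk.

```php
/**
 * Rejects an upload whose client-supplied file name does not end in ".zip".
 *
 * Looks only at the name the browser sent, so this is an early, user-facing
 * sanity check; archive content is still validated when the upgrader unpacks it.
 *
 * @param string $field Key in $_FILES holding the upload ('pluginzip', 'themezip').
 */
function wp_reject_non_zip_upload( $field ) {
	if ( ! isset( $_FILES[ $field ]['name'] ) ) {
		return;
	}
	if ( ! str_ends_with( strtolower( $_FILES[ $field ]['name'] ), '.zip' ) ) {
		wp_die( __( 'Only .zip archives may be uploaded.' ) );
	}
}

// … unchanged: check_admin_referer( 'theme-upload' ) …
wp_reject_non_zip_upload( 'themezip' );
// … unchanged: $file_upload = new File_Upload_Upgrader( 'themezip', 'package' ) …
```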