diff --git a/wp-admin/includes/file.php b/wp-admin/includes/file.php
index e5a8c2f5ba..6994a35faa 100644
--- a/wp-admin/includes/file.php
+++ b/wp-admin/includes/file.php
@@ -606,6 +606,8 @@ function _unzip_file_ziparchive($file, $to, $needed_dirs = array() ) {
 		// Check the parent folders of the folders all exist within the creation array.
 		if ( untrailingslashit($to) == $dir ) // Skip over the working directory, We know this exists (or will exist)
 			continue;
+		if ( strpos($dir, $to) === false ) // If the directory is not within the working directory, Skip it
+			continue;
 
 		$parent_folder = dirname($dir);
 		while ( !empty($parent_folder) && untrailingslashit($to) != $parent_folder && !in_array($parent_folder, $needed_dirs) ) {
@@ -685,6 +687,8 @@ function _unzip_file_pclzip($file, $to, $needed_dirs = array()) {
 		// Check the parent folders of the folders all exist within the creation array.
 		if ( untrailingslashit($to) == $dir ) // Skip over the working directory, We know this exists (or will exist)
 			continue;
+		if ( strpos($dir, $to) === false ) // If the directory is not within the working directory, Skip it
+			continue;
 
 		$parent_folder = dirname($dir);
 		while ( !empty($parent_folder) && untrailingslashit($to) != $parent_folder && !in_array($parent_folder, $needed_dirs) ) {
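Review bot: `strpos($dir, $to) === false` tests whether `$to` occurs anywhere in `$dir`, not whether `$dir` lies under `$to`, so a path that merely contains the working-directory string somewhere after its start passes the new guard; the intended "starts with" test is `if ( strpos($dir, $to) !== 0 ) // Skip directories that are not inside the working directory` followed by `continue;`. The identical line is added in the `_unzip_file_pclzip` hunk and should change there the same way. Even as a prefix test this only compares strings and does not resolve `..` segments inside `$dir`; the loop that builds `$needed_dirs` and the rest of both functions are outside these hunks, so if normalization happens there a short comment here pointing to it would stop a later reader from treating this line as the whole traversal defence. I also cannot tell from the hunk whether `$to` and `$dir` are guaranteed to use the same directory-separator style on Windows, which either form of the check depends on.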