CVE-2019-8942

Published: 20 February 2019

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
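A defensive check for the condition described above, as an added example that is not part of the original advisory or of WordPress: it audits _wp_attached_file values exported from the postmeta table and flags ones like the .jpg?file.php case. The row layout (post id, meta value), the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Extensions that a PHP-enabled web server may hand to the interpreter.
# Assumption: this list is illustrative; match it to the server's handler config.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)\b", re.IGNORECASE)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def audit_attached_file(value):
    """Return the reasons a _wp_attached_file value looks tampered with.

    A legitimate value is a plain file path such as "2019/02/photo.jpg".
    The advisory's example is a value ending in ".jpg?file.php".
    """
    reasons = []
    if "?" in value or "#" in value:
        # URL delimiters have no place in a stored file path.
        reasons.append("url-delimiter")
    if SCRIPT_EXT.search(value):
        reasons.append("script-extension")
    if CONTROL_CHARS.search(value):
        reasons.append("control-character")
    return reasons


def audit_rows(rows):
    """Map post id -> reasons for every row that has at least one finding."""
    findings = {}
    for post_id, value in rows:
        reasons = audit_attached_file(value)
        if reasons:
            findings[post_id] = reasons
    return findings


# Constructed sample rows (post_id, meta_value), not taken from a real site.
SAMPLE_ROWS = [
    (101, "2019/02/photo.jpg"),
    (102, "2019/02/photo.jpg?file.php"),
    (103, "2019/02/report.pdf"),
    (104, "2019/02/avatar.php.png"),
]

if __name__ == "__main__":
    for post_id, reasons in audit_rows(SAMPLE_ROWS).items():
        print(post_id, ", ".join(reasons))
```

Any finding on a site that ran a release before 4.9.9 or 5.0.1 warrants reviewing the attachment and the files next to it in the uploads directory.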

Priority

Medium

CVSS 3 base score: 8.8

Status

Package: wordpress

Release: Status
Upstream: Released (5.0.1+dfsg1-1)
Ubuntu 21.10 (Impish Indri): Not vulnerable (5.0.3+dfsg1-1)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (5.0.3+dfsg1-1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (5.0.3+dfsg1-1)
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)