
CVE-2019-8942

Status: PUBLISHED

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because a _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.


Risk Scores

EPSS Score: 93.44% (99.8th percentile)

Affected Products

Vendor             Product     Versions
Ubuntu 16.04 LTS   wordpress   0, 4.3+dfsg-1, 4.3.1+dfsg-1
Ubuntu 18.04 LTS   wordpress   0, 4.8.3+dfsg-1, 4.9.1+dfsg-1

Timeline

  • Feb 20, 2019 CVE Published
  • Mar 8, 2019 PoC Published
  • Apr 4, 2019 PoC Published
  • Apr 5, 2019 PoC Published
  • Apr 5, 2019 PoC Published
  • Apr 14, 2021 EPSS Score
  • Sep 14, 2021 EPSS Score
  • Sep 16, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Aug 4, 2024 CVE Updated
  • Aug 22, 2024 EPSS Score
  • Sep 15, 2024 EPSS Score