CVE-2019-8943

CVE-2019-8943 PUBLISHED

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

Risk Scores

EPSS Score: 93.73% (99.9th percentile)

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | wordpress | *, 0, 4.8.2+dfsg-2 |
| Ubuntu:24.04:LTS | wordpress | 6.2+dfsg1-1ubuntu1, 0, 6.4.3+dfsg1-1ubuntu1 |
| Ubuntu:16.04:LTS | wordpress | 4.4.2+dfsg-1, 4.4.2+dfsg-1ubuntu1, 0 |
| Ubuntu:20.04:LTS | wordpress | 0, 5.2.2+dfsg1-1, 5.2.4+dfsg1-1 |
| Ubuntu:22.04:LTS | wordpress | *, *, 0 |
| Ubuntu:25.10 | wordpress | 0, 6.7.2+dfsg1-1.1ubuntu1 |

Timeline

  • Feb 20, 2019 CVE Published
  • Mar 1, 2019 PoC Published
  • Mar 1, 2019 PoC Published
  • Mar 8, 2019 PoC Published
  • Apr 4, 2019 PoC Published
  • Apr 5, 2019 PoC Published
  • Apr 5, 2019 PoC Published
  • Apr 14, 2021 EPSS Score
  • May 31, 2021 PoC Published
  • Aug 24, 2021 EPSS Score
  • Sep 16, 2021 EPSS Score
  • Dec 27, 2021 EPSS Score