Attacker Value
High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

Wordpress Post Meta Entry RCE

Disclosure Date: February 20, 2019
CVE-2019-8942 CVSS v3 Base Score: 8.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Metasploit Module

Description

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

Add Assessment

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

Details

This exploit requires authentication and either the php-imagick or php-gd extension to be installed. Exploiting this vulnerability with only
the php-gd extension installed will require more work when crafting the JPEG because the php-gd extension compresses the image and strips it of
its exif metadata. This is still a valuable exploit due to the large user base of the application.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
Simon Scannell
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • wordpress

Products

  • debian linux 9.0,
  • wordpress,
  • wordpress 5.0
Technical Analysis