CVE Daily

CVE-2018-20148

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP o...

Critical CVSS 9.8

Overview

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

CWE: CWE-502 Published: 2018-12-14T20:29:00.390
Risk analysis

This vulnerability is rated 🔴 CRITICAL.

  • CVSS: 9.8 (CRITICAL)
  • Detected tags: none (tag impact: LOW)

Recommended actions:

  • Prioritize remediation based on business criticality and exposure.
  • Limit exposure and increase monitoring until fixed.

Recommended tools

Tags