CVE-2018-12895
Published: 2018-06-26
Priority: P2 · 74 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 62.56% (99.1th percentile)
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | wordpress | < wordpress 4.9.7+dfsg1-1 (bookworm) | wordpress 4.9.7+dfsg1-1 (bookworm) |
| wordpress | wordpress | < 4.9.7 | 4.9.7 |
| wordpress | wordpress | >= 0 < 4.9.7+dfsg1-1 | 4.9.7+dfsg1-1 |
| wordpress | wordpress | >= 0 < 4.9.7+dfsg1-1 | 4.9.7+dfsg1-1 |
| wordpress | wordpress | >= 0 < 4.9.7+dfsg1-1 | 4.9.7+dfsg1-1 |
| wordpress | wordpress | >= 0 < 4.9.7+dfsg1-1 | 4.9.7+dfsg1-1 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to wp-admin/post.php where the 'thumb' parameter contains directory traversal sequences (e.g., '../') pointing outside the uploads directory, particularly targeting wp-config.php.
- Detect POST requests to wp-admin/post.php with body parameter 'action=editattachment' combined with a 'thumb' value containing '../' traversal sequences.
- Alert on deletion or absence of wp-config.php followed by a WordPress installation request (wp-admin/setup-config.php or wp-admin/install.php), which indicates the attacker is attempting privilege escalation via re-installation.
- Flag authenticated requests (Author/Editor role) to wp-admin/post.php with a 'thumb' POST parameter: Authors should not be submitting thumbnail path values that traverse outside the media upload directory.
- The exploit requires the attacker to already be authenticated with at least Author-level privileges; unauthenticated exploitation is not possible.
- The exploit uses a valid WordPress nonce (_wpnonce) extracted from the edit attachment page, meaning the attacker must first navigate to a media attachment edit page to obtain a live nonce before launching the deletion request.
- The vulnerability is fixed in WordPress 4.9.7 and later; affected versions are 4.9.6 and below.
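The detection items above can be turned into a small correlation routine. The following is an added example written for this page; it is not code from WordPress, from the advisory, or from any of the sources listed below. It assumes a request feed that carries POST bodies (a WAF or audit log rather than a plain access log), an uploads directory at the default wp-content/uploads, and constructed sample records. The containment check it applies to the 'thumb' value is the kind of validation the description says wp_delete_attachment lacked; it is written here for detection and is not the WordPress patch itself.

```python
"""Detection helper for the CVE-2018-12895 request pattern.

Added example; not part of the advisory, of WordPress, or of any source
on this page. It walks a few constructed request records and flags the
two signals described above: a 'thumb' value sent to wp-admin/post.php
that resolves outside the uploads directory, and an installer request
that follows such a deletion attempt.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumed default upload location, relative to the WordPress root.
UPLOADS_DIR = "wp-content/uploads"

# Installer endpoints named in the detection guidance above.
INSTALLER_PATHS = ("/wp-admin/install.php", "/wp-admin/setup-config.php")


def escapes_uploads_dir(thumb: str) -> bool:
    """Return True when `thumb`, joined onto the uploads directory and
    normalized, no longer lies inside that directory.

    Handles '../' sequences, absolute paths, and URL-decoded input alike,
    because the caller decodes the POST body before calling this.
    """
    resolved = posixpath.normpath(posixpath.join(UPLOADS_DIR, thumb))
    return not (resolved == UPLOADS_DIR or resolved.startswith(UPLOADS_DIR + "/"))


# Constructed sample records: (timestamp, authenticated user, method, target, POST body).
# Plain access logs do not carry POST bodies; a WAF or audit log would be the real feed.
SAMPLE_EVENTS = [
    ("2018-07-01T10:00:01Z", "author1", "GET", "/wp-admin/post.php?post=42&action=edit", ""),
    ("2018-07-01T10:00:05Z", "author1", "POST", "/wp-admin/post.php",
     "_wpnonce=0123abcd&action=editattachment&post_ID=42"
     "&thumb=2018%2F07%2Fimage-150x150.jpg"),            # benign thumbnail edit
    ("2018-07-01T10:01:12Z", "author1", "POST", "/wp-admin/post.php",
     "_wpnonce=0123abcd&action=editattachment&post_ID=42"
     "&thumb=..%2F..%2F..%2F..%2Fwp-config.php"),         # traversal toward wp-config.php
    ("2018-07-01T10:01:40Z", "-", "GET", "/wp-admin/install.php", ""),  # installer re-run
]


def analyze(events):
    """Return a list of findings, each a dict with ts, kind, user and detail."""
    findings = []
    traversal_seen = False
    for ts, user, method, target, body in events:
        path = urlsplit(target).path
        # parse_qs URL-decodes values, so '..%2F' becomes '../' before the check.
        params = parse_qs(body, keep_blank_values=True) if method == "POST" else {}

        if path.endswith("/wp-admin/post.php"):
            for thumb in params.get("thumb", []):
                if escapes_uploads_dir(thumb):
                    findings.append({"ts": ts, "kind": "traversal_thumb",
                                     "user": user, "detail": thumb})
                    traversal_seen = True

        # An installer request after a traversal attempt matches the
        # "delete wp-config.php, then re-run the installer" sequence.
        if traversal_seen and path.endswith(INSTALLER_PATHS):
            findings.append({"ts": ts, "kind": "reinstall_after_traversal",
                             "user": user, "detail": path})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['kind']:<26} user={f['user']} detail={f['detail']}")
```

Run against the constructed records, the routine reports the traversal 'thumb' value and then the installer request that follows it, while the ordinary thumbnail edit in the second record is left alone. The `escapes_uploads_dir` check is deliberately stricter than a search for the literal '../': a value such as `../2018/x.jpg` normalizes to a path outside the uploads directory and is flagged too.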
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
Debian
CVE-2018-12895: wordpress - WordPress through 4.9.6 allows Author users to execute arbitrary code by leverag...
vendor_debian · 2018 · CVSS 8.8 · HIGH
Scope: local
bookworm: resolved (fixed in 4.9.7+dfsg1-1)
bullseye: resolved (fixed in 4.9.7+dfsg1-1)
forky: resolved (fixed in 4.9.7+dfsg1-1)
sid: resolved (fixed in 4.9.7+dfsg1-1)
trixie: resolved
GHSA
GHSA-v8xj-g4jr-hwhf: WordPress through 4
ghsa_unreviewed · 2022-05-13 · CVE-2018-12895 · HIGH · CWE-22
OSV
CVE-2018-12895: WordPress through 4
osv · 2018-06-26 · CVSS 8.8 · HIGH
No detection rules found.
Exploit-DB
Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
exploitdb · 2021-10-25 · CVSS 8.8 · HIGH
---
# Exploit Title: Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
# Date: 04/08/2021
# Exploit Author: samguy
# Vulnerability Discovery By: Slavco Mihajloski & Karim El Ouerghemmi
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/wordpress-4.9.6.tar.gz
# Version: 4.9.6
# Tested on: Linux - Debian Buster (PHP 7.3)
# Ref : https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution
# EDB : EDB-44949
# CVE : CVE-2018-12895
/*
Usage:
1. Login to wordpress with privileges of an author
2. Navigate to Media > Add New > Select Files > Open/Upload
3. Click Edit > Open Developer Console > Paste this exploit script
4. Execute the function, eg: unlink_thumb("../../../../wp-confi
Metasploit
Wordpress Arbitrary File Deletion
metasploit
An arbitrary file deletion vulnerability in the WordPress core allows any user with privileges of an Author to completely take over the WordPress site and to execute arbitrary code on the server.
Bugzilla
CVE-2018-12895 wordpress: Author users can execute arbitrary code by leveraging directory traversal on the wp-admin/post.php thumb parameter [epel-all]
bugzilla · 2018-06-27 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedp
Bugzilla
CVE-2018-12895 wordpress: Author users can execute arbitrary code by leveraging directory traversal on the wp-admin/post.php thumb parameter [fedora-all]
bugzilla · 2018-06-27 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bugzilla
CVE-2018-12895 wordpress: Author users can execute arbitrary code by leveraging directory traversal on the wp-admin/post.php thumb parameter
bugzilla · 2018-06-27 · CVSS 8.8 · HIGH
References:
- http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html
- http://www.securityfocus.com/bid/104569
- https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
- https://lists.debian.org/debian-lts-announce/2018/07/msg00046.html
- https://wpvulndb.com/vulnerabilities/9100
- https://www.debian.org/security/2018/dsa-4250