CVE-2018-12895
published 2018-06-26

Priority: P274 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 62.56% (99.1th percentile)
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

Affected (8 ranges)

Vendor      Product        Version range                           Fixed in
debian      debian_linux
debian      debian_linux
debian      wordpress      < wordpress 4.9.7+dfsg1-1 (bookworm)    wordpress 4.9.7+dfsg1-1 (bookworm)
wordpress   wordpress      < 4.9.7                                 4.9.7
wordpress   wordpress      >= 0, < 4.9.7+dfsg1-1                   4.9.7+dfsg1-1
wordpress   wordpress      >= 0, < 4.9.7+dfsg1-1                   4.9.7+dfsg1-1
wordpress   wordpress      >= 0, < 4.9.7+dfsg1-1                   4.9.7+dfsg1-1
wordpress   wordpress      >= 0, < 4.9.7+dfsg1-1                   4.9.7+dfsg1-1

Detection & IOCs (extracted from sources)

path:     wp-admin/post.php
path:     ../../../../wp-config.php
command:  action=editattachment&_wpnonce=<nonce>&thumb=../../../../wp-config.php
path:     wp-includes/post.php
  • Monitor POST requests to wp-admin/post.php where the 'thumb' parameter contains directory traversal sequences (e.g., '../') pointing outside the uploads directory, particularly targeting wp-config.php. Match after URL-decoding the value, so that encoded forms such as '%2e%2e%2f' are caught as well.
  • Detect POST requests to wp-admin/post.php with body parameter 'action=editattachment' combined with a 'thumb' value containing '../' traversal sequences. The value is stored in the attachment's metadata; the unlink happens in wp_delete_attachment (wp-includes/post.php) when that attachment is later deleted, so a follow-up deletion of the same attachment by the same user is the second half of the attack.
  • Alert on deletion or absence of wp-config.php followed by a WordPress installation request (wp-admin/setup-config.php or wp-admin/install.php), which indicates the attacker is attempting privilege escalation via re-installation.
  • Flag authenticated requests (Author/Editor role) to wp-admin/post.php with a 'thumb' POST parameter: Authors should not be submitting thumbnail path values that traverse outside the media upload directory.
  • The exploit requires the attacker to already be authenticated with at least Author-level privileges; unauthenticated exploitation is not possible.
  • The exploit uses a valid WordPress nonce (_wpnonce) extracted from the edit attachment page, meaning the attacker must first navigate to a media attachment edit page to obtain a live nonce before launching the deletion request.
  • The vulnerability is fixed in WordPress 4.9.7 and later; affected versions are 4.9.6 and below.
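The detection rules above, applied to a request log, as an added example written for this page (it is not code from the advisory, the cited sources, or WordPress itself). The one-line log format it parses (METHOD PATH?PARAMS user=LOGIN, with POST body parameters merged into PARAMS) and the sample entries are constructed assumptions; adapt parse_line() to your own WAF or access-log schema. It decodes the 'thumb' value before matching, distinguishes a traversal from a merely unexpected 'thumb', and correlates a later installer request with an earlier traversal.

```python
"""Detection heuristics for CVE-2018-12895 over a request log.

Added example for this page; not code from the advisory, its sources, or
WordPress. The one-line log format (METHOD PATH?PARAMS user=LOGIN, POST
body parameters merged into PARAMS) is an assumption: adapt parse_line()
to your own WAF or access-log schema.
"""
import posixpath
from urllib.parse import parse_qs, unquote

# Constructed sample log, not real traffic: an Author stores a traversal
# thumb value (twice, once URL-encoded), an Editor submits a harmless thumb
# value, the attachment is deleted, and then the installer is requested.
SAMPLE_LOG = """\
GET /wp-admin/post.php?post=42&action=edit user=author1
POST /wp-admin/post.php?post=42&action=editattachment&_wpnonce=abcd1234&thumb=../../../../wp-config.php user=author1
POST /wp-admin/post.php?post=42&action=editattachment&_wpnonce=abcd1234&thumb=%2e%2e%2f%2e%2e%2fwp-config.php user=author1
POST /wp-admin/post.php?post=43&action=editattachment&_wpnonce=abcd1234&thumb=image-150x150.jpg user=editor2
POST /wp-admin/post.php?post=42&action=delete&_wpnonce=abcd1234 user=author1
GET /wp-admin/setup-config.php user=-
POST /wp-admin/install.php user=-
GET /wp-login.php user=-
"""

INSTALLER_PATHS = ("/wp-admin/setup-config.php", "/wp-admin/install.php")


def parse_line(line):
    """Split one constructed log line into method, path, params and user."""
    method, request, user = line.split(" ", 2)
    path, _, query = request.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return {"method": method, "path": path, "params": params,
            "user": user.split("=", 1)[1]}


def traverses_outside(thumb):
    """True if a thumb value escapes the attachment's own directory.

    The value is URL-decoded twice (to catch double encoding), backslashes
    are treated as separators, and the path is normalised so that
    'sub/../image.jpg' (which stays inside) is not flagged while '../x' is.
    """
    decoded = unquote(unquote(thumb)).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    norm = posixpath.normpath(decoded)
    return norm == ".." or norm.startswith("../")


def scan(log_text):
    """Return (line_no, rule, user, detail) alerts for the rules on the page."""
    alerts = []
    traversal_seen = False
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    for line_no, raw in enumerate(lines, 1):
        rec = parse_line(raw)
        if rec["method"] == "POST" and rec["path"] == "/wp-admin/post.php":
            thumb = rec["params"].get("thumb")
            if thumb is None:
                continue
            if traverses_outside(thumb):
                # The value is stored in attachment metadata here; unlink()
                # runs later, in wp_delete_attachment, when the attachment
                # is deleted.
                alerts.append((line_no, "traversal_thumb", rec["user"], thumb))
                traversal_seen = True
            else:
                # Authors/Editors have no legitimate reason to submit 'thumb'
                # at all, so a non-traversing value is still worth a look.
                alerts.append((line_no, "unexpected_thumb", rec["user"], thumb))
        elif traversal_seen and rec["path"] in INSTALLER_PATHS:
            # Installer reachable after a traversal: wp-config.php is likely gone.
            alerts.append((line_no, "reinstall_after_traversal",
                           rec["user"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields two traversal_thumb alerts for author1 (the second from the URL-encoded value), one unexpected_thumb for editor2, and two reinstall_after_traversal alerts for the installer hits that follow. The installer correlation is only meaningful when an earlier traversal was seen from the same site; on a fresh install those paths are legitimately requested, so keep that rule tied to the preceding traversal rather than firing on its own.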

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
osv                       8.8     HIGH
vendor_debian             8.8     HIGH