CVE-2018-20148
Published: 2018-12-14
Priority: P2 (62) · Severity: critical 9.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 30.89% (98.0th percentile)
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | wordpress | < wordpress 5.0.1+dfsg1-1 (bookworm) | wordpress 5.0.1+dfsg1-1 (bookworm) |
| wordpress | wordpress | < 4.9.9 | 4.9.9 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 5.0 < 5.0.1 | 5.0.1 |
Detection & IOCs (extracted from sources)
- Monitor XMLRPC calls to wp.getMediaItem containing crafted/serialized metadata; PHP object injection is triggered via malicious metadata submitted through this method.
- Detect phar:// URL scheme usage in file path parameters processed by WordPress, particularly in attachment/thumbnail handling code paths, as this is the vector for deserialization.
- Exploitation requires the attacker to have at least Contributor-level access to the WordPress site; unauthenticated exploitation is not possible.
- Vulnerable versions are WordPress before 4.9.9 and 5.x before 5.0.1; patched versions (5.0.1+dfsg1-1 on Debian) resolve the issue.
CVSS provenance
- NVD (v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- OSV: 9.8 CRITICAL
- Debian (vendor): 9.8 CRITICAL
Debian (vendor_debian · 2018 · CVSS 9.8)
CVE-2018-20148 [CRITICAL]: wordpress
Scope: local
bookworm: resolved (fixed in 5.0.1+dfsg1-1)
bullseye: resolved (fixed in 5.0.1+dfsg1-1)
forky: resolved (fixed in 5.0.1+dfsg1-1)
sid: resolved (fixed in 5.0.1+dfsg1-1)
trixie: resolved (fixed in 5.0.1+dfsg1-1)
GHSA (ghsa_unreviewed · 2022-05-14)
GHSA-jgj7-cghf-2wq9 / CVE-2018-20148 [CRITICAL], CWE-502
OSV (osv · 2018-12-14 · CVSS 9.8)
CVE-2018-20148 [CRITICAL]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.