CVE-2018-20148 — Deserialization of Untrusted Data in Wordpress

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

54.9%

top 1.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Debian Linux

Timeline

PublishedDec 14

Latest updateMay 14

Description

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 5.0.1+dfsg1-1 (bookworm)

▶NVDwordpress/wordpress5.0 — 5.0.1+1

▶Debianwordpress/wordpress< 5.0.1+dfsg1-1+3

Also affects: Debian Linux 8.0, 9.0

🔴Vulnerability Details

GHSA

GHSA-jgj7-cghf-2wq9: In WordPress before 4↗2022-05-14

▶

OSV

CVE-2018-20148: In WordPress before 4↗2018-12-14

▶

📋Vendor Advisories

Debian

CVE-2018-20148: wordpress - In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP o...↗2018

▶