cbcvebase.
CVE-2018-20148
published 2018-12-14

Priority: P262 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 30.89% (98.0th percentile)
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

Affected

9 ranges
Vendor    | Product      | Version range                           | Fixed in
----------|--------------|-----------------------------------------|------------------------------------
debian    | debian_linux |                                         |
debian    | debian_linux |                                         |
debian    | wordpress    | < wordpress 5.0.1+dfsg1-1 (bookworm)    | wordpress 5.0.1+dfsg1-1 (bookworm)
wordpress | wordpress    | < 4.9.9                                 | 4.9.9
wordpress | wordpress    | >= 0 < 5.0.1+dfsg1-1                    | 5.0.1+dfsg1-1
wordpress | wordpress    | >= 0 < 5.0.1+dfsg1-1                    | 5.0.1+dfsg1-1
wordpress | wordpress    | >= 0 < 5.0.1+dfsg1-1                    | 5.0.1+dfsg1-1
wordpress | wordpress    | >= 0 < 5.0.1+dfsg1-1                    | 5.0.1+dfsg1-1
wordpress | wordpress    | >= 5.0 < 5.0.1                          | 5.0.1

Detection & IOCs (extracted from sources)

path: wp-includes/post.php
other: phar://
  • Monitor XMLRPC calls to wp.getMediaItem containing crafted/serialized metadata — PHP object injection is triggered via malicious metadata submitted through this method.
  • Detect phar:// URL scheme usage in file path parameters processed by WordPress, particularly in attachment/thumbnail handling code paths, as this is the vector for deserialization.
  • Exploitation requires the attacker to have at least Contributor-level access to the WordPress site; unauthenticated exploitation is not possible.
  • Vulnerable versions are WordPress before 4.9.9 and 5.x before 5.0.1; patched versions (5.0.1+dfsg1-1 on Debian) resolve the issue.

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|------------------------------------------------
nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |