cbcvebase.
CVE-2019-8942
published 2019-02-20

Priority: P1, 85, high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 82.74% (99.6th percentile)
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

Affected

8 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | wordpress | < wordpress 5.0.1+dfsg1-1 (bookworm) | wordpress 5.0.1+dfsg1-1 (bookworm) |
| wordpress | wordpress | < 4.9.9 | 4.9.9 |
| wordpress | wordpress | | |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |

Detection & IOCs (extracted from sources)

url: hxxps[:]//vulenrablewesbite/wp-content/uploads/evil1.jpg?../../evil1.jpg
  • Detect path traversal sequences in URI query strings — an attacker-crafted request uses a 'file' parameter containing directory traversal sequences (e.g., ../../) to modify the _wp_attached_file meta_key value.
  • Apply Trend Micro Deep Security DPI rule 1009544 ('WordPress Image Remote Code Execution Vulnerability (CVE-2019-8942)') and rule 1005933 ('Identified Directory Traversal Sequence In Uri Query') to detect exploitation attempts.
  • The Metasploit module for this CVE (wp_crop_rce) changes the _wp_page_template attribute when creating a post to include the malicious image in the current theme — monitor for unexpected _wp_page_template modifications by author-level users.
  • Exploitation of CVE-2019-8943 (path traversal via wp_crop_image) requires CVE-2019-8942 to be exploited first to modify the _wp_attached_file meta_key; patching CVE-2019-8942 alone renders CVE-2019-8943 non-exploitable.
  • The URL-based file fetch fallback in wp_crop_image (which enables the path traversal save) requires file replication plugins to be installed on the WordPress site — exploitation via this vector is conditional on that plugin presence.
  • The Metasploit exploit module (wp_crop_rce) only works on Unix-based systems.
  • Exploitation requires the attacker to have at least author-level privileges on the WordPress site — unauthenticated exploitation is not possible.

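CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |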