CVE-2019-8942
Published 2019-02-20
Priority P185 · high · 8.8 (CVSS 3.0)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS
82.74%
99.6th percentile
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | wordpress | < wordpress 5.0.1+dfsg1-1 (bookworm) | wordpress 5.0.1+dfsg1-1 (bookworm) |
| wordpress | wordpress | < 4.9.9 | 4.9.9 |
| wordpress | wordpress | — | — |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.0.1+dfsg1-1 | 5.0.1+dfsg1-1 |
Detection & IOCs
- Detect path traversal sequences in URI query strings: an attacker-crafted request uses a 'file' parameter containing directory traversal sequences (e.g., ../../) to modify the _wp_attached_file meta_key value.
- Apply Trend Micro Deep Security DPI rule 1009544 ('WordPress Image Remote Code Execution Vulnerability (CVE-2019-8942)') and rule 1005933 ('Identified Directory Traversal Sequence In Uri Query') to detect exploitation attempts.
- The Metasploit module for this CVE (wp_crop_rce) changes the _wp_page_template attribute when creating a post to include the malicious image in the current theme; monitor for unexpected _wp_page_template modifications by author-level users.
- Exploitation of CVE-2019-8943 (path traversal via wp_crop_image) requires CVE-2019-8942 to be exploited first to modify the _wp_attached_file meta_key; patching CVE-2019-8942 alone renders CVE-2019-8943 non-exploitable.
- The URL-based file fetch fallback in wp_crop_image (which enables the path traversal save) requires file replication plugins to be installed on the WordPress site; exploitation via this vector is conditional on that plugin presence.
- The Metasploit exploit module (wp_crop_rce) only works on Unix-based systems.
- Exploitation requires the attacker to have at least author-level privileges on the WordPress site; unauthenticated exploitation is not possible.
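A defender-side sketch of the first check above, added here as an example (it is not code from any of the quoted sources): it audits `_wp_attached_file` values as exported from the `wp_postmeta` table and flags directory traversal in URI query parameters, including double-encoded forms. The function names, reason labels and sample rows are constructed for illustration, and treating any `?` in a stored path as suspicious is an assumption of this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# A ".." path segment delimited by "/" or "\" (or by the string boundary).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Script extensions that have no place in an image attachment path.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)\b", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def audit_attached_file(meta_value):
    """Return the reasons a _wp_attached_file value looks tampered ([] means clean)."""
    value = fully_decode(meta_value)
    reasons = []
    if "?" in value:  # assumption: a legitimate stored file path has no "?"
        reasons.append("query-delimiter")
    if TRAVERSAL.search(value):
        reasons.append("path-traversal")
    if SCRIPT_EXT.search(value):
        reasons.append("script-extension")
    return reasons


def audit_query_string(url):
    """Return the names of query parameters whose decoded value contains traversal."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if TRAVERSAL.search(fully_decode(value)):
            hits.append(name)
    return hits


def scan_meta_rows(rows):
    """Map post_id -> reasons for every flagged (post_id, meta_value) row."""
    audited = ((post_id, audit_attached_file(value)) for post_id, value in rows)
    return {post_id: reasons for post_id, reasons in audited if reasons}


# Constructed sample data: (post_id, meta_value) rows for meta_key "_wp_attached_file".
SAMPLE_META = [
    (101, "2019/02/team-photo.jpg"),
    (102, "2019/02/banner.jpg?file.php"),
    (103, "2019/02/banner.jpg?/../../copy.jpg"),
]
# Constructed sample request lines.
SAMPLE_URLS = [
    "/wp-admin/post.php?post=101&action=edit",
    "/index.php?id=3&file=..%2F..%2Fcopy.jpg",
    "/index.php?file=%252e%252e%252fcopy.jpg",
]

if __name__ == "__main__":
    for post_id, reasons in scan_meta_rows(SAMPLE_META).items():
        print(f"post {post_id}: {', '.join(reasons)}")
    for url in SAMPLE_URLS:
        print(url, "->", audit_query_string(url) or "clean")
```

A flagged row on a patched site is still worth reviewing, since the meta value may have been altered before the update was applied.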
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
osv8.8HIGH
vulncheck8.8HIGH
vendor_debian8.8HIGH
GHSA
GHSA-rwhm-6hw4-9fgg: WordPress before 4
ghsa_unreviewed·2022-05-13·CVSS 6.5
CVE-2019-8942 [MEDIUM] CWE-434 GHSA-rwhm-6hw4-9fgg: WordPress before 4
OSV
CVE-2019-8942: WordPress before 4
osv·2019-02-20·CVSS 8.8
CVE-2019-8942 [HIGH] CVE-2019-8942: WordPress before 4
VulnCheck
WordPress wordpress Unrestricted Upload of File with Dangerous Type
vulncheck·2019·CVSS 8.8
CVE-2019-8942 [HIGH] WordPress wordpress Unrestricted Upload of File with Dangerous Type
Affected: WordPress wordpress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
Exploit PoC: https://vulncheck.com/xdb/8bf043a44c24; https://vu
Debian
CVE-2019-8942: wordpress - WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because...
vendor_debian·2019·CVSS 8.8
CVE-2019-8942 [HIGH] CVE-2019-8942: wordpress - WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because...
Scope: local
bookworm: resolved (fixed in 5.0.1+dfsg1-1)
bullseye: resolved (fixed in 5.0.1+dfsg1-1)
forky: resolved (fixed in 5.0.1+dfsg1-1)
sid: resolved (fixed in 5.0.1+dfsg1-1)
trixie: resolved (fixed in 5.0.1+dfsg1-1)
No detection rules found.
Exploit-DB
WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)
exploitdb·2019-04-05
CVE-2019-8943 WordPress Core 5.0.0 - Crop-image Shell Upload (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'WordPress Crop-image Shell Upload',
'Description' => %q{
This module exploits a path traversal and a local file inclusion
vulnerability on WordPress versions 5.0.0 and MSF_LICENSE,
'Author' =>
[
'RIPSTECH Technology', # Discovery
'Wilfried Becard ' # Metasploit module
],
'References' =>
[
[ 'CVE', '2019-8942' ],
[ 'CVE', '2019-8943' ],
[ 'URL', 'https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/']
],
'DisclosureDate' => 'Feb 19 2019',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['WordPress', {}]],
'DefaultTarget' => 0
))
register_opti
Exploit-DB
WordPress Core 5.0 - Remote Code Execution
exploitdb·2019-03-01
CVE-2019-8943 WordPress Core 5.0 - Remote Code Execution
---
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00
Metasploit
WordPress Crop-image Shell Upload
metasploit
This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and <= 4.9.8. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post. This exploit module only works for Unix-based systems currently.
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
[HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
## Network Attack Trends: Internet of Threats (November 2020-January 2021)
Lei Xu
Yue Guan
Vaibhav Singhal
Published: April 12, 2021
Trendmicro
Remote Code Execution Vulnerabilities in WordPress
blogs_trendmicro·2019-03-01·CVSS 8.8
[HIGH] Remote Code Execution Vulnerabilities in WordPress
Exploitation of Vulnerabilities
## Remote Code Execution Vulnerabilities in WordPress
Thanks to its rich functionality and ease of use, WordPress is behind nearly 33 percent of today's websites. That also makes the CMS an obvious target for cybercriminals.
By: Suraj Sahu, Jayesh Patel · Mar 01, 2019
Original post by Suraj Sahu and Jayesh Patel, Vulnerability Researchers
The open-source content management system WordPress is behind nearly 33 percent of today's websites thanks to its rich functionality and ease of use. That also makes the CMS an obvious target for cybercriminals, and it takes only a single vulnerability for the criminals behind the attacks
Trendmicro
Wordpress: Analyzing CVE-2019-8942 and CVE-2019-8943
blogs_trendmicro·2019-02-26·CVSS 8.8
CVE-2019-8942 [HIGH] Wordpress: Analyzing CVE-2019-8942 and CVE-2019-8943
Exploits & Vulnerabilities
## Wordpress: Analyzing CVE-2019-8942 and CVE-2019-8943
This blog post expounds the technical details of the vulnerabilities CVE-2019-8942 and CVE-2019-8943, specifically, what a potential attack could look like and the parameters that are added to take advantage of a vulnerable WordPress site.
By: Suraj Sahu, Jayesh Patel · Feb 26, 2019
With its open-source, feature-rich, and user-friendly content management system (CMS), WordPress powers nearly 33 percent of today’s websites. This popularity is also what makes them an obvious cybercriminal target. All it could take is a vulnerability to gain a foothold on a website’s sensitive data. This could be compounded by security issues that can be brought by outdated websites or use o
Bugzilla
CVE-2019-8942 wordpress: Author users can execute arbitrary code by leveraging path traversal
bugzilla·2019-02-20·CVSS 8.8
CVE-2019-8942 [HIGH] CVE-2019-8942 wordpress: Author users can execute arbitrary code by leveraging path traversal
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because
an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such
as one ending with a .jpg?file.php substring. An attacker with author privileges
can execute arbitrary code by uploading a crafted image containing PHP code in
the Exif metadata. Exploitation can leverage CVE-2019-8943.
Reference:
https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
Discussion:
Created wordpress tracking bugs for this issue:
Affects: fedora-all [bug 1679154]
---
Created wordpress tracking bugs for this issue:
Affects: epel-all [bug 1679155]
---
This CVE Bugzilla entry is for community support in
Bugzilla
CVE-2019-8942 CVE-2019-8943 wordpress: various flaws [fedora-all]
bugzilla·2019-02-20·CVSS 8.8
CVE-2019-8942 [HIGH] CVE-2019-8942 CVE-2019-8943 wordpress: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora.
Bugzilla
CVE-2019-8942 CVE-2019-8943 wordpress: various flaws [epel-all]
bugzilla·2019-02-20·CVSS 8.8
CVE-2019-8942 [HIGH] CVE-2019-8942 CVE-2019-8943 wordpress: various flaws [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora EPEL.
- http://packetstormsecurity.com/files/152396/WordPress-5.0.0-crop-image-Shell-Upload.html
- http://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
- http://www.securityfocus.com/bid/107088
- https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
- https://lists.debian.org/debian-lts-announce/2019/03/msg00044.html
- https://wpvulndb.com/vulnerabilities/9222
- https://www.debian.org/security/2019/dsa-4401
- https://www.exploit-db.com/exploits/46511/
- https://www.exploit-db.com/exploits/46662/
2019-02-20
Published
Exploited in the wild