CVE-2019-8943
published 2019-02-20

Priority: P2 (69) · Severity: medium, 6.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploit: public exploit available
EPSS: 91.98% (99.8th percentile)
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

Affected (11 ranges)

Vendor         Product        Version range                          Fixed in
baserproject   basercms       >= 0 < 5.2.3                           5.2.3
debian         debian_linux   -                                      -
debian         wordpress      < wordpress 5.0.1+dfsg1-1 (bookworm)   wordpress 5.0.1+dfsg1-1 (bookworm)
debian         wordpress      -                                      -
wordpress      wordpress      < 4.9.9                                4.9.9
wordpress      wordpress      <= 5.0.3                               -
wordpress      wordpress      -                                      -
wordpress      wordpress      >= 0 < 5.0.1+dfsg1-1                   5.0.1+dfsg1-1
wordpress      wordpress      >= 0 < 5.0.1+dfsg1-1                   5.0.1+dfsg1-1
wordpress      wordpress      >= 0 < 5.0.1+dfsg1-1                   5.0.1+dfsg1-1
wordpress      wordpress      >= 0 < 5.0.1+dfsg1-1                   5.0.1+dfsg1-1

Detection & IOCs (extracted from sources)

  filename   evil1.jpg?../../evil1.jpg
  url        hxxps[:]//vulenrablewesbite/wp-content/uploads/evil1.jpg?../../evil1.jpg
  filename   .jpg?/../../file.jpg
  • Detect directory traversal sequences (e.g., ../) appearing in URI query strings targeting WordPress wp-content/uploads paths, as used in the CVE-2019-8943 path traversal exploit.
  • Monitor POST requests to WordPress media/post edit endpoints for the presence of a 'file' parameter in the request body, which is anomalous and indicative of CVE-2019-8942 exploitation (chained with CVE-2019-8943).
  • Alert on image filenames containing two image extensions combined with ../ path traversal sequences (e.g., matching pattern *.jpg?../../*.jpg) in WordPress crop-image requests.
  • Monitor for changes to the _wp_attached_file meta_key in the WordPress postmeta database table to values containing path traversal sequences, which indicates active exploitation.
  • The Metasploit module wp_crop_rce targets WordPress 5.0.0 and <= 4.9.8 on Unix-based systems. In the chained exploit the cropped image is written to the attacker-chosen path and a post's _wp_page_template is then pointed at that image through the edit-post action (the CVE-2019-8942 half of the chain); detect attempts by monitoring edit-post requests and postmeta writes that set _wp_page_template to an uploaded image filename, since the crop-image request itself never touches that key.
  • The URL-based fallback in wp_crop_image (which the exploit relies on when the crafted path does not exist on disk) exists to support sites whose uploads are replicated elsewhere by plugins; if the server cannot fetch its own upload URLs, the URL-based attack path may not be available.
  • The Metasploit exploit module for this vulnerability only works on Unix-based systems.
  • Exploitation requires the attacker to have at least author-level privileges on the WordPress site.
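The detection bullets above describe patterns in request URLs, POST bodies and wp_postmeta writes. The following is an added example, not code from the source page or from WordPress, that turns those patterns into checks and runs them over a handful of constructed events (the sample requests, the `/wp-admin/post.php` endpoint as the edit-post target, and the postmeta values are assumptions modelled on the IOCs listed above, not captured telemetry). It decodes percent-encoding before matching so `%2e%2e%2f` variants do not slip past the traversal rule.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample events, not real telemetry: (method, request URL, POST body parameters).
SAMPLE_EVENTS = [
    ("GET", "/wp-content/uploads/2019/02/photo.jpg", {}),
    ("GET", "/wp-content/uploads/evil1.jpg?../../evil1.jpg", {}),
    # same request, percent-encoded so it does not look like a query string to a naive filter
    ("GET", "/wp-content/uploads/evil1.jpg%3F..%2F..%2Fevil1.jpg", {}),
    ("POST", "/wp-admin/post.php",
     {"action": "editpost", "post_ID": "123", "file": "evil1.jpg?/../../evil1.jpg"}),
    ("POST", "/wp-admin/post.php",
     {"action": "editpost", "post_ID": "123", "post_title": "hello"}),
]

IMAGE_EXT = r"\.(?:jpe?g|png|gif)"
# A ".." path component anywhere in the string (forward or back slash delimited).
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Image extension, "?", optional "/", one or more "../", then a second image extension at the end:
# the shape of the CVE-2019-8943 filename (e.g. ".jpg?/../../file.jpg").
DOUBLE_EXT_TRAVERSAL = re.compile(
    IMAGE_EXT + r"\?/?(?:\.\./)+[^?]*" + IMAGE_EXT + r"$", re.IGNORECASE)


def decode(value: str) -> str:
    """Percent-decode twice so single- and double-encoded traversal variants normalise."""
    return unquote(unquote(value))


def check_request(method: str, url: str, body_params: dict) -> list:
    """Return the names of the detection rules that fire for one HTTP request."""
    findings = []
    decoded = decode(url)
    parts = urlsplit(decoded)
    # Rule: traversal sequence in the query string of a wp-content/uploads URL.
    if parts.path.startswith("/wp-content/uploads/") and TRAVERSAL.search(parts.query):
        findings.append("traversal-in-uploads-query")
    # Rule: two image extensions combined with ../ anywhere in the URL.
    if DOUBLE_EXT_TRAVERSAL.search(decoded):
        findings.append("double-extension-traversal")
    # Rule: edit-post POST carrying a 'file' parameter (CVE-2019-8942 side of the chain).
    if method.upper() == "POST" and parts.path.endswith("/wp-admin/post.php") and "file" in body_params:
        findings.append("post-edit-with-file-param")
    # Rule: the crafted filename shape inside any POST body value.
    if any(DOUBLE_EXT_TRAVERSAL.search(decode(v)) for v in body_params.values()):
        findings.append("double-extension-traversal-in-body")
    return findings


def check_postmeta(meta_key: str, meta_value: str):
    """Flag wp_postmeta writes associated with the chained exploit, else return None."""
    value = decode(meta_value)
    if meta_key == "_wp_attached_file" and TRAVERSAL.search(value):
        return "attached-file-traversal"
    if meta_key == "_wp_page_template" and re.search(IMAGE_EXT + r"$", value, re.IGNORECASE):
        return "page-template-points-at-image"
    return None


def scan_events(events=SAMPLE_EVENTS) -> dict:
    """Map event index -> findings for every event that fires at least one rule."""
    hits = {}
    for i, (method, url, body) in enumerate(events):
        findings = check_request(method, url, body)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for i, findings in scan_events().items():
        print(i, SAMPLE_EVENTS[i][0], SAMPLE_EVENTS[i][1], findings)
    # Postmeta values below are constructed from the IOCs above.
    print(check_postmeta("_wp_attached_file", "evil1.jpg?/../../evil1.jpg"))
    print(check_postmeta("_wp_page_template", "cropped-evil1.jpg"))
```

A plain web-server access log only shows the request line, so the first two rules work on access logs; the POST-body rules need a WAF or ModSecurity audit log that records bodies, and the postmeta rules need either database audit logging or a periodic query over wp_postmeta for the two keys.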

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd             v2.0      4.0     MEDIUM     AV:N/AC:L/Au:S/C:N/I:P/A:N
osv             -         8.8     HIGH       -
vulncheck       -         8.8     HIGH       -
vendor_debian   -         8.8     HIGH       -