ID:1544 - Exploit for Code injection in WordPress - CVE-2019-8942

 

Published: March 18, 2020


Vulnerability identifier: #VU17803
Vulnerability risk: High
CVE-ID: CVE-2019-8942
CWE-ID: CWE-94
Exploitation vector: Remote access
Vulnerable software:
WordPress


Vulnerability description

The vulnerability allows a remote attacker to execute PHP code on the target system.

The weakness exists because the _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. A remote attacker can upload a crafted image containing PHP code in the Exif metadata and execute arbitrary code.

Successful exploitation of the vulnerability allows an attacker to leverage SB2019022004.
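
The following audit check is an added example, not part of the original advisory or of WordPress itself: it flags _wp_attached_file values that do not look like a plain relative upload path, including the .jpg?file.php pattern described above. The allow-list of extensions, the extra checks beyond the "?" case, the function names and the sample rows are assumptions made for illustration.

```python
import re
from posixpath import splitext

# Assumed allow-list of extensions an attachment path may end with.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf"}

# Matches .php, .php5, .phtml, .phar anywhere in the value.
PHP_EXT = re.compile(r"\.ph(p\d?|tml|ar)\b", re.IGNORECASE)


def audit_attached_file(value):
    """Return the reasons a _wp_attached_file value looks tampered with."""
    reasons = []
    # A stored file path has no use for a query string or fragment.
    if "?" in value or "#" in value:
        reasons.append("query-or-fragment")
    if PHP_EXT.search(value):
        reasons.append("php-extension")
    # Assumption: the value is a path relative to the uploads directory.
    if value.startswith("/") or ".." in value.split("/"):
        reasons.append("outside-uploads")
    if splitext(value)[1].lower() not in ALLOWED_EXT:
        reasons.append("unexpected-extension")
    return reasons


def audit_rows(rows):
    """Map post_id -> reasons for every flagged (post_id, meta_value) row."""
    flagged = {}
    for post_id, value in rows:
        reasons = audit_attached_file(value)
        if reasons:
            flagged[post_id] = reasons
    return flagged


# Constructed sample rows, shaped like an export of the postmeta table
# filtered on meta_key = '_wp_attached_file'.
SAMPLE_ROWS = [
    (101, "2019/02/photo.jpg"),
    (102, "2019/02/photo.jpg?file.php"),
    (103, "2019/02/../../photo.jpg"),
]

if __name__ == "__main__":
    for post_id, reasons in audit_rows(SAMPLE_ROWS).items():
        print(post_id, ", ".join(reasons))
```
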

Remediation

The vulnerability has been addressed in versions 4.9.9 and 5.0.1.