|
|
|||
| Rule General Information |
|---|
| Release Date: | 2020-05-14 | |
| Rule Name: | WordPress Core _wp_attached_file Post Edit Directory Traversal Vulnerability (CVE-2019-8943) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring. | |
| Impact: | An attacker can abtain sensitive information of the target victim, and do malicious actions to gain profits using the information. | |
| Affected OS: | Windows, Linux, Others | |
| Reference: | SecurityFocusBID:107089 ExploitDB:46511 http://packetstormsecurity.com/files/152396/WordPress-5.0.0-crop-image-Shell-Upload.html http://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: http://www.wordpress.org/ |