Description
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XML-RPC call. The cause is mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php: a phar:// path carried in attachment metadata reaches PHP filesystem functions, and PHP deserializes the archive's metadata when it opens the stream.
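As an added example (not WordPress core code), the following shows the kind of defensive path check a hardened wrapper or plugin could apply to attachment metadata before it reaches filesystem functions such as file_exists() or is_file(); the function name and the uploads directory are assumptions.

```php
<?php
// Added example, not WordPress code. Filesystem calls on a phar:// path make PHP
// parse the archive and unserialize its metadata, which is the object-injection
// vector described above. A legitimate attachment path never carries a scheme
// and never leaves the uploads directory, so both conditions are enforced here.

function safe_attachment_file_path(string $candidate, string $uploads_dir): ?string
{
    // Reject any stream-wrapper scheme (phar://, data://, http://, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $candidate)) {
        return null;
    }
    // Reject embedded NUL bytes, which can truncate the path inside PHP internals.
    if (strpos($candidate, "\0") !== false) {
        return null;
    }
    // Resolve the path and require it to stay inside the uploads directory.
    $base = realpath($uploads_dir);
    $path = realpath($uploads_dir . DIRECTORY_SEPARATOR . ltrim($candidate, '/\\'));
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample metadata values, as a caller might receive them (not real WordPress data).
$uploads = sys_get_temp_dir() . '/wp-uploads-demo';
@mkdir($uploads . '/2018/12', 0700, true);
touch($uploads . '/2018/12/photo-150x150.jpg');

$samples = [
    '2018/12/photo-150x150.jpg',     // legitimate thumbnail path: accepted
    'phar://../../evil.phar/x.jpg',  // stream wrapper: rejected before any file call
    '../../../../etc/passwd',        // traversal out of uploads: rejected
];
foreach ($samples as $s) {
    $result = safe_attachment_file_path($s, $uploads);
    printf("%-32s => %s\n", $s, $result === null ? 'REJECTED' : 'ok: ' . $result);
}
```

The scheme check runs before realpath() on purpose: the point is that no filesystem function ever sees the untrusted string while it still carries a stream wrapper.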
Remediation
References