Description
In WordPress before 4.9.9 and 5.x before 5.0.1, a user with the Contributor role could conduct a PHP object injection attack by supplying crafted metadata in a wp.getMediaItem XML-RPC call. The flaw stems from the wp_get_attachment_thumb_file function in wp-includes/post.php mishandling serialized data reachable through phar:// URLs.
Remediation
References
Related Vulnerabilities
WordPress Plugin PI Button includes Backdoor [Only if downloaded via the vendor website] (3.3.3)
Collabtive Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2015-0258)
Oracle JRE CVE-2018-2811 Vulnerability (CVE-2018-2811)
Django Incorrect Regular Expression Vulnerability (CVE-2018-7537)