Description

WordPress is prone to a directory traversal vulnerability because it fails to sufficiently verify user-supplied input data. Exploiting this issue may allow an attacker to access sensitive information that could aid in further attacks. WordPress versions ranging from 3.7 and up to (and including) 5.0.3 are vulnerable.

Remediation

Edit the source code to ensure that input is properly verified, or apply a fix when available

References

https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/

http://foreversong.cn/archives/1364

Related Vulnerabilities

phpMyAdmin Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2009-1285)

OpenSSL NULL Pointer Dereference Vulnerability (CVE-2023-0216)

CrushFTP Server Deserialization of Untrusted Data Vulnerability (CVE-2017-14035)

WordPress Plugin Paid Memberships Pro-Content Restriction, User Registration, & Paid Subscriptions Insecure Direct Object Reference (3.0.4)

Sqlite Use of Uninitialized Resource Vulnerability (CVE-2015-3414)

Severity

High

Classification

CVE-2019-8943 CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Directory Traversal