Description
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
Remediation
References
Related Vulnerabilities
MySQL CVE-2016-5439 Vulnerability (CVE-2016-5439)
WordPress Plugin VK Gallery TimThumb Arbitrary File Upload (1.1.0)
MySQL CVE-2014-4260 Vulnerability (CVE-2014-4260)
WordPress 4.7.x Multiple Vulnerabilities (4.7 - 4.7.9)
Python Improper Neutralization of CRLF Sequences ('CRLF Injection') Vulnerability (CVE-2019-9947)