Description
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.
References
- Third Party Advisory, VDB Entry
- Exploit, Third Party Advisory
- Product, Vendor Advisory
- Mailing List, Third Party Advisory
- Release Notes, Vendor Advisory
- Release Notes, Vendor Advisory
- Vendor Advisory
- Third Party Advisory
- Press/Media Coverage, Third Party Advisory
- Press/Media Coverage, Third Party Advisory
Vulnerable configurations
One of
One of
EPSS
CVSS3: 9.8 Critical
CVSS2: 7.5 High
Weaknesses