Vulnerability Name: | CVE-2018-12895 (CCN-145463) | ||||||||||||||||||||||||||||||||||||||||
Assigned: | 2018-06-26 | ||||||||||||||||||||||||||||||||||||||||
Published: | 2018-06-26 | ||||||||||||||||||||||||||||||||||||||||
Updated: | 2021-11-05 | ||||||||||||||||||||||||||||||||||||||||
Summary: | WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges. | ||||||||||||||||||||||||||||||||||||||||
CVSS v3 Severity: | 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) 7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
7.9 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||||||
CVSS v2 Severity: | 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
| ||||||||||||||||||||||||||||||||||||||||
Vulnerability Type: | CWE-22 | ||||||||||||||||||||||||||||||||||||||||
Vulnerability Consequences: | Gain Access | ||||||||||||||||||||||||||||||||||||||||
References: | Source: MITRE Type: CNA CVE-2018-12895 Source: MISC Type: Exploit, Third Party Advisory, VDB Entry http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html Source: BID Type: Third Party Advisory, VDB Entry 104569 Source: CCN Type: BID-104569 WordPress CVE-2018-12895 Directory Traversal Vulnerability Source: CCN Type: RIPSTECH Blog, 26 Jun 2018 WARNING: WordPress File Delete to Code Execution Source: MISC Type: Third Party Advisory https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/ Source: XF Type: UNKNOWN wp-cve201812895-file-deletion(145463) Source: MLIST Type: Mailing List, Third Party Advisory [debian-lts-announce] 20180730 [SECURITY] [DLA 1452-1] wordpress security update Source: CCN Type: Packet Storm Security [10-25-2021] WordPress 4.9.6 Arbitrary File Deletion Source: CCN Type: WordPress Web site WordPress Source: MISC Type: Third Party Advisory https://wpvulndb.com/vulnerabilities/9100 Source: DEBIAN Type: Third Party Advisory DSA-4250 Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [10-25-2021] Source: CCN Type: WhiteSource Vulnerability Database CVE-2018-12895 | ||||||||||||||||||||||||||||||||||||||||
Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration CCN 1: ![]() | ||||||||||||||||||||||||||||||||||||||||
Oval Definitions | |||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||
BACK |