CVE-2018-12895 - OpenCVE

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Wordpress	Wordpress

Configuration 1 [-]

cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html
http://www.securityfocus.com/bid/104569
https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
https://lists.debian.org/debian-lts-announce/2018/07/msg00046.html
https://wpvulndb.com/vulnerabilities/9100
https://www.debian.org/security/2018/dsa-4250

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-06-26T20:00:00

Updated: 2024-08-05T08:45:02.465Z

Reserved: 2018-06-26T00:00:00

Link: CVE-2018-12895

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-06-26T20:29:00.273

Modified: 2021-11-05T18:42:39.403

Link: CVE-2018-12895

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-06-26T00:00:00", "descriptions": [{"lang": "en", "value": "WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-25T18:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/"}, {"name": "104569", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/104569"}, {"name": "DSA-4250", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4250"}, {"tags": ["x_refsource_MISC"], "url": "https://wpvulndb.com/vulnerabilities/9100"}, {"name": "[debian-lts-announce] 20180730 [SECURITY] [DLA 1452-1] wordpress security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00046.html"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-12895", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/", "refsource": "MISC", "url": "https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/"}, {"name": "104569", "refsource": "BID", "url": "http://www.securityfocus.com/bid/104569"}, {"name": "DSA-4250", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4250"}, {"name": "https://wpvulndb.com/vulnerabilities/9100", "refsource": "MISC", "url": "https://wpvulndb.com/vulnerabilities/9100"}, {"name": "[debian-lts-announce] 20180730 [SECURITY] [DLA 1452-1] wordpress security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00046.html"}, {"name": "http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T08:45:02.465Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/"}, {"name": "104569", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/104569"}, {"name": "DSA-4250", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4250"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpvulndb.com/vulnerabilities/9100"}, {"name": "[debian-lts-announce] 20180730 [SECURITY] [DLA 1452-1] wordpress security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00046.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-12895", "datePublished": "2018-06-26T20:00:00", "dateReserved": "2018-06-26T00:00:00", "dateUpdated": "2024-08-05T08:45:02.465Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCD1A953-9FC5-4AB3-8F74-841B169875A8", "versionEndExcluding": "4.9.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges."}, {"lang": "es", "value": "WordPress hasta la versi\u00f3n 4.9.6 permite que los usuarios Author ejecuten c\u00f3digo arbitrario aprovech\u00e1ndose de un salto de directorio en el par\u00e1metro thumb en wp-admin/post.php que se pasa a la funci\u00f3n unlink en PHP y puede borrar el archivo wp-config.php. Esto est\u00e1 relacionado con la ausencia de validaci\u00f3n de nombres de archivo en la funci\u00f3n wp_delete_attachment en wp-includes/post.php. El atacante debe tener capacidades para archivos y publicaciones que normalmente est\u00e1n disponibles solo para los roles Author, Editor y Administrator. La metodolog\u00eda de ataque es borrar wp-config.php y luego ejecutar un proceso de instalaci\u00f3n nuevo para incrementar los privilegios del atacante."}], "id": "CVE-2018-12895", "lastModified": "2021-11-05T18:42:39.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-26T20:29:00.273", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/104569"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00046.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://wpvulndb.com/vulnerabilities/9100"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4250"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}