Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 659336 (CVE-2018-12895) - www-apps/wordpress: Arbitrary Code Execution (CVE-2018-12895)
Summary: www-apps/wordpress: Arbitrary Code Execution (CVE-2018-12895)
Alias: CVE-2018-12895
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: ~1 [noglsa cve]
Depends on:
Reported: 2018-06-27 08:05 UTC by Florian Schuhmacher
Modified: 2019-04-04 20:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schuhmacher 2018-06-27 08:05:26 UTC
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 04:06:20 UTC
Arches and Maintainer(s), Thank you for your work.

This is no longer in tree, affected version removed.