659336 – (CVE-2018-12895) www-apps/wordpress: Arbitrary Code Execution (CVE-2018-12895)

Bug 659336 (CVE-2018-12895) - www-apps/wordpress: Arbitrary Code Execution (CVE-2018-12895)

Summary: www-apps/wordpress: Arbitrary Code Execution (CVE-2018-12895)

Status:	RESOLVED FIXED

Alias:	CVE-2018-12895

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://blog.ripstech.com/2018/wordpr...
Whiteboard:	~1 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-06-27 08:05 UTC by Florian Schuhmacher
Modified:	2019-04-04 20:47 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Schuhmacher 2018-06-27 08:05:26 UTC

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

Gentoo Security Scout
Florian Schuhmacher

Comment 1 Yury German Gentoo Infrastructure

2019-03-27 04:06:20 UTC

Arches and Maintainer(s), Thank you for your work.

This is no longer in tree, affected version removed.