CVE-2018-20148

2018-12-14T20:29:00
ID CVE-2018-20148
Type cve
Reporter cve@mitre.org
Modified 2019-03-04T14:19:00

Description

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.
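A defensive check for the class of bug described above, as an added example that is not WordPress's code or its patch: a file name read from stored metadata is refused if it carries a stream-wrapper scheme such as phar://, and is confined to one directory before any filesystem function touches it. The helper name `resolve_metadata_path`, the demo directory and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not WordPress code): resolve a file name taken from
 * stored metadata to a real file inside $baseDir, or return null.
 */
function resolve_metadata_path(string $baseDir, string $fromMetadata): ?string
{
    // Refuse any "scheme://" prefix (phar://, php://, zip://, ...) so that a
    // stream wrapper never reaches file_exists(), is_file(), unlink(), etc.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $fromMetadata) === 1) {
        return null;
    }
    // Refuse NUL bytes and ".." traversal segments.
    if (strpos($fromMetadata, "\0") !== false
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $fromMetadata) === 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $fromMetadata);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed demo directory and sample metadata values.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads-demo';
if (!is_dir($base)) {
    mkdir($base);
}
file_put_contents($base . DIRECTORY_SEPARATOR . 'thumb.jpg', 'x');

$samples = [
    'thumb.jpg',                          // ordinary file name
    'phar://' . $base . '/thumb.jpg',     // stream-wrapper URL
    'PHAR://' . $base . '/thumb.jpg',     // scheme match is case-insensitive
    '../thumb.jpg',                       // traversal attempt
];
foreach ($samples as $value) {
    printf("%-60s => %s\n", $value, var_export(resolve_metadata_path($base, $value), true));
}
```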