Lucene search

MitreCVELIST:CVE-2018-20149

HistoryDec 14, 2018 - 8:00 p.m.

CVE-2018-20149

2018-12-1420:00:00

mitre

www.cve.org

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.1%

JSON

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

References

www.securityfocus.com/bid/106220

codex.wordpress.org/Version_4.9.9

github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a

lists.debian.org/debian-lts-announce/2019/02/msg00019.html

wordpress.org/news/2018/12/wordpress-5-0-1-security-release/

wordpress.org/support/wordpress-version/version-5-0-1/

wpvulndb.com/vulnerabilities/9175

www.debian.org/security/2019/dsa-4401

www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/