7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
0.018 Low
EPSS
Percentile
88.1%
Package : wordpress
Version : 4.1.25+dfsg-1+deb8u1
CVE ID : CVE-2018-20147 CVE-2018-20148 CVE-2018-20149
CVE-2018-20150 CVE-2018-20151 CVE-2018-20152
CVE-2018-20153
Debian Bug : 916403
CVE-2018-20147
Authors could modify metadata to bypass intended restrictions on
deleting files.
CVE-2018-20148
Contributors could conduct PHP object injection attacks via crafted
metadata in a wp.getMediaItem XMLRPC call. This is caused by
mishandling of serialized data at phar:// URLs in the
wp_get_attachment_thumb_file function in wp-includes/post.php.
CVE-2018-20149
When the Apache HTTP Server is used, authors could upload crafted
files that bypass intended MIME type restrictions, leading to XSS,
as demonstrated by a .jpg file without JPEG data.
CVE-2018-20150
Crafted URLs could trigger XSS for certain use cases involving
plugins.
CVE-2018-20151
The user-activation page could be read by a search engine's web
crawler if an unusual configuration were chosen. The search engine
could then index and display a user's e-mail address and (rarely)
the password that was generated by default.
CVE-2018-20152
Authors could bypass intended restrictions on post types via crafted
input.
CVE-2018-20153
Contributors could modify new comments made by users with greater
privileges, possibly causing XSS.
For Debian 8 "Jessie", these problems have been fixed in version
4.1.25+dfsg-1+deb8u1.
We recommend that you upgrade your wordpress packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
0.018 Low
EPSS
Percentile
88.1%