Lucene search

GoogleOSV:CVE-2018-20149

HistoryDec 14, 2018 - 8:29 p.m.

CVE-2018-20149

2018-12-1420:29:00

Google

osv.dev

6.6 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

41.1%

JSON

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

CPENameOperatorVersion
wordpresseq4.9.8

CPE	Name	Operator	Version
	wordpress	eq	4.9.8

References

www.securityfocus.com/bid/106220

codex.wordpress.org/Version_4.9.9

github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a

lists.debian.org/debian-lts-announce/2019/02/msg00019.html

wordpress.org/news/2018/12/wordpress-5-0-1-security-release/

wordpress.org/support/wordpress-version/version-5-0-1/

wpvulndb.com/vulnerabilities/9175

www.debian.org/security/2019/dsa-4401

www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/