CVE-2018-12895

HIGH

WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion via Post Thumbnail Parameter


Exploitation Summary

EIP tracks 2 public entries for CVE-2018-12895: the Metasploit module auxiliary/scanner/http/wp_arbitrary_file_deletion (Slavco Mihajloski, Karim El Ouerghemmi, Aloïs Thévenot), and a hotfix repository by bloom-ux that mitigates the bug rather than exploiting it.

AI-analyzed exploit summary: an Author-level user edits an attachment through wp-admin/post.php and supplies a traversal path in the thumb parameter. The value is stored unsanitized in the attachment's metadata, and when the attachment is deleted, wp_delete_attachment() joins it to the uploads directory and passes it to unlink(), so the attacker can remove wp-config.php. With the configuration file gone, WordPress offers its installation process again, which the attacker uses to gain an administrator account and, from there, code execution. Of the two tracked entries, the bloom-ux repository is a hotfix that sanitizes the 'thumb' metadata field to block the traversal; only the Metasploit module is an exploit.

Description

WordPress through 4.9.6 allows Author-level users to execute arbitrary code by leveraging directory traversal in the thumb parameter of wp-admin/post.php (the editattachment action). The parameter is stored unvalidated in the attachment's metadata and, when the attachment is later deleted, wp_delete_attachment() in wp-includes/post.php joins it to the uploads directory and passes the result to the PHP unlink function, so a value such as ../../../../wp-config.php deletes the site's configuration file. The flaw is missing filename validation in wp_delete_attachment. The attacker must have the file and post capabilities that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch the new installation process that WordPress presents when the file is missing, which increases the attacker's privileges to administrator of the reinstalled site. Fixed in WordPress 4.9.7.
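How the deleted path is derived from the thumb metadata, and what a directory-containment check refuses, as an added example that is not the page's or WordPress's own code. thumb_path_unchecked() mirrors the str_replace(basename()) plus path_join() derivation the description refers to, and delete_file_from_directory() is modelled on the realpath() containment check WordPress added in 4.9.7 (wp_delete_file_from_directory()); both function names, and the temporary site layout built under the system temp directory, are assumptions of this demo rather than WordPress APIs.

```php
<?php
// Added example (not WordPress's own code): models the thumb-deletion path that
// wp_delete_attachment() took in WordPress <= 4.9.6 and the directory-containment
// check introduced in 4.9.7 (modelled on wp_delete_file_from_directory()).
// Function names are illustrative; the site layout below is constructed for the demo.

function make_demo_site(): string {
    $site    = sys_get_temp_dir() . '/cve-2018-12895-demo-' . getmypid();
    $uploads = $site . '/wp-content/uploads/2018/06';
    if (!is_dir($uploads) && !mkdir($uploads, 0700, true)) {
        throw new RuntimeException("cannot create $uploads");
    }
    file_put_contents($site . '/wp-config.php', "<?php // DB credentials live here\n");
    file_put_contents($uploads . '/image.jpg', 'jpeg bytes');
    file_put_contents($uploads . '/image-150x150.jpg', 'thumb bytes');
    return $site;
}

// How core derived the thumbnail path: the stored 'thumb' value replaces the
// basename of _wp_attached_file and the result is joined to the uploads basedir.
// Nothing here rejects '../' segments, which is the bug.
function thumb_path_unchecked(string $basedir, string $attached_file, string $thumb): string {
    $thumbfile = str_replace(basename($attached_file), $thumb, $attached_file);
    return rtrim($basedir, '/') . '/' . ltrim($thumbfile, '/');   // path_join() equivalent
}

// Hardened deletion: resolve both paths and refuse unless the file sits under the
// directory. realpath() collapses '..' so a traversal string cannot hide from the check.
function delete_file_from_directory(string $file, string $directory): bool {
    $real_file = realpath($file);
    $real_dir  = realpath($directory);
    if ($real_file === false || $real_dir === false) {
        return false;                                   // missing file or directory
    }
    if (strpos($real_file, rtrim($real_dir, '/') . '/') !== 0) {
        return false;                                   // outside $directory: refuse
    }
    return unlink($real_file);
}

$site     = make_demo_site();
$basedir  = $site . '/wp-content/uploads';              // $uploadpath['basedir']
$attached = '2018/06/image.jpg';                        // _wp_attached_file meta
$config   = $site . '/wp-config.php';

// A legitimate thumb, then the value an Author could store through the thumb
// parameter. Four '..' segments climb from uploads/2018/06 to the site root, so
// the unchecked path lands on wp-config.php.
foreach (['image-150x150.jpg', '../../../../wp-config.php'] as $thumb) {
    $target  = thumb_path_unchecked($basedir, $attached, $thumb);
    printf("thumb=%-27s -> %s\n", $thumb, realpath($target) ?: $target);
    $deleted = delete_file_from_directory($target, $basedir);
    printf("  hardened delete: %s; wp-config.php present: %s\n",
        $deleted ? 'deleted' : 'REFUSED',
        file_exists($config) ? 'yes' : 'no');
}
// The vulnerable code simply did @unlink($target); on the second path that is the
// CVE-2018-12895 primitive. Remove the demo tree.
foreach ([$basedir . '/2018/06/image.jpg', $config] as $f) { @unlink($f); }
foreach ([$basedir . '/2018/06', $basedir . '/2018', $basedir, $site . '/wp-content', $site] as $d) { @rmdir($d); }
```

Run with `php demo.php`: the legitimate thumbnail is deleted, the traversal path resolves to the site root and is refused, and wp-config.php survives. Note that the check compares resolved paths with a trailing slash on the directory, so a sibling directory whose name merely starts with "uploads" cannot pass as contained.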

Exploits (2)

nomisec WORKING POC
by bloom-ux · poc
https://github.com/bloom-ux/cve-2018-12895-hotfix

This repository is a hotfix for CVE-2018-12895, not an exploit: it sanitizes the 'thumb' attachment metadata field so that a path-traversal value cannot reach unlink() when the attachment is deleted. Use it only as a stopgap on sites that cannot be updated to 4.9.7 or later.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: WordPress (unspecified version)
Auth required
Prerequisites: WordPress core <= 4.9.6 (the bug is in core, not a plugin) · Authenticated user with the Author role or higher (file upload and post editing capabilities)
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC
by Slavco Mihajloski, Karim El Ouerghemmi, Aloïs Thévenot · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_arbitrary_file_deletion.rb

This Metasploit module exploits an arbitrary file deletion vulnerability in WordPress (CVE-2018-12895) by leveraging author-level privileges to delete critical files like wp-config.php, potentially leading to site takeover.

Classification
Working Poc 95%
Attack Type
Arbitrary file deletion via path traversal (CWE-22), chained to site takeover
Complexity
Moderate
Reliability
Reliable
Target: WordPress core (versions prior to 4.9.7)
Auth required
Prerequisites: Valid WordPress author credentials · Target running vulnerable WordPress version
devstral-2 · analyzed Feb 16, 2026

References

Third Party Advisory, VDB Entry: http://www.securityfocus.com/bid/104569
Vendor Advisory (Debian): https://www.debian.org/security/2018/dsa-4250
Third Party Advisory: https://wpvulndb.com/vulnerabilities/9100
Mailing List, Third Party Advisory (Debian LTS): https://lists.debian.org/debian-lts-announce/2018/07/msg00046.html
Exploit, Third Party Advisory, VDB Entry: http://packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.html

Scores

CVSS v3 8.8
EPSS 0.6256
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (3)
debian/debian_linux 8.0
debian/debian_linux 9.0
wordpress/wordpress < 4.9.7
Published Jun 26, 2018
Tracked Since Feb 18, 2026