Description
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
References (9)
Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106220
Release Notes, Vendor Advisory x_refsource_misc
https://wordpress.org/support/wordpress-version/version-5-0-1/
Product, Vendor Advisory x_refsource_misc
https://codex.wordpress.org/Version_4.9.9
Vendor Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9175
Patch, Third Party Advisory x_refsource_misc
https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2019/dsa-4401
Release Notes, Vendor Advisory x_refsource_misc
https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html
Press/Media Coverage, Third Party Advisory x_refsource_misc
https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/
Scores
CVSS v3
5.4
EPSS
0.0443
EPSS Percentile
89.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
debian/debian_linux
8.0
debian/debian_linux
9.0
wordpress/wordpress
< 4.9.9
Published
Dec 14, 2018
Tracked Since
Feb 18, 2026