CVE-2019-8942

HIGH · EXPLOITED IN THE WILD · LAB

WordPress < 4.9.9 and 5.x < 5.0.1 - Authenticated Remote Code Execution via Image Metadata


Exploitation Summary

CVE-2019-8942 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 11 public exploits from researchers including Metasploit, allyshka and brianwrf, among them the Metasploit module exploits/multi/http/wp_crop_rce.

AI-analyzed exploit summary: This Metasploit module exploits a path traversal and local file inclusion in WordPress (CVE-2019-8942 chained with CVE-2019-8943) to achieve remote code execution by uploading a malicious image file and including it in the theme.

Description

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

In practice the chain has three steps: the author uploads an image whose Exif metadata carries PHP code, rewrites the attachment's _wp_attached_file value so that the path traversal in the crop-image handler (CVE-2019-8943) writes the cropped copy into the active theme's directory, and finally has the theme include that file so the embedded PHP executes. Whether the payload survives the crop depends on the image library WordPress uses: GD re-encodes the image and strips Exif data, while Imagick preserves it, which is why several of the PoCs below list the image library as a prerequisite.
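The following Python script is an added example, not code from this page or from any of the listed exploits. It shows the checks an incident responder would run on a WordPress install suspected of having been hit by this chain: audit _wp_attached_file values for the '?' and '../' tampering the description mentions, audit _wp_page_template values (the post-meta key the Metasploit module uses for the theme-include step; that key is not named on this page) for anything that is not a .php template, and scan wp-content/themes/ for image-named files that contain a PHP open tag. The post-meta rows and the theme tree are constructed inline; the twentynineteen theme name and the cropped-shell.jpg filename are assumptions for the sample.

```python
import re
import tempfile
from pathlib import Path

# File types WordPress treats as images; a PHP open tag inside one of these
# under the themes tree is the cropped payload the exploit chain writes.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp", ".tif", ".tiff"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Sample post-meta rows, constructed for this example (not real data).
# A clean _wp_attached_file is an uploads-relative path like "2019/02/photo.jpg".
SAMPLE_POSTMETA = [
    (101, "_wp_attached_file", "2019/02/team-photo.jpg"),
    (102, "_wp_attached_file", "2019/02/evil.jpg?/../../../../themes/twentynineteen/shell.jpg"),
    (103, "_wp_attached_file", "2019/02/report.pdf"),
    (201, "_wp_page_template", "default"),
    (202, "_wp_page_template", "templates/full-width.php"),
    (203, "_wp_page_template", "cropped-shell.jpg"),
]


def check_attached_file(value: str) -> list[str]:
    """Reasons a _wp_attached_file value looks like the CVE-2019-8942 tamper."""
    reasons = []
    if "?" in value:
        # The '.jpg?...' trick: the web server ignores the query string when the
        # image is fetched by URL, but the filesystem save path keeps it.
        reasons.append("query-string marker '?' in attachment path")
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", value):
        reasons.append("'..' path traversal segment")
    if value.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", value):
        reasons.append("absolute path instead of uploads-relative path")
    if "\x00" in value:
        reasons.append("NUL byte in attachment path")
    return reasons


def check_page_template(value: str) -> list[str]:
    """Reasons a _wp_page_template value would include a non-PHP file."""
    if value == "default":
        return []
    reasons = []
    if not value.lower().endswith(".php"):
        reasons.append("template does not end in .php")
    if ".." in value.replace("\\", "/").split("/"):
        reasons.append("'..' path traversal segment")
    return reasons


def audit_postmeta(rows) -> list[tuple[int, str, list[str]]]:
    """Apply the two meta checks to (post_id, meta_key, meta_value) rows."""
    checkers = {
        "_wp_attached_file": check_attached_file,
        "_wp_page_template": check_page_template,
    }
    hits = []
    for post_id, key, value in rows:
        check = checkers.get(key)
        if check is None:
            continue
        reasons = check(value)
        if reasons:
            hits.append((post_id, key, reasons))
    return hits


def scan_theme_tree(themes_root: Path) -> list[tuple[str, str]]:
    """Find image-named files under wp-content/themes that contain PHP code."""
    findings = []
    for path in sorted(themes_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in IMAGE_EXTENSIONS:
            continue
        match = PHP_OPEN_TAG.search(path.read_bytes())
        if match:
            rel = path.relative_to(themes_root).as_posix()
            findings.append((rel, f"PHP open tag at byte offset {match.start()}"))
    return findings


def build_sample_themes_dir(root: Path) -> Path:
    """Construct a tiny themes tree: one clean image, one payload image (sample data)."""
    theme = root / "twentynineteen"  # assumed theme name
    theme.mkdir(parents=True)
    (theme / "style.css").write_text("/* Theme Name: Twenty Nineteen */\n")
    # PNG signature plus filler; no PHP inside.
    (theme / "screenshot.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # What the crop step leaves behind: an image whose Exif area carries PHP.
    exif_comment = b"<?php echo 'cve-2019-8942 marker'; ?>"
    (theme / "cropped-shell.jpg").write_bytes(
        b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + exif_comment + b"\xff\xd9"
    )
    return root


def run_demo() -> dict:
    """Run both audits against the constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        themes_root = build_sample_themes_dir(Path(tmp) / "wp-content" / "themes")
        return {
            "postmeta": audit_postmeta(SAMPLE_POSTMETA),
            "theme_files": scan_theme_tree(themes_root),
        }


if __name__ == "__main__":
    results = run_demo()
    for post_id, key, reasons in results["postmeta"]:
        print(f"post {post_id} {key}: {'; '.join(reasons)}")
    for rel, reason in results["theme_files"]:
        print(f"themes/{rel}: {reason}")
```

To run this against a real site, replace SAMPLE_POSTMETA with the rows returned by SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key IN ('_wp_attached_file', '_wp_page_template') (adjust the table prefix) and point scan_theme_tree at the live wp-content/themes directory. A legitimate PDF or video attachment passes the _wp_attached_file check, which only looks for the traversal and query-string markers rather than enforcing an image extension.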

Exploits (11)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/46662

This Metasploit module exploits a path traversal and local file inclusion in WordPress (CVE-2019-8942 chained with CVE-2019-8943) to achieve remote code execution by uploading a malicious image file and including it in the theme.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress versions 5.0.0 and <= 4.9.8
Auth required
Prerequisites: Valid WordPress credentials with at least author privileges
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by allyshka · javascript · webapps · php
https://www.exploit-db.com/exploits/46511

This exploit targets the path traversal in WordPress image cropping (CVE-2019-8943, chained with the _wp_attached_file tampering of CVE-2019-8942) to achieve remote code execution by manipulating image metadata and leveraging the cropping functionality to write an image file carrying PHP code into the theme directory.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress 5.0.0 (fixed in 5.0.1; 4.9.x before 4.9.9 is also affected)
Auth required
Prerequisites: Authenticated WordPress account with image upload rights (author role or higher)
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 73 stars
by brianwrf · poc
https://github.com/brianwrf/WordPress_4.9.8_RCE_POC

This PoC demonstrates remote code execution (RCE) in WordPress by tampering with an attachment's _wp_attached_file metadata so that the crop-image path traversal writes an image carrying PHP code into the theme directory, which an author-level user can then have the theme include.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress <= 4.9.8, WordPress <= 5.0.0
Auth required
Prerequisites: Author-level WordPress credentials · Exiftool to craft malicious image · Burp Suite for request manipulation
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 4 stars
by synacktiv · remote-auth
https://github.com/synacktiv/CVE-2019-8942

This repository contains two Python scripts demonstrating CVE-2019-8942, a path traversal vulnerability in WordPress leading to arbitrary file write and remote code execution (RCE). The exploits abuse image metadata manipulation and the image cropping functionality to write a malicious file into the theme directory.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress (versions affected by CVE-2019-8942)
Auth required
Prerequisites: Valid WordPress credentials · Ability to upload images · ImageMagick or GD library installed on the target
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 1 stars
by tuannq2299 · poc
https://github.com/tuannq2299/CVE-2019-8942

This repository provides a detailed writeup on CVE-2019-8942 and CVE-2019-8943, which involve a combination of LFI and file upload vulnerabilities in WordPress, leading to RCE for users with author privileges. The writeup includes technical analysis, exploitation steps, and a demo PoC.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress versions before 4.9.9 and 5.x before 5.0.1
Auth required
Prerequisites: WordPress installation with vulnerable version · User account with author privileges
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by SpeatX · poc
https://github.com/SpeatX/WordPress-RCE-CVE-2019-8942

This repository contains functional exploit code for CVE-2019-8942, a WordPress Crop Image RCE vulnerability. The exploit chain leverages image upload and path traversal to achieve remote code execution on vulnerable WordPress installations.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress (versions affected by CVE-2019-8942)
Auth required
Prerequisites: WordPress credentials · Image upload capability · Vulnerable WordPress version
devstral-2 · analyzed May 24, 2026
nomisec WORKING POC
by SpeatX · remote-auth
https://github.com/SpeatX/Wordpress-Crop-RCE

This repository contains functional exploit code for CVE-2019-8942, a WordPress image crop RCE vulnerability. The exploit chain involves uploading a malicious JPG, manipulating file paths via image cropping, and achieving remote code execution through template inclusion.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress (versions affected by CVE-2019-8942)
Auth required
Prerequisites: Valid WordPress credentials (author role or higher) · Image upload capability · Vulnerable WordPress version
devstral-2 · analyzed May 23, 2026
github WRITEUP
by Zahid-secure · poc
https://github.com/Zahid-secure/cve-walkthrough-labs/tree/main/2019/CVE-2019-8942-8943-Blog-WordPress-RCE

This repository provides a detailed technical walkthrough of exploiting CVE-2019-8942 and CVE-2019-8943, which involve improper input validation in WordPress 5.0's image cropping feature. The writeup includes reconnaissance, enumeration, exploitation using Metasploit, and privilege escalation via SUID binary abuse.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress 5.0
Auth required
Prerequisites: WordPress 5.0 installation · Valid user credentials · Network access to target
devstral-2 · analyzed Mar 12, 2026
nomisec WORKING POC
by synod2 · poc
https://github.com/synod2/WP_CROP_RCE

This PoC exploits CVE-2019-8942 and CVE-2019-8943 in WordPress by uploading a malicious image with embedded PHP code, manipulating metadata to change the file path, and triggering remote code execution via image cropping functionality.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress < 4.9.9 and 5.0.0 (4.9.9 and 5.0.1 are the fixed releases)
Auth required
Prerequisites: Valid WordPress credentials · Exiftool to inject PHP payload into image · Target WordPress theme name
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb WORKING POC
remote-auth
https://github.com/oussama-rahali/CVE-2019-8943

This repository contains a functional Python exploit for CVE-2019-8942 and CVE-2019-8943, targeting WordPress 5.0.0 and 4.9.8 and below. Using valid author-level credentials, the exploit chains the image upload, the _wp_attached_file tampering and the crop-image path traversal to achieve remote code execution; it does not bypass authentication.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress 5.0.0 and <= 4.9.8
Auth required
Prerequisites: valid WordPress credentials · a prepared image file with injected PHP payload via exiftool · knowledge of the target WordPress theme
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by RIPSTECH Technology, Wilfried Becard · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_crop_rce.rb

This Metasploit module exploits a path traversal and local file inclusion vulnerability in WordPress (CVE-2019-8942 and CVE-2019-8943) to achieve remote code execution by uploading a malicious image file and including it in a theme.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress versions 5.0.0 and <= 4.9.8
Auth required
Prerequisites: Valid WordPress credentials with at least author privileges · Target running a vulnerable WordPress version
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References (9)
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9222
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46511/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/107088
Exploit, Third Party Advisory x_refsource_misc
https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4401
Exploit, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/03/msg00044.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/152396/WordPress-5.0.0-crop-image-Shell-Upload.html
Exploit, Third Party Advisory x_refsource_misc
http://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46662/

Scores

CVSS v3 8.8
EPSS 0.8274
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull medicean/vulapps:base_lamp_php7
docker pull wordpress:4.9.8
+6 more repos

Details

VulnCheck KEV 2021-04-12
InTheWild.io 2021-04-12
CWE
CWE-434
Status published
Products (3)
debian/debian_linux 9.0
wordpress/wordpress 5.0 (9 CPE variants)
wordpress/wordpress < 4.9.9
Published Feb 20, 2019
Tracked Since Feb 18, 2026