CVE-2019-8943

Severity: MEDIUM · Nuclei template available

WordPress <= 5.0.3 - Authenticated Path Traversal via Image Crop Filename

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2019-8943. PoCs have been published by Metasploit, allyshka and oussama-rahali, including the Metasploit module exploits/multi/http/wp_crop_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a path traversal and local file inclusion vulnerability in WordPress (CVE-2019-8943) to achieve remote code execution by uploading a malicious image file and including it in the theme.

Description

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

Exploits (6)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · php
https://www.exploit-db.com/exploits/46662

This Metasploit module exploits a path traversal and local file inclusion vulnerability in WordPress (CVE-2019-8943) to achieve remote code execution by uploading a malicious image file and including it in the theme.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WordPress versions 5.0.0 and <= 4.9.8
Auth required
Prerequisites: Valid WordPress credentials with at least author privileges
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC
by allyshka · javascript · webapps · php
https://www.exploit-db.com/exploits/46511

This exploit targets a path traversal vulnerability in WordPress (CVE-2019-8943) to achieve remote code execution by manipulating image metadata and leveraging the image cropping functionality to write a malicious PHP file.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WordPress (versions 5.0 to 5.0.3)
Auth required
Prerequisites: Authenticated access to WordPress admin panel · Image upload privileges
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 24 stars
by oussama-rahali · poc
https://github.com/oussama-rahali/CVE-2019-8943

This exploit leverages CVE-2019-8943 (and CVE-2019-8942) to achieve remote code execution on WordPress versions 5.0.0 and below by manipulating image uploads and path traversal to execute arbitrary PHP code.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WordPress 5.0.0 and <= 4.9.8
Auth required
Prerequisites: Valid WordPress credentials · A prepared image with embedded PHP payload · ExifTool for payload injection
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 3 stars
by hadrian3689 · poc
https://github.com/hadrian3689/wordpress_cropimage

This is a Python-based exploit for CVE-2019-8943, an authenticated remote code execution vulnerability in WordPress. It leverages image upload and path traversal to drop a PHP backdoor.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WordPress (specific version not specified)
Auth required
Prerequisites: Valid WordPress admin credentials · Target WordPress site with vulnerable plugin/theme
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by RIPSTECH Technology, Wilfried Becard <[email protected]> · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_crop_rce.rb

This Metasploit module exploits a path traversal and local file inclusion vulnerability in WordPress versions 5.0.0 and <= 4.9.8, allowing authenticated users with author privileges to upload a malicious image file and achieve remote code execution.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WordPress 5.0.0 and <= 4.9.8
Auth required
Prerequisites: Valid WordPress credentials with author privileges · Target running a vulnerable version of WordPress
devstral-2 · analyzed Apr 24, 2026
inthewild · WORKING POC
poc
https://github.com/v0lck3r/cve-2019-8943

This repository contains a functional Python exploit for CVE-2019-8943, which targets WordPress versions 5.0.0 and below. The exploit chains authentication, image upload manipulation, and path traversal to achieve remote code execution (RCE) via a crafted image file.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: WordPress 5.0.0 and <= 4.9.8
Auth required
Prerequisites: valid WordPress credentials · a crafted image file with embedded PHP payload · knowledge of the target WordPress theme
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

WordPress Core 5.0.0 - Crop-image Shell Upload
MEDIUM · VERIFIED · by sttlr
Shodan: http.component:"wordpress" || cpe:"cpe:2.3:a:wordpress:wordpress"
FOFA: body="oembed" && body="wp-"

References (7)

https://www.exploit-db.com/exploits/46511/ (Exploit, Third Party Advisory, VDB Entry)
http://www.securityfocus.com/bid/107089 (Third Party Advisory, VDB Entry)
http://packetstormsecurity.com/files/152396/WordPress-5.0.0-crop-image-Shell-Upload.html (Exploit, Third Party Advisory, VDB Entry)
http://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce (Exploit, Third Party Advisory)
https://www.exploit-db.com/exploits/46662/ (Exploit, Mailing List, Third Party Advisory, VDB Entry)
http://packetstormsecurity.com/files/161213/WordPress-5.0.0-Remote-Code-Execution.html (Exploit, Third Party Advisory, VDB Entry)
https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ (Exploit, Third Party Advisory)

Scores

CVSS v3: 6.5
EPSS: 0.9198 (percentile 99.8%)
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE: CWE-22
Status: published
Products (1): wordpress/wordpress < 5.0.3
Published: Feb 20, 2019
Tracked Since: Feb 18, 2026