Description
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.
Remediation
References
Related Vulnerabilities
WordPress Plugin RSVPMaker Cross-Site Scripting (2.5.4)
Mailman CVE-2006-2941 Vulnerability (CVE-2006-2941)
MODX Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2019-1010123)
MySQL CVE-2016-0639 Vulnerability (CVE-2016-0639)
Moodle Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2014-7836)