Description
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
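A defensive check for the flaw described above, as an added example that is not WordPress code or its patch: the destination name is validated and its canonical parent directory must stay inside the uploads directory before any image is written. The helper `safe_crop_destination()`, the demo directory and the sample names are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; safe_crop_destination() is a hypothetical helper, not a WordPress API.

/**
 * Return the canonical path a cropped image may be written to,
 * or null when the requested name is unsafe or escapes $uploads_dir.
 */
function safe_crop_destination(string $uploads_dir, string $requested): ?string
{
    $base = realpath($uploads_dir);
    if ($base === false) {
        return null; // the uploads directory must exist
    }
    // Refuse query-style markers, backslashes and NUL bytes rather than stripping them.
    if ($requested === '' || preg_match('#[\\\\?\x00]#', $requested)) {
        return null;
    }
    // The final path component must carry an allowed image extension.
    $file = basename($requested);
    $ext  = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }
    // Canonicalise the parent directory; realpath() resolves ../ and symlinks
    // and returns false when the directory does not exist.
    $parent = realpath(dirname($base . DIRECTORY_SEPARATOR . $requested));
    if ($parent === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($parent !== $base && strncmp($parent, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the uploads directory
    }
    $target = $parent . DIRECTORY_SEPARATOR . $file;
    return is_link($target) ? null : $target; // never write through a symlink
}

// Constructed demo directory and sample names.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads-demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
$samples = ['cropped-photo.jpg', 'photo.jpg?/../../file.jpg', '../file.jpg', 'notes.txt'];
foreach ($samples as $name) {
    $dest = safe_crop_destination($dir, $name);
    printf("%-28s => %s\n", $name, $dest ?? 'REJECTED');
}
```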
Remediation
References