WEB APPLICATION VULNERABILITIES Standard & Premium

WordPress Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2019-8943)

Description

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

Remediation

References

Related Vulnerabilities

WordPress Plugin Content Audit Multiple Vulnerabilities (1.9.1)

Squid Exposure of Resource to Wrong Sphere Vulnerability (CVE-2022-41317)

MySQL CVE-2021-2021 Vulnerability (CVE-2021-2021)

WordPress Plugin Pinpoint Booking System-#1 WordPress Booking SQL Injection (1.2)

WordPress Plugin WooCommerce Cross-Site Scripting (2.6.3)

Severity

Medium

Classification

CVE-2019-8943 CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities