WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2018-20149)

Description

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

Remediation

References

CVE-2018-20149

Related Vulnerabilities

WordPress Plugin Estatik Real Estate Arbitrary File Upload (2.3.0)

PostgreSQL Other Vulnerability (CVE-2002-1399)

Internet Information Services Other Vulnerability (CVE-2002-0147)

Craft CMS Missing Encryption of Sensitive Data Vulnerability (CVE-2018-20465)

YOURLS Improper Restriction of Rendered UI Layers or Frames Vulnerability (CVE-2021-3734)

Severity

Medium

Classification

CVE-2018-20149 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N