Vulnerability details: VCID-6avx-t6nt-qfcg
Vulnerability ID VCID-6avx-t6nt-qfcg
Aliases CVE-2019-8942
Summary arbitrary code execution
Status Published
Exploitability None
Weighted Severity None
Risk None
Weaknesses (0)
There are no known CWEs.
Data source Exploit-DB
Date added March 7, 2019
Description WordPress Core 5.0 - Remote Code Execution
Ransomware campaign use Unknown
Source publication date March 1, 2019
Exploit type webapps
Platform php
Source update date March 7, 2019
Source URL https://gist.github.com/allyshka/f159c0b43f1374f87f2c3817d6401fd6
Data source Metasploit
Description This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and <= 4.9.8. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post. This exploit module only works for Unix-based systems currently.
Note
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - artifacts-on-disk
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date Feb. 19, 2019
Platform PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/wp_crop_rce.rb
Exploit Prediction Scoring System (EPSS)
Percentile 0.99843
EPSS Score 0.93601
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T10:14:54.344066+00:00 Arch Linux Importer Import https://security.archlinux.org/AVG-910 38.6.0