Vulnerability details: VCID-wh7d-sncc-n3c4
Vulnerability ID VCID-wh7d-sncc-n3c4
Aliases CVE-2019-8942
Summary WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (1)
Reference id Reference type URL
http://packetstormsecurity.com/files/152396/WordPress-5.0.0-crop-image-Shell-Upload.html
https://api.first.org/data/v1/epss?cve=CVE-2019-8942
https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
https://lists.debian.org/debian-lts-announce/2019/03/msg00044.html
https://wpvulndb.com/vulnerabilities/9222
https://www.debian.org/security/2019/dsa-4401
https://www.exploit-db.com/exploits/46511/
https://www.exploit-db.com/exploits/46662/
http://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
http://www.securityfocus.com/bid/107088
AVG-910 https://security.archlinux.org/AVG-910
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:5.0:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:5.0:-:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:5.0:beta1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:5.0:beta1:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:5.0:beta2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:5.0:beta2:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:5.0:beta3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:5.0:beta3:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:5.0:beta4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:5.0:beta4:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:5.0:beta5:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:5.0:beta5:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:5.0:rc1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:5.0:rc1:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:5.0:rc2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:5.0:rc2:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:5.0:rc3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:5.0:rc3:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2019-8942 https://nvd.nist.gov/vuln/detail/CVE-2019-8942
CVE-2019-8943;CVE-2019-8942 Exploit https://gist.github.com/allyshka/f159c0b43f1374f87f2c3817d6401fd6
CVE-2019-8943;CVE-2019-8942 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46662.rb
CVE-2019-8943;CVE-2019-8942 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/46511.js
CVE-2019-8943;CVE-2019-8942 Exploit https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_crop_rce.rb
Data source Exploit-DB
Date added March 7, 2019
Description WordPress Core 5.0 - Remote Code Execution
Ransomware campaign use Unknown
Source publication date March 1, 2019
Exploit type webapps
Platform php
Source update date March 7, 2019
Source URL https://gist.github.com/allyshka/f159c0b43f1374f87f2c3817d6401fd6
Data source Metasploit
Description This module exploits a path traversal and a local file inclusion vulnerability on WordPress versions 5.0.0 and <= 4.9.8. The crop-image function allows a user, with at least author privileges, to resize an image and perform a path traversal by changing the _wp_attached_file reference during the upload. The second part of the exploit will include this image in the current theme by changing the _wp_page_template attribute when creating a post. This exploit module only works for Unix-based systems currently.
Note
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - artifacts-on-disk
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date Feb. 19, 2019
Platform PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/wp_crop_rce.rb
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-8942
Access Vector (AV) network
Access Complexity (AC) low
Authentication (Au) single
Confidentiality Impact (C) partial
Integrity Impact (I) partial
Availability Impact (A) partial
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-8942
Attack Vector (AV) network
Attack Complexity (AC) low
Privileges Required (PR) low
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) high
Integrity Impact (I) high
Availability Impact (A) high
Exploit Prediction Scoring System (EPSS)
Percentile 0.99649
EPSS Score 0.91298
Published At Aug. 3, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T10:01:29.543623+00:00 NVD Importer Import https://nvd.nist.gov/vuln/detail/CVE-2019-8942 37.0.0