What is CVE-2018-12895?

CVE-2018-12895 is a vulnerability in N/a. Published 2018-06-26.

Is CVE-2018-12895 known to be exploited?

11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2018-12895

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is rel…

EPSS: 0.896 (99.6th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

References

blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/ (x_refsource_MISC)
104569 (vdb-entry, x_refsource_BID)
DSA-4250 (vendor-advisory, x_refsource_DEBIAN)
wpvulndb.com/vulnerabilities/9100 (x_refsource_MISC)
[debian-lts-announce] 20180730 [SECURITY] [DLA 1452-1] wordpress security update (mailing-list, x_refsource_MLIST)
packetstormsecurity.com/files/164633/WordPress-4.9.6-Arbitrary-File-Deletion.ht… (x_refsource_MISC)

Frequently asked questions

What is CVE-2018-12895?: CVE-2018-12895 is a vulnerability in N/a. Published 2018-06-26.
Is CVE-2018-12895 known to be exploited?: 11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.