Vulnerability in N/a

CVE-2018-20148

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_a…

EPSS: 0.549 (98.1th percentile)

Affected products

  • N/a — versions n/a

Frequently asked questions

What is CVE-2018-20148?
CVE-2018-20148 is a vulnerability in N/a. Published 2018-12-14.
Is CVE-2018-20148 known to be exploited?
11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.