E18-5jtr1
CVSS: 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
False Positive: t
Variants: 1
Year: 2018
Description
The strike exploits an authenticated directory traversal vulnerability in the WordPress platform.
The vulnerability is due to the lack of sanitization of the 'thumb' POST parameter while handling media file metadata within 'post.php', and can be exploited by any account with edit rights.
As a consequence, an attacker may delete arbitrary files within the file system, which can be leveraged for code execution by changing the platform's configuration.