Strike ID: E19-0xlq1
CVSS: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
False Positive: t
Variants: 32
Year: 2019

Description

This strike exploits a local file inclusion vulnerability in the WordPress platform, which is reached by first exploiting a path traversal via the wp attached file parameter. By supplying a wp page template metadata parameter, the attacker causes the theme engine to include a malicious uploaded file. By exploiting this vulnerability, an authenticated attacker gains remote code execution on the target host system.
