E19-0xlq1
CVSS:
8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
False Positive:
f
Variants:
8
Year:
2019
Description
The strike exploits a local file inclusion vulnerability in WordPress platform, leveraged beforehand by a path traversal via the '_wp_attached_file' parameter. By supplying a '_wp_page_template' metadata parameter, the attacker determines the theme engine to include a malicious uploaded file. By exploiting this vulnerability an authenticated attacker gains remote code execution on the target host system.