cve/2019/CVE-2019-8942.md

### [CVE-2019-8942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brightgreen)

### Description

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

### POC

#### Reference
- http://packetstormsecurity.com/files/152396/WordPress-5.0.0-crop-image-Shell-Upload.html
- https://wpvulndb.com/vulnerabilities/9222
- https://www.exploit-db.com/exploits/46511/
- https://www.exploit-db.com/exploits/46662/

#### Github
- https://github.com/0xT11/CVE-POC
- https://github.com/0xZEros66/Wordpress-Exploit-AiO-Package
- https://github.com/20142995/nuclei-templates
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Afetter618/WordPress-PenTest
- https://github.com/AurelienADVANCED/ProjetBlogger
- https://github.com/El-Palomo/DerpNStink
- https://github.com/NeoOniX/5ATTACK
- https://github.com/Shamsuzzaman321/Wordpress-Exploit-AiO-Package
- https://github.com/brianwrf/WordPress_4.9.8_RCE_POC
- https://github.com/developer3000S/PoC-in-GitHub
- https://github.com/hectorgie/PoC-in-GitHub
- https://github.com/oussama-rahali/CVE-2019-8943
- https://github.com/ret2x-tools/poc-wordpress-5.0.0
- https://github.com/s4rgaz/poc-wordpress-5.0.0
- https://github.com/synacktiv/CVE-2019-8942
- https://github.com/synod2/WP_CROP_RCE
- https://github.com/theweezar/final-project-capture-packet-cve
- https://github.com/tuannq2299/CVE-2019-8942
- https://github.com/v0lck3r/CVE-2019-8943