CVSS 8.8 High

CVE-2019-8942/8943: Image Upload to Remote Code Execution

Overview

  • CVE: CVE-2019-8942 + CVE-2019-8943
  • Affected Versions: WordPress 3.9 to 5.0.0 (CVE-2019-8942), before 4.9.9 / 5.0.1 (CVE-2019-8943)
  • CVSS: 8.8 (High)
  • Authentication: Author role required
  • Type: Path Traversal + Remote Code Execution (RCE)

In February 2019, a critical vulnerability was discovered in WordPress's image crop (thumbnail editing) feature that allowed users with merely Author privileges to execute arbitrary code on the server. The attack chains two CVEs together.

What Happened

This vulnerability is a combination of two separate issues:

CVE-2019-8942 (Post Meta Overwrite): By manipulating wp_postmeta, an attacker could change the stored file path of an attachment to an arbitrary location.

CVE-2019-8943 (Path Traversal): The image crop processing had insufficient path validation, allowing ../ path traversal sequences in the save destination.

Chaining these together:

  1. Upload an image with malicious PHP code embedded in EXIF metadata
  2. Manipulate Post Meta to redirect the save path to the theme directory
  3. Use the image crop feature to write via path traversal to the theme directory
  4. The file is executed as a theme file — remote code execution achieved

How the Attack Works

Attack flow:

  1. Prepare a malicious image: Embed PHP code in JPEG EXIF metadata

     # Embed PHP code in image using exiftool
     exiftool -ImageDescription='<?php system($_GET["cmd"]); ?>' innocent.jpg

  2. Upload to WordPress: Upload the image normally using Author credentials

  3. Manipulate Post Meta: Modify the _wp_attached_file metadata to include path traversal

     Example: Change 2019/02/image.jpg to 2019/02/image.jpg#/../../../wp-content/themes/theme/evil.jpg

  4. Execute crop: When the image crop is performed via the image editor, the cropped image is saved to the manipulated path

  5. Code execution: Access the image file (containing PHP code) saved in the theme directory to execute arbitrary commands

Real-World Impact

  • All WordPress versions from 3.9 to 5.0.0 were affected (approximately 5 years)
  • Author-level users could gain complete server control
  • In shared hosting environments, compromise could spread to other sites on the same server
  • Many business sites grant Author privileges to external writers, making insider threat risks concrete
  • Discovered by RIPS Tech security researchers, who reported it to the WordPress team

Fix and Lessons

Fix: Patched in WordPress 5.0.1 / 4.9.9. Path traversal prevention and validation against unauthorized Post Meta manipulation were added.
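
A defender-side check for the Post Meta tampering described above, as an added example (it is not WordPress's patch and not code from the original article): it audits _wp_attached_file values exported from wp_postmeta and flags any that carry traversal segments, URL delimiters, or resolve outside the uploads directory. The uploads path, the sample rows and the function names are assumptions made for illustration.

```python
import posixpath
import re

UPLOADS_ROOT = "/var/www/html/wp-content/uploads"  # assumed install path

# Constructed sample rows: (post_id, meta_value) where meta_key = '_wp_attached_file'
SAMPLE_ROWS = [
    (101, "2019/02/image.jpg"),
    (102, "2019/02/image.jpg#/../../../wp-content/themes/theme/evil.jpg"),
    (103, "2019/02/photo.jpg?/../../../../themes/theme/x.jpg"),
    (104, "/var/www/html/wp-content/themes/theme/a.jpg"),
    (105, "2019/02/holiday photo.png"),
]

def audit_attached_file(value, uploads_root=UPLOADS_ROOT):
    """Return the reasons a stored attachment path is unsafe ([] means clean)."""
    reasons = []
    path = value.replace("\\", "/")
    # '#' and '?' have no place in a stored upload path (the article's example uses '#')
    if "#" in path or "?" in path:
        reasons.append("url-delimiter")
    # Any '..' segment is rejected, even when the final path stays inside uploads
    if ".." in path.split("/"):
        reasons.append("dot-dot-segment")
    if path.startswith("/") or re.match(r"[A-Za-z]:", path):
        reasons.append("absolute-path")
    # Resolve the value the way a file write would and confirm it stays under uploads
    resolved = posixpath.normpath(posixpath.join(uploads_root, path))
    if not resolved.startswith(uploads_root.rstrip("/") + "/"):
        reasons.append("escapes-uploads")
    return reasons

def audit_rows(rows):
    """Map post_id -> reasons for every row that fails the audit."""
    return {pid: r for pid, value in rows if (r := audit_attached_file(value))}

if __name__ == "__main__":
    for post_id, reasons in audit_rows(SAMPLE_ROWS).items():
        print(post_id, ",".join(reasons))
```

Row 102 is the article's own example value: it normalizes to a path that is still under uploads, which is why the check rejects the traversal segment itself rather than relying on the resolved location alone.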

Lessons:

  1. Principle of least privilege: Even Author-level access can lead to RCE — assign minimal permissions
  2. File upload dangers: Even image files can contain executable code
  3. Compound vulnerability risk: Individually low-risk issues can become critical when chained
  4. EXIF data risks: Uploaded file metadata must also be validated
  5. Shared hosting risks: One site's compromise can cascade to other sites on the same server

Detection with Nyambush

Nyambush detects WordPress versions and displays a "High" severity warning with CVSS 8.8 when a version affected by this vulnerability is in use.

For sites that grant Author privileges to external contributors, this type of privilege escalation vulnerability is extremely dangerous. Regular version monitoring is essential.
