CVE-2017-1000600

WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9

Published: Sep 6, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-1000600
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	-	4.9

http://www.securityfocus.com/bid/105305
https://www.theregister.co.uk/2018/08/20/php_unserialisation_wordpress_vuln/
https://youtu.be/GePBmsNJw6Y?t=1763

Vulnerability Database

289,697

CVE-2017-1000600