Total vulnerabilities in the database
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.
| Software | From | Fixed in |
|---|---|---|
| WordPress / wordpress | 5.0 | 5.0.1 |
| WordPress / wordpress | - | 4.9.9 |
| debian / debian_linux | 8.0 | 8.0.x |
| debian / debian_linux | 9.0 | 9.0.x |