Candidate: CVE-2017-1000600
PublicDate: 2018-09-06 12:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000600
 https://www.theregister.co.uk/2018/08/20/php_unserialisation_wordpress_vuln/
 https://youtu.be/GePBmsNJw6Y?t=1763
Description:
 WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in
 thumbnail processing that can result in remote code execution. This attack
 appears to be exploitable via thumbnail upload by an authenticated user and
 may require additional plugins in order to be exploited however this has
 not been confirmed at this time. This issue appears to have been partially,
 but not completely fixed in WordPress 4.9
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_wordpress:
upstream_wordpress: released (4.9)
precise/esm_wordpress: DNE
trusty_wordpress: ignored (reached end-of-life)
trusty/esm_wordpress: DNE (trusty was needed)
xenial_wordpress: ignored (end of standard support, was needed)
bionic_wordpress: not-affected (4.9.5+dfsg1-1)
cosmic_wordpress: not-affected (4.9.5+dfsg1-1)
disco_wordpress: not-affected (4.9.5+dfsg1-1)
eoan_wordpress: not-affected (4.9.5+dfsg1-1)
focal_wordpress: not-affected (4.9.5+dfsg1-1)
groovy_wordpress: not-affected (4.9.5+dfsg1-1)
hirsute_wordpress: not-affected (4.9.5+dfsg1-1)
impish_wordpress: not-affected (4.9.5+dfsg1-1)
jammy_wordpress: not-affected (4.9.5+dfsg1-1)
devel_wordpress: not-affected (4.9.5+dfsg1-1)