{"id":"CVE-2018-20148","details":"In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.","modified":"2026-04-10T04:08:57.302068Z","published":"2018-12-14T20:29:00.390Z","references":[{"type":"ADVISORY","url":"https://www.zdnet.com/article/wordpress-vulnerability-affects-a-third-of-most-popular-websites-online/"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106220"},{"type":"ADVISORY","url":"https://codex.wordpress.org/Version_4.9.9"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4401"},{"type":"ADVISORY","url":"https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/"},{"type":"ADVISORY","url":"https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/"},{"type":"ADVISORY","url":"https://wordpress.org/support/wordpress-version/version-5-0-1/"},{"type":"ADVISORY","url":"https://wpvulndb.com/vulnerabilities/9171"},{"type":"EVIDENCE","url":"https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"0"},{"fixed":"8d87e4a8b8aa7d66a4f5dd3795b5450fa0b76af0"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"3d448538caf519c6355bb32c0c8c21da87692855"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.9.9"},{"introduced":"5.0"},{"fixed":"5.0.1"}]}}],"versions":["4.9.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20148.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}