WordPress <= 5.0 – Authenticated File Delete | CVE 2018-20147

Affects WordPress

3.8.1

Fixed in WordPress 3.8.28

3.8

Fixed in WordPress 3.8.28

3.7.1

Fixed in WordPress 3.7.28

3.9

Fixed in WordPress 3.9.26

3.9.1

Fixed in WordPress 3.9.26

3.7

Fixed in WordPress 3.7.28

3.8.2

Fixed in WordPress 3.8.28

3.8.3

Fixed in WordPress 3.8.28

3.9.2

Fixed in WordPress 3.9.26

4.0

Fixed in WordPress 4.0.25

4.1

Fixed in WordPress 4.1.25

4.1.1

Fixed in WordPress 4.1.25

4.2

Fixed in WordPress 4.2.22

3.9.3

Fixed in WordPress 3.9.26

4.1.2

Fixed in WordPress 4.1.25

4.2.1

Fixed in WordPress 4.2.22

4.0.1

Fixed in WordPress 4.0.25

4.1.5

Fixed in WordPress 4.1.25

4.1.4

Fixed in WordPress 4.1.25

4.1.3

Fixed in WordPress 4.1.25

3.8.4

Fixed in WordPress 3.8.28

3.7.4

Fixed in WordPress 3.7.28

4.2.3

Fixed in WordPress 4.2.22

3.8.8

Fixed in WordPress 3.8.28

3.8.5

Fixed in WordPress 3.8.28

3.8.6

Fixed in WordPress 3.8.28

3.8.7

Fixed in WordPress 3.8.28

3.7.2

Fixed in WordPress 3.7.28

3.7.3

Fixed in WordPress 3.7.28

3.7.5

Fixed in WordPress 3.7.28

3.7.6

Fixed in WordPress 3.7.28

3.7.7

Fixed in WordPress 3.7.28

3.7.8

Fixed in WordPress 3.7.28

3.7.9

Fixed in WordPress 3.7.28

3.8.9

Fixed in WordPress 3.8.28

3.9.4

Fixed in WordPress 3.9.26

3.9.5

Fixed in WordPress 3.9.26

3.9.6

Fixed in WordPress 3.9.26

3.9.7

Fixed in WordPress 3.9.26

4.0.2

Fixed in WordPress 4.0.25

4.0.3

Fixed in WordPress 4.0.25

4.0.4

Fixed in WordPress 4.0.25

4.0.5

Fixed in WordPress 4.0.25

4.0.6

Fixed in WordPress 4.0.25

4.1.6

Fixed in WordPress 4.1.25

4.2.2

Fixed in WordPress 4.2.22

4.2.4

Fixed in WordPress 4.2.22

4.1.7

Fixed in WordPress 4.1.25

4.0.7

Fixed in WordPress 4.0.25

3.9.8

Fixed in WordPress 3.9.26

3.8.10

Fixed in WordPress 3.8.28

3.7.10

Fixed in WordPress 3.7.28

4.3

Fixed in WordPress 4.3.18

4.3.1

Fixed in WordPress 4.3.18

4.2.5

Fixed in WordPress 4.2.22

4.1.8

Fixed in WordPress 4.1.25

4.0.8

Fixed in WordPress 4.0.25

3.9.9

Fixed in WordPress 3.9.26

3.8.11

Fixed in WordPress 3.8.28

3.7.11

Fixed in WordPress 3.7.28

4.4

Fixed in WordPress 4.4.17

3.7.12

Fixed in WordPress 3.7.28

3.8.12

Fixed in WordPress 3.8.28

3.9.10

Fixed in WordPress 3.9.26

4.0.9

Fixed in WordPress 4.0.25

4.1.9

Fixed in WordPress 4.1.25

4.2.6

Fixed in WordPress 4.2.22

4.3.2

Fixed in WordPress 4.3.18

4.4.1

Fixed in WordPress 4.4.17

4.4.2

Fixed in WordPress 4.4.17

4.3.3

Fixed in WordPress 4.3.18

4.2.7

Fixed in WordPress 4.2.22

4.1.10

Fixed in WordPress 4.1.25

4.0.10

Fixed in WordPress 4.0.25

3.9.11

Fixed in WordPress 3.9.26

3.8.13

Fixed in WordPress 3.8.28

3.7.13

Fixed in WordPress 3.7.28

4.5

Fixed in WordPress 4.5.16

4.5.1

Fixed in WordPress 4.5.16

3.7.14

Fixed in WordPress 3.7.28

3.8.14

Fixed in WordPress 3.8.28

3.9.12

Fixed in WordPress 3.9.26

4.0.11

Fixed in WordPress 4.0.25

4.1.11

Fixed in WordPress 4.1.25

4.2.8

Fixed in WordPress 4.2.22

4.3.4

Fixed in WordPress 4.3.18

4.4.3

Fixed in WordPress 4.4.17

4.5.2

Fixed in WordPress 4.5.16

4.5.3

Fixed in WordPress 4.5.16

3.7.15

Fixed in WordPress 3.7.28

3.8.15

Fixed in WordPress 3.8.28

3.9.13

Fixed in WordPress 3.9.26

4.0.12

Fixed in WordPress 4.0.25

4.1.12

Fixed in WordPress 4.1.25

4.2.9

Fixed in WordPress 4.2.22

4.3.5

Fixed in WordPress 4.3.18

4.4.4

Fixed in WordPress 4.4.17

4.6

Fixed in WordPress 4.6.13

3.7.16

Fixed in WordPress 3.7.28

3.8.16

Fixed in WordPress 3.8.28

3.9.14

Fixed in WordPress 3.9.26

4.0.13

Fixed in WordPress 4.0.25

4.1.13

Fixed in WordPress 4.1.25

4.2.10

Fixed in WordPress 4.2.22

4.3.6

Fixed in WordPress 4.3.18

4.4.5

Fixed in WordPress 4.4.17

4.5.4

Fixed in WordPress 4.5.16

4.6.1

Fixed in WordPress 4.6.13

4.7

Fixed in WordPress 4.7.12

3.7.17

Fixed in WordPress 3.7.28

3.8.17

Fixed in WordPress 3.8.28

3.9.15

Fixed in WordPress 3.9.26

4.0.14

Fixed in WordPress 4.0.25

4.1.14

Fixed in WordPress 4.1.25

4.2.11

Fixed in WordPress 4.2.22

4.3.7

Fixed in WordPress 4.3.18

4.4.6

Fixed in WordPress 4.4.17

4.5.5

Fixed in WordPress 4.5.16

4.7.1

Fixed in WordPress 4.7.12

4.6.2

Fixed in WordPress 4.6.13

3.7.18

Fixed in WordPress 3.7.28

3.8.18

Fixed in WordPress 3.8.28

3.9.16

Fixed in WordPress 3.9.26

4.0.15

Fixed in WordPress 4.0.25

4.1.15

Fixed in WordPress 4.1.25

4.2.12

Fixed in WordPress 4.2.22

4.3.8

Fixed in WordPress 4.3.18

4.4.7

Fixed in WordPress 4.4.17

4.5.6

Fixed in WordPress 4.5.16

4.6.3

Fixed in WordPress 4.6.13

4.7.2

Fixed in WordPress 4.7.12

3.7.19

Fixed in WordPress 3.7.28

3.8.19

Fixed in WordPress 3.8.28

3.9.17

Fixed in WordPress 3.9.26

4.0.16

Fixed in WordPress 4.0.25

4.1.16

Fixed in WordPress 4.1.25

4.2.13

Fixed in WordPress 4.2.22

4.3.9

Fixed in WordPress 4.3.18

4.4.8

Fixed in WordPress 4.4.17

4.5.7

Fixed in WordPress 4.5.16

4.6.4

Fixed in WordPress 4.6.13

4.7.3

Fixed in WordPress 4.7.12

3.7.20

Fixed in WordPress 3.7.28

3.8.20

Fixed in WordPress 3.8.28

3.9.18

Fixed in WordPress 3.9.26

4.0.17

Fixed in WordPress 4.0.25

4.1.17

Fixed in WordPress 4.1.25

4.2.14

Fixed in WordPress 4.2.22

4.3.10

Fixed in WordPress 4.3.18

4.4.9

Fixed in WordPress 4.4.17

4.5.8

Fixed in WordPress 4.5.16

4.6.5

Fixed in WordPress 4.6.13

4.7.4

Fixed in WordPress 4.7.12

4.7.5

Fixed in WordPress 4.7.12

3.7.21

Fixed in WordPress 3.7.28

3.8.21

Fixed in WordPress 3.8.28

3.9.19

Fixed in WordPress 3.9.26

4.0.18

Fixed in WordPress 4.0.25

4.1.18

Fixed in WordPress 4.1.25

4.2.15

Fixed in WordPress 4.2.22

4.3.11

Fixed in WordPress 4.3.18

4.4.10

Fixed in WordPress 4.4.17

4.5.9

Fixed in WordPress 4.5.16

4.6.6

Fixed in WordPress 4.6.13

4.8

Fixed in WordPress 4.8.8

4.8.1

Fixed in WordPress 4.8.8

3.7.22

Fixed in WordPress 3.7.28

3.8.22

Fixed in WordPress 3.8.28

3.9.20

Fixed in WordPress 3.9.26

4.0.19

Fixed in WordPress 4.0.25

4.1.19

Fixed in WordPress 4.1.25

4.2.16

Fixed in WordPress 4.2.22

4.3.12

Fixed in WordPress 4.3.18

4.4.11

Fixed in WordPress 4.4.17

4.5.10

Fixed in WordPress 4.5.16

4.6.7

Fixed in WordPress 4.6.13

4.7.6

Fixed in WordPress 4.7.12

4.8.2

Fixed in WordPress 4.8.8

4.8.3

Fixed in WordPress 4.8.8

3.7.23

Fixed in WordPress 3.7.28

3.8.23

Fixed in WordPress 3.8.28

3.9.21

Fixed in WordPress 3.9.26

4.0.20

Fixed in WordPress 4.0.25

4.1.20

Fixed in WordPress 4.1.25

4.2.17

Fixed in WordPress 4.2.22

4.3.13

Fixed in WordPress 4.3.18

4.4.12

Fixed in WordPress 4.4.17

4.5.11

Fixed in WordPress 4.5.16

4.6.8

Fixed in WordPress 4.6.13

4.7.7

Fixed in WordPress 4.7.12

4.9

Fixed in WordPress 4.9.9

4.9.1

Fixed in WordPress 4.9.9

4.8.4

Fixed in WordPress 4.8.8

4.7.8

Fixed in WordPress 4.7.12

4.6.9

Fixed in WordPress 4.6.13

4.5.12

Fixed in WordPress 4.5.16

4.4.13

Fixed in WordPress 4.4.17

4.3.14

Fixed in WordPress 4.3.18

4.2.18

Fixed in WordPress 4.2.22

4.1.21

Fixed in WordPress 4.1.25

4.0.21

Fixed in WordPress 4.0.25

3.9.22

Fixed in WordPress 3.9.26

3.8.24

Fixed in WordPress 3.8.28

3.7.24

Fixed in WordPress 3.7.28

4.9.2

Fixed in WordPress 4.9.9

4.8.5

Fixed in WordPress 4.8.8

4.7.9

Fixed in WordPress 4.7.12

4.6.10

Fixed in WordPress 4.6.13

4.5.13

Fixed in WordPress 4.5.16

4.4.14

Fixed in WordPress 4.4.17

4.3.15

Fixed in WordPress 4.3.18

4.2.19

Fixed in WordPress 4.2.22

4.1.22

Fixed in WordPress 4.1.25

4.0.22

Fixed in WordPress 4.0.25

3.9.23

Fixed in WordPress 3.9.26

3.8.25

Fixed in WordPress 3.8.28

3.7.25

Fixed in WordPress 3.7.28

4.9.3

Fixed in WordPress 4.9.9

4.9.4

Fixed in WordPress 4.9.9

3.7.26

Fixed in WordPress 3.7.28

3.8.26

Fixed in WordPress 3.8.28

3.9.24

Fixed in WordPress 3.9.26

4.0.23

Fixed in WordPress 4.0.25

4.1.23

Fixed in WordPress 4.1.25

4.2.20

Fixed in WordPress 4.2.22

4.3.16

Fixed in WordPress 4.3.18

4.4.15

Fixed in WordPress 4.4.17

4.5.14

Fixed in WordPress 4.5.16

4.6.11

Fixed in WordPress 4.6.13

4.7.10

Fixed in WordPress 4.7.12

4.8.6

Fixed in WordPress 4.8.8

4.9.5

Fixed in WordPress 4.9.9

4.9.6

Fixed in WordPress 4.9.9

3.7.27

Fixed in WordPress 3.7.28

3.8.27

Fixed in WordPress 3.8.28

3.9.25

Fixed in WordPress 3.9.26

4.0.24

Fixed in WordPress 4.0.25

4.1.24

Fixed in WordPress 4.1.25

4.2.21

Fixed in WordPress 4.2.22

4.3.17

Fixed in WordPress 4.3.18

4.4.16

Fixed in WordPress 4.4.17

4.5.15

Fixed in WordPress 4.5.16

4.6.12

Fixed in WordPress 4.6.13

4.7.11

Fixed in WordPress 4.7.12

4.8.7

Fixed in WordPress 4.8.8

4.9.7

Fixed in WordPress 4.9.9

4.9.8

Fixed in WordPress 4.9.9

5.0

Fixed in WordPress 5.0.1

References

CVE

CVE-2018-20147

URL

https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/

Miscellaneous

Original Researcher

RIPS Technologies (Karim El Ouerghemmi)

Submitter

Ryan Dewhurst

Submitter twitter

ethicalhack3r

Verified

WPVDB ID

e3ef8976-11cb-4854-837f-786f43cbdf44

Timeline

Publicly Published

2018-12-13 (about 7 years ago)

Added

2018-12-13 (about 7 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2023-06-28

Title

WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) < 7.6.5 - Authentication Bypass

Published

2026-01-15

Title

Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit < 5.1.6 - Missing Authorization to Unauthenticated Rede Order Logs Deletion

Published

2024-12-13

Title

WP Job Portal < 2.2.3 - Missing Authorization to Unauthenticated Arbitrary Resume Download

Published

2019-05-24

Title

Hustle < 6.0.8.1 - Unauthenticated CSV Injection

Published

2018-06-20

Title

Advanced Order Export For WooCommerce <= 1.5.4 - CSV Injection