{"id":"CVE-2018-20147","details":"In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.","modified":"2026-04-11T12:08:18.056584Z","published":"2018-12-14T20:29:00.343Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"8.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"}]},"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106220"},{"type":"ADVISORY","url":"https://codex.wordpress.org/Version_4.9.9"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html"},{"type":"ADVISORY","url":"https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/"},{"type":"ADVISORY","url":"https://wordpress.org/support/wordpress-version/version-5-0-1/"},{"type":"ADVISORY","url":"https://wpvulndb.com/vulnerabilities/9169"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4401"},{"type":"ADVISORY","url":"https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress","events":[{"introduced":"0"},{"fixed":"8d87e4a8b8aa7d66a4f5dd3795b5450fa0b76af0"},{"introduced":"491c67be12ca8a9fe37ae38307ba7e298c976ec3"},{"fixed":"3d448538caf519c6355bb32c0c8c21da87692855"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.9.9"},{"introduced":"5.0"},{"fixed":"5.0.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*"}}],"versions":["4.9.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-20147.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}