
Allyshka

Rank: #17535 of 53,633
Total CVSS: 15.3
Vulnerabilities: 2 (High: 1, Medium: 1)
PT-2019-19273 · CVSS 8.8 (High) · 2019-02-20 · WordPress · Wordpress · CVE-2019-8942

**Name of the Vulnerable Software and Affected Versions**
WordPress versions prior to 4.9.9; WordPress 5.x versions prior to 5.0.1.

**Description**
The issue allows remote code execution. An attacker with author privileges can execute arbitrary code by uploading a crafted image whose Exif metadata contains PHP code. The root cause is that an attachment's `_wp_attached_file` post meta entry can be changed to an arbitrary string, such as one ending in `.jpg?file.jpg`; exploitation can be chained with the `wp_crop_image()` path traversal tracked as CVE-2019-8943 below.

**Recommendations**
For WordPress versions prior to 4.9.9, update to version 4.9.9 or later. For WordPress 5.x versions prior to 5.0.1, update to version 5.0.1 or later.
PT-2019-19274 · CVSS 6.5 (Medium) · 2019-02-20 · WordPress · Wordpress · CVE-2019-8943

**Name of the Vulnerable Software and Affected Versions**
WordPress versions prior to 5.0.4.

**Description**
The issue allows path traversal in the `wp_crop_image()` function. An attacker with the privilege to crop an image can write the output image to an arbitrary directory via a filename that ends with two image extensions and contains `../` sequences, for example a filename ending with `.jpg?/../../file.jpg`. The trailing `.jpg` satisfies the image-extension check, while the `../` components move the written file out of the uploads directory.

**Recommendations**
For WordPress versions prior to 5.0.4, update to version 5.0.4 or later to resolve the issue. Until the update can be applied, restrict access to the `wp_crop_image()` function so that untrusted users cannot trigger it and write outside the uploads directory.