In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
Conclusion & alert: CVE-2018-20149 is rated Moderate Risk (51.2/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 3.44%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 4.43% | 3.44% | -0.98% |
| 2 | 2026-03-04 | 3.53% | 4.43% | +0.89% |
| 3 | 2026-03-01 | — | 3.53% | — |
Full EPSS history (41 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.4 | 3.0 | MEDIUM |
|
2.3 | 2.7 | [email protected] |
| 3.5 | 2.0 | LOW |
|
6.8 | 2.9 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2018-20149 not yet assigned priority: Debian including 1 source packages (wordpress), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2018-20149 |
ubuntu
|
medium | CVE-2018-20149 medium priority: Ubuntu including 1 source packages (wordpress), 19 status rows across 19 suites (bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 14, needed 2, DNE 1, ignored 1, released 1. | https://ubuntu.com/security/CVE-2018-20149 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| wordpress | wordpress | < 4.9.9 | cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* |
| wordpress | wordpress | >= 5.0, < 5.0.1 | cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* |
| debian | debian_linux | 8.0 | cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/106220 | Third Party Advisory VDB Entry |
| https://codex.wordpress.org/Version_4.9.9 | Product Vendor Advisory |
| https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a | Patch Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html | Mailing List Third Party Advisory |
| https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/ | Release Notes Vendor Advisory |
| https://wordpress.org/support/wordpress-version/version-5-0-1/ | Release Notes Vendor Advisory |
| https://wpvulndb.com/vulnerabilities/9175 | Vendor Advisory |
| https://www.debian.org/security/2019/dsa-4401 | Third Party Advisory |
| https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords/ | Press/Media Coverage Third Party Advisory |