CVE-2019-10675

** DISPUTED ** WordPress 5.1.1 allows remote authenticated authors to obtain sensitive information via a modified PNG file to the wp-admin/media-new.php?browser-uploader Media Uploader feature, which reveals the full path in a wp-includes/functions.php exif_imagetype() error message, even when the “display_errors = Off” setting is used and wp_config.php has debugging disabled. NOTE: the vendor cannot reproduce this.
Source: NIST
CVE-2019-10675