CVE-2005-2612
published 2005-08-17CVE-2005-2612: Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server]…
PriorityP258high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
38.77%
98.4th percentile
Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 1.5.2-1 (bookworm) | wordpress 1.5.2-1 (bookworm) |
| wordpress | wordpress | — | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | >= 0 < 1.5.2-1 | 1.5.2-1 |
| wordpress | wordpress | >= 0 < 1.5.2-1 | 1.5.2-1 |
| wordpress | wordpress | >= 0 < 1.5.2-1 | 1.5.2-1 |
| wordpress | wordpress | >= 0 < 1.5.2-1 | 1.5.2-1 |
Detection & IOCsextracted from sources · hover to see the quote
cookiewp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=<payload>;wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;↗
- →Inspect HTTP Cookie headers for the presence of 'cache_lastpostdate[server]' or 'cache_lastpostmodified[server]' keys, which are the direct injection vectors for this exploit. ↗
- →Detect cookie values containing 'wp_filter[query_vars]' combined with PHP function names such as 'get_lastpostdate', 'base64_decode', 'parse_str', 'preg_replace', and 'get_lastpostmodified' — this is the full exploit chain delivered via cookie. ↗
- →Flag cookie data containing 'cache_lastpostmodified[server]=//e', which is the preg_replace /e modifier trick used to trigger arbitrary PHP code evaluation. ↗
- →Look for base64-encoded payloads in the 'cache_lastpostdate[server]' cookie value, as the exploit encodes the PHP payload in base64 and passes it through eval(base64_decode(...)). ↗
- ·This vulnerability is only exploitable when the PHP 'register_globals' option is enabled. Environments with register_globals disabled are not affected. ↗
- ·Only WordPress versions prior to 1.5.1.3 (fixed in 1.5.2-1 per Debian) are vulnerable. Patched installations should not trigger these detections as false positives. ↗
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-73gj-5f8g-vq97: Direct code injection vulnerability in WordPress 1
ghsa_unreviewed·2022-05-01
CVE-2005-2612 [HIGH] GHSA-73gj-5f8g-vq97: Direct code injection vulnerability in WordPress 1
Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.
OSV
CVE-2005-2612: Direct code injection vulnerability in WordPress 1
osv·2005-08-17·CVSS 7.5
CVE-2005-2612 [HIGH] CVE-2005-2612: Direct code injection vulnerability in WordPress 1
Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.
Debian
CVE-2005-2612: wordpress - Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remo...
vendor_debian·2005·CVSS 7.5
CVE-2005-2612 [HIGH] CVE-2005-2612: wordpress - Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remo...
Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.
Scope: local
bookworm: resolved (fixed in 1.5.2-1)
bullseye: resolved (fixed in 1.5.2-1)
forky: resolved (fixed in 1.5.2-1)
sid: resolved (fixed in 1.5.2-1)
trixie: resolved (fixed in 1.5.2-1)
No detection rules found.
Exploit-DB
WordPress Core 1.5.1.3 - 'cache_lastpostdate' Arbitrary Code Execution (Metasploit)
exploitdb·2010-07-03
CVE-2005-2612 WordPress Core 1.5.1.3 - 'cache_lastpostdate' Arbitrary Code Execution (Metasploit)
WordPress Core 1.5.1.3 - 'cache_lastpostdate' Arbitrary Code Execution (Metasploit)
---
##
# $Id: php_wordpress_lastpost.rb 9671 2010-07-03 06:21:31Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'WordPress cache_lastpostdate Arbitrary Code Execution',
'Description' => %q{
This module exploits an arbitrary PHP code execution flaw in the WordPress
blogging software. This vulnerability is only present when the PHP 'register_globals'
option is enabled (common for hosting providers). All versions of WordPress prior to
1.5.1.3 are affec
Metasploit
WordPress cache_lastpostdate Arbitrary Code Execution
metasploit
WordPress cache_lastpostdate Arbitrary Code Execution
WordPress cache_lastpostdate Arbitrary Code Execution
This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). All versions of WordPress prior to 1.5.1.3 are affected.
No writeups or analysis indexed.
2005-08-17
Published