CVE-2005-2612
published 2005-08-17


Priority: P258 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 38.77% (98.4th percentile)
Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.

Affected

13 ranges

Vendor | Product | Version range | Fixed in
debian | wordpress | < wordpress 1.5.2-1 (bookworm) | wordpress 1.5.2-1 (bookworm)
wordpress | wordpress | - | -
wordpress | wordpress | - | -
wordpress | wordpress | - | -
wordpress | wordpress | - | -
wordpress | wordpress | - | -
wordpress | wordpress | - | -
wordpress | wordpress | - | -
wordpress | wordpress | - | -
wordpress | wordpress | >= 0 < 1.5.2-1 | 1.5.2-1
wordpress | wordpress | >= 0 < 1.5.2-1 | 1.5.2-1
wordpress | wordpress | >= 0 < 1.5.2-1 | 1.5.2-1
wordpress | wordpress | >= 0 < 1.5.2-1 | 1.5.2-1

Detection & IOCs (extracted from sources)

cookie: cache_lastpostdate[server]=<base64_encoded_payload>
cookie: wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=<payload>;wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;
command: args[0]=eval(base64_decode(<encoded_payload>)).die()&args[1]=x
other: cache_lastpostmodified[server]=//e
  • Inspect HTTP Cookie headers for the presence of 'cache_lastpostdate[server]' or 'cache_lastpostmodified[server]' keys, which are the direct injection vectors for this exploit.
  • Detect cookie values containing 'wp_filter[query_vars]' combined with PHP function names such as 'get_lastpostdate', 'base64_decode', 'parse_str', 'preg_replace', and 'get_lastpostmodified' — this is the full exploit chain delivered via cookie.
  • Flag cookie data containing 'cache_lastpostmodified[server]=//e', which is the preg_replace /e modifier trick used to trigger arbitrary PHP code evaluation.
  • Look for base64-encoded payloads in the 'cache_lastpostdate[server]' cookie value, as the exploit encodes the PHP payload in base64 and passes it through eval(base64_decode(...)).
  • This vulnerability is only exploitable when the PHP 'register_globals' option is enabled. Environments with register_globals disabled are not affected.
  • Only WordPress 1.5.1.3 and earlier (fixed in 1.5.2-1 per Debian) are vulnerable. Patched installations should not trigger these detections as false positives.
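
The detection points above, as an added example (not part of the original page or any vendor rule): a Python check that parses a raw Cookie header and reports which of the listed indicators it matches. The function names, indicator labels and sample headers are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Cookie keys the page names as the direct injection vectors.
VECTOR_KEYS = ("cache_lastpostdate[server]", "cache_lastpostmodified[server]")
# Function names the page lists inside the wp_filter[query_vars] chain.
CHAIN_FUNCS = {"get_lastpostdate", "base64_decode", "parse_str",
               "preg_replace", "get_lastpostmodified"}

def parse_cookie(header):
    """Split a raw Cookie header into (key, value) pairs, URL-decoding both."""
    pairs = []
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # keep base64 '=' padding in the value
            pairs.append((unquote(key.strip()), unquote(value.strip())))
    return pairs

def looks_base64(value):
    """True for non-trivial strings that strictly decode as base64."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def classify(header):
    """Return the sorted indicator labels matched by one Cookie header."""
    hits = set()
    for key, value in parse_cookie(header):
        if key in VECTOR_KEYS:
            hits.add("vector_key")
        if key == "cache_lastpostmodified[server]" and value == "//e":
            hits.add("preg_replace_e")
        if key == "cache_lastpostdate[server]" and looks_base64(value):
            hits.add("base64_value")
        if key.startswith("wp_filter[query_vars]") and value in CHAIN_FUNCS:
            hits.add("filter_chain")
    return sorted(hits)

if __name__ == "__main__":
    # Constructed header, not captured traffic; the value is base64 of "placeholder".
    sample = ("wp_filter[query_vars][0][1][function]=base64_decode; "
              "cache_lastpostmodified%5Bserver%5D=%2F%2Fe; "
              "cache_lastpostdate[server]=cGxhY2Vob2xkZXI=")
    print(classify(sample))
```

Keys and values are URL-decoded before matching, so percent-encoded brackets in the cookie name still hit the same indicators.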

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 7.5 | HIGH
vendor_debian | 7.5 | HIGH