cbcvebase.
CVE-2007-0233
published 2007-01-13

CVE-2007-0233: wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an…

PriorityP347high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
11.04%
95.4th percentile
wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress.

Affected

24 ranges
VendorProductVersion rangeFixed in
debianwordpress< wordpress 2.1.0-1 (bookworm)wordpress 2.1.0-1 (bookworm)
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress
wordpresswordpress>= 0 < 2.1.0-12.1.0-1
wordpresswordpress>= 0 < 2.1.0-12.1.0-1
wordpresswordpress>= 0 < 2.1.0-12.1.0-1
wordpresswordpress>= 0 < 2.1.0-12.1.0-1

CVSS provenance

nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.3CRITICAL
vendor_debian9.3LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.