Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2007-1277: Improper Input Validation in WordPress

Severity: 7.5 HIGH (NVD)
EPSS: 84.9% (top 0.65%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Mar 5
Latest update: May 1

Description

WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages: 2 packages

🔴 Vulnerability Details (1)

GHSA: GHSA-vp78-84m4-9r4q: WordPress 2 (2022-05-01)

💥 Exploits & PoCs (2)

Exploit-DB: WordPress Core 2.1.1 - Arbitrary Command Execution (2007-03-02)
Exploit-DB: WordPress Core 2.1.1 - '/wp-includes/theme.php?iz' Arbitrary Command Execution (2007-03-02)

📋 Vendor Advisories (1)

Debian: CVE-2007-1277: wordpress - WordPress 2.1.1, as downloaded from some official distribution sites during Febr... (2007)
CVE-2007-1277 — Improper Input Validation in WordPress | cvebase