CVE-2007-1277
published 2007-03-05


Priority: P3 51
Severity: high (CVSS 2.0 base score 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Flags: EXPLOIT
EPSS: 27.01% (97.8th percentile)
WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php.

Affected (2 ranges)

Vendor       Product     Version range   Fixed in
debian       wordpress   -               -
wordpress    wordpress   -               -

Detection & IOCs (extracted from sources)

path: wp-includes/feed.php
path: wp-includes/theme.php
url: http://www.example.com/wp-includes/feed.php?ix=phpinfo();
url: http://www.example.com/wp-includes/theme.php?iz=cat /etc/passwd
  • Monitor HTTP requests targeting wp-includes/feed.php with an 'ix' query parameter — this parameter is passed to eval() and enables arbitrary PHP code injection.
  • Monitor HTTP requests targeting wp-includes/theme.php with an 'iz' query parameter — this parameter is passed to passthru() and enables arbitrary OS command execution.
  • This backdoor was introduced into the official WordPress 2.1.1 distribution during February and March 2007; file integrity checks on wp-includes/feed.php and wp-includes/theme.php against known-good hashes are a key detection method.
  • The backdoor is a supply-chain compromise — the attacker altered the upstream source code. Treat any WordPress 2.1.1 installation as fully compromised regardless of apparent normal operation.
  • The vulnerability is exclusive to WordPress 2.1.1 distributed via certain official mirrors during a specific window; other versions are not affected by this backdoor.
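One way to act on the two monitoring bullets above, as an added example that is not taken from this record or from any vendor's detection rule: a small Python scanner that parses Common Log Format access-log lines and flags requests that reach either backdoored script with its trigger parameter. The log lines are constructed samples, and the install-prefix handling (e.g. /blog/wp-includes/...) is an assumption about typical deployments.

```python
import re
from urllib.parse import urlsplit, parse_qs

# CVE-2007-1277: in the backdoored WordPress 2.1.1, the 'ix' query parameter
# of wp-includes/feed.php reaches eval() and the 'iz' parameter of
# wp-includes/theme.php reaches passthru(). Map script -> trigger parameter.
BACKDOOR_PARAMS = {
    "wp-includes/feed.php": "ix",
    "wp-includes/theme.php": "iz",
}

# Common Log Format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def match_backdoor_request(line):
    """Return (client_ip, script, parameter, decoded_value) when the line
    requests a backdoored script with its trigger parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lstrip("/")
    for script, param in BACKDOOR_PARAMS.items():
        # Accept any install prefix (assumption), e.g. /blog/wp-includes/feed.php
        if path == script or path.endswith("/" + script):
            # keep_blank_values: even an empty 'ix=' still hits the eval() path
            qs = parse_qs(parts.query, keep_blank_values=True)
            if param in qs:
                return (m.group("ip"), script, param, qs[param][0])
    return None

def scan_log(lines):
    """Return all backdoor-trigger hits found in an iterable of log lines."""
    return [hit for hit in (match_backdoor_request(l) for l in lines) if hit]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Mar/2007:10:01:02 +0000] "GET /wp-includes/feed.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Mar/2007:10:02:15 +0000] "GET /blog/wp-includes/feed.php?ix=phpinfo%28%29%3B HTTP/1.1" 200 9042',
    '203.0.113.5 - - [06/Mar/2007:10:02:40 +0000] "GET /wp-includes/theme.php?iz=id HTTP/1.1" 200 88',
    '192.0.2.9 - - [06/Mar/2007:10:03:01 +0000] "GET /index.php?ix=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, script, param, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} -> {script} {param}={value!r}")
```

Percent-encoded values are decoded before reporting, so an encoded `ix=phpinfo%28%29%3B` surfaces as the plain `phpinfo();` seen in the IOC above. A request to an unrelated script carrying an `ix` parameter is deliberately not flagged.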

CVSS provenance

nvd: CVSS v2.0 7.5 HIGH, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_debian: 7.5 LOW