CVE-2007-1277
Published: 2007-03-05
CVE-2007-1277: WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows…
Priority: P3 · 51 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 27.01% (97.8th percentile)
WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | — | — |
| wordpress | wordpress | — | — |
Detection & IOCs
- Monitor HTTP requests targeting wp-includes/feed.php with an 'ix' query parameter: this parameter is passed to eval() and enables arbitrary PHP code injection.
- Monitor HTTP requests targeting wp-includes/theme.php with an 'iz' query parameter: this parameter is passed to passthru() and enables arbitrary OS command execution.
- This backdoor was introduced into the official WordPress 2.1.1 distribution during February and March 2007; file integrity checks on wp-includes/feed.php and wp-includes/theme.php against known-good hashes are a key detection method.
- The backdoor is a supply-chain compromise: the attacker altered the upstream source code. Treat any WordPress 2.1.1 installation as fully compromised regardless of apparent normal operation.
- The vulnerability is exclusive to WordPress 2.1.1 distributed via certain official mirrors during a specific window; other versions are not affected by this backdoor.
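The two request-monitoring checks above, as an added example (not code from this page or from WordPress): a Python scan of web-server access logs for the `ix` and `iz` parameters on the two backdoored files. The combined log format, the sample lines and the function names are assumptions; access logs show only the query string, so that is all this inspects.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Backdoored file -> query parameter, as named in the CVE description.
BACKDOOR_PARAMS = {"wp-includes/feed.php": "ix", "wp-includes/theme.php": "iz"}

# Assumed input: Apache/nginx "combined" access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2007:10:01:02 +0000] "GET /wp-includes/feed.php?ix=phpinfo()%3B HTTP/1.1" 200 5120',
    '192.0.2.10 - - [03/Mar/2007:10:01:09 +0000] "GET /blog//WP-Includes/theme.php?a=1&%69z=cat+/etc/passwd HTTP/1.1" 200 812',
    '198.51.100.7 - - [03/Mar/2007:10:02:00 +0000] "GET /?feed=rss2 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [03/Mar/2007:10:02:05 +0000] "GET /wp-includes/feed.php HTTP/1.1" 200 0',
    '198.51.100.9 - - [03/Mar/2007:10:03:00 +0000] "GET /index.php?ix=1 HTTP/1.1" 200 900',
]

def match_backdoor_request(target):
    """Return (file, param, value) when a request target carries a backdoor parameter."""
    raw_path, _, raw_query = target.partition("?")
    # Decode and normalise so /blog//WP-Includes/theme.php still matches.
    path = posixpath.normpath(unquote(raw_path)).lower()
    # parse_qs also decodes parameter names, so %69z is seen as iz.
    query = parse_qs(raw_query, keep_blank_values=True)
    for suffix, param in BACKDOOR_PARAMS.items():
        if path.endswith("/" + suffix) and param in query:
            return suffix, param, query[param][0]
    return None

def scan(lines):
    """Return one dict per log line that requests a backdoored file with its parameter."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        found = match_backdoor_request(m["target"]) if m else None
        if found:
            hits.append({"line": lineno, "ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "file": found[0],
                         "param": found[1], "value": found[2]})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit shows that the request was made; whether the installation is the backdoored 2.1.1 build is settled by the file integrity check on the two files.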
CVSS provenance
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_debian · 7.5 · LOW
GHSA
GHSA-vp78-84m4-9r4q: WordPress 2
ghsa_unreviewed·2022-05-01
CVE-2007-1277 [HIGH] CWE-20 GHSA-vp78-84m4-9r4q: WordPress 2
Debian
CVE-2007-1277: wordpress - WordPress 2.1.1, as downloaded from some official distribution sites during Febr...
vendor_debian·2007·CVSS 7.5
CVE-2007-1277 [HIGH] CVE-2007-1277: wordpress - WordPress 2.1.1, as downloaded from some official distribution sites during Febr...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
Exploit-DB
WordPress Core 2.1.1 - Arbitrary Command Execution
exploitdb·2007-03-02
---
source: https://www.securityfocus.com/bid/22797/info
An attacker compromised the source code for WordPress 2.1.1 and altered it to include a malicious backdoor. This backdoor introduces a code-execution vulnerability that will let remote users inject PHP code or execute operating system commands.
The vendor has acknowledged this vulnerability and recommends that all users who have installed version 2.1.1 upgrade to version 2.1.2 or later. This issue appears limited to the 2.1.1 release.
http://www.example.com/wp-includes/feed.php?ix=phpinfo();
Exploit-DB
WordPress Core 2.1.1 - '/wp-includes/theme.php?iz' Arbitrary Command Execution
exploitdb·2007-03-02
---
source: https://www.securityfocus.com/bid/22797/info
http://www.example.com/wp-includes/theme.php?iz=cat /etc/passwd
No writeups or analysis indexed.
- http://ifsec.blogspot.com/2007/03/wordpress-code-compromised-to-enable.html
- http://secunia.com/advisories/24374
- http://wordpress.org/development/2007/03/upgrade-212/
- http://www.kb.cert.org/vuls/id/214480
- http://www.kb.cert.org/vuls/id/641456
- http://www.securityfocus.com/archive/1/461794/100/0/threaded
- http://www.securityfocus.com/bid/22797
- http://www.vupen.com/english/advisories/2007/0812
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32804
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32807
Published: 2007-03-05