CVE-2007-1897
Published: 2007-04-09
Priority: P3 · 39
Severity: medium, 6.5 (CVSS 2.0), vector AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: public exploit referenced (see references below)
EPSS: 7.17% (93.5th percentile)
SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable.
Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 2.2.1-1 (bookworm) | wordpress 2.2.1-1 (bookworm) |
| debian | wordpress | < wordpress 2.1.3-1 (bookworm) | wordpress 2.1.3-1 (bookworm) |
| wordpress | wordpress | <= 2.1.2 | — |
| wordpress | wordpress | >= 0 < 2.2.1-1 | 2.2.1-1 |
| wordpress | wordpress | >= 0 < 2.1.3-1 | 2.1.3-1 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
Debian: CVE-2007-3140 [MEDIUM] (vendor_debian · 2007 · CVSS 6.5)
SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897.
Scope: local
bookworm: resolved (fixed in 2.2.1-1)
bullseye: resolved (fixed in 2.2.1-1)
forky: resolved (fixed in 2.2.1-1)
sid: resolved (fixed in 2.2.1-1)
trixie: resolved (fixed in 2.2.1-1)
Debian: CVE-2007-1897 [MEDIUM] (vendor_debian · 2007 · CVSS 6.5)
SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable.
Scope: local
bookworm: resolved (fixed in 2.1.3-1)
bullseye: resolved (fixed in 2.1.3-1)
forky: resolved (fixed in 2.1.3-1)
sid: resolved (fixed in 2.1.3-1)
trixie: resolved (fixed in 2.1.3-1)
GHSA: GHSA-pp8c-8h35-cghc for CVE-2007-1897 [MEDIUM] CWE-89 (ghsa_unreviewed · 2022-05-01)
SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable.
GHSA: GHSA-m425-pqwf-xvhx for CVE-2007-3140 [MEDIUM] (ghsa_unreviewed · 2022-05-01 · CVSS 6.5)
SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897.
OSV: CVE-2007-3140 [MEDIUM] (osv · 2007-06-08 · CVSS 6.5)
SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897.
OSV: CVE-2007-1897 [MEDIUM] (osv · 2007-04-09 · CVSS 6.5)
SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable.
No detection rules found.
References

- http://secunia.com/advisories/24751
- http://secunia.com/advisories/25108
- http://trac.wordpress.org/ticket/4091
- http://www.debian.org/security/2007/dsa-1285
- http://www.notsosecure.com/folder2/2007/04/03/wordpress-212-xmlrpc-security-issues/
- http://www.securityfocus.com/bid/23294
- http://www.vupen.com/english/advisories/2007/1245
- https://www.exploit-db.com/exploits/3656