CVE-2007-3544
published 2007-07-03

Priority: P4 / 28 / medium
CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
EPSS: 1.77% (75.3th percentile)

Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-3543.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 2.2.2-1 (bookworm) | wordpress 2.2.2-1 (bookworm) |
| wordpress | wordpress | <= 2.2.0 | |
| wordpress | wordpress | >= 0 < 2.2.2-1 | 2.2.2-1 |
| wordpress | wordpress | >= 0 < 2.2.2-1 | 2.2.2-1 |
| wordpress | wordpress | >= 0 < 2.2.2-1 | 2.2.2-1 |
| wordpress | wordpress | >= 0 < 2.2.2-1 | 2.2.2-1 |
| wordpress | wordpress_mu | <= 1.2.2 | |

CVSS provenance

nvd: v2.0, 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
osv: 6.0 MEDIUM
vendor_debian: 6.0 MEDIUM