CVE-2007-4894: SQL Injection in Wordpress

CWE-89: SQL Injection | 4 documents | 4 sources

Severity: 7.5 HIGH (NVD)
EPSS: 3.9% (top 11.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 14, 2007; latest update May 1, 2022

Description

Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XMLRPC interface, and other unspecified parameters related to "early database escaping" and missing validation of "query string like parameters."
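The description names the sink: a parameter of the XML-RPC method pingback.extensions.getPingbacks (post_type) that reaches a SQL query without escaping. What follows is an added example, not WordPress's xmlrpc.php or any code from this page: it models that pattern against a constructed in-memory SQLite schema (the posts/comments tables, column names, URLs and the payload string are all made up for the demonstration), showing the string-built query, what an injected post_type value does to it, and the hardened form that allow-lists post_type and binds both values as parameters.

```python
"""Model of the CVE-2007-4894 pattern: an XML-RPC parameter interpolated
into SQL, beside the parameterised, allow-listed fix.
Constructed example with an in-memory SQLite schema; not WordPress code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed tables loosely shaped like wp_posts / wp_comments.
    All rows are invented sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, post_type TEXT, title TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER,
                               comment_type TEXT, author_url TEXT);
        INSERT INTO posts VALUES
            (1, 'post',  'Hello world'),
            (2, 'page',  'About'),
            (3, 'draft', 'Unpublished notes');
        INSERT INTO comments VALUES
            (1, 1, 'pingback', 'http://a.example/'),
            (2, 1, 'comment',  'http://b.example/'),
            (3, 2, 'pingback', 'http://c.example/'),
            (4, 3, 'pingback', 'http://d.example/');
    """)
    return conn


def get_pingbacks_vulnerable(conn, post_id: int, post_type: str) -> list[str]:
    """Vulnerable pattern: post_type is spliced into the WHERE clause verbatim.
    post_id is cast to int, so post_type is the only attacker-controlled text."""
    query = (
        "SELECT c.author_url FROM comments c JOIN posts p ON p.id = c.post_id "
        "WHERE c.comment_type = 'pingback' AND p.id = {pid} "
        "AND p.post_type = '{ptype}' ORDER BY c.id"
    )
    sql = query.format(pid=int(post_id), ptype=post_type)
    return [row[0] for row in conn.execute(sql)]


# Parameterised statement shared by the two hardened variants below.
PINGBACK_SQL = (
    "SELECT c.author_url FROM comments c JOIN posts p ON p.id = c.post_id "
    "WHERE c.comment_type = 'pingback' AND p.id = ? AND p.post_type = ? "
    "ORDER BY c.id"
)

ALLOWED_POST_TYPES = frozenset({"post", "page"})  # constructed allow-list


def get_pingbacks_bound_only(conn, post_id: int, post_type: str) -> list[str]:
    """Binding alone neutralises the injection: the payload is compared as a
    literal post_type value and simply matches nothing."""
    return [row[0] for row in conn.execute(PINGBACK_SQL, (int(post_id), post_type))]


def get_pingbacks_fixed(conn, post_id: int, post_type: str) -> list[str]:
    """Hardened: validate post_type against an allow-list first (a "query
    string like" parameter should never be free text), then bind both values."""
    if post_type not in ALLOWED_POST_TYPES:
        raise ValueError(f"unexpected post_type: {post_type!r}")
    return get_pingbacks_bound_only(conn, post_id, post_type)


def run_demo() -> dict:
    """Run all three variants against the same data and return the results."""
    conn = make_db()
    payload = "post' OR '1'='1"  # constructed injection string
    results = {
        "benign": get_pingbacks_vulnerable(conn, 1, "post"),
        # AND binds tighter than OR, so the tail "OR '1'='1'" makes the whole
        # WHERE clause true: every comment row leaks, including the one on
        # the unpublished draft and the non-pingback comment.
        "injected": get_pingbacks_vulnerable(conn, 1, payload),
        "bound_only_payload": get_pingbacks_bound_only(conn, 1, payload),
        "fixed_benign": get_pingbacks_fixed(conn, 1, "post"),
    }
    try:
        get_pingbacks_fixed(conn, 1, payload)
        results["fixed_rejects_payload"] = False
    except ValueError:
        results["fixed_rejects_payload"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two hardened variants make the practitioner's point separately: parameter binding is what closes the injection, and the allow-list is defence in depth that turns an unexpected value into an error instead of a silent empty result.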

CVSS vector

CVSS v2: AV:N/AC:L/Au:N/C:P/I:P/A:P (Exploitability: 10.0 | Impact: 6.4)

Affected Packages (3 packages)

Debian (debian/wordpress): < wordpress 2.2.3-1 (bookworm)
Debian (wordpress/wordpress): < 2.2.3-1+3
NVD (wordpress/wordpress): 31 versions (+30 more)

Vulnerability Details (2)

GHSA: GHSA-7jph-c3pf-xgjr: Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 (2022-05-01)
OSV: CVE-2007-4894: Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 (2007-09-14)

Vendor Advisories (1)

Debian: CVE-2007-4894: wordpress - Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress m... (2007)
CVE-2007-4894 — SQL Injection in Debian Wordpress | cvebase