CVE-2008-5695
published 2008-12-19

Priority: P3 55 · high · 8.5 (CVSS 2.0)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 12.01% (95.6th percentile)

wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins.

Affected

7 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 2.3.2 (bookworm) | wordpress 2.3.2 (bookworm) |
| wordpress | wordpress | <= 2.3.2 | |
| wordpress | wordpress | >= 0 < 2.3.2 | 2.3.2 |
| wordpress | wordpress | >= 0 < 2.3.2 | 2.3.2 |
| wordpress | wordpress | >= 0 < 2.3.2 | 2.3.2 |
| wordpress | wordpress | >= 0 < 2.3.2 | 2.3.2 |
| wordpress | wordpress_mu | < 1.3.2 | 1.3.2 |

CVSS provenance

nvd: v2.0, 8.5 HIGH, AV:N/AC:M/Au:S/C:C/I:C/A:C
osv: 8.5 HIGH
vendor_debian: 8.5 LOW