VID 21373
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The WordPress program has a remote code execution vulnerability.
WordPress is a freely available PHP-based publishing program that uses a MySQL backend database. WordPress version 0.7 allows a remote attacker to include a malicious remote PHP file, caused by insufficient sanitization of user-supplied URI parameters. By sending a specially crafted request that sets the "abspath" variable to the 'links.all.php' module, a remote attacker could include a malicious remote PHP file and thereby execute arbitrary code.

* References:
http://securitytracker.com/alerts/2003/Jun/1006937.html
http://www.osvdb.org/displayvuln.php?osvdb_id=4610

* Platforms Affected:
Matthew Mullenweg, WordPress 0.7
Microsoft Windows Any version
Unix Any version
Linux Any version
Recommendation Upgrade to a version that fixes this vulnerability (0.72 RC1 or later), available from the WordPress Download Web page at http://wordpress.org/download/
Related URL (CVE)
Related URL 7785 (SecurityFocus)
Related URL 12204 (ISS)