CVE-2007-0107

WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7.

Published: Jan 9, 2007
Updated: Apr 13, 2023
CVE: CVE-2007-0107
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	-	2.0.5.x

http://osvdb.org/31579
http://secunia.com/advisories/23595
http://secunia.com/advisories/23741
http://security.gentoo.org/glsa/glsa-200701-10.xml
http://securityreason.com/securityalert/2112
http://wordpress.org/development/2007/01/wordpress-206/
http://www.hardened-php.net/advisory_022007.141.html
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.005.html
http://www.securityfocus.com/archive/1/456049/100/0/threaded
http://www.securityfocus.com/bid/21907
http://www.vupen.com/english/advisories/2007/0061
https://exchange.xforce.ibmcloud.com/vulnerabilities/31297

Vulnerability Database

289,697

CVE-2007-0107