CVE-2007-1277

WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php.

Published: Mar 5, 2007
Updated: Apr 13, 2023
CVE: CVE-2007-1277
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	2.1.1	2.1.1.x

http://ifsec.blogspot.com/2007/03/wordpress-code-compromised-to-enable.html
http://secunia.com/advisories/24374
http://wordpress.org/development/2007/03/upgrade-212/
http://www.kb.cert.org/vuls/id/214480
http://www.kb.cert.org/vuls/id/641456
http://www.securityfocus.com/archive/1/461794/100/0/threaded
http://www.securityfocus.com/bid/22797
http://www.vupen.com/english/advisories/2007/0812
https://exchange.xforce.ibmcloud.com/vulnerabilities/32804
https://exchange.xforce.ibmcloud.com/vulnerabilities/32807

Vulnerability Database

289,697

CVE-2007-1277