CVE-2007-0107

Description

WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7.

How to fix CVE-2007-0107

To remediate CVE-2007-0107, upgrade the affected package to a fixed version below.

• Debian/wordpress—upgrade to 2.0.6-1 or later

Is CVE-2007-0107 being exploited?

Moderate — EPSS is 6.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 2.0.6-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2007-0107