CVE-2007-0233
EPSS 11.2%
Description
wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress.
How to fix CVE-2007-0233
To remediate CVE-2007-0233, upgrade the affected package to a fixed version below.
- Debian/wordpress—upgrade to 2.1.0-1 or later
Is CVE-2007-0233 being exploited?
Moderate — EPSS is 11.2%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 2.1.0-1