WP 2.02 vulnerability

  • FrSIRT has posted the following information about a new vulnerability in WordPress 2.02 and previous versions:

    Advisory ID : FrSIRT/ADV-2006-1992
    Rated as : High Risk
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-05-26

    Technical Description

    A vulnerability has been identified in WordPress, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to input validation errors in the “wp-admin/profile.php” script that does not validate certain parameters before being written to PHP scripts in the “wp-content/cache/userlogins/” and “wp-content/cache/users/” directories, which could be exploited by malicious users to inject and execute arbitrary PHP code with the privileges of the web server.

    Note : An input validation error in the “vars.php” script when handling the “PC_REMOTE_ADDR” HTTP header could be exploited by attackers to spoof their IP addresses.

    Affected Products

    WordPress version 2.0.2 and prior


    The FrSIRT is not aware of any official supplied patch for this issue.



    Vulnerabilities reported by rgod
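
The advisory quoted above describes profile parameters being written, unvalidated, into PHP scripts under the cache directories. The PHP below is an added illustration of the general mitigation for that bug class, not WordPress code and not part of the post or the advisory: user-supplied fields are cached as JSON data and read back with a parser, so nothing in the cache is ever executed. The directory name, function names and sample profile are assumptions constructed for the example.

```php
<?php
// Added illustration, not WordPress code. All names here are hypothetical.
declare(strict_types=1);

const CACHE_DIR = __DIR__ . '/cache-example';   // hypothetical cache location

/** Map a cache key to a path; the key may only use a fixed character set. */
function cache_path(string $key): string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $key)) {
        throw new InvalidArgumentException('invalid cache key');
    }
    return CACHE_DIR . '/' . $key . '.json';    // data extension, never .php
}

/** Store profile fields as JSON so they are parsed as data, never run as code. */
function cache_put(string $key, array $profile): void
{
    $path = cache_path($key);                   // reject bad keys before any write
    if (!is_dir(CACHE_DIR) && !mkdir(CACHE_DIR, 0700, true)) {
        throw new RuntimeException('cannot create cache directory');
    }
    $json = json_encode($profile, JSON_THROW_ON_ERROR);
    $tmp  = tempnam(CACHE_DIR, 'tmp');
    if ($tmp === false || file_put_contents($tmp, $json, LOCK_EX) === false) {
        throw new RuntimeException('cannot write cache entry');
    }
    if (!rename($tmp, $path)) {                 // replace the entry in one step
        throw new RuntimeException('cannot publish cache entry');
    }
}

/** Read an entry with json_decode(); include/require is never used on cache files. */
function cache_get(string $key): ?array
{
    $path = cache_path($key);
    $raw  = is_file($path) ? file_get_contents($path) : false;
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed sample input: a profile field containing PHP tags stays inert text.
$profile = ['user_login' => 'alice', 'display_name' => 'alice <?php echo 1; ?>'];
cache_put('user_42', $profile);
var_dump(cache_get('user_42') === $profile);
```

Denying script execution for the cache directory at the web-server level complements this, since it also covers files that reach the directory by other means.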
