CVE-2006-2667
WordPress < 2.0.2 - Remote Code Execution via Profile Update Displayname Injection
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2006-2667. PoCs published by rgod.
AI-analyzed exploit summary
This exploit targets WordPress <= 2.0.2 by injecting malicious PHP code into cached user profile files via the 'display_name' field. It leverages weak or empty MySQL DB passwords to predict cache filenames and execute arbitrary commands.
Description
Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ and (2) wp-content/cache/users/, which are later included by cache.php, as demonstrated using the displayname argument.