CVE-2007-1622

Wordpress - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Alexander Concha · htmlwebappsphp

https://www.exploit-db.com/exploits/29754

View Code ZIP pw:eip

References (7)

[Third Party Advisory] http://www.vupen.com/english/advisories/2007/1005

[Exploit, Patch, Vendor Advisory] http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/23027

[Third Party Advisory] http://secunia.com/advisories/25108

[Vendor Advisory] http://secunia.com/advisories/24567

[Third Party Advisory] http://www.debian.org/security/2007/dsa-1285

[Various Sources] http://sla.ckers.org/forum/read.php?2%2C7935#msg-8006

Scores

EPSS 0.0328

EPSS Percentile 87.2%

Details

Status published

Products (14)

wordpress/wordpress 2.0

wordpress/wordpress 2.0.1

wordpress/wordpress 2.0.2

wordpress/wordpress 2.0.3

wordpress/wordpress 2.0.4

wordpress/wordpress 2.0.5

wordpress/wordpress 2.0.6

wordpress/wordpress 2.0.7

wordpress/wordpress 2.0.10

wordpress/wordpress 2.0.10_rc1

... and 4 more

Published Mar 23, 2007

Tracked Since Feb 18, 2026