CVE-2007-1894
WordPress - Cross-Site Scripting via Year Parameter in wp_title Function
Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function.
References (9)
Core References
http://secunia.com/advisories/24485 (Patch, Vendor Advisory; third-party-advisory; x_refsource_secunia)
http://www.securityfocus.com/bid/22902 (Patch; vdb-entry; x_refsource_bid)
http://trac.wordpress.org/changeset/5003 (Product; x_refsource_confirm)
http://secunia.com/advisories/25108 (Third Party Advisory; third-party-advisory; x_refsource_secunia)
http://www.securityfocus.com/archive/1/462374/100/0/threaded (Third Party Advisory, VDB Entry; mailing-list; x_refsource_bugtraq)
http://trac.wordpress.org/ticket/4093 (Product; x_refsource_confirm)
http://securityreason.com/securityalert/2526 (Third Party Advisory; third-party-advisory; x_refsource_sreason)
http://www.debian.org/security/2007/dsa-1285 (Third Party Advisory; vendor-advisory; x_refsource_debian)
http://chxsecurity.org/advisories/adv-1-mid.txt (Vendor Advisory; x_refsource_misc)
Scores
EPSS: 0.0580
EPSS Percentile: 90.6%
Details
Status: published
Products (12)
wordpress/wordpress 2.0
wordpress/wordpress 2.0.1
wordpress/wordpress 2.0.2
wordpress/wordpress 2.0.3
wordpress/wordpress 2.0.4
wordpress/wordpress 2.0.5
wordpress/wordpress 2.0.6
wordpress/wordpress 2.0.7
wordpress/wordpress 2.1
wordpress/wordpress 2.1.1
... and 2 more
Published: Apr 09, 2007
Tracked Since: Feb 18, 2026