Description

WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7.

Remediation

References

CVE-2007-0107

Related Vulnerabilities

Oracle Application Server Other Vulnerability (CVE-2006-0552)

Apache HTTP Server Other Vulnerability (CVE-2003-0245)

WordPress Plugin Advance Menu Manager Cross-Site Request Forgery (2.9.6)

Collabtive Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-13655)

Serendipity Other Vulnerability (CVE-2015-6968)

Severity

Medium

Classification

CVE-2007-0107

Tags

Missing Update Known Vulnerabilities