VDB
CVE-2006-2667
CVE-2006-2667
PUBLISHED
CVSS 7.5 HIGH
Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ (2) wp-content/cache/users/ which are later included by cache.php, as demonstrated using the displayname argument.
EPSS 32.19% · 96.9th percentile
Risk Scores
CVSS 2.0
7.5
EPSS Score
32.19%
96.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| wordpress | wordpress | 0 |
Timeline
- May 30, 2006 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 3, 2023 EPSS Score
- May 11, 2023 EPSS Score
- Jul 17, 2023 EPSS Score
- Sep 8, 2023 EPSS Score
References
- 20271 third-party-advisory
- 25777 vdb
- ADV-2006-1992 vdb
- 20608 third-party-advisory
- GLSA-200606-08 vendor-advisory
- 18372 vdb
- wordpress-user-profile-code-injection(26687) vdb
- http://retrogod.altervista.org/wordpress_202_xpl.html url
- 20060525 Wordpress <=2.0.2 'cache' shell injection mailing-list
- https://nvd.nist.gov/vuln/detail/CVE-2006-2667 advisory