WordPress fails to properly sanitize input to the iz parameter in wp-includes/theme.php, which could allow a remote, unauthenticated attacker to execute arbitrary commands.
WordPress is a blogging application that is written in PHP. WordPress 2.1.1 fails to properly sanitize input to the iz parameter in wp-includes/theme.php. Commands that are passed to the iz parameter are executed by the WordPress server.
A remote, unauthenticated attacker may be able to execute arbitrary commands on a vulnerable WordPress system.
Apply an update
This issue is addressed in WordPress 2.1.2.
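One way to review web server access logs for requests that carried the iz parameter, as an added example that is not part of the original advisory. It assumes Combined Log Format and that the parameter arrives in the URL query string (the advisory does not say how it is delivered, and POST bodies do not appear in access logs); the log lines are constructed samples and `find_iz_requests` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

SUSPECT_PARAM = "iz"  # parameter named in the advisory

# Constructed sample lines (not real traffic); parameter values are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Mar/2007:10:01:02 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2007:10:03:44 +0000] "GET /index.php?iz=PLACEHOLDER HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [04/Mar/2007:10:03:51 +0000] "GET /?cat=3&%69%7a=PLACEHOLDER HTTP/1.1" 200 298 "-" "-"
192.0.2.10 - - [04/Mar/2007:10:05:00 +0000] "GET /?size=large HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is malformed and is skipped
"""

def find_iz_requests(log_text, param=SUSPECT_PARAM):
    """Return one dict per request whose query string carries `param`."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes names, so an encoded name still matches,
        # and exact-name matching avoids false hits on e.g. "size".
        # keep_blank_values also catches an empty "iz=".
        params = parse_qs(query, keep_blank_values=True)
        if param in params:
            hits.append({"line": lineno, "ip": m["ip"], "time": m["time"],
                         "target": m["target"], "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_iz_requests(SAMPLE_LOG):
        print(hit)
```
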
This vulnerability was reported by Ivan Fratric.
This document was written by Will Dormann.
Date First Published: 2007-03-05
Date Last Updated: 2007-03-07 16:01 UTC