CVE Vulnerability

CVE-2007-3238

Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability.

6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

References
Link Resource
http://blogsecurity.net/wordpress/news/news-100607-1/
http://codex.wordpress.org/Roles_and_Capabilities
http://www.xssnews.com/
http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm/
http://securityreason.com/securityalert/2807
http://www.debian.org/security/2008/dsa-1502
http://secunia.com/advisories/29014
http://www.securityfocus.com/bid/25161
http://osvdb.org/37293
http://secunia.com/advisories/25541/
https://exchange.xforce.ibmcloud.com/vulnerabilities/34785
http://www.securityfocus.com/archive/1/470837/100/0/threaded
Configurations

Configuration 1

cpe:2.3:a:wordpress:wordpress:2.2:*:*:*:*:*:*:*
Information

Published : 2007-06-15 01:30

Updated : 2018-10-16 04:47

NVD link : CVE-2007-3238

Mitre link : CVE-2007-3238

Products Affected
No products.
CWE
NVD-CWE-Other