Launchpad.net

CVE 2007-0107

WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7.

Related bugs and status

CVE-2007-0107 (Candidate) is related to these bugs:

Bug #78145: XSS and SQL injections

		In	Importance	Status
78145	XSS and SQL injections	wordpress (Ubuntu)	Undecided	Fix Released
78145	XSS and SQL injections	wordpress (Ubuntu Dapper)	Undecided	Confirmed
78145	XSS and SQL injections	wordpress (Ubuntu Edgy)	Undecided	Confirmed
78145	XSS and SQL injections	wordpress (Ubuntu Feisty)	Undecided	Fix Released
78145	XSS and SQL injections	wordpress (Debian)	Unknown	Fix Released

Bug #89654: wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs

		In	Importance	Status
89654	wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs	wordpress (Ubuntu)	Undecided	Fix Released
89654	wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs	wordpress (Ubuntu Dapper)	Undecided	Won't Fix
89654	wordpress in Edgy/Dapper has an unsettlingly large number of unfixed CVEs	wordpress (Ubuntu Edgy)	Undecided	Won't Fix

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2007-0107

Related bugs and status

Related bugs

References