[VIM] Vendor ACK for PHPWordPress

Steven M. Christey coley at mitre.org
Sun Jan 15 01:57:03 EST 2006

Re: CVE-2005-3844

CONFIRM: http://forum.word-press.net/index.php?&showtopic=76&st=0&#entry181

  A critical vulnerability has been found in phpWordPress, which can
  be exploited by malicious people to conduct SQL injection attacks.

  The vulnerability allows attackers to manipulate input passed to the
  "poll", "category", and "ctg" parameters in "index.php". This can be
  exploited to manipulate SQL queries by injecting arbitrary SQL code.

- Steve

Name: CVE-2005-3844
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3844
Reference: MISC:http://pridels.blogspot.com/2005/11/phpwordpress-30-sql-inj.html
Reference: FRSIRT:ADV-2005-2594
Reference: URL:http://www.frsirt.com/english/advisories/2005/2594
Reference: SECUNIA:17733
Reference: URL:http://secunia.com/advisories/17733

SQL injection vulnerability in phpWordPress PHP News and Article
Manager 3.0 allows remote attackers to execute arbitrary SQL commands
via the (1) poll and (2) category parameters to index.php, and (3) the
ctg parameter in an archive action.

More information about the VIM mailing list