CVE-2007-1049

Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable.

Affected Software

Name	Vendor	Start Version	End Version
Wordpress	Wordpress	0.6.2-beta_2 (including)	0.6.2-beta_2 (including)
Wordpress	Wordpress	0.6.2.1-beta_2 (including)	0.6.2.1-beta_2 (including)
Wordpress	Wordpress	0.7 (including)	0.7 (including)
Wordpress	Wordpress	0.71 (including)	0.71 (including)
Wordpress	Wordpress	1.2.2 (including)	1.2.2 (including)
Wordpress	Wordpress	1.5 (including)	1.5 (including)
Wordpress	Wordpress	1.5.1 (including)	1.5.1 (including)
Wordpress	Wordpress	1.5.1.2 (including)	1.5.1.2 (including)
Wordpress	Wordpress	1.5.1.3 (including)	1.5.1.3 (including)
Wordpress	Wordpress	1.5.2 (including)	1.5.2 (including)
Wordpress	Wordpress	2.0 (including)	2.0 (including)
Wordpress	Wordpress	2.0.1 (including)	2.0.1 (including)
Wordpress	Wordpress	2.0.2 (including)	2.0.2 (including)
Wordpress	Wordpress	2.0.3 (including)	2.0.3 (including)
Wordpress	Wordpress	2.0.4 (including)	2.0.4 (including)
Wordpress	Wordpress	2.0.5 (including)	2.0.5 (including)
Wordpress	Wordpress	2.0.6 (including)	2.0.6 (including)
Wordpress	Wordpress	2.0.7 (including)	2.0.7 (including)
Wordpress	Ubuntu	dapper	*
Wordpress	Ubuntu	edgy	*
Wordpress	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2007-1049
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html

Affected Software

References