Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-3131-uvkj-vbb5
Vulnerability ID VCID-3131-uvkj-vbb5
Aliases CVE-2008-5695
Summary wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins.
Status Published
Exploitability 2.0
Weighted Severity 7.7
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-20 Improper Input Validation
System Score Found at
epss 0.16371 https://api.first.org/data/v1/epss?cve=CVE-2008-5695
epss 0.16371 https://api.first.org/data/v1/epss?cve=CVE-2008-5695
epss 0.16371 https://api.first.org/data/v1/epss?cve=CVE-2008-5695
epss 0.16371 https://api.first.org/data/v1/epss?cve=CVE-2008-5695
epss 0.16371 https://api.first.org/data/v1/epss?cve=CVE-2008-5695
epss 0.16371 https://api.first.org/data/v1/epss?cve=CVE-2008-5695
epss 0.16371 https://api.first.org/data/v1/epss?cve=CVE-2008-5695
epss 0.16371 https://api.first.org/data/v1/epss?cve=CVE-2008-5695
epss 0.16371 https://api.first.org/data/v1/epss?cve=CVE-2008-5695
cvssv2 8.5 https://nvd.nist.gov/vuln/detail/CVE-2008-5695
Reference id Reference type URL
http://mu.wordpress.org/forums/topic.php?id=7534&page&replies=1
https://api.first.org/data/v1/epss?cve=CVE-2008-5695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5695
http://secunia.com/advisories/28789
http://securityreason.com/securityalert/4798
https://www.exploit-db.com/exploits/5066
http://www.buayacorp.com/files/wordpress/wp-blog-option-overwrite.txt
http://www.securityfocus.com/bid/27633
510786 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510786
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress_mu:*:*:*:*:*:*:*:*
CVE-2008-5695 https://nvd.nist.gov/vuln/detail/CVE-2008-5695
OSVDB-41134;CVE-2008-5695 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/5066.php
OSVDB-41134;CVE-2008-5695 Exploit http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html
Data source Exploit-DB
Date added Feb. 4, 2008
Description WordPress MU < 1.3.2 - 'active_plugins' Code Execution
Ransomware campaign use Known
Source publication date Feb. 5, 2008
Exploit type webapps
Platform php
Source URL http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2008-5695
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Exploit Prediction Scoring System (EPSS)
Percentile 0.94826
EPSS Score 0.16371
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:30:31.266292+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0