Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-7qy9-e4j5-6fdb
Vulnerability ID VCID-7qy9-e4j5-6fdb
Aliases CVE-2007-0233
Summary wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress.
Status Published
Exploitability 2.0
Weighted Severity 6.8
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.11179 https://api.first.org/data/v1/epss?cve=CVE-2007-0233
epss 0.11179 https://api.first.org/data/v1/epss?cve=CVE-2007-0233
epss 0.11179 https://api.first.org/data/v1/epss?cve=CVE-2007-0233
epss 0.11179 https://api.first.org/data/v1/epss?cve=CVE-2007-0233
epss 0.11179 https://api.first.org/data/v1/epss?cve=CVE-2007-0233
epss 0.11179 https://api.first.org/data/v1/epss?cve=CVE-2007-0233
epss 0.11179 https://api.first.org/data/v1/epss?cve=CVE-2007-0233
epss 0.11179 https://api.first.org/data/v1/epss?cve=CVE-2007-0233
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2007-0233
Reference id Reference type URL
http://osvdb.org/36860
https://api.first.org/data/v1/epss?cve=CVE-2007-0233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0233
https://exchange.xforce.ibmcloud.com/vulnerabilities/31385
https://www.exploit-db.com/exploits/3109
http://www.securityfocus.com/bid/21983
cpe:2.3:a:wordpress:wordpress:0.6.2.1:beta_2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:0.6.2.1:beta_2:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.6.2:beta_2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:0.6.2:beta_2:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.7:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:0.7:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.71:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:0.71:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:1.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.2.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.2.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:1.5:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5.1.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:1.5.1.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5.1.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:1.5.1.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:2.0:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.5:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.6:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:2.0.6:*:*:*:*:*:*:*
CVE-2007-0233 https://nvd.nist.gov/vuln/detail/CVE-2007-0233
OSVDB-36860;CVE-2007-0233 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/3109.php
Data source Exploit-DB
Date added Jan. 9, 2007
Description WordPress Core 2.0.6 - 'wp-trackback.php' SQL Injection
Ransomware campaign use Known
Source publication date Jan. 10, 2007
Exploit type webapps
Platform php
Source update date Sept. 21, 2016
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2007-0233
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Exploit Prediction Scoring System (EPSS)
Percentile 0.93458
EPSS Score 0.11179
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:30:16.304431+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0