ThreatPress

WordPress Vulnerabilities Database


WordPress WP-Syntax Plugin <= 0.9.1 - Remote Command Execution

Product
WP Syntax
Description
WP-Syntax is the most popular WordPress plugin for providing clean syntax highlighting of source code embedded in pages or posts. It relies on the GeSHi library, which implements the highlighting itself by rendering the syntax of each supported language as HTML. The vulnerability is that a script shipped with the plugin can be executed outside the context of WordPress, and arbitrary code ends up being executed through a call to call_user_func_array(). Several valid sequences of function calls allow the execution of any code.
Solution
Update the plugin.
Classification
Type: Arbitrary Code Execution
References
Exploit-DB
CVE
Name: CVE-2009-2852
Versions
Affected In: <= 0.9.1
Fixed In: 0.9.2
Disclosure date
2009-08-27
Credits
Raz0r