CVE-2006-2667

Name of the Vulnerable Software and Affected Versions WordPress versions 2.0.2 and earlier

Description A direct static code injection issue allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile. This code is appended after a special comment sequence into files in wp-content/cache/userlogins/ and wp-content/cache/users/, which are later included by cache.php. The issue can be exploited using the displayname argument.

Recommendations For WordPress versions 2.0.2 and earlier, update to a version that contains a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the cache.php file and the wp-content/cache/ directory to minimize the risk of exploitation. Avoid using the displayname argument in profile updates until the issue is resolved.