CVE-2007-3543

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 2.2.1 WordPress MU versions prior to 1.2.3

Description The issue allows remote authenticated users to upload and execute arbitrary PHP code. This is achieved by making a post that specifies a .php filename in the wp attached file metadata field and then sending the file's content, along with its post ID value, to API endpoints such as "wp-app.php" or "app.php".

Recommendations For WordPress versions prior to 2.2.1, update to version 2.2.1 or later to resolve the issue. For WordPress MU versions prior to 1.2.3, update to version 1.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-app.php" and "app.php" API endpoints to minimize the risk of exploitation.