Unrated severityNVD Advisory· Published May 30, 2006· Updated Jun 16, 2026
CVE-2006-2667
CVE-2006-2667
Description
Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ (2) wp-content/cache/users/ which are later included by cache.php, as demonstrated using the displayname argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*range: <=2.0.2
- (no CPE)range: <=2.0.2
Patches
Vulnerability mechanics
References
9- secunia.com/advisories/20271nvdPatchVendor Advisory
- retrogod.altervista.org/wordpress_202_xpl.htmlnvdExploit
- secunia.com/advisories/20608nvd
- www.gentoo.org/security/en/glsa/glsa-200606-08.xmlnvd
- www.osvdb.org/25777nvd
- www.securityfocus.com/archive/1/435039/100/0/threadednvd
- www.securityfocus.com/bid/18372nvd
- www.vupen.com/english/advisories/2006/1992nvd
- exchange.xforce.ibmcloud.com/vulnerabilities/26687nvd
News mentions
0No linked articles in our index yet.