CVE-2009-2852 – WP Syntax < 0.9.10 - Remote Code Execution

https://notcve.org/view.php?id=CVE-2009-2852

WP-Syntax plugin 0.9.1 and earlier for Wordpress, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via the test_filter[wp_head] array parameter to test/index.php, which is used in a call to the call_user_func_array function. WP-Syntax plugin v0.9.1 y anteriores de Wordpress, que activan register_globals, permiten a atacantes remotos ejecutar código PHP a su elección a través del parámetro del array test_filter[wp_head]de test/index.php, que es usado en la llamada a la función call_user_func_array. WP-Syntax plugin 0.9.9 and earlier for Wordpress, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via the test_filter[wp_head] array parameter to test/index.php, which is used in a call to the call_user_func_array function. • https://www.exploit-db.com/exploits/9431 http://www.exploit-db.com/exploits/9431 http://www.securityfocus.com/bid/36040 http://www.vupen.com/english/advisories/2009/2456 https://exchange.xforce.ibmcloud.com/vulnerabilities/52457 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •