{"id":"CVE-2007-0233","details":"wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter.  NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress.","modified":"2026-04-10T03:38:39.888022Z","published":"2007-01-13T02:28:00Z","references":[{"type":"WEB","url":"http://osvdb.org/36860"},{"type":"WEB","url":"http://www.securityfocus.com/bid/21983"},{"type":"WEB","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/31385"},{"type":"WEB","url":"https://www.exploit-db.com/exploits/3109"}],"schema_version":"1.7.5"}