{"id":"CVE-2008-5695","details":"wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins.","modified":"2026-01-27T04:09:25.872496Z","published":"2008-12-19T18:30:00Z","withdrawn":"2026-01-27T04:09:25.872496Z","references":[{"type":"ADVISORY","url":"http://mu.wordpress.org/forums/topic.php?id=7534&page&replies=1"},{"type":"ADVISORY","url":"http://secunia.com/advisories/28789"},{"type":"ADVISORY","url":"http://securityreason.com/securityalert/4798"},{"type":"EVIDENCE","url":"http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html"},{"type":"EVIDENCE","url":"http://www.buayacorp.com/files/wordpress/wp-blog-option-overwrite.txt"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/27633"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/5066"}],"schema_version":"1.7.3"}