http://www.milw0rm.com/exploits/3109 Reproducible: Didn't try
milw0rm is down; see this advisory PoC: http://www.securityfocus.com/archive/1/455927
Created attachment 106318: www-apps/wordpress (versions <= 2.0.6) wp-trackback.php Remote SQL Injection exploit
The first paste is wrong, I'm sorry. This attachment contains the milw0rm exploit for the wp-trackback.php Remote SQL Injection.
Fixed in 2.0.7, it seems: http://wordpress.org/development/2007/01/wordpress-207/
web-apps, pls update.
*** Bug 162302 has been marked as a duplicate of this bug. ***
2.0.7 in CVS
Security team, please vote. The exploit comments say: "(needs register_globals=on, 4 <= PHP < 4.4.3,< 5.1.4)" ---> trash. I vote No.
Agreed, closing.
From wordpress.org:
Here are the changes that have been made since 2.0.6:
* Security fix for wp_unregister_GLOBALS() to work around the zend_hash_del_key_or_index bug in PHP 4 versions less than 4.4.3 and PHP 5 versions less than 5.1.4 with register_globals set to “On.”
[...]