Common Vulnerabilities and Exposures assigned the identifier CVE-2007-6318 to the following vulnerability: SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the s parameter, when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other character set encodings that support a "\" in a multibyte character.

References:
- http://www.securityfocus.com/archive/1/archive/1/484828/100/0/threaded
- http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt
- http://www.securityfocus.com/bid/26795
- http://www.frsirt.com/english/advisories/2007/4172
- http://secunia.com/advisories/28005
- http://xforce.iss.net/xforce/xfdb/38959
This problem does not affect the default configuration; it only affects configurations with certain database character sets configured, currently confirmed with Big5 and GBK. Upstream bug report: http://trac.wordpress.org/ticket/5455
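The following is an added example, not code from WordPress or the advisory, showing in Python why byte-wise quote escaping fails under a charset such as GBK, where the backslash byte 0x5C can be the trailing byte of a multibyte character, and the charset-aware alternative that rejects such input. The sample bytes and the function names are constructed for this illustration.

```python
# Constructed sample: 0xBF is a valid GBK lead byte, but 0x27 (') is not a
# valid GBK trail byte, so these two bytes are an invalid GBK sequence.
SAMPLE = b"\xbf'"

QUOTE_CHARS = "'\"\\"


def naive_escape(data: bytes) -> bytes:
    """addslashes()-style, charset-blind escaping: prefix ' " and \\ with a
    backslash one byte at a time, without knowing the connection charset."""
    out = bytearray()
    for b in data:
        if chr(b) in QUOTE_CHARS:
            out.append(0x5C)  # insert a backslash before the byte
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str):
    """Decode strictly under the connection charset before escaping, so an
    invalid lead/trail pair is rejected (returns None) rather than having a
    backslash spliced in between its bytes."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None  # caller must reject the request, not pass it to SQL
    escaped = "".join("\\" + ch if ch in QUOTE_CHARS else ch for ch in text)
    return escaped.encode(charset)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes that remain unescaped once the escaped bytes are
    decoded under the connection charset, as a MySQL server using that
    charset would see them."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # the backslash consumes the next character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count
```

Under GBK the naive escaper turns the sample into 0xBF 0x5C 0x27, which decodes as one CJK character followed by a bare quote, while the charset-aware variant refuses the input.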