`<` and `>` are encoded as `+ADw-` and `+AD4-` in UTF-7. Now imagine the following:

- Someone sends `+ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4-` as comment text. It will pass all sanitation unescaped.
- The database expects and treats all incoming data as UTF-8. Since all UTF-7 streams are valid UTF-8 too, this will never result in a SQL error, and `mysql_real_escape` or `htmlspecialchars` will not touch it.
- WordPress sends a header `text/html;charset=utf-7`.
- WordPress displays the comment, expecting escaped data. But since this is treated as UTF-7 by the browser, the JavaScript will be executed.
So, yes, it is a security problem.
UTF-7 is not supported by all browsers; most will render the text as Windows-1252 (or whatever is the default encoding on their OS) or as UTF-8.
The main problem is: escaping will not work anymore.
Just changing the encoding value back is not a solution. A regular visitor can never change it, so you have to find the open door.
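The following is an added example, not part of the answer above or of WordPress itself. It reproduces the failure the answer describes (HTML escaping leaves the UTF-7 comment untouched, and a browser told `charset=utf-7` decodes it to markup) and then shows the two checks a site owner would actually run: a detector for UTF-7 shift sequences that decode to markup characters in stored content, and a check that the emitted `Content-Type` header pins the charset to UTF-8. The sample comment and header strings are constructed for the demo; the function names are my own.

```python
"""Added example: why output escaping alone does not survive a UTF-7 response
charset, plus two defensive checks. All sample strings are constructed."""
import html
import re

# Constructed sample: the comment text from the answer, as stored "as UTF-8".
SAMPLE_COMMENT = "+ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4-"

# UTF-7 "shifted" run: '+' followed by modified-base64 characters and an
# optional terminating '-'. Such a run in user content that decodes to markup
# characters is a strong signal of encoding confusion.
UTF7_SHIFT_RE = re.compile(r"\+[A-Za-z0-9+/]+-?")


def escaped_is_unchanged(text: str) -> bool:
    """True if htmlspecialchars-style escaping leaves the text untouched,
    i.e. the escaper sees nothing it considers dangerous."""
    return html.escape(text, quote=True) == text


def decode_as_utf7(text: str) -> str:
    """What a browser that honours 'charset=utf-7' would actually render."""
    return text.encode("ascii", errors="ignore").decode("utf-7")


def contains_utf7_markup(text: str) -> bool:
    """Defensive check for stored content: does any UTF-7 shift sequence
    decode to a character that output escaping would normally neutralise?"""
    for m in UTF7_SHIFT_RE.finditer(text):
        try:
            decoded = m.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            continue  # not a valid UTF-7 run; harmless text such as "a+b"
        if any(ch in decoded for ch in "<>\"'&"):
            return True
    return False


def content_type_charset_is_safe(header_value: str) -> bool:
    """Check the Content-Type header the site emits: the charset must be
    explicitly UTF-8 so the browser never guesses or accepts UTF-7."""
    m = re.search(r'charset\s*=\s*"?([\w-]+)"?', header_value, re.IGNORECASE)
    return bool(m) and m.group(1).lower() in ("utf-8", "utf8")


if __name__ == "__main__":
    print("escaping changed nothing:", escaped_is_unchanged(SAMPLE_COMMENT))
    print("browser with utf-7 sees :", decode_as_utf7(SAMPLE_COMMENT))
    print("flagged by detector     :", contains_utf7_markup(SAMPLE_COMMENT))
    print("utf-7 header acceptable :",
          content_type_charset_is_safe("text/html;charset=utf-7"))
    print("utf-8 header acceptable :",
          content_type_charset_is_safe("text/html; charset=UTF-8"))
```

The header check is the part that matters operationally: once the response is pinned to UTF-8, the stored `+ADw-` text is shown literally and the escaping layer works as intended. The content detector is useful for finding comments that were posted while the charset was wrong.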