Published: 30/01/2012 Updated: 11/04/2024

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

VMScore: 505

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and previous versions generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote malicious users to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective

Vulnerable Product	Search on Vulmon	Subscribe to Product
wordpress wordpress 3.0.5
wordpress wordpress 2.0.11
wordpress wordpress 2.8.6
wordpress wordpress 2.0
wordpress wordpress 2.1.1
wordpress wordpress 2.2.3
wordpress wordpress 2.0.2
wordpress wordpress 2.1
wordpress wordpress 2.0.6
wordpress wordpress 2.0.1
wordpress wordpress 2.8.4
wordpress wordpress 2.0.4
wordpress wordpress 3.0.2
wordpress wordpress 3.2.1
wordpress wordpress 0.711
wordpress wordpress 3.1.4
wordpress wordpress 2.2
wordpress wordpress 1.2.1
wordpress wordpress 0.7
wordpress wordpress 2.1.3
wordpress wordpress 3.0
wordpress wordpress 2.8
wordpress wordpress 2.0.7
wordpress wordpress 2.1.2
wordpress wordpress 3.0.1
wordpress wordpress 2.7.1
wordpress wordpress 0.71
wordpress wordpress 2.6.3
wordpress wordpress 2.0.5
wordpress wordpress 2.8.3
wordpress wordpress 2.6.5
wordpress wordpress 3.1.3
wordpress wordpress 2.2.2
wordpress wordpress 2.3.3
wordpress wordpress 2.0.9
wordpress wordpress 2.8.1
wordpress wordpress 2.2.1
wordpress wordpress 2.7
wordpress wordpress 1.5.2
wordpress wordpress
wordpress wordpress 1.0.1
wordpress wordpress 0.72
wordpress wordpress 3.0.4
wordpress wordpress 2.6.2
wordpress wordpress 2.9
wordpress wordpress 3.1
wordpress wordpress 2.3.1
wordpress wordpress 1.0.2
wordpress wordpress 2.5.1
wordpress wordpress 2.0.3
wordpress wordpress 2.6.1
wordpress wordpress 1.5.1.2
wordpress wordpress 3.1.2
wordpress wordpress 1.2
wordpress wordpress 3.0.6
wordpress wordpress 2.9.2
wordpress wordpress 2.5
wordpress wordpress 3.1.1
wordpress wordpress 1.2.2
wordpress wordpress 2.0.10
wordpress wordpress 2.9.1
wordpress wordpress 1.0
wordpress wordpress 3.3
wordpress wordpress 1.5
wordpress wordpress 2.8.2
wordpress wordpress 1.5.1
wordpress wordpress 3.0.3
wordpress wordpress 1.5.1.3
wordpress wordpress 2.3.2
wordpress wordpress 2.6
wordpress wordpress 2.8.5
wordpress wordpress 2.0.8
wordpress wordpress 2.3

Trustwave's SpiderLabs Security Advisory TWSL2012-002: Multiple Vulnerabilities in WordPress wwwtrustwavecom/spiderlabs/advisories/TWSL2012-002txt Published: 1/24/12 Version: 10 Vendor: WordPress (wordpressorg/) Product: WordPress Version affected: 331 and prior Product description: WordPress is a free and open source blog ...

WordPress versions 331 and below suffer from MySQL username/password disclosure, PHP code execution and cross site scripting vulnerabilities ...

CWE-200 http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html http://www.exploit-db.com/exploits/18417 https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt https://nvd.nist.gov https://www.exploit-db.com/exploits/18417/

CVE-2011-4898

Vulnerability Summary

Exploits

References

Vulmon Search

About

Products

Connect