4.3
CVSSv2

CVE-2012-0782

Published: 30/01/2012 Updated: 31/01/2012
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 435
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote malicious users to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance.

Affected Products

Vendor Product Versions
WordpressWordpress0.7, 0.71, 0.72, 0.711, 1.0, 1.0.1, 1.0.2, 1.2, 1.2.1, 1.2.2, 1.5, 1.5.1, 1.5.1.2, 1.5.1.3, 1.5.2, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2, 2.2.1, 2.2.2, 2.2.3, 2.3, 2.3.1, 2.3.2, 2.3.3, 2.5, 2.5.1, 2.6, 2.6.1, 2.6.2, 2.6.3, 2.6.5, 2.7, 2.7.1, 2.8, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.9, 2.9.1, 2.9.2, 3.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.1, 3.3, 3.3.1

Exploits

Trustwave's SpiderLabs Security Advisory TWSL2012-002: Multiple Vulnerabilities in WordPress wwwtrustwavecom/spiderlabs/advisories/TWSL2012-002txt Published: 1/24/12 Version: 10 Vendor: WordPress (wordpressorg/) Product: WordPress Version affected: 331 and prior Product description: WordPress is a free and open source blog ...

Mailing Lists

WordPress versions 331 and below suffer from MySQL username/password disclosure, PHP code execution and cross site scripting vulnerabilities ...