ID CVE-2009-2335
Summary WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
References
Vulnerable Configurations
CVSS
Base: 5.0 (as of 13-07-2009 - 11:02)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
Vector: NETWORK | Complexity: LOW | Authentication: NONE
Impact
Confidentiality: PARTIAL | Integrity: NONE | Availability: NONE
exploit-db via4
  • description WordPress Block-Spam-By-Math-Reloaded Plugin - Bypass. CVE-2009-2335. Webapps exploit for php platform
    id EDB-ID:17702
    last seen 2016-02-02
    modified 2011-08-20
    published 2011-08-20
    reporter Tiago Ferreira and Heyder Andrade
    source https://www.exploit-db.com/download/17702/
    title WordPress Block-Spam-By-Math-Reloaded Plugin - Bypass
  • id EDB-ID:9110
metasploit via4
description WordPress Authentication Brute Force and User Enumeration Utility
id MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_LOGIN_ENUM
last seen 2019-03-23
modified 2018-06-14
published 2013-08-21
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_login_enum.rb
title WordPress Brute Force and User Enumeration Utility
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-8529.NASL
    description Update spans MU-versions for the following security releases from upstream: http://wordpress.org/development/2009/08/2-8-4-security-release/ http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/ - Backport of XSS fixes from WordPress 2.8.2 * Backport of security fixes for admin.php?page= bugs (CVE-2009-2334) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 40599
    published 2009-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40599
    title Fedora 11 : wordpress-mu-2.8.4a-1.fc11 (2009-8529)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-7729.NASL
    description - Fri Jul 10 2009 Adrian Reber - 2.8.1-1 - updated to 2.8.1 for security fixes - BZ 510745 - Mon Jun 22 2009 Adrian Reber - 2.8-1 - updated to 2.8 - Wed Feb 25 2009 Fedora Release Engineering - 2.7.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - Wed Feb 11 2009 Adrian Reber - 2.7.1-1 - updated to 2.7.1 - Wed Nov 26 2008 Adrian Reber - 2.6.5-2 - updated to 2.6.5 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 39859
    published 2009-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39859
    title Fedora 10 : wordpress-2.8.1-1.fc10 (2009-7729)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-7701.NASL
    description - Fri Jul 10 2009 Adrian Reber - 2.8.1-1 - updated to 2.8.1 for security fixes - BZ 510745 - Mon Jun 22 2009 Adrian Reber - 2.8-1 - updated to 2.8 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 39856
    published 2009-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=39856
    title Fedora 11 : wordpress-2.8.1-1.fc11 (2009-7701)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-8538.NASL
    description Update spans MU-versions for the following security releases from upstream: http://wordpress.org/development/2009/08/2-8-4-security-release/ http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/ - Backport of XSS fixes from WordPress 2.8.2 * Backport of security fixes for admin.php?page= bugs (CVE-2009-2334) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 40601
    published 2009-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40601
    title Fedora 10 : wordpress-mu-2.8.4a-1.fc10 (2009-8538)
packetstorm via4
refmap via4
bid 35581
bugtraq 20090708 CORE-2009-01515 - WordPress Privileges Unchecked in admin.php and Multiple Information
exploit-db 9110
fedora
  • FEDORA-2009-7701
  • FEDORA-2009-7729
  • FEDORA-2009-8529
  • FEDORA-2009-8538
misc http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked
osvdb 55713
sectrack 1022528
vupen ADV-2009-1833
Last major update 19-08-2009 - 01:28
Published 10-07-2009 - 17:00
Last modified 08-11-2018 - 15:38