CVE-2009-2334

Currently unrated

Key Information:

Vendor: Wordpress
Status: WordPress; WordPress Mu
Vendor: CVE Published:; 10 July 2009

Summary

wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.

References

https://www.redhat.com/archives/fedora-package-announce/2...

vendor-advisoryx_refsource_FEDORA

http://corelabs.coresecurity.com/index.php?action=view&ty...

x_refsource_MISC

https://www.redhat.com/archives/fedora-package-announce/2...

vendor-advisoryx_refsource_FEDORA

EPSS Score

8% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Jul 10, 2009
Vulnerability Reserved
Jul 5, 2009