CVE-2009-2334
published 2009-07-10


Priority: P4 · 31 · medium
CVSS 2.0: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
EXPLOIT
EPSS: 6.26% (92.7th percentile)
wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.

Affected

91 ranges, showing 25

Vendor      Product     Version range                      Fixed in
debian      wordpress   < wordpress 2.8.3-1 (bookworm)     wordpress 2.8.3-1 (bookworm)
wordpress   wordpress   <= 2.7.1

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      4.9     MEDIUM     AV:N/AC:M/Au:S/C:P/I:P/A:N
osv                       4.9     MEDIUM
vendor_debian             4.9     LOW
vendor_redhat             4.9     MEDIUM