CVE-2009-2335
Published: 2009-07-10
Priority: P3 (48, medium) · CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploit: available
EPSS: 85.00% (99.7th percentile)
WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 2.8.3-1 (bookworm) | wordpress 2.8.3-1 (bookworm) |
| wordpress | wordpress | < 2.8.1 | 2.8.1 |
| wordpress | wordpress | >= 0 < 2.8.3-1 | 2.8.3-1 |
| wordpress | wordpress | >= 0 < 2.8.3-1 | 2.8.3-1 |
| wordpress | wordpress | >= 0 < 2.8.3-1 | 2.8.3-1 |
| wordpress | wordpress | >= 0 < 2.8.3-1 | 2.8.3-1 |
| wordpress | wordpress_mu | < 2.8.1 | 2.8.1 |
Detection & IOCs (extracted from sources)
- Flag high-volume POST requests to /wp-login.php with minimal password values (e.g., pwd=x) as indicative of automated username enumeration activity.
- Successful brute-force login is indicated by an HTTP 302 redirect response containing a Set-Cookie header matching 'wordpress_logged_in_'; alert on this pattern following repeated failed login attempts.
- Login and forgotten password pages facilitate valid username enumeration; monitor both wp-login.php POST requests and password-reset flows for differential responses that reveal account existence.
- The vendor disputes the significance of this username enumeration behavior, stating it is intentional for user convenience; the differential login error response is by design and will not be patched in affected versions.
- Usernames are also passively disclosed via HTML comments in page source, compounding the enumeration risk beyond the login page alone.
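The first two detection points above, implemented as an added example (this is not code from the page's sources or from WordPress). It runs over constructed proxy/WAF-style events that carry the request path, the form body, the response status and the Set-Cookie header; the event format, the IP addresses, the cookie values and the thresholds are assumptions, as is the rule that a failed WordPress login re-renders the form with a 200 and sets no `wordpress_logged_in_` cookie.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample events (not real traffic). A proxy or WAF that logs the
# POST body and the response headers is assumed; plain access logs lack both.
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "method": "POST", "path": "/wp-login.php",
     "body": "log=alice&pwd=x", "status": 200, "set_cookie": ""},
    {"src": "203.0.113.7", "method": "POST", "path": "/wp-login.php",
     "body": "log=bob&pwd=x", "status": 200, "set_cookie": ""},
    {"src": "203.0.113.7", "method": "POST", "path": "/wp-login.php",
     "body": "log=carol&pwd=x", "status": 200, "set_cookie": ""},
    {"src": "203.0.113.7", "method": "POST", "path": "/wp-login.php",
     "body": "log=admin&pwd=x", "status": 200, "set_cookie": ""},
    {"src": "203.0.113.7", "method": "POST", "path": "/wp-login.php",
     "body": "log=admin&pwd=Summer2009!", "status": 302,
     "set_cookie": "wordpress_logged_in_4f1a=admin%7C...; path=/"},
    {"src": "198.51.100.9", "method": "POST", "path": "/wp-login.php",
     "body": "log=editor&pwd=correct-horse-battery", "status": 302,
     "set_cookie": "wordpress_logged_in_4f1a=editor%7C...; path=/"},
    {"src": "198.51.100.9", "method": "GET", "path": "/wp-admin/",
     "body": "", "status": 200, "set_cookie": ""},
]

LOGIN_PATH = "/wp-login.php"
LOGGED_IN_COOKIE = re.compile(r"(^|;\s*)wordpress_logged_in_")
MAX_PROBE_PWD_LEN = 2          # "pwd=x"-style placeholder passwords (assumed threshold)
MIN_ENUM_POSTS = 3             # tiny-password POSTs per source before flagging (assumed)
MIN_FAILS_BEFORE_SUCCESS = 3   # failures preceding a success before flagging (assumed)


def pwd_length(body):
    """Length of the pwd field in a form-encoded body, or None if absent."""
    fields = parse_qs(body, keep_blank_values=True)
    return len(fields["pwd"][0]) if "pwd" in fields else None


def is_login_post(ev):
    return ev["method"] == "POST" and ev["path"] == LOGIN_PATH


def is_login_success(ev):
    """A successful login answers 302 and sets the logged-in cookie; a failed
    one re-renders the form (200) without it (assumption stated in the lead-in)."""
    return ev["status"] == 302 and LOGGED_IN_COOKIE.search(ev["set_cookie"]) is not None


def detect(events):
    """Return (rule, source_ip, detail) alerts for both detection points."""
    alerts = []
    probe_counts = defaultdict(int)   # tiny-password POSTs seen per source
    fail_streak = defaultdict(int)    # consecutive failed logins per source
    for ev in events:
        if not is_login_post(ev):
            continue
        src = ev["src"]
        plen = pwd_length(ev["body"])
        if plen is not None and plen <= MAX_PROBE_PWD_LEN:
            probe_counts[src] += 1
            if probe_counts[src] == MIN_ENUM_POSTS:   # alert once, when the threshold is crossed
                alerts.append(("username-enumeration", src,
                               f"{MIN_ENUM_POSTS} login POSTs with pwd of <= {MAX_PROBE_PWD_LEN} chars"))
        if is_login_success(ev):
            if fail_streak[src] >= MIN_FAILS_BEFORE_SUCCESS:
                alerts.append(("success-after-failures", src,
                               f"302 with wordpress_logged_in_ cookie after {fail_streak[src]} failures"))
            fail_streak[src] = 0
        else:
            fail_streak[src] += 1
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {src}: {detail}")
```

Against the constructed events the first source trips both rules (four one-character probes, then a 302 with the logged-in cookie after four failures), while the second source's single successful login raises nothing. In production the counters would be keyed on a time window rather than the whole event stream, and the enumeration rule should be combined with the password-reset flow mentioned in the third point, which this example does not cover.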
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | 5.0 | MEDIUM | |
| vendor_debian | 5.0 | LOW | |
| vendor_redhat | 5.0 | MEDIUM | |
Red Hat
wordpress: multiple vulnerabilities
vendor_redhat · 2009-07-08 · CVSS 5.0 (MEDIUM)
Debian
CVE-2009-2335: wordpress - WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed ...
vendor_debian · 2009 · CVSS 5.0 (MEDIUM)
Scope: local
bookworm: resolved (fixed in 2.8.3-1)
bullseye: resolved (fixed in 2.8.3-1)
forky: resolved (fixed in 2.8.3-1)
sid: resolved (fixed in 2.8.3-1)
trixie: resolved (fixed in 2.8.3-1)
GHSA
GHSA-4643-w74c-m4wv: WordPress and WordPress MU before 2
ghsa_unreviewed · 2022-05-02 · MEDIUM
OSV
CVE-2009-2335: WordPress and WordPress MU before 2
osv · 2009-07-10 · CVSS 5.0 (MEDIUM)
No detection rules found.
Exploit-DB
WordPress Plugin Block-Spam-By-Math-Reloaded - Bypass
exploitdb · 2011-08-20
---
```ruby
##
# $Id: wordpress_login_enum.rb 12196 2011-04-01 00:51:33Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 'Wordpress Brute Force and User Enumeration Utility',
      'Version'     => '$Revision: 12196 $',
      'Description' => 'Wordpress Authentication Brute Force and User Enumeration Utility',
      'Author'      => [
        'Alligator Security Team',
        'Tiago Ferreira ',
        'Heyder Andrade ' # Block-Spam-By-Math-Reloaded Bypass
      ],
      'References'  =>
        [
          ['BID', '35581'],
          ['CVE', '2009-2335'],
          ['OSVDB', '55713'],
        ],
      'License'     => MSF_
```
Exploit-DB
WordPress Core / MU / Plugins - '/admin.php' Privileges Unchecked / Multiple Information Disclosures
exploitdb · 2009-07-10 · CVSS 4.9 · CVE-2009-2334 [MEDIUM]
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures

1. *Advisory Information*

Title: WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures
Advisory ID: CORE-2009-0515
Advisory URL: http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked
Date published: 2009-07-08
Date of last update: 2009-07-08
Vendors contacted: WordPress
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Local file include, Privileges unchecked, Cross site
Metasploit
WordPress Brute Force and User Enumeration Utility
metasploit
WordPress Authentication Brute Force and User Enumeration Utility
References
- http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked
- http://securitytracker.com/id?1022528
- http://www.exploit-db.com/exploits/9110
- http://www.osvdb.org/55713
- http://www.securityfocus.com/archive/1/504795/100/0/threaded
- http://www.securityfocus.com/bid/35581
- http://www.vupen.com/english/advisories/2009/1833
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00597.html
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00608.html
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00632.html
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00676.html