cbcvebase.
CVE-2009-2335
published 2009-07-10


Priority: P3 · 48
CVSS 2.0: 5.0 medium · AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 85.00% (99.7th percentile)
WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

Affected (7 ranges)

Vendor      Product        Version range            Fixed in
debian      wordpress      < 2.8.3-1 (bookworm)     2.8.3-1 (bookworm)
wordpress   wordpress      < 2.8.1                  2.8.1
wordpress   wordpress      >= 0, < 2.8.3-1          2.8.3-1
wordpress   wordpress      >= 0, < 2.8.3-1          2.8.3-1
wordpress   wordpress      >= 0, < 2.8.3-1          2.8.3-1
wordpress   wordpress      >= 0, < 2.8.3-1          2.8.3-1
wordpress   wordpress_mu   < 2.8.1                  2.8.1

Detection & IOCs (extracted from sources)

path:     /wp-login.php
command:  POST /wp-login.php log=<user>&pwd=x&wp-submit=Login
cookie:   wordpress_logged_in_
  • Flag high-volume POST requests to /wp-login.php from a single source that cycle through many distinct log= values with a minimal or constant password (e.g., pwd=x). The attacker needs no valid password: the differing error text per username is the whole oracle, so a long run of distinct usernames paired with one junk password is the signature to look for.
  • A successful brute-force or credential-stuffing login shows as an HTTP 302 redirect whose Set-Cookie header matches 'wordpress_logged_in_' (a failed login re-renders the form instead); alert when such a 302 follows repeated failed login POSTs from the same source, especially one that was earlier seen enumerating.
  • Both the login page and the forgotten-password page reveal whether an account exists; monitor wp-login.php POST requests and the password-reset flow for differential responses that disclose account existence.
  • The vendor disputes the significance of this behavior, describing the differential login error as intentional "user convenience"; treat the enumeration as designed behavior on affected versions rather than an incidental bug, and rely on rate limiting and monitoring rather than on the error text changing.
  • Usernames are also passively disclosed through HTML comments in page source, so enumeration does not depend on the login page alone.
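The two detections above (many distinct usernames with a throwaway password from one source, and a wordpress_logged_in_ Set-Cookie on a 302 right after a run of failures) as an added, runnable example. This is editor-written code, not the page's or WordPress's own. It assumes a hypothetical reverse-proxy log in JSON-lines form that records the POST body and the response's Set-Cookie header (a plain access log carries neither), the constructed sample traffic below, and tunable thresholds chosen here for illustration; the cookie suffix (WordPress appends a per-site hash to wordpress_logged_in_) is made up.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample (not real traffic). Hypothetical proxy format: one JSON
# object per line with the request body and the joined Set-Cookie header.
# 203.0.113.5 cycles usernames with pwd=x; 198.51.100.7 fails three times
# then logs in; 192.0.2.10 is a legitimate user with one typo.
SAMPLE_LOG = """
{"ts":"2009-07-10T12:00:00","src":"203.0.113.5","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=admin&pwd=x&wp-submit=Login"}
{"ts":"2009-07-10T12:00:01","src":"203.0.113.5","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=editor&pwd=x&wp-submit=Login"}
{"ts":"2009-07-10T12:00:02","src":"203.0.113.5","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=author&pwd=x&wp-submit=Login"}
{"ts":"2009-07-10T12:00:03","src":"203.0.113.5","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=contributor&pwd=x&wp-submit=Login"}
{"ts":"2009-07-10T12:00:04","src":"203.0.113.5","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=subscriber&pwd=x&wp-submit=Login"}
{"ts":"2009-07-10T12:00:05","src":"203.0.113.5","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=test&pwd=x&wp-submit=Login"}
{"ts":"2009-07-10T12:05:00","src":"198.51.100.7","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=admin&pwd=password1&wp-submit=Login"}
{"ts":"2009-07-10T12:05:01","src":"198.51.100.7","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=admin&pwd=admin123&wp-submit=Login"}
{"ts":"2009-07-10T12:05:02","src":"198.51.100.7","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=admin&pwd=letmein&wp-submit=Login"}
{"ts":"2009-07-10T12:05:03","src":"198.51.100.7","method":"POST","path":"/wp-login.php","status":302,"set_cookie":"wordpress_logged_in_a1b2=admin%7C1247400000%7Cdeadbeef; path=/","body":"log=admin&pwd=Summer2009&wp-submit=Login"}
{"ts":"2009-07-10T12:10:00","src":"192.0.2.10","method":"POST","path":"/wp-login.php","status":200,"set_cookie":"","body":"log=alice&pwd=typo&wp-submit=Login"}
{"ts":"2009-07-10T12:10:05","src":"192.0.2.10","method":"POST","path":"/wp-login.php","status":302,"set_cookie":"wordpress_logged_in_a1b2=alice%7C1247400300%7Ccafebabe; path=/","body":"log=alice&pwd=correct-horse&wp-submit=Login"}
"""


def parse_log(text):
    """Parse JSON lines into events sorted by time, with log=/pwd= pulled out of the body."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        form = parse_qs(ev.get("body", ""))
        ev["user"] = form.get("log", [""])[0]
        ev["pwd"] = form.get("pwd", [""])[0]
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_login_post(ev):
    return ev["method"] == "POST" and ev["path"].endswith("/wp-login.php")


def detect_enumeration(events, window=timedelta(minutes=5), min_users=5, junk_len=2):
    """One source, many distinct log= values, a throwaway password, inside one window.
    Thresholds are illustrative assumptions; tune them to the site's real login volume."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for ev in filter(is_login_post, events):
        if len(ev["pwd"]) > junk_len:          # a real guess, not an enumeration probe
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # slide the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"src": ev["src"], "distinct_users": len(users),
                           "attempts": len(q), "last_ts": ev["ts"]})
    return alerts


def detect_bruteforce_success(events, window=timedelta(minutes=10), min_failures=3):
    """A 302 carrying wordpress_logged_in_ from a source that just accumulated repeated
    failed login POSTs (the failed-login page comes back as 200)."""
    alerts, failures = [], defaultdict(deque)
    for ev in filter(is_login_post, events):
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        # Several Set-Cookie headers may be joined by the proxy, so substring-match.
        logged_in = ev["status"] == 302 and "wordpress_logged_in_" in ev["set_cookie"]
        if logged_in:
            if len(q) >= min_failures:
                alerts.append({"src": ev["src"], "user": ev["user"],
                               "prior_failures": len(q), "ts": ev["ts"]})
            q.clear()
        elif ev["status"] == 200:
            q.append(ev["ts"])
    return alerts


def analyse(text):
    """Run both detectors over a log and return their alerts keyed by type."""
    events = parse_log(text)
    return {"enumeration": detect_enumeration(events),
            "bruteforce_success": detect_bruteforce_success(events)}


if __name__ == "__main__":
    for kind, found in analyse(SAMPLE_LOG).items():
        for a in found:
            print(kind, a)
```

On the sample, only 203.0.113.5 trips the enumeration rule (five distinct usernames with pwd=x) and only 198.51.100.7 trips the brute-force rule (three failures then a 302 with the login cookie); the legitimate user's single typo stays below both thresholds. The password-length filter is what separates enumeration from password guessing in the first detector, so a scanner that pads pwd= with a long junk string would need the distinct-username count alone to catch it.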

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
osv                       5.0     MEDIUM
vendor_debian             5.0     LOW
vendor_redhat             5.0     MEDIUM