CVE-2009-2336
published 2009-07-10


Priority: P434 (medium)
CVSS 2.0 base score: 5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit: flagged
EPSS: 5.41% (91.7th percentile)
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

Affected

7 ranges
Vendor      Product        Version range                       Fixed in
debian      wordpress      < wordpress 2.8.3-1 (bookworm)      wordpress 2.8.3-1 (bookworm)
wordpress   wordpress      < 2.8.1                             2.8.1
wordpress   wordpress      >= 0, < 2.8.3-1                     2.8.3-1
wordpress   wordpress      >= 0, < 2.8.3-1                     2.8.3-1
wordpress   wordpress      >= 0, < 2.8.3-1                     2.8.3-1
wordpress   wordpress      >= 0, < 2.8.3-1                     2.8.3-1
wordpress   wordpress_mu   < 2.8.1                             2.8.1

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             v2.0           5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
osv             -              5.0     MEDIUM     -
vendor_debian   -              5.0     LOW        -
vendor_redhat   -              5.0     MEDIUM     -