CVE-2009-2762
published 2009-08-13

Priority: P2 (59, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 19.64% (97.1st percentile)
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.

Affected

6 ranges

Vendor       Product     Version range                       Fixed in
debian       wordpress   < wordpress 2.8.3-2 (bookworm)      wordpress 2.8.3-2 (bookworm)
wordpress    wordpress   <= 2.8.3                            -
wordpress    wordpress   >= 0, < 2.8.3-2                     2.8.3-2
wordpress    wordpress   >= 0, < 2.8.3-2                     2.8.3-2
wordpress    wordpress   >= 0, < 2.8.3-2                     2.8.3-2
wordpress    wordpress   >= 0, < 2.8.3-2                     2.8.3-2

Detection & IOCs (extracted from sources)

url: http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
path: /wp-login.php
command: action=rp&key[]=
ua: WordpressAdminTakeover
  • Detect GET requests to wp-login.php where the 'key' parameter is supplied as an array (key[]) combined with action=rp or action=resetpass — this is the exact exploit vector for CVE-2009-2762.
  • Alert on HTTP requests to /wp-login.php containing the query string pattern 'action=rp&key[]=' or 'action=resetpass&key[]=' as this is the proof-of-concept payload.
  • Monitor for POST requests to /wp-login.php?action=register with a user_login value of 'admin' followed by a large number of space characters (%20) — indicative of the SQL column truncation attack variant.
  • Flag HTTP requests bearing the User-Agent string 'WordpressAdminTakeover', which is hardcoded in the published exploit tool for the SQL column truncation admin takeover.
  • The password reset bypass (key[] array) only resets the password for the FIRST user in the database, which is typically but not guaranteed to be the administrator.
  • The SQL column truncation variant (CVE related to 2.6.1) requires user registration to be enabled on the target WordPress installation.
  • The core CVE-2009-2762 exploit requires no authentication and no prior steps: a single unauthenticated GET request is sufficient to trigger the password reset.
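The first two detection bullets above, written out as log-scanning logic (an added example, not part of this record or of any published rule). It parses constructed Combined Log Format lines, flags wp-login.php requests whose action is rp or resetpass and that carry a key[...] array parameter, including the percent-encoded key%5B%5D form that a plain substring match on 'key[]=' misses, and separately flags the exploit-tool User-Agent listed in the IOCs. The log lines, IP addresses and finding labels are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Aug/2009:10:01:02 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Aug/2009:10:01:09 +0000] "GET /blog/wp-login.php?action=resetpass&key%5B%5D=x HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.7 - - [13/Aug/2009:10:02:00 +0000] "GET /wp-login.php?action=rp&key=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2009:10:03:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "WordpressAdminTakeover"
192.0.2.9 - - [13/Aug/2009:10:04:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
RESET_ACTIONS = {"rp", "resetpass"}     # both action names reach the same reset code path
EXPLOIT_UA = "WordpressAdminTakeover"   # User-Agent string listed in the IOCs above

def classify(line):
    """Return finding labels for one access-log line (empty list if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    url = urlsplit(m.group("target"))
    if url.path.endswith("/wp-login.php"):
        # parse_qs percent-decodes names (key%5B%5D= -> key[]); keep_blank_values keeps the empty value.
        params = parse_qs(url.query, keep_blank_values=True)
        array_key = any(name.startswith("key[") for name in params)   # key[] or key[0], etc.
        if set(params.get("action", [])) & RESET_ACTIONS and array_key:
            findings.append("CVE-2009-2762 key[] password-reset attempt")
    if m.group("ua") == EXPLOIT_UA:
        findings.append("exploit-tool User-Agent")
    return findings

def scan(log_text):
    """Apply classify() to every line; return one record per line that produced findings."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "findings": findings})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["target"], "->", "; ".join(h["findings"]))
```

Legitimate resets send a single string key, so the third sample line (key=abc123) is not flagged; only the array form is a signal.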

CVSS provenance

nvd: v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
osv: 7.5 HIGH
vendor_debian: 7.5 LOW