CVE-2011-4898
Published: 2012-01-30
CVE-2011-4898: wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname…
Priority: P4 · 31 · medium
CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EXPLOIT
EPSS: 9.55% (94.9th percentile)
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective.
Affected
74 ranges (25 shown on the source page; the repeated rows carrying no version data are collapsed below)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | — | — |
| wordpress | wordpress | <= 3.3.1 | — |
| wordpress | wordpress | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
GHSA
GHSA-rrrf-759h-mc79 (ghsa_unreviewed · 2022-05-17 · CVSS 5.0) for CVE-2012-0937 [MEDIUM]
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time.

GHSA
GHSA-q2qm-9w2w-5x96 (ghsa_unreviewed · 2022-05-17) for CVE-2011-4898 [MEDIUM] CWE-200
** DISPUTED ** Same description as the CVE-2011-4898 summary at the top of this page.

OSV
CVE-2012-0937 [MEDIUM] (osv · 2012-01-30 · CVSS 5.0), indexed twice, once with the ** DISPUTED ** prefix and once without. Same description as the GHSA-rrrf-759h-mc79 entry above.

OSV
CVE-2011-4898 [MEDIUM] (osv · 2012-01-30 · CVSS 5.0), indexed twice, once with the ** DISPUTED ** prefix and once without. Same description as the CVE-2011-4898 summary at the top of this page.

Debian
CVE-2012-0937 [MEDIUM]: wordpress (vendor_debian · 2012 · CVSS 5.0)
Same description as the GHSA-rrrf-759h-mc79 entry above.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open

Debian
CVE-2011-4898 [MEDIUM]: wordpress (vendor_debian · 2011 · CVSS 5.0)
Same description as the CVE-2011-4898 summary at the top of this page.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
No writeups or analysis indexed.
References
http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html
http://www.exploit-db.com/exploits/18417
https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt