Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-4898Sensitive Information Exposure in Wordpress

CWE-200Sensitive Information Exposure11 documents5 sources
Severity
5.0MEDIUMNVD
EPSS
7.1%
top 8.48%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
WordpressDebian Wordpress
Timeline
PublishedJan 30
Latest updateMay 17

Description

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during instal

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

NVDwordpress/wordpress3.3.1+72

🔴Vulnerability Details

6
GHSA
GHSA-rrrf-759h-mc79: ** DISPUTED ** wp-admin/setup-config2022-05-17
GHSA
GHSA-q2qm-9w2w-5x96: ** DISPUTED ** wp-admin/setup-config2022-05-17
OSV
CVE-2012-0937: ** DISPUTED ** wp-admin/setup-config2012-01-30
OSV
CVE-2011-4898: wp-admin/setup-config2012-01-30
OSV
CVE-2011-4898: ** DISPUTED ** wp-admin/setup-config2012-01-30

💥Exploits & PoCs

1
Exploit-DB
WordPress Core 3.3.1 - Multiple Vulnerabilities2012-01-25

📋Vendor Advisories

2
Debian
CVE-2012-0937: wordpress - wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and e...2012
Debian
CVE-2011-4898: wordpress - wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and e...2011
CVE-2011-4898 — Sensitive Information Exposure | cvebase