Summary
The host is running WordPress MU and is prone to Multiple Vulnerabilities
Impact
Successful exploitation will allow attackers to view the content of plugins configuration pages, inject malicious scripting code, or gain knowledge of sensitive username information.
Impact Level: Application
Solution
Update to Version 2.8.1
http://mu.wordpress.org/download/
Insight
- Error in 'wp-settings.php' which may disclose the sensitive information via a direct request.
- Error occur when user attampt for failed login or password request depending on whether the user account exists, and it can be exploited by enumerate valid usernames.
- Error in wp-admin/admin.php is does not require administrative authentication to access the configuration of a plugin, which allows attackers to specify a configuration file in the page parameter via collapsing-archives/options.txt, related-ways-to-take-action/options.php, wp-security-scan/securityscan.php, akismet/readme.txt and wp-ids/ids-admin.php.
Affected
WordPress MU version prior to 2.8.1 on all running platform.
References
Severity
Classification
-
CVE CVE-2009-2334, CVE-2009-2335, CVE-2009-2336, CVE-2009-2432 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Adobe ColdFusion HTTP Response Splitting Vulnerability
- AeroMail Cross Site Request Forgery, HTML Injection and Cross Site Scripting Vulnerabilities
- Apache Tomcat RemoteFilterValve Security Bypass Vulnerability
- Apache Struts2/XWork Remote Command Execution Vulnerability
- @Mail 'MailType' Parameter Cross Site Scripting Vulnerability