Description
WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
Remediation