Description

WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

Remediation

References

CVE-2009-2335

Related Vulnerabilities

Moodle Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2014-3541)

XOOPS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-36217)

Jenkins Improper Input Validation Vulnerability (CVE-2018-1999001)

Joomla Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2010-4166)

MyBB Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-9411)

Severity

Medium

Classification

CVE-2009-2335

Tags

Missing Update Known Vulnerabilities