Description
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
Remediation
References