Description

The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

Remediation

References

CVE-2009-2336

Related Vulnerabilities

WordPress 3.9.x Multiple Vulnerabilities (3.9 - 3.9.27)

Jenkins Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-5326)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-4581)

WordPress Plugin WP Mapa Politico Espana Cross-Site Scripting (3.6.2)

WebLogic Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2020-5397)

Severity

Medium

Classification

CVE-2009-2336

Tags

Missing Update Known Vulnerabilities