Description

wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.

Remediation

References

CVE-2009-2762

Related Vulnerabilities

TCExam Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-20115)

WordPress Plugin Art-Picture-Gallery Arbitrary File Upload (1.2.9)

WordPress Plugin YouTube Gallery-Best YouTube Video Gallery Cross-Site Scripting (3.2.1)

Liferay Portal Improper Restriction of XML External Entity Reference Vulnerability (CVE-2024-25606)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-0798)

Severity

High

Classification

CVE-2009-2762

Tags

Missing Update Known Vulnerabilities