Description

wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.

Remediation

References

CVE-2009-2762

Related Vulnerabilities

Oracle JRE CVE-2013-0448 Vulnerability (CVE-2013-0448)

WordPress Same Origin Method Execution (SOME) Vulnerability (0.70 - 3.7.13)

MySQL CVE-2018-3133 Vulnerability (CVE-2018-3133)

WordPress Plugin Mail Subscribe List Unspecified Vulnerability (2.0.9)

Joomla! Core 3.x.x Remote Code Execution (3.7.0 - 3.8.7)

Severity

High

Classification

CVE-2009-2762

Tags

Missing Update Known Vulnerabilities