* Privileges Unchecked in admin.php?page= leading to Local File Includes (CVE-2009-2334)
  This can be used to disclose files in the wp-content/plugins folder, or open plugin configuration pages and change settings. (In conjunction with faulty plugins, XSS is possible as well, as shown in an example)
* Other information disclosures (CVE-2009-{2335, 2336}, not yet specifically assigned)
  - Login and forgotten password facilitate valid username enumeration
  - Usernames are only hidden inside HTML comments by default
  - Several installation path disclosures

The latter issues are not acknowledged by upstream and thus not fixed:

Username enumeration: "WordPress team asserts that password and username discrimination as well as username leakage are known and will not be fixed because they are convenient for the users." (orig. advisory)

Path disclosures: Upstream suggests to disable the error_reporting setting in php.ini. (cf. http://core.trac.wordpress.org/ticket/10367#comment:3)
*** Bug 277377 has been marked as a duplicate of this bug. ***
2.8.1 is in CVS.
CVE-2009-2335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2335): WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

CVE-2009-2336 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2336): The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

CVE-2009-2432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2432): WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message.
CVE-2009-2431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2431): WordPress 2.7.1 places the username of a post's author in an HTML comment, which allows remote attackers to obtain sensitive information by reading the HTML source.
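
Added example, not part of the bug report and not WordPress code: the response discrepancy described in CVE-2009-2335 and CVE-2009-2336, shown as a leaky login handler beside a uniform one and a uniform password-reset reply. The user store, function names and message strings are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample store: username -> (salt, password hash).
USERS = {"alice": _make_user("correct horse")}
# Dummy record checked for unknown accounts so both paths do the same hashing work.
_DUMMY_SALT, _DUMMY_HASH = _make_user(os.urandom(16).hex())

GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_RESET_REPLY = "If that account exists, a reset link has been sent."

def login_leaky(username: str, password: str) -> str:
    """Reply differs by account existence, the behaviour the CVE text describes."""
    if username not in USERS:
        return "Invalid username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password."
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """One reply for every failure, with the same hashing cost on both paths."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return "OK"
    return GENERIC_LOGIN_ERROR

def reset_uniform(username: str, outbox: list) -> str:
    """Queue mail only for real accounts; the reply never reveals which case applied."""
    if username in USERS:
        outbox.append(username)
    return GENERIC_RESET_REPLY
```

The dummy hash comparison keeps the unknown-account path from returning measurably faster than the known-account path, which would otherwise leak the same information through timing.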