CVE-2009-2335

WordPress < 2.8.1 - Username Enumeration via Failed Login Behavior


Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-2335. PoCs published by Core Security, Tiago Ferreira & Heyder Andrade, including Metasploit module auxiliary/scanner/http/wordpress_login_enum.

AI-analyzed exploit summary

This advisory details multiple vulnerabilities in WordPress, including privilege escalation via unchecked access to plugin configuration pages and information disclosure. It provides technical analysis of the root cause and proof-of-concept URLs demonstrating the flaws.

Description

WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

Exploits (3)

exploitdb WRITEUP VERIFIED
by Core Security · text · webapps · php
https://www.exploit-db.com/exploits/9110


Classification
Writeup 100%
Attack Type
Auth Bypass | Info Leak | XSS
Complexity
Moderate
Reliability
Reliable
Target: WordPress 2.8 and previous, WordPress MU 2.7.1 and previous
Auth required
Prerequisites: Access to a WordPress instance with vulnerable version · Subscriber-level account or higher
Analyzed by devstral-2 on Feb 18, 2026
exploitdb WORKING POC
by Tiago Ferreira & Heyder Andrade · ruby · webapps · php
https://www.exploit-db.com/exploits/17702

This Metasploit auxiliary module exploits CVE-2009-2335 to enumerate WordPress usernames and perform brute-force authentication attacks. It includes a bypass for the Block-Spam-By-Math-Reloaded plugin.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: WordPress (versions affected by CVE-2009-2335)
No auth needed
Prerequisites: Access to the WordPress login page (wp-login.php)
Analyzed by devstral-2 on Feb 16, 2026
metasploit WORKING POC
ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_login_enum.rb

This Metasploit module performs WordPress user enumeration, validation, and brute-force authentication. It leverages WordPress-specific HTTP requests to check for valid usernames and attempt login with provided credentials.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: WordPress (multiple versions, including those affected by CVE-2009-2335)
No auth needed
Prerequisites: WordPress installation with accessible login page · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026

References (11)

Core References
Third Party Advisory vendor-advisory x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00608.html
Third Party Advisory vendor-advisory x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00676.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504795/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1022528
Third Party Advisory vendor-advisory x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00632.html
Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1833
Third Party Advisory vendor-advisory x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00597.html
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/55713
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9110
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35581

Scores

EPSS: 0.8500
EPSS Percentile: 99.7%

Details

CWE: CWE-16
Status: published
Products (2):
wordpress/wordpress < 2.8.1
wordpress/wordpress_mu < 2.8.1
Published: Jul 10, 2009
Tracked Since: Feb 18, 2026