CVE-2009-2335
WordPress <2.8.1 - Info Disclosure
WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
Exploits (3)
exploitdb · WRITEUP · VERIFIED · by Core Security · text, webapps, php
https://www.exploit-db.com/exploits/9110
exploitdb · WORKING POC · by Tiago Ferreira & Heyder Andrade · ruby, webapps, php
https://www.exploit-db.com/exploits/17702
metasploit · WORKING POC · ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wordpress_login_enum.rb
References (11)
Scores
EPSS: 0.8534
EPSS Percentile: 99.4%
Details
CWE: CWE-16
Status: published
Products (2)
wordpress/wordpress: < 2.8.1
wordpress/wordpress_mu: < 2.8.1
Published: Jul 10, 2009
Tracked Since: Feb 18, 2026