CVE-2009-2432

WordPress < 2.8.1 - Information Disclosure via wp-settings.php Direct Request

Title source: llm

Description

WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message.

References (6)

Core 6

Core References

Exploit x_refsource_misc

http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/504795/100/0/threaded

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://securitytracker.com/id?1022528

Patch, Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/1833

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/51734

Patch vdb-entry x_refsource_osvdb

http://www.osvdb.org/55717

Scores

EPSS 0.0107

EPSS Percentile 78.0%

Details

CWE

CWE-264

Status published

Products (40)

wordpress/wordpress 0.6.2 (2 CPE variants)

wordpress/wordpress 0.6.2.1 (2 CPE variants)

wordpress/wordpress 0.7

wordpress/wordpress 0.71

wordpress/wordpress 0.71-gold

wordpress/wordpress 0.72 (4 CPE variants)

wordpress/wordpress 0.711

wordpress/wordpress 1.0 (5 CPE variants)

wordpress/wordpress 1.0-platinum

wordpress/wordpress 1.0.1

... and 30 more

Published Jul 10, 2009

Tracked Since Feb 18, 2026