CVE-2009-4170

WP-Cumulus Plug-in <1.20 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4170. PoCs published by MustLive.

AI-analyzed exploit summary The code describes Full Path Disclosure and Cross-Site Scripting (XSS) vulnerabilities in WP-Cumulus for WordPress. It provides URLs to exploit these vulnerabilities, including a social XSS payload.

Description

WP-Cumulus Plug-in 1.20 for WordPress, and possibly other versions, allows remote attackers to obtain sensitive information via a crafted request to wp-cumulus.php, probably without parameters, which reveals the installation path in an error message.

Exploits (1)

exploitdb WRITEUP VERIFIED
by MustLive · textwebappsphp
https://www.exploit-db.com/exploits/10228

The code describes Full Path Disclosure and Cross-Site Scripting (XSS) vulnerabilities in WP-Cumulus for WordPress. It provides URLs to exploit these vulnerabilities, including a social XSS payload.

Classification
Writeup 90%
Attack Type
Xss | Info Leak
Complexity
Trivial
Reliability
Reliable
Target: WP-Cumulus 1.20 and previous versions
No auth needed
Prerequisites: Access to the target WordPress site with WP-Cumulus plugin installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit x_refsource_misc
http://websecurity.com.ua/3665/
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508071/100/0/threaded

Scores

EPSS 0.0639
EPSS Percentile 92.8%

Details

CWE
CWE-200
Status published
Products (1)
roytanck/wp-cumulus 1.20
Published Dec 02, 2009
Tracked Since Feb 18, 2026