CVE-2012-0782
WordPress < 3.3.1 - Cross-Site Scripting via Installation Setup Parameters
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2012-0782. PoCs published by Trustwave's SpiderLabs.
AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in WordPress 3.3.1 and prior, including PHP code execution, persistent XSS, and MySQL credential disclosure via the 'setup-config.php' installation page. It leverages a malicious MySQL instance to bypass authentication and inject malicious code.
Description
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance
Exploits (1)
This exploit demonstrates multiple vulnerabilities in WordPress 3.3.1 and prior, including PHP code execution, persistent XSS, and MySQL credential disclosure via the 'setup-config.php' installation page. It leverages a malicious MySQL instance to bypass authentication and inject malicious code.