CVE-2012-0782

WordPress < 3.3.1 - Cross-Site Scripting via Installation Setup Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-0782. PoCs published by Trustwave's SpiderLabs.

AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in WordPress 3.3.1 and prior, including PHP code execution, persistent XSS, and MySQL credential disclosure via the 'setup-config.php' installation page. It leverages a malicious MySQL instance to bypass authentication and inject malicious code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance

Exploits (1)

exploitdb WORKING POC VERIFIED
by Trustwave's SpiderLabs · textwebappsphp
https://www.exploit-db.com/exploits/18417

This exploit demonstrates multiple vulnerabilities in WordPress 3.3.1 and prior, including PHP code execution, persistent XSS, and MySQL credential disclosure via the 'setup-config.php' installation page. It leverages a malicious MySQL instance to bypass authentication and inject malicious code.

Classification
Working Poc 100%
Attack Type
Rce | Xss | Info Leak
Complexity
Moderate
Reliability
Reliable
Target: WordPress 3.3.1 and prior
No auth needed
Prerequisites: Access to a malicious MySQL instance · Network access to the target WordPress installation
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18417
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html

Scores

EPSS 0.0375
EPSS Percentile 88.6%

Details

CWE
CWE-79
Status published
Products (50)
wordpress/wordpress 0.7
wordpress/wordpress 0.71
wordpress/wordpress 0.72
wordpress/wordpress 0.711
wordpress/wordpress 1.0
wordpress/wordpress 1.0.1
wordpress/wordpress 1.0.2
wordpress/wordpress 1.2
wordpress/wordpress 1.2.1
wordpress/wordpress 1.2.2
... and 40 more
Published Jan 30, 2012
Tracked Since Feb 18, 2026