CVE-2012-0937
WordPress < 3.3.1 - Denial of Service via MySQL Query Proxy in Setup-Config
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2012-0937. PoCs published by Trustwave's SpiderLabs.
AI-analyzed exploit summary This exploit demonstrates multiple vulnerabilities in WordPress 3.3.1 and prior, including PHP code execution, persistent XSS, and MySQL credential disclosure via the 'setup-config.php' installation page. It leverages a malicious MySQL instance to bypass authentication and inject malicious code.
Description
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time
Exploits (1)
This exploit demonstrates multiple vulnerabilities in WordPress 3.3.1 and prior, including PHP code execution, persistent XSS, and MySQL credential disclosure via the 'setup-config.php' installation page. It leverages a malicious MySQL instance to bypass authentication and inject malicious code.