Summary
The host is running WordPress and is prone to Multiple Vulnerabilities.
Impact
Successful exploitation will allow attackers to view the content of plugins configuration pages, inject malicious scripting code, or gain knowledge of sensitive username information.
Impact Level: Application
Solution
Update to Version 2.8.1
http://wordpress.org/download/
Insight
- Error in 'wp-settings.php' which may disclose the sensitive information via a direct request.
- username of a post's author is placed in an HTML comment, which allows remote attackers to obtain sensitive information by reading the HTML source.
- Error occur when user attampt for failed login or password request depending on whether the user account exists, and it can be exploited by enumerate valid usernames.
- wp-admin/admin.php does not require administrative authentication to access the configuration of a plugin, which allows attackers to specify a configuration file in the page parameter via collapsing-archives/options.txt, related-ways-to-take-action/options.php, wp-security-scan/securityscan.php, akismet/readme.txt and wp-ids/ids-admin.php.
Affected
WordPress version prior to 2.8.1 on all running platform.
References
Severity
Classification
-
CVE CVE-2009-2334, CVE-2009-2335, CVE-2009-2336, CVE-2009-2431, CVE-2009-2432 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- AdaptCMS 'init.php' Remote File Include Vulnerability
- 7Media Web Solutions EduTrac Directory Traversal Vulnerability
- Apache Tomcat HTTP BIO Connector Information Disclosure Vulnerability
- Apache mod_proxy_ftp Wildcard Characters XSS Vulnerability
- Adiscon LogAnalyzer 'highlight' Parameter Cross Site Scripting Vulnerability