Summary
The host is running WordPress and is prone to Multiple Vulnerabilities.
Impact
Successful exploitation will allow attackers to view the content of plugins configuration pages, inject malicious scripting code, or gain knowledge of sensitive username information.
Impact Level: Application
Solution
Update to Version 2.8.1
http://wordpress.org/download/
Insight
- Error in 'wp-settings.php' which may disclose the sensitive information via a direct request.
- username of a post's author is placed in an HTML comment, which allows remote attackers to obtain sensitive information by reading the HTML source.
- Error occur when user attampt for failed login or password request depending on whether the user account exists, and it can be exploited by enumerate valid usernames.
- wp-admin/admin.php does not require administrative authentication to access the configuration of a plugin, which allows attackers to specify a configuration file in the page parameter via collapsing-archives/options.txt, related-ways-to-take-action/options.php, wp-security-scan/securityscan.php, akismet/readme.txt and wp-ids/ids-admin.php.
Affected
WordPress version prior to 2.8.1 on all running platform.
References
Severity
Classification
-
CVE CVE-2009-2334, CVE-2009-2335, CVE-2009-2336, CVE-2009-2431, CVE-2009-2432 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Andromeda Streaming MP3 Server Cross Site Scripting Vulnerability
- Apache Struts2/XWork Remote Command Execution Vulnerability
- Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities
- Apache Struts2 'XWork' Information Disclosure Vulnerability
- Adobe ColdFusion HTTP Response Splitting Vulnerability