Description
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
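The difference in behavior described above, next to a handler that answers every request identically, as an added example that is not WordPress code. The account store, response strings, status codes and function names are constructed for illustration; `differing_fields` is a regression check to run against your own reset handler.

```python
# Constructed sample account store; the name and address are made up.
USERS = {"alice": "alice@example.test"}

# Assumed wording: one message that is true whether or not the account exists.
GENERIC = "If that account exists, a reset link has been sent to its address."


def reset_leaky(login, outbox):
    """Status and body depend on whether the account exists."""
    if login not in USERS:
        return 200, "ERROR: unknown username or e-mail."
    outbox.append(USERS[login])
    return 302, "Check your e-mail for the confirmation link."


def reset_uniform(login, outbox):
    """Same status and body for every request; mail goes out only for real accounts.

    Response time can still differ if mail is sent inline, so a real
    handler should queue the message rather than send it in the request.
    """
    if login in USERS:
        outbox.append(USERS[login])
    return 200, GENERIC


def differing_fields(handler, known_user, unknown_user):
    """Return the response fields that differ between a known and an unknown login."""
    known = handler(known_user, [])
    unknown = handler(unknown_user, [])
    names = ("status", "body")
    return [n for n, a, b in zip(names, known, unknown) if a != b]


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        fields = differing_fields(handler, "alice", "no-such-user")
        print(handler.__name__, "differs in:", fields or "nothing")
```

An empty result from `differing_fields` means the response alone does not reveal whether the login exists.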
Related Vulnerabilities
Coppermine Improper Authentication Vulnerability (CVE-2005-3979)
Liferay DXP Missing Authorization Vulnerability (CVE-2022-39975)
PHP Use After Free Vulnerability (CVE-2019-9020)
WordPress Plugin Advanced Custom Fields PRO Arbitrary File Upload (5.12.2)
WordPress Plugin WordPress Video Player Multiple SQL Injection Vulnerabilities (1.5.16)