Description
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
Remediation
References
Related Vulnerabilities
WordPress Plugin ImageMagick Engine Cross-Site Request Forgery (1.7.4)
WebLogic Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-10152)
WordPress Plugin VaultPress Unspecified Vulnerability (1.7.1)
Vanilla Forums Other Vulnerability (CVE-2011-3614)
WordPress Plugin Shopping Cart & eCommerce Store Multiple Security Bypass Vulnerabilities (3.0.20)