Description
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
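The response discrepancy described above, modelled next to a uniform-response handler, as an added example that is not WordPress code. The function names (`leaky_reset`, `uniform_reset`, `responses_differ`), the messages and the accounts are constructed for illustration.

```python
import secrets

# Constructed sample accounts (not taken from any real site).
USERS = {"alice": "alice@example.test", "bob": "bob@example.test"}
GENERIC = "If that account exists, a reset link has been sent to its address."


def leaky_reset(login, outbox):
    """Simplified model of the reported behaviour: the reply depends on
    whether the account exists."""
    email = USERS.get(login.strip().lower())
    if email is None:
        return 200, "Invalid username or e-mail."
    outbox.append((email, secrets.token_urlsafe(32)))
    return 200, "Check your e-mail for the confirmation link."


def uniform_reset(login, outbox):
    """Same status and body for every input; only the mail side effect,
    which the requester cannot observe, differs."""
    email = USERS.get(login.strip().lower())
    if email is not None:
        outbox.append((email, secrets.token_urlsafe(32)))
    return 200, GENERIC


def responses_differ(handler, existing, missing):
    """Regression check: True if the status code or body alone lets a
    client tell an existing account from a missing one."""
    return handler(existing, []) != handler(missing, [])


if __name__ == "__main__":
    for handler in (leaky_reset, uniform_reset):
        verdict = responses_differ(handler, "alice", "no-such-user")
        print(f"{handler.__name__}: distinguishable={verdict}")
```

A check like `responses_differ` covers only status and body; if mail is sent synchronously, response time can still differ between the two cases, so the send is usually handed to a background queue.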
Remediation
References