Description

wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.

Remediation

References

CVE-2009-2762

Related Vulnerabilities

MySQL CVE-2018-2784 Vulnerability (CVE-2018-2784)

Roundcube Resource Management Errors Vulnerability (CVE-2011-4078)

WordPress Plugin NextGEN Gallery-WordPress Gallery 'xml/media-rss.php' Cross-Site Scripting (1.5.1)

WordPress Plugin LayerSlider SQL Injection (7.10.0)

Magento Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-3458)

Severity

High

Classification

CVE-2009-2762

Tags

Missing Update Known Vulnerabilities