wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:P/I:P/A:N
Vendors Products
Wordpress
  • Wordpress
  • Wordpress Mu

Configuration 1 [-]

OR cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.6.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.6.2:beta_2:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.6.2.1:beta_2:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.7:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.71:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.71-gold:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.72:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.72:beta1:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.72:beta2:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.72:rc1:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:0.711:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0:rc3:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0:rc4:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0-platinum:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0.1-miles:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.0.2-blakey:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.2:beta:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.2-delta:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.2-mingus:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.4:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5-strayhorn:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5.1.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5.1.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5.1.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:1.6:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.10:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.10_rc1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.10_rc2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.0.11:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.1:alpha_3:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.1.3_rc1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.1.3_rc2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.2_revision5002:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.2_revision5003:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.3:beta3:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.3:rc1:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.3.1:rc1:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.5:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.6:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.6.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress:2.6.5:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:*:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.2.4:rc1:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.2.5a:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.3.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.5:rc1:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:2.6:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:2.6.1:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:2.6.3:*:*:*:*:*:*:*
cpe:2.3:a:wordpress:wordpress_mu:2.6.5:*:*:*:*:*:*:*
References
Link Resource
http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked Exploit
http://securitytracker.com/id?1022528
http://wordpress.org/development/2009/07/wordpress-2-8-1/ Vendor Advisory
http://www.debian.org/security/2009/dsa-1871
http://www.exploit-db.com/exploits/9110
http://www.osvdb.org/55712 Exploit Patch
http://www.osvdb.org/55715 Patch
http://www.securityfocus.com/archive/1/504795/100/0/threaded
http://www.securityfocus.com/bid/35584 Exploit Patch
http://www.vupen.com/english/advisories/2009/1833 Patch Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00597.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00608.html
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00632.html
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00676.html
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-07-10T20:25:00

Updated: 2018-10-10T18:57:01

Reserved: 2009-07-05T00:00:00

Link: CVE-2009-2334

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2009-07-10T21:00:00.187

Modified: 2018-10-10T19:39:37.663

Link: CVE-2009-2334

JSON object: View

cve-icon Redhat Information

No data.

CWE