← Back

CVE-2009-2334

nvd nist
Published: Jul 10, 2009Modified: Apr 23, 2026

JSON object

Loading...
4.9
Vector
AV:N/AC:M/Au:S/C:P/I:P/A:N
Exploitability: 6.8 / Impact: 4.9
Source: NVD

Description

wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.

Affected (101)

Wordpress
2 products
Wordpress
Wordpress Mu
Configuration A
101 vulnerable
Vulnerable SoftwareAffected Versions
Wordpress
Wordpress
Up to 2.7.1
Wordpress
Version 0.6.2.1
Wordpress
Version 0.6.2.1 beta_2
Wordpress
Version 0.6.2
Wordpress
Version 0.6.2 beta_2
Wordpress
Version 0.71-gold
Wordpress
Version 0.711
Wordpress
Version 0.71
Wordpress
Version 0.72
Wordpress
Version 0.72 beta1
Wordpress
Version 0.72 beta2
Wordpress
Version 0.72 rc1
Wordpress
Version 0.7
Wordpress
Version 1.0-platinum
Wordpress
Version 1.0.1-miles
Wordpress
Version 1.0.1
Wordpress
Version 1.0.2-blakey
Wordpress
Version 1.0.2
Wordpress
Version 1.0
Wordpress
Version 1.0 rc1
Wordpress
Version 1.0 rc2
Wordpress
Version 1.0 rc3
Wordpress
Version 1.0 rc4
Wordpress
Version 1.2-delta
Wordpress
Version 1.2-mingus
Wordpress
Version 1.2.1
Wordpress
Version 1.2.2
Wordpress
Version 1.2
Wordpress
Version 1.2 beta
Wordpress
Version 1.3.1
Wordpress
Version 1.4
Wordpress
Version 1.5-strayhorn
Wordpress
Version 1.5.1.1
Wordpress
Version 1.5.1.2
Wordpress
Version 1.5.1.3
Wordpress
Version 1.5.1
Wordpress
Version 1.5.2
Wordpress
Version 1.5
Wordpress
Version 1.6
Wordpress
Version 2.0.10
Wordpress
Version 2.0.10_rc1
Wordpress
Version 2.0.10_rc2
Wordpress
Version 2.0.11
Wordpress
Version 2.0.1
Wordpress
Version 2.0.2
Wordpress
Version 2.0.3
Wordpress
Version 2.0.4
Wordpress
Version 2.0.5
Wordpress
Version 2.0.6
Wordpress
Version 2.0.7
Wordpress
Version 2.0.8
Wordpress
Version 2.0.9
Wordpress
Version 2.0
Wordpress
Version 2.1.1
Wordpress
Version 2.1.2
Wordpress
Version 2.1.3
Wordpress
Version 2.1.3_rc1
Wordpress
Version 2.1.3_rc2
Wordpress
Version 2.1
Wordpress
Version 2.1 alpha_3
Wordpress
Version 2.2.0
Wordpress
Version 2.2.1
Wordpress
Version 2.2.2
Wordpress
Version 2.2.3
Wordpress
Version 2.2
Wordpress
Version 2.2_revision5002
Wordpress
Version 2.2_revision5003
Wordpress
Version 2.3.1
Wordpress
Version 2.3.1 rc1
Wordpress
Version 2.3.2
Wordpress
Version 2.3.3
Wordpress
Version 2.3
Wordpress
Version 2.3 beta3
Wordpress
Version 2.3 rc1
Wordpress
Version 2.5.1
Wordpress
Version 2.5
Wordpress
Version 2.6.1
Wordpress
Version 2.6.3
Wordpress
Version 2.6.5
Wordpress
Version 2.6
Wordpress
Wordpress Mu
Up to 2.7
Wordpress Mu
Version 1.1.1
Wordpress Mu
Version 1.1
Wordpress Mu
Version 1.2.1
Wordpress Mu
Version 1.2.2
Wordpress Mu
Version 1.2.3
Wordpress Mu
Version 1.2.4
Wordpress Mu
Version 1.2.4 rc1
Wordpress Mu
Version 1.2.5a
Wordpress Mu
Version 1.2
Wordpress Mu
Version 1.3.1
Wordpress Mu
Version 1.3.2
Wordpress Mu
Version 1.3.3
Wordpress Mu
Version 1.3
Wordpress Mu
Version 1.5.1
Wordpress Mu
Version 1.5 rc1
Wordpress Mu
Version 2.6.1
Wordpress Mu
Version 2.6.2
Wordpress Mu
Version 2.6.3
Wordpress Mu
Version 2.6.5
Wordpress Mu
Version 2.6

Related CWEs

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (28)

Source: cve@mitre.org
Exploit
Source: cve@mitre.org
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
ExploitPatch
Source: cve@mitre.org
Patch
Source: cve@mitre.org
Source: cve@mitre.org
ExploitPatch
Source: cve@mitre.org
PatchVendor Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatch
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.