Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2011-4899

Overview

Vulnerability Score 7.5 7.5
CVE Id CVE-2011-4899
Last Modified 31 Jan 2012 08:58:47
Published 30 Jan 2012 12:55:00
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2011-4899

Summary

** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments.

Vulnerable Systems

Application

  • Wordpress 0.7

  • Wordpress 0.71

  • Wordpress 0.711

  • Wordpress 0.72

  • Wordpress 1.0

  • Wordpress 1.0.1

  • Wordpress 1.0.2

  • Wordpress 1.2

  • Wordpress 1.2.1

  • Wordpress 1.2.2

  • Wordpress 1.5

  • Wordpress 1.5.1

  • Wordpress 1.5.1.2

  • Wordpress 1.5.1.3

  • Wordpress 1.5.2

  • Wordpress 2.0

  • Wordpress 2.0.1

  • Wordpress 2.0.10

  • Wordpress 2.0.11

  • Wordpress 2.0.2

  • Wordpress 2.0.3

  • Wordpress 2.0.4

  • Wordpress 2.0.5

  • Wordpress 2.0.6

  • Wordpress 2.0.7

  • Wordpress 2.0.8

  • Wordpress 2.0.9

  • Wordpress 2.1

  • Wordpress 2.1.1

  • Wordpress 2.1.2

  • Wordpress 2.1.3

  • Wordpress 2.2

  • Wordpress 2.2.1

  • Wordpress 2.2.2

  • Wordpress 2.2.3

  • Wordpress 2.3

  • Wordpress 2.3.1

  • Wordpress 2.3.2

  • Wordpress 2.3.3

  • Wordpress 2.5

  • Wordpress 2.5.1

  • Wordpress 2.6

  • Wordpress 2.6.1

  • Wordpress 2.6.2

  • Wordpress 2.6.3

  • Wordpress 2.6.5

  • Wordpress 2.7

  • Wordpress 2.7.1

  • Wordpress 2.8

  • Wordpress 2.8.1

  • Wordpress 2.8.2

  • Wordpress 2.8.3

  • Wordpress 2.8.4

  • Wordpress 2.8.5

  • Wordpress 2.8.6

  • Wordpress 2.9

  • Wordpress 2.9.1

  • Wordpress 2.9.2

  • Wordpress 3.0

  • Wordpress 3.0.1

  • Wordpress 3.0.2

  • Wordpress 3.0.3

  • Wordpress 3.0.4

  • Wordpress 3.0.5

  • Wordpress 3.0.6

  • Wordpress 3.1

  • Wordpress 3.1.1

  • Wordpress 3.1.2

  • Wordpress 3.1.3

  • Wordpress 3.1.4

  • Wordpress 3.2.1

  • Wordpress 3.3

  • Wordpress 3.3.1


References

MISC - https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

EXPLOIT-DB - 18417

BUGTRAQ - 20120124 TWSL2012-002: Multiple Vulnerabilities in WordPress


Last Updated: 27 May 2016 10:58:08