CVE-2012-0782

Name of the Vulnerable Software and Affected Versions WordPress versions 3.3.1 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via the dbhost, dbname, or uname parameters in the wp-admin/setup-config.php file. The vendor disputes the significance of this issue, and it is unclear whether this specific scenario has security relevance.

Recommendations For WordPress versions 3.3.1 and earlier, as a temporary workaround, consider restricting access to the wp-admin/setup-config.php file until a patch is available. Avoid using the dbhost, dbname, and uname parameters in the affected setup-config.php file until the issue is resolved.