Fernando Arnaboldi

**Name of the Vulnerable Software and Affected Versions** libxslt versions 1.1.29 and earlier **Description** The issue is related to the EXSLT math.random function in libxslt, which was not initialized with a random seed during startup. This could cause the function to produce predictable outputs when used. **Recommendations** For libxslt versions 1.1.29 and earlier, consider reinitializing the EXSLT math.random function with a random seed to minimize predictability of outputs. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 2.8.1 WordPress MU versions prior to 2.8.1 **Description** The issue allows remote attackers to access and modify plugin configuration files without administrative authentication. This can be achieved by specifying a configuration file in the `page` parameter. Sensitive information can be obtained or the files can be modified, as demonstrated by accessing files such as `collapsing-archives/options.txt`, `akismet/readme.txt`, `related-ways-to-take-action/options.php`, `wp-security-scan/securityscan.php`, and `wp-ids/ids-admin.php`. This issue can be leveraged for cross-site scripting (XSS) and denial of service. **Recommendations** For WordPress versions prior to 2.8.1, update to version 2.8.1 or later to resolve the issue. For WordPress MU versions prior to 2.8.1, update to version 2.8.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 2.8.1 WordPress MU versions prior to 2.8.1 **Description** The issue allows remote attackers to enumerate valid usernames by exploiting different behavior for failed login attempts depending on whether the user account exists. The vendor reportedly disputes the significance of this issue, stating that the behavior exists for user convenience. **Recommendations** For WordPress versions prior to 2.8.1, update to version 2.8.1 or later. For WordPress MU versions prior to 2.8.1, update to version 2.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 2.8.1 WordPress MU versions prior to 2.8.1 **Description** The forgotten mail interface in WordPress and WordPress MU exhibits different behavior for a password request depending on whether the user account exists. This allows remote attackers to enumerate valid usernames. **Recommendations** For WordPress versions prior to 2.8.1, update to version 2.8.1 or later. For WordPress MU versions prior to 2.8.1, update to version 2.8.1 or later.