PT-2012-1988 · WordPress+1 · Wordpress+1
Published 2012-01-30 · Updated 2024-08-07 · CVE-2011-4898
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions: WordPress versions 3.3.1 and earlier
Description: The installation component in WordPress generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid. This makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. The vendor disputes the significance of this issue, and it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective.
Recommendations: For WordPress versions 3.3.1 and earlier, consider restricting access to the wp-admin/setup-config.php installation component to minimize the risk of exploitation. As a temporary workaround, avoid using the uname and pwd parameters in the affected requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2011-4898

Affected Products: Debian, Wordpress