PT-2012-1989 · WordPress

Published: 2012-01-30 · Updated: 2024-08-07 · CVE-2011-4899

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: WordPress versions 3.3.1 and earlier

Description: The installation component in WordPress (wp-admin/setup-config.php) does not verify that the MySQL database server supplied during setup is the intended one, so a remote attacker can point the installer at an arbitrary database via the dbhost and dbname parameters. This can lead to static code injection and cross-site scripting (XSS) via an HTTP request or a MySQL query. The vendor disputes the significance of this issue, but the potential for remote code execution makes it important in many realistic environments.

Recommendations: For WordPress versions 3.3.1 and earlier, as a temporary workaround, restrict access to the wp-admin/setup-config.php installation component to minimize the risk of exploitation. Avoid using the dbhost and dbname parameters in the affected installation component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
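As an added, defender-side illustration (not part of this advisory and not WordPress's own code): a small Python scanner that reads web-server access logs, flags any request to wp-admin/setup-config.php, and raises the severity when the request carries the dbhost/dbname parameters named above, highest when dbhost points somewhere other than the local database. The log lines are constructed samples, and the set of "local" database hosts is an assumption to adjust per deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Combined Log Format; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2012:10:00:01 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jan/2012:10:00:07 +0000] "GET /wp-admin/setup-config.php?step=2&dbname=wp&dbuser=u&dbpass=p&dbhost=198.51.100.9 HTTP/1.1" 200 210 "-" "curl/7.22"
192.0.2.44 - - [30/Jan/2012:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 980 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jan/2012:10:02:30 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 302 0 "-" "curl/7.22"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the site's database is expected to live on the same host.
LOCAL_DB_HOSTS = {"localhost", "127.0.0.1", "::1"}

def classify(line):
    """Return a finding for a request to the installer, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != "/wp-admin/setup-config.php":
        return None
    qs = parse_qs(parts.query)
    dbhost = qs.get("dbhost", [None])[0]
    dbname = qs.get("dbname", [None])[0]
    severity = "info"          # any hit on the installer of a live site deserves a look
    if dbhost is not None or dbname is not None:
        severity = "medium"    # database parameters supplied by a remote client
        if dbhost is not None and dbhost.split(":")[0] not in LOCAL_DB_HOSTS:
            severity = "high"  # installer pointed at a database the site does not own
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "dbhost": dbhost, "dbname": dbname, "severity": severity}

def scan(log_text):
    """Classify every line of a log and return only the installer findings, in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the sample above the scanner reports three installer hits, with the second (dbhost=198.51.100.9) ranked high; on a finished site any hit at all is a signal that the workaround of blocking setup-config.php is not in place.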

Related Identifiers: CVE-2011-4899

Affected Products: Debian, WordPress