PT-2012-2868 · WordPress+1 · Wordpress+1
Jonathan Claudius
·
Published
2012-01-30
·
Updated
2024-08-06
·
CVE-2012-0782
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
WordPress versions 3.3.1 and earlier
Description
The issue allows remote attackers to inject arbitrary web script or HTML via the
dbhost, dbname, or uname parameters in the wp-admin/setup-config.php file. The vendor disputes the significance of this issue, and it is unclear whether this specific scenario has security relevance.Recommendations
For WordPress versions 3.3.1 and earlier, as a temporary workaround, consider restricting access to the wp-admin/setup-config.php file until a patch is available. Avoid using the
dbhost, dbname, and uname parameters in the affected setup-config.php file until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Wordpress