National Cyber Awareness System

Vulnerability Summary for CVE-2011-4899

Overview

** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: MISC

Name: https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

Hyperlink:https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt

External Source: EXPLOIT-DB

Name: 18417

Hyperlink:http://www.exploit-db.com/exploits/18417

External Source: BUGTRAQ

Name: 20120124 TWSL2012-002: Multiple Vulnerabilities in WordPress

Hyperlink:http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html