CVE-2009-2336

CVE Database · CVE-2009-2336

CVE-2009-2336

· N/AModified

CVSS v3.1

N/A

EPSS

5.41%

Published

Jul 10, 2009

Modified

Apr 22, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."

Weaknesses (CWE)

CWE-16

Affected Products (2)

wordpress · wordpress (up to 2.8.1)vulnerable

wordpress · wordpress_mu (up to 2.8.1)vulnerable

References (20)

http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked

ExploitPatchThird Party Advisory

http://securitytracker.com/id?1022528

PatchThird Party AdvisoryVDB Entry

http://www.exploit-db.com/exploits/9110

Third Party AdvisoryVDB Entry

http://www.osvdb.org/55714

Broken LinkPatch

http://www.securityfocus.com/archive/1/504795/100/0/threaded

Third Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs