CVE-2011-4899: XSS
First published: Mon Jan 30 2012(Updated: )
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress | <=3.3.1 | |
| WordPress | =0.7 | |
| WordPress | =0.71 | |
| WordPress | =0.72 | |
| WordPress | =0.711 | |
| WordPress | =1.0 | |
| WordPress | =1.0.1 | |
| WordPress | =1.0.2 | |
| WordPress | =1.2 | |
| WordPress | =1.2.1 | |
| WordPress | =1.2.2 | |
| WordPress | =1.5 | |
| WordPress | =1.5.1 | |
| WordPress | =1.5.1.2 | |
| WordPress | =1.5.1.3 | |
| WordPress | =1.5.2 | |
| WordPress | =2.0 | |
| WordPress | =2.0.1 | |
| WordPress | =2.0.2 | |
| WordPress | =2.0.3 | |
| WordPress | =2.0.4 | |
| WordPress | =2.0.5 | |
| WordPress | =2.0.6 | |
| WordPress | =2.0.7 | |
| WordPress | =2.0.8 | |
| WordPress | =2.0.9 | |
| WordPress | =2.0.10 | |
| WordPress | =2.0.11 | |
| WordPress | =2.1 | |
| WordPress | =2.1.1 | |
| WordPress | =2.1.2 | |
| WordPress | =2.1.3 | |
| WordPress | =2.2 | |
| WordPress | =2.2.1 | |
| WordPress | =2.2.2 | |
| WordPress | =2.2.3 | |
| WordPress | =2.3 | |
| WordPress | =2.3.1 | |
| WordPress | =2.3.2 | |
| WordPress | =2.3.3 | |
| WordPress | =2.5 | |
| WordPress | =2.5.1 | |
| WordPress | =2.6 | |
| WordPress | =2.6.1 | |
| WordPress | =2.6.2 | |
| WordPress | =2.6.3 | |
| WordPress | =2.6.5 | |
| WordPress | =2.7 | |
| WordPress | =2.7.1 | |
| WordPress | =2.8 | |
| WordPress | =2.8.1 | |
| WordPress | =2.8.2 | |
| WordPress | =2.8.3 | |
| WordPress | =2.8.4 | |
| WordPress | =2.8.5 | |
| WordPress | =2.8.6 | |
| WordPress | =2.9 | |
| WordPress | =2.9.1 | |
| WordPress | =2.9.2 | |
| WordPress | =3.0 | |
| WordPress | =3.0.1 | |
| WordPress | =3.0.2 | |
| WordPress | =3.0.3 | |
| WordPress | =3.0.4 | |
| WordPress | =3.0.5 | |
| WordPress | =3.0.6 | |
| WordPress | =3.1 | |
| WordPress | =3.1.1 | |
| WordPress | =3.1.2 | |
| WordPress | =3.1.3 | |
| WordPress | =3.1.4 | |
| WordPress | =3.2.1 | |
| WordPress | =3.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2011-4899?
CVE-2011-4899 has a high severity due to the potential for unauthorized access to database configuration.
How do I fix CVE-2011-4899?
To fix CVE-2011-4899, upgrade to WordPress version 3.3.2 or later that addresses this vulnerability.
What impact does CVE-2011-4899 have on WordPress installations?
CVE-2011-4899 allows remote attackers to potentially configure an arbitrary database, posing a significant security risk.
Is my WordPress site affected by CVE-2011-4899?
If your WordPress version is 3.3.1 or earlier, your site is affected by CVE-2011-4899.
What versions of WordPress are vulnerable to CVE-2011-4899?
All versions of WordPress up to and including 3.3.1 are vulnerable to CVE-2011-4899.
- agent/type
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/status
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-historical
- collector/nvd-index
- vendor/wordpress
- canonical/wordpress
- version/wordpress/3.3.1
- version/wordpress/0.7
- version/wordpress/0.71
- version/wordpress/0.72
- version/wordpress/0.711
- version/wordpress/1.0
- version/wordpress/1.0.1
- version/wordpress/1.0.2
- version/wordpress/1.2
- version/wordpress/1.2.1
- version/wordpress/1.2.2
- version/wordpress/1.5
- version/wordpress/1.5.1
- version/wordpress/1.5.1.2
- version/wordpress/1.5.1.3
- version/wordpress/1.5.2
- version/wordpress/2.0
- version/wordpress/2.0.1
- version/wordpress/2.0.2
- version/wordpress/2.0.3
- version/wordpress/2.0.4
- version/wordpress/2.0.5
- version/wordpress/2.0.6
- version/wordpress/2.0.7
- version/wordpress/2.0.8
- version/wordpress/2.0.9
- version/wordpress/2.0.10
- version/wordpress/2.0.11
- version/wordpress/2.1
- version/wordpress/2.1.1
- version/wordpress/2.1.2
- version/wordpress/2.1.3
- version/wordpress/2.2
- version/wordpress/2.2.1
- version/wordpress/2.2.2
- version/wordpress/2.2.3
- version/wordpress/2.3
- version/wordpress/2.3.1
- version/wordpress/2.3.2
- version/wordpress/2.3.3
- version/wordpress/2.5
- version/wordpress/2.5.1
- version/wordpress/2.6
- version/wordpress/2.6.1
- version/wordpress/2.6.2
- version/wordpress/2.6.3
- version/wordpress/2.6.5
- version/wordpress/2.7
- version/wordpress/2.7.1
- version/wordpress/2.8
- version/wordpress/2.8.1
- version/wordpress/2.8.2
- version/wordpress/2.8.3
- version/wordpress/2.8.4
- version/wordpress/2.8.5
- version/wordpress/2.8.6
- version/wordpress/2.9
- version/wordpress/2.9.1
- version/wordpress/2.9.2
- version/wordpress/3.0
- version/wordpress/3.0.1
- version/wordpress/3.0.2
- version/wordpress/3.0.3
- version/wordpress/3.0.4
- version/wordpress/3.0.5
- version/wordpress/3.0.6
- version/wordpress/3.1
- version/wordpress/3.1.1
- version/wordpress/3.1.2
- version/wordpress/3.1.3
- version/wordpress/3.1.4
- version/wordpress/3.2.1
- version/wordpress/3.3
- status/disputed