{
  "modified": "2025-08-09T19:01:27Z",
  "published": "2012-01-30T17:55:00Z",
  "id": "CVE-2011-4898",
  "details": "wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters.  NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html"
    },
    {
      "type": "EVIDENCE",
      "url": "http://www.exploit-db.com/exploits/18417"
    },
    {
      "type": "EVIDENCE",
      "url": "https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt"
    }
  ],
  "database_specific": {
    "isDisputed": true
  }
}