Parameter

Vulnerability – WordPress.com Information Disclosure

First off, I want to wish a happy new year to all visitors to our blog, as well as to clients and friends of the Parameter Security family.

Over the New Year holiday our hackers discovered an information disclosure vulnerability on WordPress.com that discloses a user's username. To obtain the username, you need to know the user's email address.

Vulnerability

At the wordpress.com login, enter the known email address. Enter something into the password field (the password cannot be blank).

 


The login error will disclose the username connected to the email address.

 


Risk – Low

Use – The information disclosure could be used during footprinting to determine a victim's username on WordPress.com.

Note – The disclosure only happens on wordpress.com. This vulnerability does not affect the open-source WordPress software.

The vulnerability was disclosed to WordPress on 1/2/2013.
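
The pattern behind this kind of disclosure, shown beside a hardened form, as an added example (not WordPress.com's code and not part of the original post). The account store, error messages and function names are hypothetical, and the sample account is constructed.

```python
import hashlib
import hmac

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample account, keyed by e-mail address (not real data).
_SALT = b"constructed-salt"
ACCOUNTS = {"alice@example.com": {"username": "alice_w", "salt": _SALT,
                                  "pw_hash": _kdf("correct horse", _SALT)}}
GENERIC_ERROR = "Incorrect e-mail address or password."  # hypothetical wording

def _check(email: str, password: str):
    """Return the account on success, else None. Always runs the KDF so an
    unknown address costs about as much time as a wrong password."""
    account = ACCOUNTS.get(email.lower())
    salt = account["salt"] if account else _SALT
    candidate = _kdf(password, salt)
    expected = account["pw_hash"] if account else b"\x00" * len(candidate)
    ok = hmac.compare_digest(candidate, expected) and account is not None
    return account if ok else None

def login_leaky(email: str, password: str):
    """Pattern described in the post: the error echoes the resolved username."""
    account = ACCOUNTS.get(email.lower())
    if account is None:
        return False, "Unknown e-mail address."
    if _check(email, password) is None:
        return False, f"Wrong password for user {account['username']}."
    return True, "Welcome."

def login_hardened(email: str, password: str):
    """Same message for every failure; nothing is derived from the account."""
    if _check(email, password) is None:
        return False, GENERIC_ERROR
    return True, "Welcome."

def leaked_fields(login, email: str, bad_password: str = "x"):
    """Regression check: account fields that appear in a failed-login message
    although the caller never supplied them."""
    _, message = login(email, bad_password)
    account = ACCOUNTS.get(email.lower(), {})
    return [k for k, v in account.items()
            if isinstance(v, str) and v in message and v not in (email, bad_password)]
```

Running `leaked_fields` against every authentication endpoint in a test suite catches a failure message that starts echoing account data the caller did not provide.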