First off, I want to wish a happy new year to all visitors to our blog, as well as clients and friends of the Parameter Security family.
Over the New Year holiday, our hackers discovered an information disclosure vulnerability on WordPress.com that discloses a user’s username. To obtain the username, you need to know the user’s email address.
At the WordPress.com login, enter the known email address. Enter something into the password field (the password cannot be blank).
The login error will disclose the username connected to the email address.
Risk – Low
Use – The information disclosure could be used during footprinting to determine a victim’s username on WordPress.com.
Note – The disclosure only happens on WordPress.com. This vulnerability does not affect the open-source WordPress software.
The vulnerability was disclosed to WordPress on 1/2/2013.
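The failure mode described above, next to a login handler that returns one uniform error, as an added example that is not part of the original post and is not WordPress.com's code. The account data, function names and error wording are all constructed for illustration.

```python
import hashlib
import hmac

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; username, email and password are illustrative.
_SALT = b"constructed-salt"
USERS = {"alice_blog": {"email": "alice@example.com", "salt": _SALT,
                        "pw_hash": _hash("correct horse", _SALT)}}
# Dummy record so unknown identifiers cost the same hashing work.
_DUMMY = {"salt": _SALT, "pw_hash": _hash("unused-dummy-password", _SALT)}

def _find_user(identifier):
    """Resolve a username or email address to (username, record)."""
    for username, rec in USERS.items():
        if identifier.lower() in (username.lower(), rec["email"].lower()):
            return username, rec
    return None, None

def _password_ok(rec, password):
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["pw_hash"])

def login_leaky(identifier, password):
    """Error text echoes the resolved username (the behaviour described above)."""
    username, rec = _find_user(identifier)
    if rec is None:
        return False, "Unknown email address or username."
    if not _password_ok(rec, password):
        return False, f"The password for the username {username} is incorrect."
    return True, "OK"

GENERIC_ERROR = "The email address, username or password is incorrect."

def login_uniform(identifier, password):
    """Same message for every failure; nothing beyond the input is returned."""
    _, rec = _find_user(identifier)
    ok = _password_ok(rec or _DUMMY, password)
    if rec is None or not ok:
        return False, GENERIC_ERROR
    return True, "OK"

def leaks_username(login_fn, email, username):
    """Regression check: failed login by email must not reveal the username."""
    ok, msg = login_fn(email, "definitely-wrong")
    return (not ok) and username.lower() in msg.lower()
```

`leaks_username` can be kept as a regression test against any login handler that accepts an email address as the identifier.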