{"id":"CVE-2011-4898","details":"wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters.  NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective","modified":"2026-04-10T03:42:08.457116Z","published":"2012-01-30T17:55:00Z","database_specific":{"isDisputed":true},"references":[{"type":"EVIDENCE","url":"http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html"},{"type":"EVIDENCE","url":"http://www.exploit-db.com/exploits/18417"},{"type":"EVIDENCE","url":"https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt"}],"schema_version":"1.7.5"}