Vulnerability Name:

CVE-2009-1030 (CCN-49184)

Assigned: 2009-03-10
Published: 2009-03-10
Updated: 2018-10-10
Summary: Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2009-1030

Source: HP
Type: UNKNOWN
HPSBUX02514

Source: CCN
Type: WordPress multi-user (MU) Web site
WordPress MU > Download

Source: CCN
Type: SECTRACK ID: 1021838
WordPress MU Input Validation Hole in HTTP Host Header Permits Cross-Site Scripting Attacks

Source: CCN
Type: OSVDB ID: 52814
Wordpress MU wp-includes/wpmu-functions.php Host Header XSS

Source: BUGTRAQ
Type: UNKNOWN
20090310 [ISecAuditors Security Advisories] WordPress MU HTTP Header XSS Vulnerability

Source: BID
Type: UNKNOWN
34075

Source: CCN
Type: BID-34075
WordPress MU 'wp-includes/wpmu-functions.php' Cross-Site Scripting Vulnerability

Source: SECTRACK
Type: UNKNOWN
1021838

Source: XF
Type: UNKNOWN
wordpressmu-wpmufunctions-xss(49184)

Source: EXPLOIT-DB
Type: UNKNOWN
8196

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:wordpress:wordpress_mu:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.0:rc4:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.4:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.5a:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.5:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:*:*:*:*:*:*:*:* (Version <= 2.6)
  • OR cpe:/a:wordpress:wordpress_mu:2.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.7:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:wordpress:wordpress_mu:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.6:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.0:rc4:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.4:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.2.5a:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.5:rc1:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:1.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:wordpress:wordpress_mu:2.7:*:*:*:*:*:*:*

* Denotes that component is vulnerable