CVE-2011-4899

🗓️ 30 Jan 2012 17:00:00Reported by mitreType

cve🔗 web.nvd.nist.gov👁 86 Views🌐 WEB

wp-admin/setup-config.php in WordPress 3.3.1 and earlier allows remote attackers to configure arbitrary database and conduct code injection and XSS attacks

Reporter	Title	Published	Views	Family All 22
0day.today	WordPress <= 3.3.1 Multiple Vulnerabilities	25 Jan 201200:00	–	zdt
Circl	CVE-2011-4899	25 Jan 201200:00	–	circl
Cvelist	CVE-2011-4899	30 Jan 201217:00	–	cvelist
Debian CVE	CVE-2011-4899	30 Jan 201217:00	–	debiancve
Exploit DB	WordPress Core 3.3.1 - Multiple Vulnerabilities	25 Jan 201200:00	–	exploitdb
exploitpack	WordPress 3.3.1 - Multiple Vulnerabilities	25 Jan 201200:00	–	exploitpack
NVD	CVE-2011-4899	30 Jan 201217:55	–	nvd
OpenVAS	WordPress 'setup-config.php' Multiple Vulnerabilities	1 Feb 201200:00	–	openvas
OSV	DEBIAN-CVE-2011-4899	30 Jan 201217:55	–	osv
OSV	UBUNTU-CVE-2011-4899	30 Jan 201217:55	–	osv

NVD

Node

wordpress wordpressRange≤3.3.1

wordpress wordpressMatch0.7

wordpress wordpressMatch0.71

wordpress wordpressMatch0.72

wordpress wordpressMatch0.711

wordpress wordpressMatch1.0

wordpress wordpressMatch1.0.1

wordpress wordpressMatch1.0.2

wordpress wordpressMatch1.2

wordpress wordpressMatch1.2.1

wordpress wordpressMatch1.2.2

wordpress wordpressMatch1.5

wordpress wordpressMatch1.5.1

wordpress wordpressMatch1.5.1.2

wordpress wordpressMatch1.5.1.3

wordpress wordpressMatch1.5.2

wordpress wordpressMatch2.0

wordpress wordpressMatch2.0.1

wordpress wordpressMatch2.0.2

wordpress wordpressMatch2.0.3

wordpress wordpressMatch2.0.4

wordpress wordpressMatch2.0.5

wordpress wordpressMatch2.0.6

wordpress wordpressMatch2.0.7

wordpress wordpressMatch2.0.8

wordpress wordpressMatch2.0.9

wordpress wordpressMatch2.0.10

wordpress wordpressMatch2.0.11

wordpress wordpressMatch2.1

wordpress wordpressMatch2.1.1

wordpress wordpressMatch2.1.2

wordpress wordpressMatch2.1.3

wordpress wordpressMatch2.2

wordpress wordpressMatch2.2.1

wordpress wordpressMatch2.2.2

wordpress wordpressMatch2.2.3

wordpress wordpressMatch2.3

wordpress wordpressMatch2.3.1

wordpress wordpressMatch2.3.2

wordpress wordpressMatch2.3.3

wordpress wordpressMatch2.5

wordpress wordpressMatch2.5.1

wordpress wordpressMatch2.6

wordpress wordpressMatch2.6.1

wordpress wordpressMatch2.6.2

wordpress wordpressMatch2.6.3

wordpress wordpressMatch2.6.5

wordpress wordpressMatch2.7

wordpress wordpressMatch2.7.1

wordpress wordpressMatch2.8

wordpress wordpressMatch2.8.1

wordpress wordpressMatch2.8.2

wordpress wordpressMatch2.8.3

wordpress wordpressMatch2.8.4

wordpress wordpressMatch2.8.5

wordpress wordpressMatch2.8.6

wordpress wordpressMatch2.9

wordpress wordpressMatch2.9.1

wordpress wordpressMatch2.9.2

wordpress wordpressMatch3.0

wordpress wordpressMatch3.0.1

wordpress wordpressMatch3.0.2

wordpress wordpressMatch3.0.3

wordpress wordpressMatch3.0.4

wordpress wordpressMatch3.0.5

wordpress wordpressMatch3.0.6

wordpress wordpressMatch3.1

wordpress wordpressMatch3.1.1

wordpress wordpressMatch3.1.2

wordpress wordpressMatch3.1.3

wordpress wordpressMatch3.1.4

wordpress wordpressMatch3.2.1

wordpress wordpressMatch3.3

Source	Link
trustwave	www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt
exploit-db	www.exploit-db.com/exploits/18417
archives	www.archives.neohapsis.com/archives/bugtraq/2012-01/0150.html

Parameter	Position	Path	Description
dbname	request body	wp-admin/setup-config.php?step=2	WordPress setup-config page vulnerability allowing arbitrary DB configuration and potential PHP code execution/XSS during installation.
uname	request body	wp-admin/setup-config.php?step=2	WordPress setup-config page vulnerability allowing arbitrary DB configuration and potential PHP code execution/XSS during installation.
pwd	request body	wp-admin/setup-config.php?step=2	WordPress setup-config page vulnerability allowing arbitrary DB configuration and potential PHP code execution/XSS during installation.
dbhost	request body	wp-admin/setup-config.php?step=2	WordPress setup-config page vulnerability allowing arbitrary DB configuration and potential PHP code execution/XSS during installation.
prefix	request body	wp-admin/setup-config.php?step=2	WordPress setup-config page vulnerability allowing arbitrary DB configuration and potential PHP code execution/XSS during installation.
submit	request body	wp-admin/setup-config.php?step=2	WordPress setup-config page vulnerability allowing arbitrary DB configuration and potential PHP code execution/XSS during installation.

29 Apr 2026 01:13Current

6.7Medium risk

Vulners AI Score6.7

CVSS 27.5

EPSS0.05535

SSVC